Something evil on 5.135.67.160/28 ...
FYI...
radarsky .biz and something evil on 5.135.67.160/28
- http://blog.dynamoo.com/2013/02/rada...g-evil-on.html
8 Feb 2013 - "There is currently an injection attack -redirecting- visitors to a domain radarsky .biz (for example) hosted on 5.135.67.173 (OVH*) and suballocated to:
inetnum: 5.135.67.160 - 5.135.67.175
netname: MMuskatov-FI
descr: MMuskatov
country: FI
org: ORG-OH6-RIPE
admin-c: OTC15-RIPE
tech-c: OTC15-RIPE
status: ASSIGNED PA
mnt-by: OVH-MNT
source: RIPE # Filtered
"MMuskatov" was involved in this attack too, and a quick inspection of 5.135.67.160/28 doesn't look promising, you might want to block it and 5.135.67.144/28 and 5.135.67.192/28 as well. A deeper analysis is in progress."
* https://www.google.com/safebrowsing/...?site=AS:16276
"... over the past 90 days, 7580 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2013-02-08, and the last time suspicious content was found was on 2013-02-08... we found 518 site(s) on this network... that appeared to function as intermediaries for the infection of 3631 other site(s)... this network has hosted sites that have distributed malicious software in the past 90 days. We found 1465 site(s)... that infected 7340 other site(s)..."
___
Fake ACH Batch Download Notification emails
- http://security.intuit.com/alert.php?a=71
2/8/13 - "People are receiving fake emails with the title "ACH Batch Download Notification". Below is a copy of the email people are receiving, including the mistakes shown.
Refund check in the amount of $4,370.00 for
The following ACH batch has been submitted for processing.
Initiated By: colleen
Initiated Date & Time: Fri, 8 Feb 2013 21:38:16 +0600 Batch ID: 7718720 Batch Template Name: PAYROLL
Please view the attached file to review the transaction details.
This is the end of the fake email..."
___
Fake BBB SPAM / madcambodia .net
- http://blog.dynamoo.com/2013/02/bbb-...mbodianet.html
8 Feb 2013 - "This fake BBB spam leads to malware on madcambodia .net:
Date: Fri, 8 Feb 2013 11:55:55 -0500 [11:55:55 EST]
From: Better Business Bureau [notify @bbb .org]
Subject: BBB details about your cliente's pretense ID 43C796S77
Better Business Bureau ©
Start With Trust ©
Thu, 7 Feb 2013
RE: Issue No. 43C796S77
[redacted]
The Better Business Bureau has been booked the above mentioned claim letter from one of your purchasers in respect of their business contacts with you. The detailed description of the consumer's concern are available for review at a link below. Please pay attention to this subject and let us know about your judgment as soon as possible.
We pleasantly ask you to visit the GRIEVANCE REPORT to reply on this claim.
We awaits to your prompt response.
Best regards
Luis Davis
Dispute Advisor
Better Business Bureau
3073 Wilson Blvd, Suite 600 Arlington, VA 23501
Phone: 1 (703) 276.0100 Fax: 1 (703) 525.8277
This note was sent to [redacted]. Don't want to receive these emails anymore? You can unsubscribe
The malicious payload is at [donotclick]madcambodia .net/detects/review_complain.php (report here) hosted on:
175.121.229.209 (Hanaro Telecom, Korea)
198.144.191.50 (Chicago VPS, US) ..."
___
Fake ADP SPAM / 048575623_02082013 .zip
- http://blog.dynamoo.com/2013/02/adp-...082013zip.html
8 Feb 2013 - "This fake ADP spam comes with a malicious attachment:
Date: Fri, 8 Feb 2013 18:26:05 +0100 [12:26:05 EST]
From: "ops_invoice @adp .com" [ops_invoice @adp .com]
Subject: ADP Payroll Invoice for week ending 02/08/2013 - 01647
Your ADP Payroll invoice for last week is attached for your review. If you have any questions regarding this invoice, please contact your ADP service team at the number provided on the invoice for assistance.
Thank you for choosing ADP Payroll.
Important: Please do not respond to this message. It comes from an unattended mailbox.
In this case there was a ZIP file called 048575623_02082013 .zip (this may vary) with an attachment 048575623_02082013 .exe designed to look like a PDF file. VirusTotal* identifies it as a Zbot variant. According to ThreatExpert**, the malware attempts to connect to the following hosts:
eyon-neos .eu
quest.social-neos .eu
social-neos .eu
These may be legitimate hacked domains, but if you are seeing unexpected traffic going to them then it could be a Zbot indicator.
* https://www.virustotal.com/file/d961...is/1360370000/
File name: 048575623_02082013.exe
Detection ratio: 17/45
Analysis date: 2013-02-09
** http://www.threatexpert.com/report.a...0342013e5d0ad0
:fear: :mad:
Fake Support Center / ADP SPAM
FYI...
Fake "Support Center" SPAM / phticker .com
- http://blog.dynamoo.com/2013/02/supp...tickercom.html
11 Feb 2013 - "Not malware this time, but this fake "Support Center" spam leads to a fake pharma site at phticker .com:
Date: Mon, 11 Feb 2013 06:13:52 -0700
From: "Brinda Wimberly" [noreply @mdsconsulting .be]
Subject: Support Center
Welcome to Help Support Center
Hello,
You have been successfully registered in our Ticketing System
Please, login and check status of your ticket, or report new ticket here
See All tickets
Go To Profile
This message was sent to [redacted]. Should you have any questions, or if you believe that you have received this in error please contact us at support center.
The site appears to be clean from a malware perspective and is hosted on 171.25.190.246 (Verus AS, Latvia) along with other fake pharma sites..."
___
Something evil on 46.163.79.209
- http://blog.dynamoo.com/2013/02/some...616379209.html
11 Feb 2013 - "The following sites are connected with some ADP-themed malware that has been doing the rounds for the past few days. As far as I can tell, they are some sort of download server for this malware, hosted on 46.163.79.209 (Host Europe, Germany), it all looks quite nasty.
The domains look like they might be legitimate ones that have been hijacked, nonetheless blocking them would be an excellent move."
___
Fake Citi Group SPAM
- http://www.hotforsecurity.com/blog/s...mers-5322.html
Feb 11, 2013 - "... it’s time Citi clients keep an eye open for e-mails that read “You have received a secure message” inviting them to read the message by opening the attachments securedoc .html...
> http://www.hotforsecurity.com/wp-con...-Customers.png
The emails include a link and an attachment. While the link is harmless, taking receivers to the legitimate Citi page, the attachment is a password stealer that opens a backdoor for remote attackers. Some instances appear to also download components of the BlackHole or ZeuS exploit kits. Untrained eyes could fall for this trick, since these e-mails are written in good English, with decent grammar and harmless-looking attachments. Of the countless ways of infecting a computer, spam delivering malware continues to pay off despite restless efforts of media and the security community. Infecting PCs via spam proves an efficient dissemination method, since users are still caught off-guard by malicious links or attachments such as this message addressed to Citi Group clients..."
___
Fake British Airways SPAM / epianokif .ru
- http://blog.dynamoo.com/2013/02/brit...ianokifru.html
11 Feb 2013 - "This fake British Airways spam leads to malware on epianokif .ru:
Date: Mon, 11 Feb 2013 11:30:39 +0330
From: JamesTieszen @[victimdomain .com]
Subject: British Airways E-ticket receipts
Attachments: E-Ticket-N234922XM .htm
e-ticket receipt
Booking reference: DZ87548418
Dear,
Thank you for booking with British Airways.
Ticket Type: e-ticket
This is your e-ticket receipt. Your ticket is held in our systems, you will not receive a paper ticket for your booking.
Your itinerary is attached (Internet Exlplorer/Mozilla Firefox file)
Yours sincerely,
British Airways Customer Services
British Airways may monitor email traffic data and also the content of emails, where permitted by law, for the purposes of security and staff training and in order to prevent or detect unauthorised use of the British Airways email system.
British Airways Plc is a public limited company registered in England and Wales. Registered number: 74665737. Registered office: Waterside, PO Box 365, Harmondsworth, West Drayton, Middlesex, England, UB7 0GB.
How to contact us
Although we are unable to respond to individual replies to this email we have a comprehensive section that may help you if you have a question about your booking or travelling with British Airways.
If you require further assistance you may contact us
If you have received this email in error
This is a confidential email intended only for the British Airways Customer appearing as the addressee. If you are not the intended recipient please delete this email and inform the snder as soon as possible. Please note that any copying, distribution or other action taken or omitted to be taken in reliance upon it is prohibited and may be unlawful.
The malicious payload is at [donotclick]epianokif .ru:8080/forum/links/column.php (report here) hosted on:
82.148.98.36 (Qatar Telecom, Qatar)
195.210.47.208 (PS Internet Company, Kazakhstan)
202.72.245.146 (Railcom, Mongolia) ..."
___
Fake NACHA SPAM / albaperu .net
- http://blog.dynamoo.com/2013/02/nach...baperunet.html
11 Feb 2013 - "This fake NACHA spam leads to malware on albaperu .net:
Date: Mon, 11 Feb 2013 11:39:03 -0500 [11:39:03 EST]
From: ACH Network [reproachedwp41 @direct.nacha .org]
Subject: ACH Transfer canceled
Aborted transfer
The ACH process (ID: 838907191379), recently initiated from your checking account (by one of your account members), was reversed by the other financial institution.
Transaction ID: 838907191379
Reason of Cancellation See detailed information in the despatch below
Transaction Detailed Report RP838907191379.doc (Microsoft Word Document)
13150 Sunrise Drive, Suite 100 Herndon, VA 20172 (703) 561-1600
2013 NACHA - The Electronic Payments Association
The malicious payload is at [donotclick]albaperu .net/detects/case_offices.php (report here) hosted on:
175.121.229.209 (Hanaro Telecom, Korea)
198.144.191.50 (Chicago VPS, US)..."
___
Something evil on 46.165.206.16
- http://blog.dynamoo.com/2013/02/some...616520616.html
11 Feb 2013 - "This is a little group of fake analytics sites containing malware (for example*), hosted on 46.165.206.16 (Leaseweb, Germany**). Sites listed in -red- have already been tagged by Google Safe Browsing diagnostics, presumably the others have stayed below the radar.
* http://urlquery.net/report.php?id=738388
Diagnostic page for AS16265 (LEASEWEB)
** https://www.google.com/safebrowsing/...?site=AS:16265
"... over the past 90 days, 3350 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2013-02-12, and the last time suspicious content was found was on 2013-02-12... we found 1006 site(s) on this network... that appeared to function as intermediaries for the infection of 3958 other site(s)... We found 1567 site(s)... that infected 6879 other site(s)..."
:fear::mad:
Fake IRS / Changelog SPAM
FYI...
Fake IRS SPAM / micropowerboating .net
- http://blog.dynamoo.com/2013/02/chan...maianemru.html
12 Feb 2013 - "This fake IRS spam leads to malware on micropowerboating .net:
Date: Tue, 12 Feb 2013 22:06:55 +0800
From: Internal Revenue Service [damonfq43 @taxes.irs .gov]
Subject: Income Tax Refund TURNED DOWN
Hereby we have to note that Your State Tax Refund Appeal ({ID: 796839212518), recently has been RETURNED. If you believe that IRS did not properly estimate your case due to misunderstanding of the fact(s), be prepared to serve additional information. You can obtain refusal to accept details and re-submit your appeal by browsing a link below.
Please enter official website for information
Internal Revemue Service
Internal Revenue Services United States, Department of Treasury
9611 Tellus. Av.
Hours of Operation: Monday-Friday, 11:30AM - 16:30PM your local time.
===
Date: Tue, 12 Feb 2013 15:00:35 +0100
From: Internal Revenue Service [zirconiumiag0 @irs .gov]
Subject: Income Tax Refund NOT ACCEPTED
Hereby we hav to inform that Your Income Tax Refund Appeal ({ID: 46303803645929), recently has been CANCELED. If you believe that IRS did not properly estimate your case due to misapprehension of the fact(s), be prepared to equip additional information. You can obtain non-acceptance details and re-submit your appeal by browsing a link below.
Please browse official site for more information
Internal Revemue Service
Internal Revenue Services United States, Department of Treasury
3192 Aliquam Rd.
Hours of Operation: Monday-Friday, 11:30AM - 16:30PM your local time.
===
Date: Tue, 12 Feb 2013 15:13:37 +0100 [09:13:37 EST]
From: Internal Revenue Service [idealizesmtz @informer.irs .gov]
Subject: Income Tax Refund TURNED DOWN
Hereby You notified that Your Income Tax Outstanding transaction Appeal (No: 8984589927661), recently was CANCELED. If you believe that IRS did not properly estimate your case due to misapprehension of the fact(s), be prepared to deliver additional information. You can obtain refusal of acceptance details and re-submit your appeal by using a link below.
Please enter official site for information
Internal Revemue Service
Internal Revenue Services United States, Department of Treasury
P.O. Box 265
Hours of Operation: Monday-Friday, 11:30AM - 16:30PM your local time.
The malicious payload is on [donotclick]micropowerboating .net/detects/pending_details.php (report here) hosted on:
175.121.229.209 (Hanaro Telecom, Korea)
198.144.191.50 (Chicago VPS, US)
The following IPs and domains should be blocked:
___
Fake Changelog SPAM / emaianem .ru
- http://blog.dynamoo.com/2013/02/chan...maianemru.html
12 Feb 2013 - "This changelog spam leads to malware on emaianem .ru:
Date: Tue, 12 Feb 2013 09:11:11 +0200
From: LinkedIn Password [password@linkedin.com]
Subject: Re: Changlog 10.2011
Good day,
changelog update - View
L. KIRKLAND
===
Date: Tue, 12 Feb 2013 05:14:54 -0600
From: LinkedIn [welcome @linkedin .com]
Subject: Fwd: Re: Changelog as promised(updated)
Good morning,
as prmised updated changelog - View
L. AGUILAR
The malicious payload is at [donotclick]emaianem .ru:8080/forum/links/column.php and is hosted on the same servers as found here*."
* http://blog.dynamoo.com/2013/02/efax...ipaindoru.html
46.175.224.21 (Maxnet Lukasz Hamerski, Poland)
91.121.57.231 (OVH, France)
202.72.245.146 (Railcom, Mongolia)
___
Something evil on 192.81.129.219
- http://blog.dynamoo.com/2013/02/some...281129219.html
12 Feb 2013 - "It looks like there's a nasty case of the Blackhole Exploit kit on 192.81.129.219 (see example*). The IP is controlled by Linode in the US who have been a bit quiet recently... active domains that I can identify on this IP..."
(Long list at the dynamoo URL above.)
* http://urlquery.net/report.php?id=986474
:fear: :mad:
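The thread keeps quoting the same two kinds of indicator: address ranges to block (the three OVH /28s in the first post, the Hanaro/Chicago VPS and Railcom hosts) and a recurring landing-page shape (`:8080/forum/links/column.php`, `/detects/<name>.php`). The script below is an added example, not code from any of the quoted blogs; it refangs the thread's "madcambodia .net" / "hxxp ://" / "[donotclick]" notation, then runs those indicators over a constructed proxy log. The indicator lists hold only values quoted in the posts above; the log lines and client addresses are made up for the demo.

```python
"""Check proxy log lines against the indicators quoted in this thread (added example)."""
import ipaddress
import re
from urllib.parse import urlsplit

# Ranges the first post suggests blocking (dynamoo, 8 Feb 2013)
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "5.135.67.160/28", "5.135.67.144/28", "5.135.67.192/28",
)]

# Payload hosts quoted in the posts
BLOCKED_IPS = {"175.121.229.209", "198.144.191.50", "202.72.245.146",
               "91.121.57.231", "195.210.47.208"}

# Domains quoted in the posts, stored without the defanging space
BLOCKED_DOMAINS = {"micropowerboating.net", "madcambodia.net", "albaperu.net",
                   "epianokif.ru", "emaianem.ru", "eipuonam.ru",
                   "social-neos.eu", "eyon-neos.eu"}

# Landing URL shapes that recur across the quoted Blackhole campaigns
PATH_PATTERNS = [
    re.compile(r"^/forum/links/(column|public_version)\.php$"),
    re.compile(r"^/detects/[a-z_\-]+\.php$"),
]

# Constructed squid-style log: "<timestamp> <client> <method> <url> <status>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


def refang(text: str) -> str:
    """Undo the defanging used in the posts so the value can be compared.

    Handles "[donotclick]", "hxxp ://", "madcambodia .net", "202.72.245.146 :8080"
    and "91.218.38.245 /imagedl11.php".
    """
    text = text.replace("[donotclick]", "").strip()
    text = re.sub(r"^hxxp(s?)\s*://\s*", r"http\1://", text)
    text = re.sub(r"\s+\.", ".", text)        # "madcambodia .net" -> "madcambodia.net"
    text = re.sub(r"\s+:(\d)", r":\1", text)  # "146 :8080" -> "146:8080"
    text = re.sub(r"\s+/", "/", text)         # "245 /imagedl11.php" -> "245/imagedl11.php"
    return text


def classify(url: str) -> list:
    """Return the reasons a (refanged) URL matches the thread's indicators, or []."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None
    if addr is not None:
        if host in BLOCKED_IPS:
            reasons.append(f"blocked ip {host}")
        for net in BLOCKED_NETWORKS:
            if addr in net:
                reasons.append(f"ip in blocked range {net}")
    else:
        # Match the domain itself and any subdomain (quest.social-neos.eu etc.)
        labels = host.split(".")
        for i in range(len(labels) - 1):
            candidate = ".".join(labels[i:])
            if candidate in BLOCKED_DOMAINS:
                reasons.append(f"blocked domain {candidate}")
                break
    path = parts.path or "/"
    if any(p.search(path) for p in PATH_PATTERNS):
        reasons.append(f"blackhole landing path {path}")
    return reasons


def scan_proxy_log(lines) -> list:
    """Return (client, url, reasons) for every log line that hits an indicator."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        reasons = classify(m["url"])
        if reasons:
            hits.append((m["client"], m["url"], reasons))
    return hits


# Constructed sample log; only the indicator values come from the thread.
SAMPLE_LOG = """\
2013-02-14T10:12:01Z 10.0.0.15 GET http://www.example.com/index.html 200
2013-02-14T10:12:09Z 10.0.0.15 GET http://epianokif.ru:8080/forum/links/column.php 200
2013-02-14T10:13:40Z 10.0.0.22 GET http://5.135.67.173/jquery.js 200
2013-02-14T10:15:02Z 10.0.0.22 GET http://www.madcambodia.net/detects/review_complain.php 200
2013-02-14T10:16:11Z 10.0.0.31 GET http://quest.social-neos.eu/ 404
2013-02-14T10:17:55Z 10.0.0.31 GET http://202.72.245.146:8080/forum/links/public_version.php 200
"""

if __name__ == "__main__":
    for client, url, reasons in scan_proxy_log(SAMPLE_LOG.splitlines()):
        print(client, url, "; ".join(reasons))
```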
Something evil on 92.63.105.23
FYI...
Something evil on 92.63.105.23
- http://blog.dynamoo.com/2013/02/some...926310523.html
14 Feb 2013 - "Looks like a nasty infestation of Blackhole is lurking on 92.63.105.23 (TheFirst-RU, Russia*) - see an example of the nastiness here** (this link is safe to click!). The following domains are present on this address, although there are probably more..."
(Long list at the dynamoo URL above.)
** http://urlquery.net/report.php?id=995495
... Blackholev2 url structure detected
* https://www.google.com/safebrowsing/...?site=AS:29182
"... over the past 90 days, 606 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2013-02-14, and the last time suspicious content was found was on 2013-02-14... we found 182 site(s) on this network... that appeared to function as intermediaries for the infection of 652 other site(s)... We found 655 site(s)... that infected 4547 other site(s)..."
___
Top 10 Valentine’s Day Scams...
- http://www.hotforsecurity.com/blog/t...erts-5357.html
Feb 14, 2013 - "... advises users to stay away from fake limousine offers and online ‘heart experts’ who claim to heal troubled relationships. This type of scam spreads through spam and redirects users to phishing, fraud and malware-infected websites... The bait that tricks men these days includes fake chocolate offers, diamond-like rings, perfumes, personalized gifts, heart-shaped jewelry and replica watches... A fast spreading scam tricks victims to download Valentine’s Day wallpapers which redirect to fraudulent websites. Users are told they won an iPhone 5 and asked for personal details. In the name of Cupid, similar scams circulate on Facebook, too. Valentine’s Day games and Android apps downloaded from unofficial marketplaces such as free love calculators may install adware and malware. Britons should be especially careful with flower offers. Valentine’s Day is not only the busiest day of the year for UK florists, but also for fake ‘flower’ scammers..."
> http://www.hotforsecurity.com/wp-con...-experts-1.jpg
___
Malicious URL hits related to “valentine” from January to Feb. 14
> http://blog.trendmicro.com/trendlabs...-URLs-2013.png
Malware detections related to “valentine” from January to Feb. 14
> http://blog.trendmicro.com/trendlabs...tines-2013.png
___
Fake 'Facebook blocked' emails serve client-side exploits and malware
- http://blog.webroot.com/2013/02/14/f...s-and-malware/
14 Feb 2013 - "Cybercriminals are currently spamvertising two separate campaigns, impersonating Facebook Inc., in an attempt to trick its users into thinking that their Facebook account has been disabled. What these two campaigns have in common is the fact that the client-side exploits serving domains are both parked on the same IP. Once users click on -any- of the links found in the malicious emails, they’re exposed to the client-side exploits served by the Black Hole Exploit Kit...
Sample screenshot of the spamvertised campaign:
> https://webrootblog.files.wordpress....xploit_kit.png
... Malicious domain names reconnaissance:
gonita .net – 222.238.109.66 – Email: lockwr @rocketmail .com
able-stock .net – 222.238.109.66
capeinn .net – 222.238.109.66; 198.144.191.50 – Email: softonlines @yahoo .com
Name servers used in the campaign:
Name Server: NS1.HTTP-PAGE .NET
Name Server: NS2.HTTP-PAGE .NET
We’ve already seen the same name servers used in... malicious campaigns...
Responding to 222.238.109.66 are... malicious/fraudulent domains...
Responding to 198.144.191.50 are... malicious domains...
We’ve already seen the same pseudo-random C&C communication characters (EGa+AAAAAA), as well as the same C&C server (173.201.177.77) in... previously profiled campaigns..."
(More detail at the webroot URL above.)
___
Fake HP ScanJet SPAM / eipuonam .ru
- http://blog.dynamoo.com/2013/02/hp-s...ipuonamru.html
14 Feb 2013 - "This fake printer spam leads to malware on eipuonam .ru:
Date: Thu, 14 Feb 2013 -02:00:50 -0800
From: "Xanga" [noreply@xanga.com]
Subject: Fwd: Scan from a HP ScanJet #72551
Attachments: HP_Document.htm
Attached document was scanned and sent
to you using a HP A-39329P.
SENT BY : Ingrid
PAGES : 0
FILETYPE: .HTML [INTERNET EXPLORER/MOZILLA FIREFOX]
The attachment HP_Document.htm contains a script that attempts to direct visitors to [donotclick]eipuonam .ru:8080/forum/links/column.php (report here*) hosted on:
91.121.57.231 (OVH, France)
195.210.47.208 (PS Internet, Kazakhstan)
202.72.245.146 (Railcom, Mongolia)..."
(More detail at the dynamoo URL above.)
* http://urlquery.net/report.php?id=1000763
... Detected suspicious URL pattern
___
Fake "Copies of policies" SPAM / ewinhdutik .ru
- http://blog.dynamoo.com/2013/02/copi...nhdutikru.html
14 Feb 2013 - "This spam leads to malware on ewinhdutik .ru:
Date: Thu, 14 Feb 2013 07:16:28 -0500
From: "Korbin BERG" [ConnorAlmeida @telia .com]
Subject: RE: Korbin - Copies of Policies.
Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.
Here is the Package and Umbrella,
and a copy of the most recent schedule.
Korbin BERG,
===
Date: Thu, 14 Feb 2013 03:30:52 +0530
From: Tagged [Tagged @taggedmail .com]
Subject: RE: KESHIA - Copies of Policies.
Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.
Here is the Package and Umbrella,
and a copy of the most recent schedule.
KESHIA LEVINE,
The malicious payload is at [donotclick]ewinhdutik .ru:8080/forum/links/column.php (report here*) hosted on the same IP addresses as this attack we saw earlier:
- http://blog.dynamoo.com/2013/02/hp-s...ipuonamru.html
91.121.57.231 (OVH, France)
195.210.47.208 (PS Internet, Kazakhstan)
202.72.245.146 (Railcom, Mongolia)"
* http://urlquery.net/report.php?id=1001864
... AS48716** Kazakhstan... suspicious URL pattern
** https://www.google.com/safebrowsing/...?site=AS:48716
___
Fake HP ScanJet SPAM / 202.72.245.146
- http://blog.dynamoo.com/2013/02/hp-s...272245146.html
14 Feb 2013 - "This fake printer spam leads to malware on 202.72.245.146:
Date: Thu, 14 Feb 2013 10:10:56 +0000
From: AntonioShapard @hotmail .com
Subject: Fwd: Re: Scan from a Hewlett-Packard ScanJet #6293
Attachments: HP_Document.htm
Attached document was scanned and sent
to you using a HP A-32347P.
SENT BY : TRISH
PAGES : 3
FILETYPE: .HTML [INTERNET EXPLORER/MOZILLA FIREFOX]
===
Date: Thu, 14 Feb 2013 06:07:00 -0800
From: LinkedIn Password [password @linkedin .com]
Subject: Fwd: Scan from a Hewlett-Packard ScanJet 83097855
Attachments: HP_Document.htm
Attached document was scanned and sent
to you using a HP A-775861P.
SENT BY : CARLINE
PAGES : 4
FILETYPE: .HTML [INTERNET EXPLORER/MOZILLA FIREFOX]
The malicious payload is on [donotclick]202.72.245.146 :8080/forum/links/column.php which is a familiar IP address belonging to Railcom in Mongolia. The following malicious websites are also active on the same server..."
(Long list at the dynamoo URL above.)
___
Fake Intuit SPAM / epionkalom .ru
- http://blog.dynamoo.com/2013/02/intu...onkalomru.html
14 Feb 2013 - "This fake Intuit spam leads to malware on epionkalom .ru:
Date: Thu, 14 Feb 2013 09:05:48 -0500
From: "Classmates . com" [classmatesemail @accounts.classmates .com]
Subject: Payroll Account Holded by Intuit
Direct Deposit Service Informer
Communicatory Only
We cancelled your payroll on Thu, 14 Feb 2013 09:05:48 -0500.
Finances would be gone away from below account # ending in 2317 on Thu, 14 Feb 2013 09:05:48 -0500
amount to be seceded: 2246 USD
Paychecks would be procrastinated to your personnel accounts on: Thu, 14 Feb 2013 09:05:48 -0500
Log In to Review Operation
Funds are typically left before working banking hours so please make sure you have enough Finances accessible by 12 a.m. on the date Cash are to be seceded.
Intuit must reject your payroll by 4 p.m. Central time, two banking days before your paycheck date or your state would not be paid on time.
QuickBooks does not process payrolls on weekends or federal banking holidays. A list of federal banking holidays can be viewed at the Federal Reserve website.
Thank you for your business.
Regards,
Intuit Payroll Services
The malicious payload is at [donotclick]epionkalom .ru:8080/forum/links/column.php hosted on a bunch of IP addresses that we have seen many, many times before:
91.121.57.231 (OVH, France)
195.210.47.208 (PS Internet, Kazakhstan)
202.72.245.146 (Railcom, Mongolia) ..."
___
Fake 'TurboTax State Return Rejected' SPAM
- http://security.intuit.com/alert.php?a=72
2/14/13 - "People are receiving fake emails with the title 'TurboTax State Return Rejected'. Below is a copy of the email people are receiving. The email does not contain a link; however, the email has a .zip attachment that contains malware. Do not open the .zip file.
> http://security.intuit.com/images/turbotaxstate.jpg
This is the end of the fake email..."
:mad::mad:
Fake IRS emails lead to BlackHole Exploit Kit
FYI...
Fake IRS emails lead to BlackHole Exploit Kit
- http://blog.webroot.com/2013/02/15/s...e-exploit-kit/
Feb 15, 2013 - "It's tax season and cybercriminals are mass mailing tens of thousands of IRS (Internal Revenue Service) themed emails in an attempt to trick users into thinking that their income tax refund has been “turned down”. Once users click on any of the links found in the malicious emails, they’re automatically exposed to the client-side exploits served by the Black Hole Exploit Kit...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress....xploit_kit.png
... Malicious domain name reconnaissance:
micropowerboating .net – 175.121.229.209; 198.144.191.50 – Email: dooronemars @aol .com
Name Server: NS1.POOPHANAM .NET – 31.170.106.17
Name Server: NS2.POOPHANAM .NET – 65.135.199.21
The following malicious domains also respond to the same IPs (175.121.229.209; 198.144.191.50) and are part of the campaign’s infrastructure...
Although the initial client-side exploits serving domain used in the campaign (micropowerboating .net) was down when we attempted to reproduce its malicious payload, we managed to reproduce the malicious payload for a different domain parked at the same IP (175.121.229.209), namely, madcambodia .net.
Detection rate for the dropped malware:
madcambodia .net – 175.121.229.209 – MD5: * ... Trojan-Spy.Win32.Zbot.ivkf.
Once executed, the sample also phones back to the following C&C (command and control) servers: 94.68.61.135 :14511, 99.76.3.38 :11350
We also got another MD5 phoning back to the same IP..."
(More detail at the webroot URL above.)
* https://www.virustotal.com/en/file/d...9a70/analysis/
File name: 2da28ae0df7a90ce89c7c43878927a9f
Detection ratio: 23/45
Analysis date: 2013-02-10 05
___
Malware sites to block 15/2/13
- http://blog.dynamoo.com/2013/02/malw...ock-15313.html
15 Feb 2013 - "A set of malware sites.. or I think two sets of malware sites that you might want to block. The .ru domains are connected with this botnet, a second set of sites seem to be something else malicious. Both groups of sites are connected by a server at 142.0.45.27 (Volumedrive, US**) which may be a C&C server. Interested parties might want to poke at the server a bit.. As a bonus, these are the IPs* that I can find connected with the .ru botnet that I have collected over the past few days. Some of them are dynamic, but it might be a starting point if anyone wants to poke at that botnet a bit more..."
* http://www.dynamoo.com/files/botnet-feb-13.txt
** https://www.google.com/safebrowsing/...?site=AS:46664
___
Fake IRS SPAM / azsocseclawyer .net
- http://blog.dynamoo.com/2013/02/cum-...lawyernet.html
15 Feb 2013 - "This fake IRS spam (from an office on "Cum Avenue"!) actually leads to malware on azsocseclawyer .net:
Date: Fri, 15 Feb 2013 09:47:25 -0500
From: Internal Revenue Service [ahabfya196 @etax.irs .gov]
Subject: pecuniary penalty for delay of tax return filling
Herewith we are informing you that you are required to pay a surcharge for not filling the income tax return prior to January 31.
Please note that IRS Section 7117-F-8 specifies a money penalty of $2.000 for each Form 479 that is filled later than deadline for filling the income tax return or does not contain the exhaustive information described in 7117-F-8.
You will be released from the pecuniary penalty when the taxpayer shows that the failure to file was caused by substantial reason.
Please visit official website for more information
Internal Revenue Services United States, Department of Treasury
Ap #822-9450 Cum Avenue
Hours of Operation: Monday-Friday, 11:30AM - 16:30PM your local time.
The malicious payload is at [donotclick]azsocseclawyer .net/detects/necessary_documenting_broadcasts-sensitive.php (report here*) hosted on:
77.241.192.47 (VPSNET, Lithuania)
175.121.229.209 (Hanaro Telecom, Korea)..."
* http://urlquery.net/report.php?id=1009373
... BlackHole v2.0 exploit kit
___
Fake Wire transfer SPAM / 202.72.245.146
- http://blog.dynamoo.com/2013/02/wire...272245146.html
15 Feb 2013 - "This fake wire transfer spam leads to malware on 202.72.245.146:
Date: Fri, 15 Feb 2013 07:24:40 -0500
From: Tasha Rosenthal via LinkedIn [member @linkedin .com]
Subject: RE: Wire transfer cancelled
Good day,
Wire Transfer was canceled by the other bank.
Canceled transaction:
FED NR: 94813904RE5666838
Transfer Report: View
The Federal Reserve Wire Network
The malicious payload is on [donotclick]202.72.245.146 :8080/forum/links/public_version.php (Railcom, Mongolia) (report here) which is a well-known malicious IP that you should definitely block if you can.
Update: there is also a "Scan from a HP ScanJet #841548" spam for the same IP, sending victims to [donotclick]202.72.245.146 :8080/forum/links/column.php..."
:mad::fear::fear:
Facebook Wall posts malware propagations ...
FYI...
Facebook Wall posts malware propagations ...
- http://blog.webroot.com/2013/02/18/m...ok-wall-posts/
Feb 18, 2013 - "We’ve recently intercepted a localized — to Bulgarian — malware campaign, that’s propagating through Facebook Wall posts. Basically, a malware-infected user would unknowingly post a link+enticing message, in this case “Check it out!“, on their friend’s Walls, in an attempt to abuse their trusted relationship and provoke them to click on the malicious link. Once users click on the link, they’re exposed to the malicious software...
Sample screenshot of the propagation in action:
> https://webrootblog.files.wordpress....ware_links.png
Sample spamvertised URL appearing on Facebook users’ Walls:
hxxp ://0845 .com/fk7u
Sample redirection chain:
hxxp ://0845 .com/fk7u -> hxxp ://connectiveinnovations .com/mandolin.html?excavator=kmlumm -> hxxp ://91.218.38.245 /imagedl11.php
Sample detection rates for the malicious executables participating in the campaign:
hxxp ://91.218.38.245 /imagedl11.php – MD5: 1ad434025cd1fb681597db80447290e4 * ... Backdoor:Win32/Tofsee.F ...
Responding to this IP (91.218.38.245, AS197145 Infium Ltd.) are also... malicious/fraudulent domains...
More MD5s are known to have phoned back to 91.218.38.245:
As well as related MD5s phoning back to 185.4.227.76:
What’s special about the second C&C phone back IP (185.4.227.76) is that it was used in another Facebook themed malware campaign back in December, 2012, indicating that this cybercriminal/group of cybercriminals are actively impersonating Facebook Inc. for malicious and fraudulent purposes..."
(More detail at the webroot URL above.)
* https://www.virustotal.com/en/file/c...5947/analysis/
File name: Dionis
Detection ratio: 31/45
Analysis date: 2013-02-15
AS197145 Infium
- https://www.google.com/safebrowsing/...site=AS:197145
:mad::fear:
Fake Wire Transfer emails serve client-side exploits and malware
FYI...
Fake Wire Transfer emails serve client-side exploits and malware
- http://blog.webroot.com/2013/02/19/m...s-and-malware/
Feb 19, 2013 - "... a persistent attempt to infect tens of thousands of users with malware through a systematic rotation of multiple social engineering themes... they all share the same malicious infrastructure. Let’s profile one of the most recently spamvertised campaigns, and expose the cybercriminals’ complete portfolio of malicious domains, their related name servers, dropped MD5 and its associated run time behavior...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress....xploit_kit.png
Sample spamvertised compromised URLs:
hxxp://2555.ruksadindan .com/page-329.htm
hxxp://www.athenassoftware .com.br/page-329.htm
hxxp://www.sweetgarden .ca/page-329.htm
hxxp://lab.monohrom .uz/page-329.htm
hxxp://easy2winpoker .com/page-329.htm
hxxp://ideashtor .ru/page-329.htm
Sample client-side exploits serving URL:
hxxp:// 202.72.245.146 :8080/forum/links/public_version.php
... malicious domains also respond to the same IP (202.72.245.146) and are part of multiple campaigns spamvertised over the past couple of days...
(Long list available at the webroot URL above.)...
Sample malicious payload dropping URL:
hxxp:// 202.72.245.146 :8080/forum/links/public_version.php?mmltejvt=1g:2v:33:2v:2w&pstvw=3d&xrej=1j:33:32:1l:1g:1i:1o:1n:1o:1i&vczaspnq=1n:1d:1f:1d:1f:1d:1j:1k:1l
Sample client-side exploits served: CVE-2010-0188
Upon successful client-side exploitation, the campaign drops MD5: 04e9d4167c9a1b82e622e04ad85f8e99 * ... Trojan.Win32.Yakes.cdxy.
Once executed, the sample creates... Registry Keys... And modifies them..."
(More detail available at the webroot URL above.)
* https://www.virustotal.com/en/file/b...d48d/analysis/
File name: contacts.exe
Detection ratio: 33/46
Analysis date: 2013-02-18
___
Something evil on 67.208.74.71
- http://blog.dynamoo.com/2013/02/some...672087471.html
19 Feb 2013 - "67.208.74.71 (Inforelay, US) is a parking IP with several thousand IPs hosted on it. However, it also includes a large number of malicious sites using Dynamic DNS services. Some of these sites have recently moved from the server mentioned here*.
Probably most of the sites on this server are legitimate and blocking access to it might cause some problems. However, you can block most of these malicious domains by targeting the Dynamic DNS domain...
You can find a copy of the domains, IPs, WOT ratings and Google prognosis here** [csv].
These following domains are hosted on 67.208.74.71 and are listed as malicious by Google's Safe Browsing Diagnostics...
These domains are hosted on 67.208.74.71 and are not flagged by Google, but almost all have a poor WOT reputation and are very likely to be malicious...
These sites appear to have been hosted recently on 67.208.74.71 and are flagged as malware by Google, but are not resolving at present...
These domains appear to have been recently hosted on 67.208.74.71, are not flagged as malicious by Google but are nonetheless suspect..."
(More detail available at the dynamoo URL above.)
* http://blog.dynamoo.com/2013/02/some...926310523.html
** http://www.dynamoo.com/files/67-208-74-71.csv
- https://www.google.com/safebrowsing/...?site=AS:33597
___
Fake UPS SPAM / emmmhhh .ru
- http://blog.dynamoo.com/2013/02/ups-spam-emmmhhhru.html
19 Feb 2013 - "The spammers sending this stuff out always confuse UPS with USPS, this one is no exception although on balance it is more UPS than USPS... anyway, it leads to malware on emmmhhh .ru:
From: messages-noreply @bounce.linkedin .com [mailto:messages-noreply @bounce.linkedin .com] On Behalf Of Valda Gill via LinkedIn
Sent: 19 February 2013 10:00
Subject: United Postal Service Tracking Nr. H9878032462
You can use UPS .COM to:
Ship Online
Schedule a Pickup
Open a UPS .COM Account
Welcome to UPS Team
Hi, [redacted].
DEAR CUSTOMER , We were not able to delivery the post package
PLEASE PRINT OUT THE INVOICE COPY ATTACHED AND COLLECT THE PACKAGE AT OUR DEPARTMENT.
With best regards , UPS Customer Services.
Copyright 2011 United Parcel Service of America, Inc. Your USPS ...us
There is an attachment UPS_ID5408466.htm which attempts to direct visitors to [donotclick]emmmhhh .ru:8080/forum/links/column.php hosted on:
50.31.1.104 (Steadfast Networks, US)
66.249.23.64 (Endurance International, US)
195.210.47.208 (PS Internet Company, Kazakhstan)
The following IPs and domains are all malicious and should be blocked:
50.31.1.104
66.249.23.64
195.210.47.208..."
___
Something evil on 74.208.148.35
- http://blog.dynamoo.com/2013/02/some...420814835.html
19 Feb 2013 - "Spotted by the good folks at GFI Labs here*, here** and here*** are several Canadian domains on the same server, 74.208.148.35 (1&1, US):
justcateringfoodservices .com
dontgetcaught .ca
blog.ritual .ca
lumberlandnorth .com
Obviously, there's some sort of server-level compromise here. Blocking access to 74.208.148.35 will give some protection against several very active malicious spam campaigns..."
* http://gfisoftware.tumblr.com/post/4...l-invoice-spam
** http://gfisoftware.tumblr.com/post/4...complaint-spam
*** http://gfisoftware.tumblr.com/post/4...-transfer-spam
___
Fake pharma SPAM - Cyberbunker / 84.22.104.123
- http://blog.dynamoo.com/2013/02/cybe...422104123.html
19 Feb 2013 - "Crime-friendly host Cyberbunker strikes again, this time hosting more fake pharma sites on 84.22.104.123, being promoted through this suspicious looking spam:
Date: Tue, 19 Feb 2013 22:58:26 +0000 (GMT)
From: Apple [noreply @bellona.wg.saar .de]
To: [redacted]
Subject: Your Apple ID was used to sign in to FaceTime, iCloud, and iMessage on an iPhone 5
Dear Customer,
Your Apple ID ([redacted]) was used to sign in to FaceTime, iCloud, and iMessage on an iPhone 5.
If you have not recently set up an iPhone with your Apple ID, then you should change your Apple ID password. Learn More.
Privacy Policy
Copyright 2013 Apple Inc. 1 Infinite Loop, Cupertino CA 95014 - All Rights Reserved.
The spam has a link to an illegally hacked legitimate site that then bounces to drugstorepillstablets .ru hosted on 84.22.104.123 along with... spammy sites... Cyberbunker is nothing but bad news. Blocking 84.22.96.0/19 is an exceptionally good idea."
(More detail at the dynamoo URL above.)
* https://www.google.com/safebrowsing/...?site=AS:34109
:fear::mad:
Fake USPS SPAM with malware attachment...
FYI...
Fake USPS SPAM / USPS delivery failure report.zip
- http://blog.dynamoo.com/2013/02/usps...y-failure.html
20 Feb 2013 - "This fake USPS spam contains malware in an attachment called USPS delivery failure report.zip.
Date: Wed, 20 Feb 2013 06:40:39 +0200 [02/19/13 23:40:39 EST]
From: USPS client manager Michael Brewer [reports @usps .com]
Subject: USPS delivery failure report
USPS notification
Our company’s courier couldn’t make the delivery of package.
REASON: Postal code contains an error.
LOCATION OF YOUR PARCEL: KnoxvilleFort
DELIVERY STATUS: sort order
SERVICE: One-day Shipping
NUMBER OF YOUR PARCEL: M1PZN6BI4F
FEATURES: No
Label is enclosed to the letter.
Print a label and show it at your post office.
An additional information:
If the parcel isn’t received within 30 working days our company will have the right to claim compensation from you for it’s keeping in the amount of $8.26 for each day of keeping of it.
You can find the information about the procedure and conditions of parcels keeping in the nearest office.
Thank you for using our services.
USPS Global.
The attachment is double-zipped, presumably to try to evade virus and content scanners. Opening it extracts another ZIP file called USPS report id 943577924988734.zip which contains another file called USPS report id 943577924988734.exe.
The VirusTotal detections for this are patchy and fairly generic*. Automated analysis tools are pretty inconclusive** when it comes to the payload, although if you are trying to clean it up then starting with HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched (which is set to "C:\Documents and Settings\All Users\svchost.exe") is probably a good start."
* https://www.virustotal.com/en/file/6...is/1361351470/
File name: USPS report id 943577924988734.exe
Detection ratio: 27/46
Analysis date: 2013-02-20
** http://camas.comodo.com/cgi-bin/subm...ac5b32d8e28682
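The double-zipped attachment described above is the kind of thing a mail gateway can catch by walking nested archives instead of inspecting only the outer file. The following is an added example, not code from the dynamoo post: it builds a throwaway fixture shaped like the attachment (ZIP inside ZIP, with a stand-in "executable" that carries only the MZ header, no real code) and reports where the executable is hidden; the extension list and depth limit are assumptions of this example.

```python
import io
import zipfile

# Member names a mail gateway should treat as directly executable (assumed list)
EXECUTABLE_EXTS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")
MAX_DEPTH = 3  # stop descending into zip-in-zip-in-zip chains (zip-bomb guard)


def executables_in_archive(data: bytes, depth: int = 0, prefix: str = "") -> "list[str]":
    """Return paths of executable members, descending into nested ZIP members.

    Paths are reported as 'outer member/inner member' so a gateway log shows where
    the executable was hidden. A member with a harmless extension but an 'MZ' (PE)
    header is reported too, since attachment names are attacker-controlled.
    """
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []  # not a ZIP (or corrupted): nothing to descend into
    found = []
    with zf:
        for info in zf.infolist():
            name = info.filename
            if name.lower().endswith(".zip"):
                if depth + 1 > MAX_DEPTH:
                    found.append(prefix + name + " (nesting depth limit reached)")
                else:
                    found.extend(executables_in_archive(zf.read(info), depth + 1, prefix + name + "/"))
            elif name.lower().endswith(EXECUTABLE_EXTS):
                found.append(prefix + name)
            else:
                with zf.open(info) as member:
                    if member.read(2) == b"MZ":
                        found.append(prefix + name + " (PE header behind non-executable extension)")
    return found


def build_usps_fixture() -> bytes:
    """Constructed sample shaped like the attachment above: zip -> zip -> exe."""
    fake_exe = b"MZ" + b"\x00" * 62  # constructed stand-in: DOS header magic only, no code
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("USPS report id 943577924988734.exe", fake_exe)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("USPS report id 943577924988734.zip", inner.getvalue())
    return outer.getvalue()
```

Running `executables_in_archive(build_usps_fixture())` returns the single nested path of the hidden executable, and a non-ZIP blob returns an empty list.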
___
Something evil on 62.212.130.115
- http://blog.dynamoo.com/2013/02/some...212130115.html
20 Feb 2013 - "Something evil seems to be lurking on 62.212.130.115 (Xenosite, Netherlands) - a collection of sites connected with the Blackhole exploit kit, plus indications of evil subdomains of legitimate hacked sites. All-in-all, this IP is probably worth avoiding.
Firstly, there are the evil subdomains that have a format like 104648746540365e.familyholidayaccommodation .co.za - these are mostly hijacked .co.za and .cl domains. The following list contains the legitimate domains and IPs that appear to have been hijacked. Ones marked in red have been flagged as malicious by Google. Remember, these IPs are not evil, it is just the subdomains that are (on a different IP)...
The second bunch of domains appear to be connected with the Blackhole Exploit kit (according to this report*) and can be assumed to be malicious, and are hosted on 62.212.130.115...
The final group is where it gets messy. These are malicious subdomains that either are on (or have recently been on) 62.212.130.115. It looks like they are hardened against analysis, but they certainly shouldn't be here and can be assumed to be malicious too..."
(More detail at the dynamoo URL above.)
* http://pastebin.com/FNjkdB34
___
famagatra .ru injection attack in progress
- http://blog.dynamoo.com/2013/02/fama...-progress.html
20 Feb 2013 - "There seems to be an injection attack in progress, leading visitors to a hacked website to a malicious page on the server famagatra .ru.
The payload is at [donotclick]famagatra .ru:8080/forum/links/public_version.php?atd=1n:33:2v:1l:1h&qav=3j&yvxhqg=1j:33:32:1l:1g:1i:1o:1n:1o:1i&jehmppj=1n:1d:1f:1d:1f:1d:1j:1k:1l (report here*) which is basically a nasty dose of Blackhole.
84.23.66.74 (EUserv Internet, Germany)
195.210.47.208 (PS Internet Company, Kazakhstan)
210.71.250.131 (Chungwa Telecom, Taiwan)
The following domains and IPs are all part of the same evil circus:
84.23.66.74
195.210.47.208
210.71.250.131..."
(More detail at the dynamoo URL above.)
* http://urlquery.net/report.php?id=1050803
... Blackholev2 redirection successful
___
Fake Wire transfer SPAM / fulinaohps .ru
- http://blog.dynamoo.com/2013/02/wire...inaohpsru.html
20 Feb 2013 - "This fake wire transfer spam leads to malware on fulinaohps .ru:
Date: Wed, 20 Feb 2013 04:28:14 +0600
From: accounting@[victimdomain]
Subject: Fwd: ACH and Wire transfers disabled.
Dear Online Account Operator,
Your ACH transactions have been
temporarily disabled.
View details
Best regards,
Security department
The malicious payload is at [donotclick]fulinaohps .ru:8080/forum/links/column.php (report here*) hosted on the following IPs:
84.23.66.74 (EUserv Internet, Germany)
195.210.47.208 (PS Internet Company, Kazakhstan)
210.71.250.131 (Chungwa Telecom, Taiwan)
These are the same IPs as used in this attack**, you should block them if you can."
* http://urlquery.net/report.php?id=1051770
... suspicious URL pattern... obfuscated URL
** http://blog.dynamoo.com/2013/02/fama...-progress.html
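The payload URLs quoted in this post and in the famagatra .ru, UPS and Wire Transfer posts above all share one shape: a host on port 8080, the path /forum/links/column.php or /forum/links/public_version.php, and (for public_version.php) colon-separated two-character tokens in the query string. The following detector is an added example, not code from the dynamoo or webroot posts: it runs that shape over constructed proxy log lines, where the log format, the client addresses and the example.org/example.net hosts are assumptions, and the other hosts are the ones quoted in the posts.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Landing-page path shape quoted in the posts, always served on port 8080
LANDING_PATH = re.compile(r"^/forum/links/(?:column|public_version)\.php$")
# Query values seen with public_version.php: two-char base36-looking tokens
# joined by colons, e.g. atd=1n:33:2v:1l:1h
TOKEN_VALUE = re.compile(r"^[0-9a-z]{2}(?::[0-9a-z]{2})+$")


def is_blackhole_landing(url: str) -> bool:
    """True when url has the port, path and (if present) query shape of the kit."""
    parts = urlsplit(url)
    try:
        port = parts.port
    except ValueError:  # malformed port in the log line
        return False
    if port != 8080 or not LANDING_PATH.match(parts.path):
        return False
    if not parts.query:
        return True  # column.php was served without parameters in the samples
    values = [v for vals in parse_qs(parts.query).values() for v in vals]
    return any(TOKEN_VALUE.match(v) for v in values)


# Constructed proxy log, assumed format: "<epoch> <client> <method> <url> <status>".
# Line 4 is a decoy: same path, but port 80, so it must not be flagged.
SAMPLE_PROXY_LOG = """\
1361376818.101 10.0.0.12 GET http://www.example.org/index.html 200
1361376819.220 10.0.0.12 GET http://emmmhhh.ru:8080/forum/links/column.php 200
1361376820.005 10.0.0.31 GET http://202.72.245.146:8080/forum/links/public_version.php?mmltejvt=1g:2v:33:2v:2w&pstvw=3d 200
1361376821.430 10.0.0.31 GET http://forum.example.net/forum/links/column.php 200
1361376822.010 10.0.0.44 GET http://famagatra.ru:8080/forum/links/public_version.php?atd=1n:33:2v:1l:1h&qav=3j 200
"""


def find_landing_hits(log_text: str) -> "list[tuple[str, str]]":
    """Return (client, host) pairs for log lines whose URL matches the kit shape."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # skip blank or truncated lines
        client, url = fields[1], fields[3]
        if is_blackhole_landing(url):
            hits.append((client, urlsplit(url).hostname))
    return hits
```

`find_landing_hits(SAMPLE_PROXY_LOG)` yields three hits (the emmmhhh .ru, 202.72.245.146 and famagatra .ru requests) and skips the port-80 decoy, which is the kind of client list you would hand to the desktop team for cleanup.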
___
Fake SendSecure Support SPAM / secure_message... .zip
- http://blog.dynamoo.com/2013/02/send...port-spam.html
20 Feb 2013 - "This fake SendSecure Support / Bank of America spam comes with a malicious attachment called secure_message_02202013_01590106757637303.zip:
Date: Wed, 20 Feb 2013 11:23:43 -0400 [10:23:43 EST]
From: SendSecure Support [SendSecure.Support @bankofamerica .com]
Subject: You have received a secure message from Bank Of America
You have received a secure message.
Read your secure message by opening the attachment. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.
If you have concerns about the validity of this message, please contact the sender directly.
First time users - will need to register after opening the attachment.
Help - https ://securemail.bankofamerica .com/websafe/help?topic=Envelope
The zip file secure_message_02202013_01590106757637303 .zip unzips into secure_message_02202013_01590106757637303 .exe with a VirusTotal detection**... According to ThreatExpert***, the malware installs a keylogger and also tries to phone home to:
blog.ritual .ca
dontgetcaught .ca
These sites are hosted on 74.208.148.35 which I posted about yesterday*. Blocking access to this IP might mitigate against this particular threat somewhat."
* http://blog.dynamoo.com/2013/02/some...420814835.html
** https://www.virustotal.com/en/file/3...is/1361376818/
File name: secure_message_02202013_{DIGIT[17]}.exe
Detection ratio: 6/46
Analysis date: 2013-02-20
*** http://www.threatexpert.com/report.a...27e6479a4dffd3
___
- http://tools.cisco.com/security/cent...utbreak.x?i=77
Fake Airline Ticket Credit Card Processing E-mail Messages - February 20, 2013
Fake CashPro Online Digital Certificate Notification E-mail Messages - February 20, 2013
Fake Tax Document Notification E-mail Messages - February 20, 2013
Fake Rejected Tax Form Notification E-mail Messages - February 20, 2013
Fake Bank Deposit Notification E-mail Messages - February 20, 2013
Fake Package Delivery Failure E-mail Messages - February 20, 2013
Fake Product Order E-mail Messages - February 20, 2013
(More info and links available at the cisco URL above.)
:fear::mad: