Fake resume, Company Reports SPAM ...
FYI...
Fake resume SPAM / Resume_LinkedIn.exe
- http://blog.dynamoo.com/2013/10/my-r...nkedinexe.html
24 Oct 2013 - "This rather terse spam email message has a malicious attachment:
Date: Thu, 24 Oct 2013 15:45:37 +0200 [09:45:37 EDT]
From: Elijah Parr [Elijah.Parr@ linkedin .com]
Subject: My resume
Attached is my resume, let me know if its ok.
Thanks,
Elijah Parr
------------------------
Date: Thu, 24 Oct 2013 19:14:37 +0530 [09:44:37 EDT]
From: Greg Barnes [Greg.Barnes@ linkedin .com]
Subject: My resume
Attached is my resume, let me know if its ok.
Thanks,
Greg Barnes
The attachment is Resume_LinkedIn.zip which in turn contains a malicious executable Resume_LinkedIn.exe with an icon to make it look like a Word Document rather than an executable. VirusTotal is timing out at the moment, but earlier only one AV engine detected it (Norman). Automated analysis tools... show an attempted connection to homevisitor .co .uk on 64.50.166.122 (Lunarpages, US). This server was distributing malware last month too, so we must assume that it is compromised. Blocking that IP address would probably be a good idea as there are several other compromised domains on that same server [1]* [2]**."
* https://www.virustotal.com/en-gb/ip-...2/information/
** http://urlquery.net/search.php?q=64....3-10-24&max=50
- http://threattrack.tumblr.com/post/6...in-resume-spam
Oct 24, 2013 - "Subjects Seen:
My resume
Typical e-mail details:
Attached is my resume, let me know if its ok.
Thanks,
Mike Whalen
Malicious File Name and MD5:
Resume_LinkedIn.zip (AF04ED38D97867F8E773B6AFC14ED9F0)
Resume_LinkedIn.exe
(62F4A3DFE059E9030E2450D608C82899)
Screenshot: https://gs1.wac.edgecastcdn.net/8019...rta1r6pupn.png
___
Fake Company Reports emails lead to malware ...
- http://www.webroot.com/blog/2013/10/...-lead-malware/
Oct 24, 2013 - "A currently ongoing malicious spam campaign is attempting to trick users into thinking that they’ve received a legitimate Excel ‘Company Reports’ themed file. In reality though, once socially engineered users execute the malicious attachment on their PCs, it automatically opens a backdoor allowing the cybercriminals behind the campaign to gain complete access to their host, potentially abusing it in a variety of fraudulent ways.
Sample screenshots of the spamvertised email:
> https://www.webroot.com/blog/wp-cont...ny_Reports.png
Detection rate for the spamvertised attachment: MD5: 5138b3b410a1da4cbc3fcc2d9c223584 * ... Trojan.Win32.Agent.aclil; TSPY_ZBOT.EH ... The sample then phones back to det0nator.com – 38.102.226.14 on port 443, as well as to... C&C servers (-many- listed at the webroot URL above)... MD5s are known to have phoned back to the same IP (38.102.226.14)... MD5s known to have phoned back to the same C&C servers over the last couple of days..."
* https://www.virustotal.com/en/file/7...360f/analysis/
File name: Company_Report_10222013.exe
Detection ratio: 28/44
- https://www.virustotal.com/en/ip-add...4/information/
___
Threat Outbreak Alerts
- http://tools.cisco.com/security/cent...utbreak.x?i=77
Fake Faxed Document Delivery Email Messages - 2013 Oct 24
Fake Payroll Report Email Messages - 2013 Oct 24
Email Messages with Malicious Attachments - 2013 Oct 24
Fake UPS Payment Document Attachment Email Messages - 2013 Oct 24
Fake Financial Account Statement Email Messages - 2013 Oct 24
Email Messages with Malicious Attachments - 2013 Oct 24
Fake Bank Payment Transfer Notification Email Messages - 2013 Oct 24
Fake Invoice Statement Attachment Email Messages - 2013 Oct 24
Fake Payroll Invoice Notification Email Messages - 2013 Oct 24
Fake Product Purchase Order Email Messages - 2013 Oct 24
Fake Payment Confirmation Notification Email Messages - 2013 Oct 24
Malicious Personal Pictures Attachment Email Messages - 2013 Oct 24
Fake Resume Delivery Email Messages - 2013 Oct 24
Email Messages with Malicious Attachments - 2013 Oct 24
Fake Product Quote Request Email Messages - 2013 Oct 24
Email Messages with Malicious Attachments - 2013 Oct 24
Fake Money Transfer Notification Email Messages - 2013 Oct 23
Fake Xerox Scanned Attachment Email Messages - 2013 Oct 23
(More detail and links at the cisco URL above.)
:mad: :fear:
Survey Scams - Halloween freebies ...
FYI...
Survey Scams - Halloween freebies ...
- http://blog.trendmicro.com/trendlabs...-survey-scams/
Oct 24, 2013 - "... scams we saw used free Halloween products as bait. Searching for the phrase “Halloween GET FREE” leads to a suspicious YouTube video:
Suspicious YouTube video
> http://blog.trendmicro.com/trendlabs...n-youtube1.jpg
The URL advertised on the video’s page leads users to a scam site that asks for your personal information, including your email address.
Survey site
> http://blog.trendmicro.com/trendlabs...n-youtube2.jpg
Survey scam
> http://blog.trendmicro.com/trendlabs...n-youtube3.jpg
Using similar keywords on Twitter yielded two suspicious accounts. Each account had a Halloween-themed Twitter handle, perhaps to entice users into checking out the accounts.
Two suspicious Twitter accounts
> http://blog.trendmicro.com/trendlabs...-twitter11.jpg
Each account advertises free Halloween candy with a corresponding URL to get the said candy. The advertised website leads users to survey scams, rather than candy. Facebook also became home to a Halloween-themed survey scam. We spotted a Facebook page that advertises free Halloween candy, like the scam on Twitter. To get the candy, users are supposed to click a link on the page.
Website advertising free candy
> http://blog.trendmicro.com/trendlabs...-facebook1.jpg
But much like the other scams, this simply leads to a survey site. It’s interesting to note that users are directed to the page used in the YouTube scam mentioned earlier. To further entice users, the site promises Apple products in exchange for finishing the survey.
Apple products as “reward” for completed surveys
> http://blog.trendmicro.com/trendlabs...-facebook3.jpg
It might be tempting to get free stuff online, but users should always be cautious when encountering these types of promos or deals. Cybercriminals are willing to promise anything and everything just to get what they want. When encountering deals that are too good to be true, users should err on the side of caution and assume that they are..."
* http://blog.trendmicro.com/trendlabs...s-infographic/
"... Oct 29, 2011... filed under Bad Sites"
___
Fake Lloyds SPAM - Lloyds TSB msg...
- http://blog.dynamoo.com/2013/10/you-...loyds-tsb.html
25 Oct 2013 - "This fake Lloyds TSB message has a malicious attachment:
Date: Fri, 25 Oct 2013 13:55:41 +0200 [07:55:41 EDT]
From: LloydsTSB [noreply@ lloydstsb .co .uk]
Subject: You have received a new debit
Priority: High Priority 1 (High)
This is an automatically generated email by the Lloyds TSB PLC LloydsLink online payments Service.
The details of the payment are attached...
Attached is a zip file in the format Report_recipientname.zip which in turn contains a malicious executable Report_10252013.exe (note the date is encoded into the filename). The file has an icon to make it look like a PDF file, but it isn't. The VirusTotal detection rate is a so-so 13/47*. Automated analysis... shows an attempted connection to www .baufie .com on 173.203.199.241 (Rackspace, US). Often these callbacks indicate a completely compromised server, so it may be possible that there are other sites being abused on the same box."
* https://www.virustotal.com/en-gb/fil...is/1382702941/
- https://www.virustotal.com/en/ip-add...1/information/
:mad: :fear::fear:
Fake Mercedes-Benz winner SPAM ...
FYI...
Fake "You're a Mercedes-Benz winner!" SPAM
- http://blog.dynamoo.com/2013/10/you-...nner-spam.html
27 Oct 2013 - "This is a slightly novel twist on an advanced fee fraud scam:
From: Mercedes-Benz [desk_notification@ yahoo .com]
Reply-To: bmlot20137@ live .com
Date: 27 October 2013 13:44
Subject: You are a Mercedes-Benz winner !!!
Dear Recipient,
You have received a loyalty reward from Mercedes-Benz, Answer the Below question correctly and stand a chance of winning our Promotional Award Grand prize of $4,000,000USD and a Brand New 2013 Mercedes-Benz GLK350 4Matic SUV Car. If you have never had a Mercedes-Benz Product, this is your chance to benefit from our company while if you have any of our products this is your opportunity of enjoying some of our benefits apart from the comfortability and efficiency of our products. Just answer the questions asked below and you could be a winner...
Our aims to support the abilities of the neediest groups to fulfill human dignity and social justice in cooperation with development partners in the world.
Kind Regards,
Mrs.Katherine Dooley
Mercedes-Benz,Online coordinator
The email was sent to a spamtrap address from 41.138.182.219 which is in Lagos, Nigeria via a mail server in the US at 65.40.236.192 (Embarq). You might wonder what the scam is because it looks like a competition.. once you have answered the three trivially easy questions (we all know that Mercedes Benz was founded by Terry Benz in 1946 and is headquartered in the UK, after all) then you will find that you'll need to pay a stiff fee to get your prize.. which will never materialise."
Labels: 419, Advanced Fee Fraud, Scam, Spam
:fear: :mad:
Fake WhatsApp Voice msg. emails lead to malware
FYI...
Fake WhatsApp Voice msg. emails lead to malware
- http://www.webroot.com/blog/2013/10/...ead-malware-2/
Oct 28, 2013 - "... The cybercriminal(s) behind the most recently profiled campaigns impersonating T-Mobile, and Sky, have just launched yet another malicious spam campaign, this time targeting WhatsApp users with fake “Voice Message Notification/1 New Voicemail” themed emails. Once unsuspecting users execute the fake voice mail attachment, their PCs will attempt to drop additional malware on the hosts...
Sample screenshot of the spamvertised email:
> https://www.webroot.com/blog/wp-cont...Cybercrime.png
Detection rate for the malicious attachment: MD5: 0458a01e42544eacf00e6f2b39b788e0 * ... Trojan.Win32.Sharik.qhd
... attempts to download additional malware from the well known C&C server at networksecurityx.hopto .org ..."
* https://www.virustotal.com/en/file/a...6964/analysis/
___
Fake AMEX "Fraud Alert" SPAM / steelhorsecomputers .net
- http://blog.dynamoo.com/2013/10/amer...lert-spam.html
28 Oct 2013 - "This fake Amex spam leads to malware on steelhorsecomputers .net:
From: American Express [fraud@ aexp .com]
Date: 28 October 2013 14:14
Subject: Fraud Alert : Irregular Card Activity
Irregular Card Activity
Dear Customer,
We detected irregular card activity on your American Express
Check Card on 28th October, 2013.
As the Primary Contact, you must verify your account activity before you can
continue using your card, and upon verification, we will remove any restrictions
placed on your account.
To review your account as soon as possible please.
Please click on the link below to verify your information with us:
https ://www .americanexpress .com/
If you account information is not updated within 24 hours then your ability
to access your account will be restricted.
We appreciate your prompt attention to this important matter.
© 2013 American Express Company. All rights reserved.
AMEX Fraud Department
Screenshot: https://lh3.ggpht.com/-NyKdfJqQV8A/U...s1600/amex.png
The link in the email goes through a legitimate but -hacked- site and then runs one of the following three scripts:
[donotclick]kaindustries .comcastbiz .net/imaginable/emulsion.js
[donotclick]naturesfinest .eu/eroding/patricians.js
[donotclick]winklersmagicwarehouse .com/handmade/analects.js
From there, the victim is sent to a malware landing page at [donotclick]steelhorsecomputers .net/americanexpress/ which is a hijacked GoDaddy domain hosted on 96.126.102.8 (Linode, US). There are other hijacked GoDaddy domains too..."
Recommended blocklist:
96.126.102.8
8353333 .com ..."
- https://www.virustotal.com/en/ip-add...8/information/
___
Past Due Invoice Spam
- http://threattrack.tumblr.com/post/6...e-invoice-spam
Oct 28, 2013 - "Subjects Seen:
Past Due Invoice
Typical e-mail details:
Your invoice is attached. Please remit payment at your earliest convenience.
Malicious File Name and MD5:
invoice_95836_10282013.zip (7CDBF5827161838D7C5BD0E5B98E01C1)
invoice_95836_10282013.exe (C277EA5A86F25AC0B704CAF5832FC614)
Screenshot: https://gs1.wac.edgecastcdn.net/8019...8gD1r6pupn.png
:mad: :fear:
Fake Wells Fargo SPAM, 82.211.31.147, CookieBomb toolkit ...
FYI...
Fake Wells Fargo SPAM / Copy_10292013.zip
- http://blog.dynamoo.com/2013/10/well...copy-spam.html
29 Oct 2013 - "These fake Wells Fargo spam messages have a malicious attachment:
Date: Tue, 29 Oct 2013 22:34:50 +0800 [10:34:50 EDT]
From: Wells Fargo [Emilio.Hendrix@ wellsfargo .com]
Subject: FW: Check copy
We had problems processing your latest check, attached is a image copy.
Emilio Hendrix
Wells Fargo Check Processing Services
817-576-4067 office
817-192-2390 cell Emilio.Hendrix@ wellsfargo .com
Wells Fargo Check Processing Services. 1 North Jefferson, St. Louis, MO 63103...
--------------------
Date: Tue, 29 Oct 2013 14:41:46 +0000 [10:41:46 EDT]
From: Wells Fargo [Leroy.Dale@ wellsfargo .com]
Subject: FW: Check copy
We had problems processing your latest check, attached is a image copy.
Leroy Dale
Wells Fargo Check Processing Services
817-480-3826 office
817-710-4624 cell Leroy.Dale@ wellsfargo .com
Wells Fargo Check Processing Services. 1 North Jefferson, St. Louis, MO 63103...
Attached is an executable file Copy_10292013.zip which contains an executable file Copy_10292013.exe which is (of course) malicious. Note that the date is encoded into the filenames, so future versions of this will vary. The VirusTotal detection rate is just 3/47*. Automated analysis... shows an attempted connection to allisontravels .com on 69.26.171.181 (Xeex Communications, US) which appears to be the only site currently on this server. I would recommend blocking one or both of these."
* https://www.virustotal.com/en-gb/fil...is/1383058267/
- http://threattrack.tumblr.com/post/6...heck-copy-spam
Oct 29, 2013 - "Subjects Seen:
FW: Check copy
Typical e-mail details:
We had problems processing your latest check, attached is a image copy...
Malicious File Name and MD5:
Copy_10292013.zip (E0D3B0A7BCCDD0AA79A1F81C79A83784)
Copy_10292013.exe (93CCC1B516EFC3365CECED8AE0B57EE2)
Screenshot: https://gs1.wac.edgecastcdn.net/8019...Faj1r6pupn.png
___
Something evil on 82.211.31.147
- http://blog.dynamoo.com/2013/10/some...221131147.html
29 Oct 2013 - "Still investigating this one, but 82.211.31.147 (IP-Projects, Germany) appears to be a completely rogue server hosting exploit kits and malware [1] [2]... domains and subdomains are associated with this IP address. I recommend blocking them, or more easily the IP address itself."
(Long list at the dynamoo URL above.)
1) http://urlquery.net/search.php?q=82....3-10-29&max=50
2) https://www.virustotal.com/en-gb/ip-...7/information/
___
CookieBomb toolkit ...
- http://community.websense.com/blogs/...b-toolkit.aspx
Oct 29, 2013 - "... source of this message is a spambot or script. When looked over with an experienced eye, it becomes apparent this email may just have come from the Kelihos botnet...
46.180.44.231
46.185.22.123
109.162.98.248
Malware evolution is not new: indeed, since the days of Dark Avenger’s polymorphic engine, the Mutation Engine (MtE), obfuscation and evasion have been commonplace within most, if not all malware families... in as little as 6 months, a simple tool for delivering Exploit Kits to end users has not only had its code radically altered, but has split into two distinct campaigns. One campaign is as mentioned above, infecting legitimate hosts via the exploitation of vulnerabilities; the other... piggybacking on the Kelihos Botnet, which is an incredibly sophisticated and effective spam platform, as a means of exposing end users to EKs via blatantly malicious domains. Whether this tool was exclusively rented by/to the BHEK team, or whether in fact it was coded by them, remains to be seen."
- https://www.virustotal.com/en/ip-add...1/information/
- https://www.virustotal.com/en/ip-add...8/information/
___
Suspect network: 69.26.171.176/28
- http://blog.dynamoo.com/2013/10/susp...617117628.html
29 Oct 2013 - "69.26.171.176/28 is a small network range suballocated from Xeex to the following person or company, which appears to have been compromised.
%rwhois V-1.5:0000a0:00 rwhois.xeex .com (by Network Connection Canada. V-1.0)
network:auth-area:69.26.160.0/19
network:network-name:69.26.171.176
network:ip-network:69.26.171.176/28
network:org-name:MJB Capital, Inc.
network:street-address:8275 South Eastern Avenue
network:city:Las Vegas
network:state:NV
network:postal-code:89123
network:country-code:US
network:tech-contact:Mark Bunnell
network:updated:2013-05-30 10:01:58
network:updated-by:noc@ xeex .com
network:class-name:network
There are three very recent Malwr reports involving sites in this range:
69.26.171.179 - bookmarkingbeast .com
- https://malwr.com/analysis/MDMwMGY2Z...AyYmFjMWRhMTU/
69.26.171.181 - allisontravels .com
- https://malwr.com/analysis/ZWE1NDQ0M...JhNDNlZjVjMzA/
69.26.171.182 - robotvacuumhut .com
- https://malwr.com/analysis/MDVlNjJkN...Y5ODRiNWVhM2I/
As a precaution, I would recommend temporarily blocking the whole range... other sites are also hosted in the same block, and if you are seeing unusual traffic going to them then I would suspect that it is a malware infection..."
(More domains listed at the dynamoo URL above.)
:mad: :fear::sad:
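As an added example (my own code, not from dynamoo, ThreatTrack or any of the blogs quoted in this thread), here is a Python attachment-triage routine for the zip-wrapped executables described in the posts above (Resume_LinkedIn.zip, Report_recipientname.zip, Copy_10292013.zip). It takes the point that the date is encoded into the filename and generalises it: the campaign names are matched with a pattern rather than a fixed string, a PE header is checked regardless of the icon or extension, and the member MD5 is compared against the hashes quoted in this thread. The zip and its payload are constructed in memory, and the regex and function names are my own assumptions.

```python
"""Attachment triage for zip-wrapped executables (added example, not from the
quoted blogs). The sample zip and payload are constructed here; the MD5 set is
the list of hashes quoted in this thread."""
import hashlib
import io
import re
import zipfile
from datetime import date

# MD5s quoted in the ThreatTrack/Webroot posts above, lower-cased.
KNOWN_BAD_MD5 = {
    "62f4a3dfe059e9030e2450d608c82899",  # Resume_LinkedIn.exe
    "5138b3b410a1da4cbc3fcc2d9c223584",  # Company_Report_10222013.exe
    "c277ea5a86f25ac0b704caf5832fc614",  # invoice_95836_10282013.exe
    "93ccc1b516efc3365ceced8ae0b57ee2",  # Copy_10292013.exe
}

# These campaigns encode the send date as MMDDYYYY in the name, so match the
# shape of the name rather than a fixed string (regex is an assumption).
DATED_NAME = re.compile(
    r"^(?:Report|Copy|FAX|Company_Report|invoice_\d+)_(\d{2})(\d{2})(\d{4})"
    r"(?:_\d{4})?\.(?:exe|scr|com|pif)$",
    re.IGNORECASE,
)
EXEC_EXT = re.compile(r"\.(?:exe|scr|com|pif|bat|cmd|js)$", re.IGNORECASE)


def triage_member(name: str, data: bytes, mail_date) -> dict:
    """Score one zip member. The spoofed PDF/Word icon is just a resource inside
    the PE, so the MZ check catches the file no matter what the icon shows."""
    reasons = []
    if data[:2] == b"MZ":
        reasons.append("pe-header")
    if EXEC_EXT.search(name):
        reasons.append("executable-extension")
    m = DATED_NAME.match(name)
    if m:
        reasons.append("campaign-name-pattern")
        mm, dd, yyyy = (int(x) for x in m.groups())
        try:
            if date(yyyy, mm, dd) == mail_date:
                reasons.append("filename-date-matches-send-date")
        except ValueError:
            pass  # not a real date; the pattern hit already counts
    md5 = hashlib.md5(data).hexdigest()
    if md5 in KNOWN_BAD_MD5:
        reasons.append("known-md5")
    return {"name": name, "md5": md5, "reasons": reasons,
            "verdict": "block" if reasons else "pass"}


def triage_zip(zip_bytes: bytes, mail_date) -> list:
    """Triage every member of an attachment zip (nested zips are not expanded here)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [triage_member(i.filename, zf.read(i), mail_date) for i in zf.infolist()]


def build_sample_zip() -> bytes:
    """Constructed sample: a fake PE stub named like the Wells Fargo lure, plus a harmless text file."""
    fake_pe = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 200
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Copy_10292013.exe", fake_pe)
        zf.writestr("readme.txt", b"nothing to see here\n")
    return buf.getvalue()


def sample_findings(mail_date=date(2013, 10, 29)) -> list:
    """Run the triage over the constructed sample with the lure's send date."""
    return triage_zip(build_sample_zip(), mail_date)


if __name__ == "__main__":
    for f in sample_findings():
        print(f["verdict"], f["name"], f["md5"], ",".join(f["reasons"]))
```

The MD5 match is the weakest of the four signals: every one of these campaigns re-packs the executable daily, which is why the hashes quoted in this thread change from post to post while the naming scheme and the MZ-behind-a-document-icon trick stay the same.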
Fake eFax message SPAM, Something evil on 144.76.207.224/28 ...
FYI...
Fake eFax message SPAM / bulkbacklinks .com and Xeex .com
- http://blog.dynamoo.com/2013/10/corp...sage-spam.html
30 Oct 2013 - "... do people really fall for this "Corporate eFax message" spam? Apparently people do because the spammers keep sending it out.
Date: Wed, 30 Oct 2013 23:33:23 +0900 [10:33:23 EDT]
From: eFax Corporate [message@ inbound . efax.com]
Subject: Corporate eFax message from "673-776-6455" - 2 pages
Fax Message [Caller-ID: 673-776-6455] You have received a 2 pages fax at 2013-30-10
02:22:22 CST.* The reference number for this fax is
latf1_did11-1995781774-8924188505-39.View this fax using your PDF reader.Please visit
www .eFax .com/en/efax/twa/page/help if you have any questions regarding this message or
your service.Thank you for using the eFax service..
-----------------------
Date: Wed, 30 Oct 2013 10:04:50 -0500 [11:04:50 EDT]
From: eFax Corporate [message@ inbound .efax.com]
Subject: Corporate eFax message from "877-579-4466" - 5 pages
Fax Message [Caller-ID: 877-579-4466] You have received a 5 pages fax at 2013-30-10
05:55:55 EST.* The reference number for this fax is
latf1_did11-1224528296-8910171724-72.View this fax using your PDF reader.Please visit
www .eFax .com/en/efax/twa/page/help if you have any questions regarding this message or
your service.Thank you for using the eFax service...
Attached to the message is a file FAX_10302013_1013.zip which in turn contains FAX_10302013_1013.exe (although the date is encoded into the filename so your version may be different) which has an icon that makes it look like a PDF file. This has a very low detection rate at VirusTotal of just 1/46*. Automated analysis tools... show an attempted connection to a domain bulkbacklinks .com on 69.26.171.187. This is part of the same compromised Xeex address range... Xeex have not responded to notifications of a problem (apart from an AutoNACK). I recommend that you treat the entire 69.26.171.176/28 range as being malicious and you should block according to this list**."
* https://www.virustotal.com/en-gb/fil...is/1383148137/
** http://blog.dynamoo.com/2013/10/susp...617117628.html
___
Something evil on 144.76.207.224/28
- http://blog.dynamoo.com/2013/10/some...620722428.html
30 Oct 2013 - "The network block 144.76.207.224/28 is currently hosting the Magnitude exploit kit (example report*)... This is a Hetzner IP range... Domains hosted on this range include the following, ones in bold are flagged by Google as being malicious (Long list - see the dynamoo URL above)... I would recommend blocking all those domains plus the 144.76.207.224/28 range. Sphere Ltd seem to have some quite big operations in Russia. For information only, these are the other IP address ranges (Also listed at the dynamoo URL above)..."
* http://urlquery.net/report.php?id=7281185
:mad: :fear::fear:
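As an added example (my own code, not dynamoo's or Websense's), here is how the block recommendations in this thread can be turned into detection logic: the quoted IPs and the two /28 ranges (69.26.171.176/28 and 144.76.207.224/28) go into a CIDR list, the quoted domains into a name list that also catches their subdomains, and a few constructed access-log lines are scanned against both. The log format, the function names and the iptables wrapper are assumptions; the IOCs are the ones quoted in the posts above.

```python
"""Blocklist matching for the IPs, ranges and domains recommended for blocking
in this thread (added example, not from the quoted blogs). The access-log lines
are constructed; the IOCs are those quoted in the posts above."""
import ipaddress
import re

BLOCK_RANGES = [ipaddress.ip_network(n) for n in (
    "64.50.166.122/32",    # homevisitor.co.uk (Lunarpages)
    "38.102.226.14/32",    # det0nator.com C&C
    "173.203.199.241/32",  # www.baufie.com (Rackspace)
    "96.126.102.8/32",     # steelhorsecomputers.net (Linode)
    "82.211.31.147/32",    # IP-Projects rogue server
    "69.26.171.176/28",    # Xeex / MJB Capital range
    "144.76.207.224/28",   # Hetzner range hosting Magnitude
)]

# Registrable names quoted in the posts; subdomains are matched automatically.
BLOCK_DOMAINS = {
    "homevisitor.co.uk", "det0nator.com", "baufie.com", "steelhorsecomputers.net",
    "kaindustries.comcastbiz.net", "naturesfinest.eu", "winklersmagicwarehouse.com",
    "8353333.com", "allisontravels.com", "bookmarkingbeast.com", "robotvacuumhut.com",
    "bulkbacklinks.com", "networksecurityx.hopto.org", "suppereasy.jimdo.com",
}


def domain_blocked(host: str) -> bool:
    """True if host is a listed name or a subdomain of one. The reverse is never
    done: one bad label under hopto.org does not make the whole dynamic-DNS zone bad."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in BLOCK_DOMAINS for i in range(len(labels)))


def ip_blocked(ip: str) -> bool:
    """True if ip falls inside any listed host or range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in BLOCK_RANGES)


# Constructed log format (assumption): "<epoch> <client_ip> <dest_host> <dest_ip>"
LOG_RE = re.compile(r"^(?P<ts>\d+) (?P<client>\S+) (?P<host>\S+) (?P<dst>\S+)")


def scan_log(lines):
    """Return (client, host, dst_ip, reasons) for every line that touches an IOC.
    Both name and address are checked, so a hit survives the domain moving IP
    or the IP being reached via some other name on the same compromised box."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = []
        if domain_blocked(m["host"]):
            reasons.append("domain")
        if ip_blocked(m["dst"]):
            reasons.append("ip")
        if reasons:
            hits.append((m["client"], m["host"], m["dst"], reasons))
    return hits


def iptables_rules(chain: str = "FORWARD"):
    """Egress drop rules, one per listed network (the /32 entries stay as /32)."""
    return [f"iptables -I {chain} -d {net.with_prefixlen} -j DROP" for net in BLOCK_RANGES]


# Constructed sample lines: one in the Xeex range by name and address, one by
# address only, one subdomain of a listed name, and two clean lines.
SAMPLE_LOG = """\
1383058267 10.0.0.5 allisontravels.com 69.26.171.181
1383058270 10.0.0.5 www.example.com 203.0.113.10
1383058301 10.0.0.9 cdn.example.net 69.26.171.190
1383058333 10.0.0.7 files.networksecurityx.hopto.org 198.51.100.4
1383058340 10.0.0.7 other.hopto.org 198.51.100.5
"""

if __name__ == "__main__":
    for client, host, dst, reasons in scan_log(SAMPLE_LOG.splitlines()):
        print(client, "->", host, dst, ",".join(reasons))
    print("\n".join(iptables_rules()))
```

The third constructed line is the case dynamoo is pointing at: a name nobody has listed yet, resolving into 69.26.171.176/28, is exactly the "unusual traffic going to them" that should be treated as a probable infection rather than waited on for a domain IOC.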
Rogue Ads in Yahoo lead to Sirefef Infection
FYI...
Rogue Ads in Yahoo lead to Sirefef Infection
- http://www.threattracksecurity.com/i...fef-infection/
Oct 30, 2013 - "Our researchers in the AV Labs are continuing to see fake software being served on unfamiliar sponsored links or ads found in search results. Recently, we found an ad for a fake browser on Yahoo! after doing a search for “google chrome browser”.
> http://www.threattracksecurity.com/i...-search-ad.png
Clicking the first ad we highlighted above leads users to the website, softpack(dot)info/chrome/:
> http://www.threattracksecurity.com/i...hrome-page.png
Below this page are texts that read as follows:
> http://www.threattracksecurity.com/i...section-wm.png
... In case you’re not familiar, rogue sites like this usually serve free-to-download software that are modified to install adware. In this case, Google_Chrome_30.0.1599.69.exe, the -fake- browser file, is wholly malicious and belongs to the Sirefef/ZeroAccess malware family. We were able to retrieve two variants of this file...
MD5 9111ebfbf015c3096f650060819f744b – detected as Trojan.Win32.Generic!SB.0 (15/47*)
MD5 60a0e64fec6b5e509b666902e72833ea – detected as Trojan.Win32.Generic.pak!cobra (7/47**)
... We fed the files into our sandbox and found that -both- variants -disable- Windows security features and prevent the OS from updating automatically. Infected systems, especially those that run outdated software and have no added security software in place, face the risk of further infection from other malware. Users are advised to be careful in clicking ads for free software. It is still safer for you... to visit -official- pages of the software you wish to download and install onto your system. You may also consider installing AdBlock Plus***, software that can be installed in the browser to prevent ads from appearing on sites while you surf..."
* https://www.virustotal.com/en/file/f...is/1383072130/
** https://www.virustotal.com/en/file/c...ffbd/analysis/
*** https://addons.mozilla.org/en-US/fir.../adblock-plus/
:mad: :fear::fear:
Fake Snapchat install leads to Adware
FYI...
Fake Snapchat install leads to Adware
- http://www.threattracksecurity.com/i...-leads-adware/
Nov 1, 2013 - "Our Labs recently identified numerous files claiming to be Snapchat.exe, which is a popular photo messaging application. These files were most assuredly not Snapchat, so we were curious to find out what was going on. As it turns out, a quick search in Bing brings forth answers:
> http://www.threattracksecurity.com/i...optimum-ad.png
The very first entry under the search is an ad, leading to videonechat(dot)com.
> http://www.threattracksecurity.com/i...chatdorgem.jpg
The website simultaneously talks about installing Snapchat, while listing the program as “Dorgem” in small letters in the grey box on the top right hand side. At this point, you might want to take a wild guess as to whether you’re going to end up with Snapchat, a hugely popular and current application, or a now discontinued webcam capture program called -Dorgem- which has been bundled with programs you likely don’t need... The install offers up a number of ad serving programs, media players and additional software offered up with no relation to Snapchat whatsoever. During testing, we saw Realplayer, GreatArcadeHits, Optimizer Pro, Scorpion Saver and Word Overview...
> http://www.threattracksecurity.com/i...dge-snap-7.png
Legitimate programs being bundled with Adware is a common enough tactic, but this is an Optimum Installer bundle where a website serves as clickbait for a deliberately misrepresented app – you most definitely do not get what you’re promised in return for installing numerous pieces of ad-serving software. Don’t fall for this one. VirusTotal pegs this one at 6/47*..."
* https://www.virustotal.com/en/file/3...is/1383232536/
___
Email Quota Limit Credentials Phish
- http://threattrack.tumblr.com/post/6...dentials-phish
Nov 1, 2013 - "Subjects Seen:
Email Quota Limit
Typical e-mail details:
Your mailbox has exceeded the storage limit, you may not be able to send or receive new mail until you re-validate your mailbox mail with the link below.
System Administrator
Malicious URLs
suppereasy.jimdo .com
Screenshot: https://gs1.wac.edgecastcdn.net/8019...Ia01r6pupn.png
:mad: :fear:
Ads lead to SpyAlertApp PUA ...
FYI...
Ads lead to SpyAlertApp PUA ...
- http://www.webroot.com/blog/2013/11/...d-application/
Nov 1, 2013 - "... They promise users the moon, and only ask in return that users install a basic free application. Case in point, our sensors picked up yet another deceptive ad campaign that entices users into installing privacy violating applications, most commonly known as PUAs...
Sample screenshots of the landing page:
> https://www.webroot.com/blog/wp-cont...n-896x1024.png
Landing URL: spyalertapp .com
Detection rate for the SpyAlertApp PUA: MD5: 183cf05e8846a18dab9850ce696c3bf3 * ... Win32/ExFriendAlert.B; SearchDonkey (fs)
Once executed, it phones back to 66.135.34.182 and 66.135.34.181 ... PUA MD5s are known to have phoned back to these IPs... Want to know who’s tracking your online activities? We advise you to give Mozilla’s Lightbeam** a try."
* https://www.virustotal.com/en/file/5...is/1382979505/
** http://www.mozilla.org/en-US/lightbeam/
- https://www.virustotal.com/en/ip-add...1/information/
- https://www.virustotal.com/en/ip-add...2/information/
:mad: :fear: