Fake Apple email Phish Scam-SPAM ...
FYI...
Fake Apple Account 'Update to New SSL Servers' Phishing Scam/SPAM
- http://www.hoax-slayer.com/apple-new...ing-scam.shtml
Jan 21, 2014 - "Email purporting to be from Apple claims that the user's online access has been blocked because customers are required to update their information in order to use new ssl servers... The email is not from Apple. It is a phishing scam designed to trick recipients into giving their Apple account details and other personal and financial information to Internet criminals.
> http://www.hoax-slayer.com/images/ap...ers-scam-1.jpg
... According to an email that -appears- to come from Apple, the recipient's Apple account has been blocked until account information is updated. The email claims that Apple is implementing new SSL servers to increase customer protection and therefore all customers need to update their details or risk suspension of their accounts. The email includes a link to the "account update process". However, the message is -not- from Apple and the claim that users must update their details is a lie. Instead, the email is a phishing scam designed to steal Apple IDs and a large amount of other personal and financial information. Those who fall for the trick and click the update link in the email will be taken to a fake Apple login page as shown in the following screenshot:
> http://www.hoax-slayer.com/images/ap...ers-scam-3.jpg
... be wary of any message purporting to be from Apple that claims there is an issue with your account that needs to be rectified or you are required to perform an account update..."
... as in: DELETE.
___
Data-stealing malware targets Mac users in "undelivered courier item" attack
- http://nakedsecurity.sophos.com/2014...r-item-attack/
Jan 21, 2014 - "... you receive an email that claims to be a courier company that is having trouble delivering your article. In the email is a link to, or an attachment containing, what purports to be a tracking note for the item. You are invited to review the relevant document and respond so that delivery can be completed. We've seen a wide variety of courier brands "borrowed" for this purpose, including DHL, the UK's Royal Mail and even, in one bewildering case, a made-up courier company called TNS24, with its very own website... Here's what the emails looked like in this attack, with some details changed or redacted for safety:
> http://sophosnews.files.wordpress.co...ng?w=500&h=446
If you are a native speaker of English, you will notice that the wording of the email is clumsy and unidiomatic, and if you were to receive a message like this you might well be suspicious on those grounds alone... The link, of course, doesn't really lead to fedex .com .ch, but instead takes you to a domain name that is controlled by the attackers... If you are using a desktop browser that isn't Safari, you receive a ZIP file containing a Windows program detected by Sophos Anti-Virus as Mal/VBCheMan-C, a vague relative of the Zbot or Zeus malware. But if you are using Safari, you receive Mac malware, delivered as an Application bundle packaged inside a ZIP file. By default, on OS X 10.9.1 (the latest update to Mavericks, Apple's most recent operating system version), Safari directly downloads the file, showing you an -empty- Safari window with the icon of the downloaded file in the Dock at the bottom of the screen:
> http://sophosnews.files.wordpress.co...ng?w=500&h=376
Clicking on the download button shows you what -looks- like a PDF file... There is no PDF file, as a visit to the Terminal window quickly reveals. Safari has automatically unzipped the download, producing an Application bundle (actually just a subdirectory tree with a special structure) that has deliberately been given a PDF icon... the temptation is to click on what looks like a PDF file to see what it contains. OS X does try to advise you that you aren't opening a document, although you can argue that the warning would be more compelling if it explicitly said that you were about to "run a software program", rather than merely to "open" the file... prevention is better than cure. And that "undelivered courier item" almost certainly doesn't exist."
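The link-text-versus-destination trick described above (a link that reads like fedex .com .ch but goes to an attacker-controlled domain) is something a mail gateway or a cautious reader can check mechanically. The following is an added example, not code from Sophos or from this post: it parses the anchors out of an HTML e-mail body and flags every link whose visible text names a different host than its href. The sample body, the hostnames in it and the two-label domain comparison are my own assumptions.

```python
"""Flag HTML e-mail links whose visible text names one host but whose href
points at another. Added example, not code from Sophos or the forum post;
the sample e-mail body below is constructed for illustration."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: two links show one domain but lead somewhere else,
# one is an ordinary plain-language link and is left alone.
SAMPLE_EMAIL_HTML = """
<p>Your parcel could not be delivered. Review the tracking note:</p>
<a href="http://tracking-update.example.net/item/8831">http://www.fedex.com/track/8831</a>
<p>Or <a href="https://www.fedex.com/">visit our website</a>.</p>
<a href="http://198.51.100.7/login">https://www.apple.com/account</a>
"""

_LOOKS_LIKE_HOST = re.compile(r"[a-z0-9-]+(\.[a-z0-9-]+)*\.[a-z]{2,}")


def _host(url):
    """Return the lowercase hostname of a URL (or bare domain), '' if none."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def _registrable(host):
    """Crude 'last two labels' comparison so www.fedex.com == fedex.com.
    Assumption: adequate for this demo; real code would use a public-suffix list."""
    return ".".join(host.split(".")[-2:])


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def find_mismatched_links(html):
    """Return [(visible_text, href)] for links whose visible text looks like a
    URL or domain but names a different host than the href actually goes to."""
    parser = _LinkCollector()
    parser.feed(html)
    mismatches = []
    for href, text in parser.links:
        shown = _host(text) if " " not in text else ""
        if not shown or not _LOOKS_LIKE_HOST.fullmatch(shown):
            continue  # plain-language link text: nothing to compare against
        if _registrable(shown) != _registrable(_host(href)):
            mismatches.append((text, href))
    return mismatches


if __name__ == "__main__":
    for text, href in find_mismatched_links(SAMPLE_EMAIL_HTML):
        print(f"MISMATCH: shows {text!r} but goes to {href!r}")
```

Run against the sample body this reports the fedex.com and apple.com links as mismatches and says nothing about "visit our website", because plain-language anchor text makes no claim about the destination. The same comparison is what the browser status bar shows on hover; automating it is what lets a gateway reject the message before a user ever hovers.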
___
Something evil on 5.254.96.240 and 185.5.55.75
- http://blog.dynamoo.com/2014/01/some...-18555575.html
21 Jan 2014 - "This malware attack appears to be aimed at German speakers, and is presumably spreading through spam although I don't have a sample of the email message. What I -do- have is a nasty EXE-in-ZIP payload that masquerades as a bill or other communication from Deutsche Telekom, Vodafone, Fiducia or Volksbank. URLquery shows one such download in this example*, the victim has been directed to [donotclick]gf-58 .ru/telekom_deutschland which in turn downloads a ZIP file Rechnungsruckstande_9698169830015295.zip which in turn contains a malicious executable Mitteilung, Rechnungsruckstande 9901169820005294 Telekom Deutschland GmbH vom Januar 2014.exe which has a VirusTotal detection rate of 7/48**.
> https://lh3.ggpht.com/-icNtor0_pdM/U...00/telekom.png
The malware is downloaded from a server at 5.254.96.240 (Voxility, Romania). Sample URLs on this server according to URLquery*** and VirusTotal****... The Anubis report and ThreatExpert report show that the malware calls home to dshfyyst .ru on 185.5.55.75 (UAB "Interneto vizija", Lithuania). There are some other suspect sites on the same server which may be worth blocking (see below). All these sites are .ru domains registered to the infamous "Private Person" so there are no clues as to their ownership.
Recommended blocklist:
5.254.96.240
gf-58 .ru
uiuim .ru
okkurp .ru
gdevseesti .ru
goodwebtut .ru
mnogovsegotut .ru
185.5.55.75
gossldirect .ru
dshfyyst .ru ..."
* http://urlquery.net/report.php?id=8907792
** https://www.virustotal.com/en-gb/fil...is/1390310958/
*** http://urlquery.net/search.php?q=5.2...4-01-21&max=50
**** https://www.virustotal.com/en-gb/ip-...0/information/
Update: this appears to be Cridex aka Feodo: http://www.abuse.ch/?p=6713
:mad: :fear:
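A blocklist like the one above is only useful once the defanged forms the blog publishes ("gf-58 .ru", "[donotclick]dshfyyst .ru") are turned back into matchable strings and run against proxy and DNS logs. This added example, not Dynamoo's or the forum's code, does exactly that in Python: it refangs the indicators, separates IPs from domains, and reports every log line that touches one of them (a domain also matches its subdomains, an IP must match exactly). The blocklist is the one quoted above; the log lines and their squid/DNS-style format are constructed for illustration.

```python
"""Refang published indicators and match them against log lines.
Added example, not the blog's or the forum's own code. PUBLISHED_BLOCKLIST
is the list quoted in the post above; SAMPLE_LOGS is constructed."""
import ipaddress
import re

# Defanged indicators exactly as published in the post above.
PUBLISHED_BLOCKLIST = """
5.254.96.240
gf-58 .ru
uiuim .ru
okkurp .ru
gdevseesti .ru
goodwebtut .ru
mnogovsegotut .ru
185.5.55.75
gossldirect .ru
[donotclick]dshfyyst .ru
"""

# Constructed sample log lines: three squid-style proxy entries and two DNS queries.
SAMPLE_LOGS = """
1390300001.123 200 10.0.0.15 TCP_MISS/200 GET http://gf-58.ru/telekom_deutschland - DIRECT/5.254.96.240
1390300002.456 200 10.0.0.22 TCP_MISS/200 GET http://www.example.com/index.html - DIRECT/93.184.216.34
1390300003.789 dns 10.0.0.31 query A dshfyyst.ru
1390300004.000 dns 10.0.0.31 query A notgf-58.ru
1390300005.321 200 10.0.0.40 TCP_MISS/200 GET http://185.5.55.75/gate.php - DIRECT/185.5.55.75
"""


def refang(indicator):
    """Turn a defanged indicator back into a usable domain or IP string."""
    s = indicator.strip().lower()
    s = re.sub(r"^\[donotclick\]", "", s)   # Dynamoo's "do not click" prefix
    s = s.replace("[.]", ".").replace("(.)", ".")
    s = re.sub(r"^hxxps?://", "", s)
    s = re.sub(r"\s*\.\s*", ".", s)          # "gf-58 .ru" -> "gf-58.ru"
    return s


def load_blocklist(text):
    """Return (set of domain strings, set of ipaddress objects) from published text."""
    domains, ips = set(), set()
    for line in text.splitlines():
        if not line.strip():
            continue
        ioc = refang(line)
        try:
            ips.add(ipaddress.ip_address(ioc))
        except ValueError:
            domains.add(ioc)
    return domains, ips


# Anything that looks like a dotted hostname or a dotted-quad IPv4 address.
_HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,}|\d{1,3}(?:\.\d{1,3}){3})\b")


def matches(line, domains, ips):
    """Return the blocklist indicators this log line hits."""
    hits = set()
    for token in _HOST_RE.findall(line.lower()):
        try:
            if ipaddress.ip_address(token) in ips:
                hits.add(token)
            continue                          # it was an IP: no domain check
        except ValueError:
            pass
        for d in domains:
            if token == d or token.endswith("." + d):
                hits.add(d)
    return hits


def scan_logs(text, blocklist_text):
    """Return [(line, sorted hits)] for every log line that matches the blocklist."""
    domains, ips = load_blocklist(blocklist_text)
    results = []
    for line in text.splitlines():
        if line.strip():
            h = matches(line, domains, ips)
            if h:
                results.append((line, sorted(h)))
    return results


if __name__ == "__main__":
    for line, hits in scan_logs(SAMPLE_LOGS, PUBLISHED_BLOCKLIST):
        print(hits, "<-", line)
```

The "notgf-58.ru" query is deliberately in the sample: a naive substring search would flag it, while the suffix-aware comparison used here does not. Matching is done on the blocklist as written, so the caveat in the post applies unchanged: these are the indicators seen on one day, and a hit is a reason to investigate the host, not proof of infection on its own.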
Fake "Legal Business Proposal" SPAM ...
FYI...
Fake "Legal Business Proposal" SPAM ...
- http://blog.dynamoo.com/2014/01/lega...-spam-has.html
23 Jan 2014 - "This email looks like it should be an advanced fee fraud, but instead it comes with a malicious attachment. I love the fact that this is a Legal Business Proposal as opposed to an Illegal one.
Date: Thu, 23 Jan 2014 12:45:11 +0000 [07:45:11 EST]
From: Webster Bank [WebsterWeb-LinkNotifications@ WebsterBank .com]
Subject: Legal Business Proposal
Hello, I'm Norman Chan Tak-Lam, S.B.S., J.P, Chief Executive, Hong Kong Monetary Authority (HKMA).
I have a Business worth $47.1M USD for you to handle with me.
Detailed scheme of business can be seen in the attached file.
Attached is a file business-info.zip which in turn contains a malicious executable business-info.exe with a VirusTotal detection rate of 16/49*. Automated analysis tools... show attempted connections to dallasautoinsurance1 .com on 38.102.226.239 and wiwab .com on 38.102.226.82. Both those IPs are Cogent Communications ones that appear to be rented out to a small web hosting firm called HostTheName .com. For information only, that host has these other IPs in the same range:
38.102.226.82
38.102.226.5
38.102.226.7
38.102.226.10
38.102.226.12
38.102.226.14
38.102.226.17
38.102.226.19
38.102.226.21 "
* https://www.virustotal.com/en-gb/fil...is/1390482190/
- https://www.virustotal.com/en/ip-add...2/information/
___
Mint.Com.Uk 'Minimum Credit Card Payment Due' Phish
- http://www.hoax-slayer.com/mint-cred...phishing.shtml
Jan 23, 2014 - "Message, which pretends to be from UK based credit card provider Mint, claims that the recipient's minimum credit card payment is due and advises that the latest bill can be found in an attached file. The email is -not- from Mint. It is a -phishing- scam designed to trick recipients into divulging their account login details to cybercriminals... According to this message, which purports to be from UK credit card provider Mint, the recipient's minimum credit card payment is now due. The message instructs the recipient to open an attached file to view the latest Mint credit card bill. However, the email is not from Mint and the attachment does not contain a credit card bill. Instead, the email is a typical phishing scam designed to trick Mint customers into giving account login details to cybercriminals. Those taken in by the email will find that clicking the attachment loads a html file in their browser. The file contains a link supposedly leading to the credit card bill. However, clicking the link opens a fraudulent website that asks users to supply their account login details, ostensibly to access the "bill". However, users will never reach the supposed bill. They have instead sent their account login details to criminals who can then use it to hijack their accounts, steal information therein, and conduct further fraud..."
___
Gateway.gov.uk Spam
- http://threattrack.tumblr.com/post/7...ay-gov-uk-spam
Jan 23, 2014 - "Subjects Seen:
Your Online Submission for Reference 435/GB1678208 Could not process
Typical e-mail details:
The submission for reference 435/GB1678208 was successfully received and was not processed.
Check attached copy for more information.
Malicious File Name and MD5:
GB1678208.zip (1BD4797C93A4837777397CE9CB13FC8C)
GB001231401.exe (05FB8AD05E87E12F5E6E4DAE20168194)
Screenshot: https://31.media.tumblr.com/efe7c609...hEd1r6pupn.png
Tagged: UK Government, Upatre
:fear: :mad:
Fake Customer Service malware Emails ...
FYI...
Fake 'Customer Service Center' malware Emails
- http://www.hoax-slayer.com/customer-...e-emails.shtml
Jan 24, 2014 - "Email claiming to be from the "Customer Service Center" informs recipients that an order has been received and invites them to click a link to find out more about the order.
Brief Analysis: The email is not from any legitimate customer service center. The email is designed to trick users into installing a malicious file on their computer. Clicking the link in the email downloads a .zip file that contains a malware .exe file...
Example:
Subject: Customer Service Center
Hello, Customer
We have got your order and we will process it for 3 days.
You can find specification of the order:
[Link to .zip file removed]
Best regards
Customer Service Center
... The message makes no effort to identify either the company that supposedly sent the message or the product that the recipient supposedly ordered. The message is fraudulent and was not sent by any legitimate customer service center. The goal of the criminals who sent the email is to trick the recipient into downloading and installing malware... Details in different incarnations of the malware emails may vary. Some may claim to be from the "Client Management Department" rather than the "Customer Service Center"..."
___
Fake Amazon Local Spam
- http://threattrack.tumblr.com/post/7...zon-local-spam
Jan 24, 2014 - "Subjects Seen:
Fwd: Your order report id 2531
Typical e-mail details:
Hi,
Thank you for your order. We'll let you know once your item(s) have dispatched. You can check the status of your order or make changes to it by visiting Your Orders on Amazon.com.
Order Details
Order DA6220062 Placed on December 11, 2013
Order details and invoice in attached file.
Malicious File Name and MD5:
report.creditcard2735.zip (333794D9592CE296A6FE15CDF58756EA)
report.9983.exe (3B81614E62963AC5336946B87F9487FE)
Screenshot: https://31.media.tumblr.com/747295f5...SLW1r6pupn.png
Tagged: Amazon Local, Androm
:fear: :mad:
Fake "MVL Company" job offer
FYI...
Fake "MVL Company" job offer
- http://blog.dynamoo.com/2014/01/mvl-...job-offer.html
25 Jan 2014 - "This job offer is a -fake- and in reality probably involves money laundering or handling stolen goods:
From: Downard Bergstrom [downardkrjbergstrom@ outlook .com]
Subject: Longmore
Date: Fri, 24 Jan 2014 18:52:49 +0000
Hello,
Today our Company, MVL Company, is in need of sales representatives in United Kingdom.
Our Company deals with designer goods and branded items. We've been providing our customers with exclusive products for more than five years, and we believe that the applicant for the position must have great communication skills, motivation, desire to earn money and will to go up the ladder. All charges related to this opening are covered by the Company. Your main duties include administrative support on orders and correspondence, controlling purchase orders and expense reports.
Part-time job salary constitutes 460GBP a week.
Full-time job is up to 750GBP per week .
Plus we have bonus system for the best workers!
To apply for the vacancy or to get more details about it, please email us directly back to this email.
Hope to hear from you soon!
Best regards,
Downard Bergstrom
The spam is somewhat unusual in that it addresses me by my surname, indicating that the email data might have been stolen from a data breach (Adobe perhaps). The email originates from a free Microsoft Outlook .com account and gives no clues as to its real origins. A look at Companies House Webcheck confirms that there is no company of this exact name, although there are several innocent companies with similar names.
Avoid."
:fear: :mad:
Fake Voice Message contains trojan in attachment
FYI...
Fake Voice Message contains trojan in attachment
- http://blog.mxlab.eu/2014/01/27/voic...ched-zip-file/
Jan 27, 2014 - "... intercepted a new trojan distribution campaign by email with the subject Voice Message from Unknown (xxx-xxx-xxxx) – where x is replaced by a phone number. This email is sent from the spoofed address “Unity Messaging System <Unity_UNITY5@ xxx .xxx>” and has the following very short body (where x is replaced by phone number):
From: xxx-xxx-xxxx
The attached ZIP file has the name VoiceMail.zip and contains the 18 kB large file VoiceMail.exe. At the time of writing, 0 of the 50 AV engines did detect the trojan at Virus Total. Use the Virus Total* permalink and Malwr** permalink for more detailed information..."
* https://www.virustotal.com/en/file/e...6fba/analysis/
** https://malwr.com/analysis/ZjU0NzBlZ...FjMGMxOTBkMmM/
___
Fake "Carnival Cruise Line Australia" job offer
- http://blog.dynamoo.com/2014/01/carn...-fake-job.html
27 Jan 2014 - "This -fake- job offer does NOT come from Carnival Cruise lines:
From: Mrs Vivian Mrs Vivian carnjob80@ wp .pl
Date: 27 January 2014 09:59
Subject: JOB ID: AU/CCL/AMPM/359/14-00
Signed by: wp.pl
Carnival Cruise Line Australia
15 Mount Street North Sydney
NSW 2060, Australia
Tel (2) 8424 88000
http ://www .carnival .com .au/
http ://www .carnivalaustralia .com/
carnivalcareer@ globomail .com
JOB ID: AU/CCL/AMPM/359/14-00
What is your idea of a great career? Is it a job that allows you to travel to beautiful destinations on a spectacular floating resort, being part of a multi-cultural team with co-workers from more than 120 different nationalities? Or is it a job that allows you to earn great money while you learn, grow and fulfill your dreams and career ambitions?
It’s Carnival Cruise Line policy not to discriminate against any employee or applicant for employment because of RACE, COLOR, RELIGION, SEX, NATIONAL ORIGIN, AGE, DISABILITY, MARITAL OR VETERAN STATUS.
PLEASE NOTE THESE FOLLOWING:
Employment Type: Full-Time/Part-Time
Salary: USD $45,000/ USD $125,000 per annual
Preferred Language of Resume/Application: English
Type of work: Permanent / Temporary
Status: All Vacancies
Job Location: Australia
Contract Period: 6 Months, 1 Year, 2 Years and 3 Years
Visa Type: Three Years working permit
The management will secure a visa/working permit for any qualified applicant. VISA FEE, ACCOMMODATION & FLIGHT TICKET will be paid by the company
We have more than 320 different positions available, interested applicants should forward their RESUME/CV or application letter to Mrs Vivian Oshea via email on (carnivalcareer@ globomail .com) so we can forward the list of positions available and our employment application form
Email: carnivalcareer@ globomail .com
Note: Applicants from AMERICA, EUROPE, ASIAN, CARIBBEAN and AFRICA can apply for these vacancies.
Regards
Management
Carnival Cruise Line Australia
carnivalcareer@ globomail .com
Despite the appearance of Carnival's actual web sites in the email, the reply address is NOT a genuine Carnival address and is instead a free email account. The email actually originates from 212.77.101.7 in Poland. The basic idea behind this scam is to offer a job and then charge the applicant for some sort of processing fees or police check or come up with some other reason why the applicant needs to pay money. Once the money has been taken (and perhaps even the victim's passport or other personal documents stolen) then the job offer will evaporate. More information on this type of scam can be found here* and here**."
* http://www.cruiseshipjobs.com/cruise-ship-job-scams.htm
** http://www.hoax-slayer.com/disney-cr...fer-scam.shtml
___
Fake "Your FED TAX payment" SPAM
- http://blog.dynamoo.com/2014/01/your...ment-spam.html
27 Jan 2014 - "This -fake- "Tax payment" spam comes with a malicious attachment:
Date: Mon, 27 Jan 2014 14:24:42 +0100 [08:24:42 EST]
From: "TaxPro_PTIN@ irs .gov" [TaxPro_PTIN@ irs .gov]
Subject: Your FED TAX payment ( ID : 34KIRS821217111 ) was Rejected
*** PLEASE DO NOT RESPOND TO THIS EMAIL ***
Your federal Tax payment (ID: 34KIRS821217111), recently sent from your checking account was returned by the your financial institution.
For more information, please download notification, using your security PIN 55178.
Transaction Number: 34KIRS821217111
Payment Amount: $ 9712.00
Transaction status: Rejected
ACH Trace Number: 768339074172506
Transaction Type: ACH Debit Payment-DDA
Internal Revenue Service, Metro Plex 1, 8401 Corporate Drive, Suite 300, Landover, MD 20785.
Screenshot: https://lh3.ggpht.com/-UNIXkf1KrEo/U.../s1600/irs.png
Attached is a file Tax payment.zip which in turn contains a malicious executable Tax payment.exe which has a VirusTotal detection rate of 11/50*. Automated analysis by Malwr is inconclusive, other analysis tools are currently down or under DDOS at the moment.
* https://www.virustotal.com/en-gb/fil...is/1390837447/
___
TNT Courier Service Spam
- http://threattrack.tumblr.com/post/7...r-service-spam
Jan 27, 2014 - "Subjects Seen:
TNT UK Limited - Package tracking 525933498011
Typical e-mail details:
TNT COURIER SERVICE (TCS)
Customer/Delivery Services Department
Central Pk Est/Mosley Rd, Trafford Park
Manchester, M17 1TT UK.
DETAILS OF PACKAGE
Reg order no: 525933498011
Your package have been picked up and is ready for dispatch.
Connote # : 525933498011
Service Type : Export Non Documents - Intl
Shipped on : 25 Jan 13 00:00
Order No : 4134172
Status : Driver’s Return Description : Wrong Address
Service Options: You are required to select a service option below.
The options, together with their associated conditions
Malicious File Name and MD5:
Label_525933498011.zip (58985CC9AA284309262F4E59BC36E47A)
Label_27012014.exe (E0595C4F17056E5599B89F1F9CF52D83)
Screenshot: https://gs1.wac.edgecastcdn.net/8019...n4u1r6pupn.png
Tagged: TNT Courier Service, Upatre
___
Fake "Skype Missed voice message" SPAM
- http://blog.dynamoo.com/2014/01/skyp...sage-spam.html
27 Jan 2014 - "This -fake- Skype email has a malicious attachment:
Date: Mon, 27 Jan 2014 19:37:11 +0300 [11:37:11 EST]
From: Administrator [docs1@ victimdomain .com]
Subject: Skype Missed voice message
Skype system:
You have received a voice mail message.
Date 01/27/2014
Message length is 00:01:18.
Attached to the email message is an archive file Skype-message.zip which in turn contains a malicious executable Voice_Mail_Message.exe which has a VirusTotal detection rate of 13/49*. Malwr reports** that the malware calls home to rockthecasbah .eu on 64.50.166.122 (LunarPages, US). This server has been compromised before and I recommend you -block- traffic to it."
* https://www.virustotal.com/en/file/b...is/1390858228/
** https://malwr.com/analysis/MzY1NTdiO...YwMWM1NzIwMDg/
- http://threattrack.tumblr.com/post/7...d-message-spam
Jan 27, 2014 - "Subjects Seen: Skype Missed voice message..."
Malicious File Name and MD5:
Skype-message.zip (79FB2E523FE515A6DAC229B236F796FF)
Voice_Mail_Message.exe (6E4857C995699C58D9E7B97BFF6E3EE6)
Tagged: Skype, Upatre
:fear::fear: :mad:
Fake Facebook 'Account Verification' Scam/SPAM
FYI...
Fake Facebook 'Account Verification' Scam/SPAM
- http://www.hoax-slayer.com/facebook-...014-scam.shtml
Jan 28, 2014 - "Message purporting to be from the "Facebook Verification Team" claims that users must verify their profiles by March 15th 2014 to comply with the SOPA and PIPA Act. The message is a -scam- and -not- from any official Facebook Verification Team. Those who follow the link will be tricked into installing a rogue Facebook app and participating in -bogus- online surveys. Some variants may attempt to trick users into divulging their Facebook email address and password to criminals. Example:
Warning: Announcement from Facebook Verification Team:
All profiles must be verified before 15th March 2014 to
avoid scams under SOPA and PIPA Act.
Verify your Account by steps below
Invite your friends.
> http://www.hoax-slayer.com/images/fa...ion-2014-1.jpg
According to a message currently moving round Facebook, all users must verify their profiles by March 15th 2014 in order to comply with the SOPA and PIPA Act. The message, which comes in the form of a graphic, claims to be an announcement from the "Facebook Verification Team". Users are instructed to click an "Invite your Friends" button to begin the verification process... Users who fall for the ruse and click the button will first be asked to give a Facebook application permission to access their details. Once installed, this rogue app will spam out more fake messages in the name of the user. Victims will then be taken to another fake page where they are again told that they must verify their account by clicking a further link. However, clicking the link takes them to various survey pages or tries to entice them to sign up for online games. Many of the surveys claim that users must provide their mobile phone number to enter in a prize draw. But, by giving out their number, users are actually signing up for very expensive SMS "subscriptions" charged at several dollars per message sent. Other surveys may ask victims to provide personal and contact information that will later be shared with third parties and used to inundate them with junk mail, emails, phone calls and text messages. The scammers responsible for the bogus "verification" messages will earn commissions via dodgy affiliate marketing systems each and every time a person participates in a survey or provides their personal information in an online "offer". Reports indicate that some versions of the scam may try to trick victims into divulging their account login details to criminals. The criminals can then -hijack- the compromised accounts and use them to distribute further scam messages..."
___
Fake RingCentral Fax msg SPAM
- http://blog.dynamoo.com/2014/01/this...-spam-has.html
28 Jan 2014 - "This -fake- RingCentral fax spam has a malicious attachment:
Date: Tue, 28 Jan 2014 14:28:24 +0000 [09:28:24 EST]
From: Sheila Wise [client@ financesup .ru]
Subject: New Fax Message on 01/22/2013
You Have a New Fax Message
From: (691) 770-2954
Received: Wednesday, January 22, 2014 at 11:31 AM
Pages: 5
To view this message, please open the attachment
Thank you for using RingCentral.
Screenshot: https://lh3.ggpht.com/-96SG-7HQH2o/U...ingcentral.png
Attached is a file fax.zip which in turn contains a malicious executable fax.doc.exe with an icon to make it look like a Word document. The VirusTotal detection rate for the document is 10/50*, and the Malwr analysis** shows an attempted callback to ren7oaks .co .uk on 91.238.164.2 (Enix Ltd, UK). The executable then downloads an apparently encrypted file..."
* https://www.virustotal.com/en-gb/fil...is/1390921856/
** https://malwr.com/analysis/NTIxYTE4Z...FhZmUyYzlmOTQ/
___
Fake flash update via .js injection and SkyDrive
- http://blog.dynamoo.com/2014/01/ongo...te-via-js.html
28 Jan 2014 - "... ongoing injection attacks that were leading to Adscend Media LLC ads. Adscend say that the affiliate using their ad system was banned, although the ad code is -still- showing in the injection attacks themselves. F-Secure also covered the attacks* from a different aspect... this infection is -still- current..."
(More detail at the dynamoo URL above.)
* http://www.f-secure.com/weblog/archives/00002659.html
> http://www.f-secure.com/weblog/archives/5_flash1.PNG
___
Fake Flash Update aimed at Turkish users
- http://blog.trendmicro.com/trendlabs...turkish-users/
Jan 27, 2014 - "... A recent attack that we found starts off with a video link sent to users via Facebook’s messaging system (sent in Turkish). This “video” prompts users to install a Flash Player update; it actually installs a browser extension that blocks access to various antivirus sites. It also sends a link to the “video” to the victim’s Facebook friends via the messaging system, restarting the cycle. This targeting appears to have worked: based on feedback from the Smart Protection Network, 93% of those who accessed pages related to this attack were from Turkey. The browser extension pushed to users was in the format used by Chromium-based browsers like Google Chrome. It would -not- work in other browsers, like Internet Explorer and Mozilla Firefox. It also stops the user from accessing the extension settings page, to prevent the user from removing or disabling the extension.
> http://blog.trendmicro.com/trendlabs...lashplayer.jpg
... The fake update, detected as TROJ_BLOCKER.J, installs the extension (detected as JS_BLOCKER.J) that blocks the antivirus websites. JS_BLOCKER.J then downloads a malicious script which is used to send the Facebook messages with the link to the video. This script is detected as HTML_BLOCKER.K. In addition to Facebook messages, Twitter accounts “promoting” this page were also spotted:
> http://blog.trendmicro.com/trendlabs...untupdated.jpg
Turkey is one of the world’s most active Facebook-using countries, with 19 million daily active users and 33 million monthly active users... this attack’s behavior – blocking antivirus sites – ... would leave them vulnerable to future attacks..."
___
Malformed FileZilla - login stealer
- http://blog.avast.com/2014/01/27/mal...login-stealer/
Jan 27, 2014 - "Beware of malformed FileZilla FTP client versions 3.7.3 and 3.5.3. We have noticed an increased presence of these malware versions of famous open source FTP clients. The first suspicious signs are bogus download URLs. As you can see, the installer is mostly hosted on -hacked- websites with -fake- content (for example texts and user comments are represented by images.)
> https://blog.avast.com/wp-content/up.../01/web_01.jpg
The malware installer GUI is almost identical to the official version. The only slight difference is the version of the NullSoft installer, where the malware uses 2.46.3-Unicode and the official installer uses v2.45-Unicode. All other elements like texts, buttons, icons and images are the same. The installed malware FTP client looks like the official version and it is fully functional! You can’t find any suspicious behavior, entries in the system registry, communication or changes in application GUI.
The only differences that can be seen at first glance are the smaller filesize of filezilla.exe (~6,8 MB), 2 dll libraries libgcc_s_dw2-1.dll and libstdc++-6.dll (not included in the official version) and information in the “About FileZilla” window indicating the use of older SQLite/GnuTLS versions. Any attempt to update the application fails, which is most likely a protection to prevent overwriting of malware binaries.
> https://blog.avast.com/wp-content/up...ut_windows.jpg
We found a hardcoded connection detail stealer after deeper analysis. Malware authors abuse open source code and add their own stealer function to the main code... The algorithm is part of a malformed FileZilla.exe binary, therefore sending stolen login details bypasses the firewall. The whole operation is very quick and quiet. Login details are sent to attackers from the ongoing FTP connection only once. Malware doesn’t search bookmarks or send any other files or saved connections... Malware authors use very powerful and inconspicuous methods to steal FTP login credentials in this case... We -strongly- recommend to download any software only from official, well-known or trusted sources. Avoid strange looking websites and portals offering software via their own downloaders or installers containing bundled adware and PUP applications..."
:fear: :mad:
Fake "Voice Message" SPAM again, Fake Flash Player installer, Fake Browser updates ..
FYI...
Fake "Voice Message" SPAM (again)
- http://blog.dynamoo.com/2014/01/voic...pam-again.html
29 Jan 2014 - "This -fake- voice message spam comes with a malicious attachment:
Date: Wed, 29 Jan 2014 14:45:36 +0100 [08:45:36 EST]
From: Administrator [docs0@ victimdomain .net]
Subject: Voice Message from Unknown (644-999-4348)
Unity Messaging System
- - -Original Message- - -
From: 644-999-4348
Sent: Wed, 29 Jan 2014 14:45:36 +0100
To: [redacted]
Subject: Important Message to All Employees
Attached is an archive Message.zip which in turn contains a malicious executable VoiceMessage.exe which has a VirusTotal detection rate of just 6/50*. Automated analysis tools... show attempted connections to kitchenrescue .com on 184.107.74.34 (iWeb, Canada) and ask-migration .com on 173.192.21.195 (Softlayer, US). In particular, it attempts to download some sort of -encrypted- file [donotclick]kitchenrescue .com/login.kitchenrescue.com/images/items/wav.enc which I have not been able to identify."
* https://www.virustotal.com/en/file/d...is/1391006188/
- https://www.virustotal.com/en/ip-add...4/information/
- https://www.virustotal.com/en/ip-add...5/information/
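Nearly every malicious-attachment report in this thread is the same EXE-in-ZIP pattern: fax.doc.exe with a Word icon, Voice_Mail_Message.exe, Tax payment.exe, Label_27012014.exe, and in the courier-item case a Mac .app bundle given a PDF icon. This added example, not ThreatTrack's, Dynamoo's or this thread's own code, inspects a ZIP attachment's member list without extracting anything to disk, flags executable members, document-then-executable double extensions and .app bundles, and compares each member's MD5 against the hashes published in the ThreatTrack items above. The ZIP files and their contents are constructed placeholders (no real malware), and the extension lists are my own assumptions.

```python
"""Inspect an e-mail ZIP attachment without extracting it. Added example,
not ThreatTrack's, Dynamoo's or the forum's code. KNOWN_BAD_MD5 holds the
hashes quoted in the posts above; the sample ZIPs are built in memory from
harmless placeholder bytes."""
import hashlib
import io
import zipfile

# MD5s published in the ThreatTrack items quoted above (Upatre/Androm droppers).
KNOWN_BAD_MD5 = {
    "05fb8ad05e87e12f5e6e4dae20168194",  # GB001231401.exe
    "3b81614e62963ac5336946b87f9487fe",  # report.9983.exe
    "e0595c4f17056e5599b89f1f9cf52d83",  # Label_27012014.exe
    "6e4857c995699c58d9e7b97bff6e3ee6",  # Voice_Mail_Message.exe
}

# Assumed lists: what counts as "executable" and what a double extension hides behind.
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".jar"}
DOC_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg"}


def md5_of(data):
    """Hex MD5 of a byte string (MD5 only because that is what the posts publish)."""
    return hashlib.md5(data).hexdigest()


def _ext_chain(name):
    """'fax.doc.exe' -> ['.doc', '.exe']; 'report.exe' -> ['.exe']; no dot -> []."""
    base = name.rsplit("/", 1)[-1].lower()
    return ["." + p for p in base.split(".")[1:]]


def inspect_zip(data, bad_md5=KNOWN_BAD_MD5):
    """Return a list of (member name, reason) findings for the ZIP bytes given."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            lowered = name.lower()
            if info.is_dir():
                # A .app directory inside a ZIP is Mac code, whatever icon it carries.
                if ".app/" in lowered:
                    findings.append((name, "mac application bundle"))
                continue
            if ".app/contents/macos/" in lowered:
                findings.append((name, "mac application bundle executable"))
            exts = _ext_chain(name)
            if exts and exts[-1] in EXEC_EXTENSIONS:
                findings.append((name, "executable member"))
                if len(exts) > 1 and exts[-2] in DOC_EXTENSIONS:
                    findings.append((name, "double extension disguised as document"))
            digest = md5_of(zf.read(info))        # read into memory, never to disk
            if digest in bad_md5:
                findings.append((name, f"md5 {digest} matches published indicator"))
    return findings


def build_sample_zip(members):
    """Build a ZIP in memory from {path: bytes}; a path ending in '/' is a directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, content in members.items():
            zf.writestr(path, content)
    return buf.getvalue()


# Constructed samples. Contents are harmless placeholders, not real malware.
FAX_ZIP = build_sample_zip({"fax.doc.exe": b"MZ placeholder, not real code"})
COURIER_ZIP = build_sample_zip({
    "Tracking.pdf.app/": b"",
    "Tracking.pdf.app/Contents/MacOS/Tracking": b"placeholder, not a real Mach-O",
})
CLEAN_ZIP = build_sample_zip({"invoice.pdf": b"%PDF-1.4 placeholder"})

if __name__ == "__main__":
    for label, blob in (("fax.zip", FAX_ZIP), ("courier.zip", COURIER_ZIP), ("clean.zip", CLEAN_ZIP)):
        print(label, inspect_zip(blob) or "no findings")
```

The structural checks matter more than the hash list: the posts above show a fresh binary per campaign (detection rates of 6/50 and even 0/50 at the time of writing), so a known-bad MD5 will usually lag, while "a .exe with a document name inside a ZIP from a courier" is the same every time. Use the hash match as confirmation and the structural findings as the reason to quarantine.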
___
Neutrino delivers Fake Flash malware hosted on SkyDrive
- http://blog.malwarebytes.org/online-...d-on-skydrive/
Jan 29, 2014 - "As cloud computing becomes more popular, malware authors are also taking interest in using this technology to store their own files—except, of course, their files are usually bad. SkyDrive (recently renamed to OneDrive) is Microsoft’s cloud storage solution, and competes directly with other big-name storage products like Google Drive and Dropbox, all of which provide a convenient solution to accessing your files from virtually any location with internet access. Recently, I found a downloader collected from our honeypot that appears as a -fake- Flash Player installer. These types of programs usually deliver malware and are very successful at making people believe they’re installing or updating the real Flash Player. This particular downloader file currently is detected by 9/50 vendors on Virustotal* ... The downloader binary was a payload from the Neutrino Exploit Kit and delivered via a Java exploit... When the file runs, it beacons out to the SkyDrive URL and presents a dialog that states it’s installing Flash Player, and then says “Installation Finished!” if everything goes well.
> http://cdn.blog.malwarebytes.org/wp-...l_finished.jpg
I visited the download server multiple times and managed to get different samples, each with their own icon (including a creepy skull). Meaning the samples stored on the SkyDrive folder are constantly being updated.
> http://cdn.blog.malwarebytes.org/wp-...er_samples.png
... To be fair to Microsoft, this isn’t the only instance where cloud storage was used for bad things. Last November, we reported on a malicious script that was hosted on Google Drive, and similar things have happened with Dropbox. Regardless, it appears more security measures need to be put in place to prevent various malicious files and programs from being uploaded to cloud storage services."
* https://www.virustotal.com/en/file/2...5be8/analysis/
___
Fake Browser updates ...
- http://blog.malwarebytes.org/fraud-s...date-warnings/
Jan 28, 2014 - "... Any message asking end users to update browsers to ward off security issues can cause problems both at home and in the workplace. Neither “Relative who knows about computers” nor the stressed IT guy from the fourth floor wants to waste time rolling back / uninstalling / deleting things from the target PC... I came across a fake browser update site doing the rounds located at
newbrowserversion(dot)org
which has pages for Chrome (C), Firefox (F) and IE (I) users... Here’s what you can expect to see on each of the three pages.
Chrome: http://cdn.blog.malwarebytes.org/wp-...owsupdate2.jpg
Firefox: http://cdn.blog.malwarebytes.org/wp-...owsupdate3.jpg
IE: http://cdn.blog.malwarebytes.org/wp-...owsupdate4.jpg
Regardless of page viewed, they all say the same thing... Should the end-user run the executable file (and all three have a different MD5) the install procedure kicks into gear. Sort of. We’re presented with the standard splash screen, and one would expect to see various offers, programs, maybe the odd toolbar... If you want to check the update status of your browser, rely on the browser itself rather than third-party websites offering up random downloads. More often than not, your browser will tell you about updates by clicking into “Help” and / or “About this browser” options in the various settings menus..."
68.233.240.26
- https://www.virustotal.com/en/ip-add...6/information/
:mad: :mad:
Fake Vodafone MMS SPAM, Twitter Follower Scam ...
FYI...
Fake Vodafone MMS SPAM - malicious attachment
- http://blog.dynamoo.com/2014/01/fake...omes-with.html
30 Jan 2014 - "This -fake- Vodafone MMS spam comes with a nasty payload:
Date: Thu, 30 Jan 2014 03:55:04 -0500 [03:55:04 EST]
From: mms.service6885@ mms .Vodafone .co .uk
Subject: image Id 312109638-PicOS97F TYPE==MMS
Received from: 447219637920 | TYPE=MMS
Despite the Vodafone references in the header, this message comes from a random -infected- PC somewhere and not the Vodafone network. The email doesn't quite render properly in my sample:
> https://lh3.ggpht.com/-PSCY3ZpjEqc/U...dafone-mms.png
The spam is probably preying on the fact that most people have heard of MMS but very rarely use it. Attached is a file IMG0000008849902.zip which in turn contains a malicious executable IMG0000008849902.exe, this has a VirusTotal detection rate of just 2/50*. Automated analysis tools are inconclusive... as the sample appears to time out."
* https://www.virustotal.com/en-gb/fil...is/1391073258/
___
Twitter Follower Scam ...
- http://blog.trendmicro.com/trendlabs...actually-work/
Jan 30 2014 - "... This -scam- tries to attract potential victims by using tweets with the phrase “GET MORE F0LL0WERS” and a URL that is apparently from Google. (In this particular case, Google is just used as a -redirector- to the scammer’s site.) It also uses Twitter’s Discover feature and trending topics to boost its visibility. It also uses tweets that mention random Twitter users.
Sample tweets promoting the site:
> http://blog.trendmicro.com/trendlabs...1/twitter1.jpg
When users click the link in the post, they will be redirected to a “get free followers” site. The site offers two options—a free and a premium service. The free option requires users to authorize a Twitter app named “LAAY PAAY” created by the scammers; this will grant them access to the user’s Twitter account. After the user is returned to the scam site from the app authorization process, the site will show a “processing” page. The user will gain random Twitter followers, including those with private accounts. The premium service boasts new followers per minute, no ads, and instant activation. This service costs five euros and can be paid via PayPal.
> http://blog.trendmicro.com/trendlabs...1/twitter2.jpg
What’s the catch? Yes, they get new followers, but these followers are other users who signed up for this service as well. By agreeing to the service, their accounts will also be used to follow other accounts as well. In addition, spam tweets will also be sent from the victim’s Twitter account. Even paying five euros will not stop these spam tweets. Note that to get more followers you have to log in repeatedly (otherwise you drop off the “list”), repeating the whole cycle... Gaining access to Twitter accounts and sending spam tweets is not the only goal of the scammers here. They also load various advertising-laden affiliate sites in the background, in order to gain pageviews and thus, revenue for the owners of the ads. We’ve seen -35- separate domains in this attack... Users are encouraged to -avoid- clicking links on social media posts unless the source can be verified. Users should also avoid giving access to their social media accounts unless the sites are established and well-known. Lastly, they should always remember that “free” services often aren’t. They may ask for something in exchange, be it information or access to accounts..."
___
s15443877[.]onlinehome-server[.]info ? ...
- http://blog.dynamoo.com/2014/01/wtf-...erverinfo.html
30 Jan 2014 - "Something that caught my eye was this Google Safebrowsing diagnostic for [donotclick]s15443877.onlinehome-server .info * ... Not only are (exactly) one third of the pages crawled hosting -malware- but there are a staggering -198- domains spreading it. Usually it's just a handful of sites, but this is the most I've ever seen. VirusTotal also shows some historical evil** going on with the IP of 212.227.141.247 (1&1, Germany) and a Google of the site contents shows thousands of hits of what appears to be scraped content in Spanish. It's hard to say just what this site is, but with Google diagnostics like that then it is unlikely to be anything good and -blocking- s15443877.onlinehome-server .info or 212.227.141.247 might be prudent."
* http://www.google.com/safebrowsing/d...e-server.info/
"... over the past 90 days, 582 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2014-01-29, and the last time suspicious content was found on this site was on 2014-01-29. Malicious software includes 166 scripting exploit(s), 166 trojan(s), 89 exploit(s). Successful infection resulted in an average of 5 new process(es) on the target machine. Malicious software is hosted on 198 domain(s)... 155 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site..."
** https://www.virustotal.com/en-gb/ip-...7/information/
AS8560 (ONEANDONE-AS)
- http://www.google.com/safebrowsing/d...c?site=AS:8560
___
Fake "Last Month Remit" SPAM
- http://blog.dynamoo.com/2014/01/last...emit-spam.html
30 Jan 2014 - "This -fake- "Last Month Remit" spam does a pretty good job of looking like it comes from your own organisation..
Date: Thu, 30 Jan 2014 12:22:05 +0000 [07:22:05 EST]
From: Administrator [victimdomain]
Subject: FW: Last Month Remit
File Validity: Thu, 30 Jan 2014 12:22:05 +0000
Company : http ://[victimdomain]
File Format: Office - Excel
Internal Name: Remit File
Legal Copyright: Microsoft Corporation. All rights reserved.
Original Filename: Last month remit file.xls ...
Going to the bother of inserting fake mail headers is odd, because anyone who knew enough to check the headers would probably also realise that the attached ZIP file with an EXE in it was probably bad news. In this case, the attachment is called Remit_[victimdomain].zip which in turn contains a malicious executable called Remit.exe which has an icon that makes it look like a PDF file.
> https://lh3.ggpht.com/-BiMee-Y7Kt4/U...600/remit2.png
This file has a VirusTotal detection rate of 10/49*. Automated analysis tools... show an attempted connection to poragdas .com on 182.18.143.140 (Pioneer Elabs, India) which is a server that has been seen before, and excelbizsolutions .com on 103.13.99.167 on (CtrlS Private, India).
Recommended blocklist:
103.13.99.167
182.18.143.140
poragdas .com
excelbizsolutions .com "
* https://www.virustotal.com/en-gb/fil...is/1391089282/
:mad: :fear::fear:
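Both the Vodafone MMS and the "Last Month Remit" spam above use the same delivery trick: a ZIP attachment that contains a single EXE, sometimes dressed up with a document icon. The following is an added example (not code from any of the posts or blogs quoted) of the check a mail gateway or triage script can run on such an attachment: it lists archive members whose extension Windows would execute directly, and independently looks for the "MZ" header so an executable renamed to look like a PDF or XLS is still caught. The archive contents, the member names and the extension list are constructed for the demonstration.

```python
import io
import posixpath
import zipfile

# Extensions Windows will run on double-click; constructed list for the example.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
PE_MAGIC = b"MZ"  # every Windows PE executable starts with these two bytes


def build_zip(members: dict) -> bytes:
    """Build an in-memory ZIP from {name: bytes}; used to construct test input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample_attachment() -> bytes:
    """Constructed sample modelled on the Remit_[victimdomain].zip pattern:
    one obvious EXE, one EXE renamed to look like a document, one harmless file."""
    fake_pe = PE_MAGIC + b"\x90\x00" + b"\x00" * 60  # constructed, not a real binary
    return build_zip({
        "Remit.exe": fake_pe,
        "invoice.pdf": fake_pe,
        "readme.txt": b"Nothing to see here.\n",
    })


def inspect_zip_attachment(data: bytes) -> list:
    """Return [(member_name, (reason, ...)), ...] for every suspicious member.

    Only the first two bytes of each member are decompressed, so a large or
    deliberately padded archive does not get fully expanded during the check.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            ext = posixpath.splitext(name)[1].lower()
            is_exec_ext = ext in EXECUTABLE_EXTENSIONS
            with zf.open(info) as fh:
                has_pe_magic = fh.read(2) == PE_MAGIC
            reasons = []
            if is_exec_ext:
                reasons.append("executable extension " + ext)
            if has_pe_magic:
                reasons.append("PE (MZ) header present")
            if has_pe_magic and not is_exec_ext:
                reasons.append("extension disguises an executable")
            if reasons:
                findings.append((name, tuple(reasons)))
    return findings


def should_quarantine(data: bytes) -> bool:
    """Gateway verdict: any flagged member means the attachment is held."""
    return bool(inspect_zip_attachment(data))


if __name__ == "__main__":
    for name, reasons in inspect_zip_attachment(build_sample_attachment()):
        print(name, "->", "; ".join(reasons))
```

The two checks are deliberately independent: the extension rule catches the plain "FAX MESSAGE.EXE" case even if the content is packed in a way the magic check does not recognise, and the magic rule catches the "Remit.exe with a PDF icon" family once it is renamed to a document extension outright.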
Fake Fax2Email SPAM, Lloyds Banking phish ...
FYI...
Fake Fax2Email SPAM
- http://blog.dynamoo.com/2014/01/wind...mail-spam.html
31 Jan 2014 - "... another -fake- Fax spam with a malicious payload:
Date: Fri, 31 Jan 2014 10:00:23 +0000 [05:00:23 EST]
From: Windsor Telecom Fax2Email [no-reply@ windsor-telecom .co .uk]
Subject: Fax Message on 08983092722 from FAX MESSAGE
You have received a fax on your fax number: 08983092722 from.
The fax is attached to this email.
PLEASE DO NOT REPLY BACK TO THIS MESSAGE.
Attached is an archive file FAX MESSAGE.ZIP which in turn contains a malicious executable FAX MESSAGE.EXE with a VirusTotal detection rate of 4/50*. Well, I say malicious but both Malwr and Anubis report that the payload does not execute properly, however that might just be an issue with those particular sandboxes and it does -not- mean that it will fail to run on all systems."
* https://www.virustotal.com/en-gb/fil...is/1391163988/
___
Something evil on 192.95.10.208/28
- http://blog.dynamoo.com/2014/01/some...951020828.html
31 Jan 2014 - "192.95.10.208/28 (OVH, Canada) is being used to deliver -exploit- kits utilising .pw domains, for an example see this URLquery report*. The following domains are being used in these attacks (although there may be more):
(Long list at the dynamoo URL above.)
The IP forms part of a /28 block belonging to a known bad actor:
NetRange: 192.95.10.208 - 192.95.10.223
CIDR: 192.95.10.208/28
OriginAS: AS16276 ... **
Country: RU
RegDate: 2014-01-24
I believe that these IPs are connected with a black hat host -r5x .org- and IPs with these WHOIS details are very often used in exploit kit attacks. I would -strongly- recommend that you -block- 192.95.10.208/28 in addition to the domains listed above."
* http://urlquery.net/report.php?id=9140970
Diagnostic page for AS16276 (OVH)
** http://google.com/safebrowsing/diagnostic?site=AS:16276
"... over the past 90 days, 5074 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2014-01-31, and the last time suspicious content was found was on 2014-01-31... we found 776 site(s) on this network... that appeared to function as intermediaries for the infection of 2156 other site(s)... We found 1092 site(s)... that infected 7551 other site(s)..."
- http://centralops.net/co/DomainDossier.aspx
canonical name r5x .org ...
addresses 176.124.111.130 ...
- https://www.virustotal.com/en-gb/ip-...0/information/
___
Lloyds Banking Group 'Online Access Suspended' Phish
- http://www.hoax-slayer.com/lloyds-on...ing-scam.shtml
Jan 31, 2014 - "Email that pretends to come from Lloyds Banking Group -claims- that the recipient's online account access has been suspended because login details are incorrectly entered several times... The email is -not- from Lloyds. It is a -phishing- scam designed to trick users into giving their account login details and other personal information to Internet criminals. Example:
> http://www.hoax-slayer.com/images/ll...cam-2014.1.jpg
... According to this email, which purports to be from the UK's Lloyds Bank, the recipient's bank account has been suspended. Supposedly, account login details were entered several times, so the bank suspended access in order to protect the customer from online fraud attempts... the email itself is the online fraud attempt. The message is a typical phishing scam. Customers who are taken in by the false claims and click the link as instructed will be taken to a fake website where they will be asked to login to their Lloyds online account. After logging in on what they believe is the genuine Lloyds website, victims may then be asked to provide further personal data such as their credit card details and ID information. At the end of the sequence, victims may be automatically redirected to the genuine Lloyds website. Meanwhile, the criminals can hijack their bank accounts, transfer funds, conduct fraudulent transactions and perhaps even steal their identities..."
- http://www.lloydsbank.com/help-guida...y/phishing.asp
:fear: :mad:
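Several of the posts above end with a recommended blocklist, published in defanged form ("poragdas .com", "s15443877[.]onlinehome-server[.]info", "192.95.10.208/28"). The following is an added example, not code from the posts or the blogs quoted, of turning such a list into something a defender can actually run against proxy logs: it refangs the indicators, keeps IPs and CIDR ranges separate from domains, and then flags log lines whose destination is a listed address, falls inside a listed range, or is a listed domain or one of its subdomains (the subdomain match goes slightly beyond the posts, which only name the bare hosts). The blocklist text below copies the indicators from the posts; the proxy log lines and their format are constructed for the demonstration.

```python
import ipaddress
from urllib.parse import urlsplit

# Indicators as published in the posts above, still defanged.
BLOCKLIST_TEXT = """
103.13.99.167
182.18.143.140
poragdas .com
excelbizsolutions .com
192.95.10.208/28
s15443877[.]onlinehome-server[.]info
212.227.141.247
"""

# Constructed proxy log: "timestamp client method url status"; not real traffic.
SAMPLE_PROXY_LOG = """\
1391089300.123 10.0.0.15 GET http://poragdas.com/gate.php 200
1391089301.456 10.0.0.15 GET http://www.example.com/index.html 200
1391089302.789 10.0.0.22 GET http://192.95.10.213/index.php 200
1391089303.012 10.0.0.22 GET http://cdn.s15443877.onlinehome-server.info/x.js 200
1391089304.345 10.0.0.31 GET http://192.95.10.224/ 200
"""


def refang(indicator: str) -> str:
    """Undo the defanging conventions used in the posts: '[.]', ' .', '(dot)'."""
    value = indicator.strip().lower()
    return value.replace("[.]", ".").replace("(dot)", ".").replace(" .", ".")


def parse_blocklist(text: str):
    """Split a blocklist into IP networks (single IPs become /32) and domains."""
    networks, domains = [], set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        value = refang(line)
        try:
            networks.append(ipaddress.ip_network(value, strict=False))
        except ValueError:
            domains.add(value)
    return networks, domains


def host_matches(host: str, networks, domains) -> bool:
    """True if host is a listed IP / inside a listed range, or a listed domain
    or a subdomain of one."""
    host = host.lower().rstrip(".")
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None
    if addr is not None:
        return any(addr in net for net in networks)
    labels = host.split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))


def scan_proxy_log(log_text: str, networks, domains) -> list:
    """Return (client, destination_host) for every log line that hits the list."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        client, url = fields[1], fields[3]
        host = urlsplit(url).hostname
        if host and host_matches(host, networks, domains):
            hits.append((client, host))
    return hits


if __name__ == "__main__":
    nets, doms = parse_blocklist(BLOCKLIST_TEXT)
    for client, host in scan_proxy_log(SAMPLE_PROXY_LOG, nets, doms):
        print(f"{client} contacted blocklisted host {host}")
```

Keeping ranges as ipaddress network objects is what makes the "block 192.95.10.208/28" advice enforceable: 192.95.10.213 is caught while 192.95.10.224, one address past the range, is not, so the check reproduces the boundary the post asks you to block rather than matching on a string prefix.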