Fake UPS, Facebook, ADP emails lead to malware ...
FYI... multiple entries:
Fake UPS emails serve malware ...
- http://blog.webroot.com/2012/10/25/y...serve-malware/
Oct 25, 2012 - "... cybercriminals launched yet another massive spam campaign, impersonating the United Parcel Service (UPS), in an attempt to trick its current and prospective customers into downloading and executing the malicious attachment found in the email. Upon execution, the malware opens a backdoor on the infected host, allowing the cybercriminals behind the campaign to gain complete control over the victim’s host...
Screenshot of the spamvertised email:
> https://webrootblog.files.wordpress....il_malware.png
Detection rate for the malicious attachment: MD5: 0e78d3704332c59b619f872fd6d33d25 * ... Trojan-Downloader.Win32.Andromeda.qw.
* https://www.virustotal.com/file/d9e1...is/1350581761/
File name: UPS_Delivery_Confirmation.pdf.exe
Detection ratio: 32/43
Analysis date: 2012-10-18
___
Fake Facebook emails lead to malware
- https://www.net-security.org/malware_news.php?id=2302
25.10.2012 - "If you receive an email seemingly sent by Facebook, sharing an offensive comment that has seemingly been left on your Wall by an unknown user, please don't be tempted to follow the link.
> https://www.net-security.org/images/...nsive-scam.jpg
... If you do, you'll be -redirected- to a -fake- Facebook page hosting a malicious iFrame script that triggers the infamous Blackhole exploit kit, and if it finds a vulnerability to exploit, you will be automatically saddled with some or other malicious software. The attackers will try to hide the fact by automatically redirecting you to another legitimate Facebook page, belonging to a Facebook user that, according to Sophos*, does not seem to be related to the attack."
* http://nakedsecurity.sophos.com/2012...alware-attack/
___
ADP SPAM / openpolygons .net
- http://blog.dynamoo.com/2012/10/adp-...lygonsnet.html
25 Oct 2012 - "This fake ADP spam leads to malware on openpolygons .net:
From: warning @adp .com
Sent: Thu 25/10/2012 16:42
Subject: ADP Instant Message
ADP Pressing Communication
Reference No.: 27711
Respected ADP Client October, 25 2012
Your Transaction Report(s) have been uploaded to the web site:
Click Here to access
Please overview the following information:
Please note that your bank account will be debited within one banking business day for the amount(s) shown on the report(s).
Please do not respond or reply to this automated e-mail. If you have any questions or comments, please Contact your ADP Benefits Specialist.
This email was sent to existing users in your company that access ADP Netsecure.
As general, thank you for using ADP as your business affiliate!
Ref: 27711
> https://lh3.ggpht.com/-xEHpgbIAYcs/U...0/adp-spam.png
The malicious payload is at [donotclick]openpolygons .net/detects/lorrys_implication.php hosted on 195.198.124.60 (Skand Meteorologi och Miljoinstr AB, Sweden) which is an IP address that has been seen before. That IP also hosts the fake AV application win8ss .com and another malware site of legacywins .com...
Plain list for copy-and-pasting:
195.198.124.60
openpolygons .net
win8ss .com
legacywins .com ..."
___
"End of Aug. Statement required" SPAM / kiladopje .ru
- http://blog.dynamoo.com/2012/10/end-...ired-spam.html
25 Oct 2012 - "This spam leads to malware on kiladopje .ru:
From: ZaireLomay @mail .com
Sent: 24 October 2012 20:58
Subject: Re: FW: End of Aug. Statement required
Hi,
as reqeusted I give you inovices issued to you per sept. (Internet Explorer format)
Regards
In this case, there's an attachment called Invoices-23-2012.htm with some obfuscated Javascript to direct visitors to a malware laden page at [donotclick]kiladopje .ru:8080/forum/links/column.php hosted on:
79.98.27.9 (Interneto Vizija, Lithuania)
203.80.16.81 (MYREN, Malaysia)
209.51.221.247 (eNet, US)
The following IPs and domains are all related and should be blocked if you can:
68.67.42.41, 72.18.203.140, 79.98.27.9, 84.22.100.108, 85.143.166.170, 132.248.49.112, 190.10.14.196, 202.3.245.13, 203.80.16.81, 209.51.221.247
fidelocastroo .ru
finitolaco .ru
kennedyana .ru
kiladopje .ru
lemonadiom .ru
leprasmotra .ru
ponowseniks .ru
secondhand4u .ru
windowonu .ru ..."
___
Vast email -malware- outbreaks – efaxCorporate and Xerox copiers
- http://blog.commtouch.com/cafe/email...xerox-copiers/
Oct 25, 2012 - "... huge amounts of email-attached malware were distributed – all with an “office” theme. The attacks pushed the amount of email up by several hundred percent and totaled near five billion emails sent worldwide.
> http://blog.commtouch.com/cafe/wp-co...4-Oct-2012.jpg
The first part of the day saw emails describing an attachment as being the scan from a Xerox Workcenter... Yesterday’s file was a zipped executable. The second part of the attack moved on to eFaxCorporate, announcing the arrival of a (21 page) fax message. Once again the attachment was an executable file pretending to be a PDF. The file is detected as W32/Trojan2.NTLB... The malware scans the infected system for FTP programs – no doubt looking for FTP credentials that can be stolen to access and compromise Web servers (which can then be used to serve malware links).
> http://blog.commtouch.com/cafe/wp-co...ax-message.jpg ..."
:mad:
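Since nearly every dynamoo entry above ends with a "plain list for copy-and-pasting" of defanged indicators (the "openpolygons .net", "[donotclick]..." and "hxxp ://" forms), here is a small helper I wrote for turning that kind of text back into a clean blocklist. It is my own added example, not code from any of the quoted blogs; the SAMPLE text is constructed to mirror the posts' formatting, and the NOT_TLDS list and the token-classification rules are my own heuristics.

```python
import re
from urllib.parse import urlparse

# Constructed sample that mirrors the defanging conventions used in the quoted posts
# (space before the TLD, "hxxp ://", "[donotclick]"); it is not copied from any single post.
SAMPLE = """\
The malicious payload is at [donotclick]openpolygons .net/detects/lorrys_implication.php
hosted on 195.198.124.60 (Skand Meteorologi, Sweden). That IP also hosts win8ss .com.
Plain list for copy-and-pasting:
195.198.124.60
openpolygons .net
win8ss .com
legacywins .com ...
hxxp ://coaseguros .com/components/com_ag_google_analytics2/notifiedvzn.html;
[donotclick]kiladopje .ru:8080/forum/links/column.php hosted on:
79.98.27.9 (Interneto Vizija, Lithuania)
68.67.42.41, 72.18.203.140, 79.98.27.9, 999.1.1.1
"""

IP_RE = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")
DOMAIN_RE = re.compile(r"(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}", re.IGNORECASE)
# File-name suffixes the domain regex would otherwise accept as TLDs (my own heuristic list)
NOT_TLDS = {"php", "html", "htm", "exe", "zip", "jpg", "png", "pdf", "fil", "asp", "aspx"}


def refang(text: str) -> str:
    """Undo the posts' defanging: drop [donotclick], hxxp:// -> http://, 'name .tld' -> 'name.tld'."""
    text = text.replace("[donotclick]", "")
    text = re.sub(r"hxxp(s?)\s*://", r"http\1://", text, flags=re.IGNORECASE)
    text = re.sub(r"\s+\.(?=[A-Za-z0-9])", ".", text)
    return text


def is_ip(token: str) -> bool:
    """Dotted quad with every octet in 0..255 (rejects things like 999.1.1.1)."""
    return bool(IP_RE.fullmatch(token)) and all(0 <= int(o) <= 255 for o in token.split("."))


def is_domain(token: str) -> bool:
    return bool(DOMAIN_RE.fullmatch(token)) and token.rsplit(".", 1)[-1].lower() not in NOT_TLDS


def extract_indicators(text: str) -> dict:
    """Classify each whitespace/comma/semicolon-separated token as IP, domain or URL."""
    clean = refang(text)
    ips, domains, urls = set(), set(), set()
    for raw in re.split(r"[\s,;]+", clean):
        token = raw.strip("()\"'.,;")
        if not token:
            continue
        if "://" in token:                       # full URL with scheme
            urls.add(token)
            host = urlparse(token).hostname
            if host and is_domain(host):
                domains.add(host.lower())
        elif is_ip(token):
            ips.add(token)
        elif "/" in token:                       # scheme-less "host:port/path" form
            host = token.split("/", 1)[0].split(":", 1)[0]
            if is_domain(host):
                urls.add(token)
                domains.add(host.lower())
        elif is_domain(token):
            domains.add(token.lower())
    return {"ips": sorted(ips), "domains": sorted(domains), "urls": sorted(urls)}


def render_blocklist(indicators: dict) -> str:
    """Plain one-per-line list of IPs then domains, the copy-and-paste form used in the posts."""
    return "\n".join(indicators["ips"] + indicators["domains"])


if __name__ == "__main__":
    found = extract_indicators(SAMPLE)
    print(render_blocklist(found))
    for url in found["urls"]:
        print("URL:", url)
```

Review the output before loading it into a proxy or DNS blocklist: the quoted spam bodies in these posts also mention legitimate brand domains, and a token-based scan will pick those up just as readily as the malicious ones.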
Bogus Skype, ADP emails lead to malware ...
FYI... multiple entries:
Share of malicious email by country
- http://www.h-online.com/security/new...ew=zoom;zoom=1
26 Oct 2012
___
Bogus Skype emails lead to malware...
- http://blog.webroot.com/2012/10/26/b...ad-to-malware/
Oct 26, 2012 - "... millions of emails impersonating Skype, in an attempt to trick Skype users into believing that their password has been successfully changed, and that in order to view their call history and change their account settings, they would need to execute the malicious attachment found in the emails...
Screenshot of the spamvertised email:
> https://webrootblog.files.wordpress....am_malware.png
Detection rate for the malicious attachment: MD5: 0e78d3704332c59b619f872fd6d33d25 * ... Trojan-Downloader.Win32.Andromeda.qw. Upon execution, the malware opens a backdoor allowing the cybercriminals behind the campaign complete access to the affected user’s host..."
* https://www.virustotal.com/file/d9e1...is/1350584221/
File name: Skype_Password_inscturtions.pdf.exe
Detection ratio: 32/43
Analysis date: 2012-10-18
___
apl.de.ap SPAM
- http://blog.dynamoo.com/2012/10/apldeap-spam.html
26 Oct 2012 - "I'm not really a fan of the Black Eyed Peas, so I'd never heard of apl.de.ap ( http://en.wikipedia.org/wiki/Apl.de.ap ) until I received this spam. I'm pretty sure that Mr ap isn't sending these out himself, but they're coming from a spammer in the UAE, a place which seems to be the spam capital of the Middle East. Although those look like tinyurl links, they're not... they go through a redirector at ykadl .net on 109.236.88.71, the same IP used to send the spam... here's the spam in case you really want to buy tickets from a shady bunch of spammers (NOT)...
From: DNA alex @ ykadl .net
Date: 26 October 2012 04:48
Subject: Black Eyed Peas/ APL DE AP in Dubai
Signed by: ykadl.net
BLACK EYE PEAS founding member APL DE AP heads to Dubai
BLACK EYE PEAS founding member APL DE AP to Dubai for the first time.The internationally famed Black Eyed Peas rapper/DJ, who has won 7 Grammy Awards and sold over 70 million albums, will be the headliner performance at Nasimi Beach on Thursday 1st November.
Like his high school friend Will I Am, APL DE AP also DJ's with international bookings all around the globe including Ibiza, Cannes and London, recently headlining at Belgium's Tomorrowland Festival. The American-Philippines star headlines this event with support from Dion Mavath, local celebrity DJ Marwan Bliss/ 411, Mathew Charles and as well as a performance by Number One selling band Swickasswans.
APL DE AP and the other members of the Black Eyed Peas have been on a hiatus ..."
___
ADP SPAM / steamedboasting .info
- http://blog.dynamoo.com/2012/10/adp-...stinginfo.html
26 Oct 2012 - "This fake ADP spam leads to malware on steamedboasting.info:
From: ClientService @adp .com
Sent: 26 October 2012 12:03
Subject: ADP Instant Notification
ADP Urgent Warning
Reference #: 31344
Dear ADP Client October, 25 2012
Your Transfer Summary(s) have been uploaded to the web site:
https ://www.flexdirect.adp .com/client/login.aspx
Please take a look at the following information:
• Please note that your bank account will be charged within 1 banking day for the amount(s) specified on the Statement(s).
•Please DO NOT reply to this message. automative notification system cannot accept incoming messages. Please Contact your ADP Benefits Specialist.
This note was sent to existing users in your company that approach ADP Netsecure.
As always, thank you for choosing ADP as your business companion!
Ref: 31344
The malicious payload is at [donotclick]steamedboasting .info/detects/burying_releases-degree.php, the initial redirection page has some Cloudflare elements on it which is a bit disturbing. steamedboasting .info is hosted on 195.198.124.60 (Skand Meteorologi och Miljoinstr AB, Sweden).
This is an alternative variant with the same malicious payload:
Date: Fri, 26 Oct 2012 16:32:10 +0530
From: "noreply @adp .com"
Subject: ADP Prompt Communication
ADP Speedy Notification
Reference #: 27585
Dear ADP Client October, 25 2012
Your Transaction Statement(s) have been put onto the web site:
Web site link
Please see the following notes:
• Please note that your bank account will be charged-off within 1 banking business day for the amount(s) specified on the Protocol(s).
?Please do not reply to this message. automative notification system can't accept incoming mail. Please Contact your ADP Benefits Specialist.
This message was sent to operating users in your company that approach ADP Netsecure.
As always, thank you for choosing ADP as your business partner!
Ref: 27585 [redacted] ..."
___
"Your Photos" SPAM / manekenppa .ru
- http://blog.dynamoo.com/2012/10/your...ekenpparu.html
26 Oct 2012 - "This fake "photos" spam leads to malware on manekenppa .ru:
From: Acacia @redacted .com
Sent: 26 October 2012 10:14
Subject: Your Photos
Hi,
I have attached your photos to the mail (Open with Internet Explorer).
In this case there is an attachment called Image_DIG691233.htm that leads to a malware laden page at [donotclick]manekenppa .ru:8080/forum/links/column.php hosted on some familiar looking IPs:
79.98.27.9 (Interneto Vizija, Lithuania)
203.80.16.81 (MYREN, Malaysia)
209.51.221.247 (eNet, US)
We've seen these IPs before and they are well worth blocking."
:mad:
Fake BT-Business, Verizon emails lead to malware
FYI...
Fake BT-Business emails lead to malware ...
- http://blog.webroot.com/2012/10/28/s...ad-to-malware/
Oct 28, 2012 - "Over the past 24 hours, cybercriminals have been spamvertising millions of emails targeting customers of BT’s Business Direct in an attempt to trick its users into executing the malicious attachment found in the emails. Upon executing it, the malware opens a backdoor on the infected host, allowing the cybercriminals behind the campaign to gain complete access to the affected host...
Screenshot of the spamvertised email:
> https://webrootblog.files.wordpress....il_malware.png
Detection rate for the malicious attachment: MD5: 8d0e220ce56ebd5a03c389bedd116ac5 * ... Trojan-Ransom.Win32.Gimemo.ashm ..."
* https://www.virustotal.com/file/8f42...7c48/analysis/
File name: 8D0E220CE56EBD5A03C389BEDD116AC5.fil
Detection ratio: 32/42
Analysis date: 2012-10-25
___
Fake Verizon Wireless emails serve client-side exploits and malware ...
- http://blog.webroot.com/2012/10/27/c...s-and-malware/
Oct 27, 2012 - "... For over a week now, cybercriminals have been persistently spamvertising millions of emails impersonating the company, in an attempt to trick current and prospective customers into clicking on the client-side exploits and malware serving links found in the malicious email. Upon clicking on any of the links, users are exposed to the client-side exploits served by the latest version of the BlackHole Exploit Kit...
Screenshot of the spamvertised email:
> https://webrootblog.files.wordpress....ts_malware.png
Spamvertised malicious URLs:
hxxp ://coaseguros .com/components/com_ag_google_analytics2/notifiedvzn.html;
hxxp ://clinflows .com/components/com_ag_google_analytics2/vznnotifycheck.html
Client-side exploits serving URL: hxxp ://strangernaturallanguage .net/detects/notification-status_login.php?mzuilm=073707340a&awi=45&dawn=04083703023407370609&iwnjdt=0a000300040002
Sample client-side exploits served: CVE-2010-0188
Upon successful client-side exploitation, the campaign drops MD5: b8d6532dd17c3c6f91de5cc13266f374 * ... Trojan-Spy.Win32.Zbot.fkth
Once executed, the sample phones back to tuningmurcelagoglamour .ru, tuningfordmustangxtremee .ru - 146.185.220.28, AS58014 ..."
* https://www.virustotal.com/file/2d17...61f4/analysis/
File name: b8d6532dd17c3c6f91de5cc13266f374.malware
Detection ratio: 26/44
Analysis date: 2012-10-09 ..."
:mad:
Fake British Airways emails serve malware
FYI...
Fake British Airways emails serve malware
- http://blog.webroot.com/2012/10/29/c...serve-malware/
Oct 29, 2012 - "Cybercriminals are currently mass mailing millions of emails in an attempt to trick British Airways customers into executing the malicious attachment found in the spamvertised emails. Upon execution, the malware opens a backdoor on the infected host, allowing the cybercriminals behind the campaign to gain complete control over the infected host...
Screenshot of the spamvertised email:
> https://webrootblog.files.wordpress....il_malware.png
Detection rate for the malicious attachment: MD5: 4a3a345c24fda6987bbe5411269e26b7 * ... Trojan-Downloader.Win32.Andromeda.aey..."
* https://www.virustotal.com/file/39f5...5c21/analysis/
File name: BritishAirways-eticket.pdf.exe
Detection ratio: 30/43
Analysis date: 2012-10-23
___
.com malware pretends to be naughty .com website
- http://blog.commtouch.com/cafe/email...y-com-website/
Oct 28, 2012 - "... The email doesn’t include much text – simply asking that you 'Pay attention at the attach':
Screenshot: http://blog.commtouch.com/cafe/wp-co...ck-blurred.jpg
... As shown in the screenshot it’s www .——-face .com. Those tempted to double-click the “link” in order to visit a porn site would find themselves attacked by malware."
:mad:
Bogus Facebook notifications serve malware
FYI...
Bogus Facebook notifications serve malware
- http://blog.webroot.com/2012/10/30/c...serve-malware/
Oct 30, 2012 - "... cybercriminals spamvertised yet another massive email campaign, impersonating the world’s most popular social network – Facebook. It was similar to a previously profiled spam campaign imitating Facebook. However, in this case the cybercriminals behind it relied on attached malicious archives, compared to including exploits and malware serving links in the email...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress....il_malware.png
Detection rate for the malicious archive: MD5: 0938302fbf8f7db161e46c558660ae0b * ... Trojan.Generic.KDV.753880; Trojan-Ransom.Win32.Gimemo.arsu. Upon execution, the sample opens a backdoor on the infected host, allowing the cybercriminals behind the campaign to gain full access to the affected host..."
* https://www.virustotal.com/file/79f9...is/1350575670/
File name: FacebookPhoto_album.jpeg.exe
Detection ratio: 34/43
Analysis date: 2012-10-18
___
Blackhat SEO poisoning: Halloween tricks and holiday malware ...
- http://blogs.computerworld.com/cyber...ware-interview
Oct 29, 2012 - "... things like blackhat SEO poisoning to successfully infect devices. Blackhat SEO link poisoning, scams, tricks. Although the poisonous pranks and tainted tricks go far beyond Halloween, this seemed a great time to get insight into these trends as well as tips to avoid them. You might know about it, but how about your parents or other people who are not nearly so security-savvy? You might want to warn them that their simple searches could infect their computers... especially if you will be the one called upon to fix them for free ;-) ..."
(More detail at the URL above.)
:mad:
Bogus BofA, Discover emails serve exploits and malware
FYI...
Bogus BofA ‘Online Banking Passcode Reset’ emails serve client-side exploits and malware
- http://blog.webroot.com/2012/11/01/b...s-and-malware/
Nov 1, 2012 - "Cybercriminals are currently mass mailing millions of emails, in an attempt to trick Bank of America customers into clicking on the exploit and malware-serving link found in the spamvertised email. Relying on bogus “Online Banking Passcode Changed” notifications and professional-looking email templates, the campaign is the latest indication of the systematic rotation of impersonated brands in an attempt to cover as many market segments as possible...
Screenshot of a sample spamvertised email:
> https://webrootblog.files.wordpress....e_exploits.png
... Client-side exploits serving URL: hxxp ://the-mesgate .net/detects/signOn_go.php – 183.81.133.121, AS38442 ... Also responding to the same IP are the following malicious domains:
stafffire .net – 183.81.133.121, AS38442
hotsecrete .net – Email: counseling1 @ yahoo .com
formexiting .net – suspended domain
navisiteseparation .net – suspended domain ...
Related malicious domains responding to these IPs:
change-hot .net
locksmack .net
Money mule recruitment domains using the same IP as a mailserver:
aurafinancialgroup .com
epscareers .com
As you can see, this campaign is a great example of the very existence of the cybercrime ecosystem. Not only are they spamvertising millions of exploits and malware serving emails, they’re also multitasking on multiple fronts, as these two domains are recruiting money mules to process fraudulently obtained assets from the affected victims..."
___
Discover card SPAM / netgear-india.net
- http://blog.dynamoo.com/2012/11/disc...-indianet.html
1 Nov 2012 - "This fake Discover Card spam leads to malware on netgear-india .net:
From: Discover Account Notes [mailto:no-reply @ notify .discover .com]
Sent: Thu 01/11/2012 15:32
Subject: Great Details Changes in your Discover card Account Terms
Account Services | Customer Care Services
Account ending in XXX1
An substantial communication regarding latest Declined Transfers is waiting for you.
Log In to Read Information
Honored Discover Client,
There is an serious message waiting for you from Discover® card. Please read the message mindfully and keep it with your file.
To ensure optimal privacy, please log in to view your message at Discover.com.
Please click on this link if you have forgotten your UserID or Password.
Add information @ service .discover .com to your address book to ensure delivery of these notifications.
VITAL NOTE
This message was delivered to [redacted] for Discover debit card account number ending with XXX1.
You are receiving this e-mail because you have account at Discover.com.
Log in to change your e-mail address or overview your account e-mail options.
If you have any questions about your account, please Login to leave us a message securely and we would be glad to support you.
Please DO NOT reply to this message. auto informer system cannot accept incoming email.
DISCOVER and other trademarks, logos and service marks used in this e-mail are the trademarks of Discover Financial Services or their respective third-party owners.
Discover Banking Ltd.
P.O. Box 84265
Salt Lake City, SC 76433
2012 Discover Bank, Member FDIC
[redacted]
========
From: Discover Account Notes [mailto:donotreply @service .discover .com]
Sent: Thu 01/11/2012 16:36
Subject: Substantial Information about your Discover Account
Account Center | Customer Center
Account ending in XXX9
An significant message regarding latest Approved Activity is waiting for you.
Log In to Overview Details
Respective Cardholder,
There is an important message waiting for you from Discover® card. Please read the message carefully and keep it with your archive.
To ensure optimal privacy, please sign in to read your data at Discover.com.
Please visit discover .com if you have forgotten your Login ID or Password.
Add discover @ information .discover .com to your trusted emails to ensure delivery of these messages.
VITAL NOTIFICATION
This e-mail was sent to [redacted] for Discover card account No. ending with XXX9.
You are receiving this e-mail because you member of Discover.com.
Log in to change your e-mail address or view your account e-mail settings.
If you have any questions about your account, please Enter your account to leave us a message securely and we would be blissful to help you.
Please don't reply to this message. auto-notification system cannot accept incoming mail.
DISCOVER and other trademarks, logos and service marks used in this e-mail are the trademarks of Discover Financial Services or their respective third-party owners.
Discover Banking Llc.
P.O. Box 85486
Seashore City, NV 91138
2012 Discover Bank, Member FDIC
[redacted]
The malicious payload is at [donotclick]netgear-india .net/detects/discover-important_message.php hosted on 183.180.134.217 (RAT CO, Japan). The following domains are on that same IP, and judging by the registration details they should also be considered as malicious:
itracrions .pl
radiovaweonearch .com
steamedboasting .info
solla .at
netgear-india .net
puzzledbased .net
stempare .net
questionscharges .net
bootingbluray .net ..."
___
Hurricane Sandy SPAMs lead to survey scams
- http://nakedsecurity.sophos.com/2012...-survey-scams/
Nov 1, 2012 - "... we began to see the first online criminals trying to cash in on the interest in Hurricane Sandy. The good news is they are not trying to spread malware (yet), but the bad news is they are trying to take advantage of a natural disaster affecting millions. The subject lines of the scam messages -- "Sandy Got you down? We've got you covered!", "Don't let the storm ruin your diner plans" and "Avoid the Storm, Eat at chilis!" -- appear to be targeting people who may need to file insurance claims related to damages from the "super storm" and other people who are simply hungry. The bodies of the emails aren't terribly interesting, but every place in the message is a link to a site called "remain watery." The domain was registered on October 15th, clearly in anticipation of creating more victims from this crisis... For those who are affected by the hurricane, stay safe, stay secure, and don't fall for it. The last thing you need right now is another thing to worry about cleaning up after."
___
Hurricane Sandy pump and dump SPAM
- http://blog.commtouch.com/cafe/anti-...rricane-sandy/
Oct 31, 2012 - "... recipients are encouraged to buy into low-priced shares now that Hurricane Sandy has passed and trading has resumed.
> http://blog.commtouch.com/cafe/wp-co...stock-spam.jpg
... we see less topical spam than we used to. In the past spammers would use current events in subjects and in the text of emails to create interest and generate visits to pharmacy and replica websites..."
:mad:
Fake ADP, inTuit SPAM emails lead to malware...
FYI...
Fake ADP SPAM emails lead to BlackHole Exploit Kit
- http://blog.webroot.com/2012/11/02/a...e-exploit-kit/
Nov 2, 2012 - "... cybercriminals behind the recently profiled malicious campaign impersonating Bank of America, launched yet another massive spam campaign, this time targeting ADP customers. Upon clicking on the link found in the malicious email, users are exposed to the client-side exploits served by the latest version of the Black Hole Exploit Kit...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress....ts_malware.png
... Client-side exploits serving URL: hxxp ://reasonedblitzing .net/detects/lorrys_implication.php – 195.198.124.60, AS3301 – Email: monteene_forbrich8029 @ mauritius.com; hxxp ://nfcmpaa .info/detects/burying_releases-degree.php – 195.198.124.60, AS3301 – Email: nevein_standrin35 @ kube93mail .com...
Responding to the same IP are also the following malicious domains:
win8ss .com – Email: fermetnolega @ hotmail .com
legacywins .com – Email: fermetnolega @hotmail .com
openpolygons .net – Email: cordey_yabe139 @ flashmail .net
steamedboasting .info – Email: mauro_borozny655 @ medical .net.au
Name servers part of the campaign’s infrastructure:
Name Server: NS1.TOPPAUDIO .COM
Name Server: NS2.TOPPAUDIO .COM
We’ve already seen the same name servers used in the recently profiled “BofA ‘Online Banking Passcode Reset’ themed emails serve client-side exploits and malware” malicious campaign. Clearly, the cybercriminal or gang of cybercriminals behind the campaign continue rotating the impersonated brands, next to using the same malicious infrastructure to achieve their objectives..."
___
Fake "Payroll Account Cancelled by Intuit" email
- http://security.intuit.com/alert.php?a=67
11/2/2012 - "People are receiving emails with the title "Notification Only: Payroll Account Cancelled by Intuit." Below is a copy of the email people are receiving.
Direct Deposit Service Informer
Informational Only
We processed your payroll on November 1, 2012 at 365 PM Pacific Time.
Money would be revoked from the Checking account number ending in: XXX3 on November 2, 2012.
total to be left: $2 465.98
Paychecks would be deferred to your workforce' accounts on: November, 2, 2012
Sign In to Overview Details
Funds are typically departed before business banking hours so please be sure you have enough Cash on the account by 12 a.m. on the date Funds are to be withdrawn.
Intuit must process your payroll by 4 p.m. Eastern time, two banking days before your paycheck date or your personnel will not be paid on time. QuickBooks does not process payrolls on weekends or federal banking holidays. A list of federal banking holidays can be viewed at the Federal Reserve website.
Thank you for your business.
Regards,
Intuit Payroll Services
This is the end of the fake email..."
- http://blog.dynamoo.com/2012/11/intu...catesinfo.html
2 Nov 2012 - "... fake Intuit spam leads to malware on savedordercommunicates .info:
... Subject: Notification Only: Transaction Received by Intuit"...
The malicious payload is at [donotclick]savedordercommunicates .info/detects/bank_thinking.php hosted on 75.127.15.39 (New Wave NetConnect, US) along with another malicious domain of teamscapabilitieswhich .org. Blocking this IP would be wise."
___
Wire Transfer SPAM / webmoniacs .ru
- http://blog.dynamoo.com/2012/11/wire...moniacsru.html
2 Nov 2012 - "This fake wire transfer spam leads to malware on webmoniacs .ru:
Date: Fri, 2 Nov 2012 06:23:10 +0700
From: service @ paypal .com
Subject: RE: Wire Transfer cancelled
Dear Sirs,
The Wire transfer was canceled by the other bank.
Canceled transaction:
FED REFERENCE NUMBER: 628591160ACH34584
Transaction Report: View
The Federal Reserve Wire Network
The malicious payload is at [donotclick]webmoniacs .ru:8080/forum/links/column.php hosted on:
65.99.223.24 (RimuHosting, US)
203.80.16.81 (MYREN, Malaysia)
209.51.221.247 (eNet, US)
The following IPs and domain are all connected and should be blocked:
50.22.102.132
62.76.186.190
65.99.223.24
68.67.42.41
79.98.27.9
84.22.100.108
85.143.166.170
132.248.49.112
203.80.16.81
209.51.221.247
213.251.171.30
denegnashete .ru
dianadrau .ru
donkihotik .ru
fidelocastroo .ru
finitolaco .ru
fionadix .ru
forumibiza .ru
kiladopje .ru
lemonadiom .ru
manekenppa .ru
panacealeon .ru
panalkinew .ru
pionierspokemon .ru
ponowseniks .ru
rumyniaonline .ru
webmoniacs .ru
windowonu .ru ..."
- https://www.ic3.gov/media/2012/121101.aspx
Nov 1, 2012
:mad:
Fake Vodafone msg / Something evil on 31.193.12.3 ...
FYI...
Malware... as a Vodafone MMS message
- http://h-online.com/-1743608
5 Nov 2012 - "The phone number from which the message was supposedly sent varies... Cyber criminals are currently spreading malware by sending a large number of email messages purporting to be from Vodafone's MMS gateway. These emails have the subject "You have received a new message" and claim that the recipient has been sent a picture message over MMS from a Vodafone customer. The Vodafone email address used and the supposed telephone number sending the messages vary*; even the country code is changed based on the location being targeted...
* http://www.h-online.com/security/new...ew=zoom;zoom=1
The messages say that a picture message is in the attached "Vodafone_MMS.zip" file. However, once unzipped, it only contains an executable named "Vodafone_MMS.jpg.exe" that will install malware onto a victim's system when launched... VirusTotal*... To avoid accidentally opening such files and becoming infected with malware, Windows users should also make sure that file name extensions are always shown**..."
* https://www.virustotal.com/file/bb2f...f9a7/analysis/
File name: Vodafone_MMS.zip
Detection ratio: 11/43
Analysis date: 2012-11-05
** https://en.wikipedia.org/wiki/Filena...ecurity_issues
"... default behavior of Windows Explorer... is for filename extensions -not- to be shown... without alerting the user to the fact that (it may be) a harmful computer program..."
___
Wire Transfer & PayPal SPAM / forumibiza .ru
- http://blog.dynamoo.com/2012/11/wire...umibizaru.html
5 Nov 2012 - "These two spam campaigns lead to malware on forumibiza .ru:
Date: Mon, 5 Nov 2012 12:54:44 +0530
From: Declan Benjamin via LinkedIn ...
Subject: Wire Transfer Confirmation (FED 27845UL095)
Good afternoon,
Your Wire Transfer Amount: USD 85,714.01
Wire Transfer Report: View
ELOISA STRICKLAND,
The Federal Reserve Wire Network
==============
From: JoyceMillwee @ mail .com
Sent: 05 November 2012 01:48
Subject: Welcome to PayPal - Choose your way to pay
Welcome
Hello [redacted],
Thanks for paying with PayPal.
We congratulate you with your first Paypal money transfer. But we have hold it for the moment because the amount is over the security borders of our rules.
Here is what we have on file for you. Take a second to confirm we have your correct information.
Email
[redacted]
Confirmation Code
5693-0930-8767-9350-6794
Transfer Information
Amount: 27380.54 $
Reciever: Gracia Cooley
E-mail: Gage97742 @[redacted] .com
Accept Decline
Help Center | Security Center
Please don't reply to this email. It'll just confuse the computer that sent it and you won't get a response.
Copyright 2012 PayPal, Inc. All rights reserved. PayPal is located at 2211 N. First St., San Jose, CA 95131.
PayPal Email ID PP6118
The malicious payload in both cases is [donotclick]forumibiza .ru:8080/forum/links/column.php hosted on the following IPs:
65.99.223.24 (RimuHosting, US)
103.6.238.9 (Universiti Putra, Malaysia)
203.80.16.81 (MYREN, Malaysia) ..."
___
Something evil on 31.193.12.3
- http://blog.dynamoo.com/2012/11/some...-31193123.html
4 Nov 2012 - "These are fake AVs and drive-by downloads mostly, some seem to be promoted through low-grade banner ads, all hosted on 31.193.12.3 (Burstnet, UK**) and suballocated to:
person: Olexii Kovalenko
address: Pavlova, 15, Zaporozhye, Zaporozhye, 69000, Ua
phone: +1 570 343 2200
fax-no: +1 570 343 9533
nic-hdl: OK2455-RIPE
source: RIPE # Filtered
mnt-by: mnt-burst-au
mnt-by: mnt-burst-mu
The registration for the .asia and .eu domains is consistent in the ones I have checked:
Registrant ID:DI_23063626
Registrant Name: Javier
Registrant Organization: n/a
Registrant Address: Nevskaya street 41
Registrant Address2:
Registrant Address3:
Registrant City: Belgorad
Registrant State/Province: Belgorodskaya oblast
Registrant Country/Economy: RU
Registrant Postal Code:494980
Registrant Phone:+007.9487728744
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant E-mail:007uyfo007 @mail .ru
... I've broken the list into three parts, it's a bit messy sorry... this long list (too long to post here) contains other detected domains on the same IP. Frankly, blocking the IP address is the easiest option... there are actually more domains than listed here and some are duplicated, but it's the best I could do at the moment. Many of these domains show as evil in Google's Safe Browsing Diagnostics (example*) and I can find -zero- legitimate domains on this IP..."
* https://www.google.com/safebrowsing/...acutefile.asia
** https://www.google.com/safebrowsing/...?site=AS:29550
** https://www.google.com/safebrowsing/...?site=AS:51377
___
Fake statistics domains lead to malware
- http://blog.dynamoo.com/2012/11/fake...o-malware.html
5 Nov 2012 - "The following fake "statistics" domains lead to malware. All have been registered very recently in the past few days and are used as a redirector to other exploit kits. Perhaps they are actually performing black hat statistical tracking. Blocking them (or the associated IPs) would be wise.
bilingstats .org
bombast-atse .org
bombastatse .org
ceastats .org
colinstats .org
expertstats .org
informazionestatistica .org
melestats .org
nonolite .org
statisticaeconomica .org
statspps .org
superbombastatse .org
topbombastatse .org
ufficiostatistica .org
Hosting IPs:
31.193.133.212 (Simply Transit, UK)
91.186.19.42 (Simply Transit, UK)
95.211.180.143 (Leaseweb, Netherlands) ..."
___
Dynamic DNS sites you might want to block
- http://blog.dynamoo.com/2012/11/dyna...t-want-to.html
5 Nov 2012 - "These domains belong to ChangeIP .com, which I guess is a legitimate company providing Dynamic DNS services, but one that is being abused by the bad guys. These will be used with some random subdomain unless it's a corporate site (like ChangeIP .com itself) pointing to a random IP address somewhere... so blocking IPs won't work here.
There are two versions of this list, one links through to the Google Safe Browsing diagnostics report in case you want to review them on a case-by-case basis before blocking them. The second one is a plain list of everything in case you want to block them completely. You might notice one of the domains is called b0tnet .com which is a peculiar name for a legitimate business to register..."
(More detail at the URL above.)
:mad::mad::mad: