Zeus-SpyEye ATS module masks online Banking Theft
FYI...
Automated attack bypasses two-factor authentication
- http://www.darkreading.com/taxonomy/...e/id/240002267
Jun 18, 2012 - "A newly discovered online banking fraud tool cheats two-factor authentication, automates the attack, and hides out so that victims can't see losses or traces of the theft until long after the money is gone. Security researchers at Trend Micro during the past few months have studied a dangerous new module for Zeus and SpyEye that automatically withdraws funds from a victim's account without the attacker having to monitor the process, even if it includes strong authentication. So far, the so-called automatic transfer systems (ATS) attacks are targeting banking customers in Europe, namely in Germany, England, and Italy, where two-factor authentication is used via SMS..."
* http://www.trendmicro.com/cloud-cont...king_fraud.pdf
- http://www.infosecisland.com/blogvie...e-Banking.html
June 21, 2012 - "... it is possible to detect various active ATSs in the wild that based on a common framework used by cybercriminals to conduct automated fraud. Typically the schemes use phishing emails with links to tainted pages, malware attachments or drive-by download attacks from malicious or even compromised legitimate sites..."
:mad:
AutoCAD malware - targeted for Industrial Espionage
FYI...
- https://isc.sans.edu/diary.html?storyid=13549
Last Updated: 2012-06-25 04:19:38 UTC - "A number of sites have published an analysis of relatively new malware, ACAD/Medre.A*... somewhat unique in that it seems to be highly targeted and specialized. The current version of ACAD/Medre.A seems to be targeted at AutoCAD files hosted at IP addresses in Peru. ACAD/Medre.A is not just thrown together, low quality malware. Analysis reveals it is well written; at a level that suggests an experienced malware writer wrote it... Either it is a limited test of a new malware concept that will be unleashed on the general world in the future. The malware is written using AutoLISP, the AutoCAD built in scripting language. To the best of my knowledge the first malware written in this language. Another possibility is that it is a targeted intellectual property attack by one of the organized malware groups..."
* http://thehackernews.com/2012/06/vir...d-perfect.html
6/24/2012
- http://www.gfi.com/blog/worm-found-i...stealing-data/
June 25, 2012
___
> http://blog.eset.com/2012/06/21/acad...cal-analysis-2
June 22, 2012
Removal tool here: http://download.eset.com/special/EACADMedreCleaner.exe
:mad: :sad:
UPS delivery tracking SPAM emails serving client-side exploits and malware
FYI...
- http://blog.webroot.com/2012/06/25/s...s-and-malware/
June 25, 2012 - "Cybercriminals are currently spamvertising millions of emails impersonating United Parcel Service (UPS) in an attempt to trick end and corporate users into clicking on exploits and malware serving links found in the malicious emails... Upon clicking on the link, the campaign is serving client-side exploits using the Black Hole web malware exploitation kit, and in this particular campaign it’s attempting to exploit CVE-2010-1885 and CVE-2012-0507...
> https://www.virustotal.com/file/267a...is/1339706944/
File name: Shipping, Freight, Logistics and Supply Chain Management from UPS.htm
Detection ratio: 2/42
Analysis date: 2012-06-14 20:49:04 UTC
... Upon successful client-side exploitation the second malicious URL drops MD5: 5e187c293a563968dd026fae02194cfa, detected by 3 out of 42 antivirus scanners as PAK_Generic.001. Upon execution it creates the following file:
%AppData%\KB00121600.exe – MD5: 5E187C293A563968DD026FAE02194CFA - detected by 3 out of 42 antivirus scanners as PAK_Generic.001
Upon execution, the sample phones back to 123.49.61.59 /zb/v_01_b/in on port 8080. Another sample is known to have phoned back to the same URL, namely, MD5: 108F10F0921F2B4FCA87FE6E620D21EF which phones back..."
(More detail at the webroot URL above.)
:mad:
Fake PayPal account confirmation emails lead to phishing sites...
FYI...
- http://blog.webroot.com/2012/06/26/s...hishing-sites/
June 26, 2012 - "... Phishers have just started spamvertising hundreds of thousands of legitimately-looking PayPal themed emails, in an attempt to trick users into entering their accounting data on the fraudulent web site linked in the emails...
Screenshot of the spamvertised PayPal themed campaign:
> https://webrootblog.files.wordpress....ng?w=458&h=250
... Sample spamvertised text:
Dear PayPal Costumer, It has come to our attention that your PayPal® account information needs to be updated as part of our continuing commitment to protect your account and to reduce the instance of fraud on our website. If you could please take 5-10 minutes out of your online experience and update your personal records you will not run into any future problems with the online service. However, failure to update your records will result in account suspension. Please update your records before June 12, 2012. Once you have updated your account records, your PayPal® account activity will not be interrupted and will continue as normal.
Upon clicking on the link found in the phishing emails, users are presented with the following legitimately-looking PayPal login page:
> https://webrootblog.files.wordpress...._paypal_02.png
Users are advised to avoid interacting with the emails, and to report them as fraudulent/malicious as soon as they receive them."
:mad:
Fake email / SPAM leads to malware... 2012.06.28
GoPro is compromised serving malicious code
FYI...
- http://community.websense.com/blogs/...ious-code.aspx
4 Jul 2012 - "... Websense... has detected that the official website of GoPro (at gopro.com), the popular brand for "wearable" cameras, has been compromised and injected with malicious code. We have contacted GoPro and let them know about the compromise but to date, we have not heard back from them... The injected code is resident in multiple locations on the main page. This injection is part of mass injection that is known to us and that is doing its rounds over the web at the moment... Once a user visits gopro .com the injected code gets translated to an Iframe that leads the user automatically and without any interaction to a malicious redirector at ad.fourtytwo.proadvertise .net ... The malicious redirector at ad.fourtytwo.proadvertise .net further redirects the user to an exploit Website loaded with the Blackhole exploit kit located at ad.banchoath .com. On the exploit website several exploits are sent to the user's browser and on successful exploitation the user's machine is infected with malware, at the time of the post... according to virustotal...
* https://www.virustotal.com/file/f277...b46b/analysis/
File name: !r033PlxM.exe
Detection ratio: 4/42
Analysis date: 2012-07-04 17:44:13 UTC
... The injected code translates to an Iframe that takes without user interaction the visitor to an exploit Website..."
___
- http://google.com/safebrowsing/diagn...advertise.net/
Site is listed as suspicious - visiting this web site may harm your computer... the last time suspicious content was found on this site was on 2012-07-04. Malicious software includes 1 trojan...
- http://google.com/safebrowsing/diagn...banchoath.com/
Site is listed as suspicious - visiting this web site may harm your computer... the last time suspicious content was found on this site was on 2012-07-04. Malicious software includes 7 trojan(s)...
:mad:
Java exploit-in-the-wild ...
FYI...
- https://krebsonsecurity.com/2012/07/...-exploit-kits/
July 5, 2012 - "... more than 3 billion devices run Java and many of these installations are months out of date... a malicious “.jar” file that — when scanned at Virustotal.com — was detected by just -one- antivirus product (Avira), which flagged it as Java/Dldr.Lamar.BD*. The description of that threat says it targets a Java vulnerability tagged as CVE-2012-1723, a critical bug fixed in Java 6 Update 33 and Java 7 Update 5**..."
* https://www.avira.com/en/support-thr...FDldr.Lamar.BD
** http://forums.spybot.info/showpost.p...69&postcount=4
- http://web.nvd.nist.gov/view/vuln/de...=CVE-2012-1723 - 10.0 (HIGH)
Verify: https://www.java.com/en/download/ins...tect=jre&try=1
___
- http://h-online.com/-1636577
11 July 2012
Ongoing...
- https://threatpost.com/en_us/blogs/b...23-flaw-071612
July 16, 2012 - "... Websense* said that they've seen the Black Hole exploit kit targeting this vulnerability and using a series of freshly registered domains... The vulnerability could evade the JRE (Java Runtime Environment) sandbox and load additional Java classes in order to perform malicious actions..."
* http://community.websense.com/blogs/...2012-1723.aspx
15 Jul 2012
:fear: :mad:
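Added example (not part of the original posts or of any vendor's tooling): a small check that classifies captured `java -version` output against the fixed levels quoted above for CVE-2012-1723 (Java 6 Update 33, Java 7 Update 5). The host names and inventory are constructed, and the legacy "1.x.0_NN" version-string format is assumed.

```python
import re

# Fixed levels for CVE-2012-1723 as stated in the post above:
# Java 6 Update 33 and Java 7 Update 5. Other families are not covered there.
FIXED_UPDATE = {6: 33, 7: 5}

# Legacy version string printed by `java -version` (on stderr), e.g. "1.6.0_32".
VERSION_RE = re.compile(r'version "1\.(\d+)\.\d+(?:_(\d+))?[^"]*"')


def parse_java_version(banner):
    """Return (family, update) from `java -version` output, or None."""
    m = VERSION_RE.search(banner)
    if m is None:
        return None
    # A string without "_NN" (e.g. "1.7.0") is the initial release: update 0.
    return int(m.group(1)), int(m.group(2) or 0)


def cve_2012_1723_status(banner):
    """Classify one banner as 'patched', 'vulnerable' or 'unknown'."""
    parsed = parse_java_version(banner)
    if parsed is None:
        return "unknown"
    family, update = parsed
    fixed = FIXED_UPDATE.get(family)
    if fixed is None:
        return "unknown"  # family not mentioned in the post
    return "patched" if update >= fixed else "vulnerable"


def hosts_needing_update(inventory):
    """Return sorted host names whose JRE is not confirmed patched."""
    return sorted(h for h, b in inventory.items()
                  if cve_2012_1723_status(b) != "patched")


# Constructed sample inventory: host name -> captured `java -version` output.
SAMPLE_INVENTORY = {
    "ws-01": 'java version "1.6.0_32"',
    "ws-02": 'java version "1.6.0_33"',
    "ws-03": 'java version "1.7.0_04"',
    "ws-04": 'java version "1.7.0_05"',
    "ws-05": 'java version "1.5.0_22"',
}

if __name__ == "__main__":
    for host in hosts_needing_update(SAMPLE_INVENTORY):
        print(host, cve_2012_1723_status(SAMPLE_INVENTORY[host]))
```

Hosts reported as "unknown" are listed alongside the vulnerable ones so that unrecognised or older Java families get a manual look.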
Phishing campaign targeting Gmail, Yahoo, AOL and Hotmail ...
FYI...
- http://blog.webroot.com/2012/07/09/p...d-in-the-wild/
July 9, 2012 - "... intercepted a currently active phishing campaign that’s a good example of a popular tactic used by cybercriminals known as ‘campaign optimization’. The reason this campaign is well optimized is due to the fact that it simultaneously targets Gmail, Yahoo, AOL and Windows Hotmail email users... Sample screenshot of the spamvertised phishing email:
> https://webrootblog.files.wordpress....ng?w=333&h=159
Spamvertised URL hosted on a compromised Web server: tanitechnology .com/fb/includes/examples/properties/index .htm - the URL is currently -not- detected by any of the 28 phishing URL scanning services used by the VirusTotal service. Sample screenshot of the landing phishing page affecting multiple free email service providers:
> https://webrootblog.files.wordpress....ng?w=280&h=320
What makes an impression is the poor level of English applied to the campaign’s marketing creative. Moreover, it’s rather awkward to see that the landing phishing page is themed using the Online Real Estate brand Remax, a brand that has nothing to do with the enforcement of a particular marketing message related to the phishing campaign. Users are advised to avoid interacting with similar pages, and to always ensure that they’re on the right login page before entering their accounting data."
:fear::mad:
Virus Outbreak in Progress - 2012.07.11...
FYI...
http://www.ironport.com/toc/media/to...at_level_3.gif
Red - Virus Outbreak In Progress
- http://www.ironport.com/toc/
July 11, 2012
- http://tools.cisco.com/security/cent...utbreak.x?i=77
Fake Personal Photos E-mail Messages... Updated July 11, 2012
Fake Portuguese Contract Confirmation Email Messages... New July 11, 2012
Fake Hotel Reservation Confirmation Details E-mail Messages... Updated July 11, 2012
Fake DHL Express Tracking Notification E-mail Messages... Updated July 11, 2012
Unknown Malicious Files Distributed in E-mail Messages... New July 11, 2012
Fake USPS Parcel Delivery Failure Notification E-mail Messages... Updated July 11, 2012
Fake Warning Notification E-mail Messages... Updated July 11, 2012
Fake DHL Express Tracking Notification E-mail Messages... Updated July 11, 2012 ...
:fear: :mad: