Bogus USPS, SMS SPAM lead to malware
FYI...
Bogus USPS emails lead to malware
- http://blog.webroot.com/2012/11/06/u...ad-to-malware/
Nov 6, 2012 - "... mass mailing millions of emails impersonating The United States Postal Service (USPS), in an attempt to trick its customers into downloading and executing the malicious .zip archive linked in the bogus emails. Upon execution, the malware opens a backdoor on the affected host, allowing the cybercriminals behind the campaign to gain complete control over the host...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress....am_malware.jpg
Spamvertised compromised URL: hxxp ://www .unser-revier-bruchtorf-ost .de/FWUJKKOGMP.html
Actual malicious archive URL: hxxp ://www .unser-revier-bruchtorf-ost .de/Shipping_Label_USPS.zip
Detection rate: MD5: 089605f20e02fe86b6719e0949c8f363 * ... UDS:DangerousObject.Multi.Generic
Upon execution, the sample phones back to the following URLs...
(See the 1st webroot URL above - long list of IPs.) ... 64.151.87.152, 66.7.209.185, 173.224.211.194, 46.105.121.86, 222.255.237.132, 64.151.87.152, 79.170.89.209, 217.160.236.108, 88.84.137.174, 46.105.112.99, 50.22.136.150, 130.88.105.45, 91.205.63.194, 95.173.180.42, 217.160.236.108 ..."
* https://www.virustotal.com/file/372b...is/1351876562/
File name: Shipping_Label_USPS.exe
Detection ratio: 5/44
Analysis date: 2012-11-02
___
SMS SPAM: "Records passed to us show you're entitled to a refund approximately £2130"
- http://blog.dynamoo.com/2012/11/sms-...o-us-show.html
6 Nov 2012 - "More SMS spam from.. well, I think the ICO will shortly reveal who. It's not just a spam, but it's also a scam because the spammers are attempting to persuade you to make fraudulent claims. Not everyone is eligible for a PPI refund, and I'm certainly not.. no "records" exist, it's just a scammy sales pitch. Avoid.
Records passed to us show you're entitled to a refund approximately £2130 in compensation from mis-selling of PPI on your credit card or loan.Reply INFO or stop
In this case, the sender's number is +447585858897, although it will change as it gets blocked by the networks. If you get one of these, you should forward the spam and the sender's number to your carrier. In the case of T-Mobile, O2 and Orange the number to report to is 7726 ("SPAM"). Vodafone customers should use 87726 ("VSPAM") and Three customers should use 37726 ("3SPAM"). Hopefully the carriers will act if there are enough complaints."
___
Fake Apple "Account Info Change" SPAM / welnessmedical .com
- http://blog.dynamoo.com/2012/11/appl...ange-spam.html
6 Nov 2012 - "Not malware this time, but Pharma spam.. the links in this fake Apple message lead to welnessmedical .com.
From: Apple [ appleid @ id.arcadiadesign .it]
Sent: Tue 06/11/2012 18:30
Subject: Account Info Change
Hello,
The following information for your Apple ID [redacted] was updated on 11/06/2012:
Date of birth
Security question(s) and answer(s)
If these changes were made in error, or if you believe an unauthorized person accessed your account, please reset your account password immediately by going to iforgot.apple.com.
To review and update your security settings, sign in to appleid.apple.com.
This is an automated message. Please do not reply to this email. If you need additional help, visit Apple Support.
Thanks,
Apple Customer Support
TM and copyright © 2012 Apple Inc. 1 Infinite Loop, MS 96-DM, Cupertino, CA 95014.
All Rights Reserved / Keep Informed / Privacy Policy / My Apple ID
The fake pharma site (welnessmedical.com) is hosted on 84.22.127.43 along with a bunch of other ones, plus some additional sites one IP over at 84.22.127.44... Oddly, 84.22.127.43 doesn't seem to be registered at RIPE. No matter, we know who the owner of 84.22.127.0 is.. our old friends Cyberbunker again, who have registered the block with fake details. How RIPE lets them get away with this I don't know. If you can, I recommend blocking the entire 84.22.96.0/19 range as almost everything here is pretty seedy. You can read more about Cyberbunker's very dark grey hat activities over at Wikipedia* if you want more information."
* http://en.wikipedia.org/wiki/CyberBunker
___
Fake "Scan from a Xerox WorkCentre Pro" / peneloipin .ru
- http://blog.dynamoo.com/2012/11/scan...entre-pro.html
6 Nov 2012 - "This fake printer spam leads to malware on peneloipin .ru:
From: Keshawn Burns - MaribelParchment @ hotmail .com
Sent: 06 November 2012 05:09
Subject: Scan from a Xerox WorkCentre Pro #47938830
Please open the attached document. It was scanned and sent
to you using a Xerox WorkCentre Pro.
Sent by: Keshawn
Number of Images: 5
Attachment File Type: .HTML [Internet Explorer file]
Xerox WorkCentre Location: machine location not set
The attachment contains some obfuscated Javascript that redirects the visitor to a malicious payload on [donotclick]peneloipin .ru:8080/forum/links/column.php hosted on some IPs that have been used several times before for malware:
65.99.223.24 (RimuHosting, US)
103.6.238.9 (Universiti Putra, Malaysia)
203.80.16.81 (MYREN, Malaysia)
The following malicious domains are also hosted on the same servers:
forumibiza .ru
kiladopje .ru
donkihotik .ru
lemonadiom .ru
peneloipin .ru
panacealeon .ru
finitolaco .ru
fidelocastroo .ru
ponowseniks .ru
dianadrau .ru
panalkinew .ru
fionadix .ru ..."
Fake ‘Scan from a Xerox W. Pro’ emails lead to BlackHole Exploit Kit
FYI...
Fake ‘Fwd: Scan from a Xerox W. Pro’ emails lead to BlackHole Exploit Kit
- http://blog.webroot.com/2012/11/07/f...e-exploit-kit/
Nov 7, 2012 - "... malicious cybercriminals spamvertise millions of emails attempting to trick end users into thinking that they’ve received a scanned document. Upon clicking on the links found in these emails, or viewing the malicious .html attachment, users are automatically exposed to the client-side exploits served by the latest version of the BlackHole Exploit Kit... The first is mimicking a Xerox Pro printer, and the second is claiming to be a legitimate Wire Transfer. Both of these campaigns point to the same client-side exploits serving URL, indicating that they’ve been launched by the same cybercriminal/gang of cybercriminals.
Sample screenshots of the spamvertised emails:
> https://webrootblog.files.wordpress....ts_malware.png
> https://webrootblog.files.wordpress....malware_01.png
... sample javascript obfuscation: MD5: 0a8a06770836493a67ea2e9a1af844bf * ... Mal/JSRedir-M
... dropped malware: MD5: 194655f7368438ab01e80b35a5293875 ** ... Trojan-Ransom.Win32.PornoAsset.avzz
panalkinew .ru responds to the following IPs – 203.80.16.81, AS24514; 209.51.221.247, AS10297; 213.251.171.30, AS16276 ..."
* https://www.virustotal.com/file/c655...ea40/analysis/
File name: Scan_N13004.htm
Detection ratio: 24/44
Analysis date: 2012-11-05
** https://www.virustotal.com/file/f8aa...5ed8/analysis/
File name: d34c2e80562a36fb762be72e490b7793887c3192
Detection ratio: 25/43
Analysis date: 2012-11-01
___
Fake Intercompany Invoice SPAM / controlleramo .ru
- http://blog.dynamoo.com/2012/11/inte...oice-spam.html
7 Nov 2012 - "This fake invoice spam leads to malware on controlleramo .ru:
Date: Wed, 7 Nov 2012 07:29:44 -0500
From: LinkedIn [welcome@linkedin.com]
Subject: Re: Intercompany inv. from Beazer Homes USA Corp.
Attachments: Invoice_e49580.htm
Hi
Attached the corp. invoice for the period July 2012 til Aug. 2012.(Internet Explorer file)
Thanks a lot for supporting this process
Rihanna PEASE
Beazer Homes USA Corp.
The attachment contains obfuscated Javascript that attempts to direct the visitor to a malicious payload at [donotclick]controlleramo .ru:8080/forum/links/column.php hosted on:
103.6.238.9 (Universiti Putra, Malaysia)
203.80.16.81 (MYREN, Malaysia)
209.51.221.247 (eNet, US)
These IP addresses have been used in several attacks recently, and you should block access to them if you can."
___
Phishers take aim at USAA
- http://www.gfi.com/blog/phishers-take-aim-at-usaa/
Nov 7, 2012 - "Customers of the United Services Automobile Association, or USAA, are confronted with a faceless threat and may likely find themselves within enemy territory... if they’re not careful enough. Our researchers in the AV Labs spotted a phishing attack aimed at USAA customers who are mainly military service members, veterans and their families. The attack starts with the following spam:
> http://www.gfi.com/blog/wp-content/u...AACred_115.png
From: {random}
To: {random}
Subject: USAA – Account Security Update
Message body:
Dear Valued Customer,
We detected irregular activities on your USAA Internet Banking account. Your Internet banking account has been temporarily suspended for your protection, you must verify this activity before you can continue using your Internet banking account with USAA Bank.
Please follow the reference link below to verify your account.
[link] Click here to verify [/link]
Security advice : Always log-off completely your Internet banking account after using internet banking from a public places or computer for security reasons.
Thank you,
USAA Internet Banking.
Once a recipient clicks Click here to verify, he/she is then taken to a legitimate-looking USAA login page... take note of the URL:
> http://www.gfi.com/blog/wp-content/u...11/usaa011.png
This phishing page asks for a member’s Online ID, password and the PIN number of their USAA-issued credit or debit card, which the phishers made a compulsory detail to add on the login page. Note, however, that the actual USAA login page* does -not- ask for their members’ PINs. PIN numbers can personally identify individuals and their owners must only have sole knowledge of them. Members must never disclose them to any service provider or individual. Likewise, service providers must never ask for them (as proof of membership) nor store them in any form. Private citizens are also not safe from this phishing attack. Although USAA caters more to the military folks and their families, USAA has made available its online banking service to anyone, locally and internationally. USAA clients should be aware that phishing attacks are happening not just to online banking and e-commerce sites but also to financial services and insurance companies. We advise recipients of the phishing email to -delete- it from their inboxes..."
* https://www.usaa.com/inet/ent_logon/Logon
>> https://www.usaa.com/inet/pages/advi...ishing%20email
>>> https://www.youtube.com/watch?featur...v=KYiKATvQvWw#!
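Added example (not code from dynamoo, Webroot or any tool mentioned in the posts above): a small proxy-log check built from the indicators quoted in the Xerox, Intercompany Invoice and Cyberbunker posts. The point it demonstrates is that the .ru landing URLs all share the same ":8080/forum/links/column.php" port and path, so matching on that pattern catches the next rotated domain before it appears in anyone's list. Assumptions: the log format (a minimal Squid-like "timestamp client method url dest-ip" line) and the sample log lines are constructed for illustration; the domains and IPs are the ones quoted on this page, refanged so they match real traffic.

```python
"""Scan proxy log lines for the BlackHole landing pattern quoted above.

Added example; not code from dynamoo, Webroot or any tool named on this page.
Assumptions (constructed for illustration): a minimal Squid-like log line of
"timestamp client method url dest-ip", and the sample log text below.
Indicators are the ones quoted in the posts, refanged so they match real traffic.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Landing-page domains quoted on the page (one omitted on purpose, see SAMPLE_LOG).
BAD_DOMAINS = {"peneloipin.ru", "controlleramo.ru", "canadianpanakota.ru"}
# IPs dynamoo lists as hosting the payload.
BAD_IPS = {"65.99.223.24", "103.6.238.9", "203.80.16.81", "209.51.221.247"}
# Range dynamoo recommends blocking outright (Cyberbunker).
BAD_NETS = [ipaddress.ip_network("84.22.96.0/19")]
# Every .ru landing URL quoted above shares this port and path, so match on the
# pattern as well as on the domain; it catches the next rotated domain too.
LANDING_PORT = 8080
LANDING_PATH = "/forum/links/column.php"

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<dest>\S+)$"
)


def _in_bad_net(ip):
    """True when ip falls inside any blocked CIDR range; malformed input is not a match."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in BAD_NETS)


def classify(url, dest_ip):
    """Return the list of reasons a request matches (empty list = clean)."""
    reasons = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    if host in BAD_DOMAINS:
        reasons.append("domain")
    if dest_ip in BAD_IPS:
        reasons.append("ip")
    if _in_bad_net(dest_ip):
        reasons.append("cidr")
    try:
        port = parts.port
    except ValueError:  # malformed port in the URL
        port = None
    if port == LANDING_PORT and parts.path == LANDING_PATH:
        reasons.append("blackhole-path")
    return reasons


def scan(log_text):
    """Return (client, url, reasons) for every log line that matches something."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines rather than crash a batch job
        reasons = classify(m["url"], m["dest"])
        if reasons:
            hits.append((m["client"], m["url"], reasons))
    return hits


# Constructed sample log: line 2 is a known domain+IP, line 3 only falls in the
# blocked range, line 4 is a domain NOT in the list that the path rule still catches.
SAMPLE_LOG = """\
1352289600.101 10.0.0.5 GET http://www.example.com/ 93.184.216.34
1352289601.220 10.0.0.5 GET http://controlleramo.ru:8080/forum/links/column.php 203.80.16.81
1352289602.330 10.0.0.7 GET http://cdn.example.net/static/app.js 84.22.127.43
1352289603.440 10.0.0.9 GET http://forumibiza.ru:8080/forum/links/column.php 120.138.20.54
"""

if __name__ == "__main__":
    for client, url, reasons in scan(SAMPLE_LOG):
        print(client, url, ",".join(reasons))
```

Feed it your own proxy export in place of SAMPLE_LOG; the "blackhole-path" reason is the one worth alerting on, since domain and IP lists go stale within days while the kit's landing path stayed constant across every campaign quoted here.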
Fake Discover Card emails - and more...
FYI...
Fake Discover Card emails serve client-side exploits and malware
- http://blog.webroot.com/2012/11/08/y...s-and-malware/
8 Nov 2012 - "Cybercriminals are currently spamvertising millions of emails impersonating Discover, in an attempt to trick cardholders into clicking on the client-side exploits serving URLs found in the malicious emails. Upon clicking on the links, users are exposed to the client-side exploits served by the latest version of the BlackHole Exploit Kit.
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress....ts_malware.png
... Sample detection rate for the dropped malware: MD5: 80601551f1c83ee326b3094e468c6b42 * ... UDS:DangerousObject.Multi.Generic
Upon execution, the sample phones back to 200.169.13.84 :8080/AJtw/UCyqrDAA/Ud+asDAA, AS21574
Client-side exploits serving domain reconnaissance:
teamscapabilitieswhich.org responds to 183.180.134.217, AS2519 – Email: anil_valiquette124 @ dawnsonmail .com
Name Server: NS1.CHELSEAFUN.NET – 173.234.9.89
Name Server: NS2.CHELSEAFUN.NET – 65.131.100.90
netgear-india .net – 183.180.134.217, AS2519
Name Server: NS1.TOPPAUDIO .COM - 91.216.93.61
Name Server: NS2.TOPPAUDIO .COM - 173.234.9.89 ..."
* https://www.virustotal.com/file/44c3...0589/analysis/
File name: KB01474670.exe
Detection ratio: 4/44
Analysis date: 2012-11-02
___
getyourbet .org injection attack
- http://blog.dynamoo.com/2012/11/gety...on-attack.html
8 Nov 2012 - "There seems to be an injection attack doing the rounds, the injected domain is getyourbet .org hosted on 31.184.192.237. The domain registration details are:
Registrant ID:TOD-42842658
Registrant Name:ChinSec
Registrant Organization:ChinSec
Registrant Street1:Beijing
Registrant Street2:
Registrant Street3:
Registrant City:Beijing
Registrant State/Province:BJ
Registrant Postal Code:519000
Registrant Country:CN
Registrant Phone:+86.5264337745
Registrant Phone Ext.:
Registrant FAX:+86.5264337745
Registrant FAX Ext.:
Registrant Email:chinseccdomains @ yahoo .com
The domain was created on 12th October. The IP address is in Russia (PIN-DEDICATEDSERVERS-NET).
This is a two stage attack, if getyourbet .org is called with the correct referrer parameters then the victim ends up at another server at 64.202.123.3 (Hostforweb, US) that tries to serve up a malicious payload. This server contains a bunch of subdomains from a hacked GoDaddy account.
pin.panacheswimwear .co.uk
physical.oneandonlykanuhura .com
pig.onmailorder .com
picture.onlyplussizes .com
person.nypersonaltrainers .com
pipe.payday-loanstoday .com
I've seen this sort of abuse of GoDaddy domains before, the main "www" domain resolves OK, but the subdomains get pointed elsewhere. There's either a problem with GoDaddy or this is done through a phish.
Anyway, block 64.202.123.3 and 31.184.192.237 if you can to prevent further attacks."
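Added example (not dynamoo's tooling) for the GoDaddy subdomain pattern described above, where the "www" host resolves normally but extra subdomains are pointed at a foreign server. The check below flags any subdomain whose address sits outside the /24 of its own apex and www records, then groups the strays by IP so that many unrelated domains converging on one address stands out. The RECORDS table is constructed: only the subdomain to 64.202.123.3 pairs come from the post, the apex/www addresses are TEST-NET placeholders, and a real run would replace the table with live DNS lookups (assumed, not shown, so the example runs offline).

```python
"""Flag subdomains that resolve away from their parent site.

Added example; not dynamoo's tooling. The RECORDS table is constructed: only
the subdomain -> 64.202.123.3 pairs come from the post, apex/www addresses are
TEST-NET placeholders. Real use would fill RECORDS from DNS lookups.
"""
import ipaddress
from collections import defaultdict

RECORDS = {
    "panacheswimwear.co.uk": "198.51.100.10",       # constructed placeholder
    "www.panacheswimwear.co.uk": "198.51.100.10",   # constructed placeholder
    "pin.panacheswimwear.co.uk": "64.202.123.3",    # from the post
    "onmailorder.com": "198.51.100.20",             # constructed placeholder
    "www.onmailorder.com": "198.51.100.20",         # constructed placeholder
    "shop.onmailorder.com": "198.51.100.21",        # same /24 as apex: a legitimate extra host
    "pig.onmailorder.com": "64.202.123.3",          # from the post
}
# Apexes are given explicitly because public-suffix rules (co.uk vs com) vary.
APEXES = ["panacheswimwear.co.uk", "onmailorder.com"]


def apex_of(host, apexes):
    """Longest apex that host belongs to, or None if it matches none."""
    best = None
    for apex in apexes:
        if host == apex or host.endswith("." + apex):
            if best is None or len(apex) > len(best):
                best = apex
    return best


def _net24(ip):
    """The /24 containing ip; coarse on purpose, hosting blocks are rarely narrower."""
    return ipaddress.ip_network(ip + "/24", strict=False)


def stray_subdomains(records, apexes):
    """Return {subdomain: ip} for hosts whose address sits outside the /24 of
    every trusted address (apex and www) of their own domain."""
    trusted = defaultdict(set)
    for host, ip in records.items():
        apex = apex_of(host, apexes)
        if apex and host in (apex, "www." + apex):
            trusted[apex].add(_net24(ip))
    stray = {}
    for host, ip in records.items():
        apex = apex_of(host, apexes)
        if not apex or host in (apex, "www." + apex):
            continue
        if _net24(ip) not in trusted[apex]:
            stray[host] = ip
    return stray


def group_by_ip(stray):
    """Group strays by destination: several domains all landing on one foreign IP
    is exactly the pattern the post describes."""
    by_ip = defaultdict(list)
    for host, ip in stray.items():
        by_ip[ip].append(host)
    return {ip: sorted(hosts) for ip, hosts in by_ip.items()}


if __name__ == "__main__":
    for ip, hosts in group_by_ip(stray_subdomains(RECORDS, APEXES)).items():
        print(ip, "<-", ", ".join(hosts))
```

Run it against a zone export or a passive-DNS dump of your own domains; a single subdomain on a different /24 may be a CDN or a mail host, but several domains' strays sharing one address is the signal to pull the registrar account logs.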
Fake Intuit, Changelog emails lead to malware
FYI...
Fake Intuit emails lead to BlackHole Exploit Kit
- http://blog.webroot.com/2012/11/09/p...e-exploit-kit/
Nov 9, 2012 - "Intuit users, beware! Cybercriminals are currently mass mailing millions of emails impersonating Intuit’s Direct Deposit Service, in an attempt to trick its users into clicking on the malicious links found in the legitimate-looking emails. Upon clicking on -any- of them, users are exposed to the client-side exploits served by the latest version of the BlackHole Exploit Kit...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress....ts_malware.png
... Detection rate for the dropped malware: MD5: ebe81fe9a632726cb174043f6ac93e46 * ... Trojan.Win32.Bublik.qqf
Client-side exploits serving domain reconnaissance:
savedordercommunicates .info – 75.127.15.39, AS36352 – Email: heike_ruigrok32 @ naplesnews .net
Name Server: NS1.CHELSEAFUN .NET – 173.234.9.89, AS15003 – also responding to the same IP is the following malicious name server: ns1.nationalwinemak .com
Name Server: NS2.CHELSEAFUN .NET – 65.131.100.90, AS209
We’ve already seen the -same- name servers used in the previously profiled “‘Your Discover Card Services Blockaded’ themed emails serve client-side exploits and malware” malicious campaign, indicating that both of these campaigns are managed by the same malicious party.
Responding to the same IP (75.127.15.39) is also the following malicious domain:
teamscapabilitieswhich .org..."
* https://www.virustotal.com/file/4619...1e14/analysis/
File name: download
Detection ratio: 29/44
Analysis date: 2012-11-08
___
Changelog SPAM / canadianpanakota .ru
- http://blog.dynamoo.com/2012/11/chan...anakotaru.html
9 Nov 2012 - "This spam leads to malware on canadianpanakota .ru:
Date: Fri, 9 Nov 2012 11:55:11 +0530
From: LinkedIn Password [password @ linkedin .com]
Subject: Re: Changlog 10.2011
Attachments: changelog4-2012.htm
Hello,
as promised changelog,(Internet Explorer File)
The attachment leads to a malicious payload at [donotclick]canadianpanakota .ru :8080/forum/links/column.php hosted on the following IPs:
120.138.20.54 (SiteHost, New Zealand)
202.180.221.186 (GNet, Mongolia)
203.80.16.81 (MYREN, Malaysia)
These IPs will probably be used in other attacks, blocking access to them now might be prudent. The following IPs and domains are all related:
120.138.20.54
202.180.221.186
203.80.16.81
canadianpanakota .ru
controlleramo .ru
donkihotik .ru
finitolaco .ru
fionadix .ru
forumibiza .ru
lemonadiom .ru
peneloipin .ru
moneymakergrow .ru ..."
Fake AmExpress emails serve client-side exploits and malware
FYI...
Fake American Express emails serve client-side exploits and malware...
- http://blog.webroot.com/2012/11/12/a...s-and-malware/
Nov 12, 2012 - "American Express cardholders, beware! Over the past week, cybercriminals mass mailed millions of emails impersonating American Express, in an attempt to trick its customers into clicking on the malicious links found in the emails. Upon clicking on any of the links, users are redirected to a malicious URL serving client-side exploits courtesy of the BlackHole Exploit Kit....
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress....ts_malware.png
... Malicious domain name reconnaissance:
stempare .net – 109.123.220.145, AS15685 – Email: rebe_bringhurst1228 @ i-connect .com
Name Server: NS1.TOPPAUDIO .COM – 91.216.93.61, AS50300 – Email: windowclouse @ hotmail .com
Name Server: NS2.TOPPAUDIO .COM – 29.217.45.138 – Email: windowclouse @ hotmail .com ...
Upon loading of the malicious URL, a malicious PDF file exploiting CVE-2010-0188 is used to ultimately drop the actual payload – MD5: c8c607bc630ee2fe6a8c31b8eb03ed43 * ... Trojan.Win32.Bublik.ptf...
Upon execution, the dropped malware requests a connection to 192.5.5.241 :8080 and then establishes a connection with 210.56.23.100 :8080/Ajtw/UCygrDAA/Ud+asDAA (AS7590, Commission For Science And Technology, Pakistan). The following domain responds to this IP: discozdata .org. It is currently blacklisted in 25 anti-spam lists. The following URLs are known to have (been) directly serving malicious content, and act as command and control servers in the past:
210.56.23.100 :8080/asp/intro.php
210.56.23.100 :8080/za/v_01_a/in ...
The last time we came across this IP (210.56.23.100), was in July 2012's analysis of yet another malicious campaign, this time impersonating American Airlines..."
* https://www.virustotal.com/file/06af...6182/analysis/
File name: c8c607bc630ee2fe6a8c31b8eb03ed43
Detection ratio: 15/43
Analysis date: 2012-11-02
___
Cableforum.co .uk hacked?
- http://blog.dynamoo.com/2012/11/cabl...uk-hacked.html
12 Nov 2012 - "Cableforum.co .uk is a popular and useful UK site about digital TV and broadband. Unfortunately, the email address list has leaked out and is being used for spamming, for example:
NatWest : Helpful Banking
Dear Valued Member ;
To prevent unauthorized access to your accounts, your online service has been temporarily locked. No further log in attempts will be accepted.
This is a procedure that automatically occur when an invalid information is submitted during the log in process.
Please follow the provided steps below to confirm your identity
and restore your online access...
> https://lh3.ggpht.com/-v0aFooReF9M/U...00/natwest.png
This is a standard NatWest phish. It doesn't originate from Cableforum.co.uk or its servers, but it is sent to an address ONLY used for Cableforum, so it must have leaked out somehow... Sadly, crap like this happens to good websites... Clearly there has been a problem for several months, although it isn't clear when such an address leak occurred or what data was taken with it. You should always assume that the passwords have been compromised and change it, plus change it anywhere that you re-use the same password."
Blackhole exploit kit - top threat by a large margin
FYI...
Blackhole exploit kit - top threat by a large margin
- https://blogs.technet.com/b/security...w-heights.aspx
12 Nov 2012 - "... exploit activity has increased substantially over the past year... large increases in HTML/JavaScript exploit activity and Oracle Java exploit activity are major contributors to this trend... the top threat family driving these detections is Blacole, also known as the “Blackhole” exploit kit. Blacole, a family of exploits used by the so-called Blackhole exploit kit to deliver malicious software through infected webpages, was the most commonly detected exploit family in the first half of 2012 by a large margin*. This kit can be bought or rented on hacker forums and through other illegitimate outlets. The kit consists of a collection of malicious webpages that contain exploits for vulnerabilities in versions of Adobe Flash Player, Adobe Reader, Microsoft Data Access Components (MDAC), the Oracle Java Runtime Environment (JRE), and other popular products and components** ... In years past it was rare to see an exploit in the top ten list of threats for a country/region. In 2012-Q2 at least one exploit was in the top ten list of threats for 51 locations of the 105 countries/regions (49%) reported on in SIRv13***. Blacole is in the top ten lists of twenty-seven of these locations ..."
* https://blogs.technet.com/cfs-filesy...-43/3683.2.jpg
** https://blogs.technet.com/cfs-filesy...-43/6443.1.jpg
*** http://www.microsoft.com/security/si...t/default.aspx
___
New Java attack introduced into "Cool Exploit Kit"
- https://threatpost.com/en_us/blogs/n...oit-kit-111212
Nov 12, 2012 - "A new exploit has been found in the Cool Exploit Kit for a vulnerability* in Java 7 Update 7 as well as older versions, a flaw that’s been patched by Oracle in Java 7 Update 9. Cool Exploit Kit was discovered last month and is largely responsible for dropping the Reveton ransomware. A new Metasploit module was introduced last night by researcher Juan Vazquez, developer Eric Romang said. Romang, a frequent Metasploit contributor, suggested it’s likely the exploit has been in the wild for a period of time and has only now been integrated into an exploit kit... Researchers are concerned now that this exploit is in Cool Exploit Kit, it could find its way into the BlackHole Exploit Kit... Reveton is linked to the Citadel banking and botnet malware..."
* https://web.nvd.nist.gov/view/vuln/d...=CVE-2012-5076 - 10.0 (HIGH)
Fake "Your flight" / Wire transfer SPAM - monacofrm .ru
FYI...
Fake "Your flight" SPAM / monacofrm .ru
- http://blog.dynamoo.com/2012/11/your...nacofrmru.html
13 Nov 2012 - "These spam email messages lead to malware on monacofrm .ru:
From: sales1 @victimdomain .com
Sent: 13 November 2012 04:04
Subject: Fwd: Your Flight A874-64581
Dear Customer,
FLIGHT NR: 1173-8627
DATE/TIME : JAN 27, 2013, 19:15 PM
ARRIVING AIRPORT: SAN-DIEGO AIRPORT
PRICE : 520.40 USD
Your bought ticket is attached to the letter as a scan document .
To use your ticket you should print it.
NAOMI PATTON,
==========
From: messages-noreply @bounce .linkedin .com On Behalf Of LinkedIn
Sent: 13 November 2012 05:18
Subject: Re: Fwd: Your Flight A943-6733
Dear Customer,
FLIGHT NR: 360-6116
DATE/TIME : JAN 26, 2013, 14:12 PM
ARRIVING AIRPORT: SAN-DIEGO AIRPORT
PRICE : 997.25 USD
Your bought ticket is attached to the letter as a scan document .
To use your ticket you should print it.
Adon Walton,
(...etc.)
The malicious payload is at [donotclick]monacofrm.ru:8080/forum/links/column.php hosted on the following IPs:
202.180.221.186 (GNet, Mongolia)
203.80.16.81 (MYREN, Malaysia)
216.24.194.66 (Psychz Networks, US)
The Mongolian and Malaysian IPs have been used several times for malware attacks, 216.24.194.66 looks like a new one. Blocking them all would probably be prudent.
Added: There's a Wire Transfer SPAM using the same payload too:
From: Amazon.com / account-update @amazon .com
Sent: 13 November 2012 08:08
Subject: Fwd: Re: Wire Transfer Confirmation
Dear Bank Account Operator,
WIRE TRANSFER: FED8979402863338715
CURRENT STATUS: PENDING
Please REVIEW YOUR TRANSACTION as soon as possible.
___
Fake "End of Aug. Statmeent" SPAM / veneziolo .ru
- http://blog.dynamoo.com/2012/11/end-...nezioloru.html
13 Nov 2012 - "The spam never stops, this malicious email leads to malware at veneziolo .ru:
Date: Tue, 13 Nov 2012 12:27:15 -0500
From: Mathilda Allen via LinkedIn [member @linkedin .com]
Subject: Re: End of Aug. Statmeent required
Attachments: Invoices12-2012.htm
Good morning,
as reqeusted I give you inovices issued to you per sept. (Internet Explorer format)
Regards
The malicious payload is at [donotclick]veneziolo .ru:8080/forum/links/column.php hosted on the same IPs seen earlier today, the following IPs and domains are all related:
41.168.5.140, 62.76.46.195, 62.76.178.233, 62.76.186.190, 62.76.188.246, 65.99.223.24, 84.22.100.108, 85.143.166.170, 87.120.41.155, 91.194.122.8, 103.6.238.9, 120.138.20.54, 132.248.49.112, 202.180.221.186,
203.80.16.81, 207.126.57.208, 209.51.221.247, 213.251.171.30, 216.24.194.66 ..."
Fake ‘PayPal Account Modified’ emails lead to BlackHole Exploit Kit
FYI...
Fake ‘PayPal Account Modified’ emails lead to BlackHole Exploit Kit
- http://blog.webroot.com/2012/11/14/p...e-exploit-kit/
Nov 14, 2012 - "A cybercriminal/group... continues to systematically rotate the impersonated brands and the actual malicious payload dropped by the market leading Black Hole Exploit Kit. The prospective target of their latest campaign? PayPal users...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress....ts_malware.png
... Malicious domain name reconnaissance: puzzledbased .net – 183.180.134.217, AS2519 – Email: rodger_covach3060 @ spacewar .com
Name Server: NS1.TOPPAUDIO .COM
Name Server: NS2.TOPPAUDIO .COM
Although we couldn’t reproduce puzzledbased .net’s malicious activity, we know for certain that on 2012/11/01 at 15:19, hxxp ://netgear-india .net/detects/discover-important_message.php was responding to the same IP. We’ve already seen and profiled the malicious activity of the campaign using this URL in the “‘Your Discover Card Services Blockaded’ themed emails serve client-side exploits and malware analysis...
The following malicious domains are also part of the campaign’s infrastructure and respond to the same IP (183.180.134.217) as the client-side exploits serving domains:
rovo .pl
itracrions .pl
superdmntre .com
chicwhite .com
radiovaweonearch .com
strili .com
superdmntwo .com
unitmusiceditior .com
newtimedescriptor .com
steamedboasting .info
solla.at
votela .net
stempare .net
tradenext .net
bootingbluray .net
The following malicious domain (stempare .net) was also seen in the recently profiled “‘American Express Alert: Your Transaction is Aborted’ themed emails serve client-side exploits and malware” campaign, indicating yet another connection between these campaigns..."
___
promotesmetasearch .net promotes malware
From the WeAreSpammers blog: http://wearespammers.blogspot.co.uk/...launch-of.html
- http://blog.dynamoo.com/2012/11/prom...s-malware.html
14 Nov 2012 - "This looks like a fake get-rich-quick scam email which is actually intended to distribute malware. Originating IP is 5.39.101.233 (OVH, Germany). Spamvertised domains are 8mailer .com on 5.39.101.225 (OVH, Germany) and promotesmetasearch .net on 46.249.38.27 (Serverius Holding, Netherlands). This last one is kind of interesting, because 1) it's all in French and 2) it contains a virus. The malware attempts to download an exploit kit from [donotclick]vodkkaredbuuull .chickenkiller .com/trm/requesting/requesting-pass_been_loaded.php which is kind of unfriendly, hosted on the same IP address.
The WHOIS details show a completely different name and address from the one quoted on the email:
Florence Buker
florence_buker05 @rockfan .com
7043 W Avenue A4
93536 Lancaster
United States
Tel: +1.4219588211
Clearly the owner of promotemetasearch .net is up to no good, and I would suggest the Anthony Tomei connection might well be completely bogus.
From: Anthony Tomei admin @8 mailer .com
Reply-To: info @ promotesmetasearch .net
To: donotemail @ wearespammers .com
Date: 14 November 2012 18:22
Subject: launch of
Dear Future Millionaire,
Making $100,000 per month is not hard. In fact, there are 2 ways you accomplish this easy task of making money in a short period of time.
The first way is to...
Anthony Tomei is an Expert Internet Network Marketer. Anthony is known as the Master Marketer and practically gives away all of his secrets, methods and marketing techniques... You should probably regard the domain chickenkiller .com as compromised and block it. Additionally, all the following IPs and domains are related and are probably malicious.
46.249.38.21
46.249.78.23
46.249.38.27
deficiencieshiss .net
personaloverly .net
spaceyourfilesbig.chickenkiller .com
vodkkaredbuuull.chickenkiller .com
firefoxslacker .pro
personaloverly .net
wowteammy113 .org
logicalforced .org
flashkeyed .org
incidentindie .org
sufficeextensible .org
laughspadstyle .org
check-update .org
softtwareupdate .org
internallycontentchecking .org
cordlesssandboxing .org
westsearch .org
perclickbank .org
trayscoffeecup .org
agreedovetails .org
commencemessengers .org
dfgs453t .org
disappointmentcontent .org
whiskeyhdx .org
uhgng43fgjl82309dfg99df1 .com
rethnds732 .com
odiushb327 .com
a6q7 .com
makosl .com
noticablyccleaner .com
leisurelyadventures .com
invitedns .com
srv50 .in
flacleaderboard.in
frwdlink .in
tgy56fd3fj.firm .in
warrantynetwork .co .in
kclicksnet .in
reelshandsoff .info
scatteredavtestorg .info
ap34 .pro
trafficgid .pro
stop2crimepeople .pro
huge4floorhouse .pro
exportlite .pro
weeembedding .pro
layer-grosshandel .pro
firefoxslacker .pro
s1topcrimefor .pro
opera-soft .pro
brauser-soft .pro
mp3soft .pro
pornokuca .net
licencesoftwareupda .net
settlementstored .net
licencesoftwareuppd .net
compartmentalizationwere .net
seniorhog .net
coinbatches .net
isnbreathy .net
mrautorun .ru
askedvisor .ru
srv50b .biz
vimeosseeing .biz
threatwalkthrough .biz
promotemetasearch .net ..."
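Added example (not Webroot's method) for the pivoting the Discover, Intuit, American Express and PayPal posts above do by hand: "responds to the same IP", "same name servers", "indicating the same party". It treats every (domain, IP) and (domain, name server) observation as an edge and walks the connected components, so you can ask which quoted domains are tied to a given one and which shared values tie two of them directly. OBSERVATIONS is transcribed from the Webroot quotes on this page, plus one constructed control domain on TEST-NET-3 to show an unconnected domain stays alone. Shared infrastructure supports the "same party" claim but does not prove it (shared bulletproof hosting links unrelated customers too), so read the output as leads.

```python
"""Pivot across the campaigns quoted above by shared IPs and name servers.

Added example, not Webroot's method. OBSERVATIONS is transcribed from the
Webroot quotes on this page as (domain, attribute, value), plus one constructed
control domain on TEST-NET-3.
"""
from collections import defaultdict

OBSERVATIONS = [
    # Discover Card campaign (Nov 8)
    ("teamscapabilitieswhich.org", "ip", "183.180.134.217"),
    ("teamscapabilitieswhich.org", "ns", "ns1.chelseafun.net"),
    ("teamscapabilitieswhich.org", "ns", "ns2.chelseafun.net"),
    ("netgear-india.net", "ip", "183.180.134.217"),
    ("netgear-india.net", "ns", "ns1.toppaudio.com"),
    ("netgear-india.net", "ns", "ns2.toppaudio.com"),
    # Intuit campaign (Nov 9)
    ("savedordercommunicates.info", "ip", "75.127.15.39"),
    ("savedordercommunicates.info", "ns", "ns1.chelseafun.net"),
    ("savedordercommunicates.info", "ns", "ns2.chelseafun.net"),
    ("teamscapabilitieswhich.org", "ip", "75.127.15.39"),
    # American Express campaign (Nov 12)
    ("stempare.net", "ip", "109.123.220.145"),
    ("stempare.net", "ns", "ns1.toppaudio.com"),
    ("stempare.net", "ns", "ns2.toppaudio.com"),
    # PayPal campaign (Nov 14)
    ("puzzledbased.net", "ip", "183.180.134.217"),
    ("puzzledbased.net", "ns", "ns1.toppaudio.com"),
    ("puzzledbased.net", "ns", "ns2.toppaudio.com"),
    ("stempare.net", "ip", "183.180.134.217"),
    # BBB campaign (Nov 15): IP overlap only; the quote gives no per-domain NS
    ("stafffire.net", "ip", "183.81.133.121"),
    ("hotsecrete.net", "ip", "183.81.133.121"),
    ("the-mesgate.net", "ip", "183.81.133.121"),
    ("the-mesgate.net", "ip", "208.91.197.54"),
    # Constructed control domain, unrelated to anything above
    ("control.example", "ip", "203.0.113.5"),
    ("control.example", "ns", "ns1.control.example"),
]


def clusters(observations):
    """Connected components over domains linked by any shared (attr, value).
    Union-find over a bipartite graph: domain nodes on one side, attribute
    values on the other, so two domains join whenever they share a value."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving keeps lookups cheap
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[ra] = rb

    domains = set()
    for dom, attr, val in observations:
        domains.add(dom)
        union(("domain", dom), (attr, val))
    groups = defaultdict(set)
    for dom in domains:
        groups[find(("domain", dom))].add(dom)
    # Largest cluster first; ties broken by name so output is stable.
    return sorted(groups.values(), key=lambda g: (-len(g), min(g)))


def cluster_of(observations, domain):
    """All domains reachable from `domain` through shared values (empty if unknown)."""
    for group in clusters(observations):
        if domain in group:
            return group
    return set()


def shared_attributes(observations, a, b):
    """Direct evidence linking a and b: the (attr, value) pairs both carry."""
    attrs = defaultdict(set)
    for dom, attr, val in observations:
        attrs[dom].add((attr, val))
    return attrs[a] & attrs[b]


if __name__ == "__main__":
    for group in clusters(OBSERVATIONS):
        print(len(group), sorted(group))
    print(sorted(shared_attributes(OBSERVATIONS, "stempare.net", "puzzledbased.net")))
```

Feeding it the full passive-DNS history for these domains rather than the handful of quoted records will usually merge the BBB cluster into the main one, which is the kind of answer the posts reach by eye; the value of doing it programmatically is that each link is recorded and can be weighed (a shared name server at a bulletproof host is weaker evidence than a shared dedicated IP).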
Bogus BBB emails serve client-side exploits and malware
FYI...
Opera site served Blackhole malvertising...
- http://www.theregister.co.uk/2012/11...era_blackhole/
15 Nov 2012 - "Opera has suspended ad-serving on its portal as a precaution while it investigates reports that surfers were being exposed to malware simply by visiting the Norwegian browser firm's home page. Malicious scripts loaded by portal .opera .com were redirecting users towards a malicious site hosting the notorious BlackHole exploit kit, said a Romanian anti-virus firm BitDefender*, which said it had detected the apparent attack on its automated systems. BitDefender said it promptly warned Opera after it detected the problem on Wednesday. It seems likely the scripts had been loaded through a third-party advertisement, a practice commonly known as malvertising. Opera has yet to confirm the problem, but has disabled advertising scripts on its portal in case they are tainted..."
* http://www.hotforsecurity.com/blog/o...page-4431.html
14 Nov 2012 - "... malicious page harbors the BlackHole exploit kit (we got served with the sample via a PDF file rigged with the CVE-2010-0188 exploit) that will infect the unlucky user with a freshly-compiled variant of ZBot, detected by Bitdefender as Trojan.Zbot.HXT. The ZBot malware is on a server in Russia which, most probably, has also fallen victim to a hacking attack, allowing unauthorized access via FTP..."
> http://www.hotforsecurity.com/wp-con...omepage-21.jpg
- http://www.h-online.com/security/new...ew=zoom;zoom=3
16 Nov 2012
___
Bogus BBB emails serve client-side exploits and malware
- http://blog.webroot.com/2012/11/15/b...s-and-malware/
Nov 15, 2012 - "Cybercriminals are currently spamvertising millions of emails impersonating the Better Business Bureau (BBB), in an attempt to trick users into clicking on a link to a non-existent report. Upon clicking on the link, users are exposed to the client-side exploits served by the latest version of the BlackHole Exploit Kit...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress....ts_malware.png
... Although I wasn’t able to obtain the actual malicious payload from this campaign, it’s worth pointing out that the cybercriminals behind it relied on the same infrastructure as they did in previously profiled malicious attacks launched by the same party. We also know that on the following dates/specific time, the following malicious URLs also responded to the same IP (183.81.133.121):
2012-10-16 00:24:08 – hxxp ://navisiteseparation .net/detects/processing-details_requested.php
2012-10-12 11:19:37 – hxxp ://editdvsyourself .net/detects/beeweek_status-check.php
Responding to the same IP (183.81.133.121) are also the following malicious domains:
stafffire .net
hotsecrete .net - Email: counseling1 @ yahoo .com
the-mesgate .net - also responds to 208.91.197.54 – Email: admin @ newvcorp .com
Name servers used in the campaign:
Name Server: NS1.TOPPAUDIO .COM - 91.216.93.61 – Email: windowclouse @ hotmail .com
Name Server: NS2.TOPPAUDIO .COM - 29.217.45.138 – Email: windowclouse @ hotmail .com ..."
___
Changelog SPAM / feronialopam .ru
- http://blog.dynamoo.com/2012/11/chan...ialopamru.html
15 Nov 2012 - "This fake "Changelog" spam leads to malware on feronialopam .ru:
Date: Thu, 15 Nov 2012 10:43:59 +0300
From: "Xanga" [noreply@xanga.com]
Subject: Re: Changelog 2011 update
Attachments: changelog-12.htm
Hello,
as promised chnglog attached (Internet Explorer File)
==========
Date: Thu, 15 Nov 2012 05:43:09 -0500
From: Chaz Shea via LinkedIn [member@linkedin.com]
Subject: Re: Changelog as promised(updated)
Attachments: Changelog-12.htm
Hello,
as prmised changelog is attached (Internet Explorer File)
The malicious payload is at [donotclick]feronialopam .ru:8080/forum/links/column.php hosted on a familiar looking bunch of IP addresses that you really should block:
120.138.20.54 (Sitehost, New Zealand)
202.180.221.186 (GNet, Mongolia)
203.80.16.81 (MYREN, Malaysia)..."
:mad:
Bogus eFax Corporate messages serve multiple malware variants
FYI...
Malware sites to block - 16/11/12
- http://blog.dynamoo.com/2012/11/malw...ck-161112.html
16 Nov 2012 - "Some more evil domains and IPs, connected with this spam run*. (Thanks, GFI)
* http://gfisoftware.tumblr.com/post/3...nt-system-spam
..."
___
Bogus eFax Corporate messages serve multiple malware variants
- http://blog.webroot.com/2012/11/16/c...ware-variants/
Nov 16, 2012 - "... mass mailing millions of emails trying to trick recipients into executing malicious attachments pitched as recently arrived fax messages. Upon running the malicious executables, users are exposed to a variety of dropped malware variants in a clear attempt by the cybercriminals to add additional layers of monetization to the campaign...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress....am_malware.png
Detection rate for the malicious executable: MD5: 16625f5ee30ba33945b807fb0b8b2f9e * ... Trojan-PSW.Win32.Tepfer.blbl
Upon execution, it attempts to connect to the following domains:
...
It then downloads additional malicious payload...
Phone back URL:
hxxp ://oftechnologies.co .in/update/777/img.php?gimmeImg – 130.185.73.102, AS48434 ** – Email: melody_mccarroll38 @ indyracers .com
Name Server: NS1.INVITEDNS .COM
Name Server: NS2.INVITEDNS .COM
The following malicious domain responds to the same IP: updateswindowspc .net
The following malicious domains are also known to have responded to the same IP (130.185.73.102) in the past..."
(More detail at the webroot URL above.)
* https://www.virustotal.com/file/755d...is/1352078183/
File name: eFAX.CORPORATE.exe
Detection ratio: 37/43
Analysis date: 2012-11-05
** https://www.google.com/safebrowsing/...?site=AS:48434
Diagnostic page for AS48434 (TEBYAN) - "Of the 1723 site(s) we tested on this network over the past 90 days, 86 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2012-11-16, and the last time suspicious content was found was on 2012-11-16... Over the past 90 days, we found 2 site(s) on this network... that appeared to function as intermediaries for the infection of 5 other site(s)... this network has hosted sites that have distributed malicious software in the past 90 days. We found 5 site(s)... that infected 6 other site(s)..."
:mad: :fear:
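Both posts above give their indicators in defanged form ("hxxp ://", "[donotclick]", a space before the TLD, a hosting note in brackets) and tell you to block them. As an added example that is not code from this thread or from the quoted blogs, the following Python helper refangs such lines into a host blocklist and checks constructed proxy log lines against it (the log format and client addresses are assumptions; the indicators are the ones quoted in the posts above).

```python
import re

# Constructed sample: indicator lines copied in the defanged notation the posts use
# ("hxxp ://", "[donotclick]", a space inserted before the TLD, hosting note in brackets).
DEFANGED_INDICATORS = [
    "[donotclick]feronialopam .ru:8080/forum/links/column.php",
    "hxxp ://oftechnologies.co .in/update/777/img.php?gimmeImg",
    "updateswindowspc .net",
    "120.138.20.54 (Sitehost, New Zealand)",
]

# Constructed proxy log lines (Squid-like: time client status method url); not real traffic.
PROXY_LOG = [
    "1352992000.123 10.0.0.5 TCP_MISS/200 GET http://feronialopam.ru:8080/forum/links/column.php",
    "1352992001.456 10.0.0.7 TCP_MISS/200 GET http://www.example.com/index.html",
    "1352992002.789 10.0.0.9 TCP_MISS/200 GET http://ser.updateswindowspc.net/update/777/img.php",
    "1352992003.012 10.0.0.5 TCP_MISS/200 GET http://120.138.20.54/forum/links/column.php",
]


def refang(text):
    """Reverse the defanging so the indicator can be compared with real log data."""
    text = text.replace("[donotclick]", "")
    text = re.sub(r"\s+\([^)]*\)\s*$", "", text)          # drop "(Sitehost, New Zealand)"
    text = re.sub(r"hxxp(s?)\s*://", r"http\1://", text)  # "hxxp ://" -> "http://"
    text = re.sub(r"\s+\.", ".", text)                     # "feronialopam .ru" -> "feronialopam.ru"
    return text.strip()


def host_of(url_or_host):
    """Return the bare host (domain or IP) of a URL or host string, lower-cased."""
    stripped = re.sub(r"^https?://", "", url_or_host.strip())
    return stripped.split("/", 1)[0].split(":", 1)[0].lower()


def build_blocklist(defanged_lines):
    """Normalise every indicator line to a host suitable for a DNS/proxy blocklist."""
    return {host_of(refang(line)) for line in defanged_lines if line.strip()}


def find_hits(log_lines, blocklist):
    """Return (client_ip, host) for requests to a listed host or a subdomain of one."""
    hits = []
    for line in log_lines:
        match = re.search(r"https?://\S+", line)
        if not match:
            continue
        host = host_of(match.group(0))
        if host in blocklist or any(host.endswith("." + b) for b in blocklist):
            hits.append((line.split()[1], host))
    return hits
```

The subdomain check matters because the phone-home hosts in these campaigns are often subdomains of a compromised domain, so matching only the exact host would miss them.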