Fake 'Order/ Payment' SPAM, Fake job offer SPAM
FYI...
Fake 'Order/ Payment' SPAM – Java malware
- http://myonlinesecurity.co.uk/lucy-c...-java-malware/
1 Mar 2015 - "'lucy C Ulngaro New Order/ Payment' pretending to come from Admin <tareq@ msp .com.sa> with a jar attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-con...er-Payment.png
1 March 2015: PO-2015-0123.jar: Current Virus total detections: 22/57*
This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a zip file instead of the java file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/4...is/1425193109/
___
Fake job offer SPAM
- http://blog.dynamoo.com/2015/02/fake...ctioncouk.html
28 Feb 2015 - "This -fake- job offer claimed to be from a UK-based company called Trade Construction Company LLC using a website at tradeconstruction .co .uk. However, no such company exists in the UK, and this is a rip-off of a wholly legitimate US firm that is actually called Trade Construction Company LLC who are -not- involved in this scam at all.
From: JOB ALERT [klakogroups@ gmail .com]
Reply-To: klakogroups@ gmail .com
To: Recipients [klakogroups@ gmail .com]
Date: 27 February 2015 at 18:37
Subject: NEW JOB VACANCIES IN LONDON.
Trade Construction Company,
L.L.C,
70 Gracechurch Street.
EC3V 0XL, London. UK
We require the services of devoted and hardworking workers, who are ready to work after undergoing enlistment training. in all sectors
as The Trade Construction Company Management intends to increase its man power base due to increasing number of customers and contract in the Company.
Available Positions...
... The tradeconstruction .co.uk site is almost a bit-by-bit copy of the genuine tradeconstruction .com website.
> https://4.bp.blogspot.com/-SqBEq8BOc...struction1.jpg
... Nothing about this job offer is legitimate. It does -not- come from who it appears to come from and should be considered to be a -scam- and avoided."
:fear: :mad:
Fake 'Secure Message' SPAM – malware
FYI...
Fake 'Secure Message' SPAM – PDF malware
- http://myonlinesecurity.co.uk/jp-mor...e-pdf-malware/
2 Mar 2015 - "'JP Morgan Access Secure Message' pretending to come from JP Morgan Access <service@ jpmorgan .com> with a zip attachment is another one from the current bot runs... The email looks like:
Please check attached file(s) for your latest account documents regarding your online account.
Forrest Blackwell
Level III Account Management Officer
817-140-6313 office
817-663-8851 cell
Forrest .Blackwell@ jpmorgan .com
Investments in securities and insurance products are:
NOT FDIC-INSURED/NO BANK-GUARANTEES/MAY LOSE VALUE
2015 JPMorgan Chase & Co...
2 March 2015: JP Morgan Access – Secure.zip : Extracts to: JP Morgan Access – Secure.scr
Current Virus total detections: 9/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/2...is/1425314842/
:fear: :mad:
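The posts above (and most of the later ones in this thread) keep coming back to the same trick: a zip that extracts to a .scr or .exe carrying a PDF or zip icon. The following is an added example, not code from the forum poster or the blogs quoted, showing how a mail gateway or triage script can flag such members by real content rather than by name: it checks the extension, looks for a document-like name stuck in front of an executable extension, and reads the first two bytes for the PE (MZ) header the icon cannot hide. The zip and its member names are constructed in the script; the MZ stubs are padding, not real executables.

```python
from __future__ import annotations
import io
import re
import zipfile

# Extensions Windows will run directly; none of these belong inside a "document" attachment
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".jse",
                   ".vbs", ".vbe", ".wsf", ".jar", ".hta", ".msi"}
# A document word (pdf, doc, ...) used as a separate token in the file name stem
DOCUMENT_HINTS = re.compile(r"(?:^|[_.\-\s])(pdf|doc|docx|xls|xlsx|zip|txt)(?:[_.\-\s]|$)",
                            re.IGNORECASE)


def classify_member(name: str, head: bytes) -> list[str]:
    """Return the reasons a zip member looks like a disguised executable (empty list = clean)."""
    reasons = []
    lower = name.lower()
    ext = lower[lower.rfind("."):] if "." in lower else ""
    stem = lower[: len(lower) - len(ext)] if ext else lower
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {ext}")
        if DOCUMENT_HINTS.search(stem):
            reasons.append("document-like name hiding an executable extension")
    if head[:2] == b"MZ":
        # The true file type: an MZ header is a Windows executable whatever the name or icon says
        reasons.append("PE (MZ) header")
    return reasons


def suspicious_members(zip_bytes: bytes) -> dict[str, list[str]]:
    """Map each suspicious member name to its reasons; members with no findings are omitted."""
    out: dict[str, list[str]] = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(2)   # only the magic bytes are needed
            reasons = classify_member(info.filename, head)
            if reasons:
                out[info.filename] = reasons
    return out


def build_sample_zip() -> bytes:
    """Constructed sample archive: two fake PE stubs named like the lures in this thread, plus a text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # 64 bytes starting with MZ: a DOS header shape only, no code
        zf.writestr("JP Morgan Access - Secure.scr", b"MZ" + b"\x00" * 62)
        zf.writestr("IM0743436407_pdf.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("readme.txt", b"plain text")
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in suspicious_members(build_sample_zip()).items():
        print(f"{member}: {', '.join(why)}")
```

The same check covers the .jar case from the first post in this thread (.jar is in the executable set), and because the MZ test does not depend on the name it still fires when the extension is hidden by Explorer's default settings.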
Fake 'Apple ID' – phish, Android malware
FYI...
Fake 'Apple ID' – phish...
- http://myonlinesecurity.co.uk/your-r...e-id-phishing/
2 Mar 2015 - "'Your recent download with your Apple ID' pretending to come from Apple iTunes <orders@ tunes .co.uk> is one of the latest -phish- attempts to steal your Apple Account and your Bank, credit card and personal details. This one only wants your personal details, Apple log in details and your credit card and bank details... This one has a short url link in the email which -redirects- you...
Screenshot: http://myonlinesecurity.co.uk/wp-con...r-Apple-ID.png
If you follow-the-link (don't) you see a webpage looking like:
> http://myonlinesecurity.co.uk/wp-con...y_apple_ID.png
... fill in your user name and password you get a page looking very similar to this one (split into sections), where the phishers try to validate your details to make sure that you are entering “genuine” information. They make sure that the bank account numbers have the correct number of digits and that the credit card numbers have the correct number of digits and format.
> http://myonlinesecurity.co.uk/wp-con...apple_ID_2.png
...
> http://myonlinesecurity.co.uk/wp-con...apple_ID_3.png
All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email..."
___
Fraud Alert: Unauthorised Appstore Payment – phish
- http://myonlinesecurity.co.uk/fraud-...ment-phishing/
3 Mar 2015 - "'Fraud Alert: Unauthorised Appstore Payment' pretending to come from iTunes <datacareapsecurity@ apple. co.uk> is one of the latest -phish- attempts to steal your Apple Account and your Bank, credit card and personal details...
Screenshot: http://myonlinesecurity.co.uk/wp-con...re-Payment.png
All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email..."
___
Worm.Gazon: Want Gift Card? Get Malware
- http://www.adaptivemobile.com/blog/w...rd-get-malware
2 Mar 2015 - "... A simple piece of -malware- is on the way to become one of the 'spammiest' mobile malware outbreaks seen yet. This malware we have dubbed Gazon spreads via SMS with a shortened link to itself in the spam message, redirecting a potential victim to a webpage that promises an Amazon gift card if you install an APK file hosted on the page:
Hey [NAME], I am sending you $200 Amazon Gift Card You can Claim it here : https ://bit .ly/ getAmazon[redactedD]
> http://www.adaptivemobile.com/images...n-download.jpg
The malware passes itself as an app that gives Amazon rewards. However, the only thing it actually does is pulling up a scam page inside the app which asks you to participate in the -survey- ... Each of the options below ends up taking you to either another scam page or asks you to download a game in the Google Play. While you are busy clicking through pages the author just earns money through your clicks as we have seen in other pieces of mobile malware.
> http://www.adaptivemobile.com/images...azon-scam1.png
However, in the background this malware harvests all your contacts and sends a -spam- message to each of them with the URL pointing to the body of the worm... Thousands of people have seemingly installed this malware and been a victim. We are seeing over 4k infected devices in all of the major networks in North America, and we've blocked over 200k spam messages generated by these infected devices. Stopping the spread via messaging is critical as each one of these messages was an attempt to spread the app to an infected user's contacts. Based on click-throughs from the shortened URL it also seems this malware has been encountered in multiple other countries as well, worldwide. At the moment none of the AV engines detect this malware according to VirusTotal.
> http://www.adaptivemobile.com/images...virustotal.png
... users should be aware of this -scam- and as always, be careful clicking on links in text messages that seem suspect. In this case, like other worm malware we have seen recently, even messages your contacts send you may not be safe. The malware can be removed using standard Android app uninstall utilities..."
:fear: :mad:
Fake no body text SPAM - malicious, 'Remittance advice' SPAM – doc/excel malware
FYI...
Fake no body text SPAM - malicious attachment
- http://blog.dynamoo.com/2015/03/malw...hn-donald.html
4 Mar 2015 - "This rather terse email comes with a malicious attachment:
From: John Donald [john@ kingfishermanagement .uk .com]
Date: 4 March 2015 at 09:09
Subject: Document1
There is no body text, but there is an attachment Document1.doc which is not currently detected by AV vendors*; in turn it contains this malicious macro... which downloads another component from the following location:
http ://retro-moto .cba .pl/js/bin.exe
Note that there may be other different versions of this document with different download locations, but it should be an identical binary that is downloaded. This file is saved as %TEMP%\GHjkdjfgjkGKJ.exe and has a VirusTotal detection rate of 2/57**. Automated analysis tools... show attempted network traffic to the following IPs:
92.63.87.13 (MWTV, Latvia)
104.232.32.119 (Net3, US)
87.236.215.103 (OneGbits, Lithuania)
108.61.198.33 (Gameservers.com / Choopa LLC, Netherlands)
According to the Malwr report it also drops another version of itself with a detection rate of just 1/57*** plus a DLL with a detection rate of 7/56****.
Recommended blocklist:
92.63.82.0/23
92.63.84.0/22
92.63.88.0/24
104.232.32.119
87.236.215.103
108.61.198.33 "
* https://www.virustotal.com/en/file/2...is/1425464228/
** https://www.virustotal.com/en/file/1...is/1425464153/
*** https://www.virustotal.com/en/file/7...is/1425466045/
**** https://www.virustotal.com/en/file/0...is/1425466059/
- http://myonlinesecurity.co.uk/john-d...sheet-malware/
4 Mar 2015
> Document1.docx: https://www.virustotal.com/en/file/b...is/1425459634/
> https://www.virustotal.com/en/file/1...is/1425460757/
... Behavioural information
TCP connections
92.63.87.13: https://www.virustotal.com/en/ip-add...3/information/
___
Fake 'Remittance advice' SPAM – word doc or excel xls malware
- http://myonlinesecurity.co.uk/remitt...sheet-malware/
4 Mar 2015 - "'Remittance advice [Rem_5556YJ.xml] (random numbers)' pretending to come from random addresses and random companies with a malicious word doc or Excel XLS spreadsheet attachment, these are actually XML word files is another one from the current bot runs... This email has what appears to be a genuine word doc or Excel XLS spreadsheet attached which is malformed and contains a macro script virus. Modern versions of Microsoft office, that is Office 2010 and 2013 and Office 365 have Macros disabled by default, UNLESS you or your company have enabled them... The email looks like:
Good morning
You can find remittance advice [Rem_5556YJ.xml] in the attachment
Kind Regards
Lenny Madden
GLAXOSMITHKLINE
4 March 2015 : Rem_5892GV.xml Current Virus total detections: 0/56* | 0/56**
So far I have only seen 2 versions of this malware, but previous campaigns over the last few weeks have delivered 2 or 3 or even more different versions, some with word doc attachments and some with Excel xls attachments... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/d...is/1425470968/
** https://www.virustotal.com/en/file/5...is/1425471785/
- http://blog.dynamoo.com/2015/03/remi...stery-xml.html
4 Mar 2015
"... recommend blocking them:
62.76.176.203
46.30.42.171
74.208.68.243
37.139.47.111 "
___
Fake 'UPS Tracking' SPAM – PDF malware
- http://myonlinesecurity.co.uk/ups-sh...e-pdf-malware/
4 Mar 2015 - "'UPS Ship Notification, Tracking Number 1Z06E18A6840121864' pretending to come from UPS <no-replay@ upsi .com> with a zip attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-con...6840121864.png
04 March 2015: Details.zip: Extracts to: Details.exe
Current Virus total detections: 12/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/3...is/1425482799/
... Behavioural information
TCP connections
216.146.38.70: https://www.virustotal.com/en/ip-add...0/information/
190.111.9.129: https://www.virustotal.com/en/ip-add...9/information/
108.174.149.222: https://www.virustotal.com/en/ip-add...2/information/
190.111.9.129: https://www.virustotal.com/en/ip-add...9/information/
UDP communications
212.79.111.155: https://www.virustotal.com/en/ip-add...5/information/
212.79.111.156: https://www.virustotal.com/en/ip-add...6/information/
___
Fake 'invoice' SPAM - PDF malware
- http://myonlinesecurity.co.uk/ron-mi...e-pdf-malware/
4 Mar 2015 - "'RMPD#7989 – invoices' pretending to come from Rothn-Ron <ron@ bellsouth .net> with a zip attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-con...9-invoices.png
04 March 2015: RMPD#7989 INVOICES.zip: Extracts to: RMPD#7989 INVOICES.exe
Current Virus total detections: 9/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/e...is/1425486885/
... Behavioural information
TCP connections
216.146.38.70: https://www.virustotal.com/en/ip-add...0/information/
190.111.9.129: https://www.virustotal.com/en/ip-add...9/information/
108.174.149.222: https://www.virustotal.com/en/ip-add...2/information/
190.111.9.129: https://www.virustotal.com/en/ip-add...9/information/
UDP communications
217.10.68.152: https://www.virustotal.com/en/ip-add...2/information/
217.116.122.136: https://www.virustotal.com/en/ip-add...6/information/
___
Many common sites might be temporarily offline
- http://myonlinesecurity.co.uk/many-c...arily-offline/
4 Mar 2015 - "... Amazon and Rackspace have both announced that they will need to -reboot- some of their servers to address the issue before March 10, when the Xen Project plans to disclose the latest bugs*. Details of the vulns are being withheld for now, to give the cloud vendors time to patch. In a FAQ** about the upcoming maintenance, Amazon Web Services said that only some of its earliest Elastic Compute Cloud (EC2) customers should be affected."
* http://xenbits.xen.org/xsa/
** https://aws.amazon.com/premiumsuppor...nance-2015-03/
- http://blog.trendmicro.com/trendlabs...er-encryption/
Mar 4, 2015 - "... We advise Android users to refrain from using the default Android browser in their devices. They can instead use the Google Chrome app as it is not affected by the bug. Furthermore, connections to the Google search site are not affected. According to Deep Security Labs Director Pawan Kinger, FREAK is a serious and very real vulnerability which may require some level of sophistication to exploit. However, its sophistication won’t dissuade determined attackers. Carrying out a FREAK exploit requires attackers to be able to first create a man-in-the-middle (MITM) attack against the servers. It would also require the ability to control an SSL session between client and server and then force that session to downgrade to the lower encryption level. Then, the attacker would have to take the weakly encrypted traffic and perform a brute force attack against it that would take several hours, as opposed to days or weeks with higher encryption... Administrators can also check if their site is vulnerable by using the SSL Labs’ SSL Server Test*..."
* https://www.ssllabs.com/ssltest/
- http://www.bloomberg.com/news/videos...ak-attack-hole
Mar 4, 2015 - Video 2:40
:fear::fear: :mad:
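The dynamoo posts quoted above give their "Recommended blocklist" as a mix of CIDR ranges and single hosts. As an added example (not from the blogs or the forum poster), this script parses such a list with Python's standard ipaddress module and runs it over a few constructed firewall log lines to show which internal hosts talked to blocklisted addresses. The blocklist and the destination IPs are the ones quoted in the 4 Mar 2015 post; the log format, timestamps and internal 10.0.0.x sources are made up for the example.

```python
import ipaddress
import re

# Recommended blocklist as quoted in the 4 Mar 2015 dynamoo post: CIDR ranges and bare hosts mixed
RECOMMENDED_BLOCKLIST = """
92.63.82.0/23
92.63.84.0/22
92.63.88.0/24
104.232.32.119
87.236.215.103
108.61.198.33
"""

# Constructed firewall log lines (not from the page); the dst= field is what we match on
SAMPLE_LOG = """
2015-03-04T09:12:01 src=10.0.0.23 dst=92.63.87.13 dport=443 proto=tcp action=allow
2015-03-04T09:12:03 src=10.0.0.23 dst=104.232.32.119 dport=443 proto=tcp action=allow
2015-03-04T09:12:05 src=10.0.0.23 dst=8.8.8.8 dport=53 proto=udp action=allow
2015-03-04T09:12:09 src=10.0.0.51 dst=87.236.215.103 dport=80 proto=tcp action=allow
"""

LOG_RE = re.compile(r"\bsrc=(\S+)\s+dst=(\S+)")


def parse_blocklist(text):
    """Turn one entry per line into ip_network objects; a bare host becomes a /32."""
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def matching_network(ip_str, nets):
    """Return the first blocklist network containing ip_str, or None."""
    ip = ipaddress.ip_address(ip_str)
    for net in nets:
        if ip in net:
            return net
    return None


def scan_log(log_text, nets):
    """Yield (src, dst, matched_network) for every log line whose destination is blocklisted."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        src, dst = m.groups()
        net = matching_network(dst, nets)
        if net is not None:
            hits.append((src, dst, str(net)))
    return hits


if __name__ == "__main__":
    for src, dst, net in scan_log(SAMPLE_LOG, parse_blocklist(RECOMMENDED_BLOCKLIST)):
        print(f"{src} -> {dst} matches blocklist entry {net}")
```

Note that 92.63.87.13, the first callback IP in that post, is not listed individually but falls inside 92.63.84.0/22, which is why range matching rather than exact-string matching is the right check.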
Fake 'Brochure' SPAM - doc/xls malware
FYI...
Fake 'Brochure' SPAM - doc/xls malware
- http://myonlinesecurity.co.uk/bobby-...sheet-malware/
5 Mar 2015 - "'Brochure2.doc' pretending to come from Bobby Drell <rob@ abbottpainting .com> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
Please change the year to 2015.
Please confirm receipt
Thanks
Bobby Drell
5 March 2015 : Brochure2.doc - Current Virus total detections: 1/57* ... the malicious macro connects to & downloads data.gmsllp.com/js/bin.exe (dridex banking Trojan) which is saved as %Temp%\324235235.exe that has a virus total rate of 2/57** ... So far I am only seeing 1 version of this malware, but previous campaigns over the last few weeks have delivered 2 or 3 different versions, some with word doc attachments and some with Excel xls attachments... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/b...is/1425549729/
** https://www.virustotal.com/en/file/3...is/1425550694/
- http://blog.dynamoo.com/2015/03/malw...bby-drell.html
5 Mar 2015
"... Recommended blocklist:
92.63.82.0/23
92.63.84.0/22
92.63.88.0/24
95.163.121.0/24 "
___
Fake Natwest SPAM - PDF malware
- http://myonlinesecurity.co.uk/natwes...e-pdf-malware/
5 Mar 2015 - "'RE: Incident IM00491288' pretending to come from Kevin Otero <Kevin.Otero@ bankline .natwest .com> with a zip attachment is another one from the current bot runs... different random names. So far names and email addresses seen are
Kevin Otero <Kevin.Otero@ bankline .natwest .com>
Collin Stovall <Collin.Stovall@ bankline .natwest .com>
Lavern Olsen <Lavern.Olsen@ bankline .natwest .com>
Rae Bouchard <Rae.Bouchard@ bankline .natwest .com>
Nadine Kerr <Nadine.Kerr@bankline .natwest .com>
... The email looks like:
Good Afternoon ,
Attached are more details regarding your account incident.
Please extract the attached content and check the details.
Please be advised we have raised this as a high priority incident and will endeavour to resolve it as soon as possible. The incident reference for this is IM00491288.
We would let you know once this issue has been resolved, but with any further questions or issues, please let me know.
Kind Regards,
Kevin Otero
Level 2 Adviser | Customer Experience Team, IB Service & Operations 7th Floor, 1 ...
5 March 2015: Incident IM00491288.zip: Extracts to: IM0743436407_pdf.exe
Current Virus total detections: 3/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/6...is/1425548558/
___
Fake Invoice SPAM - PDF malware
- http://myonlinesecurity.co.uk/carmel...e-pdf-malware/
5 Mar 2015 - "'Alpro Invoice(s): 7985974765' pretending to come from Alpro <carmel@ alpro .com> with a zip attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-con...5/03/Alpro.png
5 March 2015 : invoice7985974765.zip: Extracts to: invoice7985974765.exe
Current Virus total detections: 4/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/6...is/1425547819/
:fear: :mad:
Fake IRS SPAM - doc/xls malware
FYI...
Fake IRS SPAM - doc malware
- http://blog.dynamoo.com/2015/03/malw...tronic-ip.html
6 Mar 2015 - "This -fake- IRS email comes with a malicious attachment.
From: Internal Revenue Service [refund.noreply@ irs .gov]
Date: 6 March 2015 at 08:48
Subject: Your 2015 Electronic IP Pin!
Dear Member
This is to inform you that our system has generated your new secured Electronic PIN to e-file your 2014 tax return.
Please kindly download the microsoft file to securely review it.
Thanks
Internal Revenue Service ...
... attachment TaxReport(IP_PIN).doc ... there are usually several different versions[1]. Currently this is -undetected- by AV vendors*. This contains a malicious macro... which downloads a component from the following location:
http ://chihoiphunumos .ru/js/bin.exe
There are probably other download locations, but the payload will be the same. This is saved as %TEMP%\324235235.exe and has a detection rate of 1/55**. Automated analysis tools... show attempted connections to:
92.63.87.13 (MWTV, Latvia)
95.163.121.200 (Digital Networks CJSC aka DINETHOSTING, Russia)
104.232.32.119 (Net3, US)
87.236.215.103 (OneGbits, Lithuania)
According to the Malwr report this executable drops another version of itself [VT 1/56***] and a malicious DLL [VT 2/56****].
Recommended blocklist:
92.63.82.0/23
92.63.84.0/22
92.63.88.0/24
95.163.121.0/24
104.232.32.119
87.236.215.103 "
* https://www.virustotal.com/en/file/d...is/1425632162/
** https://www.virustotal.com/en/file/8...is/1425632174/
*** https://www.virustotal.com/en/file/a...is/1425632946/
**** https://www.virustotal.com/en/file/8...is/1425632950/
[1] http://myonlinesecurity.co.uk/intern...sheet-malware/
6 Mar 2015
Screenshot: http://myonlinesecurity.co.uk/wp-con...nic-IP-Pin.png
___
Fake 'Invoice' SPAM – doc/xls malware
- http://myonlinesecurity.co.uk/mick-g...sheet-malware/
6 Mar 2015 - "'Mick George Invoice 395687 for Dudley Construction Ltd' pretending to come from Mick George Invoicing <mginv@ mickgeorge .co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... These emails today, so far, are all malformed and broken. Every copy that I have received appears garbled and doesn’t actually have an attachment. Some mail servers will be configured to repair the damage and deliver the email in its full glory, where it will potentially infect you. This email has what appears to be a genuine word doc or Excel XLS spreadsheet attached which is malformed and contains a macro script virus...
Screenshot: http://myonlinesecurity.co.uk/wp-con...ge-invoice.png
... the malware payload will be identical to today’s other malicious office document run Internal Revenue Service Your 2015 Electronic IP Pin! – word doc or excel xls spreadsheet malware*. We do notice that the bad guys are using 2 or 3 subjects and email templates but using the same malware that has been -renamed- ...
Edit: I have managed to extract the malware payload from a quarantined copy on the server and can confirm that it is the -same- malware payload as today’s other run although renamed as Invoice395687.DOC . So far I am only seeing 1 version of this malware, but previous campaigns over the last few weeks have delivered 2 or 3 different versions, some with word doc attachments and some with Excel xls attachments..."
* http://myonlinesecurity.co.uk/intern...sheet-malware/
- http://blog.dynamoo.com/2015/03/malw...ce-395687.html
6 Mar 2015 - "This -malformed- spam is meant to have a malicious attachment... This malware and the payload it drops is identical to the one found in this -fake- IRS spam run* earlier today..."
* http://blog.dynamoo.com/2015/03/malw...tronic-ip.html
___
Fake Bankline SPAM - malware
- http://blog.dynamoo.com/2015/03/malw...eived-new.html
6 Mar 2015 - "This fake banking spam leads to malware.
From: Bankline [secure.message@ business .natwest .com]
Date: 6 March 2015 at 10:36
Subject: You have received a new secure message from BankLine
You have received a secure message.
Your Documents have been uploaded to Cubby cloud storage.
Cubby cloud storage is a cloud data service powered by LogMeIn, Inc.
Read your secure message by following the link bellow: ...
<redacted> ...
You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.
If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the Bankline Bank Secure Email Help Desk at 0131 556 8719.
First time users - will need to register after opening the attachment...
This downloads a ZIP file from cubbyusercontent .com which contains a malicious executable Business Secure Message.exe which has a VirusTotal detection rate of just 1/57*. Automated analysis tools... show attempted connections to the following URLs:
http ://all-about-weightloss .org/wp-includes/images/vikun.png
http ://bestcoveragefoundation .com/wp-includes/images/vikun.png
http ://190.111.9.129 :14248/0603no11/HOME/0/51-SP3/0/ELHBEDIBEHGBEHK
http ://190.111.9.129 :14249/0603no11/HOME/41/7/4/
It also appears that there is an attempted connection to 212.56.214.203.
Of all of these IPs, 190.111.9.129 (Navega.com, Guatemala) is the most critical to -block-.
It is also a characteristic of this malware (Upatre/Dyre) that it connects to checkip.dyndns .org to work out the IP address of the infected machine, it is worth checking for traffic to this domain. The Malwr report shows several dropped files, including fyuTTs27.exe which has a VirusTotal detection rate of 4/57**."
* https://www.virustotal.com/en/file/d...is/1425640773/
... Behavioural information
TCP connections
91.198.22.70: https://www.virustotal.com/en/ip-add...0/information/
190.111.9.129: https://www.virustotal.com/en/ip-add...9/information/
192.254.186.169: https://www.virustotal.com/en/ip-add...9/information/
46.151.254.183: https://www.virustotal.com/en/ip-add...3/information/
5.178.43.49: https://www.virustotal.com/en/ip-add...9/information/
212.56.214.203: https://www.virustotal.com/en/ip-add...3/information/
UDP communications
74.125.200.127: https://www.virustotal.com/en/ip-add...7/information/
** https://www.virustotal.com/en/file/8...is/1425641282/
... Behavioural information
UDP communications
217.10.68.152: https://www.virustotal.com/en/ip-add...2/information/
217.116.122.136: https://www.virustotal.com/en/ip-add...6/information/
___
Fake HSBC SPAM – PDF malware
- http://myonlinesecurity.co.uk/hsbc-p...e-pdf-malware/
6 Mar 2015 - "'HSBC Payment' pretending to come from HSBC <no-replay@ hsbc .co.uk> with a zip attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-con...BC-Payment.png
6 March 2015: HSBC-2739.zip: Extracts to: HSBC-2739.exe
Current Virus total detections: 0/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/4...is/1425636158/
... Behavioural information
TCP connections
91.198.22.70: https://www.virustotal.com/en/ip-add...0/information/
5.10.69.232: https://www.virustotal.com/en/ip-add...2/information/
190.111.9.129: https://www.virustotal.com/en/ip-add...9/information/
UDP communications
134.170.185.211: https://www.virustotal.com/en/ip-add...1/information/
77.72.169.167: https://www.virustotal.com/en/ip-add...7/information/
77.72.169.166: https://www.virustotal.com/en/ip-add...6/information/
___
Fake Gateway SPAM - PDF malware
- http://myonlinesecurity.co.uk/your-o...e-pdf-malware/
6 Mar 2015 - "'Your online Gateway .gov .uk Submission' pretending to come from Gateway .gov.uk <ruyp@ bmtrgroup .com> with a link to download a zip attachment is another one from the current bot runs... The email looks like:
Your online Gateway .gov.uk Submission
Government Gateway logo
Electronic Submission Gateway
Thank you for your submission for the Government Gateway.
The Government Gateway is the UK’s centralized registration service for e-Government services.
To view/download your form to the Government Gateway please visit http ://www.gateway .gov.uk/
This is an automatically generated email. Please do not reply as the email address is not
monitored for received mail.
gov .uk - the best place to find government services and information - Opens in new window
The best place to find government services and information
The link in the email leads to... the same malware as today’s run of 'You have received a new secure message from BankLine' -fake- PDF malware*.
* http://myonlinesecurity.co.uk/receiv...e-pdf-malware/
This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
___
Cryptowall, again!
- https://isc.sans.edu/diary.html?storyid=19427
Last Updated: 2015-03-06 - "A new variant of Cryptowall (An advanced version of cryptolocker) is now using a malicious .chm file attachment to infect systems. According to net-security.org*, Bitdefender labs has found a -spam- wave that spread malicious .chm attachments. CHM is the compiled version of html that supports technologies such as JavaScript which can -redirect- a user to an external link. “Once the content of the .chm archive is accessed, the malicious code downloads from this location http :// *********/putty.exe, saves itself as %temp%\natmasla2.exe and executes the malware. A command prompt window opens during the process”..."
* http://net-security.org/malware_news.php?id=2981
Mar 5, 2015
> http://www.net-security.org/images/a...owall-calc.jpg
:fear::fear: :mad:
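The Bankline post above points out two things worth hunting for in proxy logs: the Upatre/Dyre habit of looking up the machine's external address at checkip.dyndns.org, and callbacks to a bare IP on a high, non-standard port (190.111.9.129 on 14248/14249). As an added example, not code from dynamoo or the forum poster, this script applies both checks to a few constructed Squid-style proxy log lines. The watchlist host and the 190.111.9.129 URL are taken from the post; the client addresses, timestamps and the example.com line are made up.

```python
import re
from urllib.parse import urlsplit

# Hosts the quoted post names as an infection tell: the external-IP lookup the bot performs
WATCHLIST_HOSTS = {"checkip.dyndns.org"}
STANDARD_WEB_PORTS = {80, 443}
BARE_IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

# Constructed proxy log lines (Squid-like layout: ts client status method url peer)
SAMPLE_PROXY_LOG = """
1425640773.101 10.0.0.23 TCP_MISS/200 GET http://checkip.dyndns.org/ - DIRECT
1425640774.222 10.0.0.23 TCP_MISS/200 GET http://190.111.9.129:14248/0603no11/HOME/0/51-SP3/0/ELHBEDIBEHGBEHK - DIRECT
1425640775.333 10.0.0.77 TCP_HIT/200 GET https://www.example.com/index.html - DIRECT
"""


def classify_url(url):
    """Return the reasons a requested URL matches the indicators above (empty list = nothing found)."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    port = parts.port or (443 if parts.scheme == "https" else 80)
    reasons = []
    if host in WATCHLIST_HOSTS:
        reasons.append("external IP lookup (Upatre/Dyre characteristic)")
    if BARE_IPV4.fullmatch(host):
        reasons.append("bare IP in URL")
        if port not in STANDARD_WEB_PORTS:
            reasons.append(f"non-standard port {port}")
    return reasons


def scan_proxy_log(text):
    """Return (client, url, reasons) for each log line whose URL trips one of the checks."""
    alerts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        _ts, client, _status, _method, url = fields[:5]
        reasons = classify_url(url)
        if reasons:
            alerts.append((client, url, reasons))
    return alerts


if __name__ == "__main__":
    for client, url, reasons in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{client} requested {url}: {'; '.join(reasons)}")
```

A hit on checkip.dyndns.org alone is weak evidence (legitimate tools use it too), but the same client also reaching a bare IP on a high port within a second is the combination the post describes, so correlate both by client address before raising it.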
Fake 'Statement' SPAM, Paypal PHISH
FYI...
Fake 'Statement' SPAM - doc malware
- http://myonlinesecurity.co.uk/statem...e-pdf-malware/
9 Mar 2015 - "'Statement from MARKETING & TECHNOLOGY GROUP, INC.' pretending to come from TECHNOLOGY GROUP <rwilborn@ mtgmediagroup .com> with a zip attachment is another one from the current bot runs... The email looks like:
Dear Customer :
Your statement is attached. Please remit payment at your
earliest convenience.
Thank you for your business – we appreciate it very
much.
Sincerely,
MARKETING & TECHNOLOGY GROUP, INC
9 March 2015: docs2015.zip: Extracts to: docs2015.exe
Current Virus total detections: 2/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/1...is/1425899308/
___
Fake 'Credit Application' SPAM – PDF malware
- http://myonlinesecurity.co.uk/emaili...e-pdf-malware/
9 Mar 2015 - "'Emailing: Serv-Ware Credit Application.pdf' with a zip attachment pretending to come from clint@ servware .com is another one from the current bot runs... The email looks like:
—
Thanks,
Clint Winstead
Manager
Serv-Ware Products
clint@ servware .com
phone: 800.768.5953
fax : 800.976.1299 ...
9 March 2015: Serv-WareCreditApplication.zip: Extracts to: Serv-WareCreditApplication.exe
Current Virus total detections: 8/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/d...is/1425915088/
... Behavioural information
TCP connections
75.127.114.162: https://www.virustotal.com/en/ip-add...2/information/
UDP communications
77.72.174.163: https://www.virustotal.com/en/ip-add...3/information/
77.72.174.162: https://www.virustotal.com/en/ip-add...2/information/
___
Paypal PHISH
- http://myonlinesecurity.co.uk/your-p...0%8F-phishing/
8 Mar 2015 - "There are a few major common subjects in a phishing attempt. The majority are either PayPal or your Bank or Credit Card, with a message saying something like:
There have been unauthorised or suspicious attempts to log in to your account, please verify
Your account has exceeded its limit and needs to be verified
Your account will be suspended !
You have received a secure message from < your bank>
We are unable to verify your account information
Update Personal Information
Urgent Account Review Notification
We recently noticed one or more attempts to log in to your PayPal account from a foreign IP address
Confirmation of Order
your PayPal account is limited – take action now
Screenshot: http://myonlinesecurity.co.uk/wp-con...action-now.png
This one wants your personal details, your Paypal account log in details and your credit card and bank details. Many of them are also designed to specifically steal your email, facebook and other social network log in details..."
:fear: :mad:
Fake 'PMQ agreement' SPAM - PDF malware
FYI...
Fake 'PMQ agreement' SPAM - PDF malware
- http://myonlinesecurity.co.uk/2015-p...e-pdf-malware/
10 Mar 2015 - "'2015 PMQ agreement' pretending to come from linda@ pmq .com with a zip attachment is another one from the current bot runs... The email looks like:
HI
I have Not received your signed contract for the 2015 ad campaign. If you would please sign and return.
Thank you
Linda
—
Watch our 2015 PMQ Media Kit here ...
PMQ Pizza Magazine
Linda Green / Co-Publisher
(662)234-5481 ext 121 / linda.pmq@ gmail .com
cell (662)801-5495
PMQ Pizza Magazine Office: 662-234-5481 x121 / Fax: 662-234-0665
605 Edison Street, Oxford, MS 38655 ...
Don’t forget to renew your subscription to the magazine at ...
10 March 2015 : American_Wholesale.zip: Extracts to: American_Wholesale.exe
Current Virus total detections: 9/57*. This is another one of the spoofed icon files that, unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/a...is/1425997192/
... Behavioural information: TCP connections / UDP communications ...
___
Apple Watch Giveaway Spam Clocks In on Twitter
- https://blog.malwarebytes.org/privac...in-on-twitter/
Mar 10, 2015 - "Twitter users should be aware that mentioning the new Apple Watch could result in -spam- headed their way:
> https://blog.malwarebytes.org/wp-con.../watchspm0.jpg
... The so-called Apple Giveaways profile says the following in its Bio space:
> https://blog.malwarebytes.org/wp-con.../watchspm6.jpg
It may sound promising, but what follows is a semi-exhausting jaunt around a couple of different websites with instructions to follow along the way... What we do end up with is a wall of text on a Facebook page with some very specific hoops to jump through in order to obtain the watch... they claim they’ll direct message within 72 hours with a “confirmation link”. The creation date for the website is listed as March 9th, and the Whois details are hidden behind a Whoisguard so there’s no way to know who you’re sending your information to... this seems like a long shot in terms of “winning” the incredibly expensive watch..."
:fear::fear: :mad:
Fake 'Tax rebate', 'Remittance', blank body, 'admin.scanner' SPAM...
FYI...
Fake 'Tax rebate' SPAM – doc or xls malware
- http://myonlinesecurity.co.uk/your-t...sheet-malware/
11 Mar 2015 - "'Your Tax rebate' pretending to come from HMRC Revenue&Customs with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
HM revenue
Dear ...
After the last yearly computations of your financial functioning we have defined that you
have the right to obtain a tax rebate of 934.80.
Please confirm the tax rebate claim and permit us have
6-9 days so that we execute it.
A rebate can be postponed for a variety of reasons.
For instance confirming unfounded data or applying
not in time.
To access the form for your tax rebate, view the report attached. Document Reference: (983EMI).
Regards,
HM Revenue Service. We apologize for the inconvenience...
The malware payload with this template is the same as today’s "Your Remittance Advice [FPAEEKBYQU] – Word doc malware"*. So far I am only seeing 1 version of this malware..."
* http://myonlinesecurity.co.uk/your-r...d-doc-malware/
- http://blog.dynamoo.com/2015/03/malw...ce-advice.html
11 Mar 2015
"... Recommended blocklist: ..."
___
Fake 'Remittance' SPAM - doc or xml malware
- http://myonlinesecurity.co.uk/your-r...d-doc-malware/
11 Mar 2015 - "'Your Remittance Advice [FPAEEKBYQU] (random characters)' coming from random names and email addresses with a malicious word doc or xml attachment is another one from the current bot runs... The email looks like:
Good Morning,
Please find attached the BACS Remittance Advice for payment made by FORUM ENERGY.
Please note this may show on your account as a payment reference of FPANJRCXFM.
Kind Regards
Marilyn Aguilar
Accounts Payable
11 March 2015 : Rem_7656CN.xml - Current Virus total detections: 2/57*
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/c...is/1426068203/
___
Fake blank body SPAM - doc or xls malware
- http://myonlinesecurity.co.uk/inv-09...sheet-malware/
11 Mar 2015 - "'inv.09.03' pretending to come from Jora Service <jora.service@ yahoo .com> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email has a totally empty body with just the attachment.
11 March 2015 : INV 86-09.03.2015.doc - Current Virus total detections: 0/56*
So far I am only seeing 1 version of this malware, but previous campaigns over the last few weeks have delivered 2 or 3 different versions, some with word doc attachments and some with Excel xls attachments..."
* https://www.virustotal.com/en/file/5...is/1426067908/
___
Fake 'admin.scanner' SPAM - doc or xls malware
- http://myonlinesecurity.co.uk/messag...sheet-malware/
11 Mar 2015 - "'Message from RNP0026735991E2' pretending to come from admin.scanner@ <your own email domain> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
This E-mail was sent from “RNP0026735991E2” (MP C305).
Scan Date: 11.03.2015 08:57:25 (+0100)
Queries to: admin.scanner@ ...
11 March 2015 : 201503071457.xls - Current Virus total detections: 0/56*
This looks like it is the same malware payload as today’s 'inv.09.03 Jora Service' – word doc or excel xls spreadsheet malware**..."
* https://www.virustotal.com/en/file/1...is/1426068752/
** http://myonlinesecurity.co.uk/inv-09...sheet-malware/
- http://blog.dynamoo.com/2015/03/malw...sage-from.html
11 Mar 2015
"... Recommended blocklist: ..."
___
Fake 'Rate Increase' SPAM - PDF malware
- http://myonlinesecurity.co.uk/please...e-pdf-malware/
11 Mar 2015 - "'Please' pretending to come from Phoenix <phoenix@ pnjinternational .com> with a zip attachment is another one from the current bot runs... The email looks like:
Good Afternoon,
Please find attached notice regarding carriers pre-filing for an additional General Rate Increase for effective date of April 9, 2015. Please note, we are advising you of this filing in order to comply with FMC regulations. However, we feel it is unlikely that the carriers will be successful in implementing this increase, especially since the March 9th GRI has already been postponed to March 17th. We will continue to keep you updated as we receive additional information pertaining to these filed rate increases.
Phoenix Zhang-Shin
Director
P & J International Ltd
Calverley House, 55 Calverley Road
Tunbridge Wells, Kent, UK TN1 2TU ...
11 March 2015: documents-id323.zip: Extracts to: documents-id323.exe
Current Virus total detections: 3/57*. This is another one of the spoofed icon files that, unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/5...is/1426081018/
... Behavioural information: TCP connections / UDP communications ...
___
Fake Voicemail SPAM - malicious attachment
- http://blog.dynamoo.com/2015/03/malw...l-message.html
11 Mar 2015 - "When was the last time someone sent you a voice mail message by email? Never? There are no surprises to find that this spam email message has a malicious attachment.
From: Voicemail admin@ victimdomain
Date: 11/03/2015 11:48
Subject: Voicemail Message (07813297716) From:07813297716
IP Office Voicemail redirected message
Attachment: MSG00311.WAV.ZIP
The attachment is a ZIP file containing a malicious EXE file called MSG00311.WAV.exe which has a VirusTotal detection rate of 5/57*. According to the Malwr report, it pulls down another executable and some config files from:
http ://wqg64j0ei .homepage.t-online .de/data/log.exe
http ://cosmeticvet .su/conlib.php
This behaviour is very much like a Dridex downloader, a campaign that has mostly been using malicious macros rather than EXE-in-ZIP attacks.
The executable it drops has a detection rate of 2/54**... Malwr reports ... show a further component download from:
http ://muscleshop15 .ru/js/jre.exe
http ://test1.thienduongweb .com/js/jre.exe
This component has a detection rate of 5/57***. According to the Malwr report for that we see (among other things) that it drops a DLL with a detection rate of 4/57**** which is the same Dridex binary we've been seeing all day. Piecing together the IP addresses found in those reports combined with some information from one of my intelligence feeds, we can see that the following IPs are involved in this activity:
... Recommended blocklist: ..."
* https://www.virustotal.com/en/file/2...is/1426091260/
** https://www.virustotal.com/en/file/e...is/1426091556/
*** https://www.virustotal.com/en/file/1...is/1426092316/
**** https://www.virustotal.com/en/file/5...is/1426093429/
:fear: :mad:
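The posts above keep describing the same attachment trick: a ZIP whose member is an .exe or .scr wearing a document or audio icon, or a double extension such as MSG00311.WAV.exe. The following is an added mail-gateway check for that pattern (my example, not code from myonlinesecurity or dynamoo); it goes one step beyond the posts by also looking for an MZ header behind a non-executable name, and the sample archives are constructed in memory with MZ stubs rather than real binaries.

```python
from __future__ import annotations
import io
import zipfile

# Suffixes Windows runs on double-click; hidden when "show known file
# extensions" is off, so the victim trusts the spoofed PDF/WAV icon instead.
EXECUTABLE_EXTS = {".exe", ".scr", ".jar", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Suffixes the decoy name or icon pretends to be.
DECOY_EXTS = {".pdf", ".doc", ".xls", ".wav", ".mp4", ".zip", ".txt", ".jpg"}
PE_MAGIC = b"MZ"  # first two bytes of every Windows executable

def split_exts(name: str) -> list[str]:
    """All dotted suffixes, lowercased: 'dir/a.WAV.exe' -> ['.wav', '.exe']."""
    parts = name.rsplit("/", 1)[-1].split(".")
    return ["." + p.lower() for p in parts[1:]]

def inspect_zip(data: bytes) -> list[tuple[str, str]]:
    """Return (member, reason) for each suspicious archive member; [] = clean."""
    findings: list[tuple[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            exts = split_exts(info.filename)
            if exts and exts[-1] in EXECUTABLE_EXTS:
                if len(exts) > 1 and exts[-2] in DECOY_EXTS:
                    findings.append((info.filename, f"double extension {exts[-2]}{exts[-1]}"))
                else:
                    findings.append((info.filename, f"executable {exts[-1]} inside archive"))
            elif zf.open(info).read(2) == PE_MAGIC:
                # Beyond the posts: a PE renamed to a harmless-looking suffix.
                findings.append((info.filename, "PE header behind non-executable name"))
    return findings

def build_zip(members: dict[str, bytes]) -> bytes:
    buf = io.BytesIO()  # constructed sample archive, built in memory only
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()

# Constructed samples named after the attachments in the posts above; the
# "executables" are just an MZ stub, not real binaries.
SAMPLES = {
    "MSG00311.WAV.ZIP": build_zip({"MSG00311.WAV.exe": PE_MAGIC + b"\0" * 62}),
    "VOICE8411-263-481.zip": build_zip({"VOICE8411-263-481.scr": PE_MAGIC + b"\0" * 62}),
    "Serv-WareCreditApplication.zip": build_zip({"Serv-WareCreditApplication.exe": PE_MAGIC}),
    "renamed.zip": build_zip({"report.pdf": PE_MAGIC + b"\0" * 62}),
    "genuine.zip": build_zip({"notes.txt": b"hello"}),
}

def triage(samples: dict[str, bytes] = SAMPLES) -> dict[str, list[str]]:
    # Map each attachment name to the reasons it was flagged (empty = deliver).
    return {name: [reason for _, reason in inspect_zip(data)] for name, data in samples.items()}

if __name__ == "__main__":
    for name, reasons in triage().items():
        print(f"{name}: {reasons or 'clean'}")
```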
Fake Invoice SPAM - doc or xls malware, Facebook Worm
FYI...
Fake Invoice SPAM - doc or xls malware
- http://myonlinesecurity.co.uk/invoic...sheet-malware/
12 Mar 2015 - "'Invoice [random numbers] for payment to <random company>' coming from random names and companies with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... This email has what appears to be a genuine word doc or Excel XLS spreadsheet attached which is malformed and contains a macro script virus... The email has a totally blank body and just a word or excel attachment with a random name...
11 March 2015 : 6780MHH.doc - Current Virus total detections: 0/56*
... which connects to & downloads https ://92.63.88.102 /api/gb1.exe which in turn is saved as %temp%\dsfsdfsdf.exe (virus total**). So far I am only seeing 1 version of this malware, but previous campaigns over the last few weeks have delivered 2 or 3 different versions, some with word doc attachments and some with Excel xls attachments... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/1...is/1426151513/
** https://www.virustotal.com/en/file/2...is/1426156982/
... Behavioural information
TCP connections
95.163.121.33: https://www.virustotal.com/en/ip-add...3/information/
92.63.88.102: https://www.virustotal.com/en/ip-add...2/information/
- http://blog.dynamoo.com/2015/03/malw...34xyz-for.html
12 March 2015
"...Recommended blocklist: ..."
___
Fake Voicemail SPAM - malware
- http://myonlinesecurity.co.uk/you-ha...-mail-malware/
12 Mar 2015 - "'You have received a voice mail' pretending to come from Voicemail Report <no-reply@ voicemail-delivery .com> with a zip attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-con...voice-mail.png
12 March 2015: VOICE8411-263-481.zip: Extracts to: VOICE8411-263-481.scr
Current Virus total detections: 5/57*. This is another one of the spoofed icon files that, unless you have “show known file extensions enabled”, will look like a proper sound file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/2...is/1426165959/
___
Facebook Worm variant leverages Multiple Cloud Services
- https://blog.malwarebytes.org/fraud-...loud-services/
Mar 12, 2015 - "... We came across a worm that we think belongs to the -Kilim- family and whose purpose is to compromise a user and spread via Facebook. The lure is the promise of pornographic material that comes as what appears to be a video file named Videos_New.mp4_2942281629029.exe, which in reality is a malicious program. Once infected, the victim spreads the worm to all of his contacts and groups that he belongs to... The bad guys have built a multi-layer redirection architecture that uses the ow.ly URL shortener, Amazon Web Services and Box.com cloud storage.
> https://blog.malwarebytes.org/wp-con...15/03/flow.png
... We identified three domains involved in the configuration and update mechanism for the worm:
- videomasars .healthcare | Enom, whoisguard Protected, Panama | 91.121.114.211 | PVH AS16276 OVH
- porschealacam .com | Enom, whoisguard Protected, Panama | 91.121.114.211 | PVH AS16276 OVH
- hahahahaa .com | Enom, whoisguard Protected, Panama | AS13335 CLOUDFLARENET
... This is a malicious file (Trojan) hosted on the popular cloud storage Box. Malwarebytes Anti-Malware detects it as Trojan.Agent.ED (VirusTotal link*). This binary is responsible for downloading additional resources (the worm component) from another resource (porschealacam .com). Here we find a malicious Chrome extension (VirusTotal link**) and additional binaries (scvhost.exe*** and son.exe****). Additional code is retrieved by the piece of malware (perhaps in case the user does not have the Chrome browser) from a third site, hahahahaa .com, to spread the worm via Facebook ... a rogue Chrome extension is injected but that is not all. The malware also creates a shortcut for Chrome that actually launches a malicious app in the browser directly to the Facebook website... In this ‘modified’ browser, attackers have full control to capture all user activity but also to restrict certain features. For example, they have disabled the extensions page that one can normally access by typing chrome://extensions/, possibly in an attempt to -not- let the user disable or remove the malicious extension. Clearly, the crooks behind this Facebook worm have gone to great lengths to anonymize themselves but also to go around browser protection by creating their own booby-trapped version.
We have reported the various URLs to their respective owners and some have already been shut down. However, we still urge caution before clicking on any link that promises free prizes or sensational items. Once again the bad guys are leveraging human nature and while we do not know how many people fell for this threat, we can guess that it most likely affected a significant number of Facebook users."
(More detail at the malwarebytes URL above.)
* https://www.virustotal.com/en/file/6...is/1426093312/
** https://www.virustotal.com/en/file/7...is/1426051972/
*** https://www.virustotal.com/en/file/6...is/1426093308/
**** https://www.virustotal.com/en/file/4...is/1426093310/
91.121.114.211: https://www.virustotal.com/en/ip-add...1/information/
:fear: :mad: