Pervasive malware activity - SPAM ...
FYI...
- https://www.net-security.org/malware_news.php?id=2455
4.04.2013 - "Malware activity has become so pervasive that organizations experience a malicious email file attachment or Web link as well as malware communication that evades legacy defenses up to once every three minutes, according to FireEye* ..."
* http://www.fireeye.com/blog/technica...at-report.html
> https://www.net-security.org/images/...e-042013-1.jpg
___
Fake "Bill Me Later" SPAM / PP_BillMeLater_Receipe04032013_4283422.zip
- http://blog.dynamoo.com/2013/04/bill...erreceipe.html
4 Apr 2013 - "This fake "Bill Me Later" spam comes with a malicious attachment:
Date: Wed, 3 Apr 2013 21:42:52 +0600 [04/03/13 11:42:52 EDT]
From: Bill Me Later [notification @billmelater .com]
Subject: Thank you for scheduling a payment to Bill Me Later
BillMeLater
Log in here
Your Bill Me Later� statement is now available!
Dear Customer,
Thank you for making a payment online! We've received your
Bill Me Later® payment of $1644.03 and have applied it to your account.
For more details please check attached file : PP_BillMeLater_Receipe04032013_4283422.zip
Here are the details:
Your Bill Me Later Account Number Ending in: 0014
You Paid: $1644.03
Your Payment Date*: 04/03/2013
Your Payment Confirmation Number: 228646660603545001
Don't forget, Bill Me Later is the perfect way to shop when you want more time to pay for the stuff you need. Plus, you can always find great deals and discounts at over 1000 stores. Watch this short, fun video to learn more.
BillMeLater
*NOTE: If your payment date is Saturday, or a holiday, it will take an additional day for the payment to appear on your account. However, you will be credited for the payment as of the payment date.
Log in at PayPal.com to make a payment
Questions:
Do not reply to this email. Please send all messages through the email form on our website. We are unable to respond to account inquiries sent in reply to this email. Bill Me Later is located at 9690 Deereco Rd, Suite 110, Timonium, MD 21093 Copyright 2012 Bill Me Later Inc.
Bill Me Later accounts are issued by WebBank, Salt Lake City Utah
PP10NDPP1
Screenshot: https://lh3.ggpht.com/-55gUxujP5q4/U...l-me-later.png
There is an attachment called PP_BillMeLater_Receipe04032013_4283422.zip which contains an executable file PP_BillMeLater_Receipe_04032013.exe (note that the date is encoded into the filename) which currently has a VirusTotal detection rate of just 26/46*. The executable is resistant to automated analysis tools but has the following fingerprint:
MD5: c93bd092c1e62e9401275289f25b4003
SHA256: ae5af565c75b334535d7d7c1594846305550723c54bf2ae77290784301b2ac29
Blocking EXE-in-ZIP files at your perimeter is an effective way of dealing with this threat, assuming you have the technology to do it."
* https://www.virustotal.com/en/file/a...is/1365065866/
File name: PP_BillMeLater_Receipe_04032013.exe
Detection ratio: 26/46
Analysis date: 2013-04-04
___
Fiserv Money Transfer Spam
- http://threattrack.tumblr.com/post/4...-transfer-spam
4 April 2013 - "Subjects seen:
Outgoing Money Transfer
Typical e-mail details:
An outgoing money transfer request has been received by your financial institution. In order to complete the money transfer please print and sign the attached form.
To avoid delays or additional fees please be sure Beneficiary Information including name, branch name, address, city, state, country, and RTN or SWIFT BIC Code is correct. For international Wires be sure you include the International Routing Code (IRC) and International Bank Account Number (IBAN) for countries that require it.
Thank you,
Joy_Farmer
Senior Officer
Cash Management Verification
Phone : [removed]
Email: [removed]
Malicious URLs
3ecompany .com:8080/ponyb/gate.php
23.wellness-health2day .com/ponyb/gate.php
23.ad-specialties .info/ponyb/gate.php
23.advertisingspecialties .biz/ponyb/gate.php
brightpacket .com/coS0GiKE .exe
u16432594.onlinehome-server .com/d8dTEXk.exe
thedryerventdude .com/2FKBSea .exe
Screenshot: https://gs1.wac.edgecastcdn.net/8019...rN91qz4rgp.png
___
Bank of America Trusteer Spam
- http://threattrack.tumblr.com/post/4...-trusteer-spam
4 April 2013 - "Subjects seen:
New Critical Update
Typical e-mail details:
Valued Customer:
As part of our continued effort to enhance online banking safety, Bank of America announced late last year that it has partnered with Trusteer Rapport to add an additional layer of security to our eBusiness platform and we recommend that all of our online banking customers install the software.
Malicious URLs
23.proautorepairdenver .com/forum/viewtopic.php
23.onqdenver .net/forum/viewtopic.php
23.onqdenver .com/forum/viewtopic.php
3ecompany .com:8080/forum/viewtopic.php
dev2.americanvisionwindows .com/rthsWe.exe
adr2009 .it/R4eFC.exe
easy .com.gr/2YcB2jL.exe
konyapalyaco .net/F6pKX68j.exe
homepage.osewald .de/ynWx1.exe
Screenshot: https://gs1.wac.edgecastcdn.net/8019...Mm31qz4rgp.png
___
Fake "British Airways" SPAM / igionkialo .ru
- http://blog.dynamoo.com/2013/04/brit...onkialoru.html
4 Apr 2013 - "This fake British Airways spam leads to malware on igionkialo .ru:
Date: Thu, 4 Apr 2013 10:19:48 +0330
From: Marleen Camacho via LinkedIn [member @linkedin .com]
Subject: British Airways E-ticket receipts
Attachments: E-Receipt.htm
e-ticket receipt
Booking reference: UMA7760047
Dear,
Thank you for booking with British Airways.
Ticket Type: e-ticket
This is your e-ticket receipt. Your ticket is held in our systems, you will not receive a paper ticket for your booking.
Your itinerary is attached (Internet Exlplorer/Mozilla Firefox file)
Yours sincerely,
British Airways Customer Services
British Airways may monitor email traffic data and also the content of emails, where permitted by law, for the purposes of security and staff training and in order to prevent or detect unauthorised use of the British Airways email system.
British Airways Plc is a public limited company registered in England and Wales. Registered number: 69315274. Registered office: Waterside, PO Box 365, Harmondsworth, West Drayton, Middlesex, England, UB7 0GB.
How to contact us
Although we are unable to respond to individual replies to this email we have a comprehensive section that may help you if you have a question about your booking or travelling with British Airways.
If you require further assistance you may contact us
If you have received this email in error
This is a confidential email intended only for the British Airways Customer appearing as the addressee. If you are not the intended recipient please delete this email and inform the snder as soon as possible. Please note that any copying, distribution or other action taken or omitted to be taken in reliance upon it is prohibited and may be unlawful.
The attachment E-Receipt.htm leads to a malicious landing page at [donotclick]igionkialo .ru:8080/forum/links/column.php (report here*) hosted on:
93.187.200.250 (Netdirekt, Turkey)
94.103.45.34 (ANKARAHOSTING, Turkey)
208.94.108.238 (Fibrenoire, Canada)
Blocklist:
93.187.200.250
94.103.45.34
208.94.108.238 ..."
* http://urlquery.net/report.php?id=1805773
... Detected suspicious URL pattern... Blackhole 2 Landing Page 94.103.45.34
___
Madi/Mahdi/Flashback OS X connected malware spreading through Skype
- http://blog.webroot.com/2013/04/04/m...through-skype/
April 4, 2013 - "Over the past few days, we intercepted a malware campaign that spreads through Skype messages, exclusively coming from malware-infected friends or colleagues. Once users click on the shortened link, they’ll be exposed to a simple file download box, with the cybercriminals behind the campaign directly linking to the malicious executable...
Sample screenshot of the campaign in action:
> https://webrootblog.files.wordpress....ngineering.png
Sample redirection chain: hxxp ://www.goo .gl/aMrTD?image=IMG0540250-JPG -> hxxp ://94.242.198.67/images.php -> MD5: f29b78be1cd29b55db94e286d48cddef * ... Gen:Variant.Symmi.17255.
More malware is known to have been rotated on the same IP... Upon execution, MD5: d848763fc366f3ecb45146279b44f16a phones back to hxxp ://xlotxdxtorwfmvuzfuvtspel .com/RQQgW6RRMZKWdj0xLjImaWQ9MjQ3NzA0MzA5MiZhaWQ9MzAyODcmc2lkPTQmb3M9NS4xLTMyluYwGI8j – 50.62.12.103. What’s so special about this IP (50.62.12.103) anyway? It’s the fact that it’s known to have been used as a C&C for the Madi/Mahdi malware campaign, as well as a C&C for the Flashback MAC OS X malware, proving that someone’s definitely multi-tasking..."
(More detail at the webroot URL above.)
* https://www.virustotal.com/en/file/3...3b91/analysis/
File name: reznechek.exe
Detection ratio: 27/46
Analysis date: 2013-04-03
___
Legal Case Spam
- http://threattrack.tumblr.com/post/4...egal-case-spam
4 April 2013 - "Re: Our chances to win the case are better than ever.
Typical e-mail details:
We talked to the administration representatives, and if we acknowledge our minor defiance to improve their statistics, the major suit will be closed due to the lack of the government interest to the action. We have executed your explanatory text for the court. Please read it carefully and if anything in it seems unacceptable, let us know.
Speech.doc 332kb
With Best Wishes
Erica Bermudez
Malicious URLs
3ecompany .com:8080/ponyb/gate.php
lanos-info .ru/winadlor.htm
Screenshot: https://gs1.wac.edgecastcdn.net/8019...XcK1qz4rgp.png
___
Pennie stock SPAM
- https://isc.sans.edu/diary.html?storyid=15559
Last Updated: 2013-04-05 00:25:54 UTC - "Most of you will remember the pennie stock SPAM messages from a few years ago. The main aim of the game is to buy a bunch of pennie stock and then do a SPAM campaign to drive buying interest, artifically inflating the price of the stock. They sell and make their money. It may be a few cents per share, but if you own enough of it can be quite profitable. Most SPAM filters are more than capable of identifying and dumping this kind of SPAM. It looks however like it is becoming popular again...
News!!!
Date: Thursday, Apr 4th, 2013
Name: Pac West Equities, Inc.
To buy: P_WEI
Current price: $.19
Long Term Target: $.55
OTC News Subscriber Reminder!!! Releases Breaking News This
Morning!
What is old is new again..."
:fear::mad:
Fake Legal, Facebook SPAM ...
FYI...
Fake Legal SPAM / itriopea .ru
- http://blog.dynamoo.com/2013/04/spee...triopearu.html
5 Apr 2013 - "This fake legal spam leads to malware on itriopea .ru:
Date: Thu, 4 Apr 2013 07:44:02 -0500
From: Malaki Brown via LinkedIn [member @linkedin .com]
Subject: Fwd: Our chances to gain a cause are better than ever.
We conversed with the administration representatives, and if we acknowledge our non-essential contempt for the sake of their statistics increase , the key suit will be closed due to the lack of the state interest to the action. We have executed your elucidative text for the court. Please read it carefully and if anything in it disagrees with you, let us know.
Speech.doc 458kb
With respect to you
Malaki Brown
==============
Date: Thu, 4 Apr 2013 05:37:47 -0600
From: Talisha Sprague via LinkedIn [member @linkedin .com]
Subject: Re: Fwd: Our chances to gain a suit are higher than ever.
We talked to the administration representatives, and if we admit our minor infringements for the sake of their statistics increase , the main cause will be closed due to the lack of the government interest to the proceedings. We have executed your explicatory text for the court. Please read it carefully and if anything in it dissatisfies you, advise us.
Speech.doc 698kb
With Best Regards
Talisha Sprague
The attachment Speech.doc leads to a malicious payload is at [donotclick]itriopea .ru:8080/forum/links/column.php (report here*) hosted on:
91.191.170.26 (Netdirekt, Turkey)
93.187.200.250 (Netdirekt, Turkey)
208.94.108.238 (Fibrenoire, Turkey)
Blocklist (including active nameservers):
62.76.40.244
62.76.41.245
91.191.170.26
93.187.200.250
109.70.4.231
188.65.178.27
199.66.224.130
199.191.59.60
208.94.108.238 ..."
* http://urlquery.net/report.php?id=1824890
... Detected suspicious URL pattern... Blackhole 2 Landing Page 93.187.200.250
___
Facebook Photo Share Spam
- http://threattrack.tumblr.com/post/4...oto-share-spam
5 Apr 2013 - "Subjects Seen:
[removed] shared photo of you.
Typical e-mail details:
[removed] commented on Your photo.
Reply to this email to comment on this photo.
Malicious URLs
barroj .info/images/cnnbrnews.html
craftypidor .info/complaints/arrangement-select.php
Screenshot: https://gs1.wac.edgecastcdn.net/8019...G4I1qz4rgp.png
___
Fake Invoice SPAM / ijsiokolo .ru
- http://blog.dynamoo.com/2013/04/end-...siokoloru.html
5 Apr 2013 - "This fake invoice spam leads to malware on ijsiokolo .ru:
Date: Fri, 5 Apr 2013 07:57:37 +0300
From: "Account Services ups" [upsdelivercompanyb @ups .com]
Subject: Re: End of Aug. Statement Required
Attachments: Invoice_AF146989113.htm
Good morning,
I give you inovices issued to you per Feb. (Microsoft Internet Explorer format).
Regards
DAYLE PRIEST
===========
Date: Fri, 5 Apr 2013 07:56:53 -0300
From: "Tracking" [ups-account-services @ups .com]
Subject: Re: FW: End of Aug. Stat.
Hallo,
I give you inovices issued to you per Feb. (Microsoft Internet Explorer format).
Regards
Mariano LEE
The .htm attachment in the email leads to malware at [donotclick]ijsiokolo .ru:8080/forum/links/column.php (report here*) hosted on:
91.191.170.26 (Netdirekt, Turkey)
208.94.108.238 (Fibrenoire, Germany)
Blocklist:
91.191.170.26
208.94.108.238 ..."
* http://urlquery.net/report.php?id=1829725
... Detected suspicious URL pattern... Blackhole 2 Landing Page 208.94.108.238
___
Fake "Copies of Policies" SPAM / ifikangloo .ru
- http://blog.dynamoo.com/2013/04/copi...kanglooru.html
5 April 2013 - "This spam leads to malware on ifikangloo .ru:
From: KaelSaine @mail .com [mailto:KaelSaine @mail .com]
Sent: 05 April 2013 11:43
Subject: Fwd: LATONYA - Copies of Policies
Unfortunately, I cannot obtain electronic copies of the SPII policy.
Here is the Package and Umbrella,
and a copy of the most recent schedule.
LATONYA Richmond,
The link in the email leads to a legitimate -hacked- site and then on to [donotclick]ifikangloo .ru:8080/forum/links/column.php (report here*) hosted on the same IPs used in this attack**:
91.191.170.26 (Netdirekt, Turkey)
208.94.108.238 (Fibrenoire, Germany)
Blocklist:
91.191.170.26
208.94.108.238 ..."
* http://urlquery.net/report.php?id=1831322
... Detected suspicious URL pattern... Blackhole 2 Landing Page 208.94.108.238
** http://blog.dynamoo.com/2013/04/end-...siokoloru.html
Variation - same theme: http://threattrack.tumblr.com/post/4...-policies-spam
5 Apr 2013
Screenshot: https://gs1.wac.edgecastcdn.net/8019...KJT1qz4rgp.png
___
Fake eFax Corpoprate Spam
- http://threattrack.tumblr.com/post/4...orpoprate-spam
5 April 2013 - "Subjects Seen:
Corporate eFax message from Caller ID : “[removed]” - 3 page(s)
Typical e-mail details:
You have received a 3 page(s) fax at 2013-04-05 02:31:33 CST.
* The reference number for this fax is [removed].
View this fax using your PDF reader.
Click here to view this message
Please visit eFax .com/en/efax/twa/page/help if you have any questions regarding this message or your service.
Thank you for using the eFax service!
Malicious URLs
estherashe .com/winching/index.html
23.frameless-glass-shower-enclosures .com/forum/viewtopic.php
23.frameless-glass-shower-enclosures .com/adobe/update_flash_player.exe
23.garryowen .biz/adobe/
albenden .com/F2SyzQtn.exe
globalinfocomgroup .com/r18Lm7RJ.exe
209.164.63.90 /otQw.exe
Screenshot: https://gs1.wac.edgecastcdn.net/8019...Wsl1qz4rgp.png
:mad::fear:
Fake pharmacy, Facebook SPAM ...
FYI...
Fake pharmacy SPAM / accooma .org / classic-pharmacy .com
- http://blog.dynamoo.com/2013/04/upda...ccoomaorg.html
6 April 2013 - "This scary looking spam is nothing more than an attempt to get you to click through to a fake pharmacy site:
Date: Mon, 9 Feb 2004 13:00:35 +0000 (GMT)
From: "Account Info Change" [info @virtualregistrar .com]
Subject: Updated information
Updated information
Hello,
The following information for your ID [redacted] was updated on 02/09/2012: Date of birth, Security question and answer.
If these changes were made in error, or if you believe an unauthorized person accessed your account, please reset your account password immediately.
This is an automated message. Please do not reply to this email. If you need additional help, visit our Support Center.
Thanks,
Customer Support
The link in the email goes to a landing page on accooma .org (184.82.155.18 - HostNOC, US) which clicks through to classic-pharmacy .com (184.82.155.20 - also HostNOC). These two IPs are very close together which indicates a bad block. There does not appear to be any malware involved (see here* and here**) and of course nobody has changed any details on your account. You can safely ignore these emails. A closer examination shows that HostNOC have suballocated 184.82.155.16/29 (184.82.155.16 - 184.82.155.23) to an unknown party... fake pharma sites are active in this range..."
(Long list at the dynamoo URL above.)
* http://urlquery.net/report.php?id=1850413
** http://urlquery.net/report.php?id=1850445
- https://www.google.com/safebrowsing/...?site=AS:21788
"... over the past 90 days, 1069 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2013-04-06, and the last time suspicious content was found was on 2013-04-06... we found 227 site(s) on this network... that appeared to function as intermediaries for the infection of 981 other site(s)... We found 384 site(s)... that infected 1772 other site(s)..."
___
Fake Facebook pwd reset SPAM / accooma .org
- http://blog.dynamoo.com/2013/04/face...-password.html
6 April 2013 - "Another very aggressive spam run promoting accooma .org which is a fake pharma site..
Date: Sat, 6 Apr 2013 13:16:59 -0700 [16:16:59 EDT]
From: Facebook
Subject: Reminder: Reset your password
facebook
You recently requested a new password for your Facebook account. It looks like we sent you an email with a link to reset your password 2 ago.
This is a reminder that you need to complete this action by clicking this link and Confirm or Cancel your request.
If you have any other questions, please visit our Help Center.
Thanks,
The Facebook Team
The emails vary somewhat in content. I've received 60+ of these today to one email account alone, so this site is being pushed very hard indeed. Although the email is annoying, it does not seem to be harmful. For more details, see this earlier post* about another spam run for the same domain."
* http://blog.dynamoo.com/2013/04/upda...ccoomaorg.html
:mad:
Google scam, Malware sites, BBB, credit line SPAM...
FYI...
Massive Google scam sent by email to Colombian domains
- https://isc.sans.edu/diary.html?storyid=15586
Last Updated: 2013-04-10 21:01:28 UTC - "... supposedly good news from a resume they sent to google looking for open positions:
> https://isc.sans.edu/diaryimages/images/diary1.png
... The file referenced in the e-mail is zip compressed, MD5 4e85b6c9e9815984087f6722498a6dfc. Once uncompressed, you get document.exe, MD5 3e41ab7c70701452d046b93f764564ec. This file is widely recognized by VirusTotal with a 40/46 detection ratio. It is a mass mailer with backdoor capabilities. The mass mailer malware description can be found at http://home.mcafee.com/virusinfo/vir...ey=153521#none and the backdoor description can be found at http://home.mcafee.com/virusinfo/vir...spx?key=100938 ... people complained about very slow internet links without performing any download operations. If you were affected by this malware, please keep in mind the following recommendations:
- Do not *ever* open attachments from not reliable sources, specially zipped files that have inside exe files. Nothing good can come from it.
- Do not disable any security controls inside your computer like host IPS, antivirus and personal firewall. If you require to work with software that is blocked by any of these controls and there is no way no enable it through them, it is definitely something you should consider not to use.
- Malware can control your machine and handle your machine as desired, affecting confidentiality, integrity, availability, traceability and non repudiation of your information. Avoid performing actions that could materialize such risks like dealing with p2p software."
___
Malware sites to block 10/4/13
- http://blog.dynamoo.com/2013/04/malw...ock-10413.html
10 April 2013 - "These domains and IPs are associated with the Amerika gang and are related to this spam run*. Blocking them would be prudent.
46.4.150.96/27
46.161.0.235
93.170.130.241 ..."
(Long list at the dynamoo URL above.)
* http://blog.dynamoo.com/2013/04/ican...ware-spam.html
___
Fake credit line SPAM / judianko .ru
- http://blog.dynamoo.com/2013/04/your...s-changed.html
10 April 2013 - "I haven't seen this one before. It leads to malware on judianko.ru:
From: messages-noreply @bounce.linkedin .com [mailto:messages-noreply @bounce.linkedin .com] On Behalf Of LinkedIn
Sent: 10 April 2013 14:24
Subject: Re: Your credit line percent was changed.
We apologize, but we must raise percent of your credit line up to 22,5%. We would be like to make it lower, but the situation on the market today is not so good, because of it we can not handle other way.
Under this link you can view a details about changing of contract
The link goes through a legitimate but hacked site to [donotclick]judianko .ru:8080/forum/links/column.php (report here*) hosted on:
185.5.185.129 (Far-Galaxy Networks, Germany)
188.65.178.27 (Melbourne Server Hosting, UK)
Blocklist:
185.5.185.129
188.65.178.27 ..."
* http://urlquery.net/report.php?id=1915010
... Detected suspicious URL pattern... Blackholev2 redirection successful 188.65.178.27
Screenshot: https://gs1.wac.edgecastcdn.net/8019...9cq1qz4rgp.png
___
Fake BBB SPAM / jamiliean .ru
- http://blog.dynamoo.com/2013/04/bbb-...milieanru.html
10 April 2013 - "This fake BBB spam leads to malware on jamiliean .ru:
From: Habbo Hotel [mailto:auto-contact @habbo .com]
Sent: 10 April 2013 00:17
Subject: Re: Better Business Bureau Complaint
Good afternoon,
Here with the Better Business Bureau would like to inform you that we have received a complaint (ID 24941954)
from a customer of yours in regard to their dealership with you.
Please open the COMPLAINT REPORT attached to this email (Internet Exlporer file)
to view the details on this issue and suggest us about your position as soon as possible.
We hope to hear from you shortly.
Regards,
CHRISTI REAGAN
Dispute Counselor
Better Business Bureau
There is an attachment BBB-Complaint-US39824.htm with a malicious payload is at [donotclick]jamiliean .ru:8080/forum/links/column.php. Associated payload, IPs and domains are the same as this attack* also running today."
* http://blog.dynamoo.com/2013/04/your...s-changed.html
Screenshot: https://gs1.wac.edgecastcdn.net/8019...Jcz1qz4rgp.png
___
Fake Verizon Wireless SPAM / jamtientop .ru
- http://blog.dynamoo.com/2013/04/veri...tientopru.html
10 Apr 2013 - "This fake Verizon Wireless spam leads to malware on jamtientop .ru:
Date: Wed, 10 Apr 2013 01:14:51 +0100 [04/09/13 20:14:51 EDT]
From: DorianBottom @hotmail .com
Subject: Verizon Wireless
IMPORTANT ACCOUNT NOTE FROM VERIZON WIRELESS.
Your acknowledgment message is issued.
Your account No. ending in 1332
Dear Client
For your accommodation, your confirmation letter can be found in the Account Documentation desk of My Verizon.
Please browse your informational message for more details relating to your new transaction.
Open Information Message
In addition, in My Verizon you will find links to information about your device & services that may be helpfull if you looking for answers.
Thank you for joining us. My Verizon is laso works 24 hours 7 days a week to assist you with:
Viewing your utilization
Upgrade your tariff
Manage Account Members
Pay for your bill
And much, much more...
© 2013 Verizon Wireless
Verizon Wireless | One Verizon Way Mail Code: 113WVC | Basking Ridge, MI 87325
We respect your privacy. Please browse our policy for more information
The link goes to a hacked legitimate site to a malicious landing page at [donotclick]jamtientop.ru:8080/forum/links/column.php (report here*) hosted on:
91.191.170.26 (Netdirekt, Turkey)
185.5.185.129 (Far-Galaxy Networks, Germany)
188.65.178.27 (Melbourne Server Hosting, UK)
Blocklist:
91.191.170.26
185.5.185.129
188.65.178.27 ..."
* http://urlquery.net/report.php?id=1919123
... Detected suspicious URL pattern... Blackholev2 redirection 185.5.185.129
Screenshot: https://gs1.wac.edgecastcdn.net/8019...aTS1qz4rgp.png
:mad: :fear:
Fake Changelog, Xanga SPAM ...
FYI...
Fake Changelog SPAM / juliaroberzs .ru
- http://blog.dynamoo.com/2013/04/chan...roberzsru.html
11 Apr 2013 - "This spam leads to malware on juliaroberzs .ru:
Date: Thu, 11 Apr 2013 02:46:13 +0100
From: Mayola Phipps via LinkedIn [member@linkedin.com]
Subject: Re: changelog UPD.
Attachments: changelog.htm
Good morning,
as promised changelog is attached (Internet Explorer format)
The attachment changelog.htm leads to a malicious landing page at [donotclick]juliaroberzs .ru:8080/forum/links/column.php (report here*) hosted on some familiar IPs**:
91.191.170.26 (Netdirekt, Turkey)
185.5.185.129 (Far-Galaxy Networks, Germany)
188.65.178.27 (Melbourne Server Hosting, UK)
Blocklist:
91.191.170.26
185.5.185.129
188.65.178.27 ..."
* http://urlquery.net/report.php?id=1927055
... Detected suspicious URL pattern... Blackhole 2 Landing Page
** http://blog.dynamoo.com/2013/04/veri...tientopru.html
___
Malicious Xanga Spam
- http://threattrack.tumblr.com/post/4...ous-xanga-spam
11 Apr 2013 - "Subjects Seen:
Gracelyn [removed] is your new friend!
Typical e-mail details:
Hey [removed]!
Now that you are friends with Gracelyn, you can:
• Share a memory of Gracelyn
• Post on Gracelyn’s Chatboard
• More…
Have fun!
The Xanga Team
Malicious URLs
degsme .lv/settingss.htm
janasika .ru:8080/forum/links/column.php
Screenshot: https://gs1.wac.edgecastcdn.net/8019...AQw1qz4rgp.png
___
Fake UPS SPAM / juliamanako .ru
- http://blog.dynamoo.com/2013/04/ups-...amanakoru.html
11 Apr 2013 - "This fake UPS spam leads to malware on juliamanako .ru:
Date: Thu, 11 Apr 2013 11:58:33 -0300 [10:58:33 EDT]
From: Aida Tackett via LinkedIn [member@linkedin.com]
Subject: United Postal Service Tracking Nr. H9544862721
Your USPS CUSTOMER SERVICES for big savings! Can't see images? CLICK HERE.
UPS - UPS Customer Services
UPS UPS SUPPORT 56
UPS - UPS MANAGER 67 >> UPS - UPS SUPPORT 501
Already Have an Account?
Enjoy all UPS has to offer by linking your My UPS profile to your account.
Link Your Account Now >>
UPS - UPS Customer Services
Good day, [redacted].
DEAR CONSUMER , We were not able to delivery the postal package
Track your Shipment now!
Pack it. Ship ip. No calculating , UPS .com Customer Services.
Shipping Tracking Calculate Time & Cost Open an Account
@ 2011 United Parcel Service of America, Inc. USPS Customer Services, the UPS brandmark, and the color brown are
trademarks of United Parcel Service of America, Inc. All rights reserved.
This is a marketing e-mail for UPS services. Click here to update your e-mail preferences or to unsubscribe to
USPS .COM marketing e-mail. For information on UPS's privacy practices, please refer to UPS Privacy Policy.
USPS Services, 04 Glenlake Parkway, NE - Atlanta, GA 30324
Attn: Customer Communications Department
The link goes through a legitimate -hacked- site to a malicious landing page at [donotclick]juliamanako .ru:8080/forum/links/column.php hosted on:
91.191.170.26 (Netdirekt, Turkey)
185.5.185.129 (Far-Galaxy Networks, Germany)
188.65.178.27 (Melbourne Server Hosting, UK)
Blocklist:
91.191.170.26
185.5.185.129
188.65.178.27 ..."
___
Malicious QuickBooks Overdue Payment SPAM
- http://threattrack.tumblr.com/post/4...e-payment-spam
April 11, 2013 - "Subjects Seen:
Please respond - overdue payment
Typical e-mail details:
Please find attached your invoices for the past months. Remit the payment by 04/11/2013 as outlines under our “Payment Terms” agreement.
Thank you for your business,
Sincerely,
Rusty Coffey
Screenshot: https://gs1.wac.edgecastcdn.net/8019...i9P1qz4rgp.png
Also: http://security.intuit.com/alert.php?a=79
Last updated 4/11/2013
:mad::fear:
Fake Chase Bank, American Airlines emails lead to malware
FYI...
Fake American Airlines emails lead to malware
- http://blog.webroot.com/2013/04/12/a...ad-to-malware/
April 12, 2013 - "Cybercriminals are currently spamvertising tens of thousands of emails impersonating American Airlines in an attempt to trick its customers into thinking that they’ve received a download link for their E-ticket. Once they download and execute the malicious attachment, their PCs automatically join the botnet operated by the cybercriminal/gang of cybercriminals behind the campaign...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress....ngineering.png
... Detection rate for the malicious executable: MD5: f17ee7f9a0ec3d7577a148ae79955d6a * ... Mal/Weelsof-D..."
(Long list of malware C&C IP's available at the webroot URL above.)
* https://www.virustotal.com/en/file/c...d3ac/analysis/
File name: f17ee7f9a0ec3d7577a148ae79955d6a
Detection ratio: 27/46
Analysis date: 2013-04-11
___
Chase Bank Credentials Phish
- http://threattrack.tumblr.com/post/4...dentials-phish
April 12, 2013 - "Subjects Seen:
Chase Online: Site Maintenance Notification
Typical e-mail details:
Dear Customer:
As part of our commitment to protecting the security of your account, we routinely verify online profile details. We’re writing you to confirm your Chase account details.
Your account security is important to us, so we appreciate your prompt attention to this matter. Attached is a form to help complete this process. Download the form and follow the instructions.
We are here to assist you anytime. Your account security is our priority. Thank you for choosing Chase.
Sincerely,
Jennifer Myhre
Senior Vice President
Chase Consumer Banking
Malicious URLs
myasfalisi .gr/images/sampledata/chase.js
Screenshot: https://gs1.wac.edgecastcdn.net/8019...iGe1qz4rgp.png
___
Malicious Wells Fargo Wire Transfer Spam
- http://threattrack.tumblr.com/post/4...-transfer-spam
April 12, 2013 - "Subjects Seen:
International Wire Transfer File Not Processed
Typical e-mail details:
We are unable to process your International Wire Transfer request due to insufficient funds in the identified account.
Review the information below and contact your Relationship Manager if you have questions, or make immediate arrangements to fund the account. If funds are not received by 04/12/2013 03:00 pm PT, the file may not be processed.
Please view the attached file for more details on this transaction.
Any email address changes specific to the Wire Transfer Service should be directed to Treasury Management Client Services at 1-800-AT-WELLS (1-800-289-3557).
Event Message ID: [removed]
Date/Time Stamp: Fri, 12 Apr 2013 12:44:47 -0500
Malicious URLs
94.32.66.114 /ponyb/gate.php
116.122.158.195 :8080/ponyb/gate.php
embryo-india .com/24gwq.exe
Screenshot: https://gs1.wac.edgecastcdn.net/8019...Qum1qz4rgp.png
:mad::fear:
Malicious PayPal, USPS Spam, BoA phish...
FYI...
Malicious PayPal Receipt Spam
- http://threattrack.tumblr.com/post/4...al-recipt-spam
April 15, 2013 - "Subjects Seen:
Receipt for your PayPal payment to [removed]
Typical e-mail details:
Hello,
You sent a payment of $149.49 USD to [removed] ([removed])
Thanks for using PayPal. To see all the transaction details, log in to your PayPal account.
It may take a few moments for this transaction to appear in your account.
Malicious URLs
matsum .info/wp-content/plugins/akismet/wp-status.php?1HJN2KC56FN7C
lacunanotifies .net/closest/incomming_message.php
Screenshot: https://gs1.wac.edgecastcdn.net/8019...1Ce1qz4rgp.png
___
Malicious USPS Delivery Failure Spam
- http://threattrack.tumblr.com/post/4...y-failure-spam
April 15, 2013 - "Subjects Seen:
USPS delivery failure report
Typical e-mail details:
Notification
Our company’s courier couldn’t make the delivery of package.
REASON: Postal code contains an error.
LOCATION OF YOUR PARCEL: New York
DELIVERY STATUS: sort order
SERVICE: One-day Shipping
NUMBER OF YOUR PARCEL: [removed]
FEATURES: No
Label is enclosed to the letter.
Print a label and show it at your post office.
An additional information:
If the parcel isn’t received within 30 working days our company will have the right to claim compensation from you for it’s keeping in the amount of $8.26 for each day of keeping of it.
You can find the information about the procedure and conditions of parcels keeping in the nearest office.
Thank you for using our services.
USPS Global.
Malicious URLs
116.122.158.195 :8080/ponyb/gate.php
serw.myroitracking .com/24gwq.exe
Screenshot: https://gs1.wac.edgecastcdn.net/8019...Dsw1qz4rgp.png
___
Bank of America Credentials Phish
- http://threattrack.tumblr.com/post/4...dentials-phish
April 15, 2013 - "Subjects Seen:
Please confirm your information
Typical e-mail details:
We have decided to put an extra verification process to ensure your identity and your account security.
Please click here to continue the verification process and ensure your account security.
Malicious URLs
safe.bankofamerica .logon.canadapenfund.ca/ - 216.227.221.247*
Screenshot: https://gs1.wac.edgecastcdn.net/8019...oUs1qz4rgp.png
* http://urlquery.net/report.php?id=2023194
Diagnostic page for AS15244 (ADDD2NET)
- https://www.google.com/safebrowsing/...?site=AS:15244
"Of the 23067 site(s) we tested on this network over the past 90 days, 1138 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2013-04-15, and the last time suspicious content was found was on 2013-04-15... Over the past 90 days, we found 173 site(s) on this network... that appeared to function as intermediaries for the infection of 516 other site(s)... this network has hosted sites that have distributed malicious software in the past 90 days. We found 157 site(s)... that infected 602 other site(s)..."
___
- http://tools.cisco.com/security/cent...utbreak.x?i=77
Fake USPS Delivery Failure Notification E-mail Messages - 2013 Apr 15
Fake Tax Refund Notification E-mail Messages - 2013 Apr 15
Fake Product Quotation Document E-mail Messages - 2013 Apr 15
Fake Product Inquiry With Attached Sample Design E-mail Messages - 2013 Apr 15
Fake Portuguese Account Regularization Notification E-mail Messages - 2013 Apr 15
Fake Wire Transfer Notification E-mail Messages - 2013 Apr 15
Fake Western Union Money Compensation Notification E-mail Messages - 2013 Apr 15
Fake CashPro Online Digital Certificate Notification E-mail Messages - 2013 Apr 15
Fake Italian Malicious Link E-mail Messages - 2013 Apr 15
Fake Tax Return Submission Notification E-mail Messages - 2013 Apr 15
Fake Credentials Reset Notification E-mail - 2013 Apr 15
Fake Purchase Order Notification E-mail Messages - 2013 Apr 15
Fake Bill Notification E-mail Messages - 2013 Apr 15
Fake Document Sharing E-mail Messages - 2013 Apr 15
(Links and more detail at the cisco URL above.)
:mad::fear:
Fake Fiserv, American Airlines, NACHA, ACH Transfer SPAM
FYI...
Fake "Fiserv Secure Email Notification" spam
- http://blog.dynamoo.com/2013/04/fise...tion-spam.html
April 16, 2013 - "This spam has an encrypted ZIP file attached that contains malware. The passwords and filenames will vary.
From: Fiserv Secure Notification [mailto:secure.notificationi@fiservi.com]
Sent: Tue 16/04/2013 14:02
Subject: [WARNING : MESSAGE ENCRYPTED] Fiserv Secure Email Notification - CC3DK9WJW8IG0F5
You have received a secure message
Read your secure message by opening the attachment, Case_CC3DK9WJW8IG0F5.zip.
The attached file contains the encrypted message that you have received.
To decrypt the message use the following password - KsUs3Z921mA
To read the encrypted message, complete the following steps:
- Double-click the encrypted message file attachment to download the file to your computer.
- Select whether to open the file or save it to your hard drive. Opening the file displays the attachment in a new browser window.
- The message is password-protected, enter your password to open it.
To access from a mobile device, forward this message to http://forums.spybot.info/misc.php?d...5maXNlcnYuY29t to receive a mobile login URL.
If you have concerns about the validity of this message, please contact the sender directly. For questions about secure e-mail encryption service, please contact technical support at 888.979.7673.
2000-2013 Fiserv Secure Systems, Inc. All rights reserved.
In the case of the sample I have seen, there is an attachment Case_CC3DK9WJW8IG0F5.zip which unzips using the supplied password to Case_Fiserv_04162013.exe (note the date is encoded into the filename).
At the time of writing, VirusTotal results are just 5/46*. The Comodo CAMAS report is here**, the ThreatExpert report here***... seems to be a Zbot variant.
The bad IPs involved are:
50.116.15.209 (Linode, US)
62.103.27.242 (OTEnet, Greece)
78.139.187.6 (Caucasus Online Ltd, Georgia)
87.106.3.129 (1&1, Germany)
108.94.154.77 (AT&T, US)
117.212.83.248 (BSNL Internet, India)
120.61.212.73 (MTNL, India)
122.165.219.71 (ABTS Tamilnadu, India)
123.237.187.126 (Reliance Communications, India)
176.73.145.22 (Caucasus Online Ltd, Georgia)
186.134.148.36 (Telefonica de Argentina, Argentina)
190.39.197.150 (CANTV Servicios, Venezuela)
195.77.194.130 (Telefonica, Spain)
199.59.157.124 (Kyvon, US)
201.211.224.46 (CANTV Servicios, Venezuela)
212.58.4.13 (Doruknet, Turkey)
Recommended blocklist:
korbi.va-techniker .de
mail.yaklasim .com
phdsurvey .org
vbzmiami .com
user1557864.sites.myregisteredsite .com
50.116.15.209
62.103.27.242
78.139.187.6
87.106.3.129
108.94.154.77
117.212.83.248
120.61.212.73
122.165.219.71
123.237.187.126
176.73.145.22
186.134.148.36
190.39.197.150
195.77.194.130
199.59.157.124
201.211.224.46
212.58.4.13 "
* https://www.virustotal.com/en/file/3...is/1366120267/
File name: Case_Fiserv_04162013.exe
Detection ratio: 5/46
Analysis date: 2013-04-16 13:51:07 UTC
** http://camas.comodo.com/cgi-bin/subm...2e921c5b071764
*** http://www.threatexpert.com/report.a...e7562d7b0564f9
___
Malicious American Airlines Spam Continues
- http://threattrack.tumblr.com/post/4...spam-continues
April 16, 2013 - "Subjects Seen:
Your order has been completed
Order #[removed]
Typical e-mail details:
Customer Notification
Your bought ticket is attached to the letter as a scan document.
To use your ticket you should Download It .
Malicious URLs
caprica-toysncomics .com/components/.a9iifi.php?request=ss00_323
caprica-toysncomics .com/components/.a9iifi.php?ticket=844_220641690
Screenshot: https://gs1.wac.edgecastcdn.net/8019...TUq1qz4rgp.png
___
Malicious NACHA, ACH Transfer Spam
- http://threattrack.tumblr.com/post/4...-trasnfer-spam
April 16, 2013 - "Subjects Seen:
Your ACH transfer
Typical e-mail details:
The ACH process (ID: [removed]), recently requested from your checking account (by you), was rejected by the recepient’s bank.
Screenshot: https://gs1.wac.edgecastcdn.net/8019...xuS1qz4rgp.png
___
Fake Boston Marathon Scams - Update
- https://isc.sans.edu/diary.html?storyid=15617
2013-04-16
:fear: :mad: