DHL phish, Fake voicemail SPAM, 419 SCAM ...
FYI...
DHL phish ...
- http://blog.dynamoo.com/2014/10/dhl-...of-effort.html
7 Oct 2014 - "This DHL-themed phish is trying to harvest email credentials, but instead of just spamming out a link, it spams out a PDF file with the link embedded in it.
Screenshot: https://3.bp.blogspot.com/-J8JkllU3g.../s1600/dhl.png
Look closely at the blurb at the bottom and it confuses DHL with UPS, but who reads that? Attached is a non-malicious PDF file DHL (1).pdf which contains a link to the phishing site.
Screenshot2: https://2.bp.blogspot.com/-smrDiPpKz...s1600/dhl2.png
... a neat trick to use PDF files in this way as a lot of spam filters and anti-phishing tools won't spot it. The link in the PDF goes to 37.61.235.199 /~zantest/doc1/dhlweb0002/webshipping_dhl_com_members_modulekey_displaycountrylist_id5482210003804452/DHL/index .htm where it has a rather less professional looking webpage that is phishing for general email addresses rather than DHL credentials.
Screenshot3: https://4.bp.blogspot.com/-BDpUiMlKa...s1600/dhl3.png
With the grotty graphics and injudicious use of Comic Sans, it's hard to see how this would fool anyone into turning over their credentials.. but presumably they manage to harvest enough usernames and passwords to make it worthwhile."
37.61.235.199: https://www.virustotal.com/en/ip-add...9/information/
___
Fake Outlook voice mail SPAM – wav malware
- http://myonlinesecurity.co.uk/micros...e-wav-malware/
7 Oct 2014 - "'You have received a voice mail' pretending to come from Microsoft Outlook <no-reply@ random domain address > is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
You received a voice mail : VOICE0003589463733.wav
Caller-Id: 3589463733
Message-Id: ZU1I9W
Email-Id: montag @ myonlinesecurity .co .uk
This e-mail contains a voice message.
Download and extract the attachment to listen the message.
Sent by Microsoft Exchange Server
7 October 2014: VOICE3589463733.wav.zip: Extracts to: VOICE000358276655116307.exe
Current Virus total detections: 10/55* . This You have received a voice mail is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper wav ( sound ) file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected...*
* https://www.virustotal.com/en/file/f...is/1412673429/
___
Vishing ...
- https://blog.malwarebytes.org/fraud-...e-vishy-vishy/
Oct 7, 2014 - "Voice phishing – Vishing, for short – has been around for a long time and is all about using the phone and social engineering to grab the information required...
Ref: http://www.edinburghnews.scotsman.co...-000-1-3540027
...
- http://www.telegraph.co.uk/finance/p...-One-Show.html
Vishing can start with an email or a text but the ultimate goal is to get you on the other end of a telephone line. From there, the -scammers- will go about harvesting your data by pretending to be your bank and asking for card... It’s important to remember there are many ways to fall foul of a telephone scam than “just” Vishing, and you can take a look at some more examples in a roundup by the FTC*..."
* http://www.consumer.ftc.gov/articles/0076-phone-scams
___
419 SCAM - Breast Cancer Awareness Donation
- http://myonlinesecurity.co.uk/ongoin...gram-419-scam/
7 Oct 2014 - "This rather evil and nasty 419 scam saying Ongoing Breast Cancer Awareness Donation Program pretends to come from Neil trotter Cancer Foundation <neil–trotter@ [redacted] .com>... The email looks like this with pictures:
Screenshot: http://myonlinesecurity.co.uk/wp-con...on-Program.png
Obviously it is a total -scam- and you should -not- reply to any email received that is like this."
___
Fake inTuit/Apple malicious SPAM
- https://security.intuit.com/alert.php?a=111
Oct 7, 2014 - "People are receiving fake emails with the title 'Your receipt No.557911643385'. These mails are coming from applecenter@ security .intuit .com, which is -not- a legitimate email address (spoofed). Below is a copy of the email people are receiving:
Apple iTunes
October 07, 2014
Billed To:
Order ID: KT85GMQ55L
Receipt Date: 10/07/2014
Order Total: $161.98
Billed To: Store Credit
Item Artist
August: Osage County John Wells
My Man Is a Loser Mike Young
Type Unit Price
Film Rental(HD) $67.99
Film Rental(HD) $93.99
Order Total
$161.98
Issues with this transaction?
If you haven't authorized this transaction, click the link below to get full refund...
2014 Apple Online Support
This is the end of the -fake- email.
Steps to Take Now:
- Do not open the attachment in the email.
- Do not -click- on any -links- in the email..
- Delete the email.
___
Yahoo Sports servers - malicious code
- http://www.theinquirer.net/inquirer/...-security-flaw
Oct 7 2014 - "... there was some kind of security breach on its servers, but took pains to clear up reports which suggested that Shellshock was the reason. Yahoo's chief information security officer, Alex Stamos, took to the net to counter comments that began at Yahoo*..."
* https://news.ycombinator.com/item?id=8418809
Oct 6 2014 - "... I’m the CISO of Yahoo and I wanted to clear up some misconceptions. Earlier today, we reported that we isolated a handful of servers that were detected to have been impacted by a security flaw. After investigating the situation fully, it turns out that the servers were in fact -not- affected by Shellshock. Three of our Sports API servers had malicious code executed on them this weekend by attackers looking for vulnerable Shellshock servers. These attackers had mutated their exploit, likely with the goal of bypassing IDS/IDP or WAF filters. This mutation happened to exactly fit a command injection bug in a monitoring script our Sports team was using at that moment to parse and debug their web logs. Regardless of the cause our course of action remained the same: to isolate the servers at risk and protect our users' data. The affected API servers are used to provide live game streaming data to our Sports front-end and do not store user data. At this time we have found -no- evidence that the attackers compromised any other machines or that any user data was affected. This flaw was specific to a small number of machines and has been -fixed- and we have added this pattern to our CI/CD code scanners to catch future issues... the servers in question had been successfully patched (twice!!) immediately after the Bash issue became public. Once we ensured that the impacted servers were isolated from the network, we conducted a comprehensive trace of the attack code through our entire stack which revealed the root cause: -not- Shellshock... just because exploit code works doesn’t mean it triggered the bug you expected!... Yahoo takes external security reports seriously and we strive to respond immediately to credible tips... our records show no attempt by this researcher to contact us using those means. Within an hour of our CEO being emailed directly we had isolated these systems and begun our investigation..."
___
Adobe - spying on e-book readers
- http://www.theinquirer.net/inquirer/...e-book-readers
Oct 7 2014
- http://arstechnica.com/security/2014...in-plain-text/
Oct 7 2014
- http://the-digital-reader.com/2014/1...ook-libraries/
:mad: :fear:
Fake Business proposal - Phish, Malware-laden SPAM ...
FYI...
Fake Business proposal - Phish ...
- https://blog.malwarebytes.org/fraud-...ness-proposal/
Oct 8, 2014 - "Carter Ham, a retired four-star United States Army general, is supposedly on Linkedin—and he wants you (to read his personal message)... clearly a scheme to phish for information from unwary recipients. Below is a screenshot of the sender’s online profile:
General Carter Ham on Linkedin. Not!:
> https://blog.malwarebytes.org/wp-con...nkedin-gch.png
... As far as the legitimacy of the profile goes, the blurb from the Summary section was copied and pasted from this Wikipedia page*. We don’t know if the former general is indeed on the said social networking site (in case you’re wondering). What we -do- know is that if you receive a message similar to the one above asking for personal information from you in exchange for a slice of the cash s/he wanted to move, it’s best to ignore the message and check with this contact if his/her account has been hacked or not."
* http://en.wikipedia.org/wiki/Carter_Ham
___
Fake Lloyds and NatWest SPAM - malware
- http://blog.dynamoo.com/2014/10/malw...important.html
8 Oct 2014 - "... familiar pattern to this malware-laden spam, but with an updated payload from before:
Lloyds Commercial Bank: "Important - Commercial Documents"
From: Lloyds Commercial Bank [secure@ lloydsbank .com]
Date: 8 October 2014 11:09
Subject: Important - Commercial Documents
Important account documents
Reference: C437
Case number: 66324010
Please review BACs documents.
Click link below, download and open document. (PDF Adobe file) ...
From: NatWest [secure.message@ natwest .com]
Date: 8 October 2014 10:29
Subject: You have a new Secure Message - file-2620
You have received a encrypted message from NatWest Customer Support
In order to view the attachment please open it using your email client ( Microsoft Outlook, Mozilla Thunderbird, Lotus )
Please download your ecnrypted message at ...
(Google Disk Drive is a file hosting service operated by Google, Inc.) ...
The link in the email runs through a script which will attempt to download a ZIP file pdf-to-view_864129_pdf.zip onto the target machine which in turn contains a malicious executable pdf-to-view_864129_pdf.exe which has a VirusTotal detection rate of 6/53*. The Malwr report indicates that the malware phones home to the following locations which are worth -blocking- especially 94.75.233.13 (Leaseweb, Netherlands) which looks like a C&C server."
94.75.233.13 :37400/0810uk1/HOME/0/51-SP3/0/
94.75.233.13 :37400/0810uk1/HOME/1/0/0/
94.75.233.13 :37400/0810uk1/HOME/41/5/1/
cemotrans .com/seo/0810uk1.soa
* https://www.virustotal.com/en/file/3...is/1412773720/
... Behavioural information
DNS requests
cemotrans .com (82.98.157.8)
TCP connections
94.75.233.13: https://www.virustotal.com/en/ip-add...3/information/
82.98.157.8: https://www.virustotal.com/en/ip-add...8/information/
___
Fake photo SPAM – malware
- http://myonlinesecurity.co.uk/photo-8-oct-2014-malware/
8 Oct 2014 - "'photo 8 oct 2014' pretending to come from various @yahoo.co.uk addresses is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email is very plain and terse with the subject of photo 8 oct 2014 and the body simply says:
Sent from my iPhone
8 October 2014: Img-0034.zip: Extracts to: Img-0034.jpeg
Current Virus total detections: 2/54* . Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email. Whether it is a message saying “look at this picture of me I took last night” and it appears to come from a friend or is more targeted at somebody who regularly is likely to receive PDF attachments or Word .doc attachments or any other common file that you use every day..."
* https://www.virustotal.com/en/file/2...is/1412768396/
___
Fake Invoice Balance SPAM - word doc malware
- http://myonlinesecurity.co.uk/invoic...d-doc-malware/
8 Oct 2014 - "'Invoice Balance' pretending to come from various Hotmail .co.uk addresses is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
HELLO,
work-life balance.
Thanks
---
8 October 2014: Invoice_Balance_september_doc.zip: Extracts to: Invoice_Balance_september_doc.exe
Current Virus total detections: 2/53* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper word .doc file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/2...is/1412766448/
___
Australian Taxation Office Refund Spam
- http://threattrack.tumblr.com/post/9...ce-refund-spam
Oct 8, 2014 - "Subjects Seen:
Australian Taxation Office - Refund Notification
Typical e-mail details:
IMPORTANT NOTIFICATION
Australian Taxation Office - 08/10/2014
After the last calculation of your fiscal activity we have determined that you are eligible to receive a refund of 2398.43 AUD.
For more details please follow the steps bellow :
- Right-click the link on the attachment name, and select Save Link As, Save Target As or a similar option provided.
- Select the location into which you want to download the file and choose Save.
- Unzip the attached file.
Ingrid Warren,
Tax Refund Department
Australian Taxation Office
Malicious File Name and MD5:
ATO_TAX_419771083.zip (EBE4991F3C1C4B00E3E8662577139F3E)
ATO_TAX_419771083.pdf.scr (A89CD5ACAB413D308A565B21B481A2F8)
Tagged: australian taxation office, Upatre, ATO
:fear: :mad:
Fake fax, 'Secure msg' SPAM
FYI...
Fake fax, 'Secure msg' SPAM - malware
- http://blog.dynamoo.com/2014/10/malw...w-fax-you.html
10 Oct 2014 - "A pair of malware spams this morning, both with the same payload:
"You've received a new fax"
From: Fax [fax@ victimdomain .com]
Date: 10 October 2014 11:34
Subject: You've received a new fax
New fax at SCAN7097324 from EPSON by https ://victimdomain .com
Scan date: Fri, 10 Oct 2014 18:34:56 +0800
Number of pages: 2
Resolution: 400x400 DPI
You can secure download your fax message at ...
(Google Disk Drive is a file hosting service operated by Google, Inc.)
"You have received a new secure message from BankLine"
From: Bankline [secure.message@ bankline .com]
Date: 10 October 2014 10:29
Subject: You have received a new secure message from BankLine
You have received a secure message.
Read your secure message by following the link ...
You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it...
The malware downloads a file document_73128_91898_pdf.zip from the target site that contains a malicious executable document_73128_91898_pdf.exe which has a VirusTotal detection rate of 4/54*. According to the ThreatExpert report... the malware communicates with the following URLs which are probably worth -blocking- or monitoring"
94.75.233.13 /1010uk1/NODE01/41/5/1/
94.75.233.13 /private/sandbox_status.php
94.75.233.13 /1010uk1/NODE01/0/51-SP3/0/
94.75.233.13 /1010uk1/NODE01/1/0/0/
beanztech .com/beanz/1010uk1.rtf
* https://www.virustotal.com/en/file/5...is/1412937674/
94.75.233.13: https://www.virustotal.com/en/ip-add...3/information/
___
Gameover Zeus... at Vogue .com
- http://www.threattracksecurity.com/i...zes-vogue-com/
Oct 10, 2014 - "Our researchers this week spotted a Gameover Zeus sample receiving commands to download Zemot from hxxp ://media .vogue[dot]com/voguepedia/extensions/dimage/cache/1zX67.exe
... Others have spotted Gameover Zeus reaching out to a compromised vogue.com domain to download Zemot – a family of Trojan downloaders – which according to Microsoft is usually distributed via the Kuluoz botnet*. Behavior worth noting in this Gameover Zeus sample upon execution is that it crawled a list of DGA domains... this Gameover Zeus sample seems to be an updated variant targeting -financial- processes we’ve not yet seen in previous reports... According to URLquery.net**, there were several malicious files being served on the Vogue domain, which have been removed. 1zX67.exe was an active threat as late as yesterday evening..."
* http://blogs.technet.com/b/mmpc/arch...014-zemot.aspx
** http://www.urlquery.net/report.php?id=1412718766058
___
Mobile ads use malware tricks to get installs
- https://blog.malwarebytes.org/mobile...-get-installs/
Oct 10, 2014 - "Deceptive advertising targeting Android users is an effective way of getting malware installed. Now some advertisers are using it to get paid through pay-per-install schemes... we’ve been seeing more and more of this, but this time advertisers are using these banner and pop-up ads to get installs of more trustworthy apps like Dolphin browser. The messages are less scary than the virus related ones, but they are still meant to get your attention. It seems a bit backwards but it’s all about making money, ad developers are just as greedy as malware authors–just not as malicious. Anytime during your mobile browsing experience, if you encounter one of these pop-ups or similar just ignore and it’d probably be best to -leave- the site displaying them:
> https://blog.malwarebytes.org/wp-con...ds06.jpg?w=564
...
> https://blog.malwarebytes.org/wp-con...ds05.jpg?w=564
Don’t fall for these messages, Android won’t use web pop-ups to inform you of updates, they’ll be handled through a system notification and apps will update via Google Play Services. Using a tool like Adblock Plus which will filter URL traffic can help prevent most of these ads. Adblock Plus is a third-party app, will require a bit of configuration* and only blocks WiFi traffic.
* https://adblockplus.org/en/android-config
...
> https://blog.malwarebytes.org/wp-con...0/and_ad11.jpg
On iOS you won’t see the warning pop-ups, instead you’ll immediately be -redirected- to the peddled apps App Store page. If, by chance, you’re interested in installing one of these apps go -directly- to your trusted source for apps. By following the redirect you might be going down another rabbit hole and end up getting -malware- instead of the original."
___
October 2014 Web Server Survey
- http://news.netcraft.com/archives/20...er-survey.html
10 Oct 2014 - "In the October 2014 survey we received responses from 1,028,932,208 sites, which is nearly six million more than last month. Microsoft lost the lead to Apache this month, as the two giants continue to battle closely for the largest share of all websites. Apache gained nearly 30 million sites, while Microsoft lost 22 million, causing Apache to be thrust back into the lead by more than 36 million sites. In total, 385 million sites are now powered by Apache, giving it a 37.45% share of the market. A significant contributor to this change was the expiry of domains previously used for link farming on Microsoft IIS servers. The domains used by these link farms were acquired and the sites are now hosted on Apache servers..."
(Charts available at the URL above.)
:fear: :mad:
Fake DOC attachment SPAM - malware
FYI...
Fake DOC attachment SPAM - malware
- http://blog.dynamoo.com/2014/10/to-v...ease-open.html
14 Oct 2014 - "This spam comes with a malicious DOC attachment:
From: Anna [ºžô õö?ǯ#-øß {qYrÝsØ l½:ž±þ EiÉ91¤É¤y$e| p‹äŒís' ÀQtÃ#7 þ–¿åoù[þ–¿åoù[þ–¿åoù[þ–¿åÿ7 å{˜x|%S;ÖUñpbSË‘ý§B§i…¾«¿¨` Òf ¶ò [no-reply@ bostonqatar .net]
Date: 14 October 2014 11:09
Subject: Your document
To view your document, please open attachment.
The "From" field in the samples I have seen seems to be a random collection of characters. The DOC attachment is also randomly named in the format document_9639245.doc. This word document contains a malicious macro [pastebin] which downloads an additional component from pro-pose-photography .co.uk/fair/1.exe. The DOC file has a VirusTotal detection rate of 0/55* and the EXE file is just 2/54** ... UPDATE: among other things the malware drops the executable pefe.exe with a detection rate of 3/55***..."
* https://www.virustotal.com/en-gb/fil...is/1413281775/
** https://www.virustotal.com/en-gb/fil...is/1413283670/
*** https://www.virustotal.com/en-gb/fil...is/1413287366/
- http://myonlinesecurity.co.uk/docume...d-doc-malware/
14 Oct 2014 - "... The email is very plain, simple and terse and just says:
To view your document, please open attachment.
14 October 2014: document_1720781.doc Current Virus total detections: 0/55* ..."
* https://www.virustotal.com/en/file/3...is/1413281933/
___
Fake Sales Order SPAM - word doc malware
- http://myonlinesecurity.co.uk/sales-...d-doc-malware/
14 Oct 2014 - "'Sales Order Number SON1410-000183' pretending to come from mail@ firwood .co.uk is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
<html>
<body bgcolor=”#FFFFFF”>
<table width=”750″ border=”0″>
<tr>
<td>
<font face=”verdana” size=”2″></font>
<br><br>
<font face=”verdana” size=”2″>Please find the attached document a summary
of which is below:</font>
</td>
</tr>
</table>
<table width=”750″ border=”0″> ...
</table>
<font face=”verdana” size=”2″>Regards </br></br><B>Firwood Paints Ltd
</B></br>Oakenbottom Road </br>Bolton BL2 6DP England </br></br>Tel +44
(0)1204 525231 </br>Fax +44 (0)1204 362522 </br>e mail mail@ firwood .co.uk
</br></font>
</body>
</html>
Automated mail message produced by DbMail.
Registered to X3 – Sage North America, License EDM2013051.
This message has been scanned for viruses by BlackSpider MailControl ...
14 October 2014: Extracts to: SON141000-000183.pdf.exe
Current Virus total detections: 13/54* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper word .doc file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/1...is/1413274440/
___
YouTube Ads lead to Exploit Kits ...
- http://blog.trendmicro.com/trendlabs...it-us-victims/
Oct 14, 2014 - "Malicious ads are a common method of sending users to sites that contain malicious code. Recently, however, these ads have showed up on a new attack platform: YouTube. Over the past few months, we have been monitoring a malicious campaign that used malicious ads to direct users to various malicious sites. Users in the United States have been affected almost exclusively, with more than 113,000 victims in the United States alone over a 30-day period.
Countries affected by this malicious ad campaign:
> http://blog.trendmicro.com/trendlabs...4/10/malad.jpg
Recently, we saw that this campaign was showing up in ads via YouTube as well. This was a worrying development: not only were malicious ads showing up on YouTube, they were on videos with more than 11 million views – in particular, a music video uploaded by a high-profile record label. The ads we’ve observed do not -directly- lead to malicious sites from YouTube. Instead, the traffic passes through two advertising sites, suggesting that the cybercriminals behind this campaign bought their traffic from legitimate ad providers. In order to make their activity look legitimate, the attackers used the -modified- DNS information of a Polish government site. The attackers did not compromise the actual site; instead they were able to change the DNS information by adding subdomains that lead to their own servers. (How they were able to do this is unclear.) The traffic passes through two -redirection- servers (located in the Netherlands) before ending up at the malicious server, located in the United States. The exploit kit used in this attack was the Sweet Orange exploit kit. Sweet Orange is known for using four vulnerabilities, namely:
CVE-2013-2460 – Java
CVE-2013-2551 – Internet Explorer
CVE-2014-0515 - Flash
CVE-2014-0322 – Internet Explorer
Based on our analyses of the campaign, we were able to identify that this version of Sweet Orange uses vulnerabilities in Internet Explorer. The URL of the actual payload constantly changes, but they all use subdomains on the same Polish site mentioned earlier. However, the behavior of these payloads are identical. The final payloads of this attack are variants of the KOVTER malware family, which are detected as TROJ_KOVTER.SM. This particular family is known for its use in various ransomware attacks, although they lack the encryption of more sophisticated attacks like Cryptolocker. The websites that TROJ_KOVTER.SM accesses in order to display the fake warning messages are no longer accessible. Users who keep their systems up to date will not affected by this attack, as Microsoft released a patch for this particular vulnerability in May 2013. We recommend that read and apply the software security advisories by vendors like Microsoft, Java, and Adobe, as old vulnerabilities are still being exploited by attackers. Applying the necessary patches is essential part of keeping systems secure..."
:mad: :fear::fear:
Fake delivery SPAM, Fake 'Shipping Info' SPAM ...
FYI...
Fake delivery SPAM - word doc malware ...
- http://myonlinesecurity.co.uk/inform...d-doc-malware/
15 Oct 2014 - "An email pretending that you have purchased an unspecified item from an unspecified store saying 'This is to inform you that the package is on its way to you' coming from random email addresses is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
Thank you for buying at our store!
Date ordered: October 14 2014
This is to inform you that the package is on its way to you. We also included delivery file to your shipping address.
Payment Nr : 7795816097 Order total : 527.54 USD Delivery date : 10/ 22th 2014.
Please review the attached document.
15 October 2014: 0048898757_order _doc.zip: Extracts to: 0048898757_order _doc.exe
Current Virus total detections: 7/54* . This 'This is to inform you that the package is on its way to you' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper word doc file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/8...is/1413361301/
___
Fake 'Shipping Info' SPAM
- http://blog.dynamoo.com/2014/10/ship...spam-uses.html
15 Oct 2014 - "This fake shipping spam contains malware.. although it appears that it may be buggy and might not install properly.
Screenshot: https://3.bp.blogspot.com/-l3nlpqmPS...pping-info.png
The link in the email goes to https ://www.google .com/url?q=https%3A%2F%2Fcopy.com%2FEl9fd4VfLkfN%2FTrackShipment_0351.PDF.scr%3Fdownload%3D1&sa=D&sntz=1&usg=AFQjCNE0-3UrX7jNPzSGYodsQVzmBhrwMA which bounces through Google and then downloads a malicious executable TrackShipment_0351.PDF.scr which has a VirusTotal detection rate of 4/54*... What I think is meant to happen is that a malicious script that has been disguising itself as a GIF file which then renames a component Gl.png to Gl.exe and then attempts to execute it... This executable has a VirusTotal detection rate of 2/53**. It bombs out of automated analysis tools... possibly because it is being executed with the wrong parameters. It also opens a seemingly legitimate PDF file (VT 0/54***) which is designed to look like a Commercial Invoice, presumably to mask the fact that it is doing something malicious in the background.
> https://4.bp.blogspot.com/-86SXLSZk3...al-invoice.png
If you opened a file similar to this and you saw a PDF with a blank Commercial Invoice like the one pictured above, then you've probably been -infected- by the executable running in the background."
* https://www.virustotal.com/en-gb/fil...is/1413383394/
** https://www.virustotal.com/en-gb/fil...is/1413384221/
*** https://www.virustotal.com/en-gb/fil...is/1413384174/
___
Fake Paypal SPAM – PDF malware
- http://myonlinesecurity.co.uk/paypal...e-pdf-malware/
15 Oct 2014 - "'Transaction not complete' pretending to come from PayPal is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
Unable to complete your most recent Transaction.
Currently your transaction has a pending status.
If the transaction was made by mistake please contact our customer service.
For more details please see attached payment receipt .
15 October 2014: Transaction25765048.zip: Extracts to: Transaction_21633987.scr
Current Virus total detections: 7/54* . This 'Transaction not complete' pretending to come from PayPal is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/4...is/1413387437/
:fear: :mad:
Fake Bank SPAM, Fake Invoice SPAM, .SU malware sites ...
FYI...
Fake Bank SPAM
- http://blog.dynamoo.com/2014/10/barc...-complete.html
16 Oct 2016 - "This fake Barclays spam leads to malware.
From: Barclays Bank [Barclays@email .barclays .co.uk]
Date: 16 October 2014 12:48
Subject: Transaction not complete
Unable to complete your most recent Transaction.
Currently your transaction has a pending status. If the transaction was made by mistake please contact our customer service.
For more details please download payment receipt below...
Clicking on the link downloads a file document23_pdf.zip containing a malicious executable document23_pdf.scr which has a VirusTotal detection rate of 4/54*. The Malwr report shows that it reaches out to the following URLs:
http ://188.165.214.6 :12302/1610uk1/HOME/0/51-SP3/0/
http ://188.165.214.6 :12302/1610uk1/HOME/1/0/0/
http ://188.165.214.6 :12302/1610uk1/HOME/41/5/1/
http ://jwoffroad .co.uk/img/t/1610uk1.osa
In my opinion 188.165.214.6 (OVH, France) is an excellent candidate to -block- or monitor. It also drops two executables, bxqyy.exe (VT 5/54** ...) and ldplh.exe (VT 1/51*** ...)."
* https://www.virustotal.com/en/file/6...is/1413462043/
... Behavioural information
DNS requests
jwoffroad .co.uk (88.208.252.216)
TCP connections
188.165.214.6: https://www.virustotal.com/en/ip-add...6/information/
88.208.252.216: https://www.virustotal.com/en/ip-add...6/information/
** https://www.virustotal.com/en/file/8...is/1413462507/
*** https://www.virustotal.com/en/file/7...is/1413462517/
___
Many .su and .ru domains leading to malware
- http://blog.dynamoo.com/2014/10/a-bu...eading-to.html
16 Oct 2016 - "These sites lead to some sort of malware. The presence of .SU domains hosted on what looks like a botnet is probably all you need to know.... recommend watching out for these..."
(Long list at the dynamoo URL above.)
- https://www.abuse.ch/?p=3581
- http://blog.dynamoo.com/2013/03/zbot...-to-block.html
"The obsolete .su (Soviet Union) domain is usually a tell-tale sign..."
___
Fake Invoice SPAM
- http://myonlinesecurity.co.uk/re-inv...e-pdf-malware/
16 Oct 2016 - "'RE: Invoice #4023390' pretending to come from Sage Accounting < Alfonso.Williamson@ sage-mail .com >is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
Please see attached copy of the original invoice.
16 October 2014: Invoice_4017618.zip: Extracts to: Invoice_4017618.exe
Current Virus total detections: 5/54* . This RE: Invoice #4023390 is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/e...is/1413490281/
... Behavioural information
DNS requests
lewis-teck .co.uk (5.77.44.47)
TCP connections
188.165.214.6: https://www.virustotal.com/en/ip-add...6/information/
5.77.44.47: https://www.virustotal.com/en/ip-add...7/information/
:fear::fear: :mad:
Fake Sage Invoice SPAM, Ebola phish ...
FYI...
Fake Sage Invoice SPAM - malware
- http://blog.dynamoo.com/2014/10/sage...m-spreads.html
17 Oct 2014 - "This -fake- Sage email spreads malware using a service called Cubby, whatever that is.
Screenshot: https://2.bp.blogspot.com/-UFvbcQMZe...1600/sage3.png
Despite appearances, the link in the email (in this case) actually goes to https ://www.cubbyusercontent .com/pl/Invoice_032414.zip/_8deb77d3530f43be8a3166544b8fee9d and it downloads a file Invoice_032414.zip. This in turn contains a malicious executable Invoice_032414.exe which has a VirusTotal detection rate of 3/53*. The Malwr report shows HTTP conversations with the following URLs:
http :// 188.165.214.6 :15600/1710uk3/HOME/0/51-SP3/0/
http :// 188.165.214.6 :15600/1710uk3/HOME/1/0/0/
http :// 188.165.214.6 :15600/1710uk3/HOME/41/5/1/
http :// tonysenior .co.uk/images/IR/1710uk3.osa
188.165.214.6 is (not surprisingly) allocated to OVH France. In turn, it drops an executable bcwyw.exe (VT 6/54**...) which communicates with 66.102.253.25 (a China Telecom address located in the US in a Rackspace IP range) and also moxbk.exe (VT 1/52***...).
Recommended blocklist:
188.165.214.6
66.102.253.25
tonysenior .co.uk "
* https://www.virustotal.com/en-gb/fil...is/1413539374/
... Behavioural information
DNS requests
tonysenior .co.uk (66.7.214.212)
TCP connections
188.165.214.6: https://www.virustotal.com/en-gb/ip-...6/information/
66.7.214.212: https://www.virustotal.com/en-gb/ip-...2/information/
** https://www.virustotal.com/en-gb/fil...is/1413540238/
*** https://www.virustotal.com/en-gb/fil...is/1413540261/
___
Fake 'SalesForce Security Update' SPAM – malware
- http://myonlinesecurity.co.uk/octobe...pdate-malware/
17 Oct 2014 - "'October 17, 2014 SalesForce Security Update' pretending to come from SalesForce .com <no-reply@ salesforce .com> is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The malware inside this zip file is at this time -undetected- by any antivirus on Virus Total* and to make it much worse the Virus Total engine tries to tell you that the file is Probably harmless! There are strong indicators suggesting that this file is safe to use. This is an even bigger problem than it normally would be because of the recent Poodle bug and servers consequently changing their encryption routines to remove the vulnerable SSLv3 version from being used. It is eminently believable that you might need to change the SSL certificate on your browser to comply with the new behaviour if you are not a security or network IT specialist. This is obviously -wrong- and this type of malware that disguises itself as a legitimate file and can apparently conceal the malicious functions from an antivirus scan and make it believe it is innocent is very worrying. The MALWR analysis doesn’t show -anything- wrong and doesn’t show any network connections or other files downloaded. Anubis also comes up with a -nothing- on this one... a couple of manual analysis done by Virus total** users who find it -is- malicious... drops this file which -is- detected... Our friends at TechHelpList(1) have done an analysis on this one which clearly shows its bad behaviour and what it connects to and downloads...
* https://www.virustotal.com/en/file/9...is/1413556548/
** https://www.virustotal.com/en/file/9...c241/analysis/
1) https://techhelplist.com/index.php/s...y-update-virus
The email looks like:
Dear client,
You are receiving this notification because your Salesforce SSL certificate has expired.
In order to continue using Salesforce.com, you are required to update your digital certificate.
Download the attached certificate. Update will be automatically installed by double click.
According to our Terms and Conditions, failing to renew the SSL certificate will result in account suspension or cancelation... Thank you for using Salesforce .com
17 October 2014: cert_update.zip: Extracts to: cert_update.scr
Current Virus total detections: 0/52* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like an icon of a white & red circular arrow instead of the .scr ( executable) file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/9...is/1413556548/
___
Fake eFax SPAM
- http://blog.dynamoo.com/2014/10/efax...0204-spam.html
17 Oct 2014 - "This fake eFax spam leads to malware:
From: eFax [message@ inbound .claranet .co.uk]
Date: 17 October 2014 11:36
Subject: eFax message from "02086160204" - 1 page(s), Caller-ID: 208-616-0204
Fax Message [Caller-ID: 208-616-0204]
You have received a 1 page fax at 2014-10-17 09:34:48 GMT.
* The reference number for this fax is lon2_did11-4056638710-9363579926-02.
Please visit... to view this message in full...
The link in the email goes to some random hacked WordPress site or other with a URL with a format similar to the following:
http ://tadarok .com/wp-content/themes/deadline/mess.html
http ://107.170.219.47 /wp-content/themes/inove/mess.html
http ://dollfacebeauty .com.au/wp-content/themes/landscape/mess.html
Then (if your user agent and referrer are correct) it goes to a -fake- eFax page at http ://206.253.165.76 :8080/ord/ef.html which does look pretty convincing. (Incidentally if the UA or referrer are not right you seem to get dumped on a pills site of naturaldietpills4u .com).
Screenshot: https://1.bp.blogspot.com/-IzglVG8I_...1600/efax2.png
The download link goes to http ://206.253.165.76: 8080/ord/FAX_20141008_1412786088_26.zip which is a ZIP file containing a malicious executable FAX_20141008_1412786088_26.exe which has a VirusTotal detection rate of 4/54*... Recommended blocklist:
107.170.19.156
212.59.117.207
206.253.165.76 "
* https://www.virustotal.com/en-gb/fil...is/1413545028/
___
Fake Virgin Media SPAM - phish/malware
- http://myonlinesecurity.co.uk/help-a...media-malware/
17 Oct 2014 - "An email with a subject of 'Help & Advice – Virgin Media' pretending to come from Virgin Media is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
Virgin Media Automated Billing Reminder
Date 17th October 2014
This e-mail has been sent you by Virgin Media to inform you that we were unable to process your most recent payment of bill. This might be due to one of the following reasons:
A recent change in your personal information such as Name or address.
Your Credit or Debit card has expired.
Insufficient funds in your account.
Cancellation of Direct Debit agreement.
Your Card issuer did not authorize this transaction.
To avoid Service interruption you will need to update your billing profile, failure to update your profile may lead in service cancellation and termination.
Please click on the link below to login to e-Billing. You will need to login using your primary E-mail address...
Be very careful with email attachments. -All- of these emails use Social engineering tricks to persuade you to open the attachments or follow the links... -Never- just blindly click on the file in your email program. Always save the file to your downloads folder, so you can check it first. Most ( if not all) malicious files that are attached to emails will have a -faked- extension..."
___
More Free Facebook Hacks ...
- https://blog.malwarebytes.org/fraud-...urface-online/
Oct 16, 2014 - "... more sites claiming to offer hacking services that target Facebook users. The sites are:
fbwand(dot)com
> https://blog.malwarebytes.org/wp-con.../10/fbwand.png
hackfbaccountlive(dot)com
> https://blog.malwarebytes.org/wp-con...ccountlive.png
One starts off by entering the profile URL of the Facebook user account (the target) he/she wants to hack. The site then makes him/her believe that an -actual- hacking is ongoing, firstly, by retrieving and displaying specific information from Facebook’s Graph Search*, such as user ID, user name, and a large version of the profile photo, to the page; and, secondly, by providing the attacker the progress of completion of each hacking attempt. Below are screenshots of these attempts, beginning with purportedly fetching the target’s email ID:
> https://blog.malwarebytes.org/wp-con...rify.png?w=564
After a successful “hack”, the site informs the attacker that they have created an account for them on the website, complete with a generated user name and password, and that they have to log in to their accounts to retrieve the target’s Facebook account details. Just when it seems too easy, the attacker sees this upon logging in:
> https://blog.malwarebytes.org/wp-con...kers-panel.png
He/She is instructed to unlock the details in two ways. One is to share a generated referral link to their social networks (particularly Facebook and/or Twitter) in order to get 15 visitors to click it... Although it’s true that no website is perfectly secure one must not attempt to hack into them nor break into someone else’s online profile. These are illegal acts. Sites marketing themselves as free, user-friendly hacking-as-a-service (HaaS) tool, such as those I mentioned here, generally takes advantage of user distrust against someone and profits on it, promising big but deliver nothing in the end. Avoid them at all cost."
* https://www.facebook.com/about/graphsearch
___
Ebola Phishing Scams and Malware Campaigns
- https://www.us-cert.gov/ncas/current...ware-Campaigns
Oct 16, 2014 - "... protect against email scams and cyber campaigns using the Ebola virus disease (EVD) as a theme. Phishing emails may contain links that direct users to websites which collect personal information such as login credentials, or contain malicious attachments that can infect a system. Users are encouraged to use caution when encountering these types of email messages and take the following preventative measures to protect themselves:
- Do not follow unsolicited web links or attachments in email messages.
- Maintain up-to-date antivirus software..."
___
CUTWAIL Spambot Leads to UPATRE-DYRE Infection
- http://blog.trendmicro.com/trendlabs...yre-infection/
Oct 16, 2014 - "... new spam attack disguised as invoice message notifications was recently seen spreading the UPATRE malware, that ultimately downloads its final payload- a BANKER malware related to the DYREZA/DYRE banking malware... In early October we observed a surge of spammed messages sent by the botnet CUTWAIL/PUSHDO, totaling to more than 18,000 messages seen in a single day. CUTWAIL/PUSHDO has been in the wild since as early as 2007 and was considered one of the biggest spam botnets in 2009. We spotted some spammed emails that disguise itself as invoice message notifications or “new alert messages” from various companies and institutions.
Screenshot of spammed messages related to CUTWAIL/PUSHDO:
> http://blog.trendmicro.com/trendlabs...il_samples.jpg
Top spam sending countries for this CUTWAIL spam run:
> http://blog.trendmicro.com/trendlabs...untries-01.jpg
... Based on our 1H 2014 spam report, UPATRE is the top malware seen in spam emails. With its continuously developing techniques, UPATRE remains as one of most prevalent malware today. Examples of newer UPATRE techniques are its ability to use password-protected archives as attachments, and abuse of online file storage platform, Dropbox in order to bypass spam filters.
Top malware distributed via spam as of August 2014:
> http://blog.trendmicro.com/trendlabs...ambot_fig1.jpg
... in this attack, this UPATRE variant, TROJ_UPATRE.YYJS downloads the final payload, TSPY_BANKER.COR, which is related to DYREZA/DYRE banking malware. The DYREZA malware is a banking malware with the following capabilities:
- Performs man-in-the-middle attacks via browser injections
- Steals banking credentials and monitors online banking session/transactions
- Steals browser snapshots and other information
Based on our analysis, TSPY_BANKER.COR connects to several websites to receive and send information. Given this series of malware infections, affected systems also run the risk of having their sensitive data stolen (such as banking credentials data) in order to be used for other future attacks. Apart from the risk of stolen information, this spam attack also highlights the risk of traditional threats (like spam) being used as a vehicle for -other- advanced malware to infect systems. This may consequently even lead to infiltrating an entire enterprise network... We highly recommend that users take extra caution when dealing with emails that contain attachments and URLs in the email body. Ensure that the domains are legitimate and take note of the company name indicated in the email. Another tip is to steer clear of suspicious-looking archive files attached to emails, such as those ending in .ZIP, or .RAR. UPATRE is also known to use email templates through DocuSign with emails that come in the form of -bank- notifications, -court- notices, and -receipts- ..."
___
WhatsApp Spam
- http://threattrack.tumblr.com/post/1.../whatsapp-spam
Oct 16, 2014 - "Subjects Seen:
Voice Message Notification
Typical e-mail details:
You have a new voicemail!
Details:
Time of Call: Oct-13 2014 06:02:04
Lenth of Call: 07sec
Malicious URLs:
p30medical .com/dirs.php?rec=LLGIAmEUFLipINmiPz4S0g
Malicious File Name and MD5:
VoiceMail.zip (713A7D2A9930B786FE31A603CD06B196)
VoiceMail.exe (2B7E9FC5A65FE6927A84A35B5FEAC062)
Screenshot: https://gs1.wac.edgecastcdn.net/8019...YyI1r6pupn.png
Tagged: Whatsapp, Kuluoz
:fear::fear: :mad: