Fake New fax, Fake Evernote SPAM ...
FYI...
Fake "New fax" SPAM - using goo .gl shortening service
- http://blog.dynamoo.com/2014/07/new-...hortening.html
31 July 2014 - "Here are a couple of variations of a fax -spam- using the goo .gl shortening service:
From: Fax [fax@ victimdomain]
Date: 31 July 2014 11:23
Subject: You've received a new fax
New fax at SCAN5735232 from EPSON by https ://victimdomain
Scan date: Thu, 31 Jul 2014 19:23:11 +0900
Number of pages: 2
Resolution: 400x400 DPI
You can download your fax message at:
https ://goo.gl /1rBYjl
(Google Disk Drive is a file hosting service operated by Google, Inc.)
------------------------------
From: FAX [fax@ qcom .co.uk]
Reply-to: FAX [fax@ qcom .co.uk]
fax@ localhost
Date: 31 July 2014 10:53
Subject: You have received a new fax message
You have received fax from EPS76185555 at victimdomain
Scan date: Thu, 31 Jul 2014 16:53:10 +0700
Number of page(s): 2
Resolution: 400x400 DPI
Download file at google disk drive service - dropbox.
https ://goo .gl/t8jteI ...
There seems to be an uptick of goo.gl spam.. if you receive something like this you can report it to goo.gl/spam-report as malware... I've seen three different URLs... Obviously, this is a ZIP file. It contains a malicious executable Document-95722.scr which has a VirusTotal detection rate of just 1/54*. The CAMAS report** shows that the malware reaches out to the following locations to download further components:
andribus .com/images/images.rar
owenscrandall .com/images/images.rar
Incidentally, if you add a "+" to the end of the goo.gl URL you can see how many people have clicked through. For example:
> https://1.bp.blogspot.com/-XGnNezE_8...600/goo-gl.png
164 clicks isn't a lot, but there are multiple URLs in use.
Recommended blocklist:
andribus .com
owenscrandall .com
esys-comm .ro
autoescuelajoaquin .com
pinkfeatherproductions .com "
* https://www.virustotal.com/en-gb/fil...is/1406804074/
** http://camas.comodo.com/cgi-bin/subm...61c27883e995cc
___
Fake Evernote "File has been sent" SPAM
- http://blog.dynamoo.com/2014/07/ever...sent-spam.html
31 July 2014 - "I've never understood Evernote. Something to do with elephants I think. But this spam isn't from them anyway..
Date: Thu, 31 Jul 2014 12:26:53 +0200 [06:26:53 EDT]
From: EVERNOTE [lcresknpwz@ business .telecomitalia .it]
Subject: File has been sent [redacted]
DSC_9426679.jpg attached to the letter
Copyright 2014 Evernote Corporation. All rights reserved
The file attached is actually DSC_9426679.zip and not .jpg, containing a malicious executable DSC_8832966.exe with a VirusTotal detection rate of 7/53*. The CAMAS report** shows that the malware attempts to download an additional component... These download locations are the same as yesterday's Amazon spam run***. The downloaded file has a VT detection rate of 3/53****. The recommended blocklist is the same as yesterday."
* https://www.virustotal.com/en-gb/fil...is/1406813029/
** http://camas.comodo.com/cgi-bin/subm...fb5316d1a785dd
*** http://blog.dynamoo.com/2014/07/amaz...r-spam_30.html
**** https://www.virustotal.com/en-gb/fil...is/1406813571/
___
ADP Payroll Spam
- http://threattrack.tumblr.com/post/9...p-payroll-spam
July 31, 2014 - "Subjects Seen:
ACH Notification
Typical e-mail details:
Attached is a summary of Origination activity for 07/31/2014
Download it from Google Disk Drive Inc.:
goo .gl/mp4Vh3
If you need assistance please contact us via e-mail during regular business hours.
Thank you for your cooperation.
Malicious URLs:
espressomachinesinfo .com/wp-includes/images/Document-83265.zip
Malicious File Name and MD5:
Document-83265.scr (3603D5B08D83130414B264FAF3EE41E1)
Screenshot: https://gs1.wac.edgecastcdn.net/8019...PvX1r6pupn.png
Tagged: ADP, Upatre
72.29.66.41: https://www.virustotal.com/en-gb/ip-...1/information/
___
Fake Xerox WorkCentre SPAM
- http://blog.dynamoo.com/2014/07/scan...ntre-spam.html
31 July 2014 - "This is a thoroughly old school spam with a malicious attachment.
Date: Thu, 31 Jul 2014 18:16:08 +0000 [14:16:08 EDT]
From: Local Scan [scan.614@ victimdomain]
Subject: Scanned Image from a Xerox WorkCentre
You have a received a new image from Xerox WorkCentre.
Sent by: victimdomain
Number of Images: 5
Attachment File Type: ZIP [PDF]
WorkCentre Pro Location: Machine location not set
Device Name: victimdomain
Attached file is scanned image in PDF format...
Guess what.. it isn't an image at all, but a ZIP file with the unusual name of Image_[_var=partorderb].zip which contains a malicious executable Image_07312014.scr, scoring a measly 1/54* at VirusTotal. The Comodo CAMAS report** shows that the malware downloads components... There are some further clues in the VirusTotal comments* as to what the malware does. Sophos has also seen the 94.23.247.202 (OVH, France) IP before***.
Recommended blocklist:
94.23.247.202
globe-runners .com
lucantaru .it
mediamaster-2000 .de
ig-engenharia .com
upscalebeauty .com
lagrimas.tuars .com "
* https://www.virustotal.com/en-gb/fil...is/1406832159/
** http://camas.comodo.com/cgi-bin/subm...dc468affa02a7a
*** http://www.sophos.com/en-us/threat-c...-analysis.aspx
94.23.247.202: https://www.virustotal.com/en-gb/ip-...2/information/
:mad: :fear: :sad:
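Each of the posts above ends with a "Recommended blocklist" of defanged domains and IPs ("andribus .com", "94.23.247.202"), and later posts in this thread add CIDR ranges such as 208.71.174.32/27. As an added example (not code from dynamoo or any of the quoted blogs), the Python script below refangs such a list, parses it into domain and network sets, and checks the hosts in proxy-log lines against it, matching subdomains of a listed domain and addresses inside a listed range. The blocklist entries and log lines are constructed samples, and the five-column log layout is an assumption, not any product's real format.

```python
"""Refang a 'Recommended blocklist' and match proxy-log hosts against it.
Added example; the indicators below are constructed samples in the defanged
style of the quoted posts, not a live feed."""
import ipaddress
import re
from urllib.parse import urlsplit

SAMPLE_BLOCKLIST = """
# constructed sample list in the defanged style used above
94.23.247.202
208.71.174.32/27
andribus .com
owenscrandall .com
lagrimas.tuars .com
hxxp://esys-comm .ro/images/images.rar
"""

# constructed proxy log: timestamp, client, method, target, status (assumed layout)
SAMPLE_PROXY_LOG = """\
2014-07-31T10:55:02Z 10.1.2.3 GET http://andribus.com/images/images.rar 200
2014-07-31T10:55:09Z 10.1.2.4 GET https://www.google.com/ 200
2014-08-04T04:01:11Z 10.1.2.5 CONNECT 208.71.174.40:443 200
2014-08-04T04:02:30Z 10.1.2.6 GET http://www.lagrimas.tuars.com/x.php 404
"""


def refang(text: str) -> str:
    """Undo common defanging: 'andribus .com', 'https ://goo.gl /1rBYjl', hxxp, [.]"""
    t = text.strip()
    t = t.replace("[.]", ".").replace("(.)", ".")
    t = re.sub(r"\s+\.", ".", t)            # "andribus .com"   -> "andribus.com"
    t = re.sub(r"\.\s+", ".", t)            # "goo. gl"         -> "goo.gl"
    t = re.sub(r"\s*:\s*//\s*", "://", t)   # "https ://goo.gl" -> "https://goo.gl"
    t = re.sub(r"\s*/\s*", "/", t)          # "goo.gl /1rBYjl"  -> "goo.gl/1rBYjl"
    t = re.sub(r"^hxxp", "http", t, flags=re.I)
    return t


def host_of(target: str) -> str:
    """Host part of a URL, 'host:port' or bare host; ports and paths are dropped."""
    t = refang(target)
    if "://" not in t:
        t = "//" + t                      # lets urlsplit parse 'host:port/path'
    return (urlsplit(t).hostname or "").lower().rstrip(".")


class Blocklist:
    def __init__(self, raw: str):
        self.networks = []                # ip_network objects, /32 for single IPs
        self.domains = set()
        for line in raw.splitlines():
            line = line.strip()
            if line and not line.startswith("#"):
                self._add(refang(line))

    def _add(self, indicator: str) -> None:
        if "://" not in indicator:
            try:                          # bare IP or CIDR range
                self.networks.append(ipaddress.ip_network(indicator, strict=False))
                return
            except ValueError:
                pass
        host = host_of(indicator)
        try:
            self.networks.append(ipaddress.ip_network(host, strict=False))
        except ValueError:
            if host:
                self.domains.add(host)

    def matches(self, target: str):
        """Return the blocklist entry that covers `target`, or None."""
        host = host_of(target)
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            addr = None
        if addr is not None:
            return next((str(n) for n in self.networks if addr in n), None)
        labels = host.split(".")
        # the host itself, then each parent domain (never the bare TLD)
        for i in range(len(labels) - 1):
            candidate = ".".join(labels[i:])
            if candidate in self.domains:
                return candidate
        return None


def scan_log(bl: Blocklist, log: str):
    """Return (timestamp, client, target, matched_entry) for each blocked request."""
    hits = []
    for line in log.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        hit = bl.matches(fields[3])
        if hit:
            hits.append((fields[0], fields[1], fields[3], hit))
    return hits


if __name__ == "__main__":
    bl = Blocklist(SAMPLE_BLOCKLIST)
    for ts, client, target, entry in scan_log(bl, SAMPLE_PROXY_LOG):
        print(f"{ts} {client} -> {target}  blocked by {entry}")
```

Matching parent domains is deliberate: the posts list registered domains, and the malware URLs sit under them (or under hosts such as www.), so a suffix match catches the whole tree without ever matching a bare TLD. Single IPs become /32 networks so that IPs and ranges are checked by the same code path.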
Fake "Sup", Fake IRS SPAM, Phish: Barclays ...
FYI...
Fake "Sup" snowshoe SPAM - from 208.71.174.32/27
- http://blog.dynamoo.com/2014/08/sup-...711743227.html
4 Aug 2014 - "Here's a strange spam I've been tracking for a couple of days:
Date: Sun, 03 Aug 2014 20:56:48 -0700 [08/03/14 23:56:48 EDT]
From: Olive [olive@ platesat .us]
Subject: Sup ...
The "IMG" is invalid and shows a placeholder.. making you think that it is broken, but in fact it is triggering the "unsubscribe" link in the email. So.. the email automatically unsubscribes its victims? Not exactly. A look at the root directory of www .gonename .us (143.95.38.234 = petyrbaelish .asmallorange .com)... The presence of unsubscribe.dat and unsubscribe.php is a characteristic of Maxprog MaxBulk Mailer which like all mailing list applications can be used for good or evil. MaxBulk Mailer does have an unsubscribe option which stores names in the unsubscribe.dat file (hardly secure, I know), and what appears to be happening in this case is the HTML has been altered slightly to make -everyone- unsubscribe... At the time of writing, over 6800 email addresses have been validated for further spamming, a number that is increasing quite rapidly. Emails are held in plaintext and can be harvested by anyone... No doubt the people who opened this email can look forward to a whole set of additional spam in their inboxes. All the sending IPs are in the 208.71.174.32/27 range (Network Data Center Host Inc, US). Each IP has a .us domain hosted on it, but the WHOIS details for each domain appear to be -fake- . This attack started last week with a different range of sending addresses in the 188.165.94.176/28 (OVH, France / VertVPS, Canada) range sending victims to a spamvertised site of www .morehex .us which was configured in the same way. All those sites have now been -suspended- . Email subjects in that case were:
What's up?
Hey Sister
G'day
Whoever is running these spam servers has taken enormous pains to hide their identity, and they are also well-resourced enough to be able to rent server farms for a short period until they get terminated... Looking more deeply into the /27 also yields some more domains, all of which have fake or anonymous WHOIS details..
Recommended blocklist:
208.71.174.32/27
gonename .us "
(More detail at the dynamoo URL above.)
___
Fake BoA SPAM leads to Cryptowall
- http://blog.dynamoo.com/2014/08/bank...ents-spam.html
4 Aug 2014 - "This -fake- BofA spam has a malicious payload:
Date: Mon, 4 Aug 2014 19:57:07 +0800 [07:57:07 EDT]
From: Andrea Talbot [Andrea.Talbot@ bofa .com]
Subject: RE: Important Documents
Please check attached documents regarding your Bofa account.
Andrea Talbot
Bank Of America
817-298-4679 office
817-180-2340 cell Andrea.Talbot@ bofa .com ...
Attached to the message is an archive AccountDocuments.zip which in turn contains the malicious executable AccountDocuments.scr which has a VirusTotal detection rate of 6/54* and the comments indicate that this is a variant of Cryptowall. The Comodo CAMAS report shows that it phones home..
Recommended blocklist:
94.23.247.202
dirbeen .com
ibuildchoppers .com "
* https://www.virustotal.com/en/file/6...is/1407179338/
** http://camas.comodo.com/cgi-bin/subm...6880519e2b2f6f
94.23.247.202: https://www.virustotal.com/en/ip-add...2/information/
___
Fake IRS SPAM – 'Fiscal Activity 71363' .doc malware
- http://myonlinesecurity.co.uk/irs-no...d-doc-malware/
4 Aug 2014 - "IRS Notification – Fiscal Activity 71363. pretending to come from International Taxpayer Service <lhopkins@ wm .com> is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers... current bunch of malwares being spread by attempting to use a genuine Word Doc with an embedded macro. This one, once again tries to contact http ://moviebernie1996 .ru/u.exe and download the zbot which has a current virus total detection rate of 5/54*. If you still use an older version of Microsoft Word, then you are at risk of being infected by this. Modern versions, that is 2010 and 2013 have macros disabled by default and are set to display in read only mode by default... aimed at US tax payers who are living or working in UK, because the Address and phone number in the email belong to the American Embassy in London:
> http://www.irs.gov/static_assets/img/logo.png
Here is a report on your early 2014 Federal Tax return report.
Kindly download the attachment to view your report and start
filling for 2014 return as early as second week of July.
Thanks
Internal Revenue Service
24/31 Grosvenor Square
London W1K 6AH
United Kingdom
Tel.Fax.: [44] (207) 672-2808 ...
4 August 2014: Fiscal Activity.Doc Current Virus total detections: 7/52*
This IRS Notification – Fiscal Activity 71363. is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper word file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/3...is/1407132830/
___
Fake BT Digital SPAM
- http://blog.dynamoo.com/2014/08/impo...file-spam.html
4 Aug 2014 - "This -fake- BT spam has a malicious attachment:
Screenshot: https://1.bp.blogspot.com/-M2q0aceAk...ital-vault.png
The attachment is BT_Digital_Vault_File.zip which contains a malicious executable BT_Digital_Vault_File.exe which has a VirusTotal detection rate of 5/54*... Comodo CAMAS report** ...
Recommended blocklist:
94.23.247.202
amhzconsultancy .com
sintesismark .com
bianconeandwilinsky .com
osteoarthritisblog .com
hopeisnull .comuf .com
grenzland-classic .de "
* https://www.virustotal.com/en-gb/fil...is/1407158959/
** http://camas.comodo.com/cgi-bin/subm...7efd53c296ada8
94.23.247.202: https://www.virustotal.com/en/ip-add...2/information/
___
Fake Invoice 2014080420 SPAM
- http://blog.dynamoo.com/2014/08/invo...0420-spam.html
4 Aug 2014 - "This spam has a malicious attachment:
Date: Mon, 04 Aug 2014 20:29:43 +0900 [07:29:43 EDT]
From: Accounts Dept [tolvan.rover@ btinternet .com]
Subject: Invoice 2014080420 dynamoo
This email contains an invoice file for June 2014 - July 2014. Please pay invoice in full in 3 business days and reply to us...
There is an attachment INV_2014080420.zip containing a folder invoice_june2014-july2014.xls which in turn contains a malicious executable invoice_june2014-july2014.xls.scr which has a VirusTotal detection rate of 6/52*. Automated analysis tools are inconclusive..."
* https://www.virustotal.com/en-gb/fil...is/1407159727/
___
Phish: Booking .com
- http://blog.malwarebytes.org/fraud-s...holiday-phish/
4 Aug 2014 - "... it contained all of their genuine hotel booking information for starters – and claimed to be sent from Booking .com, which happens to be the company they booked their stay through. The information included:
* Correct reservation dates
* Correct hotel name
* Personal information such as name, home address
* Correct invoice amount
The email didn’t stop there – it also asked for payment information (CVV number) and asked for a payment to be -wired- to (what appears to be) a bank in Poland (despite the hotel being in Spain). While it isn’t unusual for payments to show in one location when the hotel is in another – depending on how you do it or which third party you book through, you may find your cash wings its way to an entirely different location – it is a little unusual to see wiring money mentioned and this likely set off alarm bells. The scammers also asked for a scanned copy of the wire transfer deposit – this is often used in 419 / wire scams, because they’ll take the scan to the place where the money it sent and pretend to be the victim or a relative before wandering off with a tidy stack of notes. The outlook on this one right now seems to be that the hotel has been targeted in some way rather than the booking website, and likely involves social engineering. If you do have a trip planned and receive -emails- about -payments- , phone the hotel and / or booking agents -directly- instead of replying – as you can see, these mails are 100% accurate and will probably brush aside many “But what about…” -scam- flags recipients would ordinarily raise. Another type of email -scam- to steer clear of, then..."
___
Backdoor Techniques in Targeted Attacks
- http://blog.trendmicro.com/trendlabs...geted-attacks/
Aug 4, 2014 - "Backdoors are an essential part of targeted attacks, as they allow an external threat actor to exercise control over any compromised machines. These allow the threat actor to collect information.. various targeted attacks have showed that a wide variety of tactics are used by backdoors to carry out their routines, as well as remain -undetected- by network administrators and security products... Using free services for C&C functions is not new; we noted just recently how Dropbox was being used in a similar way... resources to help deal with targeted attacks can be found in our targeted attacks hub*."
* http://about-threats.trendmicro.com/...geted-attacks/
___
Fake IRS e-Help Desk Spam
- http://threattrack.tumblr.com/post/9...help-desk-spam
Aug 4, 2014 - "Subjects Seen:
E-mail Receipt Confirmation - Ticket#SD3784695
Typical e-mail details:
The IRS e-help Desk has received your email on 06/20/14. A case has been opened in response to your question or issue.
Your case ID is : SD3784695
Details about this case has been attached.
If additional contact is necessary, please reference this case ID.
You will receive a reply within two business days.
Thank you for contacting the IRS e-help Desk...
Malicious File Name and MD5:
SD08042014.scr (8AB01278965D09ACA5F2CE175756DB8C)
SD3784695.zip (108D153B71D2E8C66A2FA54F13317E18)
Screenshot: https://gs1.wac.edgecastcdn.net/8019...d3R1r6pupn.png
Tagged: IRS, Upatre
___
Fake iTunes Order Acknowledgment Spam
- http://threattrack.tumblr.com/post/9...wledgment-spam
Aug 4, 2014
"Screenshot: https://gs1.wac.edgecastcdn.net/8019...CM11r6pupn.png
Subjects Seen:
Order Number: W6269799
Typical e-mail details:
Dear Apple Member,
Thank you for shopping Apple.com. Please review your order details below and retain this email for your records. You will receive a shipping confirmation email once your order has shipped.
For more information please check attached PDF invoice.
Malicious File Name and MD5:
W6269799.scr (8AB01278965D09ACA5F2CE175756DB8C)
W6269799.zip (1B14810142A86D7F2B63D4E23F586274)
Tagged: iTunes, Upatre
___
Phish: Barclays - "Your account might be compromised"
- http://myonlinesecurity.co.uk/accoun...lays-phishing/
4 Aug 2014 - "Your account might be compromised pretending to come from Barclays Current Accounts <barclays@ securesuite .net> is one of a series of currently spreading emails that are intended to get your bank log in details. They ask you to open the attached zip & fill in the html form inside it. That of course will end up with you having your bank, credit card and email details -stolen- and used by criminals. -If- you fill in the form, it then sends you on to a genuine Barclays log in page, where you don’t realise that you have filled in a form & details were sent -elsewhere- ...
Dear Customer,
We recently have determined that different computers have logged in your Barclays
account, and multiple password failures were present before the logons.
For your security we have temporary suspended your account.
Please download the document attached to this email and fill carefully.
If you do not restore your account by August 05, we will be forced to suspend
your account indefinitely, as it may have been used for fraudulent purposes.
Do not ignore this message is for your security.
We apologize for any inconvenience.
Yours sincerely,
Jessica M. Klaus,
IT Assistant,
Barclays Current Accounts...
:fear::fear: :mad:
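The "Sup" snowshoe post above describes an `<img>` tag whose broken picture is really a fetch of the mailer's unsubscribe URL, so simply rendering the mail validates the recipient's address. As an added example (not code from dynamoo or the forum poster), the Python script below parses an HTML message body and flags images whose fetch would act as a click: a src identical to a link in the same mail, a path that names an unsubscribe or validation endpoint, the recipient's address embedded in the URL, a non-image URL, or a 1x1 tracking pixel. The message, the `.test` sender domain and the recipient address are constructed samples.

```python
"""Flag <img> tags in an HTML e-mail whose fetch would act as a click.
Added example: the sample message, sender domain (.test) and recipient
are constructed, not taken from the spam run described above."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# path words that suggest the image URL performs an action rather than serving a picture
ACTION_WORDS = ("unsubscribe", "unsub", "optout", "opt-out", "remove", "confirm", "validate")
IMAGE_EXT = re.compile(r"\.(gif|png|jpe?g|webp|bmp)$")

SAMPLE_HTML = """\
<html><body>
<p>Sup ...</p>
<img src="http://www.sender-example.test/unsubscribe.php?email=victim@example.org" width="1" height="1">
<img src="http://www.sender-example.test/images/banner.jpg" width="600">
<p><a href="http://www.sender-example.test/unsubscribe.php?email=victim@example.org">unsubscribe</a></p>
</body></html>
"""


class TagCollector(HTMLParser):
    """Collect img attributes and anchor hrefs from the message body."""
    def __init__(self):
        super().__init__()
        self.images = []
        self.links = set()

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "img" and a.get("src"):
            self.images.append(a)
        elif tag == "a" and a.get("href"):
            self.links.add(a["href"])


def suspicious_images(html_body: str, recipient: str):
    """Return [(src, [reasons])] for images that look like auto-triggered actions."""
    p = TagCollector()
    p.feed(html_body)
    findings = []
    for img in p.images:
        src = img["src"]
        path = urlsplit(src).path.lower()
        reasons = []
        if src in p.links:
            reasons.append("image fetches the same URL as a clickable link (auto-click)")
        if any(w in path for w in ACTION_WORDS):
            reasons.append("path looks like an unsubscribe/validation endpoint")
        if recipient.lower() in src.lower():
            reasons.append("recipient address embedded in image URL (address validation)")
        if not IMAGE_EXT.search(path):
            reasons.append("URL does not end in an image extension")
        if img.get("width") in ("0", "1") and img.get("height") in ("0", "1"):
            reasons.append("invisible 1x1/0x0 image (tracking pixel)")
        if reasons:
            findings.append((src, reasons))
    return findings


if __name__ == "__main__":
    for src, reasons in suspicious_images(SAMPLE_HTML, "victim@example.org"):
        print(src)
        for r in reasons:
            print("  -", r)
```

A mail gateway or client that blocks remote images by default defeats this trick entirely; the checks above are for triaging samples after the fact, and the "same URL as a link" rule is the one that captures exactly what the post describes.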
Fake iTunes SPAM, Phish: Gumtree ...
FYI...
Fake iTunes Order SPAM - PDF malware
- http://myonlinesecurity.co.uk/itunes...e-pdf-malware/
5 Aug 2014 - "iTunes Order Number : W8057748 pretending to come from iTunes <store@apple.com> is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email reads:
iTunes Order Acknowledgment
Order Number: W8057748
Ordered on August 04, 2014
Dear Apple Member,
Thank you for shopping Apple.com. Please review your order details below and retain this email for your records. You will receive a shipping confirmation email once your order has shipped.
For more information please check attached PDF invoice...
5 August 2014: W8057748.zip (10kb): Extracts to W08042014.scr
Current Virus total detections: 25/54* . This iTunes Order Number : W8057748 is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/a...is/1407216005/
- http://threattrack.tumblr.com/post/9...wledgment-spam
4 Aug 2014
Screenshot: https://gs1.wac.edgecastcdn.net/8019...CM11r6pupn.png
___
Dyreza / Pushdo outbreak - QuickBooks, Dun & BradStreet and iTunes themed emails
- http://stopmalvertising.com/spam-sca...ed-emails.html
5 Aug 2014 - "Yesterday we received several unsolicited emails appearing to be either from QuickBooks, Dun & BradStreet and iTunes. The emails respectively arrive with the subject line "Payment Overdue", "New Company Complaint - 4086489" and "Order Number: W0666513". All emails come with an attachment that the recipient is invited to open. Each file inside the ZIP archive poses as a -PDF- no matter what their file extension is. That’s why you need to make sure that Windows Explorer is configured to show file extensions and -never- trust a file by its icon. The first stage payload of each mail is -Upatre- , its unique objective is to load malware on the compromised computer. Although the executable is named differently, the Upatre payload of the QuickBooks invoice and the Dun & BradStreet complaint share the same MD5 hash. In every single case Upatre downloads Dyreza, a Trojan banker and the spambot Pushdo, a dropper for Cutwail. The Pushdo sample is identical in the three spam campaigns. The Dyreza sample from the iTunes campaign is different to the two other campaigns..."
___
Fake Order confirmation SPAM - PDF malware
- http://myonlinesecurity.co.uk/order-...e-pdf-malware/
5 Aug 2014 - "Order confirmation pretending to come from Scott Powell is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email reads:
Attached is a list of items we have recently supplied that require the prices to be confirmed.
Regards
Scott Powell
5 August 2014 Order 9680748.zip (44kb) : Extracts to Order 2661788.exe
Current Virus total detections: 1/51* ... This Order confirmation is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/6...is/1407237866/
___
Fake Invoice June2014-July2014 SPAM
- http://blog.dynamoo.com/2014/08/invo...july-2014.html
5 Aug 2014 - "This -spam- is very like this one*, but has a different payload:
Date: Tue, 05 Aug 2014 17:18:39 +0700 [06:18:39 EDT]
From: Accounts Dept [optique@ hotmail .com]
Subject: Invoice 20146308660 June 2014 - July 2014 dynamoo
This email contains an invoice file for June 2014 - July 2014. Please pay invoice in full in 3 business days and reply to us.
Attached is an archive ID_20146308660.zip which contains a folder invoice__details_June-July.xls which in turn contains a malicious executable invoice__details_June-July.xls.scr which has a VirusTotal detection rate of just 2/54**. According to the CAMAS report***, the malware then downloads a further component... This second stage has a VirusTotal detection rate of 9/54****. Automated analysis tools are inconclusive..."
(Long 'Recommended blocklist' at the dynamoo URL above.)
* http://blog.dynamoo.com/2014/08/invo...0420-spam.html
** https://www.virustotal.com/en-gb/fil...is/1407242827/
*** http://camas.comodo.com/cgi-bin/subm...12a8fa791e997b
**** https://www.virustotal.com/en-gb/fil...is/1407244040/
___
Phish: Gumtree 'Account Locked' Scam
- http://www.hoax-slayer.com/gumtree-phishing-scam.shtml
Aug 5, 2014 - "Email purporting to be from online buying and selling website Gumtree claims that your Gumtree account has been locked for security reasons and you must proceed with a verification process to restore access. The email is -not- from Gumtree. It is a phishing scam designed to trick you into giving your personal and financial information to Internet criminals.
Screenshot: http://www.hoax-slayer.com/images/gu...ing-scam-1.jpg
According to this email, which claims to be from online buying and selling portal Gumtree, your Gumtree account has been locked for security reasons. The email urges you to download a file to start a verification process that will restore account access... Clicking the link in the scam email will download a .zip file that contains a .html file. Clicking the .html file will open a -fake- Gumtree login page in your browser. -If- you enter you login details on the fake page, you may then be taken to a second page that asks you to provide address and ID information as well as credit card details... information submitted on the -bogus- webpages will be collected by criminals and used for financial fraud and identity theft. The criminals may also use the stolen information to hijack your Gumtree account and use it for further fraudulent activities..."
:fear: :mad:
Fake email SPAM - attachment malware
FYI...
Fake email SPAM - Word Doc attachment malware
- http://myonlinesecurity.co.uk/change...d-doc-malware/
6 Aug 2014 - "'Change in percent' pretending to come from mnmorgan@ tribune .com is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email addresses are either faked or belong to users with infected computers or servers, that various bots have compromised. Since posting this, I have received several other copies of the -malware- email from different senders and all with different names and phone numbers in the body... once again a genuine word doc with an embedded macro that acts as a downloader to download a full blown zbot from http ://bernisuperfilm .ru/uupdate2.exe* which has a current virus total detection rate of 3/54** ... Office 2010 and Office 2013 have macros disabled by default and are set to display in read only mode by default. That -stops- any -macros- or embedded programs from running... Email reads:
Hi [redacted]
Yield reduced. We ask you for information to the attached document to pass to your superiors.
Riojas Imelda
Tel./Fax.: +44 171 6825484
6 August 2014: Information.zip : Extracts to Information.doc
Current Virus total detections: 2/44*** ... accidentally open it and be infected...."
* 77.28.100.73: https://www.virustotal.com/en-gb/ip-...3/information/
** https://www.virustotal.com/en/file/8...is/1407273243/
*** https://www.virustotal.com/en-gb/fil...is/1407295528/
___
Fake 'Benefit Elections' SPAM – PDF malware
- http://myonlinesecurity.co.uk/benefi...e-pdf-malware/
6 Aug 2014 - "'Benefit Elections' pretending to come from Landon.Carter@ adp .com is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email reads:
Please review the attached CBE form, If you require changes to the options shown, please contact me right away so that we may address your concerns. We will record your elections in our system and provide you a final Client Confirmation Statement for your review.
Please sign and send it back.
Regards,
ADP TotalSource Benefits Team
6 August 2014 : CBEform.zip (8kb) : Extracts to CBEform.exe
Current Virus total detections: 0/54* ... This 'Benefit Elections' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/1...is/1407339197/
___
Fake Companies House SPAM
- http://blog.dynamoo.com/2014/08/comp...0571-spam.html
6 Aug 2014 - "This -fake- Companies House spam has a malicious attachment:
Date: Wed, 6 Aug 2014 19:45:59 +0700 [08:45:59 EDT]
From: Companies House [WebFiling@ companieshouse .gov .uk]
Subject: RE: Case 4620571
The submission number is: 4620571
For more details please check attached file.
Please quote this number in any communications with Companies House.
All Web Filed documents are available to view / download for 10 days after their
original submission. However it is not possible to view copies of accounts that
were downloaded as templates.
Companies House Executive Agency may use information it holds to prevent
and detect fraud. We may also share such information, for the same purpose,
with other Organizations that handle public funds...
Attached is a file Case_4620571.zip which in turn contains a malicious executable Case_4620571.scr which has a VirusTotal detection rate of 11/53*. Automated analysis tools... show that the malware reaches out to... locations which are good candidates for blocking:
64.191.43.150
94.23.247.202
feelgoodframesstore .com
beeprana .com
upscalebeauty .com "
* https://www.virustotal.com/en-gb/fil...is/1407338507/
94.23.247.202: https://www.virustotal.com/en-gb/ip-...2/information/
___
US-based Tech Support SCAMS ...
- http://blog.malwarebytes.org/fraud-s...support-scams/
Aug 6, 2014 - "... last month, we stumbled upon -fake- warning pages urging users to call a number for ‘emergency tech support’. When we rang the number, we were surprised to hear that the technician sounded American. It turned out that their company was based in ‘the sunshine state‘ of Florida, USA... The following are fraudulent sites that display a warning message and play -sound- effects with the goal of scaring the user and making them believe that their computer is infected:
> http://cdn.blog.malwarebytes.org/wp-...redwarning.png
...
> http://cdn.blog.malwarebytes.org/wp-...othererror.png
... There is an ongoing and strong affiliate campaign pushing these warnings. You may come across them as you are browsing the net...
A -bogus- sales pitch: Upon seeing the warning message, many people may feel as though there is really something wrong with their machine. In fact, the pages themselves are designed in such a way that you cannot close them by clicking the ‘X’. Instead you need to forcefully ‘kill’ the browser either via TaskManager or other Windows utilities. Those who take the bait will call the 1-800 number to speak with a technician and this is where their real troubles begin. The warning page is essentially a launchpad for the technician to talk about online threats, giving examples of recent attacks and eventually scare the user... This is -not- true of course. Microsoft has stated many times that “You will -never- receive a legitimate call from Microsoft or our partners to charge you for computer fixes*“.
* http://www.microsoft.com/security/on...one-scams.aspx
... US-based companies are much less likely to cold-call people because of the risks of getting caught, not to mention the fact that this practice has such a bad reputation...
> http://cdn.blog.malwarebytes.org/wp-...14/07/flag.png
... The technician was friendly, spoke proper English and the work was done in a timely and efficient manner. But, what these victims may not see and what we decided to expose here, is how some dishonest tech support companies have trained their staff to fabricate lies in order to -scare- their prospect customers into paying a lot of money for a service they may actually -not- need. At the end of the day, this is a tough issue because there are a lot of people out there (especially the elderly) that do need some assistance with their computers and often don’t have many options to get it. If they look for it online, chances are that they will get ripped off..."
(More detail at the malwarebytes URL at the top.)
___
Revenue and Customs Notice Spam
- http://threattrack.tumblr.com/post/9...eported-income
Aug 6, 2014 - "Subjects Seen:
Notice of Underreported Income
Typical e-mail details:
Taxpayer ID: ufwsd-000005925000UK
Tax Type: Income Tax
Issue: Unreported/Underreported Income (Fraud Application)
Please review your tax income statement on HM Revenue and Customs ( HMRC )
Please complete the attached form
HM Revenue and Customs
Malicious File Name and MD5:
ufwsd-000004421455UK.scr (A888BD28BE24D6A59D132B66E5E1AEBB)
ufwsd-000005925000UK.zip (33809621F99D44BEBC07E7D9B2D092C9)
Screenshot: https://gs1.wac.edgecastcdn.net/8019...NKT1r6pupn.png
Tagged: HMRC, Upatre
___
Hackers amass over a Billion internet passwords
- http://www.nytimes.com/2014/08/06/te...edentials.html
Aug 5, 2014 - "A Russian crime ring has amassed the largest known collection of stolen Internet credentials, including 1.2 billion user name and password combinations and more than 500 million email addresses..."
- https://isc.sans.edu/diary.html?storyid=18487
2014-08-06 - "Some of it may be hype. But no matter if 500 Million, 1.5 Billion or even 3.5 Billion passwords have been lost... given all the password leaks we had over the last couple years it is pretty fair to assume that at least -one- of your passwords has been compromised at some point..."
- http://krebsonsecurity.com/2014/08/q...mail-accounts/
6 Aug 2014 - "... Q: Should I be concerned about this? A: ... If you are the type of person who re-uses passwords at multiple sites — including email accounts — then the answer is yes. If you re-use your email password at another site and that other site gets -hacked- there is an excellent chance that cyber crooks are plundering your inbox and using it to spam your friends and family to spread malware and to perpetuate the cybercrime food chain... Your email account may be worth far more than you imagine:
> http://krebsonsecurity.com/wp-conten...-1-600x333.jpg
:fear: :mad:
FireEye/Fox-IT - free keys to unlock CryptoLocker
FYI...
FireEye and Fox-IT - free keys designed to unlock systems infected by CryptoLocker
>> https://www.decryptcryptolocker.com/
Aug 6, 2014 - "Please provide your email address [1] and an encrypted file [2] that has been encrypted by CryptoLocker. This portal will then email you a master decryption key along with a download link to our recovery program that can be used together with the master decryption key to repair all encrypted files on your system.
- Please note that each infected system will require its own unique master decryption key. So in case you have multiple systems compromised by CryptoLocker, you will need to repeat this procedure per compromised system.
- Notes:
[1] Email addresses will not be used for marketing purposes, nor will they be in any way stored by FireEye or Fox‑IT.
[2] You should only upload encrypted files that do not contain any sensitive or personally identifiable information..."
- http://www.fireeye.com/blog/corporat...ecryption.html
Aug 6, 2014
- http://www.fireeye.com/blog/wp-conte...08/crypto2.png
- https://www.fox-it.com/en/press-rele...ocker-victims/
6 Aug 2014
:bigthumb:
Fake RBS SPAM, AmEx PHISH, Resume SPAM ...
FYI...
Fake RBS SPAM
- http://blog.dynamoo.com/2014/08/rbs-...3549-spam.html
8 Aug 2014 - "This fake RBS spam has a malicious attachment:
Date: Thu, 24 Jul 2014 09:33:37 GMT [07/24/14 05:33:37 EDT]
From: Annie Wallace[Annie.Wallace@ rbs .co.uk]
Subject: RE: Incident IM03393549
Good Afternoon ,
Attached are more details regarding your account incident. Please extract the attached
content and check the details.
Please be advised we have raised this as a high priority incident and will endeavour to
resolve it as soon as possible. The incident reference for this is IM03393549.
We would let you know once this issue has been resolved, but with any further questions
or issues, please let me know.
Kind Regards, ...
The attachment is IM03393549.zip containing a malicious executable IM008082014.scr which has a VirusTotal detection rate of 15/42*. The CAMAS report** shows that the malware connects to the following locations to download additional components:
94.23.247.202/n0808uk/SANDBOXA/0/51-SP2/0/
94.23.247.202/n0808uk/SANDBOXA/1/0/0/
quesoslaespecialdechia .com/Scripts/n0808uk.zip
energysavingproductsinfo .com/wp-content/uploads/2014/08/n0808uk.zip
The exact nature of the malware is not known, but it is most likely a banking Trojan or Cryptowall.
Recommended blocklist:
94.23.247.202
quesoslaespecialdechia .com
energysavingproductsinfo .com "
* https://www.virustotal.com/en-gb/fil...is/1407490764/
** http://camas.comodo.com/cgi-bin/subm...663b54ab14b0a3
___
Fake Resume SPAM - malicious attachment
- http://blog.dynamoo.com/2014/08/fw-r...ttachment.html
8 Aug 2014 - "This terse spam is malicious:
Date: Fri, 8 Aug 2014 05:57:02 +0700 [08/07/14 18:57:02 EDT]
From: Janette Sheehan [Janette.Sheehan@ linkedin .com]
Subject: FW: Resume
Attached is my resume, let me know if its ok.
Thanks,
Janette Sheehan
Attached is an archive Resume.zip which in turn contains a malicious executable Resume.scr. This has a VirusTotal detection rate of 24/54*. The CAMAS report** shows that the malware attempts to phone home to the following locations:
94.23.247.202 /0708stat/SANDBOXA/0/51-SP2/0/
94.23.247.202 /0708stat/SANDBOXA/1/0/0/
hngdecor .com/wp-content/uploads/2013/10/cw2800.zip
welfareofmankind .com/underconst/css/cw2800.zip
Recommended blocklist:
94.23.247.202
hngdecor .com
welfareofmankind .com "
* https://www.virustotal.com/en-gb/fil...is/1407493005/
** http://camas.comodo.com/cgi-bin/subm...8b27ebf5a55d5b
94.23.247.202: https://www.virustotal.com/en-gb/ip-...2/information/
___
Fake HMRC tax SPAM - PDF malware
- http://myonlinesecurity.co.uk/hmrc-t...e-pdf-malware/
7 Aug 2014 - "HMRC taxes application with reference 4DEW NASM CBCG RC6 received pretending to come from noreply@ taxreg .hmrc .gov .uk is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email reads:
The application with reference number 4DEW NASM CBCG RC6 submitted by you or your agent to register for HM Revenue & Customs (HMRC) taxes has been received and will now be verified. HMRC will contact you if further information is needed.
The original of this email was scanned for viruses by the Government Secure Intranet virus scanning service supplied by Vodafone in partnership with Symantec. (CCTM Certificate Number 2009/09/0052.) On leaving the GSi this email was certified virus free.
Communications via the GSi may be automatically logged, monitored and/or recorded for legal purposes.
7 August 2014: 4DEW NASM CBCG RC6.zip (8kb) Extracts to 4DEW NASM CBCG RC6.scr
Current Virus total detections: 0/54*. This HMRC taxes application with reference 4DEW NASM CBCG RC6 received is another one of the spoofed icon files that unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/e...is/1407447014/
___
AmericanExpress - PHISH
- http://blog.dynamoo.com/2014/08/secu...n-on-your.html
8 Aug 2014 - "This -fake- AmEx spam appears to lead to a phishing site on multiple URLs:
Screenshot: https://3.bp.blogspot.com/-bC41J5WRh...amex-phish.png
In this case the link goes to a phishing site... but there seem to be a bunch of them at the moment... IPs in use are:
91.219.29.35 (FLP Kochenov Aleksej Vladislavovich, Ukraine)
188.240.32.75 (SC CH-NET SRL, Romania)
I recommend blocking these IPs:
91.219.29.35
188.240.32.75 "
91.219.29.35: https://www.virustotal.com/en/ip-add...5/information/
188.240.32.75: https://www.virustotal.com/en/ip-add...5/information/
- http://myonlinesecurity.co.uk/americ...-key-phishing/
8 Aug 2014
___
Fake e-on energy SPAM - PDF malware
- http://myonlinesecurity.co.uk/e-ener...e-pdf-malware/
8 Aug 2014 - "e-on energy Unable to process your most recent bill payment pretending to come from E ON Energy <noreply@ eonenergy .com> is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email reads:
... Dear customer,
This e-mail has been sent to you to inform you that we were unable to process your most recent payment of bill.
Please check attached file for more detailed information on this transaction.
IMPORTANT: The actual delivery date may vary from the Delivery By date estimate. Please make sure that there are sufficient available funds in your account to cover your payment beginning a few days before Delivery By date estimate and keep such funds available until the payment is deducted from your account.
If we fail to process a payment in accordance with your properly completed instructions, we will reimburse you any late-payment-related fees.
We apologize for any inconvenience this may cause.
8 August 2014: e-ON-Energy-Bill.zip (15kb) : Extracts to e-ON-Energy-Bill.exe
Current Virus total detections: 7/54*. This e-on energy Unable to process your most recent bill payment is another one of the spoofed icon files that unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/4...is/1407509103/
:fear: :mad:
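The dynamoo posts quoted above each end with a "Recommended blocklist" whose entries are defanged (a space before the TLD, so the names are not clickable), and the download locations are written the same way with the path still attached. As an added example that is not part of the original posts, this script refangs those entries, separates IP addresses from domains, and emits a hosts-file sinkhole plus a firewall deny list. The sample text is copied from the two blocklists in the RBS and Resume posts; the `[.]` and `hxxp://` forms handled by `refang` are assumptions about other common defanging styles, not something the posts use.

```python
import ipaddress
import re

# Constructed sample: the two "Recommended blocklist" sections from the quoted
# dynamoo posts, kept exactly as they appear in the forum (defanging space,
# trailing quote mark, VirusTotal footnote line).
SAMPLE = """Recommended blocklist:
94.23.247.202
quesoslaespecialdechia .com
energysavingproductsinfo .com "
* https://www.virustotal.com/en-gb/fil...is/1407490764/
Recommended blocklist:
94.23.247.202
hngdecor .com
welfareofmankind .com "
"""

# "example .com", "example[.]com" and "example(.)com" all become "example.com".
DEFANG_DOT = re.compile(r'\s*(?:\[\.\]|\(\.\)|\s\.)\s*')
# Strip a real or obfuscated scheme ("hxxp://" is an assumed style, not on the page).
SCHEME = re.compile(r'^(?:hxxps?|https?|ftp)\s*:\s*//', re.IGNORECASE)
# Conservative hostname syntax: labels of letters, digits and hyphens, alphabetic TLD.
DOMAIN = re.compile(r'^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$', re.IGNORECASE)


def refang(token):
    """Return the bare host from one defanged indicator, dropping any URL path."""
    t = token.strip().strip('"').strip()
    t = SCHEME.sub('', t)
    t = DEFANG_DOT.sub('.', t)
    return t.split('/', 1)[0].strip().lower()


def extract_blocklist(text):
    """Collect hosts that follow a 'Recommended blocklist:' heading until the
    closing quote mark or a footnote/separator line; sort IPs and domains apart."""
    ips, domains = set(), set()
    collecting = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower().startswith('recommended blocklist'):
            collecting = True
            continue
        if not collecting:
            continue
        if not line or line.startswith(('*', '-', '_', '>')):
            collecting = False
            continue
        host = refang(line)
        if host:
            try:
                ips.add(str(ipaddress.ip_address(host)))
            except ValueError:
                if DOMAIN.match(host):
                    domains.add(host)
        if line.endswith('"'):      # end of the quoted blog excerpt
            collecting = False
    return {'ips': sorted(ips), 'domains': sorted(domains)}


def render(blocklist):
    """Hosts-file sinkhole lines for the domains; raw IPs cannot be blocked by a
    hosts file, so they are listed for a firewall deny rule instead."""
    out = ['# generated from forum blocklist (added example)']
    out += ['0.0.0.0 ' + d for d in blocklist['domains']]
    out += ['# firewall deny: ' + ip for ip in blocklist['ips']]
    return '\n'.join(out) + '\n'


if __name__ == '__main__':
    print(render(extract_blocklist(SAMPLE)))
```

The parser deliberately stops at the footnote lines (`*`, `**`) so the VirusTotal and CAMAS links are never mistaken for indicators, and it validates each host before adding it, so a stray line of prose inside a blocklist is ignored rather than sinkholed.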
Netflix Phish, Fake Order SPAM ...
FYI...
Fake Netflix email / Phish
- http://myonlinesecurity.co.uk/netfli...-837-phishing/
12 Aug 2014 - "Your Netflix Account Requires Validation [NVF-837] is an attempt to get access to your Netflix Account... The phishing website in this example is so closely named to the genuine Netflix site, that almost anybody could be fooled by it http ://netflix-validate .com
Email looks like:
Dear Customer,
We recently failed to validate your payment information we hold on record for your account, therefore we need to ask you to complete a brief validation process in order to verify your billing and payment details. Click here to verify your account. Failure to complete the validation process will result in a suspension of your netflix membership. We take every step needed to automatically validate our users, unfortunately in this case we were unable to verify your details. The process will only take a couple of minutes and will allow us to maintain our high standard of account security.
Netflix Support Team ...
Following the link in this Your Netflix Account Requires Validation email or other spoofed emails takes you to a website that looks exactly like the real Netflix site... then through loads of steps to input a lot of private and personal information, including billing address, date of birth and then to an update payment page, where they want credit card and bank details. Not only will this information enable them to use your Netflix account, but also your Bank Account, credit card details, Email details, webspace..."
192.99.188.111: https://www.virustotal.com/en/ip-add...1/information/
Diagnostic page for AS16276 (OVH)
- https://www.google.com/safebrowsing/...?site=AS:16276
"... over the past 90 days, 2638 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2014-08-11, and the last time suspicious content was found was on 2014-08-11... we found 373 site(s) on this network.. that appeared to function as intermediaries for the infection of 821 other site(s)... We found 745 site(s)... that infected 65282 other site(s)..."
___
Fake Order SPAM
- http://myonlinesecurity.co.uk/order-...e-pdf-malware/
12 Aug 2014 - "Order take 8753884 is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... This email with subject of Order take < random numbers> arrives with just a subject and no email content except an attachment. It appears to come from various random names at various random companies.
12 August 2014: order 1530875.zip (37 kb) : Extracts to Order-8991617.exe
Current Virus total detections: 1/54*. This Order take 8753884 is another one of the spoofed icon files that unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/3...is/1407832220/
___
Fake new picture or video SPAM – PDF malware
- http://myonlinesecurity.co.uk/new-pi...e-pdf-malware/
12 Aug 2014 - "A new picture or video message pretending to come from getmyphoto@ vodafone .co.uk is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... This one wants you to download the -malware- via a tiny URL link in the email, there is no actual attachment. Email looks like:
You have received a picture message from mobile phone number +447584905118
GET MY FOTO
Please note, the free reply expires three days after the original message is sent from the Vodafone network.
Vodafone Service
12 August 2014: f679RqP75G.exe - Current Virus total detections: 0/53*
This 'A new picture or video message' is another one of the spoofed icon files that unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/2...is/1407835450/
___
Fake IRS phish...
- http://myonlinesecurity.co.uk/irs-get-refund-card/
12 Aug 2014 - "IRS Get Refund On Your Card pretending to come from IRS <refund@ irs .gov> is one of the phishing attempts to get your bank and credit card information. Email looks like:
We are writing to you because your federal Tax payment (ID: 66116572), recently sent is available for refund.
For your security, new charges on the accounts listed above may be declined. If applicable, you should advise any Additional Card Member(s) on your account that their new charges may also be declined.
For more information, please visit the following link
– https ://sa.www4.irs .gov/irfof/lang/en/irfofgetstatus.jsp?reenter=true
Your prompt response regarding this matter is appreciated.
Sincerely,
IRS Refund Team
Following the link in this 'IRS Get Refund On Your Card' email or -other- spoofed emails takes you to a website that looks exactly like the real IRS site... then through loads of steps to input a lot of private and personal information, including billing address, date of birth and then to an update payment page, where they want credit card and bank details... All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email or follow links in them..."
:mad: :fear::fear:
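Several of the myonlinesecurity and dynamoo items above describe the same trick: a .scr or .exe inside a small zip, carrying a PDF icon so that it passes for a document when extensions are hidden. As an added example that is not part of the original posts, this script shows the check a mail gateway or a cautious user can apply to such an attachment without extracting it: read each member's name and first bytes, flag executable extensions, double extensions like `.pdf.exe`, and PE (`MZ`) content hiding under a document extension. The zip is constructed in memory; the member names `Order-8991617.exe` and `IM008082014.scr` are taken from the posts, the other names and all file contents are made up for the example.

```python
import io
import zipfile

# Extensions Windows runs on double-click; .scr (screensaver) is an ordinary PE
# binary and is the extension used by most of the attachments named above.
EXECUTABLE_EXTS = {'exe', 'scr', 'com', 'pif', 'bat', 'cmd', 'js', 'jse',
                   'vbs', 'vbe', 'wsf', 'hta', 'cpl', 'lnk'}
DOCUMENT_EXTS = {'pdf', 'doc', 'docx', 'xls', 'xlsx', 'jpg', 'png', 'txt'}

# File signatures checked against the first bytes of each member.
MAGIC = [(b'MZ', 'pe'), (b'%PDF', 'pdf'), (b'PK\x03\x04', 'zip'),
         (b'\xd0\xcf\x11\xe0', 'ole'), (b'\x89PNG', 'png'), (b'\xff\xd8\xff', 'jpeg')]


def sniff(head):
    """Classify content by signature, independent of the file name."""
    for sig, kind in MAGIC:
        if head.startswith(sig):
            return kind
    return 'unknown'


def inspect_member(name, head):
    """Return a finding for one archive member: name-based and content-based reasons."""
    parts = name.rsplit('/', 1)[-1].lower().split('.')
    ext = parts[-1] if len(parts) > 1 else ''
    reasons = []
    if ext in EXECUTABLE_EXTS:
        reasons.append('executable extension .' + ext)
    if len(parts) > 2 and parts[-2] in DOCUMENT_EXTS and ext in EXECUTABLE_EXTS:
        reasons.append('double extension mimics a .' + parts[-2] + ' document')
    kind = sniff(head)
    if kind == 'pe' and ext not in EXECUTABLE_EXTS:
        reasons.append('PE header under a non-executable extension')
    return {'name': name, 'ext': ext, 'content': kind,
            'reasons': reasons, 'block': bool(reasons)}


def inspect_archive(data):
    """Inspect every file in a zip held in memory, reading only the first 8 bytes of each."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(8)
            findings.append(inspect_member(info.filename, head))
    return findings


def verdict(findings):
    """One blocked member is enough to quarantine the whole attachment."""
    return 'block' if any(f['block'] for f in findings) else 'allow'


def build_sample():
    """Constructed test attachment: fake PE stubs next to a harmless PDF and text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w') as zf:
        fake_pe = b'MZ' + b'\x90' * 30 + b' fake PE body (constructed)'
        zf.writestr('Order-8991617.exe', fake_pe)        # name from the Order SPAM post
        zf.writestr('IM008082014.scr', fake_pe)          # name from the RBS SPAM post
        zf.writestr('statement.pdf.exe', fake_pe)        # double extension (constructed)
        zf.writestr('report.pdf', fake_pe)               # PE content, document name (constructed)
        zf.writestr('invoice.pdf', b'%PDF-1.4\n% harmless constructed PDF\n')
        zf.writestr('notes.txt', b'plain text, constructed')
    return buf.getvalue()


if __name__ == '__main__':
    results = inspect_archive(build_sample())
    for f in results:
        print(f['name'], f['content'], 'BLOCK' if f['block'] else 'ok', '; '.join(f['reasons']))
    print('verdict:', verdict(results))
```

Reading only the header of each member keeps the check cheap and avoids writing the payload to disk; the content sniff is what catches a sample renamed to dodge an extension-only filter, while the extension rules catch a plain .scr whose icon is the only disguise.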