Rogue Chrome extension, Fake 'Western Union' SPAM, 'BoA', 'TurboTax' phish
FYI...
Rogue Chrome extension - tech support scam
- https://blog.malwarebytes.com/threat...-support-scam/
Feb 21, 2017 - "... Google Chrome... no surprise to see it being more and more targeted these days. In particular, less than reputable -ad- networks are contributing to the distribution of malicious Chrome extensions via very deceptive means... Google Chrome users are profiled based on the user-agent string they show whenever they visit a website. Rather than redirecting them to an exploit kit, they are often redirected to fake software updates, scams, or rogue browser extensions... Once installed, this extension ensures it stays in hiding by using a 1×1 pixel image as its logo... and by hooking chrome://extensions and chrome://settings such that any attempt to access those is automatically redirected to chrome://apps. That makes it much more difficult for the average user to see what extensions they have, let alone uninstall one of them... wouldn’t be complete without a tech support scam which it seems one can’t avoid these days. If the user clicked on a new tab or typed a ‘forbidden’ keyword, the redirection chain would then deliver a -fake- Microsoft warning:
> https://blog.malwarebytes.com/wp-con...17/02/TSS1.png
... We detect and remove this one as Rogue.ForcedExtension."
IOCs:
Fake extension: pakistance .club: 104.27.185.37: https://www.virustotal.com/en/ip-add...7/information/
104.27.184.37: https://www.virustotal.com/en/ip-add...7/information/
lfbmleejnobidmafhlihokngmlpbjfgo
Backend server (ad fraud/malvertising):
amserver .info: 104.31.70.128: https://www.virustotal.com/en/ip-add...8/information/
104.31.71.128: https://www.virustotal.com/en/ip-add...8/information/
qma0.2dn .xyz: 173.208.199.163: https://www.virustotal.com/en/ip-add...3/information/
Tech support scam:
microsoft-official-warning .info: 66.23.230.31: https://www.virustotal.com/en/ip-add...1/information/
___
Fake 'Western Union' SPAM - delivers java adwind
- https://myonlinesecurity.co.uk/more-...r-java-adwind/
21 Feb 2017 - "... -fake- financial themed emails containing java adwind or Java Jacksbot attachments. I have previously mentioned many of these HERE[1]. We have been seeing these sorts of emails almost every day...
1] https://myonlinesecurity.co.uk/?s=java+adwind
The java Adwind versions are exactly the same as yesterday’s versions detailed HERE[2]. The zip once again contains -2- different sized and named java files; although named differently to yesterday’s versions, they are identical.
2] https://myonlinesecurity.co.uk/spoof...s-java-adwind/
Screenshot: https://myonlinesecurity.co.uk/wp-co...rtra-rules.png
DETAILS OF PROHIBITED INDIVIDUALS SCREENED FOR THIS TRANSACTION AND MTCN.jar (507kb) VirusTotal 8/58* | Payload Security**
WESTERN UNION RTRA RULES AND REFUND IN FULL..jar (333kb) VirusTotal 8/57*** | Payload Security[4]
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/7...is/1487577130/
** https://www.hybrid-analysis.com/samp...ironmentId=100
*** https://www.virustotal.com/en/file/6...is/1487577144/
4] https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
83.243.41.200
___
BoA 'Access Locked' - phish
- https://myonlinesecurity.co.uk/bank-...phishing-scam/
21 Feb 2017 - "A slightly different phishing scam for a change. The phishing site is an FTP site which is very unusual...
Screenshot: https://myonlinesecurity.co.uk/wp-co...ily-Locked.png
The link-in-the-email goes to: ftp ://121.170.178.35 /License/logon.htm
where you see a site looking like:
> https://myonlinesecurity.co.uk/wp-co...FTP_signon.png "
121.170.178.35: https://www.virustotal.com/en/ip-add...5/information/
> https://www.virustotal.com/en/url/31...2497/analysis/
___
'TurboTax' - phish
- https://myonlinesecurity.co.uk/turbo...date-phishing/
21 Feb 2017 - "Another phishing scam, this time TurboTax:
Screenshot: https://myonlinesecurity.co.uk/wp-co...unt-Update.png
The link goes to http ://whitesandscampground .com/images/www.turbotax.com/index.html where you see this page, asking for all the usual details to steal your identity as well as all your bank and credit card accounts and all your money:
> https://myonlinesecurity.co.uk/wp-co...shing-page.png "
whitesandscampground .com: 205.204.89.214: https://www.virustotal.com/en/ip-add...4/information/
> https://www.virustotal.com/en/url/29...26d6/analysis/
:fear::fear: :mad:
Fake 'Secure Bank Comm' SPAM, Dropbox phish
FYI...
Fake 'Secure Bank Comm' SPAM - delivers Trickbot
- https://myonlinesecurity.co.uk/spoof...anking-trojan/
22 Feb 2017 - "An email with the subject of 'Important – Secure Bank Communication' coming from either Canada Revenue Agency <no-reply@ secure-gc .ca> or Canada Revenue Agency <no-reply@ securegcemail .ca> with a malicious word doc attachment delivers Trickbot banking Trojan...
Screenshot: https://myonlinesecurity.co.uk/wp-co...secure-doc.png
22 February 2017: SecureDoc.doc - Current VirusTotal detections 2/55[1] 2/55[2]
Payload Security [1A] [2A] none of which are showing the download location of the actual Trickbot itself, although it is on VirusTotal 20/58[3]. I am informed[4] the download location is
www .TPSCI .COM/pngg/granionulos.png -or- http ://www .sungkrorsang .com/fileFTP/granionulos.png
which of course is -not- an image file but a renamed .exe... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
1] https://www.virustotal.com/en/file/f...is/1487783258/
2] https://www.virustotal.com/en/file/b...072b/analysis/
1A] https://www.hybrid-analysis.com/samp...ironmentId=100
2A] https://www.hybrid-analysis.com/samp...ironmentId=100
3] https://www.virustotal.com/en/file/8...3427/analysis/
4] https://twitter.com/GossiTheDog/stat...53695299518464
TPSCI .COM: 203.121.180.74: https://www.virustotal.com/en/ip-add...4/information/
> https://www.virustotal.com/en/url/8d...e0cb/analysis/
sungkrorsang .com: 61.19.252.134: https://www.virustotal.com/en/ip-add...4/information/
> https://www.virustotal.com/en/url/77...a633/analysis/
___
Dropbox phish
- https://myonlinesecurity.co.uk/you-h...pbox-phishing/
22 Feb 2017 - "Another phishing email, this time spoofing -Dropbox- where you land on a page with lots of different email providers and the evil scum doing these phishes will pop up the appropriate one for you to enter all your details, pretending that you can now sign into dropbox using your email address. After giving the details you get sent to the genuine DropBox site:
Screenshot: https://myonlinesecurity.co.uk/wp-co...hing_email.png
The -link- goes to http ://www.pedraforte .net/js/index/klnkjfe/dropbox/dropbox/ (there might be other sites, there usually are with these scams) where you see a page looking like:
> https://myonlinesecurity.co.uk/wp-co...x_phishing.png
Select -any- of the links and you get:
> https://myonlinesecurity.co.uk/wp-co..._phishing1.png "
pedraforte .net: 192.185.217.111: https://www.virustotal.com/en/ip-add...1/information/
> https://www.virustotal.com/en/url/85...552e/analysis/
:fear::fear: :mad:
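Two of the posts above turn on the same trick: a file that claims to be an image but is not what it says (the granionulos.png that is really a renamed .exe in the Trickbot post, and the 1×1 pixel logo the rogue Chrome extension uses to stay invisible). The following added example (my own code, not from either blog) inspects an "image" blob by its bytes rather than its name: an MZ header means a Windows executable, and a real PNG is parsed for its IHDR dimensions so a 1×1 placeholder icon can be flagged. The sample blobs are constructed inline and deliberately truncated (no IDAT/IEND chunks, CRC left as zero), since only the header is inspected.

```python
import struct

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

def classify_image_blob(data: bytes) -> dict:
    """Classify bytes that a URL or extension manifest claims are an image.

    Returns 'kind' in {'pe', 'png', 'other'}; for PNGs also the IHDR
    width/height, and 'suspicious' for executables or 1x1 placeholder icons.
    """
    if data[:2] == b"MZ":
        # DOS/PE stub: an "image" starting this way is a renamed executable.
        return {"kind": "pe", "suspicious": True, "reason": "MZ header in image file"}
    if data[:8] == PNG_MAGIC and len(data) >= 24 and data[12:16] == b"IHDR":
        # PNG layout: 8-byte signature, then the IHDR chunk (length, type,
        # width, height, ...). Width and height are big-endian uint32.
        width, height = struct.unpack(">II", data[16:24])
        tiny = width <= 1 and height <= 1
        return {"kind": "png", "width": width, "height": height,
                "suspicious": tiny, "reason": "1x1 pixel icon" if tiny else ""}
    return {"kind": "other", "suspicious": False, "reason": ""}

def make_png_header(width: int, height: int) -> bytes:
    """Constructed PNG signature + IHDR chunk for testing (no image data, CRC zeroed)."""
    ihdr = struct.pack(">II", width, height) + b"\x08\x06\x00\x00\x00"
    return PNG_MAGIC + struct.pack(">I", 13) + b"IHDR" + ihdr + b"\x00\x00\x00\x00"

# Constructed stand-in for a renamed .exe served under a .png name.
FAKE_PNG_EXE = b"MZ\x90\x00\x03\x00" + b"\x00" * 58

if __name__ == "__main__":
    for label, blob in [("granionulos-style .png", FAKE_PNG_EXE),
                        ("extension icon", make_png_header(1, 1)),
                        ("normal icon", make_png_header(48, 48))]:
        print(label, classify_image_blob(blob))
```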
Fake 'debit card' – Phish
FYI...
Fake 'debit card' – Phish
- https://myonlinesecurity.co.uk/dispu...west-phishing/
2 Mar 2017 - "... many email clients, especially on a mobile phone or tablet, only show the NatWest and not the bit in <xxxx>. This one has a HTML page attachment, not even a link to the phishing site in the email body. The attachment has the -link- which goes to:
http ://www .immosouverain .be/css/supst.html which -redirects- you to the actual phishing site:
http ://planurday .in/css/WaL0eHW/4!@_1.php?s0=;87d929c328f8c62a231c1cc95057fb7087d929c328f8c62a231c1cc95057fb70
Screenshot: https://myonlinesecurity.co.uk/wp-co...ns-NatWest.png
All of these emails use social engineering tricks to persuade you to open the attachments that come with the email..."
immosouverain .be: 5.135.218.101: https://www.virustotal.com/en/ip-add...1/information/
planurday .in: 78.142.63.63: https://www.virustotal.com/en/ip-add...3/information/
:fear::fear: :mad:
'Free' AV coupon, Fake 'IRS Urgent' SPAM
FYI...
'Free' AV coupon leads to tech support scam
- https://blog.malwarebytes.com/threat...-support-scam/
Mar 3, 2017 - "... This scheme is actually hosted on the same domain that was running the fake Windows support we described before and our assumption is that users are -redirected- to this coupon page via a similar malvertising campaign. It plays on special offers, discounts and time-limited deals to entice you to claim your product now, choosing between Norton or McAfee. After filling in your personal details (which are actually sent off to the crooks), a page simulates the offer being processed only to fail with an error message. Victims are misled into thinking that their offer was redeemed, but that they -must- perform a final call to get it completed... This is where the tech support scam comes in. Once you call that number, you are routed to an Indian boiler room where one of many agents will take remote control of your computer to figure out what went wrong. (Un)shockingly, the -bogus- technician will identify severe problems that need an immediate fix... Despite the scam being about Norton, the technician brushes it off as useless when it comes to the real deal: “Junk is a kind of virus which is the most harmful virus“. With his technical expertise, he proceeds to highly recommend the most expensive plan, for a lifetime low price of $400. Of course, there is nothing there, it’s a pure rip-off where once they have your money, they couldn’t care less about helping you out (for a problem you didn’t have in the first place anyway)... There are other scam domains also hosted on this IP (166.62.1.15)... Instantpccare .com is familiar and related to a previous investigation* where the owner of that tech support company incriminated himself by posting a comment on our blog which shared the same IP address as the remote technician who had just scammed us. As always, please stay vigilant online when you see 'free coupons' or other similar offers. They often are the gateway to a whole of trouble..."
* https://blog.malwarebytes.com/threat...port-scammers/
> https://blog.malwarebytes.com/tech-support-scams/
166.62.1.15: https://www.virustotal.com/en/ip-add...5/information/
Related:
166.62.1.1: https://www.virustotal.com/en/ip-add...1/information/
___
Fake 'IRS Urgent' SPAM - delivers ransomware
- https://myonlinesecurity.co.uk/spoof...rs-ransomware/
3 Mar 2017 - "... an email with the subject of 'IRS Urgent Notification' pretending to come from Dick Richardson who pretends to be an IRS Tax Officer. I have seen dozens of these and they all come from random email addresses. Dick Richardson changes his job in different emails. Sometimes he is a tax officer or a Tax Specialist or Tax department manager as well as an official representative...
Update: I am reliably informed[1] this is Shade/Troldesh ransomware...
1] https://id-ransomware.malwarehuntert...a894b2e24d5e47
Other subjects include:
Realty Tax Arrears – IRS
Please Note – IRS Urgent Message
IRS Urgent Message
Overdue on Realty Tax ...
One of the emails looks like:
From: Dick Richardson <electric@ oceanicresources .co.uk>
Date: Thu 01/09/2016 19:22
Subject: IRS Urgent Notification
Attachment: link-in-email
Dear Citizen,
My name is Dick Richardson, I am the official representative of the Internal Revenue Service, Realty Tax Department.
My office is responsible for notification of citizens, description of the tax system for them, supporting citizens on issues related to tax procedures, arrears, and payments, etc.
In the present case, I have to notify you that you have the considerable tax arrears pertaining to your property. More specifically, there is the tax debt for your realty – the realty tax. Generally, we make no actions in case of such delays for 4-6 months, but in your context, the overdue period comes to 7 months. Thereby, we must take relevant measures to remedy the situation.
Particularly for your convenience, our specialists have made the full and comprehensive report for you. It contains the full information regarding realty tax accrual, your debt (including the total amount), and the chart of overdue payments for each month of the arrears period.
Please download the report directly from the official server of the IRS, going to the link:
http ://radiotunes .co.uk/wp-content/plugins/simple-social-icons/index0.html
Please study the document at the earliest possible moment. Actually, after receiving this message, you have only 1 day to contact your taxmanager and provide them with the information you get in the report in order to resolve the problem. Differently, significant charges and fines may apply.
Best Regards,
Dick Richardson,
Realty Tax Division
Internal Revenue Service ...
Realty.tax.division.xls.zip: Extracts to: Realty.tax.division.xls.js - Current VirusTotal detections 5/56*
Payload Security** shows a download from
www .metropolisbangkok .com/assets/70958ae0/fonts/gcdf/templates/winscr.exe (VirusTotal 14/58***)...
There are loads of -other- sites in the body of alternative emails downloading the .js file...
The basic rule is NEVER open any attachment -or- link-in-an-email, unless you are expecting it..."
* https://www.virustotal.com/en/file/8...is/1488549054/
** https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts (15)
*** https://www.virustotal.com/en/file/5...efab/analysis/
radiotunes .co.uk: 192.138.189.151: https://www.virustotal.com/en/ip-add...1/information/
> https://www.virustotal.com/en/url/bc...f70f/analysis/
metropolisbangkok .com: 27.254.96.21: https://www.virustotal.com/en/ip-add...1/information/
> https://www.virustotal.com/en/url/20...33c2/analysis/
:fear::fear: :mad:
Fake UPS, USPS, FedEx SPAM
FYI...
Fake UPS, USPS, FedEx SPAM - deliver Cerber ransomware
- https://myonlinesecurity.co.uk/locky...arcel-malspam/
4 Mar 2017 - "... we are noticing that the 2 different malspammed versions of spoofed/faked 'UPS, USPS, FedEx failed to deliver your parcel' malspam are now distributing Cerber ransomware instead of Locky or Sage 2 along with Kovter... I am continuing to document the 2 versions... changes and different sites used to distribute them: HERE[a] and HERE[b]...
a] https://myonlinesecurity.co.uk/spoof...d-locky-sites/
b] https://myonlinesecurity.co.uk/spoof...tiple-malware/
The subjects all mention something about 'failing to deliver parcels' and include:
Courier was not able to deliver your parcel (ID0000333437, FedEx)
Our UPS courier can not contact you (parcel #4633881)
USPS issue #06914074: unable to delivery parcel
Parcel #006514814 shipment problem, please review
USPS parcel #3150281 delivery problem
Courier was not able to deliver your parcel (ID006976677, USPS)
Parcel 05836911 delivery notification, USPS
New status of your UPS delivery (code: 6622630)
Please recheck your delivery address (UPS parcel 004360910)
Status of your USPS delivery ID: 158347377
FedEx Parcel: 1st Attempt Unsuccessful
Delivery Unsuccessful, Reason: No Answer
Express FedEx Parcel #614617064, Current Status: Delivery Failed
... basically identical in the body of the email (the delivery service changes and switches between FedEx, UPS, USPS) ... The attachment is a zip file with a second zip inside it that extracts to a .js file. These have names like UPS-Parcel-ID-4633881.zip that extracts to UPS-Parcel-ID-4633881.doc.zip that extracts to UPS-Parcel-ID-4633881.doc.js...
Screenshot: https://myonlinesecurity.co.uk/wp-co..._v1_cerber.png
... Examples of this version VirusTotal [1-4/56] [2-15/59] [3-7/59] Payload Security [4] [5] [6]...
Currently the format is < site from array.top >/counter/?< variable m > where m is a long set of random looking characters hard coded in the .js file, and the actual download comes from < site name >.top /counter/exe1.exe. Yesterday it was Cerber: VirusTotal [7-3/55] [8-17/59], Payload Security [9]; and /counter/exe2.exe delivers Kovter (VirusTotal 10-10/59). Currently at the time of writing all the .top sites I have listed are down and not responding. As soon as the new set of emails arrive, I will post images of them with any changes."
1] https://www.virustotal.com/en/file/7...is/1488613659/
UPS-Parcel-ID-4633881.doc.js
2] https://www.virustotal.com/en/file/5...is/1488609050/
5d3fa709e29d.png
3] https://www.virustotal.com/en/file/0...is/1488609063/
fe3be7902ac8.png
4] https://www.hybrid-analysis.com/samp...ironmentId=100
UPS-Parcel-ID-4633881.doc.js
Contacted Hosts (1234)
5] https://www.hybrid-analysis.com/samp...ironmentId=100
fe3be7902ac8.png
Contacted Hosts (1088)
6] https://www.hybrid-analysis.com/samp...ironmentId=100
5d3fa709e29d.png
Contacted Hosts (382)
7] https://www.virustotal.com/en/file/5...is/1488510919/
Delivery-Details.js
8] https://www.virustotal.com/en/file/a...b651/analysis/
carved_1.exe
9] https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts (1240)
10] https://www.virustotal.com/en/file/c...is/1488526482/
exe2[1].exe
:fear::fear: :mad:
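The post above gives two concrete things a defender can match on: the download chain (a .top site, a beacon to /counter/?&lt;m&gt; with a long hard-coded token, then /counter/exe1.exe for Cerber or /counter/exe2.exe for Kovter) and the nested-archive naming that ends in a double extension such as UPS-Parcel-ID-4633881.doc.js (the IRS post's Realty.tax.division.xls.js follows the same pattern). This added example, my own code and not the blog's, turns both into checks run over constructed proxy-log lines and attachment names; the .top hostnames, the log line layout and the assumed token length (at least 16 characters) are all my assumptions, not values from the post.

```python
import re
from urllib.parse import urlsplit

# Download chain from the post: <site>.top/counter/?<m> (m = long random-looking
# token hard-coded in the .js), then /counter/exe1.exe (Cerber) or
# /counter/exe2.exe (Kovter). Token length/charset are assumptions.
COUNTER_RE = re.compile(r"^/counter/(?:\?[A-Za-z0-9_\-]{16,}|exe([12])\.exe)$")
# Nested-archive naming from the post: X.zip -> X.doc.zip -> X.doc.js
DOUBLE_EXT_RE = re.compile(r"\.(?:doc|xls|pdf)\.(?:js|jse|wsf|vbs)$", re.IGNORECASE)
VERDICT = {"1": "cerber-download", "2": "kovter-download"}

def classify_url(url: str):
    """Return a verdict for a URL matching the .top/counter/ chain, else None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path + ("?" + parts.query if parts.query else "")
    m = COUNTER_RE.match(path)
    if not host.endswith(".top") or not m:
        return None
    return VERDICT.get(m.group(1), "counter-beacon")

def suspicious_attachment(filename: str) -> bool:
    """Flag double-extension script names such as UPS-Parcel-ID-4633881.doc.js."""
    return bool(DOUBLE_EXT_RE.search(filename))

def scan_proxy_log(lines):
    """Scan 'timestamp client method url status' lines; return [(url, verdict)]."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line, skip rather than guess
        verdict = classify_url(fields[3])
        if verdict:
            hits.append((fields[3], verdict))
    return hits

# Constructed sample log; the .top hostnames are placeholders, not sites from the post.
SAMPLE_LOG = [
    "1488613659 10.0.0.5 GET http://example-a.top/counter/?kQ9zR3tB7mW2xL6vP0nH 200",
    "1488613661 10.0.0.5 GET http://example-a.top/counter/exe1.exe 200",
    "1488613670 10.0.0.7 GET http://example-b.top/counter/exe2.exe 200",
    "1488613675 10.0.0.9 GET http://intranet.example.com/counter/?page=1 200",
    "1488613680 10.0.0.9 GET http://example-c.top/index.html 404",
]

if __name__ == "__main__":
    for url, verdict in scan_proxy_log(SAMPLE_LOG):
        print(f"{verdict:16} {url}")
    print(suspicious_attachment("UPS-Parcel-ID-4633881.doc.js"))
```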