Fake Amazon + Royal Mail SPAM ...
FYI...
Fake Amazon SPAM / 213.152.26.150
- http://blog.dynamoo.com/2014/02/amaz...ur-online.html
27 Feb 2014 - "This fake Amazon spam leads to something bad.
Date: Wed, 26 Feb 2014 13:09:55 -0400 [02/26/14 12:09:55 EST]
From: "Amazon.com" [t1na@ msn .com]
Subject: Important For Your Online Account Access .
Your Account Has Been Held
Dear Customer ,
We take you to note that your account has been suspended for protection , Where the password was entered more than once .
In order to protect ,account has been suspended .Please update your Account Information To verify the account...
Thanks for Update at Amazon .com...
Screenshot: https://lh3.ggpht.com/-I0pRhOGLLtA/U...00/amazon2.png
In the samples that I have seen the link in the email goes to either [donotclick]exivenca .com/support.php or [donotclick]vicorpseguridad .com/support.php both of which are currently -down- but were both legitimate sites hosted on 213.152.26.150 (Neo Telecoms, France). The fact that these sites are down could be because the host is dealing with the problem, however I would expect to see this same email template being used again in the future, so take care.."
___
Fake Royal Mail SPAM
- http://blog.dynamoo.com/2014/02/roya...sory-spam.html
27 Feb 2014 - "This -fake- Royal Mail spam has a malicious payload:
From: Royal Mail noreply@ royalmail .com
Date: 27 February 2014 14:50
Subject: Royal Mail Shipping Advisory, Thu, 27 Feb 2014
Royal Mail Group Shipment Advisory
The following 1 piece(s) have been sent via Royal Mail on Thu, 27 Feb 2014 15:47:17 +0530, REF# GB36187692IE ...
Screenshot: https://lh3.ggpht.com/-Uwr252R1CT4/U.../royalmail.png
This is a ThreeScripts attack, the link in the email goes to:
[donotclick]wagesforinterns .com/concern/index.html
and it then runs one or more of the following scripts:
[donotclick]billigast-el .nu/margarita/garlicky.js
[donotclick]ftp.arearealestate .com/telecasted/earners.js
[donotclick]tattitude .co .uk/combines/cartooning.js
in this case the payload site is at
[donotclick]northwesternfoods .com/sg3oyoe0v2
which is hosted on 23.239.12.68 (Linode, US) along with a bunch of hijacked GoDaddy sites... The payload appears to be an Angler Exploit Kit (see this example*).
Recommended blocklist:
23.239.12.68
billigast-el .nu
ftp.arearealestate .com
tattitude .co .uk
n2ocompanies .com
northerningredients .com
northwesternfoods .com
oziama .com
oziama .net "
* http://urlquery.net/report.php?id=9660606
:fear::fear:
IE10 0-day now Drive-by-Download...
FYI...
IE10 0-day exploited in widespread Drive-by Downloads
- http://www.symantec.com/connect/blog...rive-downloads
Updated: 27 Feb 2014 - "... We’ve observed trends suggesting that attacks targeting this vulnerability are no longer confined to advanced persistent threats (APT) — the zero-day attacks are expanding to attack average Internet users as well. We refer to these attacks as drive-by downloads. This is not a surprising result, as the vulnerability’s exploit code received a lot of exposure, allowing anyone to acquire the code and re-use it for their own purposes. Our internal telemetry shows a big uptick in attempted zero-day attacks. The attacks started to increase dramatically from February 22, targeting users in many parts of the world. Our telemetry shows -both- targeted attacks and drive-by downloads in the mix.
Attacks targeting CVE-2014-0322 around the world
> http://www.symantec.com/connect/site...%20day%201.png
... websites either were modified to host the exploit code for the Internet Explorer zero-day vulnerability or were updated with the insertion of an iframe that redirects the browser to another compromised site hosting the exploit code. If the attack is successful, the exploit drops a banking Trojan that steals login details from certain banks... Microsoft has yet to provide a security update to patch the affected vulnerability. However, the company has offered the following solutions to help users protect their computers from exploits that take advantage of this vulnerability:
- Upgrade to Internet Explorer 11
- Install the Microsoft Fix it workaround solution:
> http://support.microsoft.com/kb/2934088#FixItForMe "
___
Fake Netflix Phish leads to Fake MS Tech Support
- http://blog.malwarebytes.org/fraud-s...-tech-support/
Feb 28, 2014 - "... came across what I first thought was a typical phishing scam targeting Netflix:
> http://cdn.blog.malwarebytes.org/wp-.../02/signin.png
Until I realized it wasn’t, or at least that there was something more to it. Of course it stole my credentials:
> http://cdn.blog.malwarebytes.org/wp-...4/02/phish.png
But it also displayed a message saying my account had been suspended:
> http://cdn.blog.malwarebytes.org/wp-.../suspended.png
In order to fix this issue, you are urged to call “Netflix” at a 1-800 number. If you do a bit of a search you will find out this is -not- the official hotline, so this warranted a deeper investigation. Once I called the number, the rogue support representative had me download a “NetFlix Support Software”:
> http://cdn.blog.malwarebytes.org/wp-...2/software.png
This is nothing else but the popular remote login program TeamViewer:
> http://cdn.blog.malwarebytes.org/wp-.../downloads.png
After remotely connecting to my PC, the scammer told me that my Netflix account had been suspended because of illegal activity. This was supposedly due to hackers who had infiltrated my computer as he went on to show me the scan results from their own ‘Foreign IP Tracer’, a -fraudulent- custom-made Windows batch script... According to him, there was only one thing to do: To let a Microsoft Certified Technician fix my computer. He drafted a quick invoice and was kind enough to give me a $50 Netflix coupon (fake of course) before transferring me to another technician... During our conversation, the scammers were not idle. They were going through my personal files and uploading those that looked interesting to them, such as ‘banking 2013.doc‘... Another peculiar thing is when they asked me for a picture ID and a photo of my credit card since the Internet is not secure and they needed proof of my identity. I could not produce one, therefore they activated my webcam so that I could show said cards to them onto their screen... This is where it ended as my camera was disabled by default. The scammers were located in India, information gathered from the TeamViewer logfile... -never- let anyone take remote control of your computer unless you absolutely trust them. This scam took place in a controlled environment that had been set up specifically for that purpose..."
:fear::fear:
Fake Companies House, Fake Urgent eviction SPAM ...
FYI...
The ThreatCon is currently at Level 2: Elevated
- http://www.symantec.com/security_res...atconlearn.jsp
Mar 2, 2014 - "On February 19, 2014, Microsoft released a security advisory confirming a limited, targeted attacks that attempt to exploit a vulnerability in Internet Explorer 9 and 10. The exploit is now being used in mass attacks. Customers are advised to update to Internet Explorer 11 or apply the Microsoft Fix it* solution described in the Microsoft Security Advisory. A security patch has yet to be released.
Microsoft Security Advisory (2934088) Vulnerability in Internet Explorer Could Allow Remote Code Execution"
* http://support.microsoft.com/kb/2934088#FixItForMe
> http://www.netmarketshare.com/browse...=0&qpcustomd=0
Feb 2014 - IE: 58%
___
Fake Companies House SPAM
- http://blog.dynamoo.com/2014/02/comp...9670-spam.html
28 Feb 2014 - "This -fake- Companies House spam leads to malware:
From: Companieshouse.gov.uk [web-filing@companies-house .gov .uk]
Date: 28 February 2014 12:55
Subject: Spam FW: Case - 6569670
A company complaint was submitted to Companies House website.
The submission number is 6569670
For more details please click : https ://companieshouse .gov .uk/Case?=6569670
Please quote this number in any communications with Companies House.
All Web Filed documents are available to view / download for 10 days after their
original submission. However it is not possible to view copies of accounts that
were downloaded as templates.
Companies House Executive Agency may use information it holds to prevent
and detect fraud. We may also share such information, for the same purpose,
with other organisations that handle public funds.
If you have any queries please contact the Companies House Contact Centre ...
Screenshot: https://lh3.ggpht.com/-_WHfOqxcvGU/U...es-house-4.png
The link in the email goes to:
[donotclick]economysquareshoppingcenter .com/izmir/index.html
in turn this runs one or more of the following scripts:
[donotclick]homedecorgifts .biz/outfitted/mascara.js
[donotclick]www.coffeemachinestorent .co.uk/disusing/boas.js
[donotclick]citystant .com/trails/pulitzer.js
[donotclick]rccol.pytalhost .de/turban/cupped.js
which in turn leads to a payload site at:
[donotclick]digitec-brasil .com.br/javachecker.php?create=3019&void-cat=4467&first-desk=9002
According to this URLquery report*, the payload site has some sort of Java exploit.
Recommended blocklist:
digitec-brasil .com.br
homedecorgifts .biz
coffeemachinestorent .co.uk
citystant .com
rccol.pytalhost .de "
* http://urlquery.net/report.php?id=9706278
___
Fake Urgent eviction notification - Asprox...
- http://stopmalvertising.com/spam-sca...ecosystem.html
Feb 28, 2014 - "The latest Asprox / Kuluoz spam template consists of an unsolicited email appearing to be from ppmrental .com. Prospectors Property Management is a Real Estate Agency located in Morgan Hill, California. The emails arrive with the subject line "Urgent eviction notification". The spammed out message notifies the recipient that as a trespasser they need to move out from their property before the 21 March 2014 and leave the property empty of their belongings and trash. The addressee must contact the Real Estate without delay in order to make arrangements to move out. Failure to do so could result in being locked out of the house. A detailed bank statement as well as the Real Estate's contact information can be found in the attachment. The executable file inside the ZIP archive poses as a Microsoft Word Document. This is one of the main reasons why you should never trust a file by its icon. Make sure that Windows Explorer is set to show file extensions and always pay attention to the file extension instead. The payload, Urgent_notice_of_eviction.exe will start up an instance of svchost.exe before accessing the internet. A copy of the executable will be copied under a random name to the %User Profile%\Local Settings\Application Data folder. A small downloader - bqoqusgj.exe in our analysis - will be fetched from the C&C together with 3 other files:
vbxghrke - 66.5 KB (68,161 bytes)
kqrbfxel - 12.0 KB (12,326 bytes)
ihxqgwcu.exe - 140 KB (143,360 bytes)
A new start up entry will be created for ihxqgwcu.exe so that the program starts each time Windows starts but the executable isn’t launched yet. In meanwhile bqoqusgj.exe will download two files posing as Updates for the Flash Player: updateflashplayer_9e26d2b2.exe (libs5.8/jquery directory) and UpdateFlashPlayer_266a0199.exe (libs5.8/ajax directory).
> http://stopmalvertising.com/research...-infogram1.jpg
... Updateflashplayer_9e26d2b2.exe will instantly shutdown and reboot the computer. A series of error messages will appear upon reboot as the malicous binary has deleted several critical registry keys belonging to Antivirus / Firewall / HIPS applications...The Asprox ad fraud binary also makes sure that the computer can’t boot in Safe Mode by deleting the corresponding registry entries. As seen below, booting the computer in safe mode results in a blue screen.
> http://stopmalvertising.com/research...-infogram2.jpg
... For an in-depth analysis of Asprox / Kuluoz please refer to: Analysis of Asprox and its New Encryption Scheme*... Email:
> http://stopmalvertising.com/research...infogram10.jpg
... IP Details
46.161.41.154
37.221.168.50
109.163.239.243 ...
14.54.223.133
37.193.48.182 (504)
37.115.155.128
72.227.178.35
90.154.249.71
91.225.93.237
100.2.223.97
109.226.203.101
176.212.145.163
188.129.241.164
213.231.48.242 ..."
(More detail at the stopmalvertising URL above.)
* http://stopmalvertising.com/malware-...on-scheme.html
- http://tools.cisco.com/security/cent...?alertId=33147
2014 Mar 03
:mad: :fear:
Malware sites to block ...
FYI...
Malware sites to block ...
- http://blog.dynamoo.com/2014/03/malw...lock-2314.html
2 Mar 2014 - "These domains and IPs are all connected with this gang*, some of it appears to be involved in -malware- distribution, -fraud- or other illegal activities. I recommend that you -block- these IPs and domains. Note that some of the IPs listed below are compromised nameservers (marked [ns]) which look like they are insufficiently well locked down. There is a plain list of IPs at the end for copy-and-pasting..."
(Long list at the URL above.)
* http://blog.dynamoo.com/2014/03/seek...job-offer.html
2 Mar 2014
___
Rising use of Malicious Java Code ...
- https://www.trusteer.com/blog/rising...infiltration-0
Mar 3, 2014 - "... exploit kits such as the Blackhole and Cool exploit kit were found to be using unpatched Java vulnerabilities... to install malware..."
Extract from the 2014 IBM X-Force Threat Intelligence Quarterly report
Exploited apps - Dec 2013
> https://www.trusteer.com/sites/defau...eenShot609.png
Java vulnerabilities - 2010-2013
> https://www.trusteer.com/sites/defau...eenShot610.png
:mad: :fear:
Phone Phishing, Data Breaches, and Banking Scams ...
FYI...
Phone Phishing, Data Breaches, and Banking Scams
- http://blog.trendmicro.com/trendlabs...banking-scams/
Mar 4, 2014 - "... I received a rather unusual call that claimed to be from National Australia Bank (NAB), one of the four largest banks in Australia. The caller had my complete name and my address. They claimed that they had flagged a suspicious transaction from my account to an Alex Smith in New Zealand to the tune of 700 Australian dollars. They needed my NAB number to confirm if the transaction was legitimate. There was just one problem with this seemingly plausible call: I wasn’t an NAB customer. I offered to call them back – and when I did so, they simply hung up on me. These sorts of calls are not the only threats that arrive via phone – for example, fake “support” calls that are supposedly from Microsoft* that offer to remove malware from user PCs are sadly commonplace. To most users who simply go about their daily lives, these calls can sound quite convincing and can cause a lot of problems... How did they get that all that information? We don’t know. However, it’s very possible that somebody somewhere had a data breach. They may not have known about it, or they may have decided that since the information “wasn’t critical” – say, they didn’t have my credit card or banking credentials – that it was harmless. However, now you can see how seemingly “harmless” information can be used to carry out real fraud. Since last year, we’ve been pointing out the huge gains in banking malware**. Just as support scams can be thought of as a “real-world” equivalent to ransomware and fake antivirus, so can these sort of phishing calls be the equivalent of these banking malware threats..."
* http://www.microsoft.com/security/on...cy/msname.aspx
** http://blog.trendmicro.com/trendlabs...urity-roundup/
___
Twitter sends password reset emails by mistake, admits it wasn't hacked
- http://www.theinquirer.net/inquirer/...nt-been-hacked
Mar 04 2014 - "... Twitter sent a number of password reset emails on Monday evening due to a system error. The firm contacted users with the sort of messages usually seen when attackers are taking over accounts. Twitter's email has been shared on the microblogging website, of course, and picked up by the Recode website. The missive presented itself as one of those 'you've been hacked' emails, and informed users about their scorched logins. "Twitter believes that your account may have been compromised by a website or service not associated with Twitter," it said. "We've reset your password to prevent accessing your account." Users took to Twitter to fret about the email, and a search on "Twitter hack" turns up a range of panicked missives and messages of thanks to Twitter for its speedy intervention. Later though, in a statement to Recode, the firm admitted that it had been the victim of nothing more than a system error. "We unintentionally sent some password reset notices tonight due to a system error," it said. "We apologise to the affected users for the inconvenience." Users could not be blamed to worrying about the phantom attack, as we have already seen a large number of security breaches this year already..."
___
Orange MMS Message Spam
- http://threattrack.tumblr.com/post/7...s-message-spam
Mar 4, 2014 - "Subjects Seen:
MMS message from: +447974******
Typical e-mail details:
You have received MMS message from: +447974778589
You can find the contents of the message in the attachment
If you have any questions regarding this automated message please contact Orange Customer Support
Malicious File Name and MD5:
MMS_C0BFB6C0B8.zip (3A123E39BDCAC7ED1127206502C1598C)
MMS_87436598.exe (10F21C0F2C3C587A509590FA467F8775)
Screenshot: https://gs1.wac.edgecastcdn.net/8019...hjQ1r6pupn.png
Tagged: Orange, Androm
___
Bitcoin bank Flexcoin shuts down after theft
- http://www.reuters.com/article/2014/...A2329B20140304
Mar 4, 2014 - "Bitcoin bank Flexcoin said on Tuesday it was closing down after it lost bitcoins worth about $600,000 to a hacker attack. Flexcoin said in a message posted on its website that all 896 bitcoins stored online were stolen on Sunday. "As Flexcoin does not have the resources, assets, or otherwise to come back from this loss, we are closing our doors immediately," the company said. [ http://www.flexcoin.com/ ] Alberta, Canada-based Flexcoin, which is working with law enforcement agencies to trace the source of the hack, said it would return bitcoins stored offline, or in "cold storage", to users. Cold storage coins are held in computers not connected to the Internet and therefore cannot be hacked... Bitcoin is a digital currency that, unlike conventional money, is bought and sold on a peer-to-peer network independent of central control. Its value soared last year, and the total worth of bitcoins minted is now about $7 billion..."
:fear: :sad:
Deceptive ads expose users to PUA ...
FYI...
Deceptive ads expose users to PUA ...
- http://www.webroot.com/blog/2014/03/...d-application/
Mar 6, 2014 - "Deceptive ads continue to represent the primary distribution vector for the vast majority of Potentially Unwanted Applications (PUAs) that we track. Primarily relying on ‘visual social engineering’ tactics, gullible end users fall victims to these privacy-violating applications, largely due to the fact that they instantaneously agree to the terms in the End User’s Agreement presented to them. We’ve recently spotted yet another variant of the InstallBrain family of Potentially Unwanted Applications (PUA’s), tricking users into installing a bogus PC performance boosting application... actionable intelligence on the domains/IPs and related privacy-violating MD5s known to have shared the same infrastructure as the initial PUA profiled in this post...
Sample screenshot of the landing page:
> https://www.webroot.com/blog/wp-cont..._Performer.png
... Sample detection rate for PurpleTech Software Inc’s PC Performer:
MD5: f85a9d94027c2d44f33c153b22a86473* ... Once executed, the sample phones back to:
hxxp:// inststats-1582571262.us-east-1.elb.amazonaws .com – 23.21.180.138
hxxp:// api.ibario .com – 50.22.175.81
hxxp:// 107.20.142.228 /service/stats.php?sv=1
hxxp:// 174.36.241.169 /events
Domain name reconnaissance:
api.ibario .com – 50.22.175.81; 96.45.82.133; 96.45.82.197; 96.45.82.69; 96.45.82.5
thepcperformer .com – 96.45.82.5; 96.45.82.69; 96.45.82.133; 96.45.82.197 ...
... responded to the same C&C server (23.21.180.138) ...
... phoned back to the same IP (50.22.175.81)..."
* https://www.virustotal.com/en/file/1...is/1394030288/
:mad: :fear:
Fake TurboTax: E-file successful email
FYI...
Fake TurboTax: E-file successful email
- http://security.intuit.com/alert.php?a=101
3/7/14 - " People are receiving fake emails with the title "TurboTax: E-file Successful." Below is a copy of the email people are receiving:
> http://security.intuit.com/images/ttsuccessful.jpg
___
This is the end of the -fake- email.
Steps to Take Now
Do not open any attachment or click any links in the email...
Delete the email."
___
Threat Outbreak Alerts
- http://tools.cisco.com/security/cent...utbreak.x?i=77
Fake Bank Transaction Statement Email Messages - 2014 Mar 07
Email Messages with Malicious Attachments - 2014 Mar 07
Fake Product Invoice Notification Email Messages - 2014 Mar 07
Fake Account Payment Information Email Messages - 2014 Mar 07
Fake Product Order Notification Email Messages - 2014 Mar 07
Fake Failed Delivery Notification Email Messages - 2014 Mar 07
Fake Fax Message Delivery Email Messages - 2014 Mar 07
Fake Fax Delivery Email Messages - 2014 Mar 07
Fake Payment Transaction Notification Email Messages - 2014 Mar 06...
(Links / more info at the cisco URL above.)
___
Friday (Spam) Roundup
- http://blog.malwarebytes.org/online-...-spam-roundup/
Mar 7, 2014 - "... spam for the weekend?
1) Bitcoin spam: http://cdn.blog.malwarebytes.org/wp-...3/bitspam1.jpg
“Buy and sell Bitcoins!
Find the best places online to buy / sell Bitcoin currency”
The link just takes clickers to what appears to be a parked domain with sponsored links. In other words, delete / avoid.
2) Skype Team Direct Messages: http://cdn.blog.malwarebytes.org/wp-...3/bitspam2.jpg
“Direct message from Skype Team
Skype
Direct Message
View Message
Respectfully,
Skype Service”
3) Pharmacy msgs: http://cdn.blog.malwarebytes.org/wp-...3/bitspam3.jpg
4) TV spamblog spam [-not- email based]: ... when scammers try to take advantage of a service like Google Docs they’re going phishing. I saw this and thought it was at least a little unusual – Google Docs being used to spam a cookie-cutter spamblog promising free TV shows. I’m sure you’ve seen those spam posts across the net...
> http://cdn.blog.malwarebytes.org/wp-...3/bitspam5.jpg "
:mad: :fear:
Q4-2013 McAfee Threat Report, Facebook scam...
FYI...
Q4-2013 McAfee Threat Report
- https://net-security.org/malware_news.php?id=2727
Mar 10, 2014 - "... By the end of 2013, McAfee Labs saw the number of malicious signed binaries in our database -triple- to more than 8 million suspicious binaries. In the fourth quarter alone, McAfee Labs found more than 2.3 million new malicious signed applications, a 52 percent increase from the previous quarter. The practice of code signing software validates the identity of the developer who produced the code and ensures the code has not been tampered with since the issue of its digital certificate...
> http://www.net-security.org/images/a...afee032014.jpg
... Additional findings:
- Mobile malware. McAfee Labs collected 2.47 million new mobile samples in 2013, with 744,000 in the fourth quarter alone. Our mobile malware zoo of unique samples grew by an astounding 197 percent from the end of 2012.
- Ransomware. The volume of new ransomware samples rose by 1 million new samples for the year, doubling in number from Q4 2012 to Q4 2013.
- Suspicious URLs. McAfee Labs recorded a 70 percent increase in the number of suspect URLs in 2013.
- Malware proliferation. In 2013, McAfee Labs found 200 new malware samples every minute, or more than three new threats every second.
- Master boot record-related. McAfee Labs found 2.2 million new MBR-attacks in 2013.
The complete report is available here*."
* http://www.mcafee.com/us/resources/r...at-q4-2013.pdf
___
Facebook scam: naked videos of friends - delivers Trojans instead
- https://net-security.org/malware_news.php?id=2728
Mar 10, 2014 - "Bitdefender has discovered that more than 1,000 people have already been tricked into installing Trojan malware after clicking on a new Facebook scam that promises naked videos of their friends. The UK was the second most affected country by number of users and infections were also detected in France, Germany, Italy and Romania.
> http://www.net-security.org/images/a...nder032014.jpg
The scam, now spreading on the social network, can multiply itself by tagging users’ friends extremely quickly. To avoid detection, cybercriminals vary the scam messages by incorporating the names of Facebook friends alongside “private video,” “naked video” or “XXX private video”... To increase the infection rate, the malware has multiple installation possibilities. Besides the automated and quick drop on the computer or mobile device, it also multiplies itself when users -click- the -fake- Adobe Flash Player update. To make the scam more credible, cybercriminals faked the number of views of the adult video to show that over 2 million users have allegedly clicked on the infected YouTube link..."
___
Malware peddler tryouts: different exploit kits
- https://net-security.org/malware_news.php?id=2729
Mar 10, 2014 - "Websense researchers* have been following several recent -email-spam- campaigns targeting users of popular services such as Skype and Evernote, and believe them to be initiated by the infamous ru:8080 gang, which a history of similar spam runs impersonating legitimate Internet services such as Pinterest, Dropbox, etc. These latest campaigns start with -spoofed- emails purportedly alerting the recipients to a message/image they have received on Skype and Evernote, offering an embedded link that leads to compromised sites hosting an exploit kit. In the past, the aforementioned gang's preferred exploit kit was Blackhole, but with the arrest and prosecution of its creator... they have switched first to using the Magnitude, then the Angler and, finally, the Goon exploit kit. This group is currently focusing more on UK users, but targets US and German users as well... This gang typically pushes information-stealing trojans such as Cridex, Zeus GameOver, and click-fraud trojans like ZeroAccess onto the users, but they have also been known to deliver ransomware and worms. In this last few cases, the delivered malware is a Zeus variant that was initially detected by just a handful of commercial AV solutions..."
* http://community.websense.com/blogs/...loit-kits.aspx
___
Fake gateway .gov .uk SPAM
- http://blog.dynamoo.com/2014/03/gate...ovuk-spam.html
10 Mar 2014 - "This -fake- spam from the UK Government Gateway comes with a malicious payload:
Date: Mon, 10 Mar 2014 12:04:21 +0100 [07:04:21 EDT]
From: gateway.confirmation@ gateway .gov .uk
Subject: Your Online Submission for Reference 485/GB3283519 Could not process
Priority: High
The submission for reference 485/GB3283519 was successfully received and was not
processed.
Check attached copy for more information.
This is an automatically generated email. Please do not reply as the email address is not
monitored for received mail.
Attached is a file GB3283519.zip which in turn contains a malicious executable GB10032014.pdf.scr which has an icon that makes it look like a PDF file. This has a VirusTotal detection rate of 7/50*. Automated analysis tools... show attempted downloads from i-softinc .com on 192.206.6.82 (MegaVelocity, Canada) and icamschat .com on 69.64.39.215 (Hosting Solutions International, US). I would recommend that you -block- traffic to the following IPs and domains:
192.206.6.82
i-softinc .com
icamschat .com "
* https://www.virustotal.com/en-gb/fil...is/1394462821/
___
MS Account 'Outlook Web Access' Phish ...
- http://www.hoax-slayer.com/outlook-w...ing-scam.shtml
Mar 10, 2014 - "Email purporting to be from the Microsoft Account Team claims that recipients must click a link to upgrade their email account and set up Outlook Web Access. The email is -not- from Microsoft and the claim that users must click a link to upgrade their email accounts is a lie. The message is a phishing scam designed to trick users into sending their Microsoft account login details to criminals.
Example:
> http://www.hoax-slayer.com/images/mi...cam-2014-1.jpg
... the email is -not- from Microsoft and the claim that users must follow a link to upgrade their email account is untrue. Instead, the email is a criminal ruse designed to trick people into giving their Microsoft account details to cybercriminals. Those who fall for the trick and click one of the links as instructed will be taken to a -bogus- 'Microsoft' website that displays the following login form:
> http://www.hoax-slayer.com/images/mi...cam-2014-2.jpg
Once they have added their email address and password, victims will then be presented with a message claiming that their 'Outlook account was updated successfully'. Within a few seconds, they will be redirected to a genuine Microsoft website. Meanwhile, the criminals responsible for the phishing campaign can use the stolen credentials to hijack the real Microsoft accounts belonging to their victims. A 'Microsoft account' is the new name for what was previously known as a 'Windows Live ID.' The one set of login details can be used to access a number of Microsoft services, and are thus a valuable target for scammers..."
:mad: :fear:
DDoS attack - WordPress pingback abuse, Twitter crash, Bitcoin risks ...
FYI...
DDoS attack - WordPress pingback abuse...
- http://blog.sucuri.net/2014/03/more-...ce-attack.html
Mar 10, 2014 - "Distributed Denial of Service (DDOS) attacks are becoming a common trend on our blog lately, and that’s OK because it’s a very serious issue for every website owner... Any WordPress site with Pingback enabled (which is on by default) can be used in DDOS attacks against other sites. This is a well known issue within WordPress and the core team is aware of it, it’s not something that will be patched though. In many cases this same issue is categorized as a feature, one that many plugins use..."
* http://it-beta.slashdot.org/story/14...into-spotlight
Mar 12, 2014
- http://arstechnica.com/security/2014...l-ddos-attack/
Mar 11 2014
___
Malware found in Google Play Store
- http://blog.malwarebytes.org/mobile-...le-play-store/
Mar 12, 2014 - "Most experts agree the best way to stay safe from Android malware is to stick to trusted sources–specifically the Play Store. Unfortunately, those sources can sometimes be compromised. In the last week there have been -two- malware families found in Google’s Play Store... The first one, found by Lookout Security*, is a remote administration tool called Dendroid.
> http://cdn.blog.malwarebytes.org/wp-...dendriod02.jpg
This particular malware is a variant of the publicly available remote tool AndroRAT. Dendroid was advertised as “Parental Control” in the Play Store... This Play Store version of Dendroid was discovered only a couple of days after Dendroid was uncovered from the underworld by Symantec**, which means Google was -unaware- of the malicious code at the time... The second app was uncovered by Avast*** and is a SMS -Trojan- disguised as a night vision app.
> http://cdn.blog.malwarebytes.org/wp-.../fakecam01.jpg
The Trojan is capable of looking up contact numbers in a social messaging apps like WhatsApp, Telegram, and ChatON. Once the number is collected it’s sent to a remote server and the numbers are used to register for a premium service costing up to $50... Both of these apps have been removed from the Play Store... Android malware continues to increase and at times they’re able to sneak into places we trust..."
* https://blog.lookout.com/blog/2014/03/06/dendroid/
** http://www.symantec.com/connect/blog...h-out-dendroid
*** http://blog.avast.com/2014/03/07/goo...ndroid-market/
___
Twitter crashes... again
- http://www.reuters.com/article/2014/...A2A1NY20140311
Mar 11, 2014 - "Twitter Inc crashed on Tuesday for the second time in nine days when a software glitch stalled the popular messaging service for about one hour. The company apologized to its 250 million users in a status blog, saying it had encountered "unexpected complications" during "a planned deploy in one of our core services." The outage began around 11 a.m. Pacific time and service had "fully recovered" by 11:47 a.m., the San Francisco-based company said..."
___
Beware Bitcoin: U.S. brokerage regulator
- http://www.reuters.com/article/2014/...A2A1OJ20140311
Mar 11, 2014 - "Bitcoin can expose people to significant losses, fraud and theft, and the lure of a potential quick profit should not blind investors to the virtual currency's significant risks, a brokerage industry watchdog warned on Tuesday. In an investor alert* titled "Bitcoin: More than a Bit Risky,"* the Financial Industry Regulatory Authority (FINRA) said recent events such as the bankruptcy of Bitcoin exchange operator Mt. Gox have spotlighted some of the currency's risks..."
* http://www.finra.org/Newsroom/NewsReleases/2014/P457519
:fear: :sad: