-
Exploit Kits - OVH Canada / r5x .org ...
FYI...
Exploit Kits - OVH Canada / r5x .org / Penziatki
- http://blog.dynamoo.com/2014/03/evil...penziatki.html
13 Mar 2014 - "Hat tip to Frank Denis (@jedisct1)* for this report** on Nuclear EK's hosted by OVH Canada using their infamous "Penziatki" customer which is linked to black-hat host r5x .org***. The blocks have been identified as belonging to that customer and I would recommend that you block them:
198.27.114.16/30
198.27.114.64/27
198.50.186.232/30
198.50.186.236/30
198.50.186.252/30
198.50.231.204/30
OVH Canada have repeatedly hosted exploit kits for this customer... If you are in a security-sensitive environment then you might simply want to block traffic to the following ranges:
198.27.0.0/16
198.50.0.0/16
Of course this will block many legitimate sites, but if stopping exploit kits is a priority over some user inconvenience then you may want to consider it. If you want a slightly more nuanced blocklist then these ranges contain the biggest concentration of malware:
198.27.114.0/24
198.50.172.0/24
198.50.186.0/24
198.50.197.0/24
198.50.231.0/24 ..."
(More detail at the dynamoo URL above.)
* https://twitter.com/jedisct1
** https://gist.github.com/jedisct1/9509527 - Nuclear Exploit Kit Mar 12
*** http://blog.dynamoo.com/search/label/R5X.org
> http://google.com/safebrowsing/diagnostic?site=AS:16276
___
Malware sites to block 13/3/14
- http://blog.dynamoo.com/2014/03/malw...ock-13313.html
13 Mar 2014 - "These IPs and domains seem to be involved in injection attacks today. I recommend you block them.
64.120.242.178
188.226.132.70
93.189.46.90 ...
The domains being abused are as follows.. many of them appear to be hijacked legitimate domains..."
(Many others listed at the dynamoo URL above.)
___
Fake Blood count result - fake PDF malware
- http://myonlinesecurity.co.uk/import...e-pdf-malware/
13 Mar 2014 - "This email saying IMPORTANT Complete blood count result pretending to come from NICE (National Institute for Health and Care Excellence) has to be the most vicious and evil attempt by any malware purveyor to try to infect a victim. Sending an email saying that you probably have cancer will alarm & distress so many people and is just the most offensive and disgusting attempt to trick a user into opening a malware attachment... another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Other subjects in this evil email attempt to infect you are:
- IMPORTANT:Blood analysis result
- IMPORTANT:Blood analysis
- IMPORTANT:Complete blood count (CBC)result ...
> http://myonlinesecurity.co.uk/wp-con...-CBCresult.png
... 13 March 2014: CBC_Result_9B4824B65E.zip (55kb) Extracts to CBC_scaned_584444449.pdf.exe
Current Virus total detections: 2/50*... careful when unzipping them and make sure you have “show known file extensions enabled”**, and then look carefully at the unzipped file. If it says .EXE then it is a problem and should not be run or opened."
* https://www.virustotal.com/en/file/d...is/1394703905/
** http://myonlinesecurity.co.uk/why-yo...wn-file-types/
___
Key Secured Message -fake- PDF malware
- http://myonlinesecurity.co.uk/key-se...e-pdf-malware/
13 March 2014 - "Key Secured Message pretending to come from Payroll Reports <payroll @quickbooks .com> is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers. Almost all of these have a password stealing component, with the aim of stealing your email or FTP ( web space) log in credentials. Many of them are also designed to specifically steal your facebook and other social network log in details...
> http://myonlinesecurity.co.uk/wp-con...ed-Message.png
... Extracts to NIKON-2013564-JPEG.scr ... Current Virus total detections: 2/50*
This Key Secured Message is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email. Whether it is a message saying “look at this picture of me I took last night” and it appears to come from a friend or is more targeted at somebody who regularly is likely to receive PDF attachments or Word .doc attachments or any other common file that you use every day..."
* https://www.virustotal.com/en-gb/fil...55c2/analysis/
___
Fake Sky .com "Statement of account" SPAM
- http://blog.dynamoo.com/2014/03/skyc...ount-spam.html
13 Mar 2014 - "This -fake- Sky .com email comes with a malicious attachment:
Date: Thu, 13 Mar 2014 12:23:09 +0100 [07:23:09 EDT]
From: "Sky .com" [statement@ sky .com]
Subject: Statement of account
Afternoon,
Please find attached the statement of account.
We look forward to receiving payment for the December invoice as this is now due for
payment.
Regards, Carmela ...
Wilson McKendrick LLP Solicitors ...
Attached is an archive Statement.zip which in turn contains a malicious executable Statement.scr which has a VirusTotal detection rate of 6/50*. Automated analysis tools... show attempted connections to the following domains and IPs:
188.247.130.190 (Prime Telecom SRL, Romania)
gobemall .com
gobehost .info
184.154.11.228 (Singlehop, US)
terenceteo .com
184.154.11.233 (Singlehop, US)
quarkspark .org
The two Singlehop IPs appear to belong to Host The Name (hostthename .com) which perhaps indicates a problem at that reseller.
Recommended blocklist:
184.154.11.228
184.154.11.233
188.247.130.190
gobemall .com
gobehost .info
terenceteo .com
quarkspark .org "
* https://www.virustotal.com/en-gb/fil...is/1394715270/
___
HM Revenue & Customs Spam
- http://threattrack.tumblr.com/post/7...e-customs-spam
Mar 12, 2014 - "Subjects Seen:
HMRC Tax Notice
Typical e-mail details:
Dear <email address>
Please be advised that one or more Tax Notices (P6, P6B) have been issued.
For the latest information on your Tax Notices (P6, P6B) please open attached report.
Document Reference: 6807706.
Malicious File Name and MD5:
PDF_Scanned_HMRCBBD45F6647.zip (09BA8CF32FDDE3F73EA8F2E6F75BDF1E)
scaned_7246582_pdf_4364534533.exe (3F347C85BEA303904975FF0A8DE49E7E)
Screenshot: https://gs1.wac.edgecastcdn.net/8019...Ge41r6pupn.png
Tagged: HMRC, weelsof
:mad: :fear:
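Added example (not code from the quoted posts or from dynamoo.com): the dynamoo post above gives three tiers of OVH Canada ranges (the narrow customer blocks, the /24s with the heaviest malware concentration, and the blunt /16s). Before deciding which tier to block, it helps to run existing proxy logs through the lists and see which tier each hit falls in. The script below does that with Python's standard ipaddress module; the log lines are constructed samples in an assumed squid-like "timestamp client dest" layout, and the .invalid hostnames are made up.

```python
"""Match destination IPs from proxy logs against the tiered OVH Canada
blocklists quoted in the dynamoo post (13 Mar 2014).  Added example, not code
from the original post or from dynamoo.com.  Log lines below are constructed."""
import ipaddress
import re

# Tier 1: blocks the post attributes to the "Penziatki" / r5x.org customer.
CUSTOMER_BLOCKS = [
    "198.27.114.16/30", "198.27.114.64/27", "198.50.186.232/30",
    "198.50.186.236/30", "198.50.186.252/30", "198.50.231.204/30",
]
# Tier 2: /24s the post says carry the biggest concentration of malware.
DENSE_SUBNETS = [
    "198.27.114.0/24", "198.50.172.0/24", "198.50.186.0/24",
    "198.50.197.0/24", "198.50.231.0/24",
]
# Tier 3: the blunt /16s the post offers for security-sensitive environments.
BROAD_RANGES = ["198.27.0.0/16", "198.50.0.0/16"]

# Most specific tier first, so a hit is reported against the narrowest list.
TIERS = [
    ("customer", [ipaddress.ip_network(n) for n in CUSTOMER_BLOCKS]),
    ("dense-subnet", [ipaddress.ip_network(n) for n in DENSE_SUBNETS]),
    ("broad-/16", [ipaddress.ip_network(n) for n in BROAD_RANGES]),
]


def classify(ip):
    """Return (tier, matching network) for the most specific tier covering ip,
    or (None, None) when none of the lists covers it."""
    addr = ipaddress.ip_address(ip)
    for tier, nets in TIERS:
        for net in nets:
            if addr in net:
                return tier, str(net)
    return None, None


# Constructed sample log lines (assumed layout: timestamp, client, dest IP, ...).
SAMPLE_LOG = """\
1394700001.123 10.0.0.12 198.27.114.18 TCP_MISS/200 GET http://example-a.invalid/
1394700002.456 10.0.0.12 198.50.172.77 TCP_MISS/200 GET http://example-b.invalid/
1394700003.789 10.0.0.15 198.50.9.9 TCP_MISS/200 GET http://example-c.invalid/
1394700004.000 10.0.0.15 93.184.216.34 TCP_MISS/200 GET http://example.com/
"""

LOG_RE = re.compile(r"^\S+ (\S+) (\d{1,3}(?:\.\d{1,3}){3}) ")


def scan_log(text):
    """Return (client, dest, tier, net) for every line whose destination is
    covered by a list; the tier tells the admin how blunt that match is."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, dest = m.groups()
        tier, net = classify(dest)
        if tier:
            hits.append((client, dest, tier, net))
    return hits


if __name__ == "__main__":
    for client, dest, tier, net in scan_log(SAMPLE_LOG):
        print(f"{client} -> {dest}  [{tier}: {net}]")
```

A destination that only shows up under "broad-/16" is exactly the collateral-damage case the post warns about (legitimate OVH customers), so those hits deserve a look before the /16s go into a firewall rule.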
-
Google Docs users Targeted - Phishing Scam ...
FYI...
Google Docs users Targeted - Phishing Scam
- http://www.symantec.com/connect/blog...-phishing-scam
13 Mar 2014 - "We see -millions- of phishing messages every day, but recently, one stood out: a sophisticated scam targeting Google Docs and Google Drive users. The scam uses a simple subject of "Documents" and urges the recipient to view an important document on Google Docs by clicking on the included link. Of course, the link doesn't go to Google Docs, but it does go to Google, where a very convincing fake Google Docs login page is shown:
Google Docs phishing login page:
> http://www.symantec.com/connect/site...site_image.png
The -fake- page is actually hosted on Google's servers and is served over SSL, making the page even more convincing. The scammers have simply created a folder inside a Google Drive account, marked it as public, uploaded a file there, and then used Google Drive's preview feature to get a publicly-accessible URL to include in their messages. This login page will look familiar to many Google users, as it's used across Google's services. (The text below "One account. All of Google." mentions what service is being accessed, but this is a subtlety that many will not notice.) It's quite common to be prompted with a login page like this when accessing a Google Docs link, and many people may enter their credentials without a second thought. After pressing "Sign in", the user’s credentials are sent to a PHP script on a -compromised- web server. This page then redirects to a real Google Docs document, making the whole attack very convincing. Google accounts are a valuable target for phishers, as they can be used to access many services including Gmail and Google Play, which can be used to purchase Android applications and content..."
___
ABSA Global business - certificate update – fake PDF malware
- http://myonlinesecurity.co.uk/absa-g...e-pdf-malware/
Mar 14, 2014 - "ABSA Global business customers 'certificate update' is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers. ABSA Global is a South African Bank so I wouldn’t expect a high number of US or UK citizens to have accounts with them, so this should be a quite obvious scam, phishing, malware attack to the majority of users. After examination of the malware, although many Antiviruses detect it as a Zbot, it looks more like an Androm version, possibly dropped by Asprox botnet. Almost all of these have a password stealing component, with the aim of stealing your email or FTP ( web space) log in credentials. Many of them are also designed to specifically steal your facebook and other social network log in details.
Attention!
On March 14, 2014 server upgrade will take place. Due to this the system may be offline for approximately half an hour.
The changes will concern security, reliability and performance of mail service and the system as a whole.
For compatibility of your browsers and mail clients with upgraded server software you should run SSl certificates update procedure.
This procedure is quite simple. All you have to do is just to install new server certificate attached to the letter.
Thank you in advance for your attention to this matter and sorry for possible inconveniences.
System Administrator ABSA Global
cert p12 install instruction.zip (58kb) - Extracts to ABSA cert p12 install instruction.exe
Current Virus total detections: 11/50* ... another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/f...5843/analysis/
___
Fake Facebook messages
- http://myonlinesecurity.co.uk/fake-facebook-messages/
Mar 14, 2014 - "... plagued by Fake Facebook messages saying “somebody commented on your status” (1) or “You requested a new Facebook password” (2) ...
1) http://myonlinesecurity.co.uk/wp-con...our-status.png
2) http://myonlinesecurity.co.uk/wp-con...k-password.png
Always -hover- over the links in these emails and you will see that they do -not- lead to Facebook. Do not click on the links, just delete the emails as soon as they arrive. There is always the very high possibility that one of the other botnets will use these to send you to a malicious site where your computer will be infected, rather than trying to scam you out of money by selling fake medicines that could kill you."
___
Banks to be hit with MS costs for running outdated ATMs
- http://www.reuters.com/article/2014/...0M345C20140314
LONDON/NEW YORK, March 14, 2014 - "Banks around the world, consumed with meeting more stringent capital regulations, will miss a deadline to upgrade outdated software for automated teller machines (ATMs) and face additional costs to Microsoft to keep them secure. The U.S. software company first warned that it was planning to end support for Windows XP in 2007, but only one-third of the world's 2.2 million ATMs which use the system will have been upgraded to a new platform, such as Windows 7 by the April deadline, according to NCR, one of the biggest ATM makers. To ensure the machines are protected against viruses and hackers many banks have agreed deals with Microsoft to continue supporting their ATMs until they are upgraded, extra costs and negotiations that were avoidable but are now likely to be a distraction for bank executives... Britain's five biggest banks - Lloyds Banking Group, Royal Bank of Scotland, HSBC, Barclays and Santander UK - either have, or are in the process of negotiating, extended support contracts with Microsoft. The cost of extending support and upgrading to a new platform for each of Britain's main banks would be in the region of 50 to 60 million pounds ($100 million), according to Sridhar Athreya, London-based head of financial services advisory at technology firm SunGard Consulting, an estimate corroborated by a source at one of the banks. Athreya said banks have left it late to upgrade systems after being overwhelmed by new regulatory demands in the wake of the 2007-08 financial crisis... Windows XP currently supports around 95 percent of the world's ATMs... many of the banks operating them will still be running their ATMs with Windows XP for a while after the April 8 deadline..."
___
Bogus online casino themed campaigns intercepted in the wild
- http://www.webroot.com/blog/2014/03/...ead-w32casino/
Mar 14, 2014 - "... proliferation of social engineering driven, privacy-violating campaigns serving W32/Casino variants. Relying on affiliate based revenue sharing schemes and spamvertised campaigns as the primary distribution vectors, the rogue operators behind them continue tricking tens of thousands of gullible users into installing the malicious applications. We’ve recently intercepted a series of spamvertised campaigns distributing W32/Casino variants...
Sample screenshots of the landing pages for the rogue casinos:
1) https://www.webroot.com/blog/wp-cont...ationc_PUA.png
2) https://www.webroot.com/blog/wp-cont...onc_PUA_01.png
3) https://www.webroot.com/blog/wp-cont...onc_PUA_02.png
4) https://www.webroot.com/blog/wp-cont...onc_PUA_03.png
5) https://www.webroot.com/blog/wp-cont...onc_PUA_04.png
6) https://www.webroot.com/blog/wp-cont...5-1024x576.png
Spamvertised URLs:
hxxp ://bit. ly/1brCoxg
hxxp ://bit .ly/1bQRudq
hxxp ://bit .ly/1mLQr5I
hxxp ://bit .ly/MCOyaL
hxxp ://bit .ly/1ec3UMN
hxxp ://bit .ly/1hN6Vbd
hxxp ://bit .ly/1mQ3XFu
hxxp ://bit .ly/17DJ4pZ
hxxp ://bit .ly/1ec2JNa
hxxp ://bit .ly/1fBY6d5
W32.Casino PUA domains reconnaissance:
hxxp ://rubyfortune .com – 78.24.211.177
hxxp ://grandparkerpromo .com – 95.215.61.160
hxxp ://kingneptunescasino1 .com – 67.211.111.169
hxxp ://riverbelle1 .com – 193.169.206.233
hxxp ://europacasino .com – 87.252.217.13
hxxp ://vegaspartnerlounge .com – 66.212.242.136
Sample detection rates for the W32/Casino PUA:
MD5: b80db6ec0e6c968499ce01232fbfdc5c * ... W32/Casino.P.gen!Eldorado
MD5: a2a545adf4498e409f7971f326333333 ** ... Heuristic.BehavesLike.Win32.Suspicious-DTR.S
MD5: a2a545adf4498e409f7971f326333333 *** ... W32/Casino.P.gen!Eldorado
MD5: 1cd6db7edbbc07d1c68968f584c0ac82 **** ... W32/Casino.P.gen!Eldorado
... (More) Known to have been downloaded from the same IP (87.248.203.254) ..."
* https://www.virustotal.com/en/file/1...is/1394642298/
** https://www.virustotal.com/en/file/4...is/1394642439/
*** https://www.virustotal.com/en/file/3...is/1394643637/
**** https://www.virustotal.com/en/file/4...is/1394643413/
:mad: :fear: :sad:
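Added example (not code from the quoted posts, myonlinesecurity.co.uk or Symantec): the "hover over the link" advice in the Fake Facebook messages item can be automated for a mail gateway or a help-desk triage script. The code below pulls every anchor out of an HTML body with Python's html.parser and compares where the link really goes with the brand the mail claims to come from, and also with any address shown in the link text. The sample message and its .invalid hostnames are constructed.

```python
"""Automate the "hover over the link" check for brand-spoofing mails: list every
<a> in an HTML body, then flag links whose real host is not the claimed brand
or whose visible text shows a different address than the href.  Added example,
not code from the quoted posts.  SAMPLE_HTML and its hostnames are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


# Link text that looks like a URL or bare domain, e.g. "www.facebook.com/n/?x".
DOMAINISH = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/?#]|$)",
                       re.IGNORECASE)


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def shown_host(text):
    """Host a reader would believe from the visible link text, or ''."""
    m = DOMAINISH.match(text.strip())
    return m.group(1).lower() if m else ""


def belongs_to(host, brand_domain):
    """True when host is brand_domain itself or one of its subdomains."""
    return host == brand_domain or host.endswith("." + brand_domain)


def audit_links(html, brand_domain):
    """Return (href, text, reason) per link; reason is None when the link
    really goes to the claimed brand and the visible text does not lie."""
    p = LinkCollector()
    p.feed(html)
    verdicts = []
    for href, text in p.links:
        host = host_of(href)
        shown = shown_host(text)
        if shown and shown != host:
            reason = f"text shows {shown} but link goes to {host}"
        elif not belongs_to(host, brand_domain):
            reason = f"link goes to {host}, not {brand_domain}"
        else:
            reason = None
        verdicts.append((href, text, reason))
    return verdicts


# Constructed fake "somebody commented on your status" notification.
SAMPLE_HTML = """
<p>Somebody commented on your status.</p>
<p><a href="http://notify-fb-update.invalid/l/8823">https://www.facebook.com/n/?comment</a></p>
<p><a href="http://www.facebook.com/help">Help Centre</a></p>
<p>To stop receiving these, <a href="http://notify-fb-update.invalid/u">unsubscribe</a>.</p>
"""

if __name__ == "__main__":
    for href, text, reason in audit_links(SAMPLE_HTML, "facebook.com"):
        print(f"{'OK ' if reason is None else 'BAD'} {href!r:45} {reason or ''}")
```

Note the limit of this check, which the Symantec item above illustrates: the Google Docs scam is hosted on a real google.com subdomain, so belongs_to("drive.google.com", "google.com") is true and the hover test passes; there the only cue left is the page content itself.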
-
Something evil on 198.50.140.64/27, 192.95.6.196/30 ...
FYI...
Something evil on 198.50.140.64/27
- http://blog.dynamoo.com/2014/03/some...501406427.html
17 Mar 2014 - "Thanks again to Frank Denis (@jedisct1) for this heads up* involving grubby web host OVH Canada and their black hat customer "r5x .org / Penziatki" hosting the Nuclear EK in 198.50.140.64/27. A full list of all the web sites I can find associated with this range can be found here**, but the simplest thing to do is block 198.50.140.64/27 completely (or if you are paranoid about security and don't mind some collateral damage block 198.27.0.0/16 and 198.50.0.0/16). Domains in use that I can identify are listed below. I recommend you block -all- of them. Domains listed as malicious by Google are in red, those listed as suspect by SURBL are in italics.
Recommended blocklist:
198.50.140.64/27
ingsat .eu
kingro .biz ..."
(More detail and domains listed at the dynamoo URL above.)
* https://twitter.com/jedisct1/status/445220289534631937
** http://pastebin.com/kkPRKu6v
___
Something evil on 192.95.6.196/30
- http://blog.dynamoo.com/2014/03/some...295619630.html
17 Mar 2014 - "Another useful tip by Frank Denis* on evil in the OVH Canada IP ranges, suballocated to their black hat customer "r5x .org / Penziatki", this time on 192.95.6.196/30. The following domains should be considered as dangerous and I would recommend blocking them as soon as possible:
shoalfault .ru
addrela .eu
backinl .org
A full list of the domains I can find in this /30 can be found here** [pastebin].
Given the extremely poor reputation of these OVH Canada ranges, I would suggest blocking the following network ranges if you have a security-sensitive environment and are prepared to put up with the collateral damage of blocking some legitimate sites:
198.27.0.0/16
198.50.0.0/16
198.95.0.0/16 "
* https://twitter.com/jedisct1/status/445690516433145856
** http://pastebin.com/RWG8uj00
___
Bank of America / Merrill Lynch - Completion of request for ACH CashPro – fake PDF malware
- http://myonlinesecurity.co.uk/bank-a...e-pdf-malware/
Mar 17, 2014 - "Bank of America Merrill Lynch Completion of request for ACH CashPro is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. Almost all of these have a password stealing component, with the aim of stealing your email or FTP ( web space) log in credentials. Many of them are also designed to specifically steal your facebook and other social network log in details...
> http://myonlinesecurity.co.uk/wp-con...CH-CashPro.png
17 March 2014 securedoc.zip (12kb) Extracts to securedoc.exe
Current Virus total detections: 2/49* - MALWR Auto Analysis**
This Bank of America Merrill Lynch Completion of request for ACH CashPro is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email..."
* https://www.virustotal.com/en/file/4...9bf5/analysis/
** https://malwr.com/analysis/Njc2MjY3Y...VhYTEyMzI4OTY/
___
Injection attack in progress 17/3/14
- http://blog.dynamoo.com/2014/03/inje...ess-17314.html
17 Mar 2014 - "A couple of injection attacks seem to be in progress, I haven't quite got to the bottom of them yet.. but you might want to block the following domains:
fsv-hoopte-winsen .de
grupocbi .com
These are hosted on 82.165.77.21 and 72.47.228.162 respectively. The malware is resistant to automated tools and redirects improperly-formed attempts to analyse it to Bing [1] [2]. The malware is appended to hacked .js files on target sites... This sort of attack has been used to push -fake- software updates* in the past. Even though I can't quite get to the bottom of this at the moment, you can be pretty sure that this is Nothing Good and I would recommend blocking these domains."
1) http://urlquery.net/report.php?id=9933756
2) http://urlquery.net/report.php?id=9933677
* http://blog.dynamoo.com/2014/01/scri...end-media.html
___
Fake Personal message from Gmail Service – spam
- http://myonlinesecurity.co.uk/fake-p...-service-spam/
Mar 17, 2014 - "< your name> Personal message from Gmail Service is an alternative version of the Fake Facebook messages*. Just like the Facebook versions these either take you to a Women’s Health page trying to sell you fake drugs for slimming or other women’s problems. Other days they send you to one of the Canadian or Russian Pharmacy pages selling Viagra, valium or other illegal drugs.
Fake Personal message from Gmail Service
> http://myonlinesecurity.co.uk/wp-con...il-message.png
Always -hover- over the links in these emails and you will see that they do -not- lead to Gmail. Do -not- click on the links, just delete the emails as soon as they arrive. There is always the very high possibility that one of the other -botnets- will use these to send you to a malicious site where your computer will be infected, rather than trying to scam you out of money by selling fake medicines..."
* http://myonlinesecurity.co.uk/fake-facebook-messages/
___
Fake Salesforce/Quickbooks invoice - malware
- http://blog.dynamoo.com/2014/03/sale...d-overdue.html
Mar 17, 2014 - "This -fake- Salesforce spam comes with a malicious attachment... actually two malicious attachments..
Date: Mon, 17 Mar 2014 16:12:20 +0100 [11:12:20 EDT]
From: "support @ salesforce .com" [support @ salesforce .com]
Subject: Please respond - overdue payment
Priority: High Priority 2
Please find attached your invoices for the past months. Remit the payment by 01/9/2013 as outlines under our "Payment Terms" agreement.
Thank you for your business,
Sincerely,
Alvaro Rocha
This e-mail has been sent from an automated system...
Attached are two archive files quickbook_invoice_89853654.rar and quickbook_invoice_8988561346654.zip which in turn contain the same malicious executable quickbook_invoice.scr which has a VirusTotal detection rate of 8/49*. Automated analysis tools... don't give much of a clue as to what is going on..."
* https://www.virustotal.com/en-gb/fil...is/1395087978/
:fear: :mad:
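Added example (not code from the quoted posts, myonlinesecurity.co.uk or dynamoo.com): nearly every malware item above is an executable inside a zip whose name is built to look like a document (CBC_scaned_584444449.pdf.exe, NIKON-2013564-JPEG.scr, securedoc.exe, quickbook_invoice.scr). A gateway or triage script can catch that pattern from the archive's member names alone, without extracting anything. The archive below is built in memory; three member names are taken from the posts above, the benign ones are invented.

```python
"""Flag archive members that are executables disguised as documents, the
"spoofed icon" pattern the posts describe (.pdf.exe, -JPEG.scr, .MOV.exe).
Added example, not code from the quoted posts.  The archive is constructed
in memory; only the three names marked "from the post" come from the thread."""
import io
import os
import re
import zipfile

# Windows runs these regardless of the icon embedded in the file.
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                  ".js", ".vbs", ".jse", ".wsf"}

# A document-like token right before the real extension, separated by
# '.', '-', '_' or a space: "x.pdf.exe", "NIKON-2013564-JPEG.scr", "VIDEO.MOV.exe".
DISGUISE_RE = re.compile(r"[-_.\s](pdf|docx?|xlsx?|jpe?g|png|mov|txt)$",
                         re.IGNORECASE)


def assess_member(name):
    """Return None for an innocuous member name, else a short reason string."""
    base = os.path.basename(name.replace("\\", "/"))
    root, ext = os.path.splitext(base)
    ext = ext.lower()
    if ext not in EXECUTABLE_EXT:
        return None
    m = DISGUISE_RE.search(root)
    if m:
        return f"executable {ext} disguised as '{m.group(1)}'"
    return f"executable attachment ({ext})"


def scan_archive(data):
    """Inspect every member name of a zip given as bytes; nothing is extracted."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reason = assess_member(info.filename)
            if reason:
                findings.append((info.filename, reason))
    return findings


def build_sample_archive():
    """Constructed sample archive: names from the posts plus invented benign ones.
    Member contents are placeholder bytes, not real executables."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("CBC_scaned_584444449.pdf.exe", b"placeholder")  # from the post
        zf.writestr("NIKON-2013564-JPEG.scr", b"placeholder")        # from the post
        zf.writestr("securedoc.exe", b"placeholder")                 # from the post
        zf.writestr("invoice_march.pdf", b"%PDF-1.4 placeholder")    # invented, benign
        zf.writestr("docs/readme.txt", b"hello")                     # invented, benign
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in scan_archive(build_sample_archive()):
        print(f"{member:35} {reason}")
```

The check is deliberately name-based: the posts' point is that with "show known file extensions" off, the user never sees the final .exe/.scr, so the filter has to look at it for them. It does not replace content scanning (a renamed executable with an innocent name still passes), but it catches the specific lure these zbot runs rely on.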
-
AMEX phish, Gov't Biz Dept SPAM ...
FYI...
AMEX phish...
- http://myonlinesecurity.co.uk/americ...hing-attempts/
Mar 18, 2014 - "We are seeing quite a few American Express -phishing- attempts trying to get your American Express details. These are very well crafted and look identical to genuine American Express emails. The senders appear to be from American Express until you look carefully at the email headers. They are using literally hundreds if not thousands of -hijacked- websites to perform these attacks. The site listed in the email is the first step in the chain and you are bounced on to other sites. The coding on the primary hijacked sites suggest that they are under the control of the Blackhole and Angler exploit kit criminals. This means that at any time when they have stolen enough identities and money, they will switch to spreading malware via the same network and emails. Do not click any links in these emails. Hover your mouse over the links and you will see a web address that isn’t American Express. Immediately -delete- the email and the safest way to make sure that it isn’t a genuine email from American Express is to type the American Express web address in your browser and then log in to the account that way. There are currently 2 main avenues of the American Express phishing attempts:
AmericanExpress phishing attempts:
1) http://myonlinesecurity.co.uk/wp-con...hing-email.png
2) http://myonlinesecurity.co.uk/wp-con...hing-email.png
Following the link in these takes you to a website that looks exactly like the real American Express site. You are then taken through loads of steps to input a lot of private and personal information. Not only will this information enable them to clear out & use your American Express account, but also your Bank Account, Email details, webspace (if you have it). They then want enough information to completely impersonate you and your identity not only in cyberspace but in real life..."
___
Gov't Biz Dept. – fake PDF malware
- http://myonlinesecurity.co.uk/govern...e-pdf-malware/
Mar 18, 2014 - "Government Business Departament pretending to come from the Department for Business Innovation & Skills <business_dep@ gov .uk> is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers. Please note the poor -spelling- in the email subject, which should be enough of a flag to warn users of the -fake-. Almost all of these have a password stealing component, with the aim of stealing your email or FTP ( web space) log in credentials. Many of them are also designed to specifically steal your facebook and other social network log in details.
> http://myonlinesecurity.co.uk/wp-con...epartament.png
... another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
___
Fake YouTube email – fake mov malware
- http://myonlinesecurity.co.uk/receiv...e-mov-malware/
Mar 18, 2014 - "'You have received a YouTube video' is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers. Almost all of these have a password stealing component, with the aim of stealing your email or FTP ( web space) log in credentials. Many of them are also designed to specifically steal your facebook and other social network log in details... plain simple email with subject You have received a YouTube video and content just says 'Sent from my iPad'...
18 March 2014 : VIDEO_819562694.MOV.ZIP (79kb) : Extracts to VIDEO_890589685.MOV.exe
Current Virus total detections: 6/50*
... another one of the spoofed icon files... will look like a proper mov ( movie) file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/5...69ae/analysis/
Screenshot: https://gs1.wac.edgecastcdn.net/8019...ywx1r6pupn.png
___
500,000 PCs attacked after 25,000 UNIX servers hijacked ...
- http://www.welivesecurity.com/2014/0...ation-windigo/
Mar 18, 2014 - "... Researchers at ESET, in collaboration with CERT-Bund, the European Organization for Nuclear Research (CERN), the Swedish National Infrastructure for Computing and other agencies, have uncovered a widespread cybercriminal operation that has seized control of tens of thousands of Unix servers. And if your system is found to be infected, experts strongly recommend you re-install the operating system, and consider all credentials used to log into the machine as compromised. In short, if you are a victim, all passwords and private OpenSSH keys should be changed. The attack, which has been given the name “Windigo” after a mythical creature from Algonquian Native American folklore, has resulted in over 25,000 Unix servers being hacked, resulting in 35 million spam messages being sent each day from compromised machines...
> http://www.welivesecurity.com/wp-con...digo-spam.jpeg
... That would be bad enough, normally. But in this case, malicious hackers have also been using hijacked web servers to infect visiting Windows PCs with click fraud and spam-sending malware, and display dating website adverts to Mac users. Even smartphone users don’t escape – finding their iPhones redirected to X-rated content, with the intention of making money for the cybercriminals...
> http://www.welivesecurity.com/wp-con...go-iphone.jpeg
ESET’s security research team has published a detailed technical paper* into “Operation Windigo”, and says it believes that the cybercrime campaign has been gathering strength, largely unnoticed by the security community, for over two and a half years..."
An analysis of the visiting computers revealed a wide range of operating systems being used:
> http://www.welivesecurity.com/wp-con...ims-by-os.jpeg
(More detail at the welivesecurity URL at the top.)
* http://www.welivesecurity.com/wp-con...on_windigo.pdf
Indicators of Compromise
- https://github.com/eset/malware-ioc
:mad: :fear:
-
OVH Canada hosted exploit kits, Twitter Spamrun ...
FYI...
More OVH Canada hosted exploit kits
- http://blog.dynamoo.com/2014/03/more...loit-kits.html
19 Mar 2014 - "... Yesterday Frank identified three new OVH Canada ranges* being used to host the Nuclear EK [1], again the customer is "r5x .org / Penziatki"
198.50.212.116/30
198.50.131.220/30
192.95.40.240/30
Update: also 192.95.51.164/30 according to this Tweet**... A full list of everything I can find is here*** [pastebin] ... At a minimum I recommend that you block those IP ranges and/or domains.
Given the extremely poor reputation of these OVH Canada ranges, I would suggest blocking the following network ranges if you have a security-sensitive environment and are prepared to put up with the collateral damage of blocking some legitimate sites:
198.27.0.0/16
198.50.0.0/16
198.95.0.0/16 "
(More detail at the dynamoo URL above.)
* https://twitter.com/jedisct1/status/445970337490927616
** https://twitter.com/jedisct1/status/446154856093343744
*** http://pastebin.com/4eGWBwHV
[1] http://krebsonsecurity.com/tag/nuclear-exploit-pack/
Updated - Mar 20, 2014: http://blog.dynamoo.com/search/label/OVH
___
Something evil on 64.120.242.160/27
- http://blog.dynamoo.com/2014/03/some...024216027.html
19 Mar 2014 - "64.120.242.160/27 (Network Operations Center, US) is hosting a number of exploit domains (see this example report at VirusTotal*). There appears to be a variety of badness involved, and many of the domains hosted in the range are flagged as malicious by Google or SURBL (report here** [csv]). There appears to be nothing legitimate in this whole range. Domains flagged as malicious by Google are highlighted, ones marked as malicious by SURBL are in italics. I would recommend you block the entire lot.
64.120.242.160/27
asifctuenefcioroxa .net
hukelmshiesuy .net
asifctuenefcioroxa .com
asifctuenefcioroxa .info ..."
(Long list at the dynamoo URL above.)
* https://www.virustotal.com/en-gb/ip-...0/information/
** http://www.dynamoo.com/files/64.120.242.160-27.csv
___
Fake NatWest SPAM ...
- http://blog.dynamoo.com/2014/03/natw...ed-secure.html
19 Mar 2014 - "This -fake- NatWest spam has a malicious attachment:
Date: Wed, 19 Mar 2014 15:14:02 +0100 [10:14:02 EDT]
From: NatWest [secure.message@ natwest .co .uk]
Subject: You have received a secure message
You have received a secure message
Read your secure message by opening the attachment, SecureMessage.zip. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.
If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the NatWest Bank Secure Email Help Desk at 0131 556 4226.
First time users - will need to register after opening the attachment...
Attached to the message is an archive file SecureMessage.zip which in turn contains a malicious executable SecureMessage.scr which has a VirusTotal detection rate of 8/51*. Automated analysis tools... show attempted downloads from the following domains, both hosted on servers that appear to be completely compromised and should be blocked.
199.193.115.111 (NOC4Hosts, US) ...
184.107.149.74 (iWeb, Canada) ...
50.116.4.71 (Linode, US) ...
Recommended blocklist:
199.193.115.111
184.107.149.74
50.116.4.71 ..."
(More detail at the dynamoo URL above.)
* https://www.virustotal.com/en-gb/fil...is/1395245960/
Screenshot: https://gs1.wac.edgecastcdn.net/8019...ol61r6pupn.png
___
Steer Clear of the Latest Twitter Spamrun
- http://blog.malwarebytes.org/social-...itter-spamrun/
Mar 19, 2014 - "Watch out for messages on your Twitter feed like the ones below, because they’ll try their best to give your account a bad hair day:
> http://cdn.blog.malwarebytes.org/wp-...twitphish1.jpg
Some of the (many) messages read as follows, and all are designed to entice the recipient into clicking:
lmao I had a eerie feeling this was yours
haha this post by you is so funny
haha this was made by you?
Im laughing so much right now at this
haha this update by you is odd
lol I had a eerie feeling this was you
lolz this post by you is nuts
lol this was posted by you?
omfg this entry by you is crazy
lolz this tweet by you is so funny
LOL you got 2 see this, its epic
omfg this post by you is cool
lolz this post by you is hilarious... (more)
There are others, but those seem to be the main ones and everything else is typically a variation on the above themes. The links take end-users to a site informing them of the following:
“Your current session has ended
For security purposes you were forcibly signed out. For security purposes you need to verify your Twitter account, please login”
> http://cdn.blog.malwarebytes.org/wp-...3/twitpsh2.jpg
... change your password if you think you’ve already been affected by this one and clear up any rogue links lying around on your feed – your followers will thank you for it.
Christopher Boyd (Hat-tip to @Cliffsull *)"
* https://twitter.com/cliffsull
:mad::mad:
-
Something evil on 66.96.195.32/27, PHP bug ...
FYI...
Something evil on 66.96.195.32/27
- http://blog.dynamoo.com/2014/03/some...961953227.html
Mar 20, 2014 - "Another bad bunch of IPs hosted by Network Operations Center in Scranton following on from yesterday*, this time 66.96.195.32/27 which seems to be more of the same thing. The exploit kit in question is the Goon EK, as shown in this URLquery report**. It seems that it spreads by malicious SWF files being injected into legitimate websites (I think this one, for example [3]). The easiest thing to do would be to block traffic to 66.96.195.32/27, but I can see... malicious websites active in that range (all on 66.96.195.49 [4])..."
* http://blog.dynamoo.com/2014/03/some...024216027.html
** http://urlquery.net/report.php?id=1395311494976
3] http://urlquery.net/report.php?id=1395322515680
4] https://www.virustotal.com/en/ip-add...9/information/
___
PHP bug allowing site hijacking still menaces Internet 22 months on
- http://arstechnica.com/security/2014...-22-months-on/
Mar 19 2014 - "A vulnerability that allows attackers to take control of websites running older versions of the PHP scripting language continues to threaten the Internet almost two years after security researchers first warned that attackers could use it to remotely execute malicious code on vulnerable servers. As Ars reported 22 months ago, the code-execution exploits worked against PHP sites only when they ran in common gateway interface mode, a condition that applied by default to those running the Apache Web server. According to a blog post published Tuesday*, CVE-2012-1823**, as the vulnerability is formally indexed, remains under attack today by automated scripts that scour the Internet in search of sites that are susceptible to the attack. The sighting of in-the-wild exploits even after the availability of security patches underscores the reluctance of many sites to upgrade... PHP versions prior to 5.3.12 and 5.4.2 are vulnerable. The Imperva blog post* said that an estimated 16 percent of public websites are running a vulnerable version. People running susceptible versions should upgrade right away. Readers who visit vulnerable sites should notify the operators of the risk their site poses..."
* http://blog.imperva.com/2014/03/thre...r-command.html
Mar 18, 2014
** https://web.nvd.nist.gov/view/vuln/d...=CVE-2012-1823 - 7.5 (HIGH)
Last revised: 07/20/2013
___
Threat Outbreak Alerts
- http://tools.cisco.com/security/cent...utbreak.x?i=77
Fake Product Shipping Documents Email Messages - 2014 Mar 20
Fake Financial Documents Email Messages - 2014 Mar 20
Email Messages with Malicious Attachments - 2014 Mar 20
Fake Tax Return Notification Email Messages - 2014 Mar 20
Email Messages with Malicious Attachments - 2014 Mar 20
Fake Document Processing Request Email Messages - 2014 Mar 20
Fake Fax Message Delivery Email Messages - 2014 Mar 20
Fake Product Order Quotation Email Messages - 2014 Mar 20
Fake Tax Document Email Messages - 2014 Mar 20
Fake Payroll Information Notification Email Messages - 2014 Mar 20
Fake Incoming Money Transfer Notification Email Messages - 2014 Mar 20
Fake Bank Payment Transfer Notification Email Messages - 2014 Mar 20
Fake Lawsuit Details Attachment Email Messages - 2014 Mar 20
Fake Account Payment Information Email Messages - 2014 Mar 20
Fake Product Order Notification Email Messages - 2014 Mar 20
Fake Failed Delivery Notification Email Messages - 2014 Mar 20
Fake Bank Transaction Notification Email Messages - 2014 Mar 19
(More detail and links at the cisco URL above.)
:mad: :sad:
-
Fake Amazon, Companies House SPAM, Something evil on 50.116.4.71 ...
FYI...
Fake Amazon .co .uk SPAM, Something evil on 50.116.4.71
- http://blog.dynamoo.com/2014/03/amaz...g-evil-on.html
21 Mar 2014 - "This -fake- Amazon .co .uk spam comes with a malicious attachment:
Date: Fri, 21 Mar 2014 13:40:05 +0530 [04:10:05 EDT]
From: "AMAZON .CO .UK" [SALES@ AMAZON .CO .UK]
Cc: ; Fri, 21 Mar 2014 13:40:05 +0530
Subject: Your Amazon.co.uk order ID841-6379889-7781077
Hello, Thanks for your order. We’ll let you know once your item(s) have dispatched. You can check the status of your order or make changes to it by visiting Your Orders on Amazon.co.uk.
Order Details
Order #799-5059801-3688207 Placed on March 21, 2014 Order details and invoice in attached file.
Need to make changes to your order? Visit our Help page for more information and video guides.
We hope to see you again soon. Amazon .co .uk...
There is an attachment Order details 21.04.2014 Amazon 19-1101.zip which contains a quite large 596Kb malicious executable Order details 21.04.2014 Amazon 19-1101.exe which only has a VirusTotal detection rate of 2/51*. The Malwr analysis** is the most comprehensive, and shows that it attempts to phone home... Out of these, aulbbiwslxpvvphxnjij .biz seems to be active on 50.116.4.71 (Linode, US). Combining the "phone home" domains with the other malicious domains hosted on that IP gives the following recommended blocklist:
50.116.4.71
afaxdlrnjdevgddqrcvkdmvemwo .org ..."
(Long list at the dynamoo URL above.)
* https://www.virustotal.com/en-gb/fil...is/1395393900/
** https://malwr.com/analysis/MWI1MGFlY...MzMmViZTk4ZjI/
- https://www.virustotal.com/en/ip-add...1/information/
___
Fake Companies House SPAM and 50.116.4.71 (again)
- http://blog.dynamoo.com/2014/03/comp...471-again.html
21 Mar 2014 - "This -fake- Companies House spam comes with a malicious attachment:
Date: Fri, 21 Mar 2014 11:05:35 +0100 [06:05:35 EDT]
From: Companies House [WebFiling@ companieshouse .gov .uk]
Subject: Incident 8435407 - Companies House
The submission number is: 8435407
For more details please check attached file.
Please quote this number in any communications with Companies House.
All Web Filed documents are available to view / download for 10 days after their
original submission. However it is not possible to view copies of accounts that
were downloaded as templates.
Companies House Executive Agency may use information it holds to prevent
and detect fraud. We may also share such information, for the same purpose,
with other Organizations that handle public funds.
If you have any queries please contact the Companies House Contact Centre
on +44 (0)303 1234 500 or email enquiries@companies-house .gov .uK
Note: This email was sent from a notification-only email address which cannot
accept incoming email. Please do not reply directly to this message...
Attached is an archive file CH_Case_8435407.zip which in turn contains the malicious executable CH_Case_21032014.scr which has a VirusTotal detection rate of 3/49*. The Malwr analysis -again- shows an attempted connection to a Linode IP at 50.116.4.71 using the domain aulbbiwslxpvvphxnjij .biz. The malware also downloads a config file from a hacked WordPress installation at [donotclick]premiercrufinewine .co .uk/wp-content/uploads/2014/03/2103UKp.qta plus a number of other domains that are not resolving (listed below). I would recommend... the following blocklist in combination with this one.
50.116.4.71
aulbbiwslxpvvphxnjij.biz ..."
(Long list at the dynamoo URL above.)
* https://www.virustotal.com/en-gb/fil...is/1395396703/
___
Fake Air Canada Ticket - malware
- http://www.threattracksecurity.com/i...icket-malware/
Mar 20, 2014 - "... The email (pictured below) was directed to an employee inbox purporting to be from Air Canada and directing the recipient to download and print their ticket. (Note: Air Canada was not hacked, nor were they part of this malware. The malicious URL distributing a previously unidentified malware is simply being masked to look like it’s coming from Air Canada.)
> http://www.threattracksecurity.com/i...ious-Email.png
The link hxxps ://www.aircanada .com/travelInformation/viewOrderInfo.do?action=download&fid=QB820910108CA pointed to another address, hxxp ://alienstub.com/pdf_ticket_820910108.zip, which hosts the malware, a zipped malicious file. Once the zip file is decompressed, the user will see a file called pdf_ticket_820910108.pif . Analysis by ThreatSecure quickly revealed the sample as an exploit categorized with a high severity (see in-product analysis screen below), exhibiting malicious behavior like disabling the Windows firewall, changing proxy settings in Internet Explorer, opening the command prompt, creating executable files and connecting to Windows Remote Access Connection Manager.
> http://www.threattracksecurity.com/i...f-analsysi.jpg
... At the time of posting this blog, 16/51* antivirus vendors on VirusTotal detect this file as being malicious. The domain hxxp ://alienstub .com appears to be registered in China...
* https://www.virustotal.com/en/file/d...7622/analysis/
alienstub .com
108.162.198.134 - https://www.virustotal.com/en-gb/ip-...4/information/
108.162.199.134 - https://www.virustotal.com/en-gb/ip-...4/information/
:fear: :mad:
-
Malware sites to block 23/3/14 (P2P/Gameover Zeus)
FYI...
Malware sites to block 23/3/14 (P2P/Gameover Zeus)
- http://blog.dynamoo.com/2014/03/malw...ock-23314.html
23 Mar 2014 - "These domains and IPs are associated with the Peer-to-peer / Gameover variant of Zeus as described in this blog post at MalwareMustDie*. I recommend that you -block- the -IPs- and/or domains listed as they are all malicious:
50.116.4.71 (Linode, US) ...
178.79.178.243 (Linode, UK)
212.71.235.232 (Linode, UK)
23.239.140.156 (Root Level Technology, US)
50.116.4.71 ...
178.79.178.243 ...
212.71.235.232 ...
23.239.140.156 ..."
(More - long list of domains listed at the dynamoo URL above.)
* http://blog.malwaremustdie.org/2014/...er-crooks.html
:mad::mad: :fear:
-
Fake Flash update hosted on OneDrive, HMRC SPAM
FYI...
Fake Flash update hosted on OneDrive
- http://blog.dynamoo.com/2014/03/js-i...sh-update.html
25 Mar 2014 - "This kind of attack is nothing new, but there has been a sharp uptick recently in injection attacks that alter .js files on vulnerable systems. The payload is a -fake- Flash update with a surprisingly low detection rate, hosted on Microsoft OneDrive. The first step in the attack is through a vulnerable site such as this one [urlquery*]. In turn, the infected .js file leads to [donotclick]alientechdesigns .com/NLBFH8ZG.php?id=88473423 which in turn leads to a fake Flash popup hosted at [donotclick]alientechdesigns .com/NLBFH8ZG.php?html=27 which you can see an approximation of here [urlquery**].
> https://lh3.ggpht.com/-sLx4s_0GoKQ/U...fake-flash.jpg
The link in the popup goes to a download location at [donotclick]onedrive.live .com/download.aspx?cid=20e850f993bd56fd&resid=20E850F993BD56FD%21111 which downloads a file flashplayerinstaller.exe. flashplayerinstaller.exe is the first stage in the infection; it has a VirusTotal detection rate of just 3/51***. The Malwr report shows that this then downloads two additional components, from:
[donotclick]onedrive.live .com/download.aspx?cid=20e850f993bd56fd&resid=20E850F993BD56FD%21112
[donotclick]onedrive.live .com/download.aspx?cid=20e850f993bd56fd&resid=20E850F993BD56FD%21108
The first one of these is called flashplayer2.exe which has a VirusTotal detection rate of 4/51 [5]. Malwr, Anubis and Comodo CAMAS show some working of this malware. The second file is called update2.exe with a VirusTotal detection rate of 5/49****. This seems somewhat resistant to automated analysis tools... This sort of attack is hard to block from a network point of view as it leverages legitimate sites. Perhaps the best way to protect yourself is a bit of user education about where it is appropriate to download updates from."
* http://urlquery.net/report.php?id=1395739538065
** http://urlquery.net/report.php?id=1395739786885
*** https://www.virustotal.com/en-gb/fil...is/1395739964/
**** https://www.virustotal.com/en-gb/fil...is/1395742041/
5] https://www.virustotal.com/en/file/9...is/1395740434/
___
Fake HMRC SPAM
- http://blog.dynamoo.com/2014/03/you-...ages-from.html
25 Mar 2014 - "This fake HMRC spam comes with a malicious attachment:
Date: Tue, 25 Mar 2014 12:59:28 +0100 [07:59:28 EDT]
From: "noreply@hmrc .gov .uk" [noreply@hmrc .gov .uk]
Subject: You have received new messages from HMRC
Please be advised that one or more Tax Notices (P6, P6B) have been issued.
For the latest information on your Tax Notices (P6, P6B) please open attached report.
Please do not reply to this e-mail.
1.This e-mail and any files or documents transmitted with it are confidential and
intended solely for the use of the intended recipient. Unauthorised use, disclosure or
copying is strictly prohibited and may be unlawful. If you have received this e-mail in
error, please notify the sender at the above address and then delete the e-mail from your
system. 2. If you suspect that this e-mail may have been intercepted or amended, please
notify the sender. 3. Any opinions expressed in this e-mail are those of the individual
sender and not necessarily those of QualitySolicitors Punch Robson. 4. Please note that
this e-mail and any attachments have been created in the knowledge that internet e-mail
is not a 100% secure communications medium. It is your responsibility to ensure that they
are actually virus free. No responsibility is accepted by QualitySolicitors Punch Robson
for any loss or damage arising from the receipt of this e-mail or its contents.
QualitySolicitors Punch Robson: Main office 35 Albert Road Middlesbrough TS1 1NU
Telephone 01642 230700. Offices also at 34 Myton Road, Ingleby Barwick, Stockton On Tees,
TS17 0WG Telephone 01642 754050 and Unit E, Parkway Centre, Coulby Newham, Middlesbrough
TS8 0TJ Telephone 01642 233980 VAT no. 499 1588 77. Authorised and regulated by the
Solicitors Regulation Authority (57864). A full list of Partners names is available from
any of our offices....
The attachment is called HMRC_TAX_Notice_rep.zip which in turn contains a malicious executable HMRC_TAX_Notice_rep.scr which has a VirusTotal detection rate of 5/51*. According to the Malwr report, the malware makes a download from the following locations hosted on 67.205.16.21 (New Dream Network, US):
[donotclick]sandsca .com.au/directions/2503UKp.tis
[donotclick]www.sandsca .com.au/directions/2503UKp.tis
Subsequent communications are made with aulbbiwslxpvvphxnjij .biz on the familiar looking Linode IP of 50.116.4.71, and also qkdapcqinizsczxrwaelaimznfbqq .biz on another Linode IP of 178.79.178.243. An attempt is also made to connect to hzdmjjneyeuxkpzkrunrgyqgcukf .org which does not resolve...
Recommended blocklist:
50.116.4.71
178.79.178.243
sandsca .com
aulbbiwslxpvvphxnjij .biz
qkdapcqinizsczxrwaelaimznfbqq .biz
hzdmjjneyeuxkpzkrunrgyqgcukf .org "
* https://www.virustotal.com/en-gb/fil...is/1395750216/
- https://www.virustotal.com/en/ip-add...1/information/
- https://www.virustotal.com/en/ip-add...1/information/
- https://www.virustotal.com/en/ip-add...3/information/
___
Google Drive Email - Phish ...
- http://www.hoax-slayer.com/google-dr...ing-scam.shtml
Mar 25, 2014 - "... email requests recipients to click a link to view a document that the sender uploaded using Google Cloud Drive. There is no document to be viewed, urgent or otherwise. The email is a -phishing- scam designed to trick recipients into giving their email login details to Internet criminals... Example:
Hello,
Kindly click the link to view the document I uploaded for you using Google
cloud drive.
[Link removed]
Just Sign in with your email to view the document, it is very important.
Thank you,
Rev. Dr. Karen [Surname Removed]
Serving Humanity Spiritually
[Phone number removed]
Good works are links that form a chain of love.
Mother Teresa
Screenshot of phishing website:
> http://www.hoax-slayer.com/images/go...ing-scam-1.jpg
... Users who fall for the ruse and click the link as instructed will be taken to a -bogus- website that includes the Google Drive logo along with a login screen that asks for both their email address and email password. If users submit their email credentials as requested and click the 'View document' button, they will be redirected to Google's Gmail home page... however, their email address and password will be sent to online criminals. The criminals can use the stolen details to hijack webmail accounts belonging to victims. Hijacked accounts can be used to perpetrate more scam and spam campaigns, all in the names of the victims. If victims submitted details for a Gmail account, the scammers may be able to use the same login information to access other Google services as well as email..."
___
Gameover ZeuS now targets users of employment websites
- http://net-security.org/malware_news.php?id=2745
Mar 25, 2014 - "Some newer variants of the Gameover Zeus Trojan, which is exceptionally good at using complex web injections to perform Man-in-the-Browser (MITB) attacks and gain additional information about the victims to be used for bypassing multi-factor authentication mechanisms and effecting social engineering attacks, have been spotted targeting users of popular employment websites. They initially focused on CareerBuilder.com (largest employment website in the US), but now also on Monster.com (one of the largest in the world). The -fake- login page victims are served with looks virtually identical to the legitimate one, but the next one is a web form injected by the malware:
> http://www.net-security.org/images/a...r-25032014.jpg
There are 18 different questions to choose from, and they range from the name of the city where your sibling lives/you got your first job/you met your spouse, to the name of your school(s)/friend/work supervisor and significant dates and numbers in your life..."
- http://www.f-secure.com/weblog/archives/00002687.html
March 25, 2014
___
Deceptive ads expose users to the Adware.Linkular/Win32.SpeedUpMyPC.A PUAs
- http://www.webroot.com/blog/2014/03/...-applications/
Mar 25, 2014 - "Rogue vendors of Potentially Unwanted Applications (PUAs) continue tricking tens of thousands of gullible users into installing deceptive and privacy violating applications. Largely relying on ‘visual social engineering’ tactics and basic branding concepts, the majority of campaigns convincingly present users with legitimately looking ToS (Terms of Service)/EULA (End User License Agreements) which socially engineered users accept, thereby assuming the responsibility for the potential privacy-violating activities taking place on their host. We’ve recently spotted yet another PUA campaign, relying on deceptive “Download Now” types of ads, enticing users into downloading the bogus GetMyFiles (Adware.Linkular) application, as well as the rogue SpeedUpMyPC (Win32.SpeedUpMyPC.A) PUA...
Sample screenshot of Adware.Linkular download page:
> https://www.webroot.com/blog/wp-cont...pplication.png
Sample screenshot of Win32.SpeedUpMyPC.A download page:
> https://www.webroot.com/blog/wp-cont...ication_01.png
Domain name reconnaissance:
getmyfilesnow .info – 54.208.165.36
getmyfilesnow .com – 174.142.147.2
coollinks .us – 174.142.147.5
linkular .com – 208.109.216.125
Detection rate for the PUA: MD5: 0d60941d1ec284cab2e861e05df89511 * ...
Known to have responded to 54.208.165.36 ...
Once executed, the sample phones back to:
hxxp // 107.23.152.80 /api/software/?s=887&os=win32&output=1&v=2.2.2&l=1033&np=0&osv=5.1&b=ie&bv=8.0.6001.18702&c=12&cv=2.2.2.1768
Sample detection rate for the Win32.SpeedUpMyPC.A PUA:
MD5: 0a8ecb11e39db5647dcad9f0cc938c99 ** ... "
* https://www.virustotal.com/en/file/2...is/1395713453/
** https://www.virustotal.com/en/file/e...is/1395717259/
:mad::mad: :fear:
-
Something evil on 173.212.223.249, Fake PDF malware...
FYI...
Something evil on 173.212.223.249
- http://blog.dynamoo.com/2014/03/some...212223249.html
26 Mar 2014 - "There's some sort of evil at work here, but I can't quite replicate it.. however I would recommend that you put a block in for 173.212.223.249 (Network Operations Center, US). The infection chain I have spotted here starts with a typical compromised website, in this case:
[donotclick]onerecipedaily .com/prawn-patia-from-anjum-anands-i-love-curry/
A quick look at the URLquery report* shows a general alert, but no smoking gun.. The incident logs come up with a generic detection... The following malicious subdomains are also active on 173.212.223.249:
bkbr.beuqnyrtz .com
syb.beuqnyrtz .com
sxxmxv.beuqnyrtz .info
The simplest thing to do to protect yourself against this particular threat is to use the following blocklist:
173.212.223.249
beuqnyrtz .com
beuqnyrtz .info "
(More detail at the dynamoo URL above.)
* http://urlquery.net/report.php?id=1395844844686
- https://www.virustotal.com/en/ip-add...9/information/
- https://www.virustotal.com/en/ip-add...1/information/
___
Info from SantanderBillpayment. co .uk - fake PDF malware
- http://myonlinesecurity.co.uk/info-s...e-pdf-malware/
26 Mar 2014 - "Info from SantanderBillpayment.co.uk pretending to come from Santanderbillpayment-noreply@SantanderBillPayment .co .uk is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers. Almost all of these have a password stealing component, with the aim of stealing your email or FTP ( web space) log in credentials. Many of them are also designed to specifically steal your facebook and other social network log in details. Analysis of this one is showing it likely to be a Gameover Zeus/Zbot variant. This is “new” — it’s going after a similar URL as the Pony samples we have been seeing in the last few weeks, but completely different binary. This has VM detection and if it detects that, it runs routines to choke memory and the CPU. On real hardware, it tries this URL (http :// 62.76.45.233 /2p/1.exe) given recent patterns, this is likely to be a Gameover production...
Thank you for using BillPay. Please keep this email for your records.
The following transaction was received on 18 March 2014 at 20:03:41.
Payment type: VAT
Customer reference no: 9789049470611
Card type: Visa Debit
Amount: 483.93 GBP
Your transaction reference number for this payment is IR19758383.
Please quote this reference number in any future communication regarding this payment.
Full information in attachment.
Yours sincerely,
Banking Operations
This message is intended for the named person above and may be confidential, privileged or otherwise protected from disclosure...
26 March 2014 : VAT_F37D8FE5F9.zip (72kb) : Extracts to ATT00347_761105586544.pdf.exe
Current Virus total detections: 7/51* MALWR Auto Analysis** ...
... another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/c...d4a2/analysis/
** https://malwr.com/analysis/NTQyOGVhN...RlMDZmMjVhMDk/
- https://www.virustotal.com/en/ip-add...3/information/
:mad::fear::sad:
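The spoofed-icon trick the quoted post describes (an .exe dressed up as a PDF, relying on Windows hiding known extensions) can be checked for before a zip attachment ever reaches a user. Added example, not code from any of the quoted posts: it opens the archive, flags members with an executable or double extension, and reads the first bytes of each member so a PE file renamed to .pdf is still caught; the sample archive it builds is constructed here and contains only stub bytes.

```python
"""Flag executables disguised as documents inside a zip attachment.

Added example for this thread; not part of any quoted blog post. The
member names are modelled on the campaigns described above, but the
archive and its contents are constructed stubs, not real samples.
"""
import io
import zipfile

# Extensions Windows will run as a program when double-clicked.
EXEC_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}
# Extensions the campaigns above imitate with a spoofed icon.
DOC_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
PE_MAGIC = b"MZ"  # DOS/PE header shared by .exe, .scr and .pif payloads

REASON_DOUBLE_EXT = "document extension followed by executable extension"
REASON_EXEC_EXT = "executable extension"
REASON_PE_HEADER = "PE header"
REASON_PE_RENAMED = "PE header under a non-executable extension"


def inspect_member(name: str, head: bytes) -> list[str]:
    """Return the reasons a single archive member looks like a disguised executable."""
    base = name.lower().rsplit("/", 1)[-1]          # ignore any folder prefix
    parts = base.split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    prev = "." + parts[-2] if len(parts) > 2 else ""

    reasons = []
    if ext in EXEC_EXTENSIONS:
        # "x.pdf.exe" displays as "x.pdf" when known extensions are hidden.
        reasons.append(REASON_DOUBLE_EXT if prev in DOC_EXTENSIONS else REASON_EXEC_EXT)
    if head.startswith(PE_MAGIC):
        # Content check: a renamed PE file is still a PE file.
        reasons.append(REASON_PE_HEADER if ext in EXEC_EXTENSIONS else REASON_PE_RENAMED)
    return reasons


def scan_zip_bytes(data: bytes) -> dict[str, list[str]]:
    """Map each suspicious member name to its list of reasons.

    Only the first two bytes of each member are read, so a large or
    deliberately padded payload costs no more than a small one.
    """
    findings: dict[str, list[str]] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(len(PE_MAGIC))
            reasons = inspect_member(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_attachment() -> bytes:
    """Constructed test archive (stub bytes only, no real malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # Double extension plus PE header, as in the fake Santander/BillPay mail.
        zf.writestr("ATT00347_761105586544.pdf.exe", PE_MAGIC + b"\x00" * 62)
        # Plain .scr payload, as in the fake NatWest / Companies House mails.
        zf.writestr("SecureMessage.scr", PE_MAGIC + b"\x00" * 62)
        # PE file renamed to .pdf: caught by the header check only.
        zf.writestr("statement.pdf", PE_MAGIC + b"\x00" * 62)
        # Genuine-looking PDF: must not be flagged.
        zf.writestr("invoice.pdf", b"%PDF-1.4\n% constructed benign sample\n")
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in scan_zip_bytes(build_sample_attachment()).items():
        print(f"{member}: {', '.join(why)}")
```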
-
Threat Metrics / Malware magnets ...
FYI...
Malware magnets ...
Cisco's threat metrics show pharmaceutical and chemical firms are 11 times more susceptible to Web malware
- http://www.infoworld.com/t/cyber-cri...magnets-238909
Mar 24, 2014 - "... Cyber crime has been estimated* at costing the U.S. economy $100 billion annually, with smaller companies feeling the pain** more often due to inadequate defenses. If Cisco's analyses are on track - and the numbers hold true for people outside of Cisco's customer base - attacks are likely to grow even more targeted to match their victims in the future, with narrower niches singled out by attackers based on their industry."
* http://www.infoworld.com/d/security/...00-jobs-223352
** http://www.infoworld.com/d/security/...r-crime-216543
Feb 2014 Threat Metrics
- http://blogs.cisco.com/security/febr...hreat-metrics/
Mar 21, 2014 - "Web surfers in February 2014 experienced a median malware encounter rate of 1:341 requests, compared to a January 2014 median encounter rate of 1:375. This represents a 10% increase in risk of encountering web-delivered malware during the second month of the year. February 8, 9, and 16 were the highest risk days overall, at 1:244, 1:261, and 1:269, respectively. Interestingly, though perhaps not unexpectedly, web surfers were 77% more likely to encounter Facebook scams on the weekend compared to weekdays. 18% of all web malware encounters in February 2014 were for Facebook related scams.
> http://blogs.cisco.com/wp-content/up...eb2014Rate.jpg
The ratio of unique non-malicious hosts to unique malware hosts was fairly constant between the two months, at 1:4808 in January 2014 and 1:4775 in February 2014. Likewise, the rate of unique non-malicious IP addresses to malicious IP addresses was also similar between the two months, at 1:1330 in January 2014 compared to 1:1352 in February 2014.
> http://blogs.cisco.com/wp-content/up...b2014hosts.jpg
While Java malware encounters were 4% of all web malware encounters in January 2014, that rate increased to 9% in February. Of particular interest was the increase in the rate of Java malware encounters involving versions older than Java 7 or Java 6, which increased to 33% of all Java malware encounters in February 2014 from just 13% in the month prior.
> http://blogs.cisco.com/wp-content/up...eb2014java.jpg
During the month of February 2014, risk ratings for companies in the Media & Publishing vertical increased 417%, Utilities increased 218%, and Insurance 153%. Companies in Pharmaceutical & Chemical remained at a consistent high rate, with a slight increase from a 990% risk rating in January 2014 to an 1100% risk rating in February. To assess vertical risk, we first calculate the median encounter rate for all enterprises, and then calculate the median encounter rate for all enterprises in a particular vertical, then compare the two. A rate higher than 100% is considered an increased risk.
> http://blogs.cisco.com/wp-content/up...eb2014vert.jpg
Following a 20% decrease in spam volume in January 2014, spam volumes increased 73% in February 2014...
> http://blogs.cisco.com/wp-content/up...014spamvol.jpg
The top five global spam senders in February 2014 were the United States at 16.5%, followed by the Russian Federation at 12.41%, with Spain, China, and Germany a distant 3.77%, 3.39%, and 3%, respectively. Though the Russian Federation was also in the number two spot in January 2014, it was a significant volume increase from only 5.10% of global spam origin that month."
___
Secure Message from various banks – fake PDF malware
- http://myonlinesecurity.co.uk/secure...e-pdf-malware/
Mar 27, 2014 - "... pretends to come from various banks is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Almost all of these have a password stealing component, with the aim of stealing your email or FTP ( web space) log in credentials. Many of them are also designed to specifically steal your facebook and other social network log in details... We have seen a couple of different versions over the last few days from different banks, including HSBC, and Natwest...
Subjects seen are:
You have a new Secure Message
You have received a secure message
HSBC secure mail
Secure Message
You have received a secure message
Read your secure message by opening the attachment. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it with Internet Explorer.
If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the HSBC Secure Mail Help Desk.
First time users – will need to register after opening the attachment...
Screenshot: http://myonlinesecurity.co.uk/wp-con...ecure-mail.png
Natwest Secure Message:
You have received a encrypted message from NatWest Customer Support
In order to view the attachment please open it using your email client ( Microsoft Outlook, Mozilla Thunderbird, Lotus )
If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the NatWest Bank Secure Email Help Desk...
27 March 2014 : Version 1 (NatWest bank) SecureMessage.zip (8kb) Extracts to SecureMessage.exe (19kb)
Current Virus total detections: 5/51* MALWR Auto Analysis **
27 March 2014 : Version 2 (HSBC) SecureMessage.zip (11kb) Extracts to SecureMessage.exe (24kb)
Current Virus total detections: 0/51*** MALWR Auto Analysis ****
This You have received a secure message is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email..."
* https://www.virustotal.com/en/file/e...12a4/analysis/
** https://malwr.com/analysis/ZmFkZDRhN...Q5YzlhODQ1Zjg/
*** https://www.virustotal.com/en/file/e...3cbb/analysis/
**** https://malwr.com/analysis/NGI0NjVmY...RjMDVmYmMyZTQ/
___
Facebook You send new photo – fake PDF malware
- http://myonlinesecurity.co.uk/facebo...e-pdf-malware/
Mar 27, 2014 - "... pretending to be from Facebook is another one from the current Androm bot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. Almost all of these have a password stealing component, with the aim of stealing your email or FTP ( web space) log in credentials. Many of them are also designed to specifically steal your facebook and other social network log in details. This campaign follows on from other similar attempts to infiltrate your computer using Facebook as a theme...
Screenshot: http://myonlinesecurity.co.uk/wp-con...-new-photo.png
27 March 2014 DCIM_IMAGEForYou.rar (40kb) Extracts to DCIM_IMAGEForYou.scr
Current Virus total detections: 1/51* MALWR Auto Analysis**
This You send new photo is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/7...9404/analysis/
** https://malwr.com/analysis/ZWQyMjdkY...hjZWVlNTVjMmM/
:mad: :mad:
-
Fake Bank acct. security warning, Something evil on 192.95.44.0/27
FYI...
Fake Bank acct. security warning – fake PDF malware
- http://myonlinesecurity.co.uk/bankin...e-pdf-malware/
28 Mar 2014 - "Banking account security warning pretending to come from FRAUD ALERT SYSTEM <k.cooper@ fraudalert .com> is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. Many of these bank themed emails are extremely difficult to distinguish from phishing scams. It is becoming very frequent that the same or almost identical emails are being used over and over. Sometimes they have a link to a -fake- website where they expect you to give them your details. Other times it contains a html file that they want you to -click- on and enter details. This time they have a -fake- pdf file that if you are unwise enough to open it would infect your computer and enroll it into the Zeus botnet...
Subjects seen:
Important: Unauthorized attempt to access your banking account
Banking account security warning
Attention! Your credit card is being used
Emails seen:
Dear Sir or Madam,
The banking security system has just registered an external attempt to use your credit card from an unknown location.
In view of the fact that the safety of the credit card account is in danger we strongly recommend you to use the emergency instructions given in the attachments.
To protect users from attacks and fraudulent activities coming from within the banking system itself we need your permission to start the investigation and adjust the security measurements. If the required steps won’t be completed the account will be temporarily suspended and will be available after visiting a local office.
Step-by-step instructions and emergency phone number are in attachments to the email.
Truly yours,
PCI DSS Chief officer
K. Cooper ...
28 March 2014 : Fraud alert document 778-1.zip (345kb) Extracts to Fraud alert document 778-1.exe
Current Virus total detections: 4/51* MALWR Auto Analysis**
This Banking account security warning is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email..."
* https://www.virustotal.com/en/file/5...3c50/analysis/
** https://malwr.com/analysis/NjE0ZmFmM...U5NjcyNTkyZTc/
___
Something evil on 192.95.44.0/27 (OVH Canada)
- http://blog.dynamoo.com/2014/03/some...vh-canada.html
28 Mar 2014 - "192.95.44.0/27 (spotted by Frank Denis*) is another evil OVH Canada netblock which I assume belongs to their black hat customer r5x .org / Penziatki although now OVH seem to be masking the customer details. I can see the following active subdomains within this range, all of which can be assumed to be malicious...
(Long list of URLs at the dynamoo URL above.)
I recommend that you apply the following blocklist:
192.95.44.0/27
accruespecialiste .ru
reachprotectione .ru
reachmape .ru
acquireconnectionse .ru "
* https://twitter.com/jedisct1/status/449309681408684032
___
Sky .com SPAM leads to Gameover Zeus
- http://blog.dynamoo.com/2014/03/skyc...pam-leads.html
28 Mar 2014 - "This -fake- Sky spam has a malicious attachment:
Date: Fri, 28 Mar 2014 07:16:43 -0300 [06:16:43 EDT]
From: "Sky.com" [statement@ sky .com]
Subject: Statement of account
Afternoon,
Please find attached the statement of account.
We look forward to receiving payment for the February invoice as this is now due for
payment.
Regards,
Darrel ...
The attachment is a ZIP file which contains an executable Statement_03282014.exe (note that the date is encoded into the file). This has a VirusTotal detection rate of 8/51*. The Malwr analysis** shows several attempted network connections. Firstly there's a download of a configuration file from [donotclick]igsoa .net/Book/2803UKd.wer and then subsequently an attempted connection to aulbbiwslxpvvphxnjij .biz on 50.116.4.71 (a Linode IP which has been seen before) and a number of -other- autogenerated domains.
Recommended blocklist:
50.116.4.71
aulbbiwslxpvvphxnjij .biz
lpuoztsdsnvyxdyvwpnlzwg .com..."
(More domains listed at the dynamoo URL above.)
* https://www.virustotal.com/en-gb/fil...is/1396011158/
** https://malwr.com/analysis/N2ZkYWFiN...k1MGI3MTYwNDU/
___
New Man-in-the-Middle attacks leveraging rogue DNS
- http://atlas.arbor.net/briefs/index#-1333965473
27 Mar 2014
Elevated Severity
New Man-in-the-Middle attacks are manipulating DNS settings and posing as websites of over 70 different financial institutions in order to capture login credentials.
Source:
- http://blog.phishlabs.com/new-man-in...ging-rogue-dns
Mar 26, '14 - "... new wave of "Man-in-the-Middle" (MitM) attacks targeting users of online banking and social media. Customers of more than 70 different financial institutions are being targeted. In these attacks, hackers use -spam- to deliver malware that changes DNS settings and installs a rogue Certificate Authority (CA). The DNS changes point to the hacker's clandestine DNS name server so that users are directed to proxy servers instead of legitimate sites... The browser displays the proper website name and displays the familiar security icon to indicate a trusted, secure connection. The hacker's proxy sits between the authorized user and the real website, capturing login credentials and injecting code into the browsing session. This allows the hacker to take total control of the user's account and carry out unauthorized banking transactions as well as other actions...
> http://blog.phishlabs.com/hs-fs/hub/...itM_Attack.png
The hacker initiates these attacks by using spam to deliver malware to victims via malicious attachments... these spam emails contain a message designed to entice the user to open an attached RTF (Rich Text Format) document. The document contains an OLE (Object Linking and Embedding) object which is actually an executable program file. This program is the malware which changes the DNS and Certificate Authority settings that allow the attack to be performed without any outward signs visible to the user.
> http://blog.phishlabs.com/hs-fs/hub/...sed_as_RTF.png
On many systems, double-clicking an embedded program will execute it. Cybercriminals may use tools to create specially crafted RTF document files that display a familiar data file icon and a caption in most popular word processing programs; thus hiding or obscuring clues to the executable nature of the object, such as the EXE filename extension... The malware embedded in the spammed documents is a backdoor RAT (Remote Administration Tool) with an initial payload containing instructions to change DNS and security settings when initialized. The file is a Win32 PE (Portable Executable) EXE file and is actually a compiled form of an AutoIt script. The AutoIt scripting tools used offer the option to obfuscate the compiled code, and the version used to produce this malware makes it more difficult to decompile or reverse engineer the resulting EXE file than earlier versions. Some but not all of the samples found have been run through a second "cryptor" to aid in evading detection by anti-malware tools... One of the first actions performed by the malware is changing the DNS settings on the infected user’s PC. The malware configures the PC to use the hacker's rogue DNS server... PhishLabs continues to monitor these attacks and is working with others to mitigate the threat."
___
CVE-2014-0322* integrating Exploit Kits
- http://atlas.arbor.net/briefs/index#1584606323
27 Mar 2014
Elevated Severity
The disclosed CVE-2014-0322 vulnerability affecting Internet Explorer 9 and 10 is now being integrated into exploit kits.
This follows previously observed patterns of 0-day exploit code first being developed and used by APT actors for specific targets, then later adapted by cyber criminals for use in exploit kits targeting a much wider range of users who have not yet applied security updates.
Source: http://malware.dontneedcoffee.com/20...loit-kits.html
* https://web.nvd.nist.gov/view/vuln/d...=CVE-2014-0322 - 9.3 (HIGH)
Last revised: 03/16/2014
:fear: :mad:
-
Android.MisoSMS - malware, Google Public DNS intercepted, Credit Card SCAM ...
FYI...
Android.MisoSMS - malware ...
- http://www.fireeye.com/blog/technica...with-xtea.html
Mar 31, 2014 - "FireEye labs recently found a more advanced variant of Android.MisoSMS, the SMS-stealing malware that we uncovered last December* — yet another sign of cybercriminals’ growing interest in hijacking mobile devices for surveillance and data theft. Like the original version of the malware, the new variant sends copies of users’ text messages to servers in China. But the newest rendition adds a few features that make it harder to detect, including a new disguise, encrypted transmissions, and command-and-control (CnC) communications that are handled natively rather than over email... The newest version of MisoSMS suggests that cyber attackers are increasingly eyeing mobile devices — and the valuable information they store — as targets. It also serves as a vivid reminder of how crucial protecting this threat vector is in today’s mobile environment."
* http://www.fireeye.com/blog/?p=4126
(More detail available at both fireeye URLs above.)
___
Who’s Behind the ‘BLS Weblearn’ Credit Card SCAM
- http://krebsonsecurity.com/2014/03/w...dit-card-scam/
Mar 31, 2014 - "A new rash of credit and debit card scams involving bogus sub-$15 charges and attributed to a company called “BLS Weblearn” is part of a prolific international scheme designed to fleece unwary consumers... At issue are a rash of phony charges levied against countless consumers for odd amounts — such as $10.37, or $12.96. When they appear on your statement, the charges generally reference a company in St. Julians, Malta such as BLS*Weblearn or PLI*Weblearn, and include a 1-888 number that may or may not work (the most common being 888-461-2032 and 888-210-6574)...
onlinelearningaccess .com, one of the fraudulent affiliate marketing schemes that powers these -bogus- micropayments:
> http://krebsonsecurity.com/wp-conten...ningaccess.png
... it appears that the payments are being processed by a company called BlueSnap, which variously lists its offices in Massachusetts, California, Israel, Malta and London. Oddly enough, the payment network behind the $9.84 scams that surfaced last year — Credorax — also lists offices in Massachusetts, Israel, London and Malta. And, just like with the $9.84 scam*, this latest micropayment fraud scheme involves an extremely flimsy-looking affiliate income model that seems merely designed for abuse. According to information from several banks contacted for this story, early versions of this scam (in which fraudulent transactions were listed on statements as PLI*WEBLEARN) leveraged pliblue .com, formerly associated with a company called Plimus, a processor that also lists offices in California and Israel (in addition to Ukraine)... If you see charges like these or any other activity on your credit or debit card that you did not authorize, contact your bank and report the fraud immediately. I think it’s also a good idea in cases like this to request a new card in the odd chance your bank doesn’t offer it: After all, it’s a good bet that your card is in the hands of crooks, and is likely to be abused like this again. For more on this scam, check out these posts from DailyKos** and Consumerist***."
* http://krebsonsecurity.com/2014/01/d...t-card-hustle/
** http://www.dailykos.com/story/2014/0...-fraud-warning
*** http://consumerist.com/2014/03/19/ch...-transactions/
___
Fake cclonline "Order Despatched" – fake doc malware
- http://myonlinesecurity.co.uk/cclonl...e-doc-malware/
Mar 31, 2014 - "... pretending to come from sales@ cclonline .com and to be a notification about a computer being despatched to you via DPD courier services is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses...
Dear ellie,
We are pleased to confirm that your order reference 1960096 has been despatched via Economy Courier. You will find the full details of your order and this delivery in the attached document. In a few hours, your consignment 0255417316 can be tracked through the DPD website by clicking the following link: www .dpd .co .uk/tracking/trackingSearch.do?search.searchType=1&search.consignmentNumber=0255417321
You may receive further information concerning your consignment direct from DPD via email and/or SMS
Should you have any queries regarding your purchase, our customer service staff will be pleased to assist. E-mail mailto:custservice@ cclonline .com or telephone 01274 471206.
Thank you for choosing CCL Computers.
Yours sincerely...
31 March 2014: DESPATCH_NOTE_B18E7F.zip (72kb) Extracts to disp_75464354787914325.doc.exe
Current Virus total detections: 2/51* . This cclonline .com – Order Despatched is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper doc file with a fake Bluetooth icon instead of the .exe file it really is..."
* https://www.virustotal.com/en/file/c...892c/analysis/
___
ADP Benefit Election Spam
- http://threattrack.tumblr.com/post/8...-election-spam
Mar 31, 2014 - "Subjects Seen:
Benefit Elections
Typical e-mail details:
Please review the attached CBE form, If you require changes to the options shown, please contact me right away so that we may address your concerns. We will record your elections in our system and provide you a final Client Confirmation Statement for your review.
Please sign and send it back.
Regards,
ADP TotalSource Benefits Team
Screenshot: https://gs1.wac.edgecastcdn.net/8019...ybc1r6pupn.png
Malicious File Name and MD5:
CBE_Form.zip (60770AD82549984031FD3615E180EC83)
CBE_Form.scr (20406804C43D11DA25ABC2714697EC59)
Tagged: ADP, Upatre
___
Google’s Public DNS intercepted in Turkey
- http://googleonlinesecurity.blogspot...in-turkey.html
Mar 29, 2014 - "We have received several credible reports and confirmed with our own research that Google’s Domain Name System (DNS) service has been intercepted by most Turkish ISPs (Internet Service Providers). A DNS server tells your computer the address of a server it’s looking for, in the same way that you might look up a phone number in a phone book. Google operates DNS servers because we believe that you should be able to quickly and securely make your way to whatever host you’re looking for... imagine if someone had changed out your phone book with another one, which looks pretty much the same as before, except that the listings for a few people showed the wrong phone number. That’s essentially what’s happened: Turkish ISPs have set up servers that masquerade as Google’s DNS service."
:mad: :fear:
-
Something evil on 64.202.116.124, Fake PDF malware...
FYI...
Something evil on 64.202.116.124
- http://blog.dynamoo.com/2014/04/some...202116124.html
1 Apr, 2014 - "64.202.116.124 (HostForWeb, US) is currently hosting exploit kits (see this example*). I recommend that you block traffic to this IP or the domains listed in this pastebin**. Most of the domains listed are dynamic DNS ones. If you block all such domains in that list it is nice and manageable:
in .ua
myftp .org
sytes .net
hopto .org
no-ip .biz
myvnc .com
sytes .net
no-ip .info
tobaccopeople .com "
* http://urlquery.net/report.php?id=1396348899312
** http://pastebin.com/Pq4kDit6
- https://www.virustotal.com/en/ip-add...4/information/
___
Fake message from your attorney - PDF malware
- http://myonlinesecurity.co.uk/messag...e-pdf-malware/
1 April 2014 - "... pretending to be from your neighbour is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. Almost all of these have a password stealing component, with the aim of stealing your email or FTP ( web space) log in credentials. Many of them are also designed to specifically steal your facebook and other social network log in details. This one also has a rootkit component so the malware it downloads & runs, attempts to stay hidden on your computer...
Hi, there!
This is your neighbor writing here. Today your attorney popped you, but you were out, so he left a message for you.
I have attached the file in this email, so you can open and check everything you need.
Your attorney told me it is quite urgent and as soon as you check this message you should call him back.
If something is not clear, you can find the cell phone number of your attorney into the file, so you can dial it at once...
1 April 2014 please call me back asap.zip (346kb) Extracts to please call me back asap.exe
Current Virus total detections: 6/51*. This message from your attorney is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/a...6e81/analysis/
___
Fake rbs .com "RE: Copy" SPAM
- http://blog.dynamoo.com/2014/04/rbsc...copy-spam.html
1 Apr 2014 - "This very terse spam has a malicious attachment:
Date: 1 Apr 2014 14:25:39 GMT [10:25:39 EDT]
From: Kathryn Daley [Kathryn.Daley@ rbs .com]
Subject: RE: Copy
(Copy-01042014)
The attachment is Copy-04012014.zip which in turn contains a malicious executable Copy-04012014.scr which has a VirusTotal detection rate of just 3/50*. The Malwr analysis** shows that it has the characteristics of P2P/Gameover Zeus and it makes several network connections starting with a download of a configuration file from: [donotclick]photovolt .ro/script/0104UKd.bis . The malware then tries to contact a number of other domains. I recommend using the following blocklist:
50.116.4.71
photovolt .ro
aulbbiwslxpvvphxnjij .biz ..."
(More listed at the dynamoo URL above.)
* https://www.virustotal.com/en-gb/fil...is/1396353996/
** https://malwr.com/analysis/MWY4M2M3Y...JjMDhlYmM3ZmY/
___
Royal Mail Lost Package Spam
- http://threattrack.tumblr.com/post/8...t-package-spam
Apr 1, 2014 - "Subjects Seen:
Failure to deliver
Typical e-mail details:
Dear <email address>
Royal Mail has detained your package #98159-5424.Unfortunately some important information is missing to complete the delivery.
Please fulfil the documents attached, and send it back to: onlinepostage@ royalmail.com
The RM International Mail Branch holding will notify you of the reason for detention .
Malicious File Name and MD5:
rm_332009105C.zip (AB0041BC7687AE92E378B145663519C5)
Deliery_info_7383461243.pdf.exe (3F54A5BBAD1B63263135DC97037447E1)
Screenshot: https://gs1.wac.edgecastcdn.net/8019...ITU1r6pupn.png
___
Bogus email “ACH failed...” - trojan in .scr format
- http://blog.mxlab.eu/2014/03/31/emai...in-scr-format/
Mar 31, 2014 - "... new trojan distribution campaign by email with the subject “ACH failed due to system failure”... has the following body:
ACH PAYMENT CANCELLED
The ACH Transfer (ID: 87052955198926), recently submitted from your savings account (by you or any other person), was CANCELLED by other financial institution.
Rejection Reason: See details in the acttached report.
Transfer Report: report_87052955198926.pdf (Adobe Reader PDF)
13450 Sunrise Valley Drive, Suite 100
Herndon, VA 20171
2014 NACHA – The Electronic Payments Association
The attached ZIP file has the name report_87052955198926.zip and contains the 19 kB large file report_28740088654298.scr. The trojan is known as W32/Trojan.MNWL-4927 or TROJ_GEN.F0D1H00CV14. At the time of writing, 3 of the 48 AV engines did detect the trojan at Virus Total. Use the Virus Total permalink* and Malwr permalink** for more detailed information.
SHA256: 1ab76103d28fda1ed11d2019e7c47df3d57401aee43e7df785b057853f9c1f52 "
* https://www.virustotal.com/en/file/1...1f52/analysis/
** https://malwr.com/analysis/OTg5MWRiN...YzYjgzNzUyMGM/
:fear: :mad:
-
Something evil on 66.96.223.204 + 213.229.69.41, Facebook SPAM...
FYI...
Something evil on 66.96.223.204
- http://blog.dynamoo.com/2014/04/some...696223204.html
2 Apr 2014 - "66.96.223.204 (Network Operations Center, US) appears to be hosting some sort of malicious redirectors being used in current malware campaigns. VirusTotal gives a snapshot of the badness*.
* https://www.virustotal.com/en-gb/ip-...4/information/
Recommended blocklist:
66.96.223.204 ..."
(More URLs listed at the dynamoo URL above.)
___
Something evil on 213.229.69.41
- http://blog.dynamoo.com/2014/04/some...132296941.html
2 Apr 2014 - "This tweet by Malmouse* got me investigating what was happening on 213.229.69.41.. and the answer is that it appears to be unmitigated badness. First of all, these domains are either currently or recently hosted on 213.229.69.41, or are associated with it in some way... VirusTotal gives a good overview of the badness on this IP**.
** https://www.virustotal.com/en-gb/ip-...1/information/
... All these domains appear to be recently registered with the exception of gfthost .com which has ns1.gfthost .com and ns2.gfthost .com hosted on the same IP. Both those nameservers are used exclusively for these malware domains, so there must be some sort of connection... I recommend that you -block- 213.229.69.41 (Simply Transit, UK) ..."
* https://twitter.com/malm0u53/status/451299152316882944
___
Fake Facebook emails lead to Upatre Malware
- http://blog.malwarebytes.org/securit...patre-malware/
Apr 2, 2014 - "... SPAM messages in circulation bearing the message “Some men commented on your status”... Here’s the spam message currently landing in mailboxes, which looks like a Facebook notification:
> http://cdn.blog.malwarebytes.org/wp-...04/fbcute1.jpg
... The -clickable- link leads to a Dropbox page which is currently offline. The Malware involved in this particular spam run claims to be a PDF file:
> http://cdn.blog.malwarebytes.org/wp-...04/fbspam2.jpg
The spammers are making use of the Windows feature which hides extensions of common file types...
> http://cdn.blog.malwarebytes.org/wp-...04/fbspam3.jpg
... the so-called PDF is actually an .scr file, commonly used in Malware campaigns... As for the Malware itself, the VirusTotal score is currently pegged at 23/51*, a Malwr analysis can be seen here**... Upatre is well known for email campaigns and downloading additional Malware onto a compromised PC – from there, browser credentials, insecure passwords and anything else the attacker can think of could be up for grabs. Upatre often tends to go hand in hand with ZBot, which has many ties to Ransomware..."
* https://www.virustotal.com/en/file/8...9322/analysis/
** https://malwr.com/analysis/M2YyMjYwN...NiYjQzMzljZTI/
- http://myonlinesecurity.co.uk/facebo...e-pdf-malware/
1 Apr 2014
___
Fake Companies House "Annual Return" – fake PDF malware
- http://myonlinesecurity.co.uk/compan...e-pdf-malware/
2 Apr 2014 - "... 'Annual Return' pretending to be from Companies House <web-filing@ companies-house .gov .uk> received is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers...
Companies House
Thank you for completing a submission Reference # (0282665).
• (AR01) Annual Return
Your unique submission number is 0282665
Please quote this number in any communications with Companies House.
Check attachment to confirm acceptance or rejection of this filing.
All web filed documents (with the exception of downloaded accounts templates) are available to view / download for 10 days after their original submission.
Once accepted, these changes will be displayed on the public record...
Fake Companies House(AR01) Annual Return received:
> http://myonlinesecurity.co.uk/wp-con...ual-return.png
2 April 2014: Ref_0282665.zip (7kb) - Extracts to Ref_04022014.scr
Current Virus total detections: 14/51* . This (AR01) Annual Return received is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en-gb/fil...9dff/analysis/
Screenshot: https://gs1.wac.edgecastcdn.net/8019...2u81r6pupn.png
___
Fake Bitdefender A/V ...
- http://www.hotforsecurity.com/blog/f...2015-8262.html
Mar 31, 2014 - "... -fake- Bitdefender antivirus download posted on YouTube leads users to fraudulent surveys and premium SMS scams. The video had hundreds of views and several French users posted messages to warn others.
> http://www.hotforsecurity.com/wp-con...-plus-2015.jpg
... The grammatically-troubled spammers lure users into clicking on a URL-shortened link that hides a fraudulent website. The “Bitdefender” download is then blocked by a phony human verification warning. “It is very simple to verify, just complete any of the verification forms or surveys from the list below,” the message reads. The options include direct downloads, “how smart are you” surveys and selections of soccer games.
> http://www.hotforsecurity.com/wp-con...lus-2015-1.jpg
Users never get to download Bitdefender Antivirus Plus 2015, but they are redirected to scams such as premium SMS fraud that copies Facebook’s design to look like a legitimate app of the social network. For a month now, several “entrepreneurs” have also been spreading license keys for Bitdefender Total Security on Facebook. Bitdefender has reported the -fake- YouTube video and the -deceptive- Facebook profile and advises users to be cautious before downloading security software from third parties..."
:fear: :mad:
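The posts above keep describing the same trick: an .exe or .scr inside a ZIP, given a PDF or DOC icon and a name like Deliery_info_7383461243.pdf.exe, which the Windows default of hiding known extensions turns into an innocent-looking "Deliery_info_7383461243.pdf". The following is an added defender-side example, not code from any of the quoted blogs, that triages a ZIP attachment for exactly that pattern: executables inside the archive, double extensions, and PE "MZ" content under a document name. The ZIP it inspects is constructed in memory with dummy bytes; it contains no real program.

```python
import io
import os
import zipfile

# Extensions Windows runs as programs on double-click.
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
# Extensions the lures in the posts claim to be.
DOCUMENT_EXT = {".pdf", ".doc", ".docx", ".rtf", ".txt"}


def split_extensions(name):
    """All extensions of a filename, lowercase, outermost last:
    'Deliery_info_7383461243.pdf.exe' -> ['.pdf', '.exe']."""
    base = os.path.basename(name)
    exts = []
    while True:
        base, ext = os.path.splitext(base)
        if not ext:
            return exts
        exts.insert(0, ext.lower())


def displayed_name(name):
    """How Explorer shows the name with 'hide extensions for known file types'
    on (the Windows default): the final registered extension disappears, so
    'X.pdf.exe' is displayed as 'X.pdf' and 'CBE_Form.scr' as 'CBE_Form'."""
    base, ext = os.path.splitext(name)
    return base if ext else name


def classify_member(name, head):
    """Findings for one archive member, from its name and its first bytes.
    'head' is the start of the member's content (two bytes are enough)."""
    findings = []
    exts = split_extensions(name)
    last = exts[-1] if exts else ""
    if last in EXECUTABLE_EXT:
        findings.append("executable-in-archive")
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXT and last in EXECUTABLE_EXT:
        findings.append("double-extension")
    # A Win32 PE file starts with the DOS stub marker 'MZ'. If that marker sits
    # under a document name, the name is lying regardless of the icon shown.
    if head.startswith(b"MZ") and last not in EXECUTABLE_EXT:
        findings.append("pe-content-with-document-name")
    return findings


def triage_zip(data):
    """Map each member of a ZIP attachment (given as bytes) to its findings."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(2)
            report[info.filename] = classify_member(info.filename, head)
    return report


def is_suspicious(report):
    """True when any member carries a finding; a sensible quarantine trigger."""
    return any(report.values())


def build_sample_zip():
    """Constructed stand-in for the attachments in the posts. The members carry
    only the two-byte 'MZ' marker followed by text, not real programs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Deliery_info_7383461243.pdf.exe", b"MZ constructed dummy")
        zf.writestr("CBE_Form.scr", b"MZ constructed dummy")
        zf.writestr("invoice.pdf", b"MZ constructed dummy")  # PE bytes, PDF name
        zf.writestr("readme.txt", b"plain text, benign")
    return buf.getvalue()


if __name__ == "__main__":
    for member, findings in triage_zip(build_sample_zip()).items():
        print(f"{member!r} shown as {displayed_name(member)!r}: {findings or 'clean'}")
```

Run it on a real attachment by passing the ZIP's bytes to triage_zip(); a non-empty finding list for any member is the cue to hold the message rather than deliver it.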
-
Attachment inside an attachment - UPATRE ...
FYI
Attachment inside an attachment - UPATRE ...
- http://blog.trendmicro.com/trendlabs...an-attachment/
Apr 4, 2014 - "... the UPATRE threat is constantly advancing its techniques–this time, by using multiple levels of attachments... a spammed message that imitates emails from known banks such as Lloyds Bank and Wells Fargo. The spam within spam technique was already notable in itself, as the .MSG file contained another .MSG file attached–only this time, the attached file actually contains the UPATRE variant, which we detect as TROJ_UPATRE.YYKE...
An email from “Lloyds Bank” contains a .MSG attachment
> http://blog.trendmicro.com/trendlabs...atre-spam1.png
Opening the .MSG attachment reveals a malicious .ZIP file
> http://blog.trendmicro.com/trendlabs...atre-spam2.png
Based on our analysis, TROJ_UPATRE.YYKE downloads its ZBOT tandem, detected as TSPY_ZBOT.YYKE. This ZBOT variant then downloads a NECURS variant detected as RTKT_NECURS.RBC. The NECURS malware is notable for its final payload of disabling computers’ security features, putting computers at serious risk for further infections. It gained notoriety in 2012 for its kernel-level rootkit and backdoor capabilities. It is important to note that we are now seeing an increase of this malware, which can be attributed to UPATRE/ZBOT being distributed as attachments to spammed messages... Users should always be on their guard when dealing with unknown or unfamiliar emails, sites, or files..."
___
SPAM: Important – New Outlook Settings – fake PDF malware
- http://myonlinesecurity.co.uk/import...e-pdf-malware/
Apr 4, 2014 - "... pretends to come from your own domain is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses...
Please carefully read the attached instructions before updating settings.
This e-mail and / or any attachment(s) is intended solely for the above-mentioned recipient(s) and it may contain confidential or privileged information. If you have received it in error, please notify us immediately at helpdesk@ thespykiller .co .uk and delete the e-mail. You must not copy it, distribute it, disclose it or take any action in reliance on it.
4 April 2014: OutlookSettings.zip (7kb) : Extracts to OutlookSettings.scr
Current Virus total detections: 5/51*. This Important – New Outlook Settings is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is..."
* https://www.virustotal.com/en/file/2...7c53/analysis/
____
Twitter Spam: Compromised Accounts and Websites lead to Diet Spam
- http://www.symantec.com/connect/blog...lead-diet-spam
4 Apr 2014 - "Earlier this week, a large number of Twitter accounts were compromised and used by spammers to spread “miracle diet” spam. The compromised accounts included public figures, as well as average users of the social networking service.
Twitter miracle diet spam:
> http://www.symantec.com/connect/site...Figure1_10.png
... Twitter is no stranger to this problem. Over the years, we’ve seen many different campaigns try to capitalize on the latest miracle diet craze. In this particular case, spammers are trying to peddle garcinia cambogia extract through a page designed to look identical to the real Women’s Health website.
Fake promotional page used by spammers in this campaign
> http://www.symantec.com/connect/site.../Figure2_6.png
Many of the tweets contained messages saying “I couldn’t believe it when I lost 6 lbs!” and “I was skeptical, but I really lost weight!” followed by a URL shortened using Bitly .com. Celebrities and public figures are often sought after to help endorse products. One of the compromised accounts... By compromising accounts like Jamie’s, spammers increase their odds of convincing someone to click on their links and perhaps even purchase the diet product... Diet spam is here to stay and social networks remain the perfect place for spammers to try to make money off of unsuspecting users..."
___
Fiesta Exploits Kit Targeting High Alexa-Ranked Site
- https://atlas.arbor.net/briefs/index#-564048760
Elevated Severity
3 Apr 2014
Analysis: Exploit kits are easy to find and purchase, making attacks relatively easy for cybercriminals. Like other kits, Fiesta EK includes a number of exploits targeting widespread applications with disclosed vulnerabilities; it is rare for a kit to have zero-day capabilities... In addition, most vulnerabilities targeted by kits have patches available, including some updates available as far back as 2012. The most likely intended victims of EKs are therefore those with unpatched systems. Applying patches in a timely manner is absolutely critical for network security. Multiple Fiesta EK campaigns, including this current one, have made use of -dynamic- DNS (DDNS) domains to host exploits. Due to the widespread malicious use of DDNS, organizations should automatically scrutinize network traffic to DDNS in order to determine whether or not it is legitimate.
Source: http://community.websense.com/blogs/...lexa-site.aspx
___
CryptoDefense - CryptoLocker imitator ...
- http://www.symantec.com/connect/blog...4000-one-month
Mar 31, 2014 - "... CryptoDefense appeared in late February 2014 and since that time Symantec telemetry shows that we have blocked over 11,000 unique CryptoDefense infections. Using the Bitcoin addresses provided by the malware authors for payment of the ransom and looking at the publicly available Bitcoin blockchain information, we can estimate that this malware earned cybercriminals over $34,000 in one month alone... Symantec has observed CryptoDefense being spammed out using emails such as the one shown:
> http://www.symantec.com/connect/site.../Figure1_9.png
... Example of HOW_DECRYPT.HTML file:
> http://www.symantec.com/connect/site.../Figure2_5.png
... malware authors are using the Tor network for payment of the ransom demand. If victims are not familiar with what the Tor network is, they even go as far as providing instructions on how to download a Tor-ready browser and enter the unique Tor payment Web page address. The use of the Tor network conceals the website’s location and provides anonymity and resistance to take down efforts. Other similar threats, such as Cryptorbit (Trojan.Nymaim.B), have used this tactic in the past... Once the user opens their unique personal page provided in the ransom demand using the Tor Browser, they will be presented with a CAPTCHA page:
> http://www.symantec.com/connect/site.../Figure3_3.png
... Once they have filled in the CAPTCHA correctly, the user will be presented with the ransom payment page:
> http://www.symantec.com/connect/site.../Figure4_4.png
... As advertised by the malware authors in the ransom demand, the files were encrypted with an RSA-2048 key generated on the victim’s computer. This was done using Microsoft’s own cryptographic infrastructure and Windows APIs to perform the key generation before sending it back in plain text to the attacker’s server. However, using this method means that the decryption key the attackers are holding for ransom, actually still remains on the infected computer after transmission to the attackers server... To further protect against threats of this nature, it is recommended that you follow security best practices and -always- backup your files..."
:mad: :mad:
-
Fake Evernote leads to malware ...
FYI...
Fake Evernote – Image has been sent – leads to malware download
- http://myonlinesecurity.co.uk/image-...ware-download/
8 April 2014 - "... appears to come from Evernote service [support@ evernote .com] another one from the current bot runs which try to drop loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment
Image has been sent < your name>.
DCIM_4199.jpg <http ://kingperu .com/1.html >
28 Kbytes
Go to Evernote <http ://kingperu .com/1.html>
2014 Evernote. Privacy policy provides our policies and procedures for collecting, using, and disclosing your information.
Users can access the Evernote service (the “Service”) through our website, applications on Devices, through APIs, and through third-parties.
A “Device” is any computer used to access the Evernote Service, including without limitation a desktop, laptop, mobile phone, tablet, or other consumer electronic device...
Screenshot: http://myonlinesecurity.co.uk/wp-con...-been-sent.png
Following the link in the email sends you to a page offering a download of Vio player (why on earth anybody would think that they need vio player to view an image in evernote, I really don’t know). You -don’t- get the download offering from the original page but that loads 3 sites in the background and you are randomly sent to one...
8 April 2014 : setup.exe (565kb) : Current Virus total detections: 5/51*"
* https://www.virustotal.com/en/file/5...21b4/analysis/
___
Fake Sage SPAM ...
- http://blog.dynamoo.com/2014/04/sage...d-copy-of.html
8 April 2014 - "This -fake- Sage spam comes with a malicious attachment:
Date: Tue, 8 Apr 2014 08:65:82 GMT
From: Sage [Merrill.Sterling@ sage-mail .com]
Subject: RE: BACs #3421309
Please see attached copy of the original invoice.
Attached is a file BACs-3421309.zip which in turn contains a malicious executable BACs-040814.exe which has a VirusTotal detection rate of 10/51*. The Malwr analysis** shows that it attempts to download a configuration file from [donotclick]hemblecreations .com/images/n0804UKd.dim and then it attempts to connect to a number of other domains and IP addresses.
Recommended blocklist:
50.116.4.71
aulbbiwslxpvvphxnjij .biz ..."
(More URLs listed at the dynamoo URL above.)
* https://www.virustotal.com/en-gb/fil...is/1396961704/
** https://malwr.com/analysis/MDBjYmFhY...Y0MjJlMWRhYTI/
- https://www.virustotal.com/en/ip-add...1/information/
___
Fake Starbucks 'gift' email – fake PDF malware
- http://myonlinesecurity.co.uk/starbu...e-pdf-malware/
8 April 2014 - "... another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... This one is slightly more unusual than most others because they are sending a .exe file in the email and not a zipped file...
Your friend just made an order at Starbucks Coffee Company a few hours ago.
He pointed he is planning to make a special gift for you and he have a special occasion for that.
We’ve arranged an awesome menu for that case that can really surprise you with our new flavors.
In the attachment you can view the whole menu and the address and the exact time you can come and celebrate this day with your friend.
He asked to stay anonymous in order to make some mystery and desire to come and enjoy this atmosphere.
Have an awesome evening!
Screenshot: http://myonlinesecurity.co.uk/wp-con...bucks-gift.png
8 April 2014 Starbucks Coffee Company gift details on 12.04.2014.exe - Current Virus total detections: 4/50*. This Starbucks Coffee Company gift from your friend is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/c...2541/analysis/
___
Bank of America CashPro Spam
- http://threattrack.tumblr.com/post/8...a-cashpro-spam
Apr 8, 2014 - "Subjects Seen:
FW: Important documents
Typical e-mail details:
Important account documents
Reference: C58
Case number: 8924169
Please scan attached document and fax it to +1 (888) 589-0271.
Please note that the Terms and Conditions available below are the Bank’s most recently issued versions...
Malicious File Name and MD5:
AccountDocuments.zip (2A3034F7E6AD24B58CA11ED13AB2F84D)
Account_Documents.scr (3CD24390EDAE91C0913A20CEF18B5972)
Screenshots: https://gs1.wac.edgecastcdn.net/8019...TSR1r6pupn.png
Tagged: Bank of America, CashPro, Upatre
___
Scam Virus Shield app top paid app in Play Store
- http://blog.malwarebytes.org/mobile-...in-play-store/
Apr 8, 2014 - "An app claiming to be an antivirus solution climbed the charts as a top paid app in the Play Store...The problem is the app is a -fake-, a scam really. It does not scan for nor does it detect malware on Android devices...
> http://cdn.blog.malwarebytes.org/wp-...ussheild03.jpg
The app doesn’t do much but change the protection status and run a progress bar in the notification area. Although it appears to do a scan, it does not and has very limited functionality. The app is no longer in the Play Store and was first reported by Android Police*..."
* http://www.androidpolice.com/2014/04...-a-total-scam/
- http://cdn.androidpolice.com/wp-cont...7-02.08.02.png
:fear: :mad:
-
Instagram SCAM, Fake eBay emails ...
FYI...
Instagram Scam: Lottery Winners impersonated to offer Money for Followers
- http://www.symantec.com/connect/blog...oney-followers
9 Apr 2014 - "... Instagram scammers have been posting images offering -fake- lottery winnings to followers. They have convinced users to share the posts, give up personal information, and even send money back to the scammers...
> http://www.symantec.com/connect/site...figure1_20.png
... In this -scam- a number of Instagram accounts have been created to impersonate real-life lottery winners from the UK and US. These accounts claim to offer US$1,000 to each Instagram user who follows them and leaves a comment with their email address... It’s clear that these accounts are fraudulent, but users continue to believe that they will be given US$1000 just for following Instagram accounts... if it sounds too good to be true, it is."
___
Something evil on 66.96.223.192/27
- http://blog.dynamoo.com/2014/04/some...622319227.html
9 Apr 2014 - "There seems to be some exploit activity today on the IP range 66.96.223.192/27 (a customer of Network Operations Center, US). Most domains are already -flagged- as malicious by Google, and I've reported on bad IPs in this range before. A list of the domains I can find in this range, their myWOT ratings and Google and SURBL prognoses can be found here* [csv]. I would recommend applying the following blocklist:
66.96.223.192/27
capcomcom .com
chebuesx .com ..."
(Long list at the dynamoo URL above.)
* http://www.dynamoo.com/files/66.96.223.192-27.csv
___
Fake eBay emails – Pharma SPAM
- http://myonlinesecurity.co.uk/fake-d...y-pharma-spam/
9 Apr 2014 - "... we are now seeing fake < Your name >, You have delayed mails from eBay. In exactly the same way as the Fake Facebook Messages, these fake Ebay messages appear to come from eBayNotifier but are being sent by one of the botnets and -not- by Ebay at all. These only have 1 link in them unlike the previous which normally have 2 links in them, that if you are unwise enough to click on them will either take you to a Women’s Health page trying to sell you fake drugs for slimming or other women’s problems. Other days they send you to one of the Canadian or Russian Pharmacy pages selling Viagra, valium or other illegal drugs. Today's offerings are to a Canadian Pharma spam site. Always hover over the links in these emails and you will see that they do -not- lead to Ebay. Do not click on the links, just -delete- the emails as soon as they arrive. There is always the very high possibility that one of the other botnets will use these to send you to a malicious site where your computer will be infected... Email text will say something like:
Your name,
You have delayed mail
View mails
Yours truly
eBayNotifier
Screenshot: http://myonlinesecurity.co.uk/wp-con...-from-eBay.png ..."
:mad: :fear:
-
Fake CDS, DHL SPAM ...
FYI...
Fake CDS Invoice – fake PDF malware
- http://myonlinesecurity.co.uk/cds-in...e-pdf-malware/
10 April 2014 - "Following on from today’s and other recent DHL* and -other- delivery service failure notices, the malware gangs have changed tack and are sending out local courier company invoices. CDS Invoice pretending to come from accounts@ cdsgroup .co .uk is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses...
Dear client
Please find attached your invoice number 168027
If you have any queries with this invoice, please email us... or call us...
For and on behalf of The CDS Group of Companies
Crawfords of London | Crawfords Delivery Services | Media Express | CDS International
Passenger Car Services Same Day UK Couriers TV Support Units Overnight & International...
This message and any attachment are confidential and may be privileged...
This email has been scanned...
Screenshot: http://myonlinesecurity.co.uk/wp-con...ds-invoice.png
9 April 2014: CDS_INVOICE_168027.zip (464 kb): Extracts to CDS_INVOICE_168027.exe
Current Virus total detections: 6/51**. This CDS Invoice is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* http://myonlinesecurity.co.uk/dhl-de...e-pdf-malware/
10 April 2014
Fake DHL email Screenshot: http://myonlinesecurity.co.uk/wp-con...ery-report.png
** https://www.virustotal.com/en/file/1...is/1397115564/
___
SCAM: Climate Change And Health Conference ...
- http://blog.dynamoo.com/2014/04/ccah...nd-health.html
10 April 2014 - "This -spam- is a form of an advanced fee fraud scam:
From: CCAHC ccahc@ live .com
Reply-To: ccahc@ e-mile .co .uk
Date: 10 April 2014 16:04
Subject: Call for Poster
CCAHC: Climate Change And Health Conference 2014
Dear Colleague,
On behalf of the CCAHC Scientific Committee, you are cordially invited to attend the 14th Climate Change & Health Conference to be held in Ibis Garden Hotel, from 16th - 18th May, 2014.
The CCAHC 2014 event promises unrivalled learning and networking opportunities for the general public. Invited speakers are experts from multiple sectors and disciplines. Case studies of successful collaborations of environment, nutrition and public health across a wide range of issues...
Sincerely yours,
Professor Jon Lloyd
Conference Chair
Maple House, 37-45 City Road, London EC1Y 1AT, United Kingdom
The email originates from 196.46.246.174 (Airtel, Nigeria) via 221.120.96.3 in Bangladesh. Note that the sender is using -free- email addresses rather than one that ties back to an identifiable organisation. The email was sent to a spamtrap... the sting is that there will be visa and hotel fees to pay before going to the conference, and once this money has been sent by Western Union then the scammers will -vanish- taking their mythical conference with them."
___
Fake UPS SPAM - Exception Notification – fake PDF malware
- http://myonlinesecurity.co.uk/ups-ex...e-pdf-malware/
10 April 2014 - "... UPS Exception Notification pretending to be from UPS Quantum View [auto-notify@ ups .com] is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers. This one has links in the email to download the malware laden zip, rather than an attachment...
UPS
Discover more about UPS:
Visit ups .com
At the request of the shipper, please be advised that delivery of the following shipment has been rescheduled.
Important Delivery Information
Tracking Number:1Z522A9A6892487822 [ clickable URL ]
Rescheduled Delivery Date:14-April-2014
Exception Reason:THE CUSTOMER WAS NOT AVAILABLE ON THE 1ST ATTEMPT. A 2ND ATTEMPT WILL BE MADE
Exception Resolution:PACKAGE WILL BE DELIVERED NEXT BUSINESS DAY.
Shipment Detail ...
Screenshot: http://myonlinesecurity.co.uk/wp-con...tification.png
... another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is..."
:mad: :fear:
-
Something evil on 62.75.140.236, 62.75.140.237, 62.75.140.238 and 64.120.207.253, 64.120.207.254
FYI...
Something evil on 62.75.140.236, 62.75.140.237, 62.75.140.238 and 64.120.207.253, 64.120.207.254
- http://blog.dynamoo.com/2014/04/some...275140237.html
11 April 2014 - "This set of IPs is being used to push the Angler EK [1*] [2**]:
Intergenia, Germany
62.75.140.236
62.75.140.237
62.75.140.238
Network Operations Center (HostNOC), US
64.120.207.253
64.120.207.254
A look at the /24s that these ranges are in indicates a mix of malicious and legitimate sites, but on the whole it might be a good idea to consider blocking traffic to 62.75.140.0/24 and 64.120.207.0/24.
Sites on these IPs consist of hijacked subdomains of (mostly) legitimate domains in the Intergenia range and purely malicious domains in the HostNOC range..."
(Long list of domains at the dynamoo URL above.)
* http://wepawet.iseclab.org/view.php?...206144&type=js
** http://urlquery.net/report.php?id=1397206442682
___
Fake UKMail - Proof of Delivery Report – fake PDF malware
- http://myonlinesecurity.co.uk/proof-...e-pdf-malware/
11 April 2014 - "Continuing from yesterday’s theme of parcel & courier email messages, the malware bad guys are continuing with the same theme today. Proof of Delivery Report: 09/04/14-11/04/14, pretending to come from UKMail Customer Services [list_reportservices@ ukmail .com] is another one from the current bot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers...
Dear Customer,
Please find attached your requested Proof of Delivery (POD) Download Report
………………………………………………………………………………………………………………………
iMail Logo
“For creating, printing and posting your next day mail”
click here to realise the savings that you could make
Please consider the environment before printing this e-mail or any attachments.
This email and its attachments may be confidential and are intended solely for the use of the individual to whom it is addressed.
If you have received this message in error, please notify us and remove it from your system. Any views or opinions expressed are solely those of the author and do not necessarily represent those of UK Mail Group Plc or any of its subsidiaries.
UK Mail Group Plc is registered and incorporated in England.
Registered Office: Express House, 120 Buckingham Avenue, Slough, SL1 4LZ, United Kingdom.
Registered Company No.: 02800218.
11 April 2014: poddel-pdf-2014041103004500.zip (59 kb). Extracts to poddel-pdf-2014041103004500.exe
Current Virus total detections: 2/51*. This Proof of Delivery Report: 09/04/14-11/04/14 is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/f...8f0d/analysis/
:mad: :fear:
-
Something still evil on 66.96.223.192/27
FYI...
Something still evil on 66.96.223.192/27
- http://blog.dynamoo.com/2014/04/some...622319227.html
16 April 2014 - "Last week I wrote about a rogue netblock hosted by Network Operation Center* in the US. Well, it's still spreading malware but now there are -more- domains active on this range. A full list of the subdomains I can find are listed here [pastebin**]. I would recommend that you apply the following blocklist:
66.96.223.192/27
andracia .net ..."
(Long list at the dynamoo URL above.)
* http://blog.dynamoo.com/2014/04/some...622319227.html
** http://pastebin.com/RQfE69hn
___
Netflix-themed tech support SCAM ...
- http://blog.malwarebytes.org/fraud-s...more-copycats/
April 16, 2014 - "A few weeks ago we blogged about this Netflix phishing scam -combined- with fake tech support that was extorting private information and money from people. The scam worked by asking unsuspecting users to log into their Netflix account and enter their username and password into a -fraudulent- website. After collecting the personal details, the perpetrators used a fake warning to state the particular account had been suspended. All this effort was really about leading potential victims into a trap, by making them call a 1-800 number operated by -fake- tech support agents ready to social engineer their mark and collect their credit card details. A slightly new variant is once again making the rounds with the same goal of funnelling traffic to -bogus- ‘customer support’ hotlines:
> http://cdn.blog.malwarebytes.org/wp-...ed_netflix.png
... this time around the scammers behind it are expanding the phishing pages to other online services as well to target a wider audience. Crooks are buying online ads for each brand such as this one on Bing for “netflix tech support number”:
> http://cdn.blog.malwarebytes.org/wp-...04/bingad1.png
... The quality of leads you get from targeted advertising is much higher than that from random cold calls. If you can attract people already looking for help and offer them your service, chances are conversion rates will be higher..."
:fear: :mad:
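Applying the blocklists above and the dynamic-DNS advice from the Fiesta EK brief to traffic logs, as an added example that is not code from dynamoo or Arbor: the script takes the ranges and names quoted in the posts above (66.96.223.192/27, 62.75.140.0/24, 64.120.207.0/24, the individual Angler EK IPs, 50.116.4.71 and the listed domains), flags any proxy log line whose destination IP falls inside a range or whose hostname sits at or under a listed domain, and separately marks hostnames under dynamic-DNS zones for review rather than blocking them outright. The log format and the log lines are constructed for the example, and the set of dynamic-DNS zones is an assumption (a handful of well-known providers, not something the posts list).

```python
"""Added example (not from the dynamoo or Arbor posts): apply the recommended
blocklists and the 'scrutinise dynamic-DNS traffic' advice to proxy log lines."""
import ipaddress

# Ranges and hosts quoted in the posts above; illustrative, not a complete feed.
BLOCK_NETWORKS = [ipaddress.ip_network(n) for n in (
    "66.96.223.192/27", "62.75.140.0/24", "64.120.207.0/24",
    "62.75.140.236/32", "62.75.140.237/32", "62.75.140.238/32",
    "64.120.207.253/32", "64.120.207.254/32", "50.116.4.71/32",
)]
BLOCK_DOMAINS = {"capcomcom.com", "chebuesx.com", "andracia.net",
                 "aulbbiwslxpvvphxnjij.biz"}
# Assumption: a short illustrative set of dynamic-DNS provider zones. A real
# deployment uses a maintained list; these are not taken from the page.
DDNS_ZONES = {"no-ip.org", "no-ip.biz", "hopto.org", "zapto.org", "ddns.net",
              "dyndns.org", "duckdns.org", "3322.org"}


def domain_hits(host, zones):
    """Return the zone in `zones` that `host` equals or is a subdomain of, else None."""
    labels = host.lower().rstrip(".").split(".")
    # Check the longest suffix first: 'a.b.c' tries 'a.b.c', then 'b.c', then 'c'.
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None


def ip_hits(ip):
    """Networks from BLOCK_NETWORKS that contain `ip` (empty list if none or unparseable)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return []
    return [str(n) for n in BLOCK_NETWORKS if addr in n]


def classify(host, dest_ip):
    """Reasons to act on one connection: hard blocklist hits, plus DDNS for review."""
    reasons = [f"ip in blocklist {n}" for n in ip_hits(dest_ip)]
    zone = domain_hits(host, BLOCK_DOMAINS)
    if zone:
        reasons.append(f"domain on blocklist ({zone})")
    zone = domain_hits(host, DDNS_ZONES)
    # Only a hostname *under* a provider zone is interesting, not the provider itself.
    if zone and host.lower().rstrip(".") != zone:
        reasons.append(f"dynamic DNS hostname under {zone}: review")
    return reasons


def triage_log(text):
    """Parse constructed 'epoch client_ip dest_ip host method url' lines;
    return [(client_ip, host, reasons)] for every line with at least one reason."""
    flagged = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        _, client, dest_ip, host = fields[:4]
        reasons = classify(host, dest_ip)
        if reasons:
            flagged.append((client, host, reasons))
    return flagged


# Constructed sample log: one blocklisted host, one clean site, one DDNS
# hostname and one hijacked-looking subdomain inside a blocked /24.
SAMPLE_LOG = """\
1397206442.123 10.0.0.5 66.96.223.200 capcomcom.com GET http://capcomcom.com/index.php
1397206443.456 10.0.0.7 93.184.216.34 www.example.com GET http://www.example.com/
1397206444.789 10.0.0.9 203.0.113.10 update.payload-host.hopto.org GET http://update.payload-host.hopto.org/x.php
1397206445.001 10.0.0.5 62.75.140.237 sub.legit-site.de GET http://sub.legit-site.de/landing
"""

if __name__ == "__main__":
    for client, host, reasons in triage_log(SAMPLE_LOG):
        print(client, host, "; ".join(reasons))
```

Blocking whole /24s, as the posts suggest, catches legitimate neighbours such as the hijacked subdomains in the Intergenia range, so the IP hits are worth a second look before they become firewall rules; keeping the DDNS matches as "review" rather than "block" is the nuance the Arbor brief asks for.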
-
Fake Facebook Chat Verification used for SPAM
FYI...
Fake Facebook Chat Verification used for SPAM
- http://blog.trendmicro.com/trendlabs...used-for-spam/
Apr 17, 2014 - "Facebook users are once again the target of a malicious scheme—this time in the form of a notification about “Facebook Chat”. The spammed notification pretends to come from the “official Facebook Chat Team.” A notification shows users of a tagged comment to a Facebook Note containing a fake announcement about a Facebook Chat verification requirement.
> http://blog.trendmicro.com/trendlabs...chat-spam1.jpg
The spam tries to sound urgent to convince users to verify their accounts. To do so, they are first asked to go to a Pastebin URL and are instructed to copy a specific code. The set of instructions differ depending on what browser is being used (Google Chrome, Mozilla Firefox, or Internet Explorer). Users are then directed to a shortened link and are asked to press a particular function key (F12 for Google Chrome users, for example). After clicking on the console tab, users are supposed to paste the provided Javascript code into the address bar, then press Enter. This actually gives bad guys access to the user’s account, giving them the capability to auto-tag anyone in the users’ friends list and start the cycle of victimizing other account users... From the get-go, users should know that there is -no- product called “Facebook Chat,” let alone a team that sends out a supposed “advisory” to its users. The social media site’s official instant messaging feature is called Facebook Messenger, which is also the name of its stand-alone app. Earlier this month, Facebook announced* that Android and iOS users will be required to use this stand-alone app by eliminating the chat features of the traditional app versions of the site. Facebook has taken action against threats like this by releasing an official announcement. The official Facebook warning** notes, “This is a variant on the self-XSS attack. By pasting the code in the browser console, the user gives the code access to their account. The code usually posts the same scam on other people’s walls, and subscribes the user to pages controlled by the attacker – but it could do much worse things”..."
* http://mashable.com/2014/04/09/faceb...ing-messenger/
** https://www.facebook.com/selfxss
___
Zeus with your coffee ...
- https://www.securelist.com/en/blog/8...th_your_coffee
Apr 16, 2014 - "Cybercriminals often like to use a bogus letter to trick people into opening malicious attachments. There are two tricks that make this work: a message from a familiar name (a bank, social network, service provider or other organization that might interest the recipient) and an intriguing or alarming subject. An attack based on -fake- messages supposedly from coffee chain Starbucks combined the two.
> https://www.securelist.com/en/images..._starbucks.jpg
The detected distribution claimed... a recipient's friend made an order for him to celebrate a special occasion in a Starbucks coffee shop. That mysterious friend wished to remain anonymous, enjoying the intrigue he was creating, but was sending out invitations with details of a special menu, which is available in the attachment. In the end they wished the recipient an awesome evening. All the messages were sent out with high importance. Besides, the addresses, created on the Gmail and Yahoo! free mail services, changed from letter to letter and seemed to be randomly generated combinations like incubationg46@, mendaciousker0@ and so on. The attachment was a .exe file and the cybercriminals made no effort to mask it with an archive or double filename extension. They seemed to be sure a happy recipient would open the attachment without any suspicion. Kaspersky Lab detects the attached file as Rootkit.Win32.Zbot.sapu - a modification of one of the most notorious spyware families, Zbot (ZeuS). These applications are used by cybercriminals to steal confidential information. This version of Zbot is able to install a rootkit Rootkit.Win32.Necurs or Rootkit.Win64.Necurs, which disrupts the functioning of antiviruses or other security solutions."
___
Google patches Android icon Hijacking vuln
- http://www.securityweek.com/google-p...-vulnerability
Apr 15, 2014 - "Researchers at FireEye have identified a vulnerability affecting Google Android that could be exploited to lead users to malicious sites. According to FireEye*, the issue allows a malicious app with 'normal' protection level permissions to target legitimate icons on the Android home screen and modify them to point to attack sites or the malicious app itself without notifying the user. The issue has been acknowledged by Google, which has released a patch to its OEM partners..."
* http://www.fireeye.com/blog/technica...n_android.html
Apr 14, 2014
- https://atlas.arbor.net/briefs/index#-561580891
Elevated Severity
17 Apr 2014
:fear: :mad:
-
Fake Santander Bank SPAM – word doc malware
FYI...
Fake Santander Bank SPAM – word doc malware
- http://myonlinesecurity.co.uk/santan...d-doc-malware/
Apr 22, 2014 - "March Invoice pretending to be from Santander bank with a sender address of Sarah Gandolfo [sgand0395@ aol.com] is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email reads:
Please find attached your March invoice, we now have the facility to email invoices, but if you are not happy with this and would like a hard copy please let me know.
New bank details for BACS payments are Santander Bank Sort Code 271201 Account No 56024641.
Thanks very much
Sarah
22 April 2014: March invoice 5291.zip (10kb) Extracts to March invoice 8912.exe
Current Virus total detections: 1/51*. This March Invoice is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/4...5fbe/analysis/
___
Visa Card phish ...
- http://www.hoax-slayer.com/visa-card...ing-scam.shtml
Apr 22, 2014 - "... email purporting to be from Visa claims that the recipient's card access has been limited because 'unusual activity' has been detected... The email is -not- from Visa. It is a -scam- designed to steal the recipient's credit card data. A link in the email opens a -fake- website that asks for the user's credit card number, and other information pertaining to the recipient's Visa account...
Example:
Subject: Access to your Visa card has been blocked
Visa Card Status Notification
We are contacting you to Inform you that our Visa Card security department identified some unusual activity in your card. In accordance with Visa Card User Agreement and to ensure that your Visa Card has not been accessed from fraudulent locations, access to your Visa Card has been limited. Your Visa Card access will remain limited until this issue has been resolved please Click My Visa Card Activity to continue.
My Visa Card Activity
We take your online safety seriously, which is why we use state of the art notification systems to identify unusual activity and a challenge process to validate your details.
Thanks for banking with Visa.
Customer Finance Department
© Visa & Co, 2014.
Screenshot: http://www.hoax-slayer.com/images/vi...ing-scam-1.jpg
The message invites users to -click- a link to resolve the issue and restore access... the message is -not- from Visa and the claim that the account has been limited is a lie... the email is a typical phishing scam designed to extract financial information from users. The email's links open a -bogus- website created to closely mirror the look and feel of a genuine Visa webpage. The fake page will include a 'verification form' that requests users to supply their credit card number and other account details. After supplying the requested information, users will be taken to a second fake page that informs them that the problem has been resolved and restrictions have been removed... of course, there was no problem with the card to begin with..."
___
Fake 'Paintball Booking' SPAM ...
- http://blog.mxlab.eu/2014/04/22/pain...r-with-trojan/
Apr 22, 2014 - "... new trojan distribution campaign by email with the subject “Paintball Booking Confirmation”. This email is sent from the spoofed address “ipguk52@ paintballbookingoffice .com” <ipguk@ paintballbookingoffice .com> and has the following body:
Dear client,
Many thanks for your booking on Saturday 19/04/2014 at our Reading Paintball centre Mapledurham, Reading. Arrival time is 09:15AM prompt.
Please view the attached booking confirmation, map and important game day documents prior to attending.
Kind regards,
Leigh Anderson
Event Co-ordinator...
The attached ZIP file has the name Booking Confirmation 2826-66935.zip, once extracted a folder Booking Confirmation 0414-28921 is created which contains the 14 kB large file Booking Confirmation 0414-28921.exe. The trojan is known as Win32:Dropper-gen [Drp], W32/Trojan.ZLGD-2681, Trojan:W32/Zbot.BBLB or HEUR/Malware.QVM07.Gen. At the time of writing, 4/51 AV engines did detect the trojan at Virus Total. Use the Virus Total permalink* and Malwr permalink** for more detailed information.
SHA256: 4c69e3b6d2f7dbaf78eacfd60f2de685da9d942fdf9c1ff7ae4b88be17075fbe "
* https://www.virustotal.com/en/file/4...5fbe/analysis/
** https://malwr.com/analysis/YmI4MmFlN...U1ODMyMmMyZGQ/
:mad: :fear:
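The CDS, UKMail, Santander and Paintball reports above (and the Starbucks and CashPro ones before them) all describe the same attachment trick: a .exe or .scr carrying a PDF icon, usually inside a zip, sent from an address that does not belong to the claimed company. The following is an added example, not code from any of the quoted blogs: it parses a message, compares From with Reply-To and with a free-webmail list (the CCAHC scam's tell), and inspects each attachment, recursing into zips, for executable extensions, "invoice.pdf.exe" double extensions and the PE "MZ" magic regardless of what the extension claims. The sample message is constructed, modelled on the Santander spam, with a 64-byte MZ stub standing in for the executable; the free-webmail domain list is an assumption.

```python
"""Added example (not from myonlinesecurity.co.uk, mxlab or dynamoo): triage
an e-mail for the tricks the posts above describe - an executable dressed up
as an invoice or PDF, a zip wrapping it, and a sender that does not tie back
to the organisation the mail claims to come from."""
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".txt"}
# Assumption: illustrative free-webmail domains, not a list taken from the page.
FREEMAIL_DOMAINS = {"aol.com", "live.com", "gmail.com", "yahoo.com", "hotmail.com"}


def _domain(header_value):
    """'Sarah <x@aol.com>' -> 'aol.com' (empty string if there is no address)."""
    addr = parseaddr(str(header_value or ""))[1]
    return addr.rpartition("@")[2].lower()


def check_name(filename):
    """Name-based checks: executable extension, and 'doc.pdf.exe' double extensions."""
    findings = []
    parts = filename.lower().rsplit("/", 1)[-1].split(".")
    if len(parts) < 2:
        return findings
    ext = "." + parts[-1]
    if ext in EXECUTABLE_EXTS:
        findings.append(f"executable extension {ext}")
        if len(parts) >= 3 and "." + parts[-2] in DOCUMENT_EXTS:
            findings.append(f"double extension hides .{parts[-2]} decoy")
    return findings


def scan(filename, data):
    """Check one file by name and content; recurse into zip archives."""
    findings = check_name(filename)
    ext = "." + filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    # The PE 'MZ' magic is the real tell: the PDF icon is only a resource inside
    # the file, and Explorer hiding known extensions is what makes the name lie.
    if data[:2] == b"MZ" and ext not in EXECUTABLE_EXTS:
        findings.append("PE executable with non-executable extension")
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                findings += [f"{info.filename}: {f}" for f in scan(info.filename, zf.read(info))]
    return findings


def triage(raw_message):
    """Return a list of findings for a raw RFC 822 message given as bytes."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    findings = []
    from_dom, reply_dom = _domain(msg["From"]), _domain(msg["Reply-To"])
    if from_dom in FREEMAIL_DOMAINS:
        findings.append(f"sender uses free webmail domain {from_dom}")
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        findings += [f"{name}: {f}" for f in scan(name, data)]
    return findings


def build_sample():
    """Constructed message modelled on the Santander-themed spam: AOL sender and a
    zip whose member is an .exe with an MZ header (stand-in bytes, not malware)."""
    msg = EmailMessage()
    msg["From"] = "Sarah Gandolfo <sgand0395@aol.com>"
    msg["To"] = "accounts@example.com"
    msg["Subject"] = "March Invoice"
    msg.set_content("Please find attached your March invoice.")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("March invoice 8912.exe", b"MZ" + b"\x00" * 62)
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="March invoice 5291.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in triage(build_sample()):
        print(finding)
```

The icon cannot be trusted because it is just a resource inside the PE, so a gateway or triage job should act on the MZ check and the extension checks, not on what the file looks like. On the desktop side, the "show known file extensions" setting these posts keep recommending is the HideFileExt value under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced; it needs to be 0 for "March invoice 8912.exe" to show its real extension.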
-
Massive cyber wire fraud attacks on US Companies
FYI...
Massive cyber wire fraud attacks on US Companies
- https://www.trustedsec.com/april-201...-us-companies/
April 25, 2014 - "... a number of US companies have been impacted, and unfortunately, a number of companies that are still unaware they were victims of this attack. A major offensive is currently happening on a number of United States based companies, mostly involving those that have international components. TrustedSec notified law enforcement that multiple companies are affected, and these attacks are aimed at extracting money from the companies. An ongoing and active case is in progress working with the companies affected and investigating the incidents... high success rate. They appear to have different escalation models and ways to force organizations to perform the transfer without triggering suspicion. They use a combination of social-engineering (both email and phone), compromising trusted partners/third parties, and spoofing email addresses in order to accomplish their goals...
What you can do:
1. Notify your financial and accounts payable departments of these attacks and the techniques.
2. Verify all transactions with your third party partners and vendors, especially when refunding money (phone calls directly to a known phone number).
3. Provide enhanced education and awareness of these types of attacks.
4. If you have fallen victim to this attack, notify your local FBI office immediately...
Measures should be taken right -now- in order to educate your finance and accounts payable departments as well as an emphasis on the controls in place for your third party partners and vendors."
(More detail at the trustedsec URL above.)
-
Something evil on 146.185.213.69 ...
FYI...
Something evil on 146.185.213.69 ...
- http://blog.dynamoo.com/2014/05/some...21369-and.html
1 May 2014 - "146.185.213.69 caught my eye, hosting a number of "ads." subdomains, many of which are tagged by Google as being malicious... you can probably assume that all those domains are malicious (even without the ads. prefix)... The block is owned by RN Data SIA of Latvia and suballocated to somebody in St Petersburg by the name of Mikhail Evgenyevich Valyalov. RN Data are one of those hosts that have hosted malware in the past*, and I tend to lean towards blocking them... frankly this entire /24 looks like it is being used for evil purposes at the moment and I recommend that you block it..." [146.185.213.*]
* http://blog.dynamoo.com/2011/10/some...-to-block.html
(More detail at the dynamoo URL above.)
___
Fake Malwarebytes 2.0 ...
- http://blog.malwarebytes.org/securit...re-2-0-abound/
May 1, 2014 - "... we already started seeing fake executable files purporting to be free versions of our product being hosted on unfamiliar sites.
A small sample of rogue files we found in the wild:
> http://blog.malwarebytes.org/wp-cont...04/samples.png
One of the many sites that host MBAM PUPs:
> http://blog.malwarebytes.org/wp-cont.../fake-site.png
... we found that these files have common behaviours: they all enable themselves to run whenever Windows is restarted or the system is turned on and they’re capable of accessing private information that browsers store whenever we go online, such as data pertaining to cookies, browsing history, and list of restricted sites... Several of these samples also create entries to IE’s restricted sites zone, consequently blocking users from accessing specific domains...
Sample of MBAM Installation GUI (taken from malwr.com):
> http://blog.malwarebytes.org/wp-cont...MWB-sample.png
For anyone interested in trying out MBAM 2.0, the wisest thing to do is still to go to our official download site*..."
* https://www.malwarebytes.org/downloads/
-
Android Police-Locker ransomware, BoA SPAM ...
FYI...
Android "Police Locker" ransomware ...
- http://net-security.org/malware_news.php?id=2759
5.05.2014 - "Android users might soon become victims of "Police Locker" ransomware, if they haven't already, warns the researcher behind the Malware don't need Coffee blog*. "The 'Reveton team' has diversified its locking activity," he informs us. "The advert is old (2014-02-18) but i decided to write about it today as I found a Traffic Distribution System (TDS) using almost all features proposed by this affiliate including the Android locker." Other options for malware delivery include system lockers, fake AV, fake codecs, and Browlock ransomware. The researcher discovered a threat actor that uses a TDS that employs almost all features: if you land on a malicious site using Internet Explorer, a variant of the Winlock ransomware is served. If you land with another browser on Windows, Linux or Mac, you'll get Browlock. Finally, if you land on it with Android, you will be redirected to a fake adult website that will automatically push the download of a malicious APK file masquerading as a video downloader app (and using the icon of the legitimate BaDoink Video Downloader). The good news is that the user must approve the installation... The 'fine' US users are asked to pay in order to get their phones unlocked is $300, payable via Money Pak... The malware is detected... as Trojan Koler**, and the researcher has already spotted another threat actor delivering it. In this case, the malicious APK masquerades as the popular BSPlayer video player for Android."
* http://malware.dontneedcoffee.com/20...-for-your.html
** https://www.virustotal.com/en/file/e...is/1399286001/
Detection ratio: 4/52
___
Bank of America CashPro Spam
- http://threattrack.tumblr.com/post/8...a-cashpro-spam
May 5, 2014 - "Subjects Seen:
FW: Important account documents
Typical e-mail details:
Please scan attached document and fax it to +1 (888) 589-1001.
Please note that the Terms and Conditions available below are the Bank’s most recently issued versions. Please bear in mind that earlier versions of these Terms and Conditions may apply to your products, depending on when you signed up to the relevant product or when you were last advised of any changes to your Terms and Conditions. If you have any questions regarding which version of the Terms and Conditions apply to your products, please contact your Relationship Manager.
Yours faithfully
Vince Blue
Malicious File Name and MD5:
Account_Documents.zip (40E7BB684935A7B86E5D8E480974F691)
Account Documents.scr (6E40CD3BB6F1F531CDCE113A8C684B08)
Screenshot: https://gs1.wac.edgecastcdn.net/8019...gvd1r6pupn.png
Tagged: Bank of America, Upatre
___
Encrypting Ransomware ...
- http://www.webroot.com/blog/2014/05/...ng-ransomware/
May 5, 2014 - "... big change in the encrypting ransomware family... For those that aren’t aware of what encrypting ransomware is, it's a cryptovirus that encrypts all your data from local hard drives, network shared drives, removable hard drives and USB. The encryption is done using an RSA-2048 asymmetric public key which makes decryption without the key impossible. Paying the ransom will net you the key which in turn leads to getting your data back.
Cryptolocker:
> https://www.webroot.com/blog/wp-cont...ptolocker5.png
(Other samples at the first webroot URL above.)
In its first evolution of what we know as “Cryptolocker” the encryption key was actually stored on the computer and the victim, with enough effort, could retrieve said key. Then you could use tools submitted on forums to put in your key and decrypt all your data without paying the ransom. In future improvements malware authors made sure that the only place the key was stored was on a secure server so that you were forced to pay. However, more often than not the malicious dropper didn’t delete the VSS (Volume Shadow Service) and victims still had the option to manually restore files from a previous date using programs like Shadow Explorer (OS drive only). For those that don’t know what the VSS is, it’s a restorative feature that is included in XP SP2 and later versions of Windows. Essentially it is a technology that allows taking manual or automatic backup copies of data and is related to System Restore. In newer variants of Cryptolocker the VSS is almost always deleted at deployment. Malware authors also give the victim a special extended period of time to get their files if they waited past the deadline, but the price usually doubles or triples.
CryptoDefense:
> https://www.webroot.com/blog/wp-cont...ptolocker7.png
(Other samples at the first webroot URL above.)
In one of the more recent variants of encryption ransomware dubbed “CryptoDefense” it no longer has a graphical user interface (GUI). Instead the malware will just open a webpage after encryption and leave a text file in every directory that was encrypted. The instructions to get the key to decrypt your files have you install the anonymous Tor or other layered encryption browsers so you can pay them directly and securely. This enables malware authors to circumvent a portion of the Zeus fraud, avoid the need for money mules (middlemen) and increase their percentage of profit.
DirCrypt:
> https://www.webroot.com/blog/wp-cont...5/dircrypt.png
In this most recent change in encrypting ransomware, instead of going after various file extensions, all files are encrypted into RTF documents with a *.enc.rtf extension. This one really blindsides the victim as you’ll get no pop-up GUI or webpage once encryption completes; you have to open one of your documents to find that it was encrypted. All documents will have content similar to what is shown. One big improvement that is quite nasty for victims is that the encryption is no longer a static one-time deal. This variant will actively seek out and encrypt any new or modified files written to drives. We noticed while testing a collected sample that when we attempted to save screenshots, it immediately encrypted them. We expect future encrypting ransomware variants to include these tactics as the evolution continues..."
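The Webroot post quoted above notes that newer Cryptolocker variants delete the Volume Shadow copies at deployment, which is what removes the Shadow Explorer recovery route. The Python below is an added example, not code from Webroot or from the post, showing the detection a practitioner can run over process-creation telemetry: it flags the two standard command-line ways of wiping shadow copies (`vssadmin delete shadows` and `wmic shadowcopy delete`, both real commands) and notes when the parent process lives outside C:\Windows, which is the shape a mail-delivered dropper takes. The pipe-delimited record layout and the log lines are constructed for this example and are not any vendor's schema; a harmless `vssadmin list shadows` record is included to show that listing does not fire.

```python
import re
from dataclasses import dataclass

# Constructed process-creation records for this example, in a simple
# "timestamp|host|parent_image|image|command_line" layout (an assumption,
# not any vendor's log schema). Lines two and three are the shape of a
# shadow-copy wipe launched from a mail-delivered .scr dropper.
SAMPLE_LOG = """\
2014-05-05T10:01:12Z|ws17|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\notepad.exe|notepad.exe report.txt
2014-05-05T10:02:40Z|ws17|C:\\Users\\bob\\AppData\\Local\\Temp\\Invoice.scr|C:\\Windows\\System32\\cmd.exe|cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
2014-05-05T10:02:41Z|ws17|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\wbem\\WMIC.exe|wmic shadowcopy delete
2014-05-05T10:05:03Z|ws17|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\vssadmin.exe|vssadmin list shadows
2014-05-05T10:07:55Z|ws17|C:\\Windows\\System32\\services.exe|C:\\Windows\\System32\\svchost.exe|svchost.exe -k netsvcs
"""

# The two command-line routes to deleting Volume Shadow copies. Matching is
# case-insensitive because both tools accept any casing.
SHADOW_WIPE_PATTERNS = [
    (re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I), "vssadmin delete shadows"),
    (re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I), "wmic shadowcopy delete"),
]


@dataclass
class Finding:
    timestamp: str
    host: str
    technique: str
    parent_image: str
    command_line: str
    parent_outside_windows: bool


def parent_is_outside_windows(parent_image: str) -> bool:
    """True when the launching process does not live under C:\\Windows.

    An administrator deleting shadow copies comes from explorer/cmd/powershell
    under C:\\Windows; a parent in a user-writable path (Temp, Downloads, ...)
    is what a mail-delivered dropper looks like.
    """
    return not parent_image.lower().startswith("c:\\windows\\")


def detect_shadow_copy_deletion(log_text: str) -> list:
    """Return one Finding per record whose command line wipes shadow copies."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        fields = line.split("|", 4)
        if len(fields) != 5:
            continue  # malformed record: skip it rather than abort the scan
        ts, host, parent, _image, cmdline = fields
        for pattern, technique in SHADOW_WIPE_PATTERNS:
            if pattern.search(cmdline):
                findings.append(Finding(ts, host, technique, parent, cmdline,
                                        parent_is_outside_windows(parent)))
                break
    return findings


if __name__ == "__main__":
    for f in detect_shadow_copy_deletion(SAMPLE_LOG):
        note = " [parent outside C:\\Windows]" if f.parent_outside_windows else ""
        print(f"{f.timestamp} {f.host} {f.technique}{note}: {f.command_line}")
```

Run against the constructed log it reports the `vssadmin` wipe (with the Temp-folder parent flagged) and the `wmic` wipe, and nothing for the listing or the svchost record. Matching on the command line rather than the image name is deliberate: the wipe is usually spawned through `cmd.exe /c`, so the image column alone would show only cmd.exe.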
-
Hacked WordPress site, BT Digital File SPAM, Fake MMS message, Payment error SPAM
FYI...
Hacked WordPress site - ccccooa .org
- http://blog.dynamoo.com/2014/05/cccc...ress-site.html
6 May 2014 - "ccccooa .org ("Cumberland County Council on Older Adults") is another hacked WordPress site being used to serve pharma spam. I got -82- of these all at the same time..
From: Linkedln Email Confirmation [emailing@ compumundo .info]
Reply-To: emailing@ compumundo .info
To: topsailes@ gmail .com
Date: 6 May 2014 13:41
Subject: Please confirm your email address
Linkedln
Click here to confirm your email address.
You will be asked to log into your account to confirm this email address. Be sure to log in with your current primary email address.
We ask you to confirm your email address before sending invitations or requesting contacts at Linkedln. You can have several email addresses, but one will need to be confirmed at all times to use the system.
If you have more than one email address, you can choose one to be your primary email address. This is the address you will log in with, and the address to which we will deliver all email messages regarding invitations and requests, and other system mail.
Thank you for using Linkedln!
--The Linkedln Team
This email was intended for [redacted]. Learn why we included this...
One example landing URL is [donotclick]www.ccccooa .org/buyphentermine/ which leads to a sort of intermediary landing page..
> https://3.bp.blogspot.com/-yHYRE10WZ.../fake-rx-1.png
This in turn goes to a -redirect- at [donotclick]stylespanel .com/h/go/phentermine.php and then to [donotclick]www.hq-pharmacy-online .com/search.html?q=phentermine which is a -fake- pharmacy site hosted on 95.211.228.240 (LeaseWeb, Netherlands) which is registered to a probably fake address in Argentina. Avoid.. oh, and if you run a WordPress site please make sure the software is up-to-date."
___
BT Digital File - SPAM
- http://blog.dynamoo.com/2014/05/impo...file-spam.html
6 May 2014 - "This -fake- BT spam comes with a malicious attachment:
Date: Tue, 6 May 2014 15:18:15 +0700 [04:18:15 EDT]
From: Santiago Biggs [Santiago.Biggs@ bt .com]
Subject: Important - BT Digital File
BT Digital Vault BT
Dear Customer,
This email contains your BT Digital File. Please scan attached file and reply to this email.
If you have any questions or forgotten your password, please visit the "Frequently Asked Questions" at www.bt .com/personal/digitalvault/help or call the helpdesk on 0870 240 1116* between 8am and midnight.
Thank you for choosing BT Digital Vault.
Kind regards,
BT Digital Vault Team ...
Please note that this is an automatically generated email for your information only. We are sorry, but we can not respond to a "Reply" to this address...
Screenshot: https://2.bp.blogspot.com/-3lQPEJML0...Q/s1600/bt.png
Attached to the message is an archive file BT_Digital_Vault_File.zip which in turn contains a malicious executable BT_Digital_File.scr which has a VirusTotal detection rate of 11/52*. Automated analysis tools... show that this malware downloads additional components from the following locations:
[donotclick]realtech-international .com/css/0605UKdp.rar
[donotclick]biz-ventures .net/scripts/0605UKdp.rar
Blocking those URLs or monitoring for them may help to prevent further infection."
* https://www.virustotal.com/en/file/8...is/1399371324/
___
Fake MMS message – jpg malware
- http://myonlinesecurity.co.uk/new-mm...e-jpg-malware/
6 May 2014 - "... message pretending to come from 01552521415@ mmsreply.t-mobile .co .uk [NBdnO_0K0Cb8VYiYEpV8ozYauXw7swqpIiIs6nK3@ mmsreply.t-mobile .co .uk] is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...
Email reads:
our message:
Guess what I forgot *handoverface*, see attached pic
Sending a reply:
You can reply by email to this mobile number within the next 7 days.
The total message size should not exceed 300kb.
You can only reply once, and it must be within 7 days of receiving this message...
Today's Date: PIC000444182547.zip (53 kb) Extracts to PIC000983339211.jpeg.exe
Current Virus total detections: 6/52*
... another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper jpg file instead of the .exe file it really is... look carefully at the unzipped file. If it says .EXE then it is a problem and should not be run or opened."
* https://www.virustotal.com/en/file/b...47fd/analysis/
___
Fake Payment error SPAM – malware
- http://myonlinesecurity.co.uk/paymen...92410-malware/
6 May 2014 - "Payment error #25393592410 pretending to come from Orville Creasy [payment@ rachelwarne .co .uk] is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers...
Email looks like :
This e-mail has been sent to you to inform you that we were unable to process your most recent payment #570475658997219860277606
Please check attached file for more detailed information on this transaction.
Pay To Account Number: 8843867223806343
Date: 2014-05-05 15:19:19 UTC.
Transaction ID: 25393592410
Amount Due: £ 1060.45
Orville Creasy,
+07957419543
The number on the email subject is different in every email as are the transaction numbers, the pay to account number, the amount due and alleged sender and his/her phone number. The email senders are all different and the only thing in common is that they all pretend to be sent from payment @ some random named but real company. The companies have not been hacked. They just use the name of a company from a long list... unless you have “show known file extensions enabled“, will look like a file with an icon of a £ sign pretending to be a specialised invoice instead of the .exe file it really is..."
-
Fake invoice, Fake Lloyds Banking BACs SPAM, Google+ phish
FYI...
Fake invoice file attachment SPAM
- http://blog.dynamoo.com/2014/05/this...oice-file.html
7 May 2014 - "Another case of a very terse spam with a malicious email attachment:
Date: Wed, 7 May 2014 14:06:46 +0700 [03:06:46 EDT]
From: Accounts Dept [menopausaln54@ jaygee .co .uk]
Subject: Email invoice: 1888443
This email contains an invoice file attachment
... The attachment is emailinvoice.069911.zip which in turn contains a malicious executable emailinvoice.899191.exe which has a VirusTotal detection rate of 5/52*. Automated analysis tools of this binary... show that it downloads a further component... This "111.exe" binary has an even lower VirusTotal detection rate of 3/51**. Automated analysis of this... shows the malware installs itself deeply into the target system. There is a further download of a malicious binary from files.karamellasa .gr/tvcs_russia/2.exe which has a detection rate of 5/50*** and identifies as a variant of Zeus. This creates fake svchost.exe and csrss.exe executables on the target system..."
(More detail at the dynamoo URL above.)
* https://www.virustotal.com/en-gb/fil...is/1399448792/
** https://www.virustotal.com/en-gb/fil...is/1399450008/
*** https://www.virustotal.com/en-gb/fil...is/1399450683/
___
Fake Lloyds Banking BACs – fake PDF malware
- http://myonlinesecurity.co.uk/lloyds...e-pdf-malware/
7 May 2014 - "Lloyds Commercial Banking Important BACs pretending to be from Lloyds Commercial Banking [Ora.Hutchison@ lloydsbank .com] is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers... Email looks like:
Important account documents
Reference: C96 Case number: 0746481
Please review attached BACs documents and fax it to +44 (0) 845 600 9454.
Please note that the Terms and Conditions available below are the Bank’s most recently issued versions. Please bear in mind that earlier versions of these Terms and Conditions may apply to your products, depending on when you signed up to the relevant product or when you were last advised of any changes to your Terms and Conditions. If you have any questions regarding which version of the Terms and Conditions apply to your products, please contact your Relationship Manager.
Yours faithfully
Adrienne Mcdermott Senior Manager, Lloyds Commercial Banking ...
Screenshot: http://myonlinesecurity.co.uk/wp-con...rtant-BACs.png
7 May 2014 : LloydsCase-8948231.zip (11 kb) Extracts to LloydsCase-07052014.scr
Current Virus total detections: 3/51*
... another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is... make sure you have “show known file extensions enabled“, And then look carefully at the unzipped file. If it says .EXE then it is a problem and should not be run or opened."
* https://www.virustotal.com/en/file/1...56c3/analysis/
___
Fake "TNT UK Limited" SPAM
- http://blog.dynamoo.com/2014/05/tnt-...ited-spam.html
7 May 2014 - "This -fake- TNT spam has a malicious attachment:
Date: Wed, 7 May 2014 01:50:00 -0600 [03:50:00 EDT]
From: TNT COURIER SERVICE [tracking@tnt.co.uk]
Subject: TNT UK Limited - Package tracking 236406937389
TNT COURIER SERVICE (TCS)
Customer/Delivery Services Department
Central Pk Est/Mosley Rd, Trafford Park
Manchester, M17 1TT UK.
DETAILS OF PACKAGE
Reg order no: GB5766211
Your package have been picked up and is ready for dispatch. Please print attached form
and pick up at the nearest office.
Connote # : 236406937389
Service Type : Export Non Documents - Intl
Shipped on : 07 Apr 13 00:00
Order No : 5766211
Status : Driver's Return Description : Wrong Postcode ...
The attachment is GB5766211.zip which contains the malicious executable GB07052014.scr (note the date is encoded into the filename). This has a VirusTotal detection rate of 7/52*. Automated analysis tools... show a UDP connection to wavetmc .com and a further binary download from demo.providenthousing .com/wp-content/uploads/2014/05/b01.exe . This second executable has a VirusTotal detection rate of 20/51**. The Malwr report and Anubis report both show attempted connection to various mail servers (e.g. Gmail and Hotmail). Furthermore the Anubis report shows a data transfer to 83.172.8.59 (Tomsk Telecommunication Company, Russia).
Recommended blocklist:
83.172.8.59
wavetmc .com
demo.providenthousing .com"
* https://www.virustotal.com/en-gb/fil...is/1399452001/
** https://www.virustotal.com/en-gb/fil...is/1399452578/
___
More PUPs - using Instagram as Lure
- http://blog.malwarebytes.org/securit...agram-as-lure/
May 7, 2014 - "... In the case of Instagram, what we’ve seen out there could pose greater risk than, say, your average phishing site. Doing a Google search surely yields sites where one can download several programs involving Instagram. Some of these can be classed as either “image viewers” or “image and video downloaders” for publicly-accessible accounts. Most of the files I sampled below belong to the latter:
> http://blog.malwarebytes.org/wp-cont.../instagram.png
Since Instagram can be visited via Web browsers, we can easily say that these downloads target any Windows computer user who just wants to keep copies of photos and videos that are likely not their own. We ran these potentially unwanted programs (PUPs) on VirusTotal and got the following...
1) https://www.virustotal.com/en/file/d...is/1398865443/
2) https://www.virustotal.com/en/file/d...is/1398865443/
3) https://www.virustotal.com/en/file/d...is/1398864970/
(More listed at the malwarebytes URL at the top.)
... Internet slowdown, unwanted redirection to sites and possible installation of other programs without the user’s consent are just some of the obvious signs users may experience once these programs are installed. As we always advise our blog readers, please avoid downloading such programs onto your system as doing so will increase its security risks..."
___
Fake Google+ Survey - Phish ...
- http://www.hoax-slayer.com/fraudulen...ing-scam.shtml
May 7, 2014 - "Email purporting to be from the 'All Domain Mail Team' at Google+ asks recipients to participate in a 'spam and fraudulent verification survey'. The email is -not- from Google+ or anybody else at Google. It is a phishing scam designed to trick users into giving their Google account login details to criminals...
Screenshot: http://www.hoax-slayer.com/images/fr...ing-scam-1.jpg
... claims to be from the 'All Domain Mail Team' at Google's social network Google+. It claims that the team is running a 'spam and fraudulent verification survey' and asks users to click a link to participate. It warns that if the verification survey is 'not gotten' within 24 hours, the team will assume that the recipient is a 'fraulent user' and his or her email account will be shut down... These login details will be collected by criminals and used to hijack the Google accounts belonging to the victims. The one set of login credentials can be used to access many different Google services. Thus, the criminals may be able to steal private information stored in various Google applications as well as use Gmail and Google+ accounts to launch further spam and scam campaigns..."
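Several of the posts above end with a recommended blocklist: a whole /24 (146.185.213.0/24), single hosts (83.172.8.59) and domains (wavetmc .com, demo.providenthousing .com), written defanged with spaces around the dots. The Python below is an added example, not code from dynamoo or from the posts, that turns such a list into something proxy logs or a URL can be checked against: it refangs the indicators, stores CIDR and host entries as networks and domain entries as names, and matches a domain entry against any of its subdomains as well (the point made in the 146.185.213.69 post that the "ads." prefix does not matter). The indicator list is copied from the posts; the URLs checked in the usage block are constructed.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators exactly as written (defanged) in the posts above.
RAW_INDICATORS = [
    "146.185.213.0/24",                              # RN Data SIA block, dynamoo 1 May
    "83.172.8.59",                                   # TNT spam: data transfer destination
    "wavetmc .com",                                  # TNT spam: UDP connection
    "demo.providenthousing .com",                    # TNT spam: second-stage download
    "[donotclick]distrioficinas .com/css/b01.exe",   # HMRC spam: b01.exe download
]

CIDR_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}/\d{1,2}$")


def refang(indicator: str) -> str:
    """Undo the blog's defanging: drop [donotclick] and the spaces around dots."""
    s = indicator.replace("[donotclick]", "").strip()
    return s.replace(" .", ".").replace(". ", ".")


def host_of(value: str) -> str:
    """Host part of a URL, bare hostname or IP: lower-cased, no port, no trailing dot."""
    v = refang(value)
    if "://" not in v:
        v = "http://" + v  # urlsplit only recognises a netloc after a scheme
    return (urlsplit(v).hostname or "").lower().rstrip(".")


class Blocklist:
    def __init__(self, indicators):
        self.networks = []
        self.domains = set()
        for ind in indicators:
            s = refang(ind)
            if CIDR_RE.match(s):
                # strict=False also accepts a host address with a mask, e.g. x.x.x.69/24
                self.networks.append(ipaddress.ip_network(s, strict=False))
                continue
            h = host_of(s)
            try:
                self.networks.append(ipaddress.ip_network(h))  # single IP becomes a /32
            except ValueError:
                if h:
                    self.domains.add(h)

    def match(self, value: str):
        """Return the indicator that matches value (URL, host or IP), else None."""
        h = host_of(value)
        try:
            ip = ipaddress.ip_address(h)
        except ValueError:
            ip = None
        if ip is not None:
            for net in self.networks:
                if ip in net:
                    return str(net)
            return None
        # Walk up the labels so ads.wavetmc.com is caught by an entry for
        # wavetmc.com; the bare TLD is never tested on its own.
        labels = h.split(".")
        for i in range(len(labels) - 1):
            candidate = ".".join(labels[i:])
            if candidate in self.domains:
                return candidate
        return None


if __name__ == "__main__":
    bl = Blocklist(RAW_INDICATORS)
    for url in ["http://146.185.213.69/ads/", "https://ads.wavetmc.com/x", "http://www.example.org/"]:
        print(url, "->", bl.match(url))
```

An IP entry is returned as the network it was stored as (a bare host becomes its /32), so the caller can see which list entry fired. Hostnames are matched as names only; resolving them to addresses first is a separate decision, since the same hosting block may also serve legitimate sites, as the dynamoo posts themselves caution.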
-
Infected malformed PDF, Ransomware on Android ...
FYI...
Infected malformed PDF attachments to emails
- http://myonlinesecurity.co.uk/infect...hments-emails/
8 May 2014 - "We are now seeing lots of infected -malformed- PDF attachments to emails. The bad guys are changing the method of malware delivery with these emails and attaching a genuine PDF file to the email instead of a zip. These PDFs are -malformed- and contain a script virus that will infect you if you open the PDF, and very likely when you preview it in your browser. They are using several well known and hopefully fully fixed exploits in older versions of Adobe Reader. They attach what appears to be a genuine PDF file, that is malformed and has a script virus embedded. It depends on which version of Adobe Reader you use, but older ones are definitely vulnerable to this exploit... It is vital that you make sure Adobe PDF Reader is updated to the latest version 11.0.6* and if you use any alternative PDF reader then make sure that is fully updated. The majority of PDF exploits will affect ALL PDF readers, not just Adobe... these malformed PDFs do -not- preview and appear as plain blank pages in Windows 7 and Windows 8. The other thing that will help to avoid being unwittingly infected by these is to set Adobe Reader or any other PDF reader to open PDFs in the program and NOT in your browser... it is much safer to view them in the application itself, which should be sandboxed to prevent exploits slipping out..."
* https://helpx.adobe.com/security/pro...apsb14-01.html
___
Koler Trojan or other ransomware on Android
- http://blog.malwarebytes.org/mobile-...re-on-android/
May 7, 2014 - "A new Android ransomware dubbed Koler has been spreading as a fake adult themed streaming service ‘BaDoink’ app. Uncovered by security researcher Kafeine*, Koler uses familiar “Police Locker” tactics to get victims to pay a ransom for unlocking their PC or device. Traced back to the team that brought us the Reveton ransomware, Koler uses FBI and other police agency symbols to look legitimate, as well as carefully crafted text.
> http://cdn.blog.malwarebytes.org/wp-.../akoler04b.jpg
While your files and other data are not encrypted by Koler.a, the annoying browser page takes over as the active window. Koler is delivered via site redirection; once installed and running, the device is taken over by the ransom browser page, and pressing the Home button or attempting to dismiss the page works only for a very short time. The page will reappear when you attempt to open another app or within a few seconds. This causes removal problems because you don’t have enough time to uninstall through normal methods. Removal: The good news is you don’t have to pay the ransom to remove it. First off, Malwarebytes Anti-Malware Mobile** detects it as Android/Trojan.Koler.a and will prevent and remove this Trojan on your Android device. However, at times there are race conditions where Koler’s page is up and has control of the screen, or you might not have a security tool installed... Safe Mode: The quickest manual solution would be to use Android’s Safe Mode; similar to Windows, Safe Mode is a diagnostic environment where third-party apps won’t load and you can remove..."
(See the Complete procedure at the malwarebytes URL above.)
* http://malware.dontneedcoffee.com/20...-for-your.html
** https://www.malwarebytes.org/mobile/
Related: http://www.webroot.com/blog/2014/05/...ed-ransomware/
May 7, 2014
- http://blog.kaspersky.com/new-ransomware-for-android/
May 8, 2014
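The myonlinesecurity post on malformed PDFs above says the attachments carry an embedded script, target older Adobe Reader versions, and show as blank pages in the preview. The Python below is an added example, not from that post, of the triage a practitioner runs on such an attachment before opening it in anything: it looks for the PDF dictionary keys that carry automatic actions and active content (/OpenAction, /AA, /JavaScript, /JS, /Launch, /EmbeddedFile, /RichMedia, /ObjStm) after expanding the #xx hex escapes that PDF allows in names (so /J#61vaScript is still found), and it tolerates junk before the %PDF- header the way readers do while recording that offset. The two PDFs are constructed for the example; the key weights are my assumption, and the result is a triage score, not a verdict.

```python
import re

# PDF dictionary keys that trigger or carry active content, with a triage
# weight (the weights are this example's assumption, not a standard).
RISKY_KEYS = {
    b"/OpenAction": 2,    # action run as soon as the document opens
    b"/AA": 2,            # additional actions bound to page/field events
    b"/JavaScript": 3,
    b"/JS": 3,
    b"/Launch": 3,        # runs an external program
    b"/EmbeddedFile": 2,  # a file carried inside the PDF
    b"/RichMedia": 1,     # Flash/media content
    b"/ObjStm": 1,        # compressed object streams can hide the keys above
}

# A key counts only when followed by whitespace, a delimiter or end of data,
# so /JS does not fire on an unrelated name such as /JSX.
_AFTER_NAME = rb"(?![^\s/\[\]<>(){}%])"

# Constructed samples: a minimal benign PDF and a run-on-open JavaScript one
# whose /JavaScript name is hex-escaped and whose header sits behind junk.
BENIGN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
SUSPICIOUS_PDF = (
    b"garbage-prefix\n%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
    b"4 0 obj << /S /J#61vaScript /JS (app.alert(1)) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)


def normalize_pdf_names(data: bytes) -> bytes:
    """Expand #xx hex escapes in names so /J#61vaScript reads as /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def triage_pdf(data: bytes) -> dict:
    """Score raw PDF bytes for active-content keys. Triage only, not a verdict."""
    # Readers (Adobe's included) accept the header anywhere in the first
    # 1024 bytes, so leading junk has to be tolerated here too; the offset is
    # kept because a non-zero value is itself a warning sign.
    off = data.find(b"%PDF-", 0, 1024 + len(b"%PDF-"))
    if off < 0:
        return {"is_pdf": False, "header_offset": -1, "score": 0,
                "keys": {}, "auto_run_script": False}
    norm = normalize_pdf_names(data[off:])
    keys, score = {}, 0
    for key, weight in RISKY_KEYS.items():
        n = len(re.findall(re.escape(key) + _AFTER_NAME, norm))
        if n:
            keys[key.decode()] = n
            score += weight * n
    found = set(keys)
    # An open/event action together with script is the classic run-on-open shape.
    auto = bool({"/OpenAction", "/AA"} & found) and bool({"/JavaScript", "/JS"} & found)
    return {"is_pdf": True, "header_offset": off, "score": score,
            "keys": keys, "auto_run_script": auto}


if __name__ == "__main__":
    for label, blob in [("benign", BENIGN_PDF), ("suspicious", SUSPICIOUS_PDF)]:
        print(label, triage_pdf(blob))
```

The benign sample scores 0; the constructed lure scores 8 with `auto_run_script` set and a header offset of 15. A renamed executable (bytes starting with MZ) is reported as not a PDF at all, which is the double-extension case the other posts describe. Keys hidden inside FlateDecode streams will not be seen by this pass; a non-zero /ObjStm count is the hint to inflate the streams before trusting a low score.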
-
Fake HMRC, Fake Trusteer SPAM
FYI...
Fake HMRC SPAM / VAT0781569.zip
- http://blog.dynamoo.com/2014/05/hmrc...781569zip.html
9 May 2014 - "This -fake- HMRC spam comes with a malicious attachment:
Date: Fri, 9 May 2014 12:47:49 +0530 [03:17:49 EDT]
From: "noreply@ hmrc .gov .uk" [noreply@ hmrc .gov .uk]
Subject: Successful Receipt of Online Submission for Reference 0781569
Thank you for sending your VAT Return online. The submission for reference 0781569 was
successfully received on Fri, 9 May 2014 12:47:49 +0530 and is being processed. Make VAT
Returns is just one of the many online services we offer that can save you time and
paperwork.
For the latest information on your VAT Return please open attached report.
The original of this email was scanned for viruses by the Government Secure Intranet
virus scanning service supplied by Cable&Wireless Worldwide in partnership with
MessageLabs. (CCTM Certificate Number 2009/09/0052.) On leaving the GSi this email was
certified virus free.
Communications via the GSi may be automatically logged, monitored and/or recorded for
legal purposes.
It says "On leaving the GSi this email was certified virus free" which (as you might suspect) is utter bollocks, because it comes with a malicious payload. Attached to the message is an archive VAT0781569.zip which in turn contains two identical malicious executables AccountDocuments.scr and VAT090514.scr which have a VirusTotal detection rate of 15/52*. This is part one of the infection chain. Automated analysis... shows that components are then downloaded from the following locations:
[donotclick]bmclines .com/0905UKdp.rar
[donotclick]gamesofwar .net/img/icons/0905UKdp.rar
[donotclick]entslc .com/misc/farbtastic/heap170id3.exe
[donotclick]distrioficinas .com/css/b01.exe
The malicious binary heap170id3.exe has a VirusTotal detection rate of 9/52**. Automated analysis... shows that this makes a connection to a server at 94.23.32.170 (OVH, France). The other malicious binary, b01.exe had a VirusTotal detection rate of 11/52***. Analysis of this shows... that it attempts to connect to several different email services, presumably to send out spam."
* https://www.virustotal.com/en-gb/fil...is/1399629443/
** https://www.virustotal.com/en-gb/fil...is/1399629644/
*** https://www.virustotal.com/en-gb/fil...is/1399629683/
___
Fake Trusteer Security Update – PDF malware
- http://myonlinesecurity.co.uk/truste...e-pdf-malware/
9 May 2014 - "... pretending to be from Trusteer Support is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...
Email reads:
Customer Number: 4086477
Important Security Update
Online Banking Protection Software Update from Trusteer
— THIS IS AN AUTOMATED RESPONSE. NO REPLY IS NECESSARY —
Please be sure to restart your computer after installing the new update
Sincerely, Trusteer Technical Support
Your internet banking account is valuable to fraudsters. That’s why criminals are always looking for new ways to get your online banking details and penetrate your account. Anti-virus and firewalls can’t detect the latest attacks, leaving you vulnerable.
To protect you against online fraud, please take a moment to Update Rapport – dedicated online banking security software from the experts at Trusteer. It only takes a few minutes to download and install, and there’s no need to restart your computer...
Screenshot: http://myonlinesecurity.co.uk/wp-con...ity-Update.png
9 May 2014: derek_RaportUpdate.zip (24 kb) Extracts to Trusteer Update Now.scr
Current Virus total detections: 8/52* ...
This Important Security Update is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/b...2aff/analysis/
- http://threattrack.tumblr.com/post/8.../trusteer-spam
May 9, 2014
Tagged: Trusteer, Upatre
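The lure in most of the malware posts above is a ZIP whose member is a .scr, a .jpeg.exe or a .pdf.exe carrying a document icon, which the Explorer default of hiding known extensions turns into a plausible PDF or picture. The Python below is an added example, not code from any of the quoted blogs, that performs the "look carefully at the unzipped file" check without extracting or running anything: it reads each member's full name and first two bytes, and flags executable extensions, document-lookalike double extensions, an MZ (PE) header under a non-executable name, and the right-to-left override character that reverses how a name displays (a trick the posts do not mention, included as a generalisation). The sample archive is constructed in memory and modelled on the filenames above; its members are a 64-byte MZ stub, not real samples.

```python
import io
import zipfile
from dataclasses import dataclass, field

EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js", "jar", "cpl", "msi", "hta"}
# Extensions the spoofed-icon lures above imitate.
DOCUMENT_EXTS = {"pdf", "jpg", "jpeg", "png", "doc", "docx", "xls", "xlsx", "txt", "rtf"}
RLO = "\u202e"  # right-to-left override: "report\u202efdp.exe" displays as "reportexe.pdf"


@dataclass
class MemberVerdict:
    name: str
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def assess_member(name: str, head: bytes) -> MemberVerdict:
    """Judge one archive member from its full name and its first two bytes."""
    v = MemberVerdict(name)
    base = name.rsplit("/", 1)[-1]
    if RLO in base:
        v.reasons.append("right-to-left override character in name")
        base = base.replace(RLO, "")
    parts = base.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if ext in EXECUTABLE_EXTS:
        v.reasons.append(f"executable extension .{ext}")
        if len(parts) > 2 and parts[-2] in DOCUMENT_EXTS:
            v.reasons.append(f"double extension .{parts[-2]}.{ext} (document lookalike)")
    if head[:2] == b"MZ":
        # The content check is independent of the name: a PE renamed to .pdf still starts with MZ.
        v.reasons.append("PE (MZ) header" + ("" if ext in EXECUTABLE_EXTS else f", but named .{ext or '(none)'}"))
    return v


def assess_zip(zip_bytes: bytes) -> list:
    """Inspect every file in a ZIP without extracting it to disk."""
    verdicts = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(2)  # only the magic is needed
            verdicts.append(assess_member(info.filename, head))
    return verdicts


def build_sample_zip() -> bytes:
    """Constructed lure archive modelled on the filenames above; not real samples."""
    fake_pe = b"MZ\x90\x00" + b"\x00" * 60  # DOS magic only, no code
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("LloydsCase-8948231/LloydsCase-07052014.scr", fake_pe)
        zf.writestr("PIC000983339211.jpeg.exe", fake_pe)
        zf.writestr("PP_detalis_726716942049.pdf", fake_pe)  # PE content under a document name
        zf.writestr("notes.txt", b"plain text, nothing to see")
    return buf.getvalue()


if __name__ == "__main__":
    for v in assess_zip(build_sample_zip()):
        print(("SUSPICIOUS " if v.suspicious else "ok         ") + v.name, "; ".join(v.reasons))
```

Checking the magic bytes as well as the name matters because the name is the part the sender controls and the icon is drawn from the PE's own resources; the two-byte read also keeps a multi-gigabyte decompression bomb from being inflated during triage. On a mail gateway the same function can run over every archive member before the message reaches a user who may not have "show known file extensions" turned on.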
-
Fake PayPal, BBB SPAM ...
FYI...
Fake PayPal SPAM – PDF malware
- http://myonlinesecurity.co.uk/paypal...e-pdf-malware/
12 May 2014 - "PayPal Notification of payment received is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. These emails are absolutely identical to the genuine emails that you receive from PayPal when someone sends you money, especially after selling something on eBay . The difference is the link to the transaction goes to a fake site that tries to download a malware file to your computer, that appears to be a PDF...
Screenshot: http://myonlinesecurity.co.uk/wp-con..._new_funds.png
12 May 2014: PP_detalis_726716942049.pdf.exe (485 kb)
Current Virus total detections: 0/51*
This PayPal Notification of payment received is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/f...265f/analysis/
___
BBB SPAM - Washington Metro Area ...
- http://threattrack.tumblr.com/post/8...etro-area-spam
12 May 2014 - "Subjects Seen:
RE:Case #2475314
Typical e-mail details:
Owner/Manager
The Better Business Bureau has received the above-referenced complaint from one of your customers regarding their dealings with you. The details of the consumer’s concern are included on the reverse. Please review this matter and advise us of your position. FILE ATTACHED (Adobe Photoshop format)
As a neutral third party, the Better Business Bureau can help to resolve the matter. Often complaints are a result of misunderstandings a company wants to know about and correct...
We look forward to your prompt attention to this matter.
Sincerely, BBB of Metropolitan Washington DC and Eastern Pennsylvania
Malicious File Name and MD5:
Complaint.zip (F72C05A0A0C4C188B07ECE7806CC0F44)
ComplaintToManager.scr (F89D06A787094FE2DC1AF6B2C0914C17)
Screenshot: https://gs1.wac.edgecastcdn.net/8019...QFX1r6pupn.png
Tagged: bbb, Upatre
- http://myonlinesecurity.co.uk/better...e-pdf-malware/
12 May 2014 - "Better Business Bureau Complaint with subject of RE:Case #8396880 pretending to come from Refugio Ratliff [Refugio_Ratliff@ bbb .org] is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers...
Email looks like:
May 12, 2014
Owner/Manager
The Better Business Bureau has received the above-referenced complaint from one of your customers regarding their dealings with you. The details of the consumer’s concern are included on the reverse. Please review this matter and advise us of your position. FILE ATTACHED (Adobe Photoshop format)
As a neutral third party, the Better Business Bureau can help to resolve the matter. Often complaints are a result of misunderstandings a company wants to know about and correct...
We look forward to your prompt attention to this matter.
Sincerely,
BBB of Metropolitan Washington DC and Eastern Pennsylvania
12 May 2014: Complaint.zip (7 kb) Extracts to ComplaintToManager.scr
Current Virus total detections: 2/52*
... another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/6...2998/analysis/
___
“Your Photos Are being Used” Phish
- http://blog.malwarebytes.org/fraud-s...phishing-lure/
May 12, 2014 - "We’re seeing some reports that an old favourite of scammers everywhere is currently in circulation on social media sites such as Tumblr. If you receive a message from a friend which says:
OMG YOUR PHOTOS ARE BEING USED ON THIS SITE
then be very careful should you happen to click the link, because you may well be sent to a fake login page. In this case, the scammers use some Javascript to bounce the victim from a Tumblr spam blog to a fake Facebook login which they’ll need to use to see the supposed photos. Anybody filling in their details and hitting enter will of course have their username and password sent to the attacker.
> http://cdn.blog.malwarebytes.org/wp-.../05/tumblr.png
...
> http://cdn.blog.malwarebytes.org/wp-...5/phish-fb.png
This sort of scam is often seen on Twitter, and regularly puts in a guest appearance or twelve on other sites. Any urgent-sounding messages sent your way which suggest imminent personal embarrassment of some description should be treated with healthy skepticism until you’ve confirmed that a) the message is genuine and b) it really was worth saving up for a one way ticket to the Sahara desert all those years ago. It’s very likely you’re going to be fine – however, you won’t be able to say the same for accounts being handed over to a scammer using a little shock and awe (but mostly shock) as a bait to spirit away some logins."
___
- http://blog.trendmicro.com/trendlabs...ltiple-emails/
May 12, 2014 - "... Users should be wary of clicking shortened URLs, especially if they come from unverified sources. It’s recommended that they simply use bookmarks or type in the site’s URL directly into the address bar to avoid phishing pages. They should also double-check a site’s URL before they give out any user information; it has become all too easy for bad guys to create login pages that are near-identical to legitimate ones..."
:mad: :fear::fear:
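The "spoofed icon" attachments described in the posts above (an .exe or .scr named to look like a PDF, shipped in a small zip, 0/51 on VirusTotal on day one) are easier to catch on the file name than on a signature. The following is an added example, not code from any of the quoted blogs: it lists the members of a zip attachment without extracting them to disk, flags executable and double extensions, and compares each member's MD5 with the .scr hashes ThreatTrack quotes above. The inert stub payload, the log-style output and the extension lists are my own assumptions.

```python
"""Attachment triage for the 'spoofed icon' pattern described in the posts
above: an .exe/.scr named to look like a PDF (or other document), usually
shipped inside a small .zip.  Added example, not code from the quoted blogs.
"""
from __future__ import annotations

import hashlib
import io
import zipfile

# Extensions Windows runs on double-click (assumption: the minimum a mail
# gateway would want to flag for this campaign family).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}
# Document types the samples on the page impersonate.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "wav", "txt"}


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def classify_name(filename: str) -> list[str]:
    """Reasons a file name looks deceptive; an empty list means 'looks clean'."""
    base = filename.lower().rsplit("/", 1)[-1]
    parts = base.split(".")
    reasons: list[str] = []
    if len(parts) < 2:
        return reasons                      # no extension at all
    last = parts[-1]
    if last not in EXECUTABLE_EXTS:
        return reasons
    reasons.append(f"executable extension .{last}")
    stem = parts[-2]
    if len(parts) >= 3 and stem in DOCUMENT_EXTS:
        # e.g. PP_detalis_726716942049.pdf.exe
        reasons.append(f"double extension .{stem}.{last}")
    elif any(stem.endswith(f"_{d}") or stem.endswith(f"-{d}") for d in DOCUMENT_EXTS):
        # e.g. invoice_65476859394857_pdf.exe, Statement-pdf.scr
        reasons.append("document hint in name before executable extension")
    return reasons


def triage_zip(data: bytes, known_bad_md5: dict[str, str]) -> list[dict]:
    """List every member of a zip attachment with its MD5 and any red flags.
    Nothing is written to disk or executed."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            content = zf.read(info)
            digest = md5_hex(content)
            reasons = classify_name(info.filename)
            if digest in known_bad_md5:
                reasons.append(f"MD5 matches IoC: {known_bad_md5[digest]}")
            findings.append({"name": info.filename, "size": info.file_size,
                             "md5": digest, "reasons": reasons})
    return findings


def verdict(findings: list[dict]) -> str:
    return "block" if any(f["reasons"] for f in findings) else "allow"


def build_sample_zip(member_name: str, payload: bytes) -> bytes:
    """Constructed sample attachment; the payload is an inert stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    # Known-bad hashes: the two .scr MD5s quoted in the ThreatTrack posts above,
    # plus a constructed entry for the stub so the hash path is exercised.
    stub = b"MZ-stub-not-real-malware"
    iocs = {
        "f89d06a787094fe2dc1af6b2c0914c17": "ComplaintToManager.scr (Upatre)",
        "ddba4ad13de7d5ae604729405c180d65": "VoiceMail.scr (Upatre)",
        md5_hex(stub): "constructed stub",
    }
    sample = build_sample_zip("ComplaintToManager.scr", stub)
    results = triage_zip(sample, iocs)
    for f in results:
        print(f)
    print(verdict(results))
```

Because the triage runs on names and hashes only, it works on the day a run starts, before AV detection catches up. The hash list is the weaker half: every run on this page ships a fresh binary, so the extension rules are the primary control and the hashes are confirmation.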
-
Paypal Phish Flood, Fake invoice malware ...
FYI...
Paypal Phish Flood
- http://blog.malwarebytes.org/fraud-s...hishing-flood/
May 13, 2014 - "... noticed a trend in phishing scams over the last week, namely that a specific style of PayPal phish e-mail has been flooding potential victims. The text of the phishing e-mail includes:
Dear Member,
Recently, there's been activity in your PayPal account that seems unusual compared to your normal account activities. Please log in to PayPal to confirm your identity and update your password and security questions.
To help protect your account, no one can send money or withdraw money. In addition, no one can close your account, send refunds, remove any bank accounts, or remove credit cards.
Click here to login <- Phishing Page
What's going on?
We're concerned that someone is using your PayPal account without your knowledge. Recent activity on your account seems to have occurred from a suspicious location or under circumstances that may be different than usual.
What to do
Log in to your PayPal account as soon as possible. We may ask you to confirm information you provided when you created your account to make sure you're the account holder. We'll then ask you to change your password and security questions...
They then advise to wait until PayPal responds within 72 hours after all tasks are complete, however we know that by that time, any credit or accounts associated with your PayPal login are likely to be compromised. We have seen a massive amount of domains being employed to host the actual phishing page, which looks like this:
> http://cdn.blog.malwarebytes.org/wp-...yPal_Phish.png
In addition to the many locations this -scam- is being hosted, the amount of observed IP addresses sending the phishing attack is so far over 500. So keep an eye out for any such scam. In addition, there seems something oddly ‘phishy’ about the pattern of these attacks and as we uncover more we will update this post..."
___
Fake Computer Support Services invoice – PDF malware
- http://myonlinesecurity.co.uk/comput...e-pdf-malware/
13 May 2014 - "Computer Support Services fake invoice with subject of Computer Support Services JJBCL0104291 pretending to come from Computer Support Services [Bishop.j@ blackjj .co .uk] < random names @ blacjj .co .uk > is another one from the current bot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers... email looks like
Dear Carole We have created a new invoice for you. To view your statement including a pdf of this invoice please download the attachment.
Invoice Details
Invoice Number:
Description: 1/4/14 – 30/4/14
Amount: £67.80
Payment Details
Account Number: 01706454
Sort Code: 400822
Account Name: Computer Support Services
Kind Regards, Jennifer Eden Computer Support Services T: 0161 8505080 F: 0161 929 0049 W: www. blackjj .co .uk
13 May 2014 Report_ID30D74D9365D2AC998DC.zip (63 kb) : Extracts to invoice_65476859394857_pdf.exe
Current Virus total detections: 0/52*
This Computer Support Services fake invoice is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/2...56e7/analysis/
___
Citibank Commercial Banking Form Spam
- http://threattrack.tumblr.com/post/8...king-form-spam
May 14, 2014 - "Subjects Seen:
Important - Commercial Form
Typical e-mail details:
Please scan attached document and fax it to +1 800-285-6016.
All web filed documents (with the exception of downloaded accounts templates) are available to view / download for 10 days after their original submission. Once accepted, these changes will be displayed on the public record. Not yet filing your accounts online? See how easy it is… For enquiries, please telephone the Service Desk on +1 800-285-0106 or email enquiries@ citibank .com. This email was sent from a notification-only email address which cannot accept incoming mail. Please do not reply directly to this message.
Yours faithfully
Lilly Mccann
Commercial Banking
Citibank N.A
Lilly.Mccann@ citibank .com
Malicious File Name and MD5:
CommercialForm.zip (5881899D33E80B0B33139BBDED43D9BB)
CommercialForm.scr (F7F5269B1031FF35B8F4DF1000CBCBBB)
Screenshot: https://gs1.wac.edgecastcdn.net/8019...VdL1r6pupn.png
Tagged: Citibank, Upatre
___
Microsoft Exchange Voice mail Spam
- http://threattrack.tumblr.com/post/8...oice-mail-spam
May 14, 2014 - "Subjects Seen:
You have received a voice mail
Typical e-mail details:
You received a voice mail : VOICE933-947-8474.wav (24 KB)
Caller-Id: 933-947-8474
Message-Id: XA6TL3
Email-Id: <email address>
This e-mail contains a voice message.
Download and extract the attachment to listen the message.
Sent by Microsoft Exchange Server
Malicious File Name and MD5:
VoiceMail.zip (B41AF487FC1D362DF736EAC5E14CF5FF)
VoiceMail.scr (DDBA4AD13DE7D5AE604729405C180D65)
Screenshot: https://gs1.wac.edgecastcdn.net/8019...QEg1r6pupn.png
Tagged: Voicemail, Upatre
:fear::fear: :mad:
-
Fake NatWest, 401K Fund SPAM ...
FYI...
Fake NatWest SPAM ...
- http://myonlinesecurity.co.uk/natwest-statement/
15 May 2014 - "NatWest Statement is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers... Email looks like:
View Your April 2014 Online Financial Activity Statement
Keep track of your account with your latest Online Financial Activity Statement from NatWest Bank. It’s available for you to view at this secure site. Just click to select how you would like to view your statement:
View/Download as a PDF
View all EStatements
So check out your statement right away, or at your earliest convenience...
Screenshot: http://myonlinesecurity.co.uk/wp-con...-statement.png
15 May 2014: Statement-pdf.zip (14 kb): Extracts to Statement-pdf.scr
Current Virus total detections: 7/53*
This NatWest Statement is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/5...1030/analysis/
- http://blog.dynamoo.com/2014/05/natw...ins-bitly.html
15 May 2014 - "This -fake- NatWest spam sends victims to a malicious download via a bit.ly link... The link in the email goes to [donotclick]bit .ly/1jKW2GJ which then downloads a malicious file Statement-pdf.scr which has a VirusTotal detection rate of 8/53*...
* https://www.virustotal.com/en-gb/fil...is/1400164292/
___
Fake 401K Fund Spam
- http://threattrack.tumblr.com/post/8...rformance-spam
May 15, 2014 - "Subjects Seen:
401k April 2014 Fund Performance and Participant Communication
Typical e-mail details:
Co-op 401k Plan Participants
Attached you will find the April 2014 401k fund performance results as well as an informational piece regarding online calculators available on the website.
If you are a facility manager, please forward, print or post a copy of these pages on your bulletin board or in a conspicuous place where your employees can see them.
Please contact me if you have any questions.
Elsie Mosley
Employee Benefits/Plan Administrator...
Malicious File Name and MD5:
April-2014-401k-Fund.zip (B5B2231F7110B15F70DB7968134A5A98)
April-2014-401k-Fund.scr (81928270710BAD7443BDBCAA253E4094)
Screenshot: https://31.media.tumblr.com/eb6512d5...c4p1r6pupn.png
Tagged: 401K, Upatre
___
Fake justice .co.uk - REMINDER NOTICE ...
- http://myonlinesecurity.co.uk/fake-j...notice-ignore/
15 May 2014 - "Fake justice .co.uk REMINDER NOTICE DO NOT IGNORE is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... a spurious parking ticket, hoping to extort a large sum of money from you...
UK central Police svc notice: http://www.actionfraud.police.uk/ale...e-emails-mar14
Email looks like:
REMINDER NOTICE DO NOT IGNORE
To: submit@ thespykiller .co .uk Case: C5067787
Please print attached form and fax it to +44 020 4869 0219 Your vehicle was recorded parked on our Clients Private Property driveways on the 15.05.2014 and remained on site for 2 hour 28 min. A notice was sent to you on 10.04.2014 which gave 28 days to pay full PARKING CHARGE or challenge the issue. The amount of £78.00 is now due...
Screenshot: http://myonlinesecurity.co.uk/wp-con...NOT-IGNORE.png
15 May 2014: Form-STD-Vehicle-150514.zip (11 kb) Extracts to Form-STD-Vehicle-150514.scr
Current Virus total detections: 5/53*
... another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/3...5ce4/analysis/
:fear: :mad:
-
Fake TT PAYMENT SPAM, High Fashion Scams ...
FYI...
Fake TT PAYMENT COPY - SPAM ...
- http://blog.dynamoo.com/2014/05/tt-p...copy-spam.html
19 May 2014 - "This spam has a malicious attachment:
Date: Sun, 18 May 2014 20:54:20 -0700 [05/18/14 23:54:20 EDT]
Subject: Re TT PAYMENT COPY
please confirm the attachment payment Copy and get back to me?
Attached is an archive file TT PAYMENT COPY.zip which in turn contains another archive file TT PAYMENT COPY.rar (which relies on the victim having a program to uncompress the RAR file). Once that is done, a malicious executable PaySlip.exe is created. This file has a VirusTotal detection rate of 27/53*. Automated analysis tools... don't reveal what is happening, but you can guarantee it is nothing good."
* https://www.virustotal.com/en-gb/fil...is/1400507439/
___
High Fashion to High Risk ...
- http://blog.malwarebytes.org/fraud-s...-to-high-risk/
May 19, 2014 - "... Suffice to say that several Fashion Weeks have come and gone since 2014 started... more runway events have been announced and are already scheduled to happen within the next two to three weeks... it’s highly likely that you may encounter the sites we’ve found these past few days. We have also noted that such sites have increased in number, with most of them carrying the brands Louis Vuitton, Chanel, Gucci, Hermes, and Oakley.
> http://cdn.blog.malwarebytes.org/wp-...uisvuitton.png
...
> http://cdn.blog.malwarebytes.org/wp-...uccioutlet.png
... What fantasylouisvuitton, guccioutlet, and fashionshop-usa have in common goes beyond not having an easy way for anyone to verify the products they say for authenticity. All these sites redirect to random JS (JavaScript) scripts hosted on js(dot)users(dot)51(dot)la, a site that has been associated with many -malicious- activities in the past*. Google Safe Browsing flags it as “suspicious”... Meanwhile, Tumblr users have been inundated with spam posts from users claiming to be students who have put up their own personal fashion site and wishing others to visit it. This is an old Tumblr scam designed to encourage the clicking of adverts, which is often against the Terms of Service (ToS) of many advertising networks and can be seen as a form of click fraud. In this case, scammers specifically looked for those interested in fashion... When it comes to dealing with scams and potentially risky websites, users are always at the losing end. Thus, avoiding such sites, in general, and sticking to visiting legitimate and/or official selling sites of popular brands are best practices to keep in mind."
* https://www.virustotal.com/en/domain...a/information/
___
Targeted Attack Trends - 2H 2013
- http://blog.trendmicro.com/trendlabs...ok-at-2h-2013/
May 19, 2014 - "Targeted attacks are known to use zero-day exploits. However, old vulnerabilities are still frequently exploited. In fact, based on cases analyzed in the second half of 2013, the most exploited vulnerability in this time frame was CVE-2012-0158, a Microsoft Office vulnerability that was patched in April 2012. This shows how important applying the latest patches and security updates are in mitigating the risks posed by these threats.
Most commonly exploited vulnerabilities related to targeted attacks
> http://blog.trendmicro.com/trendlabs.../tareport2.jpg
... Spear phishing* is still the most seen entry point for targeted attacks. These email messages use relevant-sounding subjects that trick users into opening it and the file attachments therein that serve as malware carriers. In our 2014 prediction, we noted that mobile devices will also be leveraged by threat actors to gain entry to networks... Although targeted attacks are difficult to detect, this task can be made easier with solutions that use advanced threat detection technology that can detect, analyze, and respond to attacks that traditional antivirus signature-based solutions and blacklisting are not capable of. Targeted attacks often leave traces that can serve as indicators of compromise. As such, enterprises and large organizations are encouraged to build their own threat intelligence capability, which they can incorporate into their own existing security solutions..."
> http://about-threats.trendmicro.com/...ify-in-2h-2013
... The latter half of 2013 also bore witness to a series of threat landscape updates that show the aggressive stance of present-day attackers... While bad actors prefer using tried-and-tested attack vectors-such as spear-phishing emails, vulnerabilities, and malware-research shows that they are on the move in terms of diversifying their victims all over the world..."
* http://searchsecurity.techtarget.com...spear-phishing
- http://www.secureworks.com/resources...cve-2014-1761/
May 16, 2014
- http://www.reuters.com/article/2014/...A4I09420140519
May 19, 2014 - "The United States on Monday charged five Chinese military officers and accused them of hacking into American nuclear, metal and solar companies to steal trade secrets, ratcheting up tensions between the two world powers over cyber espionage. China immediately denied the charges, saying in a strongly worded Foreign Ministry statement the U.S. grand jury indictment was "made up" and would damage trust between the two nations... Federal prosecutors said the suspects targeted companies including Alcoa Inc, Allegheny Technologies Inc, United States Steel Corp, Toshiba Corp unit Westinghouse Electric Co, the U.S. subsidiaries of SolarWorld AG, and a steel workers' union. Officials declined to estimate the size of the losses to the companies, but said they were "significant." The victims had all filed unfair trade claims against their Chinese rivals, helping Washington draw a link between the alleged hacking activity and its impact on international business. According to the indictment, Chinese state-owned companies "hired" Unit 61398 of the People's Liberation Army "to provide information technology services" including assembling a database of corporate intelligence..."
___
E-On Energy Bill Spam
- http://threattrack.tumblr.com/post/8...ergy-bill-spam
May 19, 2014 - "Subjects Seen:
Unable to process your most recent bill payment
Typical e-mail details:
Dear customer,
This e-mail has been sent to you to inform you that we were unable to process your most recent payment of bill.
Please check attached file for more detailed information on this transaction.
IMPORTANT: The actual delivery date may vary from the Delivery By date estimate. Please make sure that there are sufficient available funds in your account to cover your payment beginning a few days before Delivery By date estimate and keep such funds available until the payment is deducted from your account.
If we fail to process a payment in accordance with your properly completed instructions, we will reimburse you any late-payment-related fees.
We apologize for any inconvenience this may cause.
Malicious File Name and MD5:
Eonenergy-Bill-29052014.zip (73C46BEB4997D121D88E4DA220EB8E75)
Eonenergy-Bill-29052014.scr (FE272CDACF8BB7C3A8B264BFDF3772FD)
Screenshot: https://gs1.wac.edgecastcdn.net/8019...RJh1r6pupn.png
Tagged: eon, Upatre
- http://myonlinesecurity.co.uk/e-ener...-bill-payment/
19 May 2014
> http://myonlinesecurity.co.uk/wp-con...ll-payment.png
* https://www.virustotal.com/en/file/a...6675/analysis/
:fear: :mad:
-
Fake Sage, LexisNexis Invoice SPAM ...
FYI...
Fake Sage Invoice SPAM leads to malware
- http://blog.dynamoo.com/2014/05/fake...o-malware.html
20 May 2014 - "This -fake- Sage spam leads to malware:
Date: Tue, 20 May 2014 09:20:53 +0100 [04:20:53 EDT]
From: Sage [Wilbur.Contreras@ sage-mail .com]
Subject: FW: Invoice_6895366
Please see attached copy of the original invoice (Invoice_6895366).
Attached is an archive file Invoice6895366.zip which in turn contains a malicious executable Invoice200522014.scr which has a VirusTotal detection rate of 8/52*. The Malwr analysis** shows that it then goes on to download further components from [donotclick]protecca .com/fonts/2005UKdp.zip [108.163.165.122]..."
* https://www.virustotal.com/en-gb/fil...is/1400575304/
** https://malwr.com/analysis/MWRiODI4N...hjZDFlNzRkMDI/
- https://www.virustotal.com/en-gb/ip-...2/information/
- http://myonlinesecurity.co.uk/fake-j...notice-ignore/
Updated 20 May 2014 - "... Another big run of these this morning. See the notice on Justice .co.uk* and Action Fraud** where they are asking you to report these to them..."
* https://www.justice.gov.uk/help/fraud
** http://www.actionfraud.police.uk/ale...e-emails-mar14
Screenshot: http://myonlinesecurity.co.uk/wp-con...NOT-IGNORE.png
- http://threattrack.tumblr.com/post/8...f-justice-spam
May 20, 2014
Tagged: UK Ministry of Justice, Upatre
___
Fake LexisNexis Invoice – PDF malware
- http://myonlinesecurity.co.uk/lexisn...e-pdf-malware/
20 May 2014 - "LexisNexis Invoice Notification for May 2014 pretending to come from LexisNexis [einvoice.notification@ lexisnexis .com] is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers...
Email looks like:
There was an invoice issued to your company: thespykiller .co.uk Please double click the PDF attachment to open or print your invoice.
To view full invoice details or for any Online Account Management options, download PDF attachment.
Account Number 278QCB
Invoice Number 195709944451
Invoice Date May 20, 2014
Invoice Amount $3.809.00
Account Balance $0.00
You can PAY YOUR BALANCE through the PowerInvoice please print the attached invoice and mail to the address indicated on the invoice statement...
Screenshot: http://myonlinesecurity.co.uk/wp-con...r-May-2014.png
20 May 2014 LexisNexis_Invoice_05202014.zip (12 KB) Extracts to
LexisNexis_Invoice_05202014.scr - Current Virus total detections: 0/52*
This LexisNexis Invoice Notification for May 2014 is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/7...is/1400601699/
___
SCAM: FIFA World Cup Tickets
- http://blog.trendmicro.com/trendlabs...d-cup-tickets/
March 20, 2014 - "As the 2014 FIFA World Cup Brazil draws near, we are seeing more threats using the event as bait. We recently talked about cybercriminals in Brazil taking advantage of the event to spread malware, but we’ve found that the threats have gone beyond that: we’ve spotted -fake- FIFA websites selling game tickets... For the site meant for visitors from Brazil, would-be fans can buy a ticket for the final Game for 8,630.20 reais (or just under 3,900 US dollars). This price is almost 4000% higher than the official price on FIFA’s website. At a Brazilian complaints site, a user reported that he bought three tickets for the Portugal versus Germany match from this site, but hadn’t received any tickets yet. The victim also claims that this scam site left no phone number to be contacted. Another complaint on the same site says the only way for the scammers to be contacted is via chat or email... This scam is an example of how different legitimate services (hosting, domain registration, online payment system) can be used fraudulently to scam victims around the globe... remember that -only- FIFA is authorized to sell tickets for the World Cup games..."
___
iBanking: Exploiting the Full Potential of Android Malware
- http://www.symantec.com/connect/blog...ndroid-malware
20 May 2014 - "Powerful Russian cybercrime gangs have begun to use premium Android malware to broaden their attacks on financial institutions. The tool, known as iBanking, is one of the most expensive pieces of malware Symantec has seen on the underground market and its creator has a polished, Software-as-a-Service business model... iBanking often masquerades as legitimate social networking, banking or security applications and is mainly being used to defeat out-of-band security measures employed by banks, intercepting one-time passwords sent through SMS. It can also be used to construct mobile -botnets- and conduct covert surveillance on victims. iBanking has a number of advanced features, such as allowing attackers to toggle between HTTP and SMS control, depending on the availability of an Internet connection... One of the most active iBanking users is the Neverquest* crew, a prolific cybercrime group that has infected thousands of victims with a customized version of Trojan.Snifula**. This financial Trojan can perform Man-in-the-Middle (MITM) attacks against a range of international banks. The Neverquest crew utilizes iBanking to augment its Snifula attacks, capturing one-time passwords sent to mobile devices for out-of-band authentication and transaction verification. Control numbers (the mobile numbers that the bots can receive instructions from) indicate that the Neverquest crew is likely operating out of Eastern Europe... Since iBanking victims are usually tricked into installing the app by a desktop financial Trojan, keeping your desktop antivirus software up to date will help avoid infection. You should be wary of any SMS messages which contain links to download APKs (Android application package files), especially from non-reputable sources. IT administrators should consider blocking all messages which contain a link to install an APK. 
Some iBanking APKs have been seeded onto trusted marketplaces and users should be aware of this as a potential avenue of infection. Users should be aware of sharing sensitive data through SMS, or at least be aware that malicious programs are sniffing this data..."
* http://malware.dontneedcoffee.com/20...ed-by-the.html
** http://www.symantec.com/security_res...112803-2524-99
:mad::mad: :sad:
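The indicators Dynamoo quotes are deliberately defanged ("[donotclick]", "protecca .com", "js(dot)users(dot)51(dot)la") and have to be normalised before they can be fed to a proxy block list or a log search. The following is an added example, not the blog's own code: it refangs the download URL and IP from the Sage post above and the 51.la script host from the fake fashion-shop post, then runs them over proxy log lines. The log format, the log lines and the note strings are constructed by me.

```python
"""Normalise the defanged indicators quoted in the Dynamoo posts above
("[donotclick]", "protecca .com", "js(dot)users(dot)51(dot)la") and match
them against web-proxy log lines.  Added example, not the blog's own code;
the log lines and the log format are constructed.
"""
from __future__ import annotations

import re
from urllib.parse import urlsplit


def refang(indicator: str) -> str:
    """Undo the common 'do not click' mangling so the indicator can be parsed."""
    s = indicator.strip()
    s = s.replace("[donotclick]", "")
    s = re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)
    for marker in ("(dot)", "[dot]", "[.]"):
        s = s.replace(marker, ".")
    s = re.sub(r"\s+\.", ".", s)          # "protecca .com" -> "protecca.com"
    return s


def parse_indicator(raw: str, note: str) -> dict:
    """Split a refanged indicator into host and (optional) exact path."""
    url = refang(raw)
    if "://" not in url:
        url = "http://" + url              # scheme only needed for parsing
    parts = urlsplit(url)
    return {"host": (parts.hostname or "").lower(),
            "path": parts.path if parts.path not in ("", "/") else None,
            "note": note, "raw": raw}


# Indicators taken from the posts above (the note text is mine).
INDICATORS = [
    parse_indicator("[donotclick]protecca .com/fonts/2005UKdp.zip",
                    "Sage spam second-stage download"),
    parse_indicator("108.163.165.122", "IP hosting the Sage second stage"),
    parse_indicator("js(dot)users(dot)51(dot)la",
                    "script host behind fake fashion shops"),
]

# Constructed log format: epoch client method url status
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})")


def match_line(line: str, indicators=INDICATORS) -> dict | None:
    """Return a hit record if the request matches any indicator, else None.
    Host indicators match the host and its subdomains; URL indicators also
    require the exact path, so a visit to the bare domain is not a hit."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("url"))
    host = (url.hostname or "").lower()
    for ind in indicators:
        host_hit = host == ind["host"] or host.endswith("." + ind["host"])
        path_hit = ind["path"] is None or url.path == ind["path"]
        if host_hit and path_hit:
            return {"client": m.group("client"), "url": m.group("url"), "note": ind["note"]}
    return None


def scan_log(lines) -> list[dict]:
    return [hit for hit in (match_line(line) for line in lines) if hit]


# Constructed proxy log: one benign request, the Sage download, the bare
# protecca domain (no path match), the IP with a different path, and 51.la.
SAMPLE_LOG = """\
1400575304.101 10.0.0.21 GET http://www.example.com/index.html 200
1400575310.220 10.0.0.21 GET http://protecca.com/fonts/2005UKdp.zip 200
1400575312.004 10.0.0.21 GET http://protecca.com/ 200
1400575330.555 10.0.0.37 GET http://108.163.165.122/fonts/other.zip 404
1400575400.900 10.0.0.52 GET http://js.users.51.la/12345.js 200
""".splitlines()

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The host-plus-path rule is deliberate: the page gives protecca .com only as the location of one download, so the example alerts on that URL rather than the whole domain, while the IP and the 51.la host are treated as bad in their own right.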
-
Something evil on 93.171.173.173, FireEye confirms DOJ’s findings on APT ...
FYI...
Something evil on 93.171.173.173 ...
- http://blog.dynamoo.com/2014/05/some...173-sweet.html
21 May 2014 - "93.171.173.173 (Alfa Telecom, Russia) is currently distributing the Sweet Orange EK via a bunch of -hijacked- GoDaddy subdomains. The malware is being spread through code injected into legitimate but hacked websites. For example [donotclick]www.f1fanatic .co.uk is a compromised website that tries to redirect visitors to two different exploit kits:
[donotclick]adv.atlanticcity .house:13014/sysadmin/wap/fedora.php?database=3
[donotclick]fphgyw.myftp .biz/kfafyfztzhtwvjhpr37ffn9qi7w0ali5rhczqxcgif3d4
The second one is an attempt to load the Fiesta EK although the payload site is currently down. But the .house domain appears to be Sweet Orange (incidentally this is the first time that I've seen one of the new TLDs abused in this way)... The server on 93.171.173.173 hosts a number of subdomains that are hijacked from GoDaddy customers. I recommend that you block either the subdomain or domains themselves... The EK page itself has a VirusTotal detection rate of 0/53*, although hopefully some of the components it installs will trigger a warning."
(More detail at the dynamoo URL above.)
* https://www.virustotal.com/en-gb/fil...is/1400664015/
93.171.173.173: https://www.virustotal.com/en-gb/ip-...3/information/
- http://centralops.net/co/DomainDossier.aspx
93.171.173.173
inetnum: 93.171.172.0 - 93.171.175.255
country: RU ...
origin: AS29182
Diagnostic page for AS29182 (ISPSYSTEM-AS)
- https://www.google.com/safebrowsing/...?site=AS:29182
"Of the 16625 site(s) we tested on this network over the past 90 days, 264 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2014-05-22, and the last time suspicious content was found was on 2014-05-22... Over the past 90 days, we found 87 site(s) on this network... appeared to function as intermediaries for the infection of 393 other site(s)... this network has hosted sites that have distributed malicious software in the past 90 days. We found 260 site(s)... that infected 3562 other site(s)..."
___
FireEye Confirms DOJ’s Findings on APT1 Intrusion Activity
- http://www.fireeye.com/blog/technica...-activity.html
May 20, 2014 - "Yesterday, the U.S. Department of Justice (DOJ) announced the indictment of five members of the Second Bureau of the People’s Liberation Army (PLA) General Staff Department’s Third Department, also known as PLA Unit 61398. This is the -same- unit that Mandiant publicly unmasked last year in the APT1 report*. At the time it was originally released, China denounced the report, saying that it lacked sufficient evidence. Following the DOJ’s indictment, however, China’s usual response changed from “you lack sufficient evidence” to “you have fabricated the evidence”, calling on the U.S. to “correct the error immediately.” This is a significant evolution in China’s messaging; if the evidence is real, it overwhelmingly demonstrates China’s unilateral attempts to leapfrog years of industrial development — by using cyber intrusions to access and steal intellectual property... Although one could attempt to explain every piece of evidence away, at some point the evidence starts to become overwhelming when it is all pointing in one direction. Our timestamp data, derived from active RDP logins over a two year period, matches the DOJ’s timestamp data, derived from a different source — active Dynamic DNS re-pointing over a five year period. These data sets show that APT1 is either operating in China during normal Chinese business hours or that APT1 is intentionally going to painstaking lengths to look like they are... "
(More detail at the fireeye URL above.)
* http://intelreport.mandiant.com/
___
“Amazoon” Phishing
- http://blog.malwarebytes.org/fraud-s...zoon-phishing/
May 21, 2014 - "Be warned that there are some typo happy phishers looking out for login credentials... take a trip down the Amazoon:
> http://cdn.blog.malwarebytes.org/wp-...5/amazoon1.jpg
It reads:
Verify your Amazoon account
Dear Amazon user,
We need to confirm your account information,
you must confirm your amazon account before we close it.
Click the link below to confirm your account information using our secure server.
Clicking the “Manage” link will take victims to a page asking for username and password information:
> http://cdn.blog.malwarebytes.org/wp-...5/amazoon2.jpg
After this, they’re faced with a page asking for personal information (name, address, phone number and so on):
> http://cdn.blog.malwarebytes.org/wp-...5/amazoon3.jpg
The page after this one is broken – looks like the host has taken it down mid-blog so hopefully nobody else will be scammed by this one. Typically the pattern for this kind of thing would be login details, personal information then card data. While we can’t say for sure what lay in wait at step 3, we can say to be on your guard for any more emails from “Amazoon” and -never- hand over personal data such as card details in response to emails you’ve been sent."
>> http://www.dilbert.com/2014-05-19/
___
Fake Contrat Commercant SPAM – PDF malware
- http://myonlinesecurity.co.uk/contra...e-pdf-malware/
21 May 2014 - "Contrat Commercant N: 9579514 pretending to come from Rick Goddard [Rick.Goddard@ credit-agricole .fr] is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers. This is written entirely in French...
Email looks like :
Bonjour,
Enchante d’avoir fait votre connaissance. Je vous confirme que j’ai bien recupere les documents..
Pouvez-vous me dire si vous souhaitez conserver le contrat commercant n°9579514 ? En effet, sans action de notre part, il sera automatiquement resilie le 22 mai 2014.
Pour eviter automatiquement resilie accorder 2 minutes au service Credit Agricole en remplissant le formulaire ci-joint.
Rick Goddard ...
21 May 2014: Contrat_9579514.zip (8kb) extracts to Contrat_210514.scr
Current Virus total detections: 0/52* ...
This is another one of the spoofed icon files that, unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/7...bc09/analysis/
___
PrimeAspire (primeaspire .com) spam
- http://blog.dynamoo.com/2014/05/prim...ecom-spam.html
21 May 2014 - "Startup or no startup, sending spam to a spamtrap is not a good way to drum up business..
From: Team@ primeaspire .com
To: donotemail@ wearespammers .com
Date: 20 May 2014 13:32
Subject: PrimeAspire - The Freelance Platform
Hello,
Following our recent launch we'd like to invite you to PrimeAspire where you can post any task and securely get skilled people to complete specific freelance tasks.
The platform is completely free and used by talented people looking for freelance projects.
Learn more
Thanks,
The PrimeAspire team ...
Screenshot: http://4.bp.blogspot.com/-a2q8a983zh...rimeaspire.png
.. CEO of PrimeAspire is one Chris Adiolé. PrimeAspire (strictly speaking it is Prime Aspire Ltd) is a real company (07850209 in the UK), and Mr Adiolé even has his name on the domain WHOIS details rather than hiding behind a proxy service... Originating IP is 79.170.44.6 which is Heart Internet in the UK. The primeaspire.com domain is hosted with the same firm on 79.170.40.239... promoting your startup through spam is always a very bad move..."
:fear: :mad:
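A worked illustration of the working-hours heuristic the FireEye post above relies on (RDP login times that cluster in Chinese business hours), added here as an example; it is not code from FireEye, Mandiant or the DOJ. It converts a constructed set of UTC login timestamps into several candidate time zones and scores how many land inside a weekday 09:00-18:00 window. The timestamps, the candidate offsets and the window are assumptions for the demo; China has no daylight saving, so a fixed +8 offset stands in for Asia/Shanghai. As the post itself cautions, a clean fit only shows the activity is consistent with that zone, not that the actor is unable to fake it.

```python
"""Score login timestamps against candidate business-day windows (attribution heuristic)."""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample of interactive-login timestamps in UTC (not real APT1 data).
SAMPLE_LOGINS_UTC = [
    "2013-02-04T01:12:00Z", "2013-02-04T03:40:00Z",   # Mon 09:12 / 11:40 at UTC+8
    "2013-02-05T06:05:00Z", "2013-02-05T08:30:00Z",   # Tue 14:05 / 16:30
    "2013-02-06T01:20:00Z", "2013-02-06T07:45:00Z",   # Wed 09:20 / 15:45
    "2013-02-07T02:10:00Z", "2013-02-07T09:30:00Z",   # Thu 10:10 / 17:30
    "2013-02-08T05:00:00Z", "2013-02-08T09:59:00Z",   # Fri 13:00 / 17:59
    "2013-02-08T16:00:00Z",                           # Sat 00:00 at UTC+8 (off hours)
    "2013-02-09T04:00:00Z",                           # Sat 12:00 at UTC+8 (weekend)
]

WORK_START, WORK_END = 9, 18   # local hours counted as a business day: [09:00, 18:00)
WORKDAYS = range(0, 5)         # Monday=0 .. Friday=4


def parse_utc(stamp: str) -> datetime:
    """Parse 'YYYY-MM-DDTHH:MM:SSZ' into an aware UTC datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def to_local(ts: datetime, utc_offset_hours: float) -> datetime:
    """Shift an aware UTC datetime into a fixed-offset zone (no DST modelling)."""
    return ts.astimezone(timezone(timedelta(hours=utc_offset_hours)))


def business_hours_ratio(stamps, utc_offset_hours: float) -> float:
    """Fraction of logins inside the weekday 09:00-18:00 window at the given offset."""
    parsed = [parse_utc(s) for s in stamps]
    if not parsed:
        return 0.0
    hits = 0
    for ts in parsed:
        local = to_local(ts, utc_offset_hours)
        if local.weekday() in WORKDAYS and WORK_START <= local.hour < WORK_END:
            hits += 1
    return hits / len(parsed)


def hour_histogram(stamps, utc_offset_hours: float) -> Counter:
    """Logins per local hour of day; a daytime hump is the signal analysts look for."""
    return Counter(to_local(parse_utc(s), utc_offset_hours).hour for s in stamps)


def best_fit_offset(stamps, candidates=(-8, -5, 0, 1, 3, 5.5, 8, 9)):
    """(offset, ratio) for the candidate zone whose business day explains the most logins."""
    scored = {off: business_hours_ratio(stamps, off) for off in candidates}
    best = max(scored, key=scored.get)
    return best, scored[best]


if __name__ == "__main__":
    for off in (-5, 0, 8):
        print(f"UTC{off:+} business-hours share: {business_hours_ratio(SAMPLE_LOGINS_UTC, off):.2f}")
    off, ratio = best_fit_offset(SAMPLE_LOGINS_UTC)
    print(f"best fit: UTC{off:+} ({ratio:.0%} of logins in working hours)")
    print("local-hour profile at UTC+8:", sorted(hour_histogram(SAMPLE_LOGINS_UTC, 8).items()))
```

On the constructed sample UTC+8 explains 10 of 12 logins while UTC-5 explains 1, which is the shape of argument the FireEye post makes with two years of real data. Run it over your own authentication logs with the offsets you care about; a tie or a flat histogram means the heuristic has nothing to say.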
-
Browlock -redirects- via Google Image Search ...
FYI...
Browlock -redirects- via Google Image Search
- http://blog.malwarebytes.org/fraud-s...-image-search/
May 22, 2014 - "We saw a website offering up a downloadable version of what they claim is Telltale’s Back to the Future game. The site had apparently been -hacked- allowing those who compromised it to add redirect code onto the website. As a side effect of this, clicking on their image via the initial returned results from a Google image search while using Chrome will mean your browser is redirected to a Browlock scam page, complete with dire warnings placed on top of the preview image which is now adrift in a sea of fakery:
> http://cdn.blog.malwarebytes.org/wp-...ocksearch1.png
... we’re looking at a typical “Your PC has been encrypted, pay us money to return your files” message – the translation of which can be seen over on the F-Secure website* – and depending on your browser set up, you may have a few problems getting rid of the page. For example:
> http://cdn.blog.malwarebytes.org/wp-...ocksearch2.jpg
Once the box is on the screen, there is no way to open another tab or indeed navigate to one that is already open. For similar reasons, you won’t be able to close the browser either. The browser is trapped in a loop of confirmation pop-up boxes and our old friend CTRL+ALT+DEL will be required to kill the browser in Task Manager. The end-user isn’t under too much risk here – the scam page is simply -pretending- that the PC has had all files encrypted, and wants them to pay up to get their hands back on valuable personal data. There have been instances in the past where Fake AV has taken advantage of image search and caused problems for Mac users, and here’s a YouTube video** of the Windows equivalent. In this case, if you’re ever able to get the popup out of the way AND close the image AND open up the vanilla website AND read the Russian text…you should close the browser via the wonder of Task Manager and go do something else anyway. Your data is safe, no need to hand over cash to scammers!"
* http://www.f-secure.com/weblog/archives/00002698.html
** http://www.youtube.com/watch?v=1oxAK4TP6Uk
___
Malvertising ads on popular site leads to Silverlight exploit, Zeus Trojan
- http://blog.malwarebytes.org/exploit...t-zeus-trojan/
May 22, 2014 - "Malicious ads displayed on legitimate websites (malvertising) are something we see a lot of these days... third-party content is always a bit iffy because you just can’t control it. Case in point, a popular website recently suffered a malvertising attack. Our honeypots detected the malicious redirection from a compromised ad in the wee hours of last Friday morning. We contacted both the site owners and the advertising agency and the malicious traffic stopped shortly after. Over the course of the weekend and the beginning of the week, we exchanged some further emails to get a better understanding about the attack, which turned out to be an Ad server compromise... the advertising agency had suffered a server compromise themselves. I managed to talk to them and they were willing to share information about the attack that affected them and in turn their customers. After browsing their log files they noticed a peculiar IP address that had logged in through SSH and had connected to their email server. But interestingly the attacker waited patiently before doing anything nefarious. It appears the attacker was reading their emails and simply waiting for something valuable to come up. Finally, a new ad campaign with a high volume website was started and details were shared via email. Almost immediately after, the attacker redirected the tracking for the ad server to his own malicious site (rotator)... The goal of this malvertising attack is to -redirect- unsuspecting users to an exploit kit landing page in order to infect their computers... Drive-by download through Angler exploit kit: The exploit kit landing page is heavily obfuscated to make detection harder... Following successful exploitation of the machine, a payload is dropped. This one is none other than the infamous Zeus/Zbot banking Trojan... The best defence is a layered one and it starts with browser protection. 
To stop the Silverlight exploit you need to be running the latest version of the software*... also another notable external connection to an IP (37.57.26.167) based in the Ukraine... good Anti-Malware protection running in the background can also protect you against the threat, either by blocking the malicious site or the dropped payload... Thanks to the advertising agency for sharing some of the details on their compromise. Hopefully this will be helpful to other website owners."
(More detail at the malwarebytes URL above.)
* http://www.microsoft.com/getsilverli...l/Default.aspx
- http://atlas.arbor.net/briefs/
Elevated Severity
May 23, 2014
Microsoft Silverlight vulnerabilities were recently targeted in a malvertising campaign redirecting victims to exploit kits.
Analysis: Malicious ads in the AppNexus network redirected victims to malicious sites hosting the Angler Exploit Kit containing Silverlight exploits. Angler EK has shown a significant increase in attacks against Silverlight since late April... Like many other exploit kits, Angler EK makes use of disclosed, patched vulnerabilities rather than zero-days. The two Silverlight vulnerabilities exploited in this campaign, CVE-2013-0074 and CVE-2013-3896, both have available patches and published exploit code... Angler EK also contains exploits for other applications including Java and Flash, whose security issues are frequently discussed. Given the widespread and growing usage of Silverlight, including by popular video streaming site Netflix, it is likely that Silverlight will continue to be targeted. Users who have Silverlight installed should ensure that it is up-to-date.
:mad: :fear:
-
Targeted attacks, Malware via Dropbox ...
FYI...
Targeted attacks against Taiwan gov't agencies
- http://blog.trendmicro.com/trendlabs...nt-agencies-2/
May 23, 2014 - "... We are currently monitoring a campaign that specifically targets government and administrative agencies in Taiwan. We are naming this specific campaign PLEAD because of the letters of the backdoor commands issued by the related malware. The point of entry for this campaign is through email. In the PLEAD campaign, threat actors use the RTLO (right-to-left override) technique in order to fool the target recipient into thinking that the file extension of the unpacked file is not suspicious, i.e., not an executable. In some cases related to the PLEAD campaign, the RTLO technique was implemented correctly, as seen in a case targeting a particular ministry in Taiwan, purporting to be reference materials for a technical consultant conference... We also observed the use of an exploit using the CVE-2012-0158 vulnerability, which had long been patched by MS12-027 in 2012. The vulnerability exists in Windows common controls, could allow an attacker to execute malicious code, and is a common vulnerability found in targeted attacks... We are still conducting research about the related C&Cs and malware tools in the PLEAD campaign and will be providing technical details about the breadth of this campaign. It appears that the attacks related to this campaign have been around since 2012."
(More detail at the trendmicro URL above.)
___
Fake NatWest email downloads malware via Dropbox
- http://blog.dynamoo.com/2014/05/fake...s-malware.html
May 23, 2014 - "This fake NatWest email follows the same pattern as this one except that it is downloading malware via Dropbox rather than Bitly.
From: NatWest .co.uk [noreply@ natwest .co.uk]
Date: 23 May 2014 11:36
Subject: NatWest Statement
View Your May 2014 Online Financial Activity Statement
Keep track of your account with your latest Online Financial Activity Statement from NatWest Bank. It's available for you to view at this secure site. Just click to select how you would like to view your statement:
View/Download as a PDF
View all EStatements
So check out your statement right away, or at your earliest convenience.
Thank you for managing your account online.
Sincerely,
NatWest Bank ...
The link in the email goes to [donotclick]dl.dropboxusercontent .com/s/h8ee7pet8g3myfh/NatWest_Financial_Statement.zip?dl=1&token_hash=AAGNPq4-blG8MXToyYPu1l8lXEyrOQNz6EjK7rUBRaSHGg&expiry=1400838977 which downloads an archive file NatWest_Financial_Statement.zip which in turn contains the malicious executable NatWest_Financial_Statement.scr. This has a VirusTotal detection rate of just 3/52*. Automated analysis tools... show that it downloads a component from [donotclick]accessdi .com/wp-content/uploads/2014/04/2305UKmw.zip ... The Malwr analysis shows that it then downloads some additional EXE files:
ibep.exe (VT 2/52, Malwr report)
kuten.exe (VT 3/52, Malwr report)
sohal.exe (VT 2/52, Malwr report)
As is typical with the attack, the payload appears to be P2P/Gameover Zeus/Zbot."
(More detail and links at the dynamoo URL above.)
* https://www.virustotal.com/en-gb/fil...is/1400846756/
___
Fake eBay Customer List is Bitcoin Bait
- http://krebsonsecurity.com/2014/05/e...-bitcoin-bait/
May 22, 2014 - "... an advertisement that is offering to sell the full leaked user database for 1.4 bitcoins (roughly USD $772 at today’s exchange rates). The ad has even prompted some media outlets to pile on that the stolen eBay data is now for sale. But a cursory examination of the information suggests that it is almost certainly little more than a bid to separate the unwary from their funds... There is a surprisingly simple method for determining the validity of these types of offers. Most Web-based businesses allow one user or customer account per email address, and eBay is no exception here. I took a random sampling of five email addresses from the 12,663 users in that file, and tried registering new accounts with them. The outcome? Success on all five... the main target of these fake leak scammers are probably security companies eager enough to verify the data that they might just buy it to find out. Interestingly, I did have one security company approach me today about the feasibility of purchasing the data, although I managed to talk them out of it..."
:mad: :fear::fear:
-
Fake Voice Msg – PDF malware ...
FYI...
Fake Voice Msg – PDF malware
- http://myonlinesecurity.co.uk/voice-...e-pdf-malware/
26 May 2014 - "Voice Message from < random number> pretending to come from message @ <random email address> is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers...
Today we are seeing a mass run of the common voice message malware theme. 2 different versions of these so far today. Loads of slightly different subjects:
Voice Message from +07720-160332
Voice message transmission report: 2014.05.26_4B10694078
Incoming voice message [2014_05_26_9E57221633]
Incoming Voice Message [+07457706455]
They all come via one of the bots and have an alleged sender of message@any name you can think of .com/co.uk/net etc. Emails look like:
You have a new Voice Message!
Sender: +07457706455
Date: 2014-05-24 13:19:26 UTC
ID: 2014-05-26_0D87942690
26 May 2014: voice_message_2014-05-26_75555857A9.zip Extracts to voice_message_2014-05-26_3C51847781.exe
Current Virus total detections: 2/53* . This “Voice Message from” email is another one of the spoofed icon files that, unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/2...is/1401119086/
- https://www.virustotal.com/en/file/7...1e96/analysis/
:fear: :mad:
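Both the RTLO trick in the PLEAD item (previous post) and the spoofed-icon .scr/.exe attachments in the myonlinesecurity and dynamoo items rely on the recipient never seeing the real file extension. The following is an added example, not code from any of the quoted blogs: it inspects the entry names inside a zip attachment for Unicode bidi override characters, document-then-executable double extensions and plain executable extensions, and reports the extension the OS will actually act on regardless of the icon or the rendered name. The in-memory archive and its entry names are constructed for the demo (Contrat_210514.scr is the name quoted on the page; the others are made up), and the placeholder bytes inside are not malware.

```python
"""Flag attachment names that hide an executable behind a document-looking name."""
import io
import zipfile

# Unicode bidi control characters that change how a filename is rendered.
BIDI_OVERRIDES = {
    "\u202e": "RLO",  # RIGHT-TO-LEFT OVERRIDE, the character behind the RTLO trick
    "\u202d": "LRO",
    "\u202a": "LRE", "\u202b": "RLE",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI",
}
# Extensions Windows will execute even when the file carries a PDF-style icon.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".cpl",
                   ".hta", ".js", ".jse", ".vbs", ".vbe", ".wsf"}
# Extensions a recipient would expect for a harmless document or image.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf", ".txt", ".jpg", ".png"}


def real_extension(name: str) -> str:
    """Extension the OS actually uses: everything after the last dot, lower-cased."""
    base = name.rsplit("/", 1)[-1]
    dot = base.rfind(".")
    return base[dot:].lower() if dot > 0 else ""


def rendered_name(name: str) -> str:
    """Approximate how a bidi-aware display shows a name containing U+202E:
    the text after the override is drawn right-to-left, i.e. reversed."""
    idx = name.find("\u202e")
    if idx < 0:
        return name
    return name[:idx] + name[idx + 1:][::-1]


def inspect_filename(name: str) -> dict:
    """Return the real extension plus a list of findings for one attachment name."""
    findings = []
    overrides = [tag for ch, tag in BIDI_OVERRIDES.items() if ch in name]
    if overrides:
        findings.append("bidi-override:" + ",".join(overrides))
    ext = real_extension(name)
    if ext in EXECUTABLE_EXTS:
        findings.append("executable:" + ext)
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    if len(parts) >= 3 and "." + parts[-2] in DOCUMENT_EXTS and ext in EXECUTABLE_EXTS:
        findings.append("double-extension")
    return {
        "name": name,
        "displayed_name": rendered_name(name),
        "real_extension": ext,
        "suspicious": bool(findings),
        "findings": findings,
    }


def scan_zip(data: bytes) -> list:
    """Inspect every file entry of a zip held in memory."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [inspect_filename(i.filename) for i in zf.infolist() if not i.is_dir()]


def build_sample_zip() -> bytes:
    """Constructed archive for the demo; contents are placeholder bytes, not malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Contrat_210514.scr", b"placeholder")      # name quoted on the page
        zf.writestr("invoice.pdf.exe", b"placeholder")         # constructed: double extension
        zf.writestr("Report\u202efdp.exe", b"placeholder")     # constructed: renders as Reportexe.pdf
        zf.writestr("readme.txt", b"placeholder")              # constructed: benign control
    return buf.getvalue()


if __name__ == "__main__":
    for r in scan_zip(build_sample_zip()):
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{flag:10} shown as {r['displayed_name']!r}, real ext {r['real_extension']!r}, {r['findings']}")
```

The point of reporting `real_extension` separately from `displayed_name` is that the two disagree exactly in the cases these posts describe; a mail gateway or user-facing tool should key its decision on the former. The RLO rendering is an approximation of one display behaviour, good enough to show a reviewer what the victim would have seen.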
-
eBay phish, Mobile ransomware, iPhone hijacks? ...
FYI...
eBay phish ...
- http://myonlinesecurity.co.uk/ebay-phishing/
27 May 2014 - "... Today we started to receive eBay phishing emails that aren’t connected with the password reset that eBay are requesting all users to do, but a more typical -phish- with a message saying an eBay member has left you a message regarding item no #2389452906... always -ignore- the links in these emails and log in to your eBay account manually and check the My Messages link inside eBay. That is the -only- way to be guaranteed that it is the correct site. This one is quite well crafted and until you look very closely at the web address, you could quite easily believe that you are on the genuine eBay site.... Email looks like:
Question about Item #2389452906- Respond Now
eBay sent this message on behalf of an eBay member through My Messages.
Dear member,
eBay member timeautoparts has left you a message regarding item #2389452906
Click here to view the message
Regards,
eBay
Screenshot: http://myonlinesecurity.co.uk/wp-con...hish-email.png
If you follow the links in the email, you end up on a page looking like this:
Screenshot: http://myonlinesecurity.co.uk/wp-con...phish_site.png
... after giving your details you are sent to a confirmation page that looks like this, asking you to confirm your email address and email password. The phishers want 2 bites at the cherry and not only want your eBay account log in details but also your email account log in details so they can use that to spread their spam and malware:
> http://myonlinesecurity.co.uk/wp-con...firm_email.png
... That then bounces you to the genuine eBay site where you don’t realise that you have given your details to a phishing site..."
- http://www.hoax-slayer.com/ebay-pass...ications.shtml
May 27, 2014 - "... the genuine eBay notification does -not- ask you to click a link. Instead, it asks that you go to eBay in your usual way and login to change your password..."
___
Aussie Apple devices, including the iPhone, are being hijacked
- http://www.theage.com.au/digital-lif...527-zrpbj.html
May 27, 2014 - "Owners of Apple devices across Australia are having them digitally held for ransom by hackers demanding payment before they will relinquish control. iPad, iPhone and Mac owners in Queensland, NSW, Western Australia, South Australia and Victoria have reported having their devices held hostage. One iPhone user, a Fairfax Media employee in Sydney, said she was awoken at 4am on Tuesday to a loud "lost phone" message that said "Oleg Pliss" had hacked her phone. She was instructed to send $50 to a PayPal account to have it unlocked... It is likely hackers are using the unusual name as a front to get money from people. A real Oleg Pliss is a software engineer at tech company Oracle. A similar name is listed on LinkedIn as a banking professional in Ukraine, while there are others in Russia. Affected users in Australia have been discussing the issue on Twitter and Apple's own support forum*."
* https://discussions.apple.com/thread...art=0&tstart=0
How to defend against... iCloud attack
> http://blogs.computerworld.com/cyber...-icloud-attack
May 27, 2014 - "... If you have a passcode for your device, then you don't have a problem -- just use the passcode to get into your device again, and change your iCloud password. Find My iPhone can only set its own code if you have not created your own passcode for the device... Some reports claim the following steps may help locked out users regain control of their device..."
(More detail at the computerworld URL above.)
- http://www.f-secure.com/weblog/archives/00002707.html
May 27, 2014
- http://www.databreaches.net/iphone-o...-their-phones/
May 27, 2014
___
Ransomware Moves to Mobile
- http://blog.trendmicro.com/trendlabs...ves-to-mobile/
May 26, 2014 - "Ransomware continues to make waves... it is now targeting mobile devices... cybercrime groups have decided to include mobile users in their intended victims. Our earlier efforts resulted in some of those behind these attacks being arrested, but not all of these cybercriminals are now behind bars – and some have expanded their efforts into mobile malware. This is detected as ANDROIDOS_LOCKER.A ... The malware will monitor the screen activity when a device is active or running. Based on the analysis of its code, it tries to put its UI on top of the screen when the device is unlocked. People will not be able to uninstall the malicious app by traditional uninstall means as one would normally do because the system or even the AV UI is always “covered” by the malware’s UI. It also tries to connect to several URLs that are its command-and-control servers. These are currently inaccessible. However, one URL was found to display pornographic content. The ransomware appears to be capable of sending information to these C&C servers albeit a limited function because it only has few permissions... To -avoid- these threats, we strongly suggest that you -disable- your device’s ability to install apps from sources outside of Google Play and double check the developer of the app you want to download and be very meticulous of the app reviews to verify apps’ legitimacy. This setting can be found under Security in the system settings of Android devices..."
:mad: :fear: