Fake invoice, Voicemail SPAM ...
FYI...
Fake invoice SPAM leads to DOC exploit
- http://blog.dynamoo.com/2013/11/invo...ommercial.html
6 Nov 2013 - "This -fake- invoice email leads to a malicious Word document:
From: Dave Porter [mailto:dave.porter@blueyonder .co .uk]
Sent: 06 November 2013 12:06
To: [redacted]
Subject: Invoice 17731 from Victoria Commercial Ltd
Dear Customer :
Your invoice is attached to the link below:
[donotclick]http ://www.vantageone .co .uk/invoice17731.doc
Please remit payment at your earliest convenience.
Thank you for your business - we appreciate it very much.
Sincerely,
Victoria Commercial Ltd
The email originates from bosmailout13.eigbox .net 66.96.186.13 which belongs to the Endurance International Group in the US. The malicious .DOC file is hosted at [donotclick]www.vantageone .co .uk/invoice17731 .doc which appears to be a -hacked- legitimate web site.
Detection rates have continued to improve throughout the day and currently stand at 10/47*. The vulnerability in use is CVE-2012-0158 / MS12-027. If your Word installation is up-to-date and fully patched then it should block this attack.
A sandbox analysis confirms that it is malicious, in particular it connects to 158.255.2.60 (Mir Telematiki Ltd, Russia) and the following domains:
feed404.dnsquerys .com
feeds.nsupdatedns .com
It is the same attack as described by Blaze's Security Blog** and I would advise you to look at that posting for more details. In the meantime, here is a recommended blocklist:
118.67.250.91
158.255.2.60 ..."
* https://www.virustotal.com/en-gb/fil...is/1383746893/
** http://bartblaze.blogspot.co.uk/2013...-exploits.html
- https://www.virustotal.com/en/ip-add...1/information/
- https://www.virustotal.com/en/ip-add...0/information/
___
Fake voice mail SPAM / VoiceMail.zip
- http://blog.dynamoo.com/2013/11/voic...nown-spam.html
6 Nov 2013 - "This -fake- voice mail spam comes with a malicious attachment:
Date: Wed, 6 Nov 2013 22:22:28 +0800 [09:22:28 EST]
From: Administrator [voice9@ victimdomain]
Subject: Voice Message from Unknown (886-966-4698)
- - -Original Message- - -
From: 886-966-4698
Sent: Wed, 6 Nov 2013 22:22:28 +0800
To: recipients@ victimdomain
Subject: Private Message
The email appears to come from an email address on the victim's own domain and the body text contains a list of recipients within that same domain. Attached to the email is a file VoiceMail.zip which in turn contains a malicious executable VoiceMail.exe with an icon to make it look like an audio file. This malware file has a detection rate of 3/47* at VirusTotal. Automated analysis tools... show an attempted connection to twitterbacklinks .com on 216.151.138.243 (Xeex, US) which is a web host that has been seen before** in this type of attack. Xeex seems to divide up its network into /28 blocks, which would mean that the likely compromised block would be 216.151.138.240/28... domains are consistent with the ones compromised here*** and it is likely that they have all also been compromised."
Recommended blocklist:
69.26.171.176/28
216.151.138.240/28 ..."
(More listed at the dynamoo URL above.)
* https://www.virustotal.com/en-gb/fil...is/1383748084/
** http://blog.dynamoo.com/search/label/Xeex
*** http://blog.dynamoo.com/2013/10/susp...617117628.html
Fake voicemail, Visa, DocuSign, FedEx SPAM ...
FYI...
Fake voicemail SPAM / Voice_Mail.exe
- http://blog.dynamoo.com/2013/11/you-...mail-spam.html
7 Nov 2013 - "This -fake- voice mail spam has a malicious attachment:
Date: Thu, 7 Nov 2013 15:58:15 +0100 [09:58:15 EST]
From: Microsoft Outlook [no-reply@ victimdomain .net]
Subject: You received a voice mail
You received a voice mail : N_58Q-ILM-94XZ.WAV (182 KB)
Caller-Id:
698-333-5643
Message-Id:
80956-84B-12XGU
Email-Id:
[redacted]
This e-mail contains a voice message.
Double click on the link to listen the message.
Sent by Microsoft Exchange Server
Screenshot: https://lh3.ggpht.com/-TcGTepv34NQ/U.../voicemail.png
Attached is a zip file in the format Voice_Mail_recipientname.zip which in turn contains a malicious file Voice_Mail.exe which has an icon to make it look like an audio file. VirusTotal detection for that is 7/47* and automated analysis tools... show an attempted connection to amazingfloorrestoration .com on 202.150.215.66 (NewMedia Express, Singapore). Note that sometimes other sites on these servers have also been compromised, so if you see any odd traffic to this IP then it could well be malicious."
* https://www.virustotal.com/en-gb/fil...is/1383838216/
- https://www.virustotal.com/en/ip-add...6/information/
___
Visa Recent Transactions Report Spam
- http://threattrack.tumblr.com/post/6...ns-report-spam
Nov 7, 2013 - "Subjects Seen:
VISA - Recent Transactions Report
Typical e-mail details:
Dear Visa card holder,
A recent review of your transaction history determined that your card was used in possible fraudulent transactions. For security reasons the requested transactions were refused. Please carefully review electronic report for your VISA card.
For more details please see the attached transaction report.
Dion_Andersen
Data Protection Officer
VISA EUROPE LIMITED
1 Sheldon Square
London W2 6WH
United Kingdom
Malicious File Name and MD5:
payment.exe (A4D868FB8A01CA999F08E5739A5E73DC)
Screenshot: https://gs1.wac.edgecastcdn.net/8019...xPM1r6pupn.png
___
DocuSign - Internal Company Changes Spam
- http://threattrack.tumblr.com/post/6...y-changes-spam
Nov 7, 2013 - "Subjects Seen:
Please DocuSign this document : Company Changes - Internal Only
Typical e-mail details:
Sent on behalf of <email address>.
All parties have completed the envelope ‘Please DocuSign this document: Company Changes - Internal Only..pdf’.
To view or print the document download the attachment. (self-extracting archive, Adobe PDF)
This document contains information confidential and proprietary to <email domain>
Malicious File Name and MD5:
Company Changes - Internal Only.PDF.zip (1B853B2962BB6D5CAA7AB4A64B83EEFF)
Company Changes - Internal Only.PDF.exe (03C3407D732A94B05013BD2633A9E974)
Screenshot: https://gs1.wac.edgecastcdn.net/8019...8NO1r6pupn.png
___
My FedEx Rewards Spam
- http://threattrack.tumblr.com/post/6...x-rewards-spam
Nov 7, 2013 - "Subjects Seen:
Your Rewards Order Has Shipped
Typical e-mail details:
This is to confirm that one or more items in your order has been shipped. Note that multiple items in an order may be shipped separately.
You can review complete details of your order on the Order History page
Thanks for choosing FedEx.
Malicious File Name and MD5:
Order history page.zip (EE074EAACC3D444563239EF0C9F4CE0D)
Order history page.pdf.exe (DF86900EC566E13B2A8B7FD9CFAC5969)
Screenshot: https://gs1.wac.edgecastcdn.net/8019...7MY1r6pupn.png
Malware sites to block, Voicemail SPAM, Styx and Nuclear ...
FYI...
Malware sites to block - (Nuclear EK)
- http://blog.dynamoo.com/2013/11/malw...3-nuclear.html
8 Nov 2013 - "The IPs and domains listed below are currently in use to distribute the Nuclear exploit kit (example*). I strongly recommend blocking them or the 142.4.194.0/30 range in which these reside. Many (but not all) of them are already flagged as being malicious by SURBL and Google. The domains are being used with subdomains, so they don't resolve directly. I have identified -3768- domains in this OVH range... The subdomains can be found in this file [csv**] but as it is almost definitely incomplete it is simpler to use the blocklist below:
142.4.194.0/30 ..."
(More domains listed at the dynamoo URL above.)
* http://urlquery.net/report.php?id=7517029
** http://www.dynamoo.com/files/penziat...e-customer.csv
___
Fake Voicemail SPAM / MSG00049.zip and MSG00090.exe
- http://blog.dynamoo.com/2013/11/voic...49zip-and.html
8 Nov 2013 - "Another day, yet another -fake- voicemail message spam with a malicious attachment:
Date: Fri, 8 Nov 2013 15:15:20 +0000 [10:15:20 EST]
From: Voicemail [user@ victimdomain .com]
Subject: Voicemail Message
IP Office Voicemail redirected message
Attached is a file MSG00049.zip which in turn contains a malicious executable MSG00090.exe. Virus detection on VirusTotal is a so-so 12/47*. Automated analysis... shows an attempted connection to seminyak-italian .com on 198.1.84.99 (Unified Layer / Websitewelcome, US). There are 7 or so legitimate sites on that server, I cannot vouch for them being safe or not".
* https://www.virustotal.com/en-gb/fil...is/1383936341/
- https://www.virustotal.com/en/ip-add...9/information/
___
Shylock/Caphaw Drops Blackhole for Styx and Nuclear
- http://www.threattracksecurity.com/i...x-and-nuclear/
Nov 8, 2013 - "In early October, news of the arrest of “Paunch” and his cohorts in Russia... Because of this, experts in the security industry had noticed the lack of new updates for the BHEK. Our experts in the Labs also concurred a possible dropping of threats involving the BHEK. With this in mind, it’s highly likely for online criminals to look for other alternatives...
> http://www.threattracksecurity.com/i...to-exploit.jpg
... Sutra TDS has been associated with a number of Web threats, such as exploits (BHEK), rogue AV and ransomware among others as part of their infection and/or propagation tactics for years. Even phishers have jumped into the bandwagon... steps you can take in protecting yourself against Styx-based threats:
• Make sure to update all your software in real-time. You might be better off using a patch management software to assist on this. Such programs run in the background and prompt users whenever it detects new updates for software users have installed on systems.
• Keep your antivirus software also up-to-date.
• Block or filter off URLs with patterns that resemble Sutra TDS landing pages. Please ask assistance from someone if you need to."
___
Key Bank Secure Message Spam
- http://threattrack.tumblr.com/post/6...e-message-spam
Nov 8, 2013 - "Subjects Seen:
You have received a secure message
Typical e-mail details:
Read your secure message by opening the attachment, Secure_Message.zip. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it in a Web browser. To access from a mobile device, forward this message to mobile @ res. cisco .com to receive a mobile login URL.
If you have concerns about the validity of this message, please contact the sender directly. For questions about Key’s e-mail encryption service, please contact technical support at 888.764.7941.
First time users - will need to register after opening the attachment.
Malicious File Name and MD5:
Secure_Message.zip (4301BE522A5254DBB5DBCF96023526B9)
Secure_Message.exe (8E0E9C0995B220FA8DFBC8BFFA54759F)
Screenshot: https://gs1.wac.edgecastcdn.net/8019...bVl1r6pupn.png
Typhoon Scams, Adware sites to block ...
FYI...
Typhoon Scams... Email, Telephone, Door to Door
- http://www.threattracksecurity.com/i...one-door-door/
Nov 11, 2013 - "In the wake of Typhoon Haiyan, both law enforcement and members of the public are coming forward to make timely reminders related to donation scams.
1) Police in Huntsville, Ontario have warned of individuals from unverified donation campaigns* going door to door.
Sudden arrivals on your doorstep asking for donations related to any form of disaster should always be viewed with suspicion, and keep in mind that any form of ID can be faked convincingly. If the person is particularly pushy about you handing over money in a short period of time, be extra suspicious...
2) Anxious friends and relatives of those who have gone missing are apparently posting up too much personal information on social networks in their quest to re-establish contact... Avoid posting personal details to sites such as Twitter and Facebook.
3) In the US, cold calling from individuals claiming to be from the Salvation Army asking for Typhoon relief donations has begun. I did a little digging on the phone number listed, and it appears on a Snopes page*** related to Hurricane Sandy FEMA cleanup crews... If you want to donate through Salvation Army, you should visit their donation page** and keep cold calls to your telephone line on the back burner.
4) Scam emails are already in circulation. Expect the majority of these to ride on the coat-tails of efforts by organisations such as The Red Cross. One particularly devious tactic to watch out for is scammers giving you a real, genuine domain as a reply email to send your bank details to but including a fake as a CC address..."
(More detail at the threattracksecurity URL above.)
* http://moosefm.com/cfbg/news/14095-p...l-typhoon-scam
** https://donate.salvationarmyusa.org/TyphoonHaiyan
*** http://www.snopes.com/fraud/employment/femasandy.asp
___
- https://www.us-cert.gov/ncas/current...-Antivirus-and
Nov 12, 2013
___
Adware sites to block / "Consumer Benefit Ltd" ...
- http://blog.dynamoo.com/2013/11/cons...-sites-to.html
11 Nov 2013 - "A couple of network blocks came to my attention after investigating some adware ntlanmbn.exe (VirusTotal report*) and GFilterSvc.exe (report**) both in C:\WINDOWS\SYSTEM32. The blocks are 212.19.36.192/27 and 82.98.97.192/28 ... Many of the domains currently or recently hosted in these IP ranges are clearly deceptive in nature... the following domains and IPs are all part of these "Consumer Benefit Ltd" ranges and appear to be adware-related and have unclear ownership details. If you block adware sites on your network then I would recommend using the following blocklist:
212.19.36.192/27
82.98.97.192/28 ..."
(More detail and URLs listed at the dynamoo URL above.)
* https://www.virustotal.com/en-gb/fil...is/1384162704/
** https://www.virustotal.com/en-gb/fil...is/1384162774/
___
Fake Confidential Message SPAM / To All Employees 2013.zip.exe
- http://blog.dynamoo.com/2013/11/to-a...l-message.html
11 Nov 2013 - "This -fake- "all employees" email comes with a malicious attachment:
Date: Mon, 11 Nov 2013 11:28:29 +0000 [06:28:29 EST]
From: DocuSign Service [dse@ docusign .net]
Subject: To all Employees - Confidential Message
Your document has been completed
Sent on behalf of administrator@victimdomain.
All parties have completed the envelope 'Please DocuSign this document:
To All Employees 2013.doc'.
To view or print the document download the attachment .
(self-extracting archive, Adobe PDF) This document contains information confidential and proprietary to spamcop .net
DocuSign. The fastest way to get a signature. If you have questions regarding this notification or any enclosed documents requiring your signature, please contact the sender directly...
The attachment to the email is called To All Employees 2013.zip which contains To All Employees 2013.zip.exe which has an icon that makes it look like a PDF file. This malicious file has a VirusTotal detection rate of 7/47*. Automated analysis... shows a callback to trc-sd .com on 121.127.248.74 (Sun Network, Hong Kong). This IP address hosts several legitimate sites, so bear that in mind if you block the IP."
* https://www.virustotal.com/en-gb/fil...is/1384175853/
- https://www.virustotal.com/en-gb/ip-...4/information/
___
Fake Paypal SPAM / Identity_Form_04182013.zip
- http://blog.dynamoo.com/2013/11/iden...-587-spam.html
11 Nov 2013 - "For some reason EXE-in-ZIP attacks are all the rage at the moment, here is a -fake- spam pretending to be from PayPal with a malicious attachment:
Date: Mon, 11 Nov 2013 19:14:10 +0330 [10:44:10 EST]
From: Payroll Reports [payroll@ quickbooks .com]
Subject: Identity Issue #PP-716-097-521-587
We are writing you this email in regards to your PayPal account. In accordance with our
"Terms and Conditions", article 3.2., we would like to kindly ask you to confirm your
identity by completing the attached form. Please print this form and fill in the
requested information. Once you have filled out all the information on the form please
send it to verification@ paypal .com along with a personal identification document
(identity card, driving license or international passport) and a proof of address
submitted with our system ( bank account statement or utility bill )
Your case ID for this reason is PP-D503YC19DXP3
For your protection, we might limit your account access. We apologize for any
inconvenience this may cause.
Thanks, PayPal...
Attached is a file Identity_Form_04182013.zip which in turn contains Identity_Form_04182013.exe which as you might guess is malicious. VirusTotal detections are 16/47*, and automated analysis... shows an attempted connection to trc-sd .com which is the same domain seen in this attack**."
* https://www.virustotal.com/en-gb/fil...is/1384185446/
** http://blog.dynamoo.com/2013/11/to-a...l-message.html
___
American Express Suspicious Activity Report Spam
- http://threattrack.tumblr.com/post/6...ty-report-spam
Nov 11, 2013 - "Subjects Seen:
Recent Activity Report - Incident #6U7X67B05H6NGET
Typical e-mail details:
As part of our security measures, we deliver appropriate monitoring of transactions and customers to identify potentially unusual or suspicious activity and transactions in the American Express online system.
Please review the “Suspicious Activity Report” document attached to this email.
Your Cardmember information is included in the upper-right corner of this document to help you recognize this as a customer service e-mail from American Express. To learn more about e-mail security or report a suspicious e-mail, please visit us at americanexpress .com/phishing
Thank you for your Cardmembership.
Sincerely,
Lindsey_Oneal
Tier III Support
American Express Account Security
Fraud Prevention and Detection Network
Malicious File Name and MD5:
Incident#<random>.zip(14F92A367A01C5AD8F0C4A7062000FE6)
Incident#.exe (77F23BC4F0ECB244FAA61163B07EAEC7)
Screenshot: https://gs1.wac.edgecastcdn.net/8019...fCm1r6pupn.png
Tagged:
American Express: http://threattrack.tumblr.com/tagged/American-Express
Upatre: http://threattrack.tumblr.com/tagged/Upatre
Fake HMRC, Outlook SPAM, Dynamic DNS sites you might want to block ...
FYI...
Dynamic DNS sites you might want to block ...
- http://blog.dynamoo.com/2013/11/dyna...t-want-to.html
12 Nov 2013 - "These domains are used for dynamic DNS and are operated by a company called Dyn who offer a legitimate service, but unfortunately it is -abused- by malware writers. If you are the sort of organisation that blocks dynamic DNS IPs then I recommend that you consider blocking the following... listed in yellow have been identified as having some malware by Google, ones listed in red are blocked by Google. Ones listed in italics are flagged as malicious by SURBL*. The links go to the Google diagnostic page."
(Long list at the dynamoo URL above.)
* http://www.surbl.org/lists
___
Fake HMRC SPAM - HMRC_Message.zip and qualitysolicitors .com
- http://blog.dynamoo.com/2013/11/you-...ages-from.html
12 Nov 2013 - "This fake HMRC spam comes with a malicious attachment. Because the spammers have copied-and-pasted the footer from somewhere random it also effectively joe jobs an innocent site called qualitysolicitors .com:
Date: Tue, 12 Nov 2013 05:29:28 -0500 [05:29:28 EST]
From: "noreply@hmrc .gov .uk" [noreply@hmrc .gov .uk]
Subject: You have received new messages from HMRC
Please be advised that one or more Tax Notices (P6, P6B) have been issued.
For the latest information on your Tax Notices (P6, P6B) please open attached report.
Please do not reply to this e-mail.
1.This e-mail and any files or documents transmitted with it are confidential and
intended solely for the use of the intended recipient. Unauthorised use, disclosure or
copying is strictly prohibited and may be unlawful. If you have received this e-mail in
error, please notify the sender at the above address and then delete the e-mail from your
system.
2. If you suspect that this e-mail may have been intercepted or amended, please
notify the sender. 3. Any opinions expressed in this e-mail are those of the individual
sender and not necessarily those of QualitySolicitors Punch Robson. 4. Please note that
this e-mail and any attachments have been created in the knowledge that internet e-mail
is not a 100% secure communications medium. It is your responsibility to ensure that they
are actually virus free. No responsibility is accepted by QualitySolicitors Punch Robson
for any loss or damage arising from the receipt of this e-mail or its contents.
QualitySolicitors Punch Robson: Main office 35 Albert Road Middlesbrough TS1 1NU
Telephone 01642 230700. Offices also at 34 Myton Road, Ingleby Barwick, Stockton On Tees,
TS17 0WG Telephone 01642 754050 and Unit E, Parkway Centre, Coulby Newham, Middlesbrough
TS8 0TJ Telephone 01642 233980 VAT no. 499 1588 77. Authorised and regulated by the
Solicitors Regulation Authority (57864). A full list of Partners names is available from
any of our offices...
... there's a ZIP file called HMRC_Message.zip which in turn contains a malicious executable HMRC_Message.exe which has a VirusTotal detection rate of 12/47*. Automated analysis tools... show that it attempts to communicate with alibra .co .uk on 78.137.113.21 (UKfastnet Ltd, UK) and then it attempts to download additional components from:
[donotclick]synchawards .com/a1.exe
[donotclick]itcbadnera .org/images/dot.exe
a1.exe has a detection rate of 16/47**, and Malwr reports further HTTP connections to:
[donotclick]59.106.185.23 /forum/viewtopic.php
[donotclick]new.data.valinformatique .net/5GmVjT.exe
[donotclick]hargobindtravels .com/38emc.exe
[donotclick]bonway-onza .com/d9c9.exe
[donotclick]friseur-freisinger .at/t5krH.exe
dot.exe has a much lower detection rate of 6/47***... various types of activity including keylogging and credential harvesting. There are also many, many HTTP connections to various hosts, I suspect this is attempting to mask the actual C&C servers it is connecting to.
a1.exe downloads several more files, all of which appear to be the same. The VirusTotal detection rate for these is 5/47***, Malwr reports several attempted IP connections that look a bit like peer-to-peer Zeus."
Recommended blocklist:
59.106.185.23 ..."
(More URLS listed at the dynamoo URL above.)
* https://www.virustotal.com/en-gb/fil...is/1384264864/
** https://www.virustotal.com/en-gb/fil...is/1384265605/
*** https://www.virustotal.com/en-gb/fil...is/1384266070/
___
Fake "Outlook Settings" SPAM - Outlook.zip
- http://blog.dynamoo.com/2013/11/impo...ings-spam.html
12 Nov 2013 - "This spam email has a malicious attachment:
Date: Tue, 12 Nov 2013 16:22:38 +0100 [10:22:38 EST]
From: Undisclosed Recipients
Subject: Important - New Outlook Settings
Please carefully read the attached instructions before updating settings.
This file either contains encrypted master password, used to encrypt other files. Key archival has been implemented, in order to decrypt the file please use the following password: PaSdIaoQ
This e-mail and / or any attachment(s) is intended solely for the above-mentioned recipient(s) and it may contain confidential or privileged information. If you have received it in error, please notify us immediately at helpdesk@victimdomain and delete the e-mail. You must not copy it, distribute it, disclose it or take any action in reliance on it.
The body text of the spam contains a faked email address made to look like helpdesk@ the victim's domain. Attached to the email is a password-protected ZIP file Outlook.zip that has to be decoded with the PaSdIaoQ key in the body text of the email (hopefully intelligent people will realise that you wouldn't send the password with the encrypted attachment.. you'd have to be really daft to do that). Unzipping the file gives a malicious executable Outlook.exe which has an icon designed to look like Microsoft Outlook.
Screenshot: https://lh3.ggpht.com/-uZyweXA5n_g/U...tlook-icon.png
The detection rate at VirusTotal is 5/45*. Automated analysis tools... show an attempted connection to dchamt .com on 216.157.85.173 (Peer 1 Dedicated Hosting, US). That IP address contains about 70 websites which may or may not be clean."
* https://www.virustotal.com/en-gb/fil...is/1384270918/
- https://www.virustotal.com/en-gb/ip-...3/information/
- http://threattrack.tumblr.com/post/6...-settings-spam
Nov 12, 2013 - "Subjects Seen:
Important - New Outlook Settings
Typical e-mail details:
Please carefully read the attached instructions before updating settings.
This file either contains encrypted master password, used to encrypt other files. Key archival has been implemented, in order to decrypt the file please use the following password: PaSdIaoQ
This e-mail and / or any attachment(s) is intended solely for the above-mentioned recipient(s) and it may contain confidential or privileged information. If you have received it in error, please notify us immediately at <sender e-mail address> and delete the e-mail. You must not copy it, distribute it, disclose it or take any action in reliance on it.
Malicious File Name and MD5:
Outlook.zip (4D0A70E1DD207785CB7067189D175679)
Outlook.exe (C8D22FA0EAA491235FA578857CE443DC)
Screenshot: https://gs1.wac.edgecastcdn.net/8019...TYV1r6pupn.png
___
Fake Tax/Accountant SPAM / tax 2012-2013.exe
- http://blog.dynamoo.com/2013/11/2012...countants.html
12 Nov 2013 - "This -fake- tax spam comes with a malicious attachment:
Date: Wed, 13 Nov 2013 00:44:46 +0800 [11:44:46 EST]
From: "support@ salesforce .com" [support@ salesforce .com]
Subject: FW: 2012 and 2013 Tax Documents; Accountant's Letter
I forward this file to you for review. Please open and view it.
Attached are Individual Income Tax Returns and W-2s for 2012 and 2013, plus an accountant's letter.
This email message may include single or multiple file attachments of varying types.
It has been MIME encoded for Internet e-mail transmission.
Attached to the file is a ZIP file called dlf2365.zip which contains a malicious executable file tax 2012-2013.exe which has an icon to make it look like a PDF file.
> https://lh3.ggpht.com/-4dRp1ML5c40/U...0/tax-icon.png
VirusTotal detection rates are 17/47*. Automated analysis tools... show an attempted connection to nishantmultistate .com on 216.157.85.173 (Peer 1, US). This is the same server as used in this attack**, and you can safely assume that the whole server is compromised. Blocking this IP is probably a good idea."
* https://www.virustotal.com/en-gb/fil...is/1384287261/
** http://blog.dynamoo.com/2013/11/impo...ings-spam.html
___
Department of Treasury Outstanding Obligation Spam
- http://threattrack.tumblr.com/post/6...bligation-spam
Nov 12, 2013 - "Subjects Seen:
Department of Treasury Notice of Outstanding Obligation - Case <random>
Typical e-mail details:
We have received notification from the Department of the Treasury,
Financial Management Service (FMS) that you have an outstanding
obligation with the Federal Government that requires your immediate
attention.
In order to ensure this condition does not affect any planned
contract or grant activity, please review and sign the attached document and if
you are unable to understand the attached document please call FMS at 1-800-304-3107
to address this issue. Please make sure the person making the telephone call has the
Taxpayer Identification Number available AND has the authority/knowledge
to discuss the debt for the contractor/grantee.
Malicious File Name and MD5:
FMS-Case-<random>.zip (55D31D613A6A5A57C07D496976129068)
FMS-Case-{_Case_DIG}.zip.exe (B807F603C69AEA97E900E59EC99315B5)
Screenshot: https://gs1.wac.edgecastcdn.net/8019...Mit1r6pupn.png
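The blocklists quoted in these posts mix single IPs, CIDR ranges (the Xeex /28 reasoning, the Nuclear EK /30) and base domains that must also catch every subdomain (the Nuclear EK subdomains, the Dyn dynamic DNS domains). The script below is an added example, not code from dynamoo or from the forum poster: it parses such a list, computes the enclosing /28 for a single bad IP the way the Xeex post does (assumption: the host really does allocate in /28s), and applies the list to a constructed proxy-log format. The blocklist entries are the ones quoted above; the log lines and the `<date> <time> <client> <host> <resolved ip>` layout are constructed for the demo.

```python
"""Apply a dynamoo-style blocklist (IPs, CIDR ranges, domains) to proxy/DNS logs.

Added example, not part of the quoted posts. Blocklist entries are the ones
quoted in the posts above; the log lines are constructed for the demo.
"""
import ipaddress
import re

BLOCKLIST = """
# IPs and ranges quoted in the posts above
158.255.2.60
118.67.250.91
69.26.171.176/28
216.151.138.240/28
142.4.194.0/30
59.106.185.23
# base domains: a match covers every subdomain, which is what the
# Nuclear EK subdomains and the Dyn dynamic DNS base domains need
dnsquerys.com
nsupdatedns.com
"""


def parse_blocklist(text: str):
    """Split a list into IP networks (bare IPs become /32) and lower-cased domains."""
    nets, domains = [], set()
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            domains.add(entry.lower().rstrip("."))
    return nets, domains


def enclosing_block(ip: str, prefix: int = 28) -> ipaddress.IPv4Network:
    """The /28 reasoning from the Xeex post: one bad IP on a host that carves its
    space into /28s implicates the whole /28 (assumption: the host really does)."""
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)


def ip_match(ip: str, nets):
    """Return the first blocklisted network containing ip, or None (also for non-IPs)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    return next((n for n in nets if addr in n), None)


def domain_match(host: str, domains) -> bool:
    """Suffix match on label boundaries: feed404.dnsquerys.com hits dnsquerys.com,
    notdnsquerys.com does not."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))


# Constructed proxy-log format: "<date> <time> <client> <requested host> <resolved ip>"
LOG_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+)$")


def scan_log(lines, nets, domains):
    """Return (client, indicator, reason) for every line that hits the blocklist."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        _ts, client, host, dst = m.groups()
        net = ip_match(dst, nets)
        if net is not None:
            hits.append((client, dst, f"ip in {net}"))
        elif domain_match(host, domains):
            hits.append((client, host, "domain blocklisted"))
    return hits


SAMPLE_LOG = [  # constructed for the demo; "-" means the lookup did not resolve
    "2013-11-06 12:07:01 10.0.0.15 feed404.dnsquerys.com 158.255.2.60",
    "2013-11-06 12:08:44 10.0.0.22 twitterbacklinks.com 216.151.138.243",
    "2013-11-06 12:09:10 10.0.0.9 www.example.com 93.184.216.34",
    "2013-11-06 12:11:37 10.0.0.31 feeds.nsupdatedns.com -",
    "2013-11-06 12:12:02 10.0.0.40 notdnsquerys.com 203.0.113.7",
]

if __name__ == "__main__":
    nets, domains = parse_blocklist(BLOCKLIST)
    print("216.151.138.243 ->", enclosing_block("216.151.138.243"))
    for hit in scan_log(SAMPLE_LOG, nets, domains):
        print(*hit)
```

The domain check matches on label boundaries rather than with a plain `endswith`, so a lookalike registered to slip past a suffix filter is not caught by accident and a legitimate domain that merely ends in the same string is not blocked. Resolved IPs are tested before the host name because a blocklisted server reached through a domain that is not on the list (as with twitterbacklinks .com on 216.151.138.243) is still a hit.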
Fake PayPal, CareerBuilder, Facebook SPAM ...
FYI...
Fake PayPal "Identity Issue" SPAM / Identity_Form_04182013.zip
- http://blog.dynamoo.com/2013/11/this...uickbooks.html
13 Nov 2013 - "This -fake- PayPal (or is it Quickbooks?) spam has a malicious attachment:
Date: Wed, 13 Nov 2013 02:27:39 -0800 [05:27:39 EST]
From: Payroll Reports [payroll@ quickbooks .com]
Subject: Identity Issue #PP-679-223-724-838
We are writing you this email in regards to your PayPal account. In accordance with our
"Terms and Conditions", article 3.2., we would like to kindly ask you to confirm your
identity by completing the attached form. Please print this form and fill in the
requested information. Once you have filled out all the information on the form please
send it to verification@ paypal .com along with a personal identification document
(identity card, driving license or international passport) and a proof of address
submitted with our system ( bank account statement or utility bill )
Your case ID for this reason is PP-TEBY66KNZPMU
For your protection, we might limit your account access. We apologize for any
inconvenience this may cause.
Thanks,
PayPal ...
Attached is a file Identity_Form_04182013.zip which in turn contains Identity_Form_04182013.exe which has an icon to make it look like a PDF file.
> https://lh3.ggpht.com/-sx8_WjDsH10/U...ntity-form.png
The detection rate for this at VirusTotal is 9/47*, automated analysis tools... shows an attempted connection to signsaheadgalway .com on 78.137.113.21 (UKfastnet Ltd, UK) which is the same server used in this attack**, so you can safely assume that the whole server is compromised and I recommend that you block that particular IP."
* https://www.virustotal.com/en-gb/fil...is/1384340556/
** http://blog.dynamoo.com/2013/11/you-...ages-from.html
___
CareerBuilder Notification Spam
- http://threattrack.tumblr.com/post/6...ification-spam
Nov 13, 2013 - "Subjects Seen:
CareerBuilder Notification
Typical e-mail details:
Hello,
I am a customer service employee at CareerBuilder. I found a vacant position that you may be interested in based on information from your resume or a recent online submission you made on our site.
You can review the position on the CareerBuilder by downloading the attached PDF file.
Attached file is scanned in PDF format.
Adobe(R)Reader(R) can be downloaded from the following URL: adobe.com
Best wishes in your job search !
Savannah_Moyer
Careerbuilder Customer Service Team
Malicious File Name and MD5:
CB_Offer_<random>.zip (B61D44F18092458F7B545A16D2FF77D6)
CB_Offer_<random>.exe (40AB8B0050E496FB00F499212B600DDB)
Screenshot: https://gs1.wac.edgecastcdn.net/8019...QrQ1r6pupn.png
Tagged:
CareerBuilder: http://threattrack.tumblr.com/tagged/CareerBuilder
Upatre: http://threattrack.tumblr.com/tagged/Upatre
___
Facebook Password Request Spam
- http://threattrack.tumblr.com/post/6...d-request-spam
Nov 13, 2013 - "Subjects Seen:
You requested a new Facebook password!
Typical e-mail details:
Hello,
You have received a secure message. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.
Read your secure message by opening the attachment, Facebook-SecureMessage.zip.
Malicious File Name and MD5:
Facebook-SecureMessage.zip (FE3AB674A321959B3EA83CF54666A763)
Transaction_{_tracking}.exe (95191C75EF4A87CBFA46C0818009312E)
Screenshot: https://gs1.wac.edgecastcdn.net/8019...vP31r6pupn.png
Tagged:
Facebook: http://threattrack.tumblr.com/tagged/Facebook
Upatre: http://threattrack.tumblr.com/tagged/Upatre
___
EXE-in-ZIP SPAM storm continues
- http://blog.dynamoo.com/2013/11/the-...continues.html
13 Nov 2013 - "Two more EXE-in-ZIP spams.. the first is a terse one with a subject "Voice Message from Unknown Caller" or "Voicemail Message from unknown number" not much else with a malicious EXE-in-ZIP (VoiceMessage.zip) attachment with VirusTotal score of 7/46* which calls home... to amandas-designs .com on 80.179.141.8 (012 Smile Communications Ltd., Israel)
The second one is a -fake- Wells Fargo spam similar to this:
We have received this documents from your bank, please review attached documents.
Lela Orozco
Wells Fargo Advisors
817-232-5887 office
817-067-3871 cell Lela.Orozco@ wellsfargo .com
Investments in securities and insurance products are:
NOT FDIC-INSURED/NO BANK-GUARANTEES/MAY LOSE VALUE
Wells Fargo Advisors, LLC is a nonbank affiliate of Wells Fargo & Company, Member
FINRA/SIPC. 1 North Jefferson, St. Louis, MO 63103 ...
In this case the EXE-in-ZIP attachment (BankDocs.zip) has a VirusTotal detection rate of 14/47** and calls home... to kidgrandy .com on 184.154.15.190 (Singlehop, US). Given the massive onslaught of EXE-in-ZIP spam, I would strongly recommend blocking ZIP files with executables in them at the perimeter."
* https://www.virustotal.com/en-gb/fil...is/1384377409/
** https://www.virustotal.com/en-gb/fil...is/1384377605/
- https://www.virustotal.com/en/ip-add...8/information/
- https://www.virustotal.com/en/ip-add...0/information/
:mad: :fear:
Google Drive phish, Caphaw malware attack...
FYI...
Google Drive phish...
- http://www.threattracksecurity.com/i...uri-technique/
Nov 14, 2013 - "... interesting mail which arrived in my inbox earlier today. It came from a Gmail address tied to a Google+ account which appears to be Chinese in origin, and had me BCC’d in.
> http://www.threattracksecurity.com/i...cheedrive1.jpg
The email is called “Document”... This might look convincing to the unwary, but a simple hover over the link reveals that this isn’t going to take you to Google Drive:
bashoomal(dot)com/redirect.html
The end-user will be presented with a -fake- Google Drive login page which asks them to fill in their email address / password.
> http://www.threattracksecurity.com/i...cheedrive2.jpg
As you can see from the URL bar, this is another -phish- that tries to take advantage of the Data URI scheme... The Google account sending the mails appears to have been around since 2007, and also has a Youtube account – it seems likely that it has been compromised, and is being used to further the spread of malicious links..."
- https://isc.sans.edu/diary.html?storyid=17018
2013-11-13
___
Malware sites to block - (Caphaw)
- http://blog.dynamoo.com/2013/11/malw...13-caphaw.html
14 Nov 2013 - "These domains and IPs appear to be involved in a Caphaw malware attack, such as this one*. All the IPs involved belong to Hetzner in Germany, and although some also host legitimate sites I would strongly recommend blocking them.
Recommended blocklist:
141.8.225.5
46.4.47.20
46.4.47.22
88.198.57.178 ..."
(More listed at the dynamoo URL above.)
* http://urlquery.net/report.php?id=7696954
- http://www.virusradar.com/en/Win32_Caphaw.K/description
:mad: :fear:
Fake BoA fax, Malware sites to block - (Caphaw)
FYI...
More Malware sites to block - (Caphaw)
- http://blog.dynamoo.com/2013/11/malw...13-caphaw.html
15 Nov 2013 - "Thanks to a tip to investigate 199.68.199.178 I discovered that the Caphaw network I looked at yesterday* is much bigger than I thought. The following IPs and domains can all be regarded as malicious (.SU domains are normally a dead giveaway for evil activity). The recommended blocklist is at the end of the post (highlighted). These are the hosts involved either now or recently with hosting these Caphaw domains..."
(Long list at the dynamoo URL above.)
* http://blog.dynamoo.com/2013/11/malw...13-caphaw.html
- https://www.virustotal.com/en/ip-add...8/information/
- http://www.virusradar.com/en/Win32_Caphaw/detail
___
Fake BoA fax message SPAM / 442074293440-1116-084755-242.zip
- http://blog.dynamoo.com/2013/11/ring...x-message.html
15 Nov 2013 - "This -fake- fax message email has a malicious attachment:
Date: Fri, 15 Nov 2013 12:05:36 -0500 [12:05:36 EST]
From: RingCentral [notify-us@ ringcentral .com]
Subject: New Fax Message on 11/15/2013 at 09:51:51 CST
You Have a New Fax Message
From
Bank of America
Received: 11/15/2013 at 09:51:51 CST
Pages: 5
To view this message, please open the attachment.
Thank you for using Ring Central .
Screenshot: https://lh3.ggpht.com/-bw4CETLVd5I/U...ingcentral.png
There is an attachment 442074293440-1116-084755-242.zip which unzips into a malicious executable 442074293440-1116-084755-242.exe which has a VirusTotal detection rate of 11/47*. Automated analysis tools... show an attempted connection to aspenhonda .com on 199.167.40.33 (FAM Info Systems / ServInt, US). The domain in question has been -hacked-; it is not possible to tell if the entire server is compromised, but there are other legitimate sites on that box."
* https://www.virustotal.com/en-gb/fil...is/1384537461/
- https://www.virustotal.com/en/ip-add...3/information/
___
Citigroup Secure Message Spam
- http://threattrack.tumblr.com/post/6...e-message-spam
Nov 15, 2013 - "Subjects Seen:
You have a new encrypted message from Citigroup Inc.
Typical e-mail details:
You have received a secure e-mail message from Citigroup Inc..
We care about your privacy, Citigroup Inc. uses this secure way to exchange e-mails containing personal information.
Read your secure message by opening the attachment. You will be prompted to save (download) it to your computer.
If you have concerns about the validity of this message, please contact the sender directly.
First time users - will need to register after opening the attachment.
Malicious File Name and MD5:
SecureMessage.zip (969AEFFE28BC771C8453BF849450BC6A)
SecureMessage.exe (C2CD447FD9B19B7F062A5A8CF6299600)
Screenshot: https://gs1.wac.edgecastcdn.net/8019...gMb1r6pupn.png
Tagged: CitiGroup, Upatre
___
Threat Outbreak Alerts
- http://tools.cisco.com/security/cent...utbreak.x?i=77
Fake Authorization Form Email Messages - 2013 Nov 15
Fake Product Purchase Order Email Messages - 2013 Nov 15
Fake Payment Receipt Email Messages - 2013 Nov 15
Malicious Personal Pictures Attachment Email Messages - 2013 Nov 15
Fake Bank Payment Notification Email Messages - 2013 Nov 15
Fake Product Order Email Messages - 2013 Nov 15
Fake Meeting Invitation Email Messages - 2013 Nov 15
Fake Payroll Invoice Notification Email Messages - 2013 Nov 15
Fake Product Quote Request Email Messages - 2013 Nov 15
Fake Shipping Order Information Email Messages - 2013 Nov 15
Fake Shipping Notification Email Messages - 2013 Nov 15
Fake Product Inquiry Email Messages - 2013 Nov 15
Fake Payment Receipt Email Messages - 2013 Nov 15
Fake Tax Document Email Messages - 2013 Nov 15
Fake Travel Information Email Messages - 2013 Nov 15
Email Messages with Malicious Attachments - 2013 Nov 15
(More detail and links at the cisco URL above.)
:mad: :fear:
Phone SCAM, Freenters breach, Survey Scams, Silverlight exploit ...
FYI...
Phone SCAM - (08445715179)
- http://blog.dynamoo.com/2013/11/0844...445715179.html
18 Nov 2013 - "This is a particularly insidious scam that relies on mobile phone users in the UK not knowing that an 0844 number is much, much more expensive than a normal phone call. The scam SMS goes something like this:
ATTENTION! We have tried to contact you, It is important we speak to you today. Please call 08445715179 quoting your reference 121190. Thank You.
In this case the sender's number was +447453215347 (owned by Virgin Media Wholesale Ltd, but operated by a third party). The catch is that the calls to an 0844 number can cost up to 40p per minute (see more details here*), a large chunk of which goes into the operator's pockets. So what happens when you ring back? You get put on hold.. and left on hold until you have racked up a significant bill. Sadly, I don't know who is behind this scam, and in this case it was -illegally- sent to a TPS-registered number**. If you get one of these, you should forward the spam and the sender's number to your carrier. In the case of T-Mobile, O2 and Orange the number to report to is 7726 ("SPAM"). Vodafone customers should use 87726 ("VSPAM") and Three customers should use 37726 ("3SPAM"). Hopefully the carriers will act if there are enough complaints. You should also send a complaint to the ICO*** who may be able to take more serious action against these spammers."
* http://www.moneysavingexpert.com/new...ium-rate-calls
** http://www.tpsonline.org.uk/tps/number_type.html
*** http://www.ico.org.uk/complaints/marketing/2
___
Freenters Hit By Breach, Student Data Leaked
- http://www.threattracksecurity.com/i...-student-data/
Nov 18, 2013 - "If you’re a student who signed up to the Freenters free printing service, you may want to go and ensure your logins are safe and sound, as it appears they were compromised pretty badly.
> http://www.threattracksecurity.com/i...printpwn11.jpg
... Affected students were sent two separate emails which added to the confusion, with one stating “Passwords were secure” with a follow up advising them “we highly recommend you change your password for other accounts”... This might be a perfect time to ensure you’re not sharing passwords across sites and services, and think about using a password manager..."
___
PlayStation 4 and Xbox One Survey Scams ...
- http://blog.trendmicro.com/trendlabs...scams-spotted/
Nov 18, 2013 - "... We found a Facebook page that advertised a PS4 raffle. Users were supposed to visit the advertised site, as seen below:
> http://blog.trendmicro.com/trendlabs...3/11/ps4-1.jpg
The site urges users to “like” or “follow” the page, and then share it on social media sites. This could be a way for scammers to gain a wider audience or appear more reputable.
> http://blog.trendmicro.com/trendlabs...3/11/ps4-2.jpg
Afterwards, users are required to enter their name and email address. Instead of a raffle, they are led to a survey scam:
> http://blog.trendmicro.com/trendlabs...3/11/ps4-3.jpg
... Scams are also using the Xbox One as bait. However, the site in this case is currently inaccessible. Since the Xbox One has yet to be released, scammers could be waiting for the official launch before making the site live.
> http://blog.trendmicro.com/trendlabs...3/11/xbox1.jpg
The scams were not limited to Facebook. We spotted a site that advertised an Xbox One giveaway. Like the PS4 scam, users are encouraged to promote the giveaway through social media. Once they click the “proceed” button, they are led to a site that contains a text file they need for the raffle. But like other scams, this simply leads to a survey site.
> http://blog.trendmicro.com/trendlabs...3/11/xbox2.jpg
... Product launches have become a tried-and-tested social engineering bait. Earlier in the year, we saw scams that used Google Glass as a way to trick users. Early last year, the launch of the iPad 3 became the subject of many scams and spam. Users should always be cautious when it comes to online raffles and giveaways, especially from unknown or unfamiliar websites. If the deal seems too good to be true, it probably is..."
___
Netflix on your PC - Beware of Silverlight exploit
- http://blog.malwarebytes.org/exploit...light-exploit/
Nov 15, 2013 - "A vulnerability affecting Microsoft Silverlight 5 is being used in the wild to infect PCs that visit compromised or malicious websites... The flaw, which exists in versions prior to 5.1.20125.0, allows attackers to execute arbitrary code on the affected systems without any user interaction. Microsoft patched the flaw (CVE-2013-0074*) on March 12, 2013. The Silverlight exploit was first spotted in the Angler exploit kit by @EKWatcher and later documented by Kafeine. The screenshot below summarizes the attack:
> http://cdn.blog.malwarebytes.org/wp-...-11-13_016.png
... those that already have an older version of Silverlight can still watch Netflix and may not be aware that their computers are at risk. Please ensure that you are running the latest version available (5.1.20913.0) and that it is set to install updates automatically:
> http://cdn.blog.malwarebytes.org/wp-...ilverlight.png "
* http://technet.microsoft.com/en-us/s...letin/ms13-022
___
IRS Tax Payment Rejection Spam
- http://threattrack.tumblr.com/post/6...rejection-spam
Nov 18, 2013 - "Subjects Seen:
Your FED TAX payment ( ID : 6LHIRS930292818 ) was Rejected
Typical e-mail details:
*** PLEASE DO NOT RESPOND TO THIS EMAIL ***
Your federal Tax payment (ID: 6LHIRS930292818), recently sent from your checking account was returned by the your financial institution.
For more information, please download notification, using your security PIN 55178.
Transaction Number: 6LHIRS930292818
Payment Amount: $ 2373.00
Transaction status: Rejected
ACH Trace Number: 268976180630733
Transaction Type: ACH Debit Payment-DDA
Malicious File Name and MD5:
FED TAX payment.zip (661649A0CA9F13B06056B53B9BC3CBA7)
FED TAX payment.exe (157BBC283245BBE5AB2947C446857FC9)
Screenshot: https://gs1.wac.edgecastcdn.net/8019...bhC1r6pupn.png
Tagged: IRS, Upatre
:mad: :fear:
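The Silverlight item above gives two version numbers: builds before 5.1.20125.0 are exploitable and 5.1.20913.0 is current. An inventory check that compares such strings lexically gets this wrong (as strings, "5.1.9" sorts after "5.1.20125.0"), so the comparison has to be numeric, component by component. This is an added example, not code from the Malwarebytes post; the inventory rows, hostnames and the "5.1.9" build are constructed to show the pitfall, and only the two version numbers come from the post.

```python
"""Numeric dotted-version comparison for a patch-audit of Silverlight installs.
Added example; the inventory below is constructed."""

FIXED_IN = "5.1.20125.0"  # first build without CVE-2013-0074, per the post above
LATEST = "5.1.20913.0"    # current build named in the post above


def parse_version(text: str) -> tuple:
    """'5.1.20125.0' -> (5, 1, 20125, 0); trailing non-digits are dropped."""
    parts = []
    for piece in text.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_vulnerable(installed: str) -> bool:
    """True if the installed build predates the fixed build.
    Tuples of unequal length compare correctly: (5, 1, 9) < (5, 1, 20125, 0)."""
    return parse_version(installed) < parse_version(FIXED_IN)


def is_vulnerable_string_compare(installed: str) -> bool:
    """The WRONG way, kept only to show the pitfall the test asserts on."""
    return installed < FIXED_IN


def audit(inventory: list) -> list:
    """Return [(host, version)] for every host that still needs the update.
    A None version means Silverlight is not installed and is skipped."""
    return [(host, ver) for host, ver in inventory
            if ver is not None and is_vulnerable(ver)]


# Constructed inventory; hostnames and the 5.1.9 build are placeholders.
SAMPLE_INVENTORY = [
    ("ws01", LATEST),
    ("ws02", "5.1.10411.0"),
    ("ws03", FIXED_IN),
    ("ws04", "4.1.10329.0"),
    ("ws05", "5.1.9"),
    ("ws06", None),
]

if __name__ == "__main__":
    for host, ver in audit(SAMPLE_INVENTORY):
        print(f"{host}: Silverlight {ver} is below {FIXED_IN}, update to {LATEST}")
```

The string-compare variant is included only so the difference is visible on the sample: it misses the "5.1.9" host because "9" sorts after "2".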