Thread: SPAM frauds, fakes, and other MALWARE deliveries...
  #1 AplusWebMaster (Adviser Team, joined Oct 2005, USA, 6,881 posts)

    Tesco Phish, Fake Statement SPAM ...

    FYI...

    Tesco Phish ...
    - http://myonlinesecurity.co.uk/tesco-...ards-phishing/
    1 Sep 2014 - "... email arrives saying 'Tesco Payback Rewards'... email arrives apparently from Tesco saying 'Tesco Payback Rewards' that offers you £150 for filling in a Tesco customer satisfaction survey... it is a -scam- and is a phishing -fraud- designed to steal your bank and credit card details. The email says something like this:
    Tesco Customer Satisfaction program selected you to take part in our quick survey.
    To earn your 150 £ reward, please click here and complete the form.


    Screenshots:
    - http://myonlinesecurity.co.uk/wp-con...-_rewards1.png

    - http://myonlinesecurity.co.uk/wp-con...-_rewards2.png

    All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email or follow links in them... careful when unzipping them and make sure you have “show known file extensions enabled”, and then look carefully at the unzipped file. If it says .EXE then it is a problem and should -not- be run or opened."
    ___

    Fake Statement SPAM - PDF malware
    - http://myonlinesecurity.co.uk/statem...e-pdf-malware/
    1 Sep 2014 - "'Statement as at 01/09/2014' pretending to come from Cathy Rossi < C.Rossi@ tcreidelectrical .co.uk > is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... emails are not being sent from tcreidelectrical .co.uk or T C REID (ELECTRICAL) LTD, As far as we can determine they have not been hacked or their website or email system compromised... Email reads:

    Please find attached statement from T C REID (ELECTRICAL) LTD as at 01/09/2014.

    1 September 2014 : D0110109.PDF.zip ( 274kb): Extracts to D0110109.PDF.exe
    Current Virus total detections: 2/55* . This Statement as at 01/09/2014 is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/d...is/1409570924/
    ___

    O/S Market Share - August 2014 ...
    - http://www.netmarketshare.com/operat...10&qpcustomd=0
    Browser Market Share
    - http://www.netmarketshare.com/browse...=0&qpcustomd=0
    9/1/2014
    ___

    China gives MS 20 days to provide explanation in anti-trust probe
    - http://www.reuters.com/article/2014/...0GW1FD20140901
    Sep 1, 2014 - "A Chinese anti-trust regulator said on Monday it has given Microsoft 20 days to reply to queries on the compatibility of its Windows operating system and Office software suite amid a probe into the world's largest software company. The State Administration for Industry and Commerce (SAIC) questioned Microsoft Vice President David Chen and gave the company a deadline to make an explanation... Microsoft is one of at least 30 foreign companies that have come under scrutiny by China's anti-monopoly regulators as the government seeks to enforce its six-year-old antitrust law. Critics say the law is being used to unfairly target overseas businesses, a charge the regulators deny. According to a state media report on Monday, Microsoft's use of verification codes also spurred complaints from Chinese companies. Their use "may have violated China's anti-monopoly law", the official Xinhua news agency said on Monday. Verification codes are typically used by software companies as an anti-piracy mechanism. They are provided with legitimate copies of software and can be entered to entitle customers to updates and support from the manufacturer. Microsoft has long suffered from piracy of its software within China. Former Chief Executive Steve Ballmer told employees in Beijing that the company made less revenue in China than it did in the Netherlands... SAIC also repeated that it suspected the company has not fully disclosed issues relating to the compatibility of the software and the operating system... Last month, a delegation from chipmaker Qualcomm, led by company President Derek Aberle, met officials at the National Development and Reform Commission (NDRC) as part of that regulator's investigation of the San Diego-based firm. NDRC said earlier this year that the U.S. chipmaker is suspected of overcharging and abusing its market position in wireless communication standards. Microsoft's Nadella is expected to make his first visit to China as chief executive later this month."

    Last edited by AplusWebMaster; 2014-09-01 at 16:46.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  #2 AplusWebMaster

    Phish - Paypal ...

    FYI...

    Phish - Paypal ...
    - http://myonlinesecurity.co.uk/paypal...hear-phishing/
    14 Sep 2014 - "'Paypal Your account will be limited until we hear from you' pretending to come from service_paypal=cczazmam .com@ wpengine .com; on behalf of; service_paypal@ cczazmam .com. There are a few major common subjects in a phishing attempt. The majority are either PayPal or your Bank or Credit Card... The original email looks like this. It will NEVER be a genuine email from PayPal or Your Bank so don’t ever follow the links in the email...
    PayPal account information :
    Hello,
    Dear PayPal user ,
    Your account will be limited if you not confirm it .
    Need Assistance?
    Some information on your account appears to be missing or incorrect.
    Please update your account promptly so that you can continue to enjoy
    all the benefits of your PayPal account.
    If you don’t update your account within 37 days, we’ll limit what you can do with your PayPal account.
    Please Login to confirm your information :
    http ://rangeviewrentals .com//wp-content/themes/twentytwelve/wester.html
    Reference Number: PP-003-211-347-423
    Yours sincerely,
    PayPal


    This particular phishing campaign starts with an email with a link. In this case to a hacked compromised website, which looks nothing like any genuine PayPal page:
    > http://myonlinesecurity.co.uk/wp-con...shing-scam.png
    This one wants your personal details, your Paypal account log in details and your credit card and bank details and your email log in details . Many of them are also designed to specifically steal your facebook and other social network log in details..."


  #3 AplusWebMaster

    Amazon phish, Fake docs, voicemail, fax SPAM ...

    FYI...

    Amazon phish ...
    - http://myonlinesecurity.co.uk/amazon...tion-phishing/
    26 Sep 2014 - "'Account Confirmation' pretending to come from Amazon .co.uk <auto-confirm@ amazon .co.uk> is a phishing email designed to get your Amazon log in details and then your bank, credit card, address and personal details so they can imitate you and take over your accounts and clean you out...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...nfirmation.png

    Following the link in this Amazon Account Confirmation or other spoofed emails takes you to a website that looks -exactly- like the real Amazon.co.uk site. You are then taken through loads of steps to input a lot of private and personal information. Not only will this information enable them to clear out & use your Amazon account, but also your Bank Account, Email details, webspace (if you have it). They then want enough information to completely impersonate you and your identity not only in cyberspace but in real life. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email or follow links in them ..."
    ___

    Fake docs, voicemail, fax SPAM ...
    - http://blog.dynamoo.com/2014/09/malw...documents.html
    26 Sep 2014 - "... different types of spam to increase click through rates and now some tricky tools to prevent analysis of the malware.

    Employee Documents - Internal Use
    From: victimdomain
    Date: 26 September 2014 09:41
    Subject: Employee Documents - Internal Use
    DOCUMENT NOTIFICATION, Powered by NetDocuments
    DOCUMENT NAME: Employee Documents ...
    Documents are encrypted in transit and store in a secure repository...

    You have a new voice
    From: Voice Mail [Voice.Mail@ victimdomain]
    Date: 26 September 2014 09:30
    Subject: You have a new voice
    You are receiving this message because we were unable to deliver it, voice message did not go through because the voicemail was unavailable at that moment.
    * The reference number for this message is _qvs4004011004_001
    The transmission length was 26
    Receiving machine ID : ES7D-ZNA1D-QF3E
    To download and listen your voice mail please follow the link ...

    RBS: BACS Transfer : Remittance for JSAG244GBP
    From: Douglas Byers [creditdepart@ rbs .co.uk]
    Date: 26 September 2014 10:12
    Subject: BACS Transfer : Remittance for JSAG244GBP
    We have arranged a BACS transfer to your bank for the following amount : 4596.00
    Please find details at our secure link ...

    New Fax
    From: FAX Message [fax@victimdomain]
    Date: 26 September 2014 10:26
    Subject: New Fax
    You have received a new fax .
    Date/Time: Fri, 26 Sep 2014 16:26:36 +0700.
    Your Fax message can be downloaded here ...


    ... The attack has evolved recently.. usually these malicious links forwarded on to another site which had the malicious payload. Because all the links tended to end up at the same site, it was quite easy to block that site and foil the attack. But recently the payload is spread around many different sites making it harder to block. A new one today is that the landing page is somewhat obfuscated to make it harder to analyse, and this time the download is a plain old .scr file rather than a .zip. I've noticed that many anti-virus products are getting quite good at detecting the malicious ZIP files with a generic detection, but not the binary within. By removing the ZIP wrapper, the bad guys have given one less hook for AV engines to find.. malicious binary document7698124-86421_pdf.scr is downloaded from the remote site which has a VirusTotal detection rate of 2/55*. The Anubis report shows the malware attempting to phone home to padav .com which is probably worth blocking."
    * https://www.virustotal.com/en-gb/fil...is/1411724904/
    ... Behavioural information
    DNS requests
    padav .com (184.106.55.51)
    TCP connections
    188.165.198.52: https://www.virustotal.com/en-gb/ip-...2/information/
    184.106.55.51: https://www.virustotal.com/en-gb/ip-...1/information/
    UDP communications
    137.170.185.211: https://www.virustotal.com/en-gb/ip-...1/information/
    ___

    Bill.com Spam
    - http://threattrack.tumblr.com/post/9.../bill-com-spam
    Sep 26, 2014 - "Subjects Seen:
    Payment Details [Incident: 711935-599632]
    Typical e-mail details:
    We could not process your Full Payment Submission. The submission for reference ***/UT5236489 was successfully received and was not processed. Check attached copy (PDF Document) for more information.
    Regards,
    Bill.com Payment Operations


    Screenshot: https://gs1.wac.edgecastcdn.net/8019...HaW1r6pupn.png

    Malicious File Name and MD5:
    bill_com_Payment_Details_711935-599632.zip (02EE805D1EACD739BEF4697B26AAC847)
    bill_com_payment_details_ID0000012773616632715381235.pdf.exe (AD24CD2E14DCBF199078BDBBAE4BF0CA)


    Tagged: bill.com, Vawtrak
    ___

    More Fakes - HMRC, BT, RBS SPAM
    - http://blog.dynamoo.com/2014/09/malw...plication.html
    26 Sep 2014 - "Another bunch of spam emails, with the same payload* as in this earlier spam run*.

    HMRC taxes application with reference LZV9 0Q3E W5SD N3GV received
    From: noreply@ taxreg .hmrc .gov.uk [noreply@ taxreg .hmrc .gov.uk]
    Date: 26 September 2014 12:26
    Subject: HMRC taxes application with reference LZV9 0Q3E W5SD N3GV received
    The application with reference number LZV9 0Q3E W5SD N3GV submitted by you or your agent to register for HM Revenue & Customs (HMRC) taxes has been received and will now be verified. HMRC will contact you if further information is needed.
    Please download/view your HMRC documents here ...

    Important - BT Digital File
    From: Cory Sylvester [Cory.Sylvester@ bt .com]
    Date: 26 September 2014 12:51
    Subject: Important - BT Digital File
    Dear Customer,
    This email contains your BT Digital File. Please scan attached file and reply to this email.
    To download your BT Digital File please follow the link ...

    RBS Bankline: Outstanding invoice
    From: Bankline.Administrator@ rbs .co.uk [Bankline.Administrator@ rbs .co.uk]
    To: <REDACTED>
    Date: 26 September 2014 13:05
    Subject: Outstanding invoice
    {_BODY_TXT}
    Dear [redacted],
    Please find the attached copy invoice which is showing as unpaid on our ledger.
    To download your invoice please click here ...


    In the sample I looked at the malware page downloaded an archive document26092014-008_pdf.zip which in turn contains document26092014-008_pdf.exe which is the same payload* as earlier..."
    * http://blog.dynamoo.com/2014/09/malw...documents.html
    ___

    Fake Barclays SPAM – PDF malware
    - http://myonlinesecurity.co.uk/barcla...e-pdf-malware/
    26 Sep 2014 - "'Barclays Transaction not complete' is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    Unable to complete your most recent Transaction. Currently your transaction has a pending status.
    If the transaction was made by mistake please contact our customer service.
    For more details please download payment receipt ...


    26 September 2014: PaymentReceipt262.zip: Extracts to: PaymentReceipt262.exe
    Current Virus total detections: 2/55* . This 'Barclays Transaction not complete' is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/5...is/1411738617/
    ... Behavioural information
    DNS requests
    wcdnitaly .org (195.110.124.133)
    TCP connections
    188.165.198.52: https://www.virustotal.com/en/ip-add...2/information/
    195.110.124.133: https://www.virustotal.com/en/ip-add...3/information/
    UDP communications
    137.170.185.211: https://www.virustotal.com/en/ip-add...1/information/

    Last edited by AplusWebMaster; 2014-09-26 at 20:19.
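The recurring trick in the posts above (#1 and #3) is an executable wrapped in a ZIP and named so that it reads as a document: D0110109.PDF.exe, PaymentReceipt262.exe, document7698124-86421_pdf.scr, bill_com_payment_details_....pdf.exe. An added example of how a mail gateway or analyst script can triage such archives without relying on the hidden-extension display Windows gives the user. This is illustrative code written for this thread, not from myonlinesecurity, dynamoo or ThreatTrack; the archives it inspects are constructed in memory with dummy contents (only the member names follow the posts).

```python
"""Triage a ZIP attachment for executables dressed up as documents.

Added illustration for the thread; the sample archives are constructed
in memory and contain dummy bytes, not the real payloads.
"""
from __future__ import annotations

import io
import zipfile

# Extensions Windows will execute, and extensions that merely look harmless.
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}


def classify_member(name: str, head: bytes) -> list[str]:
    """Return the reasons an archive member looks suspicious (empty if none).

    `head` holds the first two bytes of the member, used to spot a PE image
    ("MZ") independently of whatever the file name claims.
    """
    base = name.lower().rsplit("/", 1)[-1]
    parts = base.split(".")
    stem, exts = parts[0], ["." + p for p in parts[1:]]
    reasons: list[str] = []
    if exts and exts[-1] in EXEC_EXTS:
        reasons.append(f"executable extension {exts[-1]}")
        # x.PDF.exe: a document extension placed in front of the real one
        if len(exts) >= 2 and exts[-2] in DOC_EXTS:
            reasons.append(f"double extension {exts[-2]}{exts[-1]}")
        # x_pdf.scr: the document hint moved into the stem instead
        if any(stem.endswith(sep + d[1:]) for sep in "_-" for d in DOC_EXTS):
            reasons.append("document-looking stem before executable extension")
    if head.startswith(b"MZ"):
        reasons.append("PE (MZ) header")
        if exts and exts[-1] in DOC_EXTS:
            reasons.append("PE content behind a document extension")
    return reasons


def scan_zip(data: bytes) -> dict[str, list[str]]:
    """Map each suspicious member name to its reasons; {} means nothing flagged."""
    findings: dict[str, list[str]] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(2)   # only the magic is needed, not the whole file
            reasons = classify_member(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_zip(members: dict[str, bytes]) -> bytes:
    """Construct a small ZIP in memory (fixture for the example only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: the member names follow the posts, the contents are dummies.
FAKE_STATEMENT_ZIP = build_zip({"D0110109.PDF.exe": b"MZ" + b"\0" * 64})
BILLCOM_ZIP = build_zip(
    {"bill_com_payment_details_ID0000012773616632715381235.pdf.exe": b"MZ" + b"\0" * 64}
)
BENIGN_ZIP = build_zip({"statement.pdf": b"%PDF-1.4\n%constructed sample\n"})

if __name__ == "__main__":
    for label, blob in [("fake statement", FAKE_STATEMENT_ZIP),
                        ("bill.com", BILLCOM_ZIP),
                        ("benign", BENIGN_ZIP)]:
        print(label, scan_zip(blob) or "clean")
```

The two signals are deliberately independent: the name check catches the social-engineering pattern even when the payload is not a PE, and the magic-byte check catches a PE even when the name is clean, so a renamed sample trips at least one of them. Checking the member name means the archive never has to be extracted onto a user's machine.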

  #4 AplusWebMaster

    Nuclear EK, Domain SCAMs

    FYI...

    Nuclear EK active on 178.79.182.106
    - http://blog.dynamoo.com/2014/10/nucl...879182106.html
    9 Oct 2014 - "It looks like the Nuclear exploit kit is active on 178.79.182.106 (Linode, UK), using hijacked subdomains of legitimate domains using AFRAID.ORG nameservers. I can see the following sites active on that IP:
    fuhloizle .tryzub-it .co.uk
    fuhloizle .pgaof39 .com
    fuhloizle .cusssa .org
    "fuhloizle" is a pretty distinctive search string to look for in your logs. It looks like the bad sites might be down at the moment (or the kit is hardened against analysis), but blocking this IP address as a precaution might be a good idea."
    178.79.182.106: https://www.virustotal.com/en/ip-add...6/information/
    ___

    chinaregistry .org.cn domain SCAM
    - http://blog.dynamoo.com/2014/10/chin...main-scam.html
    9 Oct 2014 - "This is an old scam that can safely be ignored.
    From: Henry Liu [henry.liu@ chinaregistry .org.cn]
    Date: 9 October 2014 07:53
    Subject: [redacted] domain and keyword in CN
    (Please forward this to your CEO, because this is urgent. Thanks)
    We are a Network Service Company which is the domain name registration center in Shanghai, China. On Oct 7, 2014, we received an application from Huaya Holdings Ltd requested "[redacted]" as their internet keyword and China (CN) domain names. But after checking it, we find this name conflict with your company name or trademark. In order to deal with this matter better, it's necessary to send email to you and confirm whether this company is your distributor or business partner in China?
    Kind regards
    Henry Liu
    General Manager
    China Registry (Headquarters)
    3002, Nanhai Building, No. 854 Nandan Road,
    Xuhui District, Shanghai, China ...


    Nobody is trying to register your domain name, this is simply a long-running scam aimed at getting you to spend too much money on something that you don't need. And I strongly recommend that you don't forward junk email like this to your CEO either..."
    (Short video at the dynamoo URL above.)
    ___

    Bash Bug saga continues: Shellshock Exploit via DHCP
    - http://blog.trendmicro.com/trendlabs...loit-via-dhcp/
    Oct 8, 2014 - "The Bash vulnerability known as Shellshock can be exploited via several attack surfaces including web applications, DHCP, SIP, and SMTP. With multiple proofs of concept (including -Metasploit- code) available in the public domain, this vulnerability is being heavily exploited. Most discussion of Shellshock attacks has focused on attacks on web apps. There has been relatively little discussion on other surfaces like DHCP, SMTP, and CUPS... techniques could be used by an attacker to compromise more machines within the network. Dynamic Host Configuration Protocol (DHCP) is a protocol used to dynamically distribute and assign network configuration settings, such as IP addresses. An attacker can configure a compromised DHCP server or create a rogue DHCP server to send -malicious- information to the DHCP client. Either technique means that the attacker has already compromised the network using other attack vectors... Various techniques can be used to exploit Shellshock over DHCP..."
    (More detail at the trendmicro URL above.)

    Last edited by AplusWebMaster; 2014-10-09 at 13:49.
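The dynamoo note above gives two things a defender can act on: a distinctive subdomain label ("fuhloizle") and the hosting IP 178.79.182.106. Because the kit sits on hijacked subdomains of otherwise legitimate domains, matching on the label rather than on the whole hostname also surfaces hijacked domains that were not in the post. An added example of running both checks over proxy logs; this is illustrative code written for this thread, not from the dynamoo blog. The log lines are constructed in Squid native access.log layout, and every hostname other than the three the post lists is invented for the example.

```python
"""Scan Squid-style proxy logs for the Nuclear EK indicators in the post.

Added illustration for the thread. The indicator values come from the
post; the log lines and the unlisted hostnames are constructed.
"""
from __future__ import annotations

import re
from typing import Optional
from urllib.parse import urlsplit

IOC_IP = "178.79.182.106"
IOC_LABEL = "fuhloizle"
IOC_HOSTS = {
    "fuhloizle.tryzub-it.co.uk",
    "fuhloizle.pgaof39.com",
    "fuhloizle.cusssa.org",
}

# Squid native access.log:
# time elapsed client code/status bytes method URL user hierarchy/peer content-type
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<code>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>\S+)\s+(?P<ctype>\S+)"
)


def check_line(line: str) -> Optional[dict]:
    """Return a finding for one log line, or None when nothing matches."""
    m = LINE_RE.match(line)
    if not m:
        return None
    host = (urlsplit(m["url"]).hostname or "").lower()
    peer = m["hier"].rsplit("/", 1)[-1]     # "HIER_DIRECT/178.79.182.106" -> IP
    reasons: list[str] = []
    if host in IOC_HOSTS:
        reasons.append("listed Nuclear EK host")
    elif IOC_LABEL in host.split("."):
        # Same label on a domain the post did not list: likely another hijacked subdomain
        reasons.append(f"distinctive label '{IOC_LABEL}' on unlisted domain")
    if peer == IOC_IP:
        reasons.append(f"served from {IOC_IP}")
    if not reasons:
        return None
    return {"client": m["client"], "host": host, "peer": peer, "reasons": reasons}


def scan_log(lines) -> list[dict]:
    """All findings for an iterable of log lines, in log order."""
    return [f for f in (check_line(line) for line in lines) if f]


def new_hosts(findings) -> set[str]:
    """Hosts caught by the label or IP rule that are not yet on the known list."""
    return {f["host"] for f in findings} - IOC_HOSTS


# Constructed log lines (timestamps, clients and unlisted hosts are invented).
SAMPLE_LOG = """\
1412856000.101 312 10.1.2.15 TCP_MISS/200 5120 GET http://fuhloizle.tryzub-it.co.uk/index.php?id=1 - HIER_DIRECT/178.79.182.106 text/html
1412856001.207 120 10.1.2.15 TCP_MISS/200 18432 GET http://fuhloizle.some-club.org.uk/fetch.jar - HIER_DIRECT/178.79.182.106 application/java-archive
1412856002.330 88 10.1.2.20 TCP_MISS/200 2048 GET http://files.static-host.example/a.js - HIER_DIRECT/178.79.182.106 application/javascript
1412856003.415 45 10.1.2.31 TCP_HIT/200 9001 GET http://www.example.com/ - HIER_NONE/- text/html
""".splitlines()

if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(h["client"], h["host"], "->", "; ".join(h["reasons"]))
    print("add to blocklist:", sorted(new_hosts(hits)))
```

Usage: feed `scan_log()` the lines of access.log and hand `new_hosts()` to whoever maintains the web filter. The third sample line is the reason the IP rule exists on its own: a host with no tell-tale label still gets flagged because it resolves to the kit's server, which is exactly the precautionary block the post suggests.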

  #5 AplusWebMaster

    Fake Debt Recovery, customer service SPAM

    FYI...

    Fake Debt Recovery SPAM - PDF malware
    - http://myonlinesecurity.co.uk/bd-dig...e-pdf-malware/
    22 Oct 2014 - "An email coming from random senders pretending to be B&D Digital Supplies or B&D Computers which is all about debt recovery and threatening legal action with a subject of 'Commercial Debt Recovery', Ref No: [random numbers] is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer... The email looks like:

    Screenshot: http://myonlinesecurity.co.uk/wp-con...t-recovery.png

    Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... it appears to come from a friend or is more targeted at somebody who regularly is likely to receive PDF attachments or Word .doc attachments or any other common file that you use every day. The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    ___

    Fake customer service SPAM - doc malware
    - http://myonlinesecurity.co.uk/custom...d-doc-malware/
    22 Oct 2014 - "an email pretending to have a word document invoice attachment with a subject of Reference: [random characters] coming from [random name] 'customer service' at an unspecified company is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer... The email looks like:

    This email contains an invoice file attachment ID:VZY563200VA
    Thanks!
    Kelli Horn .


    22 October 2014: ENC094126XJ.doc - Current Virus total detections: 0/54* . Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... The basic rule is NEVER open any attachment to an email, unless you are expecting it... Never just blindly click on the file in your email program..."
    * https://www.virustotal.com/en/file/d...is/1413973355/
    ___

    Fake Malformed or infected word docs with embedded macro viruses
    - http://myonlinesecurity.co.uk/malfor...macro-viruses/
    22 Oct 2014 - "We are seeing loads of emails with Malformed or infected word docs with embedded macro viruses; they are what appears to be a genuine word doc attached which is malformed and contains a macro or vba script virus. Modern versions of Microsoft office, that is Office 2010 and 2013 and Office 365 have Macros disabled by default, UNLESS you or your company have enabled them. Opening this malicious word document will infect you if Macros are enabled and simply previewing it in windows explorer or your email client might well be enough to infect you... Do -not- open word docs received in an email without scanning them with your antivirus first and be aware that there are a lot of dodgy word docs spreading that WILL infect you with no action from you if you are still using an outdated or vulnerable version of word. This is a good reason to update your office programs to a recent version and stop using office 2003 and 2007. The risks in using older versions are starting to outweigh the convenience, benefits and cost of keeping an old version going... All modern versions of word and other office programs, that is 2010, 2013 and 365, should open word docs, excel files and PowerPoint etc that are downloaded from the web or received in an email automatically in “protected view” that stops any embedded malware or macros from being displayed and running. Make sure protected view is set in all office programs to protect you and your company from these sorts of attacks..."

    - http://blog.dynamoo.com/2014/10/this...oice-file.html
    22 Oct 2014
    Screenshot: https://3.bp.blogspot.com/-1zwDnotAB...600/image1.gif
    VT1: https://www.virustotal.com/en-gb/fil...is/1413981604/
    ... Behavioural information
    DNS requests
    VBOXSVR.ovh.net: 213.186.33.6: https://www.virustotal.com/en-gb/ip-...6/information/
    TCP connections
    178.250.243.114: https://www.virustotal.com/en-gb/ip-...4/information/
    91.240.238.51: https://www.virustotal.com/en-gb/ip-...1/information/
    VT2: https://www.virustotal.com/en-gb/fil...is/1413982865/
    ___

    Fake Wells Fargo SPAM – PDF malware
    - http://myonlinesecurity.co.uk/wells-...e-pdf-malware/
    22 Oct 2014 - "An email pretending to come from Wells Fargo with a subject of 'You have a new Secure Message' is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    You have received a secure message
    Read your secure message by download AccountDocuments-10345.zip. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.
    In order to view the secure message please download it using our Cloud Hosting...


    22 October 2014: document_013982_pdf.zip: Extracts to: document_013982_pdf.exe
    Current Virus total detections: 5/54* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en-gb/fil...is/1413986180/
    ... Behavioural information
    TCP connections
    188.165.214.6: https://www.virustotal.com/en-gb/ip-...6/information/
    82.98.161.71: https://www.virustotal.com/en-gb/ip-...1/information/
    188.165.237.144: https://www.virustotal.com/en-gb/ip-...4/information/
    80.157.151.17: https://www.virustotal.com/en-gb/ip-...7/information/
    UDP communications
    173.194.71.127: https://www.virustotal.com/en-gb/ip-...7/information/
    ___

    Flash Player exploit in-the-wild - CVE-2014-0569
    - https://blog.malwarebytes.org/exploi...vulnerability/
    Oct 22, 2014 - "... less than a week ago, a critical flaw in the Flash Player (CVE-2014-0569*) was patched and made public:
    * https://helpx.adobe.com/security/pro...apsb14-22.html
    The vulnerability had been privately reported to Adobe through the Zero Day Initiative group giving the firm the time to fix the issue before it became known to the world. Typically security researchers and criminals will be very attentive to such news and skilled reverse engineers will start looking at the patch to be able to reconstruct the exploit. All things considered, there is normally a certain amount of time before a proof of concept is released and then a little more time before that poc is weaponized by the bad guys... Kafeinee**... stumbled upon that same CVE in a real world exploit kit (Fiesta EK) only one -week- after the official security bulletin had been published... That means we have less and less time to deploy and test security patches. Perhaps this is not too much of a deal for individuals, but it can be more difficult for businesses which need to roll out patches on dozens of machines, hoping doing so will not cause malfunctions in existing applications. In any case, this was our first chance to test CVE-2014-0569 in the wild by triggering the Fiesta EK against Malwarebytes Anti-Exploit:
    > https://blog.malwarebytes.org/wp-con...-2014-0569.png
    It is crucial to patch any system running outdated Flash Player versions as soon as possible! You can check the version you are running (make sure to do this in all the browsers you use) by going here:
    >> http://www.adobe.com/software/flash/about/
    The bad guys are not going to run short of vulnerabilities they can weaponize at a quicker rate than ever before. This leaves end-users with very little room for mistakes such as failing to diligently apply security patches -sooner- rather than later..."
    ** http://malware.dontneedcoffee.com/20...2014-0569.html

    > https://blog.malwarebytes.org/tag/fiesta-ek/

    Last edited by AplusWebMaster; 2014-10-22 at 23:44.
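The macro-document posts above (and the 'New order' / 'Remittance' samples in the next post) describe attachments that look like ordinary Word files but carry a VBA project. Since the posts report 0/54 and 0/44 VirusTotal detections, it helps to check for the presence of a macro project directly rather than wait for a signature. An added example of that check; this is illustrative code written for this thread, not from myonlinesecurity or dynamoo. OOXML files (.docx/.docm) are ZIP containers, so a macro project appears as a vbaProject.bin part and as a macroEnabled content type; for legacy binary .doc files (OLE2 containers, which is what the posts' samples are) only a crude byte-level heuristic is shown and a proper OLE parser such as oletools/olevba is assumed for confirmation. All sample documents are constructed in memory.

```python
"""Detect a VBA macro project in a Word attachment before it is opened.

Added illustration for the thread; the documents below are constructed
fixtures, not the samples from the posts.
"""
from __future__ import annotations

import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"       # legacy .doc container
MACRO_CTYPES = (
    "application/vnd.ms-word.document.macroEnabled.main+xml",   # .docm main part
    "application/vnd.ms-office.vbaProject",                      # the VBA project part
)
PLAIN_CTYPE = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"


def macro_findings(filename: str, data: bytes) -> list[str]:
    """Return the reasons the document appears to carry VBA (empty if none)."""
    reasons: list[str] = []
    if data.startswith(b"PK\x03\x04"):                  # OOXML: a ZIP package
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                reasons.append("vbaProject.bin part present")
            if "[Content_Types].xml" in names:
                ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                for ct in MACRO_CTYPES:
                    if ct in ctypes:
                        reasons.append(f"content type {ct}")
        # A .docx name with a macro project is itself a warning sign.
        if reasons and filename.lower().endswith(".docx"):
            reasons.append("macros inside a file named .docx (expected .docm)")
    elif data.startswith(OLE_MAGIC):
        # Heuristic only: OLE directory entries store stream names as UTF-16LE,
        # so the VBA project stream name is visible in the raw bytes.
        if "_VBA_PROJECT".encode("utf-16-le") in data:
            reasons.append("legacy OLE document with VBA stream name (heuristic; confirm with olevba)")
    return reasons


def build_docx(with_macro: bool) -> bytes:
    """Construct a minimal OOXML package, with or without a VBA project."""
    main_ct = MACRO_CTYPES[0] if with_macro else PLAIN_CTYPE
    ctypes = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>'
    )
    if with_macro:
        ctypes += f'<Override PartName="/word/vbaProject.bin" ContentType="{MACRO_CTYPES[1]}"/>'
    ctypes += "</Types>"
    members: dict[str, bytes] = {
        "[Content_Types].xml": ctypes.encode(),
        "word/document.xml": b"<w:document/>",
    }
    if with_macro:
        members["word/vbaProject.bin"] = OLE_MAGIC + b"\0" * 32   # stand-in for the project
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed legacy sample: OLE magic plus a UTF-16LE "_VBA_PROJECT" stream name.
LEGACY_WITH_VBA = OLE_MAGIC + b"\0" * 64 + "_VBA_PROJECT".encode("utf-16-le") + b"\0" * 16
LEGACY_PLAIN = OLE_MAGIC + b"\0" * 96

if __name__ == "__main__":
    for name, blob in [("invoice.docx", build_docx(True)),
                       ("letter.docx", build_docx(False)),
                       ("invoice.doc", LEGACY_WITH_VBA)]:
        print(name, macro_findings(name, blob) or "no macro project found")
```

This is a presence check, not a verdict on intent: a flagged file simply should not be opened outside Protected View until someone has looked at the project. The OLE branch is a heuristic because stream names can be split across directory sectors; a real pipeline parses the container rather than scanning bytes.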

  #6 AplusWebMaster

    Fake 'New order' SPAM ...

    FYI...

    Fake 'New order' SPAM - Word doc malware
    - http://myonlinesecurity.co.uk/new-or...d-doc-malware/
    4 Nov 2014 - "'New order 7757100' from site is an email saying 'Thank you for ordering' pretending to come from random names at random companies with a subject of 'New order 7757100 from site' is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... This email has what appears to be a genuine word doc attached which is -malformed- and contains a macro script virus... DO NOT follow the advice they give to enable macros to see the content. Almost all of these malicious word documents appear to be -blank- when opened...

    Screenshots: http://myonlinesecurity.co.uk/wp-con...-from-site.png

    - http://myonlinesecurity.co.uk/wp-con...iew-macros.png

    4 November 2014 : Order561104135.doc - Current Virus total detections: 1/54*
    Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/1...is/1415093505/
    ___

    Fake 'Remittance' SPAM – Word doc malware
    - http://myonlinesecurity.co.uk/duco-r...d-doc-malware/
    4 Nov 2014 - "An email saying 'Please find attached the details of the payment credited to your account for the sum of 1739.67 GBP' pretending to come from DUCO with a subject of 'Remittance Advice November' [ random characters] with a malicious word document attachment is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:

    Dear Sir/Madam
    Please find attached the details of the payment credited to your account for the sum of 1739.67 GBP
    Regards,
    Domenic Burton
    Accounts Payable Department DUCO


    4 November 2014 : De_BW574826C.doc - Current Virus total detections: 0/44*
    Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/7...is/1415106043/

    - http://blog.dynamoo.com/2014/11/duco...mber-spam.html
    4 Nov 2014
    - https://www.virustotal.com/en/file/3...is/1415110852/
    ... Behavioural information
    TCP connections
    91.222.139.45: https://www.virustotal.com/en/ip-add...5/information/
    213.140.115.29: https://www.virustotal.com/en/ip-add...9/information/
    ___

    'C-93 Virus Alert' - Phish ...
    - http://www.hoax-slayer.com/C93-virus...ing-scam.shtml
    Nov 4, 2014 - "An email claiming to be from Windows Outlook warns that a 'C93 Virus' has been detected in your mailbox and you are therefore -required- to -click- a link to run a Norton anti-virus scan to resolve the issue. The email is -not- from Outlook or Microsoft. It is a phishing scam designed to trick you into giving your Microsoft Account login details to criminals... According to this email, which claims to be from 'Windows Outlook', a 'C93 Virus' has been detected in your mailbox. The message instructs you to click a link to run a Norton anti-virus scan that will 'remove all Trojan and viral bugs' from your account. But, warns the message, if you fail to run the scan, your mailbox will be -deactivated- ... Example:
    Dear Outlook Member,
    A C93 Virus has been detected in your mailbox, You are required to apply the new Norton AV security anti-virus to scan and to remove all Trojan and viral bugs from your mailbox Account, Failure to apply the scan your mailbox will be De-Activated to avoid our database from being infected.
    Click on Optimal Scan and Log in to apply the service.
    Thank you ...


    If you click the link, you will be taken to a -fake- webpage that is designed to look like a genuine Microsoft account login. When you enter your login details and click the 'Sign In' button, you will be automatically -redirected- to a genuine Microsoft account page... the criminals can collect your login details and use them to hijack your real Microsoft Account. Because the same credentials are used to login to various Microsoft services, they are a valuable commodity for scammers... If you receive one of these -fake- virus warnings, do -not- click any links or open any attachments..."
    ___

    Bitcoin bonanza - or blunders?
    - https://www.virusbtn.com/blog/2014/11_04.xml
    4 Nov 2014 - "... 'occasionally losing a lot of money through bugs and blunders'... 'hard not to feel dizzy and somewhat overwhelmed by the security issues and implications'.
    > https://www.virusbtn.com/virusbullet...ontiroli-1.jpg
    Malware targeting Bitcoin wallets or using other people's resources to mine for cryptocurrencies are perhaps the least of our worries. What about virus code (or worse, child abuse material) ending up in the blockchain? Or the common flaw of transaction malleability? Or the almost existential threat of the "51% attack"? Cryptocurrencies are here to stay, but they come with their own unique set of problems that we cannot ignore... we're not in Kansas anymore..."
    (More detail at the top virusbtn URL.)

    - https://www.virusbtn.com/blog/2014/10_31a.xml
    31 Oct 2014
    ___

    Facebook: gov't requests for user data rise 24%
    - http://www.reuters.com/article/2014/...0IO21Z20141104
    Nov 4, 2014 - "Facebook Inc said requests by governments for user information rose by about a quarter in the first half of 2014 over the second half of last year. In the first six months of 2014, governments around the world made 34,946 requests for data. During the same time, the amount of content restricted because of local laws increased about 19 percent... Google reported in September a 15 percent sequential increase in the number of requests in the first half of this year, and a 150 percent rise in the last five years, from governments around the world to reveal user information in criminal investigations."

    Last edited by AplusWebMaster; 2014-11-04 at 23:03.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...

  7. #7
    AplusWebMaster (Adviser Team)

    Fake Invoice, Fake FAX SPAM...

    FYI...

    Fake Invoice SPAM - Word doc malware attached
    - http://myonlinesecurity.co.uk/email-...d-doc-malware/
    18 May 2014 - "'Invoice #1633370 May' with a malicious word doc attachment saying 'This email contains an invoice file attachment' is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:

    This email contains an invoice file attachment

    So far today I have seen 3 different sized files attached to this email; all file names are random:
    18 November 2014 : invoice_796732903.doc (59kb) Current Virus total detections: 1/55*

    18 November 2014 : invoice_1952581.doc (41kb) Current Virus total detections: 1/55**

    18 November 2014 : invoice_80943810.doc (22kb) Current Virus total detections: 0/54***
    ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/0...is/1416303264/

    ** https://www.virustotal.com/en/file/7...is/1416304606/

    *** https://www.virustotal.com/en/file/6...is/1416304325/
    ___

    Another Fake FAX SPAM run ...
    - http://blog.dynamoo.com/2014/11/inco...ets-party.html
    18 Nov 2014 - "... 'need to load some more papyrus into the facsimile machine...:
    From: Incoming Fax [no-reply@ efax .co.uk]
    Date: 18 November 2014 13:16
    Subject: INCOMING FAX REPORT : Remote ID: 766-868-5553
    INCOMING FAX REPORT
    Date/Time: Tue, 18 Nov 2014 14:16:58 +0100
    Speed: 4222bps
    Connection time: 01:09
    Pages: 5
    Resolution: Normal
    Remote ID: 963-864-5728
    Line number: 1
    DTMF/DID:
    Description: Internal report
    We have uploaded fax report on dropbox, please use the following link to download your file...


    This is (of course) utter bollocks, and the link in the email downloads a ZIP file document_8731_pdf.zip which in turn contains a malicious executable document_8731_pdf.exe which has a VirusTotal detection rate of 4/54*. According to the Malwr report it makes these following HTTP requests:
    http ://108.61.229.224:13861 /1811us1/HOME/0/51-SP3/0/
    http ://108.61.229.224:13861 /1811us1/HOME/1/0/0/
    http ://159593.webhosting58 .1blu. de/mandoc/narutus1.pmg
    It also drops a file EXE1.EXE onto the target system which has a detection rate of 7/55**...
    Recommended blocklist:
    108.61.229.224
    159593.webhosting58 .1blu .de"
    * https://www.virustotal.com/en/file/d...is/1416318405/
    ... Behavioural information
    TCP connections
    108.61.229.224: https://www.virustotal.com/en/ip-add...4/information/
    178.254.0.111: https://www.virustotal.com/en/ip-add...1/information/

    ** https://www.virustotal.com/en/file/5...is/1416318784/

    - http://myonlinesecurity.co.uk/incomi...e-pdf-malware/
    18 Nov 2014
    - https://www.virustotal.com/en/file/d...is/1416321619/
    ___

    Fake Voice msg SPAM again - PDF malware
    - http://myonlinesecurity.co.uk/voice-...e-pdf-malware/
    18 Nov 2014 - "'voice message from 685-869-9737 for mailbox 226' pretending to come from 'Voice Mail <voicemail_sender@ voicemail .com> is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer... The email looks like:
    You have received a voice mail message from 685-869-9737
    Message length is 00:00:30. Message size is 225 KB.
    Download your voicemail message from dropbox service below (Google Disk Drive Inc.)...


    18 November 2014: document_8731_pdf.zip (12 kb): Extracts to: document_8731_pdf.exe
    Current Virus total detections: 4/55*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/d...is/1416321619/

    Last edited by AplusWebMaster; 2014-11-18 at 19:12.
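The two points the post above makes are mechanical and worth automating: the "spoofed icon" trick relies on a file named like a document (`document_8731_pdf.exe`) being shown without its real extension, and the dynamoo write-up ends with a recommended blocklist of the hosts the dropper contacts. The script below is an added example, not code from the forum poster or from the blogs quoted; it checks every member of a ZIP attachment for an executable extension, a document-looking name in front of an executable extension, and an `MZ` (Windows PE) header hiding behind a document extension, and then matches a few constructed proxy-log lines against the post's two blocklist entries. The log format (`timestamp client method url`) and the sample ZIP contents are assumptions made for the example.

```python
"""Attachment and proxy-log triage, added example code (not from the original post).

Assumed inputs (constructed here, not captured data): a ZIP built in memory
and a space-separated proxy log of the form "timestamp client method url".
"""
import io
import os
import re
import zipfile
from urllib.parse import urlsplit

# Extensions Windows will run on double-click; these are what a "document"
# icon is used to disguise when known extensions are hidden in Explorer.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}

# Leading bytes of the formats these campaigns claim or actually deliver.
MAGIC = {
    b"MZ": "exe",              # Windows PE executable
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip",
    b"\xd0\xcf\x11\xe0": "ole",  # legacy .doc/.xls container
}

# Blocklist from the dynamoo post quoted above (defanging removed so it matches).
BLOCKLIST = {"108.61.229.224", "159593.webhosting58.1blu.de"}

# A document keyword glued to the stem with "_" or "." right before the real
# extension: "document_8731_pdf.exe", "invoice.pdf.exe".
DOC_KEYWORD = re.compile(r"[._](pdf|doc|docx|xls|xlsx|txt)$")


def sniff(head: bytes) -> str:
    """Return the file kind implied by its first bytes, or 'unknown'."""
    for magic, kind in MAGIC.items():
        if head.startswith(magic):
            return kind
    return "unknown"


def document_name_with_executable_ext(name: str) -> bool:
    stem, ext = os.path.splitext(os.path.basename(name).lower())
    return ext in EXECUTABLE_EXTS and DOC_KEYWORD.search(stem) is not None


def triage_zip(zip_bytes: bytes) -> list:
    """Inspect each ZIP member; 'block' is True when any tell-tale is present."""
    verdicts = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            head = zf.open(info).read(8)
            ext = os.path.splitext(info.filename.lower())[1]
            kind = sniff(head)
            reasons = []
            if ext in EXECUTABLE_EXTS:
                reasons.append("executable extension")
            if kind == "exe" and ext not in EXECUTABLE_EXTS:
                reasons.append("PE header behind non-executable extension")
            if document_name_with_executable_ext(info.filename):
                reasons.append("document keyword before executable extension")
            verdicts.append({"name": info.filename, "kind": kind, "ext": ext,
                             "block": bool(reasons), "reasons": reasons})
    return verdicts


def flag_log_lines(lines, blocklist=BLOCKLIST) -> list:
    """Return (timestamp, client, host, url) for every request to a blocklisted host."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # not in the assumed "timestamp client method url" shape
        ts, client, _method, url = parts[:4]
        host = (urlsplit(url).hostname or "").lower()
        if host in blocklist:
            hits.append((ts, client, host, url))
    return hits


def build_sample_zip() -> bytes:
    """Constructed sample: a spoofed-name PE, a PE behind .pdf, and a real PDF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("document_8731_pdf.exe", b"MZ\x90\x00" + b"\x00" * 60)
        zf.writestr("invoice.pdf", b"MZ\x90\x00" + b"\x00" * 60)
        zf.writestr("readme.pdf", b"%PDF-1.4\n% constructed sample\n")
    return buf.getvalue()


# Constructed log lines using the URLs the dynamoo post lists, plus a benign one.
SAMPLE_LOG = [
    "2014-11-18T13:20:01Z 10.0.0.5 GET http://108.61.229.224:13861/1811us1/HOME/0/51-SP3/0/",
    "2014-11-18T13:20:03Z 10.0.0.5 GET http://159593.webhosting58.1blu.de/mandoc/narutus1.pmg",
    "2014-11-18T13:21:10Z 10.0.0.7 GET https://www.example.com/index.html",
]

if __name__ == "__main__":
    for v in triage_zip(build_sample_zip()):
        print("BLOCK" if v["block"] else "ok   ", v["name"], v["kind"], v["reasons"])
    for hit in flag_log_lines(SAMPLE_LOG):
        print("IOC hit", hit)
```

The magic-byte check is the one that matters: a renamed `.exe` keeps its `MZ` header no matter what the name or icon says, so the name-based rules are only cheap first-pass filters. Treat the blocklist entries as short-lived; the post's own VirusTotal links show this campaign rotated files and hosts within hours.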
