Thread: SPAM frauds, fakes, and other MALWARE deliveries...

  1. #1
    AplusWebMaster (Adviser Team)
    Join Date: Oct 2005
    Location: USA
    Posts: 6,881

    Fake MS email phish delivers Zeus via Java vuln ...

    FYI...

    Fake MS email phish delivers Zeus via Java vuln ...
    - https://isc.sans.edu/diary.html?storyid=14020
    Last Updated: 2012-09-01 - "Thanks to Susan Bradley for reporting this to ISC.
    We're receiving multiple reports of a phishing campaign using the template from a legitimate Microsoft email regarding Important Changes to Microsoft Services Agreement and Communication Preferences.
    The legitimate version of this email is specific to a services agreement seen here*, per a change to Microsoft services as of 27 AUG. The evil version of this email will subject the victim to a hyperlink that will send them to a Blackhole-compromised website, which will in turn deliver a fresh Zeus variant... The (evil) email includes the following header snippet:
    Received: from [101.5.162.236] ([101.5.162.236]) by
    inbound94.exchangedefender .com (8.13.8/8.13.1) with ESMTP id q7VFDPjO029166
    A legitimate header snippet:
    Received: from smtpi.msn .com ([65.55.52.232]) by COL0-MC3-F43.Col0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4900)
    101.5.162.236 is in China, 65.55.52.232 is Microsoft. The legitimate email will include a hyperlink for http://email.microsoft.com/Key-98503...15.C.KK.DlNkNK , which points to the above mentioned services agreement.
    (Obfuscated to protect the innocent): The phishing mail will instead include a hyperlink to the likes of allseasons****.us, radiothat****.com, and likely a plethora of others. I assessed radiothat****.com and was redirected to 209.x.y.14 which is running the very latest Blackhole evil as described on 28 AUG by Websense in this post**.
    Source code review of the web page served included <applet/code="ndshesa.ndshesf"/archive="Leh.jar"><param/nam=123 name=uid value="N013:011:011:04:037:061:061:047:034:076:074:0102:076:074:047:047:047:074:067:053:061:04:074:04:013:04:075:054:071:034:067:053:034:034:02:065:071:034"/></applet>
    The VirusTotal link for Leh.jar is here(3), and the VirusTotal link for the Zeus variant offered is here(4)...
    Contemplate disabling Java(5) until the -next- update(6) is released..."

    * http://windows.microsoft.com/en-US/w...ices-agreement

    ** http://community.websense.com/blogs/...ploit-kit.aspx

    3) https://www.virustotal.com/file/2510...8bc9/analysis/
    File name: Leh.jar
    Detection ratio: 8/42
    Analysis date: 2012-09-01 05:28:51 UTC

    4) https://www.virustotal.com/file/98bb...is/1346461231/
    File name: updateflashplayer.exe
    Detection ratio: 6/42
    Analysis date: 2012-09-01 01:00:31 UTC

    5) http://krebsonsecurity.com/how-to-un...m-the-browser/

    6) https://isc.sans.edu/diary.html?storyid=14017
    ___

    101.5.162.236
    101.5.0-255.*
    inetnum: 101.5.0.0 - 101.5.255.255
    netname: TSINGHUA-CN
    country: CN
    origin: AS4538
    http://www.google.com/safebrowsing/d...c?site=AS:4538
    ... 231 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2012-09-02, and the last time suspicious content was found was on 2012-09-02... We found 27 site(s)... that infected 743 other site(s).
    ___

    - https://krebsonsecurity.com/2012/08/...ged-two-flaws/
    "... If you want to test whether you’ve successfully disabled Java, check out Rapid7's page, http://www.isjavaexploitable.com/ ."

    Last edited by AplusWebMaster; 2012-09-02 at 14:10.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .
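As a defender-side illustration of the header comparison in the post above (an added example, not code from the ISC diary or this thread): a small Python check that pulls the connecting IP out of a Received: header, flags the bare-IP HELO the phish used, and classifies the origin against an illustrative allow-list and the TSINGHUA-CN block named in the post. The /24 around the known-good Microsoft relay is an assumption for the example, not an authoritative list.

```python
import ipaddress
import re

# Constructed samples: the two Received: lines quoted in the post above, defanging spaces kept.
PHISH_HEADER = (
    "Received: from [101.5.162.236] ([101.5.162.236]) by "
    "inbound94.exchangedefender .com (8.13.8/8.13.1) with ESMTP id q7VFDPjO029166"
)
LEGIT_HEADER = (
    "Received: from smtpi.msn .com ([65.55.52.232]) by "
    "COL0-MC3-F43.Col0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4900)"
)

# Assumption for illustration only: the netblock a filter expects genuine Microsoft
# notifications to come from. A real deployment would use the sender's published SPF data.
EXPECTED_SENDER_NETS = [ipaddress.ip_network("65.55.52.0/24")]

# Netblock the post identifies via whois as TSINGHUA-CN (AS4538), origin of the phish.
KNOWN_BAD_NETS = [ipaddress.ip_network("101.5.0.0/16")]

_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
_FROM_RE = re.compile(r"^Received:\s+from\s+(\S+)", re.IGNORECASE)


def origin_ip(received):
    """Return the connecting IP recorded in a Received: header, or None if absent."""
    m = _IP_RE.search(received)
    return ipaddress.ip_address(m.group(1)) if m else None


def helo_is_bare_ip(received):
    """True when the relay introduced itself as a bracketed IP literal, as the phish did."""
    m = _FROM_RE.match(received)
    return bool(m) and m.group(1).startswith("[")


def classify(received):
    """'block', 'allow', 'review' or 'unparsed' for one Received: header."""
    ip = origin_ip(received)
    if ip is None:
        return "unparsed"
    if any(ip in net for net in KNOWN_BAD_NETS):
        return "block"
    if any(ip in net for net in EXPECTED_SENDER_NETS):
        return "allow"
    return "review"


if __name__ == "__main__":
    for header in (PHISH_HEADER, LEGIT_HEADER):
        print(origin_ip(header), helo_is_bare_ip(header), classify(header))
```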

  2. #2
    AplusWebMaster (Adviser Team)

    Fake Amazon email exploits recent Java vuln ...

    FYI...

    Fake ‘Amazon order’ email exploits recent Java vuln ...
    - http://community.websense.com/blogs/...erability.aspx
    03 Sep 2012 - "... Websense... has detected a new malicious email campaign purporting to be an order verification email from Amazon directing victims to a page containing the recent Java exploit. If successful, this exploit could allow the cyber-criminals behind this campaign to deliver further malicious payloads to the victim’s machine which, for example, could lead to the exfiltration of personal and financial data. Oracle have released an out-of-band patch for this Java vulnerability (Oracle release Java 1.7.0_07 to fix CVE-2012-4681*)... On 1st September, Websense... intercepted over 10,000 malicious emails with the subject ‘You Order With Amazon.com’ enticing the recipient to ‘click here’ to verify a fictitious order as shown in this sample:
    > http://community.websense.com/cfs-fi...2D00_550x0.jpg
    Once the victim has clicked the link, they are redirected to an obfuscated page hosting the Blackhole Exploit Kit... an analysis of this file can also be found on VirusTotal**..."

    * http://community.websense.com/blogs/...2012-4681.aspx

    ** https://www.virustotal.com/file/2510...8bc9/analysis/
    File name: 9c5abf8889c34b3a36c6699b40ef6717c95ac6e1
    Detection ratio: 12/42
    Analysis date: 2012-09-03


  3. #3
    AplusWebMaster (Adviser Team)

    Fake Google email contains a trojan ...

    FYI...

    Another round of "Spot the Exploit E-Mail"
    - https://isc.sans.edu/diary.html?storyid=14029
    Last Updated: 2012-09-04 - "We have come to expect quality phishing/fake email work these days...
    > https://isc.sans.edu/diaryimages/amexemail1.png
    > https://isc.sans.edu/diaryimages/amexemail2.png
    > https://isc.sans.edu/diaryimages/amexemail3.png
    ... javascript will then -redirect- the user to one of these two IP addresses:
    96.47.0.163, 108.178.59.26
    both IP addresses yield heavily obfuscated javascript. The wepawet analysis can be found here:
    - http://wepawet.iseclab.org/view.php?...69729c&type=js
    It appears to be the usual "what vulnerable plugin are you running today?" javascript."
    ___

    Fake Google email contains a trojan ...
    - http://h-online.com/-1698349
    04 Sep 2012 - "Unknown attackers are attempting to persuade email recipients to open attachments that contain a trojan by claiming to be from The Google Accounts Team. A new email supposedly from "accounts-noreply @google .com" with the subject "Suspicious sign in prevented" is being sent en masse -claiming- that a hijacker has attempted to access the mail recipient's Google Account. The message says that the sign-in attempt was prevented but asks users to refer to the attached file for details of the attempted intrusion. However, instead of containing information such as the IP address of the log-in attempt, the attached zip file contains a Windows executable file that will install a trojan onto a victim's system. While Google does sometimes send emails like this to users, they -never- contain attachments; users that receive such an email are advised to delete them. According to VirusTotal*, the trojan is currently only detected by just half of 42 anti-virus programs..."
    * https://www.virustotal.com/file/df0b...c23a/analysis/
    File name: Google_Accounts_Alert-3944-J5I-4169.zip
    Detection ratio: 21/42
    Analysis date: 2012-09-04 09:25:32 UTC
    ___

    Fake ‘Wire Transfer Confirmation’ emails lead to Black Hole exploit kit ...
    - http://blog.webroot.com/2012/09/04/s...e-exploit-kit/
    Sep 4, 2012 - "Over the past 24 hours, cybercriminals started spamvertising millions of emails impersonating the United Parcel Service (UPS) in an attempt to trick end and corporate users into previewing a malicious .html attachment. Upon previewing it, a tiny iFrame attempts to contact a client-side exploit-serving landing URL, courtesy of the Black Hole web malware exploitation kit.
    Sample screenshot of the spamvertised email:
    > https://webrootblog.files.wordpress....xploit_kit.png
    ... Sample exploits served: CVE-2010-0188; CVE-2010-1885
    Upon successful client-side exploitation, the campaign drops MD5: 7fe4d2e52b6f3f22b2f168e8384a757e * ..."
    * https://www.virustotal.com/file/932f...fd00/analysis/
    File name: 7fe4d2e52b6f3f22b2f168e8384a757e
    Detection ratio: 32/42
    Analysis date: 2012-08-28
    ___

    Fake LinkedIn spam leads to malware ...
    - http://blog.dynamoo.com/2012/09/link...85926-and.html
    4 Sep 2012 - "This fake LinkedIn spam leads to malware on 108.178.59.26 and myasuslaptop .com:

    Date: Tue, 04 Sep 2012 10:43:03 +0100
    From: "noreply" [noreply@linkedin.com]
    Subject: Link LinkedIn Mail
    LinkedIn
    REMINDERS
    Invitation reminders:
    • From Charlie Alexander (Mexico Key Account Director at Quanta)
    PENDING MESSAGES
    • There are a total of 5 messages awaiting your response. Visit your InBox now.
    Don't want to receive email notifications? Adjust your message settings.
    LinkedIn values your privacy. At no time has LinkedIn made your email address available to any other LinkedIn user without your permission. © 2012, LinkedIn Corporation.

    The malicious payload (report here*)..."
    * http://wepawet.iseclab.org/view.php?...746065&type=js
    Detection results:
    Detector: Jsand 2.3.4 - Result: malicious
    In particular, the following URL was found to contain malicious content:
    hxxp :// 108.178.59.26 /bv6rcs3v1ithi.php?w=6de4412e62fd13be
    Exploits:
    Name: HPC URL - Description: Help Center URL Validation Vulnerability - Reference: CVE-2010-1885 ...

    ... My personal preference with any emails purporting to be from LinkedIn is to block them at the perimeter. As far as most businesses are concerned it is simply a playground for recruiters trying to poach your staff."

    Last edited by AplusWebMaster; 2012-09-04 at 18:33.

  4. #4
    AplusWebMaster (Adviser Team)

    Fake 'QuickBooks Update: Urgent' emails lead to BlackHole exploit kit

    FYI...

    Fake 'QuickBooks Update: Urgent' emails lead to Black Hole exploit kit
    - http://blog.webroot.com/2012/09/05/i...e-exploit-kit/
    Sep 5, 2012 - "... cybercriminals behind the recently profiled ‘Intuit Marketplace’ themed campaign resume impersonating Intuit, with a newly launched round consisting of millions of Intuit themed emails. The theme this time? Convincing users that in order to access QuickBooks they would have to install the non-existent Intuit Security Tool. In reality though, clicking on the links points to a Black Hole exploit kit landing URL that ultimately drops malware on the affected hosts...
    Screenshot of a sample spamvertised email:
    > https://webrootblog.files.wordpress....xploit_kit.png
    ... Client-side exploits serving URL: hxxp ://roadmateremove .org /main.php?page=9bb4aab85fa703f5 - 89.248.231.122; 208.91.197.27
    ... Name servers part of the campaign’s infrastructure:
    ns1.chemrox .net – 208.91.197.27; 173.234.9.17
    ns2.chemrox .net – 7.25.179.23
    Upon successful client-side exploitation, the campaign drops MD5: f621be555dc94a8a370940c92317d575 * ...
    * https://www.virustotal.com/file/eee0...8137/analysis/
    File name: f621be555dc94a8a370940c92317d575
    Detection ratio: 33/42
    Analysis date: 2012-09-01
    ...Once executed, the sample phones back to 87.120.41.155 :8080/mx5/B /in. We’ve already seen the same command and control IP used in the following previously profiled malicious campaigns..."


  5. #5
    AplusWebMaster (Adviser Team)

    Bogus greeting card emails serve exploits and malware

    FYI...

    Bogus greeting card emails serve exploits and malware
    - http://blog.webroot.com/2012/09/06/c...s-and-malware/
    Sep 6, 2012 - "Remember the recently profiled 123greetings .com themed malicious campaign? It appears that over the past 24 hours, the cybercriminals behind it have resumed spamvertising millions of emails pointing to additional compromised URLs in a clear attempt to improve their click-through rates...
    Sample screenshot of the spamvertised email:
    > https://webrootblog.files.wordpress....xploit_kit.png
    ... Detection rate for a sample Java script redirection: MD5: 75e030e741875d29f12b179f2657e5fd* – ... Trojan.JS.Iframe.aby; Trojan.Webkit!html
    Upon successful client-side exploitation, the campaign drops MD5: 864e1dec051cbd800ed59f6f91554597** – ... W32/Yakes.AP!tr
    Once executed, the malware phones back to 216.38.12.158 :8080/mx/5/B/in... Another domain is known to have been responding to the same IP in the past..."
    * https://www.virustotal.com/file/dcb5...is/1346492654/
    File name: greetings.html
    Detection ratio: 5/42
    Analysis date: 2012-09-01
    ** https://www.virustotal.com/file/df92...1ffc/analysis/
    File name: 97273d9507c8d78679c8cdf591715760aef0c59c
    Detection ratio: 24/42
    Analysis date: 2012-09-03


  6. #6
    AplusWebMaster (Adviser Team)

    $100 billion in losses to cybercrime

    FYI...

    $100 billion in losses to cybercrime ...
    - http://h-online.com/-1701983
    6 Sep 2012 - "According to Symantec's 2012 Norton Cybercrime Report*, worldwide, private individuals have suffered approximately $100 billion (more than £69 billion at the current exchange rate) in financial losses as a result of cybercrime. In the period from July 2011 to July 2012, losses averaged $197 (£124) per victim. A total of 556 million adults are reported to have fallen victim to malware, phishing or similar virtual crimes. The report claims that there are 1.5 million victims of cybercrime each day, or about 18 per second. The security specialist's report also states that two-thirds of internet users have been caught out by cybercriminals at some point in their lives, and almost half (46%) were victims during the period covered by the report... Around 40% of people don't use complex passwords or don't change their passwords regularly. There appears to be a clear trend of cybercriminals targeting social networks and mobile devices, with around 20% of users having suffered losses as a result of such attacks. The study also claims that 15% of social media accounts have been compromised and that 10% of users have fallen for fake links and scams on social networks. A total of 75% of those surveyed believe that cybercriminals are increasingly targeting social networking services. Losses within the EU are reported to amount to $16 billion (over £10 billion). China emerges as the country whose citizens have suffered the greatest financial loss – $46 billion (nearly £29 billion) – while Russia has the largest number of victims, with 92% of users surveyed in the country having experienced problems with cybercrime. The report surveyed more than 13,000 online adults aged 18-64 in 24 different countries."
    * http://www.symantec.com/about/news/r...id=20120905_02
    Sept. 5, 2012
    ___

    - http://yro.slashdot.org/story/12/09/...ut-just-as-bad
    Sep 6, 2012
    > http://blogs.cio.com/security/17375/...ages-disappear

    Last edited by AplusWebMaster; 2012-09-07 at 20:07.
