Thread: SPAM frauds, fakes, and other MALWARE deliveries...

    AplusWebMaster (Adviser Team) - Join Date: Oct 2005 - Location: USA - Posts: 6,881

    Fake Invoice SPAM, Malvertising...

    FYI...

    Fake Invoice SPAM - malicious attachment ...
    - http://blog.dynamoo.com/2014/08/moru...ware-spam.html
    27 Aug 2014 - "This -fake- invoice spam claims to be from a (real) coal mine in Botswana. But in fact the PDF file attached to the message is malicious.
    From: Madikwe, Gladness [GMadikwe@mcm.co.uk]
    Date: 27 August 2014 10:43
    Subject: Tax Invoice for Delivery Note 11155 dated 22.08.14
    Hello ,
    Please find attached the invoice for delivery note 11155 which was created on the 22 . 08. 14 after a system error to process this tax invoice.
    Thank you
    Regards
    Gladness B Madikwe
    Sales & Marketing Clerk
    Morupule Coal Mine ...


    Screenshot: http://1.bp.blogspot.com/-1wXuSVrxkn...0/moropule.png

    Neither the Morupule Coal Mine nor the Debswana Diamond Company mentioned in the disclaimer are anything to do with this spam email, in fact it originates from a -hacked- machine in India. The attachment has a VirusTotal detection rate of 5/54*. My PDF.. isn't good enough to tell you what this malware actually does, but you can definitely guarantee that it is malicious."
    * https://www.virustotal.com/en-gb/fil...is/1409133512/
    ___

    Malvertising: Not all Java from java .com is legit
    - http://blog.fox-it.com/2014/08/27/ma...is-legitimate/
    Aug 27, 2014 - "... getting a Java exploit via java .com, the primary source for one of the most commonly used browser plugins? Current malvertising campaigns are able to do this... real-time advertisement bidding platforms being infiltrated by cyber criminals spreading malware... Malvertising has changed over the years starting with exploitation of weak advertisement management panels... evolved into pretending to be a legit third party advertiser with social engineering. The current malvertising techniques are quite deceptive and most of the time only noticeable at the client side... It can be a malicious advertiser 3 layers down in the chain but it can also be on the 1st level... observed multiple high-profile websites -redirecting- their visitors to malware... These websites have not been compromised themselves, but are the victim of malvertising. This means an advertisement provider, providing its services to a small part of a website, serves malicious advertisement aimed at infecting visitors with malware. While monitoring network traffic to and from workstations we observed a higher than usual amount of infections. When investigating these incidents in depth we noticed that they were infected with advertisements served via high-profile websites... the following websites were observed redirecting and/or serving malicious advertisements to their visitors:
    Java .com
    Deviantart .com
    TMZ .com
    Photobucket .com
    IBTimes .com
    eBay .ie
    Kapaza .be
    TVgids .nl
    The advertisement in this case included the Angler exploit kit. Upon landing on this exploit kit a few checks were done to confirm whether the user is running a vulnerable version of either Java, Flash or Silverlight. If the user was deemed vulnerable the exploit kit would embed an exploit initiating a download of a malicious payload, in this campaign it was the Asprox malware. This whole process of malvertising towards an exploit kit is also visualized in the image at the top of this post. Please note, a visitor does -not- need to -click- on the malicious advertisements in order to get infected. This all happens silently in the background as the ad is loaded by the user’s browser... ... 3 IPs having been associated with these domains:
    198.27.88.157: https://www.virustotal.com/en/ip-add...7/information/
    94.23.252.38: https://www.virustotal.com/en/ip-add...8/information/
    178.32.21.248: https://www.virustotal.com/en/ip-add...8/information/
    There is no silver bullet to protect yourself from malvertising. At a minimum:
    - Enable click-to-play in your browser. This prevents 3rd party plugins from executing automatically.
    - Keep all plugins running in the browser up-to-date using tools like Secunia PSI.
    - Consider turning off unneeded plugins if you don’t use them. For example, Java can be installed without the web-plugin component lowering the risk of exploitation and infection..."
    (More detail at the fox-it URL above.)
    ___

    "Customer Statements" - malware SPAM
    - http://blog.dynamoo.com/2014/08/cust...ware-spam.html
    27 Aug 2014 - "This brief spam has a malicious PDF attachment:
    From: Accounts [hiqfrancistown910@ gmail .com]
    Date: 27 August 2014 09:51
    Subject: Customer Statements
    Good morning, attached is your statement.
    My regards.
    W ELIAS


    Attached is a file Customer Statements.PDF which has a VirusTotal detection rate of 6/55*. Analysis is pending."
    * https://www.virustotal.com/en-gb/fil...is/1409135030/
    ___

    Royal Bank of Canada Payment Spam
    - http://threattrack.tumblr.com/post/9...a-payment-spam
    Aug 27, 2014 - "Subjects Seen:
    The Bank INTERAC to Leo Dooley was accepted.
    Typical e-mail details:
    The INTERAC Bank payment $19063.01 (CAD) that you sent to Leo Dooley, was accepted.
    The transfer is now complete.
    Message recipient: The rating was not provided.
    See details in the attached report.
    Thank you for using the Service INTERAC Bank RBC Royal Bank.


    Malicious File Name and MD5:
    INTERAC_PAYMENT_08262014.exe (B064F8DA86DB1C091E623781AB464D8A)
    INTERAC_PAYMENT_08262014.zip (71239A9D9D25105CEC3DF269F1FDCA2D)


    Screenshot: https://gs1.wac.edgecastcdn.net/8019...Uqn1r6pupn.png

    Tagged: RBC, Upatre
    ___

    AT&T DocuSign Spam
    - http://threattrack.tumblr.com/post/9...-docusign-spam
    Aug 27, 2014 - "Subjects Seen:
    Please DocuSign this document: Contract_changes_08_27_2014 .pdf
    Typical e-mail details:
    Hello,
    AT&T Contract Changes has sent you a new DocuSign document to view and sign. Please click on the ‘View Documents’ link below to begin signing.


    Malicious URLs:
    79.172.51.73/Docusign/wps/myportal/sitemap/Member/ATT/SignDocument/7c16d8c7-e5ad-4870-bb79-1c1e4c9b35d6&er=fb88d3b6-88f4-4903-ae77-41754063bd7c/Contract_changes_08_27_2014.zip
    Malicious File Name and MD5:
    Contract_changes_08_27_2014.zip (5ED69A412ADB215A1DABB44E88C8C24D)
    Contract_changes_08_27_2014.exe (C65966CCA8183269FF1120B17401E693)


    Screenshot: https://gs1.wac.edgecastcdn.net/8019...IWp1r6pupn.png

    79.172.51.73: https://www.virustotal.com/en-gb/ip-...3/information/

    Tagged: ATT, DocuSign, Upatre

    - http://myonlinesecurity.co.uk/please...e-pdf-malware/
    27 Aug 2014
    ___

    ADP Past Due Invoice Spam
    - http://threattrack.tumblr.com/post/9...e-invoice-spam
    Aug 27, 2014 - "Subjects Seen:
    ADP Past Due Invoice
    Typical e-mail details:
    Your ADP past due invoice is ready for your review at ADP Online Invoice Management.
    If you have any questions regarding this invoice, please contact your ADP service team at the number provided on the invoice for assistance.
    Please note that your bank account will be debited within one banking business day for the amount(s) shown on the invoice.
    Review your ADP past due invoice here...


    Malicious URLs:
    81.80.82.27/upload/portal.adp.com/wps/myportal/sitemap/PayTax/PayStatements/invoice_449017368.zip
    Malicious File Name and MD5:
    invoice_449017368.zip (CF55AD09F9552A80CD1534BD392B44D1)
    invoice_449017368.exe (C65966CCA8183269FF1120B17401E693)


    Screenshot: https://gs1.wac.edgecastcdn.net/8019...D3h1r6pupn.png

    81.80.82.27: https://www.virustotal.com/en-gb/ip-...7/information/

    Tagged: ADP, Upatre
    ___

    Fake Payment Advice SPAM - PDF malware
    - http://myonlinesecurity.co.uk/paymen...e-pdf-malware/
    27 Aug 2014 - "'Payment Advice Note from 27.08.2014' is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email reads:
    Disclaimer:
    This e-mail is intended solely for the use of the individual to whom it is addressed. Any views or opinions presented are solely those of the author and do not represent those of AL-KO KOBER Limited. It may also contain information, which may be privileged and confidential and subject to legal privilege. If you are not the intended recipient, you may not peruse, use, disseminate, distribute or copy this message. If you have received this message in error, please notify the sender immediately by email, facsimile or telephone and return or destroy the original message.
    AL-KO KOBER Limited is Registered in England at Companies Registration Office Cardiff with Company number: 492005. AL-KO KOBER Limited, South Warwickshire Business Park, Kineton Road, Southam, Warwickshire, CV47 0AL.
    Cell 270 547-9194


    27 August 2014: Payment_Advice_Note_27.08.2014.PDF.zip (48 kb)
    Extracts to Payment_Advice_Note_27.08.2014.PDF.scr
    Current VirusTotal detections: 0/55*. This Payment Advice Note from 27.08.2014 is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/2...is/1409154303/

    Last edited by AplusWebMaster; 2014-08-27 at 23:39.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
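As an added example (not part of AplusWebMaster's post or of the blogs it quotes): a small Python triage script built from the indicators above. The MD5 hashes, IPs and download-URL paths are copied from the post; the attachment names, the log-line format and the log lines it is run over are constructed samples, and `evil.example` is a placeholder host. It flags the `.PDF.scr` double-extension trick from the myonlinesecurity item and sweeps proxy log lines for the Upatre download hosts/paths and the Angler/Asprox IPs. One thing the numbers in the post show on their own: the MD5 C65966CC... is listed for both the AT&T DocuSign and the ADP invoice campaigns, i.e. the same Upatre dropper under two lure names, which is why the hash table below maps it to both.

```python
"""Mail-gateway / proxy-log triage against the indicators quoted in this post.

Added example, not code from the forum post or from the blogs it quotes.
The MD5s, IPs and URL paths below are copied from the post; the attachment
names and log lines fed to the functions are constructed samples.
"""
import hashlib
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# --- Indicators copied from the post (threattrack / fox-it / myonlinesecurity items) ---
IOC_MD5 = {
    "b064f8da86db1c091e623781ab464d8a": "INTERAC_PAYMENT_08262014.exe (Upatre)",
    "71239a9d9d25105cec3df269f1fdca2d": "INTERAC_PAYMENT_08262014.zip (Upatre)",
    "5ed69a412adb215a1dabb44e88c8c24d": "Contract_changes_08_27_2014.zip (Upatre)",
    # the same dropper hash is listed under two lure names in the post
    "c65966cca8183269ff1120b17401e693": "Contract_changes_08_27_2014.exe / invoice_449017368.exe (Upatre)",
    "cf55ad09f9552a80cd1534bd392b44d1": "invoice_449017368.zip (Upatre)",
}
IOC_IP = {
    "79.172.51.73": "AT&T DocuSign spam payload host",
    "81.80.82.27": "ADP invoice spam payload host",
    "198.27.88.157": "Angler EK / Asprox malvertising",
    "94.23.252.38": "Angler EK / Asprox malvertising",
    "178.32.21.248": "Angler EK / Asprox malvertising",
}
# Path prefixes of the two download URLs quoted in the post; matched on any host,
# since the same lure kit tends to be re-hosted elsewhere with the path kept.
IOC_PATH_PREFIX = (
    "/Docusign/wps/myportal/sitemap/Member/ATT/SignDocument/",
    "/upload/portal.adp.com/wps/myportal/sitemap/PayTax/PayStatements/",
)

DOC_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "rtf", "txt", "jpg", "png"}
EXEC_EXT = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "jar"}


def is_disguised_executable(name: str) -> bool:
    """Flag 'document.PDF.scr'-style names: the last extension is what runs,
    the one before it is what Explorer shows when known extensions are hidden."""
    parts = name.lower().split(".")
    return len(parts) >= 3 and parts[-1] in EXEC_EXT and parts[-2] in DOC_EXT


def is_executable(name: str) -> bool:
    """Any executable attachment, disguised or not (names inside a .zip included
    if the caller passes the extracted member names)."""
    return name.lower().rsplit(".", 1)[-1] in EXEC_EXT


def lookup_md5(data: bytes) -> Optional[str]:
    """Return the IOC description if the MD5 of the bytes is listed, else None."""
    return IOC_MD5.get(hashlib.md5(data).hexdigest())


# Assumed log layout (constructed for this example): timestamp client method url status bytes
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d{3})")


def sweep_proxy_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (timestamp, client, reason) for every line that touches a listed
    IP or one of the listed download paths."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, client, _method, url, _status = m.groups()
        parts = urlsplit(url)
        host = parts.hostname or ""
        if host in IOC_IP:
            hits.append((ts, client, f"{host}: {IOC_IP[host]}"))
        elif any(parts.path.startswith(p) for p in IOC_PATH_PREFIX):
            hits.append((ts, client, f"known lure path on {host}"))
    return hits


# Constructed sample lines; not real traffic. evil.example is a placeholder host.
SAMPLE_PROXY_LOG = [
    "2014-08-27T09:51:02Z 10.0.0.12 GET http://81.80.82.27/upload/portal.adp.com/wps/myportal/sitemap/PayTax/PayStatements/invoice_449017368.zip 200 49152",
    "2014-08-27T09:52:10Z 10.0.0.12 GET http://www.example.com/index.html 200 1024",
    "2014-08-27T10:03:44Z 10.0.0.31 GET http://198.27.88.157/ 302 0",
    "2014-08-27T10:45:00Z 10.0.0.31 GET http://evil.example/Docusign/wps/myportal/sitemap/Member/ATT/SignDocument/x/Contract_changes_08_27_2014.zip 200 50100",
]

if __name__ == "__main__":
    for att in ("Payment_Advice_Note_27.08.2014.PDF.scr", "Customer Statements.PDF",
                "Contract_changes_08_27_2014.exe"):
        print(f"{att}: disguised={is_disguised_executable(att)} executable={is_executable(att)}")
    for ts, client, reason in sweep_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{ts} {client} -> {reason}")
```

Running it prints the three attachment verdicts (only the `.PDF.scr` name is flagged as disguised; the plain `.exe` is flagged as executable but not disguised) and three log hits: the ADP download host, the Angler IP, and the DocuSign lure path re-hosted on the placeholder domain. Hash lookups should be done on the extracted `.exe`, not only on the `.zip`, since the post lists both and a re-packed archive changes only the outer hash.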