
Thread: SPAM frauds, fakes, and other MALWARE deliveries...

Post #34 by AplusWebMaster (Adviser Team)

    SCAM and SPAM ...

    FYI... multiple entries:

    iPad SCAM ...
    - http://www.gfi.com/blog/twitter-dm-l...-to-ipad-scam/
    Oct 24, 2012 - "We have been reading reports of malware and phishing attacks by means of suspicious direct messages to get user systems infected or have user information and credentials stolen, a ploy that is fast becoming common in the Twittersphere now more than ever. One GFI Labs blog reader gave us the heads up on the latest DM currently making rounds on Twitter. The message says:
    did you see your pics with her facebook(dot)com/45569965114786…
    Users who click the embedded link are led to a Facebook app page, which then executes a PHP script—
    > http://www.gfi.com/blog/wp-content/u...nd-traffic.png
    ... —before redirecting them to this:
    > http://www.gfi.com/blog/wp-content/u...ge-300x181.jpg
    It appears to be a genuine Facebook event page; however, the URL has made obvious that it’s not at all related to the said social networking site.
    Depending on where users are in the US and UK, they are led to either a survey scam page or a phishing page once they click - Click here.:
    > http://www.gfi.com/blog/wp-content/u...am-300x222.jpg
    ...
    > http://www.gfi.com/blog/wp-content/u...ge-300x285.png
    ... Others are redirected to this ad campaign page we’re probably familiar with:
    > http://www.gfi.com/blog/wp-content/u...ge-300x201.png
    We have determined that more than 4,500 Internet users have visited the dodgy Facebook app page; however, it is unclear how many have fallen victim to these scams... quick reminder to our readers: think before you click..."
    ___

    Contract SPAM / fidelocastroo .ru
    - http://blog.dynamoo.com/2012/10/cont...castrooru.html
    24 Oct 2012 - "This fake contact spam leads to malware on fidelocastroo .ru:
    Date: Tue, 23 Oct 2012 12:33:51 -0800
    From: "Wilburn TIMMONS" [HIWilburn@hotmail.com]
    Subject: Fw: Contract from Wilburn
    Attachments: Contract_Scan_DS23656.htm
    Hello,
    In the attached file I am transferring you the Translation of the Job Contract that I have just received today. I am really sorry for the delay.
    Best regards,
    Wilburn TIMMONS, secretary
    The .htm attachment contains obfuscated javascript that attempts to direct the visitor to a malicious [donotclick]fidelocastroo .ru:8080/forum/links/column.php. This domain name has been used in several recent attacks and is currently multihomed on some familiar IP addresses:

    202.3.245.13 (President of French Polynesia*)
    203.80.16.81 (MYREN, Malaysia)
    209.51.221.247 (eNet, US)

    * http://blog.dynamoo.com/2012/10/pres...polynesia.html ..."
    ___

    Bogus Windows License SPAM - in the Wild
    - http://www.gfi.com/blog/bogus-window...s-in-the-wild/
    Oct 24, 2012 - "... Below is a screenshot of a new spam run in the wild... presents to recipients a very suspicious but very free license for Microsoft Windows that they can download. Sounds too good to be true? It probably is.
    > http://www.gfi.com/blog/wp-content/u...22-300x124.png
    From: {random email address}
    Subject: Re: Fwd: Order N [redacted]
    Message body:
    Welcome,
    You can download your Microsoft Windows License here -
    Microsoft Corporation

    Clicking the hyperlinked text leads recipients to a number of .ru websites hosting the file, page2.htm (screenshot below), which contains obfuscated JavaScript code that loads the Web page fidelocastroo(dot)ru(colon)8080/forums/links/column(dot)php.
    > http://www.gfi.com/blog/wp-content/u...ole-300x83.png
    This spam is a launchpad for a Blackhole-Cridex attack on user systems. This method is likewise being used by the most recent campaign of the “Copies of Policies” spam*, also in the wild..."
    * http://gfisoftware.tumblr.com/tagged/Copies-of-Policies
    ___

    Wire Transfer SPAM / ponowseniks .ru
    - http://blog.dynamoo.com/2012/10/wire...wseniksru.html
    24 Oct 2012 - "This fake wire transfer spam leads to malware on ponowseniks .ru:
    Date: Wed, 24 Oct 2012 04:26:12 -0500
    From: FedEx [info@emails.fedex.com]
    Subject: Re: Fwd: Wire Transfer Confirmation (FED REFERENCE 9649AA02)
    Attachments: Report_Trans99252.htm
    Dear Bank Operator,
    WIRE TRANSFER: FEDW-30126495944197210
    STATUS: REJECTED
    You can find details in the attached file.
    (Internet Explorer format)

    The .htm attachment attempts to redirect the user to a malicious page at [donotclick]ponowseniks .ru:8080/forum/links/column.php hosted on some familiar IP addresses:
    202.3.245.13 (President of French Polynesia)
    203.80.16.81 (MYREN, Malaysia)
    209.51.221.247 (eNet, US)"
    ___

    BBB SPAM / samplersmagnifyingglass .net
    - http://blog.dynamoo.com/2012/10/bbb-...gglassnet.html
    24 Oct 2012 - "This fake BBB spam leads to malware on samplersmagnifyingglass .net:
    Date: Wed, 24 Oct 2012 22:10:18 +0430
    From: "Better Business Bureau" [noreply@bbb.org]
    Subject: Better Business Beareau Appeal #42790699
    Attention: Owner/Manager
    Here with the Better Business Bureau notifies you that we have been sent a claim (ID 42790699) from one of your consumers about their dealership with you.
    Please view the CLAIMS REPORT down to view more information on this problem and suggest us about your point of view as soon as possible.
    On a website above please enter your complain id: 42790699 to review it.
    We are looking forward to hearing from you.
    -----------------------------------
    Faithfully,
    Rebecca Wilcox
    Dispute advisor
    Better Business Bureau
    The malicious payload is on [donotclick]samplersmagnifyingglass .net/detects/confirming_absence_listing.php hosted on 183.81.133.121, a familiar IP address belonging to Vodafone in Fiji that has been used several times before and is well worth blocking."

    Last edited by AplusWebMaster; 2012-10-24 at 22:46.
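The write-ups above share infrastructure (the same three hosting IPs, the same `:8080/forum/links/column.php` landing path). The following is an added example, not code from the post or the quoted blogs, that applies those indicators to constructed proxy log lines and shows why blocking the shared IPs also catches a domain that is not yet on any list. Log format, client addresses and `unknown-host.example` are assumptions for illustration.

```python
import re
from collections import defaultdict

# Indicators quoted in the Dynamoo / GFI write-ups above (Oct 2012).
MALICIOUS_DOMAINS = {"fidelocastroo.ru", "ponowseniks.ru", "samplersmagnifyingglass.net"}
SHARED_IPS = {"202.3.245.13", "203.80.16.81", "209.51.221.247", "183.81.133.121"}
# Blackhole landing path shared by the fidelocastroo and ponowseniks campaigns.
# Both "forum" and "forums" appear in the quoted reports, so accept either.
LANDING_PATH = re.compile(r":8080/forums?/links/column\.php")

# Constructed sample proxy log (not taken from the post):
# <timestamp> <client> <dest_ip> <host> <url>
SAMPLE_PROXY_LOG = """\
2012-10-24T12:40:01 10.0.0.15 202.3.245.13 fidelocastroo.ru http://fidelocastroo.ru:8080/forum/links/column.php
2012-10-24T12:41:10 10.0.0.22 93.184.216.34 example.com http://example.com/index.html
2012-10-24T13:02:55 10.0.0.15 209.51.221.247 ponowseniks.ru http://ponowseniks.ru:8080/forum/links/column.php
2012-10-24T13:10:07 10.0.0.31 183.81.133.121 samplersmagnifyingglass.net http://samplersmagnifyingglass.net/detects/confirming_absence_listing.php
2012-10-24T13:15:30 10.0.0.40 203.80.16.81 unknown-host.example http://unknown-host.example/forum/links/column.php
"""


def classify(line):
    """Return the list of indicator types a single log line matches (empty if clean)."""
    parts = line.split()
    if len(parts) != 5:
        return []  # malformed line: ignore rather than guess
    _ts, _client, dest_ip, host, url = parts
    reasons = []
    if host in MALICIOUS_DOMAINS:
        reasons.append("domain")
    if dest_ip in SHARED_IPS:
        reasons.append("ip")  # shared hosting catches hosts not yet on a domain list
    if LANDING_PATH.search(url):
        reasons.append("path")
    return reasons


def scan(log_text):
    """Map each flagged client address to the set of indicator types it triggered."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        reasons = classify(line)
        if reasons:
            hits[line.split()[1]].update(reasons)
    return dict(hits)


if __name__ == "__main__":
    for client, reasons in sorted(scan(SAMPLE_PROXY_LOG).items()):
        print(client, sorted(reasons))
```

The client 10.0.0.40 is flagged on the hosting IP alone, which is the point the Dynamoo posts make about those "familiar" addresses being worth blocking.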