
Thread: SPAM frauds, fakes, and other MALWARE deliveries...

  1. #1271
    AplusWebMaster (Adviser Team) | Join Date: Oct 2005 | Location: USA | Posts: 6,730

    Fake 'Forskolin' SPAM

    FYI...

    Fake 'Forskolin' SPAM - using spoofed email addresses
    - https://myonlinesecurity.co.uk/anoth...ail-addresses/
    22 Sep 2017 - "... malspam campaign again today pushing the crappy, scummy, useless 'Forskolin weight loss' junk... Some subjects in the original emails include (there are hundreds of variants): These pretend to be Facebook notifications about missed private messages or pending notifications:
    You photos that will be deleted in 1 days
    You have notification that will be removed in 5 hours
    For You new message that will be removed in 6 days
    Private message that will be deleted in 3 hours
    You friend that will be deleted in 5 hours
    You have notification that will be deleted in 7 days


    The Hotmail emails look like:
    - https://myonlinesecurity.co.uk/wp-co...ects_email.png

    The original emails look like these:
    - https://myonlinesecurity.co.uk/wp-co.../support_3.png

    - https://myonlinesecurity.co.uk/wp-co.../support_2.png

    - https://myonlinesecurity.co.uk/wp-co.../support_1.png

    The links go to a multitude of -compromised- sites but all eventually end today on
    http ://weight4forlossdiet-4tmz .world/en/caus/forskolin/?bhu=8mczFswKd5ZrUCttf15dChmqRGCWobCch
    (with a different random reference number) where you see a page looking like this:
    > https://myonlinesecurity.co.uk/wp-co...tloss-scam.png
    This shows the importance of having correct authentication set up on your email server with DMARC* reporting, so you know when your email address is being spoofed and used in a mass malspam campaign:
    > https://myonlinesecurity.co.uk/wp-co...c_rejects2.png

    * https://myonlinesecurity.co.uk/anoth...uld-use-dmarc/ "

    weight4forlossdiet-4tmz .world: 192.254.79.249: https://www.virustotal.com/en/ip-add...9/information/
    > https://www.virustotal.com/en/url/5b...ec06/analysis/

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .
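    The DMARC point in the post above is easier to act on with a parser for the aggregate (RUA) reports that receiving mail servers send back to the domain owner. The following is an added Python example, not code from the post or from myonlinesecurity.co.uk; the report XML follows the RFC 7489 Appendix C layout, but the domain example.com, the IP addresses and the counts in it are constructed, and the 100-message threshold in spoofing_suspects is an arbitrary assumption.

```python
"""Summarise a DMARC aggregate (RUA) report so that spoofing of your own domain
shows up as a list of sending IPs that fail both DKIM and SPF alignment."""
import xml.etree.ElementTree as ET

# Constructed sample report in the RFC 7489 Appendix C format. Domain, IPs and
# counts are made up; 198.51.100.x plays the part of a malspam source.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>example-receiver.net</org_name>
    <report_id>1234567890</report_id>
    <date_range><begin>1506038400</begin><end>1506124800</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain>
    <adkim>r</adkim><aspf>r</aspf>
    <p>reject</p><pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>203.0.113.10</source_ip>
      <count>2</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.77</source_ip>
      <count>1450</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.78</source_ip>
      <count>310</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
</feedback>
"""


def parse_dmarc_report(xml_text):
    """Walk every <record>, counting messages that passed at least one aligned check
    against those that failed both (the spoofed ones)."""
    root = ET.fromstring(xml_text)
    policy = root.find("policy_published")
    summary = {
        "domain": policy.findtext("domain"),
        "policy": policy.findtext("p"),
        "reporter": root.findtext("report_metadata/org_name"),
        "aligned": 0,
        "unaligned": 0,
        "unaligned_sources": {},  # source IP -> number of messages failing both checks
    }
    for rec in root.findall("record"):
        row = rec.find("row")
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        evaluated = row.find("policy_evaluated")
        dkim_ok = evaluated.findtext("dkim") == "pass"
        spf_ok = evaluated.findtext("spf") == "pass"
        if dkim_ok or spf_ok:
            summary["aligned"] += count
        else:
            summary["unaligned"] += count
            sources = summary["unaligned_sources"]
            sources[ip] = sources.get(ip, 0) + count
    return summary


def spoofing_suspects(summary, threshold=100):
    """Source IPs that sent more than `threshold` unaligned messages claiming to be
    the reported domain. The threshold is an assumption; tune it to your volume."""
    return sorted(ip for ip, n in summary["unaligned_sources"].items() if n > threshold)


if __name__ == "__main__":
    s = parse_dmarc_report(SAMPLE_REPORT)
    print("%s (p=%s) as seen by %s: %d aligned, %d unaligned"
          % (s["domain"], s["policy"], s["reporter"], s["aligned"], s["unaligned"]))
    for ip in spoofing_suspects(s):
        print("  spoofing source:", ip, "messages:", s["unaligned_sources"][ip])
```

    Real reports arrive as gzip or zip attachments to the rua= mailbox in your DMARC record; unpack them first and feed each XML file to parse_dmarc_report. A sudden jump in the unaligned count from IPs you do not operate is exactly the signal the post describes.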

  2. #1272
    AplusWebMaster (Adviser Team)

    Fake 'BL copy' SPAM

    FYI...

    Fake 'BL copy' SPAM - RTF exploit delivers malware
    - https://myonlinesecurity.co.uk/fwd-b...liver-malware/
    24 Sep 2017 - "An email with the subject of 'Fwd: BL copy' coming from pedro.estaba@ cindu .com.ve with a malicious word doc attachment delivers malware using the RTF exploit CVE-2017-0199. The word doc is actually an RTF doc. It is highly likely that recipients will get a similar email with different senders and email body content, imitating various innocent companies. These download -multiple- different malwares.
    > https://nvd.nist.gov/vuln/detail/CVE-2017-0199
    Last Modified: 04/12/2017
    CVSS v2 Base Score: 9.3 HIGH

    Screenshot: https://myonlinesecurity.co.uk/wp-co...09/BL-copy.png

    The CVE-2017-0199 exploit was plugged in all supported versions of Microsoft Office back in April 2017, with additional fixes in subsequent Security updates including September 2017. If you have not applied the patches, then simply opening or even just -previewing- these word docs in your email client or windows explorer might be enough to infect you...

    export.doc - Current Virus total detections 24/59[1]. Payload Security[2]. Both Payload Security and manual analysis show a download of an HTA file from
    http ://birsekermasali .com/hta/docs.hta (VirusTotal 15/59[3]) (Payload Security[4]) which contains encoded / encrypted commands to download
    http ://birsekermasali .com/js/boss/payment.exe which is giving a 404.
    I decided to dig around a bit on the open directories on birsekermasali .com and see what I could find. Trying
    http ://birsekermasali .com/js/boss/ gave me a password required prompt, but trying the
    http ://birsekermasali .com/hta/ gave me -2- additional -HTA- files:

    allfiles.hta (VirusTotal 6/58[5]) (Payload Security[6]) which downloads
    http ://birsekermasali .com/js/boss/invoices.exe (VirusTotal 38/65[7]) (Payload Security[8])
    kelly.hta (VirusTotal 14/59[9]) (Payload Security[10]) which downloads
    http ://birsekermasali .com/js/kels/docs.exe (VirusTotal 46/65[11]) (Payload Security[12]) which in turn downloads
    http ://birsekermasali .com/js/kels/dates.exe (VirusTotal 41/59[13]) (Payload Security[14])... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    1] https://www.virustotal.com/en/file/8...is/1506187514/

    2] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    192.185.115.14

    3] https://www.virustotal.com/en/file/7...is/1506231952/
    docs[1].hta

    4] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    192.185.115.14
    74.125.206.106
    162.221.190.147
    209.9.53.57
    69.172.201.153
    198.54.116.113
    213.167.231.2
    112.175.232.227
    23.227.38.64
    121.127.250.125


    5] https://www.virustotal.com/en/file/1...is/1506234023/
    allfiles.hta

    6] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    192.185.115.14
    74.125.206.106
    162.221.190.147
    209.9.53.57
    69.172.201.153
    198.54.116.113
    213.167.231.2
    112.175.232.227
    23.227.38.64
    121.127.250.125


    7] https://www.virustotal.com/en/file/6...is/1506170974/

    8] https://www.hybrid-analysis.com/samp...ironmentId=100

    9] https://www.virustotal.com/en/file/f...is/1506234037/
    kelly.hta

    10] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    192.185.115.14
    198.54.115.96


    11] https://www.virustotal.com/en/file/f...is/1506035556/
    output.112274294.txt

    12] https://www.hybrid-analysis.com/samp...ironmentId=100

    13] https://www.virustotal.com/en/file/2...is/1506118256/

    14] https://www.hybrid-analysis.com/samp...ironmentId=100

    birsekermasali .com: 192.185.115.14: https://www.virustotal.com/en/ip-add...4/information/
    > https://www.virustotal.com/en/url/c0...03a3/analysis/
    > https://www.virustotal.com/en/url/da...7cbc/analysis/

    Last edited by AplusWebMaster; 2017-09-24 at 13:02.

  3. #1273
    AplusWebMaster (Adviser Team)

    Fake 'Voice Message' SPAM

    FYI...

    Fake 'Voice Message' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/fake-...ky-ransomware/
    25 Sep 2017 - "... Locky ransomware.... They are sticking with 'Voice Message' theme again today. It is an email with the subject of 'Message from 02031136950' (random phone number) pretending to come from server@ random number.um .broadviewnet .net. They all come from 'Message Server' and the email address is server@ random number.um .broadviewnet .net...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...2031136950.png

    Voice Message(02031136950.7z: Extracts to: Voice Message(02090039814).vbs - Current Virus total detections 10/58*. Payload Security**. These -vbs- files download from a large number of -compromised- sites. This example contacts
    asheardontheradiogreens .com/YTkjdJH7w1
    tertrodefordown .info/af/YTkjdJH7w1
    artplast .uz/YTkjdJH7w1?
    where a txt file is downloaded. The file is actually a renamed .exe file (VirusTotal 17/65***). With these, if there is a ? at the end of a URL, you get a renamed .txt file. If there is no ?, you get an .exe that has no extension... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/e...is/1506322168/
    Voice Message(02090039814).vbs

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    199.30.241.139

    *** https://www.virustotal.com/en/file/b...is/1506322258/
    YTkjdJH7w1.txt

    asheardontheradiogreens .com: 199.30.241.139: https://www.virustotal.com/en/ip-add...9/information/
    > https://www.virustotal.com/en/url/cd...05d7/analysis/

    tertrodefordown .info: 49.51.36.73: https://www.virustotal.com/en/ip-add...3/information/
    > https://www.virustotal.com/en/url/fa...0c52/analysis/

    artplast .uz: 62.209.133.18: https://www.virustotal.com/en/ip-add...8/information/
    > https://www.virustotal.com/en/url/2e...f65d/analysis/

    Last edited by AplusWebMaster; Yesterday at 18:52.
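    Both the 'BL copy' post (a "word doc" that is really RTF, carrying the CVE-2017-0199 OLE object) and the 'Voice Message' post (an .exe delivered as a renamed .txt, or with no extension at all) come down to the same defensive check: classify an attachment by its leading bytes, not by its name. The script below is an added Python example, not code from the posts or from myonlinesecurity.co.uk. The sample byte strings are constructed stand-ins for the files described, and the list of RTF control words used as an "embedded OLE object" marker is a triage heuristic of mine, not something the posts cite.

```python
"""Triage email attachments by content rather than by name, flagging the two
mismatches the posts describe: RTF behind a .doc extension, and a PE executable
behind a .txt extension or no extension."""

RTF_MAGIC = b"{\\rtf"
OLE_CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy binary .doc/.xls container
OOXML_MAGIC = b"PK\x03\x04"                            # .docx/.xlsx are zip archives
PE_MAGIC = b"MZ"                                       # Windows executables

# Assumption: RTF control words that introduce embedded or linked OLE objects.
# An RTF carrying any of these is worth detonating in a sandbox before it is previewed.
OLE_CONTROL_WORDS = (b"\\object", b"\\objdata", b"\\objupdate", b"\\objautlink", b"\\objemb")

EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".scr", ".com"}


def detect_format(data):
    """Identify the container from its leading bytes, ignoring the file name entirely."""
    if data.startswith(RTF_MAGIC):
        return "rtf"
    if data.startswith(OLE_CFB_MAGIC):
        return "ole"
    if data.startswith(OOXML_MAGIC):
        return "ooxml"
    if data.startswith(PE_MAGIC):
        return "pe"
    return "unknown"


def split_extension(filename):
    """Lower-cased extension including the dot, or '' when the name has none."""
    name = filename.lower()
    dot = name.rfind(".")
    return name[dot:] if dot > 0 else ""


def triage(filename, data):
    """Return the detected format plus the reasons, if any, the file deserves a sandbox run."""
    ext = split_extension(filename)
    fmt = detect_format(data)
    findings = []
    if fmt == "pe" and ext not in EXECUTABLE_EXTENSIONS:
        findings.append("PE executable (MZ header) named as %s" % (ext or "a file with no extension"))
    elif ext == ".txt" and fmt != "unknown":
        findings.append("binary %s content inside a .txt file" % fmt)
    if fmt == "rtf":
        if ext in (".doc", ".docx"):
            findings.append("RTF content behind a Word extension")
        found = [w.decode() for w in OLE_CONTROL_WORDS if w in data]
        if found:
            findings.append("RTF carries OLE object control words: " + ", ".join(found))
    return {"filename": filename, "format": fmt, "findings": findings, "sandbox": bool(findings)}


# Constructed samples standing in for the attachments the posts describe.
SAMPLE_FAKE_DOC = b"{\\rtf1\\ansi{\\object\\objautlink\\objupdate{\\*\\objdata 01050000020000000}}}"
SAMPLE_RENAMED_EXE = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
SAMPLE_REAL_DOCX = b"PK\x03\x04\x14\x00\x06\x00" + b"\x00" * 24

if __name__ == "__main__":
    for name, blob in (("export.doc", SAMPLE_FAKE_DOC),
                       ("YTkjdJH7w1.txt", SAMPLE_RENAMED_EXE),
                       ("YTkjdJH7w1", SAMPLE_RENAMED_EXE),
                       ("quarterly.docx", SAMPLE_REAL_DOCX)):
        result = triage(name, blob)
        print("%-16s %-8s sandbox=%s  %s" % (name, result["format"], result["sandbox"],
                                             "; ".join(result["findings"])))
```

    Run at the mail gateway or on a quarantine share, this catches both posts' tricks before anyone opens or previews the file; anything it flags goes to a sandbox such as the Payload Security runs linked above rather than to a user's inbox.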
