
Thread: SPAM frauds, fakes, and other MALWARE deliveries...

  1. #551 AplusWebMaster (Adviser Team)

    Evil network: 5.135.230.176/28 - OVH, malwr, RIG Exploit Kit ...

    FYI...

    Evil network: 5.135.230.176/28 - OVH
    - http://blog.dynamoo.com/2014/10/evil...ovh-eldar.html
    18 Oct 2014 - "These domains are currently hosted or have recently been hosted on 5.135.230.176/28 and all appear to be malicious in some way, in particular some of them have been hosting the Angler EK* (hat tip)... 5.135.230.176/28 is an OVH IP range allocated to what might be a fictitious customer:
    organisation: ORG-EM25-RIPE
    org-name: eldar mahmudov
    org-type: OTHER
    address: ishveran 9
    address: 75003 paris
    address: FR
    e-mail: mahmudik@ hotmail .com
    abuse-mailbox: mahmudik@ hotmail .com
    phone: +33.919388845
    mnt-ref: OVH-MNT
    mnt-by: OVH-MNT
    changed: noc@ ovh .net 20140621
    source: RIPE
    There appears to be nothing legitimate at all in this IP address range, I strongly recommend that you -block- traffic going to it."
    * http://malware-traffic-analysis.net/.../06/index.html

    Diagnostic page for AS16276 (OVH)
    - https://www.google.com/safebrowsing/...?site=AS:16276
    "... over the past 90 days, 4009 site(s)... resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2014-10-18, and the last time suspicious content was found was on 2014-10-18... we found 543 site(s) on this network... that appeared to function as intermediaries for the infection of 4498 other site(s)... We found 1150 site(s)... that infected 2883 other site(s)..."
    ___

    malwr
    - https://malwr.com/
    Oct. 19, 2014 - "Last Comments:
    Malware.
    222.236.47.53:8080 195.206.7.69:443 46.55.222.24:8080 162.144.60.252:8080 91.212.253.253:443 95.141.32.134:8080"
    - https://malwr.com/about/ >> http://www.shadowserver.org/ *

    - 222.236.47.53: https://www.virustotal.com/en/ip-add...3/information/
    - 195.206.7.69: https://www.virustotal.com/en/ip-add...9/information/
    - 46.55.222.24: https://www.virustotal.com/en/ip-add...4/information/
    - 162.144.60.252: https://www.virustotal.com/en/ip-add...2/information/
    - 91.212.253.253: https://www.virustotal.com/en/ip-add...3/information/
    - 95.141.32.134: https://www.virustotal.com/en/ip-add...4/information/

    Bot Count Graphs
    * https://www.shadowserver.org/wiki/pm...untYearly#toc1
    Page last modified on Sunday, 19 October 2014
    ___

    - http://blog.dynamoo.com/2014/10/fina...spam-uses.html
    17 Oct 2014
    ... ShippingLable_HSDAPDF.scr
    - https://www.virustotal.com/en/file/9...is/1413566277/
    ... Comments:
    Full list of CnCs:
    5.135.28.118: https://www.virustotal.com/en/ip-add...8/information/
    185.20.226.41: https://www.virustotal.com/en/ip-add...1/information/
    5.63.155.195: https://www.virustotal.com/en/ip-add...5/information/
    ___

    RIG Exploit Kit Dropping CryptoWall 2.0
    - http://www.threattracksecurity.com/i...ryptowall-2-0/
    Oct 17, 2014 - "... observed spammers exploiting vulnerable WordPress links to -redirect- users to servers hosting the RIG Exploit Kit, which takes advantage of any number of vulnerabilities in unpatched Silverlight, Flash, Java and other applications to drop CryptoWall 2.0... nasty updated version of CryptoWall, which has built up steam since the disruption of CryptoLocker. Once infected with CryptoWall 2.0, users’ files are encrypted and held for ransom. The spammers behind this latest campaign seem to be the same crew behind a recent wave of eFax spam reported over at Dynamoo’s Blog*... The campaign Dynamoo revealed is being hosted side-by-side on the same server as the RIG Exploit Kit: hxxp ://206.253.165.76 :8080. The exploit redirector is hxxp ://206.253.165.76 :8080/ord/rot.php. And the spam Dynamoo reported is hxxp ://206.253.165.76 :8080/ord/ef.html... The exploit redirector is hxxp :// 206.253.165.76 :8080/ord/rot.php... malicious link loads a RIG Exploit Kit landing page to exploit any of its targeted vulnerabilities to drop CryptoWall 2.0. The MD5 of the sample analyzed is 8cc0ccec8483dcb9cfeb88dbe0184402 ..."
    * http://blog.dynamoo.com/2014/10/efax...0204-spam.html

    206.253.165.76: https://www.virustotal.com/en/ip-add...6/information/

    Last edited by AplusWebMaster; 2014-10-19 at 22:44.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .
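    A small matcher, added here as an example and not taken from any of the posts or blogs quoted above, that checks outbound connection log lines against the indicators collected in this post: the OVH /28, the hosts from the malwr comment, the CnC list for ShippingLable_HSDAPDF.scr, and the RIG host 206.253.165.76. The log line format, the sample lines and the labels are constructed for the example; the /28 match is done with ipaddress so any host in 176-191 is caught, not just the literal .176.

```python
"""Match outbound connections against the indicators collected in the post above."""
import ipaddress
import re
from typing import Optional

# Indicators as given in the post; the labels are mine.
INDICATORS = [
    ("5.135.230.176/28", "OVH range flagged by Dynamoo (Angler EK)"),
    ("206.253.165.76/32", "RIG EK / eFax spam host (ThreatTrack)"),
    ("5.135.28.118/32", "CnC, ShippingLable_HSDAPDF.scr"),
    ("185.20.226.41/32", "CnC, ShippingLable_HSDAPDF.scr"),
    ("5.63.155.195/32", "CnC, ShippingLable_HSDAPDF.scr"),
    ("222.236.47.53/32", "malwr.com comment"),
    ("195.206.7.69/32", "malwr.com comment"),
    ("46.55.222.24/32", "malwr.com comment"),
    ("162.144.60.252/32", "malwr.com comment"),
    ("91.212.253.253/32", "malwr.com comment"),
    ("95.141.32.134/32", "malwr.com comment"),
]
# Parse once; ip_network raises on a malformed entry, which is what you want for a blocklist.
_NETS = [(ipaddress.ip_network(cidr), label) for cidr, label in INDICATORS]

# Constructed log format (assumption): key=value pairs, one connection per line.
_LINE = re.compile(r"dst=(?P<dst>[0-9a-fA-F:.]+)\s+dport=(?P<dport>\d+)")


def lookup(ip: str) -> Optional[str]:
    """Return the label of the indicator containing ip, else None.
    The most specific (longest prefix) match wins."""
    addr = ipaddress.ip_address(ip)
    hits = [(net.prefixlen, label) for net, label in _NETS if addr in net]
    if not hits:
        return None
    return max(hits)[1]


def scan_log(lines):
    """Return [(line_no, dst, dport, label)] for every connection to an indicator.
    Lines that do not parse (headers, blanks) are skipped rather than raising."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = _LINE.search(line)
        if not m:
            continue
        label = lookup(m["dst"])
        if label:
            hits.append((n, m["dst"], int(m["dport"]), label))
    return hits


# Constructed sample lines, not captured traffic.
SAMPLE_LOG = """\
2014-10-19T10:01:02 src=10.1.2.3 dst=5.135.230.180 dport=80 proto=tcp
2014-10-19T10:01:03 src=10.1.2.3 dst=5.135.230.192 dport=80 proto=tcp
2014-10-19T10:01:04 src=10.1.2.4 dst=206.253.165.76 dport=8080 proto=tcp
2014-10-19T10:01:05 src=10.1.2.4 dst=93.184.216.34 dport=443 proto=tcp
2014-10-19T10:01:06 src=10.1.2.5 dst=222.236.47.53 dport=8080 proto=tcp
""".splitlines()

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("line %d: %s:%d -> %s" % hit)
```

    The second sample line (5.135.230.192) is deliberately one address past the /28 and must not match; if your own list is entered as bare IPs rather than CIDRs, add the /32 explicitly so ip_network does not reject them.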

  2. #552 AplusWebMaster (Adviser Team)

    Fake 'invoice' xls, doc malware SPAM, Dropbox phish ...

    FYI...

    Fake 'unpaid invoice' SPAM - xls malware
    - http://myonlinesecurity.co.uk/acorn-...l-xls-malware/
    20 Oct 2014 - "An email pretending to be an unpaid invoice and threatening court action with a subject of 'Acorn Engineering Limited trading' is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    Acorn-Maintenance-Engineering-logo...
    October 20, 2014
    Head Office
    Acorn Engineering Limited trading
    as Acorn Maintenance
    Acorn House
    20 Wellcroft Road
    Slough
    Berkshire
    SL1 4AQ
    Tel: 01753 386 073
    Fax: 01753 409 672
    Dear ...
    Reference: 48771955-A8
    Court action will be the consequence of your ignoring this letter.
    Despite our telephone calls on October 10 and our letters of September 25, 2014 and October 20, 2014, and your promise to pay, payment of your account has still not been received. If full payment is not received by October 22, 2014 court action will be taken against your company.
    If you allow this to happen you will incur court costs and you may forfeit your company’s credit status because the name of your company will be recorded by the major credit reference agencies. This may deter others from supplying you.
    You are also being charged debt recovery costs and statutory interest of 8% above the reference rate (fixed for the six month period within which date the invoices became overdue) pursuant to the late payment legislation.
    To stop this from happening please pay in full now the overdue invoice which is also attached to this letter.
    Yours truly,
    signature-Mishenko.gif (626×272)
    Nadine Cox,
    Accountant
    Acorn Engineering Limited
    Enclosure (Attachment)


    20 October 2014: Copy4313_B0.zip: Extracts to: Invoice_7380901925299.xls.exe
    Current Virus total detections: 3/54* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper Microsoft Excel xls file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/0...is/1413800273/
    ___

    Fake PDF invoice SPAM
    - http://www.symantec.com/connect/blog...ore-you-expect
    Oct 20, 2014 - "... Over the past week, Symantec has observed a spam campaign involving suspicious emails that masquerade as unpaid invoices. However, these suspicious emails come with a nasty surprise attached in the form of a malicious .pdf file.
    Malicious .pdf file attached to suspicious email:
    > http://www.symantec.com/connect/site...31/Fig1_19.png
    While these invoices may appear to be legitimate because the sender’s email address may be associated with a major company, the emails contain spelling errors in the subject line and the body of the email contains just one line of text. Most business emails contain a personal greeting to the recipient and the sender’s signature, but these emails have neither. These signs should serve as warnings to users that the email is not what it claims to be. The attached .pdf file has malicious shellcode hidden inside of it that will be executed when opened with a vulnerable version of Adobe Reader... attackers are trying to exploit the Adobe Acrobat and Reader Unspecified Remote Integer Overflow Vulnerability (CVE-2013-2729) by triggering the vulnerability while parsing the crafted Bitmap encoded image... The embedded shellcode acts as a downloader which downloads a malicious executable file (Infostealer.Dyranges) from a remote location. The downloaded malware attempts to install itself as a service called “google update service”... If successful, the malware is then able to steal confidential information entered into Web browsers by the user. Symantec recommends that users exercise caution when opening emails and attachments from unexpected or unknown senders. We also advise that PDF viewers and security software be kept up-to-date. Symantec detects the malicious .pdf file used in this campaign as Trojan.Pidief*."
    * http://www.symantec.com/security_res...022-99&tabid=2
    ___

    Fake 'LogMeIn Security Update' SPAM – PDF malware
    - http://myonlinesecurity.co.uk/octobe...e-pdf-malware/
    20 Oct 2014 - "An email that says it is an announcement that you need to install a new 'LogMeIn security certificate' which pretends to come from LogMeIn .com < auto-mailer@ logmein .com > with a subject of October 16, 2014 'LogMeIn Security Update' is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...ity-update.png

    20 October 2014: cert_client.zip: Extracts to: cert_1020.scr
    Current Virus total detections: 1/52* . This October 16, 2014 'LogMeIn Security Update' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a legitimate file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en-gb/fil...is/1413811609/
    ___

    Fake 'my new photo ' SPAM - trojan variant
    - http://blog.mxlab.eu/2014/10/20/late...rojan-variant/
    Oct 20, 2014 - "... intercepted a new trojan variant distribution campaign by email with the subject “my new photo ”... sent from the spoofed email addresses and has the following short body:

    my new photo

    The attached ZIP file has the name photo.zip; once extracted, a folder named photo is available that contains the 57 kB large file photo.exe. The trojan is known as a variant of HEUR/QVM03.0.Malware.Gen or Win32:Malware-gen. At the time of writing, 2 of the 53 AV engines did detect the trojan at Virus Total*..."
    * https://www.virustotal.com/en-gb/fil...is/1413812842/
    ___

    Fake Invoice SPAM – word doc malware
    - http://myonlinesecurity.co.uk/adobe-...d-doc-malware/
    20 Oct 2014 - "An email pretending to come from Adobe with the subject of 'Adobe Invoice' is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... This email has an attachment that looks like a proper word.doc but something has disinfected all copies on its travels. All copies that I have received have been -less- than 1kb in size and are empty files with a name only adb-102288-invoice.doc . They are almost certainly supposed to be the typical malformed word docs, that contain a macros script -virus- we have been seeing so much recently that will infect you if you open or even preview them when you have an out of date or vulnerable version of Microsoft word on your computer... The email looks like:
    Adobe(R) logo
    Dear Customer,
    Thank you for signing up for Adobe Creative Cloud
    Service.
    Attached is your copy of the invoice.
    Thank you for your purchase.
    Thank you,
    The Adobe Team
    Adobe Creative Cloud Service...


    Never just blindly click on the file in your email program. Always save the file to your downloads folder, so you can check it first. Most (if not all) malicious files that are attached to emails will have a faked extension..."

    - http://blog.dynamoo.com/2014/10/adob...-spam-adb.html
    20 Oct 2014
    Screenshot: https://1.bp.blogspot.com/-mt-vGbR2Q...1600/adobe.png
    > https://www.virustotal.com/en-gb/fil...is/1413809174/
    ... Behavioural information
    TCP connections
    62.75.182.94: https://www.virustotal.com/en-gb/ip-...4/information/
    208.89.214.177: https://www.virustotal.com/en-gb/ip-...7/information/
    ___

    Dropbox phish - hosted on Dropbox
    - http://www.symantec.com/connect/blog...hosted-dropbox
    Updated: 18 Oct 2014 - "... In this scam, messages included links to a -fake- Google Docs login page hosted on Google itself. We continue to see millions of phishing messages every day, and recently we saw a similar scam targeting Dropbox users. The scam uses an email (with the subject "important") claiming that the recipient has been sent a document that is too big to be sent by email, or cannot be sent by email for security reasons. Instead, the email claims, the document can be viewed by clicking on the link included in the message. However, the link opens a -fake- Dropbox login page, hosted on Dropbox itself.
    Fake Dropbox login page:
    > http://www.symantec.com/connect/site...ropbox%201.png
    The -fake- login page is hosted on Dropbox's user content domain (like shared photos and other files are) and is served over SSL, making the attack more dangerous and convincing. The page looks like the real Dropbox login page, but with one crucial difference. The scammers are interested in phishing for more than just Dropbox credentials; they have also included logos of popular Web-based email services, suggesting that users can log in using these credentials as well. After clicking "Sign in," the user’s credentials are sent to a PHP script on a compromised Web server. Credentials are also submitted over SSL, which is critical for the attack's effectiveness. Without this, victims would see an unnerving security warning.
    Security warning:
    > http://www.symantec.com/connect/site...ropbox%202.jpg
    Upon saving or emailing the user's credentials to the scammer, the PHP script simply -redirects- the user to the real Dropbox login page. Although the page itself is served over SSL, and credentials are sent using the protocol, some resources on the page (such as images or style sheets) are not served over SSL. Using non-SSL resources on a page served over SSL shows warnings in recent versions of some browsers. The prominence of the warning varies from browser to browser; some browsers simply change the padlock symbol shown in the address bar, whereas others include a small banner at the top of the page. Users may not notice or understand these security warnings or the associated implications. Symantec reported this phishing page to Dropbox and they immediately took the page down..."

    Last edited by AplusWebMaster; 2014-10-20 at 20:15.

  3. #553 AplusWebMaster (Adviser Team)

    Fake Invoice SPAM - malware

    FYI...

    Fake Invoice SPAM - Word doc malware
    - http://myonlinesecurity.co.uk/humber...d-doc-malware/
    21 Oct 2014 - "An email pretending to come from 'Humber Merchants Group' ps [random number]@humbermerchants .co.uk with a word document attachment and the subject of 'Industrial Invoices' is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    Attached are accounting documents from Humber Merchants
    Humber Merchants Group
    Head Office:
    Parkinson Avenue
    Scunthorpe
    North Lincolnshire
    DN15 7JX
    Tel: 01724 860331
    Fax: 01724 281326 ...


    21 October 2014: 15040BII3646501.doc - Current Virus total detections: 0/52* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en-gb/fil...is/1413890645/
    ___

    Fake Adobe Invoice Spam
    - http://threattrack.tumblr.com/post/1...e-invoice-spam
    Oct 21, 2014 - "Subjects Seen:
    Adobe Invoice
    Typical e-mail details:
    Dear Customer,
    Thank you for signing up for Adobe Creative Cloud Service.
    Attached is your copy of the invoice.
    Thank you for your purchase.
    Thank you,
    The Adobe Team
    Adobe Creative Cloud Service


    Screenshot: https://gs1.wac.edgecastcdn.net/8019...etU1r6pupn.png

    Malicious File Name and MD5:
    invoice.zip (CABA79FCEB5C9FEF222C89C423AA2485)
    invoice.exe (29684FBB98C1883A7A08977CB23E90B6)


    Tagged: Adobe, Wauchos
    ___

    Fake Invoice SPAM - malware
    - http://myonlinesecurity.co.uk/please...voice-malware/
    21 Oct 2014 - "An email pretending to come from cato-chem .com < sales@ cato-chem .com > with a fake invoice has a subject of Please find attached PI copies of Invoice is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...ke-invoice.png

    21 October 2014: proforma invoice.zip: Extracts to proforma invoice.exe
    Current Virus total detections: 17/54*. This Please find attached PI copies of Invoice is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a file with a barcode as the icon instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en-gb/fil...is/1413858604/
    ___

    ThetaRay turns to maths to detect cyber threats
    - http://www.reuters.com/article/2014/...0IA1JV20141021
    Oct 21, 2014 - "As businesses face a growing threat of cyber attacks, Israeli start-up ThetaRay is betting on maths to provide early detection, enabling the shutdown of systems before damage can be done. The year-old company's first investor was venture capital firm Jerusalem Venture Partners. It is now also backed by heavyweights like General Electric, which uses ThetaRay to protect critical infrastructure such as power plants, and Israel's biggest bank, Hapoalim, which deployed the technology to detect bank account anomalies... Cyber security providers are moving away from protecting gateways with defenses such as firewalls to focus on detecting and preventing attacks before they penetrate organizations... Security experts estimate it can take more than -200- days to identify a cyber attack once it's been launched... Once a threat has been detected, ThetaRay leaves it up to humans to decide whether or not to shut down the system..."

    Last edited by AplusWebMaster; 2014-10-22 at 01:10.

  4. #554 AplusWebMaster (Adviser Team)

    Fake Debt Recovery, customer service SPAM

    FYI...

    Fake Debt Recovery SPAM - PDF malware
    - http://myonlinesecurity.co.uk/bd-dig...e-pdf-malware/
    22 Oct 2014 - "An email coming from random senders pretending to be B&D Digital Supplies or B&D Computers which is all about debt recovery and threatening legal action with a subject of 'Commercial Debt Recovery', Ref No: [random numbers] is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer... The email looks like:

    Screenshot: http://myonlinesecurity.co.uk/wp-con...t-recovery.png

    Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... it appears to come from a friend or is more targeted at somebody who regularly is likely to receive PDF attachments or Word .doc attachments or any other common file that you use every day. The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    ___

    Fake customer service SPAM - doc malware
    - http://myonlinesecurity.co.uk/custom...d-doc-malware/
    22 Oct 2014 - "An email pretending to have a word document invoice attachment with a subject of Reference: [random characters] coming from [random name] 'customer service' at an unspecified company is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer... The email looks like:

    This email contains an invoice file attachment ID:VZY563200VA
    Thanks!
    Kelli Horn .


    22 October 2014: ENC094126XJ.doc - Current Virus total detections: 0/54* . Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... The basic rule is NEVER open any attachment to an email, unless you are expecting it... Never just blindly click on the file in your email program..."
    * https://www.virustotal.com/en/file/d...is/1413973355/
    ___

    Fake Malformed or infected word docs with embedded macro viruses
    - http://myonlinesecurity.co.uk/malfor...macro-viruses/
    22 Oct 2014 - "We are seeing loads of emails with Malformed or infected word docs with embedded macro viruses they are what appears to be a genuine word doc attached which is malformed and contains a macro or vba script virus. Modern versions of Microsoft office, that is Office 2010 and 2013 and Office 365 have Macros disabled by default, UNLESS you or your company have enabled them. Opening this malicious word document will infect you if Macros are enabled and simply previewing it in windows explorer or your email client might well be enough to infect you... Do -not- open word docs received in an email without scanning them with your antivirus first and be aware that there are a lot of dodgy word docs spreading that WILL infect you with no action from you if you are still using an outdated or vulnerable version of word. This is a good reason to update your office programs to a recent version and stop using office 2003 and 2007. The risks in using older version are starting to outweigh the convenience, benefits and cost of keeping an old version going... All modern versions of word and other office programs, that is 2010, 2013 and 365, should open word docs, excel files and PowerPoint etc that are downloaded from the web or received in an email automatically in “protected view” that stops any embedded malware or macros from being displayed and running. Make sure protected view is set in all office programs to protect you and your company from these sorts of attacks..."

    - http://blog.dynamoo.com/2014/10/this...oice-file.html
    22 Oct 2014
    Screenshot: https://3.bp.blogspot.com/-1zwDnotAB...600/image1.gif
    VT1: https://www.virustotal.com/en-gb/fil...is/1413981604/
    ... Behavioural information
    DNS requests
    VBOXSVR.ovh.net: 213.186.33.6: https://www.virustotal.com/en-gb/ip-...6/information/
    TCP connections
    178.250.243.114: https://www.virustotal.com/en-gb/ip-...4/information/
    91.240.238.51: https://www.virustotal.com/en-gb/ip-...1/information/
    VT2: https://www.virustotal.com/en-gb/fil...is/1413982865/
    ___

    Fake Wells Fargo SPAM – PDF malware
    - http://myonlinesecurity.co.uk/wells-...e-pdf-malware/
    22 Oct 2014 - "An email pretending to come from Wells Fargo with a subject of 'You have a new Secure Message' is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    You have received a secure message
    Read your secure message by download AccountDocuments-10345.zip. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.
    In order to view the secure message please download it using our Cloud Hosting...


    22 October 2014: document_013982_pdf.zip: Extracts to: document_013982_pdf.exe
    Current Virus total detections: 5/54* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en-gb/fil...is/1413986180/
    ... Behavioural information
    TCP connections
    188.165.214.6: https://www.virustotal.com/en-gb/ip-...6/information/
    82.98.161.71: https://www.virustotal.com/en-gb/ip-...1/information/
    188.165.237.144: https://www.virustotal.com/en-gb/ip-...4/information/
    80.157.151.17: https://www.virustotal.com/en-gb/ip-...7/information/
    UDP communications
    173.194.71.127: https://www.virustotal.com/en-gb/ip-...7/information/
    ___

    Flash Player exploit in-the-wild - CVE-2014-0569
    - https://blog.malwarebytes.org/exploi...vulnerability/
    Oct 22, 2014 - "... less than a week ago, a critical flaw in the Flash Player (CVE-2014-0569*) was patched and made public:
    * https://helpx.adobe.com/security/pro...apsb14-22.html
    The vulnerability had been privately reported to Adobe through the Zero Day Initiative group giving the firm the time to fix the issue before it became known to the world. Typically security researchers and criminals will be very attentive to such news and skilled reverse engineers will start looking at the patch to be able to reconstruct the exploit. All things considered, there is normally a certain amount of time before a proof of concept is released and then a little more time before that poc is weaponized by the bad guys... Kafeine**... stumbled upon that same CVE in a real world exploit kit (Fiesta EK) only one -week- after the official security bulletin had been published... That means we have less and less time to deploy and test security patches. Perhaps this is not too much of a deal for individuals, but it can be more difficult for businesses which need to roll out patches on dozens of machines, hoping doing so will not cause malfunctions in existing applications. In any case, this was our first chance to test CVE-2014-0569 in the wild by triggering the Fiesta EK against Malwarebytes Anti-Exploit:
    > https://blog.malwarebytes.org/wp-con...-2014-0569.png
    It is crucial to patch any system running outdated Flash Player versions as soon as possible! You can check the version you are running (make sure to do this in all the browsers you use) by going here:
    >> http://www.adobe.com/software/flash/about/
    The bad guys are not going to run short of vulnerabilities they can weaponize at a quicker rate than ever before. This leaves end-users with very little room for mistakes such as failing to diligently apply security patches -sooner- rather than later..."
    ** http://malware.dontneedcoffee.com/20...2014-0569.html

    > https://blog.malwarebytes.org/tag/fiesta-ek/

    Last edited by AplusWebMaster; 2014-10-23 at 00:44.
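    The posts above (#552 through #554) keep returning to two tricks: an executable whose name and icon imitate a document (Invoice_7380901925299.xls.exe, cert_1020.scr, document_013982_pdf.exe) and a genuine Word file that carries a VBA project. The following triage routine is an added example, not code from any of the posts or the blogs they quote. It unpacks a zip attachment in memory and flags members on name (executable extension, document-lookalike double extension), on content (MZ header, legacy OLE container with a _VBA_PROJECT stream name, OOXML with vbaProject.bin) and on the zero-byte case from the Adobe invoice post. The sample zip and every file inside it are constructed stand-ins, not real malware, and the heuristics are mine; a file with no findings has not been proven clean.

```python
"""Triage an e-mail attachment (zip or single file) for the tricks described above:
deceptive double extensions, executables behind document icons, Word files with a VBA
project, and empty files. Heuristics only; a clean result proves nothing."""
import io
import zipfile

EXEC_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}
DOC_HINTS = ("pdf", "doc", "xls", "ppt", "invoice", "document")
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"      # legacy .doc/.xls compound file
VBA_MARK = "_VBA_PROJECT".encode("utf-16-le")        # CFB directory names are UTF-16LE


def name_findings(name):
    """Flags derived from the file name alone."""
    low = name.rsplit("/", 1)[-1].lower()
    parts = low.split(".")
    out = []
    if len(parts) > 1 and "." + parts[-1] in EXEC_EXT:
        out.append("executable-extension")
        stem = ".".join(parts[:-1])
        # Invoice_...xls.exe (double extension) or document_..._pdf.exe (hint in stem)
        if len(parts) > 2 or any(h in stem for h in DOC_HINTS):
            out.append("document-lookalike-name")
    return out


def content_findings(data):
    """Flags derived from the bytes: PE header, OLE with VBA, OOXML with macros, empty."""
    out = []
    if data[:2] == b"MZ":
        out.append("pe-executable")
    if data.startswith(OLE_MAGIC) and VBA_MARK in data:
        out.append("ole-vba-project")
    if data[:2] == b"PK":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                if any(n.lower().endswith("vbaproject.bin") for n in z.namelist()):
                    out.append("ooxml-vba-project")
        except zipfile.BadZipFile:
            out.append("corrupt-zip")
    if len(data) == 0:
        out.append("empty-file")      # the stripped adb-102288-invoice.doc case
    return out


def triage(name, data):
    """Return {member_name: [flags]} for a zip attachment, or for a single file."""
    report = {}
    if data[:2] == b"PK" and name.lower().endswith(".zip"):
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            for info in z.infolist():
                if info.is_dir():
                    continue
                body = z.read(info)
                report[info.filename] = name_findings(info.filename) + content_findings(body)
    else:
        report[name] = name_findings(name) + content_findings(data)
    return report


# ---- constructed samples (stand-ins, not real malware) ----
def _zip(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for n, b in members.items():
            z.writestr(n, b)
    return buf.getvalue()


FAKE_PE = b"MZ" + b"\x90" * 62                       # DOS header magic only
FAKE_OLE_VBA = OLE_MAGIC + b"\x00" * 504 + VBA_MARK + b"\x00" * 64
FAKE_DOCM = _zip({"[Content_Types].xml": b"<Types/>", "word/vbaProject.bin": b"\x01" * 16})
SAMPLE_ZIP = _zip({
    "Invoice_7380901925299.xls.exe": FAKE_PE,
    "cert_1020.scr": FAKE_PE,
    "adb-102288-invoice.doc": b"",
    "15040BII3646501.doc": FAKE_OLE_VBA,
    "report.docm": FAKE_DOCM,
    "readme.txt": b"nothing to see",
})

if __name__ == "__main__":
    for member, flags in triage("Copy4313_B0.zip", SAMPLE_ZIP).items():
        print(f"{member:32} {', '.join(flags) or 'no findings'}")
```

    The _VBA_PROJECT test is a string search, so it also fires on a document that merely embeds another OLE object with macros; treat it as a reason to open the file in protected view or a sandbox, not as a verdict. Real-world zips can also be nested or password protected, which this example does not descend into.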

  5. #555 AplusWebMaster (Adviser Team)

    Fake 'Order Confirmation', 'bank detail' SPAM, Flash exploits in-the-wild ...

    FYI...

    Fake 'Order Confirmation' SPAM
    - http://blog.dynamoo.com/2014/10/fake...rnational.html
    23 Oct 2014 - "This fake Order Confirmation spam pretends to come from supertouch.com / Allied International Trading Limited but doesn't. The email is a -forgery- originating from an organised crime ring, it does not originate from supertouch .com / Allied International Trading Limited nor have their systems been compromised in any way.
    From: Elouise Massey [Elouise.Massey@ supertouch .com]
    Date: 23 October 2014 10:52
    Subject: Order Confirmation
    Hello,
    Thank you for your order, please check and confirm.
    Kind Regards
    Elouise
    Allied International Trading Limited ...


    In the sample I received, the attachment was -corrupt- but should have been a malicious Word document S-CON-A248-194387.doc. The document and payload is exactly the same as the one being sent out today with this spam run[1] (read that post for more details) and is very poorly detected, although blocking access to the following IPs and domains might help mitigate against it:
    87.106.84.226
    84.40.9.34
    jvsfiles .com
    "

    [1] http://blog.dynamoo.com/2014/10/fake...nts-group.html

    62.75.182.94: https://www.virustotal.com/en/ip-add...4/information/
    ___

    Fake 'bank detail' SPAM - trojan
    - http://blog.mxlab.eu/2014/10/23/fake...ntains-trojan/
    Oct 23, 2014 - "... intercepted a new trojan distribution campaign by email with the subject “New bank details”. This email is sent from the spoofed address “Bitstamp .net” <no_reply@ bitstamp .net>, while the real SMTP sender is AmericanExpress@ welcome .aexp .com, and has the following body:
    New banking details
    Dear Bitstamp clients,
    We would like to inform you that Bitstamp now has new bank details, please check attached file.
    We would like to assure those of you who sent deposits to our old details that our old IBAN is still active and your transfers, if otherwise sent with correct information, should arrive without a problem.
    Please note that SEPA transfers usually take 1 to 3 business days to arrive and would kindly ask those waiting for your SEPA transfers longer than usually to please send us a transfer confirmation so that we can examine our bank account log and locate your transfers.
    Also for those waiting on deposits we ask for your patience; we have accumulated a long list of transfers which lack information or contain wrong information which means we need to manually go through all of them instead of our system sorting them automatically.
    Best regards
    CEO, Nejc Kodrič
    Bitstamp LIMITED


    The attached ZIP file has the name bank details.zip and contains the 24 kB large file bank details.scr. The trojan is known as Troj.W32.Gen, a variant of Win32/Kryptik.COEK, HEUR/QVM20.1.Malware.Gen or Mal/Generic-S. At the time of writing, 4 of the 53 AV engines did detect the trojan at Virus Total*. Now, MX Lab has also intercepted some emails -without- the malicious attachment but be aware that this email is a risk..."
    * https://www.virustotal.com/en/file/8...is/1414073432/
    ... Behavioural information
    DNS requests
    VBOXSVR. ovh .net: 213.186.33.6: https://www.virustotal.com/en/ip-add...6/information/
    ___

    Two exploit kits prey on Flash Player flaw patched only last week
    - http://net-security.org/malware_news.php?id=2892
    23.10.2014 - "Two exploit kits prey on Flash Player flaw patched only last week... The integer overflow vulnerability in question (CVE-2014-0569*) can allow attackers to execute arbitrary code via unspecified vectors, and is deemed critical (high impact, easily exploitable)... the time period was very short, and technical information about the vulnerability and exploit code hasn't yet been shared online... The exploit kits are used to deliver the usual assortment of malware, and some of the variants have an extremely low detection rate... If you use Adobe Flash Player, and you haven't implemented the latest patches, now would be a good time to rectify that mistake."
    * https://web.nvd.nist.gov/view/vuln/d...=CVE-2014-0569 - 10.0

    - http://atlas.arbor.net/briefs/index#1049793989
    Elevated Severity
    23 Oct 2014

    - http://www.securitytracker.com/id/1031019
    CVE Reference: CVE-2014-0558, CVE-2014-0564, CVE-2014-0569
    Oct 14 2014
    Impact: Execution of arbitrary code via network, User access via network
    Fix Available: Yes Vendor Confirmed: Yes
    Solution: The vendor has issued a fix (13.0.0.250 extended support release, 15.0.0.189 for Windows/Mac, 11.2.202.411 for Linux)...
    Flash 15.0.0.189 released: https://helpx.adobe.com/security/pro...apsb14-22.html
    Oct 14, 2014

    For I/E: http://download.macromedia.com/get/f...5_active_x.exe

    For Firefox (Plugin-based browsers): http://download.macromedia.com/get/f..._15_plugin.exe

    Flash test site: http://www.adobe.com/software/flash/about/
    ___

    Fake 'Order Confirmation' SPAM
    - http://blog.dynamoo.com/2014/10/fake...rnational.html
    23 Oct 2014 - "This -fake- Order Confirmation spam pretends to come from supertouch .com / Allied International Trading Limited - but doesn't. The email is a -forgery- originating from an organised crime ring, it does not originate from supertouch .com / Allied International Trading Limited nor have their systems been compromised in any way.
    From: Elouise Massey [Elouise.Massey@ supertouch .com]
    Date: 23 October 2014 10:52
    Subject: Order Confirmation
    Hello,
    Thank you for your order, please check and confirm.
    Kind Regards
    Elouise
    Allied International Trading Limited ...


    In the sample I received, the attachment was corrupt but should have been a malicious Word document S-CON-A248-194387.doc. The document and payload are exactly the same as the one being sent out today with this spam run* (read that post for more details) and are very poorly detected, although -blocking- access to the following IPs and domains might help mitigate against it:
    87.106.84.226
    84.40.9.34
    jvsfiles .com
    "
    * http://blog.dynamoo.com/2014/10/fake...nts-group.html
    ___

    Fake VoiceMail SPAM
    - http://blog.dynamoo.com/2014/10/voic...cemailcom.html
    23 Oct 2014 - "Before you open something like this.. think if you really get voice mail notifications through your email. No? Well, -don't- open it.
    From: "Voice Mail" [voicemail_sender@ voicemail .com]
    Date: Thu, 23 Oct 2014 14:31:22 +0200
    Subject: voice message from 598-978-8974 for mailbox 833
    You have received a voice mail message from 598-978-8974
    Message length is 00:00:33. Message size is 264 KB.
    Download your voicemail message from dropbox service below (Google Disk
    Drive Inc.) ...


    Clicking the link goes to a script that detects if the visitor is running Windows, if so it downloads a file doc_9231-92_pdf.zip from the target system which in turn contains a malicious executable doc_9231-92_pdf.exe which has a VirusTotal detection rate of 4/51*... 188.165.214.6 is rather unsurprisingly allocated to OVH France. It also drops a couple of executables onto the system... Recommended blocklist:
    188.165.214.6
    inaturfag .com
    "
    * https://www.virustotal.com/en-gb/fil...is/1414075720/
    ___

    Fake BoA SPAM – PDF malware
    - http://myonlinesecurity.co.uk/mamie-...e-pdf-malware/
    23 Oct 2014 - "'Mamie French Bank of America Unknown incoming wire' is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    The banking activity with today’s posting date shows Electronic Fund Transfer (EFT) that has been received. Our bank has noted the following information:
    EFT Amount: $ 6,200.00
    Remitted From: SSA TREAS 310 MISC PAY
    Designated for: UNKNOWN
    Please download and open attachment with full imformation about this Electronic Fund Transfer payment.
    If you confirm that it belongs to your agency or department, please email back or give us a call. Then, our office needs to receive a completed General Deposit no later than 10:00 a.m. tomorrow.
    Note: If these funds cannot be identified or if no one claims this EFT, we are required to process the return of this EFT by 10:00 a.m., June 24, 2014.
    Thank you.
    Mamie French
    Senior Accountant
    Bank of America ...


    23 October 2014: electronic_fund_transfer.zip: Extracts to: electronic_fund_transfer.scr
    Current Virus total detections: 10/53* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/d...is/1414081814/

    Last edited by AplusWebMaster; 2014-10-24 at 15:44.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .
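    Added example, not from the post above or from the blogs it quotes: a Python script that loads the "Recommended blocklist" entries quoted in this post (the Fake VoiceMail and Fake 'Order Confirmation' items), undoes the forum's " ." defanging, and matches the indicators against proxy log lines. The log lines are constructed for the example and are not real traffic; the host-matching rule is written so that a sub-domain of a listed domain hits but a look-alike such as notinaturfag.com does not.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators quoted in the "Recommended blocklist" sections of the post above.
# The " ." spacing is the forum's own defanging convention; refang() undoes it.
RECOMMENDED_BLOCKLIST = """
# Fake VoiceMail SPAM
188.165.214.6
inaturfag .com
# Fake 'Order Confirmation' SPAM
87.106.84.226
84.40.9.34
jvsfiles .com
"""

# Constructed proxy log lines (timestamp, client IP, URL, status), not real traffic.
SAMPLE_PROXY_LOG = [
    "1414075720 10.0.0.5 http://inaturfag.com/doc_9231-92_pdf.zip 200",
    "1414075733 10.0.0.5 http://188.165.214.6/ 200",
    "1414075800 10.0.0.7 http://cdn.jvsfiles.com/x 200",
    "1414075900 10.0.0.9 https://www.virustotal.com/en/ 200",
    "1414075950 10.0.0.9 http://notinaturfag.com/ 200",
    "malformed line",
]


def refang(indicator: str) -> str:
    """Turn 'example .com', 'example[.]com' or 'hxxp://' back into a usable indicator."""
    s = indicator.strip().lower()
    s = re.sub(r"\s*\[?\.\]?\s*", ".", s)
    return s.replace("hxxp", "http")


def load_blocklist(text: str):
    """Split a defanged blocklist into a set of IPs and a set of domains."""
    ips, domains = set(), set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ioc = refang(line)
        try:
            ips.add(str(ipaddress.ip_address(ioc)))
        except ValueError:
            domains.add(ioc)
    return ips, domains


def match_host(host: str, ips: set, domains: set):
    """Return the blocklist entry a host matches, or None.

    Domains match exactly or as a parent of the host ('cdn.jvsfiles.com' hits
    'jvsfiles.com'); a bare suffix test would wrongly hit 'notinaturfag.com'.
    """
    if host in ips:
        return host
    for domain in domains:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def scan_proxy_log(lines, ips: set, domains: set):
    """Return one hit dict per log line whose URL host is on the blocklist."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # skip lines that do not have the expected four fields
        _ts, client, url, _status = parts[:4]
        host = (urlsplit(url).hostname or "").lower()
        matched = match_host(host, ips, domains)
        if matched:
            hits.append({"client": client, "host": host, "matched": matched})
    return hits


if __name__ == "__main__":
    ips, domains = load_blocklist(RECOMMENDED_BLOCKLIST)
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG, ips, domains):
        print(hit)
```

    Run against a real proxy export, the same loader accepts any blocklist pasted from these posts, comments included; only the host of each URL is compared, so paths and query strings do not matter.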

  6. #556
    AplusWebMaster (Adviser Team)

    Fake Invoice, Fax SPAM

    FYI...

    Fake Invoice SPAM – Word doc malware
    - http://myonlinesecurity.co.uk/invoic...d-doc-malware/
    24 Oct 2014 - "'invoice 8014042 October' pretending to come from Sandra Lynch with a malformed word doc attachment containing a macro virus is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    Please find attached your October invoice, we now have the facility to email invoices,
    but if you are not happy with this and would like a hard copy please let me know.
    New bank details for BACS payments are Santander Bank Sort Code 8014042 Account No 5608014042.
    Thanks very much
    Kind Regards
    Sandra Lynch


    24 October 2014: invoice_8014042.doc : Current Virus total detections: 0/54*
    Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email..."
    * https://www.virustotal.com/en/file/9...is/1414141144/
    ___

    Fake Fax SPAM.. again.
    - http://blog.dynamoo.com/2014/10/youv...pam-again.html
    24 Oct 2014 - "Another day, another -fake- fax spam.
    From: Fax [fax@ victimdomain .com]
    To: luke.sanson@ victimdomain .com
    Date: 24 October 2014 10:54
    Subject: You've received a new fax
    New fax at SCAN2383840 from EPSON by https://victimdomain.com
    Scan date: Fri, 24 Oct 2014 15:24:22 +0530
    Number of pages: 2
    Resolution: 400x400 DPI
    You can secure download your fax message at ...
    (eFax Drive is a file hosting service operated by J2, Inc.)


    The link in the email goes to a script which (if the browser settings are correct) downloads a file document_92714-872_pdf.zip which in turn contains a malicious executable document_92714-872_pdf.exe which has a VirusTotal detection rate of 3/54*... The malware also drops two executables on the system, kcotk.exe (VT 0/53**...) and ptoma.exe (VT 2/51***...)... Recommended blocklist:
    188.165.214.6
    rodgersmith .com
    "
    * https://www.virustotal.com/en/file/d...is/1414145184/

    ** https://www.virustotal.com/en-gb/fil...is/1414145764/

    *** https://www.virustotal.com/en-gb/fil...is/1414145784/
    ___

    Widespread malvertising - delivered ransomware
    - http://net-security.org/malware_news.php?id=2894
    24.10.2014 - "A newer version of the Cryptowall ransomware has been delivered to unsuspecting Internet users via malicious ads shown on a considerable number of high-profile websites, including properties in the Yahoo, Match.com, and AOL domains. According to Proofpoint's calculations*, the malvertising campaign started in late September, picked up the pace this month, and lasted until October 18 and likely even a bit longer... In this campaign, the attackers used already existing ads for legitimate products, and submitted it to at least three major ad network members (Rubicon Project, Right Media/Yahoo Advertising, and OpenX). Visitors to the sites that ended up serving the malicious ads were automatically infected with the ransomware if they used software with vulnerabilities exploitable by the FlashPack Exploit Kit. The ransomware then encrypted the victims' hard drive and asks for money in return for the decryption key. Unfortunately, even if the ransom is paid, there is no guarantee that the victim will actually receive the key. The ransom is supposed to be paid in Bitcoin, and the addresses the criminals used for this purpose are C&C server-generated and many... This particular campaign now seems to be over - all the affected parties (optimizers and ad networks) have been notified, and the malicious ads pulled. Still, that doesn't mean that the attackers have not switched to spreading CryptoWall 2.0 via other means..."
    * http://www.proofpoint.com/threatinsi...zes-brands.php
    ___

    Ebola-themed emails deliver malware, exploit Sandworm vulnerability (MS14-060)
    - http://net-security.org/malware_news.php?id=2895
    24.10.2014 - "US CERT has recently issued a warning* about malware-delivery campaigns using users' fear of the Ebola virus and its spreading as a bait. One of the most prolific campaigns is the one that -impersonates- the World Health Organization:
    > http://www.net-security.org/images/a...m-24102014.jpg
    The emails in question initially -linked- to the -malware- a variant of the DarkKomet RAT tool, used by attackers to access and control the victim's computer remotely and steal information. After a while, the attackers began to attach the malware directly to the message, as access to the malicious file hosted on a popular cloud data storage service was blocked quickly by service administrators, noted Tatyana Shcherbakova:
    > https://securelist.com/blog/spam-tes...us-or-malware/
    According to Websense researchers**, Ebola-themed malicious emails and documents are also being used by attackers taking advantage of the recently discovered Sandworm vulnerability (CVE-2014-4114***)..."
    * https://www.us-cert.gov/ncas/current...ware-Campaigns
    Oct 16, 2014
    ** http://community.websense.com/blogs/...tacks-Too.aspx
    *** https://web.nvd.nist.gov/view/vuln/d...=CVE-2014-4114 - 9.3 (HIGH)
    ___

    Phalling for the phish...
    - http://blog.dynamoo.com/2014/10/do-p...-for-this.html
    24 Oct 2014 - "... a simple phishing spam..
    From: info@ kythea .gr
    Date: 24 October 2014 13:50
    Subject: payment
    this mail is to inform you that the payment have been made
    see the attached file for the payment slip
    ANTON ARMAS


    Attached is a file payment Slip (2).html which displays a popup alert:
    You have been signed out of this account this may have happened automatically cause the attachement needs authentication. to continue using this account, you will need to sign in again. this is done to protect your account and to ensure the privacy of your information

    The victim then gets sent to a phishing page, in this case at uere.bplaced .net/blasted/tozaiboeki.webmail .html which looks like this..
    > https://4.bp.blogspot.com/-dliSNtwDj...multiphish.jpg
    ... do people really fall for this? The frightening answer is.. probably, yes."

    bplaced .net: 5.9.107.19: https://www.virustotal.com/en/ip-add...9/information/

    Last edited by AplusWebMaster; 2014-10-24 at 17:28.
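    Added example, not part of the post above or of dynamoo's write-up: a Python triage script for HTML attachments of the kind described in the "Phalling for the phish" item, where the file pops a fake "signed out" alert and then sends the reader to a phishing page. It collects alert() calls and every host that forms, meta refreshes or inline script redirect to, so a mail gateway can flag the attachment without rendering it. The sample attachment is constructed for this example; only the host name is taken from the post.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed stand-in for an HTML attachment of the kind described above: a
# fake "signed out" alert followed by a redirect to the phishing host the post
# names. It is not the real attachment.
SAMPLE_ATTACHMENT = """<html><body>
<script type="text/javascript">
alert("You have been signed out of this account. To continue, you will need to sign in again.");
window.location.href = "http://uere.bplaced.net/blasted/tozaiboeki.webmail.html";
</script>
<noscript><meta http-equiv="refresh" content="0; url=http://uere.bplaced.net/blasted/"></noscript>
</body></html>"""

# Redirect patterns inside inline script, and the alert() the post describes.
SCRIPT_TARGET_RE = re.compile(
    r"""(?:location(?:\.href)?\s*=|window\.open\s*\(|\.src\s*=)\s*['"]([^'"]+)['"]""")
ALERT_RE = re.compile(r"\balert\s*\(")
META_URL_RE = re.compile(r"url\s*=\s*['\"]?([^'\"\s>]+)", re.I)


class AttachmentTriage(HTMLParser):
    """Collects alert() calls and every host that forms, meta refreshes or
    scripts send the reader to."""

    def __init__(self):
        super().__init__()
        self.alert_count = 0
        self.targets = []          # (host, how) pairs
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form" and a.get("action"):
            self._note(a["action"], "form action")
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = META_URL_RE.search(a.get("content", ""))
            if m:
                self._note(m.group(1), "meta refresh")
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.alert_count += len(ALERT_RE.findall(data))
            for m in SCRIPT_TARGET_RE.finditer(data):
                self._note(m.group(1), "script redirect")

    def _note(self, url, how):
        # Relative targets (same document) carry no host and are not recorded.
        host = urlsplit(url).hostname
        if host:
            self.targets.append((host.lower(), how))


def triage(html: str) -> dict:
    """Summarise an HTML attachment: distinct external hosts and a coarse verdict."""
    p = AttachmentTriage()
    p.feed(html)
    p.close()
    hosts = sorted({h for h, _ in p.targets})
    suspicious = p.alert_count > 0 and bool(hosts)
    return {"alerts": p.alert_count, "hosts": hosts, "targets": p.targets,
            "verdict": "credential-phish-pattern" if suspicious else "no-redirect-pattern"}


if __name__ == "__main__":
    print(triage(SAMPLE_ATTACHMENT))
```

    The hosts it returns are what you would look up (as the post does with VirusTotal) or feed to the blocklist; the verdict is deliberately coarse, since a legitimate HTML attachment rarely needs both an alert and an off-site redirect.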

  7. #557
    AplusWebMaster (Adviser Team)

    Fake 'New order' SPAM - malware

    FYI...

    Fake 'New order' SPAM - malware
    - http://myonlinesecurity.co.uk/daniel...order-malware/
    25 Oct 2014 - "'Daniela Lederer Re: New Order' is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...-new-order.png

    25 October 2014: J2134457863.zip: Extracts to: J2134457863.exe
    Current Virus total detections: 14/54* . Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en-gb/fil...is/1414216443/


  8. #558
    AplusWebMaster (Adviser Team)

    Fake KLM e-Ticket SPAM, Tech spt scam shutdown ...

    FYI...

    Fake KLM e-Ticket SPAM – PDF malware
    - http://myonlinesecurity.co.uk/klm-e-...e-pdf-malware/
    27 Oct 2014 - "'KLM e-Ticket' pretending to come from e-service @klm .com is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...air_ticket.png

    27 October 2014: e-Ticket_klm_Itinerary _pdf.zip: Extracts to: e-Ticket_klm_Itinerary _pdf.exe
    Current Virus total detections: 2/53* . This 'KLM e-Ticket' is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/d...is/1414404573/
    ___

    Fake 'invoice xxxxxx October' SPAM - malicious Word doc
    - http://blog.dynamoo.com/2014/10/rand...ce-xxxxxx.html
    27 Oct 2014 - "There have been a lot of these today:
    From: Sandra Lynch
    Date: 27 October 2014 12:29
    Subject: invoice 0544422 October
    Please find attached your October invoice, we now have the facility to email invoices,
    but if you are not happy with this and would like a hard copy please let me know.
    New bank details for BACS payments are Santander Bank Sort Code 0544422 Account No 5600544422.
    Thanks very much
    Kind Regards
    Sandra Lynch


    The numbers in the email are randomly generated, as is the filename of the attachment (in this example it was invoice_0544422.doc). The document itself is malicious and has a VirusTotal detection rate of 5/53*. Inside the Word document is a macro that attempts to download and execute a malicious binary from http ://centrumvooryoga .nl/docs/bin.exe which is currently 404ing which is a good sign. There's a fair chance that the spammers will use this format again, so always be cautious of unsolicited email attachments."
    * https://www.virustotal.com/en/file/7...is/1414436717/

    83.96.174.219: https://www.virustotal.com/en/ip-add...9/information/
    ___

    Phish... linked with “Dyre” Banking Malware
    - https://www.us-cert.gov/ncas/alerts/TA14-300A
    Oct 27, 2014 - "Systems Affected: Microsoft Windows. Overview:
    Since mid-October 2014, a phishing campaign has targeted a wide variety of recipients while employing the Dyre/Dyreza banking malware. Elements of this phishing campaign vary from target to target including senders, attachments, exploits, themes, and payloads... Although this campaign uses various tactics, the actor’s intent is to entice recipients into opening attachments and downloading malware... The Dyre banking malware specifically targets sensitive user account credentials. The malware has the ability to capture user login information and send the captured data to malicious actors... Phishing emails used in this campaign often contain a weaponized PDF attachment which attempts to exploit vulnerabilities found in -unpatched- versions of Adobe Reader... After successful exploitation, a user's system will download Dyre banking malware..."
    ___

    FTC gets courts to shut down tech support scammers
    - http://www.theinquirer.net/inquirer/...pport-scammers
    Oct 27 2014 - "... the company, which called itself PairSys, would call people at home and claim to be from Microsoft or Facebook. This is a common scam, and the caller will often claim that the victim has a PC-based problem. In some cases people fall for this. It is estimated that PairSys made $2.5m from the scam and that it employed online adverts as well as phone calls as lures. "The defendants behind Pairsys targeted seniors and other vulnerable populations, preying on their lack of computer knowledge to sell ‘security' software and programs that had no value at all," said Jessica Rich, director of the FTC's Bureau of Consumer Protection... The defendants in the case, Pairsys, Uttam Saha and Tiya Bhattacharya, have agreed to the terms of a preliminary injunction, which includes an instruction to shut down their websites and telephone lines and not to sell on their customer data lists."
    * http://www.ftc.gov/news-events/press...h-support-scam

    > http://www.consumer.ftc.gov/blog

    Last edited by AplusWebMaster; 2014-10-28 at 14:48.
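    Added example, not from the posts or the blogs they quote: a Python check for the "spoofed icon" trick mentioned in the KLM e-Ticket item above and in the earlier Bank of America item, where a ZIP delivers a .scr or a ..._pdf.exe that shows a document icon as long as Windows hides known extensions. It flags members by name (an executable extension whose stem ends in a document-like token) and, independently, by the MZ header, so a renamed executable with a clean name is still caught. The archive is built in memory with placeholder bodies; the member names follow the samples quoted in the posts.

```python
import io
import re
import zipfile

# Extensions Windows runs as programs; these are what the "spoofed icon" files
# really are once "Hide extensions for known file types" is switched off.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs", "vbe", "wsf"}
# Tokens that make an executable look like a document or picture to the reader.
DOCUMENT_TOKENS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "jpeg", "png"}


def classify_name(member_name: str):
    """Classify a filename as 'disguised-executable', 'executable' or None."""
    base = member_name.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if "." not in base:
        return None
    stem, ext = base.rsplit(".", 1)
    if ext not in EXECUTABLE_EXTS:
        return None
    # The document hint is bolted on with '.', '_', '-' or a space
    # ('..._pdf.exe', '...details.pdf.exe'); look at the last token of the stem.
    tokens = [t for t in re.split(r"[._\-\s]+", stem) if t]
    if tokens and tokens[-1] in DOCUMENT_TOKENS:
        return "disguised-executable"
    return "executable"


def inspect_zip(data: bytes):
    """Return one finding per member that is an executable by name or by PE header."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                magic = member.read(2)
            by_name = classify_name(info.filename)
            is_pe = magic == b"MZ"   # DOS/PE header: an executable whatever it is called
            if by_name or is_pe:
                findings.append({"name": info.filename,
                                 "by_name": by_name,
                                 "pe_header": is_pe,
                                 "size": info.file_size})
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive; the member bodies are placeholders, not malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        stub = b"MZ" + b"\x00" * 62          # placeholder with only the header of a PE file
        zf.writestr("electronic_fund_transfer.scr", stub)        # name from the BoA item
        zf.writestr("e-Ticket_klm_Itinerary _pdf.exe", stub)     # name from the KLM item
        zf.writestr("report.pdf.exe", stub)                      # classic double extension
        zf.writestr("readme.txt", stub)      # renamed executable: clean name, PE header
        zf.writestr("invoice.pdf", b"%PDF-1.4\n%%EOF\n")        # genuine document, not flagged
    return buf.getvalue()


if __name__ == "__main__":
    for finding in inspect_zip(build_sample_zip()):
        print(finding)
```

    Reading only the first two bytes of each member keeps the check cheap on large archives; a gateway rule that quarantines any ZIP with a finding here would have stopped every sample named in these two items, whatever icon the file presented.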

  9. #559
    AplusWebMaster (Adviser Team)

    Fake Invoice SPAM, Fake 'Ebola Alert Tool' ...

    FYI...

    Fake Invoice SPAM - Word doc malware
    - http://myonlinesecurity.co.uk/please...d-doc-malware/
    28 Oct 2014 - "An email saying 'Please find attached INVOICE number 224244 from Power EC Ltd' pretending to come from soo.sutton[random number]@ powercentre .com with a subject of 'INVOICE [random number] from Power EC Ltd' is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:

    Please find attached INVOICE number 224244 from Power EC Ltd

    28 October 2014 : INVOICE263795.doc - Current Virus total detections: 3/54*
    Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... macro malware**... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/4...is/1414506485/

    ** http://myonlinesecurity.co.uk/malfor...macro-viruses/

    - http://blog.dynamoo.com/2014/10/invo...-ltd-spam.html
    28 Oct 2014
    > https://www.virustotal.com/en/file/4...is/1414519923/
    Recommended blocklist:
    62.75.184.70: https://www.virustotal.com/en/ip-add...0/information/
    116.48.157.176: https://www.virustotal.com/en/ip-add...6/information/
    ___

    Fake 'Ebola Alert Tool' ...
    - https://blog.malwarebytes.org/online...-anything-but/
    Oct 27, 2014 - "... More news of infection outside Africa such as this could further fuel the ever-increasing fear and anxiety for one’s own life and well-being, especially in terms of how one interacts with the outside world. People are trying to be more careful in their dealings than usual, always wanting to be on the know about the latest happenings. This is why web threats banking on perennial hot topics like Ebola could be effective lures against users, especially in the long run... Upon initial visit to the page, users are presented with the following prompt at the top-middle part of the screen:
    > https://blog.malwarebytes.org/wp-con...s-1024x341.jpg
    Below is a screenshot of the downloaded file with an overview of its details:
    > http://blog.malwarebytes.org/wp-cont.../ebolafile.png
    EbolaEarlyWarningSystem.exe has a low detection rate as of this writing—four vendors detect it out of 53*... Upon execution, it displays a user interface prompting users to install the ONLY Search toolbar with links to its EULA and Privacy Policy pages. Once users click the “Agree” button, they are again presented with other offers to download, such as a program called Block-n-Surf (a supposed tool used to protect children from adult-related content, System Optimizer Pro (a tool that purportedly optimizes the user’s system), oneSOFTperday (a tool that gives users access to free apps), and a remote access tool among others:
    > https://blog.malwarebytes.org/wp-con...all5.png?w=564
    Once programs are installed, the following have been observed from affected systems: All browser default search pages are changed to ONLY Search:
    > http://blog.malwarebytes.org/wp-cont...onlysearch.png
    Once users open a new browser tab, affiliate sites are loaded up (e.g. a site offering insurance):
    > http://blog.malwarebytes.org/wp-cont...-affiliate.png
    Browser windows open to prompt user to install more programs:
    > http://blog.malwarebytes.org/wp-cont...0/pckeeper.png
    System Optimizer Pro executes:
    > https://blog.malwarebytes.org/wp-con...exec.png?w=555
    - Affected machine slows down
    - Shortcut files are created on the desktop
    During testing, we haven’t seen any installation of the Ebola Early Warning System toolbar or evidence of warning alerts. We implore users not to be easily swayed with software solutions banking on the Ebola scare. They may be more about enticing internet users into downloading programs that may potentially do harm on their systems, instead of helping them be aware of the current situation**..."
    * https://www.virustotal.com/en/file/4...is/1414142257/

    ** http://www.cdc.gov/vhf/ebola/

    Last edited by AplusWebMaster; 2014-10-29 at 00:00.

  10. #560
    AplusWebMaster (Adviser Team)

    Fake Amazon SPAM, Phish - spoofed Google Drive

    FYI...

    Fake 'Order confirmation' from Amazon SPAM - trojan
    - http://blog.mxlab.eu/2014/10/28/fake...ntains-trojan/
    Oct 28, 2014 - "... intercepted a new trojan distribution campaign by email with the subject “Order Details”. This email is sent from the spoofed address “Amazon .co.uk ” and has the following body:

    Good evening,
    Thank you for your order. We'll let you know once your item(s) have dispatched.You can view the status of your order or make changes to it by visiting Your Orders on Amazon .co.uk.
    Order Details
    Order R:131216 Placed on October 09, 2014
    Order details and invoice in attached file.
    Need to make changes to your order? Visit our Help page for more information and video guides.
    We hope to see you again soon...


    The 532 kB malicious file is not present in a ZIP file but attached directly and has the name order_report_72364872364872364872364872368.exe (numbers may vary). The trojan is known as Trojan.MSIL.BVXGen, BehavesLike.Win32.Dropper.qh or Win32.Trojan.Inject.Auto. At the time of writing, 3 of the 53 AV engines did detect the trojan at Virus Total*..."
    * https://www.virustotal.com/en/file/1...is/1414490630/

    - http://myonlinesecurity.co.uk/amazon...tails-malware/
    29 Oct 2014
    - https://www.virustotal.com/en/file/6...is/1414584579/
    ___

    Phish - spoofed Google Drive
    - http://blog.trendmicro.com/trendlabs...le-drive-site/
    Oct 29, 2014 - "Cybercriminals and attackers are leveraging Google Drive site and brand to go under the radar and avoid detection. Just last week, a targeted attack* uses Google Drive as a means into getting information from its victims. This time, phishers are using a modified version of the legitimate Google Drive login page to steal email credentials. This attack can be considered an improved version of attacks seen earlier this year, which asked for multiple email addresses**.
    Fake Google Drive Site: Users may receive an email that contains links that lead to the spoofed Google Drive site.
    Spammed message containing links to fake site:
    > http://blog.trendmicro.com/trendlabs...akegdrive1.jpg
    The phishing site allows users to log in using different email services, which is highly unusual as Google Drive only uses Google credentials. The site also has a language option that does not work.
    Fake Google Drive site:
    > http://blog.trendmicro.com/trendlabs...akegdrive2.jpg
    To trick the user into thinking nothing suspicious is afoot, the phishing site -redirects- the user to a .PDF file from a -legitimate- site about investments. However, this redirection to a site about investments may still raise suspicions as nothing in the email indicates the specific content of the “document” is related to finances.
    After logging in, users are redirected to a legitimate site:
    > http://blog.trendmicro.com/trendlabs...akegdrive3.jpg
    ... Mobile Users, Also Affected: Based on our investigation, this attack will also work on mobile devices. When users clicked the “Sign in” button, the PDF file download is prompted and the users’ credentials are sent out to the cybercriminals.
    Screenshot of PDF prompt download in mobile devices:
    > http://blog.trendmicro.com/trendlabs...drive_fig8.jpg
    ... Users should exercise caution when opening emails, even those from known contacts. Avoid clicking links that are embedded in emails. Users can also check first by hovering their mouse over the link; doing so can reveal the true URL of the link in the status bar. Users can also check the legitimacy of the site before sharing any personal data, be it login credentials or contact details. They can check if the site address has any discrepancy (misspellings, different domain names) from the original site (e.g., <sitename .com> versus <sitename .org>). They should also check the security of the site before sharing any information... We have notified Google about this phishing page."

    * http://blog.trendmicro.com/trendlabs...-google-drive/

    ** http://blog.trendmicro.com/trendlabs...ltiple-emails/
    ___

    Fake ticketmaster SPAM – PDF malware
    - http://myonlinesecurity.co.uk/ticket...e-pdf-malware/
    29 Oct 2014 - "'ticketmaster tickets have been sent' pretending to come from confirmation-noreply@ ticketmaster .co.uk is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:

    Thank you for choosing Ticketmaster.
    This email is to confirm ticket(s) have been purchased and attached:
    Your Delivery Option is: printed
    Your Transaction number is: 869064,00410 ...


    29 October 2014: tikets224069_order_type_print_order_details.pdf.zip:
    Extracts to: tikets109873_order_type_print_order_details.pdf.exe
    Current Virus total detections: 7/54* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/2...is/1414593309/
    ___

    'Virtual Assistant' - PUP download site
    - https://blog.malwarebytes.org/online...ual-assistant/
    Oct 29, 2014 - "... suddenly there’s a person talking at you from the bottom right hand corner of the screen about how you should buy product X or make use of service Y? We recently saw a page asking visitors to upgrade their media player, which Malwarebytes Anti-Malware detects as PUP.Optional.SaferInstall (VirusTotal 12/53*). It looks a lot like many similar download sites out there [1], [2], with one curious addition standing over on the right hand side:
    > https://blog.malwarebytes.org/wp-con...0/virtual1.jpg
    A virtual assistant! She isn’t very interactive, instead launching into a recorded voiceover after a minute or so of the visitor doing nothing on the webpage. She says:
    Please upgrade your media player for faster hd playback.
    It only takes a minute on broadband and theres no restart required
    Just click this button and follow the easy steps onscreen.

    > https://blog.malwarebytes.org/wp-con...0/virtual2.jpg
    ... I haven’t seen a virtual assistant / automated online assistant / video spokesperson / video web presenter / whatever they’re called this week used to promote a PUP (Potentially Unwanted Program) download before... Who knows what.. advertising will offer up next..."
    * https://www.virustotal.com/en/file/c...is/1414085568/
    ... Behavioural information
    TCP connections
    66.77.96.162: https://www.virustotal.com/en/ip-add...2/information/
    87.248.208.11: https://www.virustotal.com/en/ip-add...1/information/
    90.84.55.33: https://www.virustotal.com/en/ip-add...3/information/
    63.245.201.112: https://www.virustotal.com/en/ip-add...2/information/

    1] http://blog.malwarebytes.org/wp-cont...svouchers5.jpg

    2] http://blog.malwarebytes.org/wp-cont...obamapads4.jpg
    ___

    Hacks use Gmail Drafts to update their Malware and Steal Data
    - http://www.wired.com/2014/10/hackers...re-steal-data/
    10.29.14 - "... Researchers at the security startup Shape Security say they’ve found a strain of malware on a client’s network that uses that new, furtive form of “command and control” — the communications channel that connects hackers to their malicious software — allowing them to send the programs updates and instructions and retrieve stolen data. Because the commands are hidden in unassuming Gmail drafts that are never even sent, the hidden communications channel is particularly difficult to detect. “What we’re seeing here is command and control that’s using a fully allowed service, and that makes it superstealthy and very hard to identify,” says Wade Williamson, a security researcher at Shape. “It’s stealthily passing messages back and forth without even having to press send. You never see the bullet fired.” Here’s how the attack worked in the case Shape observed: The hacker first set up an anonymous Gmail account, then infected a computer on the target’s network with malware. (Shape declined to name the victim of the attack.) After gaining control of the target machine, the hacker opened their anonymous Gmail account on the victim’s computer in an invisible instance of Internet Explorer — IE allows itself to be run by Windows programs so that they can seamlessly query web pages for information, so the user has no idea a web page is even open on the computer. With the Gmail drafts folder open and hidden, the malware is programmed to use a Python script to retrieve commands and code that the hacker enters into that draft field. The malware responds with its own acknowledgments in Gmail draft form, along with the target data it’s programmed to exfiltrate from the victim’s network. All the communication is encoded to prevent it being spotted by intrusion detection or data-leak prevention. The use of a reputable web service instead of the usual IRC or HTTP protocols that hackers typically use to command their malware also helps keep the hack hidden. 
Williamson says the new infection is in fact a variant of a remote access trojan (RAT) called Icoscript first found by the German security firm G-Data* in August. At the time, G-Data said that Icoscript had been infecting machines since 2012, and that its use of Yahoo Mail emails to obscure its command and control had helped to keep it from being discovered. The switch to Gmail drafts, says Williamson, could make the malware stealthier still..."
    * https://www.virusbtn.com/virusbullet...1408-IcoScript
    ___

    Dangers of opening suspicious emails: Crowti ransomware
    - http://blogs.technet.com/b/mmpc/arch...ansomware.aspx
    28 Oct 2014 - "... MMPC has seen a spike in number of detections for threats in the Win32/Crowti ransomware this month as the result of new malware campaigns. Crowti is a family of ransomware that when encountered will attempt to encrypt the files on your PC, and then ask for payment to unlock them. These threats are being distributed through spam email campaigns and exploits. Crowti impacts -both- enterprise and home users, however, this type of threat can be particularly damaging in enterprise environments. In most cases, ransomware such as Crowti can encrypt files and leave them inaccessible. That’s why it’s important to back up files on a regular basis... We also recommend you increase awareness about the dangers of opening suspicious emails – this includes not opening email attachments or links from untrusted sources. Attackers will usually try to imitate regular business transaction emails such as fax, voice mails, or receipts. If you receive an email that you’re not expecting, it’s best to ignore it. Try to validate the source of the email first -before- clicking on a link or opening the attachment... The graph below shows how Crowti ransomware has impacted our customers during the past month.
    Daily encounter data for Win32/Crowti ransomware:
    > http://www.microsoft.com/security/po.../a/crowti1.png
    Computers in the United States have been most affected with 71 percent of total infections, followed by Canada, France and Australia.
    Telemetry data for Win32/Crowti by country, 21 September – 21 October 2014:
    > http://www.microsoft.com/security/po.../a/crowti2.png
    Crowti is being distributed via spam campaigns with email attachments designed to entice the receiver to open them. We have seen the following attachment names:
    VOICE<random numbers>.scr
    IncomingFax<random numbers>.exe
    fax<random numbers>.scr/exe
    fax-id<random numbers>.exe/scr
    info_<random numbers>.pdf.exe
    document-<random numbers>.scr/exe
    Complaint_IRS_id-<random numbers>.scr/exe
    Invoice<random numbers>.scr/exe
    The attachment is usually contained within a zip archive. Opening and running this file will launch the malware... Our telemetry and research shows that Win32/Crowti is also distributed via exploits kits such as Nuclear, RIG, and RedKit V2. These kits can deliver different exploits, including those that exploit Java and Flash vulnerabilities... Crowti's primary payload is to encrypt the files on your PC. It usually brands itself with the name CryptoDefense or CryptoWall... we saw a Crowti sample distributed with a valid digital certificate which was issued to Trend... This is not associated with Trend Micro and the certificate has since been revoked. Crowti has used digital certificates to bypass detection systems before - we have previously seen it using a certificate issued to The Nielsen Company... There are a number of security precautions that can help prevent these attacks in both enterprise and consumer machines. As well as being aware of suspicious emails and backing up your files, you should also keep your security products and other applications up-to-date. Attackers are taking advantage of unpatched vulnerabilities in software to compromise your machine. Most of the exploits used by Crowti target vulnerabilities found in browser plugin applications such as Java and Flash. Making a -habit- of regularly updating your software can help reduce the risk of infection... we also recommend running a real-time security product..."

    Last edited by AplusWebMaster; 2014-10-29 at 22:54.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .
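The Crowti attachment names quoted above follow a small set of shapes: a lure stem (VOICE, IncomingFax, fax, fax-id, info_, document-, Complaint_IRS_id-, Invoice) plus random digits, an executable extension (.exe/.scr), sometimes a decoy document extension in front of it, and usually the whole thing wrapped in a zip. The screening check below is an added example, not code from the MMPC post or from Microsoft's products; the decoy extension list and the sample attachments are constructed for the demonstration.

```python
"""Screen e-mail attachment names against the Crowti lure patterns.

Constructed example, not Microsoft's detection logic. The lure stems come from
the MMPC post quoted above; the decoy-extension list and sample attachments
below are assumptions made for this demonstration.
"""
import io
import re
import zipfile

# Lure name stems listed in the MMPC post, each followed by random digits and
# an executable extension. "fax-id" is placed before "fax" so the longer stem wins.
LURE_RE = re.compile(
    r"^(?:VOICE|IncomingFax|fax-id|fax|info_|document-|Complaint_IRS_id-|Invoice)"
    r"\d+"                         # <random numbers>
    r"(?:\.[a-z0-9]{1,5})*"        # optional decoy extension(s), e.g. ".pdf"
    r"\.(?:exe|scr)$",
    re.IGNORECASE,
)
EXEC_EXTS = (".exe", ".scr")
# Assumed list of document-looking extensions used as a decoy in front of .exe/.scr
DECOY_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg")


def classify_name(name):
    """Return a list of reasons a single file name looks like a Crowti lure."""
    reasons = []
    lower = name.lower()
    parts = lower.split(".")
    if lower.endswith(EXEC_EXTS):
        reasons.append("executable attachment (%s)" % parts[-1])
        # info_<n>.pdf.exe style: a document extension in front of the real one
        if len(parts) >= 3 and "." + parts[-2] in DECOY_EXTS:
            reasons.append("double extension disguising executable as ." + parts[-2])
    if LURE_RE.match(name):
        reasons.append("matches Crowti spam lure naming pattern")
    return reasons


def scan_attachment(name, data):
    """Scan one attachment; zip archives are opened and every member is checked.

    Returns {file name: [reasons]} containing only flagged names.
    """
    findings = {}
    if name.lower().endswith(".zip"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                members = zf.namelist()
        except zipfile.BadZipFile:
            return {name: ["claims to be a zip but is not parseable"]}
        for member in members:
            # strip any directory prefix inside the archive before matching
            reasons = classify_name(member.rsplit("/", 1)[-1])
            if reasons:
                findings[name + ":" + member] = reasons
    else:
        reasons = classify_name(name)
        if reasons:
            findings[name] = reasons
    return findings


def _make_zip(members):
    """Build an in-memory zip with the given member names (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member in members:
            zf.writestr(member, b"placeholder bytes, not a real executable")
    return buf.getvalue()


# Constructed sample attachments mirroring the names in the MMPC post,
# plus two benign ones that must not be flagged.
SAMPLES = [
    ("Invoice48213.zip", _make_zip(["Invoice48213.scr"])),
    ("info_77123.pdf.exe", b""),
    ("fax-id991.zip", _make_zip(["fax-id991.exe", "readme.txt"])),
    ("Q3_report.zip", _make_zip(["Q3_report.pdf"])),
    ("meeting-notes.docx", b""),
]


def scan_all(samples=SAMPLES):
    """Return the merged findings for a list of (name, bytes) attachments."""
    merged = {}
    for name, data in samples:
        merged.update(scan_attachment(name, data))
    return merged


if __name__ == "__main__":
    for flagged, reasons in scan_all().items():
        print(flagged, "->", "; ".join(reasons))
```

The name check is deliberately layered: any .exe/.scr attachment is worth flagging on its own, a decoy extension in front of it is a stronger signal, and the lure-stem regex catches the specific campaign naming. Because the campaign ships the executable inside a zip, the archive is opened in memory and its member names are checked rather than trusting the outer .zip name; an unparseable "zip" is reported rather than silently passed.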
