
Thread: SPAM frauds, fakes, and other MALWARE deliveries...

  #34
    AplusWebMaster (Adviser Team)
    Join Date: Oct 2005

    Fake Flash, LinkedIn, pharma, efax ...


    Fake Flash Updates - via SPAM attachment...
    Jan 24, 2013 - "Following the return of fake Google Chrome browser updates almost two weeks ago, online criminals are now banking on fake Adobe Flash Player updates to lure the unwary user into downloading malware onto their system... spam emails claiming to be from the Better Business Bureau (BBB) and eFax Corporate... The BBB email contains an attachment that is found to be a Pony downloader that, once opened, downloads a variant of the ZeuS banking Trojan onto the affected user’s system. The said downloader also steals various passwords related to FTP sites..."
    (Screenshots available at the gfi URL above.)

    Malicious BT SPAM
    Jan 24, 2013 - "... if you’re a client of the BT (British Telecom) Group, be warned that there is a new spam campaign under the guise of a “Notice of Delivery” mail* pretending to originate from BT Business Direct... Once users download and open the attached HTM file, they are -redirected- to a Russian website the file calls back to. The website serves a Blackhole Exploit Kit, which then downloads Cridex once it finds a software vulnerability..."

    Fake ADP SPAM / 14.sofacomplete .com
    24 Jan 2013 - "This fake ADP spam leads to malware on 14.sofacomplete .com:
    From: Erna_Thurman @ADP .com Date: 24 January 2013 17:48
    Subject: ADP Generated Message: Final Notice - Digital Certificate Expiration
    This e-mail has been sent from an automated system. PLEASE DO NOT REPLY. If you have any questions, please contact your administrator for assistance.
    Digital Certificate About to Expire
    The digital certificate you use to access ADP's Internet services is about to expire. If you do not renew your certificate by the expiration date below, you will not be able to access ADP's Internet services.
    Days left before expiration: 1
    Expiration date: Jan 25 23:59:59 GMT-03:59 2013
    Renewing Your Digital Certificate
    1. Go to this URL: https ://netsecure.adp .com/pages/cert/register2.jsp
    2. Follow the instructions on the screen.
    3. Also you can download new digital certificate at https ://netsecure.adp .com/pages/cert/pickUpCert.faces.
    Deleting Your Old Digital Certificate
    After you renew your digital certificate, be sure to delete the old certificate. Follow the instructions at the end of the renewal process.

    The malicious payload is at [donotclick]14.sofacomplete .com/read/saint_hate-namely_fails.php hosted on (Comcast, US). There will probably be other malicious domains on this same IP, so blocking it may be useful."

    Fake LinkedIn emails lead to client-side exploits and malware
    Jan 24, 2013 - "... Over the past 24 hours, cybercriminals have launched yet another massive spam campaign, impersonating LinkedIn, in an attempt to trick its users into clicking on the malicious links found in the bogus “Invitation Notification” themed emails. Once they click on the links, users are automatically exposed to the client-side exploits served by the Black Hole Exploit Kit...
    Sample screenshot of the spamvertised email:
    > https://webrootblog.files.wordpress....xploit_kit.png
    ... Name servers used by these malicious domains:
    Name server: ns1.http-page .net – – Email: ezvalue @yahoo .com
    Name server: ns2.http-page .net – – Email: ezvalue @yahoo .com
    Name Server: ns1.high-grades .com –
    Name Server: ns2.high-grades .com –
    Sample malicious payload dropping URL:
    hxxp ://shininghill .net/detects/solved-surely-considerable.php?vf=1o:31:1h:1l:2w&fe=33:1o:1g:1l:1m:1k:2v:1l:1o:32&n=1f&dw=w&qs=p
    Upon successful client-side exploitation, the campaign drops MD5: fdc05614f56aca9421271887c1937f51 * ...Trojan-Spy.Win32.Zbot.ihgm.
    Upon execution, the same creates the following process on the affected hosts:
    The following registry keys:
    ... Once executed, the sample also attempts to establish multiple UDP connections with the following IPs: :11709 :11404 :29436 :29817 :13503 :14545 :10119 :16149
    (More detail at the webroot URL above.)
    File name: info.ex_
    Detection ratio: 30/44
    Analysis date: 2013-01-23

    Fake pharma sites 24/1/13
    24 Jan 2013 - "Here's an updated list of fake RX sites being promoted through vague spam like this:
    Date: Thu, 24 Jan 2013 04:44:45 +0000 (GMT)
    From: "Account Info Change" [noreply @etraxx .com]
    Subject: Updated information
    Attention please:
    - Over 50 new positions added (view recently added products)
    - Free positions included with all accounts (read more here)
    - The hottest products awaiting you in the first weeks of the new year (read more here)
    - We want you to feel as comfortable as possible while you're at our portal.
    Click Here to Unsubscribe

    As with a few days ago, these sites are hosted on: (Hostwinds, Australia) (WestHost Inc, US)
    Currently active spamvertised sites are as follows:
    (Long list available at the dynamoo URL above.)

    Fake Efax Corporate SPAM / epimarkun .ru
    24 Jan 2013 - "This fake eFax spam leads to malware on epimarkun .ru:
    Date: Thu, 24 Jan 2013 04:04:42 +0600
    From: Habbo Hotel [auto-contact @habbo .com]
    Subject: Efax Corporate
    Attachments: Efax_Corporate.htm
    Fax Message [Caller-ID: 963153883]
    You have received a 28 pages fax at Thu, 24 Jan 2013 04:04:42 +0600, (157)-194-4168.
    * The reference number for this fax is [eFAX-009228416].
    View attached fax using your Internet Browser.
    © 2013 j2 Global Communications, Inc. All rights reserved.
    eFax ® is a registered trademark of j2 Global Communications, Inc.
    This account is subject to the terms listed in the eFax ® Customer Agreement.

    There is an attachment called Efax_Corporate.htm leading to a malicious payload at [donotclick]epimarkun .ru:8080/forum/links/column.php which is hosted on the following IPs: (Steadfast Networks, US) (OVH, France) (Mongolian Railway Commercial Center, Mongolia)
    These IPs and domains are all malicious:
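The quoted write-ups hand out their indicators in a defanged form (a space before the TLD, "hxxp ://", a "[donotclick]" tag) so nobody opens them by accident, which means they have to be normalised before they can feed a DNS or proxy blocklist. The following is an added example, not code from this post or from the quoted blogs: the sample lines are copied from the post, the extraction regex is my own heuristic, and the sender address (ADP .com) is deliberately skipped because it is a spoofed brand, not attacker infrastructure.

```python
import re

# Constructed sample: lines in the defanged notation used in the post above.
SAMPLE_LINES = [
    "The malicious payload is at [donotclick]14.sofacomplete .com/read/saint_hate-namely_fails.php",
    "hxxp ://shininghill .net/detects/solved-surely-considerable.php?vf=1o:31",
    "leading to a malicious payload at [donotclick]epimarkun .ru:8080/forum/links/column.php",
    "dmssmgf .ru",
    "Name server: ns1.http-page .net",
    "From: Erna_Thurman @ADP .com Date: 24 January 2013 17:48",
]

# Host (one or more labels) with an alphabetic TLD and an optional port.
# The lookbehind refuses matches preceded by a word char, '@', '.', '-' or '/',
# so path components like "/column.php" and e-mail domains are not picked up.
DOMAIN_RE = re.compile(r"(?<![\w@./-])((?:[a-z0-9-]+\.)+[a-z]{2,})(?::(\d{1,5}))?", re.I)


def refang(text: str) -> str:
    """Undo the defanging conventions seen in the post (heuristic, not a standard)."""
    text = text.replace("[donotclick]", "")
    # "hxxp ://" / "hxxps ://" -> "http://" / "https://"
    text = re.sub(r"hxxps?\s*://",
                  lambda m: re.sub(r"\s", "", m.group(0).lower().replace("xx", "tt")), text,
                  flags=re.I)
    # "example .com" -> "example.com"; "user @example" -> "user@example"
    text = re.sub(r"\s+\.(?=[a-z]{2,})", ".", text, flags=re.I)
    text = re.sub(r"\s*@\s*", "@", text)
    return text


def extract_blocklist(lines):
    """Return sorted unique (host, port-or-None) tuples from refanged text."""
    found = set()
    for line in lines:
        clean = refang(line)
        # Drop URL schemes so the host after "://" is not blocked by the lookbehind.
        clean = re.sub(r"\w+://", " ", clean)
        for m in DOMAIN_RE.finditer(clean):
            port = int(m.group(2)) if m.group(2) else None
            found.add((m.group(1).lower(), port))
    return sorted(found, key=lambda t: (t[0], t[1] or 0))


if __name__ == "__main__":
    for host, port in extract_blocklist(SAMPLE_LINES):
        print(host if port is None else f"{host}:{port}")
```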

    Last edited by AplusWebMaster; 2013-01-25 at 00:09.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
