
Thread: SPAM frauds, fakes, and other MALWARE deliveries...

  1. #411
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Threat Metrics / Malware magnets ...

    FYI...

    Malware magnets ...
    Cisco's threat metrics show pharmaceutical and chemical firms are 11 times more susceptible to Web malware
    - http://www.infoworld.com/t/cyber-cri...magnets-238909
    Mar 24, 2014 - "... Cyber crime has been estimated* at costing the U.S. economy $100 billion annually, with smaller companies feeling the pain** more often due to inadequate defenses. If Cisco's analyses are on track - and the numbers hold true for people outside of Cisco's customer base - attacks are likely to grow even more targeted to match their victims in the future, with narrower niches singled out by attackers based on their industry."
    * http://www.infoworld.com/d/security/...00-jobs-223352

    ** http://www.infoworld.com/d/security/...r-crime-216543

    Feb 2014 Threat Metrics
    - http://blogs.cisco.com/security/febr...hreat-metrics/
    Mar 21, 2014 - "Web surfers in February 2014 experienced a median malware encounter rate of 1:341 requests, compared to a January 2014 median encounter rate of 1:375. This represents a 10% increase in risk of encountering web-delivered malware during the second month of the year. February 8, 9, and 16 were the highest risk days overall, at 1:244, 1:261, and 1:269, respectively. Interestingly, though perhaps not unexpectedly, web surfers were 77% more likely to encounter Facebook scams on the weekend compared to weekdays. 18% of all web malware encounters in February 2014 were for Facebook related scams.
    > http://blogs.cisco.com/wp-content/up...eb2014Rate.jpg
    The ratio of unique non-malicious hosts to unique malware hosts was fairly constant between the two months, at 1:4808 in January 2014 and 1:4775 in February 2014. Likewise, the rate of unique non-malicious IP addresses to malicious IP addresses was also similar between the two months, at 1:1330 in January 2014 compared to 1:1352 in February 2014.
    > http://blogs.cisco.com/wp-content/up...b2014hosts.jpg
    While Java malware encounters were 4% of all web malware encounters in January 2014, that rate increased to 9% in February. Of particular interest was the increase in the rate of Java malware encounters involving versions older than Java 7 or Java 6, which increased to 33% of all Java malware encounters in February 2014 from just 13% in the month prior.
    > http://blogs.cisco.com/wp-content/up...eb2014java.jpg
    During the month of February 2014, risk ratings for companies in the Media & Publishing vertical increased 417%, Utilities increased 218%, and Insurance 153%. Companies in Pharmaceutical & Chemical remained at a consistent high rate, with a slight increase from a 990% risk rating in January 2014 to an 1100% risk rating in February. To assess vertical risk, we first calculate the median encounter rate for all enterprises, and then calculate the median encounter rate for all enterprises in a particular vertical, then compare the two. A rate higher than 100% is considered an increased risk.
    > http://blogs.cisco.com/wp-content/up...eb2014vert.jpg
    Following a January 2014 spam volume decrease of 20% in January 2014, spam volumes increased 73% in February 2014...
    > http://blogs.cisco.com/wp-content/up...014spamvol.jpg
    The top five global spam senders in February 2014 were the United States at 16.5%, followed by the Russian Federation at 12.41%, with Spain, China, and Germany a distant 3.77%, 3.39%, and 3%, respectively. Though the Russian Federation was also in the number two spot in January 2014, it was a significant volume increase from only 5.10% of global spam origin that month."
    ___

    Secure Message from various banks – fake PDF malware
    - http://myonlinesecurity.co.uk/secure...e-pdf-malware/
    Mar 27, 2014 - "... pretends to come from various banks is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Almost all of these have a password stealing component, with the aim of stealing your email or FTP ( web space) log in credentials. Many of them are also designed to specifically steal your facebook and other social network log in details... We have seen a couple of different versions over the last few days from different banks, including HSBC, and Natwest...
    Subjects seen are:
    You have a new Secure Message
    You have received a secure message

    HSBC secure mail
    Secure Message
    You have received a secure message
    Read your secure message by opening the attachment. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it with Internet Explorer.
    If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the HSBC Secure Mail Help Desk.
    First time users – will need to register after opening the attachment...


    Screenshot: http://myonlinesecurity.co.uk/wp-con...ecure-mail.png

    Natwest Secure Message:
    You have received a encrypted message from NatWest Customer Support
    In order to view the attachment please open it using your email client ( Microsoft Outlook, Mozilla Thunderbird, Lotus )
    If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the NatWest Bank Secure Email Help Desk...


    27 March 2014 : Version 1 (NatWest bank) SecureMessage.zip (8kb) Extracts to SecureMessage.exe (19kb)
    Current Virus total detections: 5/51* MALWR Auto Analysis **
    27 March 2014 : Version 2 (HSBC) SecureMessage.zip (11kb) Extracts to SecureMessage.exe (24kb)
    Current Virus total detections: 0/51*** MALWR Auto Analysis ****
    This You have received a secure message is another one of the spoofed icon files that unless you have "show known file extensions enabled", will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email..."
    * https://www.virustotal.com/en/file/e...12a4/analysis/

    ** https://malwr.com/analysis/ZmFkZDRhN...Q5YzlhODQ1Zjg/

    *** https://www.virustotal.com/en/file/e...3cbb/analysis/

    **** https://malwr.com/analysis/NGI0NjVmY...RjMDVmYmMyZTQ/
    ___

    Facebook You send new photo – fake PDF malware
    - http://myonlinesecurity.co.uk/facebo...e-pdf-malware/
    Mar 27, 2014 - "... pretending to be from Facebook is another one from the current Androm bot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. Almost all of these have a password stealing component, with the aim of stealing your email or FTP ( web space) log in credentials. Many of them are also designed to specifically steal your facebook and other social network log in details. This campaign follows on from other similar attempts to infiltrate your computer using Facebook as a theme...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...-new-photo.png

    27 March 2014 DCIM_IMAGEForYou.rar (40kb) Extracts to DCIM_IMAGEForYou.scr
    Current Virus total detections: 1/51* MALWR Auto Analysis**
    This You send new photo is another one of the spoofed icon files that unless you have "show known file extensions enabled", will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/7...9404/analysis/

    ** https://malwr.com/analysis/ZWQyMjdkY...hjZWVlNTVjMmM/

    Last edited by AplusWebMaster; 2014-03-27 at 18:48.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .
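An added example, not code from the post or from the blogs it quotes, of the check a mail gateway or an analyst could apply to the lures described above: it flags archive members with executable or double extensions (the "spoofed icon" trick that relies on Windows hiding known extensions) and PE content hiding behind a document extension. The member names are the ones named in the post; the ZIP and its bytes are constructed here so the check runs offline.

```python
import io
import zipfile
from typing import List, Optional, Tuple

# Extensions Windows will run on double-click (trimmed list, assumption).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}
# Document/image extensions the lures above impersonate.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "rtf", "jpg", "png"}
PE_MAGIC = b"MZ"  # first two bytes of every Win32 PE file


def suspicious_name(name: str) -> Optional[str]:
    """Reason string if the bare file name looks like a disguised executable."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    if len(parts) < 2:
        return None
    ext = parts[-1]
    if ext not in EXECUTABLE_EXTS:
        return None
    # e.g. Deliery_info_7383461243.pdf.exe: a document extension in front of the real one
    if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTS:
        return "double extension ." + parts[-2] + "." + ext
    return "executable ." + ext


def suspicious_content(name: str, head: bytes) -> Optional[str]:
    """Reason string if the bytes are a PE although the name claims a document."""
    ext = name.lower().rsplit(".", 1)[-1]
    if head.startswith(PE_MAGIC) and ext in DOCUMENT_EXTS:
        return "PE header inside ." + ext
    return None


def scan_attachment(filename: str, data: bytes) -> List[Tuple[str, str]]:
    """Return (member, reason) pairs for a bare attachment or for every ZIP member."""
    findings: List[Tuple[str, str]] = []
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                with zf.open(info) as fh:
                    head = fh.read(2)  # only the magic is needed
                for reason in (suspicious_name(info.filename),
                               suspicious_content(info.filename, head)):
                    if reason:
                        findings.append((info.filename, reason))
    else:
        for reason in (suspicious_name(filename), suspicious_content(filename, data[:2])):
            if reason:
                findings.append((filename, reason))
    return findings


def build_sample_zip(members) -> bytes:
    """Build an in-memory ZIP from (name, content) pairs (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members:
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample: member names from the post, bodies faked with a PE/PDF magic.
SAMPLE_ZIP = build_sample_zip([
    ("SecureMessage.exe", b"MZ\x90\x00" + b"\x00" * 60),
    ("Deliery_info_7383461243.pdf.exe", b"MZ\x90\x00" + b"\x00" * 60),
    ("statement.pdf", b"MZ\x90\x00" + b"\x00" * 60),  # renamed PE, caught by magic
    ("readme.pdf", b"%PDF-1.4\n"),                      # genuine document, passes
])

if __name__ == "__main__":
    for member, reason in scan_attachment("SecureMessage.zip", SAMPLE_ZIP):
        print(f"{member}: {reason}")
    print(scan_attachment("DCIM_IMAGEForYou.scr", b"MZ\x90\x00"))
```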

  2. #412
    Adviser Team AplusWebMaster

    Fake Bank acct. security warning, Something evil on 192.95.44.0/27

    FYI...

    Fake Bank acct. security warning – fake PDF malware
    - http://myonlinesecurity.co.uk/bankin...e-pdf-malware/
    28 Mar 2014 - "Banking account security warning pretending to come from FRAUD ALERT SYSTEM <k.cooper@ fraudalert .com> is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. Many of these bank themed emails are extremely difficult to distinguish from phishing scams. It is becoming very frequent that the same or almost identical emails are being used over and over. Sometimes they have a link to a -fake- website where they expect you to give them your details. Other times it contains a html file that they want you to -click- on and enter details. This time they have a -fake- pdf file that if you are unwise enough to open it would infect your computer and enroll it into the Zeus botnet...
    Subjects seen:
    Important: Unauthorized attempt to access your banking account
    Banking account security warning
    Attention! Your credit card is being used

    Emails seen:
    Dear Sir or Madam,
    The banking security system has just registered an external attempt to use your credit card from an unknown location.
    In view of the fact that the safety of the credit card account is in danger we strongly recommend you to use the emergency instructions given in the attachments.
    To protect users from attacks and fraudulent activities coming from within the banking system itself we need your permission to start the investigation and adjust the security measurements. If the required steps won’t be completed the account will be temporarily suspended and will be available after visiting a local office.
    Step-by-step instructions and emergency phone number are in attachments to the email.
    Truly yours,
    PCI DSS Chief officer
    K. Cooper ...


    28 March 2014 : Fraud alert document 778-1.zip (345kb) Extracts to Fraud alert document 778-1.exe
    Current Virus total detections: 4/51* MALWR Auto Analysis**
    This Banking account security warning is another one of the spoofed icon files that unless you have "show known file extensions enabled", will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email..."
    * https://www.virustotal.com/en/file/5...3c50/analysis/

    ** https://malwr.com/analysis/NjE0ZmFmM...U5NjcyNTkyZTc/
    ___

    Something evil on 192.95.44.0/27 (OVH Canada)
    - http://blog.dynamoo.com/2014/03/some...vh-canada.html
    28 Mar 2014 - "192.95.44.0/27 (spotted by Frank Denis*) is another evil OVH Canada netblock which I assume belongs to their black hat customer r5x .org / Penziatki although now OVH seem to be masking the customer details. I can see the following active subdomains within this range, all of which can be assumed to be malicious...
    (Long list of URLs at the dynamoo URL above.)
    I recommend that you apply the following blocklist:
    192.95.44.0/27
    accruespecialiste .ru
    reachprotectione .ru
    reachmape .ru
    acquireconnectionse .ru
    "
    * https://twitter.com/jedisct1/status/449309681408684032
    ___

    Sky .com SPAM leads to Gameover Zeus
    - http://blog.dynamoo.com/2014/03/skyc...pam-leads.html
    28 Mar 2014 - "This -fake- Sky spam has a malicious attachment:
    Date: Fri, 28 Mar 2014 07:16:43 -0300 [06:16:43 EDT]
    From: "Sky.com" [statement@ sky .com]
    Subject: Statement of account
    Afternoon,
    Please find attached the statement of account.
    We look forward to receiving payment for the February invoice as this is now due for
    payment.
    Regards,
    Darrel ...


    The attachment is a ZIP file which contains an executable Statement_03282014.exe (note that the date is encoded into the file). This has a VirusTotal detection rate of 8/51*. The Malwr analysis** shows several attempted network connections. Firstly there's a download of a configuration file from [donotclick]igsoa .net/Book/2803UKd.wer and then subsequently an attempted connection aulbbiwslxpvvphxnjij .biz on 50.116.4.71 (a Linode IP which has been seen before) and a number of -other- autogenerated domains.
    Recommended blocklist:
    50.116.4.71
    aulbbiwslxpvvphxnjij .biz
    lpuoztsdsnvyxdyvwpnlzwg .com
    ..."
    (More domains listed at the dynamoo URL above.)
    * https://www.virustotal.com/en-gb/fil...is/1396011158/

    ** https://malwr.com/analysis/N2ZkYWFiN...k1MGI3MTYwNDU/
    ___

    New Man-in-the-Middle attacks leveraging rogue DNS
    - http://atlas.arbor.net/briefs/index#-1333965473
    27 Mar 2014
    Elevated Severity
    New Man-in-the-Middle attacks are manipulating DNS settings and posing as websites of over 70 different financial institutions in order to capture login credentials.
    Source:
    - http://blog.phishlabs.com/new-man-in...ging-rogue-dns
    Mar 26, '14 - "... new wave of "Man-in-the-Middle" (MitM) attacks targeting users of online banking and social media. Customers of more than 70 different financial institutions are being targeted. In these attacks, hackers use -spam- to deliver malware that changes DNS settings and installs a rogue Certificate Authority (CA). The DNS changes point to the hacker's clandestine DNS name server so that users are directed to proxy servers instead of legitimate sites... The browser displays the proper website name and displays the familiar security icon to indicate a trusted, secure connection. The hacker's proxy sits between the authorized user and the real website, capturing login credentials and injecting code into the browsing session. This allows the hacker to take total control of the user's account and carry out unauthorized banking transactions as well as other actions...
    > http://blog.phishlabs.com/hs-fs/hub/...itM_Attack.png
    The hacker initiates these attacks by using spam to deliver malware to victims via malicious attachments... these spam emails contain a message designed to entice the user to open an attached RTF (Rich Text Format) document. The document contains an OLE (Object Linking and Embedding) object which is actually an executable program file. This program is the malware which changes the DNS and Certificate Authority settings that allow the attack to be performed without any outward signs visible to the user.
    > http://blog.phishlabs.com/hs-fs/hub/...sed_as_RTF.png
    On many systems, double-clicking an embedded program will execute it. Cybercriminals may use tools to create specially crafted RTF document files that display a familiar data file icon and a caption in most popular word processing programs; thus hiding or obscuring clues to the executable nature of the object, such as the EXE filename extension... The malware embedded in the spammed documents is a backdoor RAT (Remote Administration Tool) with an initial payload containing instructions to change DNS and security settings when initialized. The file is a Win32 PE (Portable Executable) EXE file and is actually a compiled form of an AutoIt script. The AutoIt scripting tools used offer the option to obfuscate the compiled code, and the version used to produce this malware makes it more difficult to decompile or reverse engineer the resulting EXE file than earlier versions. Some but not all of the samples found have been run through a second "cryptor" to aid in evading detection by anti-malware tools... One of the first actions performed by the malware is changing the DNS settings on the infected user’s PC. The malware configures the PC to use the hacker's rogue DNS server... PhishLabs continues to monitor these attacks and is working with others to mitigate the threat."
    ___

    CVE-2014-0322* integrating Exploit Kits
    - http://atlas.arbor.net/briefs/index#1584606323
    27 Mar 2014
    Elevated Severity
    The disclosed CVE-2014-0322 vulnerability affecting Internet Explorer 9 and 10 is now being integrated into exploit kits.
    This follows previously observed patterns of 0-day exploit code first being developed and used by APT actors for specific targets, then later adapted by cyber criminals for use in exploit kits targeting a much wider range of users who have not yet applied security updates.

    Source: http://malware.dontneedcoffee.com/20...loit-kits.html

    * https://web.nvd.nist.gov/view/vuln/d...=CVE-2014-0322 - 9.3 (HIGH)
    Last revised: 03/16/2014

    Last edited by AplusWebMaster; 2014-03-28 at 23:21.
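An added example, not code from the post or from dynamoo, showing how the blocklists quoted in this post can actually be applied: it refangs the "domain .tld" notation used above, parses CIDR and single-host entries, and matches constructed DNS/proxy log lines against them, including subdomains of a listed domain and the edge of the 192.95.44.0/27 range. The list entries are the ones quoted in this post; the log lines and the log format are constructed.

```python
import ipaddress
import re
from typing import Iterable, List, Set, Tuple

# Entries exactly as quoted in the post (defanged with a space before the TLD).
BLOCKLIST_TEXT = """
192.95.44.0/27
accruespecialiste .ru
reachprotectione .ru
reachmape .ru
acquireconnectionse .ru
50.116.4.71
aulbbiwslxpvvphxnjij .biz
lpuoztsdsnvyxdyvwpnlzwg .com
"""


def refang(token: str) -> str:
    """Undo the ' .' and '[.]' defanging used in the quoted posts."""
    return re.sub(r"\s*\[?\.\]?\s*", ".", token.strip()).lower()


def parse_blocklist(text: str):
    """Split a blocklist into IP networks (hosts become /32) and domain names."""
    nets, domains = [], set()
    for line in text.splitlines():
        line = refang(line)
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            domains.add(line)
    return nets, domains


def ip_blocked(ip: str, nets) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in n for n in nets)


def domain_blocked(host: str, domains: Set[str]) -> bool:
    """True if host equals a listed domain or is a subdomain of one."""
    labels = refang(host).rstrip(".").split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))


# Constructed log format (assumption): "<timestamp> <source-ip> <DNS|HTTP> <target>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<kind>DNS|HTTP) (?P<target>\S+)$")


def scan_log(lines: Iterable[str], nets, domains) -> List[Tuple[str, str]]:
    """Return (source-ip, host) for every line whose destination is blocklisted."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        # Reduce a URL or bare name to its host part, dropping scheme, port and path.
        host = m.group("target").split("//")[-1].split("/")[0].split(":")[0]
        if ip_blocked(host, nets) or domain_blocked(host, domains):
            hits.append((m.group("src"), host))
    return hits


# Constructed sample log: one subdomain hit, one IP inside the /27, one C2 domain
# with a port, one benign lookup, and one IP just outside the /27 (must not match).
SAMPLE_LOG = [
    "2014-03-28T10:01:02 10.0.0.12 DNS cdn.reachmape.ru",
    "2014-03-28T10:01:05 10.0.0.12 HTTP http://192.95.44.17/update.php",
    "2014-03-28T10:02:11 10.0.0.33 HTTP http://aulbbiwslxpvvphxnjij.biz:8080/",
    "2014-03-28T10:02:40 10.0.0.33 DNS www.example.com",
    "2014-03-28T10:03:00 10.0.0.40 HTTP http://192.95.44.40/",
]

if __name__ == "__main__":
    nets, domains = parse_blocklist(BLOCKLIST_TEXT)
    for src, host in scan_log(SAMPLE_LOG, nets, domains):
        print(f"{src} -> {host}")
```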

  3. #413
    Adviser Team AplusWebMaster

    Android.MisoSMS - malware, Google Public DNS intercepted, Credit Card SCAM ...

    FYI...

    Android.MisoSMS - malware ...
    - http://www.fireeye.com/blog/technica...with-xtea.html
    Mar 31, 2014 - "FireEye labs recently found a more advanced variant of Android.MisoSMS, the SMS-stealing malware that we uncovered last December* — yet another sign of cybercriminals’ growing interest in hijacking mobile devices for surveillance and data theft. Like the original version of the malware, the new variant sends copies of users’ text messages to servers in China. But the newest rendition adds a few features that make it harder to detect, including a new disguise, encrypted transmissions, and command-and-control (CnC) communications that are handled natively rather than over email... The newest version of MisoSMS suggests that cyber attackers are increasingly eyeing mobile devices — and the valuable information they store — as targets. It also serves as a vivid reminder of how crucial protecting this threat vector is in today’s mobile environment."
    * http://www.fireeye.com/blog/?p=4126
    (More detail available at both fireeye URLs above.)
    ___

    Who’s Behind the ‘BLS Weblearn’ Credit Card SCAM
    - http://krebsonsecurity.com/2014/03/w...dit-card-scam/
    Mar 31, 2014 - "A new rash of credit and debit card scams involving bogus sub-$15 charges and attributed to a company called “BLS Weblearn” is part of a prolific international scheme designed to fleece unwary consumers... At issue are a rash of phony charges levied against countless consumers for odd amounts — such as $10.37, or $12.96. When they appear on your statement, the charges generally reference a company in St. Julians, Malta such as BLS*Weblearn or PLI*Weblearn, and include a 1-888 number that may or may not work (the most common being 888-461-2032 and 888-210-6574)...
    onlinelearningaccess .com, one of the fraudulent affiliate marketing schemes that powers these -bogus- micropayments:
    > http://krebsonsecurity.com/wp-conten...ningaccess.png
    ... it appears that the payments are being processed by a company called BlueSnap, which variously lists its offices in Massachusetts, California, Israel, Malta and London. Oddly enough, the payment network behind the $9.84 scams that surfaced last year — Credorax — also lists offices in Massachusetts, Israel, London and Malta. And, just like with the $9.84 scam*, this latest micropayment fraud scheme involves an extremely flimsy-looking affiliate income model that seems merely designed for abuse. According to information from several banks contacted for this story, early versions of this scam (in which fraudulent transactions were listed on statements as PLI*WEBLEARN) leveraged pliblue .com, formerly associated with a company called Plimus, a processor that also lists offices in California and Israel (in addition to Ukraine)... If you see charges like these or any other activity on your credit or debit card that you did not authorize, contact your bank and report the fraud immediately. I think it’s also a good idea in cases like this to request a new card in the odd chance your bank doesn’t offer it: After all, it’s a good bet that your card is in the hands of crooks, and is likely to be abused like this again. For more on this scam, check out these posts from DailyKos** and Consumerist***."
    * http://krebsonsecurity.com/2014/01/d...t-card-hustle/

    ** http://www.dailykos.com/story/2014/0...-fraud-warning

    *** http://consumerist.com/2014/03/19/ch...-transactions/
    ___

    Fake cclonline "Order Despatched" – fake doc malware
    - http://myonlinesecurity.co.uk/cclonl...e-doc-malware/
    Mar 31, 2014 - "... pretending to come from sales@ cclonline .com and to be a notification about a computer being despatched to you via DPD courier services is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses...
    Dear ellie,
    We are pleased to confirm that your order reference 1960096 has been despatched via Economy Courier. You will find the full details of your order and this delivery in the attached document. In a few hours, your consignment 0255417316 can be tracked through the DPD website by clicking the following link: www .dpd .co .uk/tracking/trackingSearch.do?search.searchType=1&search.consignmentNumber=0255417321
    You may receive further information concerning your consignment direct from DPD via email and/or SMS
    Should you have any queries regarding your purchase, our customer service staff will be pleased to assist. E-mail mailto:custservice@ cclonline .com or telephone 01274 471206.
    Thank you for choosing CCL Computers.
    Yours sincerely...


    31 March 2014: DESPATCH_NOTE_B18E7F.zip (72kb) Extracts to disp_75464354787914325.doc.exe
    Current Virus total detections: 2/51*. This cclonline .com – Order Despatched is another one of the spoofed icon files that unless you have "show known file extensions enabled", will look like a proper doc file with a fake Bluetooth icon instead of the .exe file it really is..."
    * https://www.virustotal.com/en/file/c...892c/analysis/
    ___

    ADP Benefit Election Spam
    - http://threattrack.tumblr.com/post/8...-election-spam
    Mar 31, 2014 - "Subjects Seen:
    Benefit Elections
    Typical e-mail details:
    Please review the attached CBE form, If you require changes to the options shown, please contact me right away so that we may address your concerns. We will record your elections in our system and provide you a final Client Confirmation Statement for your review.
    Please sign and send it back.
    Regards,
    ADP TotalSource Benefits Team


    Screenshot: https://gs1.wac.edgecastcdn.net/8019...ybc1r6pupn.png

    Malicious File Name and MD5:
    CBE_Form.zip (60770AD82549984031FD3615E180EC83)
    CBE_Form.scr (20406804C43D11DA25ABC2714697EC59)


    Tagged: ADP, Upatre
    ___

    Google’s Public DNS intercepted in Turkey
    - http://googleonlinesecurity.blogspot...in-turkey.html
    Mar 29, 2014 - "We have received several credible reports and confirmed with our own research that Google’s Domain Name System (DNS) service has been intercepted by most Turkish ISPs (Internet Service Providers). A DNS server tells your computer the address of a server it’s looking for, in the same way that you might look up a phone number in a phone book. Google operates DNS servers because we believe that you should be able to quickly and securely make your way to whatever host you’re looking for... imagine if someone had changed out your phone book with another one, which looks pretty much the same as before, except that the listings for a few people showed the wrong phone number. That’s essentially what’s happened: Turkish ISPs have set up servers that masquerade as Google’s DNS service."

    Last edited by AplusWebMaster; 2014-03-31 at 22:15.

  4. #414
    Adviser Team AplusWebMaster

    Something evil on 64.202.116.124, Fake PDF malware...

    FYI...

    Something evil on 64.202.116.124
    - http://blog.dynamoo.com/2014/04/some...202116124.html
    1 Apr, 2014 - "64.202.116.124 (HostForWeb, US) is currently hosting exploit kits (see this example*). I recommend that you block traffic to this IP or the domains listed in this pastebin**. Most of the domains listed are dynamic DNS ones. If you block all such domains in that list it is nice and manageable:

    in .ua
    myftp .org
    sytes .net
    hopto .org
    no-ip .biz
    myvnc .com
    sytes .net
    no-ip .info
    tobaccopeople .com
    "
    * http://urlquery.net/report.php?id=1396348899312

    ** http://pastebin.com/Pq4kDit6

    - https://www.virustotal.com/en/ip-add...4/information/
    ___

    Fake message from your attorney - PDF malware
    - http://myonlinesecurity.co.uk/messag...e-pdf-malware/
    1 April 2014 - "... pretending to be from your neighbour is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. Almost all of these have a password stealing component, with the aim of stealing your email or FTP ( web space) log in credentials. Many of them are also designed to specifically steal your facebook and other social network log in details. This one also has a rootkit component so the malware it downloads & ruins, attempts to stay hidden on your computer...
    Hi, there!
    This is your neighbor writing here. Today your attorney popped you, but you were out, so he left a message for you.
    I have attached the file in this email, so you can open and check everything you need.
    Your attorney told me it is quite urgent and as soon as you check this message you should call him back.
    If something is not clear, you can find the cell phone number of your attorney into the file, so you can dial it at once...


    1 April 2014 please call me back asap.zip (346kb) Extracts to please call me back asap.exe
    Current Virus total detections: 6/51*. This message from your attorney is another one of the spoofed icon files that unless you have "show known file extensions enabled", will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/a...6e81/analysis/
    ___

    Fake rbs .com "RE: Copy" SPAM
    - http://blog.dynamoo.com/2014/04/rbsc...copy-spam.html
    1 Apr 2014 - "This very terse spam has a malicious attachment:
    Date: 1 Apr 2014 14:25:39 GMT [10:25:39 EDT]
    From: Kathryn Daley [Kathryn.Daley@ rbs .com]
    Subject: RE: Copy
    (Copy-01042014)


    The attachment is Copy-04012014.zip which in turn contains a malicious executable Copy-04012014.scr which has a VirusTotal detection rate of just 3/50*. The Malwr analysis** shows that it has the characteristics of P2P/Gameover Zeus and it makes several network connections starting with a download of a configuration file from: [donotclick]photovolt .ro/script/0104UKd.bis . The malware then tries to contact a number of other domains. I recommend using the following blocklist:
    50.116.4.71
    photovolt .ro
    aulbbiwslxpvvphxnjij .biz
    ..."
    (More listed at the dynamoo URL above.)
    * https://www.virustotal.com/en-gb/fil...is/1396353996/

    ** https://malwr.com/analysis/MWY4M2M3Y...JjMDhlYmM3ZmY/
    ___

    Royal Mail Lost Package Spam
    - http://threattrack.tumblr.com/post/8...t-package-spam
    Apr 1, 2014 - "Subjects Seen:
    Failure to deliver
    Typical e-mail details:
    Dear <email address>
    Royal Mail has detained your package #98159-5424.Unfortunately some important information is missing to complete the delivery.
    Please fulfil the documents attached, and send it back to: onlinepostage@ royalmail.com
    The RM International Mail Branch holding will notify you of the reason for detention .


    Malicious File Name and MD5:
    rm_332009105C.zip (AB0041BC7687AE92E378B145663519C5)
    Deliery_info_7383461243.pdf.exe (3F54A5BBAD1B63263135DC97037447E1)


    Screenshot: https://gs1.wac.edgecastcdn.net/8019...ITU1r6pupn.png
    ___

    Bogus email “ACH failed...” - trojan in .scr format
    - http://blog.mxlab.eu/2014/03/31/emai...in-scr-format/
    Mar 31, 2014 - "... new trojan distribution campaign by email with the subject “ACH failed due to system failure”... has the following body:
    ACH PAYMENT CANCELLED
    The ACH Transfer (ID: 87052955198926), recently submitted from your savings account (by you or any other person), was CANCELLED by other financial institution.
    Rejection Reason: See details in the acttached report.
    Transfer Report: report_87052955198926.pdf (Adobe Reader PDF)
    13450 Sunrise Valley Drive, Suite 100
    Herndon, VA 20171
    2014 NACHA – The Electronic Payments Association


    The attached ZIP file has the name report_87052955198926.zip and contains the 19 kB large file report_28740088654298.scr. The trojan is known as W32/Trojan.MNWL-4927 or TROJ_GEN.F0D1H00CV14. At the time of writing, 3 of the 48 AV engines did detect the trojan at Virus Total. Use the Virus Total permalink* and Malwr permalink** for more detailed information.
    SHA256: 1ab76103d28fda1ed11d2019e7c47df3d57401aee43e7df785b057853f9c1f52 "
    * https://www.virustotal.com/en/file/1...1f52/analysis/

    ** https://malwr.com/analysis/OTg5MWRiN...YzYjgzNzUyMGM/

    Last edited by AplusWebMaster; 2014-04-01 at 20:39.

  5. #415
    Adviser Team AplusWebMaster

    Something evil on 66.96.223.204 + 213.229.69.41, Facebook SPAM...

    FYI...

    Something evil on 66.96.223.204
    - http://blog.dynamoo.com/2014/04/some...696223204.html
    2 Apr 2014 - "66.96.223.204 (Network Operations Center, US) appears to be hosting some sort of malicious redirectors being used in current malware campaigns. VirusTotal gives a snapshot of the badness*.
    * https://www.virustotal.com/en-gb/ip-...4/information/
    Recommended blocklist:
    66.96.223.204 ..."
    (More URLs listed at the dynamoo URL above.)
    ___

    Something evil on 213.229.69.41
    - http://blog.dynamoo.com/2014/04/some...132296941.html
    2 Apr 2014 - "This tweet by Malmouse* got me investigating what was happening on 213.229.69.41.. and the answer is that it appears to be unmitigated badness. First of all, these domains are either currently or recently hosted on 213.229.69.41, or are associated with it in some way... VirusTotal gives a good overview of the badness on this IP**.
    ** https://www.virustotal.com/en-gb/ip-...1/information/
    ... All these domains appear to be recently registered with the exception of gfthost .com which has ns1.gfthost .com and ns2.gfthost .com hosted on the same IP. Both those nameservers are used exclusively for these malware domains, so there must be some sort of connection... I recommend that you -block- 213.229.69.41 (Simply Transit, UK) ..."
    * https://twitter.com/malm0u53/status/451299152316882944
    ___

    Fake Facebook emails lead to Upatre Malware
    - http://blog.malwarebytes.org/securit...patre-malware/
    Apr 2, 2014 - "... SPAM messages in circulation bearing the message “Some men commented on your status”... Here’s the spam message currently landing in mailboxes, which looks like a Facebook notification:
    > http://cdn.blog.malwarebytes.org/wp-...04/fbcute1.jpg
    ... The -clickable- link leads to a Dropbox page which is currently offline. The Malware involved in this particular spam run claims to be a PDF file:
    > http://cdn.blog.malwarebytes.org/wp-...04/fbspam2.jpg
    The spammers are making use of the Windows feature which hides extensions of common file types...
    > http://cdn.blog.malwarebytes.org/wp-...04/fbspam3.jpg
    ... the so-called PDF is actually an .scr file, commonly used in Malware campaigns... As for the Malware itself, the VirusTotal score is currently pegged at 23/51*, a Malwr analysis can be seen here**... Upatre is well known for email campaigns and downloading additional Malware onto a compromised PC – from there, browser credentials, insecure passwords and anything else the attacker can think of could be up for grabs. Upatre often tends to go hand in hand with ZBot, which has many ties to Ransomware..."
    * https://www.virustotal.com/en/file/8...9322/analysis/

    ** https://malwr.com/analysis/M2YyMjYwN...NiYjQzMzljZTI/

    - http://myonlinesecurity.co.uk/facebo...e-pdf-malware/
    1 Apr 2014
    ___

    Fake Companies House "Annual Return" – fake PDF malware
    - http://myonlinesecurity.co.uk/compan...e-pdf-malware/
    2 Apr 2014 - "... 'Annual Return' pretending to be from Companies House <web-filing@ companies-house .gov .uk> received is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers...
    Companies House
    Thank you for completing a submission Reference # (0282665).
    • (AR01) Annual Return
    Your unique submission number is 0282665
    Please quote this number in any communications with Companies House.
    Check attachment to confirm acceptance or rejection of this filing.
    All web filed documents (with the exception of downloaded accounts templates) are available to view / download for 10 days after their original submission.
    Once accepted, these changes will be displayed on the public record...


    Fake Companies House (AR01) Annual Return received:
    > http://myonlinesecurity.co.uk/wp-con...ual-return.png
    2 April 2014: Ref_0282665.zip (7kb) - Extracts to Ref_04022014.scr
    Current Virus total detections: 14/51* . This (AR01) Annual Return received is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en-gb/fil...9dff/analysis/

    Screenshot: https://gs1.wac.edgecastcdn.net/8019...2u81r6pupn.png
    ___

    Fake Bitdefender A/V ...
    - http://www.hotforsecurity.com/blog/f...2015-8262.html
    Mar 31, 2014 - "... -fake- Bitdefender antivirus download posted on YouTube leads users to fraudulent surveys and premium SMS scams. The video had hundreds of views and several French users posted messages to warn others.
    > http://www.hotforsecurity.com/wp-con...-plus-2015.jpg
    ... The grammatically-troubled spammers lure users into clicking on a URL-shortened link that hides a fraudulent website. The “Bitdefender” download is then blocked by a phony human verification warning. “It is very simple to verify, just complete any of the verification forms or surveys from the list below,” the message reads. The options include direct downloads, “how smart are you” surveys and selections of soccer games.
    > http://www.hotforsecurity.com/wp-con...lus-2015-1.jpg
    Users never get to download Bitdefender Antivirus Plus 2015, but they are redirected to scams such as premium SMS fraud that copies Facebook’s design to look like a legitimate app of the social network. For a month now, several “entrepreneurs” have also been spreading license keys for Bitdefender Total Security on Facebook. Bitdefender has reported the -fake- YouTube video and the -deceptive- Facebook profile and advises users to be cautious before downloading security software from third parties..."

    Last edited by AplusWebMaster; 2014-04-02 at 20:57.

  6. #416
    AplusWebMaster

    Attachment inside an attachment - UPATRE ...

    FYI

    Attachment inside an attachment - UPATRE ...
    - http://blog.trendmicro.com/trendlabs...an-attachment/
    Apr 4, 2014 - "... the UPATRE threat is constantly advancing its techniques–this time, by using multiple levels of attachments... a spammed message that imitates emails from known banks such as Lloyds Bank and Wells Fargo. The spam within spam technique was already notable in itself, as the .MSG file contained another .MSG file attached–only this time, the attached file actually contains the UPATRE variant, which we detect as TROJ_UPATRE.YYKE...
    An email from “Lloyds Bank” contains a .MSG attachment
    > http://blog.trendmicro.com/trendlabs...atre-spam1.png
    Opening the .MSG attachment reveals a malicious .ZIP file
    > http://blog.trendmicro.com/trendlabs...atre-spam2.png
    Based on our analysis, TROJ_UPATRE.YYKE downloads its ZBOT tandem, detected as TSPY_ZBOT.YYKE. This ZBOT variant then downloads a NECURS variant detected as RTKT_NECURS.RBC. The NECURS malware is notable for its final payload of disabling computers’ security features, putting computers at serious risk for further infections. It gained notoriety in 2012 for its kernel-level rootkit and backdoor capabilities. It is important to note that we are now seeing an increase of this malware, which can be attributed to UPATRE/ZBOT being distributed as attachments to spammed messages... Users should always be on their guard when dealing with unknown or unfamiliar emails, sites, or files..."
    ___

    SPAM: Important – New Outlook Settings – fake PDF malware
    - http://myonlinesecurity.co.uk/import...e-pdf-malware/
    Apr 4, 2014 - "... pretends to come from your own domain is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses...
    Please carefully read the attached instructions before updating settings.
    This e-mail and / or any attachment(s) is intended solely for the above-mentioned recipient(s) and it may contain confidential or privileged information. If you have received it in error, please notify us immediately at helpdesk@ thespykiller .co .uk and delete the e-mail. You must not copy it, distribute it, disclose it or take any action in reliance on it.


    4 April 2014: OutlookSettings.zip (7kb) : Extracts to OutlookSettings.scr
    Current Virus total detections: 5/51*. This Important – New Outlook Settings is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is..."
    * https://www.virustotal.com/en/file/2...7c53/analysis/
    ____

    Twitter Spam: Compromised Accounts and Websites lead to Diet Spam
    - http://www.symantec.com/connect/blog...lead-diet-spam
    4 Apr 2014 - "Earlier this week, a large number of Twitter accounts were compromised and used by spammers to spread “miracle diet” spam. The compromised accounts included public figures, as well as average users of the social networking service.
    Twitter miracle diet spam:
    > http://www.symantec.com/connect/site...Figure1_10.png
    ... Twitter is no stranger to this problem. Over the years, we’ve seen many different campaigns try to capitalize on the latest miracle diet craze. In this particular case, spammers are trying to peddle garcinia cambogia extract through a page designed to look identical to the real Women’s Health website.
    Fake promotional page used by spammers in this campaign
    > http://www.symantec.com/connect/site.../Figure2_6.png
    Many of the tweets contained messages saying “I couldn’t believe it when I lost 6 lbs!” and “I was skeptical, but I really lost weight!” followed by a URL shortened using Bitly .com. Celebrities and public figures are often sought after to help endorse products. One of the compromised accounts... By compromising accounts like Jamie’s, spammers increase their odds of convincing someone to click on their links and perhaps even purchase the diet product... Diet spam is here to stay and social networks remain the perfect place for spammers to try to make money off of unsuspecting users..."
    ___

    Fiesta Exploits Kit Targeting High Alexa-Ranked Site
    - https://atlas.arbor.net/briefs/index#-564048760
    Elevated Severity
    3 Apr 2014
    Analysis: Exploits kits are easy to find and purchase, making attacks relatively easy for cybercriminals. Like other kits, Fiesta EK includes a number of exploits targeting widespread applications with disclosed vulnerabilities; it is rare for a kit to have zero-day capabilities... In addition, most vulnerabilities targeted by kits have patches available, including some updates available as far back as 2012. The most likely intended victims of EKs are therefore those with unpatched systems. Applying patches in a timely manner is absolutely critical for network security. Multiple Fiesta EK campaigns, including this current one, have made use of -dynamic- DNS (DDNS) domains to host exploits. Due to the widespread malicious use of DDNS, organizations should automatically scrutinize network traffic to DDNS in order to determine whether or not it is legitimate.
    Source: http://community.websense.com/blogs/...lexa-site.aspx
    ___

    CryptoDefense - CryptoLocker imitator ...
    - http://www.symantec.com/connect/blog...4000-one-month
    Mar 31, 2014 - "... CryptoDefense appeared in late February 2014 and since that time Symantec telemetry shows that we have blocked over 11,000 unique CryptoDefense infections. Using the Bitcoin addresses provided by the malware authors for payment of the ransom and looking at the publicly available Bitcoin blockchain information, we can estimate that this malware earned cybercriminals over $34,000 in one month alone... Symantec has observed CrytoDefense being spammed out using emails such as the one shown:
    > http://www.symantec.com/connect/site.../Figure1_9.png
    ... Example of HOW_DECRYPT.HTML file:
    > http://www.symantec.com/connect/site.../Figure2_5.png
    ... malware authors are using the Tor network for payment of the ransom demand. If victims are not familiar with what the Tor network is, they even go as far as providing instructions on how to download a Tor-ready browser and enter the unique Tor payment Web page address. The use of the Tor network conceals the website’s location and provides anonymity and resistance to take down efforts. Other similar threats, such as Cryptorbit (Trojan.Nymaim.B), have used this tactic in the past... Once the user opens their unique personal page provided in the ransom demand using the Tor Browser, they will be presented with a CAPTCHA page:
    > http://www.symantec.com/connect/site.../Figure3_3.png
    ... Once they have filled in the CAPTCHA correctly, the user will be presented with the ransom payment page:
    > http://www.symantec.com/connect/site.../Figure4_4.png
    ... As advertised by the malware authors in the ransom demand, the files were encrypted with an RSA-2048 key generated on the victim’s computer. This was done using Microsoft’s own cryptographic infrastructure and Windows APIs to perform the key generation before sending it back in plain text to the attacker’s server. However, using this method means that the decryption key the attackers are holding for ransom, actually still remains on the infected computer after transmission to the attackers server... To further protect against threats of this nature, it is recommended that you follow security best practices and -always- backup your files..."

    Last edited by AplusWebMaster; 2014-04-05 at 04:54.
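The posts above keep describing the same lure: a ZIP (in the Trend Micro case, an attachment nested inside another attachment) holding a .scr or .exe whose PDF icon and hidden extension make it pass for a document. The Python below is an added example written for this thread, not code from any of the quoted blogs; it opens a ZIP held in memory, follows nested ZIPs, and flags members with an executable extension, a document.exe double extension, or a PE "MZ" header behind a document extension, which is the check a mail gateway or triage script would want before the file ever reaches Explorer. The sample archive it builds is constructed for the demonstration; only the member name Ref_04022014.scr is borrowed from the Companies House post above.

```python
import io
import zipfile

# Extensions Windows runs as programs. Explorer hides most of these by default
# ("Hide extensions for known file types"), which is what the spoofed-icon lures rely on.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd",
                   ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta"}
# Extensions a recipient expects to see on a harmless attachment.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf", ".jpg", ".png", ".txt"}
MAX_DEPTH = 3  # how many levels of ZIP-inside-ZIP to follow


def extension_chain(name):
    """Lower-cased extension parts of a member name: 'Invoice.pdf.exe' -> ['.pdf', '.exe']."""
    base = name.rsplit("/", 1)[-1]
    parts = base.lower().split(".")
    return ["." + p for p in parts[1:]]


def scan_zip_bytes(data, depth=0, prefix=""):
    """Return a list of (member_path, reason) findings for a ZIP held in memory.

    Nested ZIPs are descended into (up to MAX_DEPTH); their members are reported
    with an 'outer.zip!/inner' path so the nesting stays visible in the report.
    """
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        label = prefix[:-2] if prefix.endswith("!/") else "<root>"
        return [(label, "not a valid ZIP archive")]
    findings = []
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            exts = extension_chain(info.filename)
            last = exts[-1] if exts else ""
            with archive.open(info) as member:
                magic = member.read(2)  # enough to recognise a DOS/PE 'MZ' header
            if last in EXECUTABLE_EXTS:
                findings.append((path, "executable extension " + last))
            if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS and last in EXECUTABLE_EXTS:
                findings.append((path, "double extension " + exts[-2] + last))
            if magic == b"MZ" and last not in EXECUTABLE_EXTS:
                # Content says "program", name says "document": the icon/extension trick.
                findings.append((path, "PE 'MZ' header behind extension " + (last or "(none)")))
            if last == ".zip" and depth < MAX_DEPTH:
                with archive.open(info) as member:
                    findings.extend(scan_zip_bytes(member.read(), depth + 1, path + "!/"))
    return findings


def sample_attachment():
    """Constructed sample for the demo (not a real campaign file): an outer ZIP with
    a .scr, a double-extension .exe, and a nested ZIP whose 'report.pdf' is really a
    PE stub. Only the name Ref_04022014.scr comes from the posts above."""
    stub = b"MZ\x90\x00 constructed PE stub, not a real program"
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("notes.txt", "plain text, harmless")
        z.writestr("report.pdf", stub)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("Ref_04022014.scr", stub)
        z.writestr("Invoice.pdf.exe", stub)
        z.writestr("Attachment.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for path, reason in scan_zip_bytes(sample_attachment()):
        print("%-30s %s" % (path, reason))
```

The "MZ" check is the one that matters most: the extension and icon are chosen by the sender, but the first two bytes of a PE file are not, so a renamed executable is caught even when the name looks entirely innocent.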

  7. #417
    AplusWebMaster

    Fake Evernote leads to malware ...

    FYI...

    Fake Evernote – Image has been sent – leads to malware download
    - http://myonlinesecurity.co.uk/image-...ware-download/
    8 April 2014 - "... appears to come from Evernote service [support@ evernote .com] another one from the current bot runs which try to drop loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment
    Image has been sent < your name>.
    DCIM_4199.jpg <http ://kingperu .com/1.html >
    28 Kbytes
    Go to Evernote <http ://kingperu .com/1.html>
    2014 Evernote. Privacy policy provides our policies and procedures for collecting, using, and disclosing your information.
    Users can access the Evernote service (the “Service”) through our website, applications on Devices, through APIs, and through third-parties.
    A “Device” is any computer used to access the Evernote Service, including without limitation a desktop, laptop, mobile phone, tablet, or other consumer electronic device...


    Screenshot: http://myonlinesecurity.co.uk/wp-con...-been-sent.png

    Following the link in the email sends you to a page offering a download of Vio player (why on earth anybody would think that they need vio player to view an image in evernote, I really don’t know). You -don’t- get the download offering from the original page but that loads 3 sites in the background and you are randomly sent to one...
    8 April 2014 : setup.exe (565kb) : Current Virus total detections: 5/51*"
    * https://www.virustotal.com/en/file/5...21b4/analysis/
    ___

    Fake Sage SPAM ...
    - http://blog.dynamoo.com/2014/04/sage...d-copy-of.html
    8 April 2014 - "This -fake- Sage spam comes with a malicious attachment:
    Date: Tue, 8 Apr 2014 08:65:82 GMT
    From: Sage [Merrill.Sterling@ sage-mail .com]
    Subject: RE: BACs #3421309
    Please see attached copy of the original invoice.


    Attached is a file BACs-3421309.zip which in turn contains a malicious executable BACs-040814.exe which has a VirusTotal detection rate of 10/51*. The Malwr analysis** shows that it attempts to download a configuration file from [donotclick]hemblecreations .com/images/n0804UKd.dim and then it attempts to connect to a number of other domains and IP addresses.
    Recommended blocklist:
    50.116.4.71
    aulbbiwslxpvvphxnjij .biz
    ..."
    (More URLs listed at the dynamoo URL above.)
    * https://www.virustotal.com/en-gb/fil...is/1396961704/

    ** https://malwr.com/analysis/MDBjYmFhY...Y0MjJlMWRhYTI/

    - https://www.virustotal.com/en/ip-add...1/information/
    ___

    Fake Starbucks 'gift' email – fake PDF malware
    - http://myonlinesecurity.co.uk/starbu...e-pdf-malware/
    8 April 2014 - "... another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... This one is slightly more unusual than most others because they are sending a .exe file in the email and not a zipped file...
    Your friend just made an order at Starbucks Coffee Company a few hours ago.
    He pointed he is planning to make a special gift for you and he have a special occasion for that.
    We’ve arranged an awesome menu for that case that can really surprise you with our new flavors.
    In the attachment you can view the whole menu and the address and the exact time you can come and celebrate this day with your friend.
    He asked to stay anonymous in order to make some mystery and desire to come and enjoy this atmosphere.
    Have an awesome evening!


    Screenshot: http://myonlinesecurity.co.uk/wp-con...bucks-gift.png

    8 April 2014 Starbucks Coffee Company gift details on 12.04.2014.exe - Current Virus total detections: 4/50*. This Starbucks Coffee Company gift form your friend is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/c...2541/analysis/
    ___

    Bank of America CashPro Spam
    - http://threattrack.tumblr.com/post/8...a-cashpro-spam
    Apr 8, 2014 - "Subjects Seen:
    FW: Important documents
    Typical e-mail details:
    Important account documents
    Reference: C58
    Case number: 8924169
    Please scan attached document and fax it to +1 (888) 589-0271.
    Please note that the Terms and Conditions available below are the Bank’s most recently issued versions...


    Malicious File Name and MD5:
    AccountDocuments.zip (2A3034F7E6AD24B58CA11ED13AB2F84D)
    Account_Documents.scr (3CD24390EDAE91C0913A20CEF18B5972)


    Screenshots: https://gs1.wac.edgecastcdn.net/8019...TSR1r6pupn.png

    Tagged: Bank of America, CashPro, Upatre
    ___

    Scam Virus Shield app top paid app in Play Store
    - http://blog.malwarebytes.org/mobile-...in-play-store/
    Apr 8, 2014 - "An app claiming to be an antivirus solution climbed the charts as a top paid app in the Play Store...The problem is the app is a -fake-, a scam really. It does not scan for nor does it detect malware on Android devices...
    > http://cdn.blog.malwarebytes.org/wp-...ussheild03.jpg
    The app doesn’t do much but change the protection status and run a progress bar in the notification area. Although it appears to do a scan, it does not and has very limited functionality. The app is no longer in the Play Store and was first reported by Android Police*..."
    * http://www.androidpolice.com/2014/04...-a-total-scam/

    - http://cdn.androidpolice.com/wp-cont...7-02.08.02.png

    Last edited by AplusWebMaster; 2014-04-09 at 02:23.

  8. #418
    AplusWebMaster

    Instagram SCAM, Fake eBay emails ...

    FYI...

    Instagram Scam: Lottery Winners impersonated to offer Money for Followers
    - http://www.symantec.com/connect/blog...oney-followers
    9 Apr 2014 - "... Instagram scammers have been posting images offering -fake- lottery winnings to followers. They have convinced users to share the posts, give up personal information, and even send money back to the scammers...
    > http://www.symantec.com/connect/site...figure1_20.png
    ... In this -scam- a number of Instagram accounts have been created to impersonate real-life lottery winners from the UK and US. These accounts claim to offer US$1,000 to each Instagram user who follows them and leaves a comment with their email address... It’s clear that these accounts are fraudulent, but users continue to believe that they will be given US$1000 just for following Instagram accounts... if it sounds too good to be true, it is."
    ___

    Something evil on 66.96.223.192/27
    - http://blog.dynamoo.com/2014/04/some...622319227.html
    9 Apr 2014 - "There seems to be some exploit activity today on the IP range 66.96.223.192/27 (a customer of Network Operations Center, US). Most domains are already -flagged- as malicious by Google, and I've reported on bad IPs in this range before. A list of the domains I can find in this range, their myWOT ratings and Google and SURBL prognoses can be found here* [csv]. I would recommend applying the following blocklist:
    66.96.223.192/27
    capcomcom .com
    chebuesx .com
    ..."
    (Long list at the dynamoo URL above.)
    * http://www.dynamoo.com/files/66.96.223.192-27.csv
    ___

    Fake eBay emails – Pharma SPAM
    - http://myonlinesecurity.co.uk/fake-d...y-pharma-spam/
    9 Apr 2014 - "... we are now seeing fake < Your name >, You have delayed mails from eBay. In exactly the same way as The Fake Facebook Messages, these fake Ebay messages appear to come from eBayNotifier but are being sent by one of the botnets and -not- by Ebay at all. These only have 1 link in them unlike the previous which normally have 2 links in them, that if you are unwise enough to click on them will either take you to a Women’s Health page trying to sell you fake drugs for slimming or other women’s problems. Other days they send you to one of the Canadian or Russian Pharmacy pages selling Viagra, valium or other illegal drugs. Today's offerings are to a Canadian Pharma spam site. Always hover over the links in these emails and you will see that they do -not- lead to Ebay. Do not click on the links, just -delete- the emails as soon as they arrive. There is always the very high possibility that one of the other botnets will use these to send you to a malicious site where your computer will be infected... Email text will say something like:
    Your name,
    You have delayed mail
    View mails
    Yours truly
    eBayNotifier


    Screenshot: http://myonlinesecurity.co.uk/wp-con...-from-eBay.png ..."

    Last edited by AplusWebMaster; 2014-04-09 at 19:54.

  9. #419
    AplusWebMaster

    Fake CDS, DHL SPAM ...

    FYI...

    Fake CDS Invoice – fake PDF malware
    - http://myonlinesecurity.co.uk/cds-in...e-pdf-malware/
    10 April 2014 - "Following on from today’s and other recent DHL* and -other- delivery service failure notices, the malware gangs have changed track and are sending out local courier company invoices. CDS Invoice pretending to come from accounts@ cdsgroup .co .uk is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses...
    Dear client
    Please find attached your invoice number 168027
    If you have any queries with this invoice, please email us... or call us...
    For and on behalf of The CDS Group of Companies
    Crawfords of London | Crawfords Delivery Services | Media Express | CDS International
    Passenger Car Services Same Day UK Couriers TV Support Units Overnight & International...
    This message and any attachment are confidential and may be privileged...
    This email has been scanned...


    Screenshot: http://myonlinesecurity.co.uk/wp-con...ds-invoice.png

    9 April 2014: CDS_INVOICE_168027.zip (464 kb): Extracts to CDS_INVOICE_168027.exe
    Current Virus total detections: 6/51**. This CDS Invoice is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * http://myonlinesecurity.co.uk/dhl-de...e-pdf-malware/
    10 April 2014

    Fake DHL email Screenshot: http://myonlinesecurity.co.uk/wp-con...ery-report.png

    ** https://www.virustotal.com/en/file/1...is/1397115564/
    ___

    SCAM: Climate Change And Health Conference ...
    - http://blog.dynamoo.com/2014/04/ccah...nd-health.html
    10 April 2014 - "This -spam- is a form of an advanced fee fraud scam:
    From: CCAHC ccahc@ live .com
    Reply-To: ccahc@ e-mile .co .uk
    Date: 10 April 2014 16:04
    Subject: Call for Poster
    CCAHC: Climate Change And Health Conference 2014
    Dear Colleague,
    On behalf of the CCAHC Scientific Committee, you are cordially invited to attend the 14th Climate Change & Health Conference to be held in Ibis Garden Hotel, from 16th - 18th May, 2014.
    The CCAHC 2014 event promises unrivalled learning and networking opportunities for the general public. Invited speakers are experts from multiple sectors and disciplines. Case studies of successful collaborations of environment, nutrition and public health across a wide range of issues...
    Sincerely yours,
    Professor Jon Lloyd
    Conference Chair
    Maple House, 37-45 City Road, London EC1Y 1AT, United Kingdom


    The email originates from 196.46.246.174 (Airtel, Nigeria) via 221.120.96.3 in Bangladesh. Note that the sender is using -free- email addresses rather than one that ties back to an identifiable organisation. The email was sent to a spamtrap... the sting is that there will be visa and hotel fees to pay before going to the conference, and once this money has been sent by Western Union then the scammers will -vanish- taking their mythical conference with them."
    ___

    Fake UPS SPAM - Exception Notification – fake PDF malware
    - http://myonlinesecurity.co.uk/ups-ex...e-pdf-malware/
    10 April 2014 - "... UPS Exception Notification pretending to be from UPS Quantum View [auto-notify@ ups .com] is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers. This one has links in the email to download the malware laden zip, rather than an attachment...
    UPS
    Discover more about UPS:
    Visit ups .com
    At the request of the shipper, please be advised that delivery of the following shipment has been rescheduled.
    Important Delivery Information
    Tracking Number: 1Z522A9A6892487822 [ clickable URL ]
    Rescheduled Delivery Date: 14-April-2014
    Exception Reason: THE CUSTOMER WAS NOT AVAILABLE ON THE 1ST ATTEMPT. A 2ND ATTEMPT WILL BE MADE
    Exception Resolution: PACKAGE WILL BE DELIVERED NEXT BUSINESS DAY.
    Shipment Detail ...


    Screenshot: http://myonlinesecurity.co.uk/wp-con...tification.png

    ... another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is..."

    Last edited by AplusWebMaster; 2014-04-11 at 00:06.

  10. #420
    AplusWebMaster

    Something evil on 62.75.140.236, 62.75.140.237, 62.75.140.238 and 64.120.207.253, 64.

    FYI...

    Something evil on 62.75.140.236, 62.75.140.237, 62.75.140.238 and 64.120.207.253, 64.120.207.254
    - http://blog.dynamoo.com/2014/04/some...275140237.html
    11 April 2014 - "This set of IPs is being used to push the Angler EK [1*] [2**]:
    Intergenia, Germany
    62.75.140.236
    62.75.140.237
    62.75.140.238

    Network Operations Center (HostNOC), US
    64.120.207.253
    64.120.207.254

    A look at the /24s that these ranges are in indicates a mix of malicious and legitimate sites, but on the whole it might be a good idea to consider blocking traffic to 62.75.140.0/24 and 64.120.207.0/24.
    Sites on these IPs consist of hijacked subdomains of (mostly) legitimate domains in the Intergenia range and purely malicious domains in the HostNOC range..."
    (Long list of domains at the dynamoo URL above.)
    * http://wepawet.iseclab.org/view.php?...206144&type=js

    ** http://urlquery.net/report.php?id=1397206442682
    ___

    Fake UKMail - Proof of Delivery Report – fake PDF malware
    - http://myonlinesecurity.co.uk/proof-...e-pdf-malware/
    11 April 2014 - "Continuing from yesterday’s theme of parcel & courier email messages, the malware bad guys are continuing with the same theme today. Proof of Delivery Report: 09/04/14-11/04/14, pretending to come from UKMail Customer Services [list_reportservices@ ukmail .com] is another one from the current bot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers...
    Dear Customer,
    Please find attached your requested Proof of Delivery (POD) Download Report
    ………………………………………………………………………………………………………………………
    iMail Logo
    “For creating, printing and posting your next day mail”
    click here to realise the savings that you could make
    Please consider the environment before printing this e-mail or any attachments.
    This email and its attachments may be confidential and are intended solely for the use of the individual to whom it is addressed.
    If you have received this message in error, please notify us and remove it from your system. Any views or opinions expressed are solely those of the author and do not necessarily represent those of UK Mail Group Plc or any of its subsidiaries.
    UK Mail Group Plc is registered and incorporated in England.
    Registered Office: Express House, 120 Buckingham Avenue, Slough, SL1 4LZ, United Kingdom.
    Registered Company No.: 02800218.


    11 April 2014: poddel-pdf-2014041103004500.zip (59 kb). Extracts to poddel-pdf-2014041103004500.exe
    Current Virus total detections: 2/51*. This Proof of Delivery Report: 09/04/14-11/04/14 is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/f...8f0d/analysis/

    Last edited by AplusWebMaster; 2014-04-11 at 15:14.
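Several of the dynamoo posts quoted in this thread end with a "recommended blocklist" mixing single IPs, CIDR ranges such as 66.96.223.192/27 and bare domains. The Python below is an added example for this thread, not code from dynamoo.com or any other quoted source; it parses a list in that shape and runs it over proxy log lines, matching IPs against the ranges and hostnames against the domains including their subdomains. The blocklist entries are taken from the posts above (66.96.223.192/27, 62.75.140.0/24, 64.120.207.0/24, 50.116.4.71, capcomcom .com, chebuesx .com, aulbbiwslxpvvphxnjij .biz); the log format and the log lines are constructed for the demonstration and the internal client addresses are placeholders.

```python
import ipaddress
import re

# Constructed blocklist text in the shape of the lists quoted above:
# one IP, CIDR range or domain per line, '#' starts a comment.
BLOCKLIST_TEXT = """
# IPs and ranges from the dynamoo posts in this thread
66.96.223.192/27
62.75.140.0/24
64.120.207.0/24
50.116.4.71
# domains (a domain entry also covers all of its subdomains)
capcomcom.com
chebuesx.com
aulbbiwslxpvvphxnjij.biz
"""

# Constructed proxy log lines (assumed format: timestamp client method url status).
SAMPLE_LOG = """\
2014-04-11T10:02:11Z 10.0.0.21 GET http://www.chebuesx.com/lands/index.php 200
2014-04-11T10:02:15Z 10.0.0.21 GET http://64.120.207.254/js/flash.js 200
2014-04-11T10:03:40Z 10.0.0.34 GET http://www.example.org/ 200
2014-04-11T10:04:02Z 10.0.0.34 GET http://66.96.223.200:8080/in.cgi 302
2014-04-11T10:05:30Z 10.0.0.40 GET http://mail.aulbbiwslxpvvphxnjij.biz/ 404
2014-04-11T10:06:00Z 10.0.0.40 GET http://66.96.224.1/ 200
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) https?://([^/:\s]+)(?::\d+)?\S* (\d{3})$")


def load_blocklist(text):
    """Split a blocklist into (list of ip_network objects, set of lower-cased domains)."""
    networks, domains = [], set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            networks.append(ipaddress.ip_network(line, strict=False))  # IP or CIDR
        except ValueError:
            domains.add(line.lower().rstrip("."))  # anything else is a domain
    return networks, domains


def match_host(host, networks, domains):
    """Return the blocklist entry covering host (an IP or a hostname), or None."""
    host = host.lower().rstrip(".")
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None
    if addr is not None:
        for net in networks:
            if addr in net:
                return str(net)
        return None
    # Walk up the label chain so www.chebuesx.com matches the entry chebuesx.com,
    # while stopping before the bare TLD.
    labels = host.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def scan_log(log_text, blocklist_text=BLOCKLIST_TEXT):
    """Return [(client, destination_host, matched_entry)] for blocklisted destinations."""
    networks, domains = load_blocklist(blocklist_text)
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real deployment would count these
        _ts, client, _method, dest, _status = m.groups()
        entry = match_host(dest, networks, domains)
        if entry:
            hits.append((client, dest, entry))
    return hits


if __name__ == "__main__":
    for client, dest, entry in scan_log(SAMPLE_LOG):
        print("%s -> %s  (blocklist entry %s)" % (client, dest, entry))
```

Matching the host part of the URL rather than the raw line avoids two easy mistakes: a /27 or /24 entry only matches when the address is parsed as an address, and a domain entry only matches at a label boundary, so capcomcom.com.evil.example is not caught by the capcomcom.com entry but www.chebuesx.com is.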
