
Thread: SPAM frauds, fakes, and other MALWARE deliveries...

  1. #1221 AplusWebMaster (Adviser Team, joined Oct 2005, USA, 6,635 posts)

    Fake Email account notice - Phish

    FYI...

    Fake Email account notice – Phish
    ... 'Your Mailbox Will Be Terminated'
    - https://myonlinesecurity.co.uk/your-...l-credentials/
    16 Jun 2017 - "We see lots of phishing attempts for email credentials. This one is slightly different...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...er.co_.uk-.png

    If you follow the link you see a webpage looking like this:
    https ://deadsocial .com//media/email_updatep1/login.php?userid=ans@ thespykiller .co.uk
    (you can put any email address at the end of the link & get the same page with email already filled in).
    The red countdown continues to decrease in time while the page is open:
    > https://myonlinesecurity.co.uk/wp-co...ail_update.png

    ... After you input your email address and password, you get told 'incorrect details' and forwarded to an almost identical looking page where you can put it in again and it does that on a continual loop:
    > https://myonlinesecurity.co.uk/wp-co...il_update2.png

    ... Don’t assume that all attempts are obvious. Watch for any site that invites you to enter ANY personal or financial information..."

    deadsocial .com: 184.154.216.243: https://www.virustotal.com/en/ip-add...3/information/
    > https://www.virustotal.com/en/url/71...24c7/analysis/

    Last edited by AplusWebMaster; 2017-06-17 at 14:27.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #1222 AplusWebMaster

    Fake DHL SPAM

    FYI...

    Fake DHL SPAM - delivers malware
    - https://myonlinesecurity.co.uk/fake-...ivers-malware/
    20 Jun 2017 - "An email with the subject of 'Commercial Invoice' pretending to come from export@ dhl-invoice .com with a malicious Excel XLS spreadsheet attachment delivers some sort of malware... I am being told that -other- subjects in this malspam run -spoofing- DHL include: 'DHL Commercial Invoice' and 'DHL poforma invoice'. There appear to be several different -spoofed- senders @dhl-invoice .com...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...spam-email.png

    dhl_commercial_invoice_.xls - Current Virus total detections 5/55*. Payload Security** shows a download from
    http ://travel-taxi .net/test/edf.exe (VirusTotal 51/62[3]), (Payload Security[4]).
    Other download locations -embedded- in other versions of the macro include
    http ://okinawa35 .net/m/iop.exe
    The XLS file looks like:
    > https://myonlinesecurity.co.uk/wp-co...nvoice_xls.png
    ... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/b...is/1497948303/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    202.218.50.130

    3] https://www.virustotal.com/en/file/1...e217/analysis/

    4] https://www.hybrid-analysis.com/samp...ironmentId=100

    travel-taxi .net: 203.183.93.149: https://www.virustotal.com/en/ip-add...9/information/
    > https://www.virustotal.com/en/url/2b...c1d5/analysis/

    okinawa35 .net: 202.218.50.130: https://www.virustotal.com/en/ip-add...0/information/
    > https://www.virustotal.com/en/url/8b...fd1c/analysis/


  3. #1223 AplusWebMaster

    Fake 'Invoice', 'Receipt to print' SPAM

    FYI...

    Fake 'Invoice' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/the-r...nvoice-emails/
    21 Jun 2017 - "... an email with the subject of 'Copy of Invoice 79898702' coming or pretending to come from noreply@ random email addresses with a semi-random named zip attachment in the format of 79898702.zip (random 8 digits). The zip matches the subject... Whether this is a permanent return to Locky or a one off, I don’t know... Locky has vanished for a while before & returned. It is also very unusual for Locky to come as an executable file inside a zip...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...e-79898702.png

    79898702.zip: extracts to INV-09837592.zip which in turn extracts to: INV-09837592.exe
    Current Virus total detections 10/60*. Payload Security**. None of the sandboxes are showing any encrypting activity or the usual Locky signs, so it looks like a -new- version with protections against analysis. We only know it is Locky because one of the analysts[1] extracted the Locky payload from the memory while running this file (Virustotal 39/60***)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/4...9cd8/analysis/
    INV-09837592.exe

    ** https://www.hybrid-analysis.com/samp...ironmentId=100

    *** https://www.virustotal.com/en/file/b...is/1498057764/
    _005C0000.mem

    1] https://twitter.com/mpvillafranca94/...44503720247296

    - http://blog.talosintelligence.com/20...-campaign.html
    June 21, 2017 - "... The volume of Locky spam Necurs has sent since the start of this particular campaign is notable. In the first hour of this campaign, Talos observed that Locky spam accounted for up to 7.2% of email volume on one of our systems*. While the campaign has since decreased in the number of messages being sent per minute, Necurs is still actively sending messages containing Locky... we can expect a fixed version of Locky to appear in a future round of Necurs' ransomware spam... it's always risky clicking-on-links or opening -attachments- in strange email messages..."
    > https://1.bp.blogspot.com/-O9IsDuPG5...600/image3.jpg
    ___

    Fake 'Receipt to print' SPAM - delivers malware
    - https://myonlinesecurity.co.uk/recei...ivers-malware/
    21 Jun 2017 - "... an email with the subject of 'Receipt to print' coming or pretending to come from random companies, names and email addresses with a semi-random named zip attachment which delivers some malware... Earlier WSF files today delivered Trickbot banking Trojan...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...t-to-print.png

    Receipt_6706.zip: extracts to archive0124.zip which extracts to: 0923.wsf
    Current Virus total detections 11/57*. Payload Security** shows a download of an encrypted file from
    http ://tag27 .com/08345ug? which is converted by the script to IeEOifS6.exe (VirusTotal 11/57***).
    Manual examination and basic decoding of the WSF file shows these download locations:
    tag27 .com/08345ug? > 162.210.102.220
    78tguyc876wwirglmltm .net/af/08345ug > 119.28.86.18
    malamalamak9 .net/08345ug? > 74.122.121.8
    randomessstioprottoy .net/af/08345ug > 119.28.86.18
    shreveporttradingantiques .com/08345ug? > 74.220.215.225 ...
    The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/f...is/1498051603/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    162.210.102.220
    119.28.86.18
    74.122.121.8


    *** https://www.virustotal.com/en/file/1...is/1480617465/

    Last edited by AplusWebMaster; 2017-06-22 at 15:15.

  4. #1224 AplusWebMaster

    Fake 'INVOICE' SPAM

    FYI...

    Fake 'INVOICE' SPAM - delivers malware
    - https://myonlinesecurity.co.uk/confi...liver-malware/
    26 Jun 2017 - "An email with the subject of '*CONFIRM ORDER AND REVISE INVOICE*' pretending to come from admin@ random company with a malicious word doc attachment. This word doc is actually an RTF file that uses what looks like the CVE-2017-0199 exploit...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...SE-INVOICE.png

    Order Ref-22550.doc - Current Virus total detections 16/56*. Neither MALWR nor JoeSandbox could get any malicious content from it. Payload Security is still -down- this morning for maintenance that was hoped to be done over the weekend.
    Update: after a bit of manual editing & investigating I was able to find the download location:
    https ://dev.null .vg/OtoGQj9.hta (VirusTotal 13/56**) ( MALWR***) which should deliver
    http ://allafrance .com/ziko.exe but is currently giving me a 404... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/c...is/1498451330/
    Order Ref-22550.doc

    ** https://www.virustotal.com/en/file/f...is/1498457573/
    OtoGQj9.hta

    *** https://malwr.com/analysis/ZDI4ZWFmY...YzMjAzNjBkNjY/

    dev.null .vg: 104.27.187.29: https://www.virustotal.com/en/ip-add...9/information/
    > https://www.virustotal.com/en/url/22...9263/analysis/
    104.27.186.29: https://www.virustotal.com/en/ip-add...9/information/
    > https://www.virustotal.com/en/url/22...9263/analysis/

    allafrance .com: 85.14.171.25: https://www.virustotal.com/en/ip-add...5/information/
    > https://www.virustotal.com/en/url/09...eb4e/analysis/
    ___

    Fake 'invoice' SPAM - links to malware doc file
    - https://myonlinesecurity.co.uk/more-...liver-malware/
    26 Jun 2017 - "... An email with the subject of 'Cust # 880767-00057' [redacted] pretending to come from Jackie Fill <vs1.kirchdorf@ eduhi .at> (probably random senders) with a -link- that downloads a malicious word doc. The subject and the link that appears in the body of the email have the recipient's name in it but the actual link doesn’t. The link in this case went to
    http ://facyl .com.br/Invoices-payments-and-questions-JBQHL-933-907247/ where it downloaded a macro enabled word doc (the link is very slow & does time out)...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...0767-00057.png

    Invoice-NUVKHC-227-980463.doc - Current Virus total detections 9/56*... Joesandbox** shows connections to numerous sites where a malicious file is downloaded using PowerShell, including:
    http ://carbeyondstore .com/cianrft/ > 72.52.246.64
    http ://motorgirlstv .com/kdm/ > 202.191.62.208
    http ://nonieuro .com/xauqt/ > 216.104.189.202
    http ://pxpgraphics .com/espzyurt/ > 69.65.3.206
    http ://studiogif .com.br/jedtvuziky/ > 192.185.216.153
    Eventually giving an .exe file (VirusTotal 10/61***)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment -or- link in an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/d...is/1498480442/

    ** https://jbxcloud.joesecurity.org/analysis/297919/1/html

    *** https://www.virustotal.com/en/file/b...is/1498478920/

    facyl .com.br: 187.45.187.130: https://www.virustotal.com/en/ip-add...0/information/
    > https://www.virustotal.com/en/url/f8...44e5/analysis/

    Last edited by AplusWebMaster; Today at 14:03.
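The first item in post #1224 is a "word doc" that is really an RTF file carrying what looks like CVE-2017-0199, i.e. an embedded OLE object whose URL moniker makes Word fetch the .hta. The script below is an added example (my own code, not from the forum, from myonlinesecurity.co.uk, or from any public exploit). It checks the three things a triage analyst would check on such an attachment: that the bytes are RTF rather than a real .doc, that the object carries \objupdate (the refresh-on-open switch), and that an \objdata blob contains the URL moniker CLSID followed by a target URL. build_sample() constructs a minimal, non-functional test file around a made-up URL (example.com); the OLE1 prefix and the exact framing of the moniker after the CLSID are my assumptions, present only so the parser has something to run on.

```python
"""Triage a '.doc' that is really RTF and pull URL-moniker targets out of \\objdata.

Added example; not code from the forum, from myonlinesecurity.co.uk, or from any
public exploit. build_sample() is a constructed test document, NOT an exploit;
the OLE1 header and the moniker framing it uses are assumptions.
"""
import binascii
import re
import struct

# {79EAC9E0-BAF9-11CE-8C82-00AA004BA90B}, the URL moniker CLSID, as it appears
# little-endian inside a serialised OLE object.
URL_MONIKER_CLSID = bytes.fromhex("e0c9ea79f9bace118c8200aa004ba90b")
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9a-fA-F\s]+)")


def is_rtf(data: bytes) -> bool:
    """A real .doc starts with OLE magic D0CF11E0 (or PK for .docx); RTF with '{\\rt'."""
    return data.lstrip().startswith(b"{\\rt")


def objdata_blobs(data: bytes):
    """Yield the decoded hex payload of every \\objdata group (whitespace ignored)."""
    for m in OBJDATA_RE.finditer(data):
        hexdata = re.sub(rb"\s", b"", m.group(1))
        if len(hexdata) % 2:            # obfuscated samples pad an odd nibble; drop it
            hexdata = hexdata[:-1]
        yield binascii.unhexlify(hexdata)


def extract_moniker_urls(data: bytes) -> list:
    """Return each URL following a URL-moniker CLSID: DWORD byte length, then UTF-16LE."""
    found = []
    for blob in objdata_blobs(data):
        pos = 0
        while True:
            i = blob.find(URL_MONIKER_CLSID, pos)
            if i < 0:
                break
            j = i + len(URL_MONIKER_CLSID)
            if j + 4 > len(blob):
                break
            (n,) = struct.unpack_from("<I", blob, j)
            if 2 <= n <= 4096:          # sanity bound; a garbage length is not a URL
                raw = blob[j + 4:j + 4 + n]
                found.append(raw.decode("utf-16-le", errors="replace").rstrip("\x00"))
            pos = j + 4
    return found


def triage(data: bytes) -> dict:
    """Summarise the indicators the post describes for one attachment."""
    urls = extract_moniker_urls(data) if is_rtf(data) else []
    return {
        "rtf": is_rtf(data),
        "objupdate": b"\\objupdate" in data,    # object refreshes (fetches) on open
        "url_monikers": urls,
        "suspicious": bool(urls),
    }


def build_sample(url: str) -> bytes:
    """Constructed test document (assumed layout): the moniker framing the parser expects."""
    wide = url.encode("utf-16-le") + b"\x00\x00"
    moniker = URL_MONIKER_CLSID + struct.pack("<I", len(wide)) + wide
    ole1_header = b"\x01\x05\x00\x00\x02\x00\x00\x00"      # assumed OLE1 prefix
    hexdata = binascii.hexlify(ole1_header + moniker).decode()
    lines = "\n".join(hexdata[i:i + 64] for i in range(0, len(hexdata), 64))
    rtf = "{\\rtf1{\\object\\objautlink\\objupdate{\\*\\objdata " + lines + "}}}"
    return rtf.encode()


if __name__ == "__main__":
    print(triage(build_sample("http://example.com/stage2.hta")))
```

The hex regex is deliberately simple: real malicious RTFs often split the \objdata hex across bogus control words or nest it in extra groups, which this scan will miss, so treat a clean result as "nothing found", not "clean". The magic-byte check alone is worth keeping in a mail gateway: a .doc whose first bytes are `{\rt` is exactly the mismatch the post describes.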

  5. #1225 AplusWebMaster

    Fake 'Fattura' SPAM, Protect Your Cloud...

    FYI...

    Fake 'Fattura' SPAM - delivers xls attachment malware
    - https://myonlinesecurity.co.uk/more-...nking-trojans/
    27 Jun 2017 - "An email with the subject of 'Fattura n.9171 del 27/06/17' pretending to come from random Italian email addresses with an Excel XLS spreadsheet attachment...
    Update: I am 100% assured* that this is Trickbot banking Trojan...
    * https://twitter.com/_operations6_/st...80802136707073

    Screenshot: https://myonlinesecurity.co.uk/wp-co...a_it_spam1.png

    Attachment: https://myonlinesecurity.co.uk/wp-co...a_it_spam2.png

    The xls file looks like this, with the instructions to 'enable content' in Italian. They obviously hope that the victim will 'enable content & macros' to see the washed out invoice details in full detail:
    > https://myonlinesecurity.co.uk/wp-co...nvoice-xls.png

    FATTURA num. 6655 del 27-=.xls - Current Virus total detections 6/56[1]. Payload Security[2] shows a download from
    https ://3eee22abda47 .faith/nvidia4.dvr (VirusTotal 11/61[3])... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    1] https://www.virustotal.com/en/file/d...9395/analysis/
    1_FATTURA num. 5999 del 27-06-2017.xls

    2] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    46.173.218.138

    3] https://www.virustotal.com/en/file/8...19f8/analysis/
    nvidia4.dvr

    3eee22abda47 .faith: 46.173.218.138: https://www.virustotal.com/en/ip-add...8/information/
    > https://www.virustotal.com/en/url/a0...eca1/analysis/
    ___

    Protect Your Cloud - from Ransomware
    > http://www.darkreading.com/cloud/9-w...d/d-id/1329221
    6/27/2017

    Last edited by AplusWebMaster; Today at 19:08.
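Posts #1222 through #1225 each end with a list of download locations and hosting IPs written in defanged form ("http ://host .tld/path", "host .tld/path > IP", "host .tld: IP: VirusTotal link"), mixed in with links to VirusTotal, Payload Security and MALWR that must not end up on a blocklist. The script below is an added example (my own code, not from the forum or from myonlinesecurity.co.uk) that refangs that notation and separates indicators from reporting links. SAMPLE is constructed from indicators quoted in those posts, copied in the posts' own defanged form; the regexes and the REPORTING_HOSTS set are my assumptions about the thread's conventions, not a published schema.

```python
"""Refang and normalise the defanged IOCs posted in this thread.

Added example; not code from the forum or from myonlinesecurity.co.uk. SAMPLE is
constructed from indicators quoted in posts #1222 to #1225, in the posts' own
defanged notation. The regexes and REPORTING_HOSTS are assumptions about that
notation.
"""
import ipaddress
import re
from urllib.parse import urlsplit

SAMPLE = """\
http ://travel-taxi .net/test/edf.exe (VirusTotal 51/62[3])
http ://okinawa35 .net/m/iop.exe
tag27 .com/08345ug? > 162.210.102.220
78tguyc876wwirglmltm .net/af/08345ug > 119.28.86.18
shreveporttradingantiques .com/08345ug? > 74.220.215.225 ...
travel-taxi .net: 203.183.93.149: https://www.virustotal.com/en/ip-add...9/information/
https ://dev.null .vg/OtoGQj9.hta (VirusTotal 13/56**)
"""

# Sandbox/reporting sites linked in the posts; never treat them as indicators.
REPORTING_HOSTS = {
    "www.virustotal.com", "www.hybrid-analysis.com", "malwr.com",
    "jbxcloud.joesecurity.org", "twitter.com", "myonlinesecurity.co.uk",
}

URL_RE = re.compile(r"https?://[^\s()<>\"']+", re.I)
# "host[/path] > 1.2.3.4" and "host: 1.2.3.4", the two bare forms the posts use.
HOST_IP_RE = re.compile(
    r"(?<![\w/@.-])([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}(?:/\S*)?)"
    r"\s*[>:]\s*(\d{1,3}(?:\.\d{1,3}){3})", re.I)


def refang(text: str) -> str:
    """Undo the defanging styles seen in the thread plus the common hxxp/[.] forms."""
    text = re.sub(r"\bhxxp", "http", text, flags=re.I)
    text = re.sub(r"\b(https?)\s+://", r"\1://", text, flags=re.I)   # "http ://"
    text = text.replace("[.]", ".").replace("(.)", ".")
    text = re.sub(r"(?<=\S) \.(?=[a-z])", ".", text, flags=re.I)     # "deadsocial .com"
    text = re.sub(r"@ (?=\S)", "@", text)                              # "ans@ thespykiller"
    return text


def _clean(url: str) -> str:
    # Trailing footnote markers and punctuation are not part of the URL; a '?' is.
    return url.rstrip(".,;*)]")


def extract_iocs(text: str) -> dict:
    """Return sorted URLs, domains, IPs and a domain->IP map from defanged text."""
    urls, domains, ips, pairs = set(), set(), set(), {}
    for line in refang(text).splitlines():
        for raw in URL_RE.findall(line):
            line = line.replace(raw, " ")           # keep HOST_IP_RE off the URL text
            url = _clean(raw)
            host = (urlsplit(url).hostname or "").lower()
            if host and host not in REPORTING_HOSTS:
                urls.add(url)
                domains.add(host)
        for host_path, ip in HOST_IP_RE.findall(line):
            try:
                addr = ipaddress.ip_address(ip)
            except ValueError:
                continue
            if not addr.is_global:                  # RFC1918/loopback: a typo, not an IOC
                continue
            host = host_path.split("/", 1)[0].lower()
            if host in REPORTING_HOSTS:
                continue
            domains.add(host)
            ips.add(ip)
            pairs[host] = ip
            if "/" in host_path:
                urls.add("http://" + _clean(host_path))
    return {"urls": sorted(urls), "domains": sorted(domains),
            "ips": sorted(ips), "pairs": pairs}


if __name__ == "__main__":
    for kind, items in extract_iocs(SAMPLE).items():
        print(kind, items)
```

Two caveats before feeding the output to a proxy or DNS blocklist: several of these hosts are compromised legitimate sites (the posts note that themselves), so block the full URL path where one is given and review bare domains by hand; and the IP mappings are what the sandbox saw on the day of the post, so re-resolve before blocking an address.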
