
Thread: SPAM frauds, fakes, and other MALWARE deliveries...

  1. #1151
    AplusWebMaster (Adviser Team), joined Oct 2005, USA, 6,479 posts

    Rogue Chrome extension, Fake 'Western Union' SPAM, 'BoA', 'TurboTax' phish

    FYI...

    Rogue Chrome extension - tech support scam
    - https://blog.malwarebytes.com/threat...-support-scam/
    Feb 21, 2017 - "... Google Chrome... no surprise to see it being more and more targeted these days. In particular, less than reputable -ad- networks are contributing to the distribution of malicious Chrome extensions via very deceptive means... Google Chrome users are profiled based on the user-agent string they show whenever they visit a website. Rather than redirecting them to an exploit kit, they are often redirected to fake software updates, scams, or rogue browser extensions... Once installed, this extension ensures it stays in hiding by using a 1×1 pixel image as its logo... and by hooking chrome://extensions and chrome://settings such that any attempt to access those is automatically redirected to chrome://apps. That makes it much more difficult for the average user to see what extensions they have, let alone uninstalling one of them... 'wouldn’t be complete without a tech support scam which it seems one can’t avoid these days. If the user clicked on a new tab or typed a ‘forbidden’ keyword, the redirection chain would then deliver a -fake- Microsoft warning:
    > https://blog.malwarebytes.com/wp-con...17/02/TSS1.png
    ... We detect and remove this one as Rogue.ForcedExtension.
    IOCs:
    ___

    Fake 'Western Union' SPAM - delivers java adwind
    - https://myonlinesecurity.co.uk/more-...r-java-adwind/
    21 Feb 2017 - "... -fake- financial themed emails containing java adwind or Java Jacksbot attachments. I have previously mentioned many of these HERE[1]. We have been seeing these sort of emails almost every day...
    1] https://myonlinesecurity.co.uk/?s=java+adwind
    The java Adwind versions are exactly the same as Yesterday’s versions detailed HERE[2]. The zip once again contains -2- different sized and named java files, although named differently to yesterday’s versions, they are identical.
    2] https://myonlinesecurity.co.uk/spoof...s-java-adwind/

    Screenshot: https://myonlinesecurity.co.uk/wp-co...rtra-rules.png

    DETAILS OF PROHIBITED INDIVIDUALS SCREENED FOR THIS TRANSACTION AND MTCN.jar (507kb) VirusTotal 8/58*
    Payload Security**

    WESTERN UNION RTRA RULES AND REFUND IN FULL..jar (333kb) VirusTotal 8/57*** | Payload Security[4]

    ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/7...is/1487577130/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100

    *** https://www.virustotal.com/en/file/6...is/1487577144/

    4] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    83.243.41.200
    ___

    BoA 'Access Locked' - phish
    - https://myonlinesecurity.co.uk/bank-...phishing-scam/
    21 Feb 2017 - "A slightly different phishing scam for a change. The phishing site is a FTP site which is very unusual...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...ily-Locked.png

    The link-in-the-email goes to: ftp ://121.170.178.35 /License/logon.htm
    where you see a site looking like:
    > https://myonlinesecurity.co.uk/wp-co...FTP_signon.png "

    121.170.178.35: https://www.virustotal.com/en/ip-add...5/information/
    > https://www.virustotal.com/en/url/31...2497/analysis/
    ___

    'TurboTax' - phish
    - https://myonlinesecurity.co.uk/turbo...date-phishing/
    21 Feb 2017 - "Another phishing scam, this time TurboTax:

    Screenshot: https://myonlinesecurity.co.uk/wp-co...unt-Update.png

    The link goes to http ://whitesandscampground .com/images/www.turbotax.com/index.html where you see this page, asking for all the usual details to steal your identity as well as all your bank and credit card accounts and all your money:
    > https://myonlinesecurity.co.uk/wp-co...shing-page.png "

    whitesandscampground .com: 205.204.89.214: https://www.virustotal.com/en/ip-add...4/information/
    > https://www.virustotal.com/en/url/29...26d6/analysis/

    Last edited by AplusWebMaster; 2017-02-21 at 23:56.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .
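Added example, not from the post or the Malwarebytes write-up it quotes: a Python scan of an unpacked Chrome extension for the two hiding tricks described above, a declared logo that is really a 1x1 PNG and a background script that bounces chrome://extensions or chrome://settings to chrome://apps. The file layout, the fixture contents and the redirect-detecting regex are constructed assumptions, not the real extension.

```python
import json
import re
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Assumed pattern: one statement that names chrome://extensions or chrome://settings and chrome://apps.
HOOK_RE = re.compile(r"chrome://(extensions|settings)[^\n]{0,120}chrome://apps")

def png_size(data: bytes):
    """Width and height from the PNG IHDR chunk, or None if the bytes are not a PNG."""
    if not data.startswith(PNG_SIG) or data[12:16] != b"IHDR":
        return None
    return struct.unpack(">II", data[16:24])

def scan_extension(files: dict) -> list:
    """files maps relative path -> content of an unpacked extension directory (constructed layout)."""
    findings = []
    manifest = json.loads(files["manifest.json"])
    for size, path in manifest.get("icons", {}).items():
        dims = png_size(files.get(path, b""))
        if dims and max(dims) <= 2:  # a "128px" logo that is really 1x1 is invisible in the UI
            findings.append(f"icon {path} declared {size}px but is {dims[0]}x{dims[1]}")
    for path, content in files.items():
        if path.endswith(".js") and HOOK_RE.search(content.decode("utf-8", "replace")):
            findings.append(f"{path} redirects chrome://extensions or chrome://settings to chrome://apps")
    return findings

def make_png(w: int, h: int) -> bytes:
    """Build a minimal valid RGB PNG; used only to construct the fixtures below."""
    def chunk(tag: bytes, body: bytes) -> bytes:
        crc = zlib.crc32(tag + body) & 0xFFFFFFFF
        return struct.pack(">I", len(body)) + tag + body + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", w, h, 8, 2, 0, 0, 0)
    raw = (b"\x00" + b"\x00\x00\x00" * w) * h  # filter byte plus black pixels per row
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b"")

# Constructed fixtures: a rogue extension showing both tricks, and a benign one.
ROGUE = {
    "manifest.json": json.dumps({"name": "x", "icons": {"128": "logo.png"}}).encode(),
    "logo.png": make_png(1, 1),
    "bg.js": (b'chrome.tabs.onUpdated.addListener((id,c,t)=>{if(t.url.startsWith("chrome://extensions")'
              b'||t.url.startsWith("chrome://settings"))chrome.tabs.update(id,{url:"chrome://apps"});});'),
}
BENIGN = {
    "manifest.json": json.dumps({"name": "y", "icons": {"128": "logo.png"}}).encode(),
    "logo.png": make_png(128, 128),
    "bg.js": b"console.log('ready');",
}
```

Run `scan_extension` over each directory under a profile's Extensions folder after reading its files into a dict; a real deployment would also look for obfuscated variants of the redirect that this simple regex does not catch.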

  2. #1152
    AplusWebMaster (Adviser Team), joined Oct 2005, USA, 6,479 posts

    Fake 'Secure Bank Comm' SPAM, Dropbox phish

    FYI...

    Fake 'Secure Bank Comm' SPAM - delivers Trickbot
    - https://myonlinesecurity.co.uk/spoof...anking-trojan/
    22 Feb 2017 - "An email with the subject of 'Important – Secure Bank Communication' coming from either Canada Revenue Agency <no-reply@ secure-gc .ca> or Canada Revenue Agency <no-reply@ securegcemail .ca> with a malicious word doc attachment delivers Trickbot banking Trojan...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...secure-doc.png

    22 February 2017: SecureDoc.doc - Current Virus total detections 2/55[1] 2/55[2]
    Payload Security [1A] [2A] none of which are showing the download location of the actual Trickbot itself, although it is on Virus Total 20/58[3]. I am informed[4] the download location is
    www .TPSCI .COM/pngg/granionulos.png -or- http ://www .sungkrorsang .com/fileFTP/granionulos.png
    which of course is -not- an image file but a renamed .exe... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    1] https://www.virustotal.com/en/file/f...is/1487783258/

    2] https://www.virustotal.com/en/file/b...072b/analysis/

    1A] https://www.hybrid-analysis.com/samp...ironmentId=100

    2A] https://www.hybrid-analysis.com/samp...ironmentId=100

    3] https://www.virustotal.com/en/file/8...3427/analysis/

    4] https://twitter.com/GossiTheDog/stat...53695299518464

    TPSCI .COM: 203.121.180.74: https://www.virustotal.com/en/ip-add...4/information/
    > https://www.virustotal.com/en/url/8d...e0cb/analysis/

    sungkrorsang .com: 61.19.252.134: https://www.virustotal.com/en/ip-add...4/information/
    > https://www.virustotal.com/en/url/77...a633/analysis/
    ___

    Dropbox phish
    - https://myonlinesecurity.co.uk/you-h...pbox-phishing/
    22 Feb 2017 - "Another phishing email, this time spoofing -Dropbox- where you land on a page with lots of different email providers and the evil scum doing these phishes will pop up the appropriate one for you to enter all your details, pretending that you can now sign into dropbox using your email address. After giving the details you get sent to the genuine DropBox site:

    Screenshot: https://myonlinesecurity.co.uk/wp-co...hing_email.png

    The -link- goes to http ://www.pedraforte .net/js/index/klnkjfe/dropbox/dropbox/ (there might be other sites, there usually are with these scams) where you see a page looking like:
    > https://myonlinesecurity.co.uk/wp-co...x_phishing.png
    Select -any- of the links and you get:
    > https://myonlinesecurity.co.uk/wp-co..._phishing1.png "

    pedraforte .net: 192.185.217.111: https://www.virustotal.com/en/ip-add...1/information/
    > https://www.virustotal.com/en/url/85...552e/analysis/

    Last edited by AplusWebMaster; Yesterday at 22:11.
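Added example, not from the posts or the blog they quote, covering the lures in both posts above: the BoA phish hosted on an FTP site at a bare IP, the brand domain buried in the path of the TurboTax and Dropbox phishing URLs, and the Trickbot payload served as a .png that is really a renamed .exe. The brand watch list, the sample URLs (RFC 5737 address and a .invalid host) and the byte strings are constructed, not the live indicators.

```python
import ipaddress
from urllib.parse import urlparse

BRANDS = ("turbotax.com", "dropbox.com", "bankofamerica.com")  # constructed watch list
MAGIC = {b"MZ": "exe", b"\x89PNG\r\n\x1a\n": "png", b"\xd0\xcf\x11\xe0": "doc"}  # leading bytes -> type

def url_findings(url: str) -> list:
    """Flags the lures seen in the posts: an ftp:// landing page, a bare-IP host,
    and a brand's domain embedded in the path of an unrelated host."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    out = []
    if p.scheme == "ftp":
        out.append("ftp scheme")
    try:
        ipaddress.ip_address(host)
        out.append("IP-literal host")
    except ValueError:
        pass
    for brand in BRANDS:
        legit = host == brand or host.endswith("." + brand)
        if brand in p.path.lower() and not legit:
            out.append(f"{brand} in path but host is {host}")
    return out

def content_type(data: bytes) -> str:
    """Type by magic bytes, ignoring the filename entirely."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"

def extension_mismatch(name: str, data: bytes):
    """(claimed, actual) when the extension disagrees with the magic bytes, else None."""
    claimed = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    actual = content_type(data)
    if actual != "unknown" and claimed != actual:
        return claimed, actual
    return None

# Constructed samples shaped like the posts' lures; none of these are live indicators.
SAMPLE_URLS = [
    "ftp://192.0.2.10/License/logon.htm",
    "http://example.invalid/images/www.turbotax.com/index.html",
    "https://www.dropbox.com/login",
]
RENAMED_EXE = b"MZ\x90\x00" + b"\x00" * 60  # PE header start, delivered under a .png name
REAL_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
```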
