Thread: SPAM frauds, fakes, and other MALWARE deliveries...

#34 AplusWebMaster (Adviser Team)
    Join Date: Oct 2005
    Location: USA
    Posts: 6,881

    Fake Chrome updates / Changelog / Intuit SPAM...

    FYI...

    Fake Chrome updates return ...
    - http://www.gfi.com/blog/fake-google-...pdates-return/
    Jan 11, 2013 - "... fake Chrome update websites leading to Malware – has returned...
    > http://www.gfi.com/blog/wp-content/u...hromefake1.jpg
    The design of the website is identical to the initial rollout, urging the end-user to “Update Google Chrome: To make sure that you’re protected by the latest security updates”. If you attempt to download the file while using Chrome, the following prompt appears...
    > http://www.gfi.com/blog/wp-content/u...hromefake2.jpg
    The file itself has been around for a while, having been seen on around 14 or so websites since around October, and is listed at Malwr.com, which mentions attempts to access Firefox's Password Manager local database; meanwhile, it's listed in the comments section of VirusTotal* as being capable of stealing banking credentials. You'll notice they mention Zeus; indeed, one of the DNS requests made by the Malware is to a site related to ZBot / Blackhole exploit kit attacks. In fact, it seems to want to swipe information of a very similar nature to a ZBot infection from August of 2012 detailed on the ShadowServer Blog** (scroll down to the "data it tries to collect and steal")... users of Chrome curious about updates should simply read the information on the relevant Google Chrome support page***".
    * https://www.virustotal.com/file/19d0...2439/analysis/

    ** http://blog.shadowserver.org/2012/08...your-trackers/

    *** https://support.google.com/chrome/bi...n&answer=95414
    ___

    Fake Changelog SPAM / dimanakasono .ru
    - http://blog.dynamoo.com/2013/01/chan...akasonoru.html
    11 Jan 2013 - "This fake "Changelog" spam leads to malware on dimanakasono .ru:
    From: Ashley Madison [mailto:donotreply @ashleymadison .com]
    Sent: 10 January 2013 08:25
    Subject: Re: Fwd: Changelog as promised(updated)
    Hi,
    changelog update - View
    L. Cook


    The malicious payload is at [donotclick]dimanakasono .ru:8080/forum/links/column.php hosted on the following IPs:
    91.224.135.20 (Proservis UAB, Lithuania)
    187.85.160.106 (Ksys Soluções Web, Brazil)
    212.112.207.15 (ip4 GmbH, Germany)
    The following IPs and domains are related and should be blocked:
    91.224.135.20
    187.85.160.106
    212.112.207.15
    belnialamsik .ru
    demoralization .ru
    dimanakasono .ru
    bananamamor .ru

    ___

    Fake Intuit SPAM / dmeiweilik .ru
    - http://blog.dynamoo.com/2013/01/payr...tuit-spam.html
    11 Jan 2013 - "This fake Intuit (or LinkedIn?) spam leads to malware on dmeiweilik .ru:
    Date: Fri, 11 Jan 2013 06:23:41 +0100
    From: LinkedIn Password [password @linkedin .com]
    Subject: Payroll Account Holded by Intuit
    Direct Deposit Service Informer
    Communicatory Only
    We cancelled your payroll on Fri, 11 Jan 2013 06:23:41 +0100.
    Finances would be gone away from below account# ending in 0198 on Fri, 11 Jan 2013 06:23:41+0100
    amount to be seceded: 8057 USD
    Paychecks would be procrastinated to your personnel accounts on: Fri, 11 Jan 2013 06:23:41 +0100
    Log In to Review Operation
    Funds are typically left before working banking hours so please make sure you have enough Finances accessible by 12 a.m. on the date Cash are to be seceded.
    Intuit must reject your payroll by 4 p.m. Central time, two banking days before your paycheck date or your state would not be paid on time.
    QuickBooks does not process payrolls on weekends or federal banking holidays. A list of federal banking holidays can be viewed at the Federal Reserve website.
    Thank you for your business.
    Regards,
    Intuit Payroll Services
    =====
    From: messages-noreply @bounce .linkedin.com [mailto:messages-noreply @bounce .linkedin.com] On Behalf Of Lilianna Grimes via LinkedIn
    Sent: 10 January 2013 21:04
    Subject: Payroll Account Holded by Intuit
    Direct Deposit Service Informer
    Communicatory Only
    We cancelled your payroll on Fri, 11 Jan 2013 02:03:33 +0500.
    • Finances would be gone away from below account # ending in 8913 on Fri, 11 Jan 2013 02:03:33 +0500
    • amount to be seceded: 9567 USD
    • Paychecks would be procrastinated to your personnel accounts on: Fri, 11 Jan 2013 02:03:33 +0500
    • Log In to Review Operation
    Funds are typically left before working banking hours so please make sure you have enough Finances accessible by 12 a.m. on the date Cash are to be seceded.
    Intuit must reject your payroll by 4 p.m. Central time, two banking days before your paycheck date or your state would not be paid on time.
    QuickBooks does not process payrolls on weekends or federal banking holidays. A list of federal banking holidays can be viewed at the Federal Reserve website.
    Thank you for your business.
    Regards,
    Intuit Payroll Services


    The malicious payload is at [donotclick]dmeiweilik .ru:8080/forum/links/column.php hosted on the same IPs as in this attack*:
    91.224.135.20 (Proservis UAB, Lithuania)
    187.85.160.106 (Ksys Soluções Web, Brazil)
    212.112.207.15 (ip4 GmbH, Germany)
    The following IPs and domains are related and should be blocked:
    91.224.135.20
    187.85.160.106
    212.112.207.15
    belnialamsik .ru
    demoralization .ru
    dimanakasono .ru
    bananamamor .ru
    dmeiweilik .ru
    ..."
    * http://blog.dynamoo.com/2013/01/chan...akasonoru.html
    ___

    Blackhole SPAM runs...
    - http://blog.trendmicro.com/trendlabs...holiday-break/
    Jan 11, 2013 - "... now that the holidays are over, cybercriminals behind BHEK campaigns are back again, this time spoofing companies like HP, Federal Reserve Bank*, and Better Business Bureau**. In particular, the Better Business Bureau BHEK spam** claims to be a complaint report and urges its recipients to click a link pointing to the said claim letter report. The links eventually lead to sites that host the Blackhole Exploit Kit... we are expecting that cybercriminals will prefer creating more toolkits rather than making new malware..."
    * http://blog.trendmicro.com/trendlabs...H_bhekspam.jpg

    ** http://blog.trendmicro.com/trendlabs...B_BHEKspam.jpg

    Last edited by AplusWebMaster; 2013-01-11 at 22:06.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
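Added example (not part of the forum post or of the quoted dynamoo.com write-ups): a small Python helper that takes the defanged indicators listed above exactly as the post prints them, refangs them only for matching, and flags matching entries in a few constructed proxy log lines. The log lines, the `Hit` record and the "payload path pattern" heuristic (same `/forum/links/column.php` path on port 8080 as both quoted campaigns) are my assumptions for illustration, not anything the post describes.

```python
import re
from dataclasses import dataclass

# Indicators as the quoted posts list them: defanged with a space before the
# TLD and a "[donotclick]" tag. They are refanged below only for matching.
DEFANGED_INDICATORS = [
    "91.224.135.20",
    "187.85.160.106",
    "212.112.207.15",
    "belnialamsik .ru",
    "demoralization .ru",
    "dimanakasono .ru",
    "bananamamor .ru",
    "dmeiweilik .ru",
]
# Landing path named in both quoted campaigns (assumed to be worth watching
# on its own when a new host appears with it).
PAYLOAD_PATH = "/forum/links/column.php"

IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def refang(indicator: str) -> str:
    """Undo the blog-style defanging: drop [donotclick] and the space before the TLD."""
    s = indicator.replace("[donotclick]", "").strip()
    s = re.sub(r"\s+\.", ".", s)          # "example .ru" -> "example.ru"
    s = s.replace("[.]", ".").replace("hxxp", "http")
    return s.lower()


def build_blocklist(indicators):
    """Split refanged indicators into an IP set and a domain set."""
    ips, domains = set(), set()
    for raw in indicators:
        ioc = refang(raw)
        (ips if IPV4_RE.match(ioc) else domains).add(ioc)
    return ips, domains


@dataclass
class Hit:
    line_no: int
    client: str
    matched: str
    reason: str


# Constructed proxy log lines (not real traffic): "client host port path"
SAMPLE_PROXY_LOG = """\
10.0.0.12 www.example.org 443 /
10.0.0.15 dimanakasono.ru 8080 /forum/links/column.php
10.0.0.15 demoralization.ru 80 /
10.0.0.21 91.224.135.20 8080 /forum/links/column.php
10.0.0.30 mail.example.org 443 /inbox
10.0.0.33 cdn.example.net 8080 /forum/links/column.php
"""


def scan_proxy_log(log_text: str, indicators=DEFANGED_INDICATORS):
    """Return a Hit for every log line touching a blocklisted host or the payload path."""
    ips, domains = build_blocklist(indicators)
    hits = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        parts = line.split()
        if len(parts) != 4:
            continue                      # skip malformed lines rather than crash
        client, host, port, path = parts
        host = host.lower()
        if host in ips:
            hits.append(Hit(n, client, host, "blocklisted IP"))
        elif host in domains or any(host.endswith("." + d) for d in domains):
            hits.append(Hit(n, client, host, "blocklisted domain"))
        elif port == "8080" and path == PAYLOAD_PATH:
            # Same landing path and port as the known payload on a host that is
            # not yet listed: surface it for review instead of silently passing.
            hits.append(Hit(n, client, host, "payload path pattern"))
    return hits


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"line {hit.line_no}: {hit.client} -> {hit.matched} ({hit.reason})")
```

Subdomain matching (`host.endswith("." + d)`) is deliberate: the post lists bare domains, and a sighting of a host under one of them should still trip the block. The path heuristic is the part to tune to your own traffic; it is there to show how the shared landing path the two campaigns have in common can be turned into a detection that outlives the specific hosts.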
