Thread: SPAM frauds, fakes, and other MALWARE deliveries...

  1. #1
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Twitter DMs from "friends" lead to backdoor Trojan...

    FYI...

    Twitter DMs from "friends" lead to backdoor Trojan
    - http://nakedsecurity.sophos.com/2012...video-malware/
    Sep 24, 2012 - "Have you received a Twitter message from an online friend, suggesting you have been captured in a Facebook video?... The aim of the messages? To trick the unwary into clicking on a link... and ultimately infect computers. Here is one example:
    > https://sophosnews.files.wordpress.c...cked.jpg?w=640
    ... here's another. Note that there are many different combinations of wording that can be used.
    > https://sophosnews.files.wordpress.c...ed-2.jpg?w=640
    Users who click on the link are greeted with what appears to be a video player and a warning message that "An update to Youtube player is needed". The webpage continues to claim that it will install an update to Flash Player 10.1 onto your computer.
    > https://sophosnews.files.wordpress.c...ware.jpg?w=640
    ... In this example, the program you are being invited to download is called FlashPlayerV10.1.57.108.exe, and is detected by Sophos anti-virus products as Troj/Mdrop-EML, a backdoor Trojan that can also copy itself to accessible drives and network shares. Quite how users' Twitter accounts became compromised to send the malicious DMs in the first place isn't currently clear, but the attack underlines the importance of -not- automatically clicking on a link just because it appeared to be sent to you by a trusted friend. If you do find that it was your Twitter account sending out the messages, the sensible course of action is to assume the worst, change your password (make sure it is something unique, hard-to-guess and hard-to-crack) and revoke permissions of any suspicious applications that have access to your account."

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #2

    Multiple malware IPs to be blocked ...

    FYI...

    Evil network: 108.178.59.0/26
    - http://blog.dynamoo.com/2012/09/evil...817859026.html
    25 Sep 2012 - "There's quite a bit of malware coming from a range of Singlehop IPs over the past few days. The range is 108.178.59.0/26 (108.178.59.0 - 108.178.59.63)
    So far, I've seen blackhole samples from 108.178.59.20, 108.178.59.11 and 108.178.59.26 which is enough to convince me that the whole /26 is bad and should be blocked.
    Singlehop have reallocated the IP range to a customer:
    network: IP-Network: 108.178.59.0/26
    network: State: Italy
    network: Country-Code: IT ...
    It's quite possible that Mr Coco doesn't know that the IP range is being abused in this way, but blocking access to it would be prudent..."

    - http://centralops.net/co/DomainDossier.aspx
    network: IP-Network: 108.178.59.0/26
    network: State:Italy
    network: Country-Code: IT
    ___

    BBB SPAM / one.1000houses .biz
    - http://blog.dynamoo.com/2012/09/bbb-...housesbiz.html
    25 Sep 2012 - "This fake BBB spam leads to malware at one.1000houses .biz:
    Date: Tue, 25 Sep 2012 11:42:18 +0200
    From: "Better.Business Bureau" [8050910@zread.com]
    Subject: Activity Report
    Dear business owner, we have received a complaint about your company possible involvement in check cashing and Money Order Scam.
    You are asked to provide response to this complaint within 7 days.
    Failure to provide the necessary information will result in downgrading your Better Business Bureau rating and possible cancellation of your BBB accreditation status.
    Complaint ID#125368
    Council of Better Business Bureaus
    3033 Wilson Blvd, Suite 600
    Arlington, VA 22201
    Phone: 1 (703) 276.0100
    Fax: 1 (703) 525.8277

    The malicious payload is at [donotclick]one.1000houses .biz/links/deep_recover-result.php hosted on 199.195.116.185 (A2 Hosting, US). The domain 1000houses .biz appears to be a legitimate domain where the GoDaddy account has been hacked to serve malware on subdomains. There seems to be a long-standing issue with GoDaddy domains being used in this way.
    Blocking 199.195.116.185 would probably be prudent..."


  3. #3

    FTC halts computer spying

    FYI...

    FTC halts computer spying
    * http://www.ftc.gov/opa/2012/09/designware.shtm
    09/25/2012

    Rent-to-own laptops were spying on users
    - http://h-online.com/-1717567
    26 Sep 2012 - "The US Federal Trade Commission (FTC) has settled a case with several computer rent-to-own companies and a software maker over their use of a program which spied on as many as 420,000 users of the computers. The terms of the settlement* will ban the companies from using monitoring software, deceiving customers into giving up information or using geo-location to track users. "The FTC orders today will put an end to their cyber spying," said Jon Leibowitz, FTC Chairman. The software for rental companies from DesignerWare included a "Detective Mode", a spyware application that, according to the FTC's complaint, could activate the webcam of a laptop and take pictures and log keystrokes of user activity. The software also regularly presented a fake registration screen designed to trick users into entering personal information. The data from this application was then transmitted to DesignerWare where it was then passed on to the rent-to-own companies... The FTC is limited in its actions, telling Wired**, "We don't have criminal authority. We only have civil authority" and, as this was a first violation of the FTC act, it cannot impose fines on the companies. Instead, the companies will be monitored by the FTC for compliance with the ban on using the software, or, in the case of DesignerWare, licensing it, for the next 20 years..."
    ** http://www.wired.com/threatlevel/201...yware-scandal/


  4. #4

    Spear Phishing Emails increase 56% ...

    FYI...

    Spear Phishing Emails increase 56% ...
    - http://blog.fireeye.com/research/201...ng-emails.html
    2012.09.25 - "Despite the many security defenses aimed at protecting email communications, email continues to be a critical vulnerability for enterprises. Between Q1 2012 and Q2 2012 alone, FireEye reported a 56% increase in the amount of malicious emails - and this wasn’t simply an increase in the total number of emails distributed; it was an increase in the number of emails that were able to -bypass- signature and reputation-based security defenses, like next-generation firewalls, intrusion prevention systems (IPS), anti-virus (AV), and secure gateways... In a new report from FireEye*, FireEye researchers analyze the nature of malicious files cybercriminals distribute in order to bypass traditional security defenses and identify several trends - including the most common words in file names and file extensions used in spear phishing attacks. Among these trends, in particular, FireEye researchers found:
    • File names relating to shipping grew from 19.20% to 26.35%.
    • Number of files referencing words associated with urgency grew from 1.72% to 10.68%.
    • Shipping-related words topped the lists of most frequently appearing words in spear phishing emails for both 2H 2011 and 1H 2012.
    In the security community, we’re more than familiar with the consequences stemming from these kinds of advanced cyber attacks - GhostNet, Night Dragon, Operation Aurora, and the RSA breach all originated, at least in part, via targeted spear phishing emails. These highly publicized incidents only further indicate what cybercriminals already well know and use to their advantage: email is a mode of attack that works..."

    * http://www.fireeye.com/resources/pdf...hing-words.pdf


  5. #5

    IRS SPAM - 3 different versions ...

    FYI...

    IRS SPAM - 3 different versions ...
    - http://blog.dynamoo.com/2012/09/irs-...ancom-and.html
    26 Sep 2012 - "Three different versions of fake IRS spam today, two leading to malware on 1.howtobecomeabostonian .com and the other with a malicious payload on mortal-records .net.
    Date: Wed, 26 Sep 2012 20:44:47 +0530
    From: "Internal Revenue Service (IRS)" [58D1F47@guyzzer.com]
    To: [redacted]
    Subject: Internal Revenue Service: For the attention of enterpreneurs
    Internal Revenue Service (IRS)
    Hello,
    Due to the system error the EIN of your company has been accidently erased from the online database, please validate your EIN to reaffirm your current status of taxpayer. Certain indulgences will be applied to the next audit report for your company. IRS is sorry to cause inconvenience.
    For detail information, please refer to:
    https ://www.irs .gov/Login.aspx?u=E8710D9E9
    Email address: [redacted]
    Sincerely yours,
    Barry Griffin
    IRS Customer Service representative
    Update your subscriptions, modify your password or email address, or stop subscriptions at any time on your Subscriber Preferences Page.
    You will need to use your email address to log in.
    This service is provided to you at no charge by the Internal Revenue Service (IRS).
    This email was sent to [redacted] by: Internal Revenue Service (IRS) · Internal Revenue Service · 1111 Constitution Ave. N.W. · Washington DC 20535
    ==========
    Date: Wed, 26 Sep 2012 11:09:45 -0400
    From: "Internal Revenue Service (IRS)" [90A75BC@etherplay.com]
    To: [redacted]
    Subject: Internal Revenue Service: For the attention of enterpreneurs
    Internal Revenue Service (IRS)
    Dear business owners,
    Due to the corrections in the taxation policies that have been recently applied, IRS informs that LLC, C-Corporations and S-Corporations have to validate their EIN in order to reaffirm their actual status. You have 14-day period in order to examine all the changes and make necessary amendments. We are sorry for the inconvenience caused.
    For the details please refer to:
    https ://www.irs .gov/ClientArea.aspx?u=1CBD0FC829256C
    Email address: [redacted]
    Sincerely yours,
    Damon Abbott
    Internal Revenue Service Representative
    Update your subscriptions, modify your password or email address, or stop subscriptions at any time on your Subscriber Preferences Page.
    You will need to use your email address to log in.
    This service is provided to you at no charge by the Internal Revenue Service (IRS).
    This email was sent to [redacted] by: Internal Revenue Service (IRS) · Internal Revenue Service · 1111 Constitution Ave. N.W. · Washington DC 20535
    ==========
    Date: Wed, 26 Sep 2012 19:53:28 +0400
    From: Internal Revenue Service [weirdpr6@polysto.com]
    To: [[redacted]]
    Subject: IRS report of not approved tax bank transfer
    Your Federal Tax pending transaction (ID: 52007291963155), recently ordered for processing from your checking account was rejected by your Bank.
    Rejected Tax transaction
    Tax Transaction ID: 52007291963155
    Reason ID See details in the report below
    State Tax Transaction Report tax_report_52007291963155.doc (Microsoft Word Document)
    Internal Revenue Service 9611 Tellus. Av. Augusta 38209 MV


    Payload one is at [donotclick]1.howtobecomeabostonian .com/links/marked-alter.php hosted on 74.207.232.13 (Linode, US) which looks like a -hacked- GoDaddy domain. Payload two is at [donotclick]mortal-records .net/detects/processing-successfully.php hosted on 203.91.113.6 (G-Mobile, Mongolia) which is an IP address that has been used a LOT for this type of attack. Blocking those IPs would be ideal..."


  6. #6

    Fake iPhone emails/sales sites ...

    FYI...

    Fake iPhone sales emails/sites ...
    - http://blog.webroot.com/2012/09/27/f...iate-networks/
    Sep 27, 2012 - "... cybercriminals continue introducing new services and goods with questionable quality and sometimes unknown origins on the market, with the idea to entice potential network participants into monetizing the traffic they can deliver through black hat SEO (Search Engine Optimization), malvertising, and spam campaigns... a recently launched affiliate network selling iPhones that primarily targets Russian-speaking customers, and emphasizes the traffic acquisition scheme used by one of the network’s participants... It all starts with a spam campaign offering brand new iPhones for a decent price in an attempt by one of the network participants to acquire traffic which will ultimately convert into sales.
    Sample spamvertised email offering cheap and easy-to-obtain iPhones"
    > https://webrootblog.files.wordpress....te_network.png
    ... an example of an affiliate network participant targeting English-speaking users, even though the actual web site is targeting Russian-speaking users...
    Sample screenshot of the entry page for the iPhone selling affiliate network:
    > https://webrootblog.files.wordpress....te_network.png
    (More samples available at the blog.webroot URL above)...
    We advise bargain hunters to avoid clicking on links found in spam emails, avoid entering their credit card details on sites found in spam emails, and to avoid purchasing -any- kind of item promoted in these emails."


  7. #7

    SPAM leads to malware - 2012.10.01...

    FYI... multiple entries:

    Intuit SPAM - Shipment / art-london .net
    - http://blog.dynamoo.com/2012/10/intu...londonnet.html
    1 Oct 2012 - "This terminally confused Intuit / USPS / Amazon-style spam leads to malware...
    Date: Mon, 1 Oct 2012 21:31:57 +0430
    From: "Intuit Customer Service" [battingiy760@clickz.com]
    To: [redacted]
    Subject: Intuit Shipment Confirmation
    Dear [redacted],
    Great News! Your order, ID859560, was shipped today (see info below) and will complete shortly. We hope that you will find that it exceeds your expectations. If you ordered not one products, we may send them in separate boxes (at no additional cost to you) to ensure the fastest possible delivery. We will also provide you with the ability to track your shipments via the information below.
    Thank you for your interest.
    ORDER DETAILS
    Order #: ID859560
    Order Date: Sep 25, 2012
    Item(s) In Your Order
    Shipping Date: October, 1 2012
    Shipping Method: USPS Express Mail
    Estimated Delivery Date: October, 3 2012 - October 05, 2012
    Tracking No.: 5182072894288348304217
    Quantity Item
    1 Intuit Card Reader Device - Gray
    Please be informed that shipping status details may be not available yet online. Check the Website Status link above for details update.
    Shipment Information:
    We sent your item(s) to the next address:
    065 S Paolo Ave, App. 5A
    S Maria, FL
    Email: [redacted]
    Questions about your order? Please visit Customer Service.
    Return Policy and Instructions
    Privacy | Legal Disclaimer | Contact Us | About
    You have received this business note as part of our efforts to fulfill your request and service your account. You may receive more email notifications from us even if you have previously selected out of marketing notifications...


    The malicious payload is at [donotclick]art-london .net/detects/stones-instruction_think.php hosted on 195.198.124.60 (Skand Meteorologi och Miljoinstr AB, Sweden), a site which also hosts the presumably malicious domain indice-acores .net. Presumably this IP is a hacked server belonging to some legitimate Swedish organisation, but you should block it nonetheless."
    ___

    Fake Intuit order confirmation
    - http://security.intuit.com/alert.php?a=59
    10/01/2012 - "... receiving emails with the title "Your Intuit Order Notification."
    Below is a copy of the email people are receiving:
    > http://security.intuit.com/images/yourintuitorder.jpg
    ... This is the end of the fake email. Steps to Take Now: Do not click on the link in the email... Delete the email..." etc...
    ___

    Sendspace SPAM / onlinebayunator .ru
    - http://blog.dynamoo.com/2012/10/send...yunatorru.html
    1 Oct 2012 - "I haven't seen Sendspace spam before... but here it is, leading to malware on onlinebayunator .ru:
    Date: Mon, 1 Oct 2012 10:40:29 +0300
    From: Twitter
    To: [redacted]
    Subject: You have been sent a file (Filename: [redacted]-9038870.pdf)
    Sendspace File Delivery Notification:
    You've got a file called [redacted]-56.pdf, (133.8 KB) waiting to be downloaded at sendspace.(It was sent by CHIQUITA Caldwell).
    You can use the following link to retrieve your file:
    Download Link
    The file may be available for a limited time only.
    Thank you,
    sendspace - The best free file sharing service...


    The malicious payload is at [donotclick]onlinebayunator .ru:8080/forum/links/column.php hosted on the same IP address ( 84.22.96.0/19 ) as this attack* earlier today.
    * http://blog.dynamoo.com/2012/10/nach...yunatorru.html
    ___

    Evolution1 SPAM / 69.194.194.221
    - http://blog.dynamoo.com/2012/10/evol...194194221.html
    1 Oct 2012 - "I haven't seen this spam before, it leads to malware on 69.194.194.221:
    Date: Mon, 01 Oct 2012 15:44:59 +0200
    From: "INTUIT" [D6531193@familyhealthplans.com]
    Subject: Information regarding Employer Contribution
    INTUIT
    Attn: Account Holder
    You can view the information about all Employer contributions that are due to be made on 2/1/2012 by visiting the following link:
    http ://intuithealthemployer .lh1ondemand .com
    Please let us know employment alterations on your enrollment spreadsheet within the period of two business days. The foregoing report shows the ACH amount we will withdraw from your bank account for the contributions on the first business day of the month. Please remember, if changes occur, this may affect the ACH amount.
    Intuit Health Debit Card Powered by Evolution1 Employer Services..."


    The malicious payload is on 69.194.194.221 (Solar VPS, US) ..."
    ___

    NACHA SPAM / onlinebayunator .ru
    - http://blog.dynamoo.com/2012/10/nach...yunatorru.html
    1 Oct 2012 - "This fake NACHA spam leads to malware on onlinebayunator.ru:
    Date: Mon, 1 Oct 2012 04:16:46 -0500
    From: Bebo Service [service@noreply.bebo.com]
    Subject: Fwd: ACH Transfer rejected
    The ACH debit transfer, initiated from your bank account, was canceled.
    Canceled transaction:
    Transfer ID: FE-764029897226US
    Transaction Report: View
    Valentino Dickey
    NACHA - The Electronic Payment Association
    f0c34915-3e624bbb...


    The malicious payload is at [donotclick]onlinebayunator .ru:8080/forum/links/column.php (probably a Blackhole 2 exploit kit) hosted on the following familiar IPs that should be blocked:
    84.22.100.108 (Republic CyberBunker, Antarctica - Amsterdam more likely)
    190.10.14.196 (RACSA, Costa Rica)
    203.80.16.81 (Myren, Malaysia)
    Of note, CyberBunker has a long history of spamming and tolerating criminals. Blocking the range 84.22.96.0/19 should afford your network some additional protection."

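    As an added example (not code from this forum or from the Dynamoo blog), the script below refangs the indicators quoted in posts #2 and #7, turns them into a blocklist of hostnames and CIDR ranges, and checks constructed proxy log lines against it; the log format, the sample lines and the helper names are my own assumptions.

```python
import ipaddress
import re

# Indicators copied from the Dynamoo items quoted in posts #2 and #7. Hostnames
# are defanged with "[donotclick]" and a space before the TLD; IPs are plain.
RAW_INDICATORS = [
    "[donotclick]one.1000houses .biz/links/deep_recover-result.php",
    "[donotclick]onlinebayunator .ru:8080/forum/links/column.php",
    "[donotclick]art-london .net/detects/stones-instruction_think.php",
    "108.178.59.0/26",   # Singlehop range (post #2)
    "84.22.96.0/19",     # CyberBunker range (post #7)
    "199.195.116.185",   # A2 Hosting host (post #2)
    "69.194.194.221",    # Solar VPS host (post #7)
]
# Optional "[donotclick]" prefix, host labels, optional space, TLD, optional port/path.
_DEFANGED_HOST = re.compile(
    r"^(?:\[donotclick\])?([A-Za-z0-9.-]+) ?\.([A-Za-z]{2,})(?::\d+)?(?:/.*)?$"
)

def refang_host(indicator):
    """Return the bare lower-case hostname from a defanged indicator, else None."""
    m = _DEFANGED_HOST.match(indicator.strip())
    return f"{m.group(1)}.{m.group(2)}".lower() if m else None

def build_blocklist(raw):
    """Split indicators into IP networks (a bare IP becomes a /32) and hostnames."""
    networks, hosts = [], set()
    for item in raw:
        try:
            networks.append(ipaddress.ip_network(item, strict=False))
        except ValueError:           # not an IP or CIDR, so try it as a hostname
            host = refang_host(item)
            if host:
                hosts.add(host)
    return networks, hosts

def match_event(dst_ip, dst_host, networks, hosts):
    """Return the blocklist entry a connection matches (hostname first), or None."""
    host = dst_host.split(":")[0].lower()
    if host in hosts:
        return host
    addr = ipaddress.ip_address(dst_ip)
    return next((str(n) for n in networks if addr in n), None)

def scan_proxy_log(lines, networks, hosts):
    """Constructed log format: '<ts> <client> <dst_ip> <dst_host[:port]> <method> <path>'."""
    hits = []
    for line in lines:
        ts, client, dst_ip, dst_host, _method, path = line.split()
        why = match_event(dst_ip, dst_host, networks, hosts)
        if why:
            hits.append((ts, client, dst_host + path, why))
    return hits

# Constructed log lines, not real traffic; 192.0.2.x is documentation space.
SAMPLE_LOG = [
    "2012-10-01T10:41:02Z 10.0.0.12 84.22.100.108 onlinebayunator.ru:8080 GET /forum/links/column.php",
    "2012-10-01T10:41:05Z 10.0.0.12 192.0.2.10 example.com GET /",
    "2012-09-25T12:03:11Z 10.0.0.44 199.195.116.185 one.1000houses.biz GET /links/deep_recover-result.php",
    "2012-09-25T12:04:00Z 10.0.0.44 108.178.59.20 108.178.59.20 GET /",
]

if __name__ == "__main__":
    nets, hosts = build_blocklist(RAW_INDICATORS)
    for hit in scan_proxy_log(SAMPLE_LOG, nets, hosts):
        print(*hit)
```

    The hostname match is exact on purpose: post #2 notes that 1000houses .biz itself appears legitimate, so only the abused subdomain is listed.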
