Results 1 to 10 of 1320

Thread: SPAM frauds, fakes, and other MALWARE deliveries...

Threaded View

Previous Post Previous Post   Next Post Next Post
  1. 2013-01-24, 15:15 #34
    AplusWebMaster
    AplusWebMaster is offline
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Thumbs down Fake Flash, LinkedIn, pharma, efax ...

    FYI...

    Fake Flash Updates - via SPAM attachment...
    - http://www.gfi.com/blog/fake-adobe-f...es-in-the-web/
    Jan 24, 2013 - "Following the return of fake Google Chrome browser updates almost two weeks ago, online criminals are now banking on fake Adobe Flash Player updates to lure the unwary user into downloading malware onto their system... spam emails claiming to be from the Better Business Bureau (BBB) and eFax Corporate... The BBB email contains an attachment that is found to be a Pony downloader that, once opened, downloads a variant of the ZeuS banking Trojan onto the affected user’s system. The said downloader also steals various passwords related to FTP sites..."
    (Screenshots available at the gfi URL above.)
    ___

    Malicious BT SPAM
    - http://www.gfi.com/blog/beware-malic...ng-in-inboxes/
    Jan 24, 2013 - "... if you’re a client of the BT (British Telecom) Group, be warned that there is a new spam campaign under the guise of a “Notice of Delivery” mail* pretending to originate from BT Business Direct... Once users download and open the attached HTM file, they are -redirected- to a Russian website the file calls back to. The website serves a Blackhole Exploit Kit, which then downloads Cridex once it finds a software vulnerability..."
    * http://gfisoftware.tumblr.com/post/4...ttachment-spam
    ___

    Fake ADP SPAM / 14.sofacomplete .com
    - http://blog.dynamoo.com/2013/01/adp-...mpletecom.html
    24 Jan 2013 - "This fake ADP spam leads to malware on 14.sofacomplete .com:
    From: Erna_Thurman @ADP .com Date: 24 January 2013 17:48
    Subject: ADP Generated Message: Final Notice - Digital Certificate Expiration
    This e-mail has been sent from an automated system. PLEASE DO NOT REPLY. If you have any questions, please contact your administrator for assistance.
    Digital Certificate About to Expire
    The digital certificate you use to access ADP's Internet services is about to expire. If you do not renew your certificate by the expiration date below, you will not be able to access ADP's Internet services.
    Days left before expiration: 1
    Expiration date: Jan 25 23:59:59 GMT-03:59 2013
    Renewing Your Digital Certificate
    1. Go to this URL: https ://netsecure.adp .com/pages/cert/register2.jsp
    2. Follow the instructions on the screen.
    3. Also you can download new digital certificate at https ://netsecure.adp .com/pages/cert/pickUpCert.faces.
    Deleting Your Old Digital Certificate
    After you renew your digital certificate, be sure to delete the old certificate. Follow the instructions at the end of the renewal process.

    The malicious payload is at [donotclick]14.sofacomplete .com/read/saint_hate-namely_fails.php hosted on 73.246.103.26 (Comcast, US). There will probably be other malicious domains on this same IP, so blocking it may be useful."
    ___

    Fake LinkedIn emails lead to client-side exploits and malware
    - http://blog.webroot.com/2013/01/24/f...s-and-malware/
    Jan 24, 2013 - "... Over the past 24 hours, cybercriminals have launched yet another massive spam campaign, impersonating LinkedIn, in an attempt to trick its users into clicking on the malicious links found in the bogus “Invitation Notification” themed emails. Once they click on the links, users are automatically exposed to the client-side exploits served by the Black Hole Exploit Kit...
    Sample screenshot of the spamvertised email:
    > https://webrootblog.files.wordpress....xploit_kit.png
    ... Name servers used by these malicious domains:
    Name server: ns1.http-page .net – 31.170.106.17 – Email: ezvalue @yahoo .com
    Name server: ns2.http-page .net – 7.129.51.158 – Email: ezvalue @yahoo .com
    Name Server: ns1.high-grades .com – 208.117.43.145
    Name Server: ns2.high-grades .com – 92.121.9.25
    Sample malicious payload dropping URL:
    hxxp ://shininghill .net/detects/solved-surely-considerable.php?vf=1o:31:1h:1l:2w&fe=33:1o:1g:1l:1m:1k:2v:1l:1o:32&n=1f&dw=w&qs=p
    Upon successful client-side exploitation, the campaign drops MD5: fdc05614f56aca9421271887c1937f51 * ...Trojan-Spy.Win32.Zbot.ihgm.
    Upon execution, the same creates the following process on the affected hosts:
    %AppData%\Bytaa\yjdoly.exe
    The following registry keys:
    HKEY_CURRENT_USER\Software\Microsoft\Rekime
    ... Once executed, the sample also attempts to establish multiple UDP connections with the following IPs:
    177.1.100.2 :11709
    190.33.36.175 :11404
    213.109.254.122 :29436
    41.69.182.117 :29817
    64.219.114.114 :13503
    161.184.174.65 :14545
    93.177.174.72 :10119
    69.132.202.147 :16149    ..."
    (More detail at the webroot URL above.)
    * https://www.virustotal.com/file/224c...b58d/analysis/
    File name: info.ex_
    Detection ratio: 30/44
    Analysis date: 2013-01-23
    ___

    Fake pharma sites 24/1/13
    - http://blog.dynamoo.com/2013/01/fake...tes-24113.html
    24 Jan 2013 - "Here's an updated list of fake RX sites being promoted through vague spam like this:
    Date: Thu, 24 Jan 2013 04:44:45 +0000 (GMT)
    From: "Account Info Change" [noreply @etraxx .com]
    Subject: Updated information
    Attention please:
    - Over 50 new positions added (view recently added products)
    - Free positions included with all accounts (read more here)
    - The hottest products awaiting you in the first weeks of the new year (read more here)
    - We want you to feel as comfortable as possible while you?re at our portal.
    Click Here to Unsubscribe

    As with a few days ago, these sites are hosted on:
    199.59.56.59 (Hostwinds, Australia)
    209.236.67.220 (WestHost Inc, US)
    Currently active spamvertised sites are as follows:
    (Long list available at the dynamoo URL above.)
    ___

    Fake Efax Corporate SPAM / epimarkun .ru
    - http://blog.dynamoo.com/2013/01/efax...imarkunru.html
    24 Jan 2013 - "This fake eFax spam leads to malware on epimarkun .ru:
    Date: Thu, 24 Jan 2013 04:04:42 +0600
    From: Habbo Hotel [auto-contact @habbo .com]
    Subject: Efax Corporate
    Attachments: Efax_Corporate.htm
    Fax Message [Caller-ID: 963153883]
    You have received a 28 pages fax at Thu, 24 Jan 2013 04:04:42 +0600, (157)-194-4168.
    * The reference number for this fax is [eFAX-009228416].
    View attached fax using your Internet Browser.
    � 2013 j2 Global Communications, Inc. All rights reserved.
    eFax � is a registered trademark of j2 Global Communications, Inc.
    This account is subject to the terms listed in the eFax � Customer Agreement.

    There is an attachment called Efax_Corporate.htm leading to a malicious payload at [donotclick]epimarkun .ru:8080/forum/links/column.php which is hosted on the following IPs:
    50.31.1.104 (Steadfast Networks, US)
    94.23.3.196 (OVH, France)
    202.72.245.146 (Mongolian Railway Commercial Center, Mongolia)
    These IPs and domains are all malicious:
    50.31.1.104
    94.23.3.196
    202.72.245.146
    dmssmgf .ru
    esekundi .ru
    esenstialin .ru
    disownon .ru
    epimarkun .ru
    damagalko .ru
    dumarianoko .ru
    epiratko .ru
    dfudont .ru     ..."

    Last edited by AplusWebMaster; 2013-01-25 at 00:09.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .
« Previous Thread | Next Thread »

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

Forum Rules