Thread: SPAM frauds, fakes, and other MALWARE deliveries...
  1. #1
    AplusWebMaster (Adviser Team) | Join Date: Oct 2005 | Location: USA | Posts: 6,881

    My Photos SPAM - malware...

    FYI...

    My Photos SPAM - malware
    - http://myonlinesecurity.co.uk/photos-malware/
    23 Aug 2014 - "'My Photos' is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Very simple email with content just saying 'Please find attached photos of my birthday party.' This one is particularly nasty and dangerous because it doesn’t give any outward signs of infection. It downloads an auto-configure script from http ://construtoralondres.zip .net/JScript32.log which then attempts to send all traffic through a proxy server http ://supermercadorleves.ddns .net which then filters out UK banking traffic to another proxy where they can steal all your banking log on and account information. Each UK bank is sent to a -different- proxy where the sites are set up to intercept traffic to the genuine UK bank site. That way, you think that you are on the genuine UK bank site and you actually are, but the proxy between you and the bank can read -everything- you type or do on the bank site. You have absolutely no idea that this is happening & you still get a padlock in the address bar to say that you are on a safe site.

    23 August 2014: My Photos.zip (8 kb): Extracts to My Photos.exe
    Current Virus total detections: 10/50*. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email. Whether it is a message saying “look at this picture of me I took last night” and it appears to come from a friend or is more targeted at somebody who regularly is likely to receive PDF attachments or Word .doc attachments or any other common file that you use every day. Be very careful when unzipping them and make sure you have “show known file extensions enabled”, and then look carefully at the unzipped file. If it says .EXE then it is a problem and should -not- be run or opened."
    * https://www.virustotal.com/en/file/8...is/1408799346/

    zip .net / 200.147.99.195: https://www.virustotal.com/en/ip-add...5/information/
    - http://quttera.com/detailed_report/zip.net
    Submission date: Aug 24 16:53:51 2014
    Server IP address: 200.147.99.195
    "Warning: This Website Is Blacklisted!..."

    ddns .net / 8.23.224.108: https://www.virustotal.com/en/ip-add...8/information/
    - http://quttera.com/detailed_report/ddns.net
    Submission date: Aug 24 16:46:40 2014
    Server IP address: 8.23.224.108
    "Alert: Suspicious Content Detected On This Website!..."
    ___

    Sony PlayStation Network taken down by attack
    - http://www.reuters.com/article/2014/...0GP02620140825
    Aug 24, 2014 - "Sony Corp said on Sunday its PlayStation Network was taken down by a denial of service-style attack and the FBI was investigating the diversion of a flight carrying a top Sony executive amid reports of a claim that explosives were on board. The company said in a posting on its PlayStation blog that no personal information of the network was accessed in the attack, which overwhelmed the system with heavy traffic..."

    - http://www.reuters.com/article/2014/...0GP02620140825
    Aug 25, 2014 - "Sony Corp's PlayStation Network was back online on Monday following a cyber attack that took it down over the weekend, which coincided with a bomb scare on a commercial flight carrying a top Sony executive in the United States. Sony said on its PlayStation blog that its PlayStation network had been taken down by a denial of service-style attack, which overwhelmed the system with traffic, but did not intrude onto the network or access any of its 53 million users' information..."

    Last edited by AplusWebMaster; 2014-08-25 at 13:14.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .
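    The proxy auto-configuration (PAC) trick in the 'My Photos' item above, where the script routes each bank's traffic to a different proxy, as an added illustration of how an analyst can triage such a script offline. This is example code written for this thread, not from myonlinesecurity; the PAC text is a constructed sample using documentation addresses, not the script from the campaign, and the keyword list is a guess to be tuned per environment.

```python
import fnmatch
import re
from typing import Any, Dict, List

# Constructed sample PAC script, modelled on the behaviour the post describes
# (bank hosts matched by pattern and sent to per-bank proxies, everything else
# through one general proxy).  It is NOT the campaign's script; hosts and
# addresses come from the RFC 2606 / RFC 5737 documentation ranges.  On Windows
# the script a browser is using is the URL in the AutoConfigURL value under
# HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings.
SAMPLE_PAC = r"""
function FindProxyForURL(url, host) {
    if (shExpMatch(host, "*.bank-alpha.example")) return "PROXY 192.0.2.10:8080";
    if (shExpMatch(host, "*.bank-beta.example"))  return "PROXY 192.0.2.11:8080";
    if (dnsDomainIs(host, ".bank-gamma.example")) return "PROXY 192.0.2.12:8080; DIRECT";
    return "PROXY 198.51.100.5:3128";
}
"""

# One decision branch: an optional host test followed by the directive it returns.
BRANCH_RE = re.compile(
    r'(?:if\s*\(\s*(shExpMatch|dnsDomainIs)\s*\(\s*host\s*,\s*"([^"]+)"\s*\)\s*\)\s*)?'
    r'return\s+"([^"]+)"'
)
# host:port targets inside a directive such as "PROXY a:1; SOCKS b:2; DIRECT".
PROXY_RE = re.compile(r"\b(?:PROXY|HTTPS|SOCKS5?|SOCKS4|HTTP)\s+([^;\s]+)", re.IGNORECASE)


def parse_pac(pac: str) -> List[Dict[str, Any]]:
    """Extract the branches of a simple PAC script in source order."""
    branches = []
    for fn, pattern, directive in BRANCH_RE.findall(pac):
        branches.append({
            "matcher": fn or None,
            "pattern": pattern or None,          # None marks the unconditional default
            "proxies": PROXY_RE.findall(directive),
        })
    return branches


def route_for(pac: str, host: str) -> List[str]:
    """Evaluate the branches in order, as a PAC engine would; [] means DIRECT."""
    for b in parse_pac(pac):
        if b["pattern"] is None:
            return b["proxies"]
        if b["matcher"] == "shExpMatch" and fnmatch.fnmatchcase(host.lower(), b["pattern"].lower()):
            return b["proxies"]
        if b["matcher"] == "dnsDomainIs" and host.lower().endswith(b["pattern"].lower()):
            return b["proxies"]
    return []


def triage_pac(pac: str, sensitive_keywords=("bank",)) -> Dict[str, Any]:
    """Summarise a PAC file for review: the default route, how many distinct proxies
    it names, and which sensitive-looking host patterns are diverted to a proxy other
    than the default (the per-bank interception described in the post)."""
    branches = parse_pac(pac)
    default = next((b["proxies"] for b in branches if b["pattern"] is None), [])
    diverted = []
    for b in branches:
        if b["pattern"] is None or not b["proxies"]:
            continue
        looks_sensitive = any(k in b["pattern"].lower() for k in sensitive_keywords)
        if looks_sensitive and b["proxies"] != default:
            diverted.append((b["pattern"], b["proxies"][0]))
    distinct = sorted({p for b in branches for p in b["proxies"]})
    return {"default_route": default, "distinct_proxies": distinct, "diverted_sensitive": diverted}


if __name__ == "__main__":
    report = triage_pac(SAMPLE_PAC)
    print("default route:", report["default_route"])
    for pattern, proxy in report["diverted_sensitive"]:
        print(f"DIVERTED {pattern} -> {proxy}")
    print("www.bank-alpha.example goes via", route_for(SAMPLE_PAC, "www.bank-alpha.example"))
```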

  2. #2
    AplusWebMaster (Adviser Team)

    Phishing safety, Hoax email ...

    FYI...

    Phishing safety ...
    - http://blog.trendmicro.com/trendlabs...-https-enough/
    Sep 5, 2014 - "It was recently reported that Google would improve the search ranking of HTTPS sites in their search engine. This may encourage website owners to switch from HTTP to HTTPS. Cybercriminals are -also- taking part in this switch... we recently spotted a case where users searching for the -secure- version of a gaming site were instead led to a phishing site. We researched phishing sites that used HTTPS and were blocked by Trend Micro web reputation technology from 2010-2014. Based on our investigation, the number of phishing sites is increasing and we expect it to -double- towards the latter part of 2014...
    Number of HTTPS phishing sites from 2010 to 2014:
    > http://blog.trendmicro.com/trendlabs...TTPS_count.jpg
    One of the reasons for this spike is that it is easy for cybercriminals to create websites that use HTTPS: they can either compromise sites that already use HTTPS, or use legitimate hosting sites or other services that already use HTTPS. There is no need for the cybercriminals to acquire their own SSL certificate, since they have just abused or compromised servers that -do- have valid certificates...
    Screenshots of legitimate site (left) and phishing site (right):
    > http://blog.trendmicro.com/trendlabs...ishingsite.jpg
    ... While some sites have a green icon bar in the address bar as a security indicator, users still need to check the common name and organization. For example, users search for the Bank of America login page and click on the top result. In the login page, they can check for the green icon bar and the domain name, (which in this case is bankofamerica.com). When they click the green icon bar, a window will pop up. Users can then check for the “Issued to” which is equivalent to “Common Name.” Note that the Common Name should be similar to the domain name...
    Check the green icon bar and the domain name to determine if it is a legitimate site:
    > http://blog.trendmicro.com/trendlabs...eenbaricon.jpg
    As more and more sites use SSL due to the boost in Google search rankings, users will have to become aware that the padlock of HTTPS is no longer a sign that they are visiting a safe site. They must first check the certificate before proceeding to enter credentials and personal identifiable information (PII)... Based on feedback from the Smart Protection Network data, the top affected countries that visit HTTPS phishing sites are US and Brazil.
    Top affected countries:
    > http://blog.trendmicro.com/trendlabs...untries-01.jpg ..."
    ___

    Hoax email comes with malicious Word doc
    - http://blog.dynamoo.com/2014/09/shak...omes-with.html
    5 Sep 2014 - "... Spanish-language spam email reports the (fake) death of Shakira in a car accident. Attached is a Word document that contains a malicious macro... translates as:
    Shakira dies in serious accident
    This morning at 1:10 A.M. in the neighborhood La Macarena, Colombia. The well-known singer and performer Shakira Isabel Mebarak Ripoll, suffered a serious car accident in which she lost her life. Aboard the vehicle was her manager, who was seriously injured. Witnesses say the car driven by the latter, was speeding ..
    To view exclusive images and details of the story, we have attached a document with all the information about this tragic event.


    When attempting to open the Word document (IMAGENES_01.doc), the potential victim sees the following:
    Screenshot: https://4.bp.blogspot.com/-Fl3B4-2Dt...00/shakira.png

    The rest of the document explains to the victim how to remove the security settings from Word, supposedly to enable them to view the pictures. But what will actually happen is that the malicious macro in the document will try to infect the PC. This malicious document has a VirusTotal detection rate of just 2/54*. According to an analysis of the document, it then appears to download additional components from an insecure Joomla site at [donotclick]www .papeleriaelcid .com/aurora/ajax/ ... In this case the originating IP was 207.150.195.247 (a SouthWeb Ventures IP allocated to a customer supposedly called "Microinformatica Gerencial, S.A. de C.V."). Blocking the papeleriaelcid .com site and rejecting emails from 207.150.195.247 might be wise ..."
    (English or other languages may be spammed out next.)
    * https://www.virustotal.com/en-gb/fil...is/1409926479/
    ___

    NatWest Phish: “You are Logging In from Different Cities”
    - https://blog.malwarebytes.org/fraud-...ferent-cities/
    Sep 5, 2014 - "There’s a NatWest phish in circulation which tries to scare recipients with warnings of logins from multiple cities which it claims is forbidden. Anybody spending a lot of time on the road for work or personal reasons could potentially be panicked into clicking the links in this one. The URL in the mail leads to a 404 error on a website about different types of paint, so it’s likely been reported and / or pulled by the hosts but here’s the text so you can easily spot it the next time it gets rolled out with a fresh URL:

    Dear Customer,
    During a recent review of your account we found that you are currently logging in from different cities in a suspicious manner that is not compliant with our bank policies.
    NatWest customers are not permitted to log in from different places at same time, or using proxies.
    For your safety, we have temporarily deactivated your account, to reactive your account please go to our SSL secure link below and update your account credentials.
    However, please note that our squad reserves the right to close your account at any time. As such, we encourage you to become familiar with our program policies and monitor your network accordingly.


    The email displays the full URL in the text of the legitimate NatWest website, but uses the old trick of making the clickable link take them to a -phish- hosted on a -compromised- website... it’s always a good idea to hover over any clickable link in an email so you can check the final destination... with so many people traveling as part of their job nowadays this could easily snag a few victims."
    ___

    Cryptographic Locker
    - http://www.webroot.com/blog/2014/09/...raphic-locker/
    Sep 5, 2014 - "... every few weeks we see a -new- encrypting ransomware variant. It’s not surprising either since the business model of ransoming files for money is tried and true. Whether it’s important work documents, treasured wedding pictures, or complete discographies of your favorite artists, everyone has valuable data they don’t want taken. This is the last thing anyone wants to see:
    > https://www.webroot.com/blog/wp-cont...nd-cropped.png
    This variant does bring some new features to the scene, but also fails at other lessons learnt by previous variants. Starting with the new features, this variant will now just “delete” the files after encrypting them (it just hides them from you). This doesn’t add any more intangibility since they are encrypted with AES-128 anyway, but it does add a greater sense of loss and panic since all of your common data directories will appear to have been cleaned out. Another new feature is the constant raise in price every 24 hours. While price bumping was used on previous variants, this one doesn’t have a limit... where this variant falls short on overall volatility is in the failure to delete the VSS (Volume Shadow Service), so using tools like Shadow Explorer* will work to retrieve your files and circumvent paying the ransom. As I’ve said in previous blogs I do expect issues like this to be fixed once this malware is adopted by more botnets for widespread distribution..."
    * http://www.shadowexplorer.com/

    Last edited by AplusWebMaster; 2014-09-05 at 21:22.
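    The certificate check the Trend Micro item above recommends (padlock present is not enough; the “Issued to” name must belong to the domain you meant to visit), as an added worked example for this post. The code is written for this thread, not taken from Trend Micro; the two certificates are constructed stand-ins in the dict shape Python's getpeercert() returns, and hosting-provider.example is a placeholder for a compromised or rented host that holds a perfectly valid certificate.

```python
import socket
import ssl
from typing import Dict, List, Tuple

# Constructed certificates (not real ones) in getpeercert() dict form.  The first
# stands for the genuine bank site named in the post; the second for a valid
# certificate on a third-party host where a phishing page has been dropped.
LEGIT_CERT: Dict = {
    "subject": ((("commonName", "www.bankofamerica.com"),),),
    "subjectAltName": (("DNS", "www.bankofamerica.com"), ("DNS", "bankofamerica.com")),
}
PHISH_HOST_CERT: Dict = {
    "subject": ((("commonName", "*.hosting-provider.example"),),),
    "subjectAltName": (("DNS", "*.hosting-provider.example"), ("DNS", "hosting-provider.example")),
}


def cert_names(cert: Dict) -> Tuple[List[str], List[str]]:
    """Return (common names, DNS subjectAltNames) from a getpeercert()-style dict."""
    cns = [value for rdn in cert.get("subject", ()) for key, value in rdn if key == "commonName"]
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return cns, sans


def label_match(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison: exact match, or a '*' replacing only the leftmost label."""
    p = pattern.lower().rstrip(".")
    h = hostname.lower().rstrip(".")
    if "*" not in p:
        return p == h
    p_labels, h_labels = p.split("."), h.split(".")
    # The wildcard must be the whole leftmost label, must not sit over a bare TLD,
    # and covers exactly one label (a.b.example never matches *.example).
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def browser_padlock_check(cert: Dict, url_host: str) -> bool:
    """What the browser verifies before showing the padlock: the certificate covers the
    host in the address bar.  SANs take precedence; the CN only counts if there are none."""
    cns, sans = cert_names(cert)
    candidates = sans if sans else cns
    return any(label_match(name, url_host) for name in candidates)


def issued_to_expected_domain(cert: Dict, expected_domain: str) -> bool:
    """The extra check the post asks users to make: is the 'Issued to' name (CN or SAN)
    actually under the domain you intended to visit, whatever the address bar shows?"""
    cns, sans = cert_names(cert)
    exp = expected_domain.lower().rstrip(".")
    for name in cns + sans:
        n = name.lower().lstrip("*.")
        if n == exp or n.endswith("." + exp):
            return True
    return False


def fetch_peer_cert(hostname: str, port: int = 443, timeout: float = 5.0) -> Dict:
    """Fetch a live certificate in the same dict form (needs network; not used by the tests)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    # The phishing URL host is a subdomain of the compromised host, so the wildcard
    # certificate is valid for it and the padlock appears, yet it is not the bank.
    phish_url_host = "secure-login.hosting-provider.example"
    print("padlock shown:", browser_padlock_check(PHISH_HOST_CERT, phish_url_host))
    print("issued to bankofamerica.com:", issued_to_expected_domain(PHISH_HOST_CERT, "bankofamerica.com"))
```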

  3. #3
    AplusWebMaster (Adviser Team)

    Fake NatWest, eFax SPAM ...

    FYI...

    Fake NatWest SPAM - malware attached
    - http://blog.dynamoo.com/2014/09/impo...oice-spam.html
    18 Sep 2014 - "This -fake- NatWest invoice (since when did banks send invoices?) leads to a malicious ZIP file.
    From: NatWest Invoice [invoice@ natwest .com]
    Date: 18 September 2014 11:06
    Subject: Important - New account invoice
    Your latest NatWest invoice has been uploaded for your review. If you have any questions regarding this invoice, please contact your NatWest service team at the number provided on the invoice for assistance.
    To view/download your invoice please click here or follow the link below ...
    Thank you for choosing NatWest...


    The link in this particular email goes to bnsoutlaws .co.uk/qvgstopmdi/njfeziackv.html which then downloads a ZIP file from bnsoutlaws .co.uk/qvgstopmdi/Account_Document.zip which in turn contains a malicious executable Account_Document.scr which has a VirusTotal detection rate of just 1/53*. The ThreatTrack report [pdf] shows that the malware attempts to call home...
    Recommended blocklist:
    188.165.204.210
    liverpoolfc .bg
    bnsoutlaws .co.uk"
    * https://www.virustotal.com/en-gb/fil...is/1411032337/
    ... Behavioural information
    TCP connections
    91.215.216.52: https://www.virustotal.com/en-gb/ip-...2/information/
    188.165.204.210: https://www.virustotal.com/en-gb/ip-...0/information/
    UDP communications
    137.170.185.211: https://www.virustotal.com/en-gb/ip-...1/information/

    UPDATE: The -same- malware is also being pushed by a fake Lloyds Bank email..
    From: Lloyds Commercial Bank [secure@ lloydsbank .com]
    Date: 18 September 2014 11:45
    Subject: Important - Commercial Documents
    Important account documents
    Reference: C146
    Case number: 68819453
    Please review BACs documents.
    Click link below, download and open document. (PDF Adobe file) ...


    - http://myonlinesecurity.co.uk/nat-we...e-pdf-malware/
    18 Sep 2014
    Screenshot: http://myonlinesecurity.co.uk/wp-con...nt-invoice.png
    ___

    Fake eFax SPAM - PDF malware
    - http://myonlinesecurity.co.uk/efax-r...e-pdf-malware/
    18 Sep 2014 - "'eFax Report' pretending to come from eFax Report <noreply@ efax-reports .com> is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    INCOMING FAX REPORT
    Date/Time: Thursday, 18.09.2014
    Speed: 353bps
    Connection time: 08:02
    Page: 4
    Resolution: Normal
    Remote ID: 611-748-177946
    Line number: 3
    DTMF/DID:
    Description: Internal only ...


    18 September 2014: fax-id9182719182837529.zip (189 kb): Extracts to: fax-id9182719182837529.scr
    Current Virus total detections: 1/54*. This eFax Report is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/5...is/1411049220/
    ... Behavioural information
    UDP communications
    137.170.185.211: https://www.virustotal.com/en/ip-add...1/information/
    ___

    Line Voice Message Spam
    - http://threattrack.tumblr.com/post/9...e-message-spam
    18 Sep 2014 - "Subjects Seen:
    You have a voice message
    Typical e-mail details:
    LINE Notification
    You have a voice message, listen it now.
    Time: 21:12:45 14.10.2014, Duration: 45sec


    Malicious URLs:
    iagentnetwork .com/sql.php?line=gA7EF9bA7ns68jJ0eBi8ww
    Malicious File Name and MD5:
    LINE_Call_<phone number>.zip (7FC6D33F62942B55AD94F20BDC7A3797)
    LINE_Call_<phone number>.exe (C3E0F4356A77D18438A38110F8BD919E)


    Screenshot: https://gs1.wac.edgecastcdn.net/8019...mds1r6pupn.png

    Tagged: Line.me, Kuluoz

    147.202.201.24: https://www.virustotal.com/en/ip-add...4/information/

    Last edited by AplusWebMaster; 2014-09-18 at 22:05.

  4. #4
    AplusWebMaster (Adviser Team)

    Fake Police 'Suspect', Invoice SPAM

    FYI...

    Fake Police 'Suspect' SPAM
    - http://blog.dynamoo.com/2014/10/homi...tant-spam.html
    1 Oct 2014 - "... the New York City police have finally tracked me down for eviscerating that spammer in Times Square.
    From: ALERT@ police .uk [ALERT@ police-uk .com]
    Date: 1 October 2014 08:49
    Subject: Homicide Suspect - important
    Bulletin Headline: HOMICIDE SUSPECT
    Sending Agency: New York City Police
    Sending Location: NY - New York - New York City Police
    Bulletin Case#: 14-49627
    Bulletin Author: BARILLAS #1264
    Sending User #: 56521
    APBnet Version:
    The bulletin is a pdf file. To download please follow the link below ...


    Weirdly, the message comes from a police .uk email address and the link goes to a driving school in Australia. And it comes from 63.234.220.114 which is an IP address in Kansas City. Perhaps the biggest anomaly is the file that is downloaded, a ZIP file called file-viewonly7213_pdf.zip which contains an executable file-viewonly7213_pdf.scr which is (as you might guess) malicious with a VirusTotal detection rate of 2/55*. The Anubis report** shows that the malware phones home to santace .com which is probably worth blocking or monitoring. Other analyses are pending. I've also seen the same payload promoted through a "You've received a new fax" spam, and no doubt there will be others during the course of the day."
    * https://www.virustotal.com/en/file/5...is/1412150049/

    ** https://anubis.iseclab.org/?action=r...da&format=html
    ___

    Something evil on 87.118.127.230
    - http://blog.dynamoo.com/2014/10/some...118127230.html
    1 Oct 2014 - "... what exploit kit this is I cannot determine, but there's something evil on 87.118.127.230 (Keyweb, Germany) which is using hijacked GoDaddy-registered subdomains to distribute crap. It's definitely worth -blocking- this IP. The source looks like some sort of malvertising, but I have incomplete data..."

    87.118.127.230: https://www.virustotal.com/en/ip-add...0/information/
    ___

    Fake 'Booking Cancellation' SPAM
    - http://blog.dynamoo.com/2014/10/ukts...cellation.html
    1 Oct 2014 - "... a -mass- of these purporting to be from uktservices .com ("UK Travel Services"), but in fact it is a -forgery- and does -not- come from them at all - they are -not- responsible for sending the spam and their systems have -not- been compromised.
    From: email@ uktservices .com
    Date: 1 October 2014 14:01
    Subject: Booking Cancellation
    Hello.
    Your booking at 13:15 on 1st Oct 2014 has been Cancelled.
    Here is a link to your updated bookings view...


    All the emails are somewhat mangled, but the first link in the email (not the uktservices .com link) goes to what appears to be an exploit kit... In -all- cases, those pages forward to a malicious page at: [donotclick]37.235.56.121 :8080/njslfxqqw9. The IP of 37.235.56.121 belongs to EDIS GmbH in Austria, and I suspect it has been hacked through an insecure Joomla installation. I haven't been able to identify which exploit kit it is as it has been hardened against analysis, but you can guarantee that this -is- malicious in some way or another..."

    37.235.56.121: https://www.virustotal.com/en/ip-add...1/information/
    ___

    More Fake Invoice SPAM
    - http://myonlinesecurity.co.uk/invoic...e-pdf-malware/
    1 Oct 2014 - "'Invoice 08387 from Them Digital' pretending to come from Jason Willson <jason@ themdigital .co.uk> is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...ital_email.png

    There are actually about 15 different sizes and repackaged versions of this malware that I have seen so far today. All have the same zip file name but the contents inside are named differently. Some will be caught by antivirus generic detections and some won’t, so be careful & watch out. Use your eyes and intuition and don’t rely on your antivirus to protect you from these types of malware.
    Today's Date: Them Digital Invoice 08387.pdf.zip: Extracts to: ThemDigital_Invoice_42559029506452623.pdf.exe | Current Virus total detections: 9/55*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/6...is/1412153387/
    ___

    Fake 'Cashbuild Copied invoices' SPAM - PDF malware
    - http://myonlinesecurity.co.uk/cashbu...e-pdf-malware/
    1 Oct 2014 - "'Cashbuild Copied invoices' pretending to come from billing@ cashbuild .co.uk is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:

    get copies of invoices. We will not be able to pay them. Please send clear invoices

    1 October 2014: copies_908705.zip (10 kb): Extracts to: copies_908705.exe
    Current Virus total detections: 0/55*. This Cashbuild Copied invoices is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/8...is/1412156828/
    ___

    GNU bash vulns...
    - http://www.securitytracker.com/id/1030890
    Updated: Oct 3 2014*
    Original Entry Date: Sep 24 2014
    - https://web.nvd.nist.gov/view/vuln/d...=CVE-2014-6271 - 10.0 (HIGH)
    - https://web.nvd.nist.gov/view/vuln/d...=CVE-2014-6277 - 10.0 (HIGH)
    - https://web.nvd.nist.gov/view/vuln/d...=CVE-2014-6278 - 10.0 (HIGH)
    - https://web.nvd.nist.gov/view/vuln/d...=CVE-2014-7169 - 10.0 (HIGH)
    - https://web.nvd.nist.gov/view/vuln/d...=CVE-2014-7186 - 10.0 (HIGH)
    - https://web.nvd.nist.gov/view/vuln/d...=CVE-2014-7187 - 10.0 (HIGH)
    * ... archive entries have one or more follow-up message(s)...
    ___

    DoubleClick abused - malvertising
    - https://blog.malwarebytes.org/malver...ising-attacks/
    30 Sep 2014 - "Last week we uncovered a large-scale malvertising* attack involving Google’s DoubleClick and Zedo that affected many high-profile sites**... another incident where DoubleClick is part of the advertising chain has happened again... the publisher is trusting them to only allow ‘clean’ ads. Many popular sites were caught in the cross-fire including examiner . com... they can be widespread in an instant by leveraging the advertising networks’ infrastructure. Malicious ads are displayed to millions of visitors who do -not- actually need to click them to get infected:
    > https://blog.malwarebytes.org/wp-con...9/overview.png
    ... Flash-based redirection: ad looks legit but hides a silent -redirection- to an exploit page. Once again, no user interaction is required to trigger the -redirection- and anyone running an outdated Flash plugin is at risk of getting exploited... It is the infamous CryptoWall*** (hat tip @kafeine) ransomware that encrypts your files and demands a ransom..."
    * https://blog.malwarebytes.org/malver...lick-and-zedo/

    ** https://blog.malwarebytes.org/exploi...ael-newspaper/

    *** https://www.virustotal.com/en/file/5...is/1412048718/

    Last edited by AplusWebMaster; 2014-10-04 at 19:55.

  5. #5
    AplusWebMaster (Adviser Team)

    Fake delivery SPAM, Fake 'Shipping Info' SPAM ...

    FYI...

    Fake delivery SPAM - word doc malware ...
    - http://myonlinesecurity.co.uk/inform...d-doc-malware/
    15 Oct 2014 - "An email pretending that you have purchased an unspecified item from an unspecified store saying 'This is to inform you that the package is on its way to you' coming from random email addresses is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    Thank you for buying at our store!
    Date ordered: October 14 2014
    This is to inform you that the package is on its way to you. We also included delivery file to your shipping address.
    Payment Nr : 7795816097 Order total : 527.54 USD Delivery date : 10/ 22th 2014.
    Please review the attached document.


    15 October 2014: 0048898757_order _doc.zip: Extracts to: 0048898757_order _doc.exe
    Current Virus total detections: 7/54*. This 'This is to inform you that the package is on its way to you' is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper word doc file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/8...is/1413361301/
    ___

    Fake 'Shipping Info' SPAM
    - http://blog.dynamoo.com/2014/10/ship...spam-uses.html
    15 Oct 2014 - "This fake shipping spam contains malware.. although it appears that it may be buggy and might not install properly.

    Screenshot: https://3.bp.blogspot.com/-l3nlpqmPS...pping-info.png

    The link in the email goes to https ://www.google .com/url?q=https%3A%2F%2Fcopy.com%2FEl9fd4VfLkfN%2FTrackShipment_0351.PDF.scr%3Fdownload%3D1&sa=D&sntz=1&usg=AFQjCNE0-3UrX7jNPzSGYodsQVzmBhrwMA which bounces through Google and then downloads a malicious executable TrackShipment_0351.PDF.scr which has a VirusTotal detection rate of 4/54*... What I think is meant to happen is that a malicious script that has been disguising itself as a GIF file which then renames a component Gl.png to Gl.exe and then attempts to execute it... This executable has a VirusTotal detection rate of 2/53**. It bombs out of automated analysis tools... possibly because it is being executed with the wrong parameters. It also opens a seemingly legitimate PDF file (VT 0/54***) which is designed to look like a Commercial Invoice, presumably to mask the fact that it is doing something malicious in the background.
    > https://4.bp.blogspot.com/-86SXLSZk3...al-invoice.png
    If you opened a file similar to this and you saw a PDF with a blank Commercial Invoice like the one pictured above, then you've probably been -infected- by the executable running in the background."
    * https://www.virustotal.com/en-gb/fil...is/1413383394/

    ** https://www.virustotal.com/en-gb/fil...is/1413384221/

    *** https://www.virustotal.com/en-gb/fil...is/1413384174/
    ___

    Fake Paypal SPAM – PDF malware
    - http://myonlinesecurity.co.uk/paypal...e-pdf-malware/
    15 Oct 2014 - "'Transaction not complete' pretending to come from PayPal is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:

    Unable to complete your most recent Transaction.
    Currently your transaction has a pending status.
    If the transaction was made by mistake please contact our customer service.
    For more details please see attached payment receipt .


    15 October 2014: Transaction25765048.zip: Extracts to: Transaction_21633987.scr
    Current Virus total detections: 7/54*. This 'Transaction not complete' pretending to come from PayPal is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/4...is/1413387437/

    Last edited by AplusWebMaster; 2014-10-15 at 23:23.

  6. #6
    AplusWebMaster (Adviser Team)

    Fake KLM e-Ticket SPAM, Tech spt scam shutdown ...

    FYI...

    Fake KLM e-Ticket SPAM – PDF malware
    - http://myonlinesecurity.co.uk/klm-e-...e-pdf-malware/
    27 Oct 2014 - "'KLM e-Ticket' pretending to come from e-service @klm .com is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...air_ticket.png

    27 October 2014: e-Ticket_klm_Itinerary _pdf.zip: Extracts to: e-Ticket_klm_Itinerary _pdf.exe
    Current Virus total detections: 2/53*. This 'KLM e-Ticket' is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/d...is/1414404573/
    ___

    Fake 'invoice xxxxxx October' SPAM - malicious Word doc
    - http://blog.dynamoo.com/2014/10/rand...ce-xxxxxx.html
    27 Oct 2014 - "There have been a lot of these today:
    From: Sandra Lynch
    Date: 27 October 2014 12:29
    Subject: invoice 0544422 October
    Please find attached your October invoice, we now have the facility to email invoices,
    but if you are not happy with this and would like a hard copy please let me know.
    New bank details for BACS payments are Santander Bank Sort Code 0544422 Account No 5600544422.
    Thanks very much
    Kind Regards
    Sandra Lynch


    The numbers in the email are randomly generated, as is the filename of the attachment (in this example it was invoice_0544422.doc). The document itself is malicious and has a VirusTotal detection rate of 5/53*. Inside the Word document is a macro that attempts to download and execute a malicious binary from http ://centrumvooryoga .nl/docs/bin.exe which is currently 404ing which is a good sign. There's a fair chance that the spammers will use this format again, so always be cautious of unsolicited email attachments."
    * https://www.virustotal.com/en/file/7...is/1414436717/

    83.96.174.219: https://www.virustotal.com/en/ip-add...9/information/
    ___

    Phish... linked with “Dyre” Banking Malware
    - https://www.us-cert.gov/ncas/alerts/TA14-300A
    Oct 27, 2014 - "Systems Affected: Microsoft Windows. Overview:
    Since mid-October 2014, a phishing campaign has targeted a wide variety of recipients while employing the Dyre/Dyreza banking malware. Elements of this phishing campaign vary from target to target including senders, attachments, exploits, themes, and payloads... Although this campaign uses various tactics, the actor’s intent is to entice recipients into opening attachments and downloading malware... The Dyre banking malware specifically targets sensitive user account credentials. The malware has the ability to capture user login information and send the captured data to malicious actors... Phishing emails used in this campaign often contain a weaponized PDF attachment which attempts to exploit vulnerabilities found in -unpatched- versions of Adobe Reader... After successful exploitation, a user's system will download Dyre banking malware..."
    ___

    FTC gets courts to shut down tech support scammers
    - http://www.theinquirer.net/inquirer/...pport-scammers
    Oct 27 2014 - "... the company, which called itself PairSys, would call people at home and claim to be from Microsoft or Facebook. This is a common scam, and the caller will often claim that the victim has a PC-based problem. In some cases people fall for this. It is estimated that PairSys made $2.5m from the scam and that it employed online adverts as well as phone calls as lures. "The defendants behind Pairsys targeted seniors and other vulnerable populations, preying on their lack of computer knowledge to sell ‘security' software and programs that had no value at all," said Jessica Rich, director of the FTC's Bureau of Consumer Protection... The defendants in the case, Pairsys, Uttam Saha and Tiya Bhattacharya, have agreed to the terms of a preliminary injunction, which includes an instruction to shut down their websites and telephone lines and not to sell on their customer data lists."
    * http://www.ftc.gov/news-events/press...h-support-scam

    > http://www.consumer.ftc.gov/blog

    Last edited by AplusWebMaster; 2014-10-28 at 13:48.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .
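    The spoofed-extension trick in the 'KLM e-Ticket' item above (a name ending in `_pdf.exe` that reads as a PDF once Windows hides known extensions) is something a mail gateway or a cautious user can check for before an attachment is ever opened. The scanner below is an added example, not code from myonlinesecurity.co.uk or from this thread; the zip it builds is constructed from the filenames quoted in the thread and holds placeholder bytes, not malware.

```python
import io
import re
import zipfile

# Extensions Windows runs on double-click; with "show known file extensions" off
# they are hidden, so the stem in front of them is all the user sees.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".jar"}
# Document/image types attackers mimic in the visible part of the name.
LURE_EXTS = "pdf|doc|docx|xls|xlsx|jpg|png|txt"

def classify_name(name):
    """Return a reason if the zip member looks like a disguised executable, else None."""
    lower = name.rsplit("/", 1)[-1].lower()
    stem, dot, ext = lower.rpartition(".")
    if not dot or "." + ext not in EXECUTABLE_EXTS:
        return None
    if re.search(r"\.(%s)$" % LURE_EXTS, stem):          # invoice.pdf.exe
        return "double extension: " + name
    if re.search(r"[ _-](%s)$" % LURE_EXTS, stem):       # e-Ticket_klm_Itinerary _pdf.exe
        return "document type spelled into the stem: " + name
    if re.search(r"\s{2,}", stem):                       # report.pdf        .exe
        return "whitespace padding before the real extension: " + name
    return "executable inside attachment: " + name

def scan_zip(data):
    """Scan zip bytes and return one finding per suspicious member."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                reason = classify_name(info.filename)
                if reason:
                    findings.append(reason)
    return findings

def build_sample_zip(names):
    """Constructed attachment: every name becomes a tiny placeholder member (not a binary)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr(n, b"placeholder bytes, not an executable")
    return buf.getvalue()

if __name__ == "__main__":
    sample = build_sample_zip(["e-Ticket_klm_Itinerary _pdf.exe", "My Photos.exe",
                               "invoice_0544422.doc", "readme.txt"])
    for finding in scan_zip(sample):
        print("SUSPICIOUS ->", finding)
```

Note that `invoice_0544422.doc` passes this check: a macro-carrying Word document is a different problem, which is why the Dynamoo item above treats macros separately.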

  7. #7
    AplusWebMaster (Adviser Team; joined Oct 2005; USA; 6,881 posts)

    Fake Invoice SPAM, Masque Attacks - iOS ...

    FYI...

    Fake Invoice SPAM - Word doc malware
    - http://myonlinesecurity.co.uk/kate-w...d-doc-malware/
    10 Nov 2014 - "'invoice 6330089 November' pretending to come from 'Kate Williams' with a malicious Word doc attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... DO NOT follow the advice they give to enable macros to see the content... Almost all of these malicious Word documents appear to be -blank- when opened in protected view mode... The email looks like:

    Please find attached your November invoice, we now have the facility to email invoices,
    but if you are not happy with this and would like a hard copy please let me know.
    New bank details for BACS payments are Santander Bank Sort Code 6330089 Account No 5606330089.
    Thanks very much
    Kate Williams


    10 November 2014 : invoice_6330089.doc - Current Virus total detections: 0/51*
    Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/8...is/1415612495/

    - http://blog.dynamoo.com/2014/11/kate...-november.html
    10 Nov 2014 - "... the malware connecting to 84.40.9.34 (Hostway, UK)..."

    1] https://www.virustotal.com/en/file/8...is/1415613432/

    2] https://www.virustotal.com/en/file/6...is/1415613431/

    84.40.9.34: https://www.virustotal.com/en/ip-add...4/information/
    ___

    Fake Amazon SPAM - malware-macros
    - http://net-security.org/malware_news.php?id=2912
    Nov 10, 2014 - "... According to AppRiver* researchers, two distinct malware delivery campaigns impersonating e-commerce giant Amazon are currently hitting inboxes. The first one is directed at UK users, and the company has already quarantined over 600,000 of these messages. The malicious email takes the form of a 'delivery confirmation message' and carries a Word document that supposedly contains the needed information. Unfortunately for those who open the file and have -macros- enabled in Word, the action triggers the installation of a Trojan dropper that downloads additional malware aimed at harvesting login credentials for various online services, including online banking. The second campaign comes in the form of an order confirmation from Amazon .com:
    > http://www.net-security.org/images/a...112014-big.jpg
    ... AppRiver* pointed out. Also, this campaign is less intense than the first one - the company has blocked "only" about -160,000- messages so far. The supposed 'invoice file attached' is actually a Trojan dropper that will download additional malware once the host is infected..."
    * http://blog.appriver.com/2014/11/mal...liday-shoppers
    "... This is a very popular time of the year for these types of scams with so many people in shopping mode in preparation for the holidays. With many people expecting purchase confirmations and shipping confirmations with much more frequency, it increases the likelihood that people will fall for this scam. Be extra cautious this holiday shopping season and if you are suspicious of unauthorized activity on your Amazon account -never- follow the link in an email such as this, go directly to the website and check your account from there."
    ___

    'Darkhotel malware' is targeting travelling execs via hotel WiFi
    - http://www.theinquirer.net/inquirer/...via-hotel-wifi
    Nov 10, 2014 - "... 'Darkhotel' has been targeting travelling executives via hotel WiFi for the past four years, Kaspersky has warned, and is still active today. According to the security firm, 'Darkhotel' infects hotel networks with spying software which in turn infects the computers of targeted executives as soon as they connect to the hotel WiFi network. The executives are tricked into installing the information-stealing malware by disguising it as an update for legitimate software such as Adobe Flash, Google Toolbar or Windows Messenger. The malware then searches the computer for sensitive corporate data, cached passwords and log-in credentials..."
    * https://securelist.com/blog/research...darkhotel-apt/
    Nov 10, 2014
    ___

    Home Depot drops Windows for Mac ...
    - http://www.theinquirer.net/inquirer/...fter-data-hack
    Nov 10 2014 - "... Home Depot is reportedly shutting out the Windows operating system in favour of the Apple alternative as the firm continues to respond to the catastrophic breach on its systems. The hardware chain has confessed in some detail about the attack on its checkout and sales systems, and admitted to losses of data that affect tens of millions of customers... The Wall Street Journal* has more information on the Home Depot hack..."
    * http://online.wsj.com/articles/home-...dor-1415309282
    "... hackers got into its systems last April by stealing a password from a vendor, opening a tiny hole that grew into the biggest retail-credit-card breach on record. On Thursday, the company announced the breach was worse than earlier thought. In addition to the 56 million credit-card accounts that were compromised, Home Depot now says around 53 million customer email addresses were stolen as well..."
    ___

    'All Your iOS Apps Belong to Us' - FireEye
    - http://www.fireeye.com/blog/technica...ong-to-us.html
    Nov 10, 2014 - "In July 2014, FireEye mobile security researchers have discovered that an iOS app installed using enterprise/ad-hoc provisioning could replace another genuine app installed through the App Store, as long as both apps used the same bundle identifier. This in-house app may display an arbitrary title (like “New Flappy Bird”) that lures the user to install it, but the app can replace another genuine app after installation. All apps can be replaced except iOS preinstalled apps, such as Mobile Safari. This vulnerability exists because iOS doesn't enforce matching certificates for apps with the same bundle identifier. We verified this vulnerability on iOS 7.1.1, 7.1.2, 8.0, 8.1 and 8.1.1 beta, for both jailbroken and non-jailbroken devices. An attacker can leverage this vulnerability both through wireless networks and USB. We named this attack “Masque Attack," and have created a demo video here:
    > https://www.youtube.com/watch?featur...&v=3VEQ-bJUhPw
    We have notified Apple about this vulnerability on July 26... After looking into WireLurker, we found that it started to utilize a limited form of Masque Attacks to attack iOS devices through USB. Masque Attacks can pose much bigger threats than WireLurker. Masque Attacks can -replace- authentic apps, such as banking and email apps, using attacker's malware through the Internet. That means the attacker can steal user's banking credentials by replacing an authentic banking app with malware that has identical UI. Surprisingly, the malware can even access the original app's local data, which -wasn't- removed when the original app was replaced. These data may contain cached emails, or even login-tokens which the malware can use to log into the user's account directly. We have seen proofs that this issue started to circulate. In this situation, we consider it urgent to let the public know, since there could be existing attacks that haven’t been found by security vendors. We are also sharing mitigation measures to help iOS users better protect themselves... By leveraging Masque Attack, an attacker can lure a victim to install an app with a deceiving name crafted by the attacker (like “New Angry Bird”), and the iOS system will use it to replace a legitimate app with the same bundle identifier. Masque Attack couldn't replace Apple's own platform apps such as Mobile Safari, but it can replace apps installed from the App Store. Masque Attack has severe security consequences... In one of our experiments, we used an in-house app with a bundle identifier “com.google.Gmail” with a title “New Flappy Bird”. We signed this app using an enterprise certificate. When we installed this app from a website, it replaced the original Gmail app on the phone:
    > http://www.fireeye.com/blog/wp-conte.../Untitled1.jpg
    ... Masque Attack happens completely over the wireless network, without relying on connecting the device to a computer.
    -- Mitigations: iOS users can protect themselves from Masque Attacks by following three steps:
    - Don’t install apps from third-party sources other than Apple’s official App Store or the user’s own organization.
    - Don’t click “Install” on a pop-up from a third-party web page, as shown in Figure 1(c), no matter what the pop-up says about the app. The pop-up can show attractive app titles crafted by the attacker.
    - When opening an app, if iOS shows an alert with “Untrusted App Developer”, as shown in Figure 3, click on “Don’t Trust” and uninstall the app immediately..."
    Figure 3:
    > http://www.fireeye.com/blog/wp-conte...1/IMG_0001.jpg

    Last edited by AplusWebMaster; 2014-11-11 at 01:07.
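    The bundle-identifier check FireEye describes in the Masque Attack item above can be made concrete with a small model: one install policy that, like the iOS versions named in the post, keys replacement on bundle identifier alone, and a hardened one that also requires the replacing app to carry the same signing identity. This is an added example, not FireEye's or Apple's code; the `App` and `Device` classes, the team identifiers and the cached token are constructed, and the real iOS installer is not modelled beyond what the post states.

```python
# Simplified model of the install decision described in the Masque Attack write-up.
# Team identifiers, titles and the cached token below are constructed values.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class App:
    bundle_id: str   # "com.google.Gmail" is the identifier quoted in the post
    team_id: str     # signing identity of the app (constructed)
    title: str       # what the user sees in the install prompt

@dataclass
class Device:
    require_matching_signer: bool                    # False = vulnerable, True = hardened
    installed: dict = field(default_factory=dict)    # bundle_id -> App
    local_data: dict = field(default_factory=dict)   # bundle_id -> data; kept on replacement
    log: list = field(default_factory=list)

    def install(self, app):
        """Return True if the app was installed, possibly replacing an app with the same id."""
        current = self.installed.get(app.bundle_id)
        if current and self.require_matching_signer and current.team_id != app.team_id:
            self.log.append(f"refused '{app.title}': signer {app.team_id} != {current.team_id}")
            return False
        if current:
            self.log.append(f"replaced '{current.title}' with '{app.title}'")
        self.installed[app.bundle_id] = app
        return True

    def data_readable_by(self, app):
        """Data is keyed by bundle id, so whichever app holds that id can read it."""
        if self.installed.get(app.bundle_id) != app:
            return None
        return self.local_data.get(app.bundle_id)

def run_scenario(hardened):
    """Install a genuine mail app, store a token, then offer a same-id enterprise app."""
    dev = Device(require_matching_signer=hardened)
    genuine = App("com.google.Gmail", "TEAM-GENUINE", "Gmail")
    dev.install(genuine)
    dev.local_data[genuine.bundle_id] = "cached-login-token"   # constructed, stands for the post's cached data
    lure = App("com.google.Gmail", "TEAM-ENTERPRISE", "New Flappy Bird")
    replaced = dev.install(lure)
    return {"replaced": replaced, "token_seen_by_lure": dev.data_readable_by(lure), "log": dev.log}

if __name__ == "__main__":
    for hardened in (False, True):
        print("hardened" if hardened else "vulnerable", run_scenario(hardened))
```

The vulnerable run reproduces both points of the post: the lure replaces Gmail, and it can read the data the original app left behind; the hardened policy refuses the install because the signer differs.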
