
Thread: SPAM frauds, fakes, and other MALWARE deliveries...

  1. #21
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Thumbs down Spear Phishing Emails increase 56% ...

    FYI...

    Spear Phishing Emails increase 56% ...
    - http://blog.fireeye.com/research/201...ng-emails.html
    2012.09.25 - "Despite the many security defenses aimed at protecting email communications, email continues to be a critical vulnerability for enterprises. Between Q1 2012 and Q2 2012 alone, FireEye reported a 56% increase in the amount of malicious emails - and this wasn’t simply an increase in the total number of emails distributed; it was an increase in the number of emails that were able to -bypass- signature and reputation-based security defenses, like next-generation firewalls, intrusion prevention systems (IPS), anti-virus (AV), and secure gateways... In a new report from FireEye*, FireEye researchers analyze the nature of malicious files cybercriminals distribute in order to bypass traditional security defenses and identify several trends - including the most common words in file names and file extensions used in spear phishing attacks. Among these trends, in particular, FireEye researchers found:
    • File names relating to shipping grew from 19.20% to 26.35%.
    • Number of files referencing words associated with urgency grew from 1.72% to 10.68%.
    • Shipping-related words topped the lists of most frequently appearing words in spear phishing emails for both 2H 2011 and 1H 2012.
    In the security community, we’re more than familiar with the consequences stemming from these kinds of advanced cyber attacks - GhostNet, Night Dragon, Operation Aurora, and the RSA breach all originated, at least in part, via targeted spear phishing emails. These highly publicized incidents only further indicate what cybercriminals already well know and use to their advantage: email is a mode of attack that works..."

    * http://www.fireeye.com/resources/pdf...hing-words.pdf

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #22

    Thumbs down IRS SPAM - 3 different versions ...

    FYI...

    IRS SPAM - 3 different versions ...
    - http://blog.dynamoo.com/2012/09/irs-...ancom-and.html
    26 Sep 2012 - "Three different versions of fake IRS spam today, two leading to malware on 1.howtobecomeabostonian .com and the other with a malicious payload on mortal-records .net.
    Date: Wed, 26 Sep 2012 20:44:47 +0530
    From: "Internal Revenue Service (IRS)" [58D1F47@guyzzer.com]
    To: [redacted]
    Subject: Internal Revenue Service: For the attention of enterpreneurs
    Internal Revenue Service (IRS)
    Hello,
    Due to the system error the EIN of your company has been accidently erased from the online database, please validate your EIN to reaffirm your current status of taxpayer. Certain indulgences will be applied to the next audit report for your company. IRS is sorry to cause inconvenience.
    For detail information, please refer to:
    https ://www.irs .gov/Login.aspx?u=E8710D9E9
    Email address: [redacted]
    Sincerely yours,
    Barry Griffin
    IRS Customer Service representative
    Update your subscriptions, modify your password or email address, or stop subscriptions at any time on your Subscriber Preferences Page.
    You will need to use your email address to log in.
    This service is provided to you at no charge by the Internal Revenue Service (IRS).
    This email was sent to [redacted] by: Internal Revenue Service (IRS) · Internal Revenue Service · 1111 Constitution Ave. N.W. · Washington DC 20535
    ==========
    Date: Wed, 26 Sep 2012 11:09:45 -0400
    From: "Internal Revenue Service (IRS)" [90A75BC@etherplay.com]
    To: [redacted]
    Subject: Internal Revenue Service: For the attention of enterpreneurs
    Internal Revenue Service (IRS)
    Dear business owners,
    Due to the corrections in the taxation policies that have been recently applied, IRS informs that LLC, C-Corporations and S-Corporations have to validate their EIN in order to reaffirm their actual status. You have 14-day period in order to examine all the changes and make necessary amendments. We are sorry for the inconvenience caused.
    For the details please refer to:
    https ://www.irs .gov/ClientArea.aspx?u=1CBD0FC829256C
    Email address: [redacted]
    Sincerely yours,
    Damon Abbott
    Internal Revenue Service Representative
    Update your subscriptions, modify your password or email address, or stop subscriptions at any time on your Subscriber Preferences Page.
    You will need to use your email address to log in.
    This service is provided to you at no charge by the Internal Revenue Service (IRS).
    This email was sent to [redacted] by: Internal Revenue Service (IRS) · Internal Revenue Service · 1111 Constitution Ave. N.W. · Washington DC 20535
    ==========
    Date: Wed, 26 Sep 2012 19:53:28 +0400
    From: Internal Revenue Service [weirdpr6@polysto.com]
    To: [[redacted]]
    Subject: IRS report of not approved tax bank transfer
    Your Federal Tax pending transaction (ID: 52007291963155), recently ordered for processing from your checking account was rejected by your Bank.
    Rejected Tax transaction
    Tax Transaction ID: 52007291963155
    Reason ID See details in the report below
    State Tax Transaction Report tax_report_52007291963155.doc (Microsoft Word Document)
    Internal Revenue Service 9611 Tellus. Av. Augusta 38209 MV


    Payload one is at [donotclick]1.howtobecomeabostonian .com/links/marked-alter.php hosted on 74.207.232.13 (Linode, US) which looks like a -hacked- GoDaddy domain. Payload two is at [donotclick]mortal-records .net/detects/processing-successfully.php hosted on 203.91.113.6 (G-Mobile, Mongolia) which is an IP address that has been used a LOT for this type of attack. Blocking those IPs would be ideal..."


  3. #23

    Thumbs down Fake iPhone emails/sales sites ...

    FYI...

    Fake iPhone sales emails/sites ...
    - http://blog.webroot.com/2012/09/27/f...iate-networks/
    Sep 27, 2012 - "... cybercriminals continue introducing new services and goods with questionable quality and sometimes unknown origins on the market, with the idea to entice potential network participants into monetizing the traffic they can deliver through black hat SEO (Search Engine Optimization), malvertising, and spam campaigns... a recently launched affiliate network selling iPhones that primarily targets Russian-speaking customers, and emphasizes the traffic acquisition scheme used by one of the network’s participants... It all starts with a spam campaign offering brand new iPhones for a decent price in an attempt by one of the network participants to acquire traffic which will ultimately convert into sales.
    Sample spamvertised email offering cheap and easy-to-obtain iPhones"
    > https://webrootblog.files.wordpress....te_network.png
    ... an example of an affiliate network participant targeting English-speaking users, even though the actual web site is targeting Russian-speaking users...
    Sample screenshot of the entry page for the iPhone selling affiliate network:
    > https://webrootblog.files.wordpress....te_network.png
    (More samples available at the blog.webroot URL above)...
    We advise bargain hunters to avoid clicking on links found in spam emails, avoid entering their credit card details on sites found in spam emails, and to avoid purchasing -any- kind of item promoted in these emails."


  4. #24

    Thumbs down SPAM leads to malware - 2012.10.01...

    FYI... multiple entries:

    Intuit SPAM - Shipment / art-london .net
    - http://blog.dynamoo.com/2012/10/intu...londonnet.html
    1 Oct 2012 - "This terminally confused Intuit / USPS / Amazon-style spam leads to malware...
    Date: Mon, 1 Oct 2012 21:31:57 +0430
    From: "Intuit Customer Service" [battingiy760@clickz.com]
    To: [redacted]
    Subject: Intuit Shipment Confirmation
    Dear [redacted],
    Great News! Your order, ID859560, was shipped today (see info below) and will complete shortly. We hope that you will find that it exceeds your expectations. If you ordered not one products, we may send them in separate boxes (at no additional cost to you) to ensure the fastest possible delivery. We will also provide you with the ability to track your shipments via the information below.
    Thank you for your interest.
    ORDER DETAILS
    Order #: ID859560
    Order Date: Sep 25, 2012
    Item(s) In Your Order
    Shipping Date: October, 1 2012
    Shipping Method: USPS Express Mail
    Estimated Delivery Date: October, 3 2012 - October 05, 2012
    Tracking No.: 5182072894288348304217
    Quantity Item
    1 Intuit Card Reader Device - Gray
    Please be informed that shipping status details may be not available yet online. Check the Website Status link above for details update.
    Shipment Information:
    We sent your item(s) to the next address:
    065 S Paolo Ave, App. 5A
    S Maria, FL
    Email: [redacted]
    Questions about your order? Please visit Customer Service.
    Return Policy and Instructions
    Privacy | Legal Disclaimer | Contact Us | About
    You have received this business note as part of our efforts to fulfill your request and service your account. You may receive more email notifications from us even if you have previously selected out of marketing notifications...


    The malicious payload is at [donotclick]art-london .net/detects/stones-instruction_think.php hosted on 195.198.124.60 (Skand Meteorologi och Miljoinstr AB, Sweden), a site which also hosts the presumably malicious domain indice-acores .net. Presumably this IP is a hacked server belonging to some legitimate Swedish organisation, but you should block it nonetheless."
    ___

    Fake Intuit order confirmation
    - http://security.intuit.com/alert.php?a=59
    10/01/2012 - "... receiving emails with the title "Your Intuit Order Notification."
    Below is a copy of the email people are receiving:
    > http://security.intuit.com/images/yourintuitorder.jpg
    ... This is the end of the fake email. Steps to Take Now: Do not click on the link in the email... Delete the email..." etc...
    ___

    Sendspace SPAM / onlinebayunator .ru
    - http://blog.dynamoo.com/2012/10/send...yunatorru.html
    1 Oct 2012 - "I haven't seen Sendspace spam before.. but here it is, leading to malware on onlinebayunator .ru:
    Date: Mon, 1 Oct 2012 10:40:29 +0300
    From: Twitter
    To: [redacted]
    Subject: You have been sent a file (Filename: [redacted]-9038870.pdf)
    Sendspace File Delivery Notification:
    You've got a file called [redacted]-56.pdf, (133.8 KB) waiting to be downloaded at sendspace.(It was sent by CHIQUITA Caldwell).
    You can use the following link to retrieve your file:
    Download Link
    The file may be available for a limited time only.
    Thank you,
    sendspace - The best free file sharing service...


    The malicious payload is at [donotclick]onlinebayunator .ru:8080/forum/links/column.php hosted on the same IP address ( 84.22.96.0/19 ) as this attack* earlier today.
    * http://blog.dynamoo.com/2012/10/nach...yunatorru.html
    ___

    Evolution1 SPAM / 69.194.194.221
    - http://blog.dynamoo.com/2012/10/evol...194194221.html
    1 Oct 2012 - "I haven't seen this spam before, it leads to malware on 69.194.194.221:
    Date: Mon, 01 Oct 2012 15:44:59 +0200
    From: "INTUIT" [D6531193@familyhealthplans.com]
    Subject: Information regarding Employer Contribution
    INTUIT
    Attn: Account Holder
    You can view the information about all Employer contributions that are due to be made on 2/1/2012 by visiting the following link:
    http ://intuithealthemployer .lh1ondemand .com
    Please let us know employment alterations on your enrollment spreadsheet within the period of two business days. The foregoing report shows the ACH amount we will withdraw from your bank account for the contributions on the first business day of the month. Please remember, if changes occur, this may affect the ACH amount.
    Intuit Health Debit Card Powered by Evolution1 Employer Services..."


    The malicious payload is on 69.194.194.221 (Solar VPS, US) ..."
    ___

    NACHA SPAM / onlinebayunator .ru
    - http://blog.dynamoo.com/2012/10/nach...yunatorru.html
    1 Oct 2012 - "This fake NACHA spam leads to malware on onlinebayunator.ru:
    Date: Mon, 1 Oct 2012 04:16:46 -0500
    From: Bebo Service [service@noreply.bebo.com]
    Subject: Fwd: ACH Transfer rejected
    The ACH debit transfer, initiated from your bank account, was canceled.
    Canceled transaction:
    Transfer ID: FE-764029897226US
    Transaction Report: View
    Valentino Dickey
    NACHA - The Electronic Payment Association
    f0c34915-3e624bbb...


    The malicious payload is at [donotclick]onlinebayunator .ru:8080/forum/links/column.php (probably a Blackhole 2 exploit kit) hosted on the following familiar IPs that should be blocked:
    84.22.100.108 (Republic CyberBunker, Antarctica - Amsterdam more likely)
    190.10.14.196 (RACSA, Costa Rica)
    203.80.16.81 (Myren, Malaysia)
    Of note, CyberBunker has a long history of spamming and tolerating criminals. Blocking the range 84.22.96.0/19 should afford your network some additional protection."

    Last edited by AplusWebMaster; 2012-10-02 at 15:03.

  5. #25

    Thumbs down SPAM fakes 4 U ... 2012.10.02

    FYI... multiple entries:

    Fake ecard - unsolicited secret admirers via Email
    - http://community.websense.com/blogs/...via-email.aspx
    02 Oct 2012 - "... an unsolicited email campaign in which love-struck or curious recipients may have their appetites whetted by the thought of a secret admirer... The messages, sent from various Yahoo .com accounts, suggest that the sender has "to let you know how [they] feel" and provide an enticing Facebook link to "View Your Ecard":
    > http://community.websense.com/cfs-fi...2D00_550x0.png
    ... a valid short Facebook URL is used which, in this case, -redirects- ... a basic JavaScript is delivered... The victim's browser is then directed to a fake ecard site hxxp ://readyourecard .com/viewmessage/?a=vip36
    > http://community.websense.com/cfs-fi...2D00_550x0.png
    ... At this point, the aim of the campaign becomes clear: Every link on the fake ecard page redirects to an affiliate landing page on the Adult Dating website AdultFriendFinder .com and, with affiliate earnings of up to $1 per unique visitor, you can easily see how such a campaign could become very lucrative... This campaign appears to be financially driven, but it is conceivable that the same techniques could be used to direct victims to malicious sites..."
    ___

    Fake Fax Email notifications ...
    - http://www.gfi.com/blog/beware-fake-...n-circulation/
    Oct 2, 2012 - "In the last few days we’ve seen this fake fax email doing the rounds, offering up a “2013 recruitment plan”:
    > http://www.gfi.com/blog/wp-content/u...axmalware1.jpg
    ... INCOMING FAX REPORT
    *********************************************************
    Date/Time: 09/28/2012 07:01:41 AM
    Speed: 14400 bps
    Connection time: 01:02
    Pages: 2
    Resolution: Normal
    Remote ID: 0420950504
    Line number: 2
    DTMF/DID:
    Description: 2013 Recruitment plan
    Click here to view the file online ..."

    ... Clicking the link would take the user from a (dot)de domain to an IP associated with a Malware run currently taking place... currently leads to a "page not found":
    > http://www.gfi.com/blog/wp-content/u...axnotfound.jpg
    ... varied subject lines in this particular spam campaign – everything from recruitment plans to employment contributions and transaction reports – indicate a definite lean towards business targets rather than home users. Of course, whether at home or in the workplace you’re still potentially at risk should you click any of the links going out in this spamrun..."


  6. #26

    Thumbs down SPAM leading to malware ...

    FYI...

    Fake Quickbooks emails lead to malware
    - http://www.gfi.com/blog/fake-quickbo...-shenanigans/?
    Oct 3, 2012 - "We have some more rogue emails following the familiar pattern of the last few days – this time around, a fake Quickbooks themed email which promises “free shipping for Quickbooks customers”:
    > http://www.gfi.com/blog/wp-content/u...kbooksspam.jpg
    It points to a website that shows the end-user a “connecting to server” message, eventually redirecting to an IP address that has been / is still associated with Blackhole Exploit Kit and Java exploits.
    > http://www.gfi.com/blog/wp-content/u...booksspam2.jpg
    ... it’s a bad time to be randomly opening dubious emails..."

    Fake QB/IRS order forms emails
    - http://security.intuit.com/alert.php?a=62
    10/03/2012
    > http://security.intuit.com/images/phish63.jpg
    ___

    Something evil on 66.45.251.224/29 and 199.71.233.226
    - http://blog.dynamoo.com/2012/10/some...22429-and.html
    3 Oct 2012 - "The IP address 199.71.233.226 (Netrouting, US) and the range 66.45.251.224/29 (Interserver, US) are currently being used to distribute malware through advertising. Of these the 66.45.251.224/29 has been suballocated to an anonymous person, which I didn't even know was permitted... The domains listed below are on those IP addresses, all appear to be distributing malware (see example*) and they seem to have fake or anonymous WHOIS details. Blocking traffic to 66.45.251.224/29 (66.45.251.224 - 66.45.251.231) and 199.71.233.226 should be effective in countering this threat..."
    Update: 95.211.193.36 (Leaseweb, Netherlands) and 77.95.230.77 (Snel Internet Services, Netherlands) may also be distributing malware in connection with this (report here**).
    (More info at the blog.dynamoo URL above.)

    * http://www.google.com/safebrowsing/d...juniorppv.info
    "Site is listed as suspicious... Malicious software includes 8 trojan(s)..."

    ** http://wepawet.iseclab.org/view.php?...259972&type=js
    ___

    Friendster SPAM / sonatanamore .ru
    - http://blog.dynamoo.com/2012/10/frie...anamoreru.html
    2 Oct 2012 - "Friendster.. remember that? Before Facebook.. before Myspace.. there was Friendster. This spam email is -not- from Friendster though and leads to malware on sonatanamore .ru:
    Date: Tue, 2 Oct 2012 05:39:54 -0500
    From: Friendster Games [friendstergames@friendster.com]
    Thank you for joining Friendster! Your system generated password is 0JR8YXB1YR. You may change your password in your Account Settings Page.
    Friendster is the social gaming destination of choice. Connect and play with your friends & share your progress with your network.
    Copyright © 2002 - 2012 Friendster, Inc. All rights reserved. Visit our site. - Terms of Service
    To manage your notification preferences, go here
    To stop receiving emails from us, you can unsubscribe here


    The malicious payload is at [donotclick]sonatanamore .ru:8080/forum/links/column.php hosted on:
    70.38.31.71 (iWeb, Canada)
    202.3.245.13 (MANA, Tahiti)
    203.80.16.81 (Myren, Malaysia)
    ..."
    (More listed at the blog.dynamoo URL above.)

    Last edited by AplusWebMaster; 2012-10-04 at 16:10.

  7. #27

    Thumbs down SPAM leads to malware - 'just keeps coming 2012.10.04

    FYI...

    Fake "Corporate eFax message" SPAM / 184.164.136.147
    - http://blog.dynamoo.com/2012/10/corp...164136147.html
    4 Oct 2012 - "These fake fax messages lead to malware on 184.164.136.147:
    Date: Thu, 04 Oct 2012 19:00:16 +0200
    From: "eFax.Alert" [E988D6C @vida .org.pt]
    Subject: Corporate eFax message - 09 pages
    Fax Message [Caller-ID: 341-498-5688]
    You have received a 09 pages fax at Thu, 04 Oct 2012 19:00:16 +0200.
    * The reference number for this fax is min1_20121004190016.8673161.
    View this fax using your PDF reader.
    Click here to view this message
    Please visit www .eFax .com/en/efax/twa/page/help if you have any questions regarding this message or your service.
    Thank you for using the eFax service!
    Home | Contact | Login
    © 2011 j2 Global Communications, Inc. All rights reserved.
    eFax® is a registered trademark of j2 Global Communications, Inc.
    This account is subject to the terms listed in the eFax® Customer Agreement.


    ... The malicious payload is at [donotclick]184.164.136.147/links/assure_numb_engineers.php which is an IP address belonging to Secured Servers LLC in the US and suballocated to:
    autharea=184.164.128.0/19
    xautharea=184.164.128.0/19
    network:City:Manilla ...
    It might be worth blocking 184.164.136.128/27 to be on the safe side."

    - http://www.google.com/safebrowsing/d...?site=AS:20454
    "... over the past 90 days, 244 site(s)... served content that resulted in malicious software being downloaded and installed without user consent... the last time suspicious content was found was on 2012-10-04..."
    - http://www.google.com/safebrowsing/d...?site=AS:32164
    "... the last time suspicious content was found was on 2012-10-03... we found 1 site(s) on this network... that appeared to function as intermediaries for the infection of 14 other site(s)..."
    ___

    Verizon Wireless SPAM / strangernaturallanguage .net
    - http://blog.dynamoo.com/2012/10/veri...less-spam.html
    4 Oct 2012 - "This fake Verizon wireless spam leads to malware on strangernaturallanguage .net:
    From: AccountNotify whitheringj @spcollege .edu
    Date: 4 October 2012 18:52
    Subject: Recent Notification in My Verizon
    SIGNIFICANT ACCOUNT NOTIFICATION FROM VERIZON WIRELESS.
    Your informational letter is available.
    Your account # ending: XXX8 XXXX4
    Our Valued Client
    For your accommodation, your confirmation message can be found in the Account Documentation desk of My Verizon.
    Please check your acknowledgment letter for all the information relating to your new transaction.
    View Approval Message
    In addition, in My Verizon you will find links to info about your device & services that may be helpfull if you looking for answers.
    Thank you for joining us .
    My Verizon is also accessible 24 hours 7 days a week to assist you with:
    Usage details
    Updating your tariff
    Add Account Users
    Pay your invoice
    And much, much more...
    © 2012 Verizon Wireless
    Verizon Wireless | One Verizon Way | Mail Code: 523WSE | Basking Ridge, MA 55584
    We respect your privacy. Please review our privacy policy for more details


    The malicious payload is at [donotclick]strangernaturallanguage .net/detects/notification-status_login.php hosted on 183.81.133.121 (Vodafone, Fiji)..."


  8. #28

    Thumbs down Fake inTuit / UPS SPAM leads to malware...

    FYI...

    Intuit "GoPayment" SPAM / simplerkwiks .net
    - http://blog.dynamoo.com/2012/10/intu...rkwiksnet.html
    5 Oct 2012 - "This fake "Intuit GoPayment" spam leads to malware on simplerkwiks .net:
    Date: Fri, 5 Oct 2012 15:54:26 +0100
    From: "Intuit GoPayment" [abstractestknos65@pacunion.com]
    Subject: Welcome - you're been granted access for Intuit GoPayment Merchant
    Greetings & Congrats!
    Your GoPayment? statement for WALLET , DEVELOPMENTS has been issued.
    Intuit Payment
    Account No.: XXXXXXXXXXXXXX16
    Email Address: [redacted]
    NOTE : Additional charges for this service may now apply.
    Next step: Confirm your User ID
    This is Very Important lets you:
    Manage your payment service in the Merchant Center
    Review charges
    Log In to other Intuit products you may use, like TurboTax, Quicken, and Intuit Payroll
    The good news is you have active an existing Intuit account for your email address, You can use this ID for your payment service also, or enter a new one.
    Verify UserID
    Get started:
    Step 1: If you have not still, download the Intuit application.
    Step 2: Run the GoPayment app and sign in with the UserID (your email address) and Password you setup.
    Easy Manage Your GoPayment System
    The Intuit GoPayment Merchant Service Center is the website where you can learn a lot about GoPayment features, customize your sales receipt and add GoPayment users. You can also manage transactions, deposits and fees. Visit link and signin with your GoPayment Access ID (your email address) and Password.
    For more information on how to get started using Intuit Merchant, including tutorials, FAQs and other resources, visit the Service Center at web site.
    Please do not reply to this message. automative notification system not configured to accept incoming email.
    System Terms & Agreements © 2012 Intuit, Inc. All rights reserved.


    The malicious payload is at [donotclick]simplerkwiks .net/detects/congrats_verify-access.php hosted on 183.81.133.121 (Vodafone, Fiji) along with these other suspect domains:
    addsmozy .net
    officerscouldexecute .org
    simplerkwiks .net
    strangernaturallanguage .net
    buzziskin .net
    art-london .net "
    ___

    UPS SPAM / minus.preciseenginewarehouse .com
    - http://blog.dynamoo.com/2012/10/ups-...ehousecom.html
    5 Oct 2012 - "This fake UPS spam leads to malware on minus.preciseenginewarehouse .com:
    From: "UPSBillingCenter" [512A03797@songburi.com]
    Subject: Your UPS Invoice is Ready
    This is an automatically generated email. Please do not reply to this email address.
    Dear UPS Customer,
    New invoice(s) are available for the consolidated payment plan(s) / account(s) enrolled in the UPS Billing Center
    Please visit the UPS Billing Center to view and pay your invoice.
    Discover more about UPS:
    Visit ups .com
    Explore UPS Freight Services
    Learn About UPS Companies
    Sign Up For Additional Email From UPS
    Read Compass Online
    (c) 2012 United Parcel Service of America, Inc. UPS, the UPS brandmark, and the color brown are trademarks of United Parcel Service of America, Inc. All rights reserved.
    For more information on UPS's privacy practices, refer to the UPS Privacy Policy.
    Please do not reply directly to this e-mail. UPS will not receive any reply message.
    For questions or comments, visit Contact UPS.
    This communication contains proprietary information and may be confidential. If you are not the intended recipient, the reading, copying, disclosure or other use of the contents of this e-mail is strictly prohibited and you are instructed to please delete this e-mail immediately.
    Privacy Policy
    Contact UPS


    The malicious payload is at [donotclick]minus.preciseenginewarehouse .com/links/assure_numb_engineers.php hosted on 174.140.165.112 ... To be precise, the subdomains seem malicious, the domains themselves appear to be legitimate ones where the domain account has been hacked. Blocking 174.140.165.112 would be prudent."


  9. #29

    Thumbs down Injection attacks from 5.9.188.54 ...

    FYI...

    Something evil on 5.9.188.54
    - http://blog.dynamoo.com/2012/10/some...n-5918854.html
    7 Oct 2012 - "Here's a nasty bunch of sites being used in injection attacks, all hosted on 5.9.188.54:
    5.9.188.54 is a Hetzner IP address (no surprise there) suballocated to:
    inetnum: 5.9.188.32 - 5.9.188.63
    netname: LLC-CYBERTECH
    descr: LLC "CyberTech"
    country: DE ...
    address: 125252 Moscow
    address: RUSSIAN FEDERATION
    ... You might want to block the whole 5.9.188.32/27 range.. you should certainly block 5.9.188.54 if you can."

    - http://centralops.net/co/DomainDossier.aspx
    5.9.188.54
    address: 125252 Moscow
    address: RUSSIAN FEDERATION...
    origin: AS24940

    - http://google.com/safebrowsing/diagnostic?site=AS:24940
    "... over the past 90 days, 5865 site(s)... served content that resulted in malicious software being downloaded and installed without user consent... last time suspicious content was found was on 2012-10-07... we found 998 site(s)... that appeared to function as intermediaries for the infection of 12809 other site(s)... this network has hosted sites that have distributed malicious software in the past 90 days. We found 1752 site(s)... that infected 18780 other site(s)."

    Last edited by AplusWebMaster; 2012-10-08 at 05:56.

  10. #30

    Thumbs down Skype users targeted with Ransomware and Click Fraud

    FYI...

    Skype users targeted with Ransomware and Click Fraud
    - http://www.gfi.com/blog/skype-users-...d-click-fraud/
    Oct 8, 2012 - "The infection* that’s still spreading across users of Skype has taken an interesting twist: ransomware and click fraud. Skype users tempted to follow the latest set of infection links will end up with a zipfile on their PC. Here’s an example of the rogue links still being pinged around:
    > http://www.gfi.com/blog/wp-content/u...ypevirus41.jpg
    Clicking the link will download a zipfile, and running the executable inside will see the infected PC making waves with network traffic that wasn’t present when we tested the last executable...
    > http://www.gfi.com/blog/wp-content/u...e4-300x152.jpg
    After a while, a Java exploit will call down some fire from the sky (in the form of BlackHole 2.0) and the end-user will be horrified to see this:
    > http://www.gfi.com/blog/wp-content/u...tionScare1.jpg
    ... a typical Ransomware scare message that locks the user out of their data, encrypts the files and demands payment (via Moneypak) to the tune of $200. The IP address and geographical location is displayed in the bottom right hand corner, along with various threats related to the downloading of MP3s, illegal pornography, gambling and more besides. Ransomware is currently a big deal and not something an end-user really wants to have on their computer. Meanwhile, behind the scenes we have what looks like attempts at click fraud taking place behind the locked computer screen... in the space of 10 minutes, we recorded 2,259 transmissions(!)... to infect the computer, you’ll need to manually click the download link, open the zip and run the executable. On top of that, anybody trying to open the file who hasn’t switched off file security warnings will be told that “The publisher could not be verified, are you sure you want to run this software” so there’s plenty of chances to dodge this bullet..."
    * http://www.gfi.com/blog/infection-sp...o-skype-users/

