
Thread: SPAM frauds, fakes, and other MALWARE deliveries...

  1. #1
    AplusWebMaster (Adviser Team)
    Join Date: Oct 2005
    Location: USA
    Posts: 6,881

    SPAM frauds, fakes, and other MALWARE deliveries...

    FYI...

    Fake MS email phish delivers Zeus via Java vuln ...
    - https://isc.sans.edu/diary.html?storyid=14020
    Last Updated: 2012-09-01 - "Thanks to Susan Bradley for reporting this to ISC.
    We're receiving multiple reports of a phishing campaign using the template from a legitimate Microsoft email regarding Important Changes to Microsoft Services Agreement and Communication Preferences.
    The legitimate version of this email is specific to a services agreement seen here*, per a change to Microsoft services as of 27 AUG. The evil version of this email will subject the victim to a hyperlink that will send them to a Blackhole-compromised website, which will in turn deliver a fresh Zeus variant... (evil) email including the following header snippet:
    Received: from [101.5.162.236] ([101.5.162.236]) by
    inbound94.exchangedefender .com (8.13.8/8.13.1) with ESMTP id q7VFDPjO029166
    A legitimate header snippet:
    Received: from smtpi.msn .com ([65.55.52.232]) by COL0-MC3-F43.Col0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4900)
    101.5.162.236 is in China, 65.55.52.232 is Microsoft. The legitimate email will include a hyperlink for http://email.microsoft.com/Key-98503...15.C.KK.DlNkNK , which points to the above mentioned services agreement.
    (Obfuscated to protect the innocent): The phishing mail will instead include a hyperlink to the likes of allseasons****.us, radiothat****.com, and likely a plethora of others. I assessed radiothat****.com and was redirected to 209.x.y.14 which is running the very latest Blackhole evil as described on 28 AUG by Websense in this post**.
    Source code review of the web page served included <applet/code="ndshesa.ndshesf"/archive="Leh.jar"><param/nam=123 name=uid value="N013:011:011:04:037:061:061:047:034:076:074:0102:076:074:
    047:047:047:074:067:053:061:04:074:04:013:04:075:054:071:034:067:053:
    034:034:02:065:071:034"/></applet>
    The VirusTotal link for Leh.jar is here(3), and the VirusTotal link for the Zeus variant offered is here(4)...
    Contemplate disabling Java(5) until the -next- update(6) is released..."

    * http://windows.microsoft.com/en-US/w...ices-agreement

    ** http://community.websense.com/blogs/...ploit-kit.aspx

    3) https://www.virustotal.com/file/2510...8bc9/analysis/
    File name: Leh.jar
    Detection ratio: 8/42
    Analysis date: 2012-09-01 05:28:51 UTC

    4) https://www.virustotal.com/file/98bb...is/1346461231/
    File name: updateflashplayer.exe
    Detection ratio: 6/42
    Analysis date: 2012-09-01 01:00:31 UTC

    5) http://krebsonsecurity.com/how-to-un...m-the-browser/

    6) https://isc.sans.edu/diary.html?storyid=14017
    ___

    101.5.162.236
    101.5.0-255.*
    inetnum: 101.5.0.0 - 101.5.255.255
    netname: TSINGHUA-CN
    country: CN
    origin: AS4538
    http://www.google.com/safebrowsing/d...c?site=AS:4538
    ... 231 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2012-09-02, and the last time suspicious content was found was on 2012-09-02... We found 27 site(s)... that infected 743 other site(s).
    ___

    - https://krebsonsecurity.com/2012/08/...ged-two-flaws/
    "... If you want to test whether you’ve successfully disabled Java, check out Rapid7's page, http://www.isjavaexploitable.com/ ."

    Last edited by AplusWebMaster; 2012-09-02 at 15:10.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .
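    The header comparison in the ISC diary above (the connecting IP recorded at the perimeter hop, 101.5.162.236, versus a genuine Microsoft relay) is something a mail gateway can check mechanically. The Python below is an added example, not code from the diary or from this thread: the allowlist of expected sender networks (65.52.0.0/14 for microsoft.com) and the From: address in the two constructed sample messages are assumptions, and a real deployment would derive the allowlist from the sender domain's published SPF record rather than hard-code it.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed allowlist: networks that mail claiming this sender domain should
# arrive from (65.52.0.0/14 is an illustrative choice for microsoft.com).
# In practice, build this from the domain's SPF record, not by hand.
EXPECTED_NETWORKS = {
    "microsoft.com": [ipaddress.ip_network("65.52.0.0/14")],
}

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
FROM_RE = re.compile(r"from\s+\S+\s+\(([^)]*)\)", re.IGNORECASE)
BY_RE = re.compile(r"\bby\s+([\w.-]+)", re.IGNORECASE)

# Constructed samples built around the two Received: lines quoted in the diary;
# the From: address is made up (the phish copies the legitimate template).
PHISH = """Received: from [101.5.162.236] ([101.5.162.236]) by
 inbound94.exchangedefender.com (8.13.8/8.13.1) with ESMTP id q7VFDPjO029166
From: Microsoft <msa@microsoft.com>
Subject: Important Changes to Microsoft Services Agreement

(body)
"""
LEGIT = """Received: from smtpi.msn.com ([65.55.52.232]) by COL0-MC3-F43.Col0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4900)
From: Microsoft <msa@microsoft.com>
Subject: Important Changes to Microsoft Services Agreement

(body)
"""


def in_domain(host, domain):
    """True when host is domain itself or a subdomain of it (no suffix tricks)."""
    host, domain = host.lower().rstrip("."), domain.lower()
    return host == domain or host.endswith("." + domain)


def entry_hop(received_headers, our_domain):
    """Return the Received: line stamped when the message reached our own MTAs.

    Each hop prepends its line, so index 0 is the newest. Walking down from
    the top, the last consecutive line written 'by' one of our hosts is the
    perimeter hop; everything below it came from outside and may be forged.
    """
    entry = None
    for line in received_headers:
        m = BY_RE.search(line)
        if not m or not in_domain(m.group(1), our_domain):
            break
        entry = line
    return entry


def connecting_ip(received_line):
    """Extract the peer address our MTA recorded in parentheses after 'from'.

    That is what the receiving MTA saw on the TCP connection; the bare HELO
    name before it is chosen by the client and proves nothing.
    """
    m = FROM_RE.search(received_line)
    ip = IP_RE.search(m.group(1)) if m else None
    return ip.group(0) if ip else None


def check_origin(raw_message, our_domain):
    """Compare the perimeter connecting IP with the networks expected for From:."""
    msg = message_from_string(raw_message)
    claimed = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    hop = entry_hop(msg.get_all("Received", []), our_domain)
    ip = connecting_ip(hop) if hop else None
    result = {"claimed_domain": claimed, "client_ip": ip}
    if ip is None:
        result["verdict"] = "NO_ENTRY_HOP"
        return result
    nets = next((v for k, v in EXPECTED_NETWORKS.items() if in_domain(claimed, k)), None)
    if nets is None:
        result["verdict"] = "UNKNOWN_SENDER"
    elif any(ipaddress.ip_address(ip) in n for n in nets):
        result["verdict"] = "ORIGIN_OK"
    else:
        result["verdict"] = "ORIGIN_MISMATCH"
    return result
```

    Only the hop stamped by your own MTA is trusted; Received: lines below it are whatever the sender chose to write, so a forged "from smtpi.msn.com" further down changes nothing.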

  2. #2

    Fake Amazon email exploits recent Java vuln ...

    FYI...

    Fake ‘Amazon order’ email exploits recent Java vuln ...
    - http://community.websense.com/blogs/...erability.aspx
    03 Sep 2012 - "... Websense... has detected a new malicious email campaign purporting to be an order verification email from Amazon directing victims to a page containing the recent Java exploit. If successful, this exploit could allow the cyber-criminals behind this campaign to deliver further malicious payloads to the victim’s machine which, for example, could lead to the exfiltration of personal and financial data. Oracle have released an out-of-band patch for this Java vulnerability (Oracle release Java 1.7.0_07 to fix CVE-2012-4681*)... On 1st September, Websense... intercepted over 10,000 malicious emails with the subject ‘You Order With Amazon.com’ enticing the recipient to ‘click here’ to verify a fictitious order as shown in this sample:
    > http://community.websense.com/cfs-fi...2D00_550x0.jpg
    Once the victim has clicked the link, they are redirected to an obfuscated page hosting the Blackhole Exploit Kit... an analysis of this file can also be found on VirusTotal**..."

    * http://community.websense.com/blogs/...2012-4681.aspx

    ** https://www.virustotal.com/file/2510...8bc9/analysis/
    File name: 9c5abf8889c34b3a36c6699b40ef6717c95ac6e1
    Detection ratio: 12/42
    Analysis date: 2012-09-03


  3. #3

    Fake Google email contains a trojan ...

    FYI...

    Another round of "Spot the Exploit E-Mail"
    - https://isc.sans.edu/diary.html?storyid=14029
    Last Updated: 2012-09-04 - "We have come to expect quality phishing/fake email work these days...
    > https://isc.sans.edu/diaryimages/amexemail1.png
    > https://isc.sans.edu/diaryimages/amexemail2.png
    > https://isc.sans.edu/diaryimages/amexemail3.png
    ... javascript will then -redirect- the user to one of these two IP addresses:
    96.47.0.163, 108.178.59.26
    both IP addresses yield heavily obfuscated javascript. The wepawet analysis can be found here:
    - http://wepawet.iseclab.org/view.php?...69729c&type=js
    It appears to be the usual "what vulnerable plugin are you running today?" javascript."
    ___

    Fake Google email contains a trojan ...
    - http://h-online.com/-1698349
    04 Sep 2012 - "Unknown attackers are attempting to persuade email recipients to open attachments that contain a trojan by claiming to be from The Google Accounts Team. A new email supposedly from "accounts-noreply @google .com" with the subject "Suspicious sign in prevented" is being sent en masse -claiming- that a hijacker has attempted to access the mail recipient's Google Account. The message says that the sign-in attempt was prevented but asks users to refer to the attached file for details of the attempted intrusion. However, instead of containing information such as the IP address of the log-in attempt, the attached zip file contains a Windows executable file that will install a trojan onto a victim's system. While Google does sometimes send emails like this to users, they -never- contain attachments; users that receive such an email are advised to delete them. According to VirusTotal*, the trojan is currently only detected by just half of 42 anti-virus programs..."
    * https://www.virustotal.com/file/df0b...c23a/analysis/
    File name: Google_Accounts_Alert-3944-J5I-4169.zip
    Detection ratio: 21/42
    Analysis date: 2012-09-04 09:25:32 UTC
    ___

    Fake ‘Wire Transfer Confirmation’ emails lead to Black Hole exploit kit ...
    - http://blog.webroot.com/2012/09/04/s...e-exploit-kit/
    Sep 4, 2012 - "Over the past 24 hours, cybercriminals started spamvertising millions of emails impersonating the United Parcel Service (UPS) in an attempt to trick end and corporate users into previewing a malicious .html attachment. Upon previewing it, a tiny iFrame attempts to contact a landing URL serving client-side exploits, courtesy of the Black Hole web malware exploitation kit.
    Sample screenshot of the spamvertised email:
    > https://webrootblog.files.wordpress....xploit_kit.png
    ... Sample exploits served: CVE-2010-0188; CVE-2010-1885
    Upon successful client-side exploitation, the campaign drops MD5: 7fe4d2e52b6f3f22b2f168e8384a757e * ..."
    * https://www.virustotal.com/file/932f...fd00/analysis/
    File name: 7fe4d2e52b6f3f22b2f168e8384a757e
    Detection ratio: 32/42
    Analysis date: 2012-08-28
    ___

    Fake LinkedIn spam leads to malware ...
    - http://blog.dynamoo.com/2012/09/link...85926-and.html
    4 Sep 2012 - "This fake LinkedIn spam leads to malware on 108.178.59.26 and myasuslaptop .com:

    Date: Tue, 04 Sep 2012 10:43:03 +0100
    From: "noreply" [noreply@linkedin.com]
    Subject: Link LinkedIn Mail
    LinkedIn
    REMINDERS
    Invitation reminders:
    • From Charlie Alexander (Mexico Key Account Director at Quanta)
    PENDING MESSAGES
    • There are a total of 5 messages awaiting your response. Visit your InBox now.
    Don't want to receive email notifications? Adjust your message settings.
    LinkedIn values your privacy. At no time has LinkedIn made your email address available to any other LinkedIn user without your permission. © 2012, LinkedIn Corporation.


    The malicious payload (report here*)..."
    * http://wepawet.iseclab.org/view.php?...746065&type=js
    Detection results:
    Detector: Jsand 2.3.4 / Result: malicious
    In particular, the following URL was found to contain malicious content:
    hxxp :// 108.178.59.26 /bv6rcs3v1ithi.php?w=6de4412e62fd13be
    Exploits:
    Name: HPC URL / Description: Help Center URL Validation Vulnerability / Reference: CVE-2010-1885 ...

    ... My personal preference with any emails purporting to be from LinkedIn is to block them at the perimeter. As far as most businesses are concerned it is simply a playground for recruiters trying to poach your staff."

    Last edited by AplusWebMaster; 2012-09-04 at 19:33.

  4. #4

    Fake 'QuickBooks Update: Urgent’ emails lead to BlackHole exploit kit

    FYI...

    Fake 'QuickBooks Update: Urgent’ emails lead to Black Hole exploit kit
    - http://blog.webroot.com/2012/09/05/i...e-exploit-kit/
    Sep 5, 2012 - "... cybercriminals behind the recently profiled ‘Intuit Marketplace’ themed campaign resume impersonating Intuit, with a newly launched round consisting of millions of Intuit themed emails. The theme this time? Convincing users that in order to access QuickBooks they would have to install the non-existent Intuit Security Tool. In reality though, clicking on the links points to a Black Hole exploit kit landing URL that ultimately drops malware on the affected hosts...
    Screenshot of a sample spamvertised email:
    > https://webrootblog.files.wordpress....xploit_kit.png
    ... Client-side exploits serving URL: hxxp ://roadmateremove .org /main.php?page=9bb4aab85fa703f5 - 89.248.231.122; 208.91.197.27
    ... Name servers part of the campaign’s infrastructure:
    ns1.chemrox .net – 208.91.197.27; 173.234.9.17
    ns2.chemrox .net – 7.25.179.23
    Upon successful client-side exploitation, the campaign drops MD5: f621be555dc94a8a370940c92317d575 * ...
    * https://www.virustotal.com/file/eee0...8137/analysis/
    File name: f621be555dc94a8a370940c92317d575
    Detection ratio: 33/42
    Analysis date: 2012-09-01
    ...Once executed, the sample phones back to 87.120.41.155 :8080/mx5/B /in. We’ve already seen the same command and control IP used in the following previously profiled malicious campaigns..."


  5. #5

    Bogus greeting card emails serve exploits and malware

    FYI...

    Bogus greeting card emails serve exploits and malware
    - http://blog.webroot.com/2012/09/06/c...s-and-malware/
    Sep 6, 2012 - "Remember the recently profiled 123greetings .com themed malicious campaign? It appears that over the past 24 hours, the cybercriminals behind it have resumed spamvertising millions of emails pointing to additional compromised URLs in a clear attempt to improve their click-through rates...
    Sample screenshot of the spamvertised email:
    > https://webrootblog.files.wordpress....xploit_kit.png
    ... Detection rate for a sample Java script redirection: MD5: 75e030e741875d29f12b179f2657e5fd* – ... Trojan.JS.Iframe.aby; Trojan.Webkit!html
    Upon successful client-side exploitation, the campaign drops MD5: 864e1dec051cbd800ed59f6f91554597** – ... W32/Yakes.AP!tr
    Once executed, the malware phones back to 216.38.12.158 :8080/mx/5/B/in... Another domain is known to have been responding to the same IP in the past..."
    * https://www.virustotal.com/file/dcb5...is/1346492654/
    File name: greetings.html
    Detection ratio: 5/42
    Analysis date: 2012-09-01
    ** https://www.virustotal.com/file/df92...1ffc/analysis/
    File name: 97273d9507c8d78679c8cdf591715760aef0c59c
    Detection ratio: 24/42
    Analysis date: 2012-09-03


  6. #6

    $100 billion in losses to cybercrime

    FYI...

    $100 billion in losses to cybercrime ...
    - http://h-online.com/-1701983
    6 Sep 2012 - "According to Symantec's 2012 Norton Cybercrime Report*, worldwide, private individuals have suffered approximately $100 billion (more than £69 billion at the current exchange rate) in financial losses as a result of cybercrime. In the period from July 2011 to July 2012, losses averaged $197 (£124) per victim. A total of 556 million adults are reported to have fallen victim to malware, phishing or similar virtual crimes. The report claims that there are 1.5 million victims of cybercrime each day, or about 18 per second. The security specialist's report also states that two-thirds of internet users have been caught out by cybercriminals at some point in their lives, and almost half (46%) were victims during the period covered by the report... Around 40% of people don't use complex passwords or don't change their passwords regularly. There appears to be a clear trend of cybercriminals targeting social networks and mobile devices, with around 20% of users having suffered losses as a result of such attacks. The study also claims that 15% of social media accounts have been compromised and that 10% of users have fallen for fake links and scams on social networks. A total of 75% of those surveyed believe that cybercriminals are increasingly targeting social networking services. Losses within the EU are reported to amount to $16 billion (over £10 billion). China emerges as the country whose citizens have suffered the greatest financial loss – $46 billion (nearly £29 billion) – while Russia has the largest number of victims, with 92% of users surveyed in the country having experienced problems with cybercrime. The report surveyed more than 13,000 online adults aged 18-64 in 24 different countries."
    * http://www.symantec.com/about/news/r...id=20120905_02
    Sept. 5, 2012
    ___

    - http://yro.slashdot.org/story/12/09/...ut-just-as-bad
    Sep 6, 2012
    > http://blogs.cio.com/security/17375/...ages-disappear

    Last edited by AplusWebMaster; 2012-09-07 at 21:07.

  7. #7

    Fake FedEx spam 2012.09.07 ...

    FYI...

    FedEx spam ...
    - http://blog.dynamoo.com/2012/09/fede...allerynet.html
    7 Sep 2012 - "Two fake FedEx campaigns... with different payload sites of dushare .net and gsigallery .net. In the first case, the malicious payload is... (report here*) hosted on 203.91.113.6 (G Mobile, Mongolia). In the second case the payload is... (report here**) also hosted on 203.91.113.6..." (More detail at the URL above.)
    * http://wepawet.iseclab.org/view.php?...043407&type=js
    Detector: Jsand 2.3.4 / Result: malicious
    ** http://wepawet.iseclab.org/view.php?...038935&type=js
    Detector: Jsand 2.3.4 / Result: malicious

    - http://google.com/safebrowsing/diagn...sigallery.net/
    "Site is listed as suspicious... The last time Google visited this site was on 2012-09-07, and the last time suspicious content was found on this site was on 2012-09-07. Malicious software includes 9 trojan(s), 1 scripting exploit(s)..."
    - http://google.com/safebrowsing/diagn...e=dushare.net/
    "Site is listed as suspicious... The last time Google visited this site was on 2012-09-07, and the last time suspicious content was found on this site was on 2012-09-07. Malicious software includes 2 trojan(s), 1 scripting exploit(s)..."
    ___

    - http://blog.dynamoo.com/2012/09/fede...onahannet.html
    7 Sep 2012 - "... fake FedEx spam leads to malware on studiomonahan .net... The malicious payload is... (report here*) hosted on 206.253.164.43 (Hostigation, US)...
    (More detail at the URL above.)
    * http://wepawet.iseclab.org/view.php?...947943&type=js
    Detector: Jsand 2.3.4 / Result: malicious

    Last edited by AplusWebMaster; 2012-09-08 at 19:36.

  8. #8

    Fake BBB email phish/Spam leads to malware

    FYI...

    Fake BBB email phish/Spam leads to malware
    - https://isc.sans.edu/diary.html?storyid=14053
    Last Updated: 2012-09-09 - "We received another piece of spam... pretending to be from the Better Business Bureau. Analysis of the file transferred (W6w8sCyj.exe) from prog .it appears to be a piece of malware (Win32/Cridex.Q) used to communicate via SSL with a C&C server... List of domains/IP to watch for and block:
    ajaxworkspace .com, prog .it, la-liga .ro, ejbsa .com .ar, technerds .ca, 108.178.59.12
    The email looks like this:

    Better Business Bureau©
    Start With Trust©
    Sat, 08 Sep 2012 01:54:02 +0700
    RE: Case # 78321602 <hxxp [:]//prog .it/EH564Bf/index.html>
    Dear Sirs,
    The Better Business Bureau has got the above mentioned complaint from one of your customers concerning their business relations with you. The details of the consumer's concern are contained in attached document. Please give attention to this case and advise us of your opinion as soon as possible. We encourage you to open the COMPLAINT REPORT to answer on this complaint.
    We look forward to your prompt response.
    Faithfully yours,
    Ann Hegley
    Dispute Counselor
    Better Business Bureau


    [1] http://anubis.iseclab.org/?action=re...a4&format=html
    [2] http://wepawet.iseclab.org/view.php?...109082&type=js
    [3] http://wepawet.iseclab.org/view.php?...109182&type=js
    [4] http://wepawet.iseclab.org/view.php?...109422&type=js
    [5] https://www.virustotal.com/file/126e...9187/analysis/
    File name: vt_20541851.@
    Detection ratio: 3/42
    Analysis date: 2012-09-08
    [6] http://www.microsoft.com/security/po...Win32%2fCridex


  9. #9

    Fake US Airways email spam...

    FYI...

    Fake US Airways email spam ...
    - http://blog.dynamoo.com/2012/09/us-a...sgrovenet.html
    11 Sep 2012 - "A couple of samples of a fake US Airways spam email leading to malware on blue-lotusgrove .net:

    Date: Tue, 11 Sep 2012 15:32:42 -0300
    From: "US Airways - Reservations" [reservations @myusairways .com]
    Subject: Please confirm your US Airways online registration...

    Date: Tue, 11 Sep 2012 23:29:14 +0700
    From: "US Airways - Reservations" [intuitpayroll @e.payroll.intuit .com]
    Subject: US Airways online check-in...


    The malicious payload is at [donotclick]blue-lotusgrove .net/main.php?page=559e008e5ed98bf7 (report here*) hosted on 203.91.113.6 (G Mobile, Mongolia), the same IP used in this attack**... domains on the same server... can all be considered to be malicious...
    (More detail/URL list at the dynamoo URL above.)
    * http://wepawet.iseclab.org/view.php?...388149&type=js
    Detector: Jsand 2.3.4 / Result: malicious

    ** http://blog.dynamoo.com/2012/09/fede...allerynet.html
    ___

    - http://security.intuit.com/alert.php?a=57
    Last updated 9/13/2012


  10. #10

    Fake ADP emails, voice mail notifications lead to Blackhole Exploit Kit

    FYI...

    Fake ADP emails, voice mail notifications lead to Blackhole Exploit Kit
    - http://community.websense.com/blogs/...ploit-kit.aspx
    13 Sep 2012 - "Since Blackhole Exploit Kit 2.0* was recently introduced, we wanted to give our readers a few examples of how they might get exposed to this threat through email. Websense... has recently intercepted a few malicious email campaigns that try to lure the victims to Web pages that host this popular exploit kit... One posed as voice mail notifications from Microsoft Exchange servers, another mimicked ADP invoice reminders, and a third thanked the recipient for signing up for a premium service of accountingWEB.com... A lot of the email messages pretend to come from trusted sources (well-known establishments, or the victim's own infrastructure), and try to catch the reader off-guard by focusing their attention on something urgent, like money matters... The malicious emails contain links that redirect to Blackhole pages with new obfuscation, but we don't think these are Blackhole 2.0. We suspect it won't be long, though, until we come across similar campaigns that use the new version. ADP is one of the largest names in payroll services... Here's an example marked as high priority, with the subject line "ADP Invoice Reminder":
    > http://community.websense.com/cfs-fi..._5F00_blur.jpg
    ... one of the possible redirection paths:
    hxxp ://allbarswireless .com/HXwcDdQ/index.html
    hxxp ://ash-polynesie .com/AjVSXvus/js.js
    hxxp ://108.60.141.7 /tfvsfios6kebvras .php?r=dwtd6xxjpq8tkatb
    hxxp ://108.60.141.7 /links/ differently-trace.php ...
    Here's a different lure - emails pretending to come from the victim's Exchange server, telling them that they have new voice mail. The text invites the reader to click the link: "Double click on the link to listen the message." Subject lines include "Voice Mail from NNN-NNN-NNNN (NN seconds)":
    > http://community.websense.com/cfs-fi...5F00_blur1.jpg
    ... redirection chain here is similar:
    hxxp ://www.tryakbar .com/tLbM3r/index.html
    hxxp ://sportmania .so/JP3q2538/js.js
    hxxp ://173.255.221.74 /tfvsfios6kebvras .php?r=rs3mwhukafbiamcm ...
    Another scheme thanks the user for signing up for a premium service. Subject lines include "Thank you for activating paid services":
    > http://community.websense.com/cfs-fi..._5F00_blur.jpg
    Different redirection chain, but the landing page hosts Blackhole, with a very familiar path:
    hxxp ://www.svstk. ru/templates/beez/check.php
    hxxp ://bode-sales .net/main.php?page=3c23940fb7350489
    And finally, the familiar theme of FDIC notifications claiming your wire transfer ability was suspended. Subject lines include "You need a new security version," "Suspended transactions," and "Urgent! You must install a new security version!"
    > http://community.websense.com/cfs-fi..._5F00_blur.jpg
    Here again, simple redirection leads to typical "/main.php?page=" type URLs.
    hxxp ://kahvikuppi .org/achsec.html
    hxxp ://afgreenwich .net/main.php?page=0f123fe645ddf8d7
    Note that as part of the update to Blackhole 2.0, we are much more likely to see URLs like those used in the first two examples, rather than the latter two, due to the dynamic URL generation capability."
    * http://community.websense.com/blogs/...es-to-2-0.aspx

    - https://isc.sans.edu/diary.html?storyid=14098
    2012-09-14

    ADP spam ...
    - http://blog.dynamoo.com/2012/09/adp-...624937122.html
    13 Sep 2012 - "... fake ADP spam tries to load malware from 46.249.37.122... After clicking the link bouncing through a couple of redirectors, the victim ends up at [donotclick]46.249.37.122 /links/systems-links_warns.php which appears to be generating a 404 error (although it could be fake). This could be a legitimate but hacked server as it is also the IP address for a proxy service called dutchprox.com. In any case, you might decide you want to block the IP just in case."

    - http://www.bbb.org/blog/wp-content/u...scamalert1.jpg
    Sep 12, 2012
    ___

    - http://blog.commtouch.com/cafe/data-...re-campaign-2/
    Sep 13, 2012

    Last edited by AplusWebMaster; 2012-09-17 at 15:16.
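    The redirection chains and landing-URL shapes listed in the Websense post above (index.html on a compromised site, js.js on a second host, then a .php landing page of the main.php?page=<16 hex> or <random>.php?r=<16 alnum> kind, plus the /links/<word>-<word>.php variant) can be turned into proxy-log detections. The Python below is an added example, not from Websense or from this thread: the log format, hostnames and path tokens in SAMPLE_LOG are constructed, and the chain check is the part that still applies once Blackhole 2.0's dynamic URL generation defeats the path regexes.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Landing-URL shapes quoted in the posts above: main.php?page=<16 hex>,
# <random>.php?r=<16 alnum>, and /links/<word>-<word>.php.
LANDING_PATTERNS = [
    ("bh-main-page", re.compile(r"^/main\.php$"), "page", re.compile(r"^[0-9a-f]{16}$")),
    ("bh-random-r", re.compile(r"^/[a-z0-9]{12,20}\.php$"), "r", re.compile(r"^[a-z0-9]{16}$")),
    ("bh-links", re.compile(r"^/links/[a-z]+[-_][a-z_]+\.php$"), None, None),
]
LOG_RE = re.compile(r"^(?P<ts>\d+) (?P<client>\S+) (?P<url>\S+)$")

# Constructed proxy log ("<epoch> <client> <url>"): example.* hosts, RFC 5737
# addresses and made-up path tokens shaped like the ones in the posts.
SAMPLE_LOG = """1347530000 10.0.0.5 http://compromised-site.example.com/Qx7dLpA/index.html
1347530002 10.0.0.5 http://second-hop.example.net/pK93sVu/js.js
1347530004 10.0.0.5 http://198.51.100.7/abcdefgh12345678.php?r=q8w7e6r5t4y3u2i1
1347530010 10.0.0.9 http://www.example.org/index.html
1347530310 10.0.0.9 http://cdn.example.org/js.js
1347530400 10.0.0.9 http://www.example.org/main.php?page=3a7c9e1f2b4d6a80
1347530500 10.0.0.11 http://intranet.example.com/main.php?page=about
""".splitlines()


def classify_url(url):
    """Name the landing-page pattern a URL matches, or None if it matches none."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    for name, path_re, param, value_re in LANDING_PATTERNS:
        if not path_re.match(parts.path):
            continue
        if param is None:
            return name
        values = query.get(param, [])
        if len(values) == 1 and value_re.match(values[0]):
            return name
    return None


def parse_log(lines):
    """Group (timestamp, split URL) per client, oldest request first."""
    per_client = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            per_client[m["client"]].append((int(m["ts"]), urlsplit(m["url"])))
    for events in per_client.values():
        events.sort(key=lambda e: e[0])
    return per_client


def flag_landing_urls(lines):
    """Per-request signature hits as (client, url, pattern name)."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m and (name := classify_url(m["url"])):
            hits.append((m["client"], m["url"], name))
    return hits


def find_redirect_chains(lines, window=30):
    """Flag the three-hop shape itself: index.html on one host, js.js on a second,
    then a .php with a query string on a third, same client, within `window` s."""
    hits = []
    for client, events in parse_log(lines).items():
        for t0, u0 in events:
            if not u0.path.endswith("/index.html"):
                continue
            hosts, t_prev = [u0.hostname], t0
            for stage in ("/js.js", ".php"):
                nxt = next(((t, u) for t, u in events
                            if t_prev <= t <= t0 + window and u.path.endswith(stage)
                            and u.hostname not in hosts and (stage != ".php" or u.query)),
                           None)
                if nxt is None:
                    break
                t_prev, hosts = nxt[0], hosts + [nxt[1].hostname]
            else:
                hits.append((client, hosts))
    return hits
```

    The signature hits are cheap but brittle; the chain detection keys on behaviour (three hosts, three stages, seconds apart) and is what to keep when the next kit version changes its file names.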
