
Thread: SPAM frauds, fakes, and other MALWARE deliveries...

  1. #31
    AplusWebMaster (Adviser Team), Join Date: Oct 2005, Location: USA, Posts: 6,881

    Skype SPAM voicemail leads to Blackhole / Zeus attacks

    FYI...

    Skype SPAM voicemail leads to Blackhole / Zeus attacks
    - http://www.gfi.com/blog/skype-voicem...-zeus-attacks/
    Oct 10, 2012 - "... spam mail... claims to be a Skype Voicemail notification, for example:
    > http://www.gfi.com/blog/wp-content/u...cemailscam.png
    It reads as follows:
    Hi there,
    You have a new voicemail
    Sign in to Skype to listen to the message.
    If you no longer want to receive email alerts about new voicemails, unsubscribe now.
    Talk soon,
    The people at Skype


    It looks pretty authentic, and will send curious clickers to URLs tied up in Blackhole / Zeus infections. On a related note, we’re also seeing Sprint Wireless and fake Facebook friend request spam doing much the same as the above so please be careful when wading through your inbox – there’s a fair amount of spam targeting users with exploits right now and it covers a wide range of subjects from payroll notifications and Craigslist adverts to UPS invoices and American Express payment receipts."

    - http://pandalabs.pandasecurity.com/i...and-messenger/
    10/10/12
    ___

    Skype Messages Spreading DORKBOT Variants
    - http://blog.trendmicro.com/trendlabs...kbot-variants/
    Oct 9, 2012

    - http://blog.trendmicro.com/trendlabs...dorkbot-rises/
    Oct 16, 2012 - "... spreading via Skype spammed messages... now reached (more than) 17,500 reported infections globally... DORKBOT is not primarily meant to steal information, but still has the capability to steal login credentials. It does this by hooking several APIs in popular web browsers. Among the sites monitored are Twitter, Facebook, Bebo, Friendster, Paypal, Netflix, and Sendspace. DORKBOT also checks strings sent to monitored sites via HTTP POST, thus information in HTTP form files like passwords, usernames, and email addresses... DORKBOT downloads an updated copy of itself per day, which are typically undetected because they arrive with different packers. This is probably done to remain undetected on the infected system. With multiple dangerous routines and propagation methods well-fit into the common users’ typical online activities, DORKBOT is clearly a threat that users need to avoid and protect themselves from..."

    - http://blog.spiderlabs.com/2012/10/w...-messages.html
    12 Oct 2012
    ___

    Rampaging Squirrel + Boyband = Twitter SPAM
    - http://www.gfi.com/blog/rampaging-sq...-twitter-spam/
    Oct 10, 2012 - "Yesterday I saw a news article that did a frankly amazing job of rendering the plight of a boyband member being attacked by a squirrel*, and mentioned it on Twitter. Within seconds, I was on the receiving end of some spam telling me I’d won a prize:
    > http://www.gfi.com/blog/wp-content/u...0/1dirspam.jpg
    Twitter users were spammed in groups, with the above account holding off on providing a URL to click. Instead, curious Tweeters would instead choose to visit the above account then click the URL in the profile – onedgiveaway(dot)com.
    > http://www.gfi.com/blog/wp-content/u...0/2dirspam.jpg
    “Congratulations 1D Fan! Please vote for your favourite 1D member below. To say thanks accept a free gift worth over $500
    ... I went for Liam Payne on the basis that he might be related to Max and ended up with the following survey page located at 1dviptickets(dot)com:
    > http://www.gfi.com/blog/wp-content/u...0/3dirspam.jpg
    ... I came away with no free gift but lots of surveys (and a whole bunch of “Are you sure you want to go” style pop-ups while trying to leave the page) – nobody has “won” anything, it’s just some random fire-and-forget spam. At time of writing, the spam account is still active and blindfiring more messages to random Twitter users..."
    * http://www.wandsworthguardian.co.uk/...Park_squirrel/
    ___

    Fake job offers - union-trans .com employment scam
    - http://blog.dynamoo.com/2012/10/unio...ment-scam.html
    10 Oct 2012 - "This fake job offer is for a "forwarding agent"... basically it's a parcel reshipping scam where goods bought with stolen credit cards are sent to the "agent's" home address, and then the "agent" forwards the stolen goods on to Eastern Europe or China or whatever. Of course, when the police catch on it's the "agent" who is in deep, deep trouble... There appear to be several scam domains in this same email. union-trans .com is hosted on 180.178.32.238 (Simcentric, Hong Kong)... Originating IP is 183.134.113.165 (Zhejiang Telecom, Ningbo, China)... Generally speaking, unsolicited job offers from out-of-the-way places are bad news and should be avoided."

    Sprint SPAM / 1.starkresidential .net
    - http://blog.dynamoo.com/2012/10/spri...entialnet.html
    9 Oct 2012 - "This fake Sprint spam leads to malware on 1.starkresidential .net...
    The malicious payload is at [donotclick]1.starkresidential .net/links/assure_numb_engineers.php hosted on 74.207.233.58 (Linode, US)... appear to be malicious subdomains of legitimate hacked domains. If you can, you should block traffic to 74.207.233.58 to stop other malicious sites on the same server from being a problem."

    "Biweekly payroll" SPAM / editdvsyourself .net
    - http://blog.dynamoo.com/2012/10/biwe...urselfnet.html
    9 Oct 2012 - "This fake payroll spam leads to malware on editdvsyourself .net...
    The malicious payload is on [donotclick]editdvsyourself .net/detects/beeweek_status-check.php, hosted on the familiar IP address of 183.81.133.121 (Vodafone, Fiji)..."
    ___

    Facebook Scam SPAM
    - https://isc.sans.edu/diary.html?storyid=14281
    Last Updated: 2012-10-10 14:32:26 UTC - "... reports of Facebook Scam Spam... TinyURL has since taken down the redirect and classified it as Spam. However, the image (and others like it) still propagate by FB users clicking on the link. This type of scam is used mostly -without- the permission of the vendor noted, in this case Costco*. The idea is to entice the user to click so they get -redirected- to a site where the business model depends on traffic volume...
    > https://isc.sans.edu/diaryimages/Dia...-Scam-Spam.png
    If you are a Facebook user, then please be wary of any offers that entice you to "click" to receive. It's a really bad practice. The holiday shopping season is beginning and these vectors are going to be heavily used by the scammers in the coming months."

    Last edited by AplusWebMaster; 2012-10-16 at 20:40.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .
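
An added example, not part of the original post or of the quoted blogs: the post writes its domains defanged ("(dot)", a space before the TLD, a "[donotclick]" prefix) and advises blocking the hosting IPs, so this sketch normalizes those notations and checks proxy log lines against the resulting hosts and IPs. The function names, the log format and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Indicators exactly as the post writes them (defanged).
DEFANGED = [
    "onedgiveaway(dot)com",
    "1dviptickets(dot)com",
    "union-trans .com",
    "[donotclick]1.starkresidential .net/links/assure_numb_engineers.php",
    "[donotclick]editdvsyourself .net/detects/beeweek_status-check.php",
]
BAD_IPS = {"180.178.32.238", "74.207.233.58", "183.81.133.121"}  # hosting IPs named in the post

def refang_host(text):
    """Return the lower-case hostname inside one defanged indicator."""
    t = text.strip().lower().replace("[donotclick]", "")
    t = re.sub(r"\s*[(\[]\s*(?:dot|\.)\s*[)\]]\s*", ".", t)  # "(dot)", "[.]"
    t = re.sub(r"\s+\.", ".", t)                             # "name .net"
    return urlsplit(t if "://" in t else "http://" + t).hostname

BAD_HOSTS = {refang_host(i) for i in DEFANGED}

def host_matches(host):
    """True for a listed host or a subdomain of it, never for its parent domain."""
    host = host.lower().rstrip(".")
    return any(host == b or host.endswith("." + b) for b in BAD_HOSTS)

def scan(lines):
    """Return (line_no, reason) for log lines that touch a listed host or IP."""
    hits = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) < 5:
            continue  # malformed line, skip
        dest_ip, host = parts[2], urlsplit(parts[4]).hostname or ""
        if host_matches(host):
            hits.append((n, "host " + host))
        elif dest_ip in BAD_IPS:
            hits.append((n, "ip " + dest_ip))
    return hits

# Constructed proxy log lines (format assumed: time client_ip dest_ip method url).
SAMPLE_LOG = [
    "09:14:02 10.1.4.22 192.0.2.10 GET http://intranet.example/index.html",
    "09:15:40 10.1.4.22 183.81.133.121 GET http://%s/x.php" % refang_host(DEFANGED[4]),
    "09:16:05 10.1.4.31 74.207.233.58 GET http://other.example/a.php",
]

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

The third sample line matches on IP alone, which is the case the quoted advice about other sites on the same server is aimed at; the parent of a listed subdomain is deliberately not matched, since the post describes those parents as legitimate hacked domains.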
