
Thread: SPAM frauds, fakes, and other MALWARE deliveries...

  1. #31
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Skype SPAM voicemail leads to Blackhole / Zeus attacks

    FYI...

    Skype SPAM voicemail leads to Blackhole / Zeus attacks
    - http://www.gfi.com/blog/skype-voicem...-zeus-attacks/
    Oct 10, 2012 - "... spam mail... claims to be a Skype Voicemail notification, for example:
    > http://www.gfi.com/blog/wp-content/u...cemailscam.png
    It reads as follows:
    Hi there,
    You have a new voicemail
    Sign in to Skype to listen to the message.
    If you no longer want to receive email alerts about new voicemails, unsubscribe now.
    Talk soon,
    The people at Skype


    It looks pretty authentic, and will send curious clickers to URLs tied up in Blackhole / Zeus infections. On a related note, we’re also seeing Sprint Wireless and fake Facebook friend request spam doing much the same as the above so please be careful when wading through your inbox – there’s a fair amount of spam targeting users with exploits right now and it covers a wide range of subjects from payroll notifications and Craigslist adverts to UPS invoices and American Express payment receipts."

    - http://pandalabs.pandasecurity.com/i...and-messenger/
    10/10/12
    ___

    Skype Messages Spreading DORKBOT Variants
    - http://blog.trendmicro.com/trendlabs...kbot-variants/
    Oct 9, 2012

    - http://blog.trendmicro.com/trendlabs...dorkbot-rises/
    Oct 16, 2012 - "... spreading via Skype spammed messages... now reached (more than) 17,500 reported infections globally... DORKBOT is not primarily meant to steal information, but still has the capability to steal login credentials. It does this by hooking several APIs in popular web browsers. Among the sites monitored are Twitter, Facebook, Bebo, Friendster, Paypal, Netflix, and Sendspace. DORKBOT also checks strings sent to monitored sites via HTTP POST, thus information in HTTP form files like passwords, usernames, and email addresses... DORKBOT downloads an updated copy of itself per day, which are typically undetected because they arrive with different packers. This is probably done to remain undetected on the infected system. With multiple dangerous routines and propagation methods well-fit into the common users’ typical online activities, DORKBOT is clearly a threat that users need to avoid and protect themselves from..."

    - http://blog.spiderlabs.com/2012/10/w...-messages.html
    12 Oct 2012
    ___

    Rampaging Squirrel + Boyband = Twitter SPAM
    - http://www.gfi.com/blog/rampaging-sq...-twitter-spam/
    Oct 10, 2012 - "Yesterday I saw a news article that did a frankly amazing job of rendering the plight of a boyband member being attacked by a squirrel*, and mentioned it on Twitter. Within seconds, I was on the receiving end of some spam telling me I’d won a prize:
    > http://www.gfi.com/blog/wp-content/u...0/1dirspam.jpg
    Twitter users were spammed in groups, with the above account holding off on providing a URL to click. Instead, curious Tweeters would choose to visit the above account then click the URL in the profile – onedgiveaway(dot)com.
    > http://www.gfi.com/blog/wp-content/u...0/2dirspam.jpg
    “Congratulations 1D Fan! Please vote for your favourite 1D member below. To say thanks accept a free gift worth over $500
    ... I went for Liam Payne on the basis that he might be related to Max and ended up with the following survey page located at 1dviptickets(dot)com:
    > http://www.gfi.com/blog/wp-content/u...0/3dirspam.jpg
    ... I came away with no free gift but lots of surveys (and a whole bunch of “Are you sure you want to go” style pop-ups while trying to leave the page) – nobody has “won” anything, it’s just some random fire-and-forget spam. At time of writing, the spam account is still active and blindfiring more messages to random Twitter users..."
    * http://www.wandsworthguardian.co.uk/...Park_squirrel/
    ___

    Fake job offers - union-trans .com employment scam
    - http://blog.dynamoo.com/2012/10/unio...ment-scam.html
    10 Oct 2012 - "This fake job offer is for a "forwarding agent"... basically it's a parcel reshipping scam where goods bought with stolen credit cards are sent to the "agent's" home address, and then the "agent" forwards the stolen goods on to Eastern Europe or China or whatever. Of course, when the police catch on it's the "agent" who is in deep, deep trouble... There appear to be several scam domains in this same email. union-trans .com is hosted on 180.178.32.238 (Simcentric, Hong Kong)... Originating IP is 183.134.113.165 (Zhejiang Telecom, Ningbo, China)... Generally speaking, unsolicited job offers from out-of-the-way places are bad news and should be avoided."

    Sprint SPAM / 1.starkresidential .net
    - http://blog.dynamoo.com/2012/10/spri...entialnet.html
    9 Oct 2012 - "This fake Sprint spam leads to malware on 1.starkresidential .net...
    The malicious payload is at [donotclick]1.starkresidential .net/links/assure_numb_engineers.php hosted on 74.207.233.58 (Linode, US)... appear to be malicious subdomains of legitimate hacked domains. If you can, you should block traffic to 74.207.233.58 to stop other malicious sites on the same server from being a problem."

    "Biweekly payroll" SPAM / editdvsyourself .net
    - http://blog.dynamoo.com/2012/10/biwe...urselfnet.html
    9 Oct 2012 - "This fake payroll spam leads to malware on editdvsyourself .net...
    The malicious payload is on [donotclick]editdvsyourself .net/detects/beeweek_status-check.php, hosted on the familiar IP address of 183.81.133.121 (Vodafone, Fiji)..."
    ___

    Facebook Scam SPAM
    - https://isc.sans.edu/diary.html?storyid=14281
    Last Updated: 2012-10-10 14:32:26 UTC - "... reports of Facebook Scam Spam... TinyURL has since taken down the redirect and classified it as Spam. However, the image (and others like it) still propagate by FB users clicking on the link. This type of scam is used mostly -without- the permission of the vendor noted, in this case Costco*. The idea is to entice the user to click so they get -redirected- to a site where the business model depends on traffic volume...
    > https://isc.sans.edu/diaryimages/Dia...-Scam-Spam.png
    If you are a Facebook user, then please be wary of any offers that entice you to "click" to receive. It's a really bad practice. The holiday shopping season is beginning and these vectors are going to be heavily used by the scammers in the coming months."

    Last edited by AplusWebMaster; 2012-10-16 at 20:40.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #32
    Adviser Team AplusWebMaster

    Malicious Presidential SPAM campaign has started...

    FYI...

    Malicious Presidential SPAM campaign has started...
    - http://community.websense.com/blogs/...n-started.aspx
    10 Oct 2012 - "... Websense... has detected a spam campaign that tries to exploit recipients' interest in the current presidential campaign in the US. Specifically, we have detected thousands of emails with this kind of content:
    > http://community.websense.com/cfs-fi...2D00_550x0.png
    ... we are seeing an increasing number of spam campaigns with malicious links that lead to BlackHole exploit pages. This is also what happens with this campaign. If the recipient clicks on one of the links in the email, it starts a redirection flow which leads to URLs that host BlackHole exploit code. We simulated the recipient's experience with the support of the Fiddler tool, as shown below:
    > http://community.websense.com/cfs-fi...0.sshot002.png
    The pattern used strongly resembles the pattern used in other malicious, BlackHole-based spam campaigns, so we decided to investigate using a little set of samples from this campaign. The samples were chosen based on thousands of emails.
    > http://community.websense.com/cfs-fi...6.sshot004.PNG
    The links found in the spam emails usually have this kind of content:
    > http://community.websense.com/cfs-fi...8.sshot005.PNG
    The purpose of this flow as usual is to install malicious files. In this malicious SPAM campaign, we noticed low detected PDF, JAR and EXE files (used to compromise the victim systems). During our simulated user experience we have found the following involved files:
    PDF - MD5: 69e51d3794250e3f1478404a72c7a309
    JAR file - MD5: 03373056bb050c65c41196d3f2d68077
    about.exe - MD5: 9223b428b28c7b8033edbb588968eaea ...
    Each URL... contains a redirection payload that leads the victim to a malicious website that hosts BlackHole exploit kit 2.0 obfuscated code..."

    - http://blog.trendmicro.com/trendlabs...nline-threats/
    Update as of Oct 11, 2012 - "... email is supposedly from CNN and contains news stories about the election:
    > http://blog.trendmicro.com/trendlabs...0/cnn-spam.png
    ... instead of news articles, the links lead users to a variant of the ZeuS banking Trojan, delivered by the Blackhole exploit kit..."

    - http://blog.trendmicro.com/trendlabs...nline-threats/
    Oct 10, 2012 - "... This reinforces the fact that the bad guys have all the bases covered when it comes to exploiting popular events. Whoever wins come November 6th, end users will end up losing in one way or another if they’re not careful. So keep yourself informed. Get your news only from trusted sources, and make sure to have an Internet security solution installed on your devices."

    Last edited by AplusWebMaster; 2012-10-12 at 15:38.

  3. #33
    Adviser Team AplusWebMaster

    LinkedIn SPAM and more SPAM...

    FYI... Multiple entries:

    LinkedIn SPAM / inklingads .biz
    - http://blog.dynamoo.com/2012/10/link...ingadsbiz.html
    11 Oct 2012 - "The bad guys are very busy today with all sorts of spam campaigns, including lots of messages as below pointing to malware on
    From: LinkedIn Notification [mailto:hewedngq6@omahahen.org]
    Sent: 11 October 2012 15:59
    Subject: LinkedIn Reminder
    Importance: High
    LinkedIn
    REMINDERS
    Invite events:
    From Thaddeus Sosa ( Your servant)
    PENDING EVENTS
    There are a total of 3 messages awaiting your action. See your InBox immediately...


    The malicious payload is on [donotclick]inklingads.biz/detects/invite-request_checking.php hosted on 183.81.133.121 (Vodafone, Fiji)"
    ___

    ADP SPAM / 198.143.159.108
    - http://blog.dynamoo.com/2012/10/adp-...143159108.html
    12 Oct 2012 - "Yet -more- fake ADP spam (there has been a lot over the past 24 hours) is being pushed out. This time there's a malicious payload at [donotclick]198.143.159.108 /links/rules_familiar-occurred.php (Singlehop, US).
    Avoid."
    ___

    ADP SPAM / 4.wapin .in and 173.224.209.165:
    - http://blog.dynamoo.com/2012/10/adp-spam-4wapinin.html
    11 Oct 2012 - "This fake ADP spam leads to malware on 4.wapin .in:
    From: ADP.Security [mailto:5BC4F06B@act4kids.net]
    Sent: 11 October 2012 14:22
    Subject: ADP: Urgent Notification
    This e-mail has been sent from an automated system. PLEASE DO NOT REPLY.
    If you have any questions, please contact your administrator for assistance.
    ----
    Digital Certificate About to Expire...


    The malicious payload is on [donotclick]4.wapin .in/links/assure_numb_engineers.php hosted on 198.136.53.39 (Comforthost, US).
    Another variant of this goes to [donotclick]173.224.209.165/links/assure_numb_engineers.php (Psychz Networks, US)"
    ___

    ADP SPAM / 108.61.57.66
    - http://blog.dynamoo.com/2012/10/adp-spam-108615766.html
    11 Oct 2012 - "There's masses of ADP-themed spam today. Here is another one:
    Date: Thu, 11 Oct 2012 14:53:17 -0200
    From: "ADP.Message" [986E3877@dixys.com]
    Subject: ADP Generated Message
    This e-mail has been sent from an automated system. PLEASE DO NOT REPLY.
    If you have any questions, please contact your administrator for assistance.
    ---------------------------------------------------------------------
    Digital Certificate About to Expire
    ---------------------------------------------------------------------
    The digital certificate you use to access ADP's Internet services is about to expire. If you do not renew your certificate by the expiration date below, you will not be able to access ADP's Internet services.
    Days left before expiration: 3
    Expiration date: Oct 14 23:59:59 GMT-03:59 2012
    ---------------------------------------------------------------------
    Renewing Your Digital Certificate ...


    In this case the malicious payload is at [donotclick]108.61.57.66 /links/assure_numb_ engineers .php hosted by Choopa LLC in the US. The IP is probably worth blocking to be on the safe side."
    ___

    Blackhole sites to block ...
    - http://blog.dynamoo.com/2012/10/blac...ck-111012.html
    11 Oct 2012 - "A bunch of sites are active today with the Blackhole exploit kit.. here are the ones seen so far:
    183.81.133.121
    198.136.53.39
    173.255.223.77
    64.247.188.141
    inklingads .biz

    The delivery mechanisms are fake LinkedIn and eFax messages. Block those IPs if you can."
    ___

    "Copies of Policies" SPAM / windowsmobilever .ru
    - http://blog.dynamoo.com/2012/10/copi...cies-spam.html
    11 Oct 2012 - "This slightly odd spam leads to malware on windowsmobilever .ru:
    Date: Thu, 11 Oct 2012 10:55:37 -0500
    From: "Amazon.com" [account-update@amazon.com]
    Subject: RE: DONNIE - Copies of Policies.
    Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.
    Here is the Package and Umbrella,
    and a copy of the most recent schedule.
    DONNIE LOCKWOOD,
    ==========
    Date: Thu, 11 Oct 2012 12:26:25 -0300
    From: accounting@[redacted]
    Subject: RE: MARGURITE - Copies of Policies.
    Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.
    Here is the Package and Umbrella,
    and a copy of the most recent schedule.
    MARGURITE Moss


    Anyone who clicks on the link will end up on an exploit kit at [donotclick]windowsmobilever .ru:8080/forum/links/column.php - hosted on:
    68.67.42.41 (Fibrenoire , Canada)
    203.80.16.81 (MYREN, Malaysia)
    These two IPs are currently involved in several malicious spam runs and should be blocked if you can."
    ___

    eFax SPAM / 173.255.223.77 and chase .swf
    - http://blog.dynamoo.com/2012/10/efax...-chaseswf.html
    11 Oct 2012 - "Two different eFax spam runs seem to be going on at the same time:
    ' From: eFax Corporate [mailto:05EBD8C@poshportraits.com]
    Sent: 11 October 2012 12:58
    Subject: eFax notification
    You have received a 50 page(-s) fax...'

    ' From: eFax.Corporate [mailto:2C4C2348@aieservices.com.au]
    Sent: 11 October 2012 12:51
    Subject: eFax: You have received new fax
    You have received a 34 page(-s) fax...'


    One leads to a malicious landing page at [donotclick]173.255.223.77 /links/assure_numb_engineers.php hosted by Linode in the US.
    The other one is a bit odder, referring to a file called chase.swf on a hacked site. VT analysis shows just 1/44* which is -not- good..."
    * https://www.virustotal.com/file/5db6...7784/analysis/
    File name: chase.swf-QrUTmm
    Detection ratio: 1/40
    Analysis date: 2012-10-11 13:04:39 UTC...

    Last edited by AplusWebMaster; 2012-10-12 at 15:04.
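    The dynamoo.com excerpts in this post all end the same way: a defanged payload URL ("[donotclick]", a space before the TLD or path), the hosting IP in parentheses, and advice to block it; the spoofed From: headers name a brand that the sending domain does not belong to. The script below, an added example that is not part of this thread or of any quoted blog, turns lines in that format into a blocklist and flags the sender mismatches; the sample lines are constructed from values quoted in this post, and the brand list, regexes and function names are this example's own assumptions.

```python
"""Added helper (not from the thread or the quoted blogs): turn report lines written in
the quoted posts' defanged style into a blocklist, and flag spoofed 'From:' headers."""
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed sample lines copying the formatting conventions of the quoted excerpts:
# "[donotclick]" prefix, a space inserted before the TLD or path, "(dot)" for ".",
# and the hosting IP given in parentheses after "hosted on".
SAMPLE_REPORT_LINES = [
    "The malicious payload is on [donotclick]inklingads.biz/detects/invite-request_checking.php hosted on 183.81.133.121 (Vodafone, Fiji)",
    "This time there's a malicious payload at [donotclick]198.143.159.108 /links/rules_familiar-occurred.php (Singlehop, US).",
    "The malicious payload is on [donotclick]4.wapin .in/links/assure_numb_engineers.php hosted on 198.136.53.39 (Comforthost, US).",
    "Anyone who clicks on the link will end up on an exploit kit at [donotclick]windowsmobilever .ru:8080/forum/links/column.php - hosted on:",
    "68.67.42.41 (Fibrenoire , Canada)",
    "203.80.16.81 (MYREN, Malaysia)",
    "Twitter users were pointed at the URL in the profile - onedgiveaway(dot)com",
]

# Constructed 'From:' headers in the shape quoted in this post and the previous ones.
SAMPLE_FROM_LINES = [
    "From: LinkedIn Notification [mailto:hewedngq6@omahahen.org]",
    "From: ADP.Security [mailto:5BC4F06B@act4kids.net]",
    'From: "Amazon.com" [account-update@amazon.com]',
    "From: eFax Corporate [mailto:05EBD8C@poshportraits.com]",
]

# Brands impersonated in the campaigns quoted in this thread (substring match, so the
# list is kept to names unlikely to occur inside unrelated words).
BRANDS = ("linkedin", "adp", "efax", "amazon", "facebook", "intuit", "sprint")

# "[donotclick]" followed by a token that may be split by spaces before "." or "/".
DEFANGED_URL = re.compile(r"\[donotclick\]\s*(\S+(?:\s+[./]\S*)*)")
DOT_DOMAIN = re.compile(r"\b([A-Za-z0-9-]+(?:\(dot\)[A-Za-z0-9-]+)+)\b")
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
SENDER = re.compile(
    r'^From:\s*"?(?P<name>[^"\[<]*?)"?\s*[\[<](?:mailto:)?(?P<addr>[^\]>]+)[\]>]', re.I
)


def refang(fragment: str) -> str:
    """Rebuild a usable host/URL from the defanged spelling ("4.wapin .in" -> "4.wapin.in")."""
    fragment = fragment.replace("[donotclick]", "").replace("(dot)", ".")
    return re.sub(r"\s+", "", fragment)


def host_of(url: str) -> str:
    """Host part of a scheme-less URL: everything before the first "/" or ":port"."""
    return re.split(r"[/:]", url, maxsplit=1)[0].lower()


def valid_ipv4(text: str) -> bool:
    try:
        ipaddress.IPv4Address(text)
        return True
    except ValueError:
        return False


def build_blocklist(lines: List[str]) -> Dict[str, List[str]]:
    """Collect payload hosts and hosting IPs from report lines into one blocklist."""
    domains, ips = set(), set()
    for line in lines:
        for m in DEFANGED_URL.finditer(line):
            host = host_of(refang(m.group(1)))
            (ips if valid_ipv4(host) else domains).add(host)
        for m in DOT_DOMAIN.finditer(line):
            domains.add(refang(m.group(1)).lower())
        for m in IPV4.finditer(line):  # "hosted on 1.2.3.4 (ISP, country)"
            if valid_ipv4(m.group(1)):
                ips.add(m.group(1))
    return {"domains": sorted(domains), "ips": sorted(ips, key=ipaddress.IPv4Address)}


def sender_mismatch(from_line: str) -> Optional[str]:
    """Return the brand named in the display name when the sending domain does not
    contain it; None when the line is not a From: header or shows no visible mismatch.
    A fully spoofed address (brand domain in both places) passes this check, which is
    why the quoted posts advise blocking the payload hosts rather than trusting senders."""
    m = SENDER.match(from_line)
    if not m:
        return None
    name = m.group("name").lower()
    domain = m.group("addr").rsplit("@", 1)[-1].lower()
    for brand in BRANDS:
        if brand in name and brand not in domain:
            return brand
    return None


if __name__ == "__main__":
    blocklist = build_blocklist(SAMPLE_REPORT_LINES)
    print("block domains:", ", ".join(blocklist["domains"]))
    print("block IPs:    ", ", ".join(blocklist["ips"]))
    for line in SAMPLE_FROM_LINES:
        print(f"{sender_mismatch(line) or 'no visible mismatch':<20} {line}")
```

The spoofed "Amazon.com" header deliberately passes the sender check, which is the limitation the dynamoo posts work around by publishing the hosting IPs to block.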

  4. #34
    Adviser Team AplusWebMaster

    Vodafone SPAM - emails serve malware

    FYI...

    Vodafone SPAM - emails serve malware
    - http://blog.webroot.com/2012/10/15/v...serve-malware/
    Oct 15, 2012 - "Cybercriminals are currently spamvertising millions of emails, impersonating Vodafone Europe, in an attempt to trick their customers into executing the malicious file attachment found in the email...
    Sample screenshot of the spamvertised email:
    > https://webrootblog.files.wordpress....il_malware.png
    Detection rate: Vodafone_Account_Balance.pdf.exe – MD5: 8601ece8b0c79ec3d4396f07319bbff1 * ... Trojan-Ransom.Win32.PornoAsset.xen; Worm:Win32/Gamarue.F..."
    * https://www.virustotal.com/file/2d62...is/1349008562/
    File name: Your_Friend_New_photos-updates.jpeg.exe
    Detection ratio: 36/43
    Analysis date: 2012-09-30 15:01:54 UTC
    ___

    Fake UPS emails - client-side exploits and malware
    - http://blog.webroot.com/2012/10/15/c...s-and-malware/
    Oct 15, 2012 - "... cybercriminals spamvertised millions of email addresses, impersonating UPS, in an attempt to trick end users into viewing the malicious .html attachment. Upon viewing, the file loads a tiny iFrame attempting to serve client-side exploits served by the latest version of the BlackHole Exploit kit, which ultimately drops malware on the affected host.
    Sample screenshot of the spamvertised email:
    > https://webrootblog.files.wordpress....xploit_kit.png
    ... Sample detection rate for a malicious .html file found in the spamvertised emails: UPS_N21489880.htm – MD5: 38a2a54d6e7391d7cd00b50ed76b9cfb * ... Trojan.Iframe.BCK; Trojan-Downloader.JS.Iframe.dbh
    * https://www.virustotal.com/file/37d8...a453/analysis/
    File name: java.jar
    Detection ratio: 26/43
    Analysis date: 2012-10-15
    ... currently responding to the following IPs – 84.22.100.108; 190.10.14.196; 203.80.16.81; 61.17.76.12; 213.135.42.98
    ... Related malicious domains part of the campaign’s infrastructure:
    ... Name servers part of the campaign’s infrastructure: ..."
    ___

    Rogue Bad Piggies ...
    - http://blog.trendmicro.com/trendlabs...gies-versions/
    Oct 15, 2012 - "... Right after reports of malicious Bad Piggies on Google Chrome webstore circulated, we found that certain developers also released their own, albeit rogue versions of the said gaming app. On the heels of Bad Piggies’ launch last month, we saw rogue versions of the game on specific web pages hosted on Russian domains. However, these versions are -not- affiliated at all with the game. Based on our analysis, these apps are verified as malicious, specifically premium service abusers, which send SMS messages without user consent and leave users with unnecessary charges... During our research, we used the keyword “Bad Piggies” and encountered 48 Russian domains. Among these sites is piggies-{BLOCKED}d .ru, which appears as an app download page.
    > http://blog.trendmicro.com/trendlabs...es_website.jpg
    ... site offers the said app on different platforms. Instead of the actual Bad Piggies app, users instead download a malicious .APK file detected as ANDROIDOS_FAKEINST.A. Once installed, it creates a shortcut on the device’s homepage and sends SMS messages to specific numbers. As mentioned, these messages are sent without user consent and may cost users extra for something they didn’t authorize... ANDROIDOS_FAKEINST.A has the ability to obfuscate its codes via inserting junk codes and encrypting the strings and decrypting it upon execution. It also replaces all class/method/field names with meaningless strings thus making analysis difficult... Bad Piggies is a spinoff of the highly popular Angry Birds franchise and its release enjoyed good coverage from popular media. Such is also the case with the malicious Instagram and Angry Birds Space... To victimize as many users as possible, shady developers and certain crooks created rogue versions to take advantage of these apps’ popularity and their media exposure. Russian domains also appear to be the favorite among rogue apps developers. Beginning this year up to July, we already blocked more than 6,000 mobile app pages hosted on .RU domains... an increase compared to last year’s 2,946 blocked sites. To lead users to these sites, the people behind these apps spread the links via forum, blog posts or email. To prevent downloading a fake (or worse, a malware disguised as an app) users should stick to legitimate app stores like Google Play..."
    ___

    eBay phishers update branding...
    - http://www.gfi.com/blog/ebay-phisher...heir-branding/
    Oct 15, 2012 - "... be aware that not only have eBay updated their logo for the first time since 1995, some scammers have also been quick out of the blocks to rejig their phishing scams and paste in the new logo accordingly. Here’s a scammer who hasn’t quite grasped the concept of “You’re horribly outdated” yet:
    > http://www.gfi.com/blog/wp-content/u...kebay_new2.jpg
    ... here’s a scammer who clearly keeps up with the news and probably owns a gold plated yacht and maybe a Unicorn as a result:
    > http://www.gfi.com/blog/wp-content/u...kebay_new1.jpg
    ... It probably won’t be long before most (if not all) phishers start using the new logo, but for the time being at least some phish attempts will be a little easier to spot for the average end-user. Of course, avid eBay users can also visit their Security Center* and keep up to date with all the latest shenanigans."
    * http://pages.ebay.com/securitycenter/index.html

    Last edited by AplusWebMaster; 2012-10-16 at 00:07.

  5. #35
    Adviser Team AplusWebMaster

    SPAM, SPAM, and more SPAM ...

    FYI...

    Wire Transfer SPAM / hotsecrete .net
    - http://blog.dynamoo.com/2012/10/wire...ecretenet.html
    16 Oct 2012 - "This fake wire transfer spam leads to malware on hotsecrete .net:
    From: Federal Information System [mailto:highjackingucaf10@atainvest.com]
    Sent: 16 October 2012 15:59
    Subject: Wire Transfer accepted
    We have successfully done the following transfer:
    ________________________________________
    Item #: 35043728
    Amount: $16,861.99
    To: Anthony Glover
    Fee: 29.00
    Send on Date: 10/16/2012
    Service: Domestic Wire
    ________________________________________
    If there is a problem with processing your request we would report to you both by email and on the Manage Accounts tab. You can always check your transfer status via this link Sincerely,
    Federal Reserve Bank Automate Notify System
    *********************************************
    Email Preferences
    This is a service warning from Federal Reserve Bank. Please note that you may receive notification note in accordance with your service agreements, whether or not you elect to receive promotional email.
    =============================================
    Federal Reserve Bank Email, 8th Floor, 170 Seashore Tryon, Ave., Charlotte, TX 89936-0001 Federal Reserve Bank.


    The malicious payload is found at [donotclick]hotsecrete .net/detects/exclude-offices_details_warm.php hosted on 183.81.133.121 (Vodafone, Fiji) which is a well-known malicious IP address that you should block."
    ___

    LinkedIn SPAM / 74.91.112.86
    - http://blog.dynamoo.com/2012/10/link...749111286.html
    16 Oct 2012 - "This fake LinkedIn spam leads to malware on 74.91.112.86:
    From: LinkedIn.Invitations [mailto:1F31A2F6B@delraybeachhomesales.com]
    Sent: 16 October 2012 13:50
    To: [redacted]
    Subject: New invitation is waiting for your response
    Hi [redacted],
    David sent you an invitation to connect 13 days ago. How would you like to respond?
    Accept Ignore Privately
    Hilton Suarez
    Precision Castparts (Distributor Sales Manager EMEA)
    You are receiving Invitation emails. Unsubscribe.
    This email was intended for [redacted].
    Learn why we included this.
    2012, LinkedIn Corporation. 2029 Stierlin Ct. Mountain View, CA 94043, USA


    The malicious payload is on [donotclick]74.91.112.86 /links/assure_numb_engineers.php hosted by Nuclearfallout Enterprises in the US (no surprises there)."
    ___

    Facebook SPAM / o.anygutterkings .com
    - http://blog.dynamoo.com/2012/10/face...rkingscom.html
    15 Oct 2012 - "This fake Facebook spam leads to malware on o.anygutterkings .com:
    Date: Mon, 15 Oct 2012 20:02:21 +0200
    From: "FB Account"
    Subject: Facebook account
    facebook
    Hi [redacted],
    You have blocked your Facebook account. You can reactivate your account whenever you wish by logging into Facebook with your former login email address and password. Subsequently you will be able to take advantage of the site as before
    Kind regards,
    The Facebook Team
    Sign in to Facebook and start connecting ...
    Please use the link below to resume your account ...
    This message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future, please click: unsubscribe.
    Facebook, Inc. Attention: Department 415 P.O Box 10005 Palo Alto CA 94303


    Other subjects are: "Account blocked" and "Account activated"
    The payload is at [donotclick]o.anygutterkings .com/links/assure_numb_engineers.php hosted on 198.136.53.38 (Comforthost, US)..."

    - http://www.gfi.com/blog/this-spam-gi...second-chance/
    Oct 16, 2012 - "... another Blackhole-Zeus-related threat... ignore and delete this Facebook spam..."
    > http://www.gfi.com/blog/wp-content/u...10/FB_1015.png
    ___

    Intuit SPAM / navisiteseparation .net
    - http://blog.dynamoo.com/2012/10/intu...rationnet.html
    15 Oct 2012 - "This fake Intuit spam leads to malware on navisiteseparation .net:
    Date: Mon, 15 Oct 2012 15:20:13 -0300
    From: "Intuit GoPayment" [crouppywo4@deltamar.net]
    Subject: Welcome - you're accepted for Intuit GoPayment
    Congratulations!
    GoPayment Merchant by Intuit request for ONTIMEE ADMINISTRATION, Inc. has been ratified.
    GoPayment
    Account Number: XXXXXXXXXXXXXX55
    Email Address: [redacted]
    PLEASE NOTE : Associated charges for this service may be applied now.
    Next step: View or confirm your Access ID
    This is {LET:User ID lets you:
    Review your payment service in the Merchant Center
    Review charges
    Log In to other Intuit products you may use, like TurboTax, Quicken, and Intuit Payroll
    The good news is we found an existing Intuit account for your email address, You can use this ID for your payment service also, or enter a new one.
    Verify Access ID
    Get started:
    Step 1: If you have not still, download the Intuit software.
    Step 2: Launch the Intuit application and sign in with the Access ID (your email address) and Password you setup.
    Easy Manage Your Intuit GoPayment Account
    The GoPayment Merchant Service by Intuit Center is the web site where you can learn more about GoPayment features, customize your sales receipt and add GoPayment users. You can also view transactions, deposits and fees. Visit url and sign in with your GoPayment AccesID (your email address) and Password.
    For more information on how to start using GoPayment Merchant by Intuit, including tutorials, FAQs and other resources, visit the Merchant Service Center at service link.
    Please don't reply to this message. auto informer system unable to accept incoming messages.
    System Terms & Agreements © 2008-2012 Intuit, INC. All rights reserved.


    ... Sample subjects:
    Congrats - you're accepted for Intuit GoPayment Merchant
    Congratulations - you're approved for Intuit Merchant
    Congrats - you're approved for GoPayment Merchant
    Welcome - you're accepted for Intuit GoPayment
    The malicious payload is at [donotclick]navisiteseparation .net/detects/processing-details_requested.php hosted on 183.81.133.121 (Vodafone, Fiji). The good news is that the domain has been suspended by the registrar, but that IP address has been used many times recently and should be blocked if you can."
    ___

    Copies of Policies SPAM / linkrdin .ru
    - http://blog.dynamoo.com/2012/10/copi...inkrdinru.html
    15 Oct 2012 - "Another "Copies of Policies" spam, this time leading to malware on linkrdin .ru:
    From: [support@victimdomain.com]
    Date: 15 October 2012 07:15
    Subject: RE: SANTOS - Copies of Policies.
    Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.
    Here is the Package and Umbrella,
    and a copy of the most recent schedule.


    The malicious payload is on [donotclick]linkrdin .ru:8080/forum/links/column.php ... hosted on the same IPs as this spam:
    68.67.42.41 (Fibrenoire, Canada)
    79.98.27.9 (UAB Interneto Vizija, Lithuania)
    203.80.16.81 (MYREN, Malaysia) ..."

    Last edited by AplusWebMaster; 2012-10-16 at 19:41.

  6. #36
    Adviser Team AplusWebMaster

    Fake AA, Amazon emails serve BlackHole Exploit kit

    FYI...

    Fake American Airlines emails serve BlackHole Exploit kit ...
    - http://blog.webroot.com/2012/10/17/a...e-exploit-kit/
    Oct 17, 2012 - "... cybercriminals launched yet another massive spam campaign, this time impersonating American Airlines in an attempt to trick its customers into clicking on a malicious link found in the mail. Upon clicking on the link, users are exposed to the client-side exploits served by the BlackHole Exploit Kit v2.0...
    Sample screenshot of the spamvertised email:
    > https://webrootblog.files.wordpress....xploit_kit.png
    Spamvertised compromised URL: hxxp ://malorita-hotel .by/wp-config.htm
    Detection rate for a sample Java script redirection: American_Airlines.html – MD5: 7b23a4c26b031bef76acff28163a39c5* ...JS/Exploit-Blacole.gc; JS:Blacole-CF [Expl]
    Sample client-side exploits serving URL: hxxp ://omahabeachs .ru:8080/forum/links/column.php
    We’ve already seen the same malicious email used in the previously profiled “Cybercriminals impersonate -UPS-, serve client-side exploits and malware” campaign, clearly indicating that these campaigns are launched by the same cybercriminal/gang of cybercriminals..."
    * https://www.virustotal.com/file/68d4...is/1349016199/
    File name: American_Airlines.html
    Detection ratio: 9/42
    Analysis date: 2012-09-30
    ___

    Fake Amazon emails serve BlackHole Exploit kit ...
    - http://blog.webroot.com/2012/10/16/c...s-and-malware/
    Oct 16, 2012 - "... cybercriminals have been spamvertising millions of emails impersonating Amazon.com in an attempt to trick customers into thinking that they’ve received a Shipping Confirmation for a Vizio XVT3D04, HD 40-Inch 720p 100 Hz Cinema 3D LED-LCD HDTV FullHD and Four Pairs of 3D Glasses. Once users click on any of the links found in the malicious email, they’re automatically exposed to the client-side exploits served by the latest version of the Black Hole Exploit kit...
    Sample screenshot of the spamvertised email:
    > https://webrootblog.files.wordpress....xploit_kit.png
    ... Second screenshot of the spamvertised email impersonating Amazon.com Inc:
    > https://webrootblog.files.wordpress....oit_kit_01.png
    Once users click on the links found in the malicious email, they’re presented with the following bogus “Page loading…” page:
    > https://webrootblog.files.wordpress....oit_kit_02.png
    Sample subjects used in the spamvertised emails:
    Re: HD TV Waiting on delivery Few hours ago;
    Your HDTV Delivered Now;
    Re: HDTV Processed Yesterday;
    Re: Order Processed Today;
    Your Order Approved Few hours ago ...
    Sample detection rate for the malicious JavaScript – Amazon.html – MD5: a8af3b2fba56a23461f2cc97a7b97830* ... JS/Obfuscus.AACB!tr; Trojan-Downloader.JS.Expack.ael
    Once a successful client-side exploitation takes place, the BlackHole Exploit kit drops a malicious PDF file with MD5: 9a22573eb991a3780791a2df9c55ddab* that’s exploiting the CVE-2010-0188 vulnerability."
    * https://www.virustotal.com/file/4747...is/1349014600/
    File name: Amazon.html
    Detection ratio: 20/43
    Analysis date: 2012-09-30
    ___

    Spoofed WebEx, PayPal Emails lead to Rogue Flash Update
    - http://blog.trendmicro.com/trendlabs...-flash-update/
    Oct 16, 2012 - "... Last week, we received two spoofed emails that redirect users to a fake Adobe Flash Player update. These messages use different approaches to lure users into downloading the malicious file update_flash_player.exe (detected as TSPY_FAREIT.SMC).
    The first email is disguised as a WebEx email containing an HTM attachment. Once users execute this attachment, they are led to a malicious site hosting TSPY_FAREIT.SMC. Employees may be tricked into opening this as it appears to be an alert coming from a business tool they often use...
    > http://blog.trendmicro.com/trendlabs...ebex_email.jpg
    The second sample, on the other hand, is a spoofed PayPal email that features transaction details.
    > http://blog.trendmicro.com/trendlabs...shingemail.jpg
    Curious users who click these details are then directed to the webpage hosting the rogue Flash update file... Once executed, TSPY_FAREIT.SMC drops a variant of the infamous banking malware ZeuS/ZBOT, specifically TSPY_ZBOT.AMM and TSPY_ZBOT.LAG. As you may recall, this malware family is known for its information theft routines. These variants are specifically crafted to steal online banking credentials such as usernames, passwords, and other important account details. This stolen information is then used to initiate transactions without users' knowledge or is peddled in the underground market for the right price... The use of WebEx in these spoofed emails is also fishy (phishy?). WebEx is a popular business conference/meeting technology in the corporate world... We believe that the perpetrators of this threat are likely targeting businesses and employees...
    Update... We observed a blackhole exploit kit (BHEK) spam run mimicking Facebook notification that leads to the site hosting another rogue Flash Player update (detected as TSPY_FAREIT.AMM) that drops ZeuS/ZBOT variants... expect that such spam runs won’t be fading soon... these attacks are continuing at full speed... users are advised to be continuously extra careful with clicking links on email messages."

    Last edited by AplusWebMaster; 2012-10-17 at 16:19.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  7. #37
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Fake Traffic Ticket SPAM - and more...

    FYI...

    NY Traffic Ticket SPAM / kennedyana .ru
    - http://blog.dynamoo.com/2012/10/ny-t...nedyanaru.html
    18 Oct 2012 - "This fake Traffic Ticket spam leads to malware on kennedyana .ru:
    Date: Wed, 17 Oct 2012 03:59:44 +0600
    From: sales1@[redacted]
    To: [redacted]
    Subject: Fwd: NY TRAFFIC TICKET
    New-York Department of Motor Vehicles
    TRAFFIC TICKET
    NEW-YORK POLICE DEPARTMENT
    THE PERSON CHARGED AS FOLLOWS
    Time: 5:16 AM
    Date of Offense: 21/01/2012
    SPEED OVER 50 ZONE
    TO PLEAD CLICK HERE AND FILL OUT THE FORM


    The malicious payload is on [donotclick]kennedyana .ru:8080/forum/links/column.php hosted on the following IPs:
    68.67.42.41 (Fibrenoire, Canada)
    72.18.203.140 (Las Vegas NV Datacenter, US)
    203.80.16.81 (MYREN, Malaysia) ..."
    ___

    Fake Intuit 'Payroll Confirmation inquiry’ emails lead to the BlackHole exploit kit
    - http://blog.webroot.com/2012/10/18/i...e-exploit-kit/
    Oct 18, 2012 - "...two consecutive massive email campaigns, impersonating Intuit Payroll’s Direct Deposit Service system, in an attempt to trick end and corporate users into clicking on the malicious links found in the mails. Upon clicking on -any- of the links found in the emails, users are exposed to the client-side exploits served by the latest version of the BlackHole exploit kit...
    Sample screenshot of the first spamvertised campaign:
    > https://webrootblog.files.wordpress....xploit_kit.png
    Upon clicking on the links found in the malicious emails, users are exposed to the following bogus “Page loading…” screen:
    > https://webrootblog.files.wordpress....oit_kit_01.png
    Screenshots of the second spamvertised campaign:
    > https://webrootblog.files.wordpress....oit_kit_02.png
    ... Both of these malicious domains used to respond to 183.81.133.121; 195.198.124.60; 203.91.113.6. More malicious domains part of the campaign’s infrastructure are known to have responded to the same IPs... Detection rate, MD5: 5723f92abf257101be20100e5de1cf6f * ... Gen:Variant.Kazy.96378; Worm.Win32.Cridex.js, MD5: 06c6544f554ea892e86b6c2cb6a1700c ** ... Trojan.Win32.Buzus.mecu; Worm:Win32/Cridex.B..."
    * https://www.virustotal.com/file/64e1...4bb3/analysis/
    File name: contacts.exe
    Detection ratio: 17/43
    Analysis date: 2012-09-29
    ** https://www.virustotal.com/file/ee30...d907/analysis/
    File name: virussign.com_06c6544f554ea892e86b6c2cb6a1700c.exe
    Detection ratio: 33/43
    Analysis date: 2012-10-19
    ___

    Adobe CS4 SPAM / leprasmotra .ru
    - http://blog.dynamoo.com/2012/10/adbo...asmotraru.html
    18 Oct 2012 - "This fake Adobe spam leads to malware on leprasmotra.ru:
    Date: Thu, 18 Oct 2012 10:00:26 -0300
    From: "service@paypal.com" [service@paypal.com]
    Subject: Order N04833
    Good morning,
    You can download your Adobe CS4 License here -
    We encourage you to explore its new and enhanced capabilities with these helpful tips, tutorials, and eSeminars.
    Thank you for buying Adobe InDesign CS4 software.
    Adobe Systems Incorporated


    The malicious payload is at [donotclick]leprasmotra .ru:8080/forum/links/column.php hosted on:
    72.18.203.140 (Las Vegas NV Datacenter, US)
    203.80.16.81 (MYREN, Malaysia)
    209.51.221.247 (eNET, US)
    Blocking access to those IPs is recommended."
    ___

    LinkedIn SPAM / 64.111.24.162
    - http://blog.dynamoo.com/2012/10/link...411124162.html
    17 Oct 2012 - "This fake LinkedIn spam leads to malware on 64.111.24.162:
    From: LinkedIn.Invitations [mailto:8B44145D0@bhuna.net]
    Sent: 17 October 2012 10:06
    Subject: New invitation is waiting for your response
    Hi [redacted],
    User sent you an invitation to connect 6 days ago. How would you like to respond?
    Accept Ignore Privately
    Alexis Padilla
    C.H. Robinson Worldwide (Sales Director)
    You are receiving Invitation emails. Unsubscribe.
    This email was intended for [redacted].
    Learn why we included this.
    2012, LinkedIn Corporation. 2029 Stierlin Ct. Mountain View, CA 94043, USA


    The malicious payload is at [donotclick]64.111.24.162 /links/assure_numb_engineers.php allocated to Data 102 in the US and then suballocated to:
    network:Network-Name:Buzy Bee Hosting /27
    network:IP-Network:64.111.24.160/27
    network:IP-Network-Block:64.111.24.160 - 64.111.24.191
    network:Org-Name:Buzy Bee Hosting
    network:Street-Address:1451 North Challenger Dr
    network:City:Pueblo West
    network:State:CO
    network:Postal-Code:81007
    network:Country-Code:US
    ... Blocking the IP (and possibly the /27 block) is probably wise."
    ___

    Amazon.com SPAM / sdqhfckuri .ddns.info and ultjiyzqsh .ddns.info
    - http://blog.dynamoo.com/2012/10/amaz...iddnsinfo.html
    17 Oct 2012 - "This fake Amazon.com spam leads to malware on sdqhfckuri .ddns.info and ultjiyzqsh .ddns.info:
    From: Amazon.Com [mailto:pothooknw@tcsn.net]
    Sent: 17 October 2012 06:54
    Subject: Your Amazon.com order of "Bulova Men's 94B316 Precisionist Claremont Brown Leather Watch" has shipped!
    Importance: High
    Gift Cards
    | Your Orders
    | Amazon.com
    Shipping Confirmation
    Order #272-3140048-4213404
    Hello,
    Thank you for shopping with us. We thought you'd like to know that we shipped your gift, and that this completes your order. Your order is on its way, and can no longer be changed. If you need to return an item from this shipment or manage other orders, please visit Your Orders on Amazon.com.
    Your estimated delivery date is:
    Tuesday, October 9, 2012
    Your package is being shipped by UPS and the tracking number is 1ZX305712324670208. Depending on the ship speed you chose, it may take 24 hours for your tracking number to return any information.
    Shipment Details
    Bulova Men's 94B316 Precisionist Claremont Brown Leather Watch
    Sold by Amazon.com LLC (Amazon.com) $109.95
    Item Subtotal: $109.95
    Shipping & Handling: $0.00
    Total Before Tax: $109.95
    Shipment Total: $109.95
    Paid by Visa: $109.95
    Returns are easy. Visit our Online Return Center.
    If you need further assistance with your order, please visit Customer Service.
    We hope to see you again soon!
    Amazon.com
    This email was sent from a notification-only address that cannot accept incoming email. Please do not reply to this message.


    The malicious payload is at [donotclick]sdqhfckuri .ddns.info/links/calls_already_stopping.php or [donotclick]ultjiyzqsh .ddns.info/links/calls_already_stopping.php hosted on 37.230.117.4 (The First CJSC, Russia).
    Added: snfgrhoykdcb.ddns.info and jdrxnlbyweco.ddns.info are also being used in this attack, although they do not resolve at present.
    Blocking .ddns.info and .ddns.name domains will probably not spoil your day. Blocking the 37.230.116.0/23 range might not either..."
    ___

    Take a critical look at DNS blocking...
    - http://h-online.com/-1731993
    18 Oct 2012

    Last edited by AplusWebMaster; 2012-10-19 at 10:37.

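    The Dynamoo posts above give each campaign's landing URL and hosting IPs in defanged form ("[donotclick]kennedyana .ru:8080/forum/links/column.php", "68.67.42.41 (Fibrenoire, Canada)") and end with "blocking these IPs is recommended". The script below is an added example, not code from this thread or from dynamoo.com: it undoes that defanging, builds a matcher from the indicators quoted in this post (the hosts, the hosting IPs, the 64.111.24.160/27 and 37.230.116.0/23 ranges, the .ddns.info/.ddns.name suffixes, and the /links/<words>.php landing-path shape every URL above shares) and runs it over a few proxy-log lines. The log format (client dest_ip url), the log lines and the non-listed IPs in them are constructed for the example.

```python
"""Added example, not code from the forum thread or from dynamoo.com.

Parses the defanged indicators as the posts above write them, then matches
constructed proxy-log lines against hosts, IPs, ranges and the landing-path
pattern.  Everything marked 'constructed' is not from the page."""
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators copied from the posts above, exactly as written there.
RAW_LANDING_URLS = [
    "[donotclick]kennedyana .ru:8080/forum/links/column.php",
    "[donotclick]leprasmotra .ru:8080/forum/links/column.php",
    "[donotclick]64.111.24.162 /links/assure_numb_engineers.php",
    "[donotclick]sdqhfckuri .ddns.info/links/calls_already_stopping.php",
    "[donotclick]ultjiyzqsh .ddns.info/links/calls_already_stopping.php",
]
RAW_HOSTING_IPS = [
    "68.67.42.41 (Fibrenoire, Canada)",
    "72.18.203.140 (Las Vegas NV Datacenter, US)",
    "203.80.16.81 (MYREN, Malaysia)",
    "209.51.221.247 (eNET, US)",
    "37.230.117.4 (The First CJSC, Russia)",
]
# Ranges the posts suggest blocking, and the dynamic-DNS suffixes they name.
BLOCKED_NETS = [ipaddress.ip_network("64.111.24.160/27"),
                ipaddress.ip_network("37.230.116.0/23")]
DDNS_SUFFIXES = (".ddns.info", ".ddns.name")
# Every landing URL above has the shape /links/<words>.php or /forum/links/<word>.php.
LANDING_PATH_RE = re.compile(r"^/(?:forum/)?links/[a-z]+(?:[_-][a-z]+)*\.php$")


def refang(text: str) -> str:
    """Reverse the defanging used in the posts: drop [donotclick], hxxp -> http,
    remove the space inserted before ':' or '/', and close "example .ru" back up."""
    text = text.replace("[donotclick]", "")
    text = re.sub(r"\bhxxp", "http", text)
    text = re.sub(r"\s+(?=[:/])", "", text)
    text = re.sub(r"\s+\.(?=[A-Za-z])", ".", text)
    return text.strip()


def landing_host(raw: str) -> str:
    """Host part of a defanged landing URL (scheme added if the post omitted it)."""
    url = refang(raw)
    if "://" not in url:
        url = "http://" + url
    return urlsplit(url).hostname.lower()


LANDING_HOSTS = {landing_host(u) for u in RAW_LANDING_URLS}
BLOCKED_IPS = {ipaddress.ip_address(line.split()[0]) for line in RAW_HOSTING_IPS}


def check_request(url: str, dest_ip: str) -> list:
    """Reasons a proxied request matches the indicators; empty list if none."""
    reasons = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host in LANDING_HOSTS or host.endswith(DDNS_SUFFIXES):
        reasons.append("blocked-host")
    addr = ipaddress.ip_address(dest_ip)
    if addr in BLOCKED_IPS or any(addr in net for net in BLOCKED_NETS):
        reasons.append("blocked-ip")
    if LANDING_PATH_RE.match(parts.path):
        reasons.append("landing-path")
    return reasons


# Constructed log: "client dest_ip url", one request per line.
# Lines 3 and 4 use addresses inside the blocked ranges but not listed on the page.
SAMPLE_LOG = """\
10.0.0.5 68.67.42.41 http://kennedyana.ru:8080/forum/links/column.php
10.0.0.7 93.184.216.34 http://www.example.com/index.html
10.0.0.9 37.230.117.9 http://snfgrhoykdcb.ddns.info/links/calls_already_stopping.php
10.0.0.12 64.111.24.170 http://other-host.test/links/some_new_name.php
"""


def scan_log(text: str) -> list:
    """(line_no, client, reasons) for every request that matches something."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        client, dest_ip, url = line.split(maxsplit=2)
        reasons = check_request(url, dest_ip)
        if reasons:
            hits.append((n, client, reasons))
    return hits


if __name__ == "__main__":
    for n, client, reasons in scan_log(SAMPLE_LOG):
        print(f"line {n}: {client} -> {', '.join(reasons)}")
```

    The path pattern is the useful part: the hosts and IPs in these posts rotate within days (the same column.php appears on kennedyana .ru, leprasmotra .ru and omahabeachs .ru above), while the /links/<words>.php landing shape stays. The hosting IPs are shared servers, so an IP block has collateral effect; the h-online piece linked just above on DNS blocking is worth reading before pushing such a list to a firewall.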
  8. #38
    Adviser Team AplusWebMaster

    Fake Facebook direct messages - malware campaign

    FYI...

    Fake Facebook direct messages - malware campaign ...
    - http://blog.webroot.com/2012/10/19/m...d-in-the-wild/
    Oct 19, 2012 - "... one of my Facebook friends sent me a direct message indicating that his host has been compromised, and is currently being used to send links to a malicious .zip archive through direct messages to all of his Facebook friends...
    Sample screenshot of the spamvertised direct download link:
    > https://webrootblog.files.wordpress....e_campaign.png
    ... All of these redirect to hxxp://74.208.231.61 :81/l.php – tomascloud .com – AS8560... user is exposed to a direct download link of Picture15 .JPG .zip.
    Detection rate: MD5: dfe23ad3d50c1cf45ff222842c7551ae * ... Trojan.Win32.Bublik.iez; Worm:Win32/Slenfbot..."
    * https://www.virustotal.com/file/a6ab...is/1349355521/
    File name: Picture15-JPG.scr
    Detection ratio: 20/43
    Analysis date: 2012-10-04
    ___

    LinkedIn SPAM / cowonhorse .co
    - http://blog.dynamoo.com/2012/10/link...onhorseco.html
    19 Oct 2012 - "This fake LinkedIn spam leads to malware on cowonhorse .co:
    From: LinkedIn.Invitations [mailto:4843D050@pes.sau48.org]
    Sent: Fri 19/10/2012 10:29
    Subject: Invitation
    Hi [redacted],
    User sent you an invitation to connect 6 days ago. How would you like to respond?
    Accept Ignore Privately
    Estelle Garrison
    Interpublic Group (Executive Director Marketing PPS)
    You are receiving Invitation emails. Unsubscribe.
    This email was intended for [redacted].
    Learn why we included this.
    2012, LinkedIn Corporation. 2029 Stierlin Ct. Mountain View, CA 94043, USA
    ==========
    From: LinkedIn.Invitations [mailto:43DD0F0@cankopy.com]
    Sent: Fri 19/10/2012 11:39
    Subject: New invitation
    Hi [redacted],
    User sent you an invitation to connect 14 days ago. How would you like to respond?
    Accept Ignore Privately
    Carol Parks
    Automatic Data Processing (Divisional Finance Director)
    You are receiving Invitation emails. Unsubscribe.
    This email was intended for [redacted].
    Learn why we included this.
    2012, LinkedIn Corporation. 2029 Stierlin Ct. Mountain View, CA 94043, USA
    ==========
    From: LinkedIn.Invitations [mailto:3A1665D92@leosanches.com]
    Sent: Fri 19/10/2012 12:28
    Subject: Invitation
    Hi [redacted],
    User sent you an invitation to connect 6 days ago. How would you like to respond?
    Accept Ignore Privately
    Rupert Nielsen
    O'Reilly Automotive (Head of Non-Processing Infrastructure)
    You are receiving Invitation emails. Unsubscribe.
    This email was intended for [redacted].
    Learn why we included this.
    2012, LinkedIn Corporation. 2029 Stierlin Ct. Mountain View, CA 94043, USA


    The malicious payload is on [donotclick]cowonhorse .co/links/observe_resources-film.php hosted on 74.91.118.239 (Nuclearfallout Enterprises, US). Nuclearfallout have hosted sites like this several times before..."
    ___

    Fake Friendster emails lead to BlackHole exploit kit
    - http://blog.webroot.com/2012/10/19/r...e-exploit-kit/
    19 Oct 2012 - "Cybercriminals are currently spamvertising millions of emails, impersonating Friendster, in an attempt to trick its current and prospective users into clicking on a malicious link found in the email. Upon clicking on the link, users are exposed to the client-side exploits served by the latest version of the BlackHole exploit kit...
    Sample screenshot of the spamvertised email:
    > https://webrootblog.files.wordpress....xploit_kit.png
    ... sonatanamore .ru used to respond to the following IPs – 70.38.31.71; 202.3.245.13; 203.80.16.81; 213.251.162.65 ... Sample detection rate for the malicious iFrame loading script: friedster.html – MD5: c444036179aa371aebf9bae3e7cc5eef * ... Exploit.JS.Blacole; Trojan.JS.Iframe.acn
    Upon successful client-side exploitation, the campaign drops MD5: 8fa93035ba01238dd7a55c378d1c2e40** on the affected host... Trojan-Ransom.Win32.PornoAsset.aeuz; Worm:Win32/Cridex.E
    Upon execution, the sample phones back to 95.142.167.193 :8080/mx/5/A/in..."
    * https://www.virustotal.com/file/2d91...is/1349356588/
    File name: Friendster.html
    Detection ratio: 12/43
    Analysis date: 2012-10-04
    ** https://www.virustotal.com/file/94ff...690d/analysis/
    File name: 8fa93035ba01238dd7a55c378d1
    Detection ratio: 27/43
    Analysis date: 2012-10-05
    ___

    Cisco - Threat Outbreak Alerts
    - http://tools.cisco.com/security/cent...utbreak.x?i=77
    Fake UPS Payment Document Attachment E-mail Messages - October 19, 2012
    Fake Shipment Notification E-mail Messages - October 19, 2012
    Fake Product Quote Request E-mail Messages - October 19, 2012
    Fake Changelog E-mail Messages- October 19, 2012
    Fake Xerox Scan Attachment E-mail Messages - October 19, 2012
    Fake Bill Statement E-mail Messages - October 19, 2012
    Fake Bank Transfer Receipt E-mail Messages - October 19, 2012
    Fake Payment Slip E-mail Messages - October 19, 2012
    Fake Money Transfer Receipt E-mail Messages - October 19, 2012
    Fake Purchase Order Confirmation E-mail Messages - October 19, 2012
    Fake FedEx Parcel Delivery Failure Notification E-mail Messages - October 19, 2012
    Fake Portuguese Health Alert Notification E-mail Messages - October 19, 2012
    Fake Payment Slip Confirmation E-mail Message - October 19, 2012 ...

    Last edited by AplusWebMaster; 2012-10-21 at 06:53.

  9. #39
    Adviser Team AplusWebMaster

    SCAM-SPAM-and PHISH ...

    FYI... multiple entries - SCAM-SPAM-and PHISH:

    SCAM - worthless domain names: tsnetint .com and tsnetint .org
    - http://blog.dynamoo.com/2012/10/scam...netintorg.html
    22 Oct 2012 - "Another episode in a long-running domain scam, which attempts to get you to buy worthless domain names by scaremongering. In this case the fake company is called "Kenal investment Co. Ltd" (there are several legitimate firms with a similar name). If you get one of these, ignore it and don't give the scammers any money.
    The domains quoted are tsnetint .com and tsnetint .org and the originating IP is 117.27.141.168, all hosted in deepest China.
    From: bertram @tsnetint .com
    Date: 22 October 2012 06:02
    Subject: Confirmation of Registration
    (Letter to the President or Brand Owner, thanks)
    Dear President,
    We are the department of Asian Domain Registration Service in China. Here I have something to confirm with you. We formally received an application on October 19, 2012 that a company claimed Kenal investment Co. Ltd were applying to register "dynamoo" as their Net Brand and some domain names through our firm.
    Now we are handling this registration, and after our initial checking, we found the name were similar to your company's, so we need to check with you whether your company has authorized that company to register these names. If you authorized this, we would finish the registration at once. If you did not authorize, please let us know within 7 workdays, so that we could handle this issue better. After the deadline we will unconditionally finish the registration for Kenal investment Co. Ltd. Looking forward to your prompt reply.
    Best Regards,
    Bertram Hong
    Registration Dept.
    Office:Tel: 86 2885915586 || Fax: +86 2885912116
    Address:9/F Libao building No,62 Kehua North Road,Wuhou District,Chengdu City,China
    ..."
    ___

    SPAM with .gov URLs
    - http://www.symantec.com/connect/blogs/spam-gov-urls
    22 Oct 2012 Updated - "Symantec is observing an increase in spam messages containing .gov URLs. A screenshot of a sample message is below:
    > https://www.symantec.com/connect/sit...govURL%201.png
    Traditionally, .gov URLs have been restricted to government entities. This brings up the question of how spammers are using .gov URLs in spam messages.
    The answer is on this webpage:
    1.USA.gov is the result of a collaboration between USA.gov and bitly.com, the popular URL shortening service. Now, whenever anyone uses bitly to shorten a URL that ends in .gov or .mil, they will receive a short, trustworthy 1.usa.gov URL in return.
    ... While this feature has legitimate uses for government agencies and employees, it has also opened a door for spammers. By using an open-redirect vulnerability, spammers were able to set up a 1.usa.gov URL that leads to a spam website.
    Using the above example:
    [http ://]1.usa .gov/[REMOVED]/Rxpfn9
    leads to
    [http ://]labor.vermont .gov/LinkClick.aspx?link=http://workforprofit.net/[REMOVED]/?wwvxo
    which leads to
    [http ://]workforprofit .net/[REMOVED]/?wwvxo
    The final spam page is a work-at-home scam website that has been designed to look like a financial news network website:
    https://www.symantec.com/connect/sit...govURL%202.png
    To add legitimacy to the website, spammers have designed it so that other links, such as the menu bar at the top and other news articles (not shown in the above picture), actually lead to the financial news website that it is spoofing. However, the links in the article all lead to a different website where the spammer tries to make the sale:
    > https://www.symantec.com/connect/sit...0thumbnail.png
    USA.gov provides data created any time anyone clicks on a 1.usa.gov URL (link available on this webpage). Analysis of data from the last seven days shows that this trend began on October 12. As of October 18, 43,049 clicks were made through 1.usa.gov shortened URLs to these spam domains:
    consumeroption .net
    consumerbiz .net
    workforprofit .net
    consumeroptions .net
    consumerlifenet .net
    consumerbailout .net
    consumerlifetoday .net
    consumerneeds .net
    consumerstoday .net
    consumerlivestoday .net
    > https://www.symantec.com/connect/sit...govURL%204.png
    ... This chart shows the number of spam clicks made on a daily basis:
    > https://www.symantec.com/connect/sit...govURL%205.png
    While taking advantage of URL shorteners or an open-redirect vulnerability is not a new tactic, the fact that spammers can utilize a .gov service to make their own links is worrisome. Symantec encourages users to always follow best practices and exercise caution when opening links even if it is a .gov URL."
    ___

    Phish for regular Webmail Accounts
    - https://isc.sans.edu/diary.html?storyid=14356
    Last Updated: 2012-10-22 - "I was looking through my spam folder today and saw an interesting phish. The phishing email is looking for email account information. Nothing new about that, except this one seemed to have a broad target range. Normally, these types of phishes are sent to .edu addresses, not those outside of academia. From the email headers, this one was sent to the Handlers email which is a .org. A non-technical user, like many of my relatives, would probably respond to this. I could see this being successful against regular webmail users of Gmail, Hotmail, etc., especially if the verbiage was changed slightly. It could also be targeting those who may be enrolled in online universities... I have included the email below:

    From: University Webmaster <university.m @usa .com>
    Date: Fri, Oct 19, 2012 at 9:34 PM
    Subject: Webmail Account Owner
    To:
    Dear Webmail Account Owner,
    This message is from the University Webmail Messaging Center to all email account owners.
    We are currently carrying out scheduled maintenance,upgrade of our web mail service and we are changing our mail host server,as a result your original password will be reset.
    We are sorry for any inconvenience caused.
    To complete your webmail email account upgrade, you must reply to this email immediately and provide the information requested below.
    ---
    CONFIRM YOUR EMAIL IDENTITY NOW
    E-mail Address:
    User Name/ID:
    Password:
    Re-type Password:
    ---
    Failure to do this will immediately render your email address deactivated from the University Webmail
    ..."
    ___

    "Copies of Policies" SPAM / fidelocastroo .ru
    - http://blog.dynamoo.com/2012/10/copi...castrooru.html
    22 Oct 2012 - "This spam leads to malware on fidelocastroo .ru:
    Date: Mon, 22 Oct 2012 08:05:10 -0500
    From: Twitter [c-FG6SPPPCGK63=D8154Z4.8N4-6042f@postmaster.twitter.com]
    Subject: RE: Charley - Copies of Policies.
    Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.
    Here is the Package and Umbrella,
    and a copy of the most recent schedule.
    Charley HEALY,


    The malicious payload is on [donotclick]fidelocastroo .ru:8080/forum/links/column.php hosted on the following IPs:
    68.67.42.41 (Fibrenoire, Canada)
    79.98.27.9 (Interneto Vizija, Lithuania)
    190.10.14.196 (RACSA, Costa Rica)
    202.3.245.13 (MANA, French Polynesia)
    203.80.16.81 (MYREN, Malaysia)
    209.51.221.247 (eNET, US)
    Plain list for copy and pasting:
    68.67.42.41
    79.98.27.9
    190.10.14.196
    202.3.245.13
    203.80.16.81
    209.51.221.247

    Blocking these IPs should prevent any other attacks on the same server."

    Last edited by AplusWebMaster; 2012-10-23 at 00:06.

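    The 1.usa.gov chain in the Symantec item above works because labor.vermont.gov's LinkClick.aspx sends the browser wherever its link= parameter points, so a bitly-shortened .gov link ends on workforprofit .net. The code below is an added example, not from this thread or from Symantec: the unchecked redirect pattern, a hardened version that only allows the site itself or .gov/.mil hosts after normalising the usual bypasses (scheme-relative //host, userinfo gov-host@evil, backslashes, non-http schemes), and a helper that lists the hops encoded in such a URL without fetching anything. Function names, the allow-list, the https scheme used when resolving, and the "/x/" path standing in for the post's [REMOVED] segment are assumptions for the example.

```python
"""Added example, not code from the forum thread or from Symantec.

Open redirect of the LinkClick.aspx?link=<url> kind, shown unchecked and
hardened, plus an offline hop lister.  Names and the allow-list are assumed."""
from urllib.parse import parse_qs, urljoin, urlsplit

SITE_HOST = "labor.vermont.gov"        # the redirecting host from the post above
ALLOWED_SUFFIXES = (".gov", ".mil")    # what a 1.usa.gov link is meant to stay within


def link_param(request_url: str) -> str:
    """The link= query parameter of a LinkClick-style request URL ('' if absent)."""
    return parse_qs(urlsplit(request_url).query).get("link", [""])[0]


def redirect_target_unchecked(request_url: str) -> str:
    """The open-redirect pattern: the browser is sent wherever link= points."""
    return link_param(request_url)


def safe_redirect_target(request_url: str, site_host: str = SITE_HOST,
                         allowed_suffixes=ALLOWED_SUFFIXES):
    """Hardened handler: resolve link= against the site, then allow only the
    site itself or a host under an allowed suffix.  None means refuse."""
    link = link_param(request_url)
    if not link:
        return None
    # Browsers treat "\" like "/", so "/\evil.example" is really scheme-relative;
    # normalise before parsing so the host check sees what the browser will see.
    link = link.replace("\\", "/")
    resolved = urljoin(f"https://{site_host}/", link)   # "//evil" becomes https://evil
    parts = urlsplit(resolved)
    if parts.scheme not in ("http", "https"):
        return None                                     # javascript:, data:, ...
    # hostname drops userinfo, so "gov-host@evil.example" yields evil.example;
    # a scheme with no host ("http:evil") yields None and is refused below.
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return None
    if host == site_host or host.endswith(allowed_suffixes):
        return resolved
    return None


def static_hops(url: str, max_hops: int = 5) -> list:
    """Hosts a LinkClick-style URL passes through, read from the URL alone.
    A shortener hop such as 1.usa.gov needs a live lookup and is not followed."""
    hops = []
    for _ in range(max_hops):
        host = urlsplit(url).hostname
        if not host:
            break
        hops.append(host.lower())
        url = redirect_target_unchecked(url)
        if not url:
            break
    return hops


if __name__ == "__main__":
    spam = "http://labor.vermont.gov/LinkClick.aspx?link=http://workforprofit.net/x/?wwvxo"
    print("unchecked ->", redirect_target_unchecked(spam))
    print("hardened  ->", safe_redirect_target(spam))
    print("hops      ->", static_hops(spam))
```

    The suffix check must be on the parsed hostname, never a substring test on the raw parameter: "http://labor.vermont.gov@workforprofit.net/" contains the .gov name and still lands on workforprofit.net, which is exactly the class of trick the hardened function refuses.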
  10. #40
    Adviser Team AplusWebMaster

    Fake PayPal-NACHA-inTuit emails serve malware

    FYI...

    Fake PayPal emails serve malware
    - http://blog.webroot.com/2012/10/23/p...serve-malware/
    Oct 23, 2012 - "... cybercriminals are currently spamvertising millions of emails impersonating PayPal, in an attempt to trick its users into downloading and executing the malicious attachment found in the legitimate looking email...
    Screenshot of the spamvertised email:
    > https://webrootblog.files.wordpress....il_malware.png
    Detection rate for the malicious archive: MD5: 9c2f2cabf00bde87de47405b80ef83c1 * ... Backdoor.Win32.Androm.fm. Once executed, the sample opens a backdoor on the infected host, allowing cybercriminals to gain complete control over the infected host..."
    * https://www.virustotal.com/file/1f5f...is/1350578639/
    File name: Notification_payment_08_15_2012.exe
    Detection ratio: 39/43
    Analysis date: 2012-10-18
    ___

    - http://tools.cisco.com/security/cent...utbreak.x?i=77
    Fake PayPal Account Verification E-mail Messages - October 22, 2012
    Fake Payment Confirmation E-mail Messages - October 22, 2012
    Fake Picture Link E-mail Messages- October 22, 2012
    Fake Portuguese Loan Approval E-mail Messages - October 22, 2012
    Malicious Personal Photograph Attachment E-mail Messages - October 22, 2012
    Fake UPS Payment Document Attachment E-mail Messages - October 22, 2012
    Fake FedEx Parcel Delivery Failure Notification E-mail Messages - October 22, 2012
    Fake Changelog E-mail Messages - Updated October 22, 2012
    Fake Purchase Order Confirmation E-mail Messages - October 22, 2012...
    ___

    NACHA SPAM / bwdlpjvehrka.ddns .info
    - http://blog.dynamoo.com/2012/10/nach...addnsinfo.html
    23 Oct 2012 - "This fake NACHA spam leads to malware on bwdlpjvehrka.ddns .info:
    Date: Tue, 23 Oct 2012 05:44:05 +0200
    From: "noreply@direct.nacha.org"
    Subject: Notification about the rejected Direct Deposit payment
    Herewith we are informing you, that your most recent Direct Deposit via ACH transaction (#914555512836) was cancelled, due to your current Direct Deposit software being out of date. Please use the link below to enter the secure section of our web site and see the details::
    Please contact your financial institution to acquire the new version of the software.
    Sincerely yours
    ACH Network Rules Department
    NACHA | The Electronic Payments Association
    13450 Sunrise Valley Drive, Suite 100
    Herndon, VA 20171
    Phone: 703-561-1100 Fax: 703-787-0996


    The malicious payload is at [donotclick]bwdlpjvehrka.ddns .info/links/calls_already_stopping.php hosted on 78.24.222.16 (TheFirst-RU, Russia). Blocking this IP address would be a good move."
    ___

    Intuit SPAM / montrealhotpropertyguide .com
    - http://blog.dynamoo.com/2012/10/intu...yguidecom.html
    23 Oct 2012 - "This fake Intuit spam leads to malware on montrealhotpropertyguide .com:
    Date: Tue, 23 Oct 2012 14:45:14 +0200
    From: "Intuit QuickBooks Customer Service" [35378B458 @aubergedesbichonnieres .com]
    Subject: Intuit QuickBooks Order
    Dear [redacted],
    Thank you for placing an order with Intuit QuickBooks!
    We have received your payment information and it is currently being processed.
    ORDER INFORMATION
    Order #: 366948851674
    Order Date: Oct 22, 2012
    [ View order ]
    Qty Item Price
    1 Intuit QuickBooks Pro Download 2 2012 $183.96***
    Subtotal:
    Sales Tax:
    Total for this Order: $183.96 $0.00 $183.96
    *Appropriate credit will be applied to your account.
    Please Note: Sales tax calculations are estimated. The final sales tax calculation will comply with local regulations.
    NEED HELP?
    Questions about your order? Please visit Customer Service.
    Join Us On Facebook
    Close More Sales
    Save Time
    Privacy | Legal | Contact Us | About Intuit
    You have received this business communication as part of our efforts to fulfill your request or service your account. You may receive this and other business communications from us even if you have opted out of marketing messages.
    If you receive an email message that appears to come from Intuit but that you suspect is a phishing email, please forward it immediately to spoof @intuit .com. Please visit http ://security.intuit .com/ for additional security information.
    Please note: This email was sent from an auto-notification system that cannot accept incoming email. Please do not reply to this message.
    © 2012 Intuit Inc. or its affiliates. All rights reserved.


    The malicious payload is on [donotclick]montrealhotpropertyguide .com/links/showed-clearest-about.php hosted on 64.111.26.15 (Data 102, US)."

    Last edited by AplusWebMaster; 2012-10-23 at 18:29.
