
Thread: SPAM frauds, fakes, and other MALWARE deliveries...

  1. #34
    AplusWebMaster (Adviser Team)

    Fake NACHA SPAM, ransomware kits...

    FYI...

    NACHA .ZIP file attachment spam
    - http://threattrack.tumblr.com/post/5...ttachment-spam
    June 1, 2013 - "Subjects Seen:
    ACH Payment rejected: #<uniq_id>
    Typical e-mail details:
    Ach payment canceled Transaction ID: #[removed] The ACH transaction, recently initiated from your checking account (by you or any other person), was canceled by the other financial institution.
    Transaction Status: Rejected Transaction ID: [uniq number removed]
    Amount : $
    To view more details for this transaction , please check the attached file .
    NACHA works to maintain the privacy of any personally identifiable information (name, mailing address, e-mail address, etc.) that may be collected though our Web site. This Web site has security measures in place; however, NACHA does not represent, warrant or guarantee that personal information will be protected against unauthorized access, loss, misuse or alterations. Similarly, NACHA disclaims liability for personal information submitted through this Web site. Users are hereby advised that they submit such personal information at their own risk.
    Thank you,
    13450 Sunrise Valley Drive
    Suite 100 Herndon
    VA 20171
    © 2013 NACHA - The Electronic Payments Association


    Malicious URLs
    Spam contains a malicious attachment.


    Screenshot: https://gs1.wac.edgecastcdn.net/8019...WMy1qz4rgp.png
    ___

    iOS7 announcement prompts themed ransomware kits
    - http://community.websense.com/blogs/...ware-kits.aspx
    May 31, 2013 - "... phishing domain related to the imminent release of the Apple iOS7 Operating System. As gossips circulate news in the wild about iOS7 after the D11 conference... cybercriminals are setting up a foundation for phishing and malicious activities...
    ios7news .net - 85.25.20.153 **
    > http://community.websense.com/cfs-fi...0.sshto004.PNG
    ... As a ransomware toolkit, Silence Locker can generate a malicious file associated with familiar police enforcement pictures, based on the country of the potential victims. For example, in the following page the fake FBI Cyber Squad Investigation team is bound with a binary file that has been uploaded:
    > http://community.websense.com/cfs-fi...1.sshto003.PNG
    ... we noticed that the AutoIT tool was used to package the malware. This conforms to the current trend of packaging malware to make detection more difficult. We continued our investigation by gathering some telemetry about the IP address that hosts this domain (ios7news .net). From what we discovered, it seems that this IP address is also used for other phishing domains... The domain "hxxp ://gamingdaily .us" is most likely a phishing domain for a gaming news website that is also used to host the exploit kit BleedingLife*... both IT news and rumors could be used by the attackers to leverage people's curiosity, as was done here. In this case, we can suppose (due to details such as the open directory access) that the attackers are going to use and configure that domain for malicious activities based on ransomware."
    * http://community.websense.com/blogs/...ploit-kit.aspx
    "... The Bleeding Life exploit kit uses exploits which can bypass ASLR and DEP, which means this product could be used successfully against Windows 7 and Windows Vista operating systems..."

    ** https://www.google.com/safebrowsing/...c?site=AS:8972

    Last edited by AplusWebMaster; 2013-06-01 at 15:24.
