FYI...
Rogue Chrome extension - tech support scam
- https://blog.malwarebytes.com/threat...-support-scam/
Feb 21, 2017 - "... Google Chrome... no surprise to see it being more and more targeted these days. In particular, less than reputable -ad- networks are contributing to the distribution of malicious Chrome extensions via very deceptive means... Google Chrome users are profiled based on the user-agent string they show whenever they visit a website. Rather than redirecting them to an exploit kit, they are often redirected to fake software updates, scams, or rogue browser extensions... Once installed, this extension ensures it stays in hiding by using a 1×1 pixel image as its logo... and by hooking chrome://extensions and chrome://settings such that any attempt to access those is automatically redirected to chrome://apps. That makes it much more difficult for the average user to see what extensions they have, let alone uninstalling one of them... 'wouldn’t be complete without a tech support scam which it seems one can’t avoid these days. If the user clicked on a new tab or typed a ‘forbidden’ keyword, the redirection chain would then deliver a -fake- Microsoft warning:
> https://blog.malwarebytes.com/wp-con...17/02/TSS1.png
... We detect and remove this one as Rogue.ForcedExtension.
IOCs:
Fake extension: pakistance .club: 104.27.185.37: https://www.virustotal.com/en/ip-add...7/information/
104.27.184.37: https://www.virustotal.com/en/ip-add...7/information/
lfbmleejnobidmafhlihokngmlpbjfgo
Backend server (ad fraud/malvertising):
amserver .info: 104.31.70.128: https://www.virustotal.com/en/ip-add...8/information/
104.31.71.128: https://www.virustotal.com/en/ip-add...8/information/
qma0.2dn .xyz: 173.208.199.163: https://www.virustotal.com/en/ip-add...3/information/
Tech support scam:
microsoft-official-warning .info: 66.23.230.31: https://www.virustotal.com/en/ip-add...1/information/
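Added example (not from the Malwarebytes post and not the extension's own code): a small Python heuristic that scans an unpacked Chrome extension directory for the two hiding tricks described above, a declared icon that decodes to a 1x1 pixel PNG, and background JavaScript that names chrome://extensions or chrome://settings together with chrome://apps and a tab-navigation API. The sample manifest, icon and background.js are constructed inline to exercise the scanner; the regex patterns are an assumed heuristic, not a signature taken from the real sample.

```python
"""Heuristic scan of an unpacked Chrome extension for the hiding tricks
described in the post: a 1x1-pixel icon and JS that redirects
chrome://extensions or chrome://settings to chrome://apps.
All sample files below are constructed; they are not the real extension."""
import json
import os
import re
import struct
import tempfile
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def png_dimensions(data: bytes):
    """Return (width, height) from the IHDR chunk, or None if not a PNG."""
    if not data.startswith(PNG_SIG) or data[12:16] != b"IHDR":
        return None
    return struct.unpack(">II", data[16:24])

# Assumed heuristic: a hooked chrome:// page, the chrome://apps target and a
# navigation API (tabs.update, webNavigation or webRequest listeners).
HOOKED_PAGES = re.compile(r"chrome://(extensions|settings)")
REDIRECT_TARGET = re.compile(r"chrome://apps")
NAV_API = re.compile(r"chrome\.(tabs\.update|webNavigation\.on\w+|webRequest\.on\w+)")

def scan_extension(ext_dir: str) -> list:
    """Return a list of human-readable findings for the extension in ext_dir."""
    findings = []
    with open(os.path.join(ext_dir, "manifest.json"), encoding="utf-8") as f:
        manifest = json.load(f)
    # 1. Any declared icon that is a 1x1 image (or is missing) is suspicious.
    for size, rel in manifest.get("icons", {}).items():
        try:
            with open(os.path.join(ext_dir, rel), "rb") as f:
                dims = png_dimensions(f.read())
        except OSError:
            findings.append(f"icon {size}: file {rel} missing")
            continue
        if dims == (1, 1):
            findings.append(f"icon {size}: {rel} is a 1x1 pixel image")
    # 2. Any JS file matching all three patterns looks like the redirect hook.
    for root, _, files in os.walk(ext_dir):
        for name in files:
            if not name.endswith(".js"):
                continue
            with open(os.path.join(root, name), encoding="utf-8", errors="replace") as f:
                src = f.read()
            if HOOKED_PAGES.search(src) and REDIRECT_TARGET.search(src) and NAV_API.search(src):
                findings.append(f"{name}: redirects chrome://extensions or chrome://settings to chrome://apps")
    return findings

def make_png(width: int, height: int) -> bytes:
    """Build a minimal valid 8-bit grayscale PNG for the constructed sample."""
    def chunk(tag, body):
        crc = zlib.crc32(tag + body) & 0xFFFFFFFF
        return struct.pack(">I", len(body)) + tag + body + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    raw = b"".join(b"\x00" + b"\x00" * width for _ in range(height))  # filter byte + row
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b"")

# Constructed background script mimicking the described behaviour.
SAMPLE_BG_JS = """
chrome.tabs.onUpdated.addListener(function (tabId, info, tab) {
  if (tab.url && (tab.url.indexOf('chrome://extensions') === 0 ||
                  tab.url.indexOf('chrome://settings') === 0)) {
    chrome.tabs.update(tabId, {url: 'chrome://apps'});
  }
});
"""

def build_sample_extension(hidden: bool) -> str:
    """Write a constructed extension to a temp dir; hidden=True adds both tricks."""
    d = tempfile.mkdtemp()
    size = 1 if hidden else 128
    with open(os.path.join(d, "icon.png"), "wb") as f:
        f.write(make_png(size, size))
    with open(os.path.join(d, "background.js"), "w", encoding="utf-8") as f:
        f.write(SAMPLE_BG_JS if hidden else "console.log('benign');\n")
    with open(os.path.join(d, "manifest.json"), "w", encoding="utf-8") as f:
        json.dump({"manifest_version": 2, "name": "sample", "version": "1.0",
                   "icons": {"128": "icon.png"},
                   "background": {"scripts": ["background.js"]}}, f)
    return d

if __name__ == "__main__":
    for hidden in (True, False):
        print("hidden" if hidden else "benign", scan_extension(build_sample_extension(hidden)))
```

Point it at a real unpacked extension directory (Chrome keeps them under the profile's Extensions folder) by calling scan_extension(path); an empty list means neither heuristic fired, not that the extension is clean.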
___
Fake 'Western Union' SPAM - delivers Java Adwind
- https://myonlinesecurity.co.uk/more-...r-java-adwind/
21 Feb 2017 - "... -fake- financial themed emails containing Java Adwind or Java Jacksbot attachments. I have previously mentioned many of these HERE[1]. We have been seeing these sorts of emails almost every day...
1] https://myonlinesecurity.co.uk/?s=java+adwind
The Java Adwind versions are exactly the same as yesterday's versions detailed HERE[2]. The zip once again contains -2- different sized and named java files; although named differently to yesterday's versions, they are identical.
2] https://myonlinesecurity.co.uk/spoof...s-java-adwind/
Screenshot: https://myonlinesecurity.co.uk/wp-co...rtra-rules.png
DETAILS OF PROHIBITED INDIVIDUALS SCREENED FOR THIS TRANSACTION AND MTCN.jar (507kb) VirusTotal 8/58* | Payload Security**
WESTERN UNION RTRA RULES AND REFUND IN FULL..jar (333kb) VirusTotal 8/57*** | Payload Security[4]
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/7...is/1487577130/
** https://www.hybrid-analysis.com/samp...ironmentId=100
*** https://www.virustotal.com/en/file/6...is/1487577144/
4] https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
83.243.41.200
___
BoA 'Access Locked' - phish
- https://myonlinesecurity.co.uk/bank-...phishing-scam/
21 Feb 2017 - "A slightly different phishing scam for a change. The phishing site is an FTP site, which is very unusual...
Screenshot: https://myonlinesecurity.co.uk/wp-co...ily-Locked.png
The link-in-the-email goes to: ftp ://121.170.178.35 /License/logon.htm
where you see a site looking like:
> https://myonlinesecurity.co.uk/wp-co...FTP_signon.png "
121.170.178.35: https://www.virustotal.com/en/ip-add...5/information/
> https://www.virustotal.com/en/url/31...2497/analysis/
___
'TurboTax' - phish
- https://myonlinesecurity.co.uk/turbo...date-phishing/
21 Feb 2017 - "Another phishing scam, this time TurboTax:
Screenshot: https://myonlinesecurity.co.uk/wp-co...unt-Update.png
The link goes to http ://whitesandscampground .com/images/www.turbotax.com/index.html where you see this page, asking for all the usual details to steal your identity as well as all your bank and credit card accounts and all your money:
> https://myonlinesecurity.co.uk/wp-co...shing-page.png "
whitesandscampground .com: 205.204.89.214: https://www.virustotal.com/en/ip-add...4/information/
> https://www.virustotal.com/en/url/29...26d6/analysis/