Something evil on 85.214.64.153
FYI...
Something evil on 85.214.64.153
- http://blog.dynamoo.com/2013/06/some...521464153.html
17 June 2013 - "85.214.64.153 is an IP belonging to Strato AG in Germany, it appears to host some legitimate sites but the server seems to be serving up the Neutrino exploit kit (example*) which is being injected into -hacked- websites (specifically, malicious code is being appended to legitimate .js files on those sites)... Dynamic DNS domains are being abused in this attack... These sites are mostly flagged as malicious by Google, you can see some indicators of badness here** and here***..."
(More detail at the dynamoo URL above.)
* http://urlquery.net/report.php?id=3112582
** https://www.virustotal.com/en/ip-add...3/information/
*** http://urlquery.net/search.php?q=85....3-06-17&max=50
Diagnostic page for AS6724 (STRATO)
- https://www.google.com/safebrowsing/...c?site=AS:6724
"... over the past 90 days, 7173 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2013-06-17, and the last time suspicious content was found was on 2013-06-17... we found 909 site(s) on this network... that appeared to function as intermediaries for the infection of 7496 other site(s)... We found 1434 site(s)... that infected 14549 other site(s)..."
___
Account takeover attempts nearly double ...
- https://net-security.org/secworld.php?id=15077
17 June 2013 - "ThreatMetrix* announced its Cybercrime Index, a series of Web fraud data aggregated from 1,500 customers, 9,000 websites and more than 1.7 billion cyber events. In a recent six-month snapshot ending March 31, ThreatMetrix determined that attacks on new account registrations using spoofed and synthetic identities saw the highest rate of attacks followed by account logins and payment fraud...
> http://www.threatmetrix.com/wp-conte...me-Index1.jpeg
Based on data taken from October 2012 through March 2013, they saw account takeover attempts nearly double (168%). These types of attacks have traditionally focused on banking and brokerage sites, but have recently escalated across e-commerce sites that store credit card details and SaaS companies that hold valuable customer data that do not yet have the heightened level of protection as banking sites..."
* http://www.threatmetrix.com/threatme...over-6-months/
___
Rogue ads target EU users - Win32/Toolbar.SearchSuite through the KingTranslate PUA
- http://blog.webroot.com/2013/06/17/r...translate-pua/
June 17, 2013 - "... Tens of thousands of socially engineered European ads, who continue getting exposed to the rogue ads served through Yieldmanager’s network, are promoting more Potentially Unwanted Applications (PUAs) courtesy of Bandoo Media Inc and their subsidiary Koyote-Lab Inc...
Sample screenshots of the rogue KingTranslate PUA landing/download page:
1) https://webrootblog.files.wordpress....ng?w=659&h=496
2) https://webrootblog.files.wordpress....ng?w=592&h=550
... Rogue URL: kingtranslate .com – 109.201.151.95
Detection rate for the PUA: KingTranslateSetup-r133-n-bc.exe – MD5: 51d98879782d176ababcd8d47050f89f * ... Win32/Toolbar.SearchSuite...
We advise users to avoid using this application and to consider other free, legitimate translation services such as, for instance, Google Translate or Bing’s Translator."
* https://www.virustotal.com/en/file/3...7d00/analysis/
File name: KingTranslateSetup-r120-n-bu.exe
Detection ratio: 3/46
Analysis date: 2013-06-16
___
Dun & Bradstreet Complaint Spam
- http://threattrack.tumblr.com/post/5...complaint-spam
June 17, 2013 - "Subjects Seen:
FW : Complaint - [removed]
Typical e-mail details:
Dun & Bradstreet has received the above-referenced complaint from one of your customers regarding their dealings with you. The details of the consumer’s concern are included on the reverse. Please review this matter and advise us of your position.
In the interest of time and good customer relations, please provide the DnB with written verification of your position in this matter by June 28, 2013. Your prompt response will allow DnB to be of service to you and your customer in reaching a mutually agreeable resolution. Please inform us if you have contacted your customer directly and already resolved this matter.
The Dun & Bradstreet develops and maintains Reliability Reports on companies across the United States and Canada . This information is available to the public and is frequently used by potential customers. Your cooperation in responding to this complaint becomes a permanent part of your file with the Better Business Bureau. Failure to promptly give attention to this matter may be reflected in the report we give to consumers about your company.
We encourage you to print this complaint (attached file), answer the questions and respond to us.
We look forward to your prompt attention to this matter.
Malicious URLs
iguttersupply .com/ponyb/gate.php
micromeshleafguard .com/ponyb/gate.php
ornamentalgutters .com/ponyb/gate.php
radiantcarbonheat .com/ponyb/gate.php
sistersnstyle .co/4bnsSjBb.exe
destinationgreece .com/7tW.exe
backup.hellaswebnews .com/8P6j4.exe
elenaseller .net/jKK1NMDt.exe
Malicious File Name and MD5:
Case_<random>.zip (3001dc82f5cb98b60326e7f8490488cf)
Case_<random>.exe (9c862af9a540563488cdc1c61b9ef5f8)
Screenshot: https://gs1.wac.edgecastcdn.net/8019...osN1qz4rgp.png
___
Fake NewEgg .com SPAM / profurnituree .com
- http://blog.dynamoo.com/2013/06/newe...itureecom.html
17 June 2013 - "This fake NewEgg .com spam leads to malware on profurnituree .com:
Date: Mon, 17 Jun 2013 20:09:35 +0300 [13:09:35 EDT]
From: Newegg Auto-Notification [indeedskahu02 @services.neweg .com]
Subject: Newegg.com - Payment Charged ...
Screenshot: https://lh3.ggpht.com/-aC2D_mxMnTE/U...00/newegg3.png
The link goes through a legitimate -hacked- site and ends up on a malware landing page at [donotclick]profurnituree .com/news/posts_applied_deem.php (report here*) although the payload appears to be 404ing (I wouldn't trust that though). The domain is hosted on the following IPs:
124.232.165.112 (China Telecom, China)
186.215.126.52 (Global Village Telecom, Brazil)
190.93.23.10 (Greendot, Trinidad and Tobago)
202.147.169.211 (LINKdotNET Telecom Limited, Pakistan)
The domain registration details are fake... Below is a partial blocklist which I recommend you use in conjunction with this list.
124.232.165.112
186.215.126.52
190.93.23.10
202.147.169.211 ..."
* http://urlquery.net/report.php?id=3180371
