
Thread: SPAM frauds, fakes, and other MALWARE deliveries...

  1. #1301
    Adviser Team AplusWebMaster
    Join Date: Oct 2005
    Location: USA
    Posts: 6,881

    Fake 'Secure email' SPAM, Fake 'Bank login' - Phish

    FYI...

    Fake 'Secure email' SPAM - delivers Trickbot
    - https://myonlinesecurity.co.uk/trick...ments-malspam/
    14 Nov 2017 - "An email with the subject of 'Secure email message' pretending to come from Lloyds Bank but actually coming from... look-a-like or typo-squatting domains and email addresses <secure@ lloydsconfidential .com>
    or <secure@ lloydsbankdocs .com> or <secure@ lloydsbankconfidential .com> with a malicious word doc attachment is today’s latest -spoof- of a well-known company, bank or public authority delivering Trickbot banking Trojan...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...loyds-Bank.png

    Despite the instructions in the email to use the Authorisation code in the word doc, there is nowhere to enter it and it is not needed. The criminals are relying on you being fooled by this simple Social Engineering trick persuading you to enable Macros and content to infect you & steal your Money, Passwords and Bank details.
    They tell you ”Note: Contents of this document are protected and secured. If you have problems viewing/loading secure content, please select “Enable Content” button.”
    Do -NOT- enable Macros or Content under any circumstances. That will infect you...

    Today’s example of the -spoofed- domains are, as usual, registered via Godaddy as registrar.
    lloydsconfidential .com hosted on and sending emails via 185.106.121.78
    free.hostsailor .com AS60117 Host Sailor Ltd.
    lloydsbankconfidential .com hosted on and sending emails via 95.211.104.108 hosted-by.swiftslots .com
    AS60781 LeaseWeb Netherlands B.V.
    lloydsbankdocs .com hosted on and sending emails via 134.19.180.151 134191801511.onlinemarketmix .com AS49453 Global Layer B.V.

    doc1_46.doc - Current Virus total detections 3/59*. Payload Security**...
    This malware file downloads from
    http ://simplicitybystrasser .com/images/logo.png which of course is -not- an image file but a renamed .exe file that gets renamed to a .exe file. (VirusTotal 9/68***).
    An alternative download location is
    http ://lhelectrique .com/logo.png
    This email attachment contains a genuine word doc with a macro script that when run will infect you.

    The word doc looks like:
    > https://myonlinesecurity.co.uk/wp-co...oc1_46_doc.png

    DO NOT follow the advice they give to enable macros or enable editing to see the content..."
    * https://www.virustotal.com/en/file/d...is/1510661006/
    doc1_46.doc

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    DNS Requests
    216.239.36.21
    23.235.209.96

    Contacted Hosts
    23.235.209.96
    216.239.36.21
    92.63.107.222
    91.211.247.94


    *** https://www.virustotal.com/en/file/4...e952/analysis/
    logo.png

    simplicitybystrasser .com: 23.235.209.96: https://www.virustotal.com/en/ip-add...6/information/
    > https://www.virustotal.com/en/url/f4...5de7/analysis/

    lhelectrique .com: 173.209.38.131: https://www.virustotal.com/en/ip-add...1/information/
    > https://www.virustotal.com/en/url/3a...7a81/analysis/
    ___

    Fake 'Bank login' - Phish...
    - https://myonlinesecurity.co.uk/fake-...ount-phishing/
    14 Nov 2017 - "... phishing attempts for Bank login details. This one is actually quite effective when you get to the site. As you can see from the screenshots, it is very easy to be fooled by the
    http ://www.halifax-online .co.uk.personal.logon.login.jsp at the start of the URL in the browser address bar
    (Highlighted in Yellow) where the real web address you are sent to is lifextension .ro (Highlighted in Green)...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...4_nov_2017.png

    ... If you follow the-link-inside-the-email you first get sent to
    https ://superjasa .com/wp-admin/js/widgets/x86x.php which immediately redirects you to
    http ://www.halifax-online .co.uk.personal.logon.login.jsp.1510638768542.lifextension .ro/RT28JASHHDAS02/Login.php?sslchannel=true&sessionid=WR3WM0KHcrFBC45ugtRa7iFomyQGXFz5fraRrou3vd4QceX3svWxy82f4JzNRFdeGOjHnwfj5iI0UJ2T

    where you see a webpage looking like this:
    > https://myonlinesecurity.co.uk/wp-co...ension.ro_.png

    ... Both sites involved in this phish are likely to be -compromised- sites, being used without the website owner's knowledge
    http ://lifextension .ro - 76.72.173.69: https://www.virustotal.com/en/ip-add...9/information/

    There is a message on the home page for lifextension .ro warning that the hosting agreement for this page has expired! but the hosts/resellers have only put that on the home page -not- on any subdomains so the phish stays active... the DCM software “company” is a webdesigner and hosting reseller, who aren’t taking security of their client’s sites seriously enough. By the layout and design of their own website they must think of style over substance and mistakes and errors don’t matter (various missing & broken links, including social media buttons going nowhere):
    - https://myonlinesecurity.co.uk/wp-co...tension_ro.png

    > https://www.virustotal.com/en/url/31...ca0b/analysis/

    Has a malware prompt on its home page, luckily the file is hosted-on-Dropbox & no longer available for download.

    superjasa .com: 202.52.146.30: https://www.virustotal.com/en/ip-add...0/information/

    Last edited by AplusWebMaster; 2017-11-14 at 17:12.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .
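The Halifax phish above works because the browser shows the bank's domain at the start of a very long hostname while the registrable domain (lifextension .ro) sits at the end. As an added example, not code from the original post or from myonlinesecurity.co.uk, the Python below splits a hostname into subdomain and registrable domain and flags the patterns seen in that URL; the public-suffix table, brand tokens and allowlist are assumptions constructed for the example.

```python
"""Spot lookalike hostnames that hide a bank's domain in front of an unrelated site.

Added example, not code from the original posts or from myonlinesecurity.co.uk.
"""
from urllib.parse import urlsplit

# Minimal public-suffix table covering the hosts discussed in the post above.
# Assumption: a production tool would load the full Public Suffix List instead.
PUBLIC_SUFFIXES = {"co.uk", "uk", "ro", "com", "info", "email"}

# Brand tokens taken from the spoofed URLs and sender domains in the post.
BRAND_TOKENS = ("halifax", "lloyds", "barclays", "bankline")

# Registrable domains treated as legitimate for those brands (constructed
# allowlist for this example; maintain your own from official sources).
ALLOWLIST = {"halifax-online.co.uk"}


def split_host(host):
    """Return (subdomain, registrable_domain) using the longest matching suffix.

    For 'www.halifax-online.co.uk.personal.login.lifextension.ro' the
    registrable domain is 'lifextension.ro'; everything in front of it is a
    subdomain that whoever controls lifextension.ro can name freely.
    """
    labels = host.lower().rstrip(".").split(".")
    for n in range(len(labels) - 1, 0, -1):  # longest candidate suffix first
        if ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[:-(n + 1)]), ".".join(labels[-(n + 1):])
    return "", ".".join(labels)


def analyse_host(host):
    """Classify one hostname; returns a dict with the verdict and the reasons."""
    host = host.lower()
    subdomain, registrable = split_host(host)
    result = {"host": host, "registrable": registrable, "suspicious": False, "reasons": []}
    if registrable in ALLOWLIST:
        return result  # the brand's own site; deep paths there are fine
    reasons = result["reasons"]
    hits = [t for t in BRAND_TOKENS if t in host]
    if hits and any(t in subdomain for t in hits):
        reasons.append("brand name appears only in the subdomain; the real site is " + registrable)
    elif hits:
        reasons.append("brand name inside an unrecognised registrable domain " + registrable)
    depth = subdomain.count(".") + 1 if subdomain else 0
    if depth >= 5:
        reasons.append("unusually deep hostname (%d subdomain labels)" % depth)
    if any(label.isdigit() and len(label) >= 10 for label in subdomain.split(".")):
        reasons.append("long numeric label (timestamp-like) used to make the host unique")
    result["suspicious"] = bool(reasons)
    return result


def analyse_url(url):
    """Wrapper that extracts the hostname (user@ prefixes, paths and queries are ignored)."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return analyse_host(parts.hostname or "")


if __name__ == "__main__":
    # Hosts from the post above (defanging spaces removed, sessionid shortened).
    samples = [
        "http://www.halifax-online.co.uk.personal.logon.login.jsp.1510638768542.lifextension.ro/RT28JASHHDAS02/Login.php?sslchannel=true",
        "https://www.halifax-online.co.uk/",
        "secure@lloydsconfidential.com",
    ]
    for s in samples:
        r = analyse_url(s)
        print(("SUSPICIOUS " if r["suspicious"] else "ok         ") + r["registrable"], r["reasons"])
```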

  2. #1302

    Fake 'Bankline' SPAM, Android Trojan in Google Play

    FYI...

    Fake 'Bankline' SPAM - delivers Trickbot
    - https://myonlinesecurity.co.uk/fake-...anking-trojan/
    15 Nov 2017 - "An email with the subject of 'You have a new secure message' pretending to come from Bankline but actually coming from a look-a-like or typo-squatting domain <message@ banklinemail .com> with a link-in-the-email body to download a malicious word doc attachment is today’s latest spoof of a well-known company, bank or public authority delivering Trickbot banking Trojan
    Today The Trickbot delivery method has changed somewhat. First, they have a link-in-the-email body to download a word doc. Next they have gone with a generic Bankline sender and domain. There are several banks using the Bankline name, including RBS (Royal Bank of Scotland), NatWest, Ulster Bank and a Bitcoin-Bank-Account called Bankline... no idea which one they are trying to imitate today but it cleverly covers all of them & spreads the net wider than usual. There is also only 1 download location for the Trickbot payload today, they normally have 2. It looks like they have messed up the PowerShell script that gets created by the macro and the 2nd url isn’t being formed correctly...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...re-message.png

    Today’s example of the spoofed domains are, as usual, registered via Godaddy as registrar.
    banklinemail .com hosted on 160.153.129.238 Godaddy AS26496 but also sending emails via 185.106.121.234 | 95.211.104.113 | 46.21.144.11 | 134.19.180.163 | all of which pass authentication and have correct records set.
    Despite the instructions in the email to use the Authorisation code in the word doc, there is nowhere to enter it and it is not needed. The criminals are relying on you being fooled by this simple Social Engineering trick persuading you to 'enable Macros' and content to infect you & steal your Money, Passwords and Bank details.
    They tell you Note: Contents of this document are protected and secured. If you have problems viewing/loading secure content, please select “Enable Content” button.
    Do NOT enable Macros or Content under any circumstances. That will infect you.

    8d6ba737-775e8bdc-f95f16f3-1b460259.doc - Current Virus total detections 2/59*. Payload Security**..
    This malware file downloads from
    http ://aperhu .com/ser111517.png which of course is -not- an image file but a renamed .exe file that gets renamed to tdhq.exe (VirusTotal 11/59***).
    This email attachment contains a genuine word doc with a macro script that when run will infect you.
    The word doc looks like:
    > https://myonlinesecurity.co.uk/wp-co...460259_doc.png
    ... DO NOT follow the advice they give to enable macros or enable editing to see the content..."
    * https://www.virustotal.com/en/file/5...is/1510740562/
    Secure Message.doc

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    DNS Requests
    127.0.0.2
    127.0.0.4
    78.47.139.102
    143.95.252.46

    Contacted Hosts
    143.95.252.46
    78.47.139.102
    92.63.97.68
    194.87.110.139


    *** https://virustotal.com/en/file/efa4f...7e8d/analysis/
    ser111517.png

    aperhu .com: 143.95.252.46: https://www.virustotal.com/en/ip-add...6/information/
    > https://www.virustotal.com/en/url/92...7e8c/analysis/
    ___

    Android Trojan malware discovered in Google Play
    - https://blog.malwarebytes.com/cyberc...d-google-play/
    Nov 14, 2017 - "A new piece of mobile malware has been discovered in Google Play masquerading as multiple apps: an alarm clock app, a QR scanner app, a compass app, a photo editor app, an Internet speed test app, and a file explorer app. According to Google Play data, all were last updated between October and November 2017. These dates are likely when they were added to Google Play, based on their low version numbers (e.g. 1.0, 1.0.1). We named this new malware variant Android/Trojan.AsiaHitGroup based on a URL found within the code of these malicious APKs...
    this QR scanner is short lived. You only get one chance to use the app, because after clicking out of it, the icon disappears! Out of frustration, you may immediately go to your apps list to uninstall this bizarre-behaving QR scanner, but good luck finding it... there appears to be no fail-proof way to stop malware from entering the Play store. This is where a second layer of protection is strongly recommended. By using a quality mobile anti-malware scanner, you can stay safe even when Google Play Protect fails..."
    (More detail at the malwarebytes URL above.)

    > https://www.helpnetsecurity.com/2017...r-google-play/
    Nov 16, 2017 - "Google has removed from Google Play eight apps that have served as downloaders for Android banking malware..."

    Last edited by AplusWebMaster; 2017-11-16 at 15:43.

  3. #1303

    Suspicious Domains, Fake 'Re:payment', 'Confidential account documents' SPAM

    FYI...

    Suspicious Domains Tracking ...
    - https://isc.sans.edu/diary/rss/23046
    2017-11-16 - "Domain names remain a gold mine to investigate security incidents or to prevent some malicious activity to occur on your network...
    Happy hunting!
    [1] https://isc.sans.edu/suspicious_domains.html
    [2] https://en.wikipedia.org/wiki/Domain...tion_algorithm
    [3] http://securityaffairs.co/wordpress/...ll-switch.html
    [4] http://misp-project.org/
    [5] https://blog.rootshell.be/2017/10/31...ing-misp-iocs/ "

    (MUCH more detail at the isc URL above.)


    ___

    Fake 'Re:payment' SPAM - delivers malware
    - https://myonlinesecurity.co.uk/fake-...ivers-malware/
    16 Nov 2017 - "An email with the subject of 'Re:payment' coming from [redacted]@ cs .com with a zip attachment which contains some sort of malware...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...ent_cs_com.png

    Bank receipt pdf.zip: Extracts to: Bank receipt pdf.exe - Current Virus total detections 15/68*. Hybrid Analysis**...
    This malware file attempts to download from these -3- sites:
    http ://www.plasticbags .info/na/?id=ct7EX847F+fIn3VkER7xV/XU/exdWHV6LvmrngXmar4Pbag2la+n0AnpQnxVHV21Mp6i4Q==&Lv18=bLUdWtwp4bJhJP -or-
    http ://www.nettopolis .email/na/?id=DetlfAibiVhB/jSD5CdGOk3sftJHeNpzwT01DHDpstch9neoK+a+bAVv0IXcSJ5QPSyr6g==&Lv18=bLUdWtwp4bJhJP
    -both- of which fail to respond. Both sites are hosted on Godaddy (184.168.221.53) and have a temporary holding / domain parking page with the usual adverts. Both sites were registered in early September 2017. Either Godaddy has exploitable vulnerabilities on their Domain Parking pages or they were registered by criminals who haven’t set up the domains properly yet.
    http ://www.marlow-and-co .com/na/?id=mLSZLOZGg8XOoWhtThKSW1hFX7QHeHYwxlPs7+FwgoIusw3OZOrPJE6119RFPiuJf6vG8Q==&Lv18=bLUdWtwp4bJhJP&sql=1
    which is hosted in Japan (183.90.253.3) and gives a 404...
    The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/7...is/1510806654/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    File Details
    Bank receipt pdf.exe
    DNS Requests
    No relevant DNS requests were made.
    Contacted Hosts
    No relevant hosts were contacted...

    plasticbags .info: 50.63.202.62: https://www.virustotal.com/en/ip-add...2/information/

    nettopolis .email: 184.168.221.53: https://www.virustotal.com/en/ip-add...3/information/

    marlow-and-co .com: 183.90.253.3: https://www.virustotal.com/en/ip-add...3/information/
    ___

    Fake 'Confidential account documents' SPAM - delivers Trickbot
    - https://myonlinesecurity.co.uk/fake-...anking-trojan/
    16 Nov 2017 - "An email with the subject of 'Confidential account documents' pretending to come from Barclays Bank but actually coming from a look-a-like or typo-squatted domain <secure@ barclaysdocuments .com> with a malicious word doc attachment is today’s latest spoof of a well-known company, bank or public authority delivering Trickbot banking Trojan. The attachment has random numbers protected**.doc ...
    Today’s example of the spoofed domains are, as usual, registered via Godaddy as registrar.
    barclaysdocuments .com hosted on and emails sent via 134.19.180.171 | 94.100.21.212 | 185.117.74.216 | 94.75.219.142 |

    Screenshot: https://myonlinesecurity.co.uk/wp-co...-documents.png

    Protected80.doc - Current Virus total detections 5/55*. Payload Security**...
    This malware file downloads from
    http ://simplicitybystrasser .com/images/ser.png which of course is -not- an image file but a renamed .exe file that gets renamed to Aqv6.exe (VirusTotal 10/68***).
    This email attachment contains a genuine word doc with a macro script that when run will infect you.
    The word doc looks like:
    > https://myonlinesecurity.co.uk/wp-co...cted80_doc.png
    ... You -cannot- enter the password because that is an-image of a password-entry-box and they hope you will enable the macros (DON'T) ... and get infected...
    DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/4...is/1493724795/
    SecureMessage.doc

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    DNS Requests
    216.138.226.110
    50.19.97.123
    Contacted Hosts
    216.138.226.110
    50.19.97.123
    186.208.111.188
    82.146.94.86


    *** https://www.virustotal.com/en/file/a...is/1510840036/
    Aqv6.exe

    simplicitybystrasser .com: 23.235.209.96: https://www.virustotal.com/en/ip-add...6/information/
    > https://www.virustotal.com/en/url/86...b00f/analysis/

    Last edited by AplusWebMaster; 2017-11-16 at 19:08.

  4. #1304

    Fake 'Product Enquiry' SPAM

    FYI...

    Fake 'Product Enquiry' SPAM - delivers Nanocore RAT
    - https://myonlinesecurity.co.uk/fake-...-nanocore-rat/
    17 Nov 2017 - "An email with the subject of 'Product Enquiry' pretending to come from Robert Osuna Sales <roberto. osuna76@mail .com> with a malicious Excel XLS spreadsheet attachment delivers NanoCore Remote Access Trojan...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...ct_enquiry.png

    These are actually coming via an automated mailing service based in Russia, who despite sending malware are complying with the various anti-spam laws worldwide by having an unsubscribe link in the email body. I do not recommend using the -unsubscribe- link. That is an almost guaranteed way to get your email address added to a load more spam and malware lists. The blurry image in the XLS spreadsheet is a Social Engineering trick to persuade you to enable editing & content (macros) so they can infect you.
    DO NOT enable Editing or Content (macros) under any circumstances:
    > https://myonlinesecurity.co.uk/wp-co...nquiry_xls.png

    Product Enquiry.xls - Current Virus total detections 14/61*. Hybrid Analysis**...
    This malware downloads from
    http ://cryptovoip .in/awedfs/DDF_outputCEAA78F.exe (VirusTotal 18/68[3]) (Hybrid Analysis[4])...
    Email Headers and malware sites details:
    191.96.249.92 - smtp4.digitalsearchengine .in - Moscow...
    balajipacker .com registered 27/09/2017 using Godaddy as registrar hosted on 191.96.249.92
    cryptovoip .in 103.21.58.122 Probably a hacked compromised server not knowingly involved in hosting the malware payload...
    DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/d...is/1510851227/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    DNS Requests
    181.215.247.234
    103.21.58.122

    Contacted Hosts
    103.21.58.122
    201.174.233.241
    181.215.247.234


    3] https://www.virustotal.com/en/file/c...is/1510899976/
    DDF_outputCEAA78F[1].exe

    4] https://www.hybrid-analysis.com/samp...ironmentId=100
    DNS Requests
    181.215.247.234
    Contacted Hosts
    201.174.233.241
    181.215.247.234


    digitalsearchengine .in: A temporary error occurred during the lookup...

    cryptovoip .in: 103.21.58.122: https://www.virustotal.com/en/ip-add...2/information/
    > https://www.virustotal.com/en/url/23...702a/analysis/


  5. #1305

    Fake 'scanned from' SPAM

    FYI...

    Fake 'scanned from' SPAM - delivers Ransomware
    - https://myonlinesecurity.co.uk/necur...pier-messages/
    23 Nov 2017 - "... It is almost as if they have timed the new version to spam out on Thanksgiving day in USA, where the AV companies and security teams are off on their long weekend holiday... downloaders from the Necurs botnet... an email with the subject of 'scanned from (printer or scanner name)' pretending to come from copier@ your own email address or company domain... definitely ransomware but doesn’t look like Locky. The ransom note is very different. These all have -blank- email bodies with just an attachment and the subject...
    Update I am being told it is Scarab Ransomware... The new ransom note is called 'IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT'... The subjects in this vary but are all copier or scanner related:
    Scanned from Lexmark
    Scanned from HP
    Scanned from Canon
    Scanned from Epson


    P_rek.zip: Extracts to: image2017-11-22-5864621.vbs - Current Virus total detections 4/57*. Hybrid Analysis**
    | Anyrun Beta[3] | Joesecurity[4] |
    This downloads from (in this example, there will be -dozens- of other download sites)
    http ://pamplonarecados .com/JHgd476? (VirusTotal 8/66[5])
    One of the emails looks like:
    From: copier@ victimsdomain .com
    Date: Thu 23/11/2017 06:28
    Subject: Scanned from HP
    Attachment: image2017-11-23-4360760.7z
    Body content:

    EMPTY


    The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/e...is/1511423196/
    image2017-11-22-5864621.vbs

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    DNS Requests
    5.2.88.79
    88.99.66.31

    Contacted Hosts
    5.2.88.79
    88.99.66.31


    3] https://app.any.run/tasks/839d4f49-1...6-8aead1ea33a8

    4] https://jbxcloud.joesecurity.org/analysis/445266/1/html

    5] https://www.virustotal.com/en/file/4...is/1511422910/
    JHgd476

    pamplonarecados .com: 5.2.88.79: https://www.virustotal.com/en/ip-add...9/information/
    > https://www.virustotal.com/en/url/23...655f/analysis/


  6. #1306

    Fake 'Invoice' SPAM, Persistent drive-by cryptomining

    FYI...

    Fake 'Invoice' SPAM - delivers ransomware
    - https://myonlinesecurity.co.uk/necur...fake-invoices/
    30 Nov 2017 - "... from the Necurs botnet... an email with an -empty- body with the subject of 'FL-610025 11.30.2017' (random numbers) pretending to come from 'Invoicing' @ random email addresses. Today it is Globeimposter -not- Locky ransomware being delivered via this malspam campaign from the Necurs botnet...
    One of the emails looks like:
    From: Invoicing <Invoicing@random company >
    Date: Thu 30/11/2017 09:18
    Subject: FL-610025 11.30.2017
    Attachment: FL-610025 11.30.2017.7z

    Body content: Completely empty


    FL-610025 11.30.2017.7z: Extracts to: FL-432927.vbs - Current Virus total detections 9/60*. Hybrid Analysis**...
    Downloads from
    http ://datenhaus .info/JHGcd476334? (as usual there will be dozens of different download sites - (VirusTotal 10/66[3])... Other download sites that I have been notified about:
    mh-service .ru/JHGcd476334?
    awholeblueworld .com/JHGcd476334?
    ... The ransom payment link is to
    http ://n224ezvhg4sgyamb .onion/sup .php where you see a pretty bland page giving this link to make enquiries... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/b...is/1512033616/
    FL-432927.vbs

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    DNS Requests
    85.214.205.231
    Contacted Hosts
    85.214.205.231

    3] https://www.virustotal.com/en/file/7...is/1512033503/
    d4ddf8bf.exe

    datenhaus .info: 85.214.205.231: https://www.virustotal.com/en/ip-add...1/information/
    > https://www.virustotal.com/en/url/1b...abcf/analysis/

    mh-service .ru: 89.253.235.118: https://www.virustotal.com/en/ip-add...8/information/
    > https://www.virustotal.com/en/url/fa...725b/analysis/

    awholeblueworld .com: 66.36.173.215: https://www.virustotal.com/en/ip-add...5/information/
    > https://www.virustotal.com/en/url/76...30eb/analysis/
    ___

    Persistent drive-by cryptomining...
    - https://blog.malwarebytes.com/cyberc...wser-near-you/
    Nov 29, 2017 - "... we are witnessing more and more cases of abuse involving the infamous 'Coinhive' service that allows websites to use their visitors to mine the Monero cryptocurrency. Servers continue to get hacked with mining code, and plugins get hijacked and affect hundreds or even thousands of sites at once... we have come across a technique that allows dubious website owners or attackers that have compromised sites to keep mining for Monero even after the browser window is closed. Our tests were conducted using the latest version of the Google Chrome browser. Results may vary with other browsers. What we observed was the following:
    A user visits a website, which silently loads cryptomining code.
    CPU activity rises but is not maxed out.
    The user leaves the site and closes the Chrome window.
    CPU activity remains higher than normal as cryptomining continues:
    > https://blog.malwarebytes.com/wp-con...den_mining.gif
    The trick is that although the visible browser windows are closed, there is a hidden one that remains opened. This is due to a 'pop-under' which is sized to fit right under the taskbar and hides behind the clock. The hidden window’s coordinates will vary based on each user’s screen resolution... If your Windows theme allows for taskbar transparency, you can catch a glimpse of the rogue window. Otherwise, to expose it you can simply resize the taskbar and it will magically pop it back up:
    > https://blog.malwarebytes.com/wp-con...os_compare.png
    ... Mitigation: This type of 'pop-under' is designed to bypass adblockers and is a lot harder to identify because of how cleverly it hides itself. Closing the browser using the “X” is no longer sufficient. The more technical users will want to run Task Manager* to ensure there is no remnant running browser processes and terminate them.
    * https://www.howtogeek.com/66622/stup...-task-manager/
    Alternatively, the taskbar will still show the browser’s icon with slight highlighting, indicating that it is still running:
    > https://blog.malwarebytes.com/wp-con...mitigation.png

    ... Nearly two months since Coinhive’s inception, browser-based cryptomining remains highly popular, but for all the wrong reasons. Forced mining (no opt-in) is a bad practice, and any tricks like the one detailed in this blog are only going to erode any confidence some might have had in mining as an ad replacement. History shows us that trying to get rid of ads failed before, but only time will tell if this will be any different.
    Unscrupulous website owners and miscreants alike will no doubt continue to seek ways to deliver drive-by mining, and users will try to fight back by downloading more adblockers, extensions, and other tools to protect themselves. If malvertising wasn’t bad enough as is, now it has a new weapon that works on all platforms and browsers."
    Indicators of compromise:
    145.239.64.86,yourporn[.]sexy,Adult site
    54.239.168.149,elthamely[.]com,Ad Maven popunder
    52.85.182.32,d3iz6lralvg77g[.]cloudfront.net,Advertiser's launchpad
    54.209.216.237,hatevery[.]info,Cryptomining site

    - https://centralops.net/co/DomainDossier.aspx
    hatevery .info
    52.72.157.243
    54.156.6.169
    52.200.89.230
    52.54.161.204
    54.84.183.12
    34.237.128.64 ...
    'Fast Flux' network: https://www.welivesecurity.com/2017/...networks-work/

    - https://www.helpnetsecurity.com/2017...-close-window/
    Nov 30, 2017

    Last edited by AplusWebMaster; 2017-12-01 at 14:34.

  7. #1307

    Fake 'Visa notification', 'invoice' SPAM

    FYI...

    Fake 'Visa notification' SPAM - delivers malware
    - https://myonlinesecurity.co.uk/fake-...ivers-malware/
    1 Dec 2017 - "An email with the subject of Fwd:... (recipient’s name) pretending to come from Pamela <logo@ mensperl .edu> (probably random senders) with a malicious word doc attachment...
    Update: I am reliably informed that it is Sigma ransomware[1] which appears to only run on a real computer, not a VM or Sandbox...
    1] https://twitter.com/pcrisk/status/936534360148402176

    Screenshot: https://myonlinesecurity.co.uk/wp-co...a_scan_doc.png

    derek_scan.doc - Current Virus total detections 0/60*... Hybrid Analysis** (I forgot to try to insert password in the settings)
    Word doc with password removed (VirusTotal 23/61***) (Hybrid Analysis[4]). This malware downloads from
    http ://ypg7rfjvfywj7jhp .onion.link/icon.jpg -renamed- to svchost.exe by-the-macro on download
    (VirusTotal 24/67[5]) (Hybrid Analysis[6])...
    Word doc when first opened looks like this and you need to insert the password from the email body:
    > https://myonlinesecurity.co.uk/wp-co..._pw_needed.png
    Word doc after inserting password, telling you to enable editing & content:
    > https://myonlinesecurity.co.uk/wp-co...doc_enable.png
    ... DO NOT follow the advice they give to enable macros or enable editing to see the content... Do NOT enable Macros or editing under any circumstances... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/b...is/1512109411/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100

    *** https://www.virustotal.com/en/file/e...is/1512110582/

    4] https://www.hybrid-analysis.com/samp...ironmentId=100


    5] https://www.virustotal.com/en/file/6...a24c/analysis/
    icon.jpg

    6] https://www.hybrid-analysis.com/samp...ironmentId=100

    ___

    Fake 'invoice' SPAM - delivers Globeimposter ransomware
    - https://myonlinesecurity.co.uk/necur...n-attachments/
    1 Dec 2017 - "... from the Necurs botnet... an email with the subject of '12_Invoice_6856' (random numbers) coming from random email addresses... The bland email has what pretends to be a word doc attachment. It is NOT a word doc but a wrongly named .7z (zip) file. If you rename the 001_0343.doc to 001_0343.doc.7z it can be easily extracted to give a working vbs file...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...6856_email.png

    001_0343.doc.7z: Extracts to: I912798654581.vbs - Current Virus total detections 9/60*. Hybrid Analysis**...

    This particular example downloads from (there will be several others)
    http ://pdj .co .id/UYTd46732? (VirusTotal 7/68[3])...
    The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/9...is/1512125181/
    I912798654581.vbs

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    DNS Requests
    202.169.44.166
    Contacted Hosts
    202.169.44.166
    88.99.66.31


    3] https://www.virustotal.com/en/file/e...is/1512125396/
    UYTd46732.exe

    pdj .co .id: 202.169.44.166: https://www.virustotal.com/en/ip-add...6/information/
    > https://www.virustotal.com/en/url/78...4742/analysis/

    Last edited by AplusWebMaster; 2017-12-01 at 15:43.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  8. #1308 AplusWebMaster (Adviser Team)

    'Avalanche/Andromeda' takedown, PayPal phish

    FYI...

    'Avalanche' takedown - with 'Andromeda'
    - http://blog.shadowserver.org/2017/12...ith-andromeda/
    Dec 4, 2017 - "On December 1st last year, the successful takedown* of the long-running criminal Avalanche double fast-flux platform was announced by a consortium of international public and private partners, including The Shadowserver Foundation. This unprecedentedly complex operation was the culmination of over four years of law enforcement and technical work, and impacted over twenty different malware families that utilized over 832,000 different DNS domains for Domain Generation Algorithms (DGAs) in -60- top level domains. Sinkhole data from the Avalanche platform is available each day in Shadowserver’s free of charge daily reports to national CERTs and network owners... with many victim computers still to be disinfected (you can find tools for disinfection here[1])...
    * http://blog.shadowserver.org/2016/12/01/avalanche/
    ...
    1] https://avalanche.shadowserver.org/
    ... On 29 November 2017, the Federal Bureau of Investigation (FBI), in close cooperation with the Luneburg Central Criminal Investigation Inspectorate in Germany, Europol’s European Cybercrime Centre (EC3), the Joint Cybercrime Action Task Force (J-CAT), Eurojust and private-sector partners The Shadowserver Foundation, Microsoft, The Registrar of Last Resort, Internet Corporation for Assigned Names and Numbers (ICANN) and associated domain registries, Fraunhofer Institute for Communication, Information Processing and Ergonomics (FKIE), and the German Federal Office for Information Security (BSI), as well as law enforcement representatives from Australia, Austria, Belarus, Belgium, Canada, Finland, France, Italy, Montenegro, the Netherlands, Poland, Singapore, Spain, the United Kingdom and Taiwan, announced** that they had dismantled one of the longest running malware families in existence – Andromeda (also known as Gamarue). At the same time, they also continued their existing legal and technical actions against over 848,000 Avalanche related command and control (C2) domains, to continue to protect existing victims and provide more time for any remaining victims to be identified and remediated...
    ** https://www.europol.europa.eu/newsro...yber-operation
    ... They successfully extended and expanded sinkholing of the -21- malware families that made use of the Avalanche platform, and the associated takedown of the -Andromeda-botnet- is another great example of how complex international operations can successfully be jointly executed by a combination of cross-disciplinary public and private partners in the ongoing fight against cyber criminals globally."
    (More detail at the URL at the top.)

    > https://avalanche.shadowserver.org/stats/

    > http://blog.shadowserver.org/wp-cont...romeda-map.png

    > https://www.justice.gov/opa/pr/joint...nown-avalanche
    Dec 1, 2017 - "... The operation involves arrests and searches in five countries. More than -50- Avalanche servers worldwide were taken offline..."
    Press Release Number: 16-1409
    ___

    PayPal phish - 'verify transactions'
    - https://blog.malwarebytes.com/cyberc...ns-dont-do-it/
    Dec 1, 2017 - "There’s a number of -fake- PayPal emails going around right now claiming that a 'recent transaction can’t be verified'... Here are two examples of how these mails are being named from one of our mailboxes:
    > https://blog.malwarebytes.com/wp-con...hish-mails.jpg
    Here’s the most recent email in question:
    > https://blog.malwarebytes.com/wp-con...phish-mail.jpg
    Clicking the button takes potential victims to a -fake- PayPal landing page, which tries very hard to direct them to a “resolution center”:
    > https://blog.malwarebytes.com/wp-con...nding-page.jpg
    The URL is:
    myaccounts-webapps-verify-updated-informations(dot)epauypal(dot)com/myaccount/e6abe

    epauypal(dot)com: A temporary error occurred during the lookup...

    From here, it’s a quick jump to two pages that ask for the following slices of personal information and payment data:
    1. Name, street address, city, state, zip, country, phone number, mother’s maiden name, and date of birth
    2. Credit card information (name, number, expiration code, security code)
    > https://blog.malwarebytes.com/wp-con...fo-request.jpg
    ... Whatever your particular spending circumstance, wean yourself away from clicking on -any- email-link where claims of payment or requests for personal information are concerned. Take a few seconds to manually navigate to the website in question and log in directly instead. If there are any payment hiccups happening behind the scenes, you can sort things out from there. Scammers are banking on the holiday rush combined with the convenience of “click link, do thing” to steal cash out from under your nose..."

    - https://www.helpnetsecurity.com/2017...iday-phishing/
    Dec 4, 2017
    ___

    > https://www.databreaches.net/paypal-...-major-breach/
    Dec 4, 2017

    > https://www.theregister.co.uk/2017/1...o_data_breach/
    Dec 4, 2017

    > http://www.tio.com/
    Dec 1, 2017

    Last edited by AplusWebMaster; 2017-12-04 at 23:01.

  9. #1309 AplusWebMaster (Adviser Team)

    Fake 'Message' SPAM

    FYI...

    Fake 'Message' SPAM - delivers Globeimposter ransomware
    - https://myonlinesecurity.co.uk/globe...nter-messages/
    5 Dec 2017 - "... downloaders from the Necurs botnet... an email with the subject of 'Message from G10PR0378651 .victimsdomain .com' pretending to come from random names at your own email address or company domain... The attachment says it is a zip file but is actually a 7z file renamed to zip...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...0PR0378651.png

    201712054051.zip: Extracts to: MSC000000981631.vbs - Current Virus total detections 2/59*. Hybrid Analysis**...
    This particular version downloads from
    http ://rorymartin8 .info/hudgy356? (there will be dozens of others) (VirusTotal 4/56[3])...
    The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/7...is/1512468367/
    MSC000000981631.vbs

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    DNS Requests
    192.185.193.214
    Contacted Hosts
    192.185.193.214

    3] https://www.virustotal.com/en/file/c...is/1512468259/

    rorymartin8 .info: 192.185.193.214: https://www.virustotal.com/en/ip-add...4/information/
    > https://www.virustotal.com/en/url/7f...6399/analysis/

    Last edited by AplusWebMaster; 2017-12-05 at 14:52.

  10. #1310 AplusWebMaster (Adviser Team)

    Fake 'documents' SPAM, Google update 'glitch'

    FYI...

    Fake 'documents' SPAM - delivers Trickbot
    - https://myonlinesecurity.co.uk/trick...ments-malspam/
    6 Dec 2017 - "... an email containing the subject of 'Confidential account documents' pretending to come from Lloyds Bank but actually coming from a look-a-like or typo-squatted domain <secure@ lloyds-commercial .com > with a malicious word doc attachment is today’s latest spoof of a well-known company, bank or public authority delivering Trickbot banking Trojan...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...l_trickbot.png

    Protected32.doc - Current Virus total detections 3/59*. Hybrid Analysis**...
    This malware docx file downloads from
    http ://undergroundis .com/images/logo.png which of course is -not- an image file but a renamed .exe file that gets renamed to Wkob.exe (VirusTotal 13/67***)... DO NOT follow the advice they give to enable macros or enable editing to see the content..."
    * https://www.virustotal.com/en/file/3...is/1512558154/
    Protected32.doc

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    DNS Requests
    216.239.36.21
    192.254.225.208

    Contacted Hosts
    192.254.225.208
    216.239.36.21
    185.158.114.106
    92.53.66.115


    *** https://www.virustotal.com/en/file/2...is/1512558724/

    undergroundis .com: 192.254.225.208: https://www.virustotal.com/en/ip-add...8/information/
    > https://www.virustotal.com/en/url/bf...f625/analysis/
    ___

    Google update 'glitch' disconnects student Chromebooks in schools across the U.S.
    - https://www.geekwire.com/2017/report...ls-across-u-s/
    Dec 5, 2017 at 4:59 pm - "... Tens of thousands, perhaps millions, of Google Chromebooks, widely prized by schools due to their low cost and ease of configuration, were reported to be offline for several hours on Tuesday. The apparent cause? A seemingly -botched- WiFi policy update pushed out by Google that caused many Chromebooks to forget their approved network connection, leaving students disconnected.
    Google first gave schools a heads-up via Twitter after the fact, indicating there was a fix.
    'We're aware of a wifi connectivity outage that affected some Chromebooks today. The issue is resolved. To get your Chromebooks online: reboot & manually join a WiFi network or connect via ethernet to receive a policy update. Sorry for the disruption & thank you for your patience.
    — Google For Education (@GoogleForEdu) December 5, 2017'
    - https://twitter.com/GoogleForEdu/sta...rc=twsrc%5Etfw
    That disclosure led to dismayed reaction by educators, some of whom had Chromebook installations in the thousands... GeekWire reached out to Google for more information about the cause and scope of the Chromebook issue, and will update this post if more details become available."

    > https://cdn.geekwire.com/wp-content/...ogle120517.png

    Current Status: http://downdetector.com/status/google
    'Google problems last 24 hours'

    >> https://support.google.com/chrome/a/answer/7583402
    Article last updated on Dec 6, 2017

    Last edited by AplusWebMaster; 2017-12-06 at 22:37.
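Three of the reports above (#1307, #1309, #1310) turn on the same trick: an attachment whose extension says one thing (.doc, .zip, .png) while its bytes are something else (a 7z archive, a Windows executable). The following Python check, added here and not taken from the forum post or the linked articles, flags that kind of extension/content mismatch; the filenames are the ones the posts report, but the header bytes are constructed samples, not the real attachments.

```python
from pathlib import PurePath

# Leading-byte signatures for the file types involved in the reports above.
SIGNATURES = {
    b"\x37\x7a\xbc\xaf\x27\x1c": "7z",            # 7-Zip archive
    b"PK\x03\x04": "zip",                         # ZIP, also OOXML (.docx)
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole",   # legacy .doc/.xls (OLE2)
    b"MZ": "pe",                                  # Windows executable
    b"\x89PNG\r\n\x1a\n": "png",
}

# Content types that are legitimate for a claimed extension. Word opens
# OOXML (zip) content even when it is named .doc, so both are allowed there.
EXPECTED = {
    ".doc": {"ole", "zip"},
    ".docx": {"zip"},
    ".zip": {"zip"},
    ".7z": {"7z"},
    ".png": {"png"},
    ".exe": {"pe"},
}

def sniff(data: bytes) -> str:
    """Return the content type implied by the first bytes, or 'unknown'."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return "unknown"

def check_attachment(name: str, data: bytes) -> dict:
    """Compare the claimed extension with the sniffed content type.

    Extensions not listed in EXPECTED are not judged (mismatch=False)."""
    ext = PurePath(name).suffix.lower()
    actual = sniff(data)
    allowed = EXPECTED.get(ext)
    mismatch = allowed is not None and actual not in allowed
    return {"name": name, "ext": ext, "actual": actual, "mismatch": mismatch}

# Constructed sample headers (not real malware); only the leading bytes matter.
SAMPLES = {
    "001_0343.doc": b"\x37\x7a\xbc\xaf\x27\x1c" + b"\x00" * 26,      # 7z named .doc
    "201712054051.zip": b"\x37\x7a\xbc\xaf\x27\x1c" + b"\x00" * 26,  # 7z named .zip
    "logo.png": b"MZ\x90\x00" + b"\x00" * 60,                        # PE named .png
    "report.docx": b"PK\x03\x04" + b"\x00" * 26,                     # genuine OOXML
}

def scan(samples=SAMPLES):
    """Run the check over every sample and return the results."""
    return [check_attachment(n, d) for n, d in samples.items()]

if __name__ == "__main__":
    for r in scan():
        print(f"{r['name']:18} claims {r['ext']:6} is {r['actual']:8}",
              "MISMATCH" if r["mismatch"] else "ok")
```

A mail gateway or sandbox can apply the same comparison to every attachment before it reaches a user; the extension is whatever the sender chose, the magic bytes are not.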
