Thread: SPAM frauds, fakes, and other MALWARE deliveries...

    Thumbs down Fake 'Invoice','RE:' SPAM, Locky

    FYI...

    Fake 'Invoice' SPAM - malicious attachment
    - https://myonlinesecurity.co.uk/fw-invoice_515002/
    21 June 2016 - "An email pretending to be a sage invoice with the subject of 'FW: Invoice_515002' coming from “postmaster@footballplayers19.gq”@ footballplayers19 .gq; on behalf of; Leanna Sage Whitaker <postmaster@footballplayers19 .gq> with a zip attachment... We have been seeing a few emails over the last couple of weeks from the footballplayers*.g* domains. Some pure spam, some phishing and some malware. It looks like a mailing list that must have some vulnerability to allow external users to be sent emails via them. One of the emails looks like:
    From:”postmaster@footballplayers19.gq”@ footballplayers19 .gq; on behalf of; Leanna Sage Whitaker <postmaster@ footballplayers19 .gq>
    Date: Tue 21/06/2016 10:05
    Subject: FW: Invoice_515002
    Attachment:
    Please see attached copy of the original invoice (sage_invoice_131340_711410101502668.pdf).


    21 June 2016: sage_invoice_515002_3841674267107.zip: Extracts to: sage_invoice_225224_4233.exe
    Current VirusTotal detections 6/56*. Payload Security** shows it posts some information to a Ukrainian IP 217.12.199.87... This is another one of the files that, unless you have "show known file extensions" enabled, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/d...is/1466500334/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    217.12.199.87: https://www.virustotal.com/en/ip-add...7/information/
    ___

    Fake 'RE:' SPAM - Locky .js attachment
    - https://myonlinesecurity.co.uk/it-lo...locky-is-back/
    21 June 2016 - "It looks like Locky ransomware is back tonight with a series of generic emails pretending to be invoices with the subject of 'RE:' pretending to come from random senders with a zip attachment which downloads what looks suspiciously like Locky Ransomware... None of the auto analysers can effectively decode these encrypted javascripts inside the zips... One of the emails looks like:
    From: Titus Sampson <Sampson.FAC43DD@ melhonretail .com>
    Date: Tue 21/06/2016 18:16
    Subject: RE:
    Attachment: wilbarger_invoice_181696.zip
    Dear wilbarger:
    Please find attached our invoice for services rendered and additional disbursements in the above-
    mentioned matter.
    Hoping the above to your satisfaction, we remain.
    Sincerely,
    Titus Sampson
    General Manager


    21 June 2016: wilbarger_invoice_181696.zip: Extracts to: addition-546.js - Current VirusTotal detections 2/56*
    .. I am being told one of the sites containing an encrypted Locky binary is easysupport .us/fl85xie ... The basic rule is NEVER open any attachment to an email unless you are expecting it..."
    * https://www.virustotal.com/en/file/b...is/1466529396/

    easysupport .us: 198.58.93.28: https://www.virustotal.com/en/ip-add...8/information/
    >> https://www.virustotal.com/en/url/08...d3b2/analysis/

    Last edited by AplusWebMaster; 2016-06-22 at 06:52.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
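The two lures above rely on the same trick: a zip whose member is a `.exe` or `.js` carrying an invoice-style name, which Windows Explorer shows without its extension when "hide extensions for known file types" is on. The script below is an added example written for this page, not code from the post or from myonlinesecurity.co.uk. It reproduces what Explorer would display for each member name, then flags archive members by executable extension, document-then-executable double extension, an `MZ` header, and a few strings typical of Windows Script Host downloaders. The extension lists and indicator strings are my own assumptions, and the sample archives are constructed in memory with fabricated contents (only the file names come from the post); no real samples are used.

```python
"""Triage zipped e-mail attachments for the tricks described in the post:
an .exe or .js inside an invoice-themed zip, shown by Explorer without its
extension, or a document-looking name hiding executable content.
Sample archives are constructed in memory; no real malware is used."""
import io
import os
import zipfile

# Extensions the Windows shell or Windows Script Host runs on double-click (assumed list).
EXECUTABLE_EXTS = {
    ".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".vbe",
    ".js", ".jse", ".wsf", ".wsh", ".hta", ".ps1", ".lnk", ".jar",
}
# Document/image extensions the lure names imitate (assumed list).
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}
# Strings commonly present in WSH downloader scripts (heuristic, not a signature).
SCRIPT_INDICATORS = (b"ActiveXObject", b"WScript", b"eval(")


def displayed_name(filename):
    """What Explorer shows with 'hide extensions for known file types' on:
    the last extension disappears, so invoice.exe reads as 'invoice' and
    invoice.pdf.exe reads as 'invoice.pdf'."""
    base = os.path.basename(filename)
    stem, ext = os.path.splitext(base)
    return stem if ext.lower() in EXECUTABLE_EXTS | DOCUMENT_EXTS else base


def member_findings(filename, head):
    """Return the reasons an archive member is suspicious (empty list if none).
    `head` is the first few KB of the member's content."""
    base = os.path.basename(filename).lower()
    parts = base.split(".")
    exts = ["." + p for p in parts[1:]]
    final = exts[-1] if exts else ""
    reasons = []
    if final in EXECUTABLE_EXTS:
        reasons.append("executable/script extension " + final)
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS and final in EXECUTABLE_EXTS:
        reasons.append("double extension " + exts[-2] + final)
    if head[:2] == b"MZ":  # DOS/PE executable magic
        reasons.append("PE (MZ) header")
        if final not in EXECUTABLE_EXTS:
            reasons.append("PE content under a non-executable name")
    if final in {".js", ".jse", ".wsf", ".hta"} and any(s in head for s in SCRIPT_INDICATORS):
        reasons.append("WSH downloader indicators in script")
    return reasons


def scan_zip(blob):
    """Map each suspicious member of a zip (given as bytes) to its reasons."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(4096)  # enough for magic bytes and script indicators
            reasons = member_findings(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_zip(members):
    """Build an in-memory zip from {name: bytes}; used only for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed stand-ins for the two lures: names from the post, contents fabricated.
SAGE_ZIP = build_zip({"sage_invoice_225224_4233.exe": b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x00" * 64})
LOCKY_ZIP = build_zip({"addition-546.js": b"var s = new ActiveXObject('WScript.Shell'); eval(s);"})
# Extra constructed cases beyond the post: a double extension and an honest PDF.
DOUBLE_ZIP = build_zip({"invoice.pdf.exe": b"MZ" + b"\x00" * 100})
BENIGN_ZIP = build_zip({"invoice_515002.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"})

if __name__ == "__main__":
    for label, blob in [("sage", SAGE_ZIP), ("locky", LOCKY_ZIP), ("double", DOUBLE_ZIP), ("benign", BENIGN_ZIP)]:
        print(label, scan_zip(blob) or "clean")
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for name in zf.namelist():
                print("   Explorer would show:", displayed_name(name))
```

On a mail gateway the same checks would run over the decoded attachment bytes; the `MZ` test catches renamed executables that the extension checks miss, while the script-indicator test is deliberately loose because, as the post notes, these downloaders are obfuscated and automated decoding is unreliable.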
