Thread: SPAM frauds, fakes, and other MALWARE deliveries...

  1. #34
    Adviser Team AplusWebMaster
    Join Date: Oct 2005
    Location: USA
    Posts: 6,881

    Fake AMEX SPAM, Dropbox malware, Threat Outbreak Alerts ...

    FYI...

    Fake AMEX SPAM - Activity Report – PDF malware
    - http://myonlinesecurity.co.uk/americ...e-pdf-malware/
    28 May 2014 - "Recent Activity Report – Incident #TCC6CVXM02FYBAE pretending to come from American Express [Whitney.Clinton@ americanexpress .com] is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers... Email looks like:
    As part of our security measures, we deliver appropriate monitoring of transactions and customers to identify potentially unusual or suspicious activity and transactions in the American Express online system.
    Please review the “Suspicious Activity Report” document attached to this email.
    Your Cardmember information is included in the upper-right corner of this document to help you recognize this as a customer service e-mail from American Express. To learn more about e-mail security or report a suspicious e-mail, please visit us at http ://www.americanexpress .com/phishing
    Thank you for your Cardmembership.
    Sincerely,
    Whitney.Clinton
    Tier III Support
    American Express Account Security
    Fraud Prevention and Detection Network
    Copyright 2014 American Express Company. All rights reserved.


    28 May 2014: Incident_TCC6CVXM02FYBAE.zip (10 kb): Extracts to Incident_1BBWHVO9AR3E263.scr (25kb)
    Current Virus total detections: 4/52*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/8...9d51/analysis/
    ___

    Fake eFax message SPAM - downloads malware from Dropbox
    - http://blog.dynamoo.com/2014/05/efax...nown-spam.html
    28 May 2014 - "This -fake- eFax message downloads malicious content from a Dropbox link.
    From: eFax [message@ inbound .efax .com]
    Date: 28 May 2014 13:12
    Subject: eFax message from "unknown" - 1 page(s), Caller-ID: 1-949-698-5643
    Fax Message [Caller-ID: 1-949-698-5643
    You have received a 1 page fax at Wed, 28 May 2014 09:11:44 GMT.
    * The reference number for this fax is atl_did1-1400166434-95058563842-154.
    Click here to view this fax using your PDF reader...


    The telephone number will vary from spam-to-spam, but the download link seems consistent and is [donotclick]dl.dropboxusercontent .com/s/uk0mlaixvbg52g2/Fax_938_391102933_1245561.zip?dl=1&token_hash=AAEUA5cH_mfvkp4l4CePv7t100XZKo4GBq6ZxY1UiElKyQ&expiry=1401269894 which leads to a ZIP file Fax_938_391102933_1245561.zip which unzips to a malicious executable Fax_938_391102933_1245561.scr. This binary has a VirusTotal detection rate of 6/53*. Automated reporting tools... show a download from landscaping-myrtle-beach .com/wp-content/uploads/2014/05/2805UKdw.dkt ... This last one makes a connection to innogate .co .kr for unknown reasons.
    Recommended blocklist:
    landscaping-myrtle-beach .com
    innogate .co.kr
    "
    * https://www.virustotal.com/en/file/2...is/1401279784/

    - http://myonlinesecurity.co.uk/update...e-pdf-malware/
    28 May 2014 - "... links to Dropbox in the spoofed Corporate eFax message email rather than the more usual attachment..."
    - https://www.virustotal.com/en-gb/fil...c29b/analysis/
    Screenshot: http://myonlinesecurity.co.uk/wp-con...3/12/efax2.png
    ___

    "TPPCO" PPI SMS spam
    - http://blog.dynamoo.com/2014/05/tppco-ppi-sms-spam.html
    28 May 2014 - "Despite some high-profile recent cases* where SMS spammers have been busted by the ICO, the wave of spam seems to be continuing. This one came less than an hour ago from +447729938098.

    Unsure if you qualify for a refund of PPI paid on a loan or credit card? Reply PPI and we will run a no obligation check or reply STOP to opt out. TPPCO

    I have no idea who "TPPCO" are, but they are a common sender of these spam messages. In this case, the spam was sent to a number that is TPS registered, and I believe that the approach is fraudulent in any case - in most cases the spammers will get paid for a lead even if it turns out that the claimant wasn't eligible. If you get one of these, you should forward the spam and the sender's number to your carrier. In the case of T-Mobile, O2 and Orange the number to report to is 7726 ("SPAM"). Vodafone customers should use 87726 ("VSPAM") and Three customers should use 37726 ("3SPAM"). Carriers and the ICO are cracking down on these scumbags, but they need reports from victims to gather enough evidence.
    You can also report persistent spam like this via the ICO's page on the subject, which might well end up in the spammers getting a massive fine."
    * http://ico.org.uk/news/latest_news/2...sages-22052014
    ___

    Threat Outbreak Alerts
    - http://tools.cisco.com/security/cent...utbreak.x?i=77
    Fake Invoice Notice Email Messages - 2014 May 28
    Fake Product Purchase Order Request Email Messages - 2014 May 28
    Fake Invoice Notice Email Messages - 2014 May 28
    Fake Court Appearance Request Email Messages - 2014 May 28
    Fake Product Purchase Order Request Email Messages - 2014 May 28
    Fake Shipping Documents Attachment Email Messages - 2014 May 28
    Fake Product Purchase Order Request Email Messages - 2014 May 28
    Fake Financial Transaction Notification Email Messages - 2014 May 28
    Fake Scanned Image Notification Email Messages - 2014 May 28
    Fake Financial Documents Email Messages - 2014 May 28
    Fake Product Sample Order Email Messages - 2014 May 28
    Fake Product Invoice Notification Email Messages - 2014 May 28
    Fake Fax Delivery Email Messages - 2014 May 28
    Fake Bank Account Statement Email Messages - 2014 May 28
    Fake Shipping Order Information Email Messages - 2014 May 28
    Fake Bank Payment Transfer Notification Email Messages - 2014 May 28
    Fake Unpaid Debt Invoice Email Messages - 2014 May 28
    Fake Product Order Email Messages - 2014 May 28
    (More detail and links at the cisco URL above.)

    Last edited by AplusWebMaster; 2014-05-29 at 01:36.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .
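Added example, not part of the original post or the quoted blogs: both lures above deliver a ZIP whose only member is a `.scr` executable posing as a PDF, so a mail or download filter can list the archive members without extracting them and flag anything Windows would run. The extension sets, function names and sample archives are assumptions constructed for this sketch; the `.scr` file name is the one reported above.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extensions Windows runs as programs; .scr (screensaver) is a PE executable.
EXECUTABLE_EXTS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}
# Extensions a lure typically pretends to be (assumed list).
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}


def inspect_zip_attachment(data: bytes) -> list[dict]:
    """Return one finding per archive member that Windows would execute."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Windows strips trailing dots/spaces, so strip them before parsing.
            name = PurePosixPath(info.filename.replace("\\", "/")).name.rstrip(". ")
            suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
            if not suffixes or suffixes[-1] not in EXECUTABLE_EXTS:
                continue
            is_pe = None  # stays unknown for encrypted members
            if not info.flag_bits & 0x1:
                with zf.open(info) as fh:
                    is_pe = fh.read(2) == b"MZ"
            findings.append({
                "member": info.filename,
                "extension": suffixes[-1],
                "double_extension": len(suffixes) > 1 and suffixes[-2] in DOCUMENT_EXTS,
                "pe_header": is_pe,
            })
    return findings


def build_sample_zip(members: dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP from constructed sample members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: harmless bytes that carry only the "MZ" magic.
LURE = build_sample_zip({"Incident_1BBWHVO9AR3E263.scr": b"MZ" + b"\x00" * 62})
CLEAN = build_sample_zip({"report.pdf": b"%PDF-1.4\n"})
```

The check works on names and the first two bytes only, so it never writes the member to disk; a gateway would quarantine any message where `inspect_zip_attachment` returns a non-empty list.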
