
Thread: SPAM frauds, fakes, and other MALWARE deliveries...

  1. #91 - AplusWebMaster (Adviser Team; Join Date: Oct 2005; Location: USA; Posts: 6,881)

    Fake "SecureMessage" SPAM ...

    FYI...

    Fake "SecureMessage" SPAM / infiesdirekt .asia, pacesetting .asia and siteswillsrockf .net
    - http://blog.dynamoo.com/2012/12/secu...irektasia.html
    23 Dec 2012 - "Another fake "SecureMessage" spam leading to malware, the same in principle as this spam run* and again hosted on the same Serverius-owned** IPs of 46.249.42.161 and 46.249.42.168. There are several variants of the spam, but they are all very similar and look something like this:
    Date: Sun, 23 Dec 2012 14:26:32 +0530
    From: "Secure.Message"
    Subject: Alert: New message
    Click here to view the online version.
    Hello [redacted],
    You have 4 new messages.
    Read now
    Copyright 2012 SecureMessage. All rights reserved.
    If you would like to update your profile or unsubscribe, please click here.
    PLEASE DO NOT REPLY TO THIS MESSAGE.
    If you require Technical Support, please check Support Center for information.


    ... suspect that there is more malicious activity in the 46.249.42.0/24 range and blocking access to it would be a very good thing to do. These are the malicious domains that I can currently identify on those IPs..."
    (Long list at the dynamoo URL above.)
    * http://blog.dynamoo.com/2012/12/new-...ived-spam.html

    ** https://www.google.com/safebrowsing/...?site=AS:50673

    Last edited by AplusWebMaster; 2012-12-24 at 06:38.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #92 - AplusWebMaster

    Pharma/Eastern bloc SPAM...

    FYI...

    Eastern bloc SPAM...
    - http://blog.dynamoo.com/2012/12/godl...-athiests.html
    25 Dec 2012 - "... eastern bloc... spammers are sending out today.
    Date: Tue, 25 Dec 2012 22:56:51 -0700
    From: "Ticket Support"
    Subject: Password Assistance
    Thank you for your letter of Dec 25, your information arrived today.
    Alright, here's the link to the site:
    Proceed to Site
    If we can help in any way, please do not hesitate to contact us.
    Regards, Yuonne Ferro, Support Team manager.


    Some variants of the body text:
    - "Thank you for contacting us, your information arrived today."
    - "Thank you for your letter regarding our products and services, your information arrived today."
    - "Thank you for considering our products and services, your information arrived today."
    Some alternative sender names: "Jonie Gunther", "Noreen Macklin", "Bonny Oconnell". The spamvertised site is hosted on 84.22.104.123, which is Cyberbunker*. Given their awful reputation, I am surprised that they haven't been de-peered. Yet. There's certainly nothing of value at all in the 84.22.96.0/19 range, blocking the whole lot will cause you no harm. These are the other spammy domains on the same IP..."
    (More detail at the dynamoo URL above.)
    * https://en.wikipedia.org/wiki/CyberB...siness_Network
    "... a host of the infamous Russian Business Network cyber-crime gang..."

    > https://www.google.com/safebrowsing/...?site=AS:34109
    ___

    Pharmaceutical scammers spamvertise YouTube emails - counterfeit drugs...
    - http://blog.webroot.com/2012/12/25/p...terfeit-drugs/
    Dec 25, 2012 - "Pharmaceutical scammers are currently spamvertising a YouTube themed email campaign, attempting to socially engineer users into clicking on the links found in the legitimate-looking emails. Upon clicking on the fake YouTube personal message notification, users are -redirected- to a website reselling popular counterfeit drugs. The cybercriminals behind the campaign then earn revenue through an affiliate network...
    Sample screenshot of the spamvertised email:
    > https://webrootblog.files.wordpress....ng?w=373&h=244
    Once users click on the link found in the email, they’re redirected to the following holiday-themed pharmaceutical web site:
    > https://webrootblog.files.wordpress...._01.png?w=1009
    Spamvertised URL: hxxp ://roomwithaviewstudios .com/inherits.html
    Landing URL: hxxp ://canadapharmcanadian .net – 109.120.138.155
    ... fraudulent pharmaceutical sites have also been known to respond to the same IP (109.120.138.155)...
    (More detail at the webroot URL above.)...

    This isn’t the first time that we’ve intercepted attempts by pharmaceutical scammers to socially engineer potential customers into clicking on the links found in legitimate-looking emails. In the past, we’ve found fake Google Pharmacies and emails impersonating YouTube and Twitter, as well as Facebook Inc., in an attempt to add more authenticity and legitimacy to their campaigns. We expect to see -more- of these campaigns in 2013, with a logical peak over the next couple of days, so watch what you click on, don’t enter your credit card details on websites found in spam emails, and never bargain with your health."
    ___

    Fake E-billing SPAM / proxfied .net
    - http://blog.dynamoo.com/2012/12/e-bi...oxfiednet.html
    26 Dec 2012 - "There are various e-billing spam emails circulating today, pointing to malware on proxfied .net:
    Date: Wed, 26 Dec 2012 18:49:37 +0300
    From: alets-no-reply @customercenter .citibank .com
    Subject: Your Further eBill from Citibank Credit Card
    Member: [redacted]
    Add alerts@ serviceemail2. citibank .com to your address book to ensure delivery.
    Your Account: Important Warning
    New eBill Available
    Account Number: **************8
    Due Date: 12/28/2012
    Amount Due: 175.36
    Minimum Amount Due: 175.36
    How do I view this bill?
    1. Sign on to Citibank Online using this link.
    2. Use the Payments Menu to find the bill mentioned in this message.
    3. Select View Bill to review your bill details. Select the icon to see your bill summary.
    Please don't reply to this message.
    If you have any questions about your bill, please contact Citibank Credit Card directly. For online payment questions, please choose Bill Payment from the menu.
    E-mail Security Zone
    At the top of this message, you'll see an E-mail Security Zone. Its purpose is to help you examine that the e-mail was actually sent by Citibank. If you have questions, please visit our help center. To learn more about fraud, click "Security" at the bottom of the screen.
    To set up alerts sign on by clicking this link and go to Account Profile.
    I prefer not to have this email contain specific information from my statement. Please send me just the announcement that my statement is ready to view online.
    View Your Account Pay Your Bill Contact Us
    Privacy | Security
    Email Preferences
    If you want to communicate with us in writing concerning this email, please direct your correspondence to:
    Citibank Customer Care Service
    P. O. Box 6200
    Sioux Hills, SD 57870
    Help / Contact Us
    If you have questions about your account, please use our secure message center by signing on at by clicking this link and clicking on "Contact Us" from the "Help / Contact Us" menu.
    2012 Citibank, N.A.
    All rights reserved.
    Citi, Citibank and Citi with Arc Design are registered service marks of Citigroup Inc.
    3843054050826645
    1/LO/439463/221/1I/6H/EH/7126/SYSTEF1 /E5225514741628064/2187

    ====================
    (More sample FAKE emails shown at the dynamoo URL above.)

    The malicious payload is at [donotclick]proxfied.net/detects/inform_rates.php hosted on 59.57.247.185 in China (a well-known malware IP address) along with these following malicious domains:
    sessionid0147239047829578349578239077 .pl
    latticesoft .net
    proxfied .net
    ..."
    ___

    Fake NACHA SPAM / bunakaranka .ru:
    - http://blog.dynamoo.com/2012/12/nach...karankaru.html
    26 Dec 2012 - "This fake ACH / NACHA spam leads to malware on bunakaranka .ru:
    Date: Wed, 26 Dec 2012 06:48:11 +0100
    From: Tagged [Tagged @taggedmail .com]
    Subject: Re: Fwd: Banking security update.
    Dear Online Account Operator,
    Your ACH transactions have been
    temporarily disabled.
    View details
    Best regards,
    Security department


    The malicious payload is on [donotclick]bunakaranka .ru:8080/forum/links/column.php hosted on the following well-known IPs:
    91.224.135.20 (Proservis UAB, Lithuania)
    187.85.160.106 (Ksys Soluções Web, Brazil)
    210.71.250.131 (Chunghwa Telecom, Taiwan)
    Plain list:
    91.224.135.20
    187.85.160.106
    210.71.250.131

    Associated domains..."

    Last edited by AplusWebMaster; 2012-12-26 at 23:40.

  3. #93 - AplusWebMaster

    Fake Twitter/UPS/E-ticket SPAM ...

    FYI...

    Fake Twitter DM emails leads to Canadian Pharma SPAM
    - http://www.gfi.com/blog/fake-twitter...n-pharma-spam/
    Dec 27, 2012 - "We’re seeing quite a few of these “Can I use your…” style messages arriving in mailboxes, taking the form of fake Twitter DM notifications. The most common fakeouts seem to be asking about videos and photographs.
    > http://www.gfi.com/blog/wp-content/u...icpublish1.png
    "Hello, Can i publish link to your photo on my web page?" Another one says:
    "Hi. Can i publish link to your video on my home page?"
    In both cases, the emails will lead end-users to sites that are most definitely not Twitter. Some of the URLs are offline, but here’s one that is still standing:
    > http://www.gfi.com/blog/wp-content/u...icpublish2.jpg
    Festive Pharma spam – probably not what you need in your post-Xmas stocking. Do your best to steer clear of these."
    ___

    Fake British Airways E-ticket receipts serve malware
    - http://blog.webroot.com/2012/12/26/c...serve-malware/
    Dec 26, 2012 - "... Cybercriminals have resumed spamvertising fake British Airways themed E-receipts — we intercepted the same campaign back in October — in an attempt to trick its customers into executing the malicious attachment found in the emails...
    Sample screenshot of the spamvertised email:
    > https://webrootblog.files.wordpress....ware.png?w=553
    Sample detection rate for the malicious attachment:
    MD5: b46709cf7a6ff6071a6342eff3699bf0 * ... Worm:Win32/Gamarue.I
    Upon execution, it creates the following mutex on infected hosts: SHIMLIB_LOG_MUTEX
    It also initiates POST requests to the following IP: 87.255.51.229/ff/image.php
    As well as DNS requests to the following hosts:
    zzbb45nnagdpp43gn56 .com – 87.255.51.229
    a9h23nuian3owj12 .com – 87.255.51.229
    zzbg1zv329sbgn56 .com – 87.255.51.229
    http ://www.update .microsoft .com – 65.55.185.26
    ddbbzmjdkas .us
    ddbbzmjdkas .us
    The IPs are currently sinkholed by Abuse.ch..."
    * https://www.virustotal.com/file/fa3e...is/1356554124/
    File name: BritishAirways-eticket.exe
    Detection ratio: 39/46
    Analysis date: 2012-12-26
    ___

    Fake ‘UPS Delivery Confirmation Failed’ emails lead to BlackHole Exploit Kit
    - http://blog.webroot.com/2012/12/27/f...e-exploit-kit/
    Dec 27, 2012 - "... cybercriminals are currently mass mailing tens of thousands of emails impersonating UPS, in an attempt to trick users into clicking on the malicious links found in the legitimate-looking emails. Once they click on the links, they’re automatically exposed to the client-side exploits served by the BlackHole Exploit kit...
    Sample screenshot of the spamvertised email:
    > https://webrootblog.files.wordpress...._kit.png?w=603
    Sample spamvertised compromised URLs:
    hxxp ://www.aberdyn .fr/letter.htm
    hxxp ://www.aberdyn .fr/osc.htm
    Sample client-side exploits serving URLs:
    hxxp ://apendiksator .ru:8080/forum/links/column.php
    hxxp ://sectantes-x .ru:8080/forum/links/column.php
    Sample malicious payload dropping URL:
    hxxp://sectantes-x .ru:8080/forum/links/column.php?uvt=0a04070634&wvqi=33&yrhsb=3307093738070736060b&vjppc=02000200020002
    Client-side exploits served: CVE-2010-0188
    Although we couldn’t reproduce the client-side exploitation taking place through these domains in the time of posting this analysis, we know that on 2012-09-27 one of the domains (sectantes-x .ru) also served client-side exploits, and dropped a particular piece of malware – MD5: 9f86a132c0a5f00705433632879a20b9 * ... Trojan-Ransom.Win32.PornoAsset.abup.
    Upon execution, the sample phones back to the following command and control servers:
    178.77.76.102 (AS20773)
    91.121.144.158 (AS16276)
    213.135.42.98 (AS15396)
    207.182.144.115 (AS10297)
    More MD5s are known to have phoned back to the same IPs..."
    * https://www.virustotal.com/file/56e0...9be3/analysis/
    File name: e284d8a62b6d75b6818ed1150dde2a8bcc3489ee
    Detection ratio: 27/42
    Analysis date: 2012-09-30


  4. #94 - AplusWebMaster

    Fake IRS SPAM ... 2012.12.28

    FYI...

    Fake IRS SPAM / tv-usib .com
    - http://blog.dynamoo.com/2012/12/irs-...v-usibcom.html
    28 December 2012 - "This fake IRS spam leads to malware on tv-usib .com:
    Date: Thu, 27 Dec 2012 22:14:44 +0400
    From: Internal Revenue Service [information @irs .gov]
    Subject: Your transaction is not approved
    Your Income Tax outstanding transaction (ID: 3870703170305), recently ordered for processing from your checking account was rejected by Internal Revenue Service payment processing unit.
    Canceled Tax transfer
    Tax Transaction ID: 3870703170305
    Rejection ID See details in the report below
    Federal Tax Transaction Report tax_report_3870703170305.pdf (Adobe Acrobat Document)
    Internal Revenue Service 3192 Aliquam Rd. Edmond 65332 Oregon


    The malicious payload is at [donotclick]tv-usib .com/detects/property-mass-dollar_figure.php hosted on the well-known IP of 59.57.247.185 in China. The following malicious domains appear to be on that IP:
    sessionid0147239047829578349578239077.pl
    tv-usib .com
    proxfied .net
    timesofnorth .net
    latticesoft .net ..."

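    The Citibank e-bill, NACHA and IRS lures quoted in posts #92 and #94 share one structure: a trusted brand in the display name or subject, a From address that is either unrelated (Tagged, LinkedIn) or simply forged (information @irs .gov), and a link that points at a throwaway domain. The script below is an added example, not code from the forum post or from the dynamoo/webroot write-ups; the brand-to-domain table and the two sample messages are constructed for illustration, and the public-suffix handling is deliberately crude (last two labels).

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed brand table (assumption for illustration): brands the quoted lures
# impersonate, mapped to domains that brand legitimately sends from or links to.
BRAND_DOMAINS = {
    "citibank": {"citibank.com", "citi.com"},
    "internal revenue service": {"irs.gov"},
    "irs": {"irs.gov"},
    "better business bureau": {"bbb.org"},
    "bbb": {"bbb.org"},
}

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)


def registrable(host):
    """Crude registrable domain (last two labels); no public-suffix list is used."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def claimed_brands(text):
    """Brands named as whole words in the display name, subject or body."""
    return {b for b in BRAND_DOMAINS
            if re.search(r"\b%s\b" % re.escape(b), text, re.I)}


def analyse(raw):
    """Return the reasons a message looks like a brand-impersonation lure."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    from_dom = registrable(addr.split("@")[-1]) if "@" in addr else ""
    body = "" if msg.is_multipart() else msg.get_payload()
    findings = []

    brands = claimed_brands(" ".join([display, msg.get("Subject", ""), body]))
    legit = set().union(*[BRAND_DOMAINS[b] for b in brands]) if brands else set()

    # 1. The header From is trivially forged (the IRS lure uses irs.gov), so a
    #    match proves nothing; a mismatch is still a cheap early signal.
    for b in sorted(brands):
        if from_dom not in BRAND_DOMAINS[b]:
            findings.append(f"claims {b!r} but From domain is {from_dom or 'missing'}")

    # 2. The link is where the attacker cannot lie: it has to reach their host.
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if brands and registrable(host) not in legit:
            findings.append(f"link to off-brand host {host}")

    # 3. If the receiving MTA recorded SPF/DKIM, a failure on a forged From is decisive.
    auth = msg.get("Authentication-Results", "").lower()
    if "spf=fail" in auth or "dkim=fail" in auth:
        findings.append("sender authentication failed")
    return findings


# Constructed sample modelled on the IRS lure above (forged irs.gov sender,
# link to the payload domain named in the post).
SAMPLE_LURE = """\
From: Internal Revenue Service <information@irs.gov>
Subject: Your transaction is not approved
Authentication-Results: mx.example; spf=fail smtp.mailfrom=irs.gov
Content-Type: text/plain

Your Income Tax outstanding transaction was rejected.
See details: http://tv-usib.com/detects/property-mass-dollar_figure.php
"""

# Constructed benign counterpart: brand, sender domain and link all agree.
SAMPLE_LEGIT = """\
From: IRS <noreply@irs.gov>
Subject: Reminder
Content-Type: text/plain

Visit https://www.irs.gov/ for details.
"""

if __name__ == "__main__":
    for name, raw in (("lure", SAMPLE_LURE), ("legit", SAMPLE_LEGIT)):
        print(name, analyse(raw))
```

    Note that on the IRS sample the From-domain check passes, because the sender forged irs.gov outright; the off-brand link and the SPF failure are what flag it. That is the practical lesson from these campaigns: judge the message by where its links go and by the authentication results your own MTA recorded, not by the name in the From header.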

  5. #95 - AplusWebMaster

    Malware sites to block - 2 Jan 2013

    FYI...

    Malware sites to block - 2 Jan 2013
    - http://blog.dynamoo.com/2013/01/malw...lock-2113.html
    2 Jan 2013 - "The following sites and IPs seem to be active today, being pushed out by spam campaigns. I'll post email samples when I get them...
    91.224.135.20
    187.85.160.106
    210.71.250.131
    afjdoospf .ru
    akionokao .ru
    bilainkos .ru
    bumarazhkaio .ru
    bunakaranka .ru
    ..."
    ___

    Malware sites to block - 2 Jan 2013 part II
    - http://blog.dynamoo.com/2013/01/malw...3-part-ii.html
    2 Jan 2013 - "Here's a bunch of malicious IPs and domains to block, mostly based on this in-depth research* at the Malware Must Die! blog.
    * http://malwaremustdie.blogspot.com/2...m-up-with.html
    As far as I can see, the domains in use are exclusively compromised consumer PCs dotted around the globe, rather than compromised or evil web servers... so the ISPs are pretty irrelevant in this case. This type of infected host has a relatively short shelf-life, possibly just a few days, so you may or may not want to add them to your blocklist.
    IPs... Domains ..."
    (Long list at the dynamoo URL above.)


  6. #96 - AplusWebMaster

    Twitter Phish DMs 2013.01.04

    FYI...

    Twitter Phish DMs: “This profile on Twitter is spreading nasty blogs around about you”
    - http://www.gfi.com/blog/twitter-phis...und-about-you/
    Jan 4, 2013 - "... the following missive doing the rounds on Twitter via DMs on compromised accounts:
    > http://www.gfi.com/blog/wp-content/u.../twitspam1.jpg
    There’s a number of URLs and fake logins being posted right now to users in a wide range of geographical locations, and it all comes down to Twitter phishing with at least one of the phish URLs being registered to an individual claiming to be located in Shanghai, China. That particular site - ivtvtter(dot)com – is currently offline (and also listed in Phishtank*)... attempting to log in would result in a 404 error then a redirect to the real Twitter site to make everything look nice and legitimate. These types of Twitter scam come around often, and end-users should always be wary of “Have you seen this” style messaging from contacts..."
    * http://www.phishtank.com/phish_detai...ish_id=1643038
    ___

    Fake Ebay/Paypal emails lead to client-side exploits and malware
    - http://blog.webroot.com/2013/01/04/f...s-and-malware/
    Jan 4, 2013 - "Over the past 24 hours, cybercriminals have launched yet another massive spam campaign, this time impersonating both eBay and PayPal, in an attempt to trick their users into clicking on the client-side exploits and malware serving links found in the malicious emails...
    Sample screenshot of the spamvertised email:
    > https://webrootblog.files.wordpress....xploit_kit.png
    ... Malicious domain names reconnaissance:
    litefragmented .pro – 59.64.144.239 – Email: kee_mckibben0869 @macfreak .com
    Name Server: NS1.CHELSEAFUN .NET
    Name Server: NS2.CHELSEAFUN .NET...
    ... ibertomoralles .com – 59.57.247.185 – Email: rick.baxter @costcontrolsoftware .com
    Name Server: NS1.SOFTVIK .NET – 84.32.116.189 – Email: farbonite @hotmail .com
    Name Server: NS2.SOFTVIK .NET – 15.209.33.133 – Email: farbonite @hotmail .com ...
    ___

    Fake 'bank reports' emails lead to BlackHole Exploit Kit
    - http://blog.webroot.com/2013/01/03/a...e-exploit-kit/
    Jan 3, 2013 - "Cybercriminals are currently spamvertising tens of thousands of emails in an attempt to impersonate the recipients’ bank, tricking them into thinking that the Ministry of Finance in their country has introduced new rules for records keeping, and that they need to print and sign a non-existent document. Once users click on the links found in the malicious emails, they’re automatically exposed to the client-side exploits served by the latest version of the BlackHole Exploit Kit...
    Sample screenshot of the spamvertised email:
    > https://webrootblog.files.wordpress....xploit_kit.png
    ... Malicious domain name reconnaissance:
    apendiksator .ru – 91.224.135.20; 210.71.250.131; 187.85.160.106
    Name server: ns1.apendiksator .ru – 62.76.186.24
    Name server: ns2.apendiksator .ru – 110.164.58.250
    Name server: ns3.apendiksator .ru – 42.121.116.38
    Name server: ns4.apendiksator .ru – 41.168.5.140
    Responding to the same IPs are also the following malicious domains part of the campaign’s infrastructure:
    afjdoospf .ru – 91.224.135.20
    angelaonfl .ru – 91.224.135.20
    akionokao .ru – 91.224.135.20 ...
    Although we couldn’t reproduce the malicious payload at apendiksator .ru, we found that the malicious payload served by immerialtv .ru (known to have responded to the same IP) is identical to the MD5: 83db494b36bd38646e54210f6fdcbc0d * ... VirTool:Win32/CeeInject. This MD5 was dropped in a previously profiled campaign..."
    * https://www.virustotal.com/file/6260...73da/analysis/
    File name: cs8v0k.exe
    Detection ratio: 34/42
    Analysis date: 2012-06-20
    ___

    Fake BBB (Better Business Bureau) emails lead to BlackHole Exploit Kit
    - http://blog.webroot.com/2013/01/02/f...e-exploit-kit/
    Jan 2, 2013 - "Cybercriminals have recently launched yet another massive spam campaign, impersonating a rather popular brand used in a decent percentage of social engineering driven email campaigns – the BBB (Better Business Bureau). Once users click on any of the links in the malicious emails, they’re automatically exposed to the client-side exploits served by the BlackHole Exploit kit...
    Sample screenshot of the spamvertised email:
    > https://webrootblog.files.wordpress....xploit_kit.png
    ... Malicious domain name reconnaissance:
    tv-usib.com – 59.57.247.185 – Email: twine.tour1 @yahoo .com
    Name Server: NS1.AMISHSHOPPE .NET - Email: solaradvent @yahoo .com
    Name Server: NS2.AMISHSHOPPE .NET - Email: solaradvent @yahoo .com...
    Upon successful client-side exploitation, the campaign drops MD5: 2646f13db754654aff315ff9da9fa911 * ... Worm:Win32/Cridex.E.
    Upon execution, the sample phones back to: 94.73.129.120 :8080/rxrt0CA/hIvhA/K66fEB/ ..."
    * https://www.virustotal.com/file/4dec...1bff/analysis/
    File name: KB00182962.exe
    Detection ratio: 30/45
    Analysis date: 2013-01-04
    ___

    Fake Verizon Wireless emails serve client-side exploits and malware
    - http://blog.webroot.com/2013/01/02/s...s-and-malware/
    Jan 2, 2013 - "... yet another Verizon Wireless themed malicious campaign, enticing users to click on the malicious link found in the email. Once users click on the link, they’re automatically exposed to the client-side exploits served by the latest version of the BlackHole Exploit Kit...
    Sample screenshot of the spamvertised email:
    > https://webrootblog.files.wordpress....xploit_kit.png
    Sample email subjects: Fresh eBill is Should Be Complete. From: Verizon Wireless; Your Recent eBill from Verizon Wireless...
    Malicious domain name reconnaissance:
    proxfied .net – 59.57.247.185 – Email: colorsandforms @aol .com
    Name Server: NS1.AMISHSHOPPE .NET – Email: solaradvent @yahoo .com
    Name Server: NS2.AMISHSHOPPE .NET – Email: solaradvent @yahoo .com ..."

    Last edited by AplusWebMaster; 2013-01-05 at 04:42.

  7. #97 - AplusWebMaster

    Fake O2 Shop emails - Phish ...

    FYI...

    Fake O2 Shop emails - Phish ...
    - http://www.gfi.com/blog/fake-o2-shop...e-phishy-bait/
    Jan 7, 2013 - "... fake O2 Shop emails are in circulation at the moment, in the form of a “security update” asking for login credentials on the back of an “O2 account update” the recipient is supposed to have made. They’re pretty bare bones in terms of how they look, and you’ll notice that in the below example GMail flags it as spam so hopefully lots of other mail service providers will be doing the same thing.
    > http://www.gfi.com/blog/wp-content/u.../01/fakeo2.jpg
    Dear User,
    You can now check the progress of your account at My O2. Just go to [url removed] and enter your username and password. If you’ve forgotten these, we can send you a reminder here too. Once you’ve signed in, go to My account and follow the instructions.
    Regards,
    O2 Customer Service


    As with so many of these fire and forget spam campaigns, the bulk of them seem to lead to currently AWOL phish pages so they’re likely being taken offline at a fair old pace... treat random mails asking for login credentials with large portions of suspicion, especially when – as above – they’re referencing changes made to your account that you haven’t actually made."


  8. #98 - AplusWebMaster

    Malware sites to block, Fake ACH and BBB SPAM - 8 Jan 2013

    FYI...

    Malware sites to block 8/1/13
    - http://blog.dynamoo.com/2013/01/malw...lock-8113.html
    8 Jan 2013 - "These IPs and domains appear to be active in malicious spam runs today:
    41.168.5.140
    42.121.116.38
    62.76.186.24
    82.165.193.26
    91.224.135.20
    110.164.58.250
    187.85.160.106
    210.71.250.131
    belnialamsik .ru

    Quite a few of these IPs have been used in multiple attacks, blocking them would be prudent.

    Update: some sample emails pointing to a malicious landing page at [donotclick]belnialamsik .ru:8080/forum/links/column.php:
    Date: Tue, 8 Jan 2013 10:05:55 +0100
    From: Shavonda Duke via LinkedIn [member@linkedin.com]
    Subject: Re: Fwd: Security update for banking accounts.
    Dear Online Account Operator,
    Your ACH transactions have been
    temporarily disabled.
    View details
    Best regards,
    Security department
    ===
    Date: Tue, 8 Jan 2013 01:31:43 -0300 [01/07/13 23:31:43 EST]
    From: FilesTube [filestube @filestube .com]
    Subject: Fwd: Re: Banking security update.
    Dear Online Account Operator,
    Your ACH transactions have been
    temporarily disabled.
    View details
    Best regards,
    Security department

    ___

    Fake "Federal ACH Announcement" SPAM / cookingcarlog .net
    - http://blog.dynamoo.com/2013/01/fede...ment-spam.html
    8 Jan 2013 - "This rather terse spam leads to malware on cookingcarlog .net:
    From: Federal Reserve Services @ sys.frb .org [ACHR_59273219 @fedmail .frb .org]
    Date: 8 January 2013 15:11
    Subject: FedMail (R): Federal ACH Announcement - End of Day - 12/27/12
    Please find the ACH Letter of Advice Reporting from the Federal Reserve System clicking here.


    The link in the email goes to an exploit kit on [donotclick]cookingcarlog .net/detects/occasional-average-fairly.php (report here*) which is hosted on 89.207.132.144 (Snel Internet Services, Netherlands).
    * http://wepawet.iseclab.org/view.php?...658280&type=js

    Added - a BBB spam is also doing the rounds with the same payload:
    Better Business Bureau ©
    Start With Trust ©
    Mon, 7 Jan 2013
    RE: Case N. 54809787
    [redacted]
    The Better Business Bureau has been recorded the above said claim from one of your customers in respect to their dealings with you. The detailed description of the consumer's worry are available for review at a link below. Please pay attention to this issue and communicate with us about your judgment as soon as possible.
    We pleasantly ask you to click and review the CLAIM REPORT to meet on this claim letter.
    We are looking forward to your prompt response.
    WBR
    Mason Turner
    Dispute Consultant
    Better Business Bureau
    Better Business Bureau
    3063 Wilson Blvd, Suite 600 Arlington, VA 22701
    Phone: 1 (703) 276.0100 Fax: 1 (703) 525.8277

    ___

    Fake BBB SPAM / royalwinnipegballet .net
    - http://blog.dynamoo.com/2013/01/bbb-...balletnet.html
    8 Jan 2013 - "This fake BBB spam leads to malware on royalwinnipegballet .net:
    Date: Tue, 8 Jan 2013 19:18:34 +0200 [12:18:34 EST]
    From: Better Business Bureau <information @bbb .org>
    To: [redacted]
    Subject: BBB information regarding your customer's appeal № 96682901
    Better Business Bureau ©
    Start With Trust ©
    Mon, 7 Jan 2013
    RE: Complaint # 96682901
    [redacted]
    The Better Business Bureau has been registered the above mentioned appeal from one of your clients as regards their business contacts with you. The details of the consumer's worry are available for review at a link below. Please give attention to this matter and notify us about your sight as soon as possible.
    We graciously ask you to open the CLAIM REPORT to answer on this reclamation.
    We are looking forward to your prompt answer.
    Faithfully yours
    Alex Green
    Dispute Counselor
    Better Business Bureau
    3063 Wilson Blvd, Suite 600 Arlington, VA 27201
    Phone: 1 (703) 276.0100 Fax: 1 (703) 525.8277
    This note was delivered to [redacted]. Don't want to receive these emails anymore? You can unsubscribe
    ===
    Date: Tue, 8 Jan 2013 19:12:58 +0200 [12:12:58 EST]
    From: Better Business Bureau <donotreply @bbb .org>
    Subject: Better Business Beareau Pretense № C6273504
    Priority: High Priority 1
    Better Business Bureau ©
    Start With Trust ©
    Mon, 7 Jan 2013
    RE: Issue No. C6273504
    [redacted]
    The Better Business Bureau has been registered the above said reclamation from one of your users in respect of their business contacts with you. The information about the consumer's anxiety are available visiting a link below. Please give attention to this problem and notify us about your mind as soon as possible.
    We kindly ask you to overview the APPEAL REPORT to meet on this claim letter.
    We are looking forward to your prompt rebound.
    Yours respectfully
    Julian Morales
    Dispute Advisor
    Better Business Bureau
    3013 Wilson Blvd, Suite 600 Arlington, VA 20701
    Phone: 1 (703) 276.0100 Fax: 1 (703) 525.8277
    This message was sent to [redacted]. Don't want to receive these emails anymore? You can unsubscribe


    The malicious payload is on [donotclick]royalwinnipegballet .net/detects/occasional-average-fairly.php hosted on 89.207.132.144 (Snel Internet, Netherlands) which was hosting another attack site this morning (so best blocked in my opinion)."

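    The block lists in posts #91, #95 and #98 arrive defanged ("proxfied .net", "hxxp ://", "[donotclick]", "(dot)") and mix single IPs, a /24, bare domains and full landing-page URLs, while the exploit-kit paths themselves repeat across otherwise unrelated hosts (":8080/forum/links/column.php" for the BlackHole sites, "/detects/<words>.php" for the 59.57.247.185 and 89.207.132.144 sites). The script below is an added example, not code from the forum post or from the dynamoo blog: it refangs a small constructed subset of the indicators quoted above, turns them into CIDR networks and domains, and runs both those and the two path patterns over constructed proxy-log lines. The log format and the "cdn." subdomain in the sample are invented for illustration.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed subset of the indicators quoted in the posts above, left defanged
# exactly as the blogs print them.
RAW_IOCS = [
    "46.249.42.0/24",
    "59.57.247.185",
    "89.207.132.144",
    "proxfied .net",
    "tv-usib .com",
    "[donotclick]belnialamsik .ru:8080/forum/links/column.php",
    "hxxp ://sectantes-x .ru:8080/forum/links/column.php",
    "ivtvtter(dot)com",
]

# Landing-page paths that recur across the quoted campaigns regardless of host.
LANDING_PATHS = [
    re.compile(r":8080/forum/links/column\.php", re.I),
    re.compile(r"/detects/[\w-]+\.php", re.I),
]

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def refang(s):
    """Undo the defanging conventions used on the page so the indicator parses."""
    s = s.strip().replace("[donotclick]", "")
    s = s.replace("hxxp", "http").replace(" ://", "://")
    return s.replace(" .", ".").replace("[.]", ".").replace("(dot)", ".")


def load_iocs(raw):
    """Split raw indicators into IP networks (CIDR or host /32) and domain names."""
    nets, domains = [], set()
    for item in raw:
        item = refang(item)
        try:                                   # "a.b.c.d" or "a.b.c.0/24"
            nets.append(ipaddress.ip_network(item, strict=False))
            continue
        except ValueError:
            pass
        host = urlparse(item if "://" in item else "http://" + item).hostname or ""
        try:                                   # URL whose host is a bare IP
            nets.append(ipaddress.ip_network(host))
        except ValueError:
            if host:
                domains.add(host.lower())
    return nets, domains


def domain_hit(host, domains):
    """True if host or any parent domain is listed (cdn.evil.tld matches evil.tld)."""
    labels = host.lower().split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))


def match_line(line, nets, domains):
    """Reasons a proxy/DNS log line matches the indicator set (empty if clean)."""
    reasons = []
    for url in URL_RE.findall(line):
        host = urlparse(url).hostname or ""
        if domain_hit(host, domains):
            reasons.append(f"domain {host}")
        for pat in LANDING_PATHS:          # catches hosts not yet on any list
            if pat.search(url):
                reasons.append(f"landing path {pat.pattern}")
    for ip in sorted(set(IP_RE.findall(line))):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue
        for net in nets:
            if addr in net:
                reasons.append(f"ip {ip} in {net}")
    return reasons


def scan(lines, raw_iocs=RAW_IOCS):
    """Map line index -> reasons, for every line that matches at least one indicator."""
    nets, domains = load_iocs(raw_iocs)
    hits = {}
    for i, line in enumerate(lines):
        reasons = match_line(line, nets, domains)
        if reasons:
            hits[i] = reasons
    return hits


# Constructed squid-style access log: listed domain, clean line, listed /24,
# and an unlisted host that still uses the "/detects/" landing-page path.
SAMPLE_LOG = [
    "1357650000.123 10.0.0.5 TCP_MISS/200 http://belnialamsik.ru:8080/forum/links/column.php",
    "1357650001.456 10.0.0.7 TCP_MISS/200 http://www.example.org/index.html",
    "1357650002.789 10.0.0.9 TCP_MISS/200 http://46.249.42.161/secure/message.php",
    "1357650003.000 10.0.0.9 TCP_MISS/200 http://cdn.royalwinnipegballet.net/detects/occasional-average-fairly.php",
]

if __name__ == "__main__":
    for idx, why in scan(SAMPLE_LOG).items():
        print(idx, SAMPLE_LOG[idx].split()[-1], why)
```

    The path patterns are the part worth keeping after the listed hosts have rotated: dynamoo's own note in #95 that these hosts have a shelf-life of days applies to the domain list, but the kit's URL structure stayed constant across every campaign quoted on this page.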

  9. #99 - AplusWebMaster

    Fake AICPA emails, Phishing attacks - 2013.01.09

    FYI...

    Fake AICPA emails serve client-side exploits and malware
    - http://blog.webroot.com/2013/01/09/s...s-and-malware/
    Jan 9, 2013 - "... recently spamvertised campaigns impersonating the American Institute of Certified Public Accountants, also known as AICPA...
    Sample screenshot of the spamvertised email:
    > https://webrootblog.files.wordpress....xploit_kit.png
    Second screenshot of the spamvertised email from the same campaign:
    > https://webrootblog.files.wordpress....oit_kit_01.png
    Sample subjects: Tax return assistance contrivance; Suspension of your CPA license; Revocation of your CPA license; Your accountant license can be end off; Your accountant CPA License Expiration...
    Upon successful client-side exploitation, the campaign drops MD5: 5b7aafd9ab99aa2ec0e879a24610844a * ... Worm:Win32/Cridex.E.
    Once executed, the sample performs the following actions:
    Creates a batch script
    Accesses Firefox’s Password Manager local database
    Creates a thread in a remote process
    Installs a program to run automatically at logon
    It also drops the following MD5 on the affected hosts: MD5: 3e2df81077283e5c9d457bf688779773 ** ... PWS:Win32/Fareit.
    It also phones back to the following C&C servers:
    hxxp:// 69.64.89.82 :8080/DPNilBA/ue1elBAAAA/tlSHAAAAA/
    132.248.49.112
    173.192.229.36
    64.120.193.112
    89.221.242.217
    174.143.174.136
    209.51.221.247

    We’ve also seen and profiled the same IP (132.248.49.112) in multiple previously analyzed malware campaigns..."
    * https://www.virustotal.com/file/5f99...2e12/analysis/
    File name: contacts.exe
    Detection ratio: 31/45
    Analysis date: 2012-12-18
    ** https://www.virustotal.com/file/2925...d67d/analysis/
    File name: exp3C6.tmp.exe
    Detection ratio: 27/45
    Analysis date: 2013-01-04
    ___

    New Year, New Old Threats
    - http://www.gfi.com/blog/new-year-new-old-threats/
    Jan 9, 2013 - "... we have found an old Facebook scam, which dates back from two years ago, making rounds again and a spam-phishing ploy that is so 2007...
    (Screenshots available at the gfi URL above.)
    Previous versions of this scam usually ask visitors to click “Like” buttons for pages, a method usually employed for the purpose of increasing the popularity of pages and their monetary value once sold. For the scam to proliferate within the network, users are also asked to update their Facebook profile with the above status message and link. Some versions present either a list of surveys to fill in or a form where users can enter their mobile numbers; only this latest scam offers both... Our researchers in the AV Labs found an in-the-wild email spam leading to a phishing attack. It targets users of the open-source webmail application, SquirrelMail... The email is exactly as it was back in 2007, so any user can take their cues from the outdated versions of the app mentioned and the supposed solution to the issue the email is attempting to address... advice? Delete the spam at once."
    ___

    Something evil on 173.246.102.246
    - http://blog.dynamoo.com/2013/01/some...246102246.html
    9 Jan 2013 - "173.246.102.246 (Gandi, US) looks like it is being used for exploit kits being promoted either through malvertising or through exploited OpenX ad servers. In the example I have seen, the malicious payload is at [donotclick]11.lamarianella .info/read/defined_regulations-frequently.php (report here*). These other domains appear to be on the same server, all of which can be assumed to be malicious:
    11.livinghistorytheatre .ca
    11.awarenesscreateschange .com
    11.livinghistorytheatre .com
    11.b2cviaggi .com
    11.13dayz .com
    11.lamarianella .info
    11.studiocitynorth .tv
    11.scntv .tv

    These all appear to be legitimate but hijacked domains; you may want to block the whole domain rather than just the 11. subdomain."
    * http://wepawet.iseclab.org/view.php?...e4a3f1&type=js

    > https://www.google.com/safebrowsing/...?site=AS:29169
    "... in the past 90 days. We found 67 site(s)... that infected 262 other site(s)..."
    ___

    Fake ADP SPAM / demoralization .ru
    - http://blog.dynamoo.com/2013/01/adp-...izationru.html
    9 Jan 2013 - "This fake ADP spam leads to malware on demoralization .ru:
    Date: Wed, 9 Jan 2013 04:23:03 -0600
    From: Habbo Hotel [auto-contact @habbo .com]
    Subject: ADP Immediate Notification
    ADP Immediate Notification
    Reference #: 948284271
    Wed, 9 Jan 2013 04:23:03 -0600
    Dear ADP Client
    Your Transfer Record(s) have been created at the web site:
    https ://www .flexdirect .adp.com/client/login.aspx
    Please see the following notes:
    Please note that your bank account will be debited within one banking business day for the amount(s) shown on the report(s).
    Please do not respond or reply to this automated e-mail. If you have any questions or comments, please Contact your ADP Benefits Specialist.
    This note was sent to acting users in your system that approach ADP Netsecure.
    As usual, thank you for choosing ADP as your business affiliate!
    Ref: 703814359
    HR. Payroll. Benefits.
    The ADP logo and ADP are registered trademarks of ADP, Inc.
    In the business of your success is a service mark of ADP, Inc.
    © 2013 ADP, Inc. All rights reserved.


    The malicious payload is at [donotclick]demoralization .ru:8080/forum/links/column.php hosted on the following IPs:
    82.165.193.26 (1&1, Germany)
    91.224.135.20 (Proservis UAB, Lithuania)
    187.85.160.106 (Ksys Soluções Web, Brazil)
    The following IPs and domains are all related:
    82.165.193.26
    91.224.135.20
    187.85.160.106
    demoralization .ru
    belnialamsik .ru
    bananamamor .ru
    ..."
    ___

    Fake BBB SPAM / hotelrosaire .net
    - http://blog.dynamoo.com/2013/01/bbb-...osairenet.html
    9 Jan 2013 - "This fake BBB spam leads to malware on hotelrosaire .net:
    Date: Wed, 9 Jan 2013 09:21:32 -0600 [10:21:32 EST]
    From: Better Business Bureau <complaint @bbb .org>
    Subject: BBB notification regarding your cliente's pretense No. 62850348
    Better Business Bureau ©
    Start With Trust ©
    Tue, 8 Jan 2013
    RE: Complaint N. 62850348
    [redacted]
    The Better Business Bureau has been booked the above said complaint from one of your users in regard to their business contacts with you. The detailed description of the consumer's anxiety are available for review at a link below. Please give attention to this problem and inform us about your sight as soon as possible.
    We pleasantly ask you to click and review the APPEAL REPORT to respond on this claim letter.
    We awaits to your prompt reaction.
    Yours respectfully
    Liam Barnes
    Dispute Consultant
    Better Business Bureau
    3053 Wilson Blvd, Suite 600 Arlington, VA 25501
    Phone: 1 (703) 276.0100 Fax: 1 (703) 525.8277
    This note was sent to [redacted]. Don't want to receive these emails anymore? You can unsubscribe
    ========
    Date: Wed, 9 Jan 2013 23:21:42 +0800 [10:21:42 EST]
    From: Better Business Bureau <donotreply @bbb .org>
    Subject: BBB Complaint No. C1343110
    Better Business Bureau ©
    Start With Trust ©
    Tue, 8 Jan 2013
    RE: Case No. C1343110
    [redacted]
    The Better Business Bureau has been booked the above mentioned complaint from one of your clients as regards their business relations with you. The information about the consumer's anxiety are available for review at a link below. Please pay attention to this question and inform us about your glance as soon as possible.
    We pleasantly ask you to overview the COMPLAINT REPORT to reply on this grievance.
    We are looking forward to your prompt reaction.
    Yours respectfully
    Hunter Gomez
    Dispute Counselor
    Better Business Bureau
    Better Business Bureau
    3053 Wilson Blvd, Suite 600 Arlington, VA 22801
    Phone: 1 (703) 276.0100 Fax: 1 (703) 525.8277
    This message was sent to [redacted]. Don't want to receive these emails anymore? You can unsubscribe


    The malicious payload is on [donotclick]hotelrosaire .net/detects/keyboard_ones-piece-ring.php hosted on 64.120.177.139 (HostNOC, US) which also hosts royalwinnipegballet .net which was seen in another BBB spam run yesterday."

    >> https://www.google.com/safebrowsing/...?site=AS:21788
    "... in the past 90 days. We found 543 site(s).. that infected 5049 other site(s)..."

    Last edited by AplusWebMaster; 2013-01-09 at 19:18.

  10. #100
    AplusWebMaster

    Fake U.S Air/ADP emails lead to malware...

    FYI...

    Fake U.S Airways emails lead to BlackHole Exploit Kit
    - http://blog.webroot.com/2013/01/10/p...e-exploit-kit/
    Jan 10, 2013 - "... On numerous occasions, we intercepted related campaigns attempting to trick customers into clicking on malicious links, which ultimately exposed them to the client-side exploits served by the latest version of the BlackHole Exploit Kit. Apparently, the click-through rates for these campaigns were good enough for cybercriminals to resume spamvertising related campaigns. In this post, I’ll profile the most recently spamvertised campaign impersonating U.S Airways...
    Sample screenshot of the spamvertised email:
    > https://webrootblog.files.wordpress....expoit_kit.png
    ... Malicious domain name reconnaissance:
    attachedsignup .pro – 41.215.225.202 – Email: kee_mckibben0869 @macfreak .com
    ... Upon successful client-side exploitation, the campaign drops MD5: 6f51e309530f8900be935716c3015f58 * ... Worm:Win32/Cridex.E
    The executable creates the following registry entries:
    HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CFBDC89D4
    HKEY_CURRENT_USER\Software\Microsoft\Windows NT\S25BC2D7B
    As well as the following mutexes:
    Local\XMM000003F8
    Local\XMI000003F8
    Local\XMRFB119394
    Local\XMM000005E4
    Local\XMI000005E4
    Local\XMM0000009C
    Local\XMI0000009C
    Local\XMM000000C8
    Local\XMI000000C8
    Once executed, the sample phones back to the following C&C servers:
    180.235.150.72 :8080/DPNilBA/ue1elBAAAA/tlSHAAAAA/
    174.143.174.136 :8080/AJtw/UCyqrDAA/Ud+asDAA/
    We’ve already seen the same pseudo-random C&C phone back characters used... previously profiled malicious campaigns..."
    * https://www.virustotal.com/file/d11f...d1fe/analysis/
    File name: 6f51e309530f8900be935716c3015f58
    Detection ratio: 24/46
    Analysis date: 2012-12-07
    ___

    Fake ADP SPAM / tetraboro .net and advertizing* .com
    - http://blog.dynamoo.com/2013/01/adp-...tizingcom.html
    10 Jan 2013 - "This fake ADP spam leads to malware on tetraboro .net. It contains some errors, one of which is the subject line just says "adp_subj" rather than having been filled out properly...
    Date: Thu, 10 Jan 2013 17:48:09 +0200 [10:48:09 EST]
    From: "ADPClientServices @adp .com" [ADPClientServices @adp .com]
    Subject: adp_subj
    ADP Urgent Note
    Note No.: 33469
    Respected ADP Consumer January, 9 2013
    Your Processed Payroll Record(s) have been uploaded to the web site:
    Click here to Sign In
    Please take a look at the following details:
    • Please note that your bank account will be debited within one banking day for the amount(s) specified on the Protocol(s).
    Please don't reply to this message. auomatic informational system not configured to accept incoming mail. Please Contact your ADP Benefits Specialist.
    This notification was sent to current clients in your company that approach ADP Netsecure.
    As general, thank you for choosing ADP as your business butty!
    Ref: 33469


    The malicious payload is on [donotclick]tetraboro .net/detects/coming_lost-source.php hosted on 222.238.109.66 (Hanaro Telecom, Korea). A quick look indicates a number of related malicious domains and IPs, including advertizing1 .com through to advertizing9 .com. All of these should be blocked.
    5.135.90.19 (OVH, France - suballocated to premiervps.net, UK)
    91.227.220.121 (VooServers, UK)
    94.102.55.23 (Ecatel, Netherlands)
    119.78.243.16 (China Science & Technology Network, China)
    198.144.191.50 (New Wave Netconnect, US)
    199.233.233.232 (Quickpacket, US)
    203.1.6.211 (China Telecom, China)
    222.238.109.66 (Hanaro Telecom, Korea)
    Plain list:
    advertizing1 .com
    advertizing2 .com
    advertizing3 .com
    advertizing4 .com
    advertizing5 .com
    advertizing6 .com
    advertizing7 .com
    advertizing8 .com
    advertizing9 .com
    cookingcarlog .ne
    hotelrosaire .net
    richbergs .com
    royalwinnipegballet .net
    tetraboro .net
    5.135.90.19
    91.227.220.121
    94.102.55.23
    119.78.243.16
    198.144.191.50
    199.233.233.232
    203.1.6.211
    222.238.109.66
    ..."

    Last edited by AplusWebMaster; 2013-01-10 at 19:43.
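The C&C lists in the AICPA post (#99) and the payload URL and "plain list" in the U.S Airways/ADP post (#100) above are given in the defanged spelling the quoted blogs use ("[donotclick]", "hxxp://", a space before the TLD dot or the port colon). What a defender usually wants from them is a machine-checkable blocklist and a quick pass over proxy logs to see who already touched those hosts. The script below is an added example, not code from the forum or from the dynamoo or Webroot blogs: it refangs a handful of indicators copied from the two posts, classifies each as an IP, domain or URL, and matches them against proxy log lines. Any subdomain of a listed domain counts as a hit, in line with the advice quoted earlier on this page to block the whole domain rather than just the 11. subdomain. The Squid-format log lines, the 10.0.0.x client addresses and the 198.51.100.x peer addresses are constructed for the example; the indicator values are taken from the posts.

```python
"""Refang the defanged indicators quoted in the posts above and match them against
proxy log lines.  Added example, not code from the forum or the quoted blogs."""
import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Indicators copied from the posts above, in the defanged spelling the quoted
# blogs use: "[donotclick]", "hxxp://", a space before a dot or a port colon.
RAW_INDICATORS = """
[donotclick]demoralization .ru:8080/forum/links/column.php
hxxp:// 69.64.89.82 :8080/DPNilBA/ue1elBAAAA/tlSHAAAAA/
180.235.150.72 :8080/DPNilBA/ue1elBAAAA/tlSHAAAAA/
132.248.49.112
advertizing1 .com
tetraboro .net
[donotclick]hotelrosaire .net/detects/keyboard_ones-piece-ring.php
"""

# Constructed proxy log lines in Squid's native format (not from the page):
# ts elapsed client action/code bytes method url user hierarchy/peer type
SAMPLE_LOG = """\
1357800000.123 512 10.0.0.5 TCP_MISS/200 512 GET http://demoralization.ru:8080/forum/links/column.php - DIRECT/82.165.193.26 text/html
1357800001.456 40 10.0.0.7 TCP_MISS/200 1024 GET http://www.example.org/index.html - DIRECT/198.51.100.10 text/html
1357800002.789 90 10.0.0.9 TCP_MISS/200 300 GET http://69.64.89.82:8080/DPNilBA/ue1elBAAAA/tlSHAAAAA/ - DIRECT/69.64.89.82 application/octet-stream
1357800003.111 70 10.0.0.5 TCP_MISS/200 2048 GET http://www.advertizing1.com/ - DIRECT/198.51.100.20 text/html
1357800004.222 30 10.0.0.8 TCP_MISS/200 128 GET http://cdn.example.net/a.js - DIRECT/132.248.49.112 application/javascript
"""


@dataclass(frozen=True)
class Indicator:
    kind: str   # "ip", "domain" or "url"
    value: str  # refanged, machine-checkable form
    host: str   # host part, used for domain/IP matching


def refang(token: str) -> str:
    """Undo the protective spelling: [donotclick], hxxp://, 'a .b', '1.2.3.4 :80'."""
    s = token.strip().replace("[donotclick]", "")
    s = re.sub(r"^(https?|hxxps?)\s*:\s*//\s*",
               lambda m: m.group(1).replace("xx", "tt") + "://", s)
    s = re.sub(r"\s+\.", ".", s)   # "demoralization .ru" -> "demoralization.ru"
    s = re.sub(r"\s+:", ":", s)    # "69.64.89.82 :8080"  -> "69.64.89.82:8080"
    return s


def classify(refanged: str) -> Indicator:
    """Decide whether a refanged indicator is a bare IP, a bare domain or a URL."""
    if "://" in refanged or "/" in refanged:
        url = refanged if "://" in refanged else "http://" + refanged
        return Indicator("url", url, (urlsplit(url).hostname or "").lower())
    host = refanged.split(":", 1)[0].lower()      # drop a bare "host:port"
    try:
        ipaddress.ip_address(host)
        return Indicator("ip", host, host)
    except ValueError:
        return Indicator("domain", host, host)


def parse_indicators(text: str) -> list:
    return [classify(refang(line)) for line in text.splitlines() if line.strip()]


def match_line(line: str, indicators):
    """Return (client, indicator) if a Squid log line touches any indicator, else None.

    Exact URL matches win; otherwise a host equal to, or a subdomain of, any
    listed host, or a listed IP appearing as the URL host or the peer, is a hit.
    """
    fields = line.split()
    if len(fields) < 10:
        return None
    client, url, hierarchy = fields[2], fields[6], fields[8]
    host = (urlsplit(url).hostname or "").lower()
    peer_ip = hierarchy.split("/", 1)[-1]
    for ind in indicators:
        if ind.kind == "url" and url == ind.value:
            return client, ind
    for ind in indicators:
        if host == ind.host or host.endswith("." + ind.host) or peer_ip == ind.host:
            return client, ind
    return None


def scan_log(log_text: str, indicators) -> list:
    """Every (client, kind, value) hit in the log, in log order."""
    hits = []
    for line in log_text.splitlines():
        found = match_line(line, indicators)
        if found is not None:
            client, ind = found
            hits.append((client, ind.kind, ind.value))
    return hits


def blocked_hosts(indicators) -> list:
    """Host-level blocklist (domains and IPs) derived from every indicator kind."""
    return sorted({ind.host for ind in indicators if ind.host})


if __name__ == "__main__":
    inds = parse_indicators(RAW_INDICATORS)
    for client, kind, value in scan_log(SAMPLE_LOG, inds):
        print(f"{client} -> {kind} {value}")
```

Matching on the peer address as well as the URL host is what catches the fifth constructed line, where a host not on the list resolves to 132.248.49.112, the IP the Webroot post says it has seen across several campaigns; the same hit would be missed by a name-only blocklist, which is why the blogs list IPs alongside domains.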
