
Thread: SPAM frauds, fakes, and other MALWARE deliveries...

  1. #1031
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Cerber ransomware, Twitter SCAM

    FYI...

    Cerber ransomware ...
    - https://www.helpnetsecurity.com/2016...ware-campaign/
    Aug 17, 2016 - "Check Point’s research team has analysed the inner workings of Cerber, the world’s biggest ransomware-as-a-service scheme:
    > https://www.helpnetsecurity.com/imag...nt-cerber2.jpg
    ... Cerber is set up to enable non-technical criminals to take part in the highly profitable business and run independent campaigns, using a set of command and control servers and an easy-to-use control interface available in 12 different languages... The Bitcoin is transferred to the malware developer and affiliates by flowing through thousands of Bitcoin wallets, making it almost impossible to trace individual payments... The overall profit made by Cerber in July was $195,000. The malware developer received approximately $78,000 and the rest was split between the affiliates, based on successful infections and ransom payments for each campaign. On a yearly basis, the estimated monthly profit for the ransomware author would be $946,000. 'This research provides a rare look at the nature and global targets of the growing ransomware-as-a-service industry' said Maya Horowitz, group manager, Research & Development, Check Point*. 'Cyber-attacks are no longer the sole essence of nation-state actors and of those with the technical ability to author their own tools; nowadays, they are offered to anyone and can be operated fairly easily. As a result, this industry is growing extensively, and we should all take the proper precautions and deploy relevant protections'.”
    * http://blog.checkpoint.com/2016/08/16/cerberring/
    "... researchers have managed to break the encryption of Cerber and provide a free decryption tool**..."
    ** https://www.cerberdecrypt.com/RansomwareDecryptionTool/

    Exploit Kit Country Distribution Map: https://blog.checkpoint.com/wp-conte...08/Figure9.jpg
    ___

    'Bogus blue verified checkmark' SCAM - on Twitter
    - https://www.hotforsecurity.com/blog/...ter-16373.html
    Aug 17, 2016 - "... Take, for instance, this -scam- which was being played out on Twitter last week:
    > https://www.hotforsecurity.com/wp-co...cam-tweet.jpeg
    If you saw it in your Twitter timeline, you might very well click on the link without thinking – imagining that the account is run by Twitter. After all, it is displaying the same avatar as the one used by the legitimate @verified account. And clicking on the link *does* take you to a website which – at first glance – might look like a genuine Twitter property to those -lacking- in caution:
    > https://www.hotforsecurity.com/wp-co...scam-site.jpeg
    Clicking further, however, takes you to a form which should instantly set your alarm bells ringing. It asks you to enter information such as your email address and your number of followers (both pieces of information that Twitter should -already- know) as well as your username and password:
    > https://www.hotforsecurity.com/wp-co...am-site-2.jpeg
    Once you fill your details in this form, they are instantly transmitted to the hackers – who can then use your credentials to hijack your account for the purposes of spam or spreading malicious links. Furthermore, if you have made the mistake of reusing your Twitter password elsewhere on the net there is a good chance that you may have other online accounts compromised by the hackers in follow-up attacks. I reported the phishing URL to Google, and I’m pleased to report that it is now being blocked by most browsers:
    > https://www.hotforsecurity.com/wp-co...ome-block.jpeg
    The offending Twitter account has also been suspended. There are a few lessons here...
    Firstly, always be careful about where you enter your login credentials. Make sure that you are on the proper website by examining-the-URL-closely, and consider that one of the benefits of running a good password manager is that it will not let you easily fill in your password unless it recognises it.
    Secondly, never-reuse-passwords on multiple websites. If one site gets hacked, online criminals will often try to use the same credentials to unlock your other online accounts.
    Thirdly, harden your defences. Where available (as it is on Twitter) enable two-step verification or two-factor authentication to provide an additional layer of defence for your accounts. With 2SV or 2FA in place, hackers will need more than your password to break into your accounts making it – in most cases – something that they’ll simply not bother with, as they move to find softer targets."

    Last edited by AplusWebMaster; 2016-08-17 at 16:55.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #1032
    AplusWebMaster

    Fake 'UPS' SPAM, Locky Ransomware via DOCM attachments

    FYI...

    Fake 'UPS' SPAM - leads to Locky
    - http://blog.dynamoo.com/2016/08/malw...is-having.html
    18 Aug 2016 - "This -fake- UPS email has a malicious attachment. It appears to come from various countries UPS domains (e.g. ups.de, ups.co.uk), and from various senders.
    From "Laurence lumb" [Laurence.lumb25@ ups .de]
    Date Thu, 18 Aug 2016 17:35:21 +0530
    Subject Emailing: Label
    Good afternoon
    The office printer is having problems so I've had to email the UPS label,
    sorry for the inconvenience.
    Cheers
    Laurence lumb


    Attached is a ZIP file with a name beginning "Label" plus a random number. This contains a malicious .WSF script file that downloads Locky ransomware... (according to my trusted source)... This dropped binary has a detection rate of 6/54*. It phones home to the following locations:
    185.129.148.19/php/upload.php (MWTV, Latvia)
    51.255.107.8/php/upload.php (Webhost LLC Dmitrii Podelko, Russia / OVH, France)
    194.67.210.183/php/upload.php (Marosnet, Russia)
    Recommended blocklist:
    185.129.148.0/24
    51.255.107.8
    194.67.210.183
    "
    * https://www.virustotal.com/en/file/d...e84e/analysis/
    ___

    Locky Ransomware via DOCM attachments - latest Email campaigns
    - https://www.fireeye.com/blog/threat-...omwaredis.html
    Aug 17, 2016 - "Throughout August, FireEye Labs has observed a few massive email campaigns distributing Locky ransomware. The campaigns have affected various industries, with the healthcare industry being hit the hardest based on our telemetry:
    Top 10 affected industries
    > https://www.fireeye.com/content/dam/...chong/Fig1.png
    Numerous countries are affected, with the United States, Japan, and Republic of Korea topping the list:
    Top affected countries
    > https://www.fireeye.com/content/dam/...chong/Fig2.png
    ... Locky ransomware started being delivered via DOCM format email attachments more extensively beginning in August. This marks a change from the large campaigns we observed in March, where a JavaScript based downloader was generally being used to infect systems. These detection spikes and change in tactics suggest that the cybercriminals are investing more to infect systems and maximize their profits. Additionally, we have observed that the delivery of Dridex via this distribution channel seems to have stopped, or nearly so, which could explain why we are seeing the Locky uptick:
    Massive DOCM related campaigns on Aug. 9, Aug. 11 and Aug. 15, 2016
    > https://www.fireeye.com/content/dam/...chong/Fig3.png
    Our analysis showed high similarity in the macro code that was used in the Aug. 9, Aug. 11 and Aug. 15 campaigns... The volume of Locky ransomware downloaders is increasing and the tools and techniques being used in campaigns are constantly changing. In this instance, we are seeing a shift from using a JavaScript based downloader to infect victims to using the DOCM format. On top of that, cybercrime trends have shown that attackers are distributing more ransomware these days than banking trojans, as the former appears to be more lucrative. These latest campaigns are a reminder that users must be cautious when it comes to opening attachments in emails or they run the risk of becoming infected and possibly disrupting business operations."

    Last edited by AplusWebMaster; 2016-08-18 at 18:23.
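The Dynamoo post above ends with a recommended blocklist (one /24 plus two single hosts) and the call-home path the dropped binary uses. The script below is an added example, not code from this thread or from the Dynamoo post: it parses that blocklist with the standard ipaddress module and sweeps a proxy log for connections to it, reporting a POST to the quoted upload path as a separate, lower-confidence signal. The log format and the log lines are constructed for illustration (203.0.113.7 is a documentation address); the same sweep applies to the "Contacted Hosts" lists in the later posts.

```python
"""Check web-proxy log lines against the IoC blocklist quoted above.

Added example, not code from the thread or from the Dynamoo post. The
blocklist entries are the ones the post recommends; the log lines and the
log format are constructed for illustration.
"""
import ipaddress
import re
from typing import Iterable, List

# Recommended blocklist exactly as quoted in the post: one /24 and two single hosts.
BLOCKLIST_TEXT = """
185.129.148.0/24
51.255.107.8
194.67.210.183
"""

# Constructed proxy log: "<timestamp> <client> <server> <method> <url>".
SAMPLE_LOG = """\
2016-08-18T12:10:03Z 10.0.0.15 185.129.148.19 POST http://185.129.148.19/php/upload.php
2016-08-18T12:10:09Z 10.0.0.15 93.184.216.34 GET http://example.com/index.html
2016-08-18T12:11:41Z 10.0.0.22 51.255.107.8 POST http://51.255.107.8/php/upload.php
2016-08-18T12:12:00Z 10.0.0.22 194.67.210.184 GET http://194.67.210.184/
2016-08-18T12:13:27Z 10.0.0.31 203.0.113.7 POST http://203.0.113.7/php/upload.php
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)$"
)

# The call-home path quoted in the post. A path alone is a weaker signal than an
# IP match, so it is reported separately for review rather than auto-blocked.
C2_PATH = "/php/upload.php"


def parse_blocklist(text: str) -> list:
    """Parse IPs and CIDRs, one per line; a bare IP becomes a /32 network."""
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def is_blocked(addr: str, nets) -> bool:
    """True if addr falls inside any blocklist network."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def scan_log(lines: Iterable[str], nets) -> List[dict]:
    """Return one finding (the parsed line plus a reason) per matching log line."""
    findings = []
    for raw in lines:
        m = LOG_RE.match(raw.strip())
        if not m:
            continue  # unparseable line: skip it rather than abort the sweep
        rec = m.groupdict()
        if is_blocked(rec["dst"], nets):
            rec["reason"] = "destination in blocklist"
        elif rec["method"] == "POST" and rec["url"].endswith(C2_PATH):
            rec["reason"] = "POST to known call-home path (review)"
        else:
            continue
        findings.append(rec)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG.splitlines(), parse_blocklist(BLOCKLIST_TEXT)):
        print(f"{f['ts']} {f['src']} -> {f['dst']} {f['url']}  [{f['reason']}]")
```

Note that 194.67.210.184 is not flagged: the post lists 194.67.210.183 as a single host, and a /32 entry matches only that address, whereas the /24 entry catches every host in 185.129.148.0/24. Widen an entry only when the post (or your own telemetry) justifies it.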

  3. #1033
    AplusWebMaster

    Fake 'Payment Receipt', 'Report' SPAM

    FYI...

    Fake 'Payment Receipt' SPAM - leads to locky
    - https://myonlinesecurity.co.uk/attac...ky-ransomware/
    19 Aug 2016 - "... a long line of generic emails delivering Locky ransomware is an email with the subject of 'Payment Receipt' pretending to come from random companies and email addresses with a malicious word doc attachment... One of the emails looks like:
    From: Payment Receipt
    Date: Fri 19/08/2016 10:43
    Subject: Payment Receipt
    Attachment: PaymentReceipt.docm
    Attached is the copy of your payment receipt.


    19 August 2016: PaymentReceipt.docm - Current Virus total detections 7/55*.. MALWR shows a download of an encrypted file from http ://wzukoees.homepage.t-online .de/897fyDnv which is converted by the malicious macro in the word doc to C:\DOCUME~1\User\LOCALS~1\Temp\sys48.tmp (VirusTotal 4/56**)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/a...is/1471600737/

    ** https://www.virustotal.com/en/file/2...is/1471600926/

    t-online .de: 2003:2:4:164:217:6:164:162
    2003:2:2:40:62:153:159:92

    217.6.164.162: https://www.virustotal.com/en/ip-add...2/information/
    62.153.159.92: https://www.virustotal.com/en/ip-add...2/information/
    ___

    Fake 'Report' SPAM - leads to Java Adwind Trojan
    - https://myonlinesecurity.co.uk/uncla...s-java-adwind/
    19 Aug 2016 - "We continue to see Java Adwind Trojans daily. Today’s example is a slight change to the delivery method from previous Malspam emails that have been using Moneyexpress .com or MoneyGram or other middle eastern money exchange bodies. This one is an email with the subject of 'Unclaimed Commission Report-WUBS' pretending to come from Shiella F. Doria <shiella.doria@ westernunion .com> with a zip attachment which contains a Java.jar file & an image to make it look “respectable” and genuine. We have seen various -spoofed- Western Union malspam...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...S-1024x646.png

    The image from inside the zip is:
    - https://myonlinesecurity.co.uk/wp-co...ent-Sheet.jpeg

    19 August 2016: Unclaimed Commission Report.zip - Extracts to: UN-PROCESSED COMMISSION.jar
    Current Virus total detections 30/56*. This is another one of the files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/c...is/1471508188/
    ___

    Ransomware round up
    - https://atlas.arbor.net/briefs/index#-198932443
    Aug 18, 2016 - "... Analysis: ... ransomware developers and infrastructure providers who deliver the packages are continuing to refine their crafts. The addition of a RAT used to target potential banking elements instead of going forward with ransomware -extortion- is a smart addition. Most threat actors behind ransomware tend to utilize one flat ransom across their victim pool. However, some, notably those behind Locky, have paid attention to some of their victims and were able to extort larger sums than the original request once they identified the overall value of the victimized systems. A RAT could allow a smart threat actor to better access their target and move forward with requesting larger sums of money. However, it could simply allow threat actors to leverage more traditional capabilities by capturing banking credentials which in turn could allow them to perform fraudulent withdrawals with potentially larger payouts than had they attempted simple extortion efforts. Nemucod and Locky continue to change their overall operating procedures. The addition of ad-click and backdoor functionality to a ransomware operation can lead to additional revenue streams for threat actors, especially if the ransomware does not impact the -additional- malicious packages, allowing for them to operate unencumbered while the victim decides what course of action to take in response to the ransomware. Most ransomware is best defended against by -never- enabling-macros unless you implicitly trust the source... and maintaining up-to-date backups that are stored offline..."

    Last edited by AplusWebMaster; 2016-08-19 at 23:49.

  4. #1034
    AplusWebMaster

    Fake 'fax', 'Hello' SPAM

    FYI...

    Fake 'fax' SPAM - leads to Locky
    - https://myonlinesecurity.co.uk/today...ky-ransomware/
    22 Aug 2016 - "... first example of malspam word docs with macros delivering Locky ransomware is an email with the subject of 'Today’s fax' pretending to come from random names at your own email domain... The email looks like:
    From: name/number at your own email domain
    Date: Mon 22/08/2016 10:37
    Subject: Today’s fax
    Attachment: FAX_5542.DOCM


    Body content: Totally blank/empty

    22 August 2016: FAX_5542.DOCM - Current Virus total detections 4/55*.. MALWR** shows a download of an encrypted file from http ://seiwa1202.web. fc2.com/HfgfvhTR5 that is converted by the malicious macro in the word doc to axilans.exe (VirusTotal 4/55***). Payload Security[4] shows this has anti-analysis protection... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/3...is/1471858624/

    ** https://malwr.com/analysis/MGQ0YjVmO...RjMTY1N2ZlOGQ/
    Hosts
    208.71.106.61: https://www.virustotal.com/en/ip-add...1/information/
    >> https://www.virustotal.com/en/url/05...2839/analysis/

    *** https://www.virustotal.com/en/file/6...is/1471859596/

    4] https://www.hybrid-analysis.com/samp...ironmentId=100
    ___

    Fake 'Hello' SPAM - leads to Locky
    - https://myonlinesecurity.co.uk/hi-hi...ky-ransomware/
    22 Aug 2016 - "... next batch of malspam emails delivering locky ransomware is a series of emails with subjects like “Hi”, “Hi There” or “Hello” coming from random names, companies and email addresses with a zip attachment containing a WSF (Windows Scripting File)... The body has various generic phrases as the contents along the lines of:
    “Please see the attached report about the monthly progress of our department”
    “I am sending you the bills of the goods we delivered to you in the attachment"


    22 August 2016: 5772ac1553.zip: Extracts to: export_pdf_ 2c23a43a~.js - Current Virus total detections 2/56*
    .. MALWR was unable to get any content from the heavily encoded WSF file (waiting for other analysis but almost certain to be the same locations as Today’s Word version Malware delivery[1]). Payload Security** shows a load of connections to various sites... This is another one of the files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/a...is/1471860907/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    213.217.149.4
    213.229.74.92
    185.129.148.19
    185.51.247.211
    194.67.210.183
    51.254.55.171
    91.201.202.125


    1] https://myonlinesecurity.co.uk/today...ky-ransomware/

    Last edited by AplusWebMaster; 2016-08-22 at 16:34.

  5. #1035
    AplusWebMaster

    Fake 'Voice Message Notifications' SPAM, Browser hijackers, Email battleground

    FYI...

    Fake 'Voice Message Notifications' deliver Ransomware
    - https://isc.sans.edu/diary.html?storyid=21397
    2016-08-23 - "... a phone number and with modern communication channels ("Unified Communications") like Microsoft Lync or Cisco, everybody can receive a mail with a 'voice mail notification'. Even residential systems can deliver voice message notifications. Here is an example displayed in Microsoft Outlook:
    > https://isc.sans.edu/diaryimages/ima...-voice-msg.gif
    Today, I received a wave of emails like the following:
    From: voicemail@ rootshell .be
    To: [redacted]
    Subject: [Vigor2820 Series] New voice mail message from 01422520472 on 2016/08/23 15:55:25
    Dear [redacted]:
    There is a message for you from 01422520472, on 2016/08/23 15:55:25 .
    You might want to check it when you get a chance. Thanks!


    The sender is spoofed with the victim domain name.... file was attached to the message... '.wav.zip' extension to lure the user. As usual, the payload is heavily obfuscated and the AV detection ratio is still very low (6/55 at 11:55:00 UTC)[1]. Vigor is a UK company building ADSL residential modems[2]. This tends to think that the new wave is targeting residential customers. Here are the C2 servers (for your IDS):
    89.42.39.81
    213.205.40.169
    51.254.55.171
    194.67.210.183
    185.51.247.211
    185.129.148.19
    91.201.202.125
    "

    [1] https://www.virustotal.com/en/file/9...is/1471949327/
    File name: 614007286106.wsf
    Detection ratio: 6/55

    [2] http://www.draytek.co.uk/products/legacy/vigor-2820
    ___

    More Fake 'voice mail messages' SPAM - delivers Locky/Zepto
    - https://myonlinesecurity.co.uk/vigor...to-ransomware/
    23 Aug 2016 - "Today’s Locky/Zepto ransomware malspam emails have come steadily in waves all day long. There have been 2 distinct different subjects and themes, one pretending to be a voice message from your own email domain or company, with the second pretending to be an audit report from a random company. The first is an email with the subject of '[Vigor2820 Series] New voice mail message' from 01443281097 on 2016/08/23 21:01:59 [random telephone number and date/time] pretending to come from voicemail @ your own email address with a zip attachment named something like 'Message_from_01443281097.wav.zip' where the attachment number matches the telephone number in the subject line. The Vigor 2820 Series is an older ADSL Router Firewall aimed at small business users, so we can quite easily see that this campaign of malware spreading is directly aimed at the small business user...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...7-1024x426.png

    The second campaign has a subject of 'Audit Report' coming from random senders with a content looking like the below. The name in the body of the email matches the spoofed sender. One of the emails looks like:
    From: Omer Scott <Scott.58115@ bambit .de>
    Date: Tue 23/08/2016 15:3
    Subject: Audit Report
    Attachment: 83543cd11db.zip
    Dear lie
    The audit report you inquired is attached in the mail. Please review and transfer it to the related department.
    King regards,
    Omer Scott


    23 August 2016: Message_from_01443281097.wav.zip: Extracts to: 44077640409.wsf
    Current Virus total detections 23/56*.. MALWR** shows a download of an encrypted file from either
    http ://danzig.vtrbandaancha .net/HJghjb54?PqzwogvtP=xYWWDkr -or-
    http ://backyard004.web. fc2.com/HJghjb54?PqzwogvtP=xYWWDkr (in this example) which gets converted by the script to wKoYWwOtQ.exe (VirusTotal 6/56***)

    23 August 2016: 83543cd11db.zip: Extracts to: audit report 316dd5a1.js
    Current Virus total detections 23/56[4].. MALWR[5] shows a download of an encrypted file from either
    http ://sb-11856.fastdl-server .biz/688dak3, http ://newt150.tripod .com/idyeb9 -or-
    http ://dl.sevenseals .ru/ehaq1zw (in this example) which gets converted by the script to NCPcpOkuUfr5AA0.dll (VirusTotal 18/56[6])... This is another one of the files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/1...is/1441173827/

    ** https://malwr.com/analysis/NjhlMjZkY...VhZmE2NTcxZGM/
    Hosts
    200.83.4.62
    185.129.148.19
    208.71.106.40


    *** https://www.virustotal.com/en/file/e...is/1471961322/

    4] https://www.virustotal.com/en/file/1...is/1441173827/

    5] https://malwr.com/analysis/YjFiYzVkM...NkNzA3MjA4NzM/
    Hosts
    109.230.252.172
    52.52.39.236
    77.221.140.226


    6] https://www.virustotal.com/en/file/b...is/1471962605/
    ___

    Fake 'Cancellation' SPAM - leads to Locky
    - https://myonlinesecurity.co.uk/attac...ky-ransomware/
    23 Aug 2016 - "The next in the series of today’s Locky downloaders is an email with the subject of 'Cancellation' pretending to come from random senders with a zip attachment containing a JavaScript file that pretends to be a pdf... One of the emails looks like:
    From: Zachary Flynn <Flynn.94@ football-stats .org>
    Date: Tue 23/08/2016 19:00
    Subject: Cancellation
    Attachment: 2c122b8fa354.zip
    Dear rob,
    Attached is the paper concerning with the cancellation of your current credit card.
    Confirm to us for receiving.
    King regards,
    Zachary Flynn
    Account Manager ...


    23 August 2016: 2c122b8fa354.zip: Extracts to: card_cancellation_pdf 5a59aad3.js
    Current Virus total detections 4/56*.. MALWR** shows a download of an encrypted file from one of these locations
    http ://sopranolady7 .wang/1cntwk5 | http ://www.leuchten-modelle .de/ink36
    http ://download.apf .asso .fr/87aktsv | http ://gromasgboleslawiec .cba .pl/09n7n
    ... that is decrypted and transformed into P6dtp6pov8qB.dll (VirusTotal 6/56***)... This is another one of the files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/1...is/1471975535/

    ** https://malwr.com/analysis/NDkyZGYyN...U0YTkzZTYyMTU/
    Hosts
    95.211.144.65
    212.18.0.4
    91.223.89.200
    195.154.81.86


    *** https://www.virustotal.com/en/file/1...is/1471977294/
    ___

    File-in-the-middle Browser hijackers
    - https://blog.malwarebytes.com/cyberc...dle-hijackers/
    Aug 23, 2016 - "We are not sure if this is going to be a new trend among browser-hijackers, but it seems more than a coincidence that we found -two- browser hijackers using a very similar approach to reach their goal of taking victims to the sites of their choice. Both are using one of their own files to act as a file-in-the-middle between the user and the browser... Dotdo Audio: Dotdo is a strain of hijackers that we have discussed before for using different and more “out of bounds” methods to get the job done. I named this variant “audio” because it uses audio advertisements. But that is not our focus here. It’s the replacement of browser executables with their own that raised our interest. The installer -renames- the files firefox.exe and chrome.exe, if present, and adds a number to the filename. It then hides these renamed files and replaces them with its own files:
    > https://blog.malwarebytes.com/wp-con.../hiddenexe.png
    The screenshot above shows you the hidden and renamed Chrome file, in the same folder as the replacement. I changed the settings for hidden files so that we can see them. In a similar screenshot below we can see that the same was done for Firefox:
    > https://blog.malwarebytes.com/wp-con...hiddenexe2.png
    The browsers are -hijacked- to open with traffic-media[dot]co by altering the browser shortcuts for:
    Chrome
    Firefox
    Internet Explorer
    Opera
    Yandex
    ... Summary: We discussed two hijackers from very different families and using different methods, but they also had a few things in common. They want the victims to hear/see their advertisements and they used a file-in-the-middle between the browser shortcuts and the actual browser in order to alter the browsers behavior to meet their goals..."

    traffic-media[dot]co: 195.154.46.150: https://www.virustotal.com/en/ip-add...0/information/
    >> https://www.virustotal.com/en/url/dc...8854/analysis/
    ___

    Email - Security battleground
    - http://blog.trendmicro.com/trendlabs...ine-extortion/
    Aug 23, 2016 - "Emails have become the battleground for the first half of the year in terms of security. It is the number one infection vector that have ushered in 2016’s biggest threats so far — ransomware and business email compromise (BEC). Ransomware infections normally start via email. Based on our findings, -71%- of the known ransomware families’ delivery method is through spam. Looking at the threat trends so far, both ransomware and BEC have proved profitable across the world:
    Regional breakdown by volume of ransomware threats:
    > https://blog.trendmicro.com/trendlab...1h-roundup.jpg
    Regional breakdown by volume of organizations affected by BEC scams:
    > https://blog.trendmicro.com/trendlab...1h-roundup.jpg
    Our telemetry shows that ransomware’s scope is more widespread than BEC as it targets countries in Europe, Middle East, and Africa. The prevalence of BEC scams are higher in the North American region, with fewer countries but more targeted — attackers behind BEC scams most often impersonate and target C-level executives... 58% of the nearly 80 million ransomware threats Trend Micro blocked from January to June 2016 are email-borne ransomware. BEC scams, on the other hand, -all- arrive via email. These factors make the two threats quite formidable, as email remains a firm staple in everyday business. They both also utilize social engineering. In ransomware’s case, it’s for the user to click and run the ransomware attached to their opening email. For BECs, it’s to trick the targeted officer into thinking that their request for a money transfer is legitimate, without the usual malware payload... Knowing that these threats use email as an attack vector, companies should strengthen employee education and invest smartly in email protection. With these, the threat of ransomware and BEC attacks can be greatly reduced..."

    Last edited by AplusWebMaster; 2016-08-24 at 00:15.
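The Malwarebytes item above describes the Dotdo "file-in-the-middle" trick: the installer renames the real chrome.exe or firefox.exe with a number appended, hides the renamed file, and drops its own file under the original name. The script below is an added example, not code from this thread or from Malwarebytes: it audits a browser install folder for exactly that layout, numbered copies of the browser executable and a canonical file whose hash no longer matches a known-good value. The install folder, the file contents and the "known-good" hashes are constructed in a temporary directory; on a real system the known-good hashes come from a clean install and the folder is the actual browser directory.

```python
"""Spot a browser executable that has been renamed aside and replaced.

Added example, not code from the thread or from the Malwarebytes post. The
folder layout and the known-good hashes are constructed for illustration.
"""
import hashlib
import re
import stat
import tempfile
from pathlib import Path

BROWSER_EXES = ("chrome.exe", "firefox.exe")


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def is_hidden(path: Path) -> bool:
    """Windows 'hidden' attribute; on other platforms the attribute is absent and this is False."""
    attrs = getattr(path.stat(), "st_file_attributes", 0)
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0))


def audit_browser_dir(folder, known_good: dict) -> list:
    """known_good maps a canonical exe name to the sha256 of a clean copy.

    Returns human-readable findings; an empty list means nothing suspicious.
    """
    folder = Path(folder)
    findings = []
    for exe in BROWSER_EXES:
        stem = exe[: -len(".exe")]
        # The post describes the original being renamed with a number appended.
        renamed_re = re.compile(rf"^{re.escape(stem)}\d+\.exe$", re.IGNORECASE)
        renamed = sorted(p for p in folder.iterdir() if p.is_file() and renamed_re.match(p.name))
        for p in renamed:
            flag = " (hidden)" if is_hidden(p) else ""
            findings.append(f"{p.name}: numbered copy of {exe} present{flag}")
        canonical = folder / exe
        if not canonical.is_file() or exe not in known_good:
            continue
        actual = sha256_file(canonical)
        if actual != known_good[exe]:
            findings.append(f"{exe}: sha256 {actual[:12]}... does not match known-good")
            # If a numbered copy carries the clean hash, the real browser was shoved aside.
            for p in renamed:
                if sha256_file(p) == known_good[exe]:
                    findings.append(f"{p.name}: carries the known-good hash of {exe} (original displaced)")
    return findings


def demo() -> list:
    """Build a constructed install folder in the hijacked layout and audit it."""
    original_chrome = b"constructed stand-in for the real chrome.exe"
    original_firefox = b"constructed stand-in for the real firefox.exe"
    known_good = {
        "chrome.exe": hashlib.sha256(original_chrome).hexdigest(),
        "firefox.exe": hashlib.sha256(original_firefox).hexdigest(),
    }
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "chrome1.exe").write_bytes(original_chrome)  # the real one, renamed aside
        (d / "chrome.exe").write_bytes(b"constructed stand-in for the replacement file")
        (d / "firefox.exe").write_bytes(original_firefox)  # untouched
        return audit_browser_dir(d, known_good)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The hash comparison is what makes the check robust: a numbered copy alone could be a leftover from an updater, but a canonical file with the wrong hash next to a numbered copy with the right one is the displacement the post describes. The altered shortcuts mentioned in the post are a separate check (inspect the .lnk targets and arguments) that this example does not cover.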

  6. #1036
    AplusWebMaster

    Fake 'Statement', 'Emailing: Image' SPAM

    FYI...

    Fake 'Statement' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/the-m...ky-ransomware/
    24 Aug 2016 - "This morning’s first Locky ransomware delivering malspam is an email with the subject of 'Statement' coming from random senders, companies and email addresses with a random named zip attachment containing a JavaScript file that pretends to be a financial statement... One of the emails looks like:
    From: Ella Gonzales <Gonzales.169@ airtelbroadband .in>
    Date: Wed 24/08/2016 10:34
    Subject: Statement
    Attachment: 25b8ae3a4d.zip
    Hi,
    The monthly financial statement is attached within the email.
    Please review it before processing.
    King regards,
    Ella Gonzales ...


    24 August 2016: 25b8ae3a4d.zip: Extracts to: monthly_financial_scan aa9140e0.js
    Current Virus total detections 2/56*.. MALWR** shows a download of an encrypted file from one of these locations:
    http ://rejoincomp2 .in/117uuf5h | http ://dokcool.atspace .org/jltqouz
    http ://smilehomeutsumi504.web. fc2.com/by11k6r ... that is converted by the JavaScript to o2OoILn8OHU.dll and autorun (VirusTotal 6/56***)... This is another one of the files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/e...is/1472031010/

    ** https://malwr.com/analysis/YmNjYjUxN...FkNDQxNDgwYmE/
    Hosts
    82.197.131.109
    208.71.106.49
    213.229.74.92


    *** https://www.virustotal.com/en/file/8...is/1472033919/
    ___

    Fake 'Emailing: Image' SPAM - leads to Locky
    - https://myonlinesecurity.co.uk/email...ky-ransomware/
    24 Aug 2016 - "A blank email with the subject of 'Emailing: Image15.jpg' [random numbered] pretending to come from random senders at your own email domain or company with a zip attachment containing an encrypted HTA file... This set of emails has a zip attachment that extracts to a HTA file... One of the emails looks like:
    From: Raymon <Raymon237@ Your email domain >
    Date: Wed 24/08/2016 12:04
    Subject: Emailing: Image15.jpg
    Attachment: Image15.zip


    Body content: Totally blank/Empty

    24 August 2016: Image15.zip: Extracts to: 100966743304.hta - Current Virus total detections 2/56*
    .. Payload Security** shows a download of the usual Locky encrypted file from a list of embedded URLs in the decrypted HTA/JavaScript file which is converted to xUztoLUte.exe by the instructions inside the HTA/JavaScript (VirusTotal 2/56***)... This is another one of the files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/9...is/1472036751/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    112.140.42.29
    213.205.40.169
    200.83.4.62
    185.129.148.19
    51.254.55.171
    185.51.247.211
    194.67.210.183
    91.226.92.208


    *** https://www.virustotal.com/en/file/f...is/1472037488/

    Last edited by AplusWebMaster; 2016-08-24 at 16:34.

  7. #1037
    Adviser Team AplusWebMaster

    Fake 'Fraud Notice' SPAM, BEC scams and ransomware

    FYI...

    Fake 'Fraud Notice' SPAM - Java Adwind Trojans
    - https://myonlinesecurity.co.uk/java-...-xpress-money/
    25 Aug 2016 - "... Java Adwind Trojans being delivered by various financial themed emails, we are seeing a new method of distribution of the Java Adwind Trojan using these financial themed emails with the subject of 'Request for Amendment'-XPIN- 2401200221508974 & 2401240241500561 (11) pretending to come from xm.support@ xpressmoney .com <XM SUPPORT> with a word doc attachment that contains the Java Adwind Trojan as an embedded OLE object... One of the emails looks like:
    From: xm.support@ xpressmoney .com <XM SUPPORT>
    Date: Request for Amendment-XPIN- 2401200221508974 & 2401240241500561 (11)
    Subject: Request for Amendment-XPIN- 2401200221508974 & 2401240241500561 (11)
    Attachment: Fraud Notice XM.doc
    Dear Sir/Madam,
    We would like to inform you that the transaction mentioned have been flagged from our system although the Xpress Money account is still under review. Please cancel and amend these transactions from your system at the earliest. Details of Transactions is been attached
    Thanks & Warm Regards,
    Prasanth Vasanth Pai
    Specialist Customer Support
    Xpress Money Services Ltd.
    PO Box 170, Abu Dhabi, UAE ...


    Screenshot of attached word doc: https://myonlinesecurity.co.uk/wp-co...c-1024x419.png

    25 August 2016: Fraud Notice XM.doc - Current Virus total detections 23/56*. MALWR**
    If you are unwise enough to double click the alleged pdf files that are -embedded- inside the word doc, then a JAVA.jar – Jacob.jar file will open & run (VirusTotal 23/56***)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/2...is/1472103111/

    ** https://malwr.com/analysis/ODIwOWYzY...VkMjc1YzJlYTQ/

    *** https://www.virustotal.com/en/file/6...is/1472103307/

    Earlier 'Java Adwind' posts: https://myonlinesecurity.co.uk/?s=Java+Adwind
    ___

    BEC scams and ransomware
    - https://www.helpnetsecurity.com/2016...are-bec-scams/
    Aug 25, 2016 - "Trend Micro analyzed the trends in attacks and vulnerabilities seen throughout the first half of this year*, and found a rise and impact of attacks, such as a -172- percent increase in ransomware and $3 billion in losses due to business email compromise (BEC) scams so far in 2016..."
    (More detail at the URL above.)
    Charted: https://www.helpnetsecurity.com/imag...ansomware1.jpg
    * http://blog.trendmicro.com/trendlabs...ine-extortion/
    Aug 23, 2016 - "... Based on our findings, 71% of the known ransomware families’ delivery method is through spam..."
    * https://www.trendmicro.com/vinfo/us/...eports/roundup
    Aug 23, 2016 - "... The number of new ransomware families we saw in the first half of 2016 alone has already eclipsed the total 2015 volume by 172%. With ransomware attacks becoming more and more sophisticated and prevalent, we believe that the threat will potentially cause more damage going into the second half of the year..."
    ___

    Tech support scams and Google Chrome tricks
    - https://blog.malwarebytes.com/cyberc...chrome-tricks/
    Aug 25, 2016 - "Tech support scams coming as phishing pages that contain -fake- alerts urging you to call for immediate assistance are common place these days. We collect -hundreds- of such URLs each day and have observed countless tricks to fool users... for years we have been telling people to double check the URL in the address bar to know if a website is really what it claims to be. When this scam page loads it runs in full-screen mode and prevents the user from easily closing it with an infinite loop of alerts.
    Now take a look at the address bar. For all intents and purposes it does look like the legitimate Microsoft website, although the ‘ru-ru’ (Russia) portion of the URL is a fail in an otherwise clever design. (There are other bits of Russian here and there in the source code, which perhaps link to the original author?):
    > https://blog.malwarebytes.com/wp-con...16/08/scam.png
    ... Tech support -scams- have similar alert windows except we found some that are completely made up. Putting a checkmark and clicking OK actually produces the opposite result of what you’d expect, to keep you more frustrated and ready to throw your computer out the window... It’s safe to say that browser-based tech support scams are not going anywhere any time soon. Sadly, most browsers are brought to their knees with simple bits of JavaScript and non savvy users will simply give up and call the toll free number for assistance (we forgot to mention that all this while a very annoying audio track plays in the background). Call centres located in India (for the most part) are receiving thousands of calls each day from desperate victims prime to be -defrauded- of hundreds of dollars by rogue operators playing the Microsoft technician game. Spotting those scams isn’t always easy though and that is why it’s important to expose them to show their inner workings. To learn more about tech support scams and consult our blacklist of known offenders, please check out our resource page here*."
    * https://blog.malwarebytes.com/threat...support-scams/

    Last edited by AplusWebMaster; 2016-08-25 at 22:17.

  8. #1038
    Adviser Team AplusWebMaster

    Fake 'Voice Message', 'P.O.', 'monthly report' SPAM

    FYI...

    Fake 'Voice Message' SPAM - delivers Locky/Zepto
    - https://myonlinesecurity.co.uk/voice...s-locky-zepto/
    26 Aug 2016 - "An email with the subject of 'Voice Message from Outside Caller (3m 54s) [random length]' pretending to come from Peach Telecom <peach_necsv06@ hotmail .com> (random number after peach_necsv) with a zip attachment which downloads Locky/Zepto ransomware... One of the emails looks like:
    From: Peach Telecom <peach_necsv06@ hotmail .com>
    Date: Fri 26/08/2016 12:21
    Subject: Voice Message from Outside Caller (3m 54s)
    Attachment: Outside Caller 08-26-2016 9aaf18b.zip
    Voice Message Arrived on Friday, Aug 26 @ 6:26 AM
    Name: Outside Caller
    Number: Unavailable
    Duration: 3m 54s ...


    26 August 2016: Outside Caller 08-26-2016 9aaf18b.zip: Extracts to: 08-26-2016 36ptor06.wsf
    Current Virus total detections 9/56*.. MALWR** shows a download of an encrypted file from one of these locations:
    http ://sewarte.homepage. t-online .de/nb20gjBV?xJNXYWEr=xnGdqHz |
    http ://theramom.web. fc2 .com/nb20gjBV?xJNXYWEr=xnGdqHz |
    http ://seishinkaikenpo .com/nb20gjBV?xJNXYWEr=xnGdqHz
    which is transformed by the script to LHOyUOaiiss1.dll (VirusTotal ***). All versions send info back to the control centre at http ://51.254.55.171/data/info.php ...
    This is another one of the files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/0...is/1472210401/

    ** https://malwr.com/analysis/OTY5MGRiM...QwYjdlOGNhMTI/
    Hosts
    210.157.30.70
    208.71.106.46
    80.150.6.138
    51.254.55.171


    *** https://www.virustotal.com/en/file/b...is/1472214673/
    ___

    Fake 'P.O.' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/pleas...ky-ransomware/
    26 Aug 2016 - "The second batch of today’s Locky ransomware malspam emails is an email with the subject of 'office equipment' coming from random senders with a zip attachment... One of the emails looks like:
    From: Jillian Kirby <Kirby.84@ phantomes .com>
    Date: Fri 26/08/2016 11:41
    Subject: office equipment
    Attachment: 609c171b94a.zip
    Dear wh,
    Please sign the attached purchase of the office equipment. We will send you back the receipt afterward.
    Best regards,
    Jillian Kirby
    Sales Manager


    26 August 2016: 609c171b94a.zip: Extracts to: office_equipment ~bced3628.js
    Current Virus total detections 4/56*.. MALWR** shows a download of an encrypted file from one of these locations,
    http ://onlybest76 .xyz/1rkyye | http ://all-rides .com/i0gih |
    http :// provincialpw .com/crgrapy | http ://www.mediawareonline .it/yvg6cw |
    http ://www.jansen-consultancy-machines .be/nvbd7rme that is transformed by the script to deliver AzWzM3LegeEcV6.dll (VirusTotal 14/58***). Payload Security[4].. This is another one of the files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/b...is/1472209948/

    ** https://malwr.com/analysis/NmUwMTAxY...E3MDhiYmZjODA/
    Hosts
    195.130.132.84
    104.232.35.136
    160.153.54.35
    173.255.129.128
    212.104.43.3


    *** https://www.virustotal.com/en/file/2...is/1472217004/

    4] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    160.153.54.35
    212.104.43.3
    188.127.249.203
    138.201.191.196
    51.254.55.171
    91.226.92.208

    ___

    Fake 'monthly report' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/there...ky-ransomware/
    26 Aug 2016 - "The third of today’s Locky ransomware malspam deliveries is an email with the subject of 'monthly report' coming from random senders, companies and email addresses with a zip attachment... One of the emails looks like:
    From: Tasha Ray <Ray.05187@ flamingjewellery .co.uk>
    Date: Fri 26/08/2016 18:16
    Subject: monthly report
    Attachment: c1195a3663e.zip
    Good evening hyperbolasmappera,
    There were some errors in the monthly report you submitted last week.
    See the highlights in the attachment and please fix as soon as possible.
    Best regards,
    Tasha Ray
    Account Manager ...


    28 August 2016: c1195a3663e.zip: Extracts to: monthly_report_pdf (~41e8df8a).js
    Current Virus total detections 6/56*.. MALWR** shows a download of an encrypted file from one of these locations:
    http ://berndburgdorf .de/5x6vdaw | http ://www.valmon .it/ndxec | http ://rejoincomp2 .in/3dv7n |
    http ://abufarha .net/80d4a1j which is transformed by the script to lh7pIFrXtoRVDe.dll (VirusTotal 19/58***)...
    This is another one of the files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/b...is/1472235308/

    ** https://malwr.com/analysis/OGQ2NmJmM...g2NmJjMGE0ZmU/
    Hosts
    212.40.179.94
    104.232.35.136
    213.205.40.169
    66.147.240.193


    *** https://www.virustotal.com/en/file/b...is/1472237184/

    Last edited by AplusWebMaster; 2016-08-26 at 23:55.

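The posts above keep coming back to the same delivery pattern: a zip attachment that extracts to a .js, .wsf or .hta file, frequently with a decoy token such as _pdf or _xls placed just before the real extension so that a user with hidden extensions reads it as a document. The following is an added example for this thread, not code from the forum or from myonlinesecurity.co.uk. It triages a zip attachment by member name, flagging executable or script extensions, a decoy document token in front of the real extension, and double-dot names like 'Updated Unityink Server..exe'. The archives are constructed in memory with placeholder bytes; only the attachment and member names are quoted from the posts, and the image name 'update.png' and the benign control archive are constructed. A mail-gateway check of this kind runs before a user ever sees the name, which is the other half of the 'show known file extensions' advice.

```python
"""Triage of e-mail zip attachments by member file name.

Added example for this thread; it is not code from the forum or from
myonlinesecurity.co.uk. The archives are constructed in memory with
placeholder contents; only the file names are quoted from the posts.
"""
import io
import re
import zipfile

# Extensions that Windows runs directly or hands to a script host on double-click.
EXECUTABLE_EXTS = {
    ".exe", ".scr", ".pif", ".com", ".dll", ".jar",
    ".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta",
    ".ps1", ".cmd", ".bat", ".docm", ".xlsm",
}

# A document-type token sitting in the name just before the real extension,
# e.g. "monthly_report_pdf (~41e8df8a).js", is meant to read as a document.
# Underscore counts as a word character in Python regexes, so the boundaries
# are written as explicit alphanumeric lookarounds.
DECOY_RE = re.compile(r"(?<![a-z0-9])(pdf|docx?|xlsx?|jpe?g|png|txt)(?![a-z0-9])", re.I)


def classify_name(name):
    """Return the findings for one archive member name (empty list = nothing odd)."""
    findings = []
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    root, dot, ext = base.rpartition(".")
    ext = "." + ext.lower() if dot else ""
    if ext in EXECUTABLE_EXTS:
        findings.append("executable-or-script:" + ext)
        if DECOY_RE.search(root):
            findings.append("decoy-document-token")
    if ".." in base:
        findings.append("double-dot-name")
    return findings


def triage_zip(data):
    """Map every file member of a zip (given as bytes) to its findings."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                report[info.filename] = classify_name(info.filename)
    return report


def is_suspicious(report):
    """True when any member of the archive produced a finding."""
    return any(report.values())


def build_sample_zip(members):
    """Constructed test data: a zip whose members hold placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in members:
            zf.writestr(name, b"placeholder bytes, not a real payload")
    return buf.getvalue()


# Attachment and member names quoted in the posts above; the image name and
# the last archive are constructed as a benign control.
SAMPLE_ATTACHMENTS = {
    "Image15.zip": ["100966743304.hta"],
    "c1195a3663e.zip": ["monthly_report_pdf (~41e8df8a).js"],
    "9dc078a8d54e.zip": ["commission_xls (~2a4bfa91).js"],
    "9aaea06c022a.zip": ["mortgage_documents.c40bf5a3.wsf"],
    "Unity Link New Server Update.zip": ["Updated Unityink Server..exe", "update.png"],
    "holiday_photos.zip": ["IMG_0001.jpg", "IMG_0002.jpg"],
}

if __name__ == "__main__":
    for zip_name, members in SAMPLE_ATTACHMENTS.items():
        report = triage_zip(build_sample_zip(members))
        print(("BLOCK " if is_suspicious(report) else "allow ") + zip_name)
        for member, findings in report.items():
            print("    " + member + ": " + (", ".join(findings) or "ok"))
```

The check deliberately looks at names only, so it costs nothing per message and needs no sandbox; a member whose real extension is a script type is enough to quarantine, and the decoy and double-dot findings are there to explain the verdict to whoever reviews the quarantine.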
  9. #1039
    Adviser Team AplusWebMaster

    Fake 'Commission', 'invoice', 'mortgage documents' SPAM

    FYI...

    Fake 'Commission' SPAM - leads to Locky
    - https://myonlinesecurity.co.uk/here-...elivers-locky/
    29 Aug 2016 - ".. the -Locky- onslaught continues its daily attacks with an email with the subject of 'Commission' coming from random companies and senders with a zip attachment that despite the message in the email body saying it is an Excel file actually contains a JavaScript file, although they have half tried to disguise it as an excel file commission_xls (~2a4bfa91).js ... One of the emails looks like:
    From: Minerva Bridges <Bridges.033@ aprilwilkins .com>
    Date: Mon 29/08/2016 10:20
    Subject: Commission
    Attachment: 9dc078a8d54e.zip
    Good morning rob,
    Here is the excel file of the commission you earned last month. Please analyze
    the attachment to confirm the amount.
    Regards,
    Minerva Bridges


    29 August 2016: 9dc078a8d54e.zip: Extracts to: commission_xls (~2a4bfa91).js - Current Virus total detections 4/56*
    .. MALWR** shows a download of an encrypted file from one of these locations:
    http ://xelagon.50webs .org/8rxv3 | http ://209.237.142.197/~p27j55uk/von90s
    http ://ach-dziennik.cba .pl/kag7pe6 | http ://wangmewang .name/5tr5xeey which is transformed into a working Locky Ransomware file by the JavaScript file yzASo9ubY.dll (VirusTotal 9/58***)... This is another one of the files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/6...is/1472462471/

    ** https://malwr.com/analysis/YjBiMWMwM...MwMzNlMTk3OWI/
    Hosts
    192.151.153.26
    213.229.74.92
    95.211.144.65
    209.237.142.197


    *** https://www.virustotal.com/en/file/9...is/1472464805/
    ___

    Fake 'invoice' SPAM - leads to ransomware
    - https://myonlinesecurity.co.uk/pleas...to-ransomware/
    29 Aug 2016 - "... series of Locky/Zepto ransomware malspams... an email with the subject of 'Please find attached invoice no: 9087773449' [random numbered] pretending to come from document@ your own email domain with a zip attachment containing a WSF file... One of the emails looks like:
    From: document@ your own email domain
    Date: Mon 29/08/2016 10:21
    Subject: Please find attached invoice no: 9087773449
    Attachment: 03A137a21.zip
    Attached is a Print Manager form.
    Format = Portable Document Format File (PDF) ...


    29 August 2016: 03A137a21.zip: Extracts to: sedFki.wsf - Current Virus total detections 7/56*
    .. MALWR** shows a download of an encrypted file from one of these locations
    http ://www.imaginarium .home.ro/78yhuinFYs?AUURTj=HtKvHtW
    http ://abcbureautique.abc.perso. neuf .fr/78yhuinFYs?AUURTj=HtKvHtW
    http ://dussartconsulting .com/78yhuinFYs?AUURTj=HtKvHtW ... which is transformed by the script file to atuBFcBCz1.dll and automatically run (VirusTotal 4/58***). All the versions post home to the control centre at http ://51.255.107.30 /data/info.php to get & store the encryption key used to encrypt your files... This is another one of the files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/b...is/1472462824/

    ** https://malwr.com/analysis/YzE2ZGI0M...UzZGRkYWIwYmE/
    Hosts
    86.65.123.70
    81.196.20.133
    91.216.107.228
    51.255.107.30


    *** https://www.virustotal.com/en/file/b...is/1472465136/
    ___

    Fake 'mortgage documents' SPAM - leads to Locky
    - https://myonlinesecurity.co.uk/i-am-...elivers-locky/
    29 Aug 2016 - "... Locky ransomware malspams... email with the subject of 'mortgage documents' with a zip attachment containing a WSF file... One of the emails looks like:
    From: Edison Montgomery <Montgomery.25@ cable .net .co>
    Date: Mon 29/08/2016 20:16
    Subject: mortgage documents
    Attachment:
    Dear cazzo, I am attaching the mortgage documents relating to your department.
    They need to be signed in urgent manner.
    Regards,
    Edison Montgomery


    29 August 2016: 9aaea06c022a.zip: Extracts to: mortgage_documents.c40bf5a3.wsf
    Current Virus total detections 5/56*.. MALWR** seems unable to analyse these and Payload Security has 150+ files in the queue...
    Edit: Payload security*** eventually gave me www .qualityacoustic.comcastbiz .net/53ky07h2 which is an encrypted file which gets transformed by the script to a Locky/Zepto file. Unfortunately Payload security does not give me that file... This is another one of the files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/5...is/1472498468/

    ** https://malwr.com/analysis/YWQ5NGUzM...JhNjMxOGY2ODQ/

    *** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    216.87.186.101
    51.255.107.30
    188.127.249.203
    195.64.154.114
    138.201.191.196
    69.195.129.70
    91.226.92.208

    ___

    Locky downloaded as encrypted DLLs
    - http://blog.trendmicro.com/trendlabs...ncrypted-dlls/
    Aug 29, 2016 - "... Locky has, over time, become known for using a wide variety of tactics to spread – including macros, VBScript, WSF files, and now DLLs... we encountered a new Locky variant (detected as RANSOM_LOCKY.F116HM) that used old tactics on the surface, but with some key technical changes. The emails that were used to distribute it were fairly pedestrian as far as these messages go, although it was part of a large-scale spam campaign:
    > https://blog.trendmicro.com/trendlab...ocky-dll-1.png
    ... Using a DLL file in this way represents an attempt to try and -evade- behavior monitoring features that are now part of modern endpoint security products. Running as a DLL prevents a new process from being started, making it harder to detect. Other ransomware families (like CrypMIC/CryptXXX) have used this tactic as well, although for Locky this is new. The use of encryption is also meant to strengthen this malware’s ability to hide itself. Without receiving the right parameters from the downloader, no actual malicious file is actually decrypted (and theoretically, detected)..."

    Last edited by AplusWebMaster; 2016-08-30 at 03:25.

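The Trend Micro note above explains why the new Locky variant arrives as a DLL: no separate ransomware process image is started, which blunts behaviour monitoring keyed on new processes. A DLL still has to be loaded by something, and a script host that has just written a DLL into a user-writable directory is the place to look. The following is an added example for this thread, not code from the forum or from Trend Micro. It scans constructed process-creation records in a minimal Sysmon-like shape (field names are chosen here, real collectors differ) for a script host (wscript.exe, cscript.exe, mshta.exe) spawning rundll32.exe or regsvr32.exe with a DLL path under a user-writable directory. The assumption that rundll32.exe hosts the dropped DLL, the export name 'EntryPoint' and the user name are mine; the script and DLL file names are quoted from the 'monthly report' post.

```python
"""Hunting script-host -> DLL-loader chains in process-creation telemetry.

Added example for this thread; not code from the forum or from Trend Micro.
The records below are constructed in a minimal Sysmon-like shape (the field
names are chosen here). The assumption that rundll32.exe hosts the dropped
DLL is mine; the .js and .dll file names are quoted from the 'monthly report' post.
"""
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
DLL_LOADERS = {"rundll32.exe", "regsvr32.exe"}
# Directories an unprivileged user can write to; a freshly downloaded DLL lands here.
USER_WRITABLE = re.compile(r"\\(temp|appdata|downloads|users\\public)\\", re.I)


def basename(path):
    """Lower-cased final path component, accepting either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_loader_chains(events):
    """Return (pid, reasons) for every DLL-loader process that looks like a dropper chain.

    Two independent signals are combined so that a legitimate rundll32 launched
    by the shell with a System32 DLL produces no finding, while a loader with
    either a script-host parent or a DLL in a user-writable path is reported.
    """
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if basename(e["image"]) not in DLL_LOADERS:
            continue
        reasons = []
        parent = by_pid.get(e["ppid"])
        if parent is not None and basename(parent["image"]) in SCRIPT_HOSTS:
            reasons.append("parent is script host " + basename(parent["image"]))
        if USER_WRITABLE.search(e["cmdline"]):
            reasons.append("DLL path under a user-writable directory")
        if reasons:
            hits.append((e["pid"], reasons))
    return hits


# Constructed records, not real telemetry.
EVENTS = [
    {"pid": 3900, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    # The shell launching the .js extracted from the zip attachment.
    {"pid": 4100, "ppid": 3900, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\AppData\Local\Temp\monthly_report_pdf (~41e8df8a).js"'},
    # The script handing the decrypted DLL to rundll32 (export name constructed).
    {"pid": 4120, "ppid": 4100, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'rundll32.exe "C:\Users\alice\AppData\Local\Temp\lh7pIFrXtoRVDe.dll",EntryPoint'},
    # Benign control: the shell opening a Control Panel applet via rundll32.
    {"pid": 4140, "ppid": 3900, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]

if __name__ == "__main__":
    for pid, reasons in find_loader_chains(EVENTS):
        print("pid", pid, "->", "; ".join(reasons))
```

Either signal on its own is noisy in some environments (logon scripts run from wscript.exe, installers stage DLLs in %TEMP%), so the function reports the reasons rather than a bare verdict and a real rule would weight a hit with both reasons higher than one with a single reason.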
  10. #1040
    Adviser Team AplusWebMaster

    Fake 'Body Blank/empty', 'Final pmnt', 'paycheck', 'Svr Update' SPAM, Opera breach

    FYI...

    Fake 'Body content Blank/empty' SPAM - leads to Locky
    - https://myonlinesecurity.co.uk/blank...s-locky-zepto/
    30 Aug 2016 - "The latest of Today’s Locky/Zepto malspams is a -blank- empty email pretending to come from random names at your own email domain with the -subject- similar to 'document, File, Picture, Photo, Image' etc. with a zip attachment containing a WSF file... One of the emails looks like:
    From: random name @ your own email domain
    Date:
    Subject: Photo
    Attachment: PC_20160830_05_84_67_Pro.zip


    Body content: Blank/empty

    11 May 2016: PC_20160830_05_84_67_Pro.zip: Extracts to: XfTxmMOc.wsf - Current Virus total detections 8/56*
    .. MALWR** shows a download of an encrypted file from
    http ://gerochan.web. fc2 .com/987nkjh8?RlUTbYrVI=TMGiBgFtfwB amongst others which eventually gets transformed by the script file to XWYLtzfQg1.dll (VirusTotal 5/58***). C2 control which determines the encryption key is
    http ://188.127.249.32 /data/info.php ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/9...is/1472566396/

    ** https://malwr.com/analysis/YTE0NDY2O...RlZTk2MTcwYjU/
    Hosts
    85.12.197.61
    208.71.106.49
    208.71.106.45
    51.255.107.30
    188.127.249.32


    *** https://www.virustotal.com/en/file/2...is/1472562174/
    ___

    Fake 'Final payment' SPAM - leads to malware
    - https://myonlinesecurity.co.uk/final...ds-to-malware/
    30 Aug 2016 - "An email with the subject of 'Final payment request' pretending to come from angela.fynan@ hmrc.gsi .gov.uk <info@ hmrcgovuk121 .pw> with a malicious word doc attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking Trojans like Dridex or Dyreza and ransomware like Locky or numerous Cryptolocker versions... The email looks like:
    From: angela.fynan@ hmrc.gsi .gov.uk <info@ hmrcgovuk121 .pw>
    Date: Tue 30/08/2016 15:08
    Subject: Final payment request
    Attachment: hmrc_doc_083016_848347734.docm
    Date of issue 30 august 2016
    Reference K 2058964946
    Sir/Madam
    Final payment request GBP 5,961.34.
    Don’t ignore this letter – you need to pay us now if you want to stop us taking enforcement action against you.
    We contacted you previously asking you to pay the above amount but you still haven’t done so. The attached statement of liability gives a breakdown of what you owe.
    As you’re in the very small minority of people who haven’t paid. We’re treating your case as a priority. If you don’t pay now, we’ll take action to make you pay. The law allows us to enforce debts by seizing your goods and selling them by public auction A regional sheriff officer acting on a summary warrant will do this for us. We can charge fees for this so if you don’t act now it could cost you more money.
    For more information and how to pay us please see attached statement.
    We’ll continue to add interest to the original debt until you pay in full.
    Debt Management
    G McLean
    HMRC ...


    Screenshot: https://myonlinesecurity.co.uk/wp-co...t-1024x562.png

    30 August 2016: hmrc_doc_083016_848347734.docm - Current Virus total detections 4/55*
    .. MALWR** shows a download from http ://ivanovimportexportltd. co.uk/4.exe (VirusTotal 4/57***) MALWR[4]
    ... likely to be a password stealer of some sort. Payload Security[5]... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/f...is/1472565604/

    ** https://malwr.com/analysis/ZmE3YWRkY...JjMzNlYzBhMGM/
    Hosts
    137.74.172.30

    *** https://www.virustotal.com/en/file/1...is/1472566995/

    4] https://malwr.com/analysis/NjhkNTkxM...Y3NWRlNTk5NGE/

    5] https://www.reverse.it/sample/fabf49...ironmentId=100
    Contacted Hosts
    137.74.172.30
    ___

    Fake 'paycheck' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/attac...elivers-locky/
    30 Aug 2016 - "... series of Malspam delivering -Locky- ransomware is an email with the subject of 'paycheck' coming from random senders, companies and email addresses with a zip attachment... One of the emails looks like:
    From: Isabella Holman <Holman.114@ profilerhs .com>
    Date: Tue 30/08/2016 18:38
    Subject: paycheck
    Attachment:
    Hey gold, as you requested, attached is the paycheck for your next month's salary in advance.
    Sincerely yours,
    Isabella Holman


    30 August 2016: e3fa12b0575f.zip: Extracts to: paycheck_pdf_de64ad80.js - Current Virus total detections 6/54*
    .. MALWR** shows a download of an encrypted file from one of these locations:
    http ://malwinstall .wang/1xiolv6 | http ://specialist.homepage. t-online .de/pgtv2
    http ://kikital.web. fc2 .com/amqq7aq6 | http ://solesdearequito. tripod .com/f1bii
    http ://vinciunion. co.th/gfp87 that is converted by the script to a working Locky ransomware 6e8kHAmEE5.dll
    that gets run automatically (VirusTotal 9/58***)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/e...is/1472578893/

    ** https://malwr.com/analysis/NmY4ZTFmY...RjZGVjNzMyZjA/
    Hosts
    80.150.6.138
    52.52.40.206
    208.71.106.48
    45.59.114.100
    103.246.18.22


    *** https://www.virustotal.com/en/file/0...is/1472579254/
    ___

    Fake 'Server Update' SPAM - drops Java Adwind or Jacksbot
    - https://myonlinesecurity.co.uk/unity...d-or-jacksbot/
    30 Aug 2016 - "An email with the subject of 'Unity Link New Server Update' pretending to come from xm.nl@ unitylink .com <abelen@ unitylink .com> with a zip attachment which contains an executable file 'Updated Unityink Server..exe' and an image, which drop/create various Java.jar files. This is likely to be a Java Adwind or Java Jacksbot version... One of the emails looks like:
    From: xm.nl@ unitylink .com <abelen@ unitylink .com>
    Date: Tue 30/08/2016 07:13
    Subject: Unity Link New Server Update
    Attachment: Unity Link New Server Update.zip
    Dear Agent,
    Find attach New update details with password, kindly sign and branch seal on the attach authorization for security updates.
    Best regards,
    ALAA ELDIN BEBARS
    | Unity Link Operations
    Unity Link services Ltd| P.O. Box 170 ...


    Screenshot of image file inside zip: https://myonlinesecurity.co.uk/wp-co...ver-Update.png

    30 August 2016: Unity Link New Server Update.zip: Extracts to: Updated Unityink Server..exe
    Current Virus total detections 15/58*. MALWR**... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/b...is/1472556607/

    ** https://malwr.com/analysis/NmQ0YTIwO...I1NzYwNjI3OGI/
    ___

    Opera server breach ...
    > https://www.opera.com/blogs/security...each-incident/
    Aug 26, 2016 - "Earlier this week, we detected signs of an attack where access was gained to the Opera sync system. This attack was quickly blocked. Our investigations are ongoing, but we believe some data, including some of our sync users’ passwords and account information, such as login names, may have been compromised. Although we only store encrypted (for synchronized passwords) or hashed and salted (for authentication) passwords in this system, we have reset all the Opera sync account passwords as a precaution. We have also sent emails to all Opera sync users to inform them about the incident and ask them to change-the-password for their Opera-sync-accounts. In an abundance of caution, we have encouraged users to also reset-any-passwords to third-party-sites they may have synchronized with the service. To obtain a new password for Opera sync, use the password resetting page:
    - https://auth.opera.com/account/lost-password "

    Last edited by AplusWebMaster; 2016-08-30 at 21:41.
