
Thread: SPAM frauds, fakes, and other MALWARE deliveries...

  1. #101
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Fake Chrome updates / Changelog / Intuit SPAM...

    FYI...

    Fake Chrome updates return ...
    - http://www.gfi.com/blog/fake-google-...pdates-return/
    Jan 11, 2013 - "... fake Chrome update websites leading to Malware – has returned...
    > http://www.gfi.com/blog/wp-content/u...hromefake1.jpg
    The design of the website is identical to the initial rollout, urging the end-user to “Update Google Chrome: To make sure that you’re protected by the latest security updates”. If you attempt to download the file while using Chrome, the following prompt appears...
    > http://www.gfi.com/blog/wp-content/u...hromefake2.jpg
    The file itself has been around for a while, being seen on around 14 or so websites since around October and is listed at Malwr.com which mentions attempts to access Firefox’s Password Manager local database – meanwhile, it’s listed on the comments section of VirusTotal* as being capable of stealing banking credentials. You’ll notice they mention Zeus – indeed, one of the DNS requests made by the Malware is to a site related to ZBot / Blackhole exploit kit attacks. In fact, it seems to want to swipe information of a very similar nature to a ZBot infection from August of 2012 detailed on the ShadowServer Blog** (scroll down to the “data it tries to collect and steal”)... users of Chrome curious about updates should simply read the information on the relevant Google Chrome support page***".
    * https://www.virustotal.com/file/19d0...2439/analysis/

    ** http://blog.shadowserver.org/2012/08...your-trackers/

    *** https://support.google.com/chrome/bi...n&answer=95414
    ___

    Fake Changelog SPAM / dimanakasono .ru
    - http://blog.dynamoo.com/2013/01/chan...akasonoru.html
    11 Jan 2013 - "This fake "Changelog" spam leads to malware on dimanakasono .ru:
    From: Ashley Madison [mailto:donotreply @ashleymadison .com]
    Sent: 10 January 2013 08:25
    Subject: Re: Fwd: Changelog as promised(updated)
    Hi,
    changelog update - View
    L. Cook


    The malicious payload is at [donotclick]dimanakasono .ru:8080/forum/links/column.php hosted on the following IPs:
    91.224.135.20 (Proservis UAB, Lithuania)
    187.85.160.106 (Ksys Soluções Web, Brazil)
    212.112.207.15 (ip4 GmbH, Germany)
    The following IPs and domains are related and should be blocked:
    91.224.135.20
    187.85.160.106
    212.112.207.15
    belnialamsik .ru
    demoralization .ru
    dimanakasono .ru
    bananamamor .ru

    ___

    Fake Intuit SPAM / dmeiweilik .ru
    - http://blog.dynamoo.com/2013/01/payr...tuit-spam.html
    11 Jan 2013 - "This fake Intuit (or LinkedIn?) spam leads to malware on dmeiweilik .ru:
    Date: Fri, 11 Jan 2013 06:23:41 +0100
    From: LinkedIn Password [password @linkedin .com]
    Subject: Payroll Account Holded by Intuit
    Direct Deposit Service Informer
    Communicatory Only
    We cancelled your payroll on Fri, 11 Jan 2013 06:23:41 +0100.
    Finances would be gone away from below account# ending in 0198 on Fri, 11 Jan 2013 06:23:41+0100
    amount to be seceded: 8057 USD
    Paychecks would be procrastinated to your personnel accounts on: Fri, 11 Jan 2013 06:23:41 +0100
    Log In to Review Operation
    Funds are typically left before working banking hours so please make sure you have enough Finances accessible by 12 a.m. on the date Cash are to be seceded.
    Intuit must reject your payroll by 4 p.m. Central time, two banking days before your paycheck date or your state would not be paid on time.
    QuickBooks does not process payrolls on weekends or federal banking holidays. A list of federal banking holidays can be viewed at the Federal Reserve website.
    Thank you for your business.
    Regards,
    Intuit Payroll Services
    =====
    From: messages-noreply @bounce .linkedin.com [mailto:messages-noreply @bounce .linkedin.com] On Behalf Of Lilianna Grimes via LinkedIn
    Sent: 10 January 2013 21:04
    Subject: Payroll Account Holded by Intuit
    Direct Deposit Service Informer
    Communicatory Only
    We cancelled your payroll on Fri, 11 Jan 2013 02:03:33 +0500.
    • Finances would be gone away from below account # ending in 8913 on Fri, 11 Jan 2013 02:03:33 +0500
    • amount to be seceded: 9567 USD
    • Paychecks would be procrastinated to your personnel accounts on: Fri, 11 Jan 2013 02:03:33 +0500
    • Log In to Review Operation
    Funds are typically left before working banking hours so please make sure you have enough Finances accessible by 12 a.m. on the date Cash are to be seceded.
    Intuit must reject your payroll by 4 p.m. Central time, two banking days before your paycheck date or your state would not be paid on time.
    QuickBooks does not process payrolls on weekends or federal banking holidays. A list of federal banking holidays can be viewed at the Federal Reserve website.
    Thank you for your business.
    Regards,
    Intuit Payroll Services


    The malicious payload is at [donotclick]dmeiweilik .ru:8080/forum/links/column.php hosted on the same IPs as in this attack*:
    91.224.135.20 (Proservis UAB, Lithuania)
    187.85.160.106 (Ksys Soluções Web, Brazil)
    212.112.207.15 (ip4 GmbH, Germany)
    The following IPs and domains are related and should be blocked:
    91.224.135.20
    187.85.160.106
    212.112.207.15
    belnialamsik .ru
    demoralization .ru
    dimanakasono .ru
    bananamamor .ru
    dmeiweilik .ru
    ..."
    * http://blog.dynamoo.com/2013/01/chan...akasonoru.html
    ___

    Blackhole SPAM runs...
    - http://blog.trendmicro.com/trendlabs...holiday-break/
    Jan 11, 2013 - "... now that the holidays are over, cybercriminals behind BHEK campaigns are back again, this time spoofing companies like HP, Federal Reserve Bank*, and Better Business Bureau**. In particular, the Better Business Bureau BHEK spam** claims to be a complaint report and urges its recipients to click a link pointing to the said claim letter report. The links eventually lead to sites that host the Blackhole Exploit Kit... we are expecting that cybercriminals will prefer creating more toolkits rather than making new malware..."
    * http://blog.trendmicro.com/trendlabs...H_bhekspam.jpg

    ** http://blog.trendmicro.com/trendlabs...B_BHEKspam.jpg

    Last edited by AplusWebMaster; 2013-01-11 at 22:06.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #102
    AplusWebMaster

    Fake ADP/BBB SPAM/Malware sites to block

    FYI...

    Malware sites to block 14/1/13
    - http://blog.dynamoo.com/2013/01/malw...ock-14113.html
    14 Jan 2013 - "A couple of interesting* posts** over at Malware Must Die!*
    * http://malwaremustdie.blogspot.co.uk...ploit-kit.html
    ** http://malwaremustdie.blogspot.co.uk...fuscation.html
    ... showed some significant nastiness on a few IP ranges you might want to block. The IPs mentioned are:
    1.243.115.140 (Aztek Ltd, Russia)
    46.166.169.238 (Santrex, Netherlands)
    62.76.184.93 (IT House / Clodo-Cloud, Russia)
    I'll list the sites on these domains at the end of the post for readability. But in these cases, blocking just the single IPs is not enough as they reside in pretty evil netblocks which should be blocked altogether.
    91.243.115.0/24 (Aztek Ltd) is part of this large collection of malware hosts. Perhaps not all sites in the network are malicious, but certainly a lot of them are. I would err on the side of caution and block access to all sites in this /24, legitimate or not.
    46.166.169.0/24 (Santrex) is another horrible network. According to Google, out of 4604 tested sites in this block, at least 3201 (70%) are involved in malware distribution. There may be legitimate sites in this /24, but since customer service is allegedly atrocious then it's hard to see why they would stick around. Again, blocking this /24 is probably prudent.
    62.76.184.0/21 (IT House / Clodo-Cloud) is quite a large range to block, but I have seen many malicious sites in this range, and like Aztek it is part of this large network of malware hosts and it has a poor reputation. This is only a part of this netblock, if you want to go further you could consider blocking 62.76.160.0/19.
    These following domains are all connected to these two attacks..."
    (Also a long list available at the dynamoo URL above.)
    ___

    Fake ADP emails lead to client-side exploits and malware
    - http://blog.webroot.com/2013/01/14/f...s-and-malware/
    14 Jan 2013 - "... cybercriminals have resumed spamvertising fake “ADP Immediate Notifications” in an attempt to trick users into clicking on the malicious links found in the emails. The links point to the latest version of the Black Hole Exploit Kit, and consequently, exploit CVE-2013-0422...
    Sample screenshot of the spamvertised email:
    > https://webrootblog.files.wordpress....xploit_kit.png
    ... Malicious domain name reconnaissance:
    tetraboro .net – 222.238.109.66 – Email: bannerpick45 @yahoo .com
    Name Server: NS1.HOSTCLAM .NET – 50.115.163.10
    Name Server: NS2.HOSTCLAM .NET – 90.167.194.23
    Also responding to 222.238.109.66 are the following malicious domains, part of the same campaign:
    royalwinnipegballet .net
    advertizing9 .com
    eartworld .net
    hotelrosaire .net

    Upon successful client-side exploitation, the campaign drops MD5: 5a859e1eff1ee1576b61da658542380d * ... Worm:Win32/Cridex.E.
    The sample drops the following MD5 on the affected hosts:
    MD5: 472d6e748b9f5b02700c55cfa3f7be1f ** ...PWS:Win32/Fareit
    Once executed, it also phones back to the following command and control servers:
    173.201.177.77
    132.248.49.112
    95.142.167.193
    81.93.250.157
    ..."
    * https://www.virustotal.com/file/69d9...3b3b/analysis/
    File name: test29567554014546.bin
    Detection ratio: 24/46
    Analysis date: 2013-01-14
    ** https://www.virustotal.com/file/baab...e596/analysis/
    File name: file-5000060_exe
    Detection ratio: 15/46
    Analysis date: 2013-01-11
    ___

    Fake ADP SPAM / dekamerionka .ru
    - http://blog.dynamoo.com/2013/01/adp-...erionkaru.html
    14 Jan 2013 - "This fake ADP spam leads to malware on dekamerionka .ru:
    Date: Mon, 14 Jan 2013 10:49:06 +0300
    From: Friendster Games [friendstergames @friendster .com]
    Subject: ADP Immediate Notification
    ADP Immediate Notification
    Reference #: 540328394
    Mon, 14 Jan 2013 10:49:06 +0300
    Dear ADP Client
    Your Transfer Record(s) have been created at the web site:
    https ://www.flexdirect .adp.com/client/login.aspx
    Please see the following notes:
    Please note that your bank account will be debited within one banking business day for the amount(s) shown on the report(s).
    Please do not respond or reply to this automated e-mail. If you have any questions or comments, please Contact your ADP Benefits Specialist.
    This note was sent to acting users in your system that approach ADP Netsecure.
    As usual, thank you for choosing ADP as your business affiliate!
    Ref: 984259785
    HR. Payroll. Benefits.
    The ADP logo and ADP are registered trademarks of ADP, Inc.
    In the business of your success is a service mark of ADP, Inc.
    © 2013 ADP, Inc. All rights reserved.


    The malicious payload is on [donotclick]dekamerionka.ru:8080/forum/links/column.php hosted on:
    81.31.47.124 (Master Internet s.r.o / Petr Bydzovsky, Czech Republic)
    91.224.135.20 (Proservis UAB, Lithuania)
    212.112.207.15 (ip4 GmbH, Germany)
    Plain list of IPs and domains involved:
    81.31.47.124
    91.224.135.20
    212.112.207.15
    dmeiweilik .ru
    belnialamsik .ru
    demoralization .ru
    dumarianoko .ru
    dimanakasono .ru
    bananamamor .ru
    dekamerionka .ru

    ___

    Fake BBB SPAM / terkamerenbos .net
    - http://blog.dynamoo.com/2013/01/bbb-...renbosnet.html
    14 Jan 2013 - "This fake BBB spam leads to malware on terkamerenbos .net:
    Date: Mon, 14 Jan 2013 07:53:04 -0800 [10:53:04 EST]
    From: Better Business Bureau [notify @bbb .org]
    Subject: BBB Pretense ID 68C474U93
    Better Business Bureau ©
    Start With Trust ©
    Mon, 14 Jan 2013
    RE: Issue # 68C474U93
    [redacted]
    The Better Business Bureau has been booked the above said claim from one of your customers with regard to their business relations with you. The detailed description of the consumer's uneasiness are available at the link below. Please give attention to this subject and notify us about your mind as soon as possible.
    We amiably ask you to click and review the CLAIM REPORT to meet on this complaint.
    We are looking forward to your prompt reaction.
    Best regards
    Alexis Nguyen
    Dispute Councilor
    Better Business Bureau
    Better Business Bureau
    3033 Wilson Blvd, Suite 600 Arlington, VA 22701
    Phone: 1 (703) 276.0100 Fax: 1 (703) 525.8277
    This note was delivered to [redacted]. Don't want to receive these emails anymore? You can unsubscribe


    The malicious payload is at [donotclick]terkamerenbos .net/detects/pull_instruction_assistant.php hosted on 222.238.109.66 (Hanaro Telecom, Korea). The following malicious sites are on the same server:
    advertizing9 .com
    alphabeticalwin .com
    splatwetts .com
    bestwesttest .com
    eartworld .net
    foxpoolfrance .net
    hotelrosaire .net
    linuxreal .net
    tetraboro .net
    royalwinnipegballet .net


    Last edited by AplusWebMaster; 2013-01-14 at 18:58.
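The dynamoo post quoted above argues for blocking whole netblocks rather than single IPs. The added example below (not code from dynamoo or Malware Must Die) uses Python's ipaddress module to test the IPs named in the post against the recommended /24, /21 and /19 ranges and to count how many addresses the collapsed ranges deny. Note that the post prints the Aztek host as 1.243.115.140 while naming the block 91.243.115.0/24; the check reports that IP as uncovered, which is the kind of transcription mismatch to resolve before the list goes into a firewall.

```python
"""Check IPs against the netblocks dynamoo recommends blocking.

Added example; not code from the post or from dynamoo / Malware Must Die.
The netblocks and IPs are the ones quoted in the post; nothing else is assumed.
"""
import ipaddress

# Ranges recommended in the quoted post (the /19 is the wider option it offers).
RECOMMENDED_BLOCKS = {
    "91.243.115.0/24": "Aztek Ltd",
    "46.166.169.0/24": "Santrex",
    "62.76.184.0/21": "IT House / Clodo-Cloud",
    "62.76.160.0/19": "IT House / Clodo-Cloud (wider option)",
}

# Individual hosts named in the same post, exactly as printed there.
LISTED_HOSTS = ["1.243.115.140", "46.166.169.238", "62.76.184.93"]


def compile_blocks(blocks: dict) -> dict:
    """Parse CIDR strings once; strict=True rejects a host bit set in the prefix."""
    return {ipaddress.ip_network(cidr, strict=True): label for cidr, label in blocks.items()}


def covering_blocks(ip: str, networks: dict) -> list:
    """All recommended netblocks that contain ip, narrowest first."""
    addr = ipaddress.ip_address(ip)
    hits = [net for net in networks if addr in net]
    return [str(n) for n in sorted(hits, key=lambda n: -n.prefixlen)]


def check_listed_hosts(hosts, blocks=RECOMMENDED_BLOCKS) -> dict:
    """Map each host to the netblocks covering it; an empty list means the host
    as printed is not inside any recommended range and needs a second look."""
    networks = compile_blocks(blocks)
    return {ip: covering_blocks(ip, networks) for ip in hosts}


def block_coverage(blocks=RECOMMENDED_BLOCKS) -> int:
    """Distinct addresses denied once overlapping ranges are collapsed
    (the /21 sits inside the /19, so it adds nothing on its own)."""
    nets = ipaddress.collapse_addresses(ipaddress.ip_network(c) for c in blocks)
    return sum(n.num_addresses for n in nets)


if __name__ == "__main__":
    for ip, hits in check_listed_hosts(LISTED_HOSTS).items():
        print(ip, hits or "NOT COVERED - check the IP against the netblock")
    print("addresses blocked:", block_coverage())
```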

  3. #103
    AplusWebMaster

    Fake SW Air / pharma SPAM

    FYI...

    Fake Southwest Airlines Giveaway...
    - http://www.gfi.com/blog/fake-southwe...igh-once-more/
    Jan 15, 2013 - "A fresh fake Southwest Airlines free ticket scam campaign has made its way onto Facebook again, this time as an event invite spammed within the network.
    Southwest Airlines is giving two tickets to any destination within the United States! To grab yours, just visit [URL here]
    Based on the bit.ly data of the URL, it is highly likely that this scam has been going around since the 14th of this month. Once users click the shortened URL, they are redirected to a page where, purportedly, they can claim their free two tickets to the US. The page claims that the offer is only available for a certain period, suggesting that interested parties must act now or else miss this opportunity... Users are advised to ignore this Facebook event invite if they receive it and notify the creator of the invite that their post must be deleted."
    (Screenshots available at the gfi URL above.)
    ___

    xree .ru and the persistent pharma SPAM
    - http://blog.dynamoo.com/2013/01/xree...arma-spam.html
    15 Jan 2013 - "No doubt sent out by the same crew who are pushing malware, this pharma spam seems to have hit new highs.
    Date: Tue, 15 Jan 2013 05:35:04 -0500 (EST)
    From: Account Mail Sender [invoice @erlas .hu]
    Subject: Invoice confirmation
    Hello. Thank you for your order.
    We greatly appreciate your time and look forward to a mutually rewarding business relationship with our company well into the future.
    At present, our records indicate that we have an order or several orders outstanding that we have not received confirmation from you. If you have any questions regarding your account, please contact us.
    We will be happy to answer any questions that you may have.
    Your Customer Login Page
    Customer login: [redacted]
    Thanking you in advance for your attention to this matter.
    Sincerely, Justa Dayton


    The link in the email goes through a legitimate hacked site to [donotclick]xree .ru/?contactus but then it redirects to a seemingly random fake pharma site. However, the redirect only works if you have the referrer set correctly.
    The landing sites are on:
    199.59.56.59 (Hostwinds, Australia)
    209.236.67.220 (WestHost Inc, US)
    I can't find any malware on these sites, but you may as well block them if you can as they seem to have a lot of domains on them..."
    (Long list of domains available at the dynamoo URL above.)
    __

    Verizon Wireless SPAM / dmssmgf .ru
    - http://blog.dynamoo.com/2013/01/veri...dmssmgfru.html
    15 Jan 2013 - "This fake Verizon Wireless spam leads to malware on dmssmgf .ru:
    From: Friendster Games [mailto:friendstergames @friendster .com]
    Sent: 14 January 2013 21:47
    Subject: Verizon Wireless
    IMPORTANT ACCOUNT NOTE FROM VERIZON WIRELESS.
    Your acknowledgment message is issued.
    Your account No. ending in 2308
    Dear Client
    For your accommodation, your confirmation letter can be found in the Account Documentation desk of My Verizon.
    Please browse your informational message for more details relating to your new transaction.
    Open Information Message
    In addition, in My Verizon you will find links to information about your device & services that may be helpfull if you looking for answers.
    Thank you for joining us. My Verizon is laso works 24 hours 7 days a week to assist you with:
    • Viewing your utilization
    • Upgrade your tariff
    • Manage Account Members
    • Pay for your bill
    • And much, much more...
    2013 Verizon Wireless
    Verizon Wireless | One Verizon Way Mail Code: 113WVC | Basking Ridge, MI 87325
    We respect your privacy. Please browse our policy for more information


    The malicious payload is on [donotclick]dmssmgf .ru:8080/forum/links/column.php (report here) hosted on:
    81.31.47.124 (Master Internet s.r.o / Petr Bydzovsky, Czech Republic)
    91.224.135.20 (Proservis UAB, Lithuania)
    212.112.207.15 (ip4 GmbH, Germany)
    The following IPs and domains are all connected:
    81.31.47.124
    91.224.135.20
    212.112.207.15
    dekamerionka .ru
    dmssmgf .ru
    dmpsonthh .ru
    dmeiweilik .ru
    belnialamsik .ru
    demoralization .ru
    dumarianoko .ru
    dimanakasono .ru
    bananamamor .ru
    "

    Last edited by AplusWebMaster; 2013-01-15 at 23:45.

  4. #104
    AplusWebMaster

    Fake EFTPS, BBB and Fed Reserve SPAM ... 2013.01.16

    FYI...

    Fake EFTPS, BBB and Fed Reserve SPAM
    - http://www.gfi.com/blog/email-threat...-reserve-spam/
    Jan 16, 2013 - "... the AV Labs have captured and recorded* a number of notable email threats last week — generally spam related to malware...
    - Fake BBB Complaints Spam...
    - Fake EFTPS Spam...
    - FedMail ACH Spam... leads to Cridex
    Users are advised to mark the above email threats as spam if they’re found in their inbox and then/or simply delete them."
    (Screenshots available at the gfi URL above.)
    * http://gfisoftware.tumblr.com/
    ___

    Fake American Express SPAM / dozakialko .ru
    - http://blog.dynamoo.com/2013/01/amer...akialkoru.html
    16 Jan 2013 - "This fake AmEx spam leads to malware on dozakialko .ru:
    Sent: 16 January 2013 02:22
    Subject: American Express Alert: Your Transaction is Aborted
    Your Wed, 16 Jan 2013 01:22:07 -0100 Incoming Transfer is Terminated
    Valued, $5203
    Your American Express Card account retired ZUE36213 with amount of 5070 USD.
    Transaction Time:Wed, 16 Jan 2013 01:22:07 -0100
    Payment Due Date:Wed, 16 Jan 2013 01:22:07 -0100
    One small way to help the environment - get paperless statements
    Review billing
    statement
    Issue a payment
    Change notifications
    options
    You currently reading the LIMITED DATA version of the Statement-Ready Information.
    Switch to the DETAILED DATA version.
    Thank you for your Cardmembership.
    Sincerely,
    American Express Information center


    The malicious payload is at [donotclick]dozakialko .ru:8080/forum/links/column.php (report here*) hosted on the following IPs:
    89.111.176.125 (Garant-Park-Telecom, Russia)
    91.224.135.20 (Proservis UAB, Lithuania)
    212.112.207.15 (ip4 GmbH, Germany)
    Plain list of IPs and related domains for copy-and-pasting:
    89.111.176.125
    91.224.135.20
    212.112.207.15
    dekamerionka .ru
    dmssmgf .ru
    dmpsonthh .ru
    dmeiweilik .ru
    belnialamsik .ru
    demoralization .ru
    dumarianoko .ru
    dimanakasono .ru
    bananamamor .ru
    dozakialko .ru
    ..."
    * http://wepawet.iseclab.org/view.php?...b0e147&type=js
    ___

    Fake EFTPS emails lead to BlackHole Exploit Kit
    - http://blog.webroot.com/2013/01/16/b...e-exploit-kit/
    Jan 16, 2013 - "Cybercriminals are currently mass mailing tens of thousands of emails, impersonating the EFTPS (Electronic Federal Tax Payment System), in an attempt to trick its users into clicking on exploits and malware serving malicious links found in the emails...
    Sample screenshot of the spamvertised email:
    > https://webrootblog.files.wordpress....t_declined.png
    ... Upon successful client-side exploitation, the campaign drops MD5: d35a52d639468c2c4c857e6629b3f6f0 * ... Worm:Win32/Cridex.E.
    Once executed, the sample phones back to the following command and control servers:
    109.230.229.250:8080/DPNilBA/ue1elBAAAA/tlSHAAAAA
    163.23.107.65:8080
    174.142.68.239:8080
    81.93.250.157:8080
    180.235.150.72:8080
    109.230.229.70:8080
    95.142.167.193:8080
    217.65.100.41:8080
    188.120.226.30:8080
    193.68.82.68:8080
    203.217.147.52:8080
    210.56.23.100:8080
    221.143.48.6:8080
    182.237.17.180:8080
    59.90.221.6:8080
    64.76.19.236:8080
    69.64.89.82:8080
    173.201.177.77:8080
    78.28.120.32:8080
    174.120.86.115:8080
    74.207.237.170:8080
    77.58.193.43:8080
    94.20.30.91:8080
    84.22.100.108:8080
    87.229.26.138:8080
    97.74.113.229:8080

    We’ve already seen the same pseudo-random C&C characters used in... previously profiled malicious campaigns..."
    (More detail at the webroot URL above.)
    * https://www.virustotal.com/file/d9ca...1830/analysis/
    File name: calc.exe
    Detection ratio: 25/46
    Analysis date: 2013-01-14
    ___

    Fake ADP SPAM / teamrobotmusic .net
    - http://blog.dynamoo.com/2013/01/adp-...tmusicnet.html
    16 Jan 2013 - "This fake ADP spam leads to malware on teamrobotmusic .net:
    Date: Wed, 16 Jan 2013 18:36:25 +0200 [11:36:25 EST]
    From: "notify @adp .com" [notify @adp .com]
    Subject: ADP Speedy Information
    ADP Speedy Communication
    [redacted]
    Reference ID: 14580
    Dear ADP Client January, 16 2012
    Your Money Transfer Statement(s) have been uploaded to the web site:
    https ://www.flexdirect .adp.com/client/login.aspx
    Please see the following details:
    • Please note that your bank account will be charged-off within 1 business day for the value(s) specified on the Record(s).
    •Please don't reply to this message. auomatic informational system unable to accept incoming email. Please Contact your ADP Benefits Expert.
    This email was sent to acting users in your company that access ADP Netsecure.
    As usual, thank you for choosing ADP as your business affiliate!
    Ref: 14580


    The malicious payload is on [donotclick]teamrobotmusic .net/detects/bits_remember_confident.php hosted on 222.238.109.66 (Hanaro Telecom, Korea). This IP has been used in a few attacks recently and should be blocked if you can..."

    Last edited by AplusWebMaster; 2013-01-16 at 19:08.
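Posts #101 through #104 keep pointing at the same hosting IPs ("hosted on the same IPs as in this attack"), and the two Webroot write-ups share C&C addresses between the fake ADP and fake EFTPS samples. As an added example, not code from any of the quoted blogs, the Python below takes per-campaign IP sets copied from those posts (only a subset of the long Cridex C&C list) and clusters the campaigns by shared infrastructure, then lists the IPs seen in more than one campaign, which are the ones to block first.

```python
"""Cluster the campaigns quoted in posts #101-#104 by the IPs they share.

Added example; not code from the forum posts or the blogs they quote. The IP
sets are copied from those posts (a subset of the long Cridex C&C list); the
clustering is the example's own.
"""
from itertools import combinations

# Payload-hosting IPs per Blackhole .ru site (dynamoo posts) and C&C IPs per
# dropped sample (Webroot posts). C&C ports (all :8080) are dropped here.
CAMPAIGN_IPS = {
    "dimanakasono.ru (post #101)": {"91.224.135.20", "187.85.160.106", "212.112.207.15"},
    "dekamerionka.ru (post #102)": {"81.31.47.124", "91.224.135.20", "212.112.207.15"},
    "dozakialko.ru (post #104)": {"89.111.176.125", "91.224.135.20", "212.112.207.15"},
    "fake ADP drop C&C (post #102)": {"173.201.177.77", "132.248.49.112",
                                     "95.142.167.193", "81.93.250.157"},
    "Cridex.E C&C (post #104)": {"109.230.229.250", "163.23.107.65", "81.93.250.157",
                                 "95.142.167.193", "173.201.177.77"},
    "terkamerenbos.net (post #102)": {"222.238.109.66"},
    "teamrobotmusic.net (post #104)": {"222.238.109.66"},
}


def shared_ips(campaigns: dict) -> dict:
    """Pairwise intersections of campaign IP sets; empty intersections are dropped."""
    out = {}
    for a, b in combinations(sorted(campaigns), 2):
        common = campaigns[a] & campaigns[b]
        if common:
            out[(a, b)] = common
    return out


def cluster_by_infrastructure(campaigns: dict) -> list:
    """Union-find over campaigns: two campaigns join one cluster if they share an IP.
    Returns clusters as sorted name lists, largest cluster first."""
    parent = {name: name for name in campaigns}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    for a, b in shared_ips(campaigns):
        parent[find(a)] = find(b)
    clusters = {}
    for name in campaigns:
        clusters.setdefault(find(name), set()).add(name)
    return sorted((sorted(c) for c in clusters.values()), key=lambda c: (-len(c), c))


def pivot_ips(campaigns: dict, min_campaigns: int = 2) -> dict:
    """IPs seen in at least min_campaigns campaigns, with the campaigns using them."""
    seen = {}
    for name, ips in campaigns.items():
        for ip in ips:
            seen.setdefault(ip, set()).add(name)
    return {ip: sorted(names) for ip, names in seen.items() if len(names) >= min_campaigns}


if __name__ == "__main__":
    for cluster in cluster_by_infrastructure(CAMPAIGN_IPS):
        print("cluster:", " | ".join(cluster))
    for ip, names in sorted(pivot_ips(CAMPAIGN_IPS).items()):
        print(ip, "->", len(names), "campaigns")
```

Shared hosting alone is weak evidence of a common operator (bulletproof hosts rent to many crews), so treat a cluster as a blocking priority rather than as attribution.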

  5. #105
    AplusWebMaster

    Fake Vodafone/KeyBank emails serve malware

    FYI...

    Fake Vodafone emails serve malware
    - http://blog.webroot.com/2013/01/17/c...serve-malware/
    Jan 17, 2013 - "Over the past 24 hours, cybercriminals resumed spamvertising fake Vodafone MMS themed emails, in an attempt to trick the company’s customers into executing the malicious attachment found in these emails...
    Sample screenshot of the spamvertised email:
    > https://webrootblog.files.wordpress....ms_malware.png
    Detection rate for the malicious executable:
    MD5: bafebf4cdf640520e6266eb05b55d7c5 * ... Trojan-Downloader.Win32.Andromeda.pfu.
    Once executed, the sample creates the following Registry values:
    \Software\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched -> “C:\Documents and Settings\All Users\svchost.exe“
    It also copies itself to other locations, and injects code in other processes. We intercepted a similar campaign last year, indicating that, depending on the campaign in question, cybercriminals are not always interested in popping up on everyone’s radar with persistent and systematic spamvertising of campaigns using identical templates. Instead, some of their campaigns tend to have a rather short-lived life cycle. We believe this practice is entirely based on the click-through rates for malicious URLs and actual statistics on the number of people that executed the malicious samples..."
    * https://www.virustotal.com/file/f889...is/1358366804/
    File name: MMS.jpg.exe
    Detection ratio: 21/46
    Analysis date: 2013-01-16
    ___

    Fake KeyBank "secure message" virus
    - http://blog.dynamoo.com/2013/01/keyb...ed-secure.html
    17 Jan 2013 - "This fake KeyBank spam has an attachment called securedoc.zip which contains a malicious executable file named securedoc.exe.
    Date: Thu, 17 Jan 2013 11:16:54 -0500 [11:16:54 EST]
    From: "Antoine_Pearce @KeyBank .com" [Antoine_Pearce @KeyBank .com]
    Subject: You have received a secure message
    You have received a secure message
    Read your secure message by opening the attachment, SECUREDOC. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.
    If you have concerns about the validity of this message, please contact the sender directly. For questions about Key's e-mail encryption service, please contact technical support at 888.764.7941.
    First time users - will need to register after opening the attachment.
    Help - https ://mailsafe.keybank .com/websafe/help?topic=RegEnvelope
    About IronPort Encryption - https ://mailsafe.keybank .com/websafe/about


    VirusTotal results are not good*. The ThreatExpert report for the malware can be found here**. The malware attempts to call home to:
    173.230.139.4 (Linode, US)
    192.155.83.208 (Linode, US)
    ..and download additional components from
    [donotclick]ib-blaschke .de/4kzWUR.exe
    [donotclick]chris-zukunftswege .de/DynThR8.exe
    [donotclick]blueyellowbook .com/Cct1Kk58.exe ..."
    * https://www.virustotal.com/file/ef53...is/1358440323/
    File name: securedoc.exe
    Detection ratio: 5/46
    Analysis date: 2013-01-17
    ** http://www.threatexpert.com/report.a...0f1317f1b68610
    ___

    Fake Wire Transfer SPAM / dfudont .ru
    - http://blog.dynamoo.com/2013/01/wire...tion-spam.html
    17 Jan 2013 - "This spam leads to malware on dfudont .ru:
    Date: Fri, 18 Jan 2013 08:58:56 +0600 [21:58:56 EST]
    From: SUMMERDnIKYkatTerry @aol .com
    Subject: Fwd: Wire Transfer Confirmation (FED_59983S76643)
    Dear Bank Account Operator,
    WIRE TRANSFER: FED86180794682707910
    CURRENT STATUS: PENDING
    Please REVIEW YOUR TRANSACTION as soon as possible.


    The malicious payload is at [donotclick]dfudont .ru:8080/forum/links/column.php hosted on:
    89.111.176.125 (Garant-Park-Telecom, Russia)
    91.224.135.20 (Proservis UAB, Lithuania)
    212.112.207.15 (ip4 GmbH, Germany)
    These IPs have been used in several malware attacks recently - blocking them is a good idea. The following malicious domains are also present on these servers:
    dekamerionka .ru
    dmssmgf .ru
    dmpsonthh .ru
    dmeiweilik .ru
    belnialamsik .ru
    demoralization .ru
    damagalko .ru
    dozakialko .ru
    dumarianoko .ru
    dimanakasono .ru
    bananamamor .ru
    dfudont .ru
    Update: there is also a fake Sendspace spam sending visitors to the same payload...
    Date: Thu, 17 Jan 2013 03:03:55 +0430
    From: Badoo [noreply @badoo .com]
    Subject: You have been sent a file (Filename: [redacted]_N584581.pdf)
    Sendspace File Delivery Notification:
    You've got a file called [redacted]_N390.pdf, (973.39 KB) waiting to be downloaded at sendspace.(It was sent by JOHNETTE ).
    You can use the following link to retrieve your file:
    Download
    Thank you,
    Sendspace, the best free file sharing service.


    Last edited by AplusWebMaster; 2013-01-18 at 00:36.
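The Webroot excerpt above gives the Andromeda persistence point: a Run value named SunJavaUpdateSched whose image is svchost.exe under C:\Documents and Settings\All Users. As an added example (not code from Webroot or the forum post), the Python below parses reg query style output and flags Run entries that use a system binary name outside System32, an updater-like value name pointing outside a Java directory, or a user-writable location. The registry dump is constructed for the example: it places the quoted malicious value under HKLM and adds two benign entries; the post does not say which hive the malware used, so that placement is an assumption, as are the heuristics themselves.

```python
"""Flag Run-key persistence like the Andromeda value quoted above.

Added example; not code from the Webroot post. The reg query dump is
constructed (placing the quoted malicious value under HKLM is an assumption,
and the two benign entries are invented); the heuristics are the example's own.
"""
import re
from pathlib import PureWindowsPath

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Names that belong only to binaries shipped in a system directory.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}
# Value names that imitate a well-known updater -> path fragments its real binary lives under.
UPDATER_NAMES = {"sunjavaupdatesched": ("\\java\\",)}
USER_WRITABLE = ("\\all users\\", "\\appdata\\", "\\temp\\", "\\application data\\")

# Constructed "reg query ...\Run" output: the quoted malicious value plus two benign ones.
REG_DUMP = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SunJavaUpdateSched    REG_SZ    "C:\Documents and Settings\All Users\svchost.exe"
    Adobe Reader Speed Launcher    REG_SZ    "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    SunJavaUpdateSched    REG_SZ    C:\Program Files\Java\jre6\bin\jusched.exe -min
"""


def parse_reg_query(dump: str):
    """Yield (key, value_name, data) from reg query style text.
    Key lines start at column 0; value lines are indented, columns split by 2+ spaces."""
    key = None
    for line in dump.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):
            key = line.strip()
            continue
        m = re.match(r"^\s+(.+?)\s{2,}(REG_\w+)\s{2,}(.*)$", line)
        if m and key:
            yield key, m.group(1), m.group(3)


def image_path(data: str) -> str:
    """Extract the executable from a Run value: honour quotes, else cut after the
    first '.exe' (the same ambiguity CreateProcess resolves for unquoted paths)."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:data.find('"', 1)]
    m = re.search(r"\.exe\b", data, re.I)
    return data[:m.end()] if m else data.split()[0]


def suspicious(value_name: str, path: str) -> list:
    """Heuristic reasons an autorun entry deserves a look (empty list = nothing found)."""
    reasons = []
    p = path.lower()
    if PureWindowsPath(p).name in SYSTEM_BINARIES and not p.startswith(SYSTEM_DIRS):
        reasons.append("system binary name outside System32")
    expected = UPDATER_NAMES.get(value_name.lower())
    if expected and not any(frag in p for frag in expected):
        reasons.append("updater name but non-Java path")
    if any(frag in p for frag in USER_WRITABLE):
        reasons.append("user-writable location")
    return reasons


def audit_run_keys(dump: str) -> list:
    """Return one finding per suspicious Run entry in the dump."""
    findings = []
    for key, name, data in parse_reg_query(dump):
        path = image_path(data)
        reasons = suspicious(name, path)
        if reasons:
            findings.append({"key": key, "value": name, "image": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_run_keys(REG_DUMP):
        print(f["key"], "|", f["value"], "->", f["image"], "|", "; ".join(f["reasons"]))
```

On a live host the same checks apply to the output of `reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run` (and the HKCU and RunOnce variants); the legitimate Java scheduler entry is left alone because its image sits under a Java directory.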

  6. #106
    AplusWebMaster

    Fake Java update is malware

    FYI...

    Fake Java update is malware
    - http://blog.trendmicro.com/trendlabs...ava-0-day-fix/
    Jan 17, 2013 - "... We were alerted to reports of a malware that poses as Java Update 11 created by an unknown publisher. The said fake update in question is javaupdate11.jar (detected as JAVA_DLOADER.NTW), which contains javaupdate11.class that downloads and executes malicious files up1.exe and up2.exe (both detected as BKDR_ANDROM.NTW). Once executed, this backdoor connects to a remote server that enables a possible attacker to take control of the infected system. Users can get this fake update by visiting the malicious website, {BLOCKED}currencyreport .com/cybercrime-suspect-arrested/javaupdate11.jar.
    > http://blog.trendmicro.com/trendlabs...pdate_site.gif
    Though the dropped malware does not exploit CVE-2012-3174 or any Java-related vulnerability, the bad guys behind this threat are clearly piggybacking on the Java zero-day incident and users’ fears. The use of fake software updates is an old social engineering tactic. This is not the first time that cybercriminals took advantage of software updates. Last year, we reported about a malware disguised as a Yahoo! Messenger, which we found in time for Yahoo!’s announcement of its update for Messenger..."


  7. #107
    AplusWebMaster

    Fake Jobs / Bank trojan ...

    FYI...

    Fake "A.R.T. Logistics" job offer
    - http://blog.dynamoo.com/2013/01/art-...job-offer.html
    18 Jan 2013 - "There may be various genuine companies in the world with a name similar to "A.R.T. Logistics Industrial & Trading Ltd", but this job offer does not come from a genuine company. Instead it is trying to recruit people for money laundering ("money mule") jobs and parcel reshipping scams (a way of laundering stolen goods). Note that the scammers aren't even consistent in the way they name the company.
    From: ART LOGISTICS INDUSTRIAL AND TRADING LTD [info@sender .org]
    Reply-To: artlogisticsltd @yahoo .com.ph
    Date: 18 January 2013 07:49
    Subject: A.R.T. LOGISTICS INDUSTRIAL & TRADING LIMITED
    A.R.T LOGISTIC INDUSTRIAL & TRADING LIMITED
    Export & Import Agent‚ Service Company.
    46/F Tower 1, Metroplaza 223 Hing Fong Road,
    Kwai Chung New Territories, Hong Kong.
    A.R.T. Logistics mainly provides services to customers in Russia, Kazakhstan and Hong Kong. We provide: - Air freight - Sea freight (FCL & LCL to EU, Russia, Kazakhstan & Central Asia) - Rail freight - Road Freight (FTL & LTL to any place in Russia, Kazakhstan and Central Asia) Our company has worked in Russia, Kazakhstan & Central Asia since 2005 and has wide experience of transport such as airfreight, container and rail.
    We are presently shifting our base to North America and we have collective customers in the United State & Canada but We find it difficult establishing payments modalities with this customers and we don't intend loosing our customers. We are searching for a front line representative as intermediary by establishing a medium of getting payments from this customers in Canada & America by making payments through you to us. Do contact us for more information at this e-mail: (artlogis @e-mail .ua).
    Subject to your satisfaction with the front line representative offer, you will be made our foreign payment receiving officer in your region and you will deduct 10% of every transactions made through you for your services as our Financial Representative.
    Sincerely,
    Yasar Feng Xu
    A.R.T LOGISTIC INDUSTRIAL & TRADING LIMITED
    N.B Reply to: artlogisticsltd @yahoo .com.ph


    In this case, the spam originates from 31.186.186.2 [mail.zsmirotice .cz]. Avoid!"
    ___

    Shylock banking trojan travels by Skype
    - http://h-online.com/-1786928
    18 Jan 2013 - "The banking trojan Shylock has found itself a new distribution channel – Skype. The security firm CSIS* recently discovered a Shylock module called "msg.gsm" trying to use the VoIP software to infect other computers. If successful, the malware then sets up a typical backdoor. The module tries to send Shylock as a file, bypassing warnings from the Skype software by confirming them itself and cleaning any generated messages from the Skype history. Once the trojan has been transferred it connects to a command and control server which can ask it to install a VNC server allowing remote control of the computer, get cookies, inject HTTP code into web sites being browsed, spread Shylock over removable drives, or upload files to a server. The epicenter of infections is, according to CSIS, the UK... At the time of writing, the most recent VirusTotal test** shows 15 of the engines now detecting it..."
    * https://www.csis.dk/en/csis/blog/3811/

    ** https://www.virustotal.com/file/4bd9...c842/analysis/
    File name: 8fbeb78b06985c3188562e2f1b82d57d
    Detection ratio: 15/46
    Analysis date: 2013-01-18
    ___

    Fake LinkedIn SPAM / shininghill .net
    - http://blog.dynamoo.com/2013/01/link...nghillnet.html
    18 Jan 2013 - "This fake LinkedIn spam leads to malware on shininghill .net:
    Date: Fri, 18 Jan 2013 18:16:32 +0200
    From: "LinkedIn" [announce@e .linkedin .com]
    Subject: LinkedIn Information service message
    LinkedIn
    REMINDERS
    Invite notifications:
    • From MiaDiaz ( Your renter)
    PENDING EVENTS
    ∙ There are a total of 2 messages awaiting your response. Enter your InBox right now.
    Don't want to get email info letters? Change your message settings.
    LinkedIn values your privacy. Not once has LinkedIn made your e-mail address available to any another LinkedIn member without your permission. © 2013, LinkedIn Corporation.


    The malicious payload is at [donotclick]shininghill.net/detects/solved-surely-considerable.php hosted on 222.238.109.66 (Hanaro Telecom, Korea). This IP address has been used in several recent attacks and should be blocked if you can.
    The following domains appear to be active on this IP address, all should be considered to be malicious..."
    (More detail at the dynamoo URL above.)
    ___

    Fake ADP SPAM / dopaminko .ru
    - http://blog.dynamoo.com/2013/01/adp-...paminkoru.html
    18 Jan 2013 - "This fake ADP spam leads to malware on dopaminko .ru:
    Date: Fri, 18 Jan 2013 09:08:38 -0500
    From: "service @paypal .com" [service @paypal .com]
    Subject: ADP Immediate Notification
    ADP Immediate Notification
    Reference #: 544043911
    Fri, 18 Jan 2013 09:08:38 -0500
    Dear ADP Client
    Your Transfer Record(s) have been created at the web site:
    https ://www.lexdirect.adp .com/client/login.aspx
    Please see the following notes:
    Please note that your bank account will be debited within one banking business day for the amount(s) shown on the report(s).
    Please do not respond or reply to this automated e-mail. If you have any questions or comments, please Contact your ADP Benefits Specialist.
    This note was sent to acting users in your system that approach ADP Netsecure.
    As usual, thank you for choosing ADP as your business affiliate!
    Ref: 206179035
    HR. Payroll. Benefits.
    The ADP logo and ADP are registered trademarks of ADP, Inc.
    In the business of your success is a service mark of ADP, Inc.
    © 2013 ADP, Inc. All rights reserved.


    The malicious payload is at [donotclick]dopaminko .ru:8080/forum/links/column.php hosted on the following familiar IP addresses:
    89.111.176.125 (Garant-Park-Telecom, Russia)
    91.224.135.20 (Proservis UAB, Lithuania)
    212.112.207.15 (ip4 GmbH, Germany)
    These following malicious domains appear to be active on these servers..."
    (More detail at the dynamoo URL above.)

    Last edited by AplusWebMaster; 2013-01-18 at 23:48.

  8. #108
    AplusWebMaster

    Phish, malware, and hacks - 2013.01.21 ...

    FYI...

    Phishers target UnionBank of the Philippines clients
    - http://www.gfi.com/blog/phishers-tar...pines-clients/
    Jan 21, 2013 - "We have been alerted by an ongoing phishing campaign that targets clients and online banking users of the UnionBank of the Philippines. The phishing URL, which is being sent to users in the form of spam, is found hosted on a legitimate but compromised Russian domain. We have also found previous records of the said domain hosting a different phishing page a few days ago. The spam entices users to visit a certain URL to “reactivate” their account... This phishing page has closely mimicked the look or template of legitimate pages where users can enter their sensitive banking information... Once users have entered and submitted their information, a confirmation window pops up and then users are redirected to the legitimate UnionBank website... Most UnionBank users have their PayPal accounts tied to their banking accounts, so it is very important to steer clear of emails claiming to be from the bank that ask for banking details... better call them and inquire about the email you receive just to be sure. It also pays to consult this Anti-Fraud and Anti-Phishing Guidelines page* from UnionBank for guidance on how to identify phishing pages from the real ones."
    * http://www.unionbankph.com/index.php...083&Itemid=472
    (Screenshots available at the gfi URL above.)
    ___

    Malware Masks as Latest Java Update
    - http://www.gfi.com/blog/malware-mask...t-java-update/
    Jan 21, 2013 - "... security experts have discovered a new zero-day, critical flaw on Java not so long ago and it is already integrated into popular exploit kits, such as Blackhole, Redkit, Cool and Nuclear Pack. The said flaw, once exploited, is said to allow remote code execution on a target system without authentication from the user. This, of course, gives malware files the upper hand if users visit sites/URLs where they are hosted. Immediately after the vulnerability was found, Oracle released its patch. Despite this speedy response from the company, many security experts have already begun advising users to just forget the patch and disable Java in their browsers. Perhaps some users have already made the move of disabling Java entirely, or perhaps some users have opted still to apply the patch. If you belong to the former group or the latter group, let this be our reminder to you: Please make sure that you’re downloading the patch straight from the Oracle website* and nowhere else because it’s highly likely that what you may be installing onto your system is malware**..."
    * http://java.com/en/download/index.jsp

    ** http://blog.trendmicro.com/trendlabs...ava-0-day-fix/
    ___

    Kenyan Judiciary (judiciary .go.ke) hacked to serve malware
    - http://blog.dynamoo.com/2013/01/keny...ke-hacked.html
    21 Jan 2013 - "The Judiciary of the Republic of Kenya has a mission to deliver justice fairly, impartially and expeditiously, promote equal access to justice, and advance local jurisprudence by upholding the rule of law. Unfortunately, it has also been hacked to serve up malware.
    > https://lh3.ggpht.com/-DbemA5jmT9g/U...iary-go-ke.png
    The site has been compromised to serve up an exploit kit being promoted by spam email. There's a redirector at [donotclick]www.judiciary .go.ke /wlc.htm attempting to redirect visitors to [donotclick]dfudont .ru:8080/forum/links/column.php where there's a nasty exploit kit.
    > https://lh3.ggpht.com/-OhchceHjVws/U...ary-go-ke2.png
    Of course, most visitors to the judiciary .go.ke site won't see that particular exploit. But if someone can create an arbitrary HTML page on that server, then they pretty much have the run of the whole thing and they can do what they like. So the question might be.. what else has been compromised? Hmm."
    ___

    LinkedIn spam / prepadav .com
    - http://blog.dynamoo.com/2013/01/link...epadavcom.html
    21 Jan 2013 - "This fake LinkedIn spam leads to malware on prepadav .com:
    From: LinkedIn [mailto :news@ linkedin .com]
    Sent: 21 January 2013 16:21
    Subject: LinkedIn Reminder from your co-worker
    LinkedIn
    REMINDERS
    Invitation reminders:
    From CooperWright ( Your employer)
    PENDING LETTERS
    • There are a total of 2 messages awaiting your action. Acces to your InBox now.
    Don't wish to receive email notifications? Adjust your letters settings.
    LinkedIn respect your privacy. In no circumstances has LinkedIn made your e-mail acceptable to any other LinkedIn user without your allowance. © 2013, LinkedIn Corporation.


    The malicious payload is at [donotclick]prepadav .com/detects/region_applied-depending.php hosted on 222.238.109.66 (Hanaro Telecom, Korea). This IP has been used in several malware attacks recently and it should be blocked if you can..."
    ___

    Fake Intuit SPAM / danadala .ru
    - http://blog.dynamoo.com/2013/01/intu...anadalaru.html
    21 Jan 2013 - "This fake Intuit spam leads to malware on danadala .ru:
    Date: Mon, 21 Jan 2013 04:45:31 -0300
    From: RylieBouthillette @hotmail .com
    Subject: Payroll Account Holded by Intuit
    Direct Deposit Service Informer
    Communicatory Only
    We cancelled your payroll on Mon, 21 Jan 2013 04:45:31 -0300.
    Finances would be gone away from below account # ending in 8134 on Mon, 21 Jan 2013 04:45:31 -0300
    amount to be seceded: 5670 USD
    Paychecks would be procrastinated to your personnel accounts on: Mon, 21 Jan 2013 04:45:31 -0300
    Log In to Review Operation
    Funds are typically left before working banking hours so please make sure you have enough Finances accessible by 12 a.m. on the date Cash are to be seceded.
    Intuit must reject your payroll by 4 p.m. Central time, two banking days before your paycheck date or your state would not be paid on time.
    QuickBooks does not process payrolls on weekends or federal banking holidays. A list of federal banking holidays can be viewed at the Federal Reserve website.
    Thank you for your business.
    Regards,
    Intuit Payroll Services


    The malicious payload is at [donotclick]danadala .ru:8080/forum/links/column.php hosted on a familiar bunch of IPs that have been used in several recent attacks:
    89.111.176.125 (Garant-Park-Telecom, Russia)
    91.224.135.20 (Proservis UAB, Lithuania)
    212.112.207.15 (ip4 GmbH, Germany)..."

    Last edited by AplusWebMaster; 2013-01-22 at 01:15.

  9. #109
    AplusWebMaster

    Exploit kit, 'Droid malware - 2013.01.22

    FYI...

    Blackhole exploit kit on avirasecureserver .com
    - http://blog.dynamoo.com/2013/01/chee...it-kit-on.html
    22 Jan 2013 - "What is avirasecureserver .com? Well, it's not Avira that's for sure.. it is in fact a server for the Blackhole Exploit Kit*. This site is hosted on 82.145.57.3, an Iomart / Rapidswitch IP... There's also no company in the UK called QHoster Ltd. In fact, if we check the QHoster.com domain we can see that it is a Bulgarian firm... QHoster has an IP block of 82.145.57.0/25 suballocated to it. A quick poke around indicates not much of value in this range, you may want to consider blocking the /25 as a precaution."
    (More detail at the dynamoo URL above.)
    * http://urlquery.net/report.php?id=788732

    - https://www.google.com/safebrowsing/...?site=AS:20860
    "Of the 18705 site(s) we tested on this network over the past 90 days, 1489 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2013-01-22, and the last time suspicious content was found was on 2013-01-21... Over the past 90 days, we found 14 site(s) on this network... that appeared to function as intermediaries for the infection of 670 other site(s)... this network has hosted sites that have distributed malicious software in the past 90 days. We found 22 site(s)... that infected 1080 other site(s)..."
    ___

    'Droid malware spreads through compromised legitimate Web sites
    - http://blog.webroot.com/2013/01/22/a...ate-web-sites/
    22 Jan 2013 - "... our sensor networks picked up an interesting website infection affecting a popular Bulgarian website for branded watches, which ultimately redirects and downloads premium rate SMS Android malware on the visiting user devices. The affected Bulgarian website is only the tip of the iceberg, based on the diversified portfolio of malicious domains known to have been launched by the same party that launched the original campaign...
    Sample screenshot of the executed Android malware:
    > https://webrootblog.files.wordpress....plications.png
    ... Sample malicious URLs displayed to Android users:
    hxxp ://adobeflashplayer-up .ru/?a=RANDOM_CHARACTERS – 93.170.107.184
    hxxp ://googleplaynew .ru/?a=RANDOM_CHARACTERS – 93.170.107.184
    hxxp ://browsernew-update .ru/?a=RANDOM_CHARACTERS – 93.170.107.184
    ... Detection rate for the malicious .apk files:
    flash_player_installer.apk – MD5: 29e8db2c055574e26fd0b47859e78c0e * ... Android.SmsSend.212.origin.
    Android_installer-1.apk – MD5: e6be5815a05c309a81236d82fec631c8 * ... HEUR:Trojan-SMS.AndroidOS.Opfake.bo.
    ... Upon execution, the Android sample phones back to gaga01 .net/rq.php – 93.170.107.57 – Email: mypiupiu1 @gmail.com transmitting..."
    (More detail at the webroot URL above.)
    * https://www.virustotal.com/file/2076...is/1358799096/
    File name: flash_player_installer.apk
    Detection ratio: 5/46
    Analysis date: 2013-01-21
    ** https://www.virustotal.com/file/6899...is/1358799258/
    File name: Android_installer-1.apk
    Detection ratio: 5/46
    Analysis date: 2013-01-21

    > https://www.google.com/safebrowsing/...?site=AS:57062
    "Of the 2027 site(s) we tested on this network over the past 90 days, 23 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2013-01-22, and the last time suspicious content was found was on 2013-01-22... Over the past 90 days, we found 75 site(s) on this network... that appeared to function as intermediaries for the infection of 104 other site(s)... this network has hosted sites that have distributed malicious software in the past 90 days. We found 496 site(s)... that infected 1485 other site(s)..."
    ___

    Something evil on 109.123.66.30
    - http://blog.dynamoo.com/2013/01/some...091236630.html
    22 January 2013 - "109.123.66.30 (UK2.NET, UK) hosts several domains containing the Blackhole Exploit Kit (example here*). The domains in use are (mostly) legitimate hacked domains, but there are a couple of odd things here. Most of the malicious domains have a format like this: 700ff4ad03c655cb11919113011611137102708d4fb6daf0e74bea4aa5e8f9f.darkhands .com - in this case darkhands .com is a legitimate domain registered to an individual in Australia, but it has been hacked to create a whole load of malicious subdomains, hosted on another server from www .darkhands .com. In fact, almost all the domains are registered to Australians, but the key thing is that in all of those cases the main domains are hosted by OrionVM in Australia, with the main domains hosted in the 49.156.18.0/24 block. So how can the main (legitimate) sites be hosted in 49.156.18.0/24, but the malicious subdomains be hosted on a completely different network in the UK? I suspect that there is a compromise of some sort at OrionVM which has allowed the DNS records to be changed (it should be noted that these domains used several different registrars). Another oddity is that these hijacked domains only go from A to I alphabetically, which indicates that there might be some other malicious servers in this same group... Also hosted on 109.123.66.30 are some malicious .in domains that were previously on 87.229.26.138 (see here**)... It looks like there are some legitimate sites on the same server, but blocking 109.123.66.30 is probably a good idea."
    (Long list of domains at the dynamoo URL above.)
    * http://urlquery.net/report.php?id=796905

    ** http://blog.dynamoo.com/2012/12/some...722926138.html
    ___

    Fake Swiss tax SPAM / africanbeat .net
    - http://blog.dynamoo.com/2013/01/dutc...-tax-spam.html
    22 Jan 2013 - "This Dutch-language spam appears to be from some Swiss tax authority, but in fact it leads to the Blackhole Exploit kit on africanbeat .net:
    From: report@ ag .ch via bernina .co .il
    Date: 22 January 2013 13:48
    Subject: Re: je NAT3799 belastingformulier
    Mailed-by: bernina .co .il
    [redacted]
    Wij willen brengen aan uw bericht dat je hebt fouten gemaakt bij het invullen van de meest recente belastingformulier NAT3799 (ID: 023520).
    vindt u aanbevelingen en tips van onze fiscalisten HIER
    ( Wacht 2 minuten op het verslag te laden)
    Wij verzoeken u om corrigeer de fouten en verzenden de gecorrigeerd aangifte aan uw belastingadviseur zo snel mogelijk.
    Kanton Aargau
    Sonja Urech
    Sachbearbeiterin Wehrpflichtersatzverwaltung
    Departement Gesundheit und Soziales
    Abteilung Militär und Bevölkerungsschutz
    Rohrerstrasse 7, Postfach, 6253 Aarau
    Tel.: +41 (0)62 332 31 62
    Fax: +41 (0)62 332 33 18

    Translated as:
    We want to bring to your notice that you have made mistakes when completing the most recent tax form NAT3799 (ID: 023520).
    You can find recommendations and tips from our tax specialists HERE
    (Wait 2 minutes for the report to load)
    We ask you to correct the error and send the corrected report to your tax advisor as soon as possible.


    The link leads to an exploit kit at [donotclick]africanbeat .net/detects/urgent.php (report here*) hosted on the familiar IP address of 222.238.109.66 (Hanaro Telecom, Korea)..."
    (More at the dynamoo URL above.)
    * http://urlquery.net/report.php?id=801678

    Last edited by AplusWebMaster; 2013-01-22 at 19:45.

  10. #110
    AplusWebMaster

    Fake ADP, EFTPS, exploit kit, etc...

    FYI...

    Fake Intuit emails lead to Black Hole Exploit Kit
    - http://blog.webroot.com/2013/01/23/f...e-exploit-kit/
    Jan 23, 2013 - "Cybercriminals are currently spamvertising tens of thousands of fake emails, impersonating Intuit, in an attempt to trick its customers and users into clicking on the malicious links found in the emails. Once users click on any of the links, they’re exposed to the client-side exploits served by the latest version of the Black Hole Exploit Kit, which ultimately drops malware on the affected hosts...
    Sample screenshot of the spamvertised email:
    > https://webrootblog.files.wordpress....xploit_kit.png
    ... Malicious domain name reconnaissance:
    dopaminko .ru – 212.112.207.15
    Name server: ns1.dopaminko .ru – 62.76.185.169
    Name server: ns2.dopaminko .ru – 41.168.5.140
    Name server: ns3.dopaminko .ru – 42.121.116.38
    Name server: ns4.dopaminko .ru – 110.164.58.250
    Name server: ns5.dopaminko .ru – 210.71.250.131
    More malicious domains are known to have responded to the same IP (212.112.207.15)...
    Some of these domains also respond to the following IPs – 91.224.135.20; 46.175.224.21, with more malicious domains part of the campaign’s infrastructure..."
    (More detail at the webroot URL above.)
    ___

    Phishing Scam spreads via Facebook PM
    - http://www.gfi.com/blog/phishing-sca...a-facebook-pm/
    Jan 23, 2013 - "We’ve seen a number of cases wherein phishers have used compromised Twitter accounts to send direct messages (DMs) to their followers. We’re now beginning to see this same tactic used in Facebook in the form of private messages (PMs), and this isn’t just some spam mail in your inbox claiming you have received a “private message”... Recipients can act on this message in two ways: they can click the link to confirm their account, or simply ignore the message and delete it from their message inbox. Users who do the latter are guaranteed to be safe from this sort of scam. Users who do the former, however, are led to a single site where they can enter all personal information asked from them... Unsolicited messages from phishers landing on your private message inbox are no longer limited to Twitter. Despite this old method being used in a different platform, our advice on how to avoid falling for such scams remains the same: Always check the URL to be sure you’re not going to visit a link that is completely unrelated to Facebook—”Think before you click”, remember?; be skeptical about messages claiming to have come from Facebook; lastly, never share the URL to anyone on Facebook or on your other social sites as this only increases the possibility of someone clicking the link and getting phished themselves."
    (Screenshots available at the gfi URL above.)
    ___

    Fake NACHA SPAM / canonicalgrumbles .biz
    - http://blog.dynamoo.com/2013/01/nach...umblesbiz.html
    23 Jan 2013 - "... fake NACHA spam leads to malware on canonicalgrumbles .biz... The malicious payload is at [donotclick]canonicalgrumbles .biz/closest/984y3fh8u3hfu3jcihei.php (report here*) hosted on 93.190.46.138 (Ukrainian Hosting / ukrainianhosting .com). I've seen other malware servers in 93.190.40.0/21 before; I would recommend blocking the whole lot."
    (More detail at the dynamoo URL above.)
    * http://urlquery.net/report.php?id=814512
    ___

    Bogus Job SPAM ...
    - http://blog.dynamoo.com/2013/01/h-se...mate-firm.html
    23 Jan 2013 - "H Seal is a real, legitimate firm. This email is -not- from H Seal, but a criminal organisation wanting to recruit people for money laundering and other unlawful activities. Originating IP is 199.254.123.20 ..."
    (More detail at the dynamoo URL above.)
    ___

    Fake Corporate eFax SPAM / 13.carnovirious .net
    - http://blog.dynamoo.com/2013/01/corp...iriousnet.html
    23 Jan 2013 - "This spam is leading to malware on 13.carnovirious .net, a domain spotted earlier today.. but one that has switched server to 74.91.117.49 since then... The spam leads to an exploit kit on [donotclick]13.carnovirious .net/read/persons_jobs.php hosted on 74.91.117.49 by Nuclear Fallout Enterprises. You should probably block 74.91.117.50 as well..."
    (More detail at the dynamoo URL above.)
    ___

    Fake USPS SPAM / euronotedetector .net
    - http://blog.dynamoo.com/2013/01/usps...tectornet.html
    23 Jan 2013 - "This fake USPS spam leads to malware on euronotedetector .net... The malicious payload is at [donotclick]euronotedetector .net/detects/updated_led-concerns.php hosted on the familiar IP address of 222.238.109.66 (Hanaro Telecom, Korea) which has been used in several recent attacks..."
    (More detail at the dynamoo URL above.)
    ___

    Fake BT Business SPAM / esenstialin .ru
    - http://blog.dynamoo.com/2013/01/bt-b...stialinru.html
    23 Jan 2013 - "This fake BT Business spam leads to malware on esenstialin .ru... The malicious payload is on [donotclick]esenstialin .ru:8080/forum/links/column.php hosted on the following IPs:
    50.31.1.104 (Steadfast Networks, US)
    91.224.135.20 (Proservis UAB, Lithuania)..."
    (More detail at the dynamoo URL above.)
    ___

    Something evil on 74.91.117.50
    - http://blog.dynamoo.com/2013/01/some...749111750.html
    23 Jan 2013 - "OK, I can see just two malicious domains on 74.91.117.50 but they are currently spreading an exploit kit through this spam run. The domain is allocated to Nuclear Fallout Enterprises who often seem to host malware sites like this, so there's a good chance that more evil will turn up on this IP.
    These are the domains that I can see right now:
    13.blumotorada .net
    13.carnovirious .net
    The domains are registered with these apparently fake details:
    Glen Drobney office @glenarrinera .com
    1118 hagler dr / neptune bch
    FL 32266 US
    Phone: +1.9044019773
    Since there will almost definitely be more malicious domains coming up on this IP, it is well worth blocking."
    ___

    Fake ADP SPAM / elemikn .ru
    - http://blog.dynamoo.com/2013/01/adp-spam-elemiknru.html
    22 Jan 2013 - "This fake ADP spam potentially leads to malware on elemikn .ru:
    Date: Tue, 22 Jan 2013 12:25:06 +0100
    From: LinkedIn [welcome @linkedin .com]
    Subject: ADP Immediate Notification
    ADP Immediate Notification
    Reference #: 815979361
    Tue, 22 Jan 2013 12:25:06 +0100
    Dear ADP Client
    Your Transfer Record(s) have been created at the web site:
    https ://www .flexdirect .adp .com/client/login.aspx
    Please see the following notes:
    Please note that your bank account will be debited within one banking business day for the amount(s) shown on the report(s).
    Please do not respond or reply to this automated e-mail. If you have any questions or comments, please Contact your ADP Benefits Specialist.
    This note was sent to acting users in your system that approach ADP Netsecure.
    As usual, thank you for choosing ADP as your business affiliate!
    Ref: 286532564
    HR. Payroll. Benefits.
    The ADP logo and ADP are registered trademarks of ADP, Inc.
    In the business of your success is a service mark of ADP, Inc.
    © 2013 ADP, Inc. All rights reserved.


    The malicious payload is at [donotclick]elemikn .ru:8080/forum/links/column.php but at the moment the domain does not seem to be resolving (which is a good thing!)
    ___

    Fake "Batch Payment File Reversed" SPAM / kendallvile .com
    - http://blog.dynamoo.com/2013/01/batc...rsed-spam.html
    22 Jan 2013 - "This spam leads to malware on kendallvile .com:
    From: batchservice @eftps .net [batchservice @eftps .net]
    Date: 22 January 2013 17:56
    Subject: Batch Payment File Reversed
    === PLEASE NOT REPLY TO THIS MESSAGE===
    [redacted]
    This notification was mailed to inform you that your payment file has Reversed. 2013-01-21-9.56.22.496135
    Detailed information is accessible by sign into the Batch Provider with this link.
    --
    With Best Regards,
    EFTPS
    Contact Us: EFTPS Batch Provider Customer Service


    This leads to an exploit kit on [donotclick]kendallvile .com/detects/exceptions_authority_distance_disturbing.php (report here*) hosted on the very familiar IP address of 222.238.109.66 (Hanaro Telecom, Korea) which should be blocked if you can."
    * http://www.urlquery.net/report.php?id=802578

    Last edited by AplusWebMaster; 2013-01-23 at 22:22.
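    A defender-side triage script for the indicators these posts keep repeating (the `:8080/forum/links/column.php` landing path on .ru domains in the ADP, Intuit and BT Business posts, the `/detects/*.php` pages on 222.238.109.66, the long hex subdomains on 109.123.66.30, and the IPs and CIDR blocks dynamoo recommends blocking), added here as an example and not code from this thread or the quoted blogs. The log format, the `triage_log`/`url_indicators` names and the sample lines are constructed; the hosts, networks and paths are the ones quoted above, written unobfuscated so the URL parser can read them.

```python
"""Proxy-log triage against the indicators quoted in this thread.

Added example: not the thread's or the quoted blogs' code. The log format,
the function names and the sample lines are constructed; the hosts, networks
and URL shapes are the ones the quoted posts report.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Hosts the quoted dynamoo posts say to block (written unobfuscated).
BLOCKED_HOSTS = {
    "222.238.109.66",  # Hanaro Telecom, Korea: the /detects/*.php landing pages
    "89.111.176.125",  # Garant-Park-Telecom, Russia
    "91.224.135.20",   # Proservis UAB, Lithuania
    "212.112.207.15",  # ip4 GmbH, Germany
    "109.123.66.30",   # UK2.NET, UK: Blackhole on hijacked subdomains
    "74.91.117.49",    # Nuclear Fallout Enterprises
    "74.91.117.50",
}
# Ranges the posts recommend blocking outright.
BLOCKED_NETS = [
    ipaddress.ip_network("82.145.57.0/25"),  # QHoster suballocation (Blackhole)
    ipaddress.ip_network("93.190.40.0/21"),  # Ukrainian Hosting
]
# URL paths the campaigns reuse across otherwise unrelated domains.
PATH_PATTERNS = [
    ("ru-8080-column", re.compile(r"^/forum/links/column\.php$")),
    ("detects-landing", re.compile(r"^/detects/[\w-]+\.php$")),
    ("read-landing", re.compile(r"^/read/[\w-]+\.php$")),
]
# Hijacked-subdomain shape from the 109.123.66.30 post: a long hex label in
# front of a legitimate domain (a DNS label is at most 63 characters).
HEX_LABEL = re.compile(r"^[0-9a-f]{32,63}$")

# Constructed log format: "<timestamp> <client> <method> <url> <dst_ip>".
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<dst>\S+)$"
)


def ip_blocked(addr):
    """True when addr is a quoted host or falls inside a quoted CIDR block."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:  # a hostname, not an address
        return False
    return addr in BLOCKED_HOSTS or any(ip in net for net in BLOCKED_NETS)


def url_indicators(url):
    """Return the indicator names a URL matches, in check order ([] if none)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = [name for name, rx in PATH_PATTERNS if rx.match(parts.path)]
    if parts.port == 8080 and host.endswith(".ru"):
        reasons.append("ru-port-8080")
    if HEX_LABEL.match(host.split(".")[0]):
        reasons.append("hex-subdomain")
    if ip_blocked(host):
        reasons.append("blocked-ip-in-url")
    return reasons


def triage_log(lines):
    """Map each suspicious URL to its sorted indicator names; clean lines are dropped."""
    hits = {}
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than guess
        reasons = url_indicators(m["url"])
        if ip_blocked(m["dst"]):
            reasons.append("blocked-dst-ip")
        if reasons:
            hits[m["url"]] = sorted(set(reasons))
    return hits


# Constructed sample log: hosts and paths come from the quoted posts, plus one benign line.
SAMPLE_LOG = """\
2013-01-23T09:12:01Z 10.0.0.15 GET http://dopaminko.ru:8080/forum/links/column.php 212.112.207.15
2013-01-23T09:12:05Z 10.0.0.15 GET http://prepadav.com/detects/region_applied-depending.php 222.238.109.66
2013-01-23T09:13:40Z 10.0.0.22 GET http://700ff4ad03c655cb11919113011611137102708d4fb6daf0e74bea4aa5e8f9f.darkhands.com/ 109.123.66.30
2013-01-23T09:14:02Z 10.0.0.22 GET http://www.example.org/index.html 93.184.216.34
2013-01-23T09:15:30Z 10.0.0.31 GET http://avirasecureserver.com/ 82.145.57.3
2013-01-23T09:16:11Z 10.0.0.31 GET http://canonicalgrumbles.biz/closest/984y3fh8u3hfu3jcihei.php 93.190.46.138
""".splitlines()

if __name__ == "__main__":
    for url, why in triage_log(SAMPLE_LOG).items():
        print(url, "->", ", ".join(why))
```

The path and subdomain checks catch the landing pages even when the campaign moves to a domain or IP not yet on the list, which is the pattern the posts above describe.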
