
Thread: SPAM frauds, fakes, and other MALWARE deliveries...

  1. #1121
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Fake 'FedEx/USPS' SPAM - updates, Sundown EK

    FYI...

    Fake 'FedEx/USPS' SPAM - updates
    - https://myonlinesecurity.co.uk/spoof...d-locky-sites/
    28 Dec 2016

    29 December 2016: (Payload Security report[6]) Contacted Hosts (169)
    cobycaresfoundation .org: 72.47.244.92: https://www.virustotal.com/en/ip-add...2/information/
    dev.zodia-q .com: 153.121.37.174: https://www.virustotal.com/en/ip-add...4/information/
    shark1.idhost .kz: 82.200.247.240: https://www.virustotal.com/en/ip-add...0/information/
    italysfinestdesign .it: 217.72.102.152: https://www.virustotal.com/en/ip-add...2/information/
    salutgaudi .com: 185.2.4.20: https://www.virustotal.com/en/ip-add...0/information/
    zodia-q .com: 153.121.37.174: https://www.virustotal.com/en/ip-add...4/information/


    > 2nd version today (Payload Security Report[7]) Contacted Hosts (7)


    6] https://www.hybrid-analysis.com/samp...ironmentId=100

    7] https://www.hybrid-analysis.com/samp...ironmentId=100
    ___

    Updated Sundown EK ...
    - http://blog.trendmicro.com/trendlabs...steganography/
    Dec 29, 2016 - "... On December 27, 2016, we noticed that Sundown was updated... The PNG files weren’t just used to store harvested information; the malware designers now used -steganography- to hide their exploit code. The newly updated exploit kit was used by multiple-malvertising-campaigns to distribute malware. The most affected countries were Japan, Canada, and France, though Japanese users accounted for more than 30% of the total targets:
    > https://blog.trendmicro.com/trendlab...nography-1.jpg
    ... previous Sundown versions directly connected victims to the Flash-exploit-file on their landing page. In this updated version, the exploit kit’s malvertisement creates a hidden iframe that automatically connects to the Sundown landing page. The page will retrieve and download a white PNG image. It then decodes the data in this PNG file to obtain additional malicious code... we found that it included the exploit code targeting CVE-2015-2419, a vulnerability in the JScript handling of Internet Explorer. A Flash exploit for CVE-2016-4117 is also retrieved by the exploit code. The landing page itself includes an exploit targeting another Internet Explorer (IE) vulnerability, CVE-2016-0189... The Sundown exploit kit exploits vulnerabilities in Adobe Flash and JavaScript, among others... Indicators of Compromise: The following domains were used by the Sundown Exploit kit with the matching IP addresses:
    xbs.q30 .biz (188.165.163.228)
    cjf.0340 .mobi (93.190.143.211)
    The Chthonic sample has the following SHA1 hash:
    c2cd9ea5ad1061fc33adf9df68eeed6a1883c5f9
    The sample also used the following C&C server:
    pationare .bit"

    pationare .bit: 'Could not find an IP address for this domain name.'

    188.165.163.228: https://www.virustotal.com/en/ip-add...8/information/

    93.190.143.211: https://www.virustotal.com/en/ip-add...1/information/

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .
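The Sundown update quoted above parks its exploit code inside an otherwise plain white PNG, so the defender's question is whether an image file carries more than its pixels. The block below is an added example, not code from the post or from Trend Micro: a small PNG chunk walker that flags bytes appended after IEND, an IDAT stream that inflates to more than the IHDR dimensions account for, oversized text chunks and bad CRCs. make_png builds constructed test images; the text_limit threshold is an assumption.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
TEXT_CHUNKS = {b"tEXt", b"zTXt", b"iTXt"}
CHANNELS = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}   # PNG colour type -> samples per pixel


def chunk(ctype, payload):
    """Serialise one PNG chunk: length, type, payload, CRC32 over type+payload."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def make_png(width, height, trailing=b"", idat_extra=b""):
    """Constructed test image: solid white, 8-bit RGB, non-interlaced.
    trailing   -> bytes appended after IEND (data parked behind the image)
    idat_extra -> bytes tucked inside the compressed pixel stream"""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    raw = b"".join(b"\x00" + b"\xff" * (width * 3) for _ in range(height))
    idat = zlib.compress(raw + idat_extra)
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"") + trailing


def parse_png(data):
    """Return (chunks, trailing): chunks is a list of (type, payload, crc_ok),
    trailing is whatever follows IEND, which an image viewer never reads."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos, chunks = len(PNG_SIG), []
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        payload = data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        if len(payload) < length or len(crc) < 4:
            break                        # truncated file: stop rather than mis-parse
        crc_ok = struct.unpack(">I", crc)[0] == (zlib.crc32(ctype + payload) & 0xFFFFFFFF)
        chunks.append((ctype, payload, crc_ok))
        pos += 12 + length
        if ctype == b"IEND":
            break
    return chunks, data[pos:]


def png_findings(data, text_limit=256):
    """Return a list of anomalies; an empty list means the file is just an image.
    text_limit (assumed threshold) is the largest text-chunk payload accepted quietly."""
    findings = []
    chunks, trailing = parse_png(data)
    if trailing:
        findings.append(f"{len(trailing)} bytes after IEND")
    ihdr, idat = None, b""
    for ctype, payload, crc_ok in chunks:
        if not crc_ok:
            findings.append(f"bad CRC on {ctype.decode('latin-1')}")
        if ctype == b"IHDR" and len(payload) == 13:
            ihdr = struct.unpack(">IIBBBBB", payload)
        elif ctype == b"IDAT":
            idat += payload
        elif ctype in TEXT_CHUNKS and len(payload) > text_limit:
            findings.append(f"oversized {ctype.decode()} chunk ({len(payload)} bytes)")
    # Size check covers the 8-bit, non-interlaced case: each scanline is one filter byte plus pixels.
    if ihdr and ihdr[2] == 8 and ihdr[6] == 0 and ihdr[3] in CHANNELS:
        width, height, _, colour = ihdr[:4]
        expected = height * (1 + width * CHANNELS[colour])
        try:
            actual = len(zlib.decompress(idat))
        except zlib.error:
            findings.append("IDAT stream does not inflate")
        else:
            if actual != expected:
                findings.append(f"IDAT inflates to {actual} bytes, expected {expected}")
    return findings
```

Run png_findings over the images a sandbox or proxy fetched from a suspect landing page; a clean file returns an empty list.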

  2. #1122

    Fake 'FTC' SPAM

    FYI...

    Fake 'FTC' SPAM - ransomware
    - https://myonlinesecurity.co.uk/spoof...-notification/
    3 Jan 2017 - "... an email with the subject of 'Consumer complaint notification' pretending to come from Federal Trade Commission <ftc.mvUJw@ ftc .gov.uk>... this is a ransomware version. Techhelplist* has kindly helped out and run the sample on a test system and got this very seasonal screenshot:
    * https://twitter.com/Techhelplistcom/...16984371646469
    ... The domain “ftc .gov.uk” does -not- exist... The link-in-the-email goes to:
    http ://govapego .com//COMPLAINT42084270.zip

    Screenshot: https://i2.wp.com/myonlinesecurity.c...24%2C574&ssl=1

    3 January 2017: COMPLAINT42084270.zip: Extracts to: COMPLAINT.pdf.exe - Current Virus total detections 21/57*
    Payload Security**..."
    * https://www.virustotal.com/en/file/7...is/1483458092/
    COMPLAINT.pdf.exe

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    81.4.123.67: https://www.virustotal.com/en/ip-add...7/information/

    govapego .com: 92.51.134.34: https://www.virustotal.com/en/ip-add...4/information/


  3. #1123

    Blockchain - phish

    FYI...

    Blockchain - phish
    - https://myonlinesecurity.co.uk/verif...hain-phishing/
    4 Jan 2017 - "... don’t ever click-the-link in the email. If you do it will lead you to a website that looks at first glance like the genuine Blockchain website but you can clearly see in the address bar, that it is fake. Some versions of this and similar phish will ask you to fill in the html (webpage) form that comes attached to the email. The link-in-the-email goes to
    http:// 178.33.66.249 /~kudi/admin/blockchain/info/login.php .. which is an OVH German server..

    Screenshot: https://i2.wp.com/myonlinesecurity.c...61%2C998&ssl=1

    If you follow through, all they want is your email address and password but none of the other information that these phishing scams usually ask for:
    > https://i2.wp.com/myonlinesecurity.c...24%2C758&ssl=1 .."

    178.33.66.249: https://www.virustotal.com/en/ip-add...9/information/
    > https://www.virustotal.com/en/url/53...f706/analysis/
    Detection: 5/68


  4. #1124

    Fake 'New Invoice' SPAM, Tech support SCAM on Macs

    FYI...

    Fake 'New Invoice' SPAM - Cerber ransomware
    - https://myonlinesecurity.co.uk/new-i...er-ransomware/
    5 Jan 2017 - "... an email with the subject of 'New Invoice #2768-16'... pretending to come from what I assume are random companies, names and email addresses with a zip attachment containing a js file that eventually delivers Cerber ransomware... One of the emails looks like:
    From: Janie Cain <asgard1234@ post .su>
    Date:Thu 05/01/2017 17:25
    Subject: New Invoice #2768-16
    Attachment: info-inv.zip
    This email is being sent in order to inform you that a new invoice has been generated for your account.
    Please see the file that is attached.
    The file is password protected to protect your information.
    The password is 123456
    Thank you.
    Janie Cain


    5 January 2017: info-inv.zip: Extracts to: info-inv.js - Current Virus total detections 12/54*
    ... Analysis by techhelplist[1] has found it to deliver Cerber ransomware. It downloads from 86.106.131.141 /10.mov which is a renamed .exe file that if you try to run manually would open Windows Media Player instead, although the script file will run it successfully (VirusTotal 3/45**) (Payload Security ***) (MALWR [4]). This Cerber version contacts -576- hosts... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    1] https://twitter.com/Techhelplistcom/...05275580772353

    * https://www.virustotal.com/en/file/8...is/1483646751/

    ** https://virustotal.com/en/file/a7843...42bb/analysis/

    *** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts (576)

    4] https://malwr.com/analysis/MTQ2NTI1Z...YzMTg5NjBhOGI/

    86.106.131.141: https://www.virustotal.com/en/ip-add...1/information/
    > https://www.virustotal.com/en/url/92...f181/analysis/
    ___

    Tech support SCAM - DoS on Macs
    - https://blog.malwarebytes.com/101/ma...-via-mail-app/
    Jan 5, 2017 - "... yet another 'technique' that targets Mac OS users running Safari... second variant appears to still be capable of opening up iTunes, without any prompt in Safari... IOCs:
    safari-get[.]com: Could not find an IP address for this domain name
    safari-get[.]net: 111.118.212.86: https://www.virustotal.com/en/ip-add...6/information/
    > https://www.virustotal.com/en/url/4f...9831/analysis/
    safari-serverhost[.]com: Could not find an IP address for this domain name
    safari-serverhost[.]net: 111.118.212.86 "

    Last edited by AplusWebMaster; 2017-01-06 at 15:22.

  5. #1125

    Merry X-Mas Ransomware, Fake 'Apple' SPAM

    FYI...

    Merry X-Mas Ransomware
    - https://isc.sans.edu/diary.html?storyid=21905
    2017-01-09 - "... Merry X-Mas Ransomware was first reported as distributed through malicious spam (malspam) disguised as FTC consumer complaints*...
    * https://myonlinesecurity.co.uk/spoof...-notification/
    3 Jan 2017
    By Sunday 2017-01-08, I saw an updated version of the Merry X-Mas Ransomware distributed through malspam disguised as 'court attendance' notifications. The malspam was a -fake- notification to appear in court. Email headers indicate the sender's address was -spoofed- and the email came from a cloudapp .net domain associated with Microsoft:
    > https://isc.sans.edu/diaryimages/ima...y-image-02.jpg
    The -link- from the malspam downloaded a zip archive. The zip archive contained a Microsoft Word document with a malicious macro. If macros were enabled on the Word document, it downloaded and executed the ransomware.
    Flow chart of the infection process:
    > https://isc.sans.edu/diaryimages/ima...y-image-03.jpg
    ... IoCs follow:
    192.185.18.204 port 80 - neogenomes .com - GET /court/PlaintNote_12545_copy.zip [initial zip download]
    81.4.123.67 port 443 - onion1 .host:443 - GET /temper/PGPClient.exe [ransomware binary]
    168.235.98.160 port 443 - onion1 .pw - POST /blog/index.php [post-infection callback]
    ... Malspam with links to malware is a common threat. This is not an unusual method of malware distribution, and its holiday theme also fits the season... Still, we need to keep an ongoing dialog to promote awareness of this and other ransomware threats. Too many people continue to fall for it..."
    (More detail at the isc URL above.)

    192.185.18.204: https://www.virustotal.com/en/ip-add...4/information/

    81.4.123.67: https://www.virustotal.com/en/ip-add...7/information/

    168.235.98.160: https://www.virustotal.com/en/ip-add...0/information/
    ___

    Fake 'Apple' SPAM - links to malware
    - https://myonlinesecurity.co.uk/spoof...er-ransomware/
    9 Jan 2016 - "... an email with the subject of 'Apple latest security checks' pretending to come from Support@ App .com... Link goes to ‘http ://bellinghamontap .com/apple.zip’... Attachment: Link in email...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...k-1024x666.png

    9 January 2017: apple.zip: Extracts to: apple.exe - Current Virus total detections 4/56*
    Payload Security**. I am guessing from this report it is Cerber ransomware, by the number of IP addresses it contacts... The basic rule is NEVER open any attachment to an email -or- click-a-link in an email unless you are expecting it...."
    * https://www.virustotal.com/en/file/5...8b7f/analysis/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts (576)

    bellinghamontap .com: 192.254.185.196: https://www.virustotal.com/en/ip-add...6/information/
    > https://www.virustotal.com/en/url/78...007e/analysis/

    Last edited by AplusWebMaster; 2017-01-10 at 00:52.

  6. #1126

    Fake 'Certificate UPDATE' SPAM, Ransom Victims Who-Pay-Up Get-Stiffed

    FYI...

    Fake 'Certificate UPDATE' SPAM - delivers Trickbot
    - https://myonlinesecurity.co.uk/spoof...anking-trojan/
    10 Jan 2017 - "... an email with the subject of 'Certificate UPDATE' pretending to come from Administrator at your-own-email-address delivers Trickbot banking Trojan... One of the emails looks like:
    From: Administrator <Administrator@ victim domain .tld >
    Date: Tue 10/01/2017 01:25
    Subject: Certificate UPDATE
    Attachment: certificate.zip
    **********Important – Internal ONLY**********
    Your Web mail account Certificate is about to expire. Please update it.
    New Certificate is in attachment. Download and launch file.
    Certificate details:
    Filename: Certificate.crt
    Key: 6260-6233-GFPV-6072-UAAV-1048
    Domain: ...
    MX record: ...


    10 January 2017: certificate.zip: Extracts to: Certificate_webmail.scr - Current Virus total detections 15/57*
    Payload Security**... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/c...is/1484029988/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    78.47.139.102
    36.37.176.6
    201.236.219.180
    144.76.203.79

    ___

    Extortionists Wipe Databases, Victims Who-Pay-Up Get-Stiffed
    - https://krebsonsecurity.com/2017/01/...p-get-stiffed/
    Jan 10, 2017 - "Tens of thousands of personal and possibly proprietary databases that were left accessible to the public online have just been -wiped- from the Internet, replaced with ransom-notes demanding payment for the return of the files. Adding insult to injury, it appears that virtually none-of-the-victims (who) have paid the ransom have gotten-their-files-back because multiple-fraudsters are now wise to the extortion attempts and are competing to replace-each-other’s-ransom notes.
    At the eye of this developing data destruction maelstrom is an online database platform called MongoDB. Tens of thousands of organizations use MongoDB to store data, but it is easy to misconfigure and leave the database exposed online. If installed on a server with the default settings, for example, MongoDB allows anyone to browse the databases, download them, or even write over them and delete them..."
    Shodan, a specialized search engine designed to find things that probably won’t be picked up by Google, lists the number of open, remotely accessible MongoDB databases available as of Jan. 10, 2017
    > https://krebsonsecurity.com/wp-conte...hodanmongo.png
    ... Truth 1: “If you connect it to the Internet, someone will try to hack it.”
    Truth 2: “If what you put on the Internet has value, someone will invest time and effort to steal it.”
    Truth 3: “Organizations and individuals unwilling to spend a small fraction of what those assets are worth to secure them against cybercrooks can expect to eventually be relieved of said assets.”
    (More detail at the 1st krebsonsecurity URL at the top.)

    Last edited by AplusWebMaster; 2017-01-10 at 22:54.

  7. #1127

    Fake 'Document', Neutrino Bot SPAM

    FYI...

    Fake 'Document' SPAM - delivers Trickbot
    - https://myonlinesecurity.co.uk/docum...king-trojan-2/
    11 Jan 2017 - "An email with the subject of 'Document from Vogel' (random name) pretending to come from the same random name at your-own-email-address with a malicious word doc attachment delivers Trickbot banking Trojan... The email looks like:
    From: Michael Vogel <Michael.Vogel@ victim domain .tld >
    Date: Wed 11/01/2017 06:59
    Subject: Document from Vogel
    To: admin@victim domain.tld + 9 other names at my domain
    Attachment: Vogel_1101_30.doc
    My company sent you a document. Check it attached.
    Regards,
    Michael Vogel
    G8 Education Limited


    11 January 2017: Vogel_1101_30.doc - Current Virus total detections 9/55*
    Payload Security** shows a download of what pretends to be a png (image file) but is actually a renamed .exe file from ‘http ://artslogan .com.br/images/jhfkjsdhfntnt.png’ which is renamed by the script to yatzxwe.exe and automatically run (VirusTotal 12/57***)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/d...is/1484121516/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    189.1.168.176
    78.47.139.102
    36.37.176.6
    201.236.219.180
    144.76.203.79


    *** https://www.virustotal.com/en/file/5...is/1484091723/
    ___

    Post-holiday spam campaign delivers Neutrino Bot
    - https://blog.malwarebytes.com/cyberc...-neutrino-bot/
    Jan 11, 2017 - "During the Christmas season and early into the new year, we noticed a sharp decrease in spam volume, perhaps as online criminals took a break from their malicious activities and popped the champagne to celebrate. It could also have been a time to regroup and plan new strategies for the upcoming year... over the weekend we observed a large new campaign purporting to be an email from ‘Microsoft Security Office’ with a link to a full security report (Microsoft.report.doc). This was somewhat unexpected, as typically the malicious Office files are directly attached to the email. Instead, the files are hosted on various servers with a short time to live window:
    > https://blog.malwarebytes.com/wp-con...7/01/email.png
    The booby-trapped document asks users to enable-macros in order to launch the malicious code:
    > https://blog.malwarebytes.com/wp-con...ro_blocked.png
    If the macro executes, the final payload will be downloaded and executed. This is Neutrino bot..."
    IOCs:

    Last edited by AplusWebMaster; 2017-01-11 at 20:42.

  8. #1128

    Fake 'MoneyGram' SPAM, 'Phishy' tweets, Indian tech support SCAMS

    FYI...

    Fake 'MoneyGram' SPAM - delivers Java Jacksbot
    - https://myonlinesecurity.co.uk/spoof...rgent-request/
    12 Jan 2017 - "... fake financial themed emails containing java adwind or Java Jacksbot attachments...previously mentioned... HERE*....
    * https://myonlinesecurity.co.uk/?s=java+adwind
    ... This version is slightly unusual... has a html attachment with -links- for you to download the file yourself.

    Screenshot: https://myonlinesecurity.co.uk/wp-co...ion-email-.png

    If you are unwise enough to open the html -attachment- you see a webpage looking like this:
    > https://myonlinesecurity.co.uk/wp-co...nfirmation.png
    The page tries to automatically download the zip file, if that doesn’t work then the download button appears. That goes to http ://dreamsbroker .com/Requested%20Missing-Confirmation%20of%20payment.zip which extracts to 2 identical but differently named java.jar files. Received documents And Customers identification.jar and Request Missing Transaction Details and Refrence.jar

    12 January 2017: Received documents And Customers identification.jar (323kb) - Current Virus total detections 24/55*
    Payload Security**. These malicious attachments have a password stealing component, with the aim of stealing your bank, PayPal or other financial details along with your email or FTP (web space) login credentials. Many of them are also designed to specifically steal your Facebook and other social network login details... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/3...is/1484201418/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    83.243.41.200

    dreamsbroker .com: 180.235.148.70: https://www.virustotal.com/en/ip-add...0/information/
    ___

    'Phishy' sponsored tweets
    - https://blog.malwarebytes.com/cyberc...nsored-tweets/
    Jan 12, 2016 - "Another day, another couple of rogue sponsored tweets [1], [2] which lead to phishing:
    1] https://blog.malwarebytes.com/cyberc...card-phishing/
    2] https://www.scmagazineuk.com/crimina...rticle/629182/
    The account pushing the first phish has now been deleted, but it’s trivial to set up another one – and the phishing URL itself is -still- active, ready to be redeployed at a moment’s notice... site is located at
    verifiedaccounts(dot)us
    and – like the older versions of this scam – is all about getting yourself verified:
    > https://blog.malwarebytes.com/wp-con...red-phish1.jpg
    The site kicks things off by asking for username, email address, account type, phone number, year of account creation, and (finally) associated password. It’s not long before they’re sniffing around your wallet, too:
    > https://blog.malwarebytes.com/wp-con...red-phish2.jpg
    ... We strongly advise all users of Twitter to be on their guard – just because a tweet is sponsored, doesn’t mean the content it leads to is legitimate. Be on your guard and don’t hand over login details, payment credentials, or anything else to sites -claiming- they can get you verified."

    verifiedaccounts(dot)us: 192.185.128.203: https://www.virustotal.com/en/ip-add...3/information/
    > https://www.virustotal.com/en/url/a5...3883/analysis/
    Detection ratio: 10/68
    ___

    More Indian tech support SCAMS
    - http://blog.dynamoo.com/2017/01/scam...ineer-and.html
    12 Jan 2017 - "... huge upsurge in the number of Indian tech support scammers ringing, both at home and my place of work. For example.. this:
    One common trick they use revolves around this hexadecimal number 888DCA60-FC0A-11CF-8F0F-00C04FD7D062. Either it's a signal that hackers are at your PC, or it's your secret router ID that only BT would know. The conversation goes something like this..
    Victim: "But I don't get my internet from BT.."
    Scammer: "BT provides all the internet connections for everyone else, including TalkTalk and Virgin Media."
    Victim: "How do I know you're from BT?"
    Scammer: "There is a confidential Router ID that only BT will know. You can verify this to prove that we are BT."
    The scammer then talks the victim through pressing -R then CMD (followed by OK) and then ASSOC (followed by RETURN). That simply produces a list of file associations (e.g. to say that .xlsx is an Excel spreadsheet). The line they want you to see is:
    .ZFSendToTarget=CLSID\{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}
    This is just something to do with how Windows handles compressed files and folders. All Windows machines should have this entry, but it looks sufficiently scary to impress at least some victims.
    >> NEVER GIVE THESE PEOPLE ACCESS TO YOUR PC.
    However, if you want to waste their time please do so.. if you work in IT you can probably play a convincingly dumb user. It seems that they will try for up to 40 minutes or so before they give up. Alternatively, say that you have to get your laptop out from somewhere and it is very slow and just put them on hold. Every minute of their time you can waste will stop them targeting other potential victims. And don't just ignore the call - report it. If you are in the UK you can report this sort of -scam- to Action Fraud* - it will certainly help law enforcement if they have an idea of how many potential victims there are."
    * http://www.actionfraud.police.uk/report_fraud

    Last edited by AplusWebMaster; 2017-01-13 at 00:00.

  9. #1129

    Fake blank-body/no-subject SPAM

    FYI...

    Fake blank-body/no-subject SPAM - delivers Cerber
    - https://myonlinesecurity.co.uk/empty...er-ransomware/
    15 Jan 2017 - "I have been seeing these emails sporadically for the last month or so, but all previous versions have been corrupt... today’s actually has a working zip file. These arrive as a blank/empty email with no-subject pretending to come from asisianu@ pauleycreative .co.uk with a zip file containing a malicious word doc. They all actually come from asisianu at random email addresses, sometimes they spoof your-own-email-address, but always the 'From' address in the email is asisianu@pauleycreative .co.uk. This is Cerber ransomware... The email looks like:
    From: asisianu@ pauleycreative .co.uk
    Date: Sun 15/01/2017 06:54
    Subject: none
    Attachment: EMAIL_31327_info.zip


    Body content: Totally empty/blank

    15 January 2017: 12412.doc - Current Virus total detections 9/56*. Payload Security** shows a download from
    http ://coolzeropa .top/admin.php?f=0.dat which is renamed by the script to rcica.exe (VirusTotal 7/58***).
    This also drops a full screen set of instructions on how to decrypt and pay the ransom:
    _HOW_TO_DECRYPT_CDF8WC_.hta ... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/0...is/1484469048/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts (577)

    *** https://www.virustotal.com/en/file/e...is/1484469369/

    coolzeropa .top: 35.161.229.79: https://www.virustotal.com/en/ip-add...9/information/
    84.200.34.99: https://www.virustotal.com/en/ip-add...9/information/


  10. #1130

    Blank-emails no-subject SPAM

    FYI...

    Blank-emails no-subject SPAM - deliver Locky and Kovter
    - https://myonlinesecurity.co.uk/blank...ky-and-kovter/
    17 Jan 2017 - "... We are starting to see Locky, Kovter delivery emails trickling in this morning. The sites and payloads are the same as described in this post:
    > https://myonlinesecurity.co.uk/spoof...d-locky-sites/
    It looks like the Locky gangs are gearing up for a mass malspam, but are getting the delivery systems fine tweaked and having a few problems. We always see errors and problems before a mass Locky onslaught. If they keep to the sites they have been using for the last month or so, it will be relatively easy to track them & block malware. The emails received so far today are totally-blank, no-subject. The zip attachment extracts to another zip before extracting to a supposedly .jse file. However these are not encoded javascript. They are just minimally obfuscated, in fact perfectly readable by a human:
    From: charlie.wills@ 02glass .com
    Date: Mon 16/01/2017 23:30 (arrived 07:35 utc 17/01/2017)
    Subject: blank


    Attachment: 38168891.zip extracts to 38168891.doc.zip extracts to 38168891.doc.jse
    VirusTotal 5/54* | Payload Security**
    Payload:
    1.bin Locky: https://www.virustotal.com/en/file/2...is/1484631951/
    File name: a1.exe / Detection: 16/55

    2.bin Kovter:
    https://www.virustotal.com/en/file/a...is/1484642102/
    File name: 2.bin / Detection: 12/56

    * https://www.virustotal.com/en/file/9...is/1484641911/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts (171)

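The last two posts, together with the renamed-executable downloads in #1124 (10.mov) and #1127 (a .png that is really a .exe), describe a recognisable shape: no subject, no body, a zip nested inside a zip, a .doc.jse double extension, and a PE file served under an image or video name. The block below is an added example, not code from myonlinesecurity or from this thread: a Python triage routine that parses an .eml, walks nested archives and reports those traits. The message and archives it inspects are constructed inline, and the sender address uses a placeholder domain rather than the one in the post.

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

SCRIPT_EXTS = {"js", "jse", "vbs", "wsf", "hta", "exe", "scr"}
DOC_EXTS = {"doc", "docm", "xls", "xlsm", "pdf"}
MAGIC = {b"MZ": "exe", b"PK\x03\x04": "zip", b"\x89PNG": "png", b"%PDF": "pdf", b"\xd0\xcf\x11\xe0": "ole"}


def sniff(data):
    """Identify a file by its leading bytes rather than by its name."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def build_zip(members):
    """Constructed in-memory zip from (name, bytes) pairs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members:
            zf.writestr(name, data)
    return buf.getvalue()


def walk_zip(data, depth=0, max_depth=3):
    """Yield (path, bytes) for every file, descending into zips-within-zips."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            member = zf.read(info.filename)
            if sniff(member) == "zip" and depth < max_depth:
                for inner, inner_data in walk_zip(member, depth + 1, max_depth):
                    yield f"{info.filename}/{inner}", inner_data
            else:
                yield info.filename, member


def file_findings(name, data):
    """Flag script attachments, document-looking double extensions and mislabelled PE files."""
    findings = []
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    ext = parts[-1]
    if len(parts) >= 3 and ext in SCRIPT_EXTS and parts[-2] in DOC_EXTS:
        findings.append(f"{name}: double extension hides a script behind a document name")
    elif ext in SCRIPT_EXTS:
        findings.append(f"{name}: script or executable attachment")
    if sniff(data) == "exe" and ext not in ("exe", "scr", "dll"):
        findings.append(f"{name}: PE executable disguised as .{ext}")
    return findings


def triage_email(raw):
    """Parse one RFC 822 message and return the malspam traits it shows."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    subject = (msg["Subject"] or "").strip()
    body = "".join(p.get_content() for p in msg.walk()
                   if p.get_content_type() == "text/plain" and not p.is_attachment()).strip()
    if not subject and not body:
        findings.append("blank subject and empty body")
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        data = part.get_payload(decode=True) or b""
        if sniff(data) == "zip":
            for inner, inner_data in walk_zip(data):
                findings += file_findings(f"{name}/{inner}", inner_data)
        else:
            findings += file_findings(name, data)
    return findings


def constructed_blank_malspam():
    """The shape from the post: no subject, no body, zip -> .doc.zip -> .doc.jse."""
    inner = build_zip([("38168891.doc.jse", b"var run = 'minimally obfuscated';")])
    outer = build_zip([("38168891.doc.zip", inner)])
    msg = EmailMessage()
    msg["From"] = "charlie.wills@sender.invalid"   # placeholder, not the post's sender domain
    msg["To"] = "you@recipient.invalid"
    msg.add_attachment(outer, maintype="application", subtype="zip", filename="38168891.zip")
    return msg.as_bytes()
```

At a mail gateway the same checks run over every inbound message; the double-extension and disguised-PE rules are the ones that catch the payloads even when the sender and subject change.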
