
Thread: SPAM frauds, fakes, and other MALWARE deliveries...

  1. #111
    Adviser Team AplusWebMaster (Join Date: Oct 2005; Location: USA; Posts: 6,881)

    Fake Flash, LinkedIn, pharma, efax ...

    FYI...

    Fake Flash Updates - via SPAM attachment...
    - http://www.gfi.com/blog/fake-adobe-f...es-in-the-web/
    Jan 24, 2013 - "Following the return of fake Google Chrome browser updates almost two weeks ago, online criminals are now banking on fake Adobe Flash Player updates to lure the unwary user into downloading malware onto their system... spam emails claiming to be from the Better Business Bureau (BBB) and eFax Corporate... The BBB email contains an attachment that is found to be a Pony downloader that, once opened, downloads a variant of the ZeuS banking Trojan onto the affected user’s system. The said downloader also steals various passwords related to FTP sites..."
    (Screenshots available at the gfi URL above.)
    ___

    Malicious BT SPAM
    - http://www.gfi.com/blog/beware-malic...ng-in-inboxes/
    Jan 24, 2013 - "... if you’re a client of the BT (British Telecom) Group, be warned that there is a new spam campaign under the guise of a “Notice of Delivery” mail* pretending to originate from BT Business Direct... Once users download and open the attached HTM file, they are -redirected- to a Russian website the file calls back to. The website serves a Blackhole Exploit Kit, which then downloads Cridex once it finds a software vulnerability..."
    * http://gfisoftware.tumblr.com/post/4...ttachment-spam
    ___

    Fake ADP SPAM / 14.sofacomplete .com
    - http://blog.dynamoo.com/2013/01/adp-...mpletecom.html
    24 Jan 2013 - "This fake ADP spam leads to malware on 14.sofacomplete .com:
    From: Erna_Thurman @ADP .com Date: 24 January 2013 17:48
    Subject: ADP Generated Message: Final Notice - Digital Certificate Expiration
    This e-mail has been sent from an automated system. PLEASE DO NOT REPLY. If you have any questions, please contact your administrator for assistance.
    Digital Certificate About to Expire
    The digital certificate you use to access ADP's Internet services is about to expire. If you do not renew your certificate by the expiration date below, you will not be able to access ADP's Internet services.
    Days left before expiration: 1
    Expiration date: Jan 25 23:59:59 GMT-03:59 2013
    Renewing Your Digital Certificate
    1. Go to this URL: https ://netsecure.adp .com/pages/cert/register2.jsp
    2. Follow the instructions on the screen.
    3. Also you can download new digital certificate at https ://netsecure.adp .com/pages/cert/pickUpCert.faces.
    Deleting Your Old Digital Certificate
    After you renew your digital certificate, be sure to delete the old certificate. Follow the instructions at the end of the renewal process.


    The malicious payload is at [donotclick]14.sofacomplete .com/read/saint_hate-namely_fails.php hosted on 73.246.103.26 (Comcast, US). There will probably be other malicious domains on this same IP, so blocking it may be useful."
    ___

    Fake LinkedIn emails lead to client-side exploits and malware
    - http://blog.webroot.com/2013/01/24/f...s-and-malware/
    Jan 24, 2013 - "... Over the past 24 hours, cybercriminals have launched yet another massive spam campaign, impersonating LinkedIn, in an attempt to trick its users into clicking on the malicious links found in the bogus “Invitation Notification” themed emails. Once they click on the links, users are automatically exposed to the client-side exploits served by the Black Hole Exploit Kit...
    Sample screenshot of the spamvertised email:
    > https://webrootblog.files.wordpress....xploit_kit.png
    ... Name servers used by these malicious domains:
    Name server: ns1.http-page .net – 31.170.106.17 – Email: ezvalue @yahoo .com
    Name server: ns2.http-page .net – 7.129.51.158 – Email: ezvalue @yahoo .com
    Name Server: ns1.high-grades .com – 208.117.43.145
    Name Server: ns2.high-grades .com – 92.121.9.25
    Sample malicious payload dropping URL:
    hxxp ://shininghill .net/detects/solved-surely-considerable.php?vf=1o:31:1h:1l:2w&fe=33:1o:1g:1l:1m:1k:2v:1l:1o:32&n=1f&dw=w&qs=p
    Upon successful client-side exploitation, the campaign drops MD5: fdc05614f56aca9421271887c1937f51 * ...Trojan-Spy.Win32.Zbot.ihgm.
    Upon execution, the same creates the following process on the affected hosts:
    %AppData%\Bytaa\yjdoly.exe
    The following registry keys:
    HKEY_CURRENT_USER\Software\Microsoft\Rekime
    ... Once executed, the sample also attempts to establish multiple UDP connections with the following IPs:
    177.1.100.2 :11709
    190.33.36.175 :11404
    213.109.254.122 :29436
    41.69.182.117 :29817
    64.219.114.114 :13503
    161.184.174.65 :14545
    93.177.174.72 :10119
    69.132.202.147 :16149
    ..."
    (More detail at the webroot URL above.)
    * https://www.virustotal.com/file/224c...b58d/analysis/
    File name: info.ex_
    Detection ratio: 30/44
    Analysis date: 2013-01-23
    ___

    Fake pharma sites 24/1/13
    - http://blog.dynamoo.com/2013/01/fake...tes-24113.html
    24 Jan 2013 - "Here's an updated list of fake RX sites being promoted through vague spam like this:
    Date: Thu, 24 Jan 2013 04:44:45 +0000 (GMT)
    From: "Account Info Change" [noreply @etraxx .com]
    Subject: Updated information
    Attention please:
    - Over 50 new positions added (view recently added products)
    - Free positions included with all accounts (read more here)
    - The hottest products awaiting you in the first weeks of the new year (read more here)
    - We want you to feel as comfortable as possible while you're at our portal.
    Click Here to Unsubscribe


    As with a few days ago, these sites are hosted on:
    199.59.56.59 (Hostwinds, Australia)
    209.236.67.220 (WestHost Inc, US)
    Currently active spamvertised sites are as follows:
    (Long list available at the dynamoo URL above.)
    ___

    Fake Efax Corporate SPAM / epimarkun .ru
    - http://blog.dynamoo.com/2013/01/efax...imarkunru.html
    24 Jan 2013 - "This fake eFax spam leads to malware on epimarkun .ru:
    Date: Thu, 24 Jan 2013 04:04:42 +0600
    From: Habbo Hotel [auto-contact @habbo .com]
    Subject: Efax Corporate
    Attachments: Efax_Corporate.htm
    Fax Message [Caller-ID: 963153883]
    You have received a 28 pages fax at Thu, 24 Jan 2013 04:04:42 +0600, (157)-194-4168.
    * The reference number for this fax is [eFAX-009228416].
    View attached fax using your Internet Browser.
    © 2013 j2 Global Communications, Inc. All rights reserved.
    eFax® is a registered trademark of j2 Global Communications, Inc.
    This account is subject to the terms listed in the eFax® Customer Agreement.


    There is an attachment called Efax_Corporate.htm leading to a malicious payload at [donotclick]epimarkun .ru:8080/forum/links/column.php which is hosted on the following IPs:
    50.31.1.104 (Steadfast Networks, US)
    94.23.3.196 (OVH, France)
    202.72.245.146 (Mongolian Railway Commercial Center, Mongolia)
    These IPs and domains are all malicious:
    50.31.1.104
    94.23.3.196
    202.72.245.146
    dmssmgf .ru
    esekundi .ru
    esenstialin .ru
    disownon .ru
    epimarkun .ru
    damagalko .ru
    dumarianoko .ru
    epiratko .ru
    dfudont .ru
    ..."

    Last edited by AplusWebMaster; 2013-01-25 at 01:09.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
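
    Every write-up quoted in this post hands out indicators in the thread's defanged form ("14.sofacomplete .com", "hxxp ://shininghill .net", "ezvalue @yahoo .com", "[donotclick]...") and ends with advice to block the IP or domain. The script below is an added example, not code from the post or from GFI, Dynamoo or Webroot: it undoes that defanging, pulls out the IPs, domains, URLs, registrant e-mails and MD5s, drops brand domains that only appear inside the lure text (the ADP and FedEx URLs in the spam bodies are the real vendor sites, and blocking them would be a self-inflicted outage), and renders a sinkhole list. The sample text is assembled from lines of this post; the allowlist and the TLD list are assumptions for the example and would be widened in real use.

```python
"""Pull indicators out of a defanged malware digest and turn them into a blocklist.

Added example, not code from the original post or from the blogs it quotes.
It reverses the defanging conventions used in the thread ('example .com',
'hxxp ://', 'user @host', '[donotclick]', 'ip :port'); the brand allowlist
and the TLD list are assumptions for the example.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: lines copied from the post above, still defanged.
SAMPLE = """\
The malicious payload is at [donotclick]14.sofacomplete .com/read/saint_hate-namely_fails.php hosted on 73.246.103.26 (Comcast, US).
Name server: ns1.http-page .net - 31.170.106.17 - Email: ezvalue @yahoo .com
hxxp ://shininghill .net/detects/solved-surely-considerable.php?vf=1o:31:1h:1l:2w&n=1f
Upon successful client-side exploitation, the campaign drops MD5: fdc05614f56aca9421271887c1937f51
213.109.254.122 :29436
1. Go to this URL: https ://netsecure.adp .com/pages/cert/register2.jsp
[donotclick]epimarkun .ru:8080/forum/links/column.php which is hosted on 94.23.3.196 (OVH, France)
"""

# Brand domains that show up inside the lure text itself; never block these (assumption).
ALLOWLIST = {"adp.com", "fedex.com", "linkedin.com", "facebook.com"}

IP_RE = re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")
MD5_RE = re.compile(r"\b[0-9a-f]{32}\b", re.I)
EMAIL_RE = re.compile(r"[\w.+-]+@(?:[\w-]+\.)+[a-z]{2,}", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
# TLDs limited to the ones seen in the digest; widen as needed.
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+(?:com|net|org|ru|info|biz|us)\b", re.I)


def refang(text: str) -> str:
    """Reverse the digest's defanging so the indicators match what logs contain."""
    text = text.replace("[donotclick]", "")
    text = re.sub(r"\bhxxp", "http", text, flags=re.I)   # hxxp:// -> http://
    text = re.sub(r"\s+://", "://", text)                  # 'http ://' -> 'http://'
    text = re.sub(r"(?<=\w) \.(?=\w)", ".", text)          # 'example .com' -> 'example.com'
    text = re.sub(r"(?<=\w) @(?=\w)", "@", text)           # 'user @host' -> 'user@host'
    text = re.sub(r"(?<=\d) :(?=\d)", ":", text)           # '1.2.3.4 :53' -> '1.2.3.4:53'
    return text


def _allowlisted(host: str) -> bool:
    parts = host.lower().split(".")
    return any(".".join(parts[i:]) in ALLOWLIST for i in range(len(parts)))


@dataclass
class Iocs:
    ips: set = field(default_factory=set)
    domains: set = field(default_factory=set)
    urls: set = field(default_factory=set)
    emails: set = field(default_factory=set)
    md5s: set = field(default_factory=set)


def extract(text: str) -> Iocs:
    """Collect IPs, domains, URLs, registrant e-mails and MD5s from digest text."""
    text = refang(text)
    iocs = Iocs()
    iocs.emails = {m.lower() for m in EMAIL_RE.findall(text)}
    text = EMAIL_RE.sub(" ", text)   # so the mailbox domain (yahoo.com) is not taken as C2
    iocs.md5s = {m.lower() for m in MD5_RE.findall(text)}
    iocs.ips = set(IP_RE.findall(text))
    for url in URL_RE.findall(text):
        host = re.split(r"[/:?#]", url[url.index("://") + 3:], maxsplit=1)[0]
        if not _allowlisted(host):
            iocs.urls.add(url)
    for dom in DOMAIN_RE.findall(text):
        if not _allowlisted(dom):
            iocs.domains.add(dom.lower())
    return iocs


def is_blocked(name_or_ip: str, iocs: Iocs) -> bool:
    """Exact IP match, or a hostname equal to / below a listed domain (never above it)."""
    if name_or_ip in iocs.ips:
        return True
    parts = name_or_ip.lower().rstrip(".").split(".")
    return any(".".join(parts[i:]) in iocs.domains for i in range(len(parts)))


def hosts_lines(iocs: Iocs) -> list:
    """Render the domains as a sinkhole hosts-file fragment."""
    return [f"0.0.0.0 {d}" for d in sorted(iocs.domains)]


if __name__ == "__main__":
    found = extract(SAMPLE)
    for label, values in (("IPs", found.ips), ("domains", found.domains), ("urls", found.urls),
                          ("emails", found.emails), ("md5", found.md5s)):
        print(f"{label:8}", sorted(values))
    print("\n".join(hosts_lines(found)))
```

    The suffix match in is_blocked only walks upward from the queried name to a listed domain, so a listed dynamic-DNS host such as 3vbtnyumv.ns02 .us blocks that host and anything under it, not the whole ns02.us provider. The extraction is purely lexical: a digest that quotes a victim's or a vendor's domain will pull it in too, which is why the allowlist check is applied before anything reaches the list.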

  2. #112
    AplusWebMaster

    Fake UPS, FedEx SPAM ...

    FYI...

    Chase Phish, LinkedIn, American Express Open and Verizon Wireless Spam
    - http://www.gfi.com/blog/email-threat...wireless-spam/
    Jan 25, 2013 - "In this week’s Email Threats roundup, we are highlighting spam and phishing campaigns that have made a comeback, such as LinkedIn and Chase spam, but took advantage of different social engineering lures this time around. You Know It’s Awkward When… you receive an email notification that claims to originate from LinkedIn, saying you have an event invitation from one of your employees; however, (1) you don’t own a company and (2) you don’t have people under you that you can call “employees.” Furthermore, isn’t LinkedIn Events the latest thing-of-the-past?... these don’t matter now. What does matter is that recipients should not click any of the malicious links in the message body as they lead to serious system infections..."
    - http://gfisoftware.tumblr.com/post/4...dentials-phish
    - http://gfisoftware.tumblr.com/post/4...-linkedin-spam
    - http://gfisoftware.tumblr.com/post/4...ress-open-spam
    - http://gfisoftware.tumblr.com/post/4...-wireless-spam
    ___

    Fake Craigslist fax-to-email...
    - http://techblog.avira.com/2013/01/25...ifications/en/
    Jan 25, 2013 - "If you receive such a message containing an HTML page attached, don’t open it. The email pretends to come from “craigslist – automated message, do not reply <robot @craigslist .org>” and has the subject “Efax Corporate”...
    > http://techblog.avira.com/wp-content...ax-malware.jpg
    ... contains a malicious java script code which would download malware on your computer.
    > http://techblog.avira.com/wp-content...st-malware.jpg ..."
    ___

    Fake UPS SPAM / eziponoma .ru
    - http://blog.dynamoo.com/2013/01/ups-...iponomaru.html
    25 Jan 2013 - "This fake UPS spam leads to malware on eziponoma .ru:
    From: messages-noreply @bounce .linkedin .com... On Behalf Of LinkedIn Password
    Sent: 25 January 2013 04:12
    Subject: UPS Tracking Number H0931698016
    You can use UPS Services to:
    Ship Online
    Schedule a Pickup
    Open a UPS Services Account
    Welcome to UPS .com Customer Services
    Hi, [redacted].
    DEAR CLIENT , RECIPIENT'S ADDRESS IS WRONG
    PLEASE PRINT OUT THE INVOICE COPY ATTACHED AND COLLECT THE PACKAGE AT OUR DEPARTMENT.
    With Respect , Your UPS Customer Services...


    The malicious payload is at [donotclick]eziponoma .ru:8080/forum/links/column.php which is hosted on:
    94.23.3.196 (OVH, France)
    195.210.47.208 (PS Internet Company, Kazakhstan)
    202.72.245.146 (Railcom, Mongolia)"
    ___

    Fake FedEx SPAM / vespaboise .net
    - http://blog.dynamoo.com/2013/01/fede...aboisenet.html
    25 Jan 2013 - "This fake FedEx spam leads to malware on vespaboise .net:
    Date: Fri, 25 Jan 2013 15:39:33 +0200
    From: services @fedex .com
    Subject: FedEx Billing - Bill Prepared to be Paid
    FedEx Billing - Bill Prepared to be Paid
    fedex.com
    [redacted]
    You have a new invoice(s) from FedEx that is prepared for discharge.
    The following invoice(s) are ready for your overview:
    Invoice Number
    Invoice Amount
    2-649-22849
    49.81
    1-181-19580
    257.40
    To pay or overview these invoices, please log in to your FedEx Billing Online account proceeding this link: http ://www.fedex .com/us/account/fbo
    Note: Please do not use this email to submit payment. This email may not be used as a remittance notice. To pay your invoices, please visit FedEx Billing Online, http ://www.fedex .com/us/account/fbo
    Thank you,
    Revenue Services
    FedEx
    Please Not try to reply to this message. auto informer system cannot accept incoming mail.
    The content of this message is protected by copyright and trademark laws under U.S. and international law.
    review our privacy policy . All rights reserved.


    The malicious payload is at [donotclick]vespaboise .net/detects/invoice_overview.php which is on the very familiar IP address of 222.238.109.66 (Hanaro Telecom, Korea) which has been used in several recent attacks.. blocking it would be prudent."
    ___

    Blackhole exploit kit - distribution
    - http://www.symantec.com/connect/blog...ew-spam-affair
    Jan 24, 2013 - "... -redirect- ... to the following malicious URL:
    dfudont .ru :8080/[REMOVED]/column.php...
    BlackHole v2 exploit kit, and our telemetry data indicates that we have detected the following signatures from the malicious URL:
    Web Attack: Blackhole Exploit Kit Website 8
    Web Attack: Blackhole Exploit Kit
    Web Attack: Blackhole Functions
    Web Attack: Blackhole Toolkit Website 20
    Web Attack: Blackhole Toolkit Website 31...
    Heatmap distribution for IPS detections associated with Blackhole exploit kit:
    > https://www.symantec.com/connect/sit.../image4_26.png
    ... If the Blackhole exploit is successful, W32.Cridex* is then downloaded onto the compromised computer... ensure operating systems and software are up to date and to avoid clicking on suspicious links while browsing the Internet or checking email."
    * W32.Cridex: https://www.symantec.com/security_re...012103-0840-99
    W32.Cridex!gen1: https://www.symantec.com/security_re...032300-4035-99

    - http://centralops.net/co/DomainDossier.aspx - Jan 25, 2013
    canonical name dfudont .ru
    addresses: 94.23.3.196, 195.210.47.208, 202.72.245.146
    domain: DFUDONT .RU
    nserver: ns1.dfudont .ru. 62.76.185.169
    nserver: ns2.dfudont .ru. 41.168.5.140
    nserver: ns3.dfudont .ru. 42.121.116.38
    nserver: ns4.dfudont .ru. 110.164.58.250
    nserver: ns5.dfudont .ru. 210.71.250.131
    state: REGISTERED, DELEGATED, UNVERIFIED
    person: Private Person...
    country: FR
    origin: AS16276
    - https://www.google.com/safebrowsing/...?site=AS:16276
    "... over the past 90 days, 7886 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2013-01-25, and the last time suspicious content was found was on 2013-01-25... we found 458 site(s) on this network... that appeared to function as intermediaries for the infection of 3498 other site(s)... this network has hosted sites that have distributed malicious software in the past 90 days. We found 1447 site(s)... that infected 6601 other site(s)..."
    - http://centralops.net/co/DomainDossier.aspx - Jan 27, 2013
    canonical name dfudont .ru
    addresses: 195.210.47.208, 202.72.245.146
    domain: DFUDONT .RU
    state: REGISTERED, DELEGATED, UNVERIFIED
    person: Private Person...
    country: KZ - Kazakhstan
    origin: AS48716
    - https://www.google.com/safebrowsing/...?site=AS:48716
    "... over the past 90 days, 25 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2013-01-27, and the last time suspicious content was found was on 2013-01-27... we found 6 site(s) on this network... that appeared to function as intermediaries for the infection of 5 other site(s)... this network has hosted sites that have distributed malicious software in the past 90 days. We found 23 site(s)... that infected 965 other site(s)..."

    Last edited by AplusWebMaster; 2013-01-27 at 22:48.

  3. #113
    AplusWebMaster

    Bogus BBB emails spread Zbot

    FYI...

    Bogus BBB emails spread Zbot...
    - http://www.hotforsecurity.com/blog/n...zbot-5135.html
    Jan 25, 2013 - "... Better Business Bureau spam campaign.... the e-mails infect people with a Trojan that steals sensitive information from recipients... the BBB attack consists of a message supposedly from the Better Business Bureau telling recipients that a business customer has filed a formal complaint against them. The bogus e-mail invites the recipient to reply and mend the situation, but not before they open the attached document that, depending on the campaign, hides a downloader, a password stealer, and a BlackHole component. The subject line of these messages generally read: “complaint report,” “complaint ID,” “case” and a set of random digits. The bogus e-mails used in the January campaign carry as an attachment a zip file named “case” and arbitrary signs that hide a password stealer and a downloader of ZBot – identified by Bitdefender as Trojan.Generic.KD.835502. To make it more believable, attackers deliver the exe file with the Adobe Reader icon, so if file extensions are hidden by the operating system, chances are you’ll mistake it for a PDF document...
    > http://www.hotforsecurity.com/wp-con...er-of-ZBot.png
    ZBot is a banker Trojan that steals e-banking information and logs keystrokes, but also has some limited backdoor and proxy features that allow its masters to take control of the machine. Crooks seem to find the BBB scam highly rewarding, as they refresh it several times a year since it was first spotted in 2010. It was November 2012 when Bitdefender anti-spam lab signaled another huge wave of BBB scam spreading Trojan.Generic.8271699, a downloader awfully similar to the infamous BlackHole exploit pack... Organizations such as the Better Business Bureau NEVER send complaints via e-mail with attachments and links, exactly to avoid frauds. EXE files are a big no-no in e-mail messages. In fact, they are so dangerous that no company will e-mail you this kind of attachment. If your e-mail messages carry an exe file, just get rid of it..."
    ___

    Super Bowl Scams ...
    - https://www.bbb.org/blog/2013/01/don...er-bowl-scams/
    Jan 22, 2013 - "... be on the alert for knock-off team jerseys, counterfeit memorabilia and phony game tickets... Tickets for the big game can be an even bigger rip-off. There are thousands of Super Bowl tickets currently listed on Craig’s List, but the site offers no guarantees of any kind and does not require identification of its listers. Buying in person isn’t always an improvement, as it’s gotten easier and easier for scammers to make fake tickets that look real... In general, avoid scams by being -skeptical- of:
    • Offers that sound “too good to be true”
    • Pushy sales tactics
    • Poor quality of merchandise
    • Offers that require wire transfer of funds ..."
    More: https://www.bbb.org/blog/
    ___

    Phishing Scams use Facebook Info for Personalized SPAM
    - https://www.bbb.org/blog/2013/01/new...onalized-spam/
    Jan 25, 2013 - "... scammers are exploiting the fact that you’re more likely to click on a link if it was sent by a friend. Scammers find your information through Facebook or other social media accounts. Some set up fake accounts and send out friend requests. When you accept the request, they can view your friends and personal and contact information. Other scammers rely on social media users not locking down their privacy settings*, so basic information, such as your name, email address and friends’ names, is publicly available..."
    * http://www.facebook.com/help/392235220834308/

    Last edited by AplusWebMaster; 2013-01-27 at 18:53.

  4. #114
    AplusWebMaster

    Bogus Paypal emails lead to BlackHole Exploit Kit

    FYI...

    Bogus Paypal emails lead to BlackHole Exploit Kit
    - http://blog.webroot.com/2013/01/28/b...e-exploit-kit/
    Jan 28, 2013 - "... Over the past 24 hours, cybercriminals have launched yet another spam campaign, impersonating PayPal, in an attempt to trick its users into thinking that they’ve received a “Transaction Confirmation”, which in reality they never really made. Once users click on -any- of the links found in the malicious emails, they’re exposed to the client-side exploits served by the Black Hole Exploit Kit...
    Sample screenshot of the spamvertised email:
    > https://webrootblog.files.wordpress....xploit_kit.png
    ... Malicious domain name reconnaissance:
    duriginal .net – 222.238.109.66 – Email: blackchromedesign2 @ymail .com
    Name server: NS1.HTTP-PAGE .NET – 31.170.106.17 – Email: ezvalue @yahoo .com
    Name server: NS2.HTTP-PAGE .NET – 7.129.51.158 – Email: ezvalue @yahoo .com
    The campaign shares the same infrastructure... three of these campaigns have been launched by the same malicious party.
    Upon successful client-side exploitation, the campaign drops MD5: 423daf9994d552ca43f8958634ede6ee * ...Trojan-Spy.Win32.Zbot.ilmw..."
    (More detail at the webroot URL above.)
    * https://www.virustotal.com/file/56af...e199/analysis/
    File name: contacts.exe
    Detection ratio: 25/46
    Analysis date: 2013-01-28
    ___

    Zbot sites to block - 28/1/13
    - http://blog.dynamoo.com/2013/01/zbot...ock-28113.html
    28 Jan 2013 - "These domains and IPs are currently acting as C&C and distribution servers for Zbot. I would advise blocking these IPs and domains if you can. There are three parts to the list: IPs with hosting company names, plain IPs for copy-and-pasting and domains identified on these servers..."
    (Long list at the dynamoo URL above.)
    ___

    Fake Facebook SPAM / gonita .net
    - http://blog.dynamoo.com/2013/01/most...book-spam.html
    28 Jan 2013 - "This fake Facebook spam leads to malware on gonita .net:
    Date: Mon, 28 Jan 2013 17:30:50 +0100
    From: "Facebook" [addlingabn2 @bmatter .com]
    Subject: Most recent events on Facebook
    facebook
    Hi [redacted],
    You have disabled your Facebook account. You can reveal your account whenever you wish by logging into Facebook with your old login email address and password. After that you will be able to enjoy the site in the same way as before.
    Kind regards,
    The Facebook Team
    Log in to Facebook and start connecting
    Sign in
    Please use the link below to resume your account :
    http ://www.facebook .com/resume/
    This message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future, please click: unsubscribe.
    Facebook, Inc. Attention: Department 419 P.O Box 10007 Palo Alto CA 94301


    The malicious payload is at [donotclick]gonita .net/detects/sign_on_to_resume.php (report here) hosted on the well-known IP of 222.238.109.66 (Hanaro Telecom, Korea)... malicious domains are active on the same IP..."

    Last edited by AplusWebMaster; 2013-01-29 at 00:15.
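
    Posts #111, #112 and #114 keep running into the same hosting: 94.23.3.196 and 202.72.245.146 sit behind epimarkun .ru, eziponoma .ru and dfudont .ru, 222.238.109.66 carries vespaboise .net, duriginal .net and gonita .net, and the two DomainDossier lookups show dfudont .ru shedding an IP between Jan 25 and Jan 27. That "very familiar IP" reasoning is easy to mechanise. The script below is an added example, not code from the posts or from Dynamoo, Webroot or Symantec: it takes the dated resolutions transcribed from those posts, groups domains that share an IP (union-find), reports IPs reused across campaigns as the "block the IP" candidates the posts recommend, and diffs successive resolutions of one domain. The cap on how many domains an IP may carry before it stops being a pivot is an assumption; without it a shared host or CDN would glue unrelated sites into one cluster.

```python
"""Pivot on shared hosting to group the campaigns quoted in this thread.

Added example, not code from the original posts or from the blogs they quote.
The observations are transcribed from the resolutions reported in posts #111,
#112 and #114 (dates as given there); MAX_SHARED is an assumption.
"""
from collections import defaultdict

# (date, domain, {ips}) as reported in the posts above.
OBSERVATIONS = [
    ("2013-01-24", "epimarkun.ru",        {"50.31.1.104", "94.23.3.196", "202.72.245.146"}),
    ("2013-01-24", "14.sofacomplete.com", {"73.246.103.26"}),
    ("2013-01-25", "eziponoma.ru",        {"94.23.3.196", "195.210.47.208", "202.72.245.146"}),
    ("2013-01-25", "vespaboise.net",      {"222.238.109.66"}),
    ("2013-01-25", "dfudont.ru",          {"94.23.3.196", "195.210.47.208", "202.72.245.146"}),
    ("2013-01-27", "dfudont.ru",          {"195.210.47.208", "202.72.245.146"}),
    ("2013-01-28", "duriginal.net",       {"222.238.109.66"}),
    ("2013-01-28", "gonita.net",          {"222.238.109.66"}),
]

# An IP carrying more domains than this is treated as shared hosting, not a pivot (assumption).
MAX_SHARED = 20


def ip_index(observations):
    """Map each IP to the set of domains ever seen resolving to it."""
    idx = defaultdict(set)
    for _, domain, ips in observations:
        for ip in ips:
            idx[ip].add(domain)
    return idx


def cluster(observations, max_shared=MAX_SHARED):
    """Union-find over domains: two domains join when they share a pivot-worthy IP."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    def union(a, b):
        parent[find(a)] = find(b)

    for ip, domains in ip_index(observations).items():
        if len(domains) > max_shared:
            continue
        first, *rest = sorted(domains)
        for d in rest:
            union(first, d)
    groups = defaultdict(set)
    for domain in {d for _, d, _ in observations}:
        groups[find(domain)].add(domain)
    return sorted((sorted(g) for g in groups.values()), key=lambda g: g[0])


def churn(observations, domain):
    """(from_date, to_date, added_ips, dropped_ips) between successive resolutions of a domain."""
    series = sorted(((date, ips) for date, d, ips in observations if d == domain), key=lambda t: t[0])
    return [(d0, d1, sorted(ips1 - ips0), sorted(ips0 - ips1))
            for (d0, ips0), (d1, ips1) in zip(series, series[1:])]


def reused_ips(observations, min_domains=2):
    """IPs seen under more than one domain: the posts' 'block the IP, not just the domain' cases."""
    return {ip: sorted(ds) for ip, ds in ip_index(observations).items() if len(ds) >= min_domains}


if __name__ == "__main__":
    for group in cluster(OBSERVATIONS):
        print("cluster:", ", ".join(group))
    for ip, domains in sorted(reused_ips(OBSERVATIONS).items()):
        print("reused IP:", ip, "->", ", ".join(domains))
    for d0, d1, added, dropped in churn(OBSERVATIONS, "dfudont.ru"):
        print(f"dfudont.ru {d0} -> {d1}: added {added}, dropped {dropped}")
```

    With the page's data this yields three clusters (the Russian-domain Blackhole/Cridex set, the 222.238.109.66 Zbot set, and 14.sofacomplete .com on its own) and shows 94.23.3.196 dropping out of dfudont .ru's resolutions between the two lookups, which matches the country/AS change in the second DomainDossier result. Lowering max_shared to 2 splits the clusters apart, which is the trade-off to keep in mind: the tighter the cap, the fewer false joins, but the more of the real overlap you miss.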

  5. #115
    AplusWebMaster

    Fake FedEx, Intelius SPAM...

    FYI...

    Intelius SPAM (or is it a data breach?)
    - http://blog.dynamoo.com/2013/01/inte...ta-breach.html
    30 Jan 2013 - "This spam was sent to an email address only used to register for intelius.com . Either there has been a data breach at Intelius, or they have decided to go into the gambling business.
    From: Grand Palace Slots [no-reply @tsm -forum .net]
    Date: 30 January 2013 10:39
    Subject: Try to play slots - 10$ free
    Mailed-By: tsm-forum .net
    Feel the unique excitement of playing at the world's premiere games!
    Grand Palace gives you welcome package for slots up to 8,000$! What a fantastic offer, straight from the heart of World's gaming leader!
    This is a great offer, especially when you see what else Grand Palace has to offer:
    - US players welcome
    - more than 100 fun games, realistic graphics
    - the most secure and up-to-date software
    - professional support staff to help you with whatever you might need, any time of the day or night!
    And in the end we want to give you 10$ absolutelly free! (Use code CASH10)
    Hurry up! Your free Grand Palace cash is waiting! Play Today!
    http ://www .igrandpalacegold .com
    Click here to opt out of this email:
    http ://unsubscribe .igrandpalacegold .com


    The originating IP is 176.200.202.100 (Telecom Italia, Italy), spamvertised site is www .igrandpalacegold .com on 91.217.52.125 (Fajncom SRO, Czech Republic)... I'm assuming that Intelius doesn't want to promote what would be illegal gambling for US citizens, which really leads just one other option.."
    ___

    Fake FedEx emails lead to BlackHole Exploit Kit
    - http://blog.webroot.com/2013/01/29/f...e-exploit-kit/
    Jan 29, 2013 - "... Cybercriminals are currently mass mailing tens of thousands of emails impersonating the company, in an attempt to trick its customers into clicking on exploits and malware dropping links found in the legitimate-looking emails...
    Sample screenshot of the spamvertised email:
    > https://webrootblog.files.wordpress....xploit_kit.png
    ... Malicious domain name reconnaissance:
    vespaboise.net – 222.238.109.66 – Email: blackchromedesign2 @ymail .com
    Name Server: NS1.HTTP-PAGE .NET
    Name Server: NS2.HTTP-PAGE .NET
    ... Upon successful client-side exploitation, the FedEx themed campaign drops MD5: c2f72ff5b0cf4dec4ce33e4cc65796b1 * ...PWS:Win32/Zbot.gen!AM.
    ... It also attempts to connect to the following IPs:
    14.96.171.173, 64.219.114.114, 68.49.120.165, 70.50.58.41, 70.136.9.2, 71.42.56.253,
    71.43.217.3, 72.218.14.223, 76.219.198.177, 80.252.59.142, 83.111.92.83, 87.5.135.46,
    87.203.87.232, 98.71.136.168, 98.245.242.245, 108.83.233.190, 115.133.156.53,
    151.66.19.166, 194.94.127.98, 206.45.59.85
    ..."
    (More detail at the webroot URL above.)
    * https://www.virustotal.com/file/1e89...d1df/analysis/
    File name: calc.exe
    Detection ratio: 24/46
    Analysis date: 2013-01-30
    ___

    Malicious Spam Emails Target Nightclub Disaster in Santa Maria
    - http://www.symantec.com/connect/blog...er-santa-maria
    Jan 30, 2013 - "... spammers are distributing malicious emails that attempt to lure users into viewing a video of the incident that killed 233 people recently in a horrific tragedy at a popular nightclub in Santa Maria, Brazil. The malicious email is in Portuguese and invites unsuspecting users to click on a link to watch a video of the tragedy. The link provided in the email downloads a zip file containing a malicious control panel file as well as an executable file. Symantec detects this threat as Trojan Horse. Further analysis of the malicious file shows that the threat creates the following file:
    %SystemDrive%\ProgramData\ift.txt
    It also alters the registry entries for Internet Explorer. The threat then downloads an IE configuration file from a recently registered domain. Trojan Horse is usually a backdoor Trojan, downloader, or an infostealer. Samples of the spam emails are shown below (Figures 1 and 2). The email has the following characteristics:
    Subject: Video mostra momento exato da tragedia em Santa Maria no Rio Grande Do Sul segunda-feira, 28 de janeiro de 2013
    Subject: VIDEO DO ACIDENTE DA BOATE DE SANTA MARIA RS.
    Translation: Video shows the beginning of the tragedy in Santa Maria, Rio Grande Do Sul Monday, January 28, 2013
    Translation: Video of the Nightclub accident in Santa Maria RS
    1) https://www.symantec.com/connect/sit...terSpam1_0.png
    2) https://www.symantec.com/connect/sit...terSpam2_0.png
    Users are advised to exercise caution when looking for videos, images, and news of recent popular events. Do not click on suspicious links or open attachments received in unsolicited emails. Keep your security software up-to-date in order to protect your information from online viruses and scams."
    ___

    Fake FDIC SPAM / 1wstdfgh.organiccrap .com
    - http://blog.dynamoo.com/2013/01/fdic...iccrapcom.html
    30 Jan 2013 - "Here's a slightly new spin on old spam, leading to malware on 1wstdfgh.organiccrap .com:
    Date: Wed, 30 Jan 2013 16:16:32 +0200
    From: "Тимур.Носков @fdic .gov" [midshipmanc631 @buprousa .com]
    Subject: Important notice from FDIC
    Attention!
    Due to the adoption of a new security system, that is aimed at diminishing the number of cases of fraud and scams, all your ACH and WIRE transactions will be temporarily blocked until your security version meets the new requirements.. In order to restore your ability to make transactions, you are required to install a special security software. Please use the link below to download and install all the necessary files.
    We apologize for causing you troubles by this measure.
    If you need any assistance, please do not hesitate to contact us.
    Sincerely yours,
    Federal Deposit Insurance Corporation
    Security Department


    The link in the email goes through a legitimate hacked site (in this case [donotclick]www.edenespinosa .com/track .php?fdic) to the amusingly named [donotclick]1wstdfgh.organiccrap .com/closest/984y3fh8u3hfu3jcihei .php (report here*) hosted on 91.218.121.86 (CoolVDS / Kutcevol Maksum Mukolaevichm, US) which hosts the following suspect domains that you might want to block:
    1wstdfgh.organiccrap .com
    23v4tn6dgdr.organiccrap .com
    v446numygjsrg.mymom .info
    3vbtnyumv.ns02 .us
    crvbhn7jbtd.mywww .biz "
    * http://urlquery.net/report.php?id=891059

    Last edited by AplusWebMaster; 2013-01-30 at 17:59.
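
    The two Webroot write-ups in this thread (the LinkedIn campaign in post #111 and the FedEx one above) describe what the dropped Zbot sample does on the host: an executable under %AppData%\Bytaa\yjdoly.exe, a key at HKEY_CURRENT_USER\Software\Microsoft\Rekime, and a burst of UDP connections to a spread of residential-looking IPs on high ports. Those are the artifacts a SOC would turn into detections. The script below is an added example, not code from the posts or from Webroot: it runs two tiers of logic over endpoint telemetry, exact matches on the quoted indicators and the generic shapes behind them (an .exe launched from a fresh folder under AppData\Roaming, a short random-looking subkey directly under HKCU\Software\Microsoft, one process fanning out UDP to many public peers on ephemeral ports). The event records are constructed; field names follow Sysmon (event 1 process create, 3 network connect, 12/13 registry) but the record layout, the fan-out threshold and the allowlist of legitimate Microsoft subkeys are assumptions for the example.

```python
"""Flag the Zbot host artifacts quoted above in Sysmon-style endpoint events.

Added example, not code from the original posts or from Webroot. The specific
paths, keys and IP:port pairs are the ones quoted in the thread; the event
records, the fan-out threshold and ALLOWED_MS_SUBKEYS are assumptions.
"""
import ipaddress
import re
from collections import defaultdict

# Indicators quoted in the posts (Zbot.ihgm UDP peers, FedEx-campaign peers, file and key).
KNOWN_UDP_PEERS = {
    ("177.1.100.2", 11709), ("190.33.36.175", 11404), ("213.109.254.122", 29436),
    ("41.69.182.117", 29817), ("64.219.114.114", 13503), ("161.184.174.65", 14545),
    ("93.177.174.72", 10119), ("69.132.202.147", 16149),
}
KNOWN_PEER_IPS = {"14.96.171.173", "64.219.114.114", "68.49.120.165", "70.50.58.41"}
KNOWN_REG_KEYS = {r"HKEY_CURRENT_USER\Software\Microsoft\Rekime"}
KNOWN_IMAGES = {r"\AppData\Roaming\Bytaa\yjdoly.exe"}   # %AppData% expands to ...\AppData\Roaming

# Generic shapes behind those indicators (assumptions; tune to your estate).
APPDATA_EXE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\roaming\\[^\\]+\\[^\\]+\.exe$", re.I)
HKCU_MS_SUBKEY = re.compile(r"^HKEY_CURRENT_USER\\Software\\Microsoft\\([A-Za-z]{4,8})(?:\\[^\\]+)?$")
ALLOWED_MS_SUBKEYS = {"Windows", "Office", "Cryptography", "Speech", "Wisp"}  # baseline from clean hosts
UDP_FANOUT_THRESHOLD = 5      # distinct public peers on ephemeral ports from one process
EPHEMERAL_PORT = 10000

# Constructed Sysmon-like records: one infected process (pid 2240) and one benign browser (pid 3100).
EVENTS = [
    {"EventID": 1, "ProcessId": 2240, "Image": r"C:\Users\alice\AppData\Roaming\Bytaa\yjdoly.exe"},
    {"EventID": 1, "ProcessId": 3100, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe"},
    {"EventID": 12, "ProcessId": 2240, "TargetObject": r"HKEY_CURRENT_USER\Software\Microsoft\Rekime"},
    {"EventID": 13, "ProcessId": 3100,
     "TargetObject": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Firefox"},
    *[{"EventID": 3, "ProcessId": 2240, "Protocol": "udp", "DestinationIp": ip, "DestinationPort": port}
      for ip, port in [("177.1.100.2", 11709), ("190.33.36.175", 11404), ("213.109.254.122", 29436),
                       ("41.69.182.117", 29817), ("64.219.114.114", 13503), ("161.184.174.65", 14545)]],
    {"EventID": 3, "ProcessId": 3100, "Protocol": "udp", "DestinationIp": "8.8.8.8", "DestinationPort": 53},
    {"EventID": 3, "ProcessId": 3100, "Protocol": "udp", "DestinationIp": "192.168.1.20", "DestinationPort": 13503},
]


def detect(events):
    """Return (severity, rule, detail) tuples; at most one alert per event plus fan-out alerts."""
    alerts = []
    fanout = defaultdict(set)
    for ev in events:
        eid = ev["EventID"]
        if eid == 1:
            image = ev["Image"]
            if any(image.lower().endswith(k.lower()) for k in KNOWN_IMAGES):
                alerts.append(("high", "zbot_known_image", image))
            elif APPDATA_EXE.match(image):
                alerts.append(("medium", "exe_from_appdata", image))
        elif eid in (12, 13):
            key = ev["TargetObject"]
            if any(key == k or key.startswith(k + "\\") for k in KNOWN_REG_KEYS):
                alerts.append(("high", "zbot_known_regkey", key))
            else:
                m = HKCU_MS_SUBKEY.match(key)
                if m and m.group(1) not in ALLOWED_MS_SUBKEYS:
                    alerts.append(("medium", "random_hkcu_microsoft_subkey", key))
        elif eid == 3 and ev.get("Protocol") == "udp":
            ip, port = ev["DestinationIp"], int(ev["DestinationPort"])
            if (ip, port) in KNOWN_UDP_PEERS or ip in KNOWN_PEER_IPS:
                alerts.append(("high", "zbot_known_peer", f"{ip}:{port}"))
            if port >= EPHEMERAL_PORT and ipaddress.ip_address(ip).is_global:
                fanout[ev["ProcessId"]].add(ip)
    for pid, peers in fanout.items():
        if len(peers) >= UDP_FANOUT_THRESHOLD:
            alerts.append(("medium", "udp_peer_fanout", f"pid {pid}: {len(peers)} distinct public UDP peers"))
    return alerts


if __name__ == "__main__":
    for severity, rule, detail in detect(EVENTS):
        print(f"[{severity}] {rule}: {detail}")
```

    The exact-match tier is brittle by design: the next build of the sample picks a different folder, key and peer list, which is why the generic tier exists, and why the generic tier needs a baseline (the allowlist here stands in for one) before it is promoted past "medium". The fan-out rule is the one that survives longest, because the peer-to-peer churn the post lists is behaviour, not a string.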

  6. #116
    AplusWebMaster

    Fake Facebook, FDIC emails serve malware links...

    FYI...

    Fake FDIC SPAM / 123435jynfbdf.myWWW .biz
    - http://blog.dynamoo.com/2013/01/fdic...fmywwwbiz.html
    31 Jan 2013 - "More FDIC themed spam, leading to a malicious payload on the same IP as this one:
    From: ".Афанасьев @fdic .gov" [mailto:dickysmv341 @homesextapes .com]
    Sent: 30 January 2013 15:03
    Subject: Changing security requirements
    Importance: High
    Dear Sirs,
    In connection with the introduction of a new security system for the purpose of preventing new cases of wire fraud, all your account ACH and WIRE transactions will be temporarily blocked unless the special security requirements are met.. In order to fully re-establish your account, you are asked to install a special security software. Please open the link below to download and install the latest security version.
    We apologize for the inconveniences caused to you by this measure.
    Please do not hesitate to contact us if you have any questions.
    Yours faithfully,
    Federal Deposit Insurance Corporation
    Security Department


    In this case the malicious payload is at [donotclick]123435jynfbdf.myWWW .biz./closest/984y3fh8u3hfu3jcihei.php and is hosted on 91.218.121.86 (CoolVDS / Kutcevol Maksum Mukolaevichm, US). At the moment the following domains seem to be active:
    123435jynfbdf.myWWW .biz
    1wstdfgh.organiccrap .com
    23v4tn6dgdr.organiccrap .com
    v446numygjsrg.mymom .info
    1wvrbtnytjtyjj.mymom .info
    1ewgthytj.mymom .info
    3vbtnyumv.ns02 .us
    crvbhn7jbtd.mywww .biz
    1dfcsdbnhgnnh.mywww .biz
    13rehjkfr.mywww .biz
    ___

    Malicious “Facebook Account Cancellation Request” themed emails serve client-side exploits and malware
    - http://blog.webroot.com/2013/01/31/m...s-and-malware/
    Jan 31, 2013 - "In December, 2012, we intercepted a professional-looking email that was impersonating Facebook Inc. in an attempt to trick its users into thinking that they’ve received an “Account Cancellation Request”. In reality, once users clicked on the links, their hosts were automatically exploited through outdated and already patched client-side vulnerabilities, which dropped malware on the affected PCs. Over the past 24 hours, cybercriminals have resumed spamvertising tens of thousands of legitimate-looking Facebook themed emails, once again using the same social engineering theme...
    Sample screenshot of the spamvertised email:
    > https://webrootblog.files.wordpress....ts_malware.png
    ... Sample client-side exploits served: CVE-2010-0188; CVE-2011-3544; CVE-2010-0840
    ... Malicious domain name reconnaissance:
    kidstoytowers .com – 62.75.181.220 – responding to the same IP is also the following domain – dailyfrontiernews .com
    Upon successful client-side exploitation, the campaign drops MD5: 9356fcd388b4bae53cad7aea4127d966 * ...W32/Injector.YMS!tr..."
    (More detail at the webroot URL above.)
    * https://www.virustotal.com/file/d97f...5cbd/analysis/
    File name: test53356736863192.bin
    Detection ratio: 3/46
    Analysis date: 2013-01-28
    ___

    Fake American Airlines email
    - http://msmvps.com/blogs/spywaresucks...5/1823091.aspx
    Jan 25 2013 - "This is -not- a real American Airlines / American Eagle email:
    > http://msmvps.com/cfs-filesystemfile...0_380EFE9A.png
    These types of spoof emails still work, fooling too many people. As always, if you hover your mouse cursor over the hyperlink it becomes easy to tell that the email is not legitimate.
    > http://msmvps.com/cfs-filesystemfile...0_21200751.png
    ___

    Dear Facebook, this change sucks
    - http://msmvps.com/blogs/spywaresucks...3/1822008.aspx
    Jan 3 2013 - "1. I don’t want to receive emails (aka most likely SPAM) from strangers.
    > http://msmvps.com/cfs-filesystemfile...0_15139385.png
    2. Your “control who can send you messages” link is broken.
    > http://msmvps.com/cfs-filesystemfile...0_7E249C3B.png

    > http://msmvps.com/cfs-filesystemfile...0_2B09D94A.png
    Filed under: I ain't happy about this*...
    * http://msmvps.com/blogs/spywaresucks..._/default.aspx

    Last edited by AplusWebMaster; 2013-02-01 at 03:45.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  7. #117
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Thumbs down Fake Photo, Booking SPAM ...

    FYI...

    Fake Booking .com ‘Credit Card was not Accepted’ emails lead to malware
    - http://blog.webroot.com/2013/02/01/f...ad-to-malware/
    Feb 1, 2013 - "Cybercriminals are mass mailing tens of thousands of emails, impersonating Booking .com, in an attempt to trick its users into thinking that their credit card was not accepted. Users are then urged to click on a fake “Print Booking Details” link, which leads them to the malware used in the campaign...
    Sample screenshot of the spamvertised email:
    > https://webrootblog.files.wordpress....am_malware.png
    ... Sample detection rate for the malicious executable: MD5: 75db84cfb0e1932282433cdb113fb689 * ... TrojanDownloader:Win32/Kuluoz.B...
    Once executed, the sample phones back to the following command and control (C&C) servers:
    ...
    More malware variants are known to have phoned back to the same IPs..."
    (More detail at the webroot URL above.)
    * https://www.virustotal.com/file/1fcc...is/1359641226/
    File name: BookingInfo.exe
    Detection ratio: 26/46
    Analysis date: 2013-01-31
    ___

    Fake Photo SPAM / eghirhiam .ru
    - http://blog.dynamoo.com/2013/02/phot...hirhiamru.html
    1 Feb 2013 - "Here's a tersely-worded Photos spam leading to malware on eghirhiam .ru:
    Subject: Photos

    Good day,
    your photos here http: //www.jonko .com/photos.htm


    As is usually the case, the malware -bounces- through a legitimate hacked site and in this case ends up at [donotclick]eghirhiam .ru:8080/forum/links/public_version.php (report here) hosted on:
    82.148.98.36 (Qatar Telecom, Qatar)
    195.210.47.208 (PS Internet Company Ltd, Kazakhstan)
    202.72.245.146 (Railcom, Mongolia)
    The following IPs and domains are all related and should be blocked:
    ..."
    ___

    Something evil on 50.116.40.194
    - http://blog.dynamoo.com/2013/02/some...011640194.html
    1 Feb 2013 - "50.116.40.194 (Linode, US) is hosting the Blackhole Exploit Kit (e.g. [donotclick]14.goodstudentloans .org/read/walls_levels.php - report here*) and seems to have been active in the past 24 hours. I can see two domains at present, although there are probably many more ready to go:
    14.goodstudentloans .org
    14.mattresstoppersreviews .net"
    * http://urlquery.net/report.php?id=903191

    Last edited by AplusWebMaster; 2013-02-01 at 18:37.

  8. #118

    Thumbs down Fake pharma SPAM and more...

    FYI...

    Fake StumbleUpon SPAM / drugstorepillstablets .ru
    - http://blog.dynamoo.com/2013/02/stum...tabletsru.html
    4 Feb 2013 - "This fake StumbleUpon spam is something new, it leads to a fake pharma site on drugstorepillstablets .ru:
    Date: Mon, 4 Feb 2013 01:01:46 -0600 (CST)
    From: StumbleUpon [no-reply @stumblemail .com]
    Subject: Update: Changes to Your Email Settings
    Hi [redacted],
    This is a quick note to let you know about some changes we've made to the email settings in your StumbleUpon account. We've created a bunch of new notification options that allow you to have more control over what types of emails you'll receive from us. These new notification options are not compatible with the old settings, so your settings have been reset. We apologize for any inconvenience, and want to make sure we only send you the emails you want to receive.
    Now what? Please click here to head over to your email settings and update your preferences, so we know exactly what emails you'd like to receive from StumbleUpon.
    Want to receive all notifications about shares from friends, recommended Stumbles, and more? Great, you don't have to do anything at all!
    Thanks for Stumbling,
    The StumbleUpon Team
    P.S. Haven't signed in for a while and can't remember your password? You can reset it here by entering the email address used in this email.
    Please don't reply to this message - for all questions, check out our Help Center. To visit your email settings, please click here.
    StumbleUpon | 301 Brannan Street, 6th Floor, San Francisco, CA 94107


    There's no surprise to see that the IP address of the spamvertised site is 92.48.119.139 (Simply Transit, UK)..."
    (More detail at the dynamoo URL above.)
    ___

    Something evil on 108.61.12.43 and 212.7.192.100
    - http://blog.dynamoo.com/2013/02/some...11243-and.html
    4 Feb 2013 - "A few sites worth blocking on 108.61.12.43 (Constant Hosting, US) courtesy of Malware Must Die*:
    helloherebro .com
    painterinvoice .ru
    painterinvoicet .ru
    immediatelyinvoicew .ru
    While you are at it, you might like to block 212.7.192.100** (Dediserv, Netherlands) as well."
    * http://malwaremustdie.blogspot.co.uk...ploit-kit.html

    ** http://malwaremustdie.blogspot.co.uk...-infector.html
    ___

    Phytiva / XCHC pump-and-dump SPAM
    - http://blog.dynamoo.com/2013/02/phyt...-and-dump.html
    4 Feb 2013 - "This pump-and-dump spam (at least I assume that's what it is) caught my eye:
    From: Hugh Crouch [tacticallyf44 @riceco .com]
    Date: 4 February 2013 12:39
    Subject: RE: Targeting the global Cosmoceutical market
    US leading biotech company is please to introduce a newly launched brand - a hybrid of a proven, existing product line that has been well-managed and conservatively-run for over a decade with a hemp-based product line, utilizing the unique and potent benefits of the plants. Revolutionary formulations target not just the symptom, but also the cause. The plant is the ideal basis for healing solutions and has been utilized for centuries, as skin responds extremely well to its properties.
    Its newest Plant based Product lines that have identified over a dozen ailments that we believe that the products will be the superior choice on the market. These ailments include cancer, arthritis, influenza, HIV/ AIDS, PTSD and many more.
    We are looking for leading beauty and health care investors. If you are dedicated to making difference in people”s lives, we need your help now more than ever before toprovide excellent and efficient medical and health care for our future researches.
    For more information, please visit
    You can unsubscribe from all our future email communications at


    The email originates from 31.25.91.159 in the Islamic Republic of Iran, spamvertising a site at www .xn--80aakfmpm2afbm .xn--p1ai (yes, that's a valid international domain name) hosted on 111.123.180.11 in China. In all likelihood, Phytiva and its parent company The X-Change Corporation (stock ticker XCHC) are almost definitely nothing to do with this rather odd spam. Avoid."
    ___

    Fake FedEx emails lead to malware
    - http://blog.webroot.com/2013/02/04/f...ad-to-malware/
    Feb 4, 2013 - "... the digital fingerprint of one of the most recently introduced malware variants used in the campaign corresponds to the digital fingerprint of a malware-serving campaign that we’ve already profiled, indicating that they’ve been launched by the same cybercriminal/gang of cybercriminals...
    Sample screenshot of the spamvertised email:
    > https://webrootblog.files.wordpress....il_malware.png
    ... Detection rate for the malware variants distributed over the past 24 hours:
    MD5: bf061265407ea1f7c21fbf5f545c4c2b * ...PAK_Generic.001
    The campaign is ongoing, so watch what you click on!..."
    (More detail at the websense URL above.)
    * https://www.virustotal.com/file/603b...a2a2/analysis/
    File name: ukjlbkma.exe
    Detection ratio: 30/46
    Analysis date: 2013-02-04
    ___

    - http://tools.cisco.com/security/cent...utbreak.x?i=77
    Fake Tax Documents Notification E-mail Messages - February 04, 2013
    Fake Apple Coupon Offer E-mail Messages - February 04, 2013
    Malicious Attachment E-mail Message - February 04, 2013
    Fake Product Order Request E-mail Messages - February 04, 2013
    Fake Portuguese Money Deposit E-mail Messages - February 04, 2013
    Fake Purchase Order Notification E-mail Messages - February 04, 2013
    Fake Product Order E-mail Message - February 04, 2013
    Fake Telegraphic Transfer E-mail Messages - February 04, 2013
    Fake Money Transfer Notification E-mail Messages - February 04, 2013
    Malicious Personal Photograph Attachment E-mail Messages - February 04, 2013
    Malicious Personal Pictures Attachment E-mail Messages - February 04, 2013
    Fake Xerox Scan Attachment E-mail Messages - February 04, 2013
    (More detail and links at the cisco URL above.)

    Last edited by AplusWebMaster; 2013-02-05 at 02:38.

  9. #119

    Thumbs down Fake Amazon emails lead to BlackHole...

    FYI...

    Fake ‘Your Kindle e-book Amazon receipt’ emails lead to BlackHole Exploit Kit
    - http://blog.webroot.com/2013/02/05/y...e-exploit-kit/
    5 Feb 2013 - "Kindle owners, watch what you click on! Cybercriminals are currently attempting to trick Kindle owners into thinking that they’ve received a receipt from an E-book purchase from Amazon .com. In reality, when users click on -any- of the links found in the malicious emails, they’re automatically exposed to the client-side exploits served by the Black Hole Exploit Kit...
    Sample screenshot of the spamvertised email:
    > https://webrootblog.files.wordpress....xploit_kit.png
    ... Malicious domain name reconnaissance:
    starsoftgroup.net – 175.121.229.209; 198.144.191.50 – Email: wondermitch @hotmail .com
    Name Server: NS1.HTTP-PAGE .NET
    Name Server: NS2.HTTP-PAGE .NET
    We’ve already seen the same name servers used in the following previously profiled campaigns, indicating that they’ve been launched by the same cybercriminals... Upon successful client-side exploitation, the campaign drops MD5: 13d23f4c1eb1d4d3841e2de50b1948cc * ... UDS:DangerousObject.Multi.Generic...
    Upon execution, the sample also phones back to the following C&C servers:
    We’ve already seen the same pseudo-random C&C communication characters (DPNilBA) used... As well as the same C&C server IPs (173.201.177.77; 210.56.23.100; 180.235.150.72) ...
    (More detail at the webroot URL above.)
    * https://www.virustotal.com/file/74bd...e6a2/analysis/
    File name: DWIntl20.Dll
    Detection ratio: 7/46
    Analysis date: 2013-02-04
    ___

    Free Disneyland Tickets Survey SCAM
    - http://www.hoax-slayer.com/disneylan...vey-scam.shtml
    Feb 5, 2013
    Outline: Various -Facebook- messages claim that users can receive free tickets to Disneyland by liking and sharing a picture and participating in online surveys.
    Brief Analysis: The supposed giveaways are scams designed to trick people into spamming their friends and participating in -bogus- online surveys. No matter how many surveys they complete, participants will -never- receive the promised Disneyland tickets. These offers are not endorsed by and have no connection to Disney. If you receive one of these messages, do not click any links that it contains.
    > http://www.hoax-slayer.com/images/di...ckets-scam.jpg
    ___

    Fake Amazon .com SPAM / salam-tv .com
    - http://blog.dynamoo.com/2013/02/amaz...lam-tvcom.html
    5 Feb 2013 - "This fake Amazon email leads to malware on salam-tv .com:
    Date: Tue, 5 Feb 2013 18:32:06 +0100
    From: "Amazon.com Orders" [no-reply @amazon .com]
    Subject: Your Amazon.com order receipt.
    Click here if the e-mail below is not displayed correctly.
    Follow us:
    Your Amazoncom Today's Deals See All Departments
    Dear Amazon.com Customer,
    Thanks for your order, [redacted]!
    Did you know you can view and edit your orders online, 24 hours a day? Visit Your Account.
    Order Details:
    E-mail Address: [redacted]
    Billing Address:
    1170 CROSSING CRK N Rd.
    Fort Wayne OH 49476-1748
    United States
    Phone: 1- 749-787-0001
    Order Grand Total: $ 91.99
    Earn 3% rewards on your Amazon .com orders with the Amazon Visa Card. Learn More
    Order Summary:
    Details:
    Order #: C59-2302433-5787713
    Subtotal of items: $ 91.99
    Total before tax: $ 91.99
    Tax Collected: $0.00
    Grand Total: $ 90.00
    Gift Certificates: $ 1.99
    Total for this Order: $ 91.99
    Find Great Deals on Millions of Items Storewide
    We hope you found this message to be useful. However, if you'd rather not receive future e-mails of this sort from Amazon.com, please opt-out here.
    2012 Amazon.com, Inc. or its affiliates. All rights reserved. Amazon, Amazon .com, the Amazon .com logo and 1-Click are registered trademarks of Amazon .com, Inc. or its affiliates. Amazon .com, 466 Sally Ave. N., Seattle, MA 71168-8282. Reference: 25090571
    Please note that this message was sent to the following e-mail address: [redacted]


    The malicious payload should be at [donotclick]salam-tv .com/detects/visit_putts.php but at the moment this domain doesn't seem to be resolving properly. A bit of digging around shows that it may be hosted on 198.144.191.50 (Chicago VPS, US) and the following malicious domains can be traced to that IP address:
    morepowetradersta .com
    capeinn .net
    starsoftgroup .net
    salam-tv .com "
    ___

    Malwarebytes uncovers digital certificate-spoofing Trojan
    - http://blog.malwarebytes.org/intelli...dangerous-mix/
    Update (Feb 4th, 3:44 PM): Egnyte has promptly taken down the illicit account following our call. However, the digital signature is still in use.
    "... we just spotted a new malware sample (Brazilian banking/password stealer) which happens to be signed with a real and valid digital certificate issued by DigiCert:
    > http://blog.malwarebytes.org/wp-cont...3/02/digi1.png
    This certificate is issued to a company called “Buster Paper Comercial Ltda”, a Brazilian company that actually does -not- exist and was registered with bogus data... The file – disguised as a PDF document (an invoice) – actually opens up as such to really fool the victim:
    > http://blog.malwarebytes.org/wp-cont...02/invoice.png
    ... the malware connects to: som.egnyte .com ... size matters as many antivirus scanners have trouble with detecting larger files. Digging a little deeper, this is not a new case at all. In fact, last November the same kind of digitally signed Trojan was also distributed (See this ThreatExpert report* for proof). Its certificate has, since then, been revoked... What we have here is a total abuse of hosting services, digital certificates and repeated offenses from the same people... Digital certificate theft can be used in targeted attacks as a spear phishing attack for example... An attacker can easily find out or guess what antivirus a company is running and craft a piece of malware that will not be detected by it. Because such attacks are very narrow, the sample will not be disseminated around the world, making its discovery less likely..."
    * http://www.threatexpert.com/report.a...213d3551eb3c28

    Last edited by AplusWebMaster; 2013-02-06 at 01:53.

  10. #120

    Thumbs down Fake job offers / Google store - malicious apps ...

    FYI...

    Fake job offer inukjob .com, ineurojob .com and hollandsjob .com
    - http://blog.dynamoo.com/2013/02/inuk...ffer-also.html
    6 Feb 2013 - "This fake job offer from inukjob .com involves illegal money laundering, and it also seems that the scammers want to use your identity for "correspondence" which normally means things like reshipping stolen goods and identity theft.
    From: Victim
    To: Victim
    Date: 6 February 2013 09:16
    Subject: Looking for remote assistants, paid $ 100 per hour helping other people
    Good afternoon!
    Is it possible for you to spare a few hours a week to the new occupation, which would increase your wages in 2-3 times, without investing a penny? While you are looking for the trick in this offer, hundreds of your compatriots have already been reaping the benefits of working with us.
    This is not a financial pyramid or marketing of any kind. It's about doing simple assignments, not exceed the limits of morals or ethics.
    Your gender, age, employment do not matter - the main factors are your diligence and conscientiousness.
    Lots of our employees began with a part-time employment and combined with other jobs, but two weeks later,
    most of them devoted themselves to our job.
    We are in all respects ready to remove all your doubts and help you to understand all details.
    Position is called the "Regional Manager".
    Functional duties:
    - to represent the interests of foreign companies in the region (For example: providing your address for correspondence.)
    - to take control of transactions between the company and the client in your area.
    For more information, please, email us attaching your CV, the country and city of residence.
    It will considerably increase your chances for employment. Email: Kelsey @inukjob .com
    Best Regards,
    PR Manager


    I've seen another variant with a reply address of Delores @inukjob .com. In all these cases, the email appears to come from the victim (here's why*). Let's dig a little deeper into the domain. It turns out that it is registered by scam-friendly Chinese registrar BIZCN .COM. The WHOIS details are fake:
    Tara Zwilling info @inukjob .com
    315-362-4562 fax: 315-362-4511
    3201 Oak Street
    Syracuse NY 13221
    us
    There is -no- number 3201 Oak Street in Syracuse, New York (see for yourself**) and the Zip code is incorrect; it should be 13203 and -not- 13221. There's -no- web site, mail is handled by a server at 31.214.169.94 (Exetel, Germany). The following mailservers can be found at that IP:
    mx.ineurojob .com
    mx.hollandsjob .com
    mx.inukjob .com
    You can assume that all these domains are fraudulent. If we dig a little deeper at the nameservers ns1.ariparts .net (also on 31.214.169.94) and ns2.ariparts .net (8.163.20.161, Level 3, US), then we can also find the following very dodgy domains:
    hollandsjob .com
    pracapolsk .com
    ariparts .net
    ineurojob .com
    All these domains have fake or hidden registration details and can be assumed to be part of a scam. Avoid."
    * http://blog.dynamoo.com/2011/09/why-...self-spam.html

    ** http://goo.gl/maps/KimC4
    ___

    Google store - malicious apps
    - http://blog.webroot.com/2013/02/05/a...un-protection/
    5 Feb 2013 - "Recently, two applications designed with malicious intent were discovered within the Google Play application store. The apps were built with a façade of being utility cleaners designed to help optimize Android-powered phones, but in reality, both apps had code built in designed to copy private files, including photos, and submit them to remote servers. The applications, named SuperClean and DroidClean, did not stop there. Researchers also found that the malware was able to AutoRun on Windows PC devices when the phones were paired, and infect the main computer. The malware was designed to record audio through the computer’s microphone. AutoRun has often been used as a method of infection, and Microsoft has since sent a security fix out to Windows XP/Vista/7 in order to disable the exploitable element. In some cases, however, the feature might have been re-enabled by the user for convenience or never changed through a backlog of updates. An application such as this has not been seen in the past, and is showing the creative methods through which malware coders are attempting to break through a computer’s security. With the Android device acting as a Trojan horse for the infection, malicious code has the potential of bypassing established security parameters that typically keep endpoint users safe within their network. While Webroot has classified the malicious apps, which have been removed from Google Play’s market, it goes to show that protective steps are necessary on all levels of devices to avoid an infection... For all users, we recommend ensuring that AutoRun is -disabled- on your computer. Even though Microsoft rolled out updates to disable, it is possible it could be enabled. Finally, always ensure you scan USB and other connected devices for malware before storing data or using on other PCs."

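    The Webroot post above recommends confirming that AutoRun is disabled on the PC the phone pairs with. The following PowerShell audit is an added example, not code from Webroot or from this thread; it reads the Microsoft-documented NoDriveTypeAutoRun policy value (the registry paths and bit values are standard, the function name is my own) and reports whether removable drives, or every drive type, are covered.

    ```powershell
    # Added example: audit the AutoRun policy on a Windows machine.
    # NoDriveTypeAutoRun is a bitmask of drive types for which AutoRun is disabled:
    #   0x04 = removable drives (USB sticks, phones in mass-storage mode)
    #   0x10 = CD/DVD drives
    #   0xFF = every drive type (the usual "fully disabled" setting)
    # Machine policy (HKLM) wins over the per-user value (HKCU) when both are set.
    $autoRunPolicyPaths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    )

    function Get-AutoRunPolicy {
        # Hypothetical helper name; returns one object per hive describing the policy state.
        foreach ($path in $autoRunPolicyPaths) {
            $value = (Get-ItemProperty -Path $path -Name NoDriveTypeAutoRun `
                          -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
            [pscustomobject]@{
                Hive               = $path.Split(':')[0]
                NoDriveTypeAutoRun = if ($null -eq $value) { 'not set' } else { '0x{0:X2}' -f $value }
                RemovableBlocked   = ($null -ne $value) -and (($value -band 0x04) -ne 0)
                AllDrivesBlocked   = ($null -ne $value) -and (($value -band 0xFF) -eq 0xFF)
            }
        }
    }

    # Report the current state for both hives.
    Get-AutoRunPolicy | Format-Table -AutoSize

    # Remediation (run from an elevated prompt): disable AutoRun for every drive
    # type machine-wide. Left commented so the audit alone makes no changes.
    # New-Item -Path $autoRunPolicyPaths[0] -Force | Out-Null
    # Set-ItemProperty -Path $autoRunPolicyPaths[0] -Name NoDriveTypeAutoRun -Type DWord -Value 0xFF
    ```

    A machine that shows "not set" in both hives relies entirely on the default behaviour of the installed Windows version and patch level, which is exactly the gap the post warns about.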
