Page 13 of 132 (results 121 to 130 of 1320)

Thread: SPAM frauds, fakes, and other MALWARE deliveries...

  1. #121 AplusWebMaster (Adviser Team, joined Oct 2005, USA, 6,881 posts)

    Fake FFIEC SPAM ...

    FYI...

    Fake FFIEC SPAM / live-satellite-view .net
    - http://blog.dynamoo.com/2013/02/ffie...e-viewnet.html
    7 Feb 2013 - "This spam attempts to load malware from live-satellite-view .net, but fails because at the moment the domain isn't registered. However, you can expect them to try again.. so watch out for emails like this.
    From: FFIEC [mailto:complaints @ffiec .gov]
    Sent: 06 February 2013 16:17
    Subject: FFIEC Occasion No. 77715
    This summons is meant to make advise of file # 77715 which is opened and under interrogative with FFIEC following a accusation of your Financial Institution regarding suspect financial activity on your account.
    A hard copy of this judicial process will be delivered to your business address.
    Our institution will forward information to competent government agencies following this accusation.
    Information and contacts regarding your Occasion file # can be found at
    Occasion Number: 77715
    Observed by
    Federal Financial Institution Examination Council
    Emily Gray


    The attempted download is from [donotclick]live-satellite-view .net/detects/advanced_selected_determines_comparison.php although it fails to resolve. Perhaps the registrar nuked the domain? However, it is possible to tell that the nameservers were ns1.http-page .net and ns2.http-page .net, and upon investigation it turns out that all the following IPs and domains are related and should be treated as malicious:
    7.129.51.158
    31.170.106.17
    74.4.6.128
    98.144.191.50
    175.121.229.209
    198.144.191.50
    208.117.43.145
    222.238.109.66
    able-stock .net
    capeinn .net
    duriginal .net
    euronotedetector .net
    gonita .net
    gutprofzumbns .com
    http-page .net
    live-satellite-view .net
    morepowetradersta .com
    ocean-movie .net
    starsoftgroup .net
    vespaboise .net"
    ___

    Ransomware Spam Pages on Github, Sourceforge, Others
    - http://www.gfi.com/blog/ransomware-s...eforge-others/
    Feb 7, 2013 - "There’s currently a large and determined effort to infect computers with Ransomware, courtesy of the Stamp EK exploit kit... The bait for most of these redirects to Ransomware appears to be a slice of US news reporters in various “fake” (ie nonexistent) nude pictures, along with a smattering of film actresses / singers – in other words, the usual shenanigans. Curiously, we’ve observed a lot of wrestlers / people involved in the wrestling industry listed on many of the spam pages too... There are pages and pages of ripped content sitting on various websites such as one located on a .ua domain... So far we have observed Weelsof and Reveton Ransomware being dropped. The below piece of Ransomware is demanding $300 to “Unlock your computer and avoid other legal consequences”. As with other similar forms of Ransomware, it accuses the user of accessing illegal pornography and makes no bones about the fact that they should be paying up “or else”... Unfortunately much of the same content can currently be found on both Github and Sourceforge, typically in the form of a Youtube page or a collection of sex pictures lifted from a real porn site. We’ve also seen air rifle stores, a rip of a Windows for Dummies site, Twitter pages and a whole lot more besides. A lot of these pages seem to be in the process of being taken down, but there’s still enough floating around out there to be a problem..."
    (Screenshots available at the gfi URL above.)
    ___

    Telepests... Robocalls ...
    - http://blog.dynamoo.com/2013/02/20-3...-telepest.html
    7 Feb 2013 - "For some reason I've been plagued with cold calling telepests recently. This particular one (+20 3 2983245) offered the usual "press 5 to be ripped off" and "press 9 to try to unsubscribe which we will ignore" recorded message about claiming for an accident. There was a very politely spoken and nice young man on the end of the phone. He seemed a bit perplexed and upset when I told him to f**k off and leave me alone. Good. I don't know exactly who is behind this nuisance activity, but they were calling a TPS-registered phone from a number in Alexandria, Egypt. Offshoring fraudulent activity like this is quite common, but this is the first time that I've had to swear at an Egyptian. Perhaps the poor guy will consider doing something less scummy instead."

    - https://www.bbb.org/blog/2013/01/con...ing-robocalls/

    > http://www.ftc.gov/bcp/edu/microsites/robocalls/
    ___

    Whitehole Exploit Kit in-the-wild...
    - http://blog.trendmicro.com/trendlabs...t-kit-emerges/
    Feb 6, 2013 - "... there is news of an emerging exploit kit dubbed Whitehole Exploit Kit. The name Whitehole Exploit Kit is just a randomly selected name to differentiate it from BHEK. While it uses similar code as Blackhole Exploit kit, BHEK in particular uses JavaScript to hide its usage of plugindetect.js, while Whitehole does not. It directly uses it without obfuscating this. We analysed the related samples, including the exploit malware cited in certain reports. The malware (detected as JAVA_EXPLOYT.NTW) takes advantage of the following vulnerabilities to download malicious files onto the system:
    • CVE-2012-5076
    • CVE-2011-3544
    • CVE-2012-4681
    • CVE-2012-1723
    • CVE-2013-0422
    Worth noting is CVE-2013-0422, which was involved in the zero-day incident that distributed REVETON variants and was used in toolkits like the Blackhole Exploit Kit and Cool exploit kit. Because of its serious security implication, Oracle immediately addressed this issue and released a software update, which was received with skepticism. The downloaded files are detected as BKDR_ZACCESS.NTW and TROJ_RANSOM.NTW respectively. ZACCESS/SIRIEF variants are known bootkit malware that download other malware and push fake applications. This specific ZACCESS variant connects to certain websites to send and receive information as well as terminates certain processes. It also downloads additional malicious files onto already infected systems. On the other hand, ransomware typically locks systems until users pay a sum of money via specific payment modes... Whitehole Exploit Kit is purportedly under development and runs in “test-release” mode. However, the people behind this kit are already peddling the kit and even command a fee ranging from USD 200 to USD 1800. Other notable features of this new toolkit include its ability to evade antimalware detections, to prevent Google Safe Browsing from blocking it, and to load a maximum of 20 files at once. Given Whitehole’s current state, we may be seeing more noteworthy changes to the exploit kit these coming months. Thus, we are continuously monitoring this threat for any developments..."
    ___

    - http://tools.cisco.com/security/cent...utbreak.x?i=77
    Fake Bank Wire Transfer Notification E-mail Messages - February 07, 2013
    Fake Real Estate Offer E-mail Messages - February 07, 2013
    Fake Money Transfer Notification E-mail Messages - February 07, 2013
    Fake Debt Collection E-mail Messages - February 07, 2013
    Fake Money Transfer Notification E-mail Messages - February 07, 2013
    Malicious Attachment E-mail Messages - February 07, 2013
    Fake Product Order Quotation Attachment E-mail Messages - February 07, 2013
    (More detail and links available at the cisco URL above.)

    Last edited by AplusWebMaster; 2013-02-08 at 07:35.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .
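    Added example (my own code, not dynamoo's and not part of the post above): the indicators in these posts are printed defanged, as "live-satellite-view .net", "[donotclick]..." and "complaints @ffiec .gov". The script below refangs them into a typed blocklist and then matches sample resolver log lines against it, treating a query for any name under a listed domain as a hit. Spoofed sender domains (ffiec.gov here) are deliberately kept out of the domain set, since they belong to the impersonated organisation. The indicator lines and the BIND-style query-log lines are constructed for the example; the log format and the function names are assumptions, not anything taken from the page.

```python
import re

# Constructed for this example: some of the defanged indicators quoted in the post
# above, written exactly as the page shows them.
DEFANGED_INDICATORS = """
7.129.51.158
31.170.106.17
198.144.191.50
able-stock .net
capeinn .net
http-page .net
live-satellite-view .net
morepowetradersta .com
[donotclick]live-satellite-view .net/detects/advanced_selected_determines_comparison.php
complaints @ffiec .gov
"""

IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def refang(item: str) -> str:
    """Undo the defanging conventions used in the post: a space before the TLD
    ('example .net'), a space before '@' in addresses, and a '[donotclick]' tag."""
    s = item.strip().replace("[donotclick]", "")
    s = re.sub(r"^https?://", "", s)
    s = re.sub(r"\s+\.", ".", s)
    s = re.sub(r"\s+@", "@", s)
    return s.lower()


def indicator_kind(s: str) -> str:
    if IPV4_RE.match(s):
        return "ip"
    if "@" in s:
        return "email"
    if "/" in s:
        return "url"
    return "domain"


def host_of_url(url: str) -> str:
    return url.split("/", 1)[0].split(":", 1)[0]


def build_blocklist(text: str) -> dict:
    """Group refanged indicators by type. A URL's host is also added to the domain
    set. Sender addresses stay in their own set: their domains are the spoofed
    organisation's (ffiec.gov) and must not be blocked."""
    out = {"ip": set(), "domain": set(), "url": set(), "email": set()}
    for line in text.splitlines():
        if not line.strip():
            continue
        s = refang(line)
        kind = indicator_kind(s)
        out[kind].add(s)
        if kind == "url":
            out["domain"].add(host_of_url(s))
    return out


# Constructed sample resolver log lines in BIND query-log style (assumed format).
SAMPLE_DNS_LOG = """\
08-Feb-2013 10:01:02.123 client 10.0.0.15#51234: query: www.example.com IN A
08-Feb-2013 10:01:05.456 client 10.0.0.15#51240: query: live-satellite-view.net IN A
08-Feb-2013 10:01:07.789 client 10.0.0.22#49876: query: ns1.http-page.net IN A
08-Feb-2013 10:01:09.000 client 10.0.0.31#50001: query: mail.capeinn.net IN MX
"""

QUERY_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN")


def parent_domains(fqdn: str) -> list:
    """'ns1.http-page.net' -> ['ns1.http-page.net', 'http-page.net'] (bare TLD skipped)."""
    labels = fqdn.rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]


def find_dns_hits(log_text: str, blocklist: dict) -> list:
    """Return (client, queried name, matching indicator) for each query whose name
    is, or sits under, a blocklisted domain."""
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        qname = m.group("qname").lower()
        for candidate in parent_domains(qname):
            if candidate in blocklist["domain"]:
                hits.append((m.group("client"), qname, candidate))
                break
    return hits


if __name__ == "__main__":
    bl = build_blocklist(DEFANGED_INDICATORS)
    for client, qname, ioc in find_dns_hits(SAMPLE_DNS_LOG, bl):
        print(f"{client} queried {qname} (matches {ioc})")
```

    Matching on parent domains is what catches ns1.http-page .net and mail.capeinn .net from the bare domains in the list; the trade-off is that a listed second-level domain will also flag legitimate subdomains if the domain is a hijacked one, so review hits rather than auto-blocking on them.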

  2. #122 AplusWebMaster (Adviser Team)

    Something evil on 5.135.67.160/28 ...

    FYI...

    radarsky .biz and something evil on 5.135.67.160/28
    - http://blog.dynamoo.com/2013/02/rada...g-evil-on.html
    8 Feb 2013 - "There is currently an injection attack -redirecting- visitors to a domain radarsky .biz (for example) hosted on 5.135.67.173 (OVH*) and suballocated to:
    inetnum: 5.135.67.160 - 5.135.67.175
    netname: MMuskatov-FI
    descr: MMuskatov
    country: FI
    org: ORG-OH6-RIPE
    admin-c: OTC15-RIPE
    tech-c: OTC15-RIPE
    status: ASSIGNED PA
    mnt-by: OVH-MNT
    source: RIPE # Filtered
    "MMuskatov" was involved in this attack too, and a quick inspection of 5.135.67.160/28 doesn't look promising, you might want to block it and 5.135.67.144/28 and 5.135.67.192/28 as well. A deeper analysis is in progress."

    * https://www.google.com/safebrowsing/...?site=AS:16276
    "... over the past 90 days, 7580 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2013-02-08, and the last time suspicious content was found was on 2013-02-08... we found 518 site(s) on this network... that appeared to function as intermediaries for the infection of 3631 other site(s)... this network has hosted sites that have distributed malicious software in the past 90 days. We found 1465 site(s)... that infected 7340 other site(s)..."
    ___

    Fake ACH Batch Download Notification emails
    - http://security.intuit.com/alert.php?a=71
    2/8/13 - "People are receiving fake emails with the title "ACH Batch Download Notification". Below is a copy of the email people are receiving, including the mistakes shown.
    Refund check in the amount of $4,370.00 for
    The following ACH batch has been submitted for processing.
    Initiated By: colleen
    Initiated Date & Time: Fri, 8 Feb 2013 21:38:16 +0600 Batch ID: 7718720 Batch Template Name: PAYROLL
    Please view the attached file to review the transaction details.


    This is the end of the fake email..."
    ___

    Fake BBB SPAM / madcambodia .net
    - http://blog.dynamoo.com/2013/02/bbb-...mbodianet.html
    8 Feb 2013 - "This fake BBB spam leads to malware on madcambodia .net:
    Date: Fri, 8 Feb 2013 11:55:55 -0500 [11:55:55 EST]
    From: Better Business Bureau [notify @bbb .org]
    Subject: BBB details about your cliente's pretense ID 43C796S77
    Better Business Bureau ©
    Start With Trust ©
    Thu, 7 Feb 2013
    RE: Issue No. 43C796S77
    [redacted]
    The Better Business Bureau has been booked the above mentioned claim letter from one of your purchasers in respect of their business contacts with you. The detailed description of the consumer's concern are available for review at a link below. Please pay attention to this subject and let us know about your judgment as soon as possible.
    We pleasantly ask you to visit the GRIEVANCE REPORT to reply on this claim.
    We awaits to your prompt response.
    Best regards
    Luis Davis
    Dispute Advisor
    Better Business Bureau
    3073 Wilson Blvd, Suite 600 Arlington, VA 23501
    Phone: 1 (703) 276.0100 Fax: 1 (703) 525.8277
    This note was sent to [redacted]. Don't want to receive these emails anymore? You can unsubscribe


    The malicious payload is at [donotclick]madcambodia .net/detects/review_complain.php (report here) hosted on:
    175.121.229.209 (Hanaro Telecom, Korea)
    198.144.191.50 (Chicago VPS, US) ..."
    ___

    Fake ADP SPAM / 048575623_02082013 .zip
    - http://blog.dynamoo.com/2013/02/adp-...082013zip.html
    8 Feb 2013 - "This fake ADP spam comes with a malicious attachment:
    Date: Fri, 8 Feb 2013 18:26:05 +0100 [12:26:05 EST]
    From: "ops_invoice @adp .com" [ops_invoice @adp .com]
    Subject: ADP Payroll Invoice for week ending 02/08/2013 - 01647
    Your ADP Payroll invoice for last week is attached for your review. If you have any questions regarding this invoice, please contact your ADP service team at the number provided on the invoice for assistance.
    Thank you for choosing ADP Payroll.
    Important: Please do not respond to this message. It comes from an unattended mailbox.


    In this case there was a ZIP file called 048575623_02082013 .zip (this may vary) with an attachment 048575623_02082013 .exe designed to look like a PDF file. VirusTotal* identifies it as a Zbot variant. According to ThreatExpert**, the malware attempts to connect to the following hosts:
    eyon-neos .eu
    quest.social-neos .eu
    social-neos .eu
    These may be legitimate hacked domains, but if you are seeing unexpected traffic going to them then it could be a Zbot indicator.
    * https://www.virustotal.com/file/d961...is/1360370000/
    File name: 048575623_02082013.exe
    Detection ratio: 17/45
    Analysis date: 2013-02-09

    ** http://www.threatexpert.com/report.a...0342013e5d0ad0

    Last edited by AplusWebMaster; 2013-02-09 at 03:31.
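    Added example, not from the quoted post or the blog it cites: the RIPE inetnum object quoted above gives a range, not a CIDR. The script parses that object, summarises the range into CIDR blocks (the /28 the post names), adds the two neighbouring /28s the post suggests blocking, and checks sample connection-log destinations against the result. The RIPE text is copied from the post; the log lines, their "src=/dst=" format and the function names are constructed assumptions.

```python
import ipaddress
import re

# Copied from the post above (RIPE object as quoted there), trimmed to the keys used.
RIPE_OBJECT = """\
inetnum: 5.135.67.160 - 5.135.67.175
netname: MMuskatov-FI
descr: MMuskatov
country: FI
status: ASSIGNED PA
mnt-by: OVH-MNT
"""
# The two adjacent blocks the post suggests blocking alongside the allocation.
EXTRA_BLOCKS = ["5.135.67.144/28", "5.135.67.192/28"]


def parse_ripe_object(text: str) -> dict:
    """Turn the 'key: value' lines of a RIPE object into a dict (first value wins)."""
    obj = {}
    for line in text.splitlines():
        m = re.match(r"^([\w-]+):\s*(.*)$", line)
        if m and m.group(1) not in obj:
            obj[m.group(1)] = m.group(2).strip()
    return obj


def inetnum_to_cidrs(inetnum: str) -> list:
    """'5.135.67.160 - 5.135.67.175' -> ['5.135.67.160/28']. summarize_address_range
    gives the minimal CIDR cover, which is several blocks for an unaligned range."""
    first, last = (ipaddress.IPv4Address(p.strip()) for p in inetnum.split("-"))
    return [str(n) for n in ipaddress.summarize_address_range(first, last)]


def build_blocked_networks(ripe_text: str, extra: list) -> list:
    """Allocation CIDRs plus the extra blocks, with any adjacent blocks collapsed."""
    obj = parse_ripe_object(ripe_text)
    cidrs = inetnum_to_cidrs(obj["inetnum"]) + list(extra)
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return list(ipaddress.collapse_addresses(nets))


def matching_network(ip: str, networks: list):
    addr = ipaddress.ip_address(ip)
    for net in networks:
        if addr in net:
            return str(net)
    return None


# Constructed sample firewall/proxy connection records (assumed format).
SAMPLE_CONN_LOG = """\
2013-02-08T10:12:01Z src=10.0.0.15 dst=5.135.67.173 dport=80
2013-02-08T10:12:04Z src=10.0.0.15 dst=198.51.100.7 dport=443
2013-02-08T10:12:09Z src=10.0.0.22 dst=5.135.67.150 dport=80
2013-02-08T10:12:15Z src=10.0.0.31 dst=5.135.67.180 dport=80
"""
CONN_RE = re.compile(r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+)")


def find_blocked_connections(log_text: str, networks: list) -> list:
    """Return (source, destination, matched network) for destinations inside a block."""
    hits = []
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if not m:
            continue
        net = matching_network(m.group("dst"), networks)
        if net:
            hits.append((m.group("src"), m.group("dst"), net))
    return hits


if __name__ == "__main__":
    nets = build_blocked_networks(RIPE_OBJECT, EXTRA_BLOCKS)
    print("blocking:", ", ".join(str(n) for n in nets))
    for src, dst, net in find_blocked_connections(SAMPLE_CONN_LOG, nets):
        print(f"{src} -> {dst} (in {net})")
```

    Note that 5.135.67.180 is not flagged: it sits between the three /28s and is not covered by them, which is the point of converting the exact inetnum rather than guessing a wider block from the first address.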

  3. #123 AplusWebMaster (Adviser Team)

    Fake Support Center / ADP SPAM

    FYI...

    Fake "Support Center" SPAM / phticker .com
    - http://blog.dynamoo.com/2013/02/supp...tickercom.html
    11 Feb 2013 - "Not malware this time, but this fake "Support Center" spam leads to a fake pharma site at phticker .com:
    Date: Mon, 11 Feb 2013 06:13:52 -0700
    From: "Brinda Wimberly" [noreply @mdsconsulting .be]
    Subject: Support Center
    Welcome to Help Support Center
    Hello,
    You have been successfully registered in our Ticketing System
    Please, login and check status of your ticket, or report new ticket here
    See All tickets
    Go To Profile
    This message was sent to [redacted]. Should you have any questions, or if you believe that you have received this in error please contact us at support center.


    The site appears to be clean from a malware perspective and is hosted on 171.25.190.246 (Verus AS, Latvia) along with other fake pharma sites..."
    ___

    Something evil on 46.163.79.209
    - http://blog.dynamoo.com/2013/02/some...616379209.html
    11 Feb 2013 - "The following sites are connected with some ADP-themed malware that has been doing the rounds for the past few days. As far as I can tell, they are some sort of download server for this malware, hosted on 46.163.79.209 (Host Europe, Germany), it all looks quite nasty.
    social-neos .eu
    cloud.social-neos .eu
    quest.social-neos .eu
    archiv.social-neos .eu
    eyon-neos .eu
    international.eyon-neos .eu
    ns.eyon-neos .eu
    euroherz.eyon-neos .eu
    The domains look like they might be legitimate ones that have been hijacked, nonetheless blocking them would be an excellent move."
    ___

    Fake Citi Group SPAM
    - http://www.hotforsecurity.com/blog/s...mers-5322.html
    Feb 11, 2013 - "... it’s time Citi clients keep an eye open for e-mails that read “You have received a secure message” inviting them to read the message by opening the attachments securedoc .html...
    > http://www.hotforsecurity.com/wp-con...-Customers.png
    The emails include a link and an attachment. While the link is harmless, taking receivers to the legitimate Citi page, the attachment is a password stealer that opens a backdoor for remote attackers. Some instances appear to also download components of the BlackHole or ZeuS exploit kits. Untrained eyes could fall for this trick, since these e-mails are written in good English, with decent grammar and harmless-looking attachments. Of the countless ways of infecting a computer, spam delivering malware continues to pay off despite restless efforts of media and the security community. Infecting PCs via spam proves an efficient dissemination method, since users are still caught off-guard by malicious links or attachments such as this message addressed to Citi Group clients..."
    ___

    Fake British Airways SPAM / epianokif .ru
    - http://blog.dynamoo.com/2013/02/brit...ianokifru.html
    11 Feb 2013 - "This fake British Airways spam leads to malware on epianokif .ru:
    Date: Mon, 11 Feb 2013 11:30:39 +0330
    From: JamesTieszen @[victimdomain .com]
    Subject: British Airways E-ticket receipts
    Attachments: E-Ticket-N234922XM .htm
    e-ticket receipt
    Booking reference: DZ87548418
    Dear,
    Thank you for booking with British Airways.
    Ticket Type: e-ticket
    This is your e-ticket receipt. Your ticket is held in our systems, you will not receive a paper ticket for your booking.
    Your itinerary is attached (Internet Exlplorer/Mozilla Firefox file)
    Yours sincerely,
    British Airways Customer Services
    British Airways may monitor email traffic data and also the content of emails, where permitted by law, for the purposes of security and staff training and in order to prevent or detect unauthorised use of the British Airways email system.
    British Airways Plc is a public limited company registered in England and Wales. Registered number: 74665737. Registered office: Waterside, PO Box 365, Harmondsworth, West Drayton, Middlesex, England, UB7 0GB.
    How to contact us
    Although we are unable to respond to individual replies to this email we have a comprehensive section that may help you if you have a question about your booking or travelling with British Airways.
    If you require further assistance you may contact us
    If you have received this email in error
    This is a confidential email intended only for the British Airways Customer appearing as the addressee. If you are not the intended recipient please delete this email and inform the snder as soon as possible. Please note that any copying, distribution or other action taken or omitted to be taken in reliance upon it is prohibited and may be unlawful.


    The malicious payload is at [donotclick]epianokif .ru:8080/forum/links/column.php (report here) hosted on:
    82.148.98.36 (Qatar Telecom, Qatar)
    195.210.47.208 (PS Internet Company, Kazakhstan)
    202.72.245.146 (Railcom, Mongolia) ..."
    ___

    Fake NACHA SPAM / albaperu .net
    - http://blog.dynamoo.com/2013/02/nach...baperunet.html
    11 Feb 2013 - "This fake NACHA spam leads to malware on albaperu .net:
    Date: Mon, 11 Feb 2013 11:39:03 -0500 [11:39:03 EST]
    From: ACH Network [reproachedwp41 @direct.nacha .org]
    Subject: ACH Transfer canceled
    Aborted transfer
    The ACH process (ID: 838907191379), recently initiated from your checking account (by one of your account members), was reversed by the other financial institution.
    Transaction ID: 838907191379
    Reason of Cancellation See detailed information in the despatch below
    Transaction Detailed Report RP838907191379.doc (Microsoft Word Document)
    13150 Sunrise Drive, Suite 100 Herndon, VA 20172 (703) 561-1600
    2013 NACHA - The Electronic Payments Association


    The malicious payload is at [donotclick]albaperu .net/detects/case_offices.php (report here) hosted on:
    175.121.229.209 (Hanaro Telecom, Korea)
    198.144.191.50 (Chicago VPS, US)..."
    ___

    Something evil on 46.165.206.16
    - http://blog.dynamoo.com/2013/02/some...616520616.html
    11 Feb 2013 - "This is a little group of fake analytics sites containing malware (for example*), hosted on 46.165.206.16 (Leaseweb, Germany**). Sites listed in -red- have already been tagged by Google Safe Browsing diagnostics, presumably the others have stayed below the radar.
    adstat150 .com
    cexstat20 .com
    katestat77 .us
    kmstat505 .us
    kmstat515 .us
    kmstat530 .com
    lmstat450 .com
    mptraf11 .info
    mptraf2 .info
    mxstat205 .us
    mxstat570 .com
    mxstat740 .com
    mxstat760 .com
    rxtraf25 .ru
    rxtraf26 .ru
    skeltds .us
    vmstat100 .com
    vmstat120 .com
    vmstat140 .com

    vmstat210 .com
    vmstat230 .com
    vmstat320 .com ..."
    * http://urlquery.net/report.php?id=738388

    Diagnostic page for AS16265 (LEASEWEB)
    ** https://www.google.com/safebrowsing/...?site=AS:16265
    "... over the past 90 days, 3350 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2013-02-12, and the last time suspicious content was found was on 2013-02-12... we found 1006 site(s) on this network... that appeared to function as intermediaries for the infection of 3958 other site(s)... We found 1567 site(s)... that infected 6879 other site(s)..."

    Last edited by AplusWebMaster; 2013-02-12 at 14:26.

  4. #124 AplusWebMaster (Adviser Team)

    Fake IRS / Changelog SPAM

    FYI...

    Fake IRS SPAM / micropowerboating .net
    - http://blog.dynamoo.com/2013/02/chan...maianemru.html
    12 Feb 2013 - "This fake IRS spam leads to malware on micropowerboating .net:
    Date: Tue, 12 Feb 2013 22:06:55 +0800
    From: Internal Revenue Service [damonfq43 @taxes.irs .gov]
    Subject: Income Tax Refund TURNED DOWN
    Hereby we have to note that Your State Tax Refund Appeal ({ID: 796839212518), recently has been RETURNED. If you believe that IRS did not properly estimate your case due to misunderstanding of the fact(s), be prepared to serve additional information. You can obtain refusal to accept details and re-submit your appeal by browsing a link below.
    Please enter official website for information
    Internal Revemue Service
    Internal Revenue Services United States, Department of Treasury
    9611 Tellus. Av.
    Hours of Operation: Monday-Friday, 11:30AM - 16:30PM your local time.
    ===
    Date: Tue, 12 Feb 2013 15:00:35 +0100
    From: Internal Revenue Service [zirconiumiag0 @irs .gov]
    Subject: Income Tax Refund NOT ACCEPTED
    Hereby we hav to inform that Your Income Tax Refund Appeal ({ID: 46303803645929), recently has been CANCELED. If you believe that IRS did not properly estimate your case due to misapprehension of the fact(s), be prepared to equip additional information. You can obtain non-acceptance details and re-submit your appeal by browsing a link below.
    Please browse official site for more information
    Internal Revemue Service
    Internal Revenue Services United States, Department of Treasury
    3192 Aliquam Rd.
    Hours of Operation: Monday-Friday, 11:30AM - 16:30PM your local time.
    ===
    Date: Tue, 12 Feb 2013 15:13:37 +0100 [09:13:37 EST]
    From: Internal Revenue Service [idealizesmtz @informer.irs .gov]
    Subject: Income Tax Refund TURNED DOWN
    Hereby You notified that Your Income Tax Outstanding transaction Appeal (No: 8984589927661), recently was CANCELED. If you believe that IRS did not properly estimate your case due to misapprehension of the fact(s), be prepared to deliver additional information. You can obtain refusal of acceptance details and re-submit your appeal by using a link below.
    Please enter official site for information
    Internal Revemue Service
    Internal Revenue Services United States, Department of Treasury
    P.O. Box 265
    Hours of Operation: Monday-Friday, 11:30AM - 16:30PM your local time.


    The malicious payload is on [donotclick]micropowerboating .net/detects/pending_details.php (report here) hosted on:
    175.121.229.209 (Hanaro Telecom, Korea)
    198.144.191.50 (Chicago VPS, US)
    The following IPs and domains should be blocked:
    175.121.229.209
    198.144.191.50

    micropowerboating .net
    morepowetradersta .com
    asistyapipressta .com
    uminteraktifcozumler .com
    rebelldagsanet .com
    madcambodia .net
    acctnmrxm .net
    capeinn .net
    albaperu .net
    live-satellite-view .net ..."
    ___

    Fake Changelog SPAM / emaianem .ru
    - http://blog.dynamoo.com/2013/02/chan...maianemru.html
    12 Feb 2013 - "This changelog spam leads to malware on emaianem .ru:
    Date: Tue, 12 Feb 2013 09:11:11 +0200
    From: LinkedIn Password [password@linkedin.com]
    Subject: Re: Changlog 10.2011
    Good day,
    changelog update - View
    L. KIRKLAND
    ===
    Date: Tue, 12 Feb 2013 05:14:54 -0600
    From: LinkedIn [welcome @linkedin .com]
    Subject: Fwd: Re: Changelog as promised(updated)
    Good morning,
    as prmised updated changelog - View
    L. AGUILAR


    The malicious payload is at [donotclick]emaianem .ru:8080/forum/links/column.php and is hosted on the same servers as found here*."
    * http://blog.dynamoo.com/2013/02/efax...ipaindoru.html
    46.175.224.21 (Maxnet Lukasz Hamerski, Poland)
    91.121.57.231 (OVH, France)
    202.72.245.146 (Railcom, Mongolia)
    ___

    Something evil on 192.81.129.219
    - http://blog.dynamoo.com/2013/02/some...281129219.html
    12 Feb 2013 - "It looks like there's a nasty case of the Blackhole Exploit kit on 192.81.129.219 (see example*). The IP is controlled by Linode in the US who have been a bit quiet recently... active domains that I can identify on this IP..."
    (Long list at the dynamoo URL above.)
    * http://urlquery.net/report.php?id=986474

    Last edited by AplusWebMaster; 2013-02-13 at 01:12.
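    Added example (mine, not dynamoo's): the landing URLs quoted in these posts share two shapes, "/detects/<name>.php" on the default port (the IRS, NACHA, BBB and FFIEC runs) and ":8080/forum/links/column.php" (the changelog and British Airways runs, the structure the thread's urlquery reports attribute to Blackhole v2). The script encodes those two shapes as signatures and scans constructed proxy-log lines, so a client can be flagged from URL structure before the specific domain reaches a blocklist. The log format, the signature names and the example.org lines are assumptions.

```python
import re
from urllib.parse import urlsplit

# Structural signatures drawn from the URLs quoted in this thread:
# name, path pattern, required port (None = any port).
SIGNATURES = [
    ("detects-php", re.compile(r"^/detects/[a-z0-9_\-]+\.php$"), None),
    ("forum-links-column", re.compile(r"^/forum/links/column\.php$"), 8080),
]


def classify_url(url: str):
    """Return the matching signature name, or None. The port is part of the
    signature where the thread only ever saw the path on :8080."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    for name, path_re, required_port in SIGNATURES:
        if path_re.match(parts.path) and (required_port is None or port == required_port):
            return name
    return None


# Constructed proxy log lines (assumed format: epoch client method url status).
# The hosts are ones named in the posts; the example.org lines are benign controls.
SAMPLE_PROXY_LOG = """\
1360683000.101 10.0.0.15 GET http://epianokif.ru:8080/forum/links/column.php 200
1360683001.202 10.0.0.15 GET http://www.example.org/forum/links/column.php 200
1360683002.303 10.0.0.22 GET http://albaperu.net/detects/case_offices.php 200
1360683003.404 10.0.0.22 GET http://www.example.org/detects/ 404
1360683004.505 10.0.0.31 GET http://thedigidares.net/detects/irritating-crashed-registers.php 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>[\d.]+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def scan_proxy_log(text: str) -> list:
    """Return (client, host, signature) for every request whose URL matches a signature."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        sig = classify_url(m.group("url"))
        if sig:
            hits.append((m.group("client"), urlsplit(m.group("url")).hostname, sig))
    return hits


def clients_by_signature(hits: list) -> dict:
    """Group flagged clients per signature, for a triage queue."""
    out = {}
    for client, _host, sig in hits:
        out.setdefault(sig, set()).add(client)
    return {sig: sorted(clients) for sig, clients in out.items()}


if __name__ == "__main__":
    found = scan_proxy_log(SAMPLE_PROXY_LOG)
    for client, host, sig in found:
        print(f"{client} fetched {host} [{sig}]")
    print(clients_by_signature(found))
```

    The second line is the reason the port is in the signature: a forum on port 80 with a column.php page is plausible on a legitimate site, whereas the :8080 form only appears in these posts on compromised or throwaway hosts. Treat structure hits as a reason to pull the client's session for review, not as proof of infection on their own.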

  5. #125 AplusWebMaster (Adviser Team)

    Fake NACHA SPAM ...

    FYI...

    Fake NACHA SPAM / thedigidares .net
    - http://blog.dynamoo.com/2013/02/nach...idaresnet.html
    13 Feb 2013 - "This fake NACHA spam leads to malware on thedigidares .net:
    Date: Wed, 13 Feb 2013 12:10:27 +0000
    From: " NACHA" [limbon@direct .nacha .org]
    Subject: Aborted transfer
    Canceled transaction
    The ACH process (ID: 648919687408), recently sent from your bank account (by you), was canceled by the other financial institution.
    Transaction ID: 648919687408
    Cancellation Reason Review additional info in the statement below
    Transaction Detailed Report Report_648919687408.xls (Microsoft/Open Office Word Document)
    13150 Sunrise Street, Suite 100 Herndon, VA 20174 (703) 561-1200
    2013 NACHA - The Electronic Payments Association


    The malicious payload is at [donotclick]thedigidares .net/detects/irritating-crashed-registers.php (report here*) hosted on:
    134.74.14.98 (City College of New York, US)
    175.121.229.209 (Hanaro Telecom, Korea)
    The following IPs and domains are linked and should be blocked:
    134.74.14.98
    175.121.229.209

    albaperu .net
    capeinn .net
    thedigidares .net
    madcambodia .net
    micropowerboating .net
    dressaytam .net
    acctnmrxm .net
    albaperu .net
    live-satellite-view .net
    dressaytam .net "
    * http://urlquery.net/report.php?id=993904
    BlackHole v2.0 exploit kit

    - http://blog.dynamoo.com/2013/02/nach...nakotprru.html
    13 Feb 2013 - "More fake NACHA spam, this time leading to malware on eminakotpr .ru:
    Date: Wed, 13 Feb 2013 05:24:26 +0530
    From: "ACH Network" [risk-management@nacha.org]
    Subject: Re: Fwd: ACH Transfer rejected
    The ACH transaction, initiated from your checking acc., was canceled.
    Canceled transfer:
    Transfer ID: FE-65426265630US
    Transaction Report: View
    August BLUE
    NACHA - The National Automated Clearing House Association


    The malicious payload is at [donotclick]eminakotpr .ru:8080/forum/links/column.php hosted on:
    46.175.224.21 (MAXNET Lukasz Hamerski, Poland)
    91.121.57.231 (OVH, France)
    202.72.245.146 (Railcom, Mongolia)..."
    ___

    Malware sites to block 13/2/13
    - http://blog.dynamoo.com/2013/02/malw...ock-13213.html
    13 Feb 2013 - "These malicious sites appear to be part of a Waledac botnet. I haven't had much time to analyse what exactly is going on, but here is one example from [donotclick]merwiqca .ru/nothing.exe: URLquery, VirusTotal*, Comodo CAMAS, ThreatExpert**.
    I'm still working on IP addresses (there are a LOT), but these are the domains that I have managed to identify.."
    (Long list [mostly *.ru] at the dynamoo URL above.)
    * https://www.virustotal.com/file/a604...is/1360769367/
    File name: khgkg01.exe
    Detection ratio: 8/43
    Analysis date: 2013-02-13
    Behavioural information
    TCP connections...
    85.121.3.1:80
    76.169.151.26:80
    195.228.43.24:80
    46.162.243.26:80
    ** http://www.threatexpert.com/report.a...988293dffbdc9a
    192.5.5.241
    ___

    - http://tools.cisco.com/security/cent...o=1&sortType=d
    Fake CashPro Online Digital Certificate Notification E-mail Messages - February 13, 2013
    Fake Failed Package Delivery Notification E-mail Messages - February 13, 2013
    Fake Message Receipt Notification E-mail Messages - February 13, 2013
    Fake Western Union Money Transfer Transaction E-Mail Messages - February 13, 2013
    Fake Payment Request E-mail Messages - February 13, 2013
    Fake Voicemail Message Notification E-mail Messages - February 13, 2013
    Fake Turkish Airline Ticket Booking Confirmation E-mail Messages - February 13, 2013
    Fake Antiphishing Notification E-mail Messages - February 13, 2013
    Fake Bank Transfer Confirmation Notification E-mail Messages - February 13, 2013
    Fake Product Order Change Notification E-mail Messages - February 13, 2013
    Fake Italian Policy Change Notification E-mail Messages - February 13, 2013
    Fake United Parcel Service Shipment Error E-mail Messages - February 13, 2013
    (Links and more info available at the cisco URL above.)
    ___

    Fake Bank "Secure Email Notification" SPAM
    - http://blog.dynamoo.com/2013/02/firs...ure-email.html
    13 Feb 2013 - "It looks a bit like a phish, but this "First Foundation Bank Secure Email Notification" spam has a ZIP file that leads to malware:
    Date: Wed, 13 Feb 2013 20:08:46 +0200 [13:08:46 EST]
    From: FF-inc Secure Notification [secure.notification @ff-inc .com]
    Subject: First Foundation Bank Secure Email Notification - 94JIMEEQ
    You have received a secure message
    Read your secure message by opening the attachment, secure_mail_94JIMEEQ. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it in a Web browser. To access from a mobile device, forward this message to mobile @res.ff-inc .com to receive a mobile login URL.
    If you have concerns about the validity of this message, please contact the sender directly. For questions about secure e-mail encryption service, please contact technical support at 888.795.7643.
    2000-2013 First Foundation Inc. All rights reserved.


    Attached is a file called secure_mail_94JIMEEQ.zip which expands into.. well, nothing good.. a file called secure_mail_{_Case_DIG}.exe with an icon that is meant to disguise it as an Acrobat file. VirusTotal detection rates* are just 15/45 and the malware is resistant to analysis. Incidentally, emailing mobile @res.ff-inc .com just generates a failure message. Avoid."
    * https://www.virustotal.com/file/71b8...is/1360795797/
    File name: secure_mail_{_Case_DIG}.exe
    Detection ratio: 15/45
    Analysis date: 2013-02-13

    Last edited by AplusWebMaster; 2013-02-14 at 01:47.

  6. #126
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Something evil on 92.63.105.23

    FYI...

    Something evil on 92.63.105.23
    - http://blog.dynamoo.com/2013/02/some...926310523.html
    14 Feb 2013 - "Looks like a nasty infestation of Blackhole is lurking on 92.63.105.23 (TheFirst-RU, Russia*) - see an example of the nastiness here** (this link is safe to click!). The following domains are present on this address, although there are probably more..."
    (Long list at the dynamoo URL above.)
    ** http://urlquery.net/report.php?id=995495
    ... Blackholev2 url structure detected

    * https://www.google.com/safebrowsing/...?site=AS:29182
    "... over the past 90 days, 606 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2013-02-14, and the last time suspicious content was found was on 2013-02-14... we found 182 site(s) on this network... that appeared to function as intermediaries for the infection of 652 other site(s)... We found 655 site(s)... that infected 4547 other site(s)..."
    ___

    Top 10 Valentine’s Day Scams...
    - http://www.hotforsecurity.com/blog/t...erts-5357.html
    Feb 14, 2013 - "... advises users to stay away from fake limousine offers and online ‘heart experts’ who claim to heal troubled relationships. This type of scam spreads through spam and redirects users to phishing, fraud and malware-infected websites... The bait that tricks men these days includes fake chocolate offers, diamond-like rings, perfumes, personalized gifts, heart-shaped jewelry and replica watches... A fast spreading scam tricks victims to download Valentine’s Day wallpapers which redirect to fraudulent websites. Users are told they won an iPhone 5 and asked for personal details. In the name of Cupid, similar scams circulate on Facebook, too. Valentine’s Day games and Android apps downloaded from unofficial marketplaces such as free love calculators may install adware and malware. Britons should be especially careful with flower offers. Valentine’s Day is not only the busiest day of the year for UK florists, but also for fake ‘flower’ scammers..."
    > http://www.hotforsecurity.com/wp-con...-experts-1.jpg
    ___

    Malicious URL hits related to “valentine” from January to Feb. 14
    > http://blog.trendmicro.com/trendlabs...-URLs-2013.png

    Malware detections related to “valentine” from January to Feb. 14
    > http://blog.trendmicro.com/trendlabs...tines-2013.png
    ___

    Fake 'Facebook blocked' emails serve client-side exploits and malware
    - http://blog.webroot.com/2013/02/14/f...s-and-malware/
    14 Feb 2013 - "Cybercriminals are currently spamvertising two separate campaigns, impersonating Facebook Inc., in an attempt to trick its users into thinking that their Facebook account has been disabled. What these two campaigns have in common is the fact that the client-side exploits serving domains are both parked on the same IP. Once users click on -any- of the links found in the malicious emails, they’re exposed to the client-side exploits served by the Black Hole Exploit Kit...
    Sample screenshot of the spamvertised campaign:
    > https://webrootblog.files.wordpress....xploit_kit.png
    ... Malicious domain names reconnaissance:
    gonita .net – 222.238.109.66 – Email: lockwr @rocketmail .com
    able-stock .net – 222.238.109.66
    capeinn .net – 222.238.109.66; 198.144.191.50 – Email: softonlines @yahoo .com
    Name servers used in the campaign:
    Name Server: NS1.HTTP-PAGE .NET
    Name Server: NS2.HTTP-PAGE .NET
    We’ve already seen the same name servers used in... malicious campaigns...
    Responding to 222.238.109.66 are... malicious/fraudulent domains...
    Responding to 198.144.191.50 are... malicious domains...
    We’ve already seen the same pseudo-random C&C communication characters (EGa+AAAAAA), as well as the same C&C server (173.201.177.77) in... previously profiled campaigns..."
    (More detail at the webroot URL above.)
    ___

    Fake HP ScanJet SPAM / eipuonam .ru
    - http://blog.dynamoo.com/2013/02/hp-s...ipuonamru.html
    14 Feb 2013 - "This fake printer spam leads to malware on eipuonam .ru:
    Date: Thu, 14 Feb 2013 -02:00:50 -0800
    From: "Xanga" [noreply@xanga.com]
    Subject: Fwd: Scan from a HP ScanJet #72551
    Attachments: HP_Document.htm
    Attached document was scanned and sent
    to you using a HP A-39329P.
    SENT BY : Ingrid
    PAGES : 0
    FILETYPE: .HTML [INTERNET EXPLORER/MOZILLA FIREFOX]


    The attachment HP_Document.htm contains a script that attempts to direct visitors to [donotclick]eipuonam .ru:8080/forum/links/column.php (report here*) hosted on:
    91.121.57.231 (OVH, France)
    195.210.47.208 (PS Internet, Kazakhstan)
    202.72.245.146 (Railcom, Mongolia)..."
    (More detail at the dynamoo URL above.)
    * http://urlquery.net/report.php?id=1000763
    ... Detected suspicious URL pattern
    ___

    Fake "Copies of policies" SPAM / ewinhdutik .ru
    - http://blog.dynamoo.com/2013/02/copi...nhdutikru.html
    14 Feb 2013 - "This spam leads to malware on ewinhdutik .ru:
    Date: Thu, 14 Feb 2013 07:16:28 -0500
    From: "Korbin BERG" [ConnorAlmeida @telia .com]
    Subject: RE: Korbin - Copies of Policies.
    Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.
    Here is the Package and Umbrella,
    and a copy of the most recent schedule.
    Korbin BERG,
    ===
    Date: Thu, 14 Feb 2013 03:30:52 +0530
    From: Tagged [Tagged @taggedmail .com]
    Subject: RE: KESHIA - Copies of Policies.
    Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.
    Here is the Package and Umbrella,
    and a copy of the most recent schedule.
    KESHIA LEVINE,


    The malicious payload is at [donotclick]ewinhdutik .ru:8080/forum/links/column.php (report here*) hosted on the same IP addresses as this attack we saw earlier:
    - http://blog.dynamoo.com/2013/02/hp-s...ipuonamru.html
    91.121.57.231 (OVH, France)
    195.210.47.208 (PS Internet, Kazakhstan)
    202.72.245.146 (Railcom, Mongolia)"
    * http://urlquery.net/report.php?id=1001864
    ... AS48716** Kazakhstan... suspicious URL pattern
    ** https://www.google.com/safebrowsing/...?site=AS:48716
    ___

    Fake HP ScanJet SPAM / 202.72.245.146
    - http://blog.dynamoo.com/2013/02/hp-s...272245146.html
    14 Feb 2013 - "This fake printer spam leads to malware on 202.72.245.146:
    Date: Thu, 14 Feb 2013 10:10:56 +0000
    From: AntonioShapard @hotmail .com
    Subject: Fwd: Re: Scan from a Hewlett-Packard ScanJet #6293
    Attachments: HP_Document.htm
    Attached document was scanned and sent
    to you using a HP A-32347P.
    SENT BY : TRISH
    PAGES : 3
    FILETYPE: .HTML [INTERNET EXPLORER/MOZILLA FIREFOX]
    ===
    Date: Thu, 14 Feb 2013 06:07:00 -0800
    From: LinkedIn Password [password @linkedin .com]
    Subject: Fwd: Scan from a Hewlett-Packard ScanJet 83097855
    Attachments: HP_Document.htm
    Attached document was scanned and sent
    to you using a HP A-775861P.
    SENT BY : CARLINE
    PAGES : 4
    FILETYPE: .HTML [INTERNET EXPLORER/MOZILLA FIREFOX]


    The malicious payload is on [donotclick]202.72.245.146 :8080/forum/links/column.php which is a familiar IP address belonging to Railcom in Mongolia. The following malicious websites are also active on the same server..."
    (Long list at the dynamoo URL above.)
    ___

    Fake Intuit SPAM / epionkalom .ru
    - http://blog.dynamoo.com/2013/02/intu...onkalomru.html
    14 Feb 2013 - "This fake Intuit spam leads to malware on epionkalom .ru:
    Date: Thu, 14 Feb 2013 09:05:48 -0500
    From: "Classmates . com" [classmatesemail @accounts.classmates .com]
    Subject: Payroll Account Holded by Intuit
    Direct Deposit Service Informer
    Communicatory Only
    We cancelled your payroll on Thu, 14 Feb 2013 09:05:48 -0500.
    Finances would be gone away from below account # ending in 2317 on Thu, 14 Feb 2013 09:05:48 -0500
    amount to be seceded: 2246 USD
    Paychecks would be procrastinated to your personnel accounts on: Thu, 14 Feb 2013 09:05:48 -0500
    Log In to Review Operation
    Funds are typically left before working banking hours so please make sure you have enough Finances accessible by 12 a.m. on the date Cash are to be seceded.
    Intuit must reject your payroll by 4 p.m. Central time, two banking days before your paycheck date or your state would not be paid on time.
    QuickBooks does not process payrolls on weekends or federal banking holidays. A list of federal banking holidays can be viewed at the Federal Reserve website.
    Thank you for your business.
    Regards,
    Intuit Payroll Services


    The malicious payload is at [donotclick]epionkalom .ru:8080/forum/links/column.php hosted on a bunch of IP addresses that we have seen many, many times before:
    91.121.57.231 (OVH, France)
    195.210.47.208 (PS Internet, Kazakhstan)
    202.72.245.146 (Railcom, Mongolia) ..."
    ___

    Fake 'TurboTax State Return Rejected' SPAM
    - http://security.intuit.com/alert.php?a=72
    2/14/13 - "People are receiving fake emails with the title 'TurboTax State Return Rejected'. Below is a copy of the email people are receiving. The email does not contain a link; however, the email has a .zip attachment that contains malware. Do not open the .zip file.
    > http://security.intuit.com/images/turbotaxstate.jpg
    This is the end of the fake email..."

    Last edited by AplusWebMaster; 2013-02-15 at 04:06.

  7. #127
    Adviser Team AplusWebMaster's Avatar

    Fake IRS emails lead to BlackHole Exploit Kit

    FYI...

    Fake IRS emails lead to BlackHole Exploit Kit
    - http://blog.webroot.com/2013/02/15/s...e-exploit-kit/
    Feb 15, 2013 - "It's tax season and cybercriminals are mass mailing tens of thousands of IRS (Internal Revenue Service) themed emails in an attempt to trick users into thinking that their income tax refund has been “turned down”. Once users click on any of the links found in the malicious emails, they’re automatically exposed to the client-side exploits served by the Black Hole Exploit Kit...
    Sample screenshot of the spamvertised email:
    > https://webrootblog.files.wordpress....xploit_kit.png
    ... Malicious domain name reconnaissance:
    micropowerboating .net – 175.121.229.209; 198.144.191.50 – Email: dooronemars @aol .com
    Name Server: NS1.POOPHANAM .NET – 31.170.106.17
    Name Server: NS2.POOPHANAM .NET – 65.135.199.21
    The following malicious domains also respond to the same IPs (175.121.229.209; 198.144.191.50) and are part of the campaign’s infrastructure...
    Although the initial client-side exploits serving domain used in the campaign (micropowerboating .net) was down when we attempted to reproduce its malicious payload, we managed to reproduce the malicious payload for a different domain parked at the same IP (175.121.229.209), namely, madcambodia .net.
    Detection rate for the dropped malware:
    madcambodia .net – 175.121.229.209 – MD5: * ... Trojan-Spy.Win32.Zbot.ivkf.
    Once executed, the sample also phones back to the following C&C (command and control) servers: 94.68.61.135 :14511, 99.76.3.38 :11350
    We also got another MD5 phoning back to the same IP..."
    (More detail at the webroot URL above.)
    * https://www.virustotal.com/en/file/d...9a70/analysis/
    File name: 2da28ae0df7a90ce89c7c43878927a9f
    Detection ratio: 23/45
    Analysis date: 2013-02-10 05
    ___

    Malware sites to block 15/2/13
    - http://blog.dynamoo.com/2013/02/malw...ock-15313.html
    15 Feb 2013 - "A set of malware sites.. or I think two sets of malware sites that you might want to block. The .ru domains are connected with this botnet, a second set of sites seem to be something else malicious. Both groups of sites are connected by a server at 142.0.45.27 (Volumedrive, US**) which may be a C&C server. Interested parties might want to poke at the server a bit.. As a bonus, these are the IPs* that I can find connected with the .ru botnet that I have collected over the past few days. Some of them are dynamic, but it might be a starting point if anyone wants to poke at that botnet a bit more..."
    * http://www.dynamoo.com/files/botnet-feb-13.txt

    ** https://www.google.com/safebrowsing/...?site=AS:46664
    ___

    Fake IRS SPAM / azsocseclawyer .net
    - http://blog.dynamoo.com/2013/02/cum-...lawyernet.html
    15 Feb 2013 - "This fake IRS spam (from an office on "Cum Avenue"!) actually leads to malware on azsocseclawyer .net:
    Date: Fri, 15 Feb 2013 09:47:25 -0500
    From: Internal Revenue Service [ahabfya196 @etax.irs .gov]
    Subject: pecuniary penalty for delay of tax return filling
    Herewith we are informing you that you are required to pay a surcharge for not filling the income tax return prior to January 31.
    Please note that IRS Section 7117-F-8 specifies a money penalty of $2.000 for each Form 479 that is filled later than deadline for filling the income tax return or does not contain the exhaustive information described in 7117-F-8.
    You will be released from the pecuniary penalty when the taxpayer shows that the failure to file was caused by substantial reason.
    Please visit official website for more information
    Internal Revenue Services United States, Department of Treasury
    Ap #822-9450 Cum Avenue
    Hours of Operation: Monday-Friday, 11:30AM - 16:30PM your local time.


    The malicious payload is at [donotclick]azsocseclawyer .net/detects/necessary_documenting_broadcasts-sensitive.php (report here*) hosted on:
    77.241.192.47 (VPSNET, Lithuania)
    175.121.229.209 (Hanaro Telecom, Korea)..."
    * http://urlquery.net/report.php?id=1009373
    ... BlackHole v2.0 exploit kit
    ___

    Fake Wire transfer SPAM / 202.72.245.146
    - http://blog.dynamoo.com/2013/02/wire...272245146.html
    15 Feb 2013 - "This fake wire transfer spam leads to malware on 202.72.245.146:
    Date: Fri, 15 Feb 2013 07:24:40 -0500
    From: Tasha Rosenthal via LinkedIn [member @linkedin .com]
    Subject: RE: Wire transfer cancelled
    Good day,
    Wire Transfer was canceled by the other bank.
    Canceled transaction:
    FED NR: 94813904RE5666838
    Transfer Report: View
    The Federal Reserve Wire Network


    The malicious payload is on [donotclick]202.72.245.146 :8080/forum/links/public_version.php (Railcom, Mongolia) (report here) which is a well-known malicious IP that you should definitely block if you can.
    Update: there is also a "Scan from a HP ScanJet #841548" spam for the same IP, sending victims to [donotclick]202.72.245.146 :8080/forum/links/column.php..."

    Last edited by AplusWebMaster; 2013-02-15 at 19:27.

  8. #128
    Adviser Team AplusWebMaster's Avatar

    Facebook Wall posts malware propagations ...

    FYI...

    Facebook Wall posts malware propagations ...
    - http://blog.webroot.com/2013/02/18/m...ok-wall-posts/
    Feb 18, 2013 - "We’ve recently intercepted a localized — to Bulgarian — malware campaign, that’s propagating through Facebook Wall posts. Basically, a malware-infected user would unknowingly post a link+enticing message, in this case “Check it out!“, on their friend’s Walls, in an attempt to abuse their trusted relationship and provoke them to click on the malicious link. Once users click on the link, they’re exposed to the malicious software...
    Sample screenshot of the propagation in action:
    > https://webrootblog.files.wordpress....ware_links.png
    Sample spamvertised URL appearing on Facebook users’ Walls:
    hxxp ://0845 .com/fk7u
    Sample redirection chain:
    hxxp ://0845 .com/fk7u -> hxxp ://connectiveinnovations .com/mandolin.html?excavator=kmlumm -> hxxp ://91.218.38.245 /imagedl11.php
    Sample detection rates for the malicious executables participating in the campaign:
    hxxp ://91.218.38.245 /imagedl11.php – MD5: 1ad434025cd1fb681597db80447290e4 * ... Backdoor:Win32/Tofsee.F ...
    Responding to this IP (91.218.38.245, AS197145 Infium Ltd.) are also... malicious/fraudulent domains...
    More MD5s are known to have phoned back to 91.218.38.245:
    MD5: 20057f1155515dd3a37afde0b459b2cf
    MD5: 665419c0e458883122a790f260115ada
    MD5: 1ea373c41eabd0ad3787039dd0927525
    MD5: f3472ec713d3ab2e255091194e4dccaa
    MD5: 4d54a2c022dad057f8e44701d52fec6b
    MD5: 6807409c44a4a9c83ce67abc3d5fe982
    As well as related MD5s phoning back to 185.4.227.76:
    MD5: 6b1e671746373a5d95e55d17edec5623
    MD5: 377c2e63ff3fd6f5fdd93ff27c8216fe
    MD5: 2D4C5B95321C5A9051874CEE9C9E9CDC
    MD5: 3f9df3fd39778b1a856dedebf8f39654
    MD5: 82e2672c2ca1b3200d234c6c419fc83a
    MD5: 796967255c8b99640d281e89e3ffe673
    MD5: bc1883b07b47423bd30645e54db4775c
    MD5: e6f081d2c5a3608fad9b2294f1cb6762
    What’s special about the second C&C phone back IP (185.4.227.76) is that it was used in another Facebook themed malware campaign back in December, 2012, indicating that this cybercriminal/group of cybercriminals are actively impersonating Facebook Inc. for malicious and fraudulent purposes..."
    (More detail at the webroot URL above.)
    * https://www.virustotal.com/en/file/c...5947/analysis/
    File name: Dionis
    Detection ratio: 31/45
    Analysis date: 2013-02-15

    AS197145 Infium
    - https://www.google.com/safebrowsing/...site=AS:197145

    Last edited by AplusWebMaster; 2013-02-19 at 15:47.

  9. #129
    Adviser Team AplusWebMaster's Avatar

    Fake Wire Transfer emails serve client-side exploits and malware

    FYI...

    Fake Wire Transfer emails serve client-side exploits and malware
    - http://blog.webroot.com/2013/02/19/m...s-and-malware/
    Feb 19, 2013 - "... a persistent attempt to infect tens of thousands of users with malware through a systematic rotation of multiple social engineering themes... they all share the same malicious infrastructure. Let’s profile one of the most recently spamvertised campaigns, and expose the cybercriminals’ complete portfolio of malicious domains, their related name servers, dropped MD5 and its associated run time behavior...
    Sample screenshot of the spamvertised email:
    > https://webrootblog.files.wordpress....xploit_kit.png
    Sample spamvertised compromised URLs:
    hxxp://2555.ruksadindan .com/page-329.htm
    hxxp://www.athenassoftware .com.br/page-329.htm
    hxxp://www.sweetgarden .ca/page-329.htm
    hxxp://lab.monohrom .uz/page-329.htm
    hxxp://easy2winpoker .com/page-329.htm
    hxxp://ideashtor .ru/page-329.htm
    Sample client-side exploits serving URL:
    hxxp:// 202.72.245.146 :8080/forum/links/public_version.php
    ... malicious domains also respond to the same IP (202.72.245.146) and are part of multiple campaigns spamvertised over the past couple of days...
    (Long list available at the webroot URL above.)...
    Sample malicious payload dropping URL:
    hxxp:// 202.72.245.146 :8080/forum/links/public_version.php?mmltejvt=1g:2v:33:2v:2w&pstvw=3d&xrej=1j:33:32:1l:1g:1i:1o:1n:1o:1i&vczaspnq=1n:1d:1f:1d:1f:1d:1j:1k:1l
    Sample client-side exploits served: CVE-2010-0188
    Upon successful client-side exploitation, the campaign drops MD5: 04e9d4167c9a1b82e622e04ad85f8e99 * ... Trojan.Win32.Yakes.cdxy.
    Once executed, the sample creates... Registry Keys... And modifies them..."
    (More detail available at the webroot URL above.)
    * https://www.virustotal.com/en/file/b...d48d/analysis/
    File name: contacts.exe
    Detection ratio: 33/46
    Analysis date: 2013-02-18
    ___

    Something evil on 67.208.74.71
    - http://blog.dynamoo.com/2013/02/some...672087471.html
    19 Feb 2013 - "67.208.74.71 (Inforelay, US) is a parking IP with several thousand IPs hosted on it. However, it also includes a large number of malicious sites using Dynamic DNS services. Some of these sites have recently moved from the server mentioned here*.
    Probably most of the sites on this server are legitimate and blocking access to it might cause some problems. However, you can block most of these malicious domains by targeting the Dynamic DNS domain...
    You can find a copy of the domains, IPs, WOT ratings and Google prognosis here** [csv].
    These following domains are hosted on 67.208.74.71 and are listed as malicious by Google's Safe Browsing Diagnostics...
    These domains are hosted on 67.208.74.71 and are not flagged by Google, but almost all have a poor WOT reputation and are very likely to be malicious...
    These sites appear to have been hosted recently on 67.208.74.71 and are flagged as malware by Google, but are not resolving at present...
    These domains appear to have been recently hosted on 67.208.74.71, are not flagged as malicious by Google but are nonetheless suspect..."
    (More detail available at the dynamoo URL above.)
    * http://blog.dynamoo.com/2013/02/some...926310523.html

    ** http://www.dynamoo.com/files/67-208-74-71.csv

    - https://www.google.com/safebrowsing/...?site=AS:33597
    ___

    Fake UPS SPAM / emmmhhh .ru
    - http://blog.dynamoo.com/2013/02/ups-spam-emmmhhhru.html
    19 Feb 2013 - "The spammers sending this stuff out always confuse UPS with USPS, this one is no exception although on balance it is more UPS than USPS.. anyway, it leads to malware on emmmhhh .ru:
    From: messages-noreply @bounce.linkedin .com [mailto:messages-noreply @bounce.linkedin .com] On Behalf Of Valda Gill via LinkedIn
    Sent: 19 February 2013 10:00
    Subject: United Postal Service Tracking Nr. H9878032462
    You can use UPS .COM to:
    Ship Online
    Schedule a Pickup
    Open a UPS .COM Account
    Welcome to UPS Team
    Hi, [redacted].
    DEAR CUSTOMER , We were not able to delivery the post package
    PLEASE PRINT OUT THE INVOICE COPY ATTACHED AND COLLECT THE PACKAGE AT OUR DEPARTMENT.
    With best regards , UPS Customer Services.
    Copyright 2011 United Parcel Service of America, Inc. Your USPS ...us


    There is an attachment UPS_ID5408466.htm which attempts to direct visitors to [donotclick]emmmhhh .ru:8080/forum/links/column.php hosted on:
    50.31.1.104 (Steadfast Networks, US)
    66.249.23.64 (Endurance International, US)
    195.210.47.208 (PS Internet Company, Kazakhstan)
    The following IPs and domains are all malicious and should be blocked:
    50.31.1.104
    66.249.23.64
    195.210.47.208
    ..."
    ___

    Something evil on 74.208.148.35
    - http://blog.dynamoo.com/2013/02/some...420814835.html
    19 Feb 2013 - "Spotted by the good folks at GFI Labs here*, here** and here*** are several Canadian domains on the same server, 74.208.148.35 (1&1, US):
    justcateringfoodservices .com
    dontgetcaught .ca
    blog.ritual .ca
    lumberlandnorth .com
    Obviously, there's some sort of server-level compromise here. Blocking access to 74.208.148.35 will give some protection against several very active malicious spam campaigns..."
    * http://gfisoftware.tumblr.com/post/4...l-invoice-spam

    ** http://gfisoftware.tumblr.com/post/4...complaint-spam

    *** http://gfisoftware.tumblr.com/post/4...-transfer-spam
    ___

    Fake pharma SPAM - Cyberbunker / 84.22.104.123
    - http://blog.dynamoo.com/2013/02/cybe...422104123.html
    19 Feb 2013 - "Crime-friendly host Cyberbunker strikes again, this time hosting more fake pharma sites on 84.22.104.123, being promoted through this suspicious looking spam:
    Date: Tue, 19 Feb 2013 22:58:26 +0000 (GMT)
    From: Apple [noreply @bellona.wg.saar .de]
    To: [redacted]
    Subject: Your Apple ID was used to sign in to FaceTime, iCloud, and iMessage on an iPhone 5
    Dear Customer,
    Your Apple ID ([redacted]) was used to sign in to FaceTime, iCloud, and iMessage on an iPhone 5.
    If you have not recently set up an iPhone with your Apple ID, then you should change your Apple ID password. Learn More.
    Privacy Policy
    Copyright 2013 Apple Inc. 1 Infinite Loop, Cupertino CA 95014 - All Rights Reserved.


    The spam has a link to an illegally hacked legitimate site that then bounces to drugstorepillstablets .ru hosted on 84.22.104.123 along with... spammy sites... Cyberbunker is nothing but bad news. Blocking 84.22.96.0/19 is an exceptionally good idea.
    (More detail at the dynamoo URL above.)

    * https://www.google.com/safebrowsing/...?site=AS:34109

    Last edited by AplusWebMaster; 2013-02-20 at 02:26.
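Defender-side worked example, added here and not taken from the dynamoo or Webroot posts above nor from any tool they mention. The indicators in these posts are printed defanged ("hxxp ://", "emmmhhh .ru", "[donotclick]"), so the script refangs a handful of them, builds a blocklist from the listed hosts, the hosting IPs and the 84.22.96.0/19 range dynamoo recommends blocking, and then scans a few constructed proxy log lines. A hostname matches if it or any parent domain is on the list (which is why blocking a Dynamic DNS parent catches the subdomains under it), an IP matches exactly or by CIDR, and any request to the ":8080/forum/links/column.php" or "public_version.php" landing path that recurs throughout these campaigns is flagged on its own, even for a host not yet on the list. The log lines and their "time client method url status" layout are assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators copied from the posts above, still defanged the way the blogs
# print them ("hxxp ://", "emmmhhh .ru", "[donotclick]" prefixes).
DEFANGED_INDICATORS = [
    "[donotclick]202.72.245.146 :8080/forum/links/column.php",
    "[donotclick]emmmhhh .ru:8080/forum/links/column.php",
    "hxxp ://0845 .com/fk7u",
    "drugstorepillstablets .ru",
    "dontgetcaught .ca",
]
# Hosting IPs and the Cyberbunker range the dynamoo posts recommend blocking.
BLOCKED_IPS = ["50.31.1.104", "66.249.23.64", "195.210.47.208", "74.208.148.35"]
BLOCKED_CIDRS = ["84.22.96.0/19"]

# Blackhole landing-page path that recurs in the campaigns above.
LANDING_PATTERN = re.compile(r"/forum/links/(?:column|public_version)\.php", re.I)


def refang(indicator: str) -> str:
    """Undo the defanging used in the posts so the value can be matched."""
    s = indicator.replace("[donotclick]", "")
    s = re.sub(r"hxxp(s?)\s*://", r"http\1://", s)   # "hxxp ://" -> "http://"
    s = re.sub(r"\s+\.", ".", s)                     # "emmmhhh .ru" -> "emmmhhh.ru"
    s = re.sub(r"\s+:", ":", s)                      # "1.2.3.4 :8080" -> "1.2.3.4:8080"
    return s.strip()


def _host_of(value: str) -> str:
    return urlsplit(value if "://" in value else "http://" + value).hostname or ""


class Blocklist:
    def __init__(self, domains, ips, cidrs):
        self.domains = {d.lower() for d in domains}
        self.ips = {ipaddress.ip_address(i) for i in ips}
        self.networks = [ipaddress.ip_network(c) for c in cidrs]

    def host_hit(self, host: str):
        """Return the blocklist entry a host matches, or None."""
        host = host.lower().rstrip(".")
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            # Domain: match the name itself or any parent domain, so blocking
            # a Dynamic DNS parent covers every subdomain beneath it.
            labels = host.split(".")
            for i in range(len(labels) - 1):
                candidate = ".".join(labels[i:])
                if candidate in self.domains:
                    return candidate
            return None
        if ip in self.ips:
            return str(ip)
        for net in self.networks:
            if ip in net:
                return str(net)
        return None


def build_blocklist() -> Blocklist:
    domains, ips = set(), set(BLOCKED_IPS)
    for indicator in DEFANGED_INDICATORS:
        host = _host_of(refang(indicator))
        try:
            ipaddress.ip_address(host)
            ips.add(host)
        except ValueError:
            domains.add(host)
    return Blocklist(domains, ips, BLOCKED_CIDRS)


# Constructed proxy log lines (assumed format: time client method url status).
SAMPLE_LOG = [
    "2013-02-20T10:02:11Z 10.0.0.15 GET http://www.example.com/index.html 200",
    "2013-02-20T10:02:13Z 10.0.0.15 GET http://emmmhhh.ru:8080/forum/links/column.php 200",
    "2013-02-20T10:05:40Z 10.0.0.22 GET http://202.72.245.146:8080/forum/links/public_version.php?mmltejvt=1g 200",
    "2013-02-20T10:07:02Z 10.0.0.22 GET http://84.22.104.123/ 302",
    "2013-02-20T10:09:30Z 10.0.0.31 GET http://abc123.dontgetcaught.ca/ 200",
    "2013-02-20T10:11:00Z 10.0.0.31 GET http://www.example.org/ 200",
]


def scan_proxy_log(lines, blocklist: Blocklist):
    """Return (time, client, host, reasons) for every line worth an alert."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        when, client, _method, url = parts[:4]
        parsed = urlsplit(url)
        host = parsed.hostname or ""
        reasons = []
        matched = blocklist.host_hit(host)
        if matched:
            reasons.append("blocklist:" + matched)
        if LANDING_PATTERN.search(parsed.path):
            reasons.append("blackhole-landing-url")
        if reasons:
            hits.append((when, client, host, reasons))
    return hits


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG, build_blocklist()):
        print(hit)
```

Four of the six constructed lines come back flagged: the two landing-page requests (each also a blocklist hit), the request into the 84.22.96.0/19 range, and the subdomain of dontgetcaught .ca. The landing-path check is deliberately independent of the blocklist because the posts show the same column.php / public_version.php path moving from one .ru domain and hosting IP to the next every day.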

  10. #130
    Adviser Team AplusWebMaster's Avatar

    Fake USPS SPAM with malware attachment...

    FYI...

    Fake USPS SPAM / USPS delivery failure report.zip
    - http://blog.dynamoo.com/2013/02/usps...y-failure.html
    20 Feb 2013 - "This fake USPS spam contains malware in an attachment called USPS delivery failure report.zip.
    Date: Wed, 20 Feb 2013 06:40:39 +0200 [02/19/13 23:40:39 EST]
    From: USPS client manager Michael Brewer [reports @usps .com]
    Subject: USPS delivery failure report
    USPS notification
    Our company’s courier couldn’t make the delivery of package.
    REASON: Postal code contains an error.
    LOCATION OF YOUR PARCEL: KnoxvilleFort
    DELIVERY STATUS: sort order
    SERVICE: One-day Shipping
    NUMBER OF YOUR PARCEL: M1PZN6BI4F
    FEATURES: No
    Label is enclosed to the letter.
    Print a label and show it at your post office.
    An additional information:
    If the parcel isn’t received within 30 working days our company will have the right to claim compensation from you for it’s keeping in the amount of $8.26 for each day of keeping of it.
    You can find the information about the procedure and conditions of parcels keeping in the nearest office.
    Thank you for using our services.
    USPS Global.


    The attachment is double-zipped, presumably to try to evade virus and content scanners. Opening it extracts another ZIP file called USPS report id 943577924988734.zip which contains another file called USPS report id 943577924988734.exe.
    The VirusTotal detections for this are patchy and fairly generic*. Automated analysis tools are pretty inconclusive** when it comes to the payload, although if you are trying to clean it up then starting with HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched (which is set to "C:\Documents and Settings\All Users\svchost.exe") is probably a good start."
    * https://www.virustotal.com/en/file/6...is/1361351470/
    File name: USPS report id 943577924988734.exe
    Detection ratio: 27/46
    Analysis date: 2013-02-20
    ** http://camas.comodo.com/cgi-bin/subm...ac5b32d8e28682
    ___

    Something evil on 62.212.130.115
    - http://blog.dynamoo.com/2013/02/some...212130115.html
    20 Feb 2013 - "Something evil seems to be lurking on 62.212.130.115 (Xenosite, Netherlands) - a collection of sites connected with the Blackhole exploit kit, plus indications of evil subdomains of legitimate hacked sites. All-in-all, this IP is probably worth avoiding.
    Firstly, there are the evil subdomains that have a format like 104648746540365e.familyholidayaccommodation .co.za - these are mostly hijacked .co.za and .cl domains. The following list contains the legitimate domains and IPs that appear to have been hijacked. Ones marked in red have been flagged as malicious by Google. Remember, these IPs are not evil, it is just the subdomains that are (on a different IP)...
    The second bunch of domains appear to be connected with the Blackhole Exploit kit (according to this report*) and can be assumed to be malicious, and are hosted on 62.212.130.115...
    The final group is where it gets messy. These are malicious subdomains that either are on (or have recently been on) 62.212.130.115. It looks like they are hardened against analysis, but they certainly shouldn't be here and can be assumed to be malicious too..."
    (More detail at the dynamoo URL above.)
    * http://pastebin.com/FNjkdB34
    ___

    famagatra .ru injection attack in progress
    - http://blog.dynamoo.com/2013/02/fama...-progress.html
    20 Feb 2013 - "There seems to be an injection attack in progress, leading visitors to a hacked website to a malicious page on the server famagatra .ru.
    The payload is at [donotclick]famagatra .ru:8080/forum/links/public_version.php?atd=1n:33:2v:1l:1h&qav=3j&yvxhqg=1j:33:32:1l:1g:1i:1o:1n:1o:1i&jehmppj=1n:1d:1f:1d:1f:1d:1j:1k:1l (report here*) which is basically a nasty dose of Blackhole.
    84.23.66.74 (EUserv Internet, Germany)
    195.210.47.208 (PS Internet Company, Kazakhstan)
    210.71.250.131 (Chunghwa Telecom, Taiwan)
    The following domains and IPs are all part of the same evil circus:
    84.23.66.74
    195.210.47.208
    210.71.250.131
    ..."
    (More detail at the dynamoo URL above.)
    * http://urlquery.net/report.php?id=1050803
    ... Blackholev2 redirection successful
    ___

    Fake Wire transfer SPAM / fulinaohps .ru
    - http://blog.dynamoo.com/2013/02/wire...inaohpsru.html
    20 Feb 2013 - "This fake wire transfer spam leads to malware on fulinaohps .ru:
    Date: Wed, 20 Feb 2013 04:28:14 +0600
    From: accounting@[victimdomain]
    Subject: Fwd: ACH and Wire transfers disabled.
    Dear Online Account Operator,
    Your ACH transactions have been
    temporarily disabled.
    View details
    Best regards,
    Security department


    The malicious payload is at [donotclick]fulinaohps .ru:8080/forum/links/column.php (report here*) hosted on the following IPs:
    84.23.66.74 (EUserv Internet, Germany)
    195.210.47.208 (PS Internet Company, Kazakhstan)
    210.71.250.131 (Chunghwa Telecom, Taiwan)
    These are the same IPs as used in this attack**, you should block them if you can."
    * http://urlquery.net/report.php?id=1051770
    ... suspicious URL pattern... obfuscated URL
    ** http://blog.dynamoo.com/2013/02/fama...-progress.html
    ___

    Fake SendSecure Support SPAM / secure_message... .zip
    - http://blog.dynamoo.com/2013/02/send...port-spam.html
    20 Feb 2013 - "This fake SendSecure Support / Bank of America spam comes with a malicious attachment called secure_message_02202013_01590106757637303.zip:
    Date: Wed, 20 Feb 2013 11:23:43 -0400 [10:23:43 EST]
    From: SendSecure Support [SendSecure.Support @bankofamerica .com]
    Subject: You have received a secure message from Bank Of America
    You have received a secure message.
    Read your secure message by opening the attachment. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.
    If you have concerns about the validity of this message, please contact the sender directly.
    First time users - will need to register after opening the attachment.
    Help - https ://securemail.bankofamerica .com/websafe/help?topic=Envelope


    The zip file secure_message_02202013_01590106757637303 .zip unzips into secure_message_02202013_01590106757637303 .exe with a VirusTotal detection**... According to ThreatExpert***, the malware installs a keylogger and also tries to phone home to:
    blog.ritual .ca
    dontgetcaught .ca
    These sites are hosted on 74.208.148.35 which I posted about yesterday*. Blocking access to this IP might mitigate against this particular threat somewhat."
    * http://blog.dynamoo.com/2013/02/some...420814835.html

    ** https://www.virustotal.com/en/file/3...is/1361376818/
    File name: secure_message_02202013_{DIGIT[17]}.exe
    Detection ratio: 6/46
    Analysis date: 2013-02-20

    *** http://www.threatexpert.com/report.a...27e6479a4dffd3
    ___

    - http://tools.cisco.com/security/cent...utbreak.x?i=77
    Fake Airline Ticket Credit Card Processing E-mail Messages - February 20, 2013
    Fake CashPro Online Digital Certificate Notification E-mail Messages - February 20, 2013
    Fake Tax Document Notification E-mail Messages - February 20, 2013
    Fake Rejected Tax Form Notification E-mail Messages - February 20, 2013
    Fake Bank Deposit Notification E-mail Messages - February 20, 2013
    Fake Package Delivery Failure E-mail Messages - February 20, 2013
    Fake Product Order E-mail Messages - February 20, 2013
    (More info and links available at the cisco URL above.)

    Last edited by AplusWebMaster; 2013-02-21 at 00:10.
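Added example, not from the dynamoo post on the USPS attachment above: a content-filter check for the double-zipped attachment trick it describes, plus a check for the Run-key persistence it names. The archive is constructed in memory with the member names from the post and a harmless placeholder in place of the real .exe. naive_scan() shows what a filter that only reads the outer member list sees (nothing), recursive_scan() opens nested archives by magic bytes to a bounded depth and flags executables, and suspicious_run_entries() flags Run values that launch a Windows system binary name such as svchost.exe from outside C:\Windows, which is what the SunJavaUpdateSched value in the post does. The Run entries, the executable-extension list and the masquerade name list are assumptions.

```python
import io
import os
import zipfile

# Member types that should never arrive inside a "report" or "label" archive.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
ZIP_MAGIC = b"PK\x03\x04"
MAX_MEMBER_BYTES = 20 * 1024 * 1024   # refuse to inflate anything larger (zip-bomb guard)


def ext(name: str) -> str:
    return os.path.splitext(name)[1].lower()


def build_constructed_sample() -> bytes:
    """Constructed stand-in for the attachment in the post: an outer ZIP that
    holds an inner ZIP that holds the .exe. Names follow the post; the .exe
    body is a harmless placeholder, not the real malware."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("USPS report id 943577924988734.exe", b"MZ" + b"\x00" * 64)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("USPS report id 943577924988734.zip", inner.getvalue())
    return outer.getvalue()


def naive_scan(data: bytes):
    """What a one-level attachment filter sees: only the outer member names."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return [n for n in z.namelist() if ext(n) in EXECUTABLE_EXTS]


def recursive_scan(data: bytes, depth: int = 0, max_depth: int = 4, prefix: str = ""):
    """Walk nested archives (detected by magic bytes, not by extension) and
    return (member_path, finding) tuples."""
    findings = []
    if depth > max_depth:
        findings.append((prefix.rstrip("/"), "max-nesting-depth-exceeded"))
        return findings
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        findings.append((prefix.rstrip("/"), "not-a-valid-zip"))
        return findings
    with archive:
        for info in archive.infolist():
            path = prefix + info.filename
            if ext(info.filename) in EXECUTABLE_EXTS:
                findings.append((path, "executable-in-archive"))
            if info.file_size > MAX_MEMBER_BYTES:
                findings.append((path, "oversized-member-skipped"))
                continue
            member = archive.read(info)
            if member.startswith(ZIP_MAGIC):
                findings.append((path, "nested-archive-depth-%d" % (depth + 1)))
                findings.extend(recursive_scan(member, depth + 1, max_depth, path + "/"))
    return findings


# Persistence check for the Run value the post names. Constructed sample
# entries: the first mirrors the post, the second is a made-up benign one.
MASQUERADE_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "explorer.exe"}
SYSTEM_PREFIXES = ("c:\\windows\\",)
SAMPLE_RUN_ENTRIES = {
    "SunJavaUpdateSched": r'"C:\Documents and Settings\All Users\svchost.exe"',
    "ExampleUpdater": r'"C:\Program Files\Example Vendor\updater.exe"',
}


def suspicious_run_entries(entries):
    """Flag HKLM\\...\\Run values that launch a Windows system binary name
    from outside the Windows directory."""
    flagged = []
    for value_name, command in entries.items():
        path = command.strip().strip('"').lower()
        base = path.rsplit("\\", 1)[-1]
        if base in MASQUERADE_NAMES and not path.startswith(SYSTEM_PREFIXES):
            flagged.append(value_name)
    return flagged


if __name__ == "__main__":
    sample = build_constructed_sample()
    print("one-level filter:", naive_scan(sample))
    for finding in recursive_scan(sample):
        print(finding)
    print("suspicious Run values:", suspicious_run_entries(SAMPLE_RUN_ENTRIES))
```

The nested archive is recognised by its PK header rather than its name, so renaming the inner .zip does not hide it, and the depth and size limits keep a deliberately deep or oversized archive from exhausting the scanner.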
