
Thread: SPAM frauds, fakes, and other MALWARE deliveries...

  1. #131
    Adviser Team AplusWebMaster
    Join Date: Oct 2005 | Location: USA | Posts: 6,881

    Fake ADP/Verizon SPAM ...

    FYI...

    Fake ADP SPAM / faneroomk .ru
    - http://blog.dynamoo.com/2013/02/adp-...neroomkru.html
    21 Feb 2013 - "This fake ADP spam tries (and fails) to lead to malware on faneroomk .ru:
    From: messages-noreply @bounce.linkedin .com [mailto:messages-noreply@bounce.linkedin .com] On Behalf Of LinkedIn
    Sent: 20 February 2013 20:02
    Subject: ADP Immediate Notification
    ADP Immediate Notification
    Reference #: 001737199
    Thu, 21 Feb 2013 02:01:39 +0600
    Dear ADP Client
    Your Transfer Record(s) have been created at the web site:
    https ://www.flexdirect .adp.com/client/login.aspx
    Please see the following notes:
    • Please note that your bank account will be debited within one banking business day for the amount(s) shown on the report(s).
    • Please do not respond or reply to this automated e-mail. If you have any questions or comments, please Contact your ADP Benefits Specialist.
    This note was sent to acting users in your system that approach ADP Netsecure.
    As usual, thank you for choosing ADP as your business affiliate!
    Ref: 890911798
    HR. Payroll. Benefits.
    The ADP logo and ADP are registered trademarks of ADP, Inc.
    In the business of your success is a service mark of ADP, Inc.
    © 2013 ADP, Inc. All rights reserved.


    The malicious payload is meant to be [donotclick]faneroomk .ru:8080/forum/links/column.php but right at the moment it is not resolving... The following IPs and domains are all related:
    ..."
    (More detail at the dynamoo URL above.)
    ___

    Fake Verizon Wireless SPAM / participamoz .com
    - http://blog.dynamoo.com/2013/02/veri...ipamozcom.html
    20 Feb 2013 - "This fake Verizon Wireless spam leads to malware on participamoz .com:
    Date: Wed, 20 Feb 2013 23:24:49 +0400
    From: "AccountNotify @verizonwireless .com" [cupcakenc0 @irs .gov]
    Subject: Verizon wireless online bill.
    Important account information from Verizon Wireless
    Your current bill for your account ending in XXXX-XX001 is now available online in My Verizon
    Total Balance Due: $48.15
    Scheduled Automatic Payment Date: 02/25/2012
    Mind that payments and/or adjustments made to your account after your bill was generated will be deducted from your automatic payment amount.
    > Review and Pay Your Bill
    Thank you for choosing Verizon Wireless.
    My Verizon is also available 24/7 to assist you with:
    Vrowsing your usage
    Updating your plan
    Adding Account Members
    Paying your bill
    Finding accessories for your devices
    And much, much more...
    2011 Verizon Wireless
    Verizon Wireless | One Verizon Way | Mail Code: 190WVB | Basking Ridge, NJ 07990
    We respect your privacy. Please review our privacy policy for more information
    If you are not the intended recipient and feel you have received this email in error; or if you would like to update your customer notification preferences, please click here.


    The malicious payload is at [donotclick]participamoz .com/detects/holds_edge.php hosted on:
    161.200.156.200 (Chulanet, Thailand)
    173.251.62.46 (MSP Digital / Cablevision, US)
    The following IPs and domains are connected and should be treated as malicious:
    161.200.156.200
    173.251.62.46

    prosctermobile .com
    aftandilosmacerati .com
    pardontemabelos .com
    participamoz .com ..."
    ___

    Fake Verizon emails lead to BlackHole Exploit Kit
    - http://blog.webroot.com/2013/02/21/f...e-exploit-kit/
    Feb 21, 2013 - "On a periodic basis, cybercriminals are spamvertising malicious campaigns impersonating Verizon Wireless to tens of thousands of Verizon customers across the globe in an attempt to trick them into interacting with the fake emails... one of the most recently spamvertised campaigns impersonating Verizon Wireless. Not surprisingly, once users click on any of the links found in the malicious emails, they’re automatically exposed to the client-side exploits served by the Black Hole Exploit Kit...
    Sample screenshot of the spamvertised email:
    > https://webrootblog.files.wordpress....xploit_kit.png
    ... Malicious domain name reconnaissance:
    participamoz .com – 173.251.62.46; 161.200.156.200 – Email: dort.dort @live .com
    Name Server: NS1.THEREGISTARS .COM – 31.170.106.17 – Email: lockwr @rocketmail .com
    Name Server: NS2.THEREGISTARS .COM – 67.15.223.219 – Email: lockwr @rocketmail .com
    ... Upon successful client-side exploitation, the campaign drops MD5: 4377dcc591f87cc24e75f8c69a2a7f8f * ... UDS:DangerousObject.Multi.Generic.
    It then attempts to phone back to the following IPs:
    ..."
    (More detail at the webroot URL above.)
    * https://www.virustotal.com/en/file/8...3dd9/analysis/
    File name: info.exe
    Detection ratio: 25/46
    Analysis date: 2013-02-21
    ___

    Fake "Efax Corporate" SPAM / fuigadosi .ru
    - http://blog.dynamoo.com/2013/02/efax...igadosiru.html
    21 Feb 2013 - "This fake eFax spam leads to malware on fuigadosi .ru:
    Date: Thu, 21 Feb 2013 -05:24:35 -0800
    From: LinkedIn Password [password @linkedin .com]
    Subject: Efax Corporate
    Attachments: EFAX_Corporate.htm
    Fax Message [Caller-ID: 705646877]
    You have received a 29 pages fax at Thu, 21 Feb 2013 -05:24:35 -0800, (913)-809-4198.
    * The reference number for this fax is [eFAX-806896385].
    View attached fax using your Internet Browser.
    © 2013 j2 Global Communications, Inc. All rights reserved.
    eFax ® is a registered trademark of j2 Global Communications, Inc.
    This account is subject to the terms listed in the eFax ® Customer Agreement.


    The malicious payload is at [donotclick]fuigadosi .ru:8080/forum/links/column.php (report here*) hosted on:
    84.23.66.74 (EUserv Internet, Germany)
    122.160.168.219 (Trackon Couriers, India)
    210.71.250.131 (Chungwa Telecom, China)..."
    * http://urlquery.net/report.php?id=1060334
    ___

    Fake Trustwave TrustKeeper emails - Phish ...
    - http://blog.spiderlabs.com/2013/02/-...ing-alert.html
    21 Feb 2013 - "Over the last few hours, Trustwave has received multiple reports of individuals receiving fake emails pretending to be from Trustwave. These emails did not originate from Trustwave. Recipients should immediately delete the emails and not follow any links presented in them. These emails indicate they are being sent as part of a “TrustKeeper PCI Scan Notification” and are alerting the recipient to login to a portal to respond to an issue related to a vulnerability scan of their network. Early analysis has shown these emails are being sent from many variations of fake Trustwave email addresses and redirecting users to multiple non-Trustwave URLs. Visiting these URLs might introduce malware onto your systems. Below is a screenshot of a fake email:
    > http://npercoco.typepad.com/.a/6a013...1337399970c-pi ..."
    ___

    Fake inTuit emails - overdue payment
    - http://security.intuit.com/alert.php?a=73
    2/21/13 - "People are receiving fake emails with the title "Please respond - overdue payment." Below is a copy of the email people are receiving. The email does not contain a link; however, the email has a .zip attachment that contains malware. Do not open the .zip file:
    Please find attached your invoices for the past months. Remit the payment by 02/25/2013 as outlines under our "Payment Terms" agreement.
    Thank you for your business,
    Sincerely,
    Earline Robles


    This is the end of the fake email.
    Steps to Take Now: Do -not- open the attachment in the email..."
    ___

    Fake "Xerox WorkCentre Pro" SPAM / familanar .ru
    - http://blog.dynamoo.com/2013/02/scan...-pro-spam.html
    21 Feb 2013 - "This familiar printer spam leads to malware on the familanar .ru domain:
    Date: Thu, 21 Feb 2013 09:22:25 -0500 [09:22:25 EST]
    From: Tagged [Tagged @taggedmail .com]
    Subject: Fwd: Re: Scan from a Xerox WorkCentre Pro #800304
    A Document was sent to you using a XEROX WorkJet PRO 760820.
    SENT BY : BRYNN
    IMAGES : 5
    FORMAT (.JPEG) DOWNLOAD


    The malicious payload is at [donotclick]familanar .ru:8080/forum/links/column.php (report here*) hosted on:
    84.23.66.74 (EUserv Internet, Germany)
    122.160.168.219 (Trackon Couriers, India)
    210.71.250.131 (Chungwa Telecom, China)
    These are the same IPs found in this attack** and several others. Block 'em if you can."
    * http://www.urlquery.net/report.php?id=1064138

    ** http://blog.dynamoo.com/2013/02/efax...igadosiru.html
    ___

    Fake ACH transaction SPAM / payment receipt - 884993762994.zip
    - http://blog.dynamoo.com/2013/02/ach-...tion-spam.html
    21 Feb 2013 - "This fake ACH transaction spam comes with a malicious attachment:
    Date: Thu, 21 Feb 2013 14:32:08 -0500 [14:32:08 EST]
    From: Payment notification system [homebodiesga38@gmail.com]
    Subject: Automatic transfer notification
    ACH transaction is completed. $443 has been successfully transferred.
    If the transaction was made by mistake please contact our customer service.
    Receipt on payment is attached.
    This is an automatically generated email, please do not reply


    Attached is a file called payment receipt - 884993762994.zip which unzips to payment receipt - 884993762994.exe which has a disappointing VirusTotal detection count of just 14/46... Blocking EXE-in-ZIP files at the perimeter generally causes very little trouble, assuming you can do it..."

    Last edited by AplusWebMaster; 2013-02-22 at 02:51.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .
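The EXE-in-ZIP perimeter block the post above recommends, as an added example (not code from the post or from dynamoo): it inspects a constructed sample archive for executable extensions, a PE "MZ" header hiding under a non-executable name, and .htm members that redirect the way the attachment lures quoted above do. The archive contents, the size limit and the redirect patterns are this example's own assumptions.

```python
"""Perimeter check for EXE-in-ZIP and redirecting .htm attachments.
Added example, not the original post's code; the sample archive is
constructed inline."""
import io
import re
import zipfile

# Extensions Windows will execute directly when the member is double-clicked.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs", ".jar"}
# Markers that make an HTML attachment behave like the redirector .htm files
# quoted on this page (meta refresh or script-driven navigation). Assumed set.
HTML_REDIRECT_RE = re.compile(
    rb'http-equiv\s*=\s*["\']?refresh|<script|window\.location|document\.location',
    re.IGNORECASE,
)
MAX_MEMBER_BYTES = 50 * 1024 * 1024  # assumed cap: refuse to inflate larger members


def _extension(name):
    """Lower-cased final extension of a member name ('a.pdf.exe' -> '.exe')."""
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""


def inspect_zip_attachment(zip_bytes):
    """Return (member_name, reason) for every member that should be blocked.

    Checks applied to each member, in order:
      1. executable extension (double extensions like .pdf.exe included)
      2. 'MZ' PE magic regardless of extension (a renamed executable)
      3. HTML members carrying a meta refresh or script (redirector .htm)
    A malformed archive is itself reported: a perimeter filter cannot vouch
    for content it cannot parse.
    """
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return [("<archive>", "not a valid zip file")]
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = _extension(info.filename)
            if ext in EXECUTABLE_EXTS:
                findings.append((info.filename, "executable extension " + ext))
                continue
            if info.file_size > MAX_MEMBER_BYTES:
                findings.append((info.filename, "member too large to inspect"))
                continue
            with zf.open(info) as member:
                head = member.read(4096)  # header bytes are enough for both checks
            if head[:2] == b"MZ":
                findings.append((info.filename, "PE header with non-executable name"))
            elif ext in {".htm", ".html"} and HTML_REDIRECT_RE.search(head):
                findings.append((info.filename, "HTML attachment with redirect/script"))
    return findings


def build_sample_archive():
    """Constructed test archive mimicking the attachment names quoted above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("payment receipt - 884993762994.exe", b"MZ\x90\x00" + b"\x00" * 60)
        zf.writestr("statement.pdf", b"MZ\x90\x00" + b"\x00" * 60)  # renamed executable
        zf.writestr("Invoices-1207-2012.htm",
                    b'<html><head><meta http-equiv="refresh" '
                    b'content="0;url=http://example.invalid/"></head></html>')
        zf.writestr("readme.txt", b"Nothing to see here.")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in inspect_zip_attachment(build_sample_archive()):
        print("BLOCK %r: %s" % (name, reason))
```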

  2. #132
    AplusWebMaster

    Fake Invoice / D.P. Svc SPAM ...

    FYI...

    Fake Invoice SPAM - "End of Aug. Stat" forummersedec .ru
    - http://blog.dynamoo.com/2013/02/end-...ersedecru.html
    22 Feb 2013 - "This fake invoice email leads to malware on forummersedec .ru:
    Date: Fri, 22 Feb 2013 11:33:38 +0530
    From: AlissonNistler@ [victimdomain]
    Subject: Re: FW: End of Aug. Stat.
    Attachments: Invoices-1207-2012.htm
    Hallo,
    as reqeusted I give you inovices issued to you per dec. 2012 ( Internet Explorer/Mozilla Firefox file)
    Regards


    The attachment attempts to redirect the victim to a malicious payload at [donotclick]forummersedec .ru:8080/forum/links/column.php (report here*) hosted on
    84.23.66.74 (EUserv Internet, Germany)
    122.160.168.219 (Trackon Couriers, India)
    The following IPs and domains are related and should be blocked:
    84.23.66.74
    122.160.168.219
    ...
    (More detail at the dynamoo URL above.)
    * http://urlquery.net/report.php?id=1069702
    ___

    Fake "Data Processing" SPAM / dekolink .net
    - http://blog.dynamoo.com/2013/02/data...kolinknet.html
    22 Feb 2013 - "This fake "Data Processing" spam leads to malware on dekolink .net:
    Date: Fri, 22 Feb 2013 08:06:43 -0500
    From: "Data Processing Service" [customersupport @dataprocessingservice .com]
    Subject: ACH file ID '768.579
    Files Processing Service
    SUCCESS Note
    We have successfully handled ACH file 'ACH2013-02-20-5.txt' (id '768.579') submitted by user '[redacted]' on '2013-02-20 1:14:30.7'.
    FILE SUMMARY:
    Item count: 79
    Total debits: $28,544.53
    Total credits: $28,544.53
    For more info click here


    The malicious payload is at [donotclick]dekolink .net/detects/when-weird-contrast.php (report here*) hosted on the following servers:
    50.7.251.59 (FDC Servers, Czech Republic)
    176.120.38.238 (Langate, Ukraine)..."
    * http://urlquery.net/report.php?id=1062564
    ... BlackHole v2.0 exploit kit
    ___

    Fake LinkedIn SPAM / greatfallsma .com
    - http://blog.dynamoo.com/2013/02/link...allsmacom.html
    22 Feb 2013 - "This "accidental" LinkedIn spam is a fake and leads to malware on greatfallsma .com:
    From: LinkedIn [mailto:papersv@ informer.linkedin .com]
    Sent: 22 February 2013 15:58
    Subject: Reminder about link requests pending
    See who connected with you this week on LinkedIn
    Now it's easy to connect with people you email
    Continue
    This is an accidental LinkedIn Marketing email to help you get the most out of LinkedIn. Unsubscribe
    © 2013, LinkedIn Corporation. 2089 Stierlin Ct, Mountain View, CA 99063

    > Another example:
    Date: Fri, 22 Feb 2013 18:21:25 +0200
    From: "LinkedIn" [noblest00@ info.linkedin .com]
    Subject: Reminder about link requests pending
    [redacted]
    See who requested link with you on LinkedIn
    Now it's easy to connect with people you email
    Continue
    This is an casual LinkedIn Marketing email to help you get the most out of LinkedIn. Unsubscribe
    2013, LinkedIn Corporation. 2073 Stierlin Ct, Mountain View, CA 98043


    The malicious payload is at [donotclick]greatfallsma .com/detects/impossible_appearing_timing.php (report here*) hosted on:
    50.7.251.59 (FDC Servers, Czech Republic)
    176.120.38.238 (Langate, Ukraine)
    These are the same two servers used in this attack; blocking them would probably be a good idea."
    * http://urlquery.net/report.php?id=1071027
    ... Blackhole 2 Landing Page

    Last edited by AplusWebMaster; 2013-02-22 at 19:15.

  3. #133
    AplusWebMaster

    Fake ACH emails serve client-side exploits and malware

    FYI...

    Fake ACH emails serve client-side exploits and malware
    - http://blog.webroot.com/2013/02/25/m...s-and-malware/
    Feb 25, 2013 - "... yet another spam campaign, this time impersonating the “Data Processing Service” company, in an attempt to trick its customers into interacting with the malicious emails. Once they do so, they are automatically exposed to the client-side exploits served by the BlackHole Exploit Kit...
    Sample screenshot of the spamvertised email:
    > https://webrootblog.files.wordpress....ervice_ach.png
    ... Upon successful client-side exploitation, the campaign drops MD5: faa3a6c7bbf5b0449f60409c8bf63859 * ... Trojan-Spy.Win32.Zbot.jfpy.
    ... It then attempts to connect to the following IPs:

    Malicious domain name reconnaissance:
    dekolink .net – 50.7.251.59; 176.120.38.238 – Email: wondermitch @hotmail .com
    Name Server: NS1.THEREGISTARS .COM – 31.170.106.17 – Email: lockwr @rocketmail .com
    Name Server: NS2.THEREGISTARS .COM – 67.15.223.219 – Email: lockwr @rocketmail .com ..."
    (More detail available at the webroot URL above.)
    * https://www.virustotal.com/en/file/1...ca62/analysis/
    File name: info.exe
    Detection ratio: 27/45
    Analysis date: 2013-02-25
    ___

    Trustwave Trustkeeper Phish
    - https://isc.sans.edu/diary.html?storyid=15271
    Last Updated: 2013-02-25 17:41:36 UTC - ... the giveaway that this is a fake is the from e-mail address as well as the link leading to a different site than advertised. Click on the image for a full size example.
    > https://isc.sans.edu/diaryimages/ima...twavephish.png
    [Update:] An analysis of this phish by Trustwave's own Spiderlabs can be found here:
    - http://blog.spiderlabs.com/2013/02/m...per-phish.html

    - http://blog.dynamoo.com/2013/02/trus...ties-scan.html
    25 Feb 2013 - "... this "TrustKeeper Vulnerabilities Scan Information" -spam- leads to an exploit kit on saberdelvino .net...
    > https://lh3.ggpht.com/-Gyic2-WNNZE/U.../trustwave.png
    ... The malicious payload is at [donotclick]saberdelvino .net/detects/random-ship-members-daily.php (report here*) hosted on the following IPs:
    118.97.77.122 (PT Telekon, Indonesia)
    176.120.38.238 (Langate, Ukraine)..."
    * http://www.urlquery.net/report.php?id=1120754
    ... Blackhole 2

    Last edited by AplusWebMaster; 2013-02-25 at 23:02.

  4. #134
    AplusWebMaster

    Fake Facebook/Intuit SPAM ...

    FYI...

    Fake Facebook SPAM / lazaro-sosa .com
    - http://blog.dynamoo.com/2013/02/face...o-sosacom.html
    26 Feb 2013 - "This fake Facebook spam leads to malware on lazaro-sosa .com:
    Date: Tue, 26 Feb 2013 14:26:20 +0200
    From: "Facebook" [twiddlingv29@informer.facebook.com]
    Subject: Brian Parker commented your photo.
    facebook
    Brian Parker commented on Your photo.
    Reply to this email to comment on this photo.
    See Comment
    This message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future, please unsubscribe.
    Facebook, Inc., Attention: Department 415, PO Box 10001, Palo Alto, CA 90307


    The malicious payload is at [donotclick]lazaro-sosa .com/detects/queue-breaks-many_suffering.php (report here*) hosted on:
    118.97.77.122 (PT Telkom, Indonesia)
    147.91.83.31 (AMRES, Serbia)
    Blocking these IPs is probably prudent."
    * http://www.urlquery.net/report.php?id=1135254
    ... Blackhole
    ___

    Fake Intuit SPAM / forumligandaz .ru
    - http://blog.dynamoo.com/2013/02/intu...igandazru.html
    26 Feb 2013 - "This fake Intuit spam leads to malware on forumligandaz .ru:
    Date: Tue, 26 Feb 2013 01:27:09 +0330
    From: "Classmates . com" [classmatesemail@accounts.classmates.com]
    Subject: Payroll Account Holded by Intuit
    Direct Deposit Service Informer
    Communicatory Only
    We cancelled your payroll on Tue, 26 Feb 2013 01:27:09 +0330.
    Finances would be gone away from below account # ending in 8733 on Tue, 26 Feb 2013 01:27:09 +0330
    amount to be seceded: 3373 USD
    Paychecks would be procrastinated to your personnel accounts on: Tue, 26 Feb 2013 01:27:09 +0330
    Log In to Review Operation
    Funds are typically left before working banking hours so please make sure you have enough Finances accessible by 12 a.m. on the date Cash are to be seceded.
    Intuit must reject your payroll by 4 p.m. Central time, two banking days before your paycheck date or your state would not be paid on time.
    QuickBooks does not process payrolls on weekends or federal banking holidays. A list of federal banking holidays can be viewed at the Federal Reserve website.
    Thank you for your business.
    Regards,
    Intuit Payroll Services


    The malicious payload is at [donotclick]forumligandaz .ru:8080/forum/links/column.php hosted on:
    31.200.240.153 (Unelink Telecom, Spain)
    83.169.41.58 (Host Europe, Germany)
    Blocklist:
    31.200.240.153
    83.169.41.58 ..."
    (More detail at the dynamoo URL above.)

    Last edited by AplusWebMaster; 2013-02-26 at 22:57.

  5. #135
    AplusWebMaster

    Fake US Airways SPAM...

    FYI...

    Fake US Airways SPAM / berrybots .net
    - http://blog.dynamoo.com/2013/02/us-a...rybotsnet.html
    27 Feb 2013 - "... fake US Airways spam leads to malware on berrybots .net:
    Date: Wed, 27 Feb 2013 08:09:36 -0500 [08:09:36 EST]
    From: bursarp1 @email-usairways .com
    Subject: Your US Airways trip...
    > http://images.usairways.com/newEmail..._630px_yrs.gif
    Confirmation code: B339AO
    Date issued: Tuesday, February 26, 2013
    Barcode
    [redacted]
    Scan at any US Airways kiosk to check in
    Passenger summary
    Passenger name
    Frequent flyer # (Airline)
    Ticket number
    Special needs
    Angel Morris 40614552582 (US) 22401837506661
    Robert White 12938253579871
    Fly details Download to Outlook
    Depart: Philadelphia, PA (PHL) Chicago, IL (O'Hare) (ORD)...

    (More detail at the dynamoo URL above.)


    Picture version (click to enlarge):
    > http://blog.dynamoo.com/2013/02/us-a...rybotsnet.html
    The malicious payload is at [donotclick]berrybots .net/detects/circulation-comparatively.php (report here*) hosted on:
    118.97.77.122 (PT Telkon, Jakarta)
    147.91.83.31 (AMRES, Serbia)
    195.88.139.78 (Neiron Systems, Ukraine)
    Recommended blocklist:
    118.97.77.122
    147.91.83.31
    195.88.139.78

    greatfallsma .com
    lazaro-sosa .com
    yoga-thegame .net
    dekolink .net
    saberdelvino .net
    berrybots .net ..."
    * http://www.urlquery.net/report.php?id=1168427
    ... Blackhole Java applet with obfuscated URL
    ... 147.91.83.31 Blackhole 2 Landing Page
    ___

    Fake Invoice-themed SPAM / forumusaaa .ru
    - http://blog.dynamoo.com/2013/02/end-...umusaaaru.html
    27 Feb 2013 - "This invoice-themed spam leads to malware on forumusaaa .ru:
    Date: Thu, 28 Feb 2013 06:04:08 +0530
    From: "Lisa HAGEN" [WilsonVenditti @ykm .com .tr]
    Subject: Re: FW: End of Aug. Statement
    Attachments: Invoice_JAN-2966.htm
    Good day,
    as reqeusted I give you inovices issued to you per jan. (Microsoft Internet Explorer).
    Regards
    Lisa HAGEN


    The malware is hosted at [donotclick]forumusaaa .ru:8080/forum/links/column.php (report here*) hosted on:
    31.200.240.153 (Unelink Telecom, Spain)
    83.169.41.58 (Host Europe, Germany)
    Blocklist:
    31.200.240.153
    83.169.41.58
    ..."
    (More listed at the dynamoo URL above.)
    * http://www.urlquery.net/report.php?id=1170276
    ... suspicious URL pattern
    ... 31.200.240.153 Blackhole 2 Landing Page
    ___

    - http://tools.cisco.com/security/cent...utbreak.x?i=77
    Fake Payment Advice Notification E-mail Messages - February 27, 2013
    Fake Overdue Payment Notification E-mail Messages - February 27, 2013
    Fake Bank Account Update E-mail Messages - February 27, 2013
    Fake Product Order E-mail Messages - February 27, 2013
    Fake Product Order Quotation Attachment E-mail - February 27, 2013
    Fake Wire Transfer Notification E-mail Messages - February 27, 2013
    Fake Invoice Statement Attachment E-mail Messages - February 27, 2013
    Fake Bank Account Statement Notification E-mail Messages - February 27, 2013
    Fake Quotation Attachment E-mail Messages - February 27, 2013
    (Links and more info at the cisco URL above.)

    Last edited by AplusWebMaster; 2013-02-27 at 23:24.

  6. #136
    AplusWebMaster

    "Follow this link" SPAM ...

    FYI...

    "Follow this link" SPAM / sidesgenealogist .org
    - http://blog.dynamoo.com/2013/02/foll...link-spam.html
    28 Feb 2013 - "This rather terse spam appears to lead to an exploit kit on sidesgenealogist .org:
    From: Josefina Underwood [mailto:hdFQe @heathrowexpress .com]
    Sent: 27 February 2013 16:43
    Subject: Follow this link
    I have found it http ://www.eurosaudi .com/templates/beez/wps.php?v20120226
    Sincerely yours,
    Sara Walton


    The link is to a legitimate hacked site, and in this case it attempts to bounce to [donotclick]sidesgenealogist .org/closest/c93jfi2jf92ifj39ugh2jfo3g.php but at the time of writing the malware site appears to be overloaded. However, we can find an earlier report for the same server here* that indicates an exploit kit. The malware is hosted on 188.93.210.226 (Logol.ru, Russia**). I would recommend blocking the entire 188.93.210.0/23 range to be on the safe side. These other two domains are in the same AS and are currently active:
    reinstalltwomonthold .org
    nephewremovalonly .org
    scriptselse .org
    everflowinggopayment .net "
    * http://urlquery.net/report.php?id=1180853
    ... Blackholev2 url structure detected... Multiple Exploit Kit Payload detection

    ** https://www.google.com/safebrowsing/...?site=AS:49352
    ___

    Fake "Contract" SPAM / forumny .ru
    - http://blog.dynamoo.com/2013/02/cont...forumnyru.html
    28 Feb 2013 - "This contracts-themed spam leads to malware on forumny .ru:
    Date: Thu, 28 Feb 2013 11:43:15 +0400
    From: "LiveJournal.com" [do-not-reply @livejournal .com]
    Subject: Fw: Contract of 09.07.2011
    Attachments: Contract_Scan_IM0826.htm
    Dear Sirs,
    In the attached file I am forwarding you the Translation of the Loan Contract that I have just received a minute ago. I am really sorry for the delay.
    Best regards,
    SHERLENE DARBY, secretary


    The -attachment- Contract_Scan_IM0826.htm leads to malware on [donotclick]forumny .ru:8080/forum/links/column.php (report here*) on:
    31.200.240.153 (Unelink Telecom, Spain)
    83.169.41.58 (Host Europe, Germany)
    Blocklist:
    31.200.240.153
    83.169.41.58 ..."
    (More detail at the dynamoo URL above.)
    * http://urlquery.net/report.php?id=1183959
    ... suspicious URL pattern
    ... 31.200.240.153 Blackhole 2 Landing Page
    ___

    Fake job offer
    - http://blog.dynamoo.com/2013/02/usan...job-offer.html
    28 Feb 2013 - "This fake job offer will be some illegal activity such as money laundering or reshipping stolen goods:
    Date: Thu, 28 Feb 2013 14:57:55 -0600
    From: andrzej.wojnarowski@[victimdomain]
    Subject: There is a vacancy of a Regional manager in USA:
    If you have excellent administrative skills, working knowledge of Microsoft Office,
    a keen eye for detail, well-versed in the use of social networking sites such as Twitter and Facebook,
    are organized, present yourself well and are a team player with the ability to work independently,
    are reliable and punctual and can understand and execute instructions are determined to work hard and succeed - we need you.
    If you are interested in this job, please, send us your contact information:
    Full name:
    Country:
    City:
    E-mail:
    Please email us for details: Paulette @usanewwork .com


    In this case the email originated from 187.246.25.58, a Mega Cable customer in Guadalajara, Mexico. The domain is registered to an address that does not exist (there is no Pratt Avenue in Tukwila):
    Sarah Shepard info @usanewwork .com
    360-860-3630 fax: 360-860-3321
    4478 Pratt Avenue
    Tukwila WA 98168
    us
    The domain was only registered two days ago on 28/2/13. The nameservers ns1.stageportal .net and ns2.stageportal .net are shared by several other domains offering similar fake jobs...
    IP addresses involved are:
    5.135.90.19 (OVH, France)
    69.169.90.62 (Big Brain Host, US)
    199.96.86.139 (Microglobe LLC, US)
    This job offer is best avoided unless you like prison food..."
    (More detail at the dynamoo URL above.)
    ___

    Fake BBB SPAM / forumnywrk .ru
    - http://blog.dynamoo.com/2013/02/bbb-...umnywrkru.html
    28 Feb 2013 - "This fake BBB Spam leads to malware on forumnywrk .ru:
    Date: Thu, 28 Feb 2013 07:29:10 -0500 [07:29:10 EST]
    From: LinkedIn Password [password @linkedin .com]
    Subject: Urgent information from BBB
    Attn: Owner/Manager
    Here with the Better Business Bureau notifies you that we have received a complaint (ID 832708632)
    from one of your customers with respect to their dealership with you.
    Please open the COMPLAINT REPORT below to obtain more information on this matter and let us know of your point of view as soon as possible.
    We are looking forward to your prompt reply.
    Regards,
    VERSIE Stringer


    The malicious payload is on [donotclick]forumnywrk .ru:8080/forum/links/column.php hosted on:
    31.200.240.153 (Unelink Telecom, Spain)
    83.169.41.58 (Host Europe, Germany)
    Blocklist:
    83.169.41.58
    31.200.240.153
    ..."
    (More detail at the dynamoo URL above.)

    Last edited by AplusWebMaster; 2013-03-01 at 06:24.

  7. #137
    AplusWebMaster

    Casino-themed Blackhole sites

    FYI...

    Casino-themed Blackhole sites
    - http://blog.dynamoo.com/2013/03/casi...ole-sites.html
    1 March 2013 - "Here's a couple of URLs that look suspiciously like a BlackHole Exploit kit, hosted on 130.185.105.74:
    [donotclick]888casino-luckystar .net/discussing/sizes_agreed.php
    [donotclick]555slotsportal .org/discussing/alternative_distance.php
    [donotclick]555slotsportal .net/shrift.php
    [donotclick]555slotsportal .net/discussing/alternative_distance.php
    [donotclick]555slotsportal .me/discussing/alternative_distance.php
    [donotclick]sexstreamsmatez .biz/discussing/alternative_distance.php
    You can find a sample report here*... there's nothing of value here and these sites are probably malicious and should be blocked. You might want to consider blocking 130.185.105.0/24 too..."
    (More detail at the dynamoo URL above.)
    * http://urlquery.net/report.php?id=1199381
    ... Detected BlackHole v2.0 exploit kit URL pattern

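An added example (not from the post, dynamoo or urlquery) of turning the URL shapes these posts keep quoting (":8080/forum/links/column.php", "/detects/...php", "/discussing/...php", "/closest/...php") and the recommended blocks (188.93.210.0/23, 130.185.105.0/24, the hosting IPs that recur from campaign to campaign) into a proxy-log check. The log format, the client addresses and the lure hostnames are constructed; the network list is only what this thread names.

```python
"""Proxy-log detector for the BlackHole v2 URL structure and the hosting
infrastructure listed in this thread. Added example; log lines constructed."""
import ipaddress
import re
from urllib.parse import urlsplit

# Path shapes quoted on this page: '/forum/links/column.php' (served on :8080),
# '/detects/<words>.php', '/discussing/<words>.php' and
# '/closest/<long alphanumeric>.php'.
LANDING_PATH_RE = re.compile(
    r"^/(?:forum/links/column\.php"
    r"|(?:detects|discussing)/[a-z]+(?:[-_][a-z]+)*\.php"
    r"|closest/[a-z0-9]{20,}\.php)$"
)
# Ranges the blog recommended blocking outright plus hosting IPs that recur
# across the campaigns above. Only addresses named in this thread.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "188.93.210.0/23", "130.185.105.0/24",
    "84.23.66.74/32", "122.160.168.219/32", "210.71.250.131/32",
    "31.200.240.153/32", "83.169.41.58/32", "118.97.77.122/32",
    "147.91.83.31/32", "176.120.38.238/32", "50.7.251.59/32",
)]


def classify(log_line):
    """Return the reasons a proxy log line is suspicious (empty list = clean).

    Assumed (constructed) format: timestamp client_ip method url server_ip status
    """
    fields = log_line.split()
    if len(fields) != 6:
        return ["unparseable line"]
    _ts, _client, _method, url, server_ip, _status = fields
    reasons = []
    parts = urlsplit(url)
    if LANDING_PATH_RE.match(parts.path):
        reasons.append("exploit-kit landing path " + parts.path)
        # The '/forum/links/column.php' variant on this page always rode on :8080.
        if parts.port == 8080 and parts.path.startswith("/forum/"):
            reasons.append("port 8080 /forum/ variant")
    try:
        addr = ipaddress.ip_address(server_ip)
    except ValueError:
        return reasons + ["bad server IP %r" % server_ip]
    for net in BLOCKED_NETS:
        if addr in net:
            reasons.append("server %s in blocklisted %s" % (addr, net))
            break
    return reasons


# Constructed sample: four hits shaped like the campaigns above, one clean line.
SAMPLE_LOG = """\
2013-02-22T11:35:02 10.0.0.17 GET http://lure-one.example:8080/forum/links/column.php 84.23.66.74 200
2013-02-22T11:36:41 10.0.0.23 GET http://lure-two.example/detects/when-weird-contrast.php 50.7.251.59 200
2013-03-01T09:12:07 10.0.0.31 GET http://lure-three.example/discussing/sizes_agreed.php 130.185.105.74 200
2013-03-04T14:30:55 10.0.0.44 GET http://lure-four.example/closest/c93jfi2jf92ifj39ugh2jfo3g.php 188.93.211.156 200
2013-03-04T14:31:10 10.0.0.44 GET http://www.example.com/index.html 93.184.216.34 200
"""


def scan(log_text):
    """Map each flagged line number (1-based) to its list of reasons."""
    hits = {}
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        reasons = classify(line)
        if reasons:
            hits[lineno] = reasons
    return hits


if __name__ == "__main__":
    for lineno, reasons in scan(SAMPLE_LOG).items():
        print("line %d: %s" % (lineno, "; ".join(reasons)))
```

The path regex deliberately requires the whole path to match, so a legitimate forum that happens to have a /forum/ directory is not flagged by prefix alone.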

  8. #138
    AplusWebMaster

    Fake Delta/eFax/dealer SPAM ...

    FYI...

    Fake Delta Airlines SPAM / inanimateweaknesses .net and complainpaywall .net
    - http://blog.dynamoo.com/2013/03/delt...eaknesses.html
    4 March 2013 - "This fake Delta Airlines spam leads to malware on inanimateweaknesses .net and complainpaywall .net:
    From: DELTA CONFIRMATION [mailto:cggQozvOc @sutaffu .co.jp]
    Sent: 04 March 2013 14:27
    Subject: Your Receipt and Itinerary
    Thank you for choosing Delta. We encourage you to review this information before your trip.
    If you need to contact Delta or check on your flight information, go to delta.com/itineraries
    Now, managing your travel plans just got easier. You can exchange, reissue and refund electronic tickets at delta .com/itineraries.
    Take control and make changes to your itineraries at delta.com/itineraries.
    Speed through the airport. Check-in online for your flight.
    Check-in
    Flight Information
    DELTA CONFIRMATION #: D0514B3
    TICKET #: 00920195845933
    Bkng Meals/ Seat/
    Day Date Flight Status Class City Time Other Cabin
    --- ----- --------------- ------ ----- ------------
    Mon 11MAR DELTA 372 OK H LV NYC-KENNEDY 820P F 19C
    AR SAN FRANCISCO 8211P COACH
    Fri 15MAR DELTA 1721 OK H LV LOS ANGELES 1145P V 29A
    AR NYC-KENNEDY 812A# COACH
    Check your flight information online at delta.com/itineraries


    The email contains several links to different hacked sites, which then forward to [donotclick]inanimateweaknesses .net/closest/c93jfi2jf92ifj39ugh2jfo3g.php (report here*) or [donotclick]complainpaywall .net/closest/c93jfi2jf92ifj39ugh2jfo3g.php (report here**) both of which are hosted on 188.93.211.156 (Logol.ru, Russia). In my opinion 188.93.210.0/23 is a bit of a sewer and should be blocked if you can, as there are probably many other malicious sites nearby.
    Of note is that the links in the email only seem to work with a correct referrer and user agent. If those are not set, then you will not end up at the malware page."
    * http://urlquery.net/report.php?id=1246850
    ... Detected BlackHole v2.0 exploit kit URL pattern ... Detected live BlackHole v2.0 exploit kit
    ** http://urlquery.net/report.php?id=1246854
    ... Detected BlackHole v2.0 exploit kit URL pattern ... Detected live BlackHole v2.0 exploit kit
    ___

    Fake eFax SPAM / forumla .ru
    - http://blog.dynamoo.com/2013/03/efax...forumlaru.html
    4 Mar 2013 - "This fake eFax spam leads to malware on forumla .ru:
    Date: Mon, 4 Mar 2013 08:53:20 +0300
    From: LinkedIn [welcome @linkedin .com]
    Subject: Efax Corporate
    Attachments: Efax_Corporate.htm
    Fax Message [Caller-ID: 646370000]
    You have received a 57 pages fax at Mon, 4 Mar 2013 08:53:20 +0300, (213)-406-0113.
    * The reference number for this fax is [eFAX-336705661].
    View attached fax using your Internet Browser.
    © 2013 j2 Global Communications, Inc. All rights reserved.
    eFax ® is a registered trademark of j2 Global Communications, Inc.
    This account is subject to the terms listed in the eFax ® Customer Agreement.


    The malicious payload is at [donotclick]forumla .ru:8080/forum/links/column.php (report here*) hosted on 210.71.250.131 (Chungwa Telecom, Taiwan). These other sites are also visible on the same IP:
    foruminanki .ru
    ny-news-forum .ru
    forumilllionois .ru
    forum-ny .ru
    forumny .ru
    forumla .ru"
    * http://urlquery.net/report.php?id=1247054
    ... Detected suspicious URL pattern... Detected live BlackHole v2.0 exploit kit
    ___

    Fake dealerbid .co.uk SPAM
    - http://blog.dynamoo.com/2013/03/dealerbidcouk-spam.html
    4 March 2013 - "This -spam- uses an email address ONLY used to sign up for dealerbid .co.uk
    From: HM Revenue & Customs [enroll @hmrc .gov.uk]
    Date: 4 March 2013 13:37
    Subject: HMRC Tax Refund ID: 3976244
    Dear Taxpayer,
    After the last annual calculations of your fiscal activity we have discovered that you are eligible to receive a tax refund of 377.50 GBP. Kindly complete the tax refund request and allow 2-3 working days to process it.
    A refund can be delayed for a variety of reasons. For example submitting invalid records or applying after the deadline. Please click on the attached file in order to access the form for your tax refund.
    Currently we are only able to process tax refunds through "LloydsTSB". Alternatively, you can wait for the next few weeks to apply for a full refund through additional financial institutions(Banks).
    Kind regards,
    Paul McWeeney
    Head of Consumer Sales and Service


    The email got horribly mangled on the way and luckily whatever payload came with it is buggered. Of interest though, the email originates from 78.136.27.79 which is home to the following websites:
    everybodyonline .co.uk
    uk-car-discount .co.uk
    The email address has been -stolen- from one UK motoring related site, and the spam sent through the hacked server of another UK motoring site. That's a peculiar coincidence, although I do not believe that those site operators are responsible for this spam run. It looks like I am not the only person to notice this same problem*.."
    * http://www.reviewcentre.com/Car-Deal...review_1884815
    ___

    Fake Justin Bieber social media claims
    - http://www.hoax-slayer.com/bieber-dies-crash-hoax.shtml
    March 4, 2013 - "Outline: Message circulating via social media claims that popular young singing star Justin Bieber has died in a car accident...
    > http://www.hoax-slayer.com/images/bieber-crash-hoax.jpg
    ... Many of these false death rumours originate from several tasteless "prank" websites that allow users to create fake news stories detailing the supposed death of various celebrities. Users can generally pick from several "news" templates, add the name of their chosen celebrity and then attempt to fool their friends by sharing the -bogus- story..."
    ___

    Fake Facebook email/SPAM 'Violation of Terms' - Phishing Scam
    - http://www.hoax-slayer.com/facebook-...ing-scam.shtml
    March 4, 2013 - "Outline: Inbox message purporting to be from "Mark Zurckerberg" claims that the user's Facebook Page has violated the Facebook Terms of Service and may be permanently deleted unless the account is verified by clicking a link in the message... There have been a number of variations of these Facebook account phishing scams distributed in recent years. If you receive any message that claims that your Facebook account may be disabled or deleted if you do not verify account details, do not click on any links or attachments that it may contain. It is always safest to login to your Facebook account - and other online accounts - by entering the address into your browser's address bar rather than by following a link."

    Last edited by AplusWebMaster; 2013-03-04 at 21:47.

  9. #139

    New Java exploits centered exploit kit

    FYI...

    New Java exploits centered exploit kit
    - http://blog.webroot.com/2013/03/05/c...d-exploit-kit/
    March 5, 2013 - "... its current version is entirely based on Java exploits (CVE-2012-1723 and CVE-2013-0431), naturally, with “more exploits to be introduced any time soon”... More details:
    Sample screenshot of the statistics page of the newly released Web malware exploitation kit:
    > https://webrootblog.files.wordpress....tics_loads.png
    The majority of affected users are U.S.-based hosts, and the majority of infected operating systems are Windows NT 6.1, followed by Windows XP... according to the cybercriminals pitching the kit, they’ve also managed to infect some Mac OS X hosts... competing Web malware exploitation kits tend to exploit a much more diversified set of client-side vulnerabilities, consequently, achieving higher exploitation rates... In the wake of two recently announced Java zero day vulnerabilities, users are advised to disable Java, as well as to ensure that they’re not running any outdated versions of their third-party software and browser plugins."

    - http://seclists.org/fulldisclosure/2013/Mar/38
    4 Mar 2013 - "... 5 -new- security issues were discovered in Java SE 7..."
    ___

    Fake British Airways SPAM / forum-la .ru
    - http://blog.dynamoo.com/2013/03/brit...ipts-spam.html
    4 March 2013 - "This fake British Airways spam leads to malware on forum-la .ru:
    From: LiveJournal.com [do-not-reply @livejournal .com]
    Date: 4 March 2013 12:17
    Subject: British Airways E-ticket receipts
    e-ticket receipt
    Booking reference: 9AZ3049885
    Dear,
    Thank you for booking with British Airways.
    Ticket Type: e-ticket
    This is your e-ticket receipt. Your ticket is held in our systems, you will not receive a paper ticket for your booking.
    Your itinerary is attached (Internet Exlplorer/Mozilla Firefox file)
    Yours sincerely,
    British Airways Customer Services
    British Airways may monitor email traffic data and also the content of emails, where permitted by law, for the purposes of security and staff training and in order to prevent or detect unauthorised use of the British Airways email system.
    British Airways Plc is a public limited company registered in England and Wales. Registered number: 79805156. Registered office: Waterside, PO Box 365, Harmondsworth, West Drayton, Middlesex, England, UB7 0GB.
    How to contact us
    Although we are unable to respond to individual replies to this email we have a comprehensive section that may help you if you have a question about your booking or travelling with British Airways.
    If you require further assistance you may contact us
    If you have received this email in error
    This is a confidential email intended only for the British Airways Customer appearing as the addressee. If you are not the intended recipient please delete this email and inform the snder as soon as possible. Please note that any copying, distribution or other action taken or omitted to be taken in reliance upon it is prohibited and may be unlawful.


    The email has an attachment named E-Ticket-N93892PK.htm which attempts to direct the victim to a malware page at [donotclick]forum-la .ru:8080/forum/links/column.php (report here*) hosted on:
    198.104.62.49 (NTT America, US)
    210.71.250.131 (Chungwa Telecom, Taiwan)
    Blocklist:
    198.104.62.49
    210.71.250.131

    forumla .ru
    forumny .ru
    forum-la .ru
    foruminanki .ru
    ny-news-forum .ru
    forumilllionois .ru
    forum-ny .ru ..."
    * http://www.urlquery.net/report.php?id=1251838
    ... Detected suspicious URL pattern
    ___

    iFrame injections drive traffic to Blackhole exploit kit
    - http://nakedsecurity.sophos.com/2013...e-exploit-kit/
    March 5, 2013 - "... recent attacks against legitimate websites that are being used to drive unsuspecting user traffic to the Blackhole exploit sites. JavaScript libraries on the legitimate websites are prepended with code... SophosLabs has seen huge volumes of legitimate sites being compromised in this way in recent weeks. In fact, Mal/Iframe-AL has been the most prevalent web threat detected on customer endpoints and web appliances for the past few weeks, accounting for almost 30% of all detected web threats! If we correlate our malicious URL data against the Alexa top million site data, you can see that these Mal/Iframe-AL injections account for almost two-thirds of all popular sites... have been compromised in some way over the past week.
    > https://sophosnews.files.wordpress.c...lexa.png?w=640
    ... Looking at data collected over the past 14 days (Feb 18th - March 4th 2013), I started off by looking at the host ISPs for the compromised web sites. As you can see below, a good spread of ISPs have been hit (368 in total), with 18 of them accounting for approximately half of all infected sites.
    > https://sophosnews.files.wordpress.c...isps.png?w=640
    Looking at the countries hosting the affected web servers shows the expected spread, somewhat reflective of where hosting providers are based.
    > https://sophosnews.files.wordpress.c...ntry.png?w=640
    If we take a look at the web server platform, the compromised sites are almost exclusively running Apache. This is in contrast to the 60% or so we would expect* if the attacks were agnostic to the platform.
    > https://sophosnews.files.wordpress.c...form.png?w=640
    Most of these servers are running CentOS (then Debian then Ubuntu). This last piece of data gives us some clues as to how these attacks are happening. Could it be a rogue Apache module being used to inject the redirect into content as it is delivered from the server? There have been several other recent attacks doing this. Digging around it appears that this is indeed the root cause. The folks over at Sucuri** managed to get hold of the rogue module that was used on one such victim server.
    Administrators or owners of sites that have been affected by these attacks should therefore check their Apache configuration as a matter of urgency and look out for unexpected modules being loaded..."
    * http://news.netcraft.com/archives/20...er-survey.html

    ** http://blog.sucuri.net/2013/02/web-s...e-modules.html
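    The Sophos advice above (check the Apache configuration and look for unexpected modules) as a concrete audit script. This is an added example, not code from the Sophos, Sucuri or dynamoo posts; the baseline module list, MODULE_DIR and the config paths are assumptions to be adjusted per host.

```shell
#!/bin/sh
# Added example (not from the Sophos or Sucuri posts): two checks an Apache admin
# can run to spot a module that neither the distro nor the admin put there.
# Assumptions: "apachectl -M" prints " name_module (static|shared)" lines,
# BASELINE_MODULES is a hand-maintained allowlist, and MODULE_DIR is where the
# distro's packages install modules (the values below are constructed samples).

# Allowlist of modules expected on this host (constructed; build it from a known-good server).
BASELINE_MODULES="core_module so_module http_module mpm_prefork_module \
authz_core_module dir_module mime_module log_config_module rewrite_module"

# Directory where packaged modules live (constructed; CentOS uses /usr/lib64/httpd/modules,
# Debian/Ubuntu use /usr/lib/apache2/modules).
MODULE_DIR="/usr/lib64/httpd/modules"

# Read "apachectl -M" output on stdin; print every loaded module missing from the allowlist.
unexpected_modules() {
    sed -n 's/^[[:space:]]*\([A-Za-z0-9_]*_module\)[[:space:]]*(\([a-z]*\)).*/\1/p' |
    while read -r mod; do
        case " $BASELINE_MODULES " in
            *" $mod "*) ;;                 # known module, nothing to report
            *) printf '%s\n' "$mod" ;;     # not in baseline: investigate
        esac
    done
}

# Read httpd.conf (plus included files) on stdin; print LoadModule directives whose
# shared object is not under MODULE_DIR. Relative "modules/..." paths resolve against
# ServerRoot and are treated as the packaged location. Commented-out lines are skipped
# because their first field is "#LoadModule", not "LoadModule".
loadmodule_outside_dir() {
    awk -v dir="$MODULE_DIR/" '
        $1 == "LoadModule" && index($3, dir) != 1 && index($3, "modules/") != 1 {
            print $2 " " $3
        }'
}

# Print the package owning a module file, if any (rpm or dpkg systems only).
# A .so that no package claims deserves a closer look.
owner_of() {
    f="$1"
    if command -v rpm >/dev/null 2>&1; then
        rpm -qf "$f" 2>/dev/null || echo "no package owns $f"
    elif command -v dpkg >/dev/null 2>&1; then
        dpkg -S "$f" 2>/dev/null || echo "no package owns $f"
    fi
}

# Stand-alone run against the live server: sh audit_apache_modules.sh audit
if [ "$1" = "audit" ]; then
    echo "== loaded modules not in baseline =="
    apachectl -M 2>/dev/null | unexpected_modules
    echo "== LoadModule directives outside $MODULE_DIR =="
    cat /etc/httpd/conf/httpd.conf /etc/httpd/conf.modules.d/*.conf 2>/dev/null |
        loadmodule_outside_dir | while read -r name path; do
            printf '%s %s -> ' "$name" "$path"; owner_of "$path"
        done
fi
```

A module that is loaded but absent from both the allowlist and the package database is exactly the case the Sucuri write-up describes, so treat any hit as an incident lead rather than a configuration quirk.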
    ___

    Something evil on 5.9.196.3 and 5.9.196.6
    - http://blog.dynamoo.com/2013/03/some...nd-591966.html
    5 March 2013 - "Two IPs in the 5.9.196.0/28 block that you probably want to avoid are 5.9.196.3 and 5.9.196.6. The first of these IPs is being used in an injection attack (in this case via [donotclick]frasselt-kalorama .nl/relay.php) leading to two identified malware landing pages:
    [donotclick]kisielius.surfwing .me/world/explode_conscious-scandal.jar (report here*)
    [donotclick]alkalichlorideasenteeseen.oyunhan .net/world/romance-apparatus_clinical_repay.php (report here**)
    Domains visible on 5.9.196.3 include:
    alkalichlorideasenteeseen.oyunhan .net
    kisielius.surfwing .me
    dificilmentekvelijitten.surfwing .me
    kisielius.surfwing .me
    befool-immatriculation.nanovit .me
    locoburgemeester.toys2bsold .com
    ratiocination-wselig.smithsisters .us
    A few IPs along is 5.9.196.6 which hosts the following domain that also looks highly suspect:
    inspegrafstatkakukano.creatinaweb .com
    Blocking these domains completely is probably a good idea:
    oyunhan .net
    surfwing .me
    nanovit .me
    toys2bsold .com
    smithsisters .us
    creatinaweb .com
    5.9.196.0/28 is a Hetzner IP*** ... I haven't seen anything of value in this /28, blocking it may be prudent."
    * http://www.urlquery.net/report.php?id=1248746
    ... Zip archive data
    ** http://www.urlquery.net/report.php?id=1265212
    ... Adobe PDF Memory Corruption
    *** https://www.google.com/safebrowsing/...?site=AS:24940
    "... over the past 90 days, 6823 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2013-03-04, and the last time suspicious content was found was on 2013-03-04..."
    ___

    Fake HP printer SPAM / giliaonso .ru
    - http://blog.dynamoo.com/2013/03/scan...njet-spam.html
    5 Mar 2013 - "This fake HP printer spam leads to malware on giliaonso .ru:
    Date: Tue, 5 Mar 2013 12:53:40 +0500
    From: "Classmates . com" [classmatesemail @accounts.classmates .com]
    Subject: Fwd: Re: Scan from a Hewlett-Packard ScanJet #161051
    Attachments: HP_Scan.htm
    Attached document was scanned and sent
    to you using a HP A-16292P.
    SENT BY : Landon
    PAGES : 6
    FILETYPE: .HTML [INTERNET EXPLORER/MOZILLA FIREFOX]


    The attachment leads to malware on [donotclick]giliaonso .ru:8080/forum/links/column.php (report here*) hosted on the following IPs:
    46.4.77.145 (Hetzner, Germany)
    198.104.62.49 (NTT America, US)
    210.71.250.131 (Chungwa Telecom, Taiwan)
    Blocklist:
    46.4.77.145
    198.104.62.49
    210.71.250.131
    ..."
    * http://urlquery.net/report.php?id=1266289
    ... Detected suspicious URL pattern... Blackhole 2 Landing Page 210.71.250.131
    ___

    Fake Sendspace SPAM / forumkianko .ru
    - http://blog.dynamoo.com/2013/03/send...mkiankoru.html
    5 Mar 2013 - "This fake Sendspace spam leads to malware on forumkianko .ru:
    Date: Tue, 5 Mar 2013 06:52:10 +0100
    From: AyanaLinney@ [redacted]
    Subject: You have been sent a file (Filename: [redacted]-51153.pdf)
    Sendspace File Delivery Notification:
    You've got a file called [redacted]-01271.pdf, (797.4 KB) waiting to be downloaded at sendspace.(It was sent by DEON VANG).
    You can use the following link to retrieve your file:
    Download Link
    The file may be available for a limited time only.
    Thank you,
    sendspace - The best free file sharing service.
    Please do not reply to this email. This auto-mailbox is not monitored and you will not receive a response.


    The malicious payload is at [donotclick]forumkianko .ru:8080/forum/links/column.php (report here*) hosted on:
    46.4.77.145 (Hetzner, Germany***)
    198.104.62.49 (NTT America, US)
    210.71.250.131 (Chungwa Telecom, Taiwan)
    These IPs are the same as used in this attack**..."
    * http://urlquery.net/report.php?id=1267580
    ... Detected suspicious URL pattern... Blackhole 2 Landing Page 46.4.77.145
    ** http://blog.dynamoo.com/2013/03/scan...njet-spam.html

    *** https://www.google.com/safebrowsing/...?site=AS:24940

    Last edited by AplusWebMaster; 2013-03-05 at 18:49.

  10. #140

    Fake BT SPAM ...

    FYI...

    Fake BT SPAM / ginagion .ru
    - http://blog.dynamoo.com/2013/03/bt-b...inagionru.html
    6 March 2013 - "This fake BT spam leads to malware on ginagion .ru:
    From: Bebo Service [mailto:service=noreply.bebo .com@bebo .com] On Behalf Of Bebo Service
    Sent: 05 March 2013 21:22
    Subject: BT Business Direct Order
    Notice of delivery
    Hi,
    We're pleased to confirm that we have now accepted and despatched your order on Wed, 6 Mar 2013 03:21:30 +0600.
    Unless you chose a next day or other premium delivery service option, then in most cases your order will arrive within 1-3 days. If we despatched your order via Letterpost, it may take a little longer.
    ***Please note that your order may have shipped in separate boxes and this means that separate consignment numbers may be applicable***
    We've despatched...
    ..using the attached shipment details...
    Courier Ref Carriage method
    Royal Mail FM320725534 1-3 Days
    Please note that you will only be able to use this tracking reference once the courier has scanned the parcel into their depot. Please allow 24 hours from the date of this email before tracking your parcel online.
    For information on how track your delivery, please follow to attached file.
    Important information for Yodel deliveries:
    If your consignment number starts with 3S3996956 your delivery will require a signature. If there is no-one at the delivery address to sign for the goods a card will be left containing the contact details of the courier so that you can re-arrange delivery or arrange a collection.


    The malicious payload is at [donotclick]ginagion .ru:8080/forum/links/column.php ... hosted on:
    41.72.150.100 (Hetzner, South Africa)
    117.104.150.170 (NTT, Japan)
    212.180.176.4 (Supermedia, Poland)
    Blocklist:
    41.72.150.100
    117.104.150.170
    212.180.176.4

    gosbfosod .ru
    giliaonso .ru
    forum-ny .ru
    ginagion .ru ..."
    ___

    Pizza SPAM / gimalayad .ru
    - http://blog.dynamoo.com/2013/03/pizz...malayadru.html
    6 Mar 2013 - "... This spam actually leads to malware on gimalayad .ru:
    Date: Wed, 6 Mar 2013 12:22:04 +0330
    From: Tagged [Tagged @taggedmail .com]
    Subject: Fwd: Order confirmation
    You've just ordered pizza from our site
    Pizza Ultimate Cheese Lover's with extras:
    Drinks
    - Grolsch x 6
    - 7up x 3
    - Budweiser x 4
    - Carling x 2...
    If you haven't made the order and it's a fraud case, please follow the link and cancel the order.
    CANCEL ORDER NOW!
    If you don't do that shortly, the order will be confirmed and delivered to you...
    Total Charge: 232.33$
    ========
    Date: Wed, 6 Mar 2013 09:16:56 +0100
    From: "Xanga" [noreply @xanga .com]
    Subject: Re: Fwd: Order confirmation
    You've just ordered pizza from our site
    Pizza Ultimate Cheese Lover's with extras:
    - Beef
    - Pepperoni...
    - Extra Sauce
    Pizza Italian Trio with extras:
    - Beef
    - Black Olives...
    Drinks
    - Simply Orange x 4
    - Fanta x 2
    - 7up x 2
    - Heineken x 2
    - Lift x 5
    - Pepsi x 4
    - Budweiser x 4
    Total Charge: 242.67$
    If you haven't made the order and it's a fraud case, please follow the link and cancel the order.
    CANCEL ORDER NOW!
    If you don't do that shortly, the order will be confirmed and delivered to you.
    With Respect
    PIERO`s Pizzeria


    The malicious payload is at [donotclick]gimalayad .ru:8080/forum/links/column.php (report here*) hosted on the same IPs used in this attack:
    41.72.150.100 (Hetzner, South Africa)
    117.104.150.170 (NTT, Japan)
    212.180.176.4 (Supermedia, Poland)
    Blocklist:
    41.72.150.100
    117.104.150.170
    212.180.176.4
    ..."
    * http://www.urlquery.net/report.php?id=1289205
    ... Detected suspicious URL pattern... Blackhole 2 Landing Page 212.180.176.4
    ___

    Fake inTuit email
    - http://security.intuit.com/alert.php?a=76
    3/06/13 - "People are receiving fake emails with the title 'Please respond - overdue payment.' These mails are coming from auto-invoice @quickbooks .com, which is -not- a legitimate email address. Below is a copy of the email... The email does not contain a link; however, the email has a .zip attachment that contains malware. Do not open the .zip file.

    Please find attached your invoices for the past months. Remit the payment by 02/25/2013 as outlines under our "Payment Terms" agreement.
    Thank you for your business,
    Sincerely,
    Earline Robles


    This is the end of the fake email.
    Steps to Take Now:
    - Do -not- open the attachment in the email...
    - Delete the email..."
    ___

    - http://tools.cisco.com/security/cent...utbreak.x?i=77
    Malicious Attachment E-mail Messages - March 06, 2013
    Fake Unpaid Debt Invoice E-mail Messages - March 06, 2013
    Fake Overdue Payment Notification E-mail Messages - March 06, 2013
    Fake Employee Document Sharing Notification E-mail - March 06, 2013
    Fake Money Transfer Notification E-mail Messages - March 06, 2013
    Fake UPS Payment Document Attachment E-mail Messages - March 06, 2013
    (Links and more info at the cisco URL above.)

    Last edited by AplusWebMaster; 2013-03-07 at 17:47.
