
Thread: SPAM frauds, fakes, and other MALWARE deliveries...

#151 AplusWebMaster (Adviser Team, USA; joined Oct 2005)

Fake NACHA / ScanJet SPAM ...

    FYI...

    Fake NACHA SPAM / encodeshole .org
    - http://blog.dynamoo.com/2013/03/nacha-spam.html
    21 March 2013 - "This fake NACHA spam leads to malware on encodeshole .org:
    From: "Тимур.Родионов @direct.nacha .org" [mailto:biker @wmuttkecompany .com]
    Sent: 20 March 2013 18:51
    Subject: Payment ID 454806207096 rejected
    Importance: High
    Dear Sirs,
    Herewith we are informing you, that your latest Direct Deposit payment (ID431989197078) was cancelled,due to your current Direct Deposit software being out of date. Please use the link below to enter the secure section of our web site and see the details::
    Click here for more information
    Please apply to your financial institution to get the necessary updates of the Direct Deposit software.
    Best regards,
    ACH Network Rules Department
    NACHA - The Electronic Payments Association
    10933 Sunrise Valley Drive, Suite 771
    Herndon, VA 20190
    Phone: 703-561-0849 Fax: 703-787-0548


    The malicious payload is at [donotclick]encodeshole.org/closest/209tuj2dsljdglsgjwrigslgkjskga.php (report here) hosted on 91.234.33.187 (FOP Sedinkin Olexandr Valeriyovuch, Ukraine). The following suspect domains are on the same IP:
    91.234.33.187
    encodeshole .org
    rotariesnotify .org
    rigidembraces .info
    storeboughtmodelers .info
    * http://urlquery.net/report.php?id=1536940
    ... Detected BlackHole v2.0 exploit kit URL pattern... Detected live BlackHole v2.0 exploit kit 91.234.33.187

    - https://www.google.com/safebrowsing/...?site=AS:56485
    "... over the past 90 days, 54 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2013-03-21, and the last time suspicious content was found was on 2013-03-21... Over the past 90 days, we found 8 site(s) on this network... that appeared to function as intermediaries for the infection of 23 other site(s)... this network has hosted sites that have distributed malicious software in the past 90 days. We found 13 site(s)... that infected 30 other site(s)..."
    ___

    Fake ScanJet SPAM / hillaryklinton .ru
    - http://blog.dynamoo.com/2013/03/scan...t-spam_21.html
    21 March 2013 - "This fake printer spam leads to malware on the amusingly-named hillaryklinton .ru:
    From: messages-noreply@bounce .linkedin .com [mailto:messages-noreply @bounce.linkedin .com] On Behalf Of LinkedIn Password
    Sent: 21 March 2013 06:56
    Subject: Scan from a Hewlett-Packard ScanJet #269644
    Attached document was scanned and sent
    to you using a Hewlett-Packard HP Officejet 6209P.
    Sent by: SANDIE
    Images : 1
    Attachment Type: .HTM [INTERNET EXPLORER]
    Hewlett-Packard Officejet Location: machine location not set


    In this case there is an attachment called Scanned_Document.htm which leads to a malicious payload at [donotclick]hillaryklinton .ru:8080/forum/links/column.php (report here*) hosted on:
    50.22.0.2 (SoftLayer, US)
    62.75.157.196 (Inergenia, Germany)
    109.230.229.156 (High Quality Server, Germany)
    Blocklist:
    50.22.0.2
    62.75.157.196
    109.230.229.156

    foruminanki .ru
    forumla .ru
    forumny .ru
    gulivaerinf .ru
    gxnaika .ru
    hanofk .ru
    heelicotper .ru
    hifnsiiip .ru
    hillaryklinton .ru
    himalayaori .ru
    humalinaoo .ru
    * http://urlquery.net/report.php?id=1535161
    ... Detected suspicious URL pattern... Blackhole 2 Landing Page 109.230.229.156
    ___

    Fake CNN emails lead to BlackHole Exploit Kit
    - http://blog.webroot.com/2013/03/21/f...-exploit-kit/?
    March 21, 2013 - "... thousands of malicious ‘CNN Breaking News’ themed emails... exploit-serving and malware-dropping links found within. Once users click on any of the links found in the bogus emails, they’re automatically exposed to the client-side exploits served by the Black Hole Exploit Kit...
    Sample screenshot of the spamvertised email:
    > https://webrootblog.files.wordpress....xploit_kit.png
    ... Malicious domain name reconnaissance:
    webpageparking .net – 109.74.61.59; 24.111.157.113; 58.26.233.175; 155.239.247.247...
    Responding to 24.111.157.113 ... malicious domains...
    Upon successful client-side exploitation, the campaign drops MD5: 24d406ef41e9a4bc558e22bde0917cc5 * ... Worm:Win32/Cridex.E...
    * https://www.virustotal.com/en/file/3...89be/analysis/
    File name: deskadp.dll
    Detection ratio: 23/45
    Analysis date: 2013-03-21 10:46
    ___

    Fake "Data Processing Service" spam / airtrantran .com
    - http://blog.dynamoo.com/2013/03/data...vice-spam.html
    21 Mar 2013 - "This spam leads to malware on airtrantran .com
    Date: Thu, 21 Mar 2013 15:55:22 +0000 [11:55:22 EDT]
    From: Data Processing Service [customerservice @dataprocessingservice .com]
    Subject: ACH file ID "973.995" has been processed successfully
    Files Processing Service
    SUCCESS Notification
    We have successfully complete ACH file 'ACH2013-03-20-8.txt' (id '973.995') submitted by user '[redacted]' on '2013-03-20 23:24:14.9'.
    FILE SUMMARY:
    Item count: 21
    Total debits: $17,903.59
    Total credits: $17,903.59
    For addidional info review it here


    24.111.157.113 (Midcontinent Media, US)
    58.26.233.175 (TMnet, Malaysia)
    109.74.61.59 (Ace Telecom, Hungary)
    155.239.247.247 (Centurion Telkom, South Africa)
    Blocklist:
    24.111.157.113
    58.26.233.175
    109.74.61.59
    155.239.247.247
    ..."
    ___

    Fake Facebook SPAM / scriptuserreported .org
    - http://blog.dynamoo.com/2013/03/face...portedorg.html
    21 Mar 2013 - "This Facebook spam has undergone some sort of failure during construction, revealing some of the secrets of how these messages are constructed. It leads to malware on scriptuserreported .org:
    Date: Thu, 21 Mar 2013 10:56:28 -0500
    From: Facebook [update+oi=MKW63Z @facebookmail .com]
    Subject: John Jenkins commented photo of you.
    facebook
    John Jenkins commented on {l5}.
    reply to this email to comment on this photo.
    see comment
    this message was sent to {mailto_username}@{mailto_domain}. if you don't want to receive these emails from facebook in the future, please unsubscribe.
    facebook, inc., attention: department 415, po box 1000{digit}, palo alto, ca 9{digit}3{digit}


    The malicious payload is at [donotclick]scriptuserreported .org/close/keys-importance-mention.php hosted on 5.39.37.31 and there are no surprises that this is OVH in France.. but wait a minute because this is in a little suballocated block thusly:
    inetnum: 5.39.37.24 - 5.39.37.31
    netname: n2p3DoHost
    descr: DoHost n2 p3
    country: FR ...
    Let's start with the server at 5.39.37.31 which is distributing the Blackhole Exploit Kit (report here*). This server also hosts the following potentially malicious domains:
    pesteringpricelinecom .net
    resolveconsolidate .net
    scriptuserreported .org
    provingmoa .com
    Go back a few IPs to 5.39.37.28 and there are a couple of work-at-home scam sites:
    workhomeheres01 .com
    workhomeheres02 .com
    There's also a work-at-home scam on 5.39.37.24:
    makeworkhome12 .pl
    5.39.37.26 appears to be hosting a control panel for the Neutrino Exploit kit:
    myadminspanels .info
    supermyadminspanels .info
    So you can pretty much assume that 5.39.37.24/29 is a sewer and you should block the lot. Who is n2p3DoHost? Well, I don't know.. but there's one more clue at 5.39.37.29 which is the domain rl-host .net...
    Does M. Queste own this /29? If he does, then it looks like he has some very bad customers..
    Minimum blocklist:
    5.39.37.31
    pesteringpricelinecom .net
    resolveconsolidate .net
    scriptuserreported .org
    provingmoa .com
    Recommended blocklist:
    5.39.37.24/29
    makeworkhome12 .pl
    myadminspanels .info
    supermyadminspanels .info
    workhomeheres01 .com
    workhomeheres02 .com
    rl-host .net
    pesteringpricelinecom .net
    resolveconsolidate.net
    scriptuserreported .org
    provingmoa .com"
    * http://urlquery.net/report.php?id=1539128
    ... Detected live BlackHole v2.0 exploit kit 5.39.37.31
    ___

    Fake Changelog SPAM / hillairusbomges .ru
    - http://blog.dynamoo.com/2013/03/chan...sbomgesru.html
    21 Mar 2013 - "This fake changelog spam leads to malware on hillairusbomges .ru:
    Date: Thu, 21 Mar 2013 03:01:59 -0500 [04:01:59 EDT]
    From: LinkedIn Email Confirmation [emailconfirm @linkedin .com]
    Subject: Re: Changelog Oct.
    Good morning,
    as prmised updated changelog - View
    L. LOYD


    The malicious payload is at [donotclick]hillairusbomges .ru:8080/forum/links/column.php (report here*) hosted on:
    50.22.0.2 (Softlayer / Monday Sessions Media, US)
    66.249.23.64 (Endurance International Group, US)
    188.165.202.204 (OVH, France)
    Blocklist:
    50.22.0.2
    66.249.23.64
    188.165.202.204
    ..."
    * http://urlquery.net/report.php?id=1540852
    ... Detected suspicious URL pattern... Blackhole 2 Landing Page 188.165.202.204

    Last edited by AplusWebMaster; 2013-03-22 at 06:01.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .
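The reports above all end in the same kind of artefact: a handful of IPs, one /29, a list of domains and a couple of recurring BlackHole v2 landing-page paths (`:8080/forum/links/column.php`, `/closest/<long token>.php`). The block below is an added example, not code from the forum post or from the dynamoo.com write-ups it quotes; it turns those indicators into a matcher and runs it over a few Squid-style proxy log lines that are constructed here for illustration. The indicator values are copied from the post with the defanging spaces removed; the log lines and client addresses are made up.

```python
"""Block-list matcher built from the indicators quoted in the post above.

Added example, not code from the forum post or from dynamoo.com. The
indicators are copied from the post (defanging spaces removed); the
proxy log lines at the bottom are constructed for illustration.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Hosting IPs named in the reports, plus the 5.39.37.24/29 the
# Facebook-spam write-up recommends blocking outright.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "91.234.33.187", "50.22.0.2", "62.75.157.196", "109.230.229.156",
    "24.111.157.113", "58.26.233.175", "109.74.61.59", "155.239.247.247",
    "5.39.37.24/29", "66.249.23.64", "188.165.202.204",
)]

BLOCKED_DOMAINS = {
    "encodeshole.org", "rotariesnotify.org", "rigidembraces.info",
    "storeboughtmodelers.info", "hillaryklinton.ru", "airtrantran.com",
    "scriptuserreported.org", "pesteringpricelinecom.net",
    "resolveconsolidate.net", "provingmoa.com", "rl-host.net",
    "myadminspanels.info", "supermyadminspanels.info",
    "workhomeheres01.com", "workhomeheres02.com", "makeworkhome12.pl",
    "hillairusbomges.ru",
}

# Landing-page path shapes the urlquery reports flag as BlackHole v2.
BLACKHOLE_PATH = re.compile(
    r"^/forum/links/column\.php$|^/closest/[0-9a-z]{20,}\.php$")

def ip_blocked(host):
    """True if host is a literal IP inside one of the blocked networks."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(ip in net for net in BLOCKED_NETS)

def classify_url(url):
    """Return the first matching block reason for a URL, or None."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""          # lower-cased, port stripped
    if ip_blocked(host):
        return "blocked-ip"
    if host in BLOCKED_DOMAINS or any(host.endswith("." + d) for d in BLOCKED_DOMAINS):
        return "blocked-domain"
    if BLACKHOLE_PATH.match(parts.path):
        return "blackhole-url-pattern"
    return None

# Squid access.log format: ts elapsed client code/status size method URL
# ident hierarchy/peer type. Lines constructed for this example.
SAMPLE_LOG = """\
1363870000.123 210 10.1.1.5 TCP_MISS/200 5120 GET http://www.example.com/ - DIRECT/93.184.216.34 text/html
1363870001.456 340 10.1.1.5 TCP_MISS/200 812 GET http://hillaryklinton.ru:8080/forum/links/column.php - DIRECT/109.230.229.156 text/html
1363870002.789 120 10.1.1.9 TCP_MISS/200 640 GET http://5.39.37.28/promo/ - DIRECT/5.39.37.28 text/html
1363870003.012 98 10.1.1.9 TCP_MISS/200 700 GET http://unknown.example.net/closest/209tuj2dsljdglsgjwrigslgkjskga.php - DIRECT/198.51.100.7 text/html
"""

def scan_log(text):
    """Return (client_ip, url, reason) for every log line that matches."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 9:
            continue
        client, url = fields[2], fields[6]
        reason = classify_url(url)
        if reason is None:
            # Domain not listed but it resolved into a blocked range
            # (the same server fronted by a fresh domain).
            peer = fields[8].split("/", 1)[-1]
            if ip_blocked(peer):
                reason = "blocked-ip (resolved)"
        if reason:
            hits.append((client, url, reason))
    return hits

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(*hit)
```

The order of checks matters: a listed domain is reported before the path pattern, so a known domain serving the BlackHole path is attributed to the list rather than to the heuristic, and the resolved-peer check catches the case dynamoo keeps pointing out, namely a new throwaway domain parked on a server that is already on the list.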

#152 AplusWebMaster (Adviser Team, USA)

Fake Zendesk pharma SPAM ...

    FYI...

    Fake Zendesk SPAM / vagh .ru / pillshighest .com
    - http://blog.dynamoo.com/2013/03/zend...-security.html
    22 Mar 2013 - "This unusual spam leads to a fake pharma site on pillshighest .com via vagh .ru and an intermediate -hacked- site.
    Date: Fri, 22 Mar 2013 13:52:08 -0700
    From: Support Team [pinbot @schwegler .com]
    To: [redacted]
    Subject: An important notice about security
    We recently learned that the vendor we use to answer support requests and other emails (Zendesk) experienced a security breach.
    We're sending you this email because we received or answered a message from you using Zendesk. Unfortunately your name, email address and subject line of your message were improperly accessed during their security breach. To help keep your account secure, please:
    Don't share your password. We will never send you an email asking for your password. If you get an email like this, please let us know right away.
    Beware of suspicious emails. If you get any emails that look like they're from our Support Team but don't feel right, please let us know - especially if they include details about your support request.
    Use a strong password. If your password is weak, you can create a new one.
    We're really sorry this happened, and we'll keep working with law enforcement and our vendors to ensure your information is protected.
    Support Team
    Questions? See our FAQ.
    This email was sent to [redacted].
    ©2013 Zendesk, Inc. | All Rights Reserved
    Privacy Policy | Terms and Conditions


    There appears to be no malware involved in this attack. After the user has clicked through to the -hacked- site (in this case [donotclick]www.2001hockey .com/promo/page/ - report here*) the victim is -bounced- to [donotclick]vagh .ru on 193.105.210.212 (FOP Budko Dmutro Pavlovuch, Ukraine**) and then on to [donotclick]pillshighest .com on 91.217.53.30 (Fanjcom, Czech Republic).
    Some IPs and domains you might want to block:
    91.217.53.30
    193.105.210.212
    ..."
    (More listed at the dynamoo URL above.)
    * http://urlquery.net/report.php?id=1547240
    ... RBN - Known Russian Business Network IP - 109.120.138.155***

    ** https://www.google.com/safebrowsing/...?site=AS:57954

    *** https://www.google.com/safebrowsing/...?site=AS:30968

    - http://nakedsecurity.sophos.com/2013...curity-notice/
    March 22, 2013
    > https://sophosnews.files.wordpress.c...tice.jpg?w=640
    ___

    Fake ACH email - malware...
    - http://www.hoax-slayer.com/ach-file-...-malware.shtml
    March 22, 2013 - "Outline: Message purporting to be from the Automated Clearing House (ACH) claims that a file submitted by a user has been successfully processed and invites recipients to click a link to read more information about the large sum transactions listed....
    Brief Analysis: The email is -not- from ACH and the transactions listed in the message are not genuine. The -link- in the email opens a compromised website that harbours information-stealing malware... Those who do click the link will be taken to one of several websites that harbour malware. Once downloaded, such malware can typically make connections with remote servers controlled by criminals, download and install further malware components and harvest personal and financial information from the infected computer.
    Scammers have targeted the ACH and the entity's managing body NACHA for several years. Some have been malware attacks such as this one. Others have been phishing scams intent on tricking people into divulging their personal and financial information. The ACH is an official funds transfer system that processes large volumes of credit and debit transactions in the United States and this makes it an attractive target for scammers.
    Neither ACH nor NACHA will ever send you an unsolicited email that asks you to open an attachment or follow a link and supply personal information. If you receive an email that claims to be from the ACH or NACHA, do not open any attachments that it may contain. Do not follow any links in the email. Do not reply to the email or supply any information to the senders."
    ___

    Fake Wire Transfer SPAM / dataprocessingservice-alerts .com
    - http://blog.dynamoo.com/2013/03/wire...ingservic.html
    22 Mar 2013 - "This fake Wire Transfer spam leads to malware on dataprocessingservice-alerts .com:
    Date: Fri, 22 Mar 2013 10:42:22 -0600
    From: support @digitalinsight .com
    Subject: Terminated Wire Transfer Notification - Ref: 54133
    Immediate Transfers Processing Service
    STATUS Notification
    The following wire transfer has been submitted for approval. Please visit this link to review the transaction details (ref '54133' submitted by user '[redacted]' ).
    TRANSACTION SUMMARY:
    Initiated By: [redacted]
    Initiated Date & Time: 2013-03-21 4:00:46 PM PST
    Reference Number: 54133
    For addidional info visit this link


    The payload is at [donotclick]dataprocessingservice-alerts .com/kill/chosen_wishs_refuses-limits.php (report here*) hosted on:
    24.111.157.113 (Midcontinent Media, US)
    58.26.233.175 (TMNet, Malaysia)
    155.239.247.247 (Centurion Telkom, South Africa)
    Blocklist:
    24.111.157.113
    58.26.233.175
    155.239.247.247
    ..."
    * http://urlquery.net/report.php?id=1548528
    ... Detected live BlackHole v2.0 exploit kit 24.111.157.113
    ___

    Fake Changelog SPAM / hohohomaza .ru
    - http://blog.dynamoo.com/2013/03/chan...ohomazaru.html
    22 Mar 2013 - "Evil changelog spam episode 274, leading to malware on hohohomaza .ru. Hohoho indeed.
    Date: Fri, 22 Mar 2013 11:06:48 -0430
    From: Hank Sears via LinkedIn [member @linkedin .com]
    Subject: Fwd: Changelog as promised (upd.)
    Hello,
    as promised changelog - View
    L. HENDRICKS


    The malware landing page is at [donotclick]hohohomaza .ru:8080/forum/links/column.php hosted on:
    50.22.0.2 (Softlayer / Monday Sessions Media, US)
    66.249.23.64 (Endurance International Group, US)
    80.246.62.143 (Alfahosting / Host Europe, Germany)
    Blocklist:
    50.22.0.2
    66.249.23.64
    80.246.62.143
    ..."

    Last edited by AplusWebMaster; 2013-03-23 at 17:36.
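Every sample quoted in these posts shares one tell: the display name claims a brand (NACHA, LinkedIn, Facebook, Bank of America, Zendesk) while the actual sender address sits on an unrelated domain, or the "From" is the brand's own domain and is simply forged. The block below is an added example, not code from the forum post or from dynamoo.com; it parses the From header values shown in the posts (including Outlook's `[mailto:...]` rendering) and flags the display-name/sender-domain mismatch. The brand-to-domain table is an assumption made for the example; keep your own.

```python
"""Flag From: headers whose display name claims a brand that the sending
domain does not belong to, the pattern in every sample quoted above.

Added example, not code from the forum post or from dynamoo.com. The
brand-to-domain table is an assumption for illustration; the header
values tested are the ones shown in the posts.
"""
import re
from email.utils import parseaddr

# Assumed: domains a brand legitimately sends from. Maintain your own list.
BRAND_DOMAINS = {
    "nacha": {"nacha.org"},
    "linkedin": {"linkedin.com"},
    "facebook": {"facebook.com", "facebookmail.com"},
    "zendesk": {"zendesk.com"},
    "bank of america": {"bankofamerica.com"},
    "dhl": {"dhl.com"},
    "ups": {"ups.com"},
}

MAILTO = re.compile(r"\[mailto:([^\]]+)\]")

def normalize(header):
    """Turn Outlook's 'Name [mailto:addr]' rendering into RFC 5322 'Name <addr>'."""
    return MAILTO.sub(r"<\1>", header).strip()

def claimed_brands(display_name):
    """Brands named in the display name, by whole-word brand name or by one of its domains."""
    name = display_name.lower()
    return [b for b, doms in BRAND_DOMAINS.items()
            if re.search(r"\b" + re.escape(b) + r"\b", name)
            or any(d in name for d in doms)]

def sender_domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def check_from(header):
    """Return a finding when the claimed brand and sender domain disagree, else None."""
    name, addr = parseaddr(normalize(header))
    claimed = claimed_brands(name)
    if not claimed:
        return None               # display name claims no known brand
    domain = sender_domain(addr)
    for brand in claimed:
        for legit in BRAND_DOMAINS[brand]:
            if domain == legit or domain.endswith("." + legit):
                return None       # consistent; still forgeable, see note below
    return {"claimed": claimed, "sender_domain": domain}

if __name__ == "__main__":
    for h in (
        '"Тимур.Родионов@direct.nacha.org" [mailto:biker@wmuttkecompany.com]',
        "Bank of America <gaudilyl30@gmail.com>",
        "Hank Sears via LinkedIn <member@linkedin.com>",
    ):
        print(h, "->", check_from(h))
```

A `None` result is not a clean bill of health. The LinkedIn, Facebook and DHL samples put the brand's real domain in the address and simply forge it; that case is only caught by SPF, DKIM and DMARC results on the receiving MTA, not by anything in the visible header. The Zendesk sample claims the brand in the body rather than the display name and is invisible to this check as well.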

#153 AplusWebMaster (Adviser Team, USA)

Fake BBC, BoA, Printer SPAM... more...

    FYI...

    Fake BBC emails lead to BlackHole Exploit Kit
    - http://blog.webroot.com/2013/03/25/m...e-exploit-kit/
    March 25, 2013 - "Cybercriminals are currently spamvertising tens of thousands of malicious emails impersonating BBC News, in an attempt to trick users into thinking that someone has shared a Cyprus bailout themed news item with them. Once users click on any of the links found in the fake emails, they’re automatically exposed to the client-side exploits served by the Black Hole Exploit Kit...
    Sample screenshot of the fake BBC News email:
    > https://webrootblog.files.wordpress....kit_cyprus.png
    ... Sample client-side exploits serving URL: hxxp ://crackedserverz .com/kill/larger_emergency.php – 155.239.247.247; 109.74.61.59; 24.111.157.113; 58.26.233.175 – Email: tellecomvideo1 @gmx .us...
    Upon successful client-side exploitation the campaign drops MD5: 1d4aaaf4ae7bfdb0d9936cd71ea717b2 * ...Spyware/Win32.Zbot..."
    (More detail at the webroot URL above.)
    * https://www.virustotal.com/en/file/4...38c7/analysis/
    File name: 1d4aaaf4ae7bfdb0d9936cd71ea717b2
    Detection ratio: 23/45
    Analysis date: 2013-03-21

    - https://www.net-security.org/malware_news.php?id=2444
    25.03.2013
    Fake: https://www.net-security.org/images/...s-fake-big.jpg
    ___

    Fake Bank of America SPAM / PAYMENT RECEIPT 25-03-2013-GBK-74
    - http://blog.dynamoo.com/2013/03/bank...eceipt-25.html
    25 Mar 2013 - "This spam comes with a malicious EXE file in the archive PAYMENT RECEIPT 25-03-2013-GBK-74.zip
    Date: Mon, 25 Mar 2013 05:50:18 +0300 [03/24/13 22:50:18 EDT]
    From: Bank of America [gaudilyl30 @gmail .com]
    Subject: Your transaction is completed
    Transaction is completed. $4924 has been successfully transferred.
    If the transaction was made by mistake please contact our customer service.
    Payment receipt is attached.
    *** This is an automatically generated email, please do not reply ***
    Bank of America, N.A. Member FDIC. Equal Housing Lender Opens in new window
    © 2013 Bank of America Corporation. All rights reserved


    Opening the ZIP file leads to an EXE called PAYMENT RECEIPT 25-03-2013-GBK-74.EXE which has a pretty patchy detection rate on VirusTotal*. Comodo CAMAS detects traffic to the domains seantit .ru and programcam .ru hosted on:
    59.99.226.54 (BSNL Internet, India)
    66.248.200.143 (Avante Hosting Services / Dominic Lambie, US)
    77.241.198.65 (VPSnet, Lithuania)
    81.20.146.229 (GONetwork, Estonia)
    103.14.8.20 (Symphony Communication, Thailand)
    Plain list:
    59.99.226.54
    66.248.200.143
    77.241.198.65
    81.20.146.229
    103.14.8.20
    ..."
    (More detail at the dynamoo URL above.)
    * https://www.virustotal.com/en/file/b...755d/analysis/
    File name: Loaf Harley Goals
    Detection ratio: 22/46
    Analysis date: 2013-03-25
    ___

    Fake HP ScanJet SPAM / humaniopa .ru
    - http://blog.dynamoo.com/2013/03/scan...manioparu.html
    25 Mar 2013 - "This fake printer spam leads to malware on humaniopa .ru:
    Date: Mon, 25 Mar 2013 03:57:54 -0500
    From: LinkedIn Connections [connections @linkedin .com]
    Subject: Scan from a HP ScanJet #928909620
    Attachments: Scanned_Document.htm
    Attached document was scanned and sent
    to you using a Hewlett-Packard HP Officejet 98278P.
    Sent by: CHANG
    Images : 5
    Attachment Type: .HTM [INTERNET EXPLORER]
    Hewlett-Packard Officejet Location: machine location not set


    The attachment Scanned_Document.htm leads to malware on [donotclick]humaniopa .ru:8080/forum/links/column.php (report here*) hosted on:
    66.249.23.64 (Endurance International Group, US)
    72.11.155.182 (OC3 Networks, US)
    72.167.254.194 (GoDaddy, US)
    95.211.154.196 (Leaseweb, Netherlands)
    Blocklist:
    66.249.23.64
    72.11.155.182
    72.167.254.194
    95.211.154.196
    ..."
    * http://urlquery.net/report.php?id=1592330
    ... Detected suspicious URL pattern... Blackhole 2 Landing Page 95.211.154.196
    ___

    Fake "Copies of policies" SPAM / heepsteronst .ru
    - http://blog.dynamoo.com/2013/03/copi...teronstru.html
    25 Mar 2013 - "This spam leads to malware on heepsteronst .ru:
    Date: Mon, 25 Mar 2013 06:20:54 -0500 [07:20:54 EDT]
    From: Ashley Madison [donotreply @ashleymadison .com]
    Subject: RE: DEBBRA - Copies of Policies.
    Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.
    Here is the Package and Umbrella,
    and a copy of the most recent schedule.
    DEBBRA Barnard,


    The malicious payload is at [donotclick]heepsteronst .ru:8080/forum/links/column.php (report here*). The IP addresses used are the same ones as used in this attack**."
    * http://urlquery.net/report.php?id=1593558
    ... Detected suspicious URL pattern... Blackhole 2 Landing Page 72.167.254.194
    ** http://blog.dynamoo.com/2013/03/scan...manioparu.html
    ___

    - http://tools.cisco.com/security/cent...utbreak.x?i=77
    Fake Future of Digital Marketing Event Notification E-mail Message - 2013 Mar 25
    Fake Product Order Shipping Documents E-mail Messages - 2013 Mar 25
    Fake Online Dating Request E-mail Messages - 2013 Mar 25
    Fake Product Sample Request E-mail Messages - 2013 Mar 25
    Fake Product Order E-mail Message - 2013 Mar 25
    Fake Quotation Request With Attached Sample Design Notification E-mail Messages - 2013 Mar 25
    Fake Shipment Notification E-mail Messages - 2013 Mar 25
    Fake Bank Repayment Information E-mail Messages - 2013 Mar 25
    Fake Payment Transaction Notification E-mail Messages - 2013 Mar 25
    (More detail and links at the cisco URL above.)

    Last edited by AplusWebMaster; 2013-03-25 at 23:14.

#154 AplusWebMaster (Adviser Team, USA)

Fake ADP, NACHA, DHL SPAM lead to malware

    FYI...

    Fake ADP emails lead to malware
    - http://blog.webroot.com/2013/03/26/a...ad-to-malware/
    March 26, 2013 - "Over the past week, we intercepted a massive ‘ADP Payroll Invoice” themed malicious spam campaign, enticing users into executing a malicious file attachment. Once users execute the sample, it downloads additional pieces of malware on the affected host, compromising the integrity, and violating the confidentiality of the affected PC...
    Sample screenshot of the spamvertised email:
    > https://webrootblog.files.wordpress....der_botnet.png
    Detection rate for the malicious attachment:
    MD5: 54e9a0495fbd5c952af7507d15ebab90 * ... Trojan.Win32.FakeAV.qqdm
    ... Initiating the following TCP connections:
    213.186.47.54 :8080
    195.93.201.42 :80
    216.55.186.239 :80
    77.92.151.6 :80
    66.118.64.208 :80
    ...
    Detection rates for the downloaded malware samples:
    hxxp://infoshore.biz/cx5oMi.exe – MD5: 13eeca375585322c676812cf9e2e9789 ** ... Heuristic.LooksLike.Win32.Suspicious.B
    hxxp://axelditter.de/w91qZ5.exe – MD5: 87c658970958bb5794354a91f8cc5a7d – detected by 18 out of 46 antivirus scanners as PWS:Win32/Zbot.gen!AM...
    It then attempts multiple UDP connection attempts to the following IPs part of the botnet’s infrastructure:
    109.162.153.126 :25603
    81.149.242.235 :28768
    88.241.148.26 :19376
    78.166.167.62 :26509
    88.232.36.188 :11389
    80.6.67.158 :11016
    ..."
    (More detail at the webroot URL above.)
    * https://www.virustotal.com/en/file/f...is/1363949422/
    File name: ADP_Invoice.exe
    Detection ratio: 24/46
    Analysis date: 2013-03-22
    ** https://www.virustotal.com/en/file/8...is/1363952056/
    File name: ADP_cx5oMi.exe
    Detection ratio: 3/46
    Analysis date: 2013-03-22
    ___

    Fake NACHA SPAM / breathtakingundistinguished .biz
    - http://blog.dynamoo.com/2013/03/nach...nguishedb.html
    26 March 2013 - "This fake NACHA spam leads to malware on breathtakingundistinguished .biz:
    From: "Гена.Симонов@direct .nacha .org" [mailto:corruptnessljx953 @bsilogistik .com]
    Sent: 25 March 2013 22:26
    Subject: Re: Your Direct Deposit disallowance
    Importance: High
    Attn: Accounting Department
    We are sorry to notify you, that your latest Direct Deposit transaction (#963417979218) was disallowed,because your business software package was out of date. The detailed information about this matter is available in the secure section of our web site:
    Click here for more information
    Please consult with your financial institution to acquire the updated version of the software.
    Yours truly,
    ACH Network Rules Department
    NACHA - The Electronic Payments Association
    19681 Sunrise Valley Drive, Suite 275
    Herndon, VA 20135
    Phone: 703-561-1796 Fax: 703-787-1698


    The malicious payload is at [donotclick]breathtakingundistinguished .biz/closest/209tuj2dsljdglsgjwrigslgkjskga.php (report here*) hosted on 62.173.138.71 (Internet-Cosmos Ltd., Russia). The following malicious sites are also hosted on the same server:
    necessarytimealtering .biz
    hitwiseintelligence .biz
    breathtakingundistinguished .biz "
    * http://urlquery.net/report.php?id=1615815
    ... Detected BlackHole v2.0 exploit kit URL pattern... Detected live BlackHole v2.0 exploit kit 62.173.138.71
    ___

    Fake DHL Spam / LABEL-ID-NY26032013-GFK73.zip
    - http://blog.dynamoo.com/2013/03/dhl-...-gfk73zip.html
    26 Mar 2013 - "This DHL-themed spam contains a malicious attachment.
    Date: Tue, 26 Mar 2013 17:27:46 +0700 [06:27:46 EDT]
    From: Bart Whitt - DHL regional manager [reports @dhl .com]
    Subject: DHL delivery report NY20032013-GFK73
    Web Version | Update preferences | Unsubscribe
    DHL notification
    Our company’s courier couldn’t make the delivery of parcel.
    REASON: Postal code contains an error.
    LOCATION OF YOUR PARCEL: New York
    DELIVERY STATUS: sort order
    SERVICE: One-day Shipping
    NUMBER OF YOUR PARCEL: ETBAKPRSU3
    FEATURES: No
    Label is enclosed to the letter.
    Print a label and show it at your post office.
    An additional information:
    If the parcel isn’t received within 15 working days our company will have the right to claim compensation from you for it’s keeping in the amount of $8.26 for each day of keeping of it.
    You can find the information about the procedure and conditions of parcels keeping in the nearest office.
    Thank you for using our services.
    DHL Global
    Edit your subscription | Unsubscribe

    > https://lh3.ggpht.com/-7RU-0iFN_k8/U.../s1600/dhl.png

    Attached is a ZIP file called LABEL-ID-NY26032013-GFK73.zip which in turn contains LABEL-ID-NY26032013-GFK73.EXE (note that the date is encoded into the filename, so subsequent versions will change).
    VirusTotal detections for this malware are low (7/46*). The malware resists analysis from common tools, so I don't have any deeper insight as to what is going on.
    Update: Comodo CAMAS identified some of the phone-home domains which are the same as the ones used here**."
    * https://www.virustotal.com/en/file/f...is/1364296589/
    File name: LABEL-ID-NY26032013-GFK73.exe
    Detection ratio: 7/46
    Analysis date: 2013-03-26
    ** http://blog.dynamoo.com/2013/03/bank...eceipt-25.html

    Screenshot: http://threattrack.tumblr.com/post/4...ification-spam
    __

    Fake eFax SPAM / hjuiopsdbgp .ru
    - http://blog.dynamoo.com/2013/03/efax...opsdbgpru.html
    26 Mar 2013 - "This fake eFax spam leads to malware on hjuiopsdbgp.ru:
    Date: Tue, 26 Mar 2013 06:23:36 +0800
    From: LinkedIn [welcome @linkedin .com]
    Subject: Efax Corporate
    Attachments: Efax_Pages.htm
    Fax Message [Caller-ID: 378677295]
    You have received a 59 pages fax at Tue, 26 Mar 2013 06:23:36 +0800, (954)-363-5285.
    * The reference number for this fax is [eFAX-677484317].
    View attached fax using your Internet Browser.
    © 2013 j2 Global Communications, Inc. All rights reserved.
    eFax ® is a registered trademark of j2 Global Communications, Inc.
    This account is subject to the terms listed in the eFax ® Customer Agreement.


    The attachment Efax_Pages.htm leads to a malicious payload at [donotclick]hjuiopsdbgp .ru:8080/forum/links/column.php (report here*) hosted on the following IPs:
    66.249.23.64 (Endurance International Group, US)
    69.46.253.241 (RapidDSL & Wireless, US)
    95.211.154.196 (Leaseweb, Netherlands)
    Blocklist:
    66.249.23.64
    69.46.253.241
    95.211.154.196
    ..."
    * http://urlquery.net/report.php?id=1617697
    ... Detected suspicious URL pattern... Detected live BlackHole v2.0 exploit kit 95.211.154.196
    ___

    Fake UPS SPAM / Label_8827712794 .zip
    - http://blog.dynamoo.com/2013/03/ups-...712794zip.html
    26 Mar 2013 - "This fake UPS spam has a malicious EXE-in-ZIP attachment:
    Date: Tue, 26 Mar 2013 20:54:54 +0600 [10:54:54 EDT]
    From: UPS Express Services [service-notification @ups .com]
    Subject: UPS - Your package is available for pickup ( Parcel 4HS287FD )
    The courier company was not able to deliver your parcel by your address.
    Cause: Error in shipping address.
    You may pickup the parcel at our post office.
    Please attention!
    For mode details and shipping label please see the attached file.
    Print this label to get this package at our post office.
    Please do not reply to this e-mail, it is an unmonitored mailbox!
    Thank you,
    UPS Logistics Services.
    CONFIDENTIALITY NOTICE...


    The attachment Label_8827712794.zip contains a malicious binary called Label_8827712794.exe which has a VirusTotal score of just 6/46*. ThreatExpert reports** that the malware is a Pony downloader which tries to phone home to:
    aseforum.ro (199.19.212.149 / Vexxhost, Canada)
    23.localizetoday.com (192.81.131.18 / Linode, US)
    Assuming that all domains on those are malicious, this is a partial blocklist:
    192.81.131.18
    199.19.212.149

    aseforum .ro
    htlounge .com
    htlounge .net
    topcancernews .com
    23.localizetoday .com
    23.localizedonline .com
    23.localizedonline .net"
    * https://www.virustotal.com/en/file/b...is/1364312344/
    File name: Label_8827712794.exe
    Detection ratio: 6/46
    Analysis date: 2013-03-26
    ** http://www.threatexpert.com/report.a...095b509d678f5e

    Screenshot: http://threattrack.tumblr.com/post/4...ge-pickup-spam
    ___

    Fake Wire Transfer SPAM / hondatravel .ru
    - http://blog.dynamoo.com/2013/03/wire...atravelru.html
    26 March 2013 - "This fake Wire Transfer spam leads to malware on hondatravel .ru:
    From: messages-noreply @bounce.linkedin .com [mailto:messages-noreply @bounce.linkedin .com] On Behalf Of LinkedIn
    Sent: 26 March 2013 11:52
    Subject: Re: Wire Transfer Confirmation (FED_4402D79813)
    Dear Bank Account Operator,
    WIRE TRANSFER: FED68081773954793456
    CURRENT STATUS: PENDING
    Please REVIEW YOUR TRANSACTION as soon as possible.


    The malicious payload is at [donotclick]hondatravel .ru:8080/forum/links/column.php (report here*) hosted on:
    66.249.23.64 (Endurance International Group, US)
    69.46.253.241 (RapidDSL & Wireless, US)
    These IPs were seen earlier with this attack**."
    * http://urlquery.net/report.php?id=1618697
    ... Detected suspicious URL pattern... Blackhole 2 Landing Page 66.249.23.64
    ** http://blog.dynamoo.com/2013/03/efax...opsdbgpru.html

    Screenshot: http://threattrack.tumblr.com/post/4...g-service-spam
    ___

    Fake TRAFFIC TICKET SPAM / hondatravel .ru
    - http://blog.dynamoo.com/2013/03/ny-t...atravelru.html
    26 Mar 2013 - "I haven't seen this type of spam for a while, but here it is.. leading to malware on hondatravel .ru:
    Date: Wed, 27 Mar 2013 04:24:14 +0330
    From: "LiveJournal .com" [do-not-reply @livejournal .com]
    Subject: Fwd: Re: NY TRAFFIC TICKET
    New-York Department of Motor Vehicles
    TRAFFIC TICKET
    NEW-YORK POLICE DEPARTMENT
    THE PERSON CHARGED AS FOLLOWS
    Time: 2:15 AM
    Date of Offense: 28/07/2012
    SPEED OVER 50 ZONE
    TO PLEAD CLICK HERE AND FILL OUT THE FORM


    The malicious payload appears to be identical to this spam run* earlier today."
    * http://blog.dynamoo.com/2013/03/wire...atravelru.html

    Screenshot: http://threattrack.tumblr.com/post/4...ic-ticket-spam

    Last edited by AplusWebMaster; 2013-03-27 at 20:49.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  5. #155
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Fake NACHA, Airline E-ticket receipt SPAM

    FYI...

    Fake Airline E-ticket receipt SPAM / illuminataf .ru
    - http://blog.dynamoo.com/2013/03/brit...s-spam_27.html
    27 Mar 2013 - "This fake airline ticket spam leads to malware on illuminataf .ru:
    Date: Wed, 27 Mar 2013 03:23:05 +0100
    From: "Xanga" [noreply @xanga .com]
    Subject: British Airways E-ticket receipts
    Attachments: E-Ticket-Receipt.htm
    e-ticket receipt
    Booking reference: JQ15191488
    Dear,
    Thank you for booking with British Airways.
    Ticket Type: e-ticket
    This is your e-ticket receipt. Your ticket is held in our systems, you will not receive a paper ticket for your booking.
    Your itinerary is attached (Internet Exlplorer/Mozilla Firefox file)
    Yours sincerely,
    British Airways Customer Services ...


    The attachment E-Ticket-Receipt.htm leads to a malicious payload at [donotclick]illuminataf .ru:8080/forum/links/column.php (report here*) hosted on:
    66.249.23.64 (Endurance International Group, US)
    69.46.253.241 (RapidDSL & Wireless, US)
    223.4.209.134 (Alibaba (China) Technology Co, China)
    Blocklist:
    66.249.23.64
    69.46.253.241
    223.4.209.134
    ..."
    * http://urlquery.net/report.php?id=1633301
    ... Detected suspicious URL pattern... Blackhole 2 Landing Page 69.46.253.241
    ___

    Fake NACHA SPAM / mgithessia .biz
    - http://blog.dynamoo.com/2013/03/nach...hessiabiz.html
    27 March 2013 - "This fake NACHA spam leads to malware on mgithessia .biz:
    From: "Олег.Тихонов@direct .nacha .org" [mailto:universe87 @mmsrealestate .com]
    Sent: 27 March 2013 03:25
    Subject: Disallowed Direct Deposit payment
    Importance: High
    To whom it may concern:
    We would like to inform you, that your latest Direct Deposit via ACH transaction (Int. No.989391803448) was cancelled,because your business software package was out of date. The details regarding this matter are available in our secure section::
    Click here for more information
    Please consult with your financial institution to obtain the updated version of the software.
    Kind regards,
    ACH Network Rules Department
    NACHA - The Electronic Payments Association
    11329 Sunrise Valley Drive, Suite 865
    Herndon, VA 20172
    Phone: 703-561-1927 Fax: 703-787-1894


    The malicious payload is at [donotclick]mgithessia .biz/closest/repeating-director_concerns.php although I am having difficulty resolving that domain, however it appears to be on 46.4.150.118 (Hetzner, Germany) and the payload looks something like this*.
    * http://urlquery.net/report.php?id=1635808
    ... Detected live BlackHole v2.0 exploit kit 46.4.150.118
    DNS services are provided by justintvfreefall .org which is also probably malicious. Nameservers are on 5.187.4.53 (Fornex Hosting, Germany) and 5.187.4.58 (the same).
    Recommended blocklist:
    46.4.150.118
    5.187.4.53
    5.187.4.58
    ..."
    ___

    Sendspace Spam
    - http://threattrack.tumblr.com/post/4...sendspace-spam
    27 March, 2013 - "Subjects seen: You have been sent a file (Filename: [removed].pdf)
    Typical e-mail details:
    Sendspace File Delivery Notification:
    You’ve got a file called [removed].pdf, (625.62 KB) waiting to be downloaded at sendspace.(It was sent by CONCHA ).
    You can use the following link to retrieve your file:
    Download
    Thank you,
    Sendspace, the best free file sharing service.


    Malicious URLs:
    my311 .com/info.htm - 173.246.66.199
    contentaz .com/info.htm - 66.147.244.103
    illuminataf .ru:8080/forum/links/column.php - 69.46.253.241, 66.249.23.64, 140.114.75.84 ..."
    Screenshot: https://gs1.wac.edgecastcdn.net/8019...Kj91qz4rgp.png
    ___

    Xerox WorkJet Pro Spam
    - http://threattrack.tumblr.com/post/4...rkjet-pro-spam
    27 March 2013 - "Subjects seen:
    Fwd: Fwd: Scan from a Xerox W. Pro #[removed]
    Typical e-mail details:
    A Document was sent to you using a XEROX WorkJet PRO
    SENT BY : Anderson
    IMAGES : 4
    FORMAT (.JPEG) DOWNLOAD


    Malicious URLs:
    thuocdonga .com/info.htm - 66.147.244.103
    ilianorkin .ru:8080/forum/links/column.php - 69.46.253.241, 66.249.23.64, 140.114.75.84
    Screenshot: https://gs1.wac.edgecastcdn.net/8019...7vs1qz4rgp.png

    Last edited by AplusWebMaster; 2013-03-28 at 03:55.

  6. #156
    Fake Changelog, Printer SPAM ...

    FYI...

    Fake Xerox ptr SPAM / ilianorkin .ru
    - http://blog.dynamoo.com/2013/03/scan...anorkinru.html
    28 March 2013 - "This fake printer spam leads to malware on ilianorkin .ru:
    From: officejet @[victimdomain]
    Sent: 27 March 2013 08:35
    Subject: Fwd: Fwd: Scan from a Xerox W. Pro #589307
    A Document was sent to you using a XEROX WorkJet PRO 481864299.
    SENT BY : Omar
    IMAGES : 9
    FORMAT (.JPEG) DOWNLOAD


    The malicious payload is at [donotclick]ilianorkin .ru:8080/forum/links/column.php (report here*) hosted on:
    66.249.23.64 (Endurance International Group, US)
    69.46.253.241 (RapidDSL & Wireless, US)
    140.114.75.84 (TANET, Taiwan)
    Blocklist:
    66.249.23.64
    69.46.253.241
    140.114.75.84
    ..."
    * http://urlquery.net/report.php?id=1652917
    ... Detected suspicious URL pattern... Blackhole 2 Landing Page 140.114.75.84

    Screenshot: https://gs1.wac.edgecastcdn.net/8019...7vs1qz4rgp.png
    ___

    Fake Changelog SPAM / Changelog_Urgent_N992.doc.exe
    - http://blog.dynamoo.com/2013/03/chan...992docexe.html
    28 March 2013 - "This fake "changelog" spam has a malicious attachment Changelog.zip which in turn contains a malware file named Changelog_Urgent_N992.doc.exe
    From: Logistics Express [admin @ups .com]
    Subject: Re: Changelog 2011 update
    Hi,
    as promised changelog,
    Michaud Abran


    VirusTotal* detects the payload as Cridex. The malware is resistant to automated analysis tools, but Comodo CAMAS reports** the creation of a file C:\Documents and Settings\User\Application Data\KB00085031.exe which is pretty distinctive. If your email filter supports it, I strongly recommend that you configure it to block EXE-in-ZIP files as they are malicious in the vast majority of cases."
    * https://www.virustotal.com/en/file/f...is/1364462703/
    File name: Changelog_Urgent_N992.doc.exe
    Detection ratio: 18/46
    Analysis date: 2013-03-28
    ** http://camas.comodo.com/cgi-bin/subm...e26149e977eee6
    ___

    Fake Facebook SPAM / ipiniadto .ru
    - http://blog.dynamoo.com/2013/03/face...iniadtoru.html
    28 Mar 2013 - "The email address says Filestube. The message says Facebook. This can't be good.. and in fact this message just leads to malware on ipiniadto .ru:
    Date: Thu, 28 Mar 2013 04:58:33 +0600 [03/27/13 18:58:33 EDT]
    From: FilesTube [filestube @filestube .com]
    Subject: You have notifications pending
    facebook
    Hi,
    Here's some activity you may have missed on Facebook.
    BERTIE Goldstein has posted statuses, photos and more on Facebook.
    Go To Facebook
    See All Notifications
    This message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future or have your email address used for friend suggestions, please click: unsubscribe.
    Facebook, Inc. Attention: Department 415 P.O Box 10005 Palo Alto CA 94303


    The malicious payload is at [donotclick]ipiniadto .ru:8080/forum/links/column.php (report here*) hosted on the same IPs as used in this attack**:
    66.249.23.64 (Endurance International Group, US)
    69.46.253.241 (RapidDSL & Wireless, US)
    140.114.75.84 (TANET, Taiwan)
    Blocklist:
    66.249.23.64
    69.46.253.241
    140.114.75.84
    ..."
    * http://urlquery.net/report.php?id=1661788
    ... Detected suspicious URL pattern... Blackholev2 redirection 66.249.23.64
    ** http://blog.dynamoo.com/2013/03/scan...anorkinru.html
    ___

    Key Secured Message Spam
    - http://threattrack.tumblr.com/post/4...d-message-spam
    28 March 2013 - "Subjects seen:
    Key Secured Message
    Typical e-mail details:
    You have received a Secured Message from:
    [removed] @key .com
    The attached file contains the encrypted message that you have received.
    To decrypt the message use the following password - [removed]
    To read the encrypted message, complete the following steps:
    - Double-click the encrypted message file attachment to download the file to your computer.
    - Select whether to open the file or save it to your hard drive. Opening the file displays the attachment in a new browser window.
    - The message is password-protected, enter your password to open it.
    This e-mail and any attachments are confidential and intended solely for the addressee and may also be privileged or exempt from
    disclosure under applicable law. If you are not the addressee, or have received this e-mail in error, please notify the sender
    immediately, delete it from your system and do not copy, disclose or otherwise act upon any part of this e-mail or its attachments.
    If you have concerns about the validity of this message, please contact the sender directly. For questions about Key’s e-mail encryption service, please contact technical support at 888.764.0016.


    Malicious URLs:
    24.cellulazetrainingcenter .com/ponyb/gate.php
    23.mylocalreports .info/ponyb/gate.php
    htlounge .com:8080/ponyb/gate.php
    rueba .com/eXkdB.exe
    nikosst .com/yttur.exe
    bmwautomotiveparts .com/kUXY.exe
    "
    Screenshot: https://gs1.wac.edgecastcdn.net/8019...4wN1qz4rgp.png
    ___

    ADP Netsecure Spam
    - http://threattrack.tumblr.com/post/4...netsecure-spam
    28 March 2013 - "Subjects seen:
    ADP Immediate Notification
    Typical e-mail details:
    ADP Immediate Notification
    Reference #: [removed]
    Thu, 28 Mar 2013 -01:38:59 -0800
    Dear ADP Client
    Your Transfer Record(s) have been created at the web site:
    flexdirect .adp.com/client/login.aspx
    Please see the following notes:
    • Please note that your bank account will be debited within one banking business day for the amount(s) shown on the report(s).
    • Please do not respond or reply to this automated e-mail. If you have any questions or comments, please Contact your ADP Benefits Specialist.
    This note was sent to acting users in your system that approach ADP Netsecure.
    As usual, thank you for choosing ADP as your business affiliate!


    Malicious URLs:
    forum.awake-rp .ru/kpindex.htm
    ipiniadto .ru:8080/forum/links/column.php
    otrs.gtg .travel/kpindex.htm
    ej-co .ru/kpindex.htm
    w w w.ddanports .com/kpindex.htm
    yunoksoo.g3 .cc/kpindex.htm
    w w w.nzles .com/kpindex.htm
    thewellshampstead .co.uk/kpindex.htm

    Screenshot: https://gs1.wac.edgecastcdn.net/8019...gxw1qz4rgp.png

    Fake ADP Spam / ipiniadto .ru
    - http://blog.dynamoo.com/2013/03/adp-...iniadtoru.html
    28 Mar 2013 - "This fake ADP spam leads to malware on ipiniadto .ru:
    Date: Thu, 28 Mar 2013 04:22:48 +0600 [03/27/13 18:22:48 EDT]
    From: Bebo Service [service @noreply.bebo .com]
    Subject: ADP Immediate Notification
    ADP Immediate Notification
    Reference #: 120327398
    Thu, 28 Mar 2013 04:22:48 +0600
    Dear ADP Client
    Your Transfer Record(s) have been created at the web site:
    https ://www.flexdirect .adp .com/client/login.aspx
    Please see the following notes:
    Please note that your bank account will be debited within one banking business day for the amount(s) shown on the report(s).
    Please do not respond or reply to this automated e-mail. If you have any questions or comments, please Contact your ADP Benefits Specialist.
    This note was sent to acting users in your system that approach ADP Netsecure.
    As usual, thank you for choosing ADP as your business affiliate!
    Ref: 975316004
    HR. Payroll. Benefits.
    The ADP logo and ADP are registered trademarks of ADP, Inc.
    In the business of your success is a service mark of ADP, Inc.
    © 2013 ADP, Inc. All rights reserved.


    The malicious landing page and recommended blocklist are the same as for this parallel attack* also running today."
    * http://blog.dynamoo.com/2013/03/face...iniadtoru.html

    Last edited by AplusWebMaster; 2013-03-28 at 23:04.
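    The dynamoo advice quoted above (block EXE-in-ZIP attachments at the mail filter) is easy to state but a naive filter that only looks at the extension misses a renamed executable. The check below is an added example for this thread, not code from dynamoo or the forum; the sample archives are constructed in memory, using the file name from the spam quoted above (Changelog_Urgent_N992.doc.exe) and a constructed name (invoice.pdf) for the renamed-executable case.

```python
"""Mail-filter check for executables inside ZIP attachments.

Added example for this thread; it is not code from dynamoo or the forum.
The sample archives are constructed in memory, using a file name taken
from the spam quoted above (Changelog_Urgent_N992.doc.exe) and one
constructed name (invoice.pdf) for the renamed-executable case.
"""
import io
import zipfile

# Extensions a mail gateway should treat as executable content.
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}


def flagged_entries(zip_bytes: bytes) -> list:
    """Return 'name: reason' for every archive member that looks executable.

    Two checks are applied: the final extension (catches the double-extension
    trick, e.g. '.doc.exe'), and the first two bytes of the member, since a
    PE file starts with 'MZ' whatever the name says.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            ext = ("." + name.rsplit(".", 1)[-1]).lower() if "." in name else ""
            if ext in EXEC_EXTENSIONS:
                findings.append(f"{name}: executable extension {ext}")
                continue
            with zf.open(info) as member:
                if member.read(2) == b"MZ":
                    findings.append(f"{name}: PE header under non-executable name")
    return findings


def should_quarantine(zip_bytes: bytes) -> bool:
    """Policy decision: any flagged member quarantines the whole attachment."""
    try:
        return bool(flagged_entries(zip_bytes))
    except zipfile.BadZipFile:
        # Something claiming to be a ZIP that does not parse as one is treated
        # as suspicious rather than silently passed through.
        return True


def build_zip(entries: dict) -> bytes:
    """Helper to construct sample archives in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: the payload bytes are a bare MZ header, not real malware.
MALICIOUS_ZIP = build_zip({"Changelog_Urgent_N992.doc.exe": b"MZ" + b"\0" * 62})
DISGUISED_ZIP = build_zip({"invoice.pdf": b"MZ\x90\0" + b"\0" * 60})
BENIGN_ZIP = build_zip({"report.pdf": b"%PDF-1.4\n%constructed\n"})

if __name__ == "__main__":
    for label, data in [("malicious", MALICIOUS_ZIP), ("disguised", DISGUISED_ZIP),
                        ("benign", BENIGN_ZIP)]:
        print(label, should_quarantine(data), flagged_entries(data))
```

    Password-protected or nested archives are the usual way round such a check; a gateway that cannot inspect a member's content should quarantine on that basis alone rather than let it through.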

  7. #157
    Fake 'Overdue Payment' Spam

    FYI...

    Fake 'Overdue Payment' Spam
    - http://threattrack.tumblr.com/post/4...e-payment-spam
    March 29, 2013 - "Subjects seen:
    Please respond - overdue payment
    Typical e-mail details:
    Please find attached your invoices for the past months. Remit the payment by 02/04/2013 as outlines under our “Payment Terms” agreement.
    Thank you for your business,
    Sincerely,
    Caroline Givens


    Malicious URLs:
    24.cellutytelosangeles .com/ponyb/gate.php
    24.cellutytela .com/ponyb/gate.php
    topcancernews .com:8080/ponyb/gate.php
    spireportal .net/L3ork1v.exe
    ftp(DOT)riddlepress .com/bahpZsn6.exe
    easy .com.gr/QpEQ.exe
    "
    Screenshot: https://gs1.wac.edgecastcdn.net/8019...7bS1qz4rgp.png

    Fake Overdue payment SPAM / INVOICE_28781731.zip
    - http://blog.dynamoo.com/2013/03/plea...ment-spam.html
    29 Mar 2013 - "This spam comes with a malware-laden attachment called INVOICE_28781731.zip:
    Date: Fri, 29 Mar 2013 10:33:53 -0600 [12:33:53 EDT]
    From: Victor_Lindsey @key .com
    Subject: Please respond - overdue payment
    Please find attached your invoices for the past months. Remit the payment by 02/04/2013
    as outlines under our "Payment Terms" agreement.
    Thank you for your business,
    Sincerely,
    Victor Lindsey
    This e-mail has been sent from an automated system. PLEASE DO NOT REPLY...


    Unzipping the attachment gives a malware file called INVOICE_28781731.exe with an icon to look like a PDF file. VirusTotal* detections are 16/46 and are mostly pretty generic. Comodo CAMAS reports** a callback to topcancernews .com hosted on 199.19.212.149 (Vexxhost, Canada) which is also being used in this malware attack***. Looking for that IP in your logs might show if any of your clients."
    * https://www.virustotal.com/en/file/d...is/1364586082/
    File name: INVOICE_28781731.exe
    Detection ratio: 16/46
    Analysis date: 2013-03-29
    ** http://camas.comodo.com/cgi-bin/subm...6ef091ee4c1a16
    *** http://blog.dynamoo.com/2013/03/ups-...712794zip.html
    ___

    Fake FlashPlayer/browser hijack in-the-wild
    - http://blogs.technet.com/b/mmpc/arch...edirected=true
    26 Mar 2013 - "... The file had been distributed with the file name FlashPlayer.exe and not surprisingly, when executed, it shows the following GUI, partly written in Turkish:
    > https://www.microsoft.com/security/p.../preflayer.jpg
    ... most users won’t realize that the program is going to change their browser’s start page. When hitting the button, this fake Flash Player installer downloads and executes a legitimate flash installer as FlashPlayer11.exe... It then changes the user’s browser start page. It changes the start page for the following browsers:
    FireFox, Chrome, Internet Explorer, Yandex
    ... to one of the following pages:
    hxxp ://www.anasayfada .net
    hxxp ://www.heydex .com
    These sites appear to be a type of search engine, but there are pop-up advertisements displayed on the pages, and there was an instance where I was redirected to a different page not of my choosing... Domain info...
    hxxp ://www.anasayfada .net - 109.235.251.146
    hxxps ://flash-player-download .com/ - 31.3.228.202
    hxxp ://www.yonlen .net/ - 37.220.28.122
    hxxp ://www.heydex .com - 188.132.235.218 [ now > 109.200.27.170 ]
    It’s a fairly simple ruse – misleading file name, misleading GUI, deliberately inaccessible EULA... misleading file properties – and some of the files are even signed. And yet, we’ve received over 70,000 reports of this malware in the last week. Social engineering doesn’t have to be particularly sophisticated to be successful. So the message today is be wary. If you think something ‘feels’ wrong (like that missing scrollbar in the EULA) it may well be. Listen to those feelings and use them to protect yourself by saying 'no' to content you don't trust."

    Last edited by AplusWebMaster; 2013-03-30 at 06:50.
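    The dynamoo post above suggests searching proxy logs for the callback IP; the indicators in this thread are also written defanged (a space before the TLD, "(DOT)", "w w w.", "hxxp"), so they need normalising before use. The script below is an added example for this thread, not code from dynamoo, ThreatTrack or the forum. The blocklist entries and callback paths are taken from the posts above; the log lines are constructed in a simple whitespace-separated proxy format (timestamp, client, method, URL, status) and are not real traffic.

```python
"""Match proxy log lines against IoCs quoted in this thread.

Added example; the indicators come from the posts above, the log lines
and their format are constructed for the demonstration.
"""
from urllib.parse import urlsplit


def refang(indicator: str) -> str:
    """Turn the thread's defanged notation back into a usable indicator."""
    s = indicator.strip()
    for old, new in (("hxxps ://", "https://"), ("hxxp ://", "http://"),
                     ("hxxps://", "https://"), ("hxxp://", "http://"),
                     ("(DOT)", "."), ("[.]", "."), ("w w w.", "www."),
                     (" .", "."), (" @", "@")):
        s = s.replace(old, new)
    return s


# Indicators quoted in the posts above (IPs as given, domains refanged).
BLOCKLIST_IPS = {"199.19.212.149", "192.81.131.18", "46.4.150.118"}
BLOCKLIST_DOMAINS = {refang(d) for d in ("topcancernews .com", "aseforum .ro",
                                          "23.localizetoday .com")}
# URL paths seen repeatedly above: Pony check-in and Blackhole landing page.
CALLBACK_PATHS = {"/ponyb/gate.php", "/forum/links/column.php"}

# Constructed proxy log: "timestamp client method url status".
LOG_LINES = [
    "2013-03-29T12:41:03 10.0.0.17 POST http://topcancernews.com:8080/ponyb/gate.php 200",
    "2013-03-29T12:41:09 10.0.0.17 GET http://199.19.212.149/eXkdB.exe 200",
    "2013-03-29T12:42:30 10.0.0.42 GET http://www.example.org/index.html 200",
    "2013-03-29T12:43:01 10.0.0.58 GET http://ivanikako.ru:8080/forum/links/column.php 200",
]


def find_hits(lines) -> list:
    """Return (client, host, reasons) for every line touching an indicator."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5:
            continue  # malformed line; skip rather than guess fields
        _ts, client, _method, url, _status = parts[:5]
        parsed = urlsplit(url)
        host = (parsed.hostname or "").lower()
        reasons = []
        if host in BLOCKLIST_IPS:
            reasons.append("blocklisted IP")
        elif host in BLOCKLIST_DOMAINS:
            reasons.append("blocklisted domain")
        if parsed.path in CALLBACK_PATHS:
            reasons.append("known callback path")
        if reasons:
            hits.append((client, host, ", ".join(reasons)))
    return hits


if __name__ == "__main__":
    for client, host, why in find_hits(LOG_LINES):
        print(f"{client} -> {host}: {why}")
```

    Matching on the path as well as the host matters here: the landing-page domains in this thread change every day or two while the path and the hosting IPs stay the same, so a host-only blocklist is stale almost as soon as it is written.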

  8. #158
    Fake Facebook Security Check Page

    FYI...

    Fake Facebook Security Check Page
    - http://blog.trendmicro.com/trendlabs...ty-check-page/
    Mar 31, 2013 - "Facebook’s enduring popularity means that cybercriminals find it a tempting lure for their malicious misdeeds. A newly-spotted phishing scam is no exception. We came across a malware sample, which we detected as TSPY_MINOCDO.A. The goal is to -redirect- users who visit Facebook to a spoofed page, which claims to be a part of the social networking website’s security check feature, even sporting the tagline “Security checks help keep Facebook trustworthy and free of spam”. It does this by redirecting all traffic to facebook .com and www .facebook .com to the system itself (using the affected machine’s HOST file). This ensures that the user can never reach the legitimate Facebook pages. At the same time, the malware is monitoring all browser activity and redirects the user to the malicious site. Users eager to log into Facebook may fall victim to this ruse, taking the ‘security check’ for face value. This may result in them entering their details and thus exposing their credit card accounts to cybercriminal infiltration... we also discovered that the malware performs DNS queries to several domain names. What this means is that the people behind this are prepared for server malfunction and have a backup to continue stealing information. To stay safe and aware of these threats, always keep in mind that social networking websites would never ask for your credit card or online banking account details for verification..."

    Screenshot: https://www.net-security.org/images/...-sec-check.jpg
    ___

    Fake Last Month Remit Spam
    - http://threattrack.tumblr.com/post/4...nth-remit-spam
    Apr 1, 2013 - "Subjects seen:
    FW: Last Month Remit
    Typical e-mail details:
    File Validity: 04/05/2013
    Company : [removed]
    File Format: Office - Excel
    Internal Name: Remit File
    Legal Copyright: ╘ Microsoft Corporation. All rights reserved.
    Original Filename: Last month remit file.xls


    Malicious URLs:
    3ecompany .com:8080/ponyb/gate.php
    24.chiaplasticsurgery .com/ponyb/gate.php
    24.chicagobodysculpt .com/ponyb/gate.php
    brightpacket .com/coS0GiKE.exe
    extremeengineering .co.in/Vh3a9601.exe
    CornwallCommuter .com/TLJrtcxA.exe

    Screenshot: https://gs1.wac.edgecastcdn.net/8019...vth1qz4rgp.png

    Last edited by AplusWebMaster; 2013-04-02 at 16:14.
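    The Trend Micro write-up above describes the redirect mechanism: facebook .com and www .facebook .com are pointed at the local machine via the hosts file. Because a normal hosts file never needs an entry for a public site, that is a cheap thing to audit on every host. The checker below is an added example for this thread, not code from Trend Micro or the forum; the hosts-file content is a constructed sample that reproduces the pattern described, and the watched-domain list is an assumption you would extend with whatever sites matter in your environment.

```python
"""Audit a hosts file for overrides of public domains.

Added example for this thread, not Trend Micro's or the forum's code.
SAMPLE_HOSTS is a constructed hosts file reproducing the described
facebook.com -> self mapping; WATCHED_DOMAINS is an assumed policy list.
"""
import ipaddress

# Public names that should never be resolved by a local hosts entry (assumed policy).
WATCHED_DOMAINS = {"facebook.com", "www.facebook.com"}

SAMPLE_HOSTS = """# Constructed sample hosts file
127.0.0.1       localhost
::1             localhost ip6-localhost
# The two entries below are the pattern described in the Trend Micro post
127.0.0.1       facebook.com
127.0.0.1       www.facebook.com
10.1.2.3        intranet.corp.example
"""


def parse_hosts(text: str) -> list:
    """Yield (line_no, ip_address, hostname) for every valid mapping.

    Comments, blank lines and lines whose first field is not an IP address
    are skipped; a line may map several names to one address.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            entries.append((line_no, addr, name.lower().rstrip(".")))
    return entries


def suspicious_hosts_entries(text: str) -> list:
    """Flag any hosts entry for a watched domain or one of its subdomains.

    A loopback target is the exact redirect-to-self described above; any
    other target is still reported, because no override of these names is
    legitimate on an end-user machine.
    """
    findings = []
    for line_no, addr, name in parse_hosts(text):
        watched = name in WATCHED_DOMAINS or any(
            name.endswith("." + d) for d in WATCHED_DOMAINS)
        if watched:
            kind = "loopback" if addr.is_loopback else "non-loopback"
            findings.append((line_no, name, str(addr), kind))
    return findings


def check_hosts_file(path: str) -> list:
    """Run the audit against a real file (e.g. /etc/hosts or
    %SystemRoot%\\System32\\drivers\\etc\\hosts)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return suspicious_hosts_entries(fh.read())


if __name__ == "__main__":
    for line_no, name, addr, kind in suspicious_hosts_entries(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {addr} ({kind})")
```

    On an infected machine the malware also watches browser activity, so the hosts entry is only one of the artifacts; but an endpoint inventory that diffs hosts files against a baseline would have caught this family before the user ever saw the fake security check.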

  9. #159
    Fake Changelog, Sendspace... emails lead to malware

    FYI...

    Fake Changelog emails lead to malware
    - http://blog.webroot.com/2013/04/02/s...ad-to-malware/
    April 2, 2013 - "... recently intercepted a malicious spam campaign, that’s attempting to trick users into thinking that they’ve received a non-existent “changelog.” Once gullible and socially engineered users execute the malicious attachment, their PCs automatically become part of the botnet operated by the cybercriminal/gang of cybercriminals...
    Sample screenshot of the spamvertised email:
    > https://webrootblog.files.wordpress....elog.png?w=869
    Detection rate for the malicious attachment:
    MD5: e01ea945b8d055c5c115ab58749ac502 * ... Worm:Win32/Cridex.E.
    Upon execution, the sample creates the following processes on the affected hosts:
    "C:\WINDOWS\system32\cmd.exe" /c "C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\exp1.tmp.bat"
    C:\Documents and Settings\<USER>\Application Data\KB00927107.exe
    The following Registry Keys:
    HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CFBDC89D4
    HKEY_CURRENT_USER\Software\Microsoft\Windows NT\S25BC2D7B ...
    It then phones back to hxxp://85.214.143.90 :8080/DPNilBA/ue1elBAAAA/tlSHAAAAA/ and to hxxp://91.121.90.92 :8080/AJtw/UCyqrDAA/Ud+asDAA/
    We’ve already seen the same C&C (85.214.143.90) used in a previously profiled malicious campaign..."
    (More detail at the webroot URL above.)
    * https://www.virustotal.com/en/file/f...is/1364475932/
    File name: LLSMGR.EXE
    Detection ratio: 35/46
    Analysis date: 2013-04-01

    - https://www.google.com/safebrowsing/...c?site=AS:6724 - 85.214.143.90

    - https://www.google.com/safebrowsing/...?site=AS:16276 - 91.121.90.92
    ___

    Fake Sendspace SPAM / imbrigilia .ru
    - http://blog.dynamoo.com/2013/04/send...rigiliaru.html
    2 Apr 2013 - "This fake Sendspace spam leads to malware on imbrigilia .ru:
    Date: Tue, 2 Apr 2013 03:57:26 +0000
    From: "JOSIE HARMON" [HARMON_JOSIE @hotmail .com]
    Subject: You have been sent a file (Filename: [redacted]-7191.pdf)
    Sendspace File Delivery Notification:
    You've got a file called [redacted]-463168.pdf, (172.5 KB) waiting to be downloaded at sendspace.(It was sent by JOSIE HARMON).
    You can use the following link to retrieve your file:
    Download Link
    The file may be available for a limited time only.
    Thank you,
    sendspace - The best free file sharing service...


    The malicious payload is at [donotclick]imbrigilia .ru:8080/forum/links/column.php (report here*) hosted on the same IPs used in this attack**:
    80.246.62.143 (Alfahosting GmbH, Germany)
    94.103.45.34 (ANKARAHOSTING, Turkey)
    Blocklist:
    80.246.62.143
    94.103.45.34
    ..."
    * http://urlquery.net/report.php?id=1757102
    ... Detected suspicious URL pattern... Blackhole 2 Landing Page 94.103.45.34
    ** http://blog.dynamoo.com/2013/04/end-...ired-spam.html

    Also: http://threattrack.tumblr.com/post/4...sendspace-spam
    2 Apr 2013
    Screenshot: https://gs1.wac.edgecastcdn.net/8019...WUN1qz4rgp.png
    ___

    Fake "End of Aug. Statement Required" SPAM / ivanovoposel .ru
    - http://blog.dynamoo.com/2013/04/end-...ired-spam.html
    2 April 2013 - "This spam leads to malware on ivanovoposel .ru:
    From: messages-noreply @bounce.linkedin .com [mailto:messages-noreply@bounce .linkedin .com] On Behalf Of LinkedIn
    Sent: 02 April 2013 10:15
    Subject: Re: FW: End of Aug. Statement Reqiured
    Hallo,
    as reqeusted I give you inovices issued to you per jan. (Microsoft Internet Explorer).
    Regards
    SHONTA SCHMITT


    Alternate names:
    NORIKO Richmond
    Raiden MORRISON
    Attachments:
    Invoice_U13726798 .htm
    Invoice_U453718 .htm
    Invoice_U913687 .htm
    The attachment leads to malware on [donotclick]ivanovoposel .ru:8080/forum/links/column.php (report here*) hosted on:
    80.246.62.143 (Alfahosting GmbH, Germany)
    94.103.45.34 (ANKARAHOSTING, Turkey)
    Blocklist:
    80.246.62.143
    94.103.45.34
    ..."
    * http://urlquery.net/report.php?id=1751267
    ... Detected live BlackHole v2.0 exploit kit 94.103.45.34

    Last edited by AplusWebMaster; 2013-04-02 at 23:25.

  10. #160
    Something evil on 151.248.123.170

    FYI...

    Something evil on 151.248.123.170
    - http://blog.dynamoo.com/2013/04/some...248123170.html
    3 April 2013 - "151.248.123.170 (Reg .ru, Russia) appears to be active in an injection attack at the moment. In the example I saw, the hacked site has injected code pointing to [donotclick]fdozwnqdb.4mydomain .com/jquery/get.php?ver=jquery.latest.js which then leads to a landing page on [donotclick]db0umfdoap.servegame .com/xlawr/next/requirements_anonymous_ordinary.php (report here*) which from the URL looks very much like a BlackHole Exploit kit. This server hosts a lot of sites using various Dynamic DNS domains. I would recommend blocking the Dynamic DNS domains as a block rather than trying to chase down these bad sites individually. In my experience, Dynamic DNS services are being abused to such an extent that pre-emptive blocking is probably the safest approach..."
    (Long list of recommended blocks at the dynamoo URL above.)
    * http://urlquery.net/report.php?id=1778882
    ___

    Fake eFax SPAM / ivanikako .ru
    - http://blog.dynamoo.com/2013/04/efax...anikakoru.html
    3 April 2013 - "This fake eFax spam leads to malware on ivanikako .ru:
    From: Global Express UPS [mailto:admin @ups .com]
    Sent: 02 April 2013 21:12
    Subject: Efax Corporate
    Fax Message [Caller-ID: 189609656]
    You have received a 40 pages fax at Wed, 3 Apr 2013 02:11:58 +0600, (708)-009-8464.
    * The reference number for this fax is [eFAX-698329221].
    View attached fax using your Internet Browser.
    © 2013 j2 Global Communications, Inc. All rights reserved.
    eFax Ž is a registered trademark of j2 Global Communications, Inc.
    This account is subject to the terms listed in the eFax Ž Customer Agreement.


    The malicious payload is at [donotclick]ivanikako .ru:8080/forum/links/column.php (report here*) hosted on:
    93.187.200.250 (Netdirekt, Turkey)
    94.103.45.34 (ANKARAHOSTING, Turkey)
    208.94.108.238 (Fibrenoire, Canada)
    Blocklist:
    93.187.200.250
    94.103.45.34
    208.94.108.238
    ..."
    * http://urlquery.net/report.php?id=1786247
    ... Detected suspicious URL pattern... Blackholev2 redirection 94.103.45.34

    Screenshot: https://gs1.wac.edgecastcdn.net/8019...N8o1qz4rgp.png
    ___

    APT malware monitors mouse clicks to evade detection
    - https://www.computerworld.com/s/arti...esearchers_say
    April 2, 2013 - "... Called Trojan.APT.BaneChant, the malware is distributed via a Word document rigged with an exploit sent during targeted email attacks. The name of the document translates to "Islamic Jihad.doc." "We suspect that this weaponized document was used to target the governments of Middle East and Central Asia," FireEye researcher Chong Rong Hwa said Monday in a blog post*. The attack works in multiple stages. The malicious document downloads and executes a component that attempts to determine if the operating environment is a virtualized one, like an antivirus sandbox or an automated malware analysis system, by waiting to see if there's any mouse activity before initiating the second attack stage. Mouse click monitoring is not a new detection evasion technique, but malware using it in the past generally checked for a single mouse click... The rationale behind using this service is to bypass URL blacklisting services active on the targeted computer or its network... The backdoor program gathers and uploads system information back to a command-and-control server. It also supports several commands including one to download and execute additional files on the infected computers..."
    * http://www.fireeye.com/blog/technica...se-clicks.html
    April 1, 2013
    ___

    Fake Wire Transfer e-mails
    - http://tools.cisco.com/security/cent...?alertId=28112
    2013 April 03 - "... significant activity related to spam e-mail messages that claim to contain a wire transfer notification for the recipient. The text in the e-mail message attempts to convince the recipient to open the attachment and view the final confirmation notice. However, the .zip attachment contains a malicious .scr file that, when executed, attempts to infect the system with malicious code. E-mail messages that are related to this threat (RuleID5193 and RuleID5193KVR) may contain the following files:
    out going wire. pdf.zip
    npxo.scr
    Sales Contract Order.zip
    DEDE.scr

    The npxo.scr file in the out going wire. pdf.zip attachment has a file size of 509,199 bytes. The MD5 checksum, which is a unique identifier of the executable, is the following string: 0x2A41A06A00F4CF58485AF938F01B128D
    The DEDE.scr file in the Sales Contract Order.zip attachment has a file size of 221,696 bytes. The MD5 checksum is the following string: 0x79274D0CFAC51906FAF8334952AF2734
    The following text is a sample of the e-mail message that is associated with this threat outbreak:
    Subject: Re: Out going wire transfer (High Priority)
    Message Body:
    We have just received instruction to process a wire transfer of $6,780 from your account. Please download/view the attachment for final confirmation and respond as quickly as possible.
    Bank Wire Transfer Department.

    -Or-
    Subject: New Order
    Message Body:
    Dear Sir,We are currently running out of stock and would need urgent attentionEnclosed please find a new Order. Please send the delivery as quickly
    as possible.Meanwhile, please send us the Invoice for endorsement.Best regards Krystyna
    ..."

    Last edited by AplusWebMaster; 2013-04-04 at 01:11.
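    The dynamoo post above recommends blocking the dynamic DNS parent domains wholesale rather than chasing the throwaway subdomains. In practice that means a suffix match (any depth of label under the parent) and a resolver or proxy rule that expresses it. The code below is an added example for this thread, not dynamoo's or the forum's; the two parent domains are taken from the hostnames quoted in the post, the RPZ output format is BIND's response-policy-zone syntax, and the hostnames tested are either from the post or constructed.

```python
"""Suffix-based blocking of dynamic-DNS parent domains.

Added example for this thread, not dynamoo's code. DYNDNS_PARENTS holds
the two parents visible in the post above; the full list at the dynamoo
URL is not reproduced here. rpz_records() emits BIND RPZ lines that
return NXDOMAIN for the parent and everything beneath it.
"""
from typing import Optional

DYNDNS_PARENTS = {"4mydomain.com", "servegame.com"}


def blocked_parent(hostname: str, parents=DYNDNS_PARENTS) -> Optional[str]:
    """Return the blocked parent that hostname falls under, else None.

    The match is on label boundaries: 'x.servegame.com' and 'servegame.com'
    match, 'myservegame.com' and 'servegame.com.example' do not.
    """
    host = hostname.lower().rstrip(".")
    labels = host.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in parents:
            return candidate
    return None


def rpz_records(parents=DYNDNS_PARENTS) -> list:
    """RPZ zone lines: 'name CNAME .' means answer NXDOMAIN for that name."""
    lines = []
    for parent in sorted(parents):
        lines.append(f"{parent} CNAME .")
        lines.append(f"*.{parent} CNAME .")
    return lines


def classify(hostnames, parents=DYNDNS_PARENTS) -> dict:
    """Map each hostname to the parent it is blocked by (or None)."""
    return {h: blocked_parent(h, parents) for h in hostnames}


if __name__ == "__main__":
    # The two hostnames from the post plus constructed look-alikes.
    sample = ["fdozwnqdb.4mydomain.com", "db0umfdoap.servegame.com",
              "myservegame.com", "servegame.com.example.org"]
    for host, parent in classify(sample).items():
        print(f"{host:32} -> {parent or 'allowed'}")
    print("\n".join(rpz_records()))
```

    Blocking an entire dynamic DNS provider also blocks its legitimate users, so the usual approach is to deploy the zone in log-only mode first (in BIND, `policy passthru` with query logging) and review what your own clients resolve before switching it to enforce.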
