
Thread: SPAM frauds, fakes, and other MALWARE deliveries...

  1. #161
    AplusWebMaster (Adviser Team)
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Pervasive malware activity - SPAM ...

    FYI...

    - https://www.net-security.org/malware_news.php?id=2455
    4.04.2013 - "Malware activity has become so pervasive that organizations experience a malicious email file attachment or Web link as well as malware communication that evades legacy defenses up to once every three minutes, according to FireEye* ..."
    * http://www.fireeye.com/blog/technica...at-report.html

    > https://www.net-security.org/images/...e-042013-1.jpg
    ___

    Fake "Bill Me Later" SPAM / PP_BillMeLater_Receipe04032013_4283422.zip
    - http://blog.dynamoo.com/2013/04/bill...erreceipe.html
    4 Apr 2013 - "This fake "Bill Me Later" spam comes with a malicious attachment:
    Date: Wed, 3 Apr 2013 21:42:52 +0600 [04/03/13 11:42:52 EDT]
    From: Bill Me Later [notification @billmelater .com]
    Subject: Thank you for scheduling a payment to Bill Me Later
    BillMeLater
    Log in here
    Your Bill Me Later® statement is now available!
    Dear Customer,
    Thank you for making a payment online! We've received your
    Bill Me Later® payment of $1644.03 and have applied it to your account.
    For more details please check attached file : PP_BillMeLater_Receipe04032013_4283422.zip
    Here are the details:
    Your Bill Me Later Account Number Ending in: 0014
    You Paid: $1644.03
    Your Payment Date*: 04/03/2013
    Your Payment Confirmation Number: 228646660603545001
    Don't forget, Bill Me Later is the perfect way to shop when you want more time to pay for the stuff you need. Plus, you can always find great deals and discounts at over 1000 stores. Watch this short, fun video to learn more.
    BillMeLater
    *NOTE: If your payment date is Saturday, or a holiday, it will take an additional day for the payment to appear on your account. However, you will be credited for the payment as of the payment date.
    Log in at PayPal.com to make a payment
    Questions:
    Do not reply to this email. Please send all messages through the email form on our website. We are unable to respond to account inquiries sent in reply to this email. Bill Me Later is located at 9690 Deereco Rd, Suite 110, Timonium, MD 21093 Copyright 2012 Bill Me Later Inc.
    Bill Me Later accounts are issued by WebBank, Salt Lake City Utah
    PP10NDPP1


    Screenshot: https://lh3.ggpht.com/-55gUxujP5q4/U...l-me-later.png

    There is an attachment called PP_BillMeLater_Receipe04032013_4283422.zip which contains an executable file PP_BillMeLater_Receipe_04032013.exe (note that the date is encoded into the filename) which currently has a VirusTotal detection rate of just 26/46*. The executable is resistant to automated analysis tools but has the following fingerprint:
    MD5: c93bd092c1e62e9401275289f25b4003
    SHA256: ae5af565c75b334535d7d7c1594846305550723c54bf2ae77290784301b2ac29
    Blocking EXE-in-ZIP files at your perimeter is an effective way of dealing with this threat, assuming you have the technology to do it."
    * https://www.virustotal.com/en/file/a...is/1365065866/
    File name: PP_BillMeLater_Receipe_04032013.exe
    Detection ratio: 26/46
    Analysis date: 2013-04-04
    ___

    Fiserv Money Transfer Spam
    - http://threattrack.tumblr.com/post/4...-transfer-spam
    4 April 2013 - "Subjects seen:
    Outgoing Money Transfer
    Typical e-mail details:
    An outgoing money transfer request has been received by your financial institution. In order to complete the money transfer please print and sign the attached form.
    To avoid delays or additional fees please be sure Beneficiary Information including name, branch name, address, city, state, country, and RTN or SWIFT BIC Code is correct. For international Wires be sure you include the International Routing Code (IRC) and International Bank Account Number (IBAN) for countries that require it.
    Thank you,
    Joy_Farmer
    Senior Officer
    Cash Management Verification
    Phone : [removed]
    Email: [removed]


    Malicious URLs
    3ecompany .com:8080/ponyb/gate.php
    23.wellness-health2day .com/ponyb/gate.php
    23.ad-specialties .info/ponyb/gate.php
    23.advertisingspecialties .biz/ponyb/gate.php
    brightpacket .com/coS0GiKE .exe
    u16432594.onlinehome-server .com/d8dTEXk.exe
    thedryerventdude .com/2FKBSea .exe


    Screenshot: https://gs1.wac.edgecastcdn.net/8019...rN91qz4rgp.png
    ___

    Bank of America Trusteer Spam
    - http://threattrack.tumblr.com/post/4...-trusteer-spam
    4 April 2013 - "Subjects seen:
    New Critical Update
    Typical e-mail details:
    Valued Customer:
    As part of our continued effort to enhance online banking safety, Bank of America announced late last year that it has partnered with Trusteer Rapport to add an additional layer of security to our eBusiness platform and we recommend that all of our online banking customers install the software.


    Malicious URLs
    23.proautorepairdenver .com/forum/viewtopic.php
    23.onqdenver .net/forum/viewtopic.php
    23.onqdenver .com/forum/viewtopic.php
    3ecompany .com:8080/forum/viewtopic.php
    dev2.americanvisionwindows .com/rthsWe.exe
    adr2009 .it/R4eFC.exe
    easy .com.gr/2YcB2jL.exe
    konyapalyaco .net/F6pKX68j.exe
    homepage.osewald .de/ynWx1.exe


    Screenshot: https://gs1.wac.edgecastcdn.net/8019...Mm31qz4rgp.png
    ___

    Fake "British Airways" SPAM / igionkialo .ru
    - http://blog.dynamoo.com/2013/04/brit...onkialoru.html
    4 Apr 2013 - "This fake British Airways spam leads to malware on igionkialo .ru:
    Date: Thu, 4 Apr 2013 10:19:48 +0330
    From: Marleen Camacho via LinkedIn [member @linkedin .com]
    Subject: British Airways E-ticket receipts
    Attachments: E-Receipt.htm
    e-ticket receipt
    Booking reference: UMA7760047
    Dear,
    Thank you for booking with British Airways.
    Ticket Type: e-ticket
    This is your e-ticket receipt. Your ticket is held in our systems, you will not receive a paper ticket for your booking.
    Your itinerary is attached (Internet Exlplorer/Mozilla Firefox file)
    Yours sincerely,
    British Airways Customer Services
    British Airways may monitor email traffic data and also the content of emails, where permitted by law, for the purposes of security and staff training and in order to prevent or detect unauthorised use of the British Airways email system.
    British Airways Plc is a public limited company registered in England and Wales. Registered number: 69315274. Registered office: Waterside, PO Box 365, Harmondsworth, West Drayton, Middlesex, England, UB7 0GB.
    How to contact us
    Although we are unable to respond to individual replies to this email we have a comprehensive section that may help you if you have a question about your booking or travelling with British Airways.
    If you require further assistance you may contact us
    If you have received this email in error
    This is a confidential email intended only for the British Airways Customer appearing as the addressee. If you are not the intended recipient please delete this email and inform the snder as soon as possible. Please note that any copying, distribution or other action taken or omitted to be taken in reliance upon it is prohibited and may be unlawful.


    The attachment E-Receipt.htm leads to a malicious landing page at [donotclick]igionkialo .ru:8080/forum/links/column.php (report here*) hosted on:
    93.187.200.250 (Netdirekt, Turkey)
    94.103.45.34 (ANKARAHOSTING, Turkey)
    208.94.108.238 (Fibrenoire, Canada)
    Blocklist:
    93.187.200.250
    94.103.45.34
    208.94.108.238
    ..."
    * http://urlquery.net/report.php?id=1805773
    ... Detected suspicious URL pattern... Blackhole 2 Landing Page 94.103.45.34
    ___

    Madi/Mahdi/Flashback OS X connected malware spreading through Skype
    - http://blog.webroot.com/2013/04/04/m...through-skype/
    April 4, 2013 - "Over the past few days, we intercepted a malware campaign that spreads through Skype messages, exclusively coming from malware-infected friends or colleagues. Once users click on the shortened link, they’ll be exposed to a simple file download box, with the cybercriminals behind the campaign directly linking to the malicious executable...
    Sample screenshot of the campaign in action:
    > https://webrootblog.files.wordpress....ngineering.png
    Sample redirection chain: hxxp ://www.goo .gl/aMrTD?image=IMG0540250-JPG -> hxxp ://94.242.198.67/images.php -> MD5: f29b78be1cd29b55db94e286d48cddef * ... Gen:Variant.Symmi.17255.
    More malware is known to have been rotated on the same IP... Upon execution, MD5: d848763fc366f3ecb45146279b44f16a phones back to hxxp ://xlotxdxtorwfmvuzfuvtspel .com/RQQgW6RRMZKWdj0xLjImaWQ9MjQ3NzA0MzA5MiZhaWQ9MzAyODcmc2lkPTQmb3M9NS4xLTMyluYwGI8j – 50.62.12.103. What’s so special about this IP (50.62.12.103) anyway? It’s the fact that it’s known to have been used as a C&C for the Madi/Mahdi malware campaign, as well as a C&C for the Flashback MAC OS X malware, proving that someone’s definitely multi-tasking..."
    (More detail at the webroot URL above.)
    * https://www.virustotal.com/en/file/3...3b91/analysis/
    File name: reznechek.exe
    Detection ratio: 27/46
    Analysis date: 2013-04-03
    ___

    Legal Case Spam
    - http://threattrack.tumblr.com/post/4...egal-case-spam
    4 April 2013 - "Re: Our chances to win the case are better than ever.
    Typical e-mail details:
    We talked to the administration representatives, and if we acknowledge our minor defiance to improve their statistics, the major suit will be closed due to the lack of the government interest to the action. We have executed your explanatory text for the court. Please read it carefully and if anything in it seems unacceptable, let us know.
    Speech.doc 332kb
    With Best Wishes
    Erica Bermudez


    Malicious URLs
    3ecompany .com:8080/ponyb/gate.php
    lanos-info .ru/winadlor.htm


    Screenshot: https://gs1.wac.edgecastcdn.net/8019...XcK1qz4rgp.png
    ___

    Pennie stock SPAM
    - https://isc.sans.edu/diary.html?storyid=15559
    Last Updated: 2013-04-05 00:25:54 UTC - "Most of you will remember the pennie stock SPAM messages from a few years ago. The main aim of the game is to buy a bunch of pennie stock and then do a SPAM campaign to drive buying interest, artificially inflating the price of the stock. They sell and make their money. It may be a few cents per share, but if you own enough of it, it can be quite profitable. Most SPAM filters are more than capable of identifying and dumping this kind of SPAM. It looks however like it is becoming popular again...
    News!!!
    Date: Thursday, Apr 4th, 2013
    Name: Pac West Equities, Inc.
    To buy: P_WEI
    Current price: $.19
    Long Term Target: $.55
    OTC News Subscriber Reminder!!! Releases Breaking News This
    Morning!


    What is old is new again..."

    Last edited by AplusWebMaster; 2013-04-05 at 05:47.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .
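    The dynamoo write-up quoted above recommends blocking EXE-in-ZIP attachments at the perimeter and publishes the sample's MD5/SHA256. The script below is an added example, not code from this post, from dynamoo, or from any product named above, of what such a mail-gateway check can look like: it opens a ZIP attachment in memory, flags any member with an executable extension or with the PE "MZ" signature at offset 0 even when it is named like a document, and compares each member's SHA256 against the hashes published in this thread. The archive it inspects is constructed inline with a dummy MZ stub rather than real malware, and the function names and extension list are my own choices.

```python
import hashlib
import io
import os
import zipfile

# SHA256 values published in this thread (dynamoo, April 2013):
# PP_BillMeLater_Receipe_04032013.exe and BILL_04092013_Fail.exe.
KNOWN_BAD_SHA256 = {
    "ae5af565c75b334535d7d7c1594846305550723c54bf2ae77290784301b2ac29",
    "141751e9ae18ec55c8cd71e2e464419f3030c21b21e3f0914b0b320adce3bf70",
}

# Deliberately short list of extensions Windows runs on double-click (an
# assumption for this example; extend it to match local policy).
EXEC_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}

PE_MAGIC = b"MZ"                       # DOS/PE header signature
MAX_MEMBER_BYTES = 50 * 1024 * 1024    # refuse to inflate larger members (zip-bomb guard)


def inspect_zip(zip_bytes):
    """Return one finding per suspicious archive member.

    A finding is a dict with the member name, its SHA256 and the reasons it was
    flagged. An empty list means nothing in the archive looked executable.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = []
            ext = os.path.splitext(info.filename.lower())[1]
            if ext in EXEC_EXTENSIONS:
                reasons.append("executable extension %s" % ext)
            if info.file_size > MAX_MEMBER_BYTES:
                # Too big to inspect safely: treat as suspicious rather than skip it.
                findings.append({"name": info.filename, "sha256": None,
                                 "reasons": reasons + ["member exceeds size limit"]})
                continue
            data = zf.read(info)
            sha256 = hashlib.sha256(data).hexdigest()
            if data[:2] == PE_MAGIC:
                reasons.append("PE header (MZ) regardless of extension")
            if sha256 in KNOWN_BAD_SHA256:
                reasons.append("SHA256 matches a published sample")
            if reasons:
                findings.append({"name": info.filename, "sha256": sha256, "reasons": reasons})
    return findings


def should_block(zip_bytes):
    """Perimeter decision: block the message if any member was flagged."""
    return bool(inspect_zip(zip_bytes))


def build_sample_zip():
    """Constructed test archive, not the real attachment: an .exe named like the
    spam sample, a PE stub hiding behind a .pdf name, and a harmless text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("PP_BillMeLater_Receipe_04032013.exe", PE_MAGIC + b"\x00" * 62)
        zf.writestr("invoice.pdf", PE_MAGIC + b"\x90" * 30)
        zf.writestr("readme.txt", b"plain text, nothing executable")
    return buf.getvalue()


def build_clean_zip():
    """Constructed archive with only document-like members, for comparison."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("statement.pdf", b"%PDF-1.4 constructed stub")
        zf.writestr("notes.txt", b"hello")
    return buf.getvalue()


if __name__ == "__main__":
    for f in inspect_zip(build_sample_zip()):
        print(f["name"], "->", "; ".join(f["reasons"]))
    print("block sample:", should_block(build_sample_zip()))
    print("block clean:", should_block(build_clean_zip()))
```

    The magic-byte check is the part that matters: renaming the payload to .pdf defeats an extension filter but not this one, and a hash match is only a bonus since the samples in this thread were rebuilt daily with the date in the filename.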

  2. #162
    AplusWebMaster

    Fake Legal, Facebook SPAM ...

    FYI...

    Fake Legal SPAM / itriopea .ru
    - http://blog.dynamoo.com/2013/04/spee...triopearu.html
    5 Apr 2013 - "This fake legal spam leads to malware on itriopea .ru:
    Date: Thu, 4 Apr 2013 07:44:02 -0500
    From: Malaki Brown via LinkedIn [member @linkedin .com]
    Subject: Fwd: Our chances to gain a cause are better than ever.
    We conversed with the administration representatives, and if we acknowledge our non-essential contempt for the sake of their statistics increase , the key suit will be closed due to the lack of the state interest to the action. We have executed your elucidative text for the court. Please read it carefully and if anything in it disagrees with you, let us know.
    Speech.doc 458kb
    With respect to you
    Malaki Brown
    ==============
    Date: Thu, 4 Apr 2013 05:37:47 -0600
    From: Talisha Sprague via LinkedIn [member @linkedin .com]
    Subject: Re: Fwd: Our chances to gain a suit are higher than ever.
    We talked to the administration representatives, and if we admit our minor infringements for the sake of their statistics increase , the main cause will be closed due to the lack of the government interest to the proceedings. We have executed your explicatory text for the court. Please read it carefully and if anything in it dissatisfies you, advise us.
    Speech.doc 698kb
    With Best Regards
    Talisha Sprague


    The attachment Speech.doc leads to a malicious payload at [donotclick]itriopea .ru:8080/forum/links/column.php (report here*) hosted on:
    91.191.170.26 (Netdirekt, Turkey)
    93.187.200.250 (Netdirekt, Turkey)
    208.94.108.238 (Fibrenoire, Turkey)
    Blocklist (including active nameservers):
    62.76.40.244
    62.76.41.245
    91.191.170.26
    93.187.200.250
    109.70.4.231
    188.65.178.27
    199.66.224.130
    199.191.59.60
    208.94.108.238
    ..."
    * http://urlquery.net/report.php?id=1824890
    ... Detected suspicious URL pattern... Blackhole 2 Landing Page 93.187.200.250
    ___

    Facebook Photo Share Spam
    - http://threattrack.tumblr.com/post/4...oto-share-spam
    5 Apr 2013 - "Subjects Seen:
    [removed] shared photo of you.
    Typical e-mail details:
    [removed] commented on Your photo.
    Reply to this email to comment on this photo.


    Malicious URLs
    barroj .info/images/cnnbrnews.html
    craftypidor .info/complaints/arrangement-select.php


    Screenshot: https://gs1.wac.edgecastcdn.net/8019...G4I1qz4rgp.png
    ___

    Fake Invoice SPAM / ijsiokolo .ru
    - http://blog.dynamoo.com/2013/04/end-...siokoloru.html
    5 Apr 2013 - "This fake invoice spam leads to malware on ijsiokolo .ru:
    Date: Fri, 5 Apr 2013 07:57:37 +0300
    From: "Account Services ups" [upsdelivercompanyb @ups .com]
    Subject: Re: End of Aug. Statement Required
    Attachments: Invoice_AF146989113.htm
    Good morning,
    I give you inovices issued to you per Feb. (Microsoft Internet Explorer format).
    Regards
    DAYLE PRIEST
    ===========
    Date: Fri, 5 Apr 2013 07:56:53 -0300
    From: "Tracking" [ups-account-services @ups .com]
    Subject: Re: FW: End of Aug. Stat.
    Hallo,
    I give you inovices issued to you per Feb. (Microsoft Internet Explorer format).
    Regards
    Mariano LEE


    The .htm attachment in the email leads to malware at [donotclick]ijsiokolo .ru:8080/forum/links/column.php (report here*) hosted on:
    91.191.170.26 (Netdirekt, Turkey)
    208.94.108.238 (Fibrenoire, Germany)
    Blocklist:
    91.191.170.26
    208.94.108.238
    ..."
    * http://urlquery.net/report.php?id=1829725
    ... Detected suspicious URL pattern... Blackhole 2 Landing Page 208.94.108.238
    ___

    Fake "Copies of Policies" SPAM / ifikangloo .ru
    - http://blog.dynamoo.com/2013/04/copi...kanglooru.html
    5 April 2013 - "This spam leads to malware on ifikangloo .ru:
    From: KaelSaine @mail .com [mailto:KaelSaine @mail .com]
    Sent: 05 April 2013 11:43
    Subject: Fwd: LATONYA - Copies of Policies
    Unfortunately, I cannot obtain electronic copies of the SPII policy.
    Here is the Package and Umbrella,
    and a copy of the most recent schedule.
    LATONYA Richmond,


    The link in the email leads to a legitimate -hacked- site and then on to [donotclick]ifikangloo .ru:8080/forum/links/column.php (report here*) hosted on the same IPs used in this attack**:
    91.191.170.26 (Netdirekt, Turkey)
    208.94.108.238 (Fibrenoire, Germany)
    Blocklist:
    91.191.170.26
    208.94.108.238
    ..."
    * http://urlquery.net/report.php?id=1831322
    ... Detected suspicious URL pattern... Blackhole 2 Landing Page 208.94.108.238
    ** http://blog.dynamoo.com/2013/04/end-...siokoloru.html

    Variation - same theme: http://threattrack.tumblr.com/post/4...-policies-spam
    5 Apr 2013

    Screenshot: https://gs1.wac.edgecastcdn.net/8019...KJT1qz4rgp.png
    ___

    Fake eFax Corpoprate Spam
    - http://threattrack.tumblr.com/post/4...orpoprate-spam
    5 April 2013 - "Subjects Seen:
    Corporate eFax message from Caller ID : “[removed]” - 3 page(s)
    Typical e-mail details:
    You have received a 3 page(s) fax at 2013-04-05 02:31:33 CST.
    * The reference number for this fax is [removed].
    View this fax using your PDF reader.
    Click here to view this message
    Please visit eFax .com/en/efax/twa/page/help if you have any questions regarding this message or your service.
    Thank you for using the eFax service!


    Malicious URLs
    estherashe .com/winching/index.html
    23.frameless-glass-shower-enclosures .com/forum/viewtopic.php
    23.frameless-glass-shower-enclosures .com/adobe/update_flash_player.exe
    23.garryowen .biz/adobe/
    albenden .com/F2SyzQtn.exe
    globalinfocomgroup .com/r18Lm7RJ.exe
    209.164.63.90 /otQw.exe


    Screenshot: https://gs1.wac.edgecastcdn.net/8019...Wsl1qz4rgp.png

    Last edited by AplusWebMaster; 2013-04-05 at 23:25.

  3. #163
    AplusWebMaster

    Fake pharmacy, Facebook SPAM ...

    FYI...

    Fake pharmacy SPAM / accooma .org / classic-pharmacy .com
    - http://blog.dynamoo.com/2013/04/upda...ccoomaorg.html
    6 April 2013 - "This scary looking spam is nothing more than an attempt to get you to click through to a fake pharmacy site:
    Date: Mon, 9 Feb 2004 13:00:35 +0000 (GMT)
    From: "Account Info Change" [info @virtualregistrar .com]
    Subject: Updated information
    Updated information
    Hello,
    The following information for your ID [redacted] was updated on 02/09/2012: Date of birth, Security question and answer.
    If these changes were made in error, or if you believe an unauthorized person accessed your account, please reset your account password immediately.
    This is an automated message. Please do not reply to this email. If you need additional help, visit our Support Center.
    Thanks,
    Customer Support


    The link in the email goes to a landing page on accooma .org (184.82.155.18 - HostNOC, US) which clicks through to classic-pharmacy .com (184.82.155.20 - also HostNOC). These two IPs are very close together which indicates a bad block. There does not appear to be any malware involved (see here* and here**) and of course nobody has changed any details on your account. You can safely ignore these emails. A closer examination shows that HostNOC have suballocated 184.82.155.16/29 (184.82.155.16 - 184.82.155.23) to an unknown party... fake pharma sites are active in this range..."
    (Long list at the dynamoo URL above.)
    * http://urlquery.net/report.php?id=1850413

    ** http://urlquery.net/report.php?id=1850445

    - https://www.google.com/safebrowsing/...?site=AS:21788
    "... over the past 90 days, 1069 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2013-04-06, and the last time suspicious content was found was on 2013-04-06... we found 227 site(s) on this network... that appeared to function as intermediaries for the infection of 981 other site(s)... We found 384 site(s)... that infected 1772 other site(s)..."
    ___

    Fake Facebook pwd reset SPAM / accooma .org
    - http://blog.dynamoo.com/2013/04/face...-password.html
    6 April 2013 - "Another very aggressive spam run promoting accooma .org which is a fake pharma site..
    Date: Sat, 6 Apr 2013 13:16:59 -0700 [16:16:59 EDT]
    From: Facebook
    Subject: Reminder: Reset your password
    facebook
    You recently requested a new password for your Facebook account. It looks like we sent you an email with a link to reset your password 2 ago.
    This is a reminder that you need to complete this action by clicking this link and Confirm or Cancel your request.
    If you have any other questions, please visit our Help Center.
    Thanks,
    The Facebook Team


    The emails vary somewhat in content. I've received 60+ of these today to one email account alone, so this site is being pushed very hard indeed. Although the email is annoying, it does not seem to be harmful. For more details, see this earlier post* about another spam run for the same domain."
    * http://blog.dynamoo.com/2013/04/upda...ccoomaorg.html

    Last edited by AplusWebMaster; 2013-04-06 at 20:50.

  4. #164
    AplusWebMaster

    Fake Bank, obit SPAM...

    FYI...

    Fake Bank SPAM / ighjaooru .ru
    - http://blog.dynamoo.com/2013/04/m-ba...hjaooruru.html
    8 Apr 2013 - "I've never heard of M&I Bank but this is quite an old school spam campaign that leads to malware on ighjaooru .ru:
    Date: Mon, 8 Apr 2013 -01:41:06 -0800
    From: Coral Randolph via LinkedIn [member @linkedin .com]
    Subject: Re: Fwd: M&I Bank bankruptcy
    Hi, bad news.
    M&I Bank bankruptcy


    The malicious payload is at [donotclick]ighjaooru .ru:8080/forum/links/column.php (report here*) hosted on a whole load of IPs:
    72.167.254.194 (GoDaddy, US)
    80.246.62.143 (Alfahosting, Germany)
    91.191.170.26 (Netdirekt, Turkey)
    93.187.200.250 (Netdirekt, Turkey)
    94.103.45.34 (ANKARAHOSTING, Turkey)
    208.94.108.238 (Fibrenoire, Canada)
    Blocklist:
    72.167.254.194
    80.246.62.143
    91.191.170.26
    93.187.200.250
    94.103.45.34
    208.94.108.238
    ..."
    * http://urlquery.net/report.php?id=1885773
    ... Detected suspicious URL pattern... Blackhole 2 Landing Page 72.167.254.194
    ___

    Fake obit SPAM / ighjaooru .ru
    - http://blog.dynamoo.com/2013/04/kiss...iefs-spam.html
    8 April 2013 - "It didn't take long for the Margaret Thatcher themed malware to start after her death. This one leads to malware on ighjaooru .ru:
    From: messages-noreply @bounce.linkedin .com [mailto:messages-noreply @bounce.linkedin .com] On Behalf Of Josefa Jimenez via LinkedIn
    Sent: 08 April 2013 05:41
    Subject: Fwd: Re: Kissinger: Thatcher's strong beliefs
    Hi, bad news.
    Kissinger: Thatcher's strong beliefs...


    The payload and associated domains and IPs are exactly the same as used in this attack*."
    * http://blog.dynamoo.com/2013/04/m-ba...hjaooruru.html
    ___

    Malicious NASA Asteroid Spam
    - http://threattrack.tumblr.com/post/4...-asteroid-spam
    8 April 2013 - "Subjects Seen:
    Fwd: NASA plans to catch an asteroid
    Typical e-mail details:
    Hi, bad news.
    NASA plans to catch an asteroid..."


    Malicious URLs
    worldtennisstars .ru/gakmail.htm
    iztakor .ru:8080/forum/links/column.php


    Screenshot: https://gs1.wac.edgecastcdn.net/8019...err1qz4rgp.png
    ___

    Bad News Spam
    - http://threattrack.tumblr.com/post/4.../bad-news-spam
    8 April 2013 - "Subjects Seen:

    Fwd: Re: War with N. Korea
    Re: Bank of America bankruptcy
    Re: Fwd: Tax havens busted
    Re: M&I Bank bankruptcy
    Re: Fwd: Shedding light on ‘dark matter’

    Typical e-mail details:
    Hi, bad news.

    <E-mail subject news story>


    Malicious URLs
    joanred.altervista .org/gakmail.htm
    vtoto .ru/gakmail.htm
    delta-mebel .by/gakmail.htm
    ghostsquad.altervista .org/gakmail.htm
    ighjaooru .ru:8080/forum/links/column.php
    iztakor .ru:8080/forum/links/column.php


    Screenshot: https://gs1.wac.edgecastcdn.net/8019...sX41qz4rgp.png

    Last edited by AplusWebMaster; 2013-04-08 at 19:16.
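    Across the dynamoo and ThreatTrack items quoted in this and the previous posts the domains rotate daily (igionkialo .ru, itriopea .ru, ijsiokolo .ru, ighjaooru .ru, iztakor .ru ...) while the landing page path (:8080/forum/links/column.php, flagged by urlquery as Blackhole 2), the Pony check-in (/ponyb/gate.php), the gakmail.htm redirector and the hosting IPs in the blocklists stay the same. The script below is an added example, not code from this post or from dynamoo, ThreatTrack or urlquery, of turning those published indicators into a proxy-log check: it parses a simple "timestamp client method url status" log, scores a request high when the destination IP is on the thread's blocklists or a known path is served on port 8080, and medium when the path appears on a normal port (possibly a compromised legitimate site). The log lines are constructed for the example, with the defanging space removed from the quoted domains; the format, function names and severities are my assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Destination IPs from the "Blocklist" sections quoted in this thread
# (dynamoo, April 2013). Long stale; shown for the shape of the data.
BLOCKLIST_IPS = {
    "62.76.40.244", "62.76.41.245", "72.167.254.194", "80.246.62.143",
    "91.191.170.26", "93.187.200.250", "94.103.45.34", "109.70.4.231",
    "188.65.178.27", "199.66.224.130", "199.191.59.60", "208.94.108.238",
}

# URL paths that recur in the quoted reports. /forum/viewtopic.php is left
# out on purpose: it is a common legitimate forum path and would flood the queue.
SUSPICIOUS_PATHS = [
    (re.compile(r"/forum/links/column\.php$"), "Blackhole 2 landing page path"),
    (re.compile(r"/ponyb/gate\.php$"), "Pony loader gate.php check-in"),
    (re.compile(r"/gakmail\.htm$"), "gakmail.htm redirector"),
]

# Constructed proxy log: "epoch client method url status". The example.* rows
# are filler; the last line is deliberately malformed to exercise the parser.
SAMPLE_LOG = """\
1365500000.123 10.0.0.5 GET http://igionkialo.ru:8080/forum/links/column.php 200
1365500001.456 10.0.0.7 GET http://www.example.com/forum/links/column.php 200
1365500002.789 10.0.0.9 POST http://3ecompany.com:8080/ponyb/gate.php 200
1365500003.000 10.0.0.5 GET http://93.187.200.250:8080/forum/links/column.php 200
1365500004.000 10.0.0.11 GET http://www.example.org/index.html 200
1365500005.000 10.0.0.12 GET http://vtoto.ru/gakmail.htm 200
malformed line that the parser must skip
"""


def parse_line(line):
    """Split one log record; return None for lines that do not fit the format."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, client, method, url, status = parts
    u = urlsplit(url)
    if not u.hostname:
        return None
    port = u.port or (443 if u.scheme == "https" else 80)
    return {"ts": ts, "client": client, "method": method,
            "host": u.hostname, "port": port, "path": u.path}


def classify(rec):
    """Return (severity, reason) pairs for one parsed record."""
    hits = []
    try:
        if str(ipaddress.ip_address(rec["host"])) in BLOCKLIST_IPS:
            hits.append(("high", "destination IP on blocklist"))
    except ValueError:
        pass  # host is a name, not a literal IP address
    for rx, label in SUSPICIOUS_PATHS:
        if rx.search(rec["path"]):
            # The kit was consistently served on :8080 in these runs; the same path
            # on a normal port still merits a look (compromised host) but ranks lower.
            hits.append(("high" if rec["port"] == 8080 else "medium", label))
    return hits


def scan_log(text):
    """One alert dict per (record, reason) pair found in the log text."""
    alerts = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for severity, reason in classify(rec):
            alerts.append({"client": rec["client"], "host": rec["host"],
                           "severity": severity, "reason": reason})
    return alerts


def flagged_clients(text, min_severity="medium"):
    """Internal clients to triage, sorted; min_severity='high' keeps only confident hits."""
    order = {"medium": 0, "high": 1}
    return sorted({a["client"] for a in scan_log(text)
                   if order[a["severity"]] >= order[min_severity]})


if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(a["severity"].upper(), a["client"], "->", a["host"], "(%s)" % a["reason"])
    print("triage:", flagged_clients(SAMPLE_LOG, "high"))
```

    The point of scoring path-plus-port above the IP list is durability: the blocklists in these posts were only good for a few days, whereas the landing page path and port stayed constant across every campaign quoted here, so that pattern is the indicator worth keeping in a proxy or DNS alert rule.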

  5. #165
    AplusWebMaster

    Fake printer SPAM ...

    FYI...

    Fake HP ScanJet SPAM / jundaio .ru
    - http://blog.dynamoo.com/2013/04/hp-s...jundaioru.html
    9 Apr 2013 - "This fake printer spam leads to malware on jundaio .ru:
    Date: Tue, 9 Apr 2013 10:07:40 +0500 [01:07:40 EDT]
    From: Scot Crump [ScotCrump @hotmail .com]
    Subject: Re: Scan from a Hewlett-Packard ScanJet #0437
    Attachment: HP-ScannedDoc.htm
    Attached document was scanned and sent
    to you using a HP HPAD-400812P.
    SENT BY : Scot S.
    PAGES : 9
    FILETYPE: .HTM [INTERNET EXPLORER/MOZILLA FIREFOX]


    The attachment HP-ScannedDoc.htm leads to malware on [donotclick]jundaio .ru:8080/forum/links/column.php (report here*) hosted on:
    91.191.170.26 (Netdirekt, Turkey)
    93.187.200.250 (Netdirekt, Turkey)
    94.103.45.34 (ANKARAHOSTING, Turkey)
    208.94.108.238 (Fibrenoire, Canada)
    Blocklist:
    91.191.170.26
    93.187.200.250
    94.103.45.34
    208.94.108.238
    ..."
    * http://urlquery.net/report.php?id=1894750
    ... Detected live BlackHole v2.0 exploit kit 91.191.170.26

    - http://nakedsecurity.sophos.com/2013...-with-malware/
    April 4, 2013
    ___

    Fake BoA Bill Payment SPAM / BILL_04092013_Fail.exe
    - http://blog.dynamoo.com/2013/04/unab...cent-bill.html
    9 Apr 2013 - "This spam contains an attachment 04092013.zip which in turn contains a malicious file BILL_04092013_Fail.exe
    Date: Tue, 9 Apr 2013 10:44:03 -0500 [11:44:03 EDT]
    From: Bank of America [bill.payment @bankofamerica .com]
    Subject: Unable to process your most recent Bill Payment
    You have a new e-Message from Bank of America
    This e-mail has been sent to you to inform you that we were unable to process your most recent payment of bill.
    Please check attached file for more detailed information on this transaction.
    Pay To Account Number: **********3454
    Due Date: 05/01/2013
    Amount Due: $ 508.60
    Statement Balance: $ 2,986.26
    IMPORTANT: The actual delivery date may vary from the Delivery By date estimate. Please make sure that there are sufficient available funds in your account to cover your payment beginning a few days before Delivery By date estimate and keep such funds available until the payment is deducted from your account.
    If we fail to process a payment in accordance with your properly completed instructions, we will reimburse you any late-payment-related fees.
    We apologize for any inconvenience this may cause. .
    Please do not reply to this message. If you have any questions about the information in this e-Bill , please contact your Bill Pay customer support . For all other questions, call us at 800-887-5749.
    Bank of America, N.A. Member FDIC. Equal Housing Lender
    ©2013 Bank of America Corporation. All rights reserved...


    VirusTotal results are only 11/46*.
    MD5: 3cb04da2747769460a7ac09d1be44fc6
    SHA256: 141751e9ae18ec55c8cd71e2e464419f3030c21b21e3f0914b0b320adce3bf70
    ThreatExpert reports** that the malware attempts to phone home to 64.34.70.31 and 64.34.70.32 (iDigital Internet Inc, Canada) and includes a keylogger."
    * https://www.virustotal.com/en/file/1...is/1365522944/
    File name: BILL_04092013_Fail.exe
    Detection ratio: 11/46
    Analysis date: 2013-04-09
    ** http://www.threatexpert.com/report.a...7ac09d1be44fc6

    Screenshot: https://gs1.wac.edgecastcdn.net/8019...YQ91qz4rgp.png
    ___

    Malicious American Airlines Spam
    - http://threattrack.tumblr.com/post/4...-airlines-spam
    April 9, 2013 - "Subjects Seen:
    Please download your ticket #[removed]
    Typical e-mail details:
    Customer Notification
    Your bought ticket is attached to the letter as a scan document.
    To use your ticket you should Download It .


    Malicious URLs
    bikemania .org/components/.5wl0rb.php?request=ss00_323


    Screenshot: https://gs1.wac.edgecastcdn.net/8019...Oy21qz4rgp.png
    ___

    Fake LinkedIn SPAM / jonahgkio .ru
    - http://blog.dynamoo.com/2013/04/link...nahgkioru.html
    9 Apr 2013 - "This fake LinkedIn spam leads to malware on jonahgkio .ru:
    Date: Tue, 9 Apr 2013 10:03:31 -0300
    From: "service @paypal .com" [service @paypal .com]
    Subject: Join my network on LinkedIn
    LinkedIn
    Marcelene Bruno has indicated you are a Friend
    I'd like to add you to my professional network on LinkedIn.
    - Marcelene Bruno
    Accept
    View invitation from Marcelene Bruno
    WHY MIGHT CONNECTING WITH Marcelene Bruno BE A GOOD IDEA?
    Marcelene Bruno's connections could be useful to you
    After accepting Marcelene Bruno's invitation, check Marcelene Bruno's connections to see who else you may know and who you might want an introduction to. Building these connections can create opportunities in the future.
    © 2012, LinkedIn Corporation


    The link leads to a malicious payload on [donotclick]jonahgkio .ru:8080/forum/links/column.php which doesn't seem to be working at the moment. However, it is multihomed on some familiar looking IPs:
    91.191.170.26 (Netdirekt, Turkey)
    93.187.200.250 (Netdirekt, Turkey)
    208.94.108.238 (Fibrenoire, Canada)
    Blocklist:
    91.191.170.26
    93.187.200.250
    208.94.108.238
    ..."
    ___

    Fake Intuit SPAM / juhajuhaa .ru
    - http://blog.dynamoo.com/2013/04/intu...hajuhaaru.html
    9 Apr 2013 - "This fake Intuit spam leads to malware on juhajuhaa .ru:
    Date: Tue, 9 Apr 2013 11:21:18 -0430 [11:51:18 EDT]
    From: Tagged [Tagged @taggedmail .com]
    Subject: Payroll Account Holded by Intuit
    Direct Deposit Service Informer
    Communicatory Only
    We cancelled your payroll on Tue, 9 Apr 2013 11:21:18 -0430.
    Finances would be gone away from below account # ending in 6780 on Tue, 9 Apr 2013 11:21:18 -0430
    amount to be seceded: 4053 USD
    Paychecks would be procrastinated to your personnel accounts on: Tue, 9 Apr 2013 11:21:18 -0430
    Log In to Review Operation
    Funds are typically left before working banking hours so please make sure you have enough Finances accessible by 12 a.m. on the date Cash are to be seceded.
    Intuit must reject your payroll by 4 p.m. Central time, two banking days before your paycheck date or your state would not be paid on time.
    QuickBooks does not process payrolls on weekends or federal banking holidays. A list of federal banking holidays can be viewed at the Federal Reserve website.
    Thank you for your business.
    Regards,
    Intuit Payroll Services


    The link in the email goes through a legitimate but hacked site to a malware landing page at [donotclick]juhajuhaa .ru:8080/forum/links/column.php (report here*) hosted on some familiar-looking IP addresses that we saw earlier:
    91.191.170.26 (Netdirekt, Turkey)
    93.187.200.250 (Netdirekt, Turkey)
    208.94.108.238 (Fibrenoire, Canada)
    Blocklist:
    91.191.170.26
    93.187.200.250
    208.94.108.238
    ...
    * http://urlquery.net/report.php?id=1900207
    ... Detected suspicious URL pattern... Blackhole 2 Landing Page 91.191.170.26

    Screenshot: https://gs1.wac.edgecastcdn.net/8019...Pus1qz4rgp.png
    ___

    Top porn sites lead to malware
    - http://blog.dynamoo.com/2013/04/top-...o-malware.html
    9 Apr 2013 - "... the greatest risk comes from external sites such as crakmedia .com (report*), trafficjunky .net (report**) and traffichaus .com (report***) plus several others. These too are intermediaries being abused by third parties.. but this is part of the problem with poorly regulated banner ads and traffic exchangers. Bad things slip into pages easily, and very few people want to kick up a fuss... If you are going to look at the shady side of the web, then it is very important to make sure that your system is fully patched... and a combination of Firefox + NoScript is very good at locking down your browser (note that this isn't really for novices). Logging in as something other than an administrator can also help to reduce the impact of malware.. and of course a good and up-to-date anti-virus or security package is essential."
    (More detail at the dynamoo URL above.)
    * http://www.google.com/safebrowsing/d...=crakmedia.com
    ** http://www.google.com/safebrowsing/d...afficjunky.net
    *** http://www.google.com/safebrowsing/d...raffichaus.com

    ___

    "Your naked photos online" SPAM ...
    - https://www.net-security.org/malware_news.php?id=2460
    Apr 9, 2013 - "Malware peddlers continue to use the old "your naked photos online" lure to trick users into following malicious links or downloading malicious attachments, warns Total Defense's* Alex Polischuk. The attached EPS00348.zip file contains an executable of the same name, and sports an icon depicting a natural landscape in order to trick the user into opening it. Unfortunately for those who do, the file is actually a backdoor Trojan that also has the ability to download additional malware onto the compromised computer, allowing the attackers to have total control of it and using it for their own malicious purposes. As always, users are advised -never- to follow links or download files contained in unsolicited emails - no matter the claims they contain and how urgent they sound."
    * http://www.totaldefense.com/blogs/20...sA-Trojan.aspx

    Last edited by AplusWebMaster; 2013-04-10 at 13:30.

  6. #166
    Adviser Team AplusWebMaster's Avatar

    Google scam, Malware sites, BBB, credit line SPAM...

    FYI...

    Massive Google scam sent by email to Colombian domains
    - https://isc.sans.edu/diary.html?storyid=15586
    Last Updated: 2013-04-10 21:01:28 UTC - "... supposedly good news from a resume they sent to google looking for open positions:
    > https://isc.sans.edu/diaryimages/images/diary1.png
    ... The file referenced in the e-mail is zip compressed, MD5 4e85b6c9e9815984087f6722498a6dfc. Once uncompressed, you get document.exe, MD5 3e41ab7c70701452d046b93f764564ec. This file is widely recognized by VirusTotal with a 40/46 detection ratio. It is a mass mailer with backdoor capabilities. The mass mailer malware description can be found at http://home.mcafee.com/virusinfo/vir...ey=153521#none and the backdoor description can be found at http://home.mcafee.com/virusinfo/vir...spx?key=100938 ... people complained about very slow internet links without performing any download operations. If you were affected by this malware, please keep in mind the following recommendations:
    - Do not *ever* open attachments from unreliable sources, especially zipped files that contain exe files. Nothing good can come from it.
    - Do not disable any security controls inside your computer like host IPS, antivirus and personal firewall. If you need to work with software that is blocked by any of these controls and there is no way to enable it through them, it is definitely something you should consider not using.
    - Malware can control your machine and handle it as desired, affecting confidentiality, integrity, availability, traceability and non-repudiation of your information. Avoid performing actions that could materialize such risks, like dealing with p2p software."
    ___

    Malware sites to block 10/4/13
    - http://blog.dynamoo.com/2013/04/malw...ock-10413.html
    10 April 2013 - "These domains and IPs are associated with the Amerika gang and are related to this spam run*. Blocking them would be prudent.
    46.4.150.96/27
    46.161.0.235
    93.170.130.241
    ..."
    (Long list at the dynamoo URL above.)
    * http://blog.dynamoo.com/2013/04/ican...ware-spam.html
    ___

    Fake credit line SPAM / judianko .ru
    - http://blog.dynamoo.com/2013/04/your...s-changed.html
    10 April 2013 - "I haven't seen this one before. It leads to malware on judianko.ru:
    From: messages-noreply @bounce.linkedin .com [mailto:messages-noreply @bounce.linkedin .com] On Behalf Of LinkedIn
    Sent: 10 April 2013 14:24
    Subject: Re: Your credit line percent was changed.
    We apologize, but we must raise percent of your credit line up to 22,5%. We would be like to make it lower, but the situation on the market today is not so good, because of it we can not handle other way.
    Under this link you can view a details about changing of contract


    The link goes through a legitimate but hacked site to [donotclick]judianko .ru:8080/forum/links/column.php (report here*) hosted on:
    185.5.185.129 (Far-Galaxy Networks, Germany)
    188.65.178.27 (Melbourne Server Hosting, UK)
    Blocklist:
    185.5.185.129
    188.65.178.27
    ..."
    * http://urlquery.net/report.php?id=1915010
    ... Detected suspicious URL pattern... Blackholev2 redirection successful 188.65.178.27

    Screenshot: https://gs1.wac.edgecastcdn.net/8019...9cq1qz4rgp.png
    ___

    Fake BBB SPAM / jamiliean .ru
    - http://blog.dynamoo.com/2013/04/bbb-...milieanru.html
    10 April 2013 - "This fake BBB spam leads to malware on jamiliean .ru:
    From: Habbo Hotel [mailto:auto-contact @habbo .com]
    Sent: 10 April 2013 00:17
    Subject: Re: Better Business Bureau Complaint
    Good afternoon,
    Here with the Better Business Bureau would like to inform you that we have received a complaint (ID 24941954)
    from a customer of yours in regard to their dealership with you.
    Please open the COMPLAINT REPORT attached to this email (Internet Exlporer file)
    to view the details on this issue and suggest us about your position as soon as possible.
    We hope to hear from you shortly.
    Regards,
    CHRISTI REAGAN
    Dispute Counselor
    Better Business Bureau


    There is an attachment BBB-Complaint-US39824.htm; the malicious payload is at [donotclick]jamiliean .ru:8080/forum/links/column.php. The associated payload, IPs and domains are the same as in this attack* also running today."
    * http://blog.dynamoo.com/2013/04/your...s-changed.html

    Screenshot: https://gs1.wac.edgecastcdn.net/8019...Jcz1qz4rgp.png
    ___

    Fake Verizon Wireless SPAM / jamtientop .ru
    - http://blog.dynamoo.com/2013/04/veri...tientopru.html
    10 Apr 2013 - "This fake Verizon Wireless spam leads to malware on jamtientop .ru:
    Date: Wed, 10 Apr 2013 01:14:51 +0100 [04/09/13 20:14:51 EDT]
    From: DorianBottom @hotmail .com
    Subject: Verizon Wireless
    IMPORTANT ACCOUNT NOTE FROM VERIZON WIRELESS.
    Your acknowledgment message is issued.
    Your account No. ending in 1332
    Dear Client
    For your accommodation, your confirmation letter can be found in the Account Documentation desk of My Verizon.
    Please browse your informational message for more details relating to your new transaction.
    Open Information Message
    In addition, in My Verizon you will find links to information about your device & services that may be helpfull if you looking for answers.
    Thank you for joining us. My Verizon is laso works 24 hours 7 days a week to assist you with:
    Viewing your utilization
    Upgrade your tariff
    Manage Account Members
    Pay for your bill
    And much, much more...
    © 2013 Verizon Wireless
    Verizon Wireless | One Verizon Way Mail Code: 113WVC | Basking Ridge, MI 87325
    We respect your privacy. Please browse our policy for more information


    The link goes through a hacked legitimate site to a malicious landing page at [donotclick]jamtientop.ru:8080/forum/links/column.php (report here*) hosted on:
    91.191.170.26 (Netdirekt, Turkey)
    185.5.185.129 (Far-Galaxy Networks, Germany)
    188.65.178.27 (Melbourne Server Hosting, UK)
    Blocklist:
    91.191.170.26
    185.5.185.129
    188.65.178.27
    ..."
    * http://urlquery.net/report.php?id=1919123
    ... Detected suspicious URL pattern... Blackholev2 redirection 185.5.185.129

    Screenshot: https://gs1.wac.edgecastcdn.net/8019...aTS1qz4rgp.png

    Last edited by AplusWebMaster; 2013-04-11 at 18:57.

  7. #167
    Adviser Team AplusWebMaster's Avatar

    Fake Changelog, Xanga SPAM ...

    FYI...

    Fake Changelog SPAM / juliaroberzs .ru
    - http://blog.dynamoo.com/2013/04/chan...roberzsru.html
    11 Apr 2013 - "This spam leads to malware on juliaroberzs .ru:
    Date: Thu, 11 Apr 2013 02:46:13 +0100
    From: Mayola Phipps via LinkedIn [member@linkedin.com]
    Subject: Re: changelog UPD.
    Attachments: changelog.htm
    Good morning,
    as promised changelog is attached (Internet Explorer format)


    The attachment changelog.htm leads to a malicious landing page at [donotclick]juliaroberzs .ru:8080/forum/links/column.php (report here*) hosted on some familiar IPs**:
    91.191.170.26 (Netdirekt, Turkey)
    185.5.185.129 (Far-Galaxy Networks, Germany)
    188.65.178.27 (Melbourne Server Hosting, UK)
    Blocklist:
    91.191.170.26
    185.5.185.129
    188.65.178.27
    ..."
    * http://urlquery.net/report.php?id=1927055
    ... Detected suspicious URL pattern... Blackhole 2 Landing Page
    ** http://blog.dynamoo.com/2013/04/veri...tientopru.html
    ___

    Malicious Xanga Spam
    - http://threattrack.tumblr.com/post/4...ous-xanga-spam
    11 Apr 2013 - "Subjects Seen:
    Gracelyn [removed] is your new friend!
    Typical e-mail details:
    Hey [removed]!
    Now that you are friends with Gracelyn, you can:
    • Share a memory of Gracelyn
    • Post on Gracelyn’s Chatboard
    • More…
    Have fun!
    The Xanga Team


    Malicious URLs
    degsme .lv/settingss.htm
    janasika .ru:8080/forum/links/column.php


    Screenshot: https://gs1.wac.edgecastcdn.net/8019...AQw1qz4rgp.png
    ___

    Fake UPS SPAM / juliamanako .ru
    - http://blog.dynamoo.com/2013/04/ups-...amanakoru.html
    11 Apr 2013 - "This fake UPS spam leads to malware on juliamanako .ru:
    Date: Thu, 11 Apr 2013 11:58:33 -0300 [10:58:33 EDT]
    From: Aida Tackett via LinkedIn [member@linkedin.com]
    Subject: United Postal Service Tracking Nr. H9544862721
    Your USPS CUSTOMER SERVICES for big savings! Can't see images? CLICK HERE.
    UPS - UPS Customer Services
    UPS UPS SUPPORT 56
    UPS - UPS MANAGER 67 >> UPS - UPS SUPPORT 501
    Already Have an Account?
    Enjoy all UPS has to offer by linking your My UPS profile to your account.
    Link Your Account Now >>
    UPS - UPS Customer Services
    Good day, [redacted].
    DEAR CONSUMER , We were not able to delivery the postal package
    Track your Shipment now!
    Pack it. Ship ip. No calculating , UPS .com Customer Services.
    Shipping Tracking Calculate Time & Cost Open an Account
    @ 2011 United Parcel Service of America, Inc. USPS Customer Services, the UPS brandmark, and the color brown are
    trademarks of United Parcel Service of America, Inc. All rights reserved.
    This is a marketing e-mail for UPS services. Click here to update your e-mail preferences or to unsubscribe to
    USPS .COM marketing e-mail. For information on UPS's privacy practices, please refer to UPS Privacy Policy.
    USPS Services, 04 Glenlake Parkway, NE - Atlanta, GA 30324
    Attn: Customer Communications Department


    The link goes through a legitimate -hacked- site to a malicious landing page at [donotclick]juliamanako .ru:8080/forum/links/column.php hosted on:
    91.191.170.26 (Netdirekt, Turkey)
    185.5.185.129 (Far-Galaxy Networks, Germany)
    188.65.178.27 (Melbourne Server Hosting, UK)
    Blocklist:
    91.191.170.26
    185.5.185.129
    188.65.178.27
    ..."
    ___

    Malicious QuickBooks Overdue Payment SPAM
    - http://threattrack.tumblr.com/post/4...e-payment-spam
    April 11, 2013 - "Subjects Seen:
    Please respond - overdue payment
    Typical e-mail details:
    Please find attached your invoices for the past months. Remit the payment by 04/11/2013 as outlines under our “Payment Terms” agreement.
    Thank you for your business,
    Sincerely,
    Rusty Coffey


    Screenshot: https://gs1.wac.edgecastcdn.net/8019...i9P1qz4rgp.png

    Also: http://security.intuit.com/alert.php?a=79
    Last updated 4/11/2013

    Last edited by AplusWebMaster; 2013-04-12 at 00:21.

  8. #168
    Adviser Team AplusWebMaster's Avatar

    Fake Chase Bank, American Airlines emails lead to malware

    FYI...

    Fake American Airlines emails lead to malware
    - http://blog.webroot.com/2013/04/12/a...ad-to-malware/
    April 12, 2013 - "Cybercriminals are currently spamvertising tens of thousands of emails impersonating American Airlines in an attempt to trick its customers into thinking that they’ve received a download link for their E-ticket. Once they download and execute the malicious attachment, their PCs automatically join the botnet operated by the cybercriminal/gang of cybercriminals behind the campaign...
    Sample screenshot of the spamvertised email:
    > https://webrootblog.files.wordpress....ngineering.png
    ... Detection rate for the malicious executable: MD5: f17ee7f9a0ec3d7577a148ae79955d6a * ... Mal/Weelsof-D..."
    (Long list of malware C&C IPs available at the webroot URL above.)
    * https://www.virustotal.com/en/file/c...d3ac/analysis/
    File name: f17ee7f9a0ec3d7577a148ae79955d6a
    Detection ratio: 27/46
    Analysis date: 2013-04-11
    ___

    Chase Bank Credentials Phish
    - http://threattrack.tumblr.com/post/4...dentials-phish
    April 12, 2013 - "Subjects Seen:
    Chase Online: Site Maintenance Notification
    Typical e-mail details:
    Dear Customer:
    As part of our commitment to protecting the security of your account, we routinely verify online profile details. We’re writing you to confirm your Chase account details.
    Your account security is important to us, so we appreciate your prompt attention to this matter. Attached is a form to help complete this process. Download the form and follow the instructions.
    We are here to assist you anytime. Your account security is our priority. Thank you for choosing Chase.
    Sincerely,
    Jennifer Myhre
    Senior Vice President
    Chase Consumer Banking


    Malicious URLs
    myasfalisi .gr/images/sampledata/chase.js


    Screenshot: https://gs1.wac.edgecastcdn.net/8019...iGe1qz4rgp.png
    ___

    Malicious Wells Fargo Wire Transfer Spam
    - http://threattrack.tumblr.com/post/4...-transfer-spam
    April 12, 2013 - "Subjects Seen:
    International Wire Transfer File Not Processed
    Typical e-mail details:
    We are unable to process your International Wire Transfer request due to insufficient funds in the identified account.
    Review the information below and contact your Relationship Manager if you have questions, or make immediate arrangements to fund the account. If funds are not received by 04/12/2013 03:00 pm PT, the file may not be processed.
    Please view the attached file for more details on this transaction.
    Any email address changes specific to the Wire Transfer Service should be directed to Treasury Management Client Services at 1-800-AT-WELLS (1-800-289-3557).
    Event Message ID: [removed]
    Date/Time Stamp: Fri, 12 Apr 2013 12:44:47 -0500


    Malicious URLs
    94.32.66.114 /ponyb/gate.php
    116.122.158.195 :8080/ponyb/gate.php
    embryo-india .com/24gwq.exe


    Screenshot: https://gs1.wac.edgecastcdn.net/8019...Qum1qz4rgp.png

    Last edited by AplusWebMaster; 2013-04-12 at 23:23.

  9. #169
    Adviser Team AplusWebMaster's Avatar

    Malicious PayPal, USPS Spam, BoA phish...

    FYI...

    Malicious PayPal Receipt Spam
    - http://threattrack.tumblr.com/post/4...al-recipt-spam
    April 15, 2013 - "Subjects Seen:
    Receipt for your PayPal payment to [removed]
    Typical e-mail details:
    Hello,
    You sent a payment of $149.49 USD to [removed] ([removed])
    Thanks for using PayPal. To see all the transaction details, log in to your PayPal account.
    It may take a few moments for this transaction to appear in your account.


    Malicious URLs
    matsum .info/wp-content/plugins/akismet/wp-status.php?1HJN2KC56FN7C
    lacunanotifies .net/closest/incomming_message.php


    Screenshot: https://gs1.wac.edgecastcdn.net/8019...1Ce1qz4rgp.png
    ___

    Malicious USPS Delivery Failure Spam
    - http://threattrack.tumblr.com/post/4...y-failure-spam
    April 15, 2013 - "Subjects Seen:
    USPS delivery failure report
    Typical e-mail details:
    Notification
    Our company’s courier couldn’t make the delivery of package.
    REASON: Postal code contains an error.
    LOCATION OF YOUR PARCEL: New York
    DELIVERY STATUS: sort order
    SERVICE: One-day Shipping
    NUMBER OF YOUR PARCEL: [removed]
    FEATURES: No
    Label is enclosed to the letter.
    Print a label and show it at your post office.
    An additional information:
    If the parcel isn’t received within 30 working days our company will have the right to claim compensation from you for it’s keeping in the amount of $8.26 for each day of keeping of it.
    You can find the information about the procedure and conditions of parcels keeping in the nearest office.
    Thank you for using our services.
    USPS Global.


    Malicious URLs
    116.122.158.195 :8080/ponyb/gate.php
    serw.myroitracking .com/24gwq.exe

    Screenshot: https://gs1.wac.edgecastcdn.net/8019...Dsw1qz4rgp.png
    ___

    Bank of America Credentials Phish
    - http://threattrack.tumblr.com/post/4...dentials-phish
    April 15, 2013 - "Subjects Seen:
    Please confirm your information
    Typical e-mail details:
    We have decided to put an extra verification process to ensure your identity and your account security.
    Please click here to continue the verification process and ensure your account security.


    Malicious URLs
    safe.bankofamerica .logon.canadapenfund.ca/
    - 216.227.221.247*

    Screenshot: https://gs1.wac.edgecastcdn.net/8019...oUs1qz4rgp.png

    * http://urlquery.net/report.php?id=2023194

    Diagnostic page for AS15244 (ADDD2NET)
    - https://www.google.com/safebrowsing/...?site=AS:15244
    "Of the 23067 site(s) we tested on this network over the past 90 days, 1138 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2013-04-15, and the last time suspicious content was found was on 2013-04-15... Over the past 90 days, we found 173 site(s) on this network... that appeared to function as intermediaries for the infection of 516 other site(s)... this network has hosted sites that have distributed malicious software in the past 90 days. We found 157 site(s)... that infected 602 other site(s)..."
    ___

    - http://tools.cisco.com/security/cent...utbreak.x?i=77
    Fake USPS Delivery Failure Notification E-mail Messages - 2013 Apr 15
    Fake Tax Refund Notification E-mail Messages - 2013 Apr 15
    Fake Product Quotation Document E-mail Messages - 2013 Apr 15
    Fake Product Inquiry With Attached Sample Design E-mail Messages - 2013 Apr 15
    Fake Portuguese Account Regularization Notification E-mail Messages - 2013 Apr 15
    Fake Wire Transfer Notification E-mail Messages - 2013 Apr 15
    Fake Western Union Money Compensation Notification E-mail Messages - 2013 Apr 15
    Fake CashPro Online Digital Certificate Notification E-mail Messages - 2013 Apr 15
    Fake Italian Malicious Link E-mail Messages - 2013 Apr 15
    Fake Tax Return Submission Notification E-mail Messages - 2013 Apr 15
    Fake Credentials Reset Notification E-mail - 2013 Apr 15
    Fake Purchase Order Notification E-mail Messages - 2013 Apr 15
    Fake Bill Notification E-mail Messages - 2013 Apr 15
    Fake Document Sharing E-mail Messages - 2013 Apr 15
    (Links and more detail at the cisco URL above.)

    Last edited by AplusWebMaster; 2013-04-16 at 12:31.
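The `.ru:8080/forum/links/column.php` landing-page path and the `/ponyb/gate.php` gate recur in post after post above, always on a throwaway domain but on a handful of reused hosting IPs. As an added example (written for this page, not dynamoo's or ThreatTrack's tooling), a Python sweep that checks proxy-log lines in a constructed format against those paths and the blocklist IPs quoted in this thread:

```python
"""Sweep outbound proxy logs for the landing-page and C2 paths quoted in
this thread. Added example for this page, not dynamoo's or ThreatTrack's
tooling. Log format is constructed for the example:
    <timestamp> <client_ip> <method> <url> <destination_ip> <status>
"""
import re
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

# URL paths the posts above quote as Blackhole 2 landing pages and Pony
# ("ponyb") C2 gates; the same paths were reused across many domains.
SUSPECT_PATHS = {
    "/forum/links/column.php": "Blackhole 2 landing page",
    "/ponyb/gate.php": "Pony C2 gate (ponyb)",
}

# Hosting IPs and the one CIDR block taken from the blocklists quoted above.
BLOCKLIST = [ip_network(x) for x in (
    "91.191.170.26", "93.187.200.250", "208.94.108.238",
    "185.5.185.129", "188.65.178.27",
    "46.4.150.96/27", "46.161.0.235", "93.170.130.241",
    "94.32.66.114", "116.122.158.195",
)]

LOG_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")


def classify(url, dst_ip):
    """Return the reasons a request matches the campaigns above (empty list
    means clean). Both the path pattern and the destination IP are checked,
    so a brand-new .ru domain parked on a known IP is still caught."""
    reasons = []
    parts = urlsplit(url)
    for path, label in SUSPECT_PATHS.items():
        if parts.path.endswith(path):
            port = f" on port {parts.port}" if parts.port else ""
            reasons.append(f"{label}{port}")
    try:
        addr = ip_address(dst_ip)
    except ValueError:
        addr = None  # unresolved or malformed destination: skip the IP check
    if addr is not None and any(addr in net for net in BLOCKLIST):
        reasons.append(f"destination {dst_ip} is on the thread blocklist")
    return reasons


def scan_log(lines):
    """Parse each constructed log line and collect the ones worth an alert."""
    hits = []
    for raw in lines:
        match = LOG_LINE.match(raw.strip())
        if not match:
            continue  # malformed line: skip it rather than abort the sweep
        ts, client, method, url, dst_ip, status = match.groups()
        reasons = classify(url, dst_ip)
        if reasons:
            hits.append({"time": ts, "client": client, "method": method,
                         "url": url, "status": status, "reasons": reasons})
    return hits


# Constructed sample log: private client addresses, TEST-NET for the benign
# destination, IPs from the thread for the malicious ones.
SAMPLE_LOG = [
    "2013-04-11T15:58:40Z 10.0.0.5 GET http://juliamanako.ru:8080/forum/links/column.php 185.5.185.129 200",
    "2013-04-11T15:58:41Z 10.0.0.5 GET http://www.example.com/index.html 203.0.113.10 200",
    "2013-04-12T17:44:50Z 10.0.0.9 POST http://116.122.158.195:8080/ponyb/gate.php 116.122.158.195 200",
    "2013-04-12T17:45:02Z 10.0.0.9 GET http://91.191.170.26/stats.php 91.191.170.26 404",
    "garbled line with no structure",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["time"], hit["client"], hit["url"], "->", "; ".join(hit["reasons"]))
```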

  10. #170
    Adviser Team AplusWebMaster's Avatar

    Fake Fiserv, American Airlines, NACHA, ACH Transfer SPAM

    FYI...

    Fake "Fiserv Secure Email Notification" spam
    - http://blog.dynamoo.com/2013/04/fise...tion-spam.html
    April 16, 2013 - "This spam has an encrypted ZIP file attached that contains malware. The passwords and filenames will vary.
    From: Fiserv Secure Notification [mailto:secure.notificationi@fiservi.com]
    Sent: Tue 16/04/2013 14:02
    Subject: [WARNING : MESSAGE ENCRYPTED] Fiserv Secure Email Notification - CC3DK9WJW8IG0F5
    You have received a secure message
    Read your secure message by opening the attachment, Case_CC3DK9WJW8IG0F5.zip.
    The attached file contains the encrypted message that you have received.
    To decrypt the message use the following password - KsUs3Z921mA
    To read the encrypted message, complete the following steps:
    - Double-click the encrypted message file attachment to download the file to your computer.
    - Select whether to open the file or save it to your hard drive. Opening the file displays the attachment in a new browser window.
    - The message is password-protected, enter your password to open it.
    To access from a mobile device, forward this message to to receive a mobile login URL.
    If you have concerns about the validity of this message, please contact the sender directly. For questions about secure e-mail encryption service, please contact technical support at 888.979.7673.
    2000-2013 Fiserv Secure Systems, Inc. All rights reserved.


    In the case of the sample I have seen, there is an attachment Case_CC3DK9WJW8IG0F5.zip which unzips using the supplied password to Case_Fiserv_04162013.exe (note the date is encoded into the filename).
    At the time of writing, VirusTotal results are just 5/46*. The Comodo CAMAS report is here**, the ThreatExpert report here***... seems to be a Zbot variant.
    The bad IPs involved are:
    ..."
    (Long list of IPs and domains at the dynamoo URL above.)
    * https://www.virustotal.com/en/file/3...is/1366120267/
    File name: Case_Fiserv_04162013.exe
    Detection ratio: 5/46
    Analysis date: 2013-04-16 13:51:07 UTC
    ** http://camas.comodo.com/cgi-bin/subm...2e921c5b071764
    *** http://www.threatexpert.com/report.a...e7562d7b0564f9
    ___

    Malicious American Airlines Spam Continues
    - http://threattrack.tumblr.com/post/4...spam-continues
    April 16, 2013 - "Subjects Seen:
    Your order has been completed
    Order #[removed]

    Typical e-mail details:
    Customer Notification
    Your bought ticket is attached to the letter as a scan document.
    To use your ticket you should Download It .


    Malicious URLs
    caprica-toysncomics .com/components/.a9iifi.php?request=ss00_323
    caprica-toysncomics .com/components/.a9iifi.php?ticket=844_220641690


    Screenshot: https://gs1.wac.edgecastcdn.net/8019...TUq1qz4rgp.png
    ___

    Malicious NACHA, ACH Transfer Spam
    - http://threattrack.tumblr.com/post/4...-trasnfer-spam
    April 16, 2013 - "Subjects Seen:
    Your ACH transfer
    Typical e-mail details:
    The ACH process (ID: [removed]), recently requested from your checking account (by you), was rejected by the recepient’s bank.

    Screenshot: https://gs1.wac.edgecastcdn.net/8019...xuS1qz4rgp.png
    ___

    Fake Boston Marathon Scams - Update
    - https://isc.sans.edu/diary.html?storyid=15617
    2013-04-16

    Last edited by daemon; 2014-04-22 at 15:38. Reason: Webmaster requested removal of links, websites were fixed in the meantime.
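The Fiserv lure above ships its payload in a password-protected zip so that a mail gateway cannot look inside, while the ISC diary and the "naked photos" item earlier in the thread describe plain zips wrapping an .exe. As an added example (not code from dynamoo, ISC or Total Defense), a Python triage routine that reads the zip's own encryption flag and sniffs each readable entry for an MZ header; the sample archives, the `_build_zip` and `_mark_encrypted` fixture helpers and the stub payload are all constructed here:

```python
"""Static triage of a zip e-mail attachment: flag password-protected
entries (the Fiserv lure) and executables inside plain zips (the ISC and
"naked photos" lures). Added example for this page, not code from
dynamoo, ISC or Total Defense. All sample zips below are constructed."""
import io
import os
import zipfile

# Extensions that run as code on a Windows desktop when double-clicked.
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
ZIP_ENCRYPTED_FLAG = 0x0001  # bit 0 of the zip general-purpose bit flag


def inspect_zip_attachment(zip_bytes):
    """Return a list of findings; an empty list means nothing suspicious.
    Encrypted entries are not opened (no password), but their names and the
    fact that they are encrypted are still reported so a gateway can
    quarantine the message instead of passing it through unscanned."""
    findings = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return ["not a valid zip (corrupt or disguised attachment)"]
    with archive:
        for info in archive.infolist():
            name = info.filename
            ext = os.path.splitext(name)[1].lower()
            if info.flag_bits & ZIP_ENCRYPTED_FLAG:
                findings.append(f"{name}: encrypted entry, content cannot be scanned")
                if ext in EXEC_EXTENSIONS:
                    findings.append(f"{name}: executable extension inside encrypted zip")
                continue
            if ext in EXEC_EXTENSIONS:
                findings.append(f"{name}: executable extension")
            with archive.open(info) as entry:
                magic = entry.read(2)
            if magic == b"MZ":  # DOS/PE header; also catches renamed executables
                findings.append(f"{name}: PE executable (MZ header)")
    return findings


def _build_zip(entries):
    """Constructed fixture: a stored (uncompressed) zip of (name, data) pairs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, data in entries:
            zf.writestr(name, data)
    return buf.getvalue()


def _mark_encrypted(zip_bytes):
    """Constructed fixture helper: set the 'encrypted' bit in the local file
    header (flag at offset 6) and the central directory header (flag at
    offset 8) of a single-entry zip; that bit is what readers consult to
    decide an entry is password-protected. The stored data is left as-is."""
    buf = bytearray(zip_bytes)
    for signature, offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = buf.find(signature)
        if pos < 0:
            raise ValueError("zip header signature not found")
        buf[pos + offset] |= ZIP_ENCRYPTED_FLAG
    return bytes(buf)


# A stand-in for a dropper: only the MZ magic, not a runnable program.
FAKE_PE = b"MZ" + b"\x00" * 62 + b"constructed stub, not a real program"

BENIGN_ZIP = _build_zip([("invoice_april.txt", b"plain text invoice")])
NAKED_PHOTOS_ZIP = _build_zip([("EPS00348.exe", FAKE_PE)])
FISERV_ZIP = _mark_encrypted(_build_zip([("Case_Fiserv_04162013.exe", FAKE_PE)]))

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_ZIP), ("EPS00348.zip", NAKED_PHOTOS_ZIP),
                        ("Case_CC3DK9WJW8IG0F5.zip", FISERV_ZIP)):
        print(label, "->", inspect_zip_attachment(blob) or ["clean"])
```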
