
Thread: SPAM frauds, fakes, and other MALWARE deliveries...

  1. #191
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Something evil on 50.116.28.24 ...

    FYI...

    Something evil on 50.116.28.24
    - http://blog.dynamoo.com/2013/05/some...501162824.html
    19 May 2013 - "50.116.28.24 (Linode, US) is hosting the callback servers for some Mac malware as mentioned here* and here** plus some other suspect sites. I would advise that you assume that -all- domains hosted on this IP are malicious..."
    (More detail at the dynamoo URL above.)

    * http://www.f-secure.com/weblog/archives/00002554.html

    ** http://forums.macrumors.com/showthread.php?t=1583233
    ___

    Wells Fargo Credentials Phish
    - http://threattrack.tumblr.com/post/5...dentials-phish
    20 May 2013 - "Subjects Seen:
    Account Update
    Typical e-mail details:
    In order to safeguard your account, we require that you confirm your details.
    To help speed up this process, please access the following link so we can complete the verification of your Wells Fargo information details.
    To get started, visit the link below:
    Wells Fargo Online Confirmation


    Malicious URLs
    update.id5027-wellsfargo .com/index.php?id=586616


    Screenshot: https://gs1.wac.edgecastcdn.net/8019...Vzo1qz4rgp.png
    ___

    Malicious Invoice Attachment Spam
    - http://threattrack.tumblr.com/post/5...ttachment-spam
    20 May 2013 - "Subjects Seen:
    invoice copy
    Typical e-mail details:
    Kindly open to see export License and payment invoice attached,
    meanwhile we sent the balance payment yesterday.
    Please confirm if it has settled in your account or you can call if
    there is any problem.
    Thanks
    Karen parker


    Spam contains malicious attachment.

    Screenshot: https://gs1.wac.edgecastcdn.net/8019...1qo1qz4rgp.png
    ___

    Chase Bank Credentials Phish
    - http://threattrack.tumblr.com/post/5...dentials-phish
    20 May 2013 - "Subjects Seen:
    Billing Code:[removed]
    Typical e-mail details:
    During regularly scheduled account maintenance and verification procedures, we have detected a slight error in your billing information.
    This might be due to either of the following reasons:
    1. A recent change in your personal information ( i.e. change of address).
    2. Submitting invalid information during the initial sign up process.
    3. An inability to accurately verify your selected option of payment due to an internal error within our processors.
    Click on the guide-link below and follow the directions or please call our Online Helpdesk.
    Regards,
    Chase Online
    Billing Department
    Thanks for your co-operation.


    Malicious URLs
    goodnickfitness .com.au/hnav.html
    diamondtek .cl/diamondtek .cl/http/online.chaseonline1/com/logon.html


    Screenshot: https://gs1.wac.edgecastcdn.net/8019...itt1qz4rgp.png
    ___

    Blackhole Spam Run evades detection using Punycode
    - http://blog.trendmicro.com/trendlabs...sing-punycode/
    May 20, 2013 - "... we have seen a slew of spam crafted as a notice from the popular retail chain Walmart. However, this spam run offers something different.
    > http://blog.trendmicro.com/trendlabs...EK-walmart.jpg
    ... some of the URLs lead to Cyrillic domain names. These domains were translated into the English alphabet through punycode. Punycode* is a way to convert Unicode characters into a smaller character set. URLs in punycode have to be decoded first in order to see its original format. The use of international domain names (IDNs) can pose additional security risks to users. Users can be redirected to a phishing page that appears to have the same URL as a legitimate site. IDNs also allow spammers to create more spam domains not limited to English characters. This can make blocking malicious sites more difficult. This technique is not new, but seeing punycode used in a BHEK email campaign is unusual. Users who click the links are redirected to several sites, until they are lead to the site hosting a malware (detected as TROJ_PIDIEF.SMXY), which exploits a in Adobe Reader and Acrobat (CVE-2009-0924) to download and execute other malware onto the vulnerable system. This attempt at evading detection is not surprising, given how 2013 is shaping up to be the year of refining existing tools. In our 1Q 2013 Security Roundup, we already noticed how dated threats like Asprox and banking Trojans like CARBERP were returning to the scene with new and improved features. We can expect this trend to continue this year, though new threats can always appear anytime soon..."
    * http://www.ietf.org/rfc/rfc3492.txt

    Last edited by AplusWebMaster; 2013-05-21 at 01:05.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .
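The Trend Micro item above describes Cyrillic domains hidden behind punycode ("xn--") labels. The following is an added example, not code from the post or from any of the blogs it quotes: it pulls the hosts out of a message, decodes punycode labels with Python's standard IDNA codec (RFC 3492), and flags labels that mix scripts or that collapse to a watched brand name once lookalike Cyrillic letters are mapped to their Latin twins. The brand list, the lookalike table and the sample e-mail are assumptions constructed for the example; the table is deliberately partial, not a full Unicode confusables list.

```python
"""Added example: decode punycode (xn--) host names found in a message and flag
lookalike or mixed-script domains. Standard library only. The sample e-mail text
at the bottom is constructed for this example, not taken from the spam run
described on the page."""
import re
import unicodedata

# Partial table of Cyrillic letters that render like Latin ones (assumption:
# enough for a demonstration; a real deployment would use Unicode TR39 data).
CYRILLIC_LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u04bb": "h", "\u0501": "d", "\u04cf": "l", "\u051b": "q", "\u051d": "w",
}

# Brands the lure claims to come from (hypothetical watch list).
WATCHED_BRANDS = {"walmart", "wellsfargo", "chase"}

URL_HOST_RE = re.compile(r"https?://([^/\s'\"<>]+)", re.IGNORECASE)


def extract_hosts(text):
    """Host part of every http(s) URL in the text, lower-cased, userinfo and port stripped."""
    hosts = []
    for m in URL_HOST_RE.finditer(text):
        host = m.group(1).lower().split("@")[-1].split(":")[0].rstrip(".")
        hosts.append(host)
    return hosts


def decode_idna(host):
    """Decode xn-- labels to Unicode via the IDNA codec; other hosts come back unchanged."""
    if "xn--" not in host:
        return host
    try:
        return host.encode("ascii").decode("idna")
    except (UnicodeError, ValueError):
        return host  # malformed label: keep the raw form, it is still flagged as punycode


def scripts_of(label):
    """Script names (first word of the Unicode character name) used by the letters of a label."""
    scripts = set()
    for ch in label:
        if ch.isalpha():
            scripts.add(unicodedata.name(ch, "").split(" ")[0])  # "LATIN", "CYRILLIC", ...
    return scripts


def skeleton(label):
    """Replace lookalike Cyrillic letters with their Latin twins for brand comparison."""
    return "".join(CYRILLIC_LOOKALIKES.get(ch, ch) for ch in label)


def assess_host(host):
    """Triage one host: punycode?, decoded form, mixed scripts?, impersonated brand (if any)."""
    decoded = decode_idna(host)
    labels = decoded.split(".")
    mixed = any(len(scripts_of(lbl)) > 1 for lbl in labels)
    lookalike = None
    for lbl in labels:
        sk = skeleton(lbl)
        if sk in WATCHED_BRANDS and sk != lbl:
            lookalike = sk
    return {"host": host, "punycode": "xn--" in host, "decoded": decoded,
            "mixed_script": mixed, "lookalike_of": lookalike}


def triage_message(text):
    """Assess every host in a message and return only the ones worth a second look."""
    return [r for r in (assess_host(h) for h in extract_hosts(text))
            if r["punycode"] or r["mixed_script"] or r["lookalike_of"]]


# Constructed sample: a "Walmart order" lure with one lookalike domain
# ("w" + Cyrillic a + "lmart") and one wholly Cyrillic domain, both as punycode.
LOOKALIKE = "w\u0430lmart.com"
CYRILLIC_ONLY = "\u043f\u0440\u0438\u043c\u0435\u0440.\u0440\u0444"  # пример.рф
SAMPLE_MAIL = (
    "Your Walmart order is ready. View it at "
    f"http://{LOOKALIKE.encode('idna').decode('ascii')}/order/123 or "
    f"http://{CYRILLIC_ONLY.encode('idna').decode('ascii')}/track\n"
    "Questions? http://www.walmart.com/help\n"
)

if __name__ == "__main__":
    for finding in triage_message(SAMPLE_MAIL):
        print(finding)
```

The legitimate `www.walmart.com` link is not reported because its skeleton equals the label itself; the lookalike is reported both as mixed-script and as impersonating "walmart", and the all-Cyrillic domain is reported only because it arrived as punycode, which is the signal the blog post describes.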

  2. #192

    Fake NATO jobs SPAM, Delivery_Information ...

    FYI...

    Fake NATO jobs SPAM ...
    - http://blog.webroot.com/2013/05/21/c...rsonates-nato/
    May 21, 2013 - "Want to join the North Atlantic Treaty Organization (NATO)?... you’d be involuntarily sharing your information with what looks like an intelligence gathering operation...
    Sample screenshot of the -fake- NATO Employment Application Form:
    > https://webrootblog.files.wordpress....pplication.png
    A copy of the -fake- NATO Employment Application Form
    > http://webrootblog.files.wordpress.c...ation-form.pdf
    A copy of the -fake- NATO Interview Form
    > http://webrootblog.files.wordpress.c...rview-form.pdf
    ... NATO impersonating domain name reconnaissance:
    nspa-nato.int.tf – 188.40.117.12; 188.40.70.27; 188.40.70.29
    Name server: ns1.idnscan .net
    Name server: ns2.idnscan .net
    usnato-hr.org – 208.91.198.24
    Name Server: DNS1.SPIRITDOMAINS .COM
    Name Server: DNS2.SPIRITDOMAINS .COM
    ... We know that on 2013-05-10 07:01:46 CET, responding to the same IP (188.40.117.12) was also the following Black Hole Exploit Kit redirecting URLs...
    Always watch where you apply and be aware of offers which sound too good to be true."
    (More detail at the webroot URL above.)
    ___

    Fake Delivery_Information_ID-000512430489234.zip
    - http://blog.dynamoo.com/2013/05/deli...489234zip.html
    21 May 2013 - "The file Delivery_Information_ID-000512430489234.zip is being promoted by a spam run (perhaps aimed at Italian users, although all the hosts are German)... best guess is that it is a fake package delivery report. So far I have identified three download locations for the malicious ZIP file:
    [donotclick]www.interapptive .de/get/Delivery_Information_ID-000512453420234.zip
    [donotclick]www.vankallen .de/get/Delivery_Information_ID-000512453420234.zip
    [donotclick]www.haarfashion .de/get/Delivery_Information_ID-000512430489234.zip
    The ZIP file decompresses to Delivery_Information_ID-000512453420234.Pdf_______________________________________________________________.exe (note all those underscores!) which has a VirusTotal detection rate of 23/47* and has the following checksums:
    MD5: 791a8d50acfea465868dfe89cdadc1fc
    SHA1: be67a7598c32caf3ccea0d6598ce54c361f86b0a
    SHA256: 9ae8fe5ea3b46fe9467812cbb2612c995c21a351b44b08f155252a51b81095d7
    The Anubis report is pretty inconclusive but ThreatTrack reports** [pdf] some peer-to-peer traffic and also some rummaging around the Windows Address Book (WAB)."
    * https://www.virustotal.com/en/file/9...is/1369127051/
    File name: Delivery_Information_ID-000512453420234.Pdf______________________...
    Detection ratio: 23/47
    Analysis date: 2013-05-21
    ** http://www.dynamoo.com/files/analysi...89cdadc1fc.pdf
    ___

    Malicious eFax Corporate Spam
    - http://threattrack.tumblr.com/post/5...corporate-spam
    21 May 2013 - "Subjects Seen:
    Corporate eFax message from [removed]
    Typical e-mail details:
    You have received a 3 fax at 2013-05-07 10:24:18 CST.
    * The reference number for this fax is [removed].
    Please visit efaxcorporate.com/corp/twa/page/customerSupport if you have any questions regarding this message or your service. You may also e-mail our corporate support department at corporatesupport @mail.efax.com.
    Thank you for using the eFax Corporate service!


    Malicious URLs
    116.122.158.195 :8080/ponyb/gate.php
    mail.yaklasim .com:8080/ponyb/gate.php
    debthelpsmart .org/ponyb/gate.php
    debtsmartretirement .com/ponyb/gate.php
    50.63.222.182 /GGBG2H.exe


    Screenshot: https://gs1.wac.edgecastcdn.net/8019...2PH1qz4rgp.png
    ___

    prospectdirect .org SPAM
    - http://blog.dynamoo.com/2013/05/pros...torg-spam.html
    21 May 2013 - "Everything that this spammer says is a lie:
    From: Emily Norton [emily.norton @prospectdirect .org]
    To: [redacted]
    Date: 21 May 2013 16:33
    Subject: Cater to your email marketing needs
    Signed by: prospectdirect .org
    Hello,
    I hope you don’t mind but I just wanted to contact you to discuss your email marketing strategy. If you don’t currently have one that is working for you then our client can help.
    The company I am contacting you on behalf of have the dedicated knowledge and services to cater to your email marketing needs.
    If you would like a quote please complete this form: http ://prospectdirect .org/email-marketing-strategy
    Leave your details at the link above or reply with any requirements.
    Kind Regards,
    Emily Norton
    75 Glandovey Terrace, Newquay, Cornwall TR8 4QD
    Tel: 0843 289 4698
    This email (including any attachments) is intended only for the recipient(s) named above. It may contain confidential or privileged information and should not be read, copied or otherwise used by any other person. If you are not the named recipient please contact the sender and delete the email from your system. If you would no longer like to receive emails from us please unsubscribe here http ://www.prospectdirect .org/landing/page.php?jq=[snip]


    Firstly, the email was sent to a scraped address from the website of the Slimeware Corporation and isn't any sort of opted-in address at all. The address of "75 Glandovey Terrace, Newquay, Cornwall TR8 4QD" simply does -not- exist, and the telephone number of 0843 289 4698 appears to belong to a completely -unrelated- company. I very much doubt there is anybody called "Emily Norton" involved, and there is no company in the UK with the name "Prospect Direct". The website prospectdirect .org itself carefully hides any contact details, the WHOIS details are anonymous, the domain was created on 2012-07-19 and is hosted on 109.235.51.98 (Netrouting / Xeneurope , Netherlands). There are no contact details on the website and there is no identifying information at all.. it hasn't just been omitted by accident, the whole thing has been left meticulously clean by a professional spamming outfit.
    > https://lh3.ggpht.com/-t6eWqUjKl84/U...ect-direct.png
    I would recommend giving these spammers a wide berth given their catalogue of lies."

    Last edited by AplusWebMaster; 2013-05-21 at 22:50.
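The Delivery_Information item above shows the classic trick of a decoy document extension (".Pdf") followed by a long run of underscores and a real ".exe", shipped inside a ZIP. The following is an added example, not code from the post or from dynamoo: it classifies attachment names by that shape (decoy extension, filler padding, overlong name, executable final extension) and applies the same check to the member names of a ZIP. The extension lists and thresholds are assumptions; the ZIP is built in memory with a harmless text payload so the example runs offline.

```python
"""Added example: flag attachment file names that hide an executable behind a
decoy document extension and padding, and scan ZIP members the same way.
Standard library only; the sample ZIP is constructed for the example."""
import io
import re
import zipfile

# Assumed policy lists: tune for the environment.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "jar"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}
PADDING_RE = re.compile(r"[_\s.\-]{8,}")  # long run of filler characters
MAX_SANE_LENGTH = 80


def classify_name(name):
    """Return warning flags for one attachment name (directory parts are ignored)."""
    base = name.rsplit("/", 1)[-1]
    parts = base.lower().split(".")
    final_ext = parts[-1] if len(parts) > 1 else ""
    # extensions that appear before the final one, trailing filler stripped,
    # so "Pdf_____" still counts as a claimed PDF
    earlier_exts = {p.rstrip("_ -") for p in parts[1:-1]}
    flags = {
        "executable": final_ext in EXECUTABLE_EXTS,
        "decoy_document_ext": bool(earlier_exts & DOCUMENT_EXTS),
        "padding": PADDING_RE.search(base) is not None,
        "overlong": len(base) > MAX_SANE_LENGTH,
    }
    # A bare .exe is a policy question; an .exe dressed up as a document is a lure.
    flags["suspicious"] = flags["executable"] and (
        flags["decoy_document_ext"] or flags["padding"] or flags["overlong"])
    return flags


def scan_zip(data):
    """Classify every member of a ZIP given as bytes; returns [(member name, flags)]."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [(info.filename, classify_name(info.filename)) for info in zf.infolist()]


def suspicious_members(data):
    """Names of ZIP members that trip the lure heuristic."""
    return [name for name, flags in scan_zip(data) if flags["suspicious"]]


def build_sample_zip():
    """Constructed sample shaped like the one on the page, with a harmless payload."""
    member = "Delivery_Information_ID-000512453420234.Pdf" + "_" * 60 + ".exe"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"not a program, just example bytes")
    return buf.getvalue()


if __name__ == "__main__":
    for member, flags in scan_zip(build_sample_zip()):
        print(member[:50] + "...", flags)
```

The heuristic deliberately does not treat a plain `setup.exe` as a lure; it reports `executable` so a separate attachment policy can act on it, while `suspicious` is reserved for names engineered to look like something else.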

  3. #193

    Malicious ADP SPAM...

    FYI...

    Malicious ADP Spam
    - http://threattrack.tumblr.com/post/5...p-invoice-spam
    22 May 2013 - "Subjects Seen:
    Invoice #[removed] - Remit file
    Typical e-mail details:
    Attached is the invoice (ADP_Invoice_[removed].zip) received from your bank.
    Please print this label and fill in the requested information. Once you have filled out
    all the information on the form please send it to payroll.invoices @adp .com.
    For more details please see the attached file.
    Please do not reply to this e-mail, it is an unmonitored mailbox!
    Thank you ,
    Automatic Data Processing, Inc...


    Malicious URLs
    116.122.158.195 :8080/ponyb/gate.php
    mail.yaklasim .com:8080/ponyb/gate.php
    10healthynails .com/ponyb/gate.php
    advprintgraphics .com/ponyb/gate.php
    50.63.222.182 /GGBG2H.exe

    Malicious File Name and MD5:
    ADP_Invoice_[removed].zip (638d32dc80678f17609fe21dF73c6f6d)
    ADP_Invoice_[removed].exe (a8aab9bcd389348823b77b090fb0afcc)
    uszyly.vxe (707423e64a6ab41d694a9e1d8e823d292)

    Screenshot: https://gs1.wac.edgecastcdn.net/8019...MJg1qz4rgp.png
    ___

    - http://tools.cisco.com/security/cent...utbreak.x?i=77
    Fake Purchase Order E-mail Messages - 2013 May 22
    Fake Xerox Scan Attachment E-mail Messages - 2013 May 22
    Fake Product Order Quote Request E-mail Messages - 2013 May 22
    Fake Document Sharing E-mail Messages - 2013 May 22
    Fake Facebook Voice Comment E-mail Message - 2013 May 22
    Fake DHL Order Tracking Notification E-mail Messages - 2013 May 22
    Fake Product Order Quote Request E-mail Messages - 2013 May 22
    Fake Check Return Notification E-mail Messages - 2013 May 22
    Fake Picture Link E-mail Messages - 2013 May 22
    Fake Money Transfer Notification E-mail Messages - 2013 May 22
    Fake Invoice Statement Attachment E-mail Messages - 2013 May 22
    Fake Product Order E-mail Messages - 2013 May 22
    Fake Holiday Photo Sharing Request E-mail Messages - 2013 May 22
    Fake Scanned Document Attachment E-mail Messages - 2013 May 22
    Fake Payment Request Notification E-mail Messages - 2013 May 22
    (More detail and links at the cisco URL above.)

    Last edited by AplusWebMaster; 2013-05-22 at 23:46.

  4. #194

    Spear-phish, Fake Invoice emails, Fake FBI Ransomware ...

    FYI...

    Spear-phish e-mails lead to APT
    - https://atlas.arbor.net/briefs/index#-1950400672
    Elevated Severity
    May 22, 2013
    Yet another targeted attack is dissected. Password theft was one of the motivating factors in the campaign.
    Analysis: Well-crafted spear-phish e-mails were sent to the victim organizations. These spear phish included exploit code for patched vulnerabilities in Microsoft Office and also delivered bait files of interest to the target. In some cases, the bait files contain exploit code and in other cases they merely serve as a distraction. This is a tried-and-true method in wide use by cybercriminals and nation-state espionage actors. Once the malware is installed, credential theft applications can be used. The document provided by trend includes various Indicators of Compromise (IOCs) that organizations can use to help detect if they have been or are currently a victim. Additionally, domains used for malicious purposes are sometimes re-used at a later time, so keeping an eye on DNS logs and HTTP activity can help spot a new campaign re-using older infrastructure.
    Source: http://www.trendmicro.com/cloud-cont...ted-threat.pdf

    - http://blog.trendmicro.com/trendlabs...-apt-campaign/
    "... The distribution method of this campaign involves spear-phishing emails that contain a malicious attachment exploiting a Microsoft Office vulnerability (CVE-2012-0158*)..."
    * https://web.nvd.nist.gov/view/vuln/d...=CVE-2012-0158 - 9.3 (HIGH) - MS12-027

    - https://www.net-security.org/malware_news.php?id=2500
    May 20, 2013 - "... Dubbed "Safe," the campaign has first been spotted in October 2012 and has so far resulted in nearly 12,000 unique IP addresses spread over more than 100 countries to be connected to two sets of command-and-control (C&C) infrastructures..."
    ___

    Fake ‘Export License/Payment Invoice’ emails lead to malware
    - http://blog.webroot.com/2013/05/23/f...ad-to-malware/
    May 23, 2013 - "... just intercepted yet another currently ongoing malicious spam campaign, enticing users into executing a fake Export License/Payment Invoice. Once gullible and socially engineering users do so, their PCs automatically join the botnet operated by the cybercriminals. More details:
    Detection rate for the malicious executable: MD5: 4e7dc191117a6f30dd429cc619041552 * ... Trojan.Win32.Inject.foiq; Trojan.Zbot.
    Once executed, the sample starts listening on port 28723...
    It then phones back to the following C&C servers:
    213.230.101.174 :11137
    87.203.65.0 :12721
    180.241.97.79 :16114
    83.7.104.50 :13647
    84.59.222.81 :10378
    194.94.127.98 :25549
    98.201.143.22 :19595
    78.139.187.6 :14384
    180.183.178.134 :20898

    We’ve also seen the following C&C server IP (194.94.127.98) in previously profiled malicious campaigns... As well as 78.139.187.6 ... We’re aware of more MD5s that phoned back to the same IPs over the last couple of days..."
    (More detail at the webroot URL above.)
    * https://www.virustotal.com/en/file/d...is/1369151297/
    File name: invoice copy.exe
    Detection ratio: 33/47
    Analysis date: 2013-05-21
    ___

    Fake FBI Ransomware - spikes...
    - http://blog.webroot.com/2013/05/23/r...ing-worldwide/
    May 23, 2013 - "Recently we have seen a spike of this ransomware in the wild as it appears as though its creators are not easily giving up. This infection takes your computer hostage and makes it look as though the authorities are after you, when in reality this is all just an elaborate attempt to make you -pay- to unblock your computer. Once infected, a warning similar to the one below* will take up your entire screen in such a way that you can’t get around it, thus effectively blocking you from accessing your files, programs or anything else on your computer. To further scare you into believing that you’ve been caught in illegal activity, your IP address, rough location, internet service provider, operating system and webcam image may be displayed.
    * https://webrootblog.files.wordpress....rdiv.png?w=869
    To ensure maximum profits, the malware writers made sure that everyone understood their warning and payment instructions by localizing the infection around the world... there are variants of this infection that will encrypt your files so even after the infection is removed, documents, pictures and many other files on the hard drive will be inaccessible. Once the files are encrypted it can be very difficult or impossible to restore the original unencrypted versions. To avoid data loss, we strongly suggest periodically backing up your data...The infection executable may be located in the AppData, Temp, or User Profile directories and typically loads by adding itself to the Run keys or by modifying the Winlogon Shell entry. In some cases it may load using only a shortcut that’s placed in the Startup folder..."

    Last edited by AplusWebMaster; 2013-05-23 at 20:17.
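The Webroot ransomware write-up above names where the infection executable sits (AppData, Temp or the user profile) and how it starts (Run keys, the Winlogon Shell value, or a shortcut in the Startup folder). The following is an added example, not code from the post or from Webroot: it reviews those three autostart locations and reports any entry whose image lives in one of those user-writable paths or that replaces or extends the expected shell. The review logic takes a plain snapshot dict so it runs anywhere; the snapshot is constructed for the example. The collector at the end reads a live Windows registry (assumption: run as the user under review; it does not resolve Startup-folder shortcuts, which would need a COM call).

```python
"""Added example: triage Windows autostart entries (Run keys, Winlogon Shell,
Startup folder) for images under AppData, Temp or the user profile. Works on a
snapshot dict; the snapshot below is constructed. The live collector is
Windows-only and only covers the registry parts."""
import re
import sys

# Directories the write-up names as the ransomware's home; a legitimate shell or
# vendor autostart rarely lives there. Assumption: tune per environment.
SUSPECT_DIR_RE = re.compile(
    r"\\(AppData|Local Settings|Temp|Users\\[^\\]+)\\", re.IGNORECASE)
EXPECTED_SHELL = "explorer.exe"


def image_path(command):
    """Pull the executable path out of a Run-key style command line."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(" ", 1)[0]


def review_run_values(values):
    """values: {value name: command line}. Flag images in user-writable locations."""
    findings = []
    for name, command in values.items():
        image = image_path(command)
        if SUSPECT_DIR_RE.search(image):
            findings.append({"source": "Run", "name": name, "image": image})
    return findings


def review_winlogon_shell(shell_value):
    """Shell normally reads exactly 'explorer.exe'; anything appended or substituted is a finding."""
    parts = [p.strip() for p in shell_value.split(",") if p.strip()]
    return [{"source": "Winlogon\\Shell", "name": "Shell", "image": p}
            for p in parts if p.lower() != EXPECTED_SHELL]


def review_startup_folder(entries):
    """entries: list of (shortcut name, resolved target path) from the Startup folder."""
    return [{"source": "Startup", "name": lnk, "image": target}
            for lnk, target in entries if SUSPECT_DIR_RE.search(target)]


def review_snapshot(snapshot):
    """Run all three checks and return the combined findings."""
    return (review_run_values(snapshot.get("run", {}))
            + review_winlogon_shell(snapshot.get("winlogon_shell", EXPECTED_SHELL))
            + review_startup_folder(snapshot.get("startup", [])))


# Constructed snapshot: two benign entries and three that match the pattern.
SAMPLE_SNAPSHOT = {
    "run": {
        "SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe",
        "ctfmon": r'"C:\Users\alice\AppData\Roaming\ctfmon.exe" /autostart',
    },
    "winlogon_shell": r"explorer.exe,C:\Users\alice\AppData\Local\Temp\svchost.exe",
    "startup": [
        ("OneNote.lnk", r"C:\Program Files\Microsoft Office\ONENOTEM.EXE"),
        ("update.lnk", r"C:\Users\alice\AppData\Local\Temp\update.exe"),
    ],
}


def collect_live_registry():
    """Windows-only: read HKCU/HKLM Run values and the Winlogon Shell value. None elsewhere."""
    if sys.platform != "win32":
        return None
    import winreg  # standard library, Windows only
    snapshot = {"run": {}, "startup": []}  # Startup .lnk targets are left to the analyst
    hives = ((winreg.HKEY_CURRENT_USER, "HKCU"), (winreg.HKEY_LOCAL_MACHINE, "HKLM"))
    for hive, label in hives:
        try:
            with winreg.OpenKey(hive, r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
                index = 0
                while True:
                    try:
                        name, value, _ = winreg.EnumValue(key, index)
                    except OSError:
                        break  # no more values
                    snapshot["run"][f"{label}\\{name}"] = str(value)
                    index += 1
        except OSError:
            pass  # key not readable from this account
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon") as key:
        snapshot["winlogon_shell"] = str(winreg.QueryValueEx(key, "Shell")[0])
    return snapshot


if __name__ == "__main__":
    for finding in review_snapshot(collect_live_registry() or SAMPLE_SNAPSHOT):
        print(finding)
```

A hit is a triage lead, not a verdict: some legitimate per-user installers also start from AppData, so the image path in each finding is what to hash and check next. The Shell check is strict on purpose, since the write-up describes the value being modified rather than a new value being added.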

  5. #195

    Malicious UPS SPAM, BoA phish...

    FYI...

    Malicious UPS Spam
    - http://threattrack.tumblr.com/post/5...cious-ups-spam
    24 May 2013 - "Subjects Seen:
    UPS - Your package is available for pickup ( Parcel [removed] )
    Typical e-mail details:
    The courier company was not able to deliver your parcel by your address.
    Cause: Error in shipping address.
    You may pickup the parcel at our post office.
    Please attention!
    For mode details and shipping label please see the attached file.
    Print this label to get this package at our post office.
    Please do not reply to this e-mail, it is an unmonitored mailbox!
    Thank you,
    UPS Logistics Services.


    Malicious URLs
    116.122.158.195 :8080/ponyb/gate.php
    50.63.222.182 /GGBG2H.exe

    Malicious File Name and MD5:
    UPS_Label_[removed].zip (667cf9590337d47f8c23053a8b2480a1)
    UPS_Label_[removed].exe (1ef1438e2f2273ddbaf543dcdbaea5b1)
    73036718.exe (c7e0c3d8b14e8755d32e27051d0e6477)

    ThreatAnalyzer Report: http://db.tt/gTlNJnGy

    Screenshot: https://gs1.wac.edgecastcdn.net/8019...aHb1qz4rgp.png
    ___

    Bank of America Credentials Phish
    - http://threattrack.tumblr.com/post/5...dentials-phish
    24 May 2013 - "Subjects Seen:
    Bank of America alert: Your account has been locked
    Typical e-mail details:
    There are a number of invalid login attempts on your account. We had to believe that, there might be some security problems on your account. So we have decided to put an extra verification process to ensure your identity and your account security.
    Please click here to continue the verification process and ensure your account security.


    Malicious URLs
    radiojetaislame .com/images/safe5


    Screenshot: https://gs1.wac.edgecastcdn.net/8019...cwo1qz4rgp.png
    ___

    Fake Chase "Incoming Wire Transfer" SPAM / incoming_wire_05242013.zip
    - http://blog.dynamoo.com/2013/05/chas...sfer-spam.html
    24 May 2013 - "This fake Chase "Incoming Wire Transfer" email has a malicious attachment...
    Date: Fri, 24 May 2013 09:18:23 -0500 [10:18:23 EDT]
    From: Chase [Chase @emailinfo.chase .com]
    Subject: Incoming Wire Transfer
    Note: This is a service message with information related to your Chase account(s)...


    Screenshot: https://lh3.ggpht.com/-ofvJxQkPoeA/U...1600/chase.png

    The attachment incoming_wire_05242013.zip contains an executable incoming_wire_05242013.exe with a detection rate of 9/47 at VirusTotal*. The ThreatTrack report** [pdf] and ThreatExpert report*** show various characteristics of this malware, in particular a callback to the following IPs and domains:
    116.122.158.195
    188.93.230.115
    199.168.184.197
    talentos.clicken1 .com

    Checksums are as follows:
    MD5 f9182e5f13271cefc2695baa11926fab
    SHA1 b3cff6332f2773cecb2f5037937bb89c6125ec15
    SHA256 0a23cdcba850056f8425db0f8ad73dca7c39143cdafc61c901c8c3428f312f2d
    * https://www.virustotal.com/en/file/0...is/1369405971/
    File name: incoming_wire_05242013.exe
    Detection ratio: 9/47
    Analysis date: 2013-05-24

    ** http://www.dynamoo.com/files/analysi...aa11926fab.pdf

    *** http://www.threatexpert.com/report.a...695baa11926fab
    ___

    Compromised Indian gov't Web site leads to BlackHole Exploit Kit
    - http://blog.webroot.com/2013/05/24/c...e-exploit-kit/
    May 24, 2013 - "Our sensors recently picked up a Web site infection, affecting the Web site of the Ministry of Micro And Medium Enterprises (MSME DI Jaipur). And although the Black Hole Exploit Kit serving URL is currently not accepting any connections, it’s known to have been used in previous client-side exploit serving campaigns...
    Sample screenshot of the affected Web site:
    > https://webrootblog.files.wordpress....oit_kit_01.png
    Sample compromised URLs:
    hxxp ://sisijaipur .gov.in/cluster_developement.html
    hxxp ://msmedijaipur .gov.in/cluster_developement.html
    Detection rate for the malicious script: MD5: 44a8c0b8d281f17b7218a0fe09840ce9 * ... Trojan:JS/BlacoleRef.W; Trojan-Downloader.JS.Iframe.czf.
    Malicious domain names/redirectors reconnaissance:
    888-move-stuff .com – 50.63.202.21 – Email: van2move @yahoo .com
    888movestuff .com – 208.109.181.190 – Email: van2move @yahoo .com
    jobbelts .com (redirector/C&C) – 98.124.198.1 – Email: aanelli @yahoo .com
    More malicious domains are known to have been responding to the same IP in the past (98.124.198.1)... MD5s are also known to have phoned back to the same (redirector/C&C) IP in the past... phoning back to vnclimitedrun .in:443 (199.59.166.86). In 2012, the same IP was also seen in a malvertising campaign..."
    * https://www.virustotal.com/en/file/e...is/1369337259/
    File name: Indian.html
    Detection ratio: 24/47
    Analysis date: 2013-05-23

    Last edited by AplusWebMaster; 2013-05-24 at 20:45.
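The ThreatTrack and dynamoo items in the posts above list their indicators in defanged form (a space before the TLD or port, "hxxp ://", a "[donotclick]" prefix), and several different hosts share the same "/ponyb/gate.php" callback path. The following is an added example, not code from the posts or from the blogs they quote: it refangs those indicators, splits them into host, port and path, and matches them against web-proxy log lines, with a separate path-only rule so a new host using the same gate path is still caught. The indicator strings are copied from the posts; the log format and the log lines are constructed for the example.

```python
"""Added example: refang indicators quoted in the thread and match them against
proxy log lines. Standard library only; the log lines are constructed."""
import re
from urllib.parse import urlsplit

# Indicators as they appear (defanged) in the posts above.
DEFANGED_IOCS = [
    "116.122.158.195 :8080/ponyb/gate.php",
    "mail.yaklasim .com:8080/ponyb/gate.php",
    "50.63.222.182 /GGBG2H.exe",
    "[donotclick]www.interapptive .de/get/Delivery_Information_ID-000512453420234.zip",
    "hxxp ://sisijaipur .gov.in/cluster_developement.html",
    "radiojetaislame .com/images/safe5",
]
# Paths shared across hosts in the posts; matched regardless of host.
PATH_PATTERNS = ["/ponyb/gate.php"]

URL_RE = re.compile(r"https?://\S+")


def refang(ioc):
    """Undo the defanging conventions used in the quoted posts."""
    s = ioc.strip()
    s = re.sub(r"^\[donotclick\]", "", s)
    s = re.sub(r"^hxxp(s?)\s*://", r"http\1://", s)
    s = re.sub(r"\s+(?=[.:/])", "", s)  # drop the space inserted before ".", ":" or "/"
    return s


def parse_ioc(ioc):
    """(host, port or None, path) for a refanged indicator; a missing scheme is assumed http."""
    s = refang(ioc)
    if "://" not in s:
        s = "http://" + s
    u = urlsplit(s)
    return (u.hostname or "").lower(), u.port, u.path or "/"


def match_line(line, parsed_iocs, path_patterns):
    """Return ("ioc", indicator) or ("pattern", path) for the first rule the line's URL satisfies."""
    m = URL_RE.search(line)
    if not m:
        return None
    u = urlsplit(m.group(0))
    host, port, path = (u.hostname or "").lower(), u.port, u.path or "/"
    for ioc, (ihost, iport, ipath) in parsed_iocs:
        # a port in the indicator must match; an indicator without one matches any port
        if host == ihost and (iport is None or port == iport) and path.startswith(ipath):
            return ("ioc", ioc)
    for pattern in path_patterns:
        if path.lower().endswith(pattern):
            return ("pattern", pattern)
    return None


def scan_log(lines, iocs=DEFANGED_IOCS, path_patterns=PATH_PATTERNS):
    """Run every line through the rules; returns [(line, match)] for the lines that hit."""
    parsed = [(ioc, parse_ioc(ioc)) for ioc in iocs]
    hits = []
    for line in lines:
        result = match_line(line, parsed, path_patterns)
        if result:
            hits.append((line, result))
    return hits


# Constructed proxy log: timestamp, client, method, URL, status, bytes.
SAMPLE_LOG = [
    "2013-05-24T14:02:11Z 10.1.4.22 POST http://mail.yaklasim.com:8080/ponyb/gate.php 200 612",
    "2013-05-24T14:02:13Z 10.1.4.22 GET http://50.63.222.182/GGBG2H.exe 200 143360",
    "2013-05-24T14:05:40Z 10.1.4.23 GET http://www.example.com/index.html 200 5120",
    "2013-05-24T14:06:02Z 10.1.4.25 POST http://newhost.example.net/ponyb/gate.php 200 598",
    "2013-05-24T14:07:00Z 10.1.4.26 GET http://mail.yaklasim.com/webmail/ 200 2048",
]

if __name__ == "__main__":
    for line, match in scan_log(SAMPLE_LOG):
        print(match, "<-", line)
```

The last sample line shows why the port is kept: the same host name on port 80 is not reported against an indicator that specified 8080, so an unrelated service on a shared host does not generate a hit, while the fourth line shows the path rule catching a callback to a host the posts never listed.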

  6. #196

    Fake Citibank SPAM ...

    FYI...

    Fake Citibank SPAM / Statement 57-27-05-2013.zip
    - http://blog.dynamoo.com/2013/05/citi...5-2013zip.html
    27 May 2013 - "This fake Citibank email has a malicious attachment:
    Date: Mon, 27 May 2013 23:25:06 +0530 [13:55:06 EDT]
    From: Millard Hinton [leftoverss75 @gmail .com]
    Subject: Merchant Statement
    Enclosed (xlsx|Exel file|document|file) is your Citibank Paymentech electronic Merchant Billing Statement.
    If you need assistance, please (contact|message|call) your Account Executive or call Merchant Services at the telephone number listed on your statement.
    PLEASE DO NOT RESPOND BY USING REPLY. This (email|mail) is sent from an unmonitored email address, and your response will not be received by Citibank Paymentech.
    Citibank Paymentech will not be responsible for any liabilities that may result from or relate to any failure or delay caused by Citibank Paymentech's or the Merchant's email service or otherwise. Citibank Paymentech recommends that Merchants continue to monitor their statement information regularly...


    The attachment Statement 57-27-05-2013.zip contains a malicious executable Statement 57-27-05-2013.exe with a VirusTotal result of 12/46*. The Comodo CAMAS report and Anubis report are pretty inconclusive. The ThreatTrack report** [pdf] is more comprehensive, showing some peer-to-peer traffic and accessing of the WAB. Simseer's prognosis*** is that this is a Zbot variant. For the record, these are the checksums involved:
    MD5 0bbf809dc46ed5d6c9f1774b13521e72
    SHA1 9a50fa08e71711d26d86f34d8179f87757a88fa8
    SHA256 00b832b5128a7caffe8bd4a854b1e112d488acb37f3a787245d077ae0d106400
    * https://www.virustotal.com/en/file/0...is/1369679734/
    File name: Statement 57-27-05-2013.exe
    Detection ratio: 12/47
    Analysis date: 2013-05-27
    ** http://www.dynamoo.com/files/analysi...4b13521e72.pdf

    *** http://www.simseer.com/webservices/S...f1774b13521e72


  7. #197

    Something evil - malware, fab .com SPAM, Malicious Flash updates ...

    FYI...

    Something evil on 158.255.212.96 and 158.255.212.97
    - http://blog.dynamoo.com/2013/05/some...21296-and.html
    28 May 2013 - "The IPs 158.255.212.96 and 158.255.212.97 (EDIS GmbH, Austria) are hosting malware used in injection attacks (see this example* for fussball-gsv .de). These two** examples*** report a TDS URL pattern which is resistant to automated analysis. The domains appear to be part of a traffic exchanger system (never a good idea), but they have been used to distribute malware... In the cases where no malware has been reported it may well be because Google hasn't visited the site. The domains all have anonymous WHOIS details and have been registered in the past year or so... I can identify a couple more IPs in this cluster, and I would advise you to treat all the domains here as suspect and add them to your blocklist:
    158.255.212.96
    158.255.212.97
    193.102.11.3
    205.178.182.1
    ..."
    (More detail at the dynamoo URL above.)
    * http://urlquery.net/report.php?id=2705726

    ** http://urlquery.net/report.php?id=2705607

    *** http://urlquery.net/report.php?id=2515019
    ___

    fab .com SPAM
    [Via the WeAreSpammers blog]
    - http://blog.dynamoo.com/2013/05/fabcom-spam.html
    28 May 2013 - "I've never heard of fab .com before, but online comments are very negative*. Originating IP is 65.39.215.63 (Sailthru / Peer 1, US) spamvertising mailer.eu.fab .com on 63.251.23.249 (Insight Express LLC, US) which in turn leads to the main site of fab .com on 184.73.196.153 (Amazon .com, US). Avoid."
    From: Fab [info@eu.fab .com]
    To: donotemail @wearespammers .com
    Date: 27 May 2013 17:26
    Subject: Invite from jenotsxx @gmail .com to Fab
    Mailing list: tm.3775.3198a5cdc7466d097e36916b482cde87.sailthru .com
    Signed by: eu.fab .com
    * https://www.google.co.uk/search?&q=%22fab.com%22+spam
    ___

    BANKER Malware hosted in compromised Brazilian gov't sites
    - http://blog.trendmicro.com/trendlabs...ernment-sites/
    28 May 2013 - "Two Brazilian government websites have been compromised and used to serve malware since April 24. We spotted a total of 11 unique malware files being distributed from these sites, with filenames that usually include “update”, “upgrade”, “Adobe”, “FlashPlayer” or combinations thereof. Besides the different filenames, these samples also have different domains where they can connect to download other malicious files, as well as varying command-and-control (C&C) servers... 90% of the affected customers are from Brazil. Other affected countries include the United States and Angola.
    > http://blog.trendmicro.com/trendlabs...percountry.jpg
    The general behavior of these malicious files (detected as TROJ_BANDROP.ZIP) is similar. They drop two files: one executable file (detected as TSPY_BANKER.ZIP) and a supposed GIF file (detected as JAVA_BANKER.ZIP) file in the system’s temporary folder. The executable file modifies the Windows registry to lower system’s security settings, and ultimately loads the .GIF file. The “GIF file” is actually a Java file, loaded using the javaw.exe executable, which is part of the Java Runtime Environment. JAVA_BANKER.ZIP contains commands that can download and execute files from several pre-configured URLs. The downloaded files are then saved as %User Profile%\update.gif (also detected as JAVA_BANKER.ZIP) and executed. These JAR files use several open source libraries such as Java Secure Channel (JSch) and Java Native Access (JNA). These libraries can be used for network operations, in particular connecting to an SSH server, port forwarding, file transfers among others. The final payload of JAVA_BANKER.ZIP is a .JAR file, which elevates the affected user’s administrator right. Given that the attacker has taken control of the system, modifying the victim’s admin rights enables him to modify the normal system file termsvr.dll. This .DLL is mainly used for remote desktop sessions. The malware will replace this file with %Temp%\update.gif... Compromising and using government sites to deliver malware is not an unusual practice. Earlier this month, a website of the US Department of Labor was compromised to serve zero-day Internet Explorer exploit. This tactic provides a certain social engineering leverage, as government-related sites are usually deemed safe and secure. But as this incident clearly shows, there is no sacred cow when it comes to cybercrime. Everyone is fair game..."

    Last edited by AplusWebMaster; 2013-05-28 at 17:46.

  8. #198 AplusWebMaster

    Thumbs down Ruby on Rails attack, Fake Citibank emails serve malware...

    FYI...

    Ruby on Rails attack installs bot ...
    - http://h-online.com/-1872588
    29 May 2013 - "Over the past few days, criminals have increasingly attempted to compromise servers via a security hole in the Ruby on Rails (RoR) web application framework. Successful intruders install a bot that waits for further instructions on an IRC channel. On his blog*, security expert Jeff Jarmoc reports that the criminals are trying to exploit one of the vulnerabilities described by CVE-2013-0156**. Although the holes were closed back in January, more than enough servers on the net are probably still running an obsolete version of Ruby... The bot appears in the process list as "– bash". When launched, it also creates a file called /tmp/tan.pid to ensure that only one instance of the bot will be executed. Those who run a server with Ruby on Rails should always make sure to have the current RoR version installed. The current versions of Ruby on Rails are 3.2.13, 3.1.12 and 2.3.18."
    * http://jarmoc.com/blog/2013/05/28/ro...6-in-the-wild/
    "... Exploit activity is reportedly sourcing from * 88.198.20.247 * 95.138.186.181 * 188.190.126.105..."

    ** https://web.nvd.nist.gov/view/vuln/d...=CVE-2013-0156 - 7.5 (HIGH)

    *** http://rubyonrails.org/download

    - http://weblog.rubyonrails.org/releases/

    - http://atlas.arbor.net/briefs/index#-789014484
    Elevated Severity
    May 30, 2013 - "... Monitoring for outbound connections to IRC ports on cvv4you .ru, 188.190.124.120, 188.190.124.81 is recommended to find compromised systems that may still be at risk..."
    ___

    Fake Citibank emails serve malware ...
    - http://blog.webroot.com/2013/05/29/c...serve-malware/
    May 29, 2013 - "Over the past week, the cybercriminals behind the recently profiled ‘Citibank Merchant Billing Statement‘ themed campaign, resumed operations, and launched yet another massive spam campaign impersonating Citibank, in an attempt to trick its customers into executing the malicious attachment found in the fake emails...
    Sample screenshot of the spamvertised email:
    > https://webrootblog.files.wordpress....nt_malware.png
    Detection rate for the malicious executable – MD5: 0bbf809dc46ed5d6c9f1774b13521e72 * ... Trojan-Spy.Win32.Zbot.lvpo.
    Once executed, the sample starts listening on port 12674. It then drops the following MD5s on the affected hosts:
    MD5: 6044cc337b5dbf82f8746251a13f0bb2
    MD5: d20d915dbdcb0cca634810744b668c70
    MD5: 758498d6b275e58e3c83494ad6080ac2 ...
    It then phones back to the following C&C servers:
    ..."
    (More details at the webroot URL above.)
    * https://www.virustotal.com/en/file/0...6400/analysis/
    File name: Statement 57-27-05-2013.exe
    Detection ratio: 32/47
    Analysis date: 2013-05-29
    ___

    University of Illinois CS department compromised
    - http://blog.dynamoo.com/2013/05/univ...epartment.html
    29 May 2013 - "There's a bunch of malware sites infesting University of Illinois CS department machines in the 128.174.240.0/24 range, mostly pointed out in this post. Compromised machines are tarrazu.cs.uiuc .edu, croft.cs.illinois .edu, tsvi-pc.cs.uiuc .edu, mirco.cs.uiuc .edu, ytu-laptop.cs.uiuc .edu, node3-3105.cs.uiuc .edu and they are on the following IPs with the following malicious domains (I would recommend blocking the whole /24):
    ..."

    (More domains listed at the dynamoo URL above.)

    Update: the University says that this was a single machine on the network which has now been cleaned up.
    ___

    Malware sites to block 29/5/13
    - http://blog.dynamoo.com/2013/05/malw...ock-29513.html
    29 May 2013 - "These domains and IP addresses are connected to this malware spam run* and belong to a group I call the "Amerika" gang (because they tend to use fake US addresses for their WHOIS details but really seem to be Russian). It's quite a long set of lists: first there is a list of malware domains, then a list of malicious IPs and their web hosts, followed by a plain recommended blocklist of IPs for copy-and-pasting... You might notice something odd going on at the University of Illinois in the 128.174.240.0/24 range. Hmm...
    Recommended IP blocklist:
    ..."
    (More detail at the dynamoo URL above.)
    * http://blog.dynamoo.com/2013/05/amaz...-unioncom.html
    ___

    - http://tools.cisco.com/security/cent...utbreak.x?i=77
    Fake Scanned Document Attachment E-mail Messages - 2013 May 29
    Malicious Personal Pictures Attachment E-mail Messages - 2013 May 29
    Fake Electronic Payment Cancellation E-mail Messages - 2013 May 29
    Fake Invoice Statement Attachment E-mail Messages - 2013 May 29
    Fake Sample Product Offering E-mail Messages - 2013 May 29
    Fake Bank Account Statement E-mail Messages - 2013 May 29
    Fake Order Invoice Notification E-mail Messages - 2013 May 29
    Fake Billing Statement E-mail Messages - 2013 May 29
    Fake Credit Card Fraud Alert E-mail Messages - 2013 May 29
    Fake Bank Deposit Notification E-mail Messages - 2013 May 29
    Fake Payment Transfer Notification E-mail Messages - 2013 May 29
    Fake Purchase Order Request E-mail Messages - 2013 May 29
    Fake Product Quote Inquiry E-mail Messages - 2013 May 29
    (Links with more detail available at the cisco URL above.)

    Last edited by AplusWebMaster; 2013-06-02 at 22:16.
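The Ruby on Rails item above gives a defender three things to look for on a Rails host: an outdated framework, the bot's /tmp/tan.pid marker, and a process that shows up as "– bash" (en dash) instead of a real shell. The script below is an added example, not code from H-Online, Jeff Jarmoc or the Rails project; it treats the "current versions" the post lists (3.2.13, 3.1.12, 2.3.18) as the upgrade threshold, and the bash-name heuristic and the pid-file path are assumptions of this example.

```ruby
# Added example: host check for the CVE-2013-0156 bot indicators described in the post.
# Assumption: anything older than the versions the post calls "current" should be upgraded.
CURRENT_RAILS = { '3.2' => '3.2.13', '3.1' => '3.1.12', '2.3' => '2.3.18' }.freeze
BOT_PID_FILE  = '/tmp/tan.pid' # path named in the post as the bot's single-instance marker

def version_tuple(v)
  v.split('.').map(&:to_i)
end

# Returns :outdated, :current or :unknown_branch for a Rails version string such as "3.2.12".
def rails_status(version)
  branch  = version.split('.')[0, 2].join('.')
  current = CURRENT_RAILS[branch]
  return :unknown_branch unless current
  (version_tuple(version) <=> version_tuple(current)) < 0 ? :outdated : :current
end

# The bot appears in the process list as "– bash" (en dash, space). A genuine shell is
# "bash" or, for a login shell, "-bash" (ASCII hyphen). Flag any command name that
# contains "bash" but is not one of those two exact spellings (heuristic, assumed here).
# Input: the text produced by `ps -eo pid,comm`, header line included.
def suspicious_bash_processes(ps_output)
  ps_output.lines.drop(1).filter_map do |line|
    pid, comm = line.strip.split(/\s+/, 2)
    next unless comm
    next if comm == 'bash' || comm == '-bash'
    next unless comm.include?('bash')
    [pid.to_i, comm]
  end
end

def bot_pid_file_present?(path = BOT_PID_FILE)
  File.exist?(path)
end

if __FILE__ == $PROGRAM_NAME
  puts "Rails #{ARGV[0]}: #{rails_status(ARGV[0])}" if ARGV[0]
  puts "bot pid file present: #{bot_pid_file_present?}"
  suspicious_bash_processes(`ps -eo pid,comm`).each do |pid, comm|
    puts "suspect process #{pid}: #{comm.inspect}"
  end
end
```

Run it as `ruby check.rb 3.2.12` on the server; a `:current` result only means the version is not older than the post's list, so an `:unknown_branch` result still deserves a manual look.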

  9. #199 AplusWebMaster

    Thumbs down Fake ADP Funding Notification, Ironport Threat Outbreak Alerts ...

    FYI...

    Fake ADP Funding Notification - Debit Draft
    - http://threattrack.tumblr.com/post/5...on-debit-draft
    May 30, 2013 - "Subjects Seen:
    ADP Funding Notification - Debit Draft
    ADP Invoice Reminder

    Typical e-mail details:
    Your Transaction Report(s) have been uploaded to the web site:
    https :/ /www.flexdirect. adp .com/client/login.aspx
    Please note that your bank account will be debited within one banking business day for the amount(s) shown on the report(s).
    Please do not respond or reply to this automated e-mail. If you have any questions or comments, please Contact your ADP Benefits Specialist.
    Thank You,
    ADP Benefit Services


    Malicious URLs


    Screenshot: https://gs1.wac.edgecastcdn.net/8019...bxv1qz4rgp.png
    ___

    Fake ADP SPAM / 4rentconnecticut .com and 174.140.171.233
    - http://blog.dynamoo.com/2013/05/adp-...utcom-and.html
    30 May 2013 - "These fake ADP spams lead to malware on 4rentconnecticut .com:
    Date: Thu, 30 May 2013 12:41:28 -0500 [13:41:28 EDT]
    From: "ADPClientServices @adp .com" [ADPClientServices @adp .com]
    Subject: ADP Funding Notification - Debit Draft
    Your Transaction Report(s) have been uploaded to the web site:
    https ://www.flexdirect .adp.com/client/login.aspx
    Please note that your bank account will be debited within one banking business day for the amount(s) shown on the report(s).
    Please do not respond or reply to this automated e-mail. If you have any questions or comments, please Contact your ADP Benefits Specialist.
    Thank You,
    ADP Benefit Services
    ====================
    Date: Thu, 30 May 2013 08:45:16 -0800 [12:45:16 EDT]
    From: ADP Inc [ADP_FSA_Services @ADP .com]
    Subject: ADP Invoice Reminder
    Your latest ADP Dealer Services Invoice is now available to view or pay online at ADP Online Invoice Management .
    To protect the security of your data, you will need to enter your ID and password, then click on Access your Online Invoice Management account.
    Total amount due by May 31, 2013
    $26062.29
    If you have already sent your payment please disregard this friendly reminder and Thank you for choosing ADP.
    Questions about your bill?
    Contact David Nieto by Secure Mail.
    Note: This is an automated email. Please do not reply.


    The link in the email goes to a legitimate -hacked- site and then tries to load three different scripts, currently:
    [donotclick]kalimat.egyta .com/swearer/titan.js
    [donotclick]www.asitecsrl .com/servicemen/ethic.js
    [donotclick]www.mbbd .it/dzerzhinsky/bewilders.js
    From there the victim is directed to the main malware landing page at [donotclick]4rentconnecticut .com/news/cross_destroy-sets-separate.php on 174.140.171.233 (DirectSpace LLC, US). A look at URLquery shows many suspect URLs on this server* and VirusTotal also reports several malicious URLs**. It appears that every single domain on this server has been compromised. Blocking the IP address is the easiest way to mitigate against this problem..."
    * http://urlquery.net/search.php?q=174...3-05-30&max=50
    ** https://www.virustotal.com/en/ip-add...3/information/
    ___

    Fake NewEgg .com SPAM / 174.140.171.233
    - http://blog.dynamoo.com/2013/05/newe...140171233.html
    30 May 2013 - "This fake NewEgg.com spam leads to malware on 174.140.171.233:
    Date: Thu, 30 May 2013 16:06:12 +0000 [12:06:12 EDT]
    From: Newegg [info @newegg .com]
    Subject: Newegg.com - Payment Charged...


    Screenshot: https://lh3.ggpht.com/-m_EUbjfZItE/U...00/newegg2.png

    The malicious payload is any one of a number of domains hosted on 174.140.171.233 which is also being used in this attack*. Blocking the IP is the easiest way to protect against the malicious sites hosted on that server."
    * http://blog.dynamoo.com/2013/05/adp-...utcom-and.html
    ___

    Threat Outbreak Alerts
    - http://tools.cisco.com/security/cent...utbreak.x?i=77
    Fake Bank Report Summary E-mail Messages - 2013 May 30
    Fake Scanned Document Attachment E-mail Messages - 2013 May 30
    Fake Contract Document Information E-mail Messages - 2013 May 30
    Fake Product Supply Quote E-mail Messages - 2013 May 30
    Fake Electronic Payment Cancellation E-mail Messages - 2013 May 30
    Malicious Attachment E-mail Messages - 2013 May 30
    Fake Business Complaint Notification E-mail Messages - 2013 May 30
    Fake Payroll Report E-mail Messages - 2013 May 30
    Fake Product Supply Request E-mail Messages - 2013 May 30
    (Links and more detail at the cisco URL above.)

    Last edited by AplusWebMaster; 2013-05-31 at 02:10.

  10. #200 AplusWebMaster

    Thumbs down Fake Vodafone SPAM, Medfos sites to block...

    FYI...

    Fake Vodafone SPAM serving malware in the wild ...
    - http://blog.webroot.com/2013/05/31/f...g-in-the-wild/
    May 31, 2013 - "We have just intercepted yet another spamvertised malware serving campaign, this time impersonating Vodafone U.K., in an attempt to trick the company’s customers into thinking that they’ve received an image. In reality, once users execute the malicious attachments, their PCs automatically join the botnet operated by the cybercriminal...
    Detection rate for the malicious executable – MD5: 4e148480749937acef8a7d9bc0b3c8b5 * ... VirTool:Win32/Obfuscator.ACP; Backdoor.Win32.Androm.sed.
    Once executed, the sample creates an Alternate Data Stream (ADS) –
    C:\Documents and Settings\User\Application Data\dbgbshes\habeegeg.exe:Zone.Identifier, as well as installs itself at Windows startup.
    It then creates the following files on the affected hosts:
    C:\Documents and Settings\User\Application Data\dbgbshes\habeegeg.exe
    C:\DOCUME~1\User\LOCALS~1\Temp\IMG.JPEG.exe
    C:\WINDOWS\Registration\R000000000007.clb
    C:\WINDOWS\system32\wbem\wbemdisp.TLB ...
    It then phones back to the following C&C server:
    hxxp ://85.143.166.158 /fexco/com/index.php ..."
    * https://www.virustotal.com/en/file/a...8678/analysis/
    File name: IMG 9857648740.JPEG.exe
    Detection ratio: 29/47
    Analysis date: 2013-05-29

    - http://centralops.net/co/DomainDossier.aspx
    85.143.166.158
    canonical name webcluster.oversun.clodo .ru.
    addresses 62.76.181.230 * 62.76.181.229
    inetnum: 85.143.164.0 - 85.143.167.255
    descr: 192012, St.Petersburg
    country: RU
    ___

    Medfos sites to block 31/5/13
    - http://blog.dynamoo.com/2013/05/medf...ock-31513.html
    31 May 2013 - "The following domains and IPs are currently being used as C&C servers by the Medfos family of trojans* (this** one*** in particular):
    ...
    The domains listed are used in conjunction with hundreds of subdomains. Blocking the main domain will be the best approach, else the ones that I have been able to determine are listed here****."
    * http://www.microsoft.com/security/po...Win32%2fMedfos

    ** https://www.virustotal.com/en/file/9...b399/analysis/

    *** http://www.threatexpert.com/report.a...21cabf331d1e39

    **** http://pastebin.com/L9UuMAC7
    ___

    USSR old domain name attracts cybercriminals
    - https://www.nytimes.com/aponline/201...ker-haven.html
    May 31, 2013 AP - "... the .su Internet suffix assigned to the USSR in 1990 has turned into a haven for hackers who've flocked to the defunct superpower's domain space to send spam and steal money... other obscure areas of the Internet, such as the .tk domain associated with the South Pacific territory of Tokelau, have been used by opportunistic hackers... The most notorious site was Exposed .su, which purportedly published credit records belonging to President Barack Obama's wife, Michelle, Republican presidential challengers Mitt Romney and Donald Trump, and celebrities including Britney Spears, Jay Z, Beyonce and Tiger Woods. The site is now defunct. Other Soviet sites are used to control botnets — the name given to the networks of hijacked computers used by criminals to empty bank accounts, crank out spam, or launch attacks against rival websites. Internet hosting companies generally eliminate such sites as soon as they're identified. But Swiss security researcher Roman Huessy, whose abuse.ch blog* tracks botnet control sites, said hackers based in Soviet cyberspace can operate with impunity for months at a time. Asked for examples, he rattled off a series of sites actively involved in ransacking bank accounts or holding hard drives hostage in return for ransom — brazenly working in the online equivalent of broad daylight..."

    * https://www.abuse.ch/?p=3581

    Last edited by AplusWebMaster; 2013-05-31 at 19:06.
