FYI...
Something evil on 50.116.28.24
- http://blog.dynamoo.com/2013/05/some...501162824.html
19 May 2013 - "50.116.28.24 (Linode, US) is hosting the callback servers for some Mac malware as mentioned here* and here** plus some other suspect sites. I would advise that you assume that -all- domains hosted on this IP are malicious..."
(More detail at the dynamoo URL above.)
* http://www.f-secure.com/weblog/archives/00002554.html
** http://forums.macrumors.com/showthread.php?t=1583233
___
Wells Fargo Credentials Phish
- http://threattrack.tumblr.com/post/5...dentials-phish
20 May 2013 - "Subjects Seen:
Account Update
Typical e-mail details:
In order to safeguard your account, we require that you confirm your details.
To help speed up this process, please access the following link so we can complete the verification of your Wells Fargo information details.
To get started, visit the link below:
Wells Fargo Online Confirmation
Malicious URLs
update.id5027-wellsfargo .com/index.php?id=586616
Screenshot: https://gs1.wac.edgecastcdn.net/8019...Vzo1qz4rgp.png
___
Malicious Invoice Attachment Spam
- http://threattrack.tumblr.com/post/5...ttachment-spam
20 May 2013 - "Subjects Seen:
invoice copy
Typical e-mail details:
Kindly open to see export License and payment invoice attached,
meanwhile we sent the balance payment yesterday.
Please confirm if it has settled in your account or you can call if
there is any problem.
Thanks
Karen parker
Spam contains malicious attachment.
Screenshot: https://gs1.wac.edgecastcdn.net/8019...1qo1qz4rgp.png
___
Chase Bank Credentials Phish
- http://threattrack.tumblr.com/post/5...dentials-phish
20 May 2013 - "Subjects Seen:
Billing Code:[removed]
Typical e-mail details:
During regularly scheduled account maintenance and verification procedures, we have detected a slight error in your billing information.
This might be due to either of the following reasons:
1. A recent change in your personal information ( i.e. change of address).
2. Submitting invalid information during the initial sign up process.
3. An inability to accurately verify your selected option of payment due to an internal error within our processors.
Click on the guide-link below and follow the directions or please call our Online Helpdesk.
Regards,
Chase Online
Billing Department
Thanks for your co-operation.
Malicious URLs
goodnickfitness .com.au/hnav.html
diamondtek .cl/diamondtek .cl/http/online.chaseonline1/com/logon.html
Screenshot: https://gs1.wac.edgecastcdn.net/8019...itt1qz4rgp.png
___
Blackhole Spam Run evades detection using Punycode
- http://blog.trendmicro.com/trendlabs...sing-punycode/
May 20, 2013 - "... we have seen a slew of spam crafted as a notice from the popular retail chain Walmart. However, this spam run offers something different.
> http://blog.trendmicro.com/trendlabs...EK-walmart.jpg
... some of the URLs lead to Cyrillic domain names. These domains were translated into the English alphabet through punycode. Punycode* is a way to convert Unicode characters into a smaller character set. URLs in punycode have to be decoded first in order to see their original format. The use of international domain names (IDNs) can pose additional security risks to users. Users can be redirected to a phishing page that appears to have the same URL as a legitimate site. IDNs also allow spammers to create more spam domains not limited to English characters. This can make blocking malicious sites more difficult. This technique is not new, but seeing punycode used in a BHEK email campaign is unusual. Users who click the links are redirected to several sites, until they are led to the site hosting a malware (detected as TROJ_PIDIEF.SMXY), which exploits a in Adobe Reader and Acrobat (CVE-2009-0924) to download and execute other malware onto the vulnerable system. This attempt at evading detection is not surprising, given how 2013 is shaping up to be the year of refining existing tools. In our 1Q 2013 Security Roundup, we already noticed how dated threats like Asprox and banking Trojans like CARBERP were returning to the scene with new and improved features. We can expect this trend to continue this year, though new threats can always appear anytime soon..."
* http://www.ietf.org/rfc/rfc3492.txt
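As an added example (not code from the Trend Micro post or from this thread), the Python script below decodes punycode ("xn--") hostnames in URLs back to Unicode and flags hosts that are all-Cyrillic or that mix scripts inside one label, which is the kind of check a mail filter can run before matching a URL against a blocklist. It uses only the standard library (the built-in IDNA 2003 codec); the sample URLs are constructed for the demo.

```python
import unicodedata
from urllib.parse import urlsplit


def decode_host(host):
    """Turn an ASCII (punycode) hostname into its Unicode form.

    Python's idna codec decodes each xn-- label and verifies that
    re-encoding it gives the same label, so a malformed label raises."""
    return host.encode("ascii").decode("idna")


def letter_scripts(label):
    """Rough script set of a label's letters, taken from the first word of
    each character's Unicode name (LATIN, CYRILLIC, GREEK, ...)."""
    return {unicodedata.name(c, "UNKNOWN").split()[0] for c in label if c.isalpha()}


def analyze(url):
    """Report whether a URL's host is an IDN, which scripts it uses and
    whether any single label mixes scripts (a homograph warning sign)."""
    host = urlsplit(url).hostname or ""
    unicode_host = decode_host(host)
    labels = unicode_host.split(".")
    scripts = set()
    for lbl in labels:
        scripts |= letter_scripts(lbl)
    return {
        "ascii_host": host,
        "unicode_host": unicode_host,
        "is_idn": host.lower() != unicode_host.lower(),
        "scripts": scripts,
        "mixed_script_label": any(len(letter_scripts(lbl)) > 1 for lbl in labels),
    }


# Constructed sample URLs; .example is a reserved test domain.
SAMPLE_URLS = [
    "http://walmart.example/order/12345",        # plain ASCII host
    "http://xn--bcher-kva.example/login",        # bücher.example (Latin with diacritic)
    "http://xn--80adxhks.xn--p1ai/promo",        # москва.рф (all Cyrillic)
    # Latin 'walmart' with a Cyrillic 'а' (U+0430) in place of the Latin 'a'
    "http://" + "wаlmart.example".encode("idna").decode("ascii") + "/x",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        r = analyze(u)
        flag = "MIXED" if r["mixed_script_label"] else ("IDN" if r["is_idn"] else "ok")
        print(f"{flag:5} {r['ascii_host']:32} -> {r['unicode_host']} {sorted(r['scripts'])}")
```

The script-mixing check is deliberately coarse (one script per label is the normal case for legitimate IDNs); a production filter would also compare the decoded host against a list of protected brand names.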