
Thread: SPAM frauds, fakes, and other MALWARE deliveries...

  1. #211
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Something evil on 85.214.64.153

    FYI...

    Something evil on 85.214.64.153
    - http://blog.dynamoo.com/2013/06/some...521464153.html
    17 June 2013 - "85.214.64.153 is an IP belonging to Strato AG in Germany, it appears to host some legitimate sites but the server seems to be serving up the Neutrino exploit kit (example*) which is being injected into -hacked- websites (specifically, malicious code is being appended to legitimate .js files on those sites)... Dynamic DNS domains are being abused in this attack... These sites are mostly flagged as malicious by Google, you can see some indicators of badness here** and here***..."
    (More detail at the dynamoo URL above.)
    * http://urlquery.net/report.php?id=3112582

    ** https://www.virustotal.com/en/ip-add...3/information/

    *** http://urlquery.net/search.php?q=85....3-06-17&max=50

    Diagnostic page for AS6724 (STRATO)
    - https://www.google.com/safebrowsing/...c?site=AS:6724
    "... over the past 90 days, 7173 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2013-06-17, and the last time suspicious content was found was on 2013-06-17... we found 909 site(s) on this network... that appeared to function as intermediaries for the infection of 7496 other site(s)... We found 1434 site(s)... that infected 14549 other site(s)..."
    ___

    Account takeover attempts nearly double ...
    - https://net-security.org/secworld.php?id=15077
    17 June 2013 - "ThreatMetrix* announced its Cybercrime Index, a series of Web fraud data aggregated from 1,500 customers, 9,000 websites and more than 1.7 billion cyber events. In a recent six-month snapshot ending March 31, ThreatMetrix determined that attacks on new account registrations using spoofed and synthetic identities saw the highest rate of attacks followed by account logins and payment fraud...
    > http://www.threatmetrix.com/wp-conte...me-Index1.jpeg
    Based on data taken from October 2012 through March 2013, they saw account takeover attempts nearly double (168%). These types of attacks have traditionally focused on banking and brokerage sites, but have recently escalated across e-commerce sites that store credit card details and SaaS companies that hold valuable customer data that do not yet have the heightened level of protection as banking sites..."
    * http://www.threatmetrix.com/threatme...over-6-months/
    ___

    Rogue ads target EU users - Win32/Toolbar.SearchSuite through the KingTranslate PUA
    - http://blog.webroot.com/2013/06/17/r...translate-pua/
    June 17, 2013 - "... Tens of thousands of socially engineered European ads, who continue getting exposed to the rogue ads served through Yieldmanager’s network, are promoting more Potentially Unwanted Applications (PUAs) courtesy of Bandoo Media Inc and their subsidiary Koyote-Lab Inc...
    Sample screenshots of the rogue KingTranslate PUA landing/download page:
    1) https://webrootblog.files.wordpress....ng?w=659&h=496
    2) https://webrootblog.files.wordpress....ng?w=592&h=550
    ... Rogue URL: kingtranslate .com – 109.201.151.95
    Detection rate for the PUA: KingTranslateSetup-r133-n-bc.exe – MD5: 51d98879782d176ababcd8d47050f89f * ... Win32/Toolbar.SearchSuite...
    We advise users to avoid using this application and to consider other free, legitimate translation services such as, for instance, Google Translate or Bing’s Translator."
    * https://www.virustotal.com/en/file/3...7d00/analysis/
    File name: KingTranslateSetup-r120-n-bu.exe
    Detection ratio: 3/46
    Analysis date: 2013-06-16
    ___

    Dun & Bradstreet Complaint Spam
    - http://threattrack.tumblr.com/post/5...complaint-spam
    June 17, 2013 - "Subjects Seen:
    FW : Complaint - [removed]
    Typical e-mail details:
    Dun & Bradstreet has received the above-referenced complaint from one of your customers regarding their dealings with you. The details of the consumer’s concern are included on the reverse. Please review this matter and advise us of your position.
    In the interest of time and good customer relations, please provide the DnB with written verification of your position in this matter by June 28, 2013. Your prompt response will allow DnB to be of service to you and your customer in reaching a mutually agreeable resolution. Please inform us if you have contacted your customer directly and already resolved this matter.
    The Dun & Bradstreet develops and maintains Reliability Reports on companies across the United States and Canada . This information is available to the public and is frequently used by potential customers. Your cooperation in responding to this complaint becomes a permanent part of your file with the Better Business Bureau. Failure to promptly give attention to this matter may be reflected in the report we give to consumers about your company.
    We encourage you to print this complaint (attached file), answer the questions and respond to us.
    We look forward to your prompt attention to this matter.


    Malicious URLs


    Malicious File Name and MD5:
    Case_<random>.zip (3001dc82f5cb98b60326e7f8490488cf)
    Case_<random>.exe (9c862af9a540563488cdc1c61b9ef5f8)

    Screenshot: https://gs1.wac.edgecastcdn.net/8019...osN1qz4rgp.png
    ___

    Fake NewEgg .com SPAM / profurnituree .com
    - http://blog.dynamoo.com/2013/06/newe...itureecom.html
    17 June 2013 - "This fake NewEgg .com spam leads to malware on profurnituree .com:
    Date: Mon, 17 Jun 2013 20:09:35 +0300 [13:09:35 EDT]
    From: Newegg Auto-Notification [indeedskahu02 @services.neweg .com]
    Subject: Newegg.com - Payment Charged ...


    Screenshot: https://lh3.ggpht.com/-aC2D_mxMnTE/U...00/newegg3.png

    The link goes through a legitimate -hacked- site and ends up on a malware landing page at [donotclick]profurnituree .com/news/posts_applied_deem.php (report here*) although the payload appears to be 404ing (I wouldn't trust that though). The domain is hosted on the following IPs:
    124.232.165.112 (China Telecom, China)
    186.215.126.52 (Global Village Telecom, Brazil)
    190.93.23.10 (Greendot, Trinidad and Tobago)
    202.147.169.211 (LINKdotNET Telecom Limited, Pakistan)
    The domain registration details are fake... Below is a partial blocklist which I recommend you use in conjunction with this list.
    124.232.165.112
    186.215.126.52
    190.93.23.10
    202.147.169.211
    ..."
    * http://urlquery.net/report.php?id=3180371

    Last edited by AplusWebMaster; 2013-06-17 at 21:58.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #212

    Fake UPS, Wells Fargo SPAM...

    FYI...

    Fake UPS SPAM / rmacstolp .net
    - http://blog.dynamoo.com/2013/06/ups-...cstolpnet.html
    18 June 2013 - "This fake UPS spam leads to malware on rmacstolp .net:
    Date: Tue, 18 Jun 2013 01:21:34 -0800 [05:21:34 EDT]
    From: UPSBillingCenter @upsmail .net
    Subject: Your UPS Invoice is Ready
    UPS Billing Center
    This is an automatically generated email. Please do not reply to this email address.
    Dear UPS Customer,
    Thank you for your business.
    New invoice(s) are available for the consolidated payment plan(s) / account(s) enrolled in the UPS Billing Center.
    Please visit the UPS Billing Center to view your paid invoice.
    Questions about your charges? To get a better understanding of surcharges on your invoice, click here.
    Discover more about UPS:
    Visit ups .com
    Explore UPS Freight Services
    Learn About UPS Companies
    Sign Up For Additional Email From UPS
    Read Compass Online
    © 2013 United Parcel Service of America, Inc. UPS, the UPS brandmark, and the color brown are trademarks of United Parcel Service of America, Inc. All rights reserved.
    For more information on UPS's privacy practices, refer to the UPS Privacy Policy.
    Please do not reply directly to this e-mail. UPS will not receive any reply message.
    For questions or comments, visit Contact UPS.
    This communication contains proprietary information and may be confidential. If you are not the intended recipient, the reading, copying, disclosure or other use of the contents of this e-mail is strictly prohibited and you are instructed to please delete this e-mail immediately.
    Privacy Policy
    Contact UPS


    The link in the email goes through a legitimate -hacked- site but then ends up on a malicious payload at [donotclick]rmacstolp .net/news/fishs_grands.php (report here* and here**). The payload appears to be the Blackhole Exploit kit, but the site seems to be either not working or (more likely) is being resistant to analysis. If not called properly, the malware appears to serve up random payload pages.. I think they may be fake ones to evade detection. Here are some of them:
    rmacstolp .net is hosted on the following IPs:
    186.215.126.52 (Global Village Telecom, Brazil)
    190.93.23.10 (Greendot, Trinidad and Tobago)
    193.254.231.51 (Universitatea Transilvania Brasov, Romania)
    202.147.169.211 (LINKdotNET Telecom Limited, Pakistan)
    Recommended blocklist:
    186.215.126.52
    190.93.23.10
    193.254.231.51
    202.147.169.211
    ..."
    * http://wepawet.iseclab.org/view.php?...562967&type=js

    ** http://urlquery.net/report.php?id=3197446
    ___

    Fake - Wells Fargo attachment Spam
    - http://threattrack.tumblr.com/post/5...ttachment-spam
    June 18, 2013 - "Subjects Seen:
    IMPORTANT Documents- WellsFargo
    Typical e-mail details:
    Please check attached documents.
    Chuck_Vega
    Wells Fargo Advisors
    817-889-5857 office
    817-353-6685 cell Chuck_Vega @wellsfargo.com
    ATTENTION: THIS E-MAIL MAY BE AN ADVERTISEMENT OR SOLICITATION FOR PRODUCTS AND SERVICES.
    To unsubscribe from marketing e-mails from:
    · An individual Wells Fargo Advisors financial advisor: Reply to one of his/her e-mails and type “Unsubscribe” in the subject line.
    · Wells Fargo and its affiliates: Unsubscribe at wellsfargoadvisors.com/unsubscribe.
    Neither of these actions will affect delivery of important service messages regarding your accounts that we may need to send you or preferences you may have previously set for other e-mail services.
    For additional information regarding our electronic communication policies, visit wellsfargoadvisors .com/disclosures/email-disclosure.html .
    Investments in securities and insurance products are:
    NOT FDIC-INSURED/NO BANK-GUARANTEES/MAY LOSE VALUE
    Wells Fargo Advisors, LLC is a nonbank affiliate of Wells Fargo & Company, Member FINRA/SIPC. 1 North Jefferson, St. Louis, MO 63103


    Malicious URLs


    Malicious File Name and MD5:
    WellsFargo_<random>.zip (3001dc82f5cb98b60326e7f8490488cf)
    WellsFargo_<random>.exe (3c671b9f969a7ba0a9d9b532840c4ea2)

    Screenshot: https://gs1.wac.edgecastcdn.net/8019...lxa1qz4rgp.png

    Last edited by AplusWebMaster; 2013-06-18 at 19:15.

  3. #213

    Something evil on 205.234.139.169

    FYI...

    Something evil on 205.234.139.169
    - http://blog.dynamoo.com/2013/06/some...234139169.html
    19 June 2013 - "205.234.139.169 (Hostforweb, US) appears to be hosting a bunch of Java exploits being served up on subdomains of hacked GoDaddy domains. The malware looks like it is being served up in some sort of injection attack. Here are some example URLs of badness:
    [donotclick]blog2.stefuraassociatesinc .com:6842/ServerAdministrator/keys/pairs/applet.jnlp
    [donotclick]blog2.stefuraassociatesinc .com:6842/ServerAdministrator/keys/pairs/contact.php
    [donotclick]blog2.stefuraassociatesinc .com:6842/ServerAdministrator/keys/pairs/xXsdYVRQe.class
    [donotclick]blog2.stefuraassociatesinc .com:6842/ServerAdministrator/keys/pairs/xXsdYVRQe/class.class
    [donotclick]blog2.stefuraassociatesinc .com:6842/ServerAdministrator/keys/pairs/jfygZbFu
    URLquery* and VirusTotal** are not very conclusive, but if it walks like a duck and quacks like a duck.. well, you know the rest.
    The following domains appear to be hosted on the server. You should assume that they are all malicious, ones already flagged by Google ..."
    (More detail at the dynamoo URL above.)
    * http://urlquery.net/search.php?q=205...3-06-19&max=50

    ** https://www.virustotal.com/en/ip-add...9/information/
    ___

    Fake HP Digital Device Spam
    - http://threattrack.tumblr.com/post/5...al-device-spam
    June 19, 2013 - "Subjects Seen:
    Scanned Copy
    Typical e-mail details:
    Please open the attached document. This document was digitally sent to you using an HP Digital Sending device.
    To view this document you need to use the Adobe Acrobat Reader.


    Malicious URLs


    Malicious File Name and MD5:
    HP_Scan_<random>.zip (d17aab950060319ea41b038638375268)
    HP_Scan_<random>.exe (eab3a43d077661ca1c9549df49477ddb)

    Screenshot: https://gs1.wac.edgecastcdn.net/8019...dIV1qz4rgp.png

    HP Spam / HP_Scan_06292013_398.zip FAIL
    - http://blog.dynamoo.com/2013/06/hp-s...8zip-fail.html
    June 19, 2013 - "I've been seeing these spams for a couple of days now..
    Date: Wed, 19 Jun 2013 09:39:27 -0500 [10:39:27 EDT]
    From: HP Digital Device [HP.Digital0 @victimdomain ]
    Subject: Scanned Copy
    Please open the attached document. This document was digitally sent to you using an HP Digital Sending device.
    To view this document you need to use the Adobe Acrobat Reader...


    There is an attachment called HP_Scan_06292013_398.zip. Obviously this is an attempt to deliver malware.. but the attachment is too small to have a payload. Initially I thought that it was some random part of somebody's security infrastructure stripping it off until I got a really clean copy.. and the ZIP file was just 8 bytes:
    12 BA E8 AC 16 AC 7B AE
    Another sample version looks like this, with just 6 bytes:
    12 BA E8 AC 16 AC
    Googling for 12BAE8AC16AC or 12BAE8AC16AC7BAE gets nothing at all (well, except it will now I've blogged about it)..."
    ___

    65+ websites compromised to deliver malvertising
    - https://net-security.org/malware_news.php?id=2519
    June 19, 2013 - "At least 65 different sites serving ads that ultimately led to malware have been spotted by Zscaler researchers*. The massive malvertising campaign started with injected code into the ads served on the sites, and were delivered from several domains, all resolving to the following IP address: 89.45.14.87... The compromised sites were an assortment of random small and medium-sized sites, and among them was the official site for Government Security News..."
    * http://research.zscaler.com/2013/06/...vertising.html
    June 18, 2013 - "On Monday, Government Security News (GSN), reported that their website had been compromised during a mass infection. While in the case of the GSN infection, the injected content was delivered from googlecodehosting.com, we have determined that the same content was also delivered from googlecodehosting.org and googlecodehosting.net, all of which resolve to 89.45.14.87 and are now offline. In reviewing our logs for sites with the aforementioned referrers, indicating that they too were/are compromised, we have thus far identified 65 different sites... Referers for the GSN site appeared as early as Jun 14th, suggesting that the site was likely compromised for a couple of days before they became aware of the situation and took steps to clean the site..."

    Last edited by AplusWebMaster; 2013-06-19 at 21:33.
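    The 8-byte "ZIP" in the HP spam above cannot be an archive at all: a real ZIP starts with a PK local-file-header or, if empty, with the 22-byte end-of-central-directory record. The check below is an added example (not from the post or the dynamoo blog) that a mail gateway or triage script can apply to any attachment claiming to be a ZIP; the sample bytes are constructed from the two hex dumps quoted in the post.

```python
"""Sanity-check an e-mail attachment that claims to be a ZIP archive."""
import io
import struct
import zipfile

LOCAL_FILE_HEADER = b"PK\x03\x04"   # first bytes of any archive with entries
EOCD = b"PK\x05\x06"                # end-of-central-directory signature
EOCD_MIN_LEN = 22                   # an empty archive is exactly one EOCD record

# Constructed from the bytes quoted in the post (8-byte and 6-byte variants).
SAMPLE_8 = bytes.fromhex("12BAE8AC16AC7BAE")
SAMPLE_6 = bytes.fromhex("12BAE8AC16AC")


def build_empty_zip() -> bytes:
    """A minimal valid empty ZIP (EOCD only), used as the positive control."""
    # disk no, CD disk, entries on disk, total entries, CD size, CD offset, comment len
    return EOCD + struct.pack("<HHHHIIH", 0, 0, 0, 0, 0, 0, 0)


def classify_zip(data: bytes) -> str:
    """Return 'ok' for a plausible ZIP, otherwise a short reason it cannot be one."""
    if len(data) < EOCD_MIN_LEN:
        return f"too short: {len(data)} bytes, minimum ZIP is {EOCD_MIN_LEN}"
    if data.startswith(LOCAL_FILE_HEADER):
        return "ok"
    if data.startswith(EOCD):
        return "ok (empty archive)"
    return f"bad magic: {data[:4].hex()} is not a PK signature"


def looks_like_zip(data: bytes) -> bool:
    """Second opinion from the standard library's own EOCD search."""
    return zipfile.is_zipfile(io.BytesIO(data))


if __name__ == "__main__":
    for label, blob in (("8-byte sample", SAMPLE_8),
                        ("6-byte sample", SAMPLE_6),
                        ("empty archive", build_empty_zip())):
        print(f"{label}: {classify_zip(blob)}; zipfile agrees={looks_like_zip(blob)}")
```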

  4. #214

    Linkedin DNS Hijack, Fake ADP, WalMart Spam...

    FYI...

    Linkedin DNS Hijack
    - https://isc.sans.edu/diary.html?storyid=16037
    Last Updated: 2013-06-20 - "LinkedIn had its DNS "hijacked". There are no details right now, but often this is the result of an attacker compromising the account used to manage DNS servers... so far, no details are available so this could be just a simple misconfiguration. The issue has been resolved, but if LinkedIn is "down" for you, or if it points to a different site, then you should flush your DNS cache. It does not appear that Linkedin uses DNSSEC (which may not have helped if the registrar account was compromised). Your best bet to make sure you connect to the correct site is SSL... "owning" the domain may allow the attacker to create a new certificate rather quickly... other sites are affected as well... The fact that multiple sites' NS records are affected implies that this may not be a simple compromised registrar account... According to:
    - http://blog.escanav.com/2013/06/20/dns-hijack/ , the bad IP address is 204.11.56.17* ..."

    Diagnostic page for AS40034 (CONFLUENCE)
    * https://www.google.com/safebrowsing/...?site=AS:40034
    "... over the past 90 days, 413 site(s).. served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2013-06-20, and the last time suspicious content was found was on 2013-06-20... we found 45 site(s) on this network... that appeared to function as intermediaries for the infection of 82 other site(s)... We found 347 site(s)... that infected 4358 other site(s)..."

    - http://technet.microsoft.com/en-us/l...=WS.10%29.aspx
    "... Open Command Prompt. Type: ipconfig /flushdns ..."

    - https://atlas.arbor.net/briefs/
    Elevated Severity
    June 20, 2013
    An emergent issue involving what's been called "domain hijacking" has taken place involving a number of prominent web properties. Some concern has been expressed that the problem may be part of an attack campaign, despite statements to the contrary.
    Analysis: Any type of traffic headed towards any web property that is pointing to an unexpected location - due to a DNS hijack, a hosts file hijack, man-in-the-middle, man-in-the-browser, phishing, pharming, or whatever other technique - carries some risk of delivering sensitive information, credentials, mail contents, or other data to an unexpected party, that may be malicious. Indicators suggest that some type of error was involved in this incident, however there are larger concerns at play that will likely emerge in a more widespread manner in the near future.
    Source: http://isc.sans.edu/diary/Linkedin+DNS+Hijack/16037
    ___

    Fake ADP SPAM / planete-meuble-pikin .com
    - http://blog.dynamoo.com/2013/06/adp-...-pikincom.html
    20 June 2013 - "This fake ADP spam leads to malware on planete-meuble-pikin .com:
    Date: Thu, 20 Jun 2013 07:12:28 -0600
    From: EasyNetDoNotReply @clients.adpmail .org
    Subject: ADP EasyNet: Bank Account Change Alert
    Dear Valued ADP Client,
    As part of ADP's commitment to provide you with exceptional service, ADP is taking additional steps to ensure that your payroll data is secure. Therefore, we are sending you this e-mail as a security precaution to confirm that you have added or changed a bank account for the following employee(s) on your account:
    ** Dominic Johnson **
    ** Ayden Campbell **
    Use this links to: Review or Decline this changes.
    If you have not made and authorized this bank account change, please contact your ADP Service Team immediately.
    This security precaution is another reason why so many businesses like yours choose ADP, the world's leading payroll provider for over 60 years, to handle their payroll.
    Sincerely,
    Your ADP Service Team
    This e-mail comes from an unattended mailbox. Please do not reply.


    The link in the email goes through a legitimate but -hacked- site and ends up on a malware landing page at [donotclick]planete-meuble-pikin .com/news/network-watching.php (report here*) hosted on:
    173.254.254.110 (Quadranet, US)
    190.93.23.10 (Greendot, Trinidad and Tobago)
    193.147.61.250 (Universidad Rey Juan Carlos, Spain)
    193.254.231.51 (Universitatea Transilvania Brasov, Romania)
    202.147.169.211 (LINKdotNET, Pakistan)
    Recommended blocklist:
    173.254.254.110
    190.93.23.10
    193.147.61.250
    193.254.231.51
    202.147.169.211
    ..."
    * http://urlquery.net/report.php?id=3236122

    - http://threattrack.tumblr.com/post/5...p-easynet-spam
    June 20, 2013 - "Subjects Seen:
    ADP EasyNet: Bank Account Change Alert
    Typical e-mail details:
    Dear Valued ADP Client,
    As part of ADP’s commitment to provide you with exceptional service, ADP is taking additional steps to ensure that your payroll data is secure. Therefore, we are sending you this e-mail as a security precaution to confirm that you have added or changed a bank account for the following employee(s) on your account:
    [Removed]
    Use this links to: Review or Revert this changes.
    If you have not made and authorized this bank account change, please contact your ADP Service Team immediately.
    This security precaution is another reason why so many businesses like yours choose ADP, the world’s leading payroll provider for over 60 years, to handle their payroll.
    Sincerely,
    Your ADP Service Team


    Malicious URLs
    support.mega-f .ru/easynet.html?view_id=6L9IRMQH
    ssl.casalupitacafe .com/indication/occurred_sharing-blank.php
    ssl.casalupitacafe .com/indication/occurred_sharing-blank.php?jnlp=4248af38de
    ssl.casalupitacafe .com/indication/occurred_sharing-blank.php?otfjbgzd=mekpsr&lmbcq=snfip
    ssl.casalupitacafe .com/indication/occurred_sharing-blank.php?lf=1i:1f:32:33:2v&fe=1j:1h:1j:1n:2v:33:1i:1n:31:32&j=1f&fo=a&jb=m&jopa=5634202


    Screenshot: https://gs1.wac.edgecastcdn.net/8019...y9H1qz4rgp.png
    ___

    Fake QuickBooks Overdue Payment Spam
    - http://threattrack.tumblr.com/post/5...e-payment-spam
    20 June 2013 - "Subjects Seen:
    Please respond - overdue payment
    Typical e-mail details:
    Please find attached your invoices for the past months. Remit the payment by 06/25/2013 as outlines under our “Payment Terms” agreement.
    Thank you for your business,
    Sincerely,
    Ginger Mccall


    Malicious URLs


    Malicious File Name and MD5:
    <name>_Invoice.zip (eef2fd603a9412d3e5b99264d20a7155)
    <name>_Invoice.exe (eb362fe45a54707d5c796e36975e88a5)

    Screenshot: https://gs1.wac.edgecastcdn.net/8019...Vz51qz4rgp.png
    ___

    Fake WalMart Order Spam
    - http://threattrack.tumblr.com/post/5...com-order-spam
    June 19, 2013 - "Subjects Seen:
    Thanks for your Walmart.com Order [removed]
    Typical e-mail details:
    Thanks for ordering from Walmart.com. We’re currently processing your order.
    You’ll receive another email, with tracking information, when your order ships.
    If you’re paying by credit card or Bill Me Later®, your account will not be charged until your order ships.
    If you see a pending charge on your account prior to your items shipping, this is an authorization hold to ensure the funds are available.
    All other forms of payment are charged at the time the order is placed...


    Malicious URLs
    culinare .tv/wp-content/plugins/customize-admin/walmart.html
    ssl.beautysupplyeast .com/indication/primary-processor_cost.php
    ssl.beautysupplyeast .com/indication/primary-processor_cost.php?jnlp=4248af38de
    ssl.beautysupplyeast .com/indication/primary-processor_cost.php?ef=1i:1f:32:33:2v&le=1j:1h:1j:1n:2v:33:1i:1n:31:32&j=1f&ol=r&gq=m&jopa=4794157


    Screenshot: https://gs1.wac.edgecastcdn.net/8019...X111qz4rgp.png

    Last edited by AplusWebMaster; 2013-06-23 at 17:21.

  5. #215

    Flash spoof leads to infectious audio ads

    FYI...

    Flash spoof leads to infectious audio ads
    - http://blog.webroot.com/2013/06/21/a...ous-audio-ads/
    June 21, 2013 - "We’ve seen quite a few audio ads infecting users recently... As you can see in this first picture, this is another Adobe Flash spoof that launches its signature update window.
    > https://webrootblog.files.wordpress....ads1.jpg?w=869
    ... It doesn’t matter what option you check; once you click “NEXT” you’ll get this next window.
    > https://webrootblog.files.wordpress....ads2.jpg?w=869
    So far this seems completely official and harmless. It even takes its time progressing the loading bar. However, once you click “Finish” everything closes down and the computer reboots. The command force quits all applications so you won’t have time to save anything or cancel the shutdown. Once the computer reboots there is no final closing message from “Adobe”, but everything seems normal for a few minutes. After about three to five minutes the computer slows down to a crawl and Audio ads start playing in the background... The audio streams are not being run by an audio application or an internet browser session, but instead a hijacked “svchost.exe” that’s using 88.25% CPU. If we take a look at its network communication we find that it’s establishing and closing over a hundred different connections at once. This is why the audio ads aren’t coherent and are basically just multiple advertisement streams all at once which makes for quite an annoying sound... Software Modem and Utility Suite are the culprit. If you read the full command they are located in appdata and point to two randomly named DLLs called “qogrpr.dll” and “ntrti.dll”. This is extremely suspicious. All you need to do is delete the files in appdata and then remove the run keys from startup. The full registry key and directory location are below.
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    “qogrpr”=”\”C:\\Windows\\System32\\rundll32.exe\” \”C:\\Users\\”youruserfolder”\\AppData\\Roaming\\qogrpr.dll\”,GetGlobals”
    “ntrti”=”\”C:\\Windows\\System32\\rundll32.exe\” \”C:\\Users\\”youruserfolder”\\AppData\\Roaming\\ntrti.dll\”,NewMember”
    ... That’s it for this variant of the Audio ads. There are also other variants that use rootkits to infect the MBR..."

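    The two Run values quoted in the Webroot write-up above share a pattern worth checking for on any box: rundll32.exe loading a DLL out of AppData\Roaming by export name. The script below is an added example (not from the post or Webroot) that applies that rule to a .reg-style export of the HKCU Run key; the sample export is constructed from the two values in the post, with a placeholder user folder, plus one benign entry for contrast.

```python
"""Flag suspicious autostart entries in an exported HKCU ...\\Run key."""
import re

# Constructed sample: the two Run values from the post plus one benign entry.
SAMPLE_REG = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"qogrpr"="\"C:\\Windows\\System32\\rundll32.exe\" \"C:\\Users\\youruserfolder\\AppData\\Roaming\\qogrpr.dll\",GetGlobals"
"ntrti"="\"C:\\Windows\\System32\\rundll32.exe\" \"C:\\Users\\youruserfolder\\AppData\\Roaming\\ntrti.dll\",NewMember"
"OneDrive"="\"C:\\Users\\youruserfolder\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
'''

# One .reg value line: "name"="escaped string"
VALUE_RE = re.compile(r'^"([^"]+)"="((?:\\.|[^"\\])*)"$')
RUNDLL_RE = re.compile(r'\brundll32(\.exe)?\b', re.I)
# DLL path, optionally followed by ",ExportName" as rundll32 expects
DLL_RE = re.compile(r'([a-z]:\\[^",]*?\.dll)"?(?:,(\w+))?', re.I)
EXE_RE = re.compile(r'([a-z]:\\[^"]*?\.exe)', re.I)


def unescape_reg(s: str) -> str:
    """Undo .reg string escaping: \\\\ -> \\ and \\" -> \"."""
    return re.sub(r'\\(.)', r'\1', s)


def assess(command: str) -> dict:
    """Classify one Run command using the indicator from the post."""
    is_rundll = RUNDLL_RE.search(command) is not None
    m = DLL_RE.search(command)
    dll, export = (m.group(1), m.group(2)) if m else (None, None)
    dll_in_appdata = dll is not None and "\\appdata\\" in dll.lower()
    if is_rundll and dll_in_appdata:
        severity = "high"      # rundll32 + DLL under AppData: the post's pattern
    else:
        exe = EXE_RE.search(command)
        exe_in_appdata = exe is not None and "\\appdata\\" in exe.group(1).lower()
        severity = "review" if exe_in_appdata else "low"
    return {"dll": dll, "export": export, "severity": severity}


def scan_run_key(reg_text: str) -> list:
    """Parse a .reg export and return one finding per value."""
    findings, key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        command = unescape_reg(m.group(2))
        finding = {"key": key, "name": m.group(1), "command": command}
        finding.update(assess(command))
        findings.append(finding)
    return findings


def high_findings(reg_text: str) -> list:
    return [f for f in scan_run_key(reg_text) if f["severity"] == "high"]


if __name__ == "__main__":
    for f in scan_run_key(SAMPLE_REG):
        print(f'{f["severity"]:6} {f["name"]:10} dll={f["dll"]} export={f["export"]}')
```

On a live system the same text comes from `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg`; the parser assumes the default UTF-16 export has already been decoded.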

  6. #216

    Fake LexisNexis, Visa SPAM...

    FYI...

    Fake LexisNexis SPAM ...
    - http://blog.dynamoo.com/2013/06/lexi...spam-fail.html
    21 Jun 2013 - "This -fake- LexisNexis spam is meant to have a malicious attachment, but something has gone wrong. Nonetheless, the next time the spammers try it they will probably get it right.. so beware of any emails similar to this one.
    Date: Fri, 21 Jun 2013 10:48:12 -0700 [13:48:12 EDT]
    From: LexisNexis [einvoice.notification @lexisnexis .com]Book
    Subject: Invoice Notification for June 2013 ...


    Screenshot: https://lh3.ggpht.com/-O31Ed0UEqAk/U...lexisnexis.png

    ... Of note, the only link in the email goes to [donotclick]https ://server.nepplelaw .com/owa/redir.aspx?C=430ed6e3b59a4a69b2d5653797c3e3d6&URL=http%3a%2f%2fwww.adobe .com%2fproducts%2facrobat%2freadstep2.html which is the sort of thing that happens to a URL when it goes through Outlook Web Access, in this case it would be on the server server.nepplelaw .com ..."
    * https://www.virustotal.com/en/file/8...88bc/analysis/
    File name: LexisNexis_Invoice_06212013.zip
    Detection ratio: 15/47
    Analysis date: 2013-06-21
    ___

    "Unusual Visa card activity" SPAM / anygus .com
    - http://blog.dynamoo.com/2013/06/unus...vity-spam.html
    21 Jun 2013 - "... this FAIL of a Visa spam leads to malware on anygus .com. Note the bits in {braces} that should have content..
    From: Visa Anti-Fraud [upbringingve @visabusiness .com]
    Date: 21 June 2013 17:36
    Subject: Unusual Visa card activity
    we {l1} detected {l2} activity in your business visa account.
    please click here to view {l4}
    your case id is: {symbol}{dig}
    look for unexpected charges or questionable activity, and if you see anything suspicious,don't wait to act.
    this added security is to prevent any additional fraudulent charges from taking place on your account.
    notice: this visa communication is furnished to you solely in your capacity as a customer of visa inc. (or its authorized agent) or a participant in the visa payments system. by accepting this visa communication, you acknowledge that the information contained herein (the "information") is confidential and subject to the confidentiality restrictions contained in visa's operating regulations, which limit your use of the information. you agree to keep the information confidential and not to use the information for any purpose other than in your capacity as a customer of visa inc. or a participant in the visa payments system. the information may only be disseminated within your organization on a need-to-know basis to enable your participation in the visa payments system.
    please be advised that the information may constitute material nonpublic information under u.s. federal securities laws and that purchasing or selling securities of visa inc. while being aware of material nonpublic information would constitute a violation of applicable u.s. federal securities laws. this information may change from time to time. please contact your visa representative to verify current information. visa is not responsible for errors in this publication. the visa non-disclosure agreement can be obtained from your visa account manager or the nearest visa office.
    this message was sent to you by visa, p.o. box 8999, san francisco, ca 94128. please click here to unsubscribe.


    Despite the errors in the email it still ends up going through a -hacked- legitimate site to a Blackhole Exploit kit at [donotclick]anygus .com/news/fewer_tedious_mentioning.php (report here*) hosted on the following IPs:
    193.254.231.51 (Universitatea Transilvania Brasov, Romania)
    202.147.169.211 (LINKdotNET Telecom, Pakistan)
    Recommended blocklist:
    193.254.231.51
    202.147.169.211
    ..."
    * http://urlquery.net/report.php?id=3262435
    "... Detected BlackHole v2.0 exploit kit URL pattern ..."
    ___

    - http://tools.cisco.com/security/cent...utbreak.x?i=77
    Fake Product Purchase Email Messages - 2013 Jun 21
    Fake Claims Invoice Email Messages - 2013 Jun 21
    Fake Bill Payment Notification Email Messages - 2013 Jun 21
    Fake Christmas Greeting Email Messages - 2013 Jun 21
    Fake Bill Payment Request Email Messages - 2013 Jun 21
    Fake Payment Notification Email Messages - 2013 Jun 21
    Fake Portuguese Bank Deposit Delivery Notification Email Messages - 2013 Jun 21
    Malicious Attachment Email Messages - 2013 Jun 21
    Fake Xerox Scan Attachment Email Messages - 2013 Jun 21
    Fake German Invoice Delivery Email Messages - 2013 Jun 21
    (More detail and links at the cisco URL above.)

    Last edited by AplusWebMaster; 2013-06-23 at 16:51.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  7. #217
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Fake Facebook SPAM, PayPal Phish - more...

    FYI...

    Fake Facebook SPAM / chinadollars .net
    - http://blog.dynamoo.com/2013/06/face...ollarsnet.html
    24 June 2013 - "This fake Facebook spam leads to malware on chinadollars .net:
    Date: Mon, 24 Jun 2013 09:18:12 -0500
    From: Facebook [notification+SCCRJ42M8P @facebookmail .com]
    Subject: You have 1 friend request ...
    You have new notifications.
    A lot has happened on Facebook since you last logged in. Here are some notifications you've missed from your friends.
    1 friend request
    View Notifications
    Go to Facebook
    This message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future, please unsubscribe.
    Facebook, Inc., Attention: Department 415, PO Box 10005, Palo Alto, CA 94303


    The link in the email goes through a legitimate but -hacked- site and then leads to a malware landing page at [donotclick]chinadollars .net/news/inputted-ties.php (report here*) hosted on:
    119.147.137.31 (China Telecom, China)
    202.147.169.211 (LINKdotNET, Pakistan)
    203.80.17.155 (MYREN Cloud Infrastructure, Malaysia)
    210.42.103.141 (Wuhan Urban Construction Institute, China)
    Recommended blocklist:
    119.147.137.31
    202.147.169.211
    203.80.17.155
    210.42.103.141
    ..."
    * http://urlquery.net/report.php?id=3303350
    ___

    Fake Fiserv SPAM / SecureMessage_TBTATU41DMJDT5B.zip
    - http://blog.dynamoo.com/2013/06/fise...ification.html
    24 June 2013 - "This fake FISERV email has a malicious attachment SecureMessage_TBTATU41DMJDT5B.zip containing a trojan named SecureMessage.exe:
    Date: Mon, 24 Jun 2013 07:27:59 -0600 [09:27:59 EDT]
    From: Fiserv Secure Notification [secure.notification @fiserv .com]
    Subject: Fiserv Secure Email Notification - TBTATU41DMJDT5B
    Part(s):
    2 SecureMessage_TBTATU41DMJDT5B.zip [application/zip] 104 KB
    You have received a secure message
    Read your secure message by opening the attachment, SecureMessage_TBTATU41DMJDT5B.zip.
    The attached file contains the encrypted message that you have received.
    To decrypt the message use the following password - SUgDu07dn
    To read the encrypted message, complete the following steps:
    - Double-click the encrypted message file attachment to download the file to your computer.
    - Select whether to open the file or save it to your hard drive. Opening the file displays the attachment in a new browser window.
    - The message is password-protected, enter your password to open it.
    To access from a mobile device, forward this message to mobile @res .fiserv .com to receive a mobile login URL.
    If you have concerns about the validity of this message, please contact the sender directly. For questions about secure e-mail encryption service, please contact technical support at 888.710.6198.
    2000-2013 Fiserv Secure Systems, Inc. All rights reserved.


    Ask yourself this question: why would you encrypt a message and then put the password in the email? Simple.. to get past virus scanners, of course! The VirusTotal detection for this malware is just 8/46*.
    Other analysis is pending, the malware has the following checksums:
    Size 117248
    MD5 fdd154360854e2d9fee47a557b296519
    SHA1 d3de7f5514944807eadb641353ac9380f0c64607
    SHA256 1ef3302196f5c4cd9bf97c719e934d612a244a17a20f5a742c15d8203d477f59
    * https://www.virustotal.com/en/file/1...is/1372086208/
    File name: SecureMessage.exe
    Detection ratio: 8/46
    Analysis date: 2013-06-24

    - http://threattrack.tumblr.com/post/5...ttachment-spam
    24 June 2013 - "Subjects Seen:
    Please respond - overdue payment
    Typical e-mail details:
    You have received a secure message ...

    Screenshot: https://gs1.wac.edgecastcdn.net/8019...Z5Q1qz4rgp.png
    ___

    PayPal Credentials Phish
    - http://threattrack.tumblr.com/post/5...dentials-phish
    24 June 2013 - "Subjects Seen:
    Important Message
    Typical e-mail details:
    Dear PayPal Manager Customer,
    We regret to inform you that your merchant account has been locked.
    Te re-activate it please download the file attached to this e-mail and update your login information.


    Malicious URLs
    bellt .es/CSS/confirm.php


    Malicious File Name and MD5:
    vtextloginpage.html (06c12f594dc7a558510cb9d9c402ed8f)

    Screenshot: https://gs1.wac.edgecastcdn.net/8019...E4u1qz4rgp.png
    ___

    Rogue ‘Free Mozilla Firefox Download’ ads lead to ‘InstallCore’ PUA...
    - http://blog.webroot.com/2013/06/24/r...plication-pua/
    June 24, 2013 - "Our sensors continue detecting rogue ads that expose users to bogus propositions in an attempt to install privacy-invading Potentially Unwanted Applications (PUAs) on their PCs. The most recent campaign consists of a successful brand-jacking abuse of Mozilla’s Firefox browser, supposedly offered for free, while in reality, the rogue download manager entices users into installing multiple rogue toolbars, most commonly known as InstallCore...
    Sample screenshot of the landing page:
    > https://webrootblog.files.wordpress....ng?w=609&h=567
    Rogue download URL:
    hxxp ://www.ez-download .com/mozilla-firefox
    Detection rate for the Potentially Unwanted Application (PUA) – MD5: * ... Win32/InstallCore.BL; InstallCore (fs).
    The rogue sample is digitally signed by ‘Secure Installer’.
    Once executed, it phones back to:
    media.ez-download .com – 54.230.12.193
    os.downloadster2cdn .com – 54.245.235.34
    cdn.secureinstaller .com – 54.230.12.162
    img.downloadster2cdn .com – 199.58.87.151
    ...
    We advise users to avoid interacting with ads enticing them into downloading well known software applications, and to always visit their official Web sites in order to obtain the latest versions..."
    (More detail at the webroot URL above.)
    * https://www.virustotal.com/en/file/e...34b9/analysis/
    File name: Firefox_Setup_21.0.exe
    Detection ratio: 4/47
    Analysis date: 2013-06-21

    Last edited by AplusWebMaster; 2013-06-24 at 22:20.
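The Fiserv lure above ships the archive password in the same message as the "encrypted" zip, and the post says why: the scanner cannot open the archive, the recipient can. The Python below is an added example, not code from the post or from the blogs it quotes. It parses an RFC 822 message, reads the central directory of every .zip attachment (entry names and the encryption flag bit are stored in clear even in a password-protected archive, so the SecureMessage.exe inside stays visible without the password) and pairs an encrypted archive with a password handed over in the body. The build_zip and build_sample_email helpers construct the test input from the quoted wording; the placeholder sender address, the PASSWORD_RE pattern and the EXEC_EXTS list are assumptions of this example, not values from the page.

```python
import email
import io
import re
import struct
import zipfile
import zlib
from email import policy
from email.message import EmailMessage

# How the lure hands over the archive password ("...following password - SUgDu07dn");
# requiring separator plus whitespace keeps "password-protected" from matching. Assumption.
PASSWORD_RE = re.compile(r"\bpassword\b[^\n]{0,40}?[-:]\s+(\S+)", re.I)
EXEC_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs")  # assumption

# Constructed lure body, wording taken from the Fiserv sample quoted in the post.
LURE_BODY = (
    "You have received a secure message\n"
    "Read your secure message by opening the attachment, SecureMessage_TBTATU41DMJDT5B.zip.\n"
    "The attached file contains the encrypted message that you have received.\n"
    "To decrypt the message use the following password - SUgDu07dn\n"
    "- The message is password-protected, enter your password to open it.\n"
)


def build_zip(name: str, data: bytes, encrypted: bool) -> bytes:
    """Constructed sample: a minimal one-entry ZIP (method 'stored'). With
    encrypted=True only general-purpose flag bit 0 is set and the 12-byte
    traditional PKZIP header is prepended; nothing is really enciphered, which
    is enough because the check below keys on the flag, not on the ciphertext."""
    flag = 0x0001 if encrypted else 0x0000
    body = (b"\x00" * 12 if encrypted else b"") + data
    crc = zlib.crc32(data) & 0xFFFFFFFF
    fname = name.encode("ascii")
    dos_time, dos_date = 19325, 17112          # 2013-06-24 09:27:58, the sample's date
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flag, 0, dos_time, dos_date,
                        crc, len(body), len(data), len(fname), 0) + fname + body
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flag, 0, dos_time,
                          dos_date, crc, len(body), len(data), len(fname),
                          0, 0, 0, 0, 0, 0) + fname
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central), len(local), 0)
    return local + central + eocd


def inspect_zip(blob: bytes) -> dict:
    """Read the central directory only: entry names and flag bits are in clear
    even in a password-protected archive, so the .exe inside is visible
    without the password."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            infos = zf.infolist()
    except zipfile.BadZipFile:
        return {"valid": False, "encrypted": False, "executables": []}
    return {
        "valid": True,
        "encrypted": any(i.flag_bits & 0x1 for i in infos),
        "executables": [i.filename for i in infos if i.filename.lower().endswith(EXEC_EXTS)],
    }


def check_message(raw: bytes) -> dict:
    """Flag mail that ships a password-protected ZIP together with its password:
    the scanner cannot open the archive, the victim can."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    m = PASSWORD_RE.search(text)
    password = m.group(1) if m else None
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not name.lower().endswith(".zip"):
            continue
        info = inspect_zip(part.get_payload(decode=True) or b"")
        info["attachment"] = name
        info["password_in_body"] = password if info["encrypted"] else None
        findings.append(info)
    suspicious = any(f["encrypted"] and (f["password_in_body"] or f["executables"])
                     for f in findings)
    return {"suspicious": suspicious, "findings": findings}


def build_sample_email(zip_blob: bytes, filename: str, subject: str, body: str) -> bytes:
    """Constructed test mail; the sender is a placeholder, not the spoofed address."""
    msg = EmailMessage()
    msg["From"] = "Secure Notification <notification@sender.invalid>"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(zip_blob, maintype="application", subtype="zip", filename=filename)
    return msg.as_bytes()
```

A gateway would run check_message on each inbound message and quarantine on "suspicious". The 8/46 detection ratio quoted above is the reason to key on structure (encryption flag set, password in the body, executable entry name) rather than on a signature for the payload, which the scanner cannot read anyway.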

  8. #218
    Adviser Team AplusWebMaster's Avatar

    Fake Southwest Airlines SPAM, more...

    FYI...

    Fake Southwest Airlines SPAM / meynerlandislaw .net
    - http://blog.dynamoo.com/2013/06/sout...on-kqr101.html
    25 June 2013 - "This fake Southwest Airlines spam leads to malware on meynerlandislaw .net:
    from: Southwest Airlines [information @luv.southwest .com]
    reply-to: Southwest Airlines [no-reply@ emalsrv.southwestmail .com]
    date: 25 June 2013 17:09
    subject: Southwest Airlines Confirmation: KQR101
    [redacted] 2013-06-25 JACEE3 INITIAL SLC WN PHX0.00T/TFF 0.00 END AY2.50$SLC1.50 1583018870396 2013-12-22 1394 2013-06-26 Depart SALT LAKE CITY IL (SLC) at 10:14 PM on Southwest Airlines Arrive in PAOLO ALTO MI (PHX) at 1:30 PM
    You're all set for your travel!
    Southwest Airlines
    My Account | Review My Itinerary Online ...


    The link goes through a legitimate -hacked- site and ends up on a malicious payload at [donotclick]meynerlandislaw .net/news/possibility-redundant.php (report here*) hosted on the following IPs:
    119.147.137.31 (China Telecom, China)
    203.80.17.155 (MYREN, Malaysia)
    Recommended blocklist:
    119.147.137.31
    203.80.17.155
    ..."
    * http://urlquery.net/report.php?id=3323617
    "... Detected BlackHole v2.0 exploit kit URL pattern..."
    ___

    Something evil on 173.246.104.154
    - http://blog.dynamoo.com/2013/06/some...246104154.html
    24 June 2013 - "173.246.104.154 (Gandi, US) is hosting hacked GoDaddy domains serving a variety of malware [1] [2]..."
    [1] http://urlquery.net/search.php?q=173...3-06-24&max=50
    [2] https://www.virustotal.com/en/ip-add...4/information/

    Diagnostic page for AS29169 (GANDI)
    - https://www.google.com/safebrowsing/...?site=AS:29169
    "... over the past 90 days, 318 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2013-06-25, and the last time suspicious content was found was on 2013-06-25... Over the past 90 days, we found 24 site(s) on this network... that appeared to function as intermediaries for the infection of 103 other site(s)... this network has hosted sites that have distributed malicious software in the past 90 days. We found 153 site(s)... that infected 843 other site(s)..."
    ___

    FedEx Delivery Notification Spam
    - http://threattrack.tumblr.com/post/5...ification-spam
    June 25, 2013 - "Subjects Seen:
    Delivery Notification
    Delivery Notification ID#<random>

    Typical e-mail details:
    Dear Client,
    Your parcel has arrived at June 13. Courier was unable to deliver the parcel to you.
    To receive your parcel, print this label and go to the nearest office.


    Malicious URLs
    txwebsolutions .com/main.php?d_info=899_549892719
    ehagency .com/main.php?g_info=ss00_323
    eup-ecodesign .com/main.php?g_info=ss00_323
    roccoracingmotors .com/main.php?g_info=ss00_323
    bebmorena .com/main.php?g_info=ss00_323
    metrocomoptimist .org/img/info.php?g_info=ss00_323


    Malicious File Name and MD5:
    Shipment_Label.zip (a95ef37d4d992ac63cbb81e116Ca6d07)
    Shipment_Label.exe (fcd9314b644d86eee71cd67c44935fc8)

    Screenshot: https://gs1.wac.edgecastcdn.net/8019...owG1qz4rgp.png
    ___

    Fake ADP SPAM / spanishafair .com
    - http://blog.dynamoo.com/2013/06/adp-...hafaircom.html
    25 June 2013 - "This fake ADP spam leads to malware on spanishafair .com:
    Date: Tue, 25 Jun 2013 14:38:05 +0000 [10:38:05 EDT]
    From: Run Do Not Reply [RunDoNotReply @ipn.adp .net]
    Subject: Your Biweekly payroll is accepted
    Yoyr payroll for check date 06/25/2013 is approved. Your payroll would be done at least 3 days before to your check date to ensure timely tax deposits and payroll delivery. If you offer direct deposit to your employees, this will also support pay down their money by the due date.
    Client ID: [redacted]
    View Details: Review
    Important: Please be advised that calls to and from your payroll service team may be monitored or recorded.
    Please do not reply to this message. auto informer system not configured to accept incoming messages.


    The malicious payload is at [donotclick]spanishafair .com/news/possibility-redundant.php hosted on:
    119.147.137.31 (China Telecom, China)
    210.42.103.141 (Wuhan Urban Construction Institute, China)
    203.80.17.155 (MYREN Cloud Infrastructure, Malaysia)
    Related evil domains and IP addresses to block can be found here* and here**."
    * http://blog.dynamoo.com/2013/06/face...ollarsnet.html

    ** http://blog.dynamoo.com/2013/06/sout...on-kqr101.html
    ___

    Threat Outbreak Alerts
    - http://tools.cisco.com/security/cent...utbreak.x?i=77
    Fake Bill Payment Notification Email Messages - 2013 Jun 25
    Malicious Personal Pictures Attachment Email Messages - 2013 Jun 25
    Fake Bank Deposit Confirmation Email Messages - 2013 Jun 25
    Fake Legal Contract Form Email Messages - 2013 Jun 25
    Fake Customer Complaint Attachment Email Messages - 2013 Jun 25
    Fake Mobile Phone Credit Notification Email Messages - 2013 Jun 25
    Fake Unpaid Debt Invoice Email Messages - 2013 Jun 25
    Email Messages with Malicious Attachments - 2013 Jun 25
    Fake Sample Product Purchase Order Email Messages - 2013 Jun 25
    Fake Bank Payment Transfer Notification Email Messages - 2013 Jun 25
    Fake Personal Photo Sharing Email Messages - 2013 Jun 25
    Fake Product Order Inquiry Email Messages - 2013 Jun 25
    Fake Authorization Letter Email Messages - 2013 Jun 25
    (More detail and links at the cisco URL above.)

    Last edited by AplusWebMaster; 2013-06-26 at 03:33.

  9. #219
    Adviser Team AplusWebMaster's Avatar

    Fake UPS, Xerox SPAM...

    FYI...

    Fake UPS Parcel Pickup Spam
    - http://threattrack.tumblr.com/post/5...el-pickup-spam
    June 26, 2013 - "Subjects Seen:
    UPS - Your package is available for pickup ( Parcel <random> )
    Typical e-mail details:
    The courier company was not able to deliver your parcel by your address.
    Cause: Error in shipping address.
    You may pickup the parcel at our post office.
    Please attention!
    For mode details and shipping label please see the attached file.
    Print this label to get this package at our post office.
    Please do not reply to this e-mail, it is an unmonitored mailbox!
    Thank you,
    UPS Logistics Services.


    Malicious URLs
    nichebiznetwork .com/ponyb/gate.php
    watertreecapital .com/ponyb/gate.php
    attentivetodetails .com/ponyb/gate.php
    furnishedfloorplans .com/ponyb/gate.php
    casailtiglio .com/NY19N.exe
    casevacanzeversilia .com/9jW.exe
    72.52.164.246 /FDKwgvdt.exe
    scenografiesacs .com/mvNaxR.exe


    Malicious File Name and MD5:
    Label_<random>.zip (d17aab950060319ea41b038638375268)
    Label_<random>.exe (347cbf0c41a978e601b00d39928506aa)

    Screenshot: https://gs1.wac.edgecastcdn.net/8019...Z7e1qz4rgp.png
    ___

    Xerox WorkCentre Scan Spam
    - http://threattrack.tumblr.com/post/5...ntre-scan-spam
    June 26, 2013 - "Subjects Seen:
    Scanned Image from a Xerox WorkCentre
    Typical e-mail details:
    Tlease open the attached document. It was scanned and sent to you using a Xerox WorkCentre Pro.
    Sent by: [removed]
    Number of Images: 5
    Attachment File Type: ZIP [PDF]
    WorkCentre Pro Location: Machine location not set
    Device Name: [removed]
    Attached file is scanned image in PDF format.


    Malicious URLs
    attentivetodetails .com/ponyb/gate.php
    watertreecapital .com/ponyb/gate.php
    helisovertidewater .com/ponyb/gate.php
    mcqbuildersllc-1 .com/ponyb/gate.php
    casailtiglio .com/NY19N.exe
    ftp(DOT)vickibettger .com/oEoASW64.exe
    72.52.164.246 /FDKwgvdt.exe
    scenografiesacs .com/mvNaxR.exe


    Malicious File Name and MD5:
    Scan_<random>.zip (d8d8bf4a0890c937d501b78cdfd7de13)
    Scan_<random>.exe (40378c0d43dd8c135f90a704911024bd)

    Screenshot: https://gs1.wac.edgecastcdn.net/8019...h591qz4rgp.png

    Last edited by AplusWebMaster; 2013-06-26 at 22:10.

  10. #220
    Adviser Team AplusWebMaster's Avatar

    Fake BBB, OfficeWorld SPAM...

    FYI...

    BBB Compliant Spam
    - http://threattrack.tumblr.com/post/5...compliant-spam
    June 27, 2013 - "Subjects Seen:
    FW: Complaint Case <removed>
    Typical e-mail details:
    The Better Business Bureau has received the above-referenced complaint from one of your customers regarding their dealings with you. The details of the consumer’s concern are included on the reverse. Please review this matter and advise us of your position.
    As a neutral third party, the Better Business Bureau can help to resolve the matter. Often complaints are a result of misunderstandings a company wants to know about and correct.
    In the interest of time and good customer relations, please provide the BBB with written verification of your position in this matter by June 30, 2013. Your prompt response will allow BBB to be of service to you and your customer in reaching a mutually agreeable resolution. Please inform us if you have contacted your customer directly and already resolved this matter.
    The Better Business Bureau develops and maintains Reliability Reports on companies across the United States and Canada . This information is available to the public and is frequently used by potential customers. Your cooperation in responding to this complaint becomes a permanent part of your file with the Better Business Bureau. Failure to promptly give attention to this matter may be reflected in the report we give to consumers about your company.
    We encourage you to print this complaint (attached file), answer the questions and respond to us.
    We look forward to your prompt attention to this matter.
    Sincerely,
    BBB Serving Metropolitan New York, Long Island and the Mid-Hudson Region


    Malicious URLs
    ammscanada .com/ponyb/gate.php
    ammschicago .com/ponyb/gate.php
    ammsdallas .com/ponyb/gate.php
    ammsdirectors .com/ponyb/gate.php
    casailtiglio .com/NY19N.exe
    ftp(DOT)vickibettger .com/oEoASW64.exe
    72.52.164.246 /FDKwgvdt.exe
    scenografiesacs .com/mvNaxR.exe


    Malicious File Name and MD5:
    Case_<random>.zip (0ed9dd827d557d3e20818ab50c7d930b)
    Case_<random>.exe (f317d215a672a209cbdcba452e5e84d8)

    Screenshot: https://gs1.wac.edgecastcdn.net/8019...SVn1qz4rgp.png
    ___

    Fake OfficeWorld .com SPAM / sartorilaw .net
    - http://blog.dynamoo.com/2013/06/offi...orilawnet.html
    27 June 2013 - "This fake OfficeWorld spam leads to malware on sartorilaw .net:
    Date: Thu, 27 Jun 2013 12:39:36 -0430 [13:09:36 EDT]
    From: customerservice @emalsrv.officeworldmail .net
    Subject: Confirmation notification for order 1265953
    Thank you for choosing OfficeWorld.com - the world's biggest selection of business products!
    Please review your order details below. If you have any questions, please Contact Us
    Helpful Tips:
    - Please SAVE or PRINT this confirmation for your records.
    - ORDER STATUS is available online! Login and click "My Orders" to obtain UPS tracking information, etc.
    - If you skipped registration, or forgot your password, simply enter your Login ID (normally your full e-mail address) and click [ forgot password ] to access your account.
    Order: 1265953
    Date: 6/27/2013
    Ship To: My Default
    Credit Card: MasterCard
    Product Qty Price Unit Extended
    HEWCC392A 1 $9703.09 EA $15.15
    AVE5366 1 $27.49 BX $27.49
    SAF3081 2 $56.29 EA $112.58
    Product Total: $9855.22
    Total: $9855.22
    OfficeWorld.com values your business!


    The link in the email goes through a legitimate -hacked- site and then on to [donotclick]sartorilaw .net/news/source_fishs.php (report here*) hosted on the following IPs:
    77.240.118.69 (Acens Technologies, Spain)
    78.108.86.169 (Majordomo LLC, Russia)
    89.248.161.148 (Ecatel, Netherlands)
    108.177.140.2 (Nobis Technology Group, US)
    Recommended blocklist:
    77.240.118.69
    78.108.86.169
    89.248.161.148
    108.177.140.2
    ..."
    * http://urlquery.net/report.php?id=3362472
    ... Detected BlackHole v2.0 exploit kit URL pattern...

    Last edited by AplusWebMaster; 2013-06-27 at 21:44.
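The dynamoo, ThreatTrack and Webroot reports quoted in posts #216 to #220 all end in the same kinds of list: "hosted on" and "Recommended blocklist" IPs, "Malicious URLs", "Malicious File Name and MD5", and the hosts the sample "phones back to", every one defanged as "host .com", "hxxp ://", "ftp(DOT)host" or "1.2.3.4 /file.exe". The Python below is an added example, not a tool from the posts or from the blogs they quote: it walks such a report, refangs the indicators and collects them into a blocklist, while skipping the poster's live reference links (urlquery, VirusTotal) and the spoofed From: domains (facebookmail.com, fiserv.com and so on), which belong to the impersonated brands and must not be blocked. The section headers and the /news/word-word.php landing-page shape that urlquery labelled a "BlackHole v2.0 exploit kit URL pattern" are taken from the posts; treating that shape as a general rule, the FILE_EXTS list and the constructed SAMPLE report are assumptions of this example.

```python
import ipaddress
import re

# Section headers as they appear in the quoted reports; the lines after each one are
# indicators until a blank, "...", "___", "*" or "Screenshot" line ends the section.
SECTION_RE = re.compile(
    r"^(?:(?P<url>malicious urls|rogue download url:)"
    r"|(?P<ip>recommended blocklist:|.*\bhosted on(?: the following ips)?:)"
    r"|(?P<hash>malicious file name and md5:)"
    r"|(?P<hostip>once executed, it phones back to:))$", re.I)
END_RE = re.compile(r'^(?:\.{2,}"?$|_{2,}$|\*|Screenshot|\()')
REAL_SCHEME_RE = re.compile(r"\bhttps?://")   # live links are the poster's references, not IOCs
HOST = r"(?:(?:[a-z0-9-]+\.)+[a-z]{2,}|(?:\d{1,3}\.){3}\d{1,3})"
URL_RE = re.compile(r"(?:(?:https?|ftp)://)?(?P<host>" + HOST + r")(?P<path>/[^\s)\]]*)?", re.I)
URL_WITH_PATH_RE = re.compile(r"(?:(?:https?|ftp)://)?(?P<host>" + HOST + r")(?P<path>/[^\s)\]]*)", re.I)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HASH_RE = re.compile(r"\b(?:[0-9a-f]{64}|[0-9a-f]{40}|[0-9a-f]{32})\b", re.I)
FILE_EXTS = {"zip", "exe", "php", "html", "htm", "pdf", "png", "jpg", "txt"}  # assumption
# Landing-page shape urlquery labelled "BlackHole v2.0 exploit kit URL pattern" in the
# posts (/news/word_word.php); using it as a general rule is an assumption.
EK_PATH_RE = re.compile(r"^/news/[a-z]+(?:[_-][a-z]+)+\.php$", re.I)


def refang(line: str) -> str:
    """Undo the defanging used in the posts: 'host .com', 'hxxp ://',
    'ftp(DOT)host', '1.2.3.4 /file.exe' and the '[donotclick]' prefix."""
    s = line.replace("[donotclick]", "")
    s = re.sub(r"\s*\(DOT\)\s*", ".", s, flags=re.I)
    s = re.sub(r"\bhxxp(s?)\s*://", r"http\1://", s, flags=re.I)
    s = re.sub(r"(?<=\S)\s+(?=\.[a-z0-9])", "", s, flags=re.I)
    s = re.sub(r"(?<=\S)\s+(?=/)", "", s)
    return s.strip()


def _add_host(result: dict, host: str) -> None:
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        result["domains"].add(host)
    else:
        if ip.is_global:            # never push private or loopback space into a blocklist
            result["ips"].add(str(ip))


def extract_iocs(text: str) -> dict:
    result = {k: set() for k in ("ips", "domains", "urls", "ek_pattern_urls", "md5", "sha1", "sha256")}
    state = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or END_RE.match(line):
            state = None
            continue
        sec = SECTION_RE.match(line)
        if sec:
            state = sec.lastgroup     # a "hosted on:" header also carries the landing URL
        if REAL_SCHEME_RE.search(line):
            continue
        s = refang(line)
        if state == "ip":
            for m in IP_RE.finditer(s):
                _add_host(result, m.group(0))
        elif state == "hash":
            for m in HASH_RE.finditer(s):
                h = m.group(0).lower()
                result[{32: "md5", 40: "sha1", 64: "sha256"}[len(h)]].add(h)
        # Outside a URL section only tokens with a path count, so the spoofed sender
        # domain on a From: line never reaches the blocklist.
        pattern = URL_RE if state in ("url", "hostip") else URL_WITH_PATH_RE
        for m in pattern.finditer(s):
            host, path = m.group("host").lower(), m.group("path")
            if not path and host.rsplit(".", 1)[-1] in FILE_EXTS:
                continue              # "Label.zip" is a file name, not a host
            _add_host(result, host)
            if path:
                result["urls"].add(host + path)
                if EK_PATH_RE.match(path):
                    result["ek_pattern_urls"].add(host + path)
    return result


def blocklist(result: dict) -> list:
    """Flat, sorted feed for a DNS sinkhole or firewall: IPs first, then domains."""
    return sorted(result["ips"]) + sorted(result["domains"])


# Constructed report in the shape of the posts above (indicator values taken from them).
SAMPLE = """\
From: Facebook [notification+SCCRJ42M8P @facebookmail .com]
The link in the email goes through a legitimate but -hacked- site and then leads to a malware landing page at [donotclick]chinadollars .net/news/inputted-ties.php (report here*) hosted on:
119.147.137.31 (China Telecom, China)
..."
* http://urlquery.net/report.php?id=3303350
Malicious URLs
nichebiznetwork .com/ponyb/gate.php
ftp(DOT)vickibettger .com/oEoASW64.exe
72.52.164.246 /FDKwgvdt.exe

Malicious File Name and MD5:
Label_<random>.zip (d17aab950060319ea41b038638375268)

Rogue download URL:
hxxp ://www.ez-download .com/mozilla-firefox
Once executed, it phones back to:
media.ez-download .com – 54.230.12.193
...
"""
```

Run extract_iocs over a post and feed blocklist() to the sinkhole; ek_pattern_urls is the subset worth a proxy-log search, since the same /news/ shape recurs across the anygus, chinadollars, meynerlandislaw, spanishafair and sartorilaw landing pages in these posts. The two exclusions are the point: a From: address is evidence of spoofing, not of hosting, and the poster's clickable links lead to analysis sites, so neither belongs in a feed.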
