
Thread: SPAM frauds, fakes, and other MALWARE deliveries...

  1. #221
    AplusWebMaster (Adviser Team) - joined Oct 2005 - USA - 6,881 posts

    Fake Fox News-themed malicious email...

    FYI...

    Fake Fox News-themed malicious email campaign
    - http://community.websense.com/blogs/...-campaign.aspx
    28 Jun 2013 - "Websense... discovered an interesting malicious email campaign using spoofed email addresses from Fox News domains in an attempt to ultimately lure victims to websites hosting the Blackhole Exploit Kit. Should the exploit and compromise be successful, a malicious payload related to the Cridex family appears to be delivered which, as detailed in an earlier Websense Security Labs blog, is typically used to steal banking credentials as well as for the exfiltration of personally identifiable information (PII) and other confidential data for criminal gain. These emails, discovered early on the morning of June 27th, featured "breaking news" subjects and mimicked legitimate news content related to the US Military moving into Syria in order to entice the victim to 'click' on the malicious links. The campaign appears to have targeted a variety of industries and countries; as of 1600 PST on June 27th, the Websense ThreatSeeker® Intelligence Cloud had detected and blocked over 60,000 samples.
    ... Screenshot:
    > http://community.websense.com/cfs-fi...2D00_550x0.png
    Intercepted emails generated interest as they are highly convincing as breaking news alerts and are targeting highly popular and polarizing topics such as Immigration reform, the war on terror, and sending troops to Syria. Example email subjects include:
    - U.S. Military Action in Syria - is it WW3 start?
    - US deploys 19,000 troops in Syria
    - Obama Sending US Forces to Syria
    Malicious Email Analysis: The emails above contain links that follow a series of redirections leading to a BlackHole exploit kit which delivers a malicious PDF. Once opened, the malicious PDF executes embedded and obfuscated JavaScript code which delivers an exploit (CVE-2010-0188). In the event the exploit is successful, the shellcode downloads a malicious component from: hxxp ://sartorilaw .net/news/source_fishs.php?kxdtlz=1l:1g:1i:1o:1j&mbtdi=1k:33:1f:32:2w:30:1h:1o:1h:1g&swlpwu=1i&doko=vaif&wgnrppva=xoti
    The malicious component downloaded by the shell-code is characterized as a Trojan that is capable of downloading malicious files onto a compromised computer and spreading itself via mapped and removable drives.
    Malicious component:
    https://www.virustotal.com/en/file/2...1ef9/analysis/
    About the PDF file:
    https://www.virustotal.com/en/file/f...243b/analysis/
    ... Once executed, a number of HTTP connections on port 8080 are opened in order to download additional malicious payloads..."
    (More detail available at the websense URL above.)
    ___

    Fake jConnect SPAM / FAX_281_3927981981_283.zip
    - http://blog.dynamoo.com/2013/06/jcon...981283zip.html
    28 June 2013 - "This fake fax spam is meant to contain malware, but in this particular case is being sent out with a corrupt attachment:
    Date: Fri, 28 Jun 2013 09:41:52 -0500 [10:41:52 EDT]
    From: jConnect [message @inbound .j2 .com]
    Subject: jConnect fax from "697-377-6967" - 28 page(s), Caller-ID: 697-377-6967
    Fax Message[Caller-ID: 697-377-6967] You have received a 28 page(s) fax at 2012-12-17
    02:13:41 EST.* The reference number for this fax is
    lax3_did10-1019412300-0003832668-11.This message can be opened using your PDF reader. If
    you have not already installed j2 Messenger, download it for
    free:http ://www.j2 .com/downloadsPlease visit http ://www.j2 .com/help if you have any
    questions regarding this message or your j2 service.Thank you for using jConnect!Home
    Contact Login2011 j2 Global Communications, Inc. All rights reserved.jConnect is a
    registered trademark of j2 Global Communications, Inc.This account is subject to the
    terms listed in thejConnect Customer Agreement.


    Both the email and the attachment are horribly mangled, and in this case don't contain their malicious payload (as with this spam run*). But be careful if receiving an email of this type as the next time the spammers try it, it may well be more dangerous."
    * http://blog.dynamoo.com/2013/06/lexi...spam-fail.html
    ___

    - http://threattrack.tumblr.com/post/5...nnect-fax-spam
    June 28, 2013 - "Subjects Seen:
    jConnect fax from "[removed]" - 26 page(s), Caller-ID: [removed]
    Typical e-mail details:
    You have received a 26 page(s) fax at 2012-12-17 05:25:42 EST.
    * The reference number for this fax is [removed].
    This message can be opened using your PDF reader. If you have not already installed j2 Messenger, download it for free: j2 .com/downloads
    Please visit j2 .com/help if you have any questions regarding this message or your j2 service.
    Thank you for using jConnect!


    Malicious URLs
    ammsseattle .com/ponyb/gate.php
    ammsstlouis .com/ponyb/gate.php
    ammstestimonials .com/ponyb/gate.php
    common.karsak .com .tr/FzPfH6.exe
    ftp(DOT)vickibettger .com/oEoASW64.exe
    printex-gmbh .de/kbo.exe
    sraclinic.netarama .com/2aeDdDTW.exe


    Malicious File Name and MD5:
    Fax_<random>.zip (05c33cfcf22c5736c4a162f6d7c2eeac)
    Fax_<random>.exe (f9a80dbb13546e235617f5b21d64cad8)

    Screenshot: https://gs1.wac.edgecastcdn.net/8019...L5Z1qz4rgp.png
    ___

    Threat Outbreak Alerts
    - http://tools.cisco.com/security/cent...utbreak.x?i=77
    Fake Faxed Document Delivery Email Message - 2013 Jun 28
    Fake Product Availability Request Email Messages - 2013 Jun 28
    Fake Banking News Report Email Messages - 2013 Jun 28
    Fake Purchase Order Invoice Email Messages - 2013 Jun 28
    Fake Photo Sharing Email Messages - 2013 Jun 28
    Fake Bank Deposit Confirmation Notice Email Messages - 2013 Jun 28
    Fake Portuguese Photo Sharing link Email Messages - 2013 Jun 28
    Fake Confidential Business Request Email Messages - 2013 Jun 28
    Fake Product Purchase Order Request Email Messages - 2013 Jun 28
    Fake Scanned Document Attachment Email Messages - 2013 Jun 28
    Fake CashPro Online Digital Certificate Notification Email Messages - 2013 Jun 28
    (More detail and links at the cisco URL above.)

    Last edited by AplusWebMaster; 2013-06-28 at 23:17.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .
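    Added example (mine, not from the Websense write-up or the poster above): a first-pass triage script for a PDF like the one in the Fox News chain. It resolves hex-escaped name tokens (so /J#61vaScript is seen as /JavaScript), inflates FlateDecode streams and looks in them for the eval/unescape/%u idioms of obfuscated exploit JavaScript that the post mentions. The sample PDF is constructed and harmless, and the marker lists are this example's own choices, not a Websense signature.

```python
import re
import zlib
from typing import Dict, List

# Dictionary keys worth flagging in a triage pass. This list is the example's
# own choice, not a Websense-supplied signature.
RISKY_NAMES = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch",
               b"/EmbeddedFile", b"/RichMedia", b"/XFA")

# Fragments typical of obfuscated exploit JavaScript (eval/unescape chains,
# %uXXXX-encoded shellcode). Again an example list; tune for your own use.
JS_INDICATORS = (b"eval(", b"unescape(", b"fromCharCode", b"%u",
                 b"app.setTimeOut", b"util.printf")

_NAME_TOKEN = re.compile(rb"/[^\s/<>\[\]()%]+")
_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
_STREAM = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)


def decode_pdf_names(data: bytes) -> bytes:
    """Resolve #xx escapes inside PDF name tokens, so /J#61vaScript reads as
    /JavaScript. The PDF spec allows the escape anywhere in a name, and
    malicious files use it to defeat plain string matching."""
    def fix(match):
        return _HEX_ESCAPE.sub(lambda h: bytes([int(h.group(1), 16)]), match.group(0))
    return _NAME_TOKEN.sub(fix, data)


def inflate_streams(data: bytes) -> List[bytes]:
    """Return the inflated body of every stream that zlib accepts (FlateDecode);
    streams using other filters are silently skipped."""
    bodies = []
    for match in _STREAM.finditer(data):
        try:
            bodies.append(zlib.decompress(match.group(1)))
        except zlib.error:
            continue
    return bodies


def triage_pdf(data: bytes) -> Dict[str, object]:
    """Flag risky name objects (after de-obfuscation) and suspicious JavaScript
    fragments, both in the raw file and inside inflated streams."""
    streams = inflate_streams(data)          # inflate from the raw bytes first
    searchable = decode_pdf_names(data) + b"\n" + decode_pdf_names(b"\n".join(streams))

    names = [n.decode() for n in RISKY_NAMES
             if re.search(re.escape(n) + rb"(?![A-Za-z])", searchable)]
    js_hits = [i.decode() for i in JS_INDICATORS if i in searchable]

    has_js = "/JavaScript" in names or "/JS" in names
    auto_run = "/OpenAction" in names or "/AA" in names
    if js_hits or (has_js and auto_run):
        verdict = "suspicious"
    elif names:
        verdict = "review"
    else:
        verdict = "clean"
    return {"risky_names": names, "js_indicators": js_hits,
            "streams_inflated": len(streams), "verdict": verdict}


def build_sample_pdf() -> bytes:
    """Constructed, harmless test input (not a real sample from the campaign):
    an /OpenAction pointing at a hex-escaped /J#61vaScript action whose code
    sits in a FlateDecode stream."""
    js = b"var s = unescape('%u9090%u9090'); eval(String.fromCharCode(97, 112, 112));"
    comp = zlib.compress(js)
    return (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
            b"3 0 obj << /S /J#61vaScript /J#53 4 0 R >> endobj\n"
            b"4 0 obj << /Length " + str(len(comp)).encode()
            + b" /Filter /FlateDecode >>\nstream\n" + comp + b"\nendstream\nendobj\n"
            b"trailer << /Root 1 0 R >>\n%%EOF\n")


if __name__ == "__main__":
    print(triage_pdf(build_sample_pdf()))
```

    Run it on a real attachment with triage_pdf(open(path, "rb").read()) inside an analysis VM; a "suspicious" verdict means the file should go nowhere near a production Reader install. It deliberately does not handle object streams or the other filters real samples also use (ASCIIHexDecode, LZWDecode), so read "clean" as "nothing obvious", not as safe.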

  2. #222
    AplusWebMaster

    Instagram "Fruit" SPAM

    FYI...

    Instagram "Fruit" SPAM
    - https://isc.sans.edu/diary.html?storyid=16087
    Last Updated: 2013-06-29 20:28:25 UTC - "Currently, Instagram appears to be -flooded- with images of various fruits, pointing to a site that advertises a "miracle fruit diet". The spam attack links to a fake BBC page, typically via a bit.ly link. The "BBC" page features an article touting the power of the advertised diet scheme. It appears that compromised Instagram accounts are the source of the spam. The accounts were compromised using -phishing- e-mails as some reports indicate. In addition to posting the images, the users profile URL is also changed to the spam website."


  3. #223
    AplusWebMaster

    Adware sites to block, Email credentials Phish...

    FYI...

    Adware sites to block - 1 July 2013
    - http://blog.dynamoo.com/2013/07/adwa...lock-1713.html
    1 July 2013 - "Never trust any sort of ad network that uses anonymous domains and hides all other identifying data. These seem to be doing the rounds at the moment; some of them may be involved in injection attacks or adware installs...
    cdnsrv .com
    tracksrv .com
    cdnloader .com
    secure-content-delivery .com
    mydatasrv .com

    Domains all seem to be on parking IPs or Amazon AWS, so difficult to block by IP address."
    ___

    Email credentials - Phish
    - http://threattrack.tumblr.com/post/5...dentials-phish
    July 1, 2013 - "Subjects Seen:
    Email Deactivation Notice
    Typical e-mail details:
    An automatic security update has been carried out on your Email Account.
    Click here to Login and complete update
    Please note that you have within 24 hours to complete this update, because you might lose access to your Email Account


    Malicious URLs
    190.6.206.173 /~radioxge/updated/index.html


    Screenshot: https://gs1.wac.edgecastcdn.net/8019...z3B1qz4rgp.png
    ___

    Fake Pinterest SPAM / pinterest .com.reports0701.net
    - http://blog.dynamoo.com/2013/07/pint...orts0701n.html
    1 July 2013 - "This fake Pinterest spam leads to malware on pinterest .com.reports0701.net:
    Date: Mon, 1 Jul 2013 21:04:36 +0530
    From: "Pinterest" [naughtinessw5 @newsletters .pinterest .net]
    To: [redacted]
    Subject: Your password on Pinterest Successfully changed!
    [redacted]
    Yor password was reset. Request New Password.
    See Password
    Pinterest is a tool for collecting and organizing things you love.
    This email was sent to [redacted].
    Don't want activity notifications? Change your email preferences.
    ©2013 Pinterest, Inc. | All Rights Reserved
    Privacy Policy | Terms and Conditions


    The link goes through a legitimate -hacked- site to end up on a malicious payload at [donotclick]pinterest .com.reports0701.net/news/pay-notices.php (report here* and here**) which contains an exploit kit. The malware is hosted on a subdomain of a main domain with fake WHOIS details (it belongs to the Amerika gang) which is a slightly new technique:
    June Parker parker @mail .com
    740-456-7887 fax: 740-456-7844
    4427 Irving Road
    New Boston OH 45663
    us
    The following IPs are in use:
    77.240.118.69 (Acens Technologies, Spain)
    89.248.161.148 (Ecatel, Netherlands)
    208.81.165.252 (Gamewave Hongkong Holdings, US)
    Recommended blocklist:
    77.240.118.69
    89.248.161.148
    208.81.165.252
    ..."
    * http://urlquery.net/report.php?id=3454469

    ** http://urlquery.net/report.php?id=3454450

    Last edited by AplusWebMaster; 2013-07-01 at 23:41.

  4. #224
    AplusWebMaster

    Adware, Malware sites to block ...

    FYI...

    Adware sites to block 2/7/13
    - http://blog.dynamoo.com/2013/07/adwa...lock-2713.html
    2 July 2013 - "Never trust an ad network that uses anonymous WHOIS details. These are hosted on 108.161.189.161 (NetDNA, US) and all hide their details... Given the amount of adware* on this server, I would recommend blocking it... "
    (More detail at the dynamoo URL above.)
    * https://www.virustotal.com/en/ip-add...1/information/
    ___

    Malware sites to block 2/7/13
    - http://blog.dynamoo.com/2013/07/malw...lock-2713.html
    2 July 2013 - "These sites belong to this gang* and house exploit kits and other nastiness. I've broken the list down into three sections: IPs and web hosts, plain IPs (for copy and pasting) and malware domains. The domains change on a regular basis, the IPs less frequently and are therefore probably the best things to block..."
    (Long lists at the dynamoo URL above.)
    * http://blog.dynamoo.com/search/label/Amerika
    ___

    Babylon and the 3954 Trojans...
    - http://blog.dynamoo.com/2013/07/baby...-whore-of.html
    2 July 2013 - ""Babylon and the 3954 Trojans" sounds like a swords and sandals epic, but unfortunately it's just another example of crapware gone wild... At the heart of Babylon.com's business is a marginally useful "free" translation application plus some paid add-ons... and installs a load of crapware onto your computer when it does so... system administrators keep finding the product installed on their machines, adware and all. This piece of software even has its own Wikipedia entry* covering malware issues. Do you really want your users to go anywhere near this site? As far as I can tell, at the moment the Babylon software is downloaded from the following IPs which you may want to -block- (all operated by Singlehop):
    69.175.87.109
    81.93.185.144
    81.93.185.145
    173.236.48.139
    173.236.91.147
    184.154.40.59
    184.154.151.19
    198.143.175.67
    216.104.42.91
    ..."
    (More detail at the dynamoo URL above.)
    * http://en.wikipedia.org/wiki/Babylon...Malware_issues

    > https://www.virustotal.com/en/domain...m/information/

    Diagnostic page for AS32475 (SINGLEHOP)
    - https://www.google.com/safebrowsing/...?site=AS:32475

    - https://www.google.com/safebrowsing/...te=babylon.com
    "... Malicious software includes 3954 trojan(s)..."
    ___

    DHL Shipment Notification Spam
    - http://threattrack.tumblr.com/post/5...ification-spam
    July 2, 2013 - "Subjects Seen:
    Delivery Status Notification ID#[removed]
    Typical e-mail details:
    DHL Ship Shipment Notification
    On June 23, 2013 a shipment label was printed for delivery.
    The shipment number of this package is [removed].
    To get additional info about this shipment use any of these options:
    1) Click the following URL in your browser:
    Get Shipment Info
    2) Enter the shipment number on tracking page:
    Tracking Page
    For further assistance, please call DHL Customer Service.
    For International Customer Service, please use official DHL site.


    Malicious URLs
    ah-nanas .se/main.php?inf=ss00_323
    unitedcricketclub .co.za/main.php?inf=ss00_323
    dsfstore .ro/main.php?inf=ss00_323


    Malicious File Name and MD5:
    Delivery_Information.zip (6ea731d13579040c20208dfbc7bddb0f)
    Delivery_Information_ID-<random>.exe (560f37022593bf13c4071f4c5dc3b48c)

    Screenshot: https://gs1.wac.edgecastcdn.net/8019...Khv1qz4rgp.png

    Last edited by AplusWebMaster; 2013-07-03 at 10:05.

  5. #225
    AplusWebMaster

    Blackhole Exploit Kit SPAM campaign hits Pinterest

    FYI...

    Blackhole Exploit Kit SPAM campaign hits Pinterest
    - http://blog.trendmicro.com/trendlabs...its-pinterest/
    July 3, 2013 - "... we are now seeing a BHEK spam campaign targeting social networking website -Pinterest- and its users. Prior to this campaign, the website has also been the target of other threats, such as survey scams and spammed mails that lead to malicious websites.
    > https://blog.trendmicro.com/trendlab...terestbhek.jpg
    We received a sample of the messages being spammed, and upon analysis, discovered how its infection chain goes. Here is the entire infection chain, as follows:
    • The user receives the spammed mail in his inbox. It is tailored to resemble a legitimate mail from Pinterest, and notifies the user about a successful password change. It also presents a link that would allow him to see his new password.
    • Should the user click on the link, he is put through a series of website redirects. This redirection is detected as HTML_IFRAME.USR.
    • HTML_IFRAME.USR then downloads another malware onto the system, TROJ_PIDIEF.USR, which in turn drops BKDR_KRIDEX.KA. This final payload, being backdoor malware, has the ability to perform commands from a remote malicious user, and therefore can compromise a system’s security.
    While there is nothing new in this routine, users are still advised to always perform account-related changes only on the websites they subscribe to. We also point towards the usage of CRIDEX as a final payload – a malware family that we’ve written about as one of the two families used in BHEK attacks. Like ZBOT, CRIDEX is used mainly to steal online banking information. To further protect themselves from these sorts of threats, users should ensure that all software on their systems is updated and patched (namely Java, Adobe Acrobat, Adobe Reader, and Flash). This is because BHEK operates by exploiting vulnerabilities in popular software, and keeping that software, plus their browser of choice, up to date can help prevent them from becoming victims. Avoiding links presented in suspicious mails and verifying the mail’s content first by contacting the supposed sender through other means (phone call, visit) can also go a long way..."


  6. #226
    AplusWebMaster

    Fake EBC Password Reset, Invoice Export License Spam

    FYI...

    Fake EBC Password Reset Confirmation SPAM / paynotice07 .net
    - http://blog.dynamoo.com/2013/07/ebc-...tion-spam.html
    5 July 2013 - "This fake password reset spam leads to malware on paynotice07 .net:
    From: EBC_EBC1961Registration@ebank6 .secureaps .com
    Sent: 05 July 2013 12:27
    Subject: Password Reset Confirmation
    Your Online Bankking password was successfully changed on 07/05/2013. If you did not make this change, or if you have any questions, please contact EBC Technical Support using this link.
    Support is available Monday - Friday, 8 AM to 8 PM CST.
    This is an automated message, please do not reply. Your message will not be received...


    The link goes through a legitimate -hacked- site and ends up on a payload at [donotclick]paynotice07 .net/news/must-producing.php (report here*) hosted on the following IPs:
    189.84.25.188 (DataCorpore Serviços e Representações, Brazil)
    202.28.69.195 (Walailuk University, Thailand)
    Blocklist:
    189.84.25.188
    202.28.69.195
    ..."
    * http://urlquery.net/report.php?id=3554479
    ___

    Invoice Export License Spam
    - http://threattrack.tumblr.com/post/5...t-license-spam
    July 5, 2013 - "Subjects Seen:
    invoice copy
    Typical e-mail details:
    Kindly open to see export License and payment invoice attached,
    meanwhile we sent the balance payment yesterday.
    Please confirm if it has settled in your account or you can call if
    there is any problem.
    Thanks
    Karen parker


    Malicious File Name and MD5:
    invoice copy.zip (5e58effccB7dfbe81910fefaf17766d9)
    invoice copy (2).exe (d70ab58ee9fffd968c3e7327adbb550e)

    Screenshot: https://gs1.wac.edgecastcdn.net/8019...alW1qz4rgp.png

    Last edited by AplusWebMaster; 2013-07-05 at 21:19.

  7. #227
    AplusWebMaster

    Fake AMEX, Xerox WorkCentre SPAM ...

    FYI...

    Fake AMEX SPAM - americanexpress .com.krasalco .com
    - http://blog.dynamoo.com/2013/07/amex...asalcocom.html
    8 July 2013 - "This fake Amex spam leads to malware on americanexpress .com.krasalco .com:
    From: American Express [mailto:AmericanExpress @emalsrv.aexpmail .org]
    Sent: 08 July 2013 15:00
    Subject: Account Alert: A Payment Was Received
    Check your account balance online at any time
    Hello, [redacted]
    View Account
    Make a Payment
    Manage Alerts Preferences
    Payment Received
    Check Balance
    We received a payment for your Card account.
    Date Received:
    Mon, Jul 08, 2013
    Payment Amount:
    $2,511.92
    Payments received after 8PM MST may not be credited until the next day. Please allow 24-48 hours for your payment to appear online.
    Thank you for your Cardmembership.
    American Express Customer Care
    Was this e-mail helpful? Please click here to give us your feedback...


    Screenshot: https://lh3.ggpht.com/-7XFKs5MUprk/U.../s400/amex.png

    The link in the email goes through a legitimate -hacked- site to end up on a malicious landing page at [donotclick]americanexpress .com.krasalco .com/news/slightly_some_movie.php (report here*) hosted on the following IPs:
    77.240.118.69 (Acens Technologies, Spain)
    103.9.23.34 (TPL Trakker Ltd, Pakistan)
    151.155.25.111 (Novell Inc, US)
    202.28.69.195 (Uninet, Thailand)
    Blocklist:
    77.240.118.69
    103.9.23.34
    151.155.25.111
    202.28.69.195
    ..."
    * http://urlquery.net/report.php?id=3606244
    ___

    Fake Xerox WorkCentre Pro Spam
    - http://threattrack.tumblr.com/post/5...entre-pro-spam
    July 8, 2013 - "Subjects Seen:
    Scanned Image from a Xerox WorkCentre
    Typical e-mail details:
    Please open the attached document. It was scanned and sent to you using a Xerox WorkCentre Pro.
    Sent by: [removed]
    Number of Images: 6
    Attachment File Type: ZIP [PDF]
    WorkCentre Pro Location: Machine location not set
    Device Name: [removed]
    Attached file is scanned image in PDF format.


    Malicious URLs
    2ndtimearoundweddingphotography .com/ponyb/gate.php
    bobkahnvideo .com/ponyb/gate.php
    gfpmenusonline .com/ponyb/gate.php
    gfponlineordering .com/ponyb/gate.php
    lacasadelmovilusado .com/bts1.exe
    common.karsak .com.tr/FzPfH6.exe
    ftp(DOT)vickibettger .com/oEoASW64.exe
    qualitydoorblog .com/qbSTq.exe


    Malicious File Name and MD5:
    SCAN_<random>.zip (da8f4d5dc27dd81c6e3eff217a6501ec)
    SCAN_<random>.exe (59ee4453da8909e96762f2c8cd0d6f37)

    Screenshot: https://gs1.wac.edgecastcdn.net/8019...fuK1qz4rgp.png
    ___

    Man of Steel, Fast and Furious 6 Among Online Fraudsters’ Most Used Lures
    - http://blog.trendmicro.com/trendlabs...st-used-lures/
    July 8, 2013 - "... Fraudsters are relentless in creating fake streaming sites, not just on the screening date of these movies, but also before the release of movies in theaters... attackers use various social media sites like Facebook, Google+, Youtube, LinkedIn, and many others to drive users to the fake streaming pages. These are hosted on blogging services like Tumblr, WordPress, and Blogger. Most pages on these blogs have shortened URLs that lead to the final sites... Because they used the services of URL shorteners, we were able to view the number of visits per selected movie. It appears that Man of Steel, Fast and the Furious 6 and Iron Man 3 got the highest number of viewers. This data is for a two-month period from late April up to the end of June.
    > http://blog.trendmicro.com/trendlabs...iews-chart.jpg
    Total pageviews of fake streaming sites (per movie titles)
    To lure in users, attackers use key phrases like “watch movie title online” or “download movie title free”. Using Blackhat Search Engine Optimization or BHSEO, users looking for the above pages are lured to visit the -fake- streaming sites. This is also known as one form of manipulating search engine indexes, or -spamdexing-. Many of the common keywords used are what you’d expect: “watch”, “online”, “free”, etcetera. One of the more surprising keywords is “putlocker”, which refers to a UK-based file locker. In terms of countries involved, while the United States accounts for more than two-thirds of the traffic to these sites, other countries were also represented. Users are advised to stream from and subscribe to -legitimate- sites and -not- to these fake streaming sites. Be wary of sharing posts and clicking links that could propagate these scams. In addition, there might be no such thing as online streaming or movie download except for pirated copies, which in itself can be risky..."
    ___

    sendgrid .me / amazonaws .com SPAM
    - http://blog.dynamoo.com/2013/07/send...scom-spam.html
    8 July 2013 - "This spam is unusual in that it comes through an apparently genuine commercial email provider (sendgrid .me) and leads to malware hosted on Amazon's cloud service, amazonaws .com. There is no body text in the spam, just an image designed to look like a downloadable document.
    from: [victim] via sendgrid .me
    date: 8 July 2013 19:08
    subject: Urgent 6:08 PM 244999
    Signed by: sendgrid .me


    Screenshot: https://lh3.ggpht.com/-w5tfHokyzRw/U.../pic848755.jpg

    The email appears to originate from 138.91.78.32 which is a Microsoft IP, so that part of the mail header might be faked. It certainly comes through 208.117.55.132 (o1.f.az.sendgrid .net)
    The text at the bottom says "Please find attached the document." but actually leads to a malicious executable at [donotclick]s3.amazonaws .com/ft556/Document_948357853____.exe [https] (VirusTotal report*) which then downloads a further executable from [donotclick]s3.amazonaws .com/mik49/ss32.exe [http] (VirusTotal report**) which installs itself into C:\Documents and Settings\Administrator\Application Data\ss32.exe. ThreatExpert reports*** that the downloader (the first executable) is hardened against VM-based analysis:
    Is protected with Themida in order to prevent the sample from being reverse-engineered. Themida protection can potentially be used by a threat to complicate the manual threat analysis (e.g. the sample would not run under the Virtual Machine)... The second part (ss32.exe) attempts to lookup a server called mssql.maurosouza9899.kinghost .net 177.185.196.130 (IPV6 Internet Ltda, Brazil)... VirusTotal does report some other badness on 177.185.196.130 so this is probably worth blocking.
    Recommended blocklist:
    177.185.196.130 ..."
    * https://www.virustotal.com/en/file/8...is/1373309007/
    File name: Document_948357853____.exe
    Detection ratio: 15/46
    Analysis date: 2013-07-08
    ** https://www.virustotal.com/en/file/c...is/1373315068/
    File name: ss32.exe
    Detection ratio: 8/44
    Analysis date: 2013-07-08
    *** http://www.threatexpert.com/report.a...afe6928fa84c89

    **** https://www.virustotal.com/en/ip-add...0/information/

    Last edited by AplusWebMaster; 2013-07-09 at 01:00.
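    Added example (mine, not from the dynamoo post): the reasoning in the sendgrid item about which hop can be believed, written out in code. Received headers are prepended by each relay in turn, so only the ones stamped "by" your own MTA are reliable; the peer IP recorded there (here the sendgrid relay 208.117.55.132) is the real hand-off address, and any Received header below it, such as the one naming 138.91.78.32, was written by the sender's side and is only a claim. The header block is constructed for the example: the two IPs and the o1.f.az.sendgrid.net name come from the post, while the relay mx.example.org, the queue ids and the addresses are made up.

```python
import re
from typing import Dict, List, Optional

# Hostnames of our own inbound MTAs (assumption for this example). Only a
# Received header stamped "by" one of these was written by infrastructure
# we control; everything the sender's side added is merely claimed.
TRUSTED_RELAYS = {"mx.example.org"}

_FROM_IP = re.compile(r"\bfrom\b.*?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]", re.S)
_BY_HOST = re.compile(r"\bby\s+([A-Za-z0-9.-]+)")


def parse_received(headers: str) -> List[Dict[str, Optional[str]]]:
    """Unfold the header block and return the Received hops, newest first
    (the order in which they appear in the message)."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", headers)
    hops = []
    for line in unfolded.splitlines():
        if not line.lower().startswith("received:"):
            continue
        body = line.split(":", 1)[1].strip()
        ip = _FROM_IP.search(body)
        by = _BY_HOST.search(body)
        hops.append({"from_ip": ip.group("ip") if ip else None,
                     "by": by.group(1).lower() if by else None,
                     "raw": body})
    return hops


def trace_origin(headers: str, trusted_relays=TRUSTED_RELAYS) -> Dict[str, object]:
    """Walk the chain from the top while the 'by' host is ours. The peer IP in
    the last trusted hop is the reliable hand-off address; every hop below it
    was written by someone else and may be forged."""
    hops = parse_received(headers)
    trusted = 0
    handoff = None
    for hop in hops:
        if hop["by"] not in trusted_relays:
            break
        trusted += 1
        handoff = hop["from_ip"]
    return {
        "handoff_ip": handoff,
        "trusted_hops": trusted,
        "claimed_origin_ip": hops[-1]["from_ip"] if hops else None,
        "unverifiable_hops": [h["raw"] for h in hops[trusted:]],
    }


# Constructed header block modelled on the post: the two IPs and the sendgrid
# relay name are from the post; our MTA name, queue ids and addresses are
# made up for the example.
SAMPLE_HEADERS = (
    "Received: from o1.f.az.sendgrid.net (o1.f.az.sendgrid.net [208.117.55.132])\n"
    "\tby mx.example.org (Postfix) with ESMTPS id 3bX0Qq1kq7z\n"
    "\tfor <victim@example.org>; Mon, 08 Jul 2013 19:08:12 +0100\n"
    "Received: from [138.91.78.32] (unknown [138.91.78.32])\n"
    "\tby ismtpd-005.sendgrid.net (SG) with ESMTP id 7FxQq;\n"
    "\tMon, 08 Jul 2013 18:08:09 +0000\n"
    "From: victim@example.org\n"
    "Subject: Urgent 6:08 PM 244999\n"
)

if __name__ == "__main__":
    print(trace_origin(SAMPLE_HEADERS))
```

    Feed it the raw header block of a suspect message (everything above the first blank line) and point TRUSTED_RELAYS at your own MX names. Pair the hand-off IP with the SPF and DKIM results your own gateway computed, not with an Authentication-Results line carried inside the message, which the sender's side can write just as easily as a fake Received header.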

  8. #228
    AplusWebMaster

    Malware sites to block ...

    FYI...

    Malware sites to block 9/7/13
    - http://blog.dynamoo.com/2013/07/malw...lock-9713.html
    9 July 2013 - "These are the current IPs and domains that appear to be in use by this gang*. IPs are listed with hosting companies and countries first, and then a plain list of IPs and domains for copy-and-pasting (blocking)..."
    (Long list at the dynamoo URL above.)
    * http://blog.dynamoo.com/search/label/Amerika
    ___

    Fake "Payment File Successfully Processed" SPAM / autorize .net.models-and-kits .net
    - http://blog.dynamoo.com/2013/07/paym...processed.html
    9 July 2013 - "This spam leads to malware on autorize.net.models-and-kits .net:
    Date: Tue, 9 Jul 2013 15:36:42 -0500
    From: batchprovider @eftps .gov
    Subject: Payment File Successfully Processed
    *** PLEASE DO NOT REPLY TO THIS MESSAGE***
    Dear Batch Provider,
    This message is being sent to inform you that your payment file has successfully processed. 2013-07-09-12.08.00.815358
    Detailed information is available by logging into the Batch Provider software by clicking this link and performing a Sync request.
    Thank You,
    EFTPS
    Contact Us: EFTPS Batch Provider Customer Service
    at this link


    A sender's email address of batchprovider @email.eftpsmail .gov is seen in another sample. The link goes through a legitimate -hacked- site and ends up on a malware-laden page at [donotclick]autorize.net.models-and-kits .net/news/shortest-caused-race.php (report here**) hosted on:
    77.240.118.69 (Acens Technologies, Spain)
    103.9.23.34 (TPL Trakker Ltd, Pakistan)
    151.155.25.111 (Novell Inc, US)
    202.28.69.195 (UniNet, Thailand)
    All these IPs and more can be found in this recommended blocklist*. Out of these four IPs we can see the following malicious domains which should also be blocked if you can't block the IPs themselves..
    77.240.118.69
    103.9.23.34
    151.155.25.111
    202.28.69.195
    ..."
    (More detail at the dynamoo URL above.)
    * http://blog.dynamoo.com/2013/07/malw...lock-9713.html

    ** http://wepawet.iseclab.org/view.php?...400740&type=js

    Last edited by AplusWebMaster; 2013-07-10 at 06:03.
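    Added example (mine, not from any of the quoted blogs): the indicator lists in this post and in #221, #223, #226 and #227 share two habits worth automating. They are defanged in several styles (hxxp, "pinterest .com", ftp(DOT), [donotclick]) and need normalising before they can go into a blocklist, and the landing pages keep using a brand name as a subdomain of an unrelated registrable domain (pinterest.com.reports0701.net, americanexpress.com.krasalco.com, autorize.net.models-and-kits.net). The sample lines are copied from this page; the brand list and the tiny multi-label suffix table are this example's own simplifications (use the Public Suffix List, e.g. via the publicsuffix2 package, for real work).

```python
import ipaddress
import re
from typing import Dict, List
from urllib.parse import urlsplit

# Brand labels to watch for in subdomains. These are the lures seen in the
# thread (the misspelt "autorize" is the spammers' own); this is the example's
# list, not a vendor feed.
BRANDS = {"pinterest", "americanexpress", "amex", "authorize", "autorize", "visa", "dhl"}

# Stand-in for the Public Suffix List (simplification for the example; use
# the publicsuffix2 package in production).
MULTI_LABEL_SUFFIXES = {"co.uk", "com.tr", "co.za", "com.au", "com.br", "co.jp"}

_MD5 = re.compile(r"\b[0-9a-f]{32}\b", re.I)


def refang(line: str) -> str:
    """Undo the defanging styles used in the quoted posts."""
    s = line.strip()
    s = re.sub(r"^\[donot?click\]", "", s, flags=re.I)        # [donotclick] prefix
    s = re.sub(r"hxxp", "http", s, flags=re.I)
    s = re.sub(r"\(dot\)|\[\.\]|\(\.\)", ".", s, flags=re.I)  # ftp(DOT)host
    s = re.sub(r"\s*://\s*", "://", s)                        # "hxxp ://"
    s = re.sub(r"\s+\.", ".", s)                              # "sartorilaw .net"
    s = re.sub(r"\s+/", "/", s)                               # "1.2.3.4 /path"
    return s


def registrable_domain(host: str) -> str:
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def is_brand_lookalike(host: str) -> bool:
    """True when a brand label sits in the subdomain part but the registrable
    domain is not the brand's own, e.g. pinterest.com.reports0701.net."""
    host = host.lower()
    reg = registrable_domain(host)
    if reg.split(".")[0] in BRANDS:
        return False
    sub = host[: -len(reg)].rstrip(".")
    return any(label in BRANDS for label in sub.split(".") if label)


def _is_ip(text: str) -> bool:
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def parse_iocs(text: str) -> Dict[str, List[str]]:
    """One defanged indicator per line -> sorted ips, hosts, urls, md5s and
    the hosts that trip the brand-lookalike rule."""
    out = {"ips": set(), "hosts": set(), "urls": set(), "md5s": set(), "lookalikes": set()}
    for raw in text.splitlines():
        if not raw.strip():
            continue
        md5 = _MD5.search(raw)
        if md5:                                  # "name.zip (hash)" lines
            out["md5s"].add(md5.group(0).lower())
            continue
        s = refang(raw)
        if "://" not in s:
            s = "http://" + s
        parts = urlsplit(s)
        host = (parts.hostname or "").lower()
        if not host:
            continue
        if parts.path not in ("", "/") or parts.query:
            out["urls"].add(s)
        if _is_ip(host):
            out["ips"].add(host)
        else:
            out["hosts"].add(host)
            if is_brand_lookalike(host):
                out["lookalikes"].add(host)
    return {key: sorted(val) for key, val in out.items()}


def blocklist(iocs: Dict[str, List[str]]) -> List[str]:
    """Plain one-per-line blocklist: IPs first (they rotate least), then hosts."""
    return iocs["ips"] + iocs["hosts"]


# Indicator lines copied from the posts on this page (already defanged there).
SAMPLE_IOCS = """
hxxp ://sartorilaw .net/news/source_fishs.php?kxdtlz=1l
ammsseattle .com/ponyb/gate.php
common.karsak .com .tr/FzPfH6.exe
ftp(DOT)vickibettger .com/oEoASW64.exe
190.6.206.173 /~radioxge/updated/index.html
[donotclick]pinterest .com.reports0701.net/news/pay-notices.php
[donotclick]americanexpress .com.krasalco .com/news/slightly_some_movie.php
[donotclick]autorize.net.models-and-kits .net/news/shortest-caused-race.php
unitedcricketclub .co.za/main.php?inf=ss00_323
77.240.118.69
202.28.69.195
Fax_<random>.zip (05c33cfcf22c5736c4a162f6d7c2eeac)
invoice copy.zip (5e58effccB7dfbe81910fefaf17766d9)
"""

if __name__ == "__main__":
    parsed = parse_iocs(SAMPLE_IOCS)
    print("lookalikes:", parsed["lookalikes"])
    print("\n".join(blocklist(parsed)))
```

    Domains on this gang's infrastructure rotate daily while the IPs do not, which is why dynamoo recommends blocking the IPs; blocklist() puts them first for that reason. The lookalike rule only catches a brand label to the left of the registrable domain, so "newsletters.pinterest.net" from the Pinterest lure's From address passes it; a brand under the wrong TLD needs a per-brand list of the legitimate domains to compare against.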

  9. #229
    AplusWebMaster

    Something evil on 199.231.93.182

    FYI...

    Something evil on 199.231.93.182
    - http://blog.dynamoo.com/2013/07/some...923193182.html
    10 July 2013 - "199.231.93.182 (Webline Service, US suballocated to "Alex Capersov") is hosting a number of exploits [1] [2] being used in injection attacks. In the sample I saw, code had been injected into the legitimate site englishrussia .com possibly through a traffic exchanger. The following domains are all hosted on or are associated with this IP. There's a shorter list at the bottom of the post without the subdomains that you might want to use as a blocklist..."
    (More detail at the dynamoo URL above.)

    1) http://urlquery.net/search.php?q=199...3-07-10&max=50

    2) https://www.virustotal.com/en/ip-add...2/information/
    ___

    Fake Booking Reservation themed emails serve malware
    - http://blog.webroot.com/2013/07/10/c...serve-malware/
    July 10, 2013 - "Cybercriminals are currently mass mailing tens of thousands of fake emails impersonating the Westminster Hotel, in an attempt to trick users into thinking that they’ve received a legitimate booking confirmation. In reality though, once the socially engineered users execute the malicious attachments, their PCs automatically join the botnet operated by the cybercriminals behind the campaign...
    Sample screenshot of the spamvertised email:
    > https://webrootblog.files.wordpress....ng?w=465&h=587
    Detection rate for the malicious attachment – MD5: 7eed403cfd09ea301c4e10ba5ed5148a * ... Trojan-PSW.Win32.Tepfer.nprd.
    The UPX compressed executable creates an Alternate Data Stream (ADS), starts at Windows startup... It then phones back to the following C&C server:
    hxxp :// 62.76.178.178 /fexco/com/index.php
    We’ve already seen the same C&C directory structure in the previous profiled ‘Fake ‘Vodafone U.K Images’ themed malware serving spam campaign circulating in the wild‘ campaign... While we were investigating this campaign, we also found out that, apparently, the Westminster Hotel in Rhyl, Denbighshire, did not renew their primary domain name (westminster-rhyl.com – 64.74.223.31), allowing opportunistic ‘domainers’ to quickly snatch it. Not surprisingly, we also detected malicious activity with multiple malicious software phoning back to the current hosting IP of the Web site of the Westminster Hotel in Rhyl, Denbighshire...
    > https://webrootblog.files.wordpress....maps.png?w=869
    ... MD5s known to have phoned back to the same IP (64.74.223.31) ..."
    (More detail at the webroot URL above.)
    * https://www.virustotal.com/en/file/b...is/1373366558/
    File name: Document.pdf .exe
    Detection ratio: 6/47
    Analysis date: 2013-07-09
    ___

    Fake Visa SPAM / estateandpropertty.com and clik-kids .com
    - http://blog.dynamoo.com/2013/07/visa...tycom-and.html
    10 July 2013 - "This fake Visa spam attempts to lead to malware on estateandpropertty .com:
    Date: Wed, 10 Jul 2013 13:20:38 -0300 [12:20:38 EDT]
    From: Visa [policemank3 @newsletters.visabusinessnewsmail .org]
    Reply-To: flintierv34 @complains .visabusinessnewsmail .org
    Subject: Update Your Business Visa Card Information
    Your Visa Business card has been limited. Please update your information to reactivate your account.
    Please proceed the link: http ://visabusiness .com/ fraud/warning_mail=81413185766854518964...96368, update necessary information and view further information that caused us to set a limit.
    Your Case ID is: NW61826321176497
    Look for unexpected charges or questionable activity, and if you see anything suspicious,don't wait to act.
    This added security is to prevent any additional fraudulent charges from taking place on your account...
    Please be advised that the Information may constitute material nonpublic information under U.S. federal securities laws and that purchasing or selling securities of Visa Inc. while being aware of material nonpublic information would constitute a violation of applicable U.S. federal securities laws. This information may change from time to time. Please contact your Visa representative to verify current information. Visa is not responsible for errors in this publication. The Visa Non-Disclosure Agreement can be obtained from your Visa Account Manager or the nearest Visa Office.
    This message was sent to you by Visa, P.O. Box 8999, San Francisco, CA 94128. Please click here to unsubscribe.


    The link in the email goes through a legitimate -hacked- site and then attempted to go to a malware page at [donotclick]estateandpropertty .com/news/visa-report.php (report here*) but it appears the registrar has -nuked- the domain, so the spammers have switched the link to [donotclick]clik-kids .com/news/visa-report.php (report here**) instead. IPs involved are:
    46.45.182.27 (Radore Veri Merkezi Hizmetleri, Turkey)
    77.240.118.69 (Acens Technlogies, Spain)
    150.244.233.146 (Universidad Autonoma De Madrid, Spain)
    203.236.232.42 (KINX, Korea)
    209.222.67.251 (Razor Inc, US)
    ..."
    * http://urlquery.net/report.php?id=3651712

    ** http://urlquery.net/report.php?id=3653370

    Last edited by AplusWebMaster; 2013-07-10 at 22:58.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  10. #230 AplusWebMaster (Adviser Team)

    Thumbs down Fake invoice SPAM, Malware sites to block

    FYI...

    Fake "WTX Media INC" SPAM / dajizzum .com
    - http://blog.dynamoo.com/2013/07/wtx-...jizzumcom.html
    11 July 2013 - "This fake invoice spam from the nonexistent "WTX Media" leads to a malware landing page on dajizzum .com:
    From: Rebecca Media [mailto:support @rebeccacella .com]
    Sent: 11 July 2013 07:46
    To: [redacted]
    Subject: Subscription Details
    We hereby inform you that your subscription has been activated, your login information is as follows:
    Username: IX9322130
    Password: X#(@kIE04N
    Login Key: 839384
    Please do not share the login information with anyone as this account is only for your use, sharing the account will result in account termination without a refund.
    The credit card on file submited by you will be billed within 24 hours, in the amount of 499.00 GBP, amount equal to one year unlimited subscription.
    Your bank statement will show up as being billed by "WTX Media INC".
    If you have any questions or issues with your login as well as requests to upgrade or cancel your membership please contact us using the form at:
    [donotclick]www.rebeccacella .com/wp-content/plugins/subscribe/
    Any feedback is appreciated as we strive to improve our services constantly.
    WTX Media Team


    The link in the email goes through a legitimate but -hacked- website (rebeccacella .com) and lands on a malware landing page at [donotclick]dajizzum .com/team/administration/admin4_colon/fedora.php?view=44 (report here*) which contains an exploit kit. dajizzum .com is hosted on 109.123.100.219 (UK2.NET, UK) which appears to be a -hijacked- server. At the moment I can only see that one site hosted on this box, but -blacklisting- the IP as a precaution may be wise. The spam originates from another malware server on 188.138.89.106 (more of this later) but it appears to use a compromised 1&1 account, as the spamvertised domain, sender's address and SMTP relay of 212.227.29.10 all belong to that provider."
    * http://urlquery.net/report.php?id=3664350
    ___

    Malware sites to block 11/7/13
    - http://blog.dynamoo.com/2013/07/malw...ock-11713.html
    11 July 2013 - "I noticed 188.138.89.106 (Intergenia AG, Germany) was the originating IP being used in this spam run* using a -hijacked- 1&1 account, and VirusTotal thinks that the server is pretty darned evil**. A quick poke at this box shows that it has a number of multihomed malicious and C&C domains. Looking at some of these servers, I'm suspicious that they may have been compromised using a Plesk vulnerability***. Various domains are used for botnets, including some Bitcoin miners. There may be some formerly legitimate domains in this mix, but given the compromised nature of the servers I would not trust them.
    37.123.112.147 (UK2.NET, UK)
    37.123.113.7 (UK2.NET, UK)
    68.169.38.143 (Westhost Inc, US)
    68.169.42.177 (Westhost Inc, US)
    74.208.133.134 (1&1, US)
    85.25.86.198 (Intergenia AG, Germany)
    109.123.95.8 (UK2.NET, UK)
    188.138.89.106 (Intergenia AG, Germany)
    212.53.167.13 (FASTCOM IP Net, Poland)
    212.227.53.20 (1&1, Germany)
    212.227.252.92 (1&1, Germany)
    213.165.71.238 (1&1, Germany)
    217.160.173.154 (1&1, Germany)
    ..."
    * http://blog.dynamoo.com/2013/07/wtx-...jizzumcom.html

    ** https://www.virustotal.com/en/ip-add...6/information/

    *** http://threatpost.com/irc-botnet-lev...-vulnerability
    ___

    Facebook Phish leads to Fake Flash and Mining
    - http://www.threattracksecurity.com/i...sh-and-mining/
    July 10, 2013 - "... A new scam has emerged, this time using Tumblr as the launchpad to redirect end-users to a Facebook credential phish (including the collection of the answer to a secret question). At the end of the journey, victims will come across a fake Flash Player install touting the same fake landing page the old attack made use of, while adding a fresh sting in the tail. There’s a message which has been seen on some Facebook profiles doing the rounds at the moment, which reads as follows:
    > http://www.threattracksecurity.com/i.../minespam1.jpg
    With a link to...
    > http://www.threattracksecurity.com/i...m2-300x226.jpg
    The spamblog Tumblr will attempt to redirect end-users to a -fake- Facebook login:
    > http://www.threattracksecurity.com/i.../minespam3.jpg
    After handing over their login, the end-user is then asked to surrender the answer to a security question of their own choosing:
    > http://www.threattracksecurity.com/i.../minespam4.jpg
    Finally, they will arrive at the fake Flash player page – identical to the ones used in the 2012 spam runs on Twitter. While the message is the same:
    “An update for Youtube player is needed
    The Flash player update 10.1 includes
    * Smoother video with hardware accelleration support
    * Enhanced performance and memory management
    * Support for multi-touch and gesture-enabled content
    * Private browsing support and security enhancements”


    …the downloaded file and intent are rather different.
    > http://www.threattracksecurity.com/i.../minespam5.jpg
    Here’s what it looks like on the desktop, along with information from the Properties tab:
    > http://www.threattracksecurity.com/i.../minespam7.jpg
    ... It appears that once they’re done redirecting you to fake Facebook pages, stealing your login / security question information and loading up a fake video page they then want your PC to go mining (most likely Bitcoin, though the files aren’t displaying much activity at time of writing). The domain involved contains numerous files, some of which are password protected and won’t be downloadable unless the infected PC is following the correct “steps”. A compromised machine will attempt to download a proxy and a miner..."
    > http://www.threattracksecurity.com/i.../minespam8.jpg

    Last edited by AplusWebMaster; 2013-07-11 at 14:50.
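The dynamoo posts above recommend blocking the listed IPs and the landing-page domains; a defender also wants to know whether anything already talked to them. The script below is an added example, not code from dynamoo or the forum: it runs the indicators quoted above (the blocklist IPs, dajizzum .com, clik-kids .com, estateandpropertty .com) over constructed Squid-style proxy log lines and reports each hit with the reason, handling CONNECT tunnels whose "URL" is only a host:port. The client addresses, timestamps and the hostname example-shop.test are constructed, not from the posts.

```python
"""Added example: match proxy log lines against the indicators quoted
in the dynamoo posts above (IPs and domains are from those posts)."""
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators copied from the quoted dynamoo posts of 10/11 July 2013.
BLOCKLIST_IPS = {
    "37.123.112.147", "37.123.113.7", "68.169.38.143", "68.169.42.177",
    "74.208.133.134", "85.25.86.198", "109.123.95.8", "109.123.100.219",
    "188.138.89.106", "212.53.167.13", "212.227.53.20", "212.227.252.92",
    "213.165.71.238", "217.160.173.154",
}
BLOCKLIST_DOMAINS = {"dajizzum.com", "clik-kids.com", "estateandpropertty.com"}

# Squid native access.log: time elapsed client action/code bytes method url ident hier/peer type
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+(?P<client>\S+)\s+(?P<action>\S+)\s+\d+\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+\S+\s+\S+/(?P<peer>\S+)\s+\S+$"
)

# Constructed sample lines (clients, timestamps and example-shop.test are made up).
SAMPLE_LOG = [
    "1373529600.123 210 10.0.0.5 TCP_MISS/200 5120 GET http://example-shop.test/index.php - HIER_DIRECT/188.138.89.106 text/html",
    "1373529601.456 98 10.0.0.5 TCP_MISS/302 512 GET http://dajizzum.com/team/administration/admin4_colon/fedora.php?view=44 - HIER_DIRECT/109.123.100.219 text/html",
    "1373529602.789 40 10.0.0.9 TCP_HIT/200 2048 GET http://www.example.org/index.html - NONE/- text/html",
    "1373529603.000 1200 10.0.0.7 TCP_TUNNEL/200 9000 CONNECT 37.123.113.7:443 - HIER_DIRECT/37.123.113.7 -",
]

def _is_ip(s):
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False

def host_of(url):
    """Hostname from a URL; CONNECT lines carry a bare host:port, so add '//' first."""
    if "://" not in url:
        url = "//" + url
    return urlsplit(url).hostname or ""

def scan_proxy_log(lines):
    """Return (client, url, reason) for every line touching an indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not a Squid native line; skip rather than guess
        host = host_of(m["url"])
        reasons = []
        if m["peer"] in BLOCKLIST_IPS:
            reasons.append(f"dest ip {m['peer']}")
        for d in BLOCKLIST_DOMAINS:  # domain itself or any subdomain
            if host == d or host.endswith("." + d):
                reasons.append(f"domain {d}")
        if _is_ip(host) and host in BLOCKLIST_IPS:
            reasons.append(f"url ip {host}")
        if reasons:
            hits.append((m["client"], m["url"], "; ".join(reasons)))
    return hits

if __name__ == "__main__":
    for client, url, why in scan_proxy_log(SAMPLE_LOG):
        print(f"{client} -> {url}  [{why}]")
```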
