
Thread: SPAM frauds, fakes, and other MALWARE deliveries...

  1. #231
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Fake TAX Return Reminder SPAM...

    FYI...

    Fake TAX Return Reminder SPAM / cpa.state.tx .us.tax-returns.mattwaltererie .net
    - http://blog.dynamoo.com/2013/07/tax-...tetxustax.html
    12 July 2013 - "This fake tax return reminder leads to malware on cpa.state.tx.us.tax-returns.mattwaltererie .net:

    --- Version 1 --------------------
    Date: Fri, 12 Jul 2013 14:35:31 +0300
    From: DO.NOT.REPLY @REMINDER.STATE .TX .US.GOV
    Subject: TAX Return Reminder
    After the last quarter calculations of your fiscal activity we have determined that you are eligible to receive a tax refund of $964.17. Please submit the tax refund request and allow us 2-5 business days to process it.
    A refund can be delayed for a variety of reasons.
    For example submitting invalid records or applying after deadline
    Returns can be electronically filed at www .cpa.state.tx .us/returns_caseid=035549412645
    For security reasons we will record your IP address, date and time.
    Deliberate scam inputs are criminally pursued and indicated.
    Please do not reply to this e-mail.
    Please disregard this reminder if the return has already been submitted.

    --- Version 2 --------------------
    Date: Fri, 12 Jul 2013 17:05:39 +0530 [07:35:39 EDT]
    From: tax.help @STATE.TX .GOV .US
    Subject: TAX Return Reminder
    After the last quarter calculations of your fiscal activity we have determined that you are eligible to receive a tax refund of $909.70. Please submit the tax refund request and allow us 2-3 business days to process it.
    A refund may be delayed for a variety of reasons.
    For example submitting invalid records or applying after deadline
    Returns can be electronically filed at www .cpa.state.tx .us/returns_caseid=488702484517
    For security reasons we will record your IP address, date and time.
    Deliberate wrong inputs are criminally pursued and indicated.
    Please do not reply to this e-mail.
    Please disregard this reminder if the return has already been submitted.


    Unusually, the link in the email goes directly to the malware landing page rather than going through a legitimate -hacked- site, in this case directly to [donotclick]cpa.state.tx.us.tax-returns.mattwaltererie .net/news/tax_refund-caseid7436463593.php?[snip] (example 1*, example 2**) but I cannot get the malware to reveal itself (there's either a fault or it is resistant to analysis).
    cpa.state.tx.us.tax-returns.mattwaltererie .net is hosted on the following IP addresses that are under control of what I call the Amerika gang:
    46.45.182.27 (Radore Veri Merkezi Hizmetleri A.S., Turkey)
    150.244.233.146 (Universidad Autonoma de Madrid, Spain)
    203.236.232.42 (KINX, Korea)
    209.222.67.251 (Razor Inc, US)
    The domain mattwaltererie .net also features the fake US WHOIS details that are characteristic of the Amerika gang (which is where they get their name from)...
    Below is a partial blocklist that I would recommend you use in conjunction with this one:
    46.45.182.27
    150.244.233.146
    203.236.232.42
    209.222.67.251
    ..."
    (More detail at the dynamoo URL above.)
    * http://urlquery.net/report.php?id=3689715

    ** http://urlquery.net/report.php?id=3688402

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #232

    Spamvertised emails lead to Casino PUAs

    FYI...

    Spamvertised emails lead to Casino PUAs
    - http://blog.webroot.com/2013/07/15/t...d-application/
    July 15, 2013 - "... You may want to skip the rogue online casinos... Over the past few days, we intercepted multiple spam campaigns launched by the same party, enticing users into downloading -fake- online casinos most commonly known as the Win32/PrimeCasino/Win32/Casonline PUA (Potentially Unwanted Application)...
    Sample screenshots of the landing pages:
    > https://webrootblog.files.wordpress....ng?w=675&h=536
    > https://webrootblog.files.wordpress....ng?w=711&h=532
    > https://webrootblog.files.wordpress....ng?w=741&h=328
    ... (More screenshots shown at the first webroot URL above.) ...
    Rogue domains reconnaissance:
    royalvegascasino .com – 193.169.206.146
    888casino .com – 213.52.252.59
    spinpalace .com – 109.202.114.65
    riverbelle1 .com – 193.169.206.233
    alljackpotscasino .com – 64.34.230.122
    luckynuggetcasino .com – 67.211.111.163
    allslotscasino .com – 64.34.230.149; 205.251.192.125; 205.251.195.210; 205.251.196.131; 205.251.199.63 ...
    Detection rates for the Potentially Unwanted Applications (PUAs):
    AllJackpots.exe – MD5: fed4e5ba204f3b3034b882481a6ab002 ... Win32/PrimeCasino; W32/Casino.P.gen!Eldorado; PUP.PrimeCasino
    luckynugget.exe – MD5: 1e97ddc0ed28f5256167bd93f56a46b2 ... GAME/Casino.Gen; W32/Casino.P.gen!Eldorado;
    Riverbelle.exe – MD5: 1828fc794652e653e6083c204d3b1f34 ... GAME/Casino.Gen; W32/Casino.P.gen!Eldorado
    RoyalVegas.exe – MD5: 2dd87b67d4b7ca7a1bfae2192b09f8e6 ... GAME/Casino.Gen; W32/Casino.P.gen!Eldorado
    Rogue casino domains... responded to 193.169.206.146 ..."
    (More detail at the first webroot URL above.)
    ___

    Half-Life 3 Fakeout...
    - http://www.threattracksecurity.com/i...keout-roundup/
    July 15, 2013 - "Half-Life 3: it doesn’t exist. This short, brutal truth doesn’t mean there aren’t a lot of Half Life 3 fakeouts doing the rounds. For example, here’s a fake Steam Store page located at store(dot)stearnpowered(dot)com... The real thing would be store(dot)steampowered(dot)com – they’re likely banking on end-users not noticing the join between the “r” and the “n”... There’s a lot of so-called “Half-Life 3 giveaway” sites online, and – amazingly enough – -none- of those sites are going to give you Half-Life 3... Halflife3beta(dot)com, which takes the tried and tested survey scam route (complete with fake “Downloads allowed” graphic at the bottom of the survey splash)... If and when Half-Life 3 ever arrives, the first you hear about it won’t be on some obscure domains serving up deals and offers. Keep your wits, your skepticism and your crowbar handy…"

    Fake Wiki in the Wild Wild Web
    - http://www.threattracksecurity.com/i...wild-wild-web/
    July 15, 2013 - "If you happen to make a mess of typing up the Wikipedia domain, you could in theory wind up at the following address which is clearly hoping for some finger-related typo malfunction traffic: wikipeida(dot)org
    As you can see, it isn’t far off from the real thing. What lurks there? This:
    > http://www.threattracksecurity.com/i.../fakewiki1.jpg
    ... The end-user is presented with 3 meaningless questions then asked to choose their final “I’m being marketed to” destination... As far as typosquatting well known sites with the intention of driving traffic to surveys goes, this is a well worn trick and – one would hope – not something a person looking for Wikipedia would fall for..."
    ___

    NOST (NOST.QB) / NSU Resources Inc Pump and Dump SPAM
    - http://blog.dynamoo.com/2013/07/nost...-and-dump.html
    15 July 2013 - "Over the weekend a pump-and-dump spam* run started for NSU Resources Inc trading as NOST.QB **. NSU Resources almost definitely have -nothing- to do with this spam run...
    Subject: This Stock MOVED HARD...
    Subject: This Stock Is The Hottest Stock In The Whole Market!...
    Subject: They`ve got their rally caps on!...
    Subject: Look for Another Push Higher...

    ... we can expect to see NOST spam for a while yet as the spammer - and perhaps whoever employed them - try to offload worthless shares onto unsuspecting investors. Avoid."
    * http://en.wikipedia.org/wiki/Pump_and_dump

    ** http://www.nasdaq.com/symbol/nost
    ___

    Bank of America Paymentech SPAM
    - http://threattrack.tumblr.com/post/5...aymentech-spam
    15 July 2013 - "Subjects Seen:
    Merchant Statement
    Typical e-mail details:
    Attached (pdf|PDF|pdf file|document|file) is your Bank of America Paymentech electronic Merchant Billing Statement.
    If you need assistance, please (contact|message|call) your Account Executive or call Merchant Services at the telephone number listed on your statement.
    PLEASE DO NOT RESPOND BY USING REPLY. This (email|mail) is sent from an unmonitored email address, and your response will not be received by Bank of America Paymentech.
    Bank of America Paymentech will not be responsible for any liabilities that may result from or relate to any failure or delay caused by Bank of America Paymentech’s or the Merchant’s email service or otherwise. Bank of America Paymentech recommends that Merchants continue to monitor their statement information regularly.


    Malicious File Name and MD5:
    stid <random>.zip (d8f8701b9485f7a2215da9425c5af7d6)
    stid <random>.exe (198385457408361504c7ccac9d67bd3e)

    Screenshot: https://gs1.wac.edgecastcdn.net/8019...rth1qz4rgp.png
    ___

    Fake UPS SPAM / tvblips .net
    - http://blog.dynamoo.com/2013/07/ups-...vblipsnet.html
    15 July 2013 - "This fake UPS spam leads to malware on tvblips .net:
    Date: Mon, 15 Jul 2013 10:20:13 -0500
    From:
    Subject: Your UPS Invoice is Ready
    This is an automatically generated email. Please do not reply to this email address.
    Dear UPS Customer,
    Thank you for your business.
    New invoice(s) are available for the consolidated payment plan(s) / account(s) enrolled in the UPS Billing Center.
    Please visit the UPS Billing Center to view and pay your invoice.
    Questions about your charges? To get a better understanding of surcharges on your invoice, click here..."


    The link in the email goes to a legitimate -hacked- site that has some highly obfuscated javascript that leads to a malware landing page on [donotclick]tvblips .net/news/ups-information.php (report here*) hosted on:
    46.45.182.27 (Radore Veri Merkezi Hizmetleri, Turkey)
    209.222.67.251 (Razor Inc, US)
    Recommended blocklist:
    46.45.182.27
    209.222.67.251
    ..."
    * http://urlquery.net/report.php?id=3762051
    ___

    Threat Outbreak Alerts
    - http://tools.cisco.com/security/cent...utbreak.x?i=77
    Fake Bank Payment Information Email Message - 2013 Jul 15
    Fake Shipping Invoice Notification Email Messages - 2013 Jul 15
    Email Messages with Malicious Attachments - 2013 Jul 15
    Fake Bank Payment Confirmation Email Messages - 2013 Jul 15
    Fake Bank Deposit Confirmation Email Messages - 2013 Jul 15
    Fake CashPro Online Digital Certificate Notification Email Message - 2013 Jul 15
    Fake Online Dating Proposal Email Messages - 2013 Jul 15
    Fake Product Quote Request Email Messages - 2013 Jul 15
    Fake Order Document Email Attachment Messages - 2013 Jul 15
    Fake Photo Email Messages - 2013 Jul 15
    Fake Canceled Electronic Payment Notification Email Message - 2013 Jul 15
    Fake Telegraphic Transfer Notification Email Messages - 2013 Jul 15
    Fake Receipt Attachment Email Messages - 2013 Jul 15
    Fake Purchase Order Notification Email Messages - 2013 Jul 15
    Fake Billing Statement Email Messages - 2013 Jul 15
    Fake Financial Document Delivery Email Messages - 2013 Jul 15
    Fake CashPro Online Digital Certificate Notification Email Messages - 2013 Jul 15
    Fake Product Order Email Messages - 2013 Jul 15
    Fake Money Transfer Notification Email Messages - 2013 Jul 15
    (More detail and links at the cisco URL above.)

    Last edited by AplusWebMaster; 2013-07-15 at 21:07.

  3. #233

    Malware sites to block, Photo Attachment Spam ...

    FYI...

    Malware sites to block 16/7/13
    - http://blog.dynamoo.com/2013/07/malw...ock-16713.html
    16 July 2013 - "These domains and IPs are associated with this gang*. This time there appear to be some diet pill sites in the mix, these may be spammy or they may be malicious.. I would recommend blocking them -all- ..."
    (Long list available at the dynamoo URL above.)
    * http://blog.dynamoo.com/search/label/Amerika
    ___

    Photo Attachment Spam
    - http://threattrack.tumblr.com/post/5...ttachment-spam
    July 16, 2013 - "Subjects Seen:
    my undressed image is attached
    Typical e-mail details:
    zdjakinuii fgcaba rjgvsy
    vyjxsvlsa luoans vnlfo
    aovkq I R W Q G A L S C M R
    caeqmjj W R P L P D A F


    Malicious File Name and MD5:
    mypic62.zip (f2845f8eeeb5e8b2985fdd2c7636bc39)
    mypic.vcr (118980814772348b8e42a5166a4dc2a1)

    Screenshot: https://gs1.wac.edgecastcdn.net/8019...ZRB1qz4rgp.png
    ___

    Fake Invoice SPAM / doc201307161139482.doc
    - http://blog.dynamoo.com/2013/07/invo...139482doc.html
    16 July 2013 - "This spam has a malicious word attachment, doc201307161139482.doc which contains an exploit.
    From: Carlos Phillips [accounting @travidia .com]
    Subject: Invoice 48920
    Thanks !!
    Greg
    Precision Assemblies Products, Inc.Llc.
    179 Nesbitt Hills
    Holley, NY 51902
    (176)-674-6500
    nightmarewdp50 @travidia .com


    Note that the date is included into the filename. The document has an MS12-027 exploit with a VirusTotal detection rate of just 5/47*. In theory, if your copy of Microsoft Word is up-to-date you should be immune to this...
    UPDATE: The ThreatTrack report [pdf**] shows similar characteristics, including an attempted download from [donotclick]mycanoweb .com/report/doc.exe which is a Zbot variant with a low detection rate***... Most of the IPs for mycanoweb .com overlap with those belonging to the Amerika gang. The other two IPs are shared hosting and might block a relatively small number of legitimate sites.. I would lean towards blocking them now and unblocking them later if there's a problem.
    Recommended blocklist:

    Additional IPs for Zbot component:
    182.237.17.180
    194.44.219.226
    210.56.23.100
    ..."

    * https://www.virustotal.com/en-gb/fil...878c/analysis/

    ** http://www.dynamoo.com/files/analysi...1201a3e6ef.pdf

    *** https://www.virustotal.com/en-gb/fil...is/1373989372/
    ___

    Dun and Bradstreet Attachment Spam
    - http://threattrack.tumblr.com/post/5...ttachment-spam
    July 16, 2013 - "Subjects Seen:
    FW : Complaint - <random>
    Typical e-mail details:
    Dun & Bradstreet has received the above-referenced complaint from one of your customers regarding their dealings with you. The details of the consumer’s concern are included on the reverse. Please review this matter and advise us of your position.
    In the interest of time and good customer relations, please provide the DnB with written verification of your position in this matter by June 8, 2013. Your prompt response will allow DnB to be of service to you and your customer in reaching a mutually agreeable resolution. Please inform us if you have contacted your customer directly and already resolved this matter...
    We encourage you to print this complaint (attached file), answer the questions and respond to us.
    We look forward to your prompt attention to this matter.


    Malicious URLs
    b-markenergy .com/ponyb/gate.php
    arizonaenergysuppliers .com/ponyb/gate.php
    alabamaenergysuppliers .com/ponyb/gate.php
    bemarkenergy .com/ponyb/gate.php
    costruzionimediterraneo .it/FP0gd6.exe
    preview.vibration-trainers .com/V2YE.exe


    Malicious File Name and MD5:
    Case_<random>.zip (b3f17fd862e5e7C617240251be8de706)
    Case_<random>.exe (59ee4453da8909e96762f2c8cd0d6f37)

    Screenshot: https://gs1.wac.edgecastcdn.net/8019...ea31qz4rgp.png
    ___

    Spamvertised Payroll themed emails lead to malware
    - http://blog.webroot.com/2013/07/16/s...tical-malware/
    July 16, 2013 - "We’ve intercepted two, currently circulating, malicious spam campaigns enticing users into executing the malicious attachments found in the fake emails. This time the campaigns are impersonating Vodafone U.K or pretending to be a legitimate email generated by Sage 50's Payroll software...
    Sample screenshot of the spamvertised email:
    > https://webrootblog.files.wordpress....lip_sage50.png
    ... What’s particularly interesting about these two campaigns is the fact that they’ve both been launched by the same cybercriminal/gang of cybercriminals. Not only do the campaigns use an identical MD5 with two previously profiled malicious spam campaigns, but also, all the MD5s phone back to the same C&C server - hxxp:// 62.76.178.178 /fexco/com/index.php
    Detection rate for the unique MD5 used in the fake Vodafone U.K MMS themed campaign: 4e9d834fcc239828919eaa7877af49dd * ... Backdoor.Win32.Androm.abrz; Troj/Agent-ACLZ..."
    * https://www.virustotal.com/en/file/b...fd16/analysis/
    File name: vt-upload-b6gNq
    Detection ratio: 8/47
    Analysis date: 2013-07-14
    ___

    Fake Bank of America SPAM / stid 36618-22.zip
    - http://blog.dynamoo.com/2013/07/bank...618-22zip.html
    16 July 2013 - "This fake Bank of America spam comes with a malicious attachment:
    Date: Tue, 16 Jul 2013 21:21:06 +0200 [15:21:06 EDT]
    From: Joyce Bryson [legalsr @gmail .com]
    Subject: Merchant Statement
    Enclosed (pdf|PDF|pdf file|document|file) is your Bank of America Paymentech electronic Merchant Billing Statement.
    If you need assistance, please (contact|message|call) your Account Executive or call Merchant Services at the telephone number listed on your statement.
    PLEASE DO NOT RESPOND BY USING REPLY. This (email|mail) is sent from an unmonitored email address, and your response will not be received by Bank of America Paymentech.
    Bank of America Paymentech will not be responsible for any liabilities that may result from or relate to any failure or delay caused by Bank of America Paymentech's or the Merchant's email service or otherwise. Bank of America Paymentech recommends that Merchants continue to monitor their statement information regularly...


    Attached is a file called stid 36618-22.zip which in turn contains stid 36618-22.exe which is a variant of Zbot. VirusTotal detections are just 11/47*. Anubis reports** what appear to be several peer-to-peer connection attempts plus an attempted download from [donotclick]apsuart .com/741_out.exe that appears to fail..."
    * https://www.virustotal.com/en/file/c...is/1374010738/

    ** http://anubis.iseclab.org/?action=re...32&format=html

    Last edited by AplusWebMaster; 2013-07-17 at 01:06.

  4. #234

    Fake Reservation Confirmation SPAM...

    FYI...

    Fake Reservation Confirmation SPAM / marriott .com.reservation.lookup.viperlair .net
    - http://blog.dynamoo.com/2013/07/hous...servation.html
    17 July 2013 - "This fake Marriott spam leads to malware on marriott.com.reservation.lookup.viperlair .net:
    Date: Wed, 17 Jul 2013 05:12:22 -0800 [09:12:22 EDT]
    From: Marriott Hotels & Resorts Reservation [reservations @clients.marriottmail .org]
    Reply-To: reservations @clients.marriottmail .org
    Subject: Houston Marriott Westchase Reservation Confirmation #86903601
    Marriott Hotels & Resorts Houston Marriott Westchase 2900 Briarpark Dr.,
    Houston, Texas 77042 USA Phone: 1-713-978-7400 Fax: 1-713-735-2726
    Reservation for [redacted]
    Confirmation Number: 86903601
    Check-in: Sunday, July 21, 2013 (03:00 PM)
    Check-out: Wednesday, July 24, 2013 (12:00 PM)
    Modify or Cancel reservation ...


    The -link- in the email goes through a legitimate -hacked- site and lands on [donotclick]marriott.com.reservation.lookup.viperlair .net/news/marriott-ebill-order-confirmation.php (report here*) hosted on the following IPs:
    (viperlair .net is registered with -fake- WHOIS details that mark it out as belonging to the Amerika gang...)
    50.97.253.162 (Softlayer, US)
    59.126.142.186 (Chunghwa Telecom, Taiwan)
    209.222.67.251 (Razor Inc, US)
    Recommended blocklist:
    50.97.253.162
    59.126.142.186
    209.222.67.251
    ..."
    * http://urlquery.net/report.php?id=3804348
    ___

    "PC Wizard" tech support SCAM
    - http://blog.dynamoo.com/2013/07/0208...port-scam.html
    17 July 2013 - "Just a quick one.. some Indian scammers routing through a UK number 02086 547426 (02086547426) and purporting to be from a company "PC Wizard" just called and tried to convince me that something was wrong with my PC.
    I'll do a write-up later.. but in the meantime their MO is to get you to look at your Event Viewer for errors (there are always errors), and then visit ammyy .com to run some remote control software. DO NOT LET THEM DO THIS!"

    - http://centralops.net/co/DomainDossier.aspx
    canonical name ammyy.com
    addresses 70.38.40.185
    OriginAS: AS32613 *
    City: Moscow ...
    Country: RU ...

    * https://www.google.com/safebrowsing/...?site=AS:32613
    "... over the past 90 days, 1721 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2013-07-17, and the last time suspicious content was found was on 2013-07-17... we found 313 site(s) on this network... that appeared to function as intermediaries for the infection of 794 other site(s)... We found 280 site(s)... that infected 1790 other site(s)..."

    Last edited by AplusWebMaster; 2013-07-17 at 22:34.

  5. #235

    Site hacked - email compromised, Fake QuickBook SPAM ...

    FYI...

    Site primrose .co .uk hacked, emails compromised
    - http://blog.dynamoo.com/2013/07/prim...mpromised.html
    18 July 2013 - "Garden accessory primroseb.co .uk has been -hacked- and email addresses stored in their system are being abused for phishing purposes:
    From: paypal .co .uk [service @paypal .co .uk]
    Date: 18 July 2013 11:01
    Subject: We cannot process your payment at this time.
    Dear,
    We need your help resolving an issue with your account.To give us time to work together on this, we've temporarily limited what you can do with your account until the issue is resolved.
    we understand it may be frustrating not to have full access to your PayPal account.We want to work with you to get your account back to normal as quickly as possible.
    What's the problem ? It's been a little while since you used your account.For reasons relating to the safe use of the PayPal service we need some more information about your account.
    Reference Number: PP-001-278-254-803
    It's usually quite straight forward to take care of these things.Most of the time, we just need some more information about your account or latest transactions.
    1. Download the attached document and open it in a browser window secure.
    2. Confirm that you are the account holder and follow the instructions.
    Yours sincerely,
    PayPal
    Copyright 2013 PayPal. All rights reserved PayPal Email ID PP1589


    The attached form Account Information-Paypal.html is basically a phishing page, pulling content from www. thesenddirect .com (62.149.142.113 - Aruba, Italy) and submitting the data to www .paypserv .com (62.149.142.152 - also Aruba). The WHOIS details are no doubt -fake- and are respectively:
    Saunders, John Alan mahibarayanlol @gmail .com
    4 The Laurels off Oatland Close Botley, 4
    Southampton, GB SO322EN
    IT
    +39.447885623455
    ----------
    Clarke, Victoria johanjo1010 @gmail .com
    Innex Cottage Ropers Lane, 754
    Wrington, GB BS405NH
    IT
    +39.441934862064
    Primrose .co .uk were informed of the breach on 4th July and told me that IT were investigating, but as I haven't heard anything back and customers haven't been notified then I will assume they did not find anything. Of note is that the spam email does not address customers by name, so it is possibly only email addresses that have been leaked. Also, passwords do not appear to be kept in plaintext which is good. Without further information from primrose .co .uk it is impossible to say if any financial data has been compromised."
    ___

    Fake KLWines .com SPAM / prysmm .net
    - http://blog.dynamoo.com/2013/07/k-wi...scom-spam.html
    18 July 2013 - "This fake K&L Wine Merchants spam email leads to malware on www. klwines.com.order.complete .prysmm.net:
    Date: Thu, 18 Jul 2013 05:57:28 -0800
    From: drowsedl04 @inbound.ups .net
    Subject: Your K&L order #56920789 is complete
    Hello from K&L Wine Merchants -- www. KLWines .com
    Just wanted to let you know that your order (#56920789) is complete.
    Additional comments for this order: Ship Fri. 7/19
    The following items are included...
    Item Subtotal: $247.91
    Tax: $0.00
    Shipping & Handling: $67.18
    Total: $315.09
    The tracking number for this shipment is 1Z474482A140261050.
    Please visit the freight carrier's site for exact shipping pickup and dropoff dates, by clicking on the link below.
    To see the latest information about your order, visit "My Account"...


    The link in the email goes through a legitimate -hacked- site and ends up on a malware page at [donotclick]www.klwines.com.order.complete.prysmm .net/news/order-information.php (report here*) hosted on:
    50.97.253.162 (Softlayer, US)
    59.126.142.186 (Chunghwa Telecom, Taiwan)
    203.236.232.42 (KINX, Korea)
    209.222.67.251 (Razor Inc, US)
    The -fake- WHOIS details mark this out as belonging to the Amerika gang...
    Recommended blocklist:
    50.97.253.162
    59.126.142.186
    203.236.232.42
    209.222.67.251
    ..."
    * http://urlquery.net/report.php?id=3833979
    ___

    Fake QuickBooks Overdue Payment SPAM
    - http://threattrack.tumblr.com/post/5...e-payment-spam
    July 18, 2013 - "Subjects Seen:
    Please respond - overdue payment
    Typical e-mail details:
    Please find attached your invoices for the past months. Remit the payment by 07/18/2013 as outlines under our “Payment Terms" agreement.
    Thank you for your business,
    Sincerely,
    Nathan Phipps


    Malicious URLs
    prospexleads .com:8080/ponyb/gate.php
    phonebillssuck .com:8080/ponyb/gate.php
    picaletter .com/ZDpczi37.exe
    s268400504.onlinehome .us/v73.exe
    wineoutleteventspace .com/7UNFVh.exe


    Malicious File Name and MD5:
    invoice_<random>.zip (9E2221D918E83ED2B264214F5DDAB9FF)
    invoice_<random>.exe (06C3A27772C2552A28C32F82583B7645)

    Screenshot: https://gs1.wac.edgecastcdn.net/8019...iSE1qz4rgp.png
    ___

    Wells Fargo Important Documents Spam
    - http://threattrack.tumblr.com/post/5...documents-spam
    July 18, 2013 - "Subjects Seen:
    IMPORTANT Documents - WellsFargo
    Typical e-mail details:
    Please review attached files.
    Alyce_Granger
    Wells Fargo Advisors


    Malicious URLs
    prospexleads .com:8080/ponyb/gate.php
    phonebillssuck .com:8080/ponyb/gate.php
    ciclografico .pt/9Up.exe
    mdebra.o2switch .net/2ccVsM9z.exe
    magusdev .com/YSQsWZVU.exe
    splendidhonda .com/Hb3qCt.exe

    Malicious File Name and MD5:
    DOC_<name>.zip (44A3AFFC21D0BA3E4CA5ACE0732C6D65)
    DOC_{_MAILTO_USERNAME}.exe (4A182976242CF4F65B6F219D649B0A98)

    Screenshot: https://gs1.wac.edgecastcdn.net/8019...lo31qz4rgp.png
    ___

    Threat Outbreak Alerts
    - http://tools.cisco.com/security/cent...utbreak.x?i=77
    Video Sharing Email Messages - 2013 Jul 18
    Fake Product Order Quotation Email Messages - 2013 Jul 18
    Malicious Attachment Email Messages - 2013 Jul 18
    Email Messages with Malicious Attachments - 2013 Jul 18
    Fake Money Transfer Notification Email Messages - 2013 Jul 18
    Fake Product Supply Request Email Messages - 2013 Jul 18
    Malicious Personal Pictures Attachment Email Messages - 2013 Jul 18
    Malicious Attachment Email Messages - 2013 Jul 18
    Fake Money Transfer Notification Email Messages - 2013 Jul 18
    Fake Invoice Statement Attachment Email Messages - 2013 Jul 18
    Fake Customer Complaint Attachment Email Messages - 2013 Jul 18
    Fake Picture Link Email Messages - 2013 Jul 18
    Fake Fund Transfer Confirmation Email Messages - 2013 Jul 18
    Fake Order Information Email Messages - 2013 Jul 18
    Fake Tax Report Documentation Email Messages - 2013 Jul 18
    Fake Product Quote Request Email Messages - 2013 Jul 18
    Fake Product Quotation Request Email Messages - 2013 Jul 18
    (More detail and links at the cisco URL above.)

    Last edited by AplusWebMaster; 2013-07-18 at 23:11.
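    The landing-page hostnames quoted in the posts above share one trick: a real brand hostname (cpa.state.tx.us, marriott.com, klwines.com) is placed in front of a throwaway domain, so the part the attacker actually controls is the tail (mattwaltererie.net, viperlair.net, prysmm.net); the Half-Life and Wikipedia items show two others, an "rn" read as "m" (stearnpowered) and a transposed-letter typosquat (wikipeida). The following Python triage is an added example, not code from the forum or from the quoted blogs; the brand list and the cut-down public-suffix table are assumptions made for the example, and a real deployment would use the full Public Suffix List.

```python
"""Lookalike-hostname triage for the spoofing patterns quoted in this thread.

Assumptions (constructed for this example, not taken from any of the posts):
the public-suffix table below is a tiny stand-in for the Public Suffix List,
and KNOWN_BRANDS is a hand-picked list of the brands the spam impersonates.
"""
from typing import List, Optional

# Minimal public-suffix table; the longest matching tail wins.
PUBLIC_SUFFIXES = {"com", "net", "org", "us", "uk", "tx.us", "state.tx.us", "co.uk"}

# Brand hostnames the checks know about (constructed for the example).
KNOWN_BRANDS = sorted({
    "cpa.state.tx.us", "marriott.com", "klwines.com", "verizonwireless.com",
    "steampowered.com", "wikipedia.org", "paypal.com", "ups.com",
})

# Glyph pairs that read alike in typical mail-client fonts.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l")]


def registrable_domain(host: str) -> str:
    """Return the part of a hostname that the registrant actually controls."""
    labels = host.lower().rstrip(".").split(".")
    for n in range(len(labels) - 1, 0, -1):        # longest suffix first
        if ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return ".".join(labels[-2:])


def _contains_labels(host_labels: List[str], brand_labels: List[str]) -> bool:
    n = len(brand_labels)
    return any(host_labels[i:i + n] == brand_labels
               for i in range(len(host_labels) - n + 1))


def brand_spoofed_as_prefix(host: str) -> Optional[str]:
    """A brand hostname appears as a label run, but the registrable domain differs."""
    labels = host.lower().split(".")
    owner = registrable_domain(host)
    for brand in KNOWN_BRANDS:
        if _contains_labels(labels, brand.split(".")) and owner != brand:
            return brand
    return None


def _fold(s: str) -> str:
    for look_alike, canonical in CONFUSABLES:
        s = s.replace(look_alike, canonical)
    return s


def confusable_brand(host: str) -> Optional[str]:
    """Registrable domain that equals a known brand once confusable glyphs are folded."""
    owner = registrable_domain(host)
    if owner in KNOWN_BRANDS:
        return None
    for brand in KNOWN_BRANDS:
        if _fold(owner) == _fold(brand):
            return brand
    return None


def _one_transposition_away(a: str, b: str) -> bool:
    if len(a) != len(b):
        return False
    diff = [i for i in range(len(a)) if a[i] != b[i]]
    return (len(diff) == 2 and diff[1] == diff[0] + 1
            and a[diff[0]] == b[diff[1]] and a[diff[1]] == b[diff[0]])


def typosquat_brand(host: str) -> Optional[str]:
    """Registrable domain that is one adjacent-letter swap away from a known brand."""
    owner = registrable_domain(host)
    for brand in KNOWN_BRANDS:
        if _one_transposition_away(owner, brand):
            return brand
    return None


def triage(host: str) -> List[str]:
    """Collect every lookalike finding for one hostname (empty list = nothing seen)."""
    findings = []
    brand = brand_spoofed_as_prefix(host)
    if brand:
        findings.append(f"brand-prefix: {brand} used as subdomain of {registrable_domain(host)}")
    brand = confusable_brand(host)
    if brand:
        findings.append(f"confusable: {registrable_domain(host)} reads as {brand}")
    brand = typosquat_brand(host)
    if brand:
        findings.append(f"typosquat: {registrable_domain(host)} is a letter swap of {brand}")
    return findings


if __name__ == "__main__":
    # Hostnames from the quoted write-ups, re-joined (they are defanged in the posts).
    for h in ["cpa.state.tx.us.tax-returns.mattwaltererie.net",
              "marriott.com.reservation.lookup.viperlair.net",
              "www.klwines.com.order.complete.prysmm.net",
              "store.stearnpowered.com", "wikipeida.org", "www.marriott.com"]:
        print(h, "->", triage(h) or "no finding")
```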

  6. #236

    Who's Who SCAM, BoA SPAM

    FYI...

    Who's Who SCAM
    whoswhonetworkonline .com
    - http://blog.dynamoo.com/2013/07/whos...ecom-spam.html
    19 July 2013 - "This turd of an email was sent to an info@ email address on a domain I own. It appears to be a classic Who's Who scam*.
    * https://en.wikipedia.org/wiki/Who%27s_Who_scam
    From: Who's Who [cpm2 @contactwhoswho .us]
    Reply-To: databaseemailergroup @gmail .com
    date: 19 July 2013 05:44
    subject: You were recently nominated into Who's Who Amoung Executives
    Who's Who Network Online
    Hello,
    As you are probably aware, in the last few weeks, we at the Who's Who Among Executives and Proefssionals have reached out to several hundred individuals for placement in our upcoming 2013 edition of our directory. You were contacted, but we did not receive any of your biographical information. We would like to give you another opportunity to do so...


    Clicking on the link takes you to whoswhonetworkonline .com hosted on 66.11.129.87 (Stafford Associates Computer Specialists Inc., New York). The WHOIS details are hidden.
    Screenshot: https://lh3.ggpht.com/-LAZAcu9_sfE/U...workonline.png
    There's no clue anywhere on the site or in the email about who is behind the spam. There is no corporation in New York with the exact name "Who's Who Network Online" although there are several similar sounding entities. However, there are some clues in the headers of the email that link it through to another recent and similarly-themed spam... The email originates from a Comcast IP address of 174.58.75.1 in West Florida, and then routes through a server at 192.217.104.157 (NTT America) which has the hostname contactwhoswho.us which is consistent with the cpm2 @contactwhoswho .us sender's address...
    Darin Delia appears to be the same person who was sending out Spotlite Radio spam**..."
    ** http://blog.dynamoo.com/2013/04/spot...3com-spam.html
    ___

    Bank of America Transaction Completed Spam
    - http://threattrack.tumblr.com/post/5...completed-spam
    19 July 2013 - "Subjects Seen:
    Your transaction is completed
    Typical e-mail details:
    Transaction is completed. $99479350 has been successfully transferred.
    If the transaction was made by mistake please contact our customer service.
    Receipt on payment is attached.


    Malicious File Name and MD5:
    payment receipt(copy).zip (F87DB429BED542ED6D26ACF8924280FB)
    payment receipt(copy).exe (22C694FDA2FF8BECC447D1BE198A74DC)

    Screenshot: https://gs1.wac.edgecastcdn.net/8019...0qX1qz4rgp.png
    ___

    Fake Verizon Wireless "Data Usage Overage Alert" / verizonwirelessreports .com
    - http://blog.dynamoo.com/2013/07/veri...e-overage.html
    20 July 2013 - "This fake Verizon email leads to malware on the domain onemessage.verizonwireless.com.verizonwirelessreports .com:
    Date: Fri, 19 Jul 2013 10:48:31 -0500 [11:48:31 EDT]
    From: Verizon Wireless [VZWMail @e-marketing. verizonwireless-mail .net]
    Subject: Data Usage Overage Alert
    Important Information About Your Account. View Online
    verizon wireless Explore Shop My Verizon Support
    Important Information About Your Data Usage
    Your account has used your data allowance for this month and you may now be billed overage charges. Your monthly data allowance will reset on the 20th.
    Run an Account Analysis in My Verizon to analyze your recent months' data usage and review your plan options.
    Don't forget, you can also manage your alert settings in My Verizon including adding recipients and opting out of specific alerts.
    Thank you for choosing Verizon Wireless.
    Details as of:
    [redacted]
    07/19/2013 02:15 AM EDT
    We respect your privacy. Please review our privacy policy for more information
    about click activity with Verizon Wireless and links included in this email.
    This email was sent to [redacted];
    ID: [redacted]


    The -link- in the email goes through a legitimate -hacked- site and ends up on a malware landing page at [donotclick]onemessage.verizonwireless.com.verizonwirelessreports .com/news/verizon-bill.php (report here*) hosted on:
    172.255.106.126 (Nobis Technology Group, US / Creative Factory Beijing, China)
    188.134.26.172 (Perspectiva Ltd, Russia)
    The domain verizonwirelessreports .com is -fake- and was recently registered to an anonymous person. However, given the IPs and associated domains then this is clearly the work of this gang.
    Blocklist: ..."
    * http://urlquery.net/report.php?id=3863421

    Last edited by AplusWebMaster; 2013-07-20 at 03:03.

  7. #237
    AplusWebMaster

    Fake BBC website SPAM hits Twitter

    FYI...

    Fake BBC website SPAM hits Twitter
    - http://www.threattracksecurity.com/i...-hits-twitter/
    July 19, 2013 - "There’s a spam-run doing the rounds right now which uses a -fake- BBC website to drive traffic to a diet pill website:
    > http://www.threattracksecurity.com/i...mazingbbc1.jpg
    ... All of the posts use the hashtag “Amazing”, with a link to a fake BBC URL + 6 seemingly random numbers:
    #amazing newslinkbbc(dot)co(dot)uk/??[6 digits]
    The above URL was registered in August 2011. Additionally, there are more fake BBC sites located at mailbbc(dot)co(dot)uk (registered August 2011, on the same day as the URL currently being posted to Twitter) and securebbc(dot)co(dot)uk (registered August 2012). At least one other URL has been up for debate in years gone by in relation to the person claiming ownership of newslinkbbc and mailbbc. Clicking
    newslinkbbc(dot)co(dot)uk takes end-users to world-bbc(dot)co(dot)uk (registered August 2012):
    Fake BBC Spam site..
    > http://www.threattracksecurity.com/i...mazingbbc2.jpg
    ... The above site advertises a weightloss diet designed to remove belly fat. The live link on the site leads to bbchost(dot)altervista(dot)org/news/health-21434875/try-garcinia-now which -redirects- to
    pgc(dot)my-secure-orders(dot)com/?clickid=[ID removed]
    > http://www.threattracksecurity.com/i...mazingbbc3.jpg
    The site is promoting the formerly mentioned diet pills... We’ve seen 360+ of these links being spammed on Twitter... and no doubt the spam will continue to grow before Twitter gets a handle on the situation. For now, be very wary of any and all links being spammed with the #amazing hashtag, and if you find yourself spamming the same Tweets then change your password and remove any apps tied to your account that you don’t remember adding (or indeed, have added recently but don’t feel so confident about anymore)."


  8. #238
    AplusWebMaster

    Malicious URLs in .lc zone

    FYI...

    Malicious URLs in .lc zone
    - https://www.securelist.com/en/blog/9...RLs_in_lc_zone
    July 20, 2013 - "While analyzing suspicious URLs I found out that more and more malicious URLs are coming from .lc domain, which formally belongs to Santa Lucia* country located in the eastern Caribbean Sea. Our statistics confirm this trend.
    > https://www.securelist.com/en/images...lblog/9106.png
    Cybercriminals from different places of the world are actively using this domain, including cybercriminals from Brazil abusing free Web hosting available in that country.
    > https://www.securelist.com/en/images...lblog/9104.jpg
    How many legitimate domains at .lc zone have you ever had to visit in your life? If the answer is zero, so maybe it’s time to start filtering access to this domain, especially on the corporate Firewall / Proxy layer."
    * https://en.wikipedia.org/wiki/Saint_Lucia
    ___

    PlugX malware factory revisited... Smoaler
    - http://atlas.arbor.net/briefs/index#-1265345240
    High Severity
    July 19, 2013
    The Smoaler malware has been uncovered and is involved in targeted attacks. Organizations that may have been targeted would benefit from careful analysis of this information and associated indicators.
    Analysis: Targeted attack campaigns continue as usual. As actors are discovered, their techniques, tactics and procedures evolve. While the technique of running malware in memory is not new, it is put into practice here, and the final payload varies. While many targeted attacks still involve only the amount of force necessary to compromise the targeted, many other attack campaigns that have yet to be unmasked are surely in operation.
    Source: http://nakedsecurity.sophos.com/2013...ucing-smoaler/

    - https://web.nvd.nist.gov/view/vuln/d...=CVE-2012-0158 - 9.3 (HIGH) / MS12-027
    Last revised: 03/07/2013

    Last edited by AplusWebMaster; 2013-07-21 at 16:39.

  9. #239
    AplusWebMaster

    Bitcoin mining tools in the wild...

    FYI...

    Bitcoin mining tools in the wild...
    - http://blog.webroot.com/2013/07/22/y...d-in-the-wild/
    July 22, 2013 - "Cybercriminals continue releasing new, commercially available, stealth Bitcoin/Litecoin mining tools, empowering novice cybercriminals with the ability to start monetizing the malware-infected hosts part of their botnets, or the ones they have access to which they’ve purchased through a third-party malware-infected hosts selling service...
    Sample screenshots of the stealth Bitcoin/Litecoin mining tool’s admin panel:
    > https://webrootblog.files.wordpress....ining_tool.png
    > https://webrootblog.files.wordpress....ng_tool_01.png
    ... the cybercriminal behind it released it in a way that would prevent its mass spreading, supposedly due to the fact that he doesn’t want to attract the attention of security vendors whose sensor networks would easily pick up any massive campaigns featuring the miner. Therefore, he’s currently offering a limited number of copies of this miner. Over the last couple of months we’ve been intercepting multiple subscription-based or DIY type of stealth Bitcoin/Litecoin miners, indicating that the international underground marketplace is busy responding to the demand for such type of tools. Despite the fact that Bitcoin is a ‘trendy’ E-currency, we believe that for the time being, Russian and Eastern European cybercrime gangs will continue to maintain a large market share of the underground’s market profitability metric, due to their utilization of mature, evasive, and efficient monetization tactics..."

    Bitcoin Mining by Botnet...
    - https://krebsonsecurity.com/2013/07/...ing-by-botnet/
    July 18, 2013
    ___

    Fake American Airlines SPAM / sai-uka-sai .com
    - http://blog.dynamoo.com/2013/07/amer...saicom_22.html
    22 July 2013 - "This fake American Airlines spam leads to malware on www .aa .com.reservation.viewFareRuleDetailsAccess.do.sai-uka-sai .com:
    From: American.Airlines@aa .net
    Date: 22 July 2013 17:22
    Subject: AA.com Itinerary Summary On Hold
    Dear customer,
    Thank you for making your travel arrangements on AA.com! Your requested itinerary is now ON HOLD. Details below.
    To ensure that your reservation is not canceled you must complete the purchase of this reservation by clicking the “Purchase” button on this email, or by using the “View/Change Reservations” section on www .aa .com.
    This reservation is on HOLD until July 22, 2013 11:59 PM CDT (Central Daylight Time) ...


    The link in the email goes through a legitimate -hacked- site and ends up on a malware landing page at [donotclick]www.aa.com.reservation.viewFareRuleDetailsAccess.do.sai-uka-sai .com/news/american-airlines-hold.php (report here*) hosted on the following IPs:
    50.97.253.162 (Softlayer, US**)
    95.111.32.249 (Megalan / Mobitel EAD, Bulgaria)
    188.134.26.172 (Perspectiva Ltd, Russia)
    209.222.67.251 (Razor Inc, US)
    The WHOIS details for that domain are the characteristically -fake- ones...
    Recommended blocklist:
    50.97.253.162
    95.111.32.249
    188.134.26.172
    209.222.67.251
    ..."
    * http://urlquery.net/report.php?id=3928752

    Diagnostic page for AS36351 (SOFTLAYER)
    ** https://www.google.com/safebrowsing/...?site=AS:36351
    "... over the past 90 days, 5148 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2013-07-22, and the last time suspicious content was found was on 2013-07-22... Over the past 90 days, we found 662 site(s) on this network... that appeared to function as intermediaries for the infection of 2618 other site(s)... this network has hosted sites that have distributed malicious software in the past 90 days. We found 868 site(s)... that infected 6671 other site(s)..."
    ___

    Fake BMW SPAM / pagebuoy .net
    - http://blog.dynamoo.com/2013/07/bmw-...gebuoynet.html
    22 July 2013 - "This convincing looking BMW spam leads to malware ...
    Date: Mon, 22 Jul 2013 13:07:50 -0500 [14:07:50 EDT]
    From: BMW of North America [womanliere75 @postmaster.aa-mail .org]
    Reply-To: [redacted]@m.aa-mail .com
    Subject: The BMW 6-Series M Sport Edition, M Universe, and more.
    BMW’s 6-Series M Sport Edition View Online
    BMW
    A 6 SERIES.
    WITH M PANACHE.
    Meet the 6-Series M Sport Edition. Available in all 6 series models, the M Sport Edition boasts premium features like M Aerodynamics, LED Adaptive Headlights, an M leather steering wheel, and Nappa Leather sport seats for a ride that’s a 6-Series inside and out.
    LEARN MORE
    Efficient Dynamics
    Table of Contents
    » BMW M Universe
    » BMW Wins Again
    » BMW i3 Design
    » BMW Superbike
    » BMW Collections
    WELCOME TO M’S NEW HOME.
    In the M Universe, your own M photos will become part of a visual timeline spanning all 40 award-winning years of the iconic M brand, from the classic 1972 to the new M6 Gran Coupe. To all you M fans, welcome home.
    » ENTER BMW M UNIVERSE
    THE 3 SERIES WINS AGAIN
    The BMW 3 Series continues to live up to its hard-earned reputation as the best compact sports sedan in the world. AUTOMOBILE MAGAZINE presented the 3 Series with the coveted 2013 All-Star award, making the number of AUTOMOBILE MAGAZINE awards won by the 3 Series alone over a dozen.
    » BUILD YOUR OWN ...


    Screenshot: https://lh3.ggpht.com/-NQsSlwUYaOI/U...0/bmw-spam.jpg

    The link in the email goes through a legitimate -hacked- site and ends up on [donotclick]links.emails.bmwusa.com.open.pagebuoy .net/news/bmw-newmodel.php (report here*) which is hosted on the same IP addresses as this spam run**."
    * http://urlquery.net/report.php?id=3929867

    ** http://blog.dynamoo.com/2013/07/amer...saicom_22.html
    ___

    NY Better Business Bureau Spam
    - http://threattrack.tumblr.com/post/5...ss-bureau-spam
    July 22, 2013 - "Subjects Seen:
    FW: Case <removed>
    Typical e-mail details:
    The Better Business Bureau has received the above-referenced complaint from one of your customers regarding their dealings with you. The details of the consumer’s concern are included on the reverse. Please review this matter and advise us of your position.
    As a neutral third party, the Better Business Bureau can help to resolve the matter. Often complaints are a result of misunderstandings a company wants to know about and correct.
    In the interest of time and good customer relations, please provide the BBB with written verification of your position in this matter by June 30, 2013. Your prompt response will allow BBB to be of service to you and your customer in reaching a mutually agreeable resolution. Please inform us if you have contacted your customer directly and already resolved this matter.
    The Better Business Bureau develops and maintains Reliability Reports on companies across the United States and Canada . This information is available to the public and is frequently used by potential customers. Your cooperation in responding to this complaint becomes a permanent part of your file with the Better Business Bureau. Failure to promptly give attention to this matter may be reflected in the report we give to consumers about your company.
    We encourage you to print this complaint (attached file), answer the questions and respond to us.
    We look forward to your prompt attention to this matter.
    Sincerely ...


    Malicious URLs ...

    Malicious File Name and MD5:
    Complaint_<date>.zip (B82478381DCECD63B81F64EDF7632D51)
    Complaint_<date>.zip (95B542B1BCBD7D5AEE65F97E9125D90C)

    Screenshot: https://gs1.wac.edgecastcdn.net/8019...JgV1qz4rgp.png
    ___

    Fake IRS "Complaint Case #488870383295" SPAM / Complaint_488870383295.zip
    - http://blog.dynamoo.com/2013/07/irsg...3295-spam.html
    22 July 2013 - "This spam contains a malicious attachment, but seems to confuse the roles of the BBB and the IRS.
    Date: Mon, 22 Jul 2013 09:59:08 -0500 [10:59:08 EDT]
    From: "IRS.gov" [fraud .dep @irs. gov]
    Subject: Complaint Case #488870383295
    You have received a complaint in regards to your business services.
    The complaint was filled by Mr./Mrs. Ulivo DELERME on 07/22/2013/
    Case Number: 488870383295
    Instructions on how to resolve this complaint as well as a copy of the original complaint are attached to this email.
    Disputes involving consumer products and/or services may be arbitrated. Unless they directly relate to the contract that is the basis of this dispute, the following claims will be considered for arbitration only if all parties agree in writing that the arbitrator may consider them: Claims based on product liability; Claims for personal injuries; Claims that have been resolved by a previous court action, arbitration, or written agreement between the parties.
    The decision as to whether your dispute or any part of it can be arbitrated rests solely with the IRS.
    The IRS offers a binding arbitration service for disputes involving marketplace transactions. Arbitration is a convenient, civilized way to settle disputes quickly and fairly, without the costs associated with other legal options.
    2013 Council of IRS, Inc. All Rights Reserved.


    Attached to the email is a ZIP file Complaint_488870383295.zip which in turn contains an executable Complaint_07222013.exe which is bad news. VirusTotal detection rates are a so-so 14/47*... the Malwr analysis** seems to be the most comprehensive and shows traffic out to the following compromised sites:

    The second part has a much lower detection rate of just 2/47. At the moment this second stage is still being analysed."
    * https://www.virustotal.com/en/file/d...is/1374520022/

    ** https://malwr.com/analysis/MGIxNjJjY...E1YzE4Yzc0ZGI/

    Last edited by AplusWebMaster; 2013-07-23 at 03:50.
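    The subdomain-prefix trick seen in the Verizon report above and in the American Airlines and BMW reports in this post (a genuine brand hostname grafted onto an unrelated registrable domain) can be flagged mechanically before anyone clicks. This is an added Python example, not code from the quoted blogs; the brand list, the refang rules and the sample lines are assumptions built from the defanged strings on this page.

```python
import re

# Assumed list of the legitimate registrable names that the reports on this
# page show being impersonated (constructed for this example).
BRANDS = ["verizonwireless.com", "aa.com", "bmwusa.com", "ups.com",
          "klwines.com", "cpa.state.tx.us"]

# Sample input constructed from the defanged strings quoted on this page.
SAMPLE_REPORT_LINES = [
    "[donotclick]onemessage.verizonwireless.com.verizonwirelessreports .com/news/verizon-bill.php",
    "www. klwines .com.order.complete.prysmm .net",
    "package.ups.com.shanghaiherald .net",
    "links.emails.bmwusa.com.open.pagebuoy .net/news/bmw-newmodel.php",
    "cpa.state.tx .us.tax-returns.mattwaltererie .net",
    "www.verizonwireless.com",
    "hxxp ://dkg.videodownloadonline .com/download/video_downloader",
]


def refang(text):
    """Turn a defanged URL or hostname, as written in the reports, into a bare hostname.

    Handles the 'foo .com', 'www. foo', '(dot)', 'hxxp://' and '[donotclick]'
    conventions used on this page; hostnames never contain whitespace, so all
    whitespace is simply dropped.
    """
    s = text.strip().replace("[donotclick]", "")
    s = re.sub(r"\(dot\)", ".", s, flags=re.IGNORECASE)
    s = re.sub(r"\s+", "", s)
    s = re.sub(r"^(?:hxxps?|https?)://", "", s, flags=re.IGNORECASE)
    host = s.split("/", 1)[0].split(":", 1)[0]   # drop path and port
    return host.lower().rstrip(".")


def classify(host, brands=BRANDS):
    """Return (verdict, brand) for a hostname.

    'legit'     - host is the brand domain or a real subdomain of it
    'lookalike' - the brand domain appears as a label sequence that is NOT the
                  suffix, i.e. it is only a prefix on someone else's domain
    'unknown'   - no known brand involved
    """
    h = "." + host.lower().rstrip(".") + "."
    for brand in brands:
        if h.endswith("." + brand.lower() + "."):
            return ("legit", brand)
    for brand in brands:
        if ("." + brand.lower() + ".") in h:
            return ("lookalike", brand)
    return ("unknown", None)


def triage(lines, brands=BRANDS):
    """Refang and classify each report line; lookalikes are block-list candidates."""
    results = []
    for line in lines:
        host = refang(line)
        verdict, brand = classify(host, brands)
        results.append((host, verdict, brand))
    return results


if __name__ == "__main__":
    for host, verdict, brand in triage(SAMPLE_REPORT_LINES):
        print(f"{verdict:9s} {brand or '-':20s} {host}")
```

    The same check can be run over proxy or mail-gateway logs; a hostname that embeds a brand you own but does not end in your domain is worth an alert regardless of what the rest of the name says.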

  10. #240
    AplusWebMaster

    Fake Media Player, Malware sites to block...

    FYI...

    Fake Media Player - rogue video Downloader PUA
    - http://blog.webroot.com/2013/07/23/d...plication-pua/
    July 23, 2013 - "Our sensors continue picking up deceptive advertisements that expose gullible and socially engineered users to privacy-invading applications and toolbars, most commonly known as Potentially Unwanted Applications (PUAs). The latest detected campaign utilizes multiple legitimately looking banners in an attempt to trick users into thinking that their media player needs to be updated. Once users install the bogus ‘Media Player Update’, they introduce third-party privacy-invading software onto their PCs and directly contribute to the revenue flow of the cybercriminals behind the campaign...
    Sample screenshots of multiple deceptive ads leading to the same Potentially Unwanted Application (PUA):
    > https://webrootblog.files.wordpress....yer_update.png
    > https://webrootblog.files.wordpress....e_01.png?w=869
    > https://webrootblog.files.wordpress....e_03.png?w=869
    ... Sample screenshot of the landing page:
    https://webrootblog.files.wordpress....ng?w=641&h=544
    Rogue URL:
    hxxp ://dkg.videodownloadonline .com/download/video_downloader – 107.14.36.160; 107.14.36.120
    Detection rate for the PUA – MD5: 85387afff8e5e66e2d9cc5dc1c43c922 * ... Adware.Downware.925; Bundlore (fs). The sample is digitally signed by Bundlore LTD, which is yet another pay-per-install affiliate network.
    Rogue URL: bundlore .com – 98.129.229.186 – Email: eldad.shaltiel @gmail .com
    ... MD5s... known to have interacted with the same IP (98.129.229.186)..."
    (More detail at the first webroot URL above.)
    * https://www.virustotal.com/en/file/f...4d3a/analysis/
    ___

    Malware sites to block 23/7/13
    - http://blog.dynamoo.com/2013/07/malw...ock-23713.html
    23 July 2013 - "These malicious domains and IPs are associated with this prolific gang*. As usual, I've listed IPs with hosts first and then a plain list of IPs and domains for copy-and-pasting at the end..."
    (Long list of IPs at the dynamoo URL above.)
    * http://blog.dynamoo.com/search/label/Amerika
    ___

    Linkedin Spam leads to Canadian Pharma sites
    - http://www.threattracksecurity.com/i...-pharma-sites/
    July 23, 2013 - "We’ve seen an email spam-run taking place over the last couple of days, involving what appear to be compromised websites redirecting end-users to Canadian pharmacy spam pages (and quite possibly other forms of medicinal spam content too). Here’s an example of one such email – at time of writing, -all- of them are Linkedin message imitations:
    > http://www.threattracksecurity.com/i...7/sadtech1.jpg ...
    > http://www.threattracksecurity.com/i...7/sadtech4.jpg
    ... Another redirect destination we’ve seen is ipadherbaltablet(dot)com – again, offline at time of writing. Campaigns such as the above tend to be fast moving, constantly shifting URLs as compromised sites get a handle on the hack and new spam domains are set up to replace the ones that are blacklisted / shut down... they have the direct, non-Linkedin URL right there in the Email body. The non-hidden URLs, combined with the seemingly short lifespan of the spam sites will hopefully mean this one isn’t clogging up mailboxes for too long."
    ___

    “Click This Photo for Tumblr Fame” Turns Volume Up...
    - http://www.threattracksecurity.com/i...-up-to-eleven/
    July 23, 2013 - "... garish set of posts that have been doing the rounds on Tumblr over the last day or so. Here’s the most recent collection of archived posts on an affected blog..
    > http://www.threattracksecurity.com/i...ckforfame1.jpg
    ... “Click this photo for Tumblr fame”, claims the animated .gif. Animated? You bet. It rotates through 3 different “promo” images, and by the time the image goes out of sync on the Archive page it ends up looking something like this with all of the second-long splash images rotating away and vying for attention... The bulk of the posts on the above blog have around 1,000+ reblogs / notes each, though some of them are reposts of the same content. In all cases, they use a shortened URL service to send users to their final destination... At time of writing, none of the apps appear to have done anything publicly – there’s certainly nothing posted to our test account – but we’ll continue to monitor and see what happens."
    (More detail at the first URL above.)
    ___

    Something evil on 91.233.244.102
    - http://blog.dynamoo.com/2013/07/some...233244102.html
    23 July 2013 - "These following domains are hosted on 91.233.244.102 (Olborg Ltd, Russia). This IP is implicated in Runforestrun infectors*, has several malware detections on VirusTotal** plus a few on URLquery***. Google has flagged several domains as being malicious... Obviously there's quite a concentration of evil on this IP address and the simplest thing to do would be to banish it from your network, in fact I would personally recommend blocking the whole 91.233.244.0/23 block..."
    (More detail at the dynamoo URL above.)
    * http://malwaremustdie.blogspot.co.uk...truns-dga.html

    ** https://www.virustotal.com/en-gb/ip-...2/information/

    *** http://urlquery.net/search.php?q=91....3-07-23&max=50
    ___

    Incoming Money Transfer Spam
    - http://threattrack.tumblr.com/post/5...-transfer-spam
    July 23, 2013 - "Subjects Seen:
    Important Notice - Incoming Money Transfer
    Typical e-mail details:
    please complete the “A136 Incoming Money Transfer Form".
    Fax a copy of the completed “A136 Incoming Money Transfer Form" to +1 800 722 1934.
    To avoid delays or additional fees please be sure the Beneficiary Information including name, branch name, address, city, state, country, and Routing Number (ABA Number) or SWIFT BIC Code is correct. For international Wires be sure you include the International Routing Code (IRC) and International Bank Account Number (IBAN) for countries that require it.
    Thank you,
    Lowell_Madden
    Senior Officer
    Cash Management Verification


    Malicious URLs ...

    Malicious File Name and MD5:
    A136_Incoming_Money_Transfer_Form.zip (9BD136876BD8B5796C30F1750983E764)
    A136_Incoming_Money_Transfer_Form.exe (3CDA70F6B2628A6CD1F552F5FEB11F05)

    Screenshot: https://gs1.wac.edgecastcdn.net/8019...TvM1qz4rgp.png
    ___

    Fake Incoming Money Transfer SPAM / A136_Incoming_Money_Transfer_Form.zip
    - http://blog.dynamoo.com/2013/07/webc...-transfer.html
    23 July 2013 - "This fake webcashmgmt .com spam comes with a malicious attachment:
    Date: Tue, 23 Jul 2013 10:21:08 -0500 [11:21:08 EDT]
    From: WebCashmgmt [Alberto_Dotson @webcashmgmt .com]
    Subject: Important Notice - Incoming Money Transfer
    An Incoming Money Transfer has been received by your financial institution for spamcop.net. In order for the funds to be remitted on the correct account please complete the "A136 Incoming Money Transfer Form".
    Fax a copy of the completed "A136 Incoming Money Transfer Form" to +1 800 722 5331...


    There is an attachment A136_Incoming_Money_Transfer_Form.zip containing an executable file A136_Incoming_Money_Transfer_Form.exe. The VirusTotal detection rate is a miserable 6/47*.
    This is a two stage pony/gate infection according to the Malwr report**. Functionally it looks very similar to the payload used in this spam run***."
    * https://www.virustotal.com/en-gb/fil...is/1374594791/

    ** https://malwr.com/analysis/MDcyYmQ4N...EzMzliYmRhYjg/

    *** http://blog.dynamoo.com/2013/07/irsg...3295-spam.html
    ___

    Facebook Friend Spam
    - http://threattrack.tumblr.com/post/5...ok-freind-spam
    July 23, 2013 - "Subjects Seen:
    [removed] wants to be friends with you on Facebook.
    Typical e-mail details:
    [removed] wants to be friends with you on Facebook.

    Malicious URLs ...


    Screenshot: https://gs1.wac.edgecastcdn.net/8019...Nae1qz4rgp.png

    Last edited by AplusWebMaster; 2013-07-23 at 20:53.
