
Thread: SPAM frauds, fakes, and other MALWARE deliveries...

  1. #261
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Fake emails: Threat Outbreak Alerts, UPS scam...

    FYI...

    Fake email - Threat Outbreak Alerts
    - http://tools.cisco.com/security/cent...utbreak.x?i=77
    Fake FedEx Parcel Delivery Failure Notification Email Message - 2013 Aug 27
    Fake Money Transfer Notification Email Messages - 2013 Aug 27
    Fake Bank Payment Notice Email Messages - 2013 Aug 27
    Fake Account Payment Notification Email Messages - 2013 Aug 27
    Fake Bank Payment Transfer Notification Email Messages - 2013 Aug 27
    Fake Package Shipping Notification Email Messages - 2013 Aug 27
    Fake Business Complaint Notification Email Messages - 2013 Aug 27
    Fake Tax Return Information Email Messages - 2013 Aug 27
    Email Messages with Malicious Attachments - 2013 Aug 27
    Fake Product Purchase Order Request Email Messages - 2013 Aug 27
    Fake Tax Documentation Email Messages - 2013 Aug 27
    Fake Product Services Specification Request Email Messages - 2013 Aug 27
    (More detail and links at the cisco URL above.)
    ___

    UPS Email scam delivers Backdoor
    - http://blog.trendmicro.com/trendlabs...vers-backdoor/
    Aug 27, 2013 - "... most users can easily detect spammed messages, particularly those that attempt (and fail) at looking like legitimate email notifications... We recently found an email sample spoofing the popular mail courier service UPS. The email poses as a package delivery notification, containing links to the tracking site and .PDF copy of the shipping invoice. This is definitely not the first time we received such an email. However, what makes this spam stand out is the way it hides its true, malicious intent.
    > https://blog.trendmicro.com/trendlab...pamrun_825.png
    As seen in the email screenshot above, the malware-hosting site is hyperlinked to the legitimate UPS URL where the .PDF version of the shipping invoice can be downloaded. For users, this URL may seem safe; however, when they click the URL it leads to the downloading of the malicious ZIP file. To further convince users of its legitimacy, the recipient’s email address was created to closely resemble the actual UPS email address. The ZIP file contains a malicious file which Trend Micro detects as BKDR_VAWTRAK.A. This backdoor steals stored information in several FTP clients or file manager software. In addition, BKDR_VAWTRAK.A also steals email credentials from Outlook, PocoMail, IncrediMail, Windows Live Mail, and The Bat! among others. In order to avoid detection on the system, this backdoor deletes certain registry keys related to Software Restriction Policies... this attack was moderate in number, constituting approximately 1 in every 300-400 thousand spam on the day of the outbreak based on the estimate. To give this a baseline of comparison, the recent Royal Baby spam outbreak consisted of 1 in every 200 spam on the days of that outbreak. This email campaign also appears to be targeting specific organizations, which stresses the importance of social engineering training and how to make it effective in a workplace setting. This includes training like “social” penetration training, which is basically having someone play an attacker and attempt to lure employees via social engineering..."

    Last edited by AplusWebMaster; 2013-08-28 at 02:03.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #262
    AplusWebMaster

    High Profile Domains under Siege

    FYI...

    High Profile Domains under Siege
    - http://blog.opendns.com/2013/08/27/h...s-under-siege/
    August 27, 2013 - "We are actively seeing several high profile domains being -hijacked- at the DNS level and are actively blocking all requests from the apparent attackers’ name servers. The attacker looks to have compromised domain name registrar MelbourneIT. Reported domains include Share This, Twitter, Huffington Post, and the New York Times. We’re not linking to those sites for obvious reasons. The IP addresses and domains that have been involved in -redirection- have been blocked by OpenDNS... We are now blocking all requests that are coming from the known bad name servers... screenshots show the bad name server, 141.105.64.37, which is currently hosting domains including malware and phishing along with the domains affected by today’s attack..."
    (Screenshots at the opendns URL above.)

    - https://www.virustotal.com/en/ip-add...7/information/

    - https://isc.sans.edu/diary.html?storyid=16451
    Last Updated: 2013-08-27 21:09:58 UTC

    - http://www.theregister.co.uk/2013/08...domain_hijack/
    27 August 2013

    - http://arstechnica.com/security/2013...f-their-sites/
    Aug 27 2013, 10:10pm EST

    Last edited by AplusWebMaster; 2013-08-29 at 15:20.

  3. #263
    AplusWebMaster

    Sendori software update - malware...

    FYI...

    Sendori software update - malware...
    - https://isc.sans.edu/diary.html?storyid=16466
    Last Updated: 2013-08-29 04:27:07 UTC - "Reader Kevin wrote in to alert us of an interesting discovery regarding Sendori. Kevin stated that two of his clients were treated to malware via the auto-update system for Sendori. In particular, they had grabbed Sendori-Client-Win32/2.0.15 from 54.230.5.180 which is truly an IP attributed to Sendori via lookup results. Sendori's reputation is already a bit sketchy; search results for Sendori give immediate pause but this download in particular goes beyond the pale. With claims that "As of October 2012, Sendori has over 1,000,000 active users" this download is alarming and indicates something else is likely afoot with Sendori's site and/or updater process. The URL path (to be considered hostile) is: hxxp ://upgrade.sendori .com/upgrade/2_0_16/sendori-win-upgrader.exe...
    VirusTotal results currently nine malware hits (9/46*). Malwr results** are rather damning, and as Kevin stated, Zeus-like... Other filenames for this sample as seen in the wild:
    sendori-win-upgrader.exe
    SendoriSetup-2.0.15.exe
    update_flash_player.exe
    14542884
    output.14542884.txt
    Update_flash_player.exe ...
    Sendori replied to Kevin's notification with; they are engaged and investigating:
    'Hi Kevin, we have engaged our network and security team. They will analyze and take appropriate action to resolve this issue. They will contact if they need any additional information from you.
    Thanks again for bringing this to our notice.
    Thanks Sendori Support team' ...
    Comment(1): I checked again this morning and the file sendori-win-upgrader.exe they are hosting has now changed to a smaller version with MD5 771f2382ce00d6f8378f56510fa0da43.
    I was hoping that meant the Sendori folks cleaned things up but VirusTotal still throws 4 malware hits on the file, and a fresh Malwr analysis looks as evil as before. It looks like whoever is exploiting Sendori's auto-update system has just "freshened up" the file for better AV evasion. I updated my ticket with Sendori Support. My first sighting of this issue was on 2013-08-28 at 4:58pm EST when my first client was nailed with it.
    Kevin Branch..."

    ... sendori .com/consumer_problem.html
    "Sendori software works in tandem with web browsers to dramatically speed access to tens of thousands of the most popular websites..."

    * https://www.virustotal.com/en/file/1...441d/analysis/

    ** https://malwr.com/analysis/Y2E4ZDlkM...VlMDcyMjk2NGU/
    ___

    Threat Outbreak Alerts
    - http://tools.cisco.com/security/cent...utbreak.x?i=77
    Fake eFax Message Notification Email Messages - 2013 Aug 29
    Fake Account Payment Notification Email Messages - 2013 Aug 29
    Fake Purchase Order Request Email Messages - 2013 Aug 29
    Fake Payment Notification Email Messages - 2013 Aug 29
    Fake Payment Information Email Messages - 2013 Aug 29
    Fake Shipping Information Email Messages - 2013 Aug 29
    Fake Product Order Email Messages - 2013 Aug 29
    Fake Account Information Request Email Messages - 2013 Aug 29
    Fake Photo Sharing Email Messages - 2013 Aug 29
    Fake Product Purchase Request Email Messages - 2013 Aug 29
    Fake Invoice Notification Email Messages - 2013 Aug 29
    Fake Payment Notification Email Messages - 2013 Aug 29
    Email Messages with Malicious Attachments - 2013 Aug 29
    Fake Account Deposit Notification Email Messages - 2013 Aug 29
    Fake Package Delivery Failure Notification Email Messages - 2013 Aug 29
    Fake Product Services Specification Request Email Messages - 2013 Aug 29
    Fake Product Purchase Order Email Messages on August 28, 2013 - 2013 Aug 29
    Malicious Personal Pictures Attachment Email Messages - 2013 Aug 29
    Fake Scanned Document Attachment Email Messages - 2013 Aug 29
    (More detail and links at the cisco URL above.)

    Last edited by AplusWebMaster; 2013-08-29 at 21:36.

  4. #264
    AplusWebMaster

    Visa/PayPal, Paychex SPAM...

    FYI...

    Visa/PayPal Spam
    - http://threattrack.tumblr.com/post/5...sa-paypal-spam
    Aug 30, 2013 - "Subjects Seen:
    Resolution of case #PP<random>
    Typical e-mail details:
    Dear Visa card holder,
    Our records indicate that you never responded to requests for additional information about this claim. We hope you review the attached file and solve the situation amicably.
    For more details please see on the page View all details on the Usa.visa.com/personal/
    Visa does not tolerate fraud or illegal activities. Your complaint has been noted in the record of the Visa card holder you reported. If we find this user has violated our policies, we will investigate and take appropriate action. If this occurs, you may be contacted in the future about the status of this complaint.
    To make sure future transactions proceed smoothly, we suggest you visit the PayPal site and click the Security Center link located at the top of any page. There you will find tips on how to avoid fraudulent sellers in the “Fraud Prevention Tips for Buyers” section.


    Malicious URLs
    dp56148868.lolipop .jp/brassing/index.html
    rossizertanna .it/occupancy/index.html
    abesgrillnbar .com/topic/able_disturb_planning.php


    Screenshot: https://gs1.wac.edgecastcdn.net/8019...xum1qz4rgp.png
    ___

    Paychex Insurance Spam
    - http://threattrack.tumblr.com/post/5...insurance-spam
    Aug 30, 2013 - "Subjects Seen:
    Paychex Insurance Agency
    Typical e-mail details:
    The security of your personal information is of the utmost importance to Paychex, so we have sent the attached as a secure electronic file.
    For more details please see on the page. View all details »
    Note: The attached file contains encrypted data. In order to view the file, you must have already installed the decryption software that was previously provided by Paychex.
    If you have any question please call us at 800-472-0072, option 4. Representatives are available to assist you Monday through Thursday between 8:00 a.m. and 8:00 p.m. ET and Friday between 8:00 a.m. and 6:00 p.m. ET.
    Paychex Insurance Agency


    Malicious URLs
    ftp(DOT)willetthofmann .com/logistically/index.html
    ftp(DOT)willetthofmann .com/shadiest/index.html
    abesonthego .com/topic/able_disturb_planning.php


    Screenshot: https://gs1.wac.edgecastcdn.net/8019...zEx1qz4rgp.png
    ___

    Federal Reserve Suspicious Activity Spam
    - http://threattrack.tumblr.com/post/5...-activity-spam
    Aug 30, 2013 - "Subjects Seen:
    FW: IMPORTANT - Suspicious Activity <random>
    Typical e-mail details:
    Greetings, addressing you is Ariel Howe, Superior Accounting Officer at Federal Reserve. We have received an inquiry from your Financial Institution regarding an incoming money transfer from Harvey Norman Holdings Ltd. retail with concern on the company’s current activity which is valued as “High Risk Activity”. In order to release the funds to your account please complete the attached form “IIMT Form 401”.
    Please note if no further action will be taken the funds will be remain locked in the Federal Reserve System or returned to the Money transfer initiator.
    Ariel Howe
    Superior Accounting Officer
    Office of Inspector General
    c/o Board of Governors of the Federal Reserve System


    Malicious File Name and MD5:
    Case_<random>.zip (35C95C02EB974CA2302D2BA3EB7E5322)
    Case_<date>.exe (F9A37404F1150C48AEC238BAC44977FC)

    Screenshot: https://gs1.wac.edgecastcdn.net/8019...9v51qz4rgp.png

    Last edited by AplusWebMaster; 2013-08-31 at 00:09.

  5. #265
    AplusWebMaster

    Malware sites to block 2/9/13 ...

    FYI...

    Malware sites to block 2/9/13
    - http://blog.dynamoo.com/2013/09/malw...lock-2913.html
    2 Sep 2013 - "These IPs and domains are associated with this gang* and should all be considered as malicious. This list follows on from this earlier one**..."
    (Long list of IPs at the dynamoo URL above.)
    * http://blog.dynamoo.com/search/label/Amerika

    ** http://blog.dynamoo.com/2013/08/malw...ock-19813.html
    ___

    Fake Facebook SPAM / london-leather .com
    - http://blog.dynamoo.com/2013/09/face...eathercom.html
    2 Sep 2013 - "This fake Facebook spam leads to malware on london-leather .com:
    Date: Mon, 2 Sep 2013 19:59:52 +0300 [12:59:52 EDT]
    From: Facebook [update+hiehdzge @facebookmail .com]
    Subject: Victoria Carpenter commented on your status...
    Hello,
    Victoria Carpenter commented on your status.
    Victoria wrote: "so cute"
    Go to comments
    Reply to this email to comment on this status.
    See Comment
    This message was sent to [redacted]...


    In this case the link in the spam appears to use some sort of URL shortening service, first going to [donotclick]jdem .cz/5xxb8 then [donotclick]93.93.189.108 /exhortation/index.html where it attempts to load one of the following three scripts:
    [donotclick]codebluesecuritynj .com/mummifies/stabbed.js
    [donotclick]mobileforprofit .net/affected/liberal.js
    [donotclick]tuviking .com/trillionth/began.js
    These scripts in turn direct the visitor to a malicious payload site at [donotclick]london-leather .com/topic/able_disturb_planning.php which is a hijacked GoDaddy domain hosted on 173.246.104.184 (Gandi, US) which hosts a number of malicious domains, also hijacked from GoDaddy...
    Recommended blocklist:
    "

    - https://www.virustotal.com/en/ip-add...4/information/
    ___

    MONK SPAM tries to profit from WAR threat
    - http://blog.dynamoo.com/2013/09/monk...-from-war.html
    2 Sep 2013 - "The MONK (Monarchy Resources Inc) pump-and-dump spam continues*. This time though, the spammers are trying to capitalise on the threat of war in the Middle East:
    From: belova04@ jeel .com
    Date: 2 September 2013 17:32
    Subject: This Stock just released Big News!
    Are you interested in enriching yourself by means of war? It`s the very
    time to do it! As soon as the first bombs get to the earth in Syria,
    stone oil prices will move up the same as MONARCHY RESOURCES INC
    (M-ON_K) share price. Go make money on Mon, Sep 2, 2013, get M-ON_K
    shares!!!...


    As previously discussed*, the stock price for this company has tanked** and is unlikely to get any better. If you attempt to do some war profiteering on this stock then you will lose out, and frankly you won't get any sympathy from me. Here are some other variants of the same scummy email:

    You can make money on war!!! It`s right time to make it. The
    moment the first rockets descend to Syria, oil prices will
    rise the same as MONARCHY RESOURCES INC. (M O N_K) bond
    price!!! Begin earning profits on Monday, September 02, 2013,
    grab M O N_K shares.
    It`s your turn to make money on war! It`s the very time to make it.
    As soon as the first bombs touch the ground in Syria, black gold
    prices will skyrocket as well as MONARCHY RESOURCES, INC (M-O-N K)
    bond price. Start making money on Mon, Sep 02, 2013, get M-O-N K
    shares...


    * http://blog.dynamoo.com/2013/08/monk...-pump-and.html

    ** http://www.nasdaq.com/symbol/monk/in...charttype=line

    Last edited by AplusWebMaster; 2013-09-02 at 21:02.

  6. #266
    AplusWebMaster

    Fake PayPal, Breaking Bad SPAM...

    FYI...

    Fake PayPal SPAM / londonleatheronline .com
    - http://blog.dynamoo.com/2013/09/payp...onlinecom.html
    3 Sep 2013 - "This fake PayPal spam leads to malware on londonleatheronline .com:
    Date: Tue, 3 Sep 2013 09:43:09 +0400 [01:43:09 EDT]
    From: PayPal [service@ int .paypal .com]
    Subject: Identity Issue #PP-716-472-864-836
    We are writing you this email in regards to your PayPal account. In accordance with our "Terms and Conditions", article 3.2., we would like to kindly ask you to confirm your identity by completing the attached form.
    Please print this form and fill in the requested information. Once you have filled out all the information on the form please send it to verification@ paypal .com along with a personal identification document (identity card, driving license or international passport) and a proof of address submitted with our system ( bank account statement or utility bill ).
    For more details please see on the page View all details
    Your case ID for this reason is PP-U3PR33YIL8AV
    For your protection, we might limit your account access. We apologize for any inconvenience this may cause.
    Thanks,
    PayPal ...


    The link in the email goes to a legitimate -hacked- site and then loads one of these three scripts:
    [donotclick]ftp.casacalderoni .com/liquids/pythias.js
    [donotclick]tuviking .com/trillionth/began.js
    [donotclick]walegion.comcastbiz .net/wotan/reuses.js
    These scripts then try to deliver the victim to a malicious payload at [donotclick]londonleatheronline .com/topic/able_disturb_planning.php which is a hijacked GoDaddy domain hosted on 173.246.104.184 (Gandi, US) which is the same server as used in this attack* ...
    Recommended blocklist:
    "
    * http://blog.dynamoo.com/2013/09/face...eathercom.html

    - https://www.virustotal.com/en/ip-add...4/information/
    ___

    Breaking Bad Spam lurks - note pasting site
    - http://www.threattracksecurity.com/i...-pasting-site/
    Sep 3, 2013 - "... fresh links being dumped across a site designed to let users paste notes and images then share with their friends, in a similar manner to Pastebin... frantic posting of links galore... The site itself has Bidvertiser ads placed above and below the “watch now” graphic, which may cause end-users to think they’re related to the image. Not so – clicking the “Download” button took us to an internet speed test. Clicking the Breaking Bad image took us to a second Tumblr which is so excited about offering up ads that it ends up sliding a scroll ad right behind the survey splash.
    > http://www.threattracksecurity.com/i...bbadpaste3.jpg
    ... They just can’t decide what they want you to click on first! Another link takes end-users to a video player install complete with various advertising related additions.
    > http://www.threattracksecurity.com/i...bbadpaste4.jpg
    ...
    > http://www.threattracksecurity.com/i...bbadpaste5.jpg
    ... As with all of these spam runs, you’re better off avoiding. At best, you’ll end up with some terrible grainy rip of a TV show on some free file host (after filling in a bunch of offers); at worst, you’ll end up with no TV show, unwanted installs and advert clickthroughs which lead to who-knows-where (after filling in a bunch of offers)."
    ___

    Facebook News feed Suggestion Spam
    - http://threattrack.tumblr.com/post/6...uggestion-spam
    Sep 3, 2013 - "Subjects Seen:
    Hi <name>, here are some Pages you may like
    Typical e-mail details:
    Like these Pages to get updates in your News Feed...

    Malicious URLs


    Screenshot: https://gs1.wac.edgecastcdn.net/8019...k5B1qz4rgp.png

    Last edited by AplusWebMaster; 2013-09-03 at 22:01.

  7. #267
    AplusWebMaster

    Facebook SPAM, more...

    FYI...

    Facebook SPAM / watchfp .net
    - http://blog.dynamoo.com/2013/09/face...atchfpnet.html
    4 Sep 2013 - "All this malware-laden Facebook spam is boring. Here's another one, leading to a malicious payload on watchfp .net:
    Date: Tue, 3 Sep 2013 11:37:14 -0700 [14:37:14 EDT]
    From: Facebook [notification+zrdohvri=vd1 @facebookmail .com]
    Subject: Blake Miranda tagged 5 photos of you on Facebook
    facebook
    Blake Miranda added 5 photos of you.
    See photos
    Go to notifications
    This message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future, please click: unsubscribe.
    Facebook, Inc. Attention: Department 415 P.O Box 10005 Palo Alto CA 94303


    Blake is pretty feminine looking for a bloke:
    > https://lh3.ggpht.com/-qWsaS5oax8Y/U.../facebook4.png
    The photograph is stolen from the website of Ashot Gevorkyan [some pictures perhaps nsfw] who has quite a nice portfolio. Anyway.. the link in the email uses a shortening service:
    [donotclick]u .to/r05nBA which goes to
    [donotclick]www.rosenberger-kirwa .de/triassic/index.html which loads one of the following:
    [donotclick]safbil .com/stashed/flout.js
    [donotclick]ftp.spectrumnutrition .ca/sunscreens/copping.js
    [donotclick]schornsteinfeger-helmste .de/covetously/turk.js
    The final step is that the victim ends up on a malware landing page at [donotclick]watchfp .net/topic/able_disturb_planning.php which is a hijacked GoDaddy domain hosted on 192.81.134.241 (Linode, US) along with some other hijacked domains listed in italics below. The attack is characteristic of the ThreeScripts series of malicious spam emails.
    Recommended blocklist:
    "
    ___

    Something evil on 174.140.168.239
    - http://blog.dynamoo.com/2013/09/some...140168239.html
    4 Sep 2013 - "The server at 174.140.168.239 (DirectSpace Networks LLC, US) is currently hosting a large number of hijacked GoDaddy domains and is being used to distribute malware [1] [2] [3].
    It looks like this server has been active for a couple of months and has been used for a variety of evil purposes, I strongly recommend blocking the following:
    174.140.168.239 ..."
    (More listed at the dynamoo URL above.)

    1) http://urlquery.net/search.php?q=174...-09-04&max=400

    2) https://www.virustotal.com/en-gb/ip-...9/information/

    3) http://blog.dynamoo.com/2013/06/hp-s...8zip-fail.html
    ___

    Something very wrong with Gandi US (AS29169 / 173.246.96.0/20)
    - http://blog.dynamoo.com/2013/09/some...-gandi-us.html
    4 Sep 2013 - "Recently I have been suggesting readers block quite a few individual IPs at Gandi in the US, but I hadn't noticed exactly how many IPs I had been suggesting until a couple of days ago. The problem seems to exist in the 173.246.96.0/20 block of AS29169 (173.246.96.0 - 173.246.111.255), a range of IP addresses that houses very many legitimate domains. Unfortunately, it also houses several malicious servers in the 173.246.102.0/24, 173.246.103.0/24 and 173.246.104.0/24 ranges, alongside legitimate sites... the warnings I have given about this IP range just in this blog alone* (ignoring all external sources)... Google prognosis**... there are a load of legitimate sites interspersed with the malware. Of course, you may want to block chunks of this IP range anyway and live with the collateral damage.. if you are hosted in this range then I suggest it is time to look for a new host. Over the past 12 months there have been at least 25 malware servers in this block, with 173.246.102.0/24 hosting 5, 173.246.103.0/24 hosting 8 and 173.246.104.0 hosting 9. Something must be seriously wrong at Gandi to allow this to happen.
    Recommended blocklist:
    ..."
    (Long list of URLs at the dynamoo URL above.)
    * http://blog.dynamoo.com/search/label/Gandi

    ** http://www.google.com/safebrowsing/d...?site=AS:29169
    ___

    Fake PayPal SPAM / dshapovalov .info
    - http://blog.dynamoo.com/2013/09/payp...valovinfo.html
    4 Sep 2013 - "This fake (and badly formatted) PayPal spam email leads to malware on dshapovalov .info:
    Date: Wed, 4 Sep 2013 08:33:25 -0500 [09:33:25 EDT]
    From: PayPal [service@ int. paypal .com]
    Subject: History of transactions #PP-011-538-446-067
    ID
    Transaction: { figure } {SYMBOL }
    On your account malicious activity , for 1 hour was filmed around $ 100 , in small amounts In order to avoid blocking the account you need to go in. Authenticate Now
    Sincerely, Services for protection
    Department
    PayPal does not tolerate fraud or illegal activities. Your complaint It was noted in the minutes of PayPal user you reported . If we find that This user has violated our policies , we will investigate and take appropriate action. In this case , you can contact in the future status this complaint.
    To ensure that future transactions proceed smoothly, we suggest you visit PayPal site and click the Security Center link located at the top of any page. There you will find tips on how to avoid scammers " Fraud Prevention Tips for Buyers " section.
    Please do not reply to this email. This mailbox is not monitored and you will not receive a response. For assistance , log in to your PayPal account and click the Help link in the upper right corner of any page PayPal.
    Copyright © 1999-2013 PayPal. All rights reserved.
    PPID PP {DIGIT } The history of monetary transactions


    The link in the email goes through a URL shortening service at [donotclick]url7 .org/KRh - one annoying feature with this service is that you have to click through a form to get the link, so it isn't easy to see where you are going to land. In this case it is [donotclick]184.168.56.23 /observatories/index.html and then it runs one of the following three scripts:
    [donotclick]81.143.33.169 /garrotting/rumples.js
    [donotclick]northeastestateagency .co .uk/queues/relaxes.js
    [donotclick]mineralmizer.webpublishpro ,com/peps/dortmund.js
    From there, the victim is sent to a hijacked GoDaddy domain at [donotclick]dshapovalov.info/topic/able_disturb_planning.php hosted on 192.81.134.241 (Linode, US) which is the same server used in this attack*. There are other hijacked GoDaddy domains on the same domain...
    Recommended blocklist:
    "
    * http://blog.dynamoo.com/2013/09/face...atchfpnet.html

    Current PayPal related Spam Ploys
    - http://threattrack.tumblr.com/post/6...ted-spam-ploys
    Sep 4, 2013 - "Subjects Seen:
    Resolution of case #PP-<random>
    With your balance was filmed - 500 $ -Resolution of case #PP-<random>
    Identity Issue #PP-<random>
    History of transactions #PP-<random>

    Typical e-mail details:
    Resolution of Case:
    Our records indicate that you never responded to requests for additional information about this claim. We hope you review the attached file and solve the situation amicably. For more details please see on the page View all details
    Sincerely,
    Protection Services Department ..."


    Malicious URLs


    Screenshots: https://gs1.wac.edgecastcdn.net/8019...OF91qz4rgp.png

    - https://gs1.wac.edgecastcdn.net/8019...vkm1qz4rgp.png

    - https://gs1.wac.edgecastcdn.net/8019...H031qz4rgp.png

    - https://gs1.wac.edgecastcdn.net/8019...OP01qz4rgp.png
    ___

    Fake HSBC SPAM / Original Copy (Edited).zip
    - http://blog.dynamoo.com/2013/09/hsbc...editedzip.html
    4 Sep 2013 - "This fake HSBC spam links to a malicious ZIP file:
    Date: Wed, 4 Sep 2013 01:45:17 -0700 [04:45:17 EDT]
    From: HSBC Wire Advising service [wireservice@ hsbc .com .hk]
    Reply-To: hsbcadviceref@ mail .com
    Subject: HSBC Payment Advice Ref: [H6789000] / ACH Credits / Customer Ref: [PO780090] (Edited)
    Dear Sir/Madam,
    The attached payment advice is issued at the request of our customer. The advice is for your reference only.
    Kindly Accept Our apology On the copy we sent earlier.
    1 attachments (total 586 KB)
    View slide show (1)
    Download all as zip
    Yours faithfully,
    Global Payments and Cash Management
    HSBC ...


    Screenshot: https://lh3.ggpht.com/-Oj2DePefzfQ/U...s1600/hsbc.png

    The link in the email goes to a file sharing site at [donotclick]ge .tt/api/1/files/1AFpS3r/0/blob?download and then downloads a file Original Copy (Edited).zip which contains a malicious executable Original Copy (Edited).scr (actually a renamed .EXE file, not a screensaver). The VirusTotal detection rate is 14/16*. The malware uses various techniques to prevent being analysed in a sandbox, but the ThreatExpert report** shows some network activity including a suspect connection to ftp.advice .yzi .me (185.28.21.26, Hostinger International US) which might be worth blocking."
    * https://www.virustotal.com/en-gb/fil...is/1378306613/

    ** http://www.threatexpert.com/report.a...98215a282488de

    - https://www.virustotal.com/en/ip-add...6/information/

    Last edited by AplusWebMaster; 2013-09-04 at 19:55.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  8. #268 Adviser Team AplusWebMaster

    More fake Facebook SPAM ...

    FYI...

    More Fake Facebook SPAM / kapcotool .com
    - http://blog.dynamoo.com/2013/09/face...cotoolcom.html
    5 Sep 2013 - "This fake Facebook spam leads to malware on kapcotool.com:
    From: Facebook [no-reply@ facebook .com]
    Date: 5 September 2013 15:21
    Subject: Michele Murdock wants to be friends with you on Facebook.
    facebook
    Michele Murdock wants to be friends with you on Facebook.
    University of Houston, Victoria
    342 friends - 28 photos
    Confirm Request ...


    The -link- in the email uses an obscure URL shortening service to go first to [donotclick]fenixa .com/97855 and then to [donotclick]magic-crystal .ch/normalized/index.html, and at this point it attempts to load the following three scripts:
    [donotclick]00398d0.netsolhost .com/mcguire/forgiveness.js
    [donotclick]202.212.131.8 /ruses/nonsmokers.js
    [donotclick]japanesevehicles .us/vector/internees.js
    The final step is a malware landing page at [donotclick]kapcotool .com/topic/able_disturb_planning.php which is a hijacked GoDaddy domain hosted on 74.207.227.154 (Linode, US) along with some other hijacked domains...
    Recommended blocklist:
    74.207.227.154
    jgburgerlounge .ca
    jngburgerjoint .ca
    jngburgerjoint .com
    johnmejalli .com
    justcreature .com
    justmonster .com
    kalcodistributors .com
    kapcotool.com
    00398d0.netsolhost .com
    japanesevehicles .us
    202.212.131.8"

    - https://www.virustotal.com/en/ip-add...4/information/
    ___

    NACHA SPAM / nacha-ach-processor .com
    - http://blog.dynamoo.com/2013/09/nach...cessorcom.html
    5 Sep 2013 - "This fake NACHA spam... leads to malware on nacha-ach-processor .com:
    From: The Electronic Payments Association - NACHA [leansz35@ inbound .nacha .com]
    Date: 5 September 2013 17:55
    Subject: Rejected ACH transfer
    The ACH transaction (ID: 985284643257), yesterday sent from your account (by one of your account members), was cancelled by the recipient's bank.
    Cancelled transaction
    ACH ID: 985284643257
    Rejection Reason See additional info in the statement below
    Transaction Detailed Report View Report 985284643257
    About NACHA
    NACHA occupies a unique role in the association world, serving as both an industry trade association and administrator of Automated Clearing House (ACH) Network. As the industry trade association that oversees the ACH Network, NACHA provides services in three key functional areas:
    The NACHA Operating Rules provide the legal foundation for the exchange of ACH payments and ensure that the ACH Network remains efficient, reliable, and secure for the benefit of all participants. In its role as Network administrator, NACHA manages the rulemaking process and ensures that proposed ACH applications are consistent with the Guiding Principles of the ACH Network. The rulemaking process provides a disciplined, well-defined methodology to propose and develop and propose rules amendments to the NACHA voting membership, the decision makers for the NACHA Operating Rules.
    NACHA develops and implements a comprehensive, end-to-end risk management framework that includes network entry requirements, ongoing requirements, enforcement, and ACH Operator tools and services. Collectively, the strategy addresses risk and quality in the ACH Network by minimizing unauthorized entries and customer services costs to all Network participants.
    14560 Sunny Valley Drive, Suite 204
    Herndon, VA 20171
    © 2013 NACHA - The Electronic Payments Association


    The link in the email goes through a legitimate -hacked- site and then attempts to direct visitors to [donotclick]www.nacha-ach-processor .com/news/ach-report.php (report here**) which is hosted on the following IPs:
    66.230.163.86 (Goykhman And Sons LLC, US)
    95.111.32.249 (Megalan / Sofia Mobiltel EAD, Bulgaria)
    194.42.83.60 (Interoute Hosting, UK)
    The IPs in use identify it as belonging to what I call the Amerika gang*. There are several other malicious domains on these same IPs, and they form part of this larger group of dangerous IPs and domains*.
    Recommended blocklist:
    66.230.163.86
    95.111.32.249
    194.42.83.60
    ..."
    (More listed at the dynamoo URL above.)

    * http://blog.dynamoo.com/search/label/Amerika

    ** http://urlquery.net/report.php?id=4976262
    ___

    Citizens Bank Issue File Processed Spam
    - http://threattrack.tumblr.com/post/6...processed-spam
    Sep 5, 2013 - "Subjects Seen:
    Issue File <random> Processed
    Typical e-mail details:
    Regarding Issue File <random> -
    Total Issue Items # 36 Total Issue Amount $38,043.98
    This will confirm that your issue file has been processed. Please verify the information in attached report; if you find there are discrepancies in what you believe your totals should be and what we have reported, please contact the Reconciliation Department at 1-888-333-2909 Option # 3 between the hours of 8:00am and 4:00pm ET not later than 24 hours after you receive this notice.


    Malicious File Name and MD5:
    issue_report_<random>.zip (1189CEBD553088A94EC3BC2ECB89D34B)
    issue_report_<date>.exe (6C66CAE230E0772B75A327AE925F648A)

    Screenshot: https://gs1.wac.edgecastcdn.net/8019...9LQ1qz4rgp.png
    ___

    Websense - Java/Flash research - Dangerous Update Gap...
    - http://community.websense.com/blogs/...pdate-gap.aspx
    5 Sep 2013 - "... Nearly 50 percent of -enterprise- traffic used a Java version that was more than two years out of date... Nearly 40 percent of users are not running the most up-to-date versions of Flash... nearly 25 percent of Flash installations are more than six months old, close to 20 percent are outdated by a year and nearly 11 percent are two years old..."

    Last edited by AplusWebMaster; 2013-09-05 at 22:43.
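    The posts above give their indicators in the blog's defanged form ("kapcotool .com", "[donotclick]...") alongside recommended blocklists. As an added example, not code from the blog or from the forum poster, the following Python refangs such indicators, builds a host and IP blocklist from them, and checks constructed Squid-style proxy log lines against it, matching subdomains of a listed domain as well as the exact host and the destination IP. The log format, the client addresses and the non-listed destinations are assumptions; the indicators are those quoted in the posts.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators as they appear in the posts above, in the blog's defanged form
# (space before the TLD, "[donotclick]" prefix). Paths are dropped on refang
# because blocking here is done per host or IP.
DEFANGED_INDICATORS = [
    "[donotclick]kapcotool .com/topic/able_disturb_planning.php",
    "74.207.227.154",
    "jgburgerlounge .ca",
    "00398d0.netsolhost .com",
    "202.212.131.8 /ruses/nonsmokers.js",
    "japanesevehicles .us",
    "[donotclick]www.nacha-ach-processor .com/news/ach-report.php",
    "66.230.163.86",
]

# Constructed Squid access.log lines (assumed format; client IPs are RFC 1918
# placeholders, non-listed destinations use documentation ranges).
SAMPLE_LOG = """\
1378400001.101 245 10.0.0.15 TCP_MISS/200 1200 GET http://www.example.org/index.html - HIER_DIRECT/93.184.216.34 text/html
1378400002.202 310 10.0.0.15 TCP_MISS/200 5600 GET http://kapcotool.com/topic/able_disturb_planning.php - HIER_DIRECT/74.207.227.154 text/html
1378400003.303 120 10.0.0.22 TCP_MISS/200 900 GET http://cdn.japanesevehicles.us/vector/internees.js - HIER_DIRECT/203.0.113.9 application/javascript
1378400004.404 88 10.0.0.22 TCP_MISS/200 700 GET http://203.0.113.50/update.php - HIER_DIRECT/66.230.163.86 text/html
"""


def refang(indicator):
    """Turn a defanged indicator into a lowercase host name or IP string."""
    s = indicator.replace("[donotclick]", "")
    s = re.sub(r"\[\.\]|\(\.\)", ".", s)       # "example[.]com" style
    s = re.sub(r"\s+", "", s)                   # "kapcotool .com" -> "kapcotool.com"
    s = re.sub(r"^hxxps?://", "http://", s, flags=re.IGNORECASE)
    if "://" not in s:
        s = "http://" + s                       # so urlsplit sees a host
    return (urlsplit(s).hostname or "").lower()


def build_blocklist(indicators):
    """Split refanged indicators into a host set and a list of IP networks."""
    hosts, nets = set(), []
    for ind in indicators:
        h = refang(ind)
        if not h:
            continue
        try:
            nets.append(ipaddress.ip_network(h, strict=False))
        except ValueError:                      # not an IP: treat as a domain
            hosts.add(h)
    return hosts, nets


def host_blocked(host, hosts, nets):
    """True if host is a listed IP, a listed domain, or a subdomain of one."""
    host = host.lower().rstrip(".")
    try:
        ip = ipaddress.ip_address(host)
        return any(ip in net for net in nets)
    except ValueError:
        pass
    labels = host.split(".")
    return any(".".join(labels[i:]) in hosts for i in range(len(labels)))


def scan_log(text, indicators):
    """Return (client, url, reasons) for each log line touching the blocklist."""
    hosts, nets = build_blocklist(indicators)
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 9:
            continue
        client, url, hier = fields[2], fields[6], fields[8]
        url_host = urlsplit(url).hostname or ""
        dest_ip = hier.partition("/")[2]       # "HIER_DIRECT/1.2.3.4" -> "1.2.3.4"
        reasons = []
        if host_blocked(url_host, hosts, nets):
            reasons.append("host:" + url_host)
        if dest_ip and host_blocked(dest_ip, hosts, nets):
            reasons.append("ip:" + dest_ip)
        if reasons:
            hits.append((client, url, reasons))
    return hits


if __name__ == "__main__":
    for client, url, reasons in scan_log(SAMPLE_LOG, DEFANGED_INDICATORS):
        print(client, url, ", ".join(reasons))
```

    Matching on both the requested host and the resolved destination IP is deliberate: the posts show the same malicious IPs serving many hijacked domains, so a host-only list misses the next domain the gang moves to, while an IP-only list misses a domain that has already moved.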

  9. #269 Adviser Team AplusWebMaster

    Something evil on 37.59.164.209 (OVH)

    FYI...

    Something evil on 37.59.164.209 (OVH)
    - http://blog.dynamoo.com/2013/09/some...64209-ovh.html
    6 Sep 2013 - "37.59.164.209 is a server operated by OVH in France. It has many malicious domains hosted on it, indeed almost everything on it is flagged by Google as being malicious (highlighted in the list below). Blocking access to that IP address is the simplest approach as the malicious sites do seem to be in some flux..."
    (Long list of URLs at the dynamoo URL above.)

    - https://www.virustotal.com/en/ip-add...9/information/
    ___

    CNN Breaking News SPAM: “The United States began bombing!”
    - http://threattrack.tumblr.com/post/6...d-states-began
    Sep 6, 2013 - "Subjects Seen:
    CNN: “The United States began bombing”
    Typical e-mail details:
    (CNN) — Pentagon officials said that the United States launched the first strikes against Syria. It was dropped about 15 bomn on stalitsu syria Damascus. Full story »
    Rescuing Hannah Anderson
    *Sushmita Banerjee was kidnapped and killed in Afghanistan, police say
    *No one has claimed responsibility for her death, but police suspect militants
    *Banerjee wrote “A Kabuliwala’s Bengali Wife” about her escape from the Taliban


    Malicious URLs
    nevisconservatories .co .uk/soupy/index.html
    axsysfinancial .biz/mingle/index.html
    holatorino .it/favor/index.html
    luggagepoint .de/topic/able_disturb_planning.php


    Screenshot: https://gs1.wac.edgecastcdn.net/8019...MT61qz4rgp.png

    - http://blog.dynamoo.com/2013/09/cnn-...bing-spam.html
    6 Sep 2013 - "This fake CNN spam leads to malware on luggagepreview .com:
    Date: Fri, 6 Sep 2013 11:30:57 -0600 [13:30:57 EDT]
    From: CNN [BreakingNews@ mail .cnn .com]
    Subject: CNN: "The United States began bombing"
    The United States began bombing!
    By Casey Wian, CNN
    updated 9:01 AM EDT, Wed August 14, 2013 ...


    Screenshot: https://lh3.ggpht.com/-BbuqrJRRbjc/U...nn-bombing.png

    The link in the email is meant to go to [donotclick]senior-tek .com/tenth/index.html but the "Full story" link has a typo in it and goes to senior-tekcom/tenth/index.html (without the dot) instead, which obviously fails. This site then tries to load these three scripts:
    [donotclick]crediamo .it/disburse/ringmaster.js
    [donotclick]stages2saturn .com/scrub/reproof.js
    [donotclick]www.rundherum .at/rabbiting/irritate.js
    From there the visitor is sent to a malicious payload at [donotclick]luggagepreview .com/topic/able_disturb_planning.php which is a hacked GoDaddy domain hosted on 174.140.171.207 (DirectSpace LLC, US) along with several other hijacked domains...
    Recommended blocklist:
    174.140.171.207 ..."

    - https://www.virustotal.com/en/ip-add...7/information/

    - http://www.symantec.com/connect/fr/b...argeted-attack
    6 Sept 2013
    ___

    "Scanned Document Attached" SPAM / FSEMC.06092013.exe
    - http://blog.dynamoo.com/2013/09/scan...ched-spam.html
    6 Sep 2013 - "This fake financial spam contains an encrypted attachment with a malicious file in it.
    Date: Fri, 6 Sep 2013 15:19:37 +0000 [11:19:37 EDT]
    From: Fiserv [Lawanda_Underwood@ fiserv .com]
    Subject: FW: Scanned Document Attached
    Dear Business Associate:
    Protecting the privacy and security of client, company, and employee
    information is one of our highest priorities. That is why Fiserv has
    introduced the Fiserv Secure E-mail Message Center - a protected e-mail
    environment designed to keep sensitive and confidential information
    safe. In this new environment, Fiserv will be able to send e-mail
    messages that you retrieve on a secured encrypted file.
    You have an important message from Adam_Paul@ fiserv .com
    To see your message, use the following password to decrypt attached file: JkSIbsJPPai
    If this is your first time receiving a secure file from the
    Fiserv Secure E-mail Message Center, you will be prompted to set up a
    user name and password.
    This message will be available until Saturday Sep 07, 2013 at 17:50:42
    EDT4
    If you have any questions, please contact your Fiserv representative...


    Attached is an encrypted ZIP file which contains part of the victim's email address (or somebody else in the same domain) that has to be decrypted with the password JkSIbsJPPai. This in turn contains a malicious executable FSEMC.06092013.exe (note the date is encoded into the filename). The VirusTotal detection rate for this malware is only 6/47*. The malware then phones home to a site ce-cloud.com:443 hosted on 84.22.177.37 (ioMart, UK) and then uploads some data... What happens next is unclear, but you can guarantee that it is nothing good. Blocking access to ce-cloud .com or 84.22.177.37 may provide some protection. Blocking EXE-in-ZIP files is an even more effective approach if you can do it."
    * https://www.virustotal.com/en/file/6...is/1378501983/
    ___

    More new Facebook SPAM / www .facebook.com.achrezervations .com
    - http://blog.dynamoo.com/2013/09/face...hrezervat.html
    6 Sep 2013 - "This fake Facebook spam leads to malware on www .facebook.com.achrezervations .com:
    Date: Fri, 6 Sep 2013 08:07:14 -0500 [09:07:14 EDT]
    From: Facebook [notification+puppies9@ mail .facebookmail .net]
    Reply-To: noreply [noreply@ postmaster .facebookmail .org]
    Subject: Cole Butler confirmed your Facebook friend request
    facebook
    Cole Butler has confirmed that you're friends on Facebook.
    You may know some of Cole's Friends
    Daren Douglas
    1 mutual friends
    Add Friend
    Gertrude Souza
    14 mutual friends
    Add Friend
    Brice Kelly
    3 mutual friends
    Add Friend ...
    This message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future, please unsubscribe...


    Screenshot: https://lh3.ggpht.com/-vdq1WhJkOzY/U...0/facebook.png

    The link in the email goes to a legitimate -hacked- site and then to an exploit kit on [donotclick]www.facebook.com.achrezervations .com/news/implement-circuit-false.php (report here*) hosted on the following servers:
    66.230.163.86 (Goykhman And Sons LLC, US)
    95.111.32.249 (Megalan / Sofia Mobiltel EAD, Bulgaria)
    115.78.233.220 (Vietel Corporation, Vietnam)
    194.42.83.60 (Interoute Hosting, UK)
    The following IPs and domains are all malicious and belong to this gang**, I recommend you block them:
    66.230.163.86
    95.111.32.249
    115.78.233.220
    194.42.83.60
    ..."
    (More URLs listed at the dynamoo URL above.)
    * http://urlquery.net/report.php?id=4996887

    ** http://blog.dynamoo.com/search/label/Amerika
    ___

    Threat Outbreak Alerts cover the latest data regarding malicious email-based and web-based threats, including spam, phishing, viruses, malware, and botnet activity.
    - http://tools.cisco.com/security/cent...utbreak.x?i=77
    Fake Account Payment Notification Email Messages - 2013 Sep 06
    Fake Bank Payment Transfer Notification Email Messages - 2013 Sep 06
    Fake Product Quote Email Messages - 2013 Sep 06
    Fake Order Payment Confirmation Email Messages - 2013 Sep 05
    Fake Airline Ticket Order Notification Email Messages - 2013 Sep 05
    Email Messages with Malicious Link - 2013 Sep 05
    Fake Photo Sharing Email Messages - 2013 Sep 05
    Fake Money Transfer Notification Email Messages - 2013 Sep 05
    Malicious Personal Pictures Attachment Email Messages - 2013 Sep 05
    Fake Product Order Confirmation Email Messages - 2013 Sep 05
    Fake Invoice Notification Email Messages - 2013 Sep 05
    Fake Document Attachment Email Messages - 2013 Sep 05
    Fake Shipping Notification Email Messages - 2013 Sep 05
    Email Messages with Malicious Attachments - 2013 Sep 05
    Fake Shipping Confirmation Email Messages - 2013 Sep 05
    Fake Scanned Document Attachment Email Messages - 2013 Sep 05
    Fake Product Purchase Request Email Messages - 2013 Sep 05
    Fake Personal Picture Sharing Email Messages - 2013 Sep 05
    Fake Product Order Email Messages - 2013 Sep 05
    Fake Electronic Payment Cancellation Email Messages - 2013 Sep 05
    (More detail and links available at the cisco URL above.)

    Last edited by AplusWebMaster; 2013-09-09 at 17:39.

  10. #270 Adviser Team AplusWebMaster

    Quotation.zip SPAM, Adware spread with Mevade variants ...

    FYI...

    Quotation.zip SPAM with malicious VBS script
    - http://blog.dynamoo.com/2013/09/deal...spam-with.html
    7 Sep 2013 - "The website dealerbid.co .uk has been compromised and their servers -hacked- in order to send spam to their customer list. Something similar has happened before a few months ago*. In this case the spam email was somewhat mangled, but I am assuming that the spammers know how to fix this. The spam email is as follows:
    From: Christopher Rawson [christopher.r@ kema .com]
    Date: 7 September 2013 14:04
    Subject: Quotation
    Hello,
    We have prepared a quotation, please see attached
    With Kind Regards,
    Christopher Rawson,
    DNV KEMA Energy & Sustainability ...


    DNV KEMA is a real, legitimate company in the energy sector. But they did not send the spam; an examination of the headers shows that the sending IP is 213.171.204.75 which is the same IP as www .dealerbid .co .uk and mail.dealerbid .co .uk. The email is sent to an address ONLY used to register at dealerbid .co .uk. So, the upshot is that this domain is compromised and it is compromised right now. The email is meant to have an attachment called Quotation.zip but in my sample the email was mis-formatted and instead the Base 64 encoded ZIP file was in the main body text... Some copy-and-pasting and work with a Base 64 decoder ended up with a valid ZIP file, containing a somewhat obfuscated VBS script Quotation.vbs with a low VirusTotal detection rate of 4/46**... it attempts to download further components from klonkino.no-ip .org (port 1804) which is hosted on 146.185.24.207 (Hosting Services Inc, UK). I strongly recommend blocking no-ip .org domains in any case, but I certainly recommend the following blocklist:
    klonkino.no-ip .org
    146.185.24.207
    ... "

    * http://blog.dynamoo.com/2013/03/dealerbidcouk-spam.html

    ** https://www.virustotal.com/en/file/4...is/1378571897/

    - https://www.virustotal.com/en/ip-add...7/information/
    ___

    Adware spread with Mevade variants ...
    - http://blog.trendmicro.com/trendlabs...evade-malware/
    Sep 6, 2013 - "... rise in the number of Tor users... directly attributed to the Mevade malware... The first batch of Mevade samples (detected as BKDR_MEVADE.A) we gathered was downloaded by a malicious file named FlashPlayerUpdateService.exe (detected as TROJ_DLOADE.FBV). (The legitimate Flash updater uses the same file name.) The two files can be differentiated by examining the file properties. The legitimate version is signed, while the malicious version is not. In addition, the version numbers are different... The backdoor communicates to its C&C server via HTTP to receive commands, which include updating a copy of itself and connecting to a specific location using SSH to secure its communication... The IP addresses that host these C&C servers are located in Russia. Looking into the feedback data provided by the Smart Protection Network, TROJ_DLOADE.FBV was found in multiple countries, with Japan and the United States being the most affected... In addition to the Mevade malware itself, we saw that ADW_BPROTECT had also been downloaded onto affected systems. This is expected for Mevade, as we noted earlier that it is linked to cybercriminals responsible for the distribution of adware. This downloading of adware is consistent with our findings that the Mevade botnet is possibly monetized via installing -adware- and -toolbars- ... Newer versions of Mevade (BKDR_MEVADE.B and BKDR_MEVADE.C) no longer use SSH; instead they use the Tor network to hide their network traffic. This can help cover their activity online, but otherwise the behavior and propagation is identical... How the malware arrives into the system, however, is still under investigation. We will update the blog should we find more information about the infection vector. Still, users must observe best computing practice and -avoid- visiting and downloading files from unverified websites or links from email, social media etc..."

    Last edited by AplusWebMaster; 2013-09-09 at 12:30.
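    Three of the posts above describe the same attachment pattern from different angles: a ZIP whose member is a renamed .EXE (the HSBC "Original Copy (Edited).scr"), a password-protected ZIP whose password is handed out in the mail body (the Fiserv sample), and a ZIP that arrived Base64-encoded in the body text rather than as an attachment (the dealerbid sample). Dynamoo's remark that blocking EXE-in-ZIP files is the more effective control is what the added example below implements; it is not code from the blog or from the forum poster. It recovers a Base64 ZIP from a constructed mail body, then reports members with executable extensions, members that start with a PE "MZ" header whatever their name, and encrypted members that cannot be inspected at all. The sample body, the member names and their contents are constructed test data.

```python
import base64
import io
import re
import zipfile

# Extensions Windows runs directly; the posts show .exe, .scr and .vbs in use.
EXEC_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd",
                   ".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta"}

B64_LINE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def build_sample_zip(members):
    """Build an in-memory ZIP from {name: bytes} (constructed test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed archive: a script, a PE image under a .scr name, a PE image
# under a harmless-looking .pdf name, and a benign text file.
SAMPLE_ZIP = build_sample_zip({
    "Quotation.vbs": b'Set sh = CreateObject("WScript.Shell")\r\n',
    "Original Copy (Edited).scr": b"MZ\x90\x00" + b"\x00" * 60,
    "invoice.pdf": b"MZ\x90\x00" + b"\x00" * 60,
    "readme.txt": b"nothing to see here\n",
})

# Constructed mail body with the ZIP inlined as Base64 (the mangled form
# Dynamoo describes), wrapped at 76 characters like a MIME part.
_B64 = base64.b64encode(SAMPLE_ZIP).decode("ascii")
SAMPLE_BODY = (
    "Hello,\nWe have prepared a quotation, please see attached\n\n"
    + "\n".join(_B64[i:i + 76] for i in range(0, len(_B64), 76))
    + "\n\nWith Kind Regards,\n"
)


def extract_base64_zips(body):
    """Return decoded ZIP blobs found as Base64 runs inside a mail body."""
    zips, run = [], []

    def flush():
        text = "".join(run)
        run.clear()
        if len(text) < 64:                      # too short to be an archive
            return
        try:
            blob = base64.b64decode(text, validate=True)
        except ValueError:                      # binascii.Error is a ValueError
            return
        if blob.startswith(b"PK\x03\x04"):      # ZIP local file header signature
            zips.append(blob)

    for line in body.splitlines():
        line = line.strip()
        if B64_LINE.match(line):
            run.append(line)
        else:
            flush()
    flush()
    return zips


def inspect_zip(data):
    """List (member, reason) findings that would justify quarantining a ZIP."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [("<archive>", "not a valid ZIP")]
    with zf:
        for info in zf.infolist():
            name = info.filename
            ext = ("." + name.rsplit(".", 1)[1].lower()) if "." in name else ""
            if info.flag_bits & 0x1:
                # Encrypted member: content cannot be scanned, and the
                # password is typically handed out in the mail body.
                findings.append((name, "encrypted member"))
                continue
            if ext in EXEC_EXTENSIONS:
                findings.append((name, "executable extension " + ext))
            with zf.open(info) as fh:
                if fh.read(2) == b"MZ":         # PE/DOS header, whatever the name
                    findings.append((name, "PE image (MZ header)"))
    return findings


def scan_mail_body(body):
    """Findings for every Base64-embedded ZIP in the body of a message."""
    findings = []
    for blob in extract_base64_zips(body):
        findings.extend(inspect_zip(blob))
    return findings


if __name__ == "__main__":
    for member, reason in scan_mail_body(SAMPLE_BODY):
        print(member, "->", reason)
```

    The content check matters more than the extension check: a renamed executable such as the HSBC .scr, or one parked under a .pdf name, still begins with the MZ header, while an encrypted member reveals nothing and is reported on that basis alone, which is the right outcome for a gateway that cannot open it.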
