
Thread: SPAM frauds, fakes, and other MALWARE deliveries...

  1. #271
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Malware sites to block 9.9.13 ...

    FYI...

    Malware sites to block 9/9/13
    - http://blog.dynamoo.com/2013/09/malw...lock-9913.html
    9 Sep 2013 - "These domains and IPs are associated with this gang*, this list supersedes (or complements) the one I made last week**..."
    (Long list at the dynamoo URL above.)
    * http://blog.dynamoo.com/search/label/Amerika

    ** http://blog.dynamoo.com/2013/09/malw...lock-2913.html
    ___

    Malware sites to block 9/9/13, part II
    - http://blog.dynamoo.com/2013/09/malw...3-part-ii.html
    9 Sep 2013 - "Another set of IPs and domains related to this attack* detailed by Sophos, and overlapping slightly with the malicious servers documented here**. I've just listed the main domains, but the attack itself uses thousands of subdomains (e.g. zwgaf72d4erv7g.www5.tohk5ja .cc) to do evil things.
    46.20.36.9 (Syslayer.com, Germany)
    74.63.229.252 (Limestone Networks / 123systems Solutions, US)
    77.81.244.226 (Elvsoft SRL, Netherlands)
    173.243.118.198 (Continuum Data Centers, US)
    198.52.243.229 (Centarra Networks, US)
    199.188.206.183 (Namecheap Inc, US)
    206.72.192.31 (Interserver Inc, US)
    213.156.91.110 (Ukrainian Special Systems Network, Ukraine)
    Blocklist:
    ..."
    (Long list at the dynamoo URL above.)
    * https://secure2.sophos.com/en-us/thr...-analysis.aspx

    ** http://blog.dynamoo.com/2013/09/malw...lock-9913.html
    ___

    Threat Outbreak Alerts
    - http://tools.cisco.com/security/cent...utbreak.x?i=77
    Fake Shipping Notification Email Messages - 2013 Sep 09
    Fake Processed Payment Notification Email Messages - 2013 Sep 09
    Fake Account Payment Notification Email Messages - 2013 Sep 09
    Fake Important Documents Notification Email Messages - 2013 Sep 09
    Fake Anti-Phishing Email Messages - 2013 Sep 09
    Fake Product Order Email Messages - 2013 Sep 09
    Fake Real Estate Inquiry Email Messages - 2013 Sep 09
    Fake Bank Payment Transfer Notification Email Messages - 2013 Sep 09
    Fake Shipping Confirmation Email Messages - 2013 Sep 09
    Fake Bank Transfer Notice Email Message - 2013 Sep 09
    Fake Invoice Statement Attachment Email Messages - 2013 Sep 09
    Fake Product Order Quotation Email Messages - 2013 Sep 09
    Fake Business Complaint Notification Email Messages - 2013 Sep 09
    Fake Product Purchase Order Email Messages - 2013 Sep 09
    Fake Product Order Request Email Messages - 2013 Sep 09
    Fake Letter of Intent Attachment Email Messages - 2013 Sep 09
    Fake Product List Attachment Email Messages - 2013 Sep 09
    Fake Account Deposit Notification Email Messages - 2013 Sep 09
    Malicious Personal Pictures Attachment Email Messages - 2013 Sep 09
    Fake Purchase Order Request Email Messages - 2013 Sep 09
    (More detail and links at the cisco URL above.)

    Last edited by AplusWebMaster; 2013-09-09 at 21:52.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #272

    Fake FISC ACH, BBB SPAM...

    FYI...

    Fake FISC ACH SPAM / fiscdp.com.airfare-ticketscheap .com
    - http://blog.dynamoo.com/2013/09/ach-...processed.html
    10 Sep 2013 - "This fake FISC ACH spam leads to malware on www .fiscdp .com.airfare-ticketscheap .com:
    Date: Tue, 10 Sep 2013 17:05:49 +0530 [07:35:49 EDT]
    From: Financial Institution Service [improvehv89@ m.fiscdp .gov]
    Subject: ACH file ID "999.107" has been processed successfully
    Files FISC Processing Service
    SUCCESS Notification
    We have successfully handled ACH file 'ACH2013-09-09-62.txt' (id '999.107') submitted by user '[redacted]' on '2013-09-09 12:06:67.7'.
    FILE SUMMARY:
    Item count: 9
    Total debits: $13,365.83
    Total credits: $13,365.83 ...


    Screenshot: https://lh3.ggpht.com/-Iz3whiN6ueg/U.../s400/fisc.png

    The link in the email goes to a legitimate -hacked- site and then on to a malware landing page at [donotclick]www.fiscdp .com.airfare-ticketscheap .com/news/opens_heads_earlier.php (reports here* and here**) hosted on:
    66.230.163.86 (Goykhman And Sons LLC, US)
    95.87.1.19 (Trakia Kabel OOD, Bulgaria)
    174.142.186.89 (iWeb Technologies)
    The WHOIS details for airfare-ticketscheap .com are -fake- and the domain was registered just yesterday... The IPs in use indicate that this campaign forms part of the Amerika spam run. Several other malicious sites are on the same server, and I would recommend that you block the following in conjunction with this list:
    66.230.163.86
    95.87.1.19
    174.142.186.89
    ..."
    (More URLS listed at the dynamoo URL above.)
    * http://urlquery.net/report.php?id=5071327

    ** http://wepawet.iseclab.org/view.php?...821965&type=js

    - https://www.virustotal.com/en/ip-add...9/information/
    ___

    Fake BBB SPAM / Case_0938818_2818.exe
    - http://blog.dynamoo.com/2013/09/bbb-...182818exe.html
    10 Sep 2013 - "This fake BBB spam has a malicious attachment:
    Date: Tue, 10 Sep 2013 15:07:14 +0100 [10:07:14 EDT]
    From: Better Business Bureau [Aldo_Austin@ newyork .bbb .org]
    Subject: FW: Case IN11A44X2WCP44M
    The Better Business Bureau has received the above-referenced complaint from one of your
    customers regarding their dealings with you. The details of the consumer's concern are
    included on the reverse. Please review this matter and advise us of your position.
    As a neutral third party, the Better Business Bureau can help to resolve the matter.
    Often complaints are a result of misunderstandings a company wants to know about and
    correct.
    In the interest of time and good customer relations, please provide the BBB with written
    verification of your position in this matter by September 13, 2013. Your prompt response
    will allow BBB to be of service to you and your customer in reaching a mutually agreeable
    resolution. Please inform us if you have contacted your customer directly and already
    resolved this matter.
    The Better Business Bureau develops and maintains Reliability Reports on companies across
    the United States and Canada . This information is available to the public and is
    frequently used by potential customers. Your cooperation in responding to this complaint
    becomes a permanent part of your file with the Better Business Bureau. Failure to
    promptly give attention to this matter may be reflected in the report we give to
    consumers about your company.
    We encourage you to print this complaint (attached file - Case_IN11A44X2WCP44M), answer
    the questions and respond to us.
    We look forward to your prompt attention to this matter.
    Sincerely,
    Aldo_Austin
    Council of Better Business Bureaus
    3033 Wilson Blvd, Suite 600
    Arlington, VA 22201


    Attached to the message is a ZIP file Case_IN11A44X2WCP44M.zip which in turn contains an executable Case_0938818_2818.exe which has a shockingly low detection rate of just 1/46* at VirusTotal. Automated analysis of the malware is inconclusive... but it does generate outbound traffic to kwaggle .com port 443 on 64.50.166.122 (Lunar Pages, US). The domain thisisyourwife .co .uk on the same server is also hosting malware, I would therefore be suspicious about some of the other sites on the same box.
    Recommended blocklist:
    64.50.166.122
    kwaggle .com
    thisisyourwife .co .uk
    "
    * https://www.virustotal.com/en-gb/fil...is/1378823569/

    - https://www.virustotal.com/en/ip-add...2/information/

    Last edited by AplusWebMaster; 2013-09-10 at 17:23.

  3. #273

    Threats - Online Bullying ...

    FYI...

    Threats - Online Bullying ...
    - http://www.threattracksecurity.com/i...line-bullying/
    Sep 11, 2013 - "Three weeks ago... co-founders of social networking site Ask.fm, released a statement regarding some changes on the site’s safety policy in an effort to curb the dramatic increase of cyberbullying occurrences within its platform. Ask.fm boasts at least 57 million registered users, the majority of which are teens and tweens. The site’s anonymity feature has sadly become the means for some users to deliberately target and verbally assault others. The proposed changes are no quick fix, nor are they remedies to the deeper problems of what motivates one to bully someone online. However, I believe that it’s a good first step to achieve the objective. Giving users the option to opt out of accepting and entertaining anonymous questions and/or comments could be a big blow to trolls. Some victims of online bullying in Ask.fm have taken it upon themselves to resolve the matter of anonymity by attempting to unmask who these people are. How? They look for tools online... that will lead to trouble... We have come across a number of sites hosting files that -pretend- to unmask Ask.fm users. Upon closer inspection, however, they’re malicious in nature at worst. These files can range from simple malware droppers to Bitcoin miners to PUPs bearing a gamified marketing tactic or something more dubious.
    > http://www.threattracksecurity.com/i...DFA6ABA7AD.jpg
    Sadly, such files like the above are easy to find. Users who find themselves installing -any- of these files on their computer will discover that they got something more than what they bargained for..."
    ___

    Fake USPS SPAM / Label_FOHWXR30ZZ0LNB1.zip
    - http://blog.dynamoo.com/2013/09/usps...z0lnb1zip.html
    11 Sep 2013 - "This fake USPS spam has a malicious attachment:
    Date: Wed, 11 Sep 2013 11:19:05 -0500 [12:19:05 EDT]
    From: USPS Express Services [service-notification @usps .com]
    Subject: USPS - Missed package delivery
    Priority: High Priority 1 (High)
    Notification
    Our company's courier couldn't make the delivery of package.
    REASON: Postal code contains an error.
    LOCATION OF YOUR PARCEL: New York
    DELIVERY STATUS: Sort Order
    SERVICE: One-day Shipping
    NUMBER OF YOUR PARCEL: UGLFOHWXR30ZZ0LNB1
    FEATURES: No
    Label is enclosed to the letter.
    Print a label and show it at your post office.
    An additional information:
    You can find the information about the procedure and conditions of parcels keeping in the nearest office.
    Thank you for using our services.
    USPS Global...


    There is an attachment Label_FOHWXR30ZZ0LNB1.zip which in turn contains an executable Label_368_09112013_JDSL.exe which has a very low detection rate at VirusTotal of just 2/47*.... attempted connection to a -hijacked- GoDaddy domain drippingstrawberry .com hosted on 64.50.166.122 (LunarPages, US) with quite a lot of other hijacked domains. Blocking or monitoring traffic to this IP could stop the infection, URLquery shows** some of the things going on with this server.
    Recommended blocklist:
    64.50.166.122 ..."
    (More URLs listed at the dynamoo URL above.)
    * https://www.virustotal.com/en/file/e...is/1378926663/

    ** http://urlquery.net/search.php?q=64....3-09-11&max=50

    - https://www.virustotal.com/en/ip-add...2/information/
    ___

    Xerox WorkCentre Pro SPAM
    - http://threattrack.tumblr.com/post/6...entre-pro-spam
    Sep 11, 2013 - "Subjects Seen:
    Scanned Image from a Xerox WorkCentre
    Typical e-mail details:
    Please open the attached document. It was scanned and sent to you using a Xerox WorkCentre Pro.
    Sent by: <e-mail domain>
    Number of Images: 3
    Attachment File Type: ZIP [PDF]
    WorkCentre Pro Location: Machine location not set
    Device Name:
    Attached file is scanned image in PDF format.


    Malicious File Name and MD5:
    Scan_<random>.zip (1BE34606E5B1D54C5E394982A3DD8965)
    scanned_doc_<date>.exe (2E318671CEC024166586943AD04520C1)

    Screenshot: https://gs1.wac.edgecastcdn.net/8019...f951qz4rgp.png
    ___

    Fake AVG Android Apps ...
    - http://blogs.avg.com/mobile-2/exampl...-android-apps/
    Sep 9, 2013 - "Our mobile security research team has found at least 33 applications that contain aggressive advertising components in the official Google Play store. The developers of these applications choose to imitate well-known companies like Google, Microsoft, Twitter, AVG among others. Here’s an example of some applications found in Google Play:
    > http://blogs.avg.com/wp-content/uplo...9/Image-11.png
    ... Below you can see another example of a -fake- AVG anti-virus app that can be found in Google Play:
    > http://blogs.avg.com/wp-content/uplo...09/Image-6.png
    Remember, if you want to pay for a PRO version of an app, you absolutely must make sure that it is the legitimate version of the app you’re looking for... When you install one of these fake applications, it requests the user to change configurations related to the search options:
    > http://blogs.avg.com/wp-content/uplo...9/Image-31.png
    After the user accepts the conditions, commercials for adult services are shown:
    > http://blogs.avg.com/wp-content/uplo...09/Image-4.png
    Later, the app itself offers none of the functionality advertised (such as antivirus protection). This is a new advertising vector that takes advantage of people who might not be familiar with official company accounts... when you look for AVG’s Android solutions on Google Play you might find apps that are -not- released by AVG (the official developer is AVG Mobile) but from opportunistic scammers..."

    - http://www.fireeye.com/blog/technica...d-malware.html
    Sep 10, 2013 - "... Before the advent of advanced malware, we used to see a bunch of fake AV on the windows platform... the same thing will happen in the case of Android malware, where eventually we will start seeing more serious and advanced techniques being employed in mobility. To protect yourself from malicious Android applications, please follow these simple steps:
    1. Disable the “Allow installation of apps from Unknown Sources” setting.
    2. Always install apps from trusted app markets."

    Last edited by AplusWebMaster; 2013-09-11 at 22:13.

  4. #274

    Fake QuickBooks, AV, inTuit SPAM emails...

    FYI...

    Fake QuickBooks SPAM / Invoice_20130912.zip
    - http://blog.dynamoo.com/2013/09/quic...130912zip.html
    12 Sep 2013 - "This fake QuickBooks spam has a malicious attachment:
    Date: Thu, 12 Sep 2013 20:29:17 +0200 [14:29:17 EDT]
    From: QuickBooks Invoice [auto-invoice@ quickbooks .com]
    Subject: Important - Payment Overdue
    Please find attached your invoices for the past months. Remit the payment by 09/16/2013 as outlines under our "Payment Terms" agreement.
    Thank you for your business,
    Sincerely,
    Quentin Sprague ...


    The attachment is Invoice_20130912.zip which in turn contains a malicious executable Invoice_20130912.exe (note the date is encoded into the filename). The detection rate at VirusTotal is just 3/46*... the file attempts to communicate with the domain leightongriffiths .com on an apparently compromised server at 64.50.166.122 which has been seen before. Given that there are now several domains serving malware on the same server**... it is probably safe to assume that all the domains on that server are malicious and should be blocked.
    Recommended blocklist:
    64.50.166.122 ..."
    * https://www.virustotal.com/en/file/5...is/1379012535/

    ** https://www.virustotal.com/en/ip-add...2/information/
    ___

    Fake Online Message - Mint Internet Banking
    - http://security.intuit.com/alert.php?a=86
    9/12/13 - "People are receiving fake emails with the title "Online Message from Mint Internet Banking' ...
    > http://security.intuit.com/images/mint.jpg
    ... This is the end of the fake email.
    Steps to Take Now
    Do not open the attachment in the email...
    Delete the email..."
    ___

    Fake AV and PRISM warning on hijacked website
    - http://research.zscaler.com/2013/09/...-hijacked.html
    Sep 9, 2013 - "While many individuals are concerned about privacy in light of PRISM, some malicious actors are using the program to scare naive users into installing ransomware. Since August 23rd, we have seen about 20 domains that carry FakeAV and Ransomware. These websites seem to have been hijacked. They are all hosting the malicious content over port 972 and use similar URL patterns. Here are a couple examples:
    kringpad.websiteanddomainauctions .com:972/lesser-assess_away-van.txt?e=20
    miesurheilijaaantidiabetic.conferencesiq .com:972/realism_relinquish-umbrella-gasp.txt?e=21
    squamipi.worldcupbasketball .net:972/duty_therefore.txt?e=21
    The malicious files seem to be changing. It started with the classic FakeAV, then switched to a fake PRISM warning. In both cases, the goal is to scare the target into paying the attacker to "fix" their computer... FakeAV remains a popular technique to lure targets into paying attackers...
    - FakeAV scan of the computer
    > https://lh3.ggpht.com/-XH8fcTYMAPQ/U...av-2103-1.jpeg
    - FakeAV claims to have found threats
    > https://lh3.ggpht.com/-4jJX3X52nRw/U...av-2013-2.jpeg
    The scan claims to have found 18 threats. Two have been cured, but the victim must -pay- to get the remaining 16 threats taken care of...
    PRISM warning... The attacker uses the recent news about PRISM to claim that the victim's computer has been blocked because it accessed illegal pornographic content. The victim has to pay $300 through MoneyPak, a prepaid card service...
    - No less than 5 federal agencies are "blocking" your computer!
    > https://lh3.ggpht.com/-_QJ4pSmyYqw/U...0/prism-1.jpeg
    - Victim needs to pay up $300 to get his computer back.
    > https://lh3.ggpht.com/-C4h73XCNJLM/U...0/prism-2.jpeg
    Both malware connect to the same couple of IP addresses over ports 80 and 443 that include:
    37.139.53.199
    64.120.167.162
    64.191.122.10

    I expect attackers to take advantages of the upcoming UK laws on accessing adult content online to send new types of fake warnings to UK victims."

    Last edited by AplusWebMaster; 2013-09-13 at 01:52.

  5. #275

    Fake Walls Fargo, eFax SPAM...

    FYI...

    Fake Walls Fargo SPAM- / WellsFargo - Important Documents.zip
    - http://blog.dynamoo.com/2013/09/wall...important.html
    16 Sep 2013 - "This fake Wells Fargo spam has a malicious attachment:
    Date: Mon, 16 Sep 2013 09:26:51 -0500 [10:26:51 EDT]
    From: Harrison_Walsh @ wellsfargo .com
    Subject: IMPORTANT Documents - WellsFargo
    Please review attached documents.
    Harrison_Walsh
    Wells Fargo Advisors
    817-674-9414 office
    817-593-0721 cell Harrison_Walsh @wellsfargo .com
    Investments in securities and insurance products are:
    NOT FDIC-INSURED/NO BANK-GUARANTEES/MAY LOSE VALUE
    Wells Fargo Advisors, LLC is a nonbank affiliate of Wells Fargo & Company, Member
    FINRA/SIPC. 1 North Jefferson, St. Louis, MO 63103 ...


    Attached is a ZIP file called WellsFargo - Important Documents.zip which in turn contains a malicious executable WellsFargo - Important Documents.exe which has a very low VirusTotal rate of 2/47*. Automated analysis tools... detect network traffic to [donotclick]www .c3dsolutions .com hosted on 173.229.1.89 (5Nines LLC, US). At present I do not have any evidence of further malware sites on that server."
    * https://www.virustotal.com/en/file/d...is/1379342203/
    ___

    ZeuS/ZBOT: Most Distributed malware by Spam in August
    - http://blog.trendmicro.com/trendlabs...pam-in-august/
    Sep 16, 2013 - "... resurgence of online banking malware, in particular the increase of ZeuS/ZBOT variants during the quarter. While ZeuS/ZBOT has been around for some time, its prevalence shows that it is still a big threat to end users today. For the month of August, 23% of spam with malicious attachments were found carrying ZeuS/ZBOT variants, while 19% served FAREIT variants. ZeuS/ZBOT variants also had the distinction of being the most distributed malware by IPs related to spam botnets. It is also associated with various worm families that can spread itself or other malware families via email. A system infected with ZeuS/ZBOT may be infected with about five other worm variants like WORM_MYDOOM, WORM_VB, and WORM_BAGLE...
    Malware families spread by spam
    > http://blog.trendmicro.com/trendlabs...percentage.jpg
    ... the majority of spam carrying either ZeuS/ZBOT or FAREIT looked more like legitimate messages, and were likely to supposedly come from well-known brands or companies.
    > http://blog.trendmicro.com/trendlabs...it-254x300.jpg
    Once installed, Zeus/ZBOT variants are known to monitor users’ browsing behavior pertaining to visits to specific online banking sites. If users visit these sites and try to log in using their credentials, the malware injects additional fields for users to fill out and then steals this information. Cybercriminals can then use this stolen data to either initiate unauthorized transactions or sell it in the underground market. FAREIT is another data-stealing malware that gathers email and FTP login credentials. This malware can also download other malware variants, including Zeus/ZBOT..."
    ___

    Fake eFax SPAM / rockims .com
    - http://blog.dynamoo.com/2013/09/efax...ockimscom.html
    16 Sep 2013 - "This fake eFax spam leads to malware on rockims .com:
    Date: Mon, 16 Sep 2013 22:43:06 +0400 [14:43:06 EDT]
    From: eFax Corporate [message@ inbound .efax .com]
    Subject: Corporate eFax message - 1 pages
    Warning: This message may not be from whom it claims to be. Beware of following any links in it or of providing the sender with any personal information.
    Fax Message [Caller-ID: 854-349-9584]
    You have received a 1 pages fax at 2013-16-09 01:11:11 CST.
    * The reference number for this fax is latf1_did11-1237910785-2497583013-24.
    View this fax using your PDF reader.
    Click here to view this message ...
    Thank you for using the eFax service! ...


    Screenshot: https://lh3.ggpht.com/-g0-MrOF8Xvw/U...s1600/efax.png

    The link in the email goes through a legitimate hacked site and then runs one of the following three scripts:
    [donotclick]die-web-familie.homepage.t-online .de/quasar/monte.js
    [donotclick]dim-kalogeras-ka-lar.schools .ac .cy/initials/casanovas.js
    [donotclick]ade-data .com/exuded/midyear.js
    These then lead to a malware payload at [donotclick]rockims .com/topic/seconds-exist-foot.php which is a -hijacked- GoDaddy domain hosted on 192.81.133.143 (Linode, US) along with quite a few other hijacked domains...
    Recommended blocklist:
    192.81.133.143 ..."
    (More URLs listed at the dynamoo URL above.)

    - https://www.virustotal.com/en/ip-add...3/information/

    Last edited by AplusWebMaster; 2013-09-16 at 23:03.

  6. #276

    Amazon Gift Card phish, Fake ADP, FedEx, FDIC SPAM ...

    FYI...

    Amazon Gift Card -phish- ...
    - http://www.threattracksecurity.com/i...uri-technique/
    Sep 17, 2013 - "Be wary of emails landing in mailboxes claiming to offer up “complimentary £50 gift cards” from Amazon. The mails, which claim to come from redeemATamazon(dot)co(dot)uk...
    > http://www.threattracksecurity.com/i...nfakemail1.jpg
    The mails are nice and professional looking, and the only real giveaway is that hovering over the “Redeem gift card” button displays a Tinyurl link -instead- of the expected Amazon URL... Clicking the Tinyurl link takes end-users to a very nice looking set of pages designed to offer up the so-called gift card, then extract personal information including cc number and name / address / dob... Once end-users have selected their card design, they’re suddenly informed that “Our constant security review has shown us that your account has been inactive. Please confirm your updated card information below. Once your details have been confirmed with our system, we will then post your free gift card to you” …along with a message that their card has expired and a billing information update is required... The concept of using this in a phish attack has been around for a while, but it isn’t too often you come across them... Amazon themselves list a lot of scam types on their Security & Privacy page* so you may want to familiarise yourselves with those. As always, if it sounds too good to be true then it probably is..."
    * http://www.amazon.co.uk/gp/help/cust...0954895&sr=1-1
    ___

    Fake ADP SPAM / ADP_831290760091.zip
    - http://blog.dynamoo.com/2013/09/adp-...760091zip.html
    17 Sep 2013 - "This fake ADP spam has a malicious attachment:
    Date: Tue, 17 Sep 2013 20:32:04 +0530 [11:02:04 EDT]
    From: ADP ClientServices
    Subject: ADP - Reference #831290760091
    Priority: High Priority 1 (High)
    We were unable to process your recent transaction. Please verify your details and try again.
    If the problem persists, contact us to complete your order.
    Transaction details are shown in the attached file.
    Reference #831290760091
    This e-mail has been sent from an automated system.
    PLEASE DO NOT REPLY...


    Attached to the email is a file called ADP_831290760091.zip which in turn contains ADP_Reference_09172013.exe which has a VirusTotal detection rate of 9/48*. Automated analysis [1] [2] [3] shows a connection attempt to awcoomer .com on 78.157.201.219 (UK Dedicated Servers Ltd, UK). I don't have any evidence of further infections on this server; it does host 30+ legitimate UK sites if that helps..."
    * https://www.virustotal.com/en-gb/fil...is/1379432239/

    1) https://malwr.com/analysis/MDM2MmVmY...EyODIzZjE5YTI/

    2) http://camas.comodo.com/cgi-bin/subm...22bd70bf2285ae

    3) http://anubis.iseclab.org/?action=re...77&format=html
    ___

    FedEx spam FAIL
    - http://blog.dynamoo.com/2013/09/fedex-spam-fail.html
    17 Sep 2013 - "This fake FedEx spam is presumably -meant- to have a malicious payload:
    Date: Tue, 17 Sep 2013 13:02:25 +0000 [09:02:25 EDT]
    From: webteam@ virginmedia .com
    Subject: Your Rewards Order Has Shipped
    Headers: Show All Headers
    This is to confirm that one or more items in your order has been shipped. Note that multiple items in an order may be shipped separately.
    You can review complete details of your order on the Order History page
    Thanks for choosing FedEx.
    Order Confirmation Number: 0410493
    Order Date: 09/15/2013
    Redemption Item Quantity Tracking Number
    Paper, Document 16 <
    fedex.com Follow FedEx:
    You may receive separate e-mails with tracking information for reward ordered...


    Screenshot: https://lh3.ggpht.com/--53hJkHQbuU/U...1600/fedex.png

    Presumably there is meant to be a malicious link or attachment, but there isn't. However, the bad guys will probably use the same template again with a WORKING payload, so please take care."
    ___

    FDIC Spam
    - http://threattrack.tumblr.com/post/6...9698/fdic-spam
    Sep 17, 2013 - "Subjects Seen:
    FDIC: About your business account
    FDIC: Your business account

    Typical e-mail details:
    Dear Business Customer,
    We have important information about your bank.
    Please View to view detailed information.
    This includes information on the acquiring bank (if applicable), how your accounts and loans are affected, and how vendors can file claims against the receivership


    Malicious URLs
    data.texosn .ru/insurance.problem.html
    no-mice .ru/insurance.problem.html
    fdic.gov.horse-mails .net/news/fdic-insurance.php


    Screenshot: https://gs1.wac.edgecastcdn.net/8019...KjB1r6pupn.png

    - http://blog.dynamoo.com/2013/09/fdic...-mailsnet.html
    17 Sep 2013 - "This fake FDIC spam leads to malware on www .fdic.gov.horse-mails .net:
    Date: Tue, 17 Sep 2013 15:28:52 +0330 [07:58:52 EDT]
    From: insurance.coverage@ fdic .gov
    Subject: FDIC: About your business account
    Dear Business Customer,
    We have important news regarding your financial institution.
    Please View to see further details.
    This includes information on the acquiring bank (if applicable), how your accounts and loans are affected, and how vendors can file claims against the receivership
    FDÌC Questions for FDÌC?
    Contact Us...
    Federal Insurance Company · 3501 Fairfax Drive · Arlington VA 22225 ...


    Screenshot: https://lh3.ggpht.com/-YGld7C9xZtw/U...s1600/fdic.png

    The link goes through a legitimate -hacked- site and onto a malware landing page at [donotclick]www.fdic.gov.horse-mails .net/news/fdic-insurance.php which belongs to the Amerika gang and is hosted on the following IPs...:
    37.221.163.174 (Voxility S.R.L., Romania)
    95.111.32.249 (Megalan / Mobiltel EAD, Bulgaria)
    109.71.136.140 (OpWan SARL, France)
    174.142.186.89 (iWeb Technologies, Canada)
    216.218.208.55 (Hurricane Electric, US) ...
    new feature (pictured below)
    > https://lh3.ggpht.com/-IXC9yHDKq48/U...-detection.png
    Recommended blocklist...:
    ..."

    Last edited by AplusWebMaster; 2013-09-17 at 23:46.
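The posts above describe the same handful of URL tricks several times: hostnames that begin with a trusted name but belong to a different registrable domain (www.fdic.gov.horse-mails .net in #276, www.fiscdp .com.airfare-ticketscheap .com in #272), FakeAV/PRISM pages served on port 972 (#274), and a "Redeem gift card" button that leads to TinyURL instead of Amazon (#276). The following is an added example, not code from this thread or from the blogs it quotes: a small Python checker for those three patterns, run over constructed samples taken from the defanged indicators quoted above. The brand list, the tiny public-suffix stand-in and the TinyURL slug are assumptions.

```python
"""Flag brand-prefix hostnames, non-standard ports and link/brand mismatches.

Added example: runs offline over constructed samples built from the
defanged indicators quoted in the thread. The suffix and brand lists are
deliberately tiny stand-ins (an assumption), not a real public-suffix list.
"""
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed: brand domains the spam samples in this thread impersonate.
KNOWN_BRANDS = {"fdic.gov", "fiscdp.gov", "usps.com", "wellsfargo.com",
                "efax.com", "bbb.org", "quickbooks.com", "amazon.co.uk"}
# Assumption: minimal stand-in for the public-suffix list, enough for the samples.
MULTI_LABEL_SUFFIXES = {"co.uk", "ac.cy"}
# Labels that look like a TLD when they appear *inside* a hostname.
TLD_LIKE = {"com", "net", "org", "gov", "edu", "co", "uk", "de", "ru", "info", "biz"}


def refang(indicator: str) -> str:
    """Undo the defanging styles used in the thread: 'example .com', '(dot)',
    '[.]', 'hxxp' and the '[donotclick]' marker; add a scheme if missing."""
    s = indicator.strip().replace("[donotclick]", "")
    s = s.replace(" .", ".").replace("(dot)", ".").replace("[.]", ".")
    s = s.replace("hxxps://", "https://").replace("hxxp://", "http://")
    if "://" not in s:
        s = "http://" + s
    return s


def labels_of(host: str) -> List[str]:
    return host.lower().rstrip(".").split(".")


def registrable_domain(host: str) -> str:
    """eTLD+1 under the stand-in suffix list (e.g. www.amazon.co.uk -> amazon.co.uk)."""
    labels = labels_of(host)
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def embedded_domains(host: str) -> List[str]:
    """Domain-looking label pairs that sit *before* the real registrable domain,
    e.g. www.fdic.gov.horse-mails.net -> ['fdic.gov']. A plain
    kringpad.websiteanddomainauctions.com yields nothing."""
    labels = labels_of(host)
    suffix_len = len(registrable_domain(host).split("."))
    found = []
    # the pair (i, i+1) must end strictly before the real registrable domain starts
    for i in range(len(labels) - suffix_len - 1):
        if labels[i + 1] in TLD_LIKE:
            found.append(f"{labels[i]}.{labels[i + 1]}")
    return found


def check_link(indicator: str, claimed_brand: Optional[str] = None) -> List[str]:
    """Return human-readable findings for one URL; an empty list means nothing
    was flagged. claimed_brand is the domain the link text or button purports
    to lead to (the Amazon phish: button says Amazon, href goes to TinyURL)."""
    parts = urlsplit(refang(indicator))
    host = parts.hostname or ""
    reg = registrable_domain(host)
    findings = []
    for fake in embedded_domains(host):
        tag = " (known brand)" if fake in KNOWN_BRANDS else ""
        findings.append(f"host embeds {fake}{tag} but registrable domain is {reg}")
    if parts.port not in (None, 80, 443):
        findings.append(f"non-standard port {parts.port}")
    if claimed_brand and reg != claimed_brand.lower():
        findings.append(f"link claims {claimed_brand} but resolves to {reg}")
    return findings


# Constructed samples from the defanged indicators quoted in the thread; the
# TinyURL slug is a placeholder, not the one used in the Amazon phish.
SAMPLES: List[Tuple[str, Optional[str]]] = [
    ("[donotclick]www.fiscdp .com.airfare-ticketscheap .com/news/opens_heads_earlier.php", None),
    ("www.fdic.gov.horse-mails .net/news/fdic-insurance.php", None),
    ("kringpad.websiteanddomainauctions .com:972/lesser-assess_away-van.txt?e=20", None),
    ("http://tinyurl.com/PLACEHOLDER", "amazon.co.uk"),
    ("https://www.amazon.co.uk/gp/help/customer/", "amazon.co.uk"),  # benign control
]


def scan(samples=SAMPLES) -> Dict[str, List[str]]:
    """Run check_link over (indicator, claimed_brand) pairs."""
    return {ind: check_link(ind, brand) for ind, brand in samples}


if __name__ == "__main__":
    for ind, findings in scan().items():
        print(ind, "->", findings or ["ok"])
```

The checks are heuristics for triage, not a replacement for the blocklists the posts give: a hostname with an embedded brand domain or an odd port is worth a closer look, and the benign Amazon control shows the rules stay quiet on the real site.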

  7. #277

    Ajax Oracle Quotation Spam, 219.235.1.127, Beta Bot malware, Java 6 exploit ...

    FYI...

    Ajax Oracle Quotation Spam
    - http://threattrack.tumblr.com/post/6...quotation-spam
    Sep 20, 2013 - "Subjects Seen:
    my subject
    Typical e-mail details:
    Dear Sir/Madam
    I am the Purchase Manager of AJAX ORACLE TRADING COMPANY LTD.We are a
    major trading company located in Ontario Canada.
    We are interested in purchasing your products as exactly shown in the DATA
    SHEET as attached in this mail. Please check and get back to us as soon as
    possible with your last price, payment terms and delivery time.
    Your response will be highly appreciated.
    Sincerely Yours.
    Danny Davies
    Sales Department
    Ajax Oracle Trading Co.Ltd


    Malicious File Name and MD5:
    Quotation.zip (85E02878328919ABE4BB01FDEBD90E6)
    Quotation.scr (3B56864260399FBB0259F817749E959C)

    Screenshot: https://gs1.wac.edgecastcdn.net/8019...zKD1r6pupn.png
    ___

    WhatsApp "3 New Voicemail(s)" spam and 219.235.1.127
    - http://blog.dynamoo.com/2013/09/what...-spam-and.html
    20 September 2013 - "I am indebted to Gary Warner for his analysis* of this malware... This malware is particularly cunning...
    > https://lh3.ggpht.com/-b6Aj4avuPQc/U...0/whatsapp.png
    ... it is possible that clicking the link installs the malware without asking on certain devices. The VirusTotal score for this .apk is a pretty healthy 21/48**, but who runs anti-virus software on their Android?... the application certainly seems to send traffic to 219.235.1.127 (Shanghai QianWan Network, China) which is probably a darned good candidate for blocking (if you can). This IP has been spotted with PC-based fake AV programs before... Although mobile malware is getting more common, this is the first time that I have seen an attack like this. All smartphone and tablet users need to be aware of the very real risks of malware on their devices and should take the appropriate steps to keep themselves safe."
    (More detail at the dynamoo URL above.)
    * http://garwarner.blogspot.com/2013/0...s-android.html

    ** https://www.virustotal.com/en/file/1...is/1379711360/
    ___

    Shylock Financial Malware Back and Targeting Two Dozen Major Banks
    - https://atlas.arbor.net/briefs/index#-1822006250
    Elevated Severity
    September 20, 2013 21:24
    The Shylock banking trojan malware, also known as Caphaw, is active and targeting at least twenty-four banking institutions.
    Analysis: Shylock has "man in the browser" capabilities whereby it takes over the user's system during banking transactions to commit fraud. As the fraud comes from the authorized user from the authorized system, the deviceprint is no longer a useful indicator of malicious activity. Shylock is increasing in popularity and is now aimed at more targets. Previously, it had a smaller number of regional targets.
    Source: http://threatpost.com/shylock-financ...r-banks/102343
    "... researchers provided the list of 24 banks being targeted..."
    ___

    Beta Bot malware blocks users A/V ...
    - http://www.ic3.gov/media/2013/130918.aspx
    Sep 18, 2013 - "The FBI is aware of a new type of malware known as Beta Bot. Cyber criminals use Beta Bot to target financial institutions, e-commerce sites, online payment platforms, and social networking sites to steal sensitive data such as log-in credentials and financial information. Beta Bot blocks computer users’ access to security websites and disables anti-virus programs, leaving computers vulnerable to compromise. Beta Bot infection vectors include an illegitimate but official looking Microsoft Windows message box named “User Account Control” that requests a user’s permission to allow the “Windows Command Processor” to modify the user’s computer settings. If the user complies with the request, the hackers are able to exfiltrate data from the computer. Beta Bot is also spread via USB thumb drives or online via Skype, where it -redirects- the user to compromised websites...
    > https://www.ic3.gov/images/130918.png
    Although Beta Bot masquerades as the “User Account Control” message box, it is also able to perform modifications to a user’s computer. If the above pop-up message or a similar prompt appears on your computer and you did not request it or are not making modifications to your system’s configuration, do not authorize “Windows Command Processor” to make any changes.
    Remediation strategies for Beta Bot infection include running a full system scan with up-to-date anti-virus software on the infected computer. If Beta Bot blocks access to security sites, download the latest anti-virus updates or a whole new anti-virus program onto an uninfected computer, save it to a USB drive and load and run it on the infected computer. It is advisable to subsequently re-format the USB drive to remove any traces of the malware."
    - https://atlas.arbor.net/briefs/index#64584071
    Title: FBI Warning Users About Beta Bot Malware
    Published: Fri, 20 Sep 2013 21:24:05 +0000
    The Beta Bot malware has caught the attention of the FBI, who have issued a warning bulletin.
    ___

    Backdoor installed via Java 6 exploit...
    - http://blog.trendmicro.com/trendlabs...-java-exploit/
    Sep 20, 2013 - "... this backdoor is installed using Java exploits; either drive-by downloads or compromised web sites may be used to deliver these exploits to user systems. This affects unsupported Java 6 users, meaning they’re at -extreme- risk since no patch will be available. Our research shows that the servers behind these attacks are mainly centered in Romania and Turkey. Currently, this threat is primarily hitting users in the United States; however it seems that consumers (as opposed to businesses) are the most affected... we found a Java exploit that was used to spread this attack. This particular exploit, detected as JAVA_EXPLOYT.HI, can be used to run arbitrary code. It exploits a vulnerability, CVE-2013-1493*, that has been exploited since February 2013. It was patched in March... The installer attempts to connect to three servers every 3 seconds, until it successfully downloads the backdoor component. If it fails, it will retry up to 32 times before it gives up... it provides instant feedback on the status of the install by accessing a URL on the malicious server, which actually serves as a status report..."
    * https://web.nvd.nist.gov/view/vuln/d...=CVE-2013-1493 - 10.0 (HIGH)
    Last revised: 08/22/2013

    Last edited by AplusWebMaster; 2013-09-22 at 01:06.

  8. #278

    Thumbs down Fake FDIC emails, FBI ransomware ...

    FYI...

    Fake FDIC emails serve client-side exploits and malware ...
    - http://www.webroot.com/blog/2013/09/...loits-malware/
    Sep 23rd, 2013 - "Cybercriminals are mass mailing tens of thousands of malicious Federal Deposit Insurance Corporation (FDIC) themed emails, in an attempt to trick users into clicking on the client-side exploits serving and malware dropping URLs found in the bogus emails...
    Sample screenshot of the spamvertised email:
    > https://www.webroot.com/blog/wp-cont...ngineering.png
    Sample redirection chain: hxxp ://stranniki-music .ru/insurance.problem.html (62.173.142.30) -> hxxp ://www.fdic .gov.horse-mails .net/news/fdic-insurance.php (174.142.186.89; 216.218.208.55; 109.71.136.140; 37.221.163.174; 95.111.32.249) Email: comicmotors@ writeme .com ... MD5 for a sample served client-side exploit: MD5: 92897ad0aff69dee36dc22140bf3d8a9*. Sample MD5 for the dropped malware: MD5: 7b6332de90e25a5b26f7c75910a22e0c**. Once executed, the sample phones back to... C&C servers..."
    (More detail at the webroot URL above.)
    * https://www.virustotal.com/en/file/b...519a/analysis/
    Detection ratio: 28/48
    ** https://www.virustotal.com/en/file/0...f652/analysis/
    Detection ratio: 9/48
    ___

    FBI Ransomware forcing child porn on infected computers
    - http://www.webroot.com/blog/2013/09/...ted-computers/
    Sep 23, 2013 - "... new, very malicious form of FBI Ransomware that forces the users of infected machines to look at illegal imagery, taking the scare tactics to the next level..."
    Video 2:27: https://www.youtube.com/embed/FAoRSLvtkA4
    ___

    LinkedIn Invitation Spam
    - http://threattrack.tumblr.com/post/6...nvitation-spam
    Sep 23, 2013 - "Subjects Seen:
    Invitation to connect on LinkedIn
    Typical e-mail details:
    <removed> wants to connect with you on LinkedIn.

    Malicious URLs
    67.215.196.13 /images/wp-gdt.php?x1MVGHILHO0IT6347
    exitdaymonthyear .biz/closest/i9jfuhioejskveohnuojfir.php


    Screenshot: https://gs1.wac.edgecastcdn.net/8019...HBA1r6pupn.png

    - https://www.virustotal.com/en/ip-add...3/information/

    Tagged: Blackhole, Sirefef, LinkedIn

    Last edited by AplusWebMaster; 2013-09-23 at 22:16.

  9. #279

    Thumbs down Fake DivX plug-in leads to Malware ...

    FYI...

    Fake DivX plug-in leads to Malware ...
    - http://www.threattracksecurity.com/i...pping-malware/
    Sep 23, 2013 - "Fans of semi-humorous Internet videos be warned: there’s a batch of files doing the rounds which pretend to be image files acting as DivX plug-ins... Sites pushing the files will claim you have the wrong type of DivX Plugin installed, with a new one being required to view the content. The first port of call (now replaced by a page-full of Javascript which we’re taking a look at) is / was located at sjsinternational(dot)com/shirleen
    > http://www.threattracksecurity.com/i...09/fbdivx1.jpg
    “DivX plug-in required!
    You don’t have the plugin required to view the video
    Save the video and run it locally”

    A rogue file – which appears to have been compiled in Russia – will be offered up to the end-user, typically offering up filenames that suggest photographs of a lewd and / or salacious nature. The files come from a .ua URL... one of the oldest tricks in the book is being used here – all the files claim to be gifs, jpegs and tif files, when they are (of course) anything but. Elsewhere on the same domain, we have a page which claims “You need to download and execute the Facebook app to see it! It’s amazing!” with yet another file being offered up. This page is still active, and located at sjsinternational(dot)com/marguerite.html
    > http://www.threattracksecurity.com/i...09/fbdivx2.jpg
    ... various URLs serving up the Malware have been very busy... More often than not, “Run this file to see a picture” results in no pictures and lots of files (bad ones, at that). This one is at least a little bit unusual if only because the end-user receives a (not very impressive) “reward” at the end of the hoop jumping. However, that reward comes loaded with Malware and should be avoided at all costs, whether posing as image files, Facebook apps or anything else you care to mention."
    ___

    Fake Wire Transfer SPAM / INTL_Wire_Report-09242013.zip
    - http://blog.dynamoo.com/2013/09/inte...sfer-spam.html
    24 Sep 2013 - "This fake wire transfer spam has a malicious attachment:
    Date: Tue, 24 Sep 2013 10:54:32 -0700 [13:54:32 EDT]
    From: Wells Fargo Event Messaging Admin [ofsrep.ceoemigw@ wellsfargo .com]
    Subject: International Wire Transfer File Not Processed
    We are unable to process your International Wire Transfer request due to insufficient funds in the identified account.
    Review the information below and contact your Relationship Manager if you have questions, or make immediate arrangements to fund the account. If funds are not received by 09/24/2013 03:00 pm PT, the file may not be processed.
    Please view the attached file for more details on this transaction.
    Any email address changes specific to the Wire Transfer Service should be directed to Treasury Management Client Services at 1-800-AT-WELLS (1-800-289-3557).
    Event Message ID: S203-8767457
    Date/Time Stamp: Tue, 24 Sep 2013 10:54:32 -0700 ...


    Attached is a ZIP file called INTL_Wire_Report-09242013.zip which in turn contains a malicious executable INTL_Wire_Report-09242013.exe (note the date is encoded into the filename). The VirusTotal results show a so-so detection rate of 9/48*... network traffic to ta3online .org on 108.168.164.202 (Softlayer, US) which is some sort of compromised legitimate site. Blocking EXE-in-ZIP files at your network perimeter is absolutely the best way of avoiding malware attacks like this."
    * https://www.virustotal.com/en/file/c...is/1380058931/
    ___

    Threat Outbreak Alerts
    - http://tools.cisco.com/security/cent...utbreak.x?i=77
    Fake Wire Transfer Failure Notification Email Messages - 2013 Sep 24
    Fake Payment Information Email Messages - 2013 Sep 24
    Fake Unpaid Debt Invoice Email Messages - 2013 Sep 24
    Email Messages with Malicious Attachments - 2013 Sep 24
    Email Messages with Malicious Attachments - 2013 Sep 24
    Fake Shipping Order Information Email Messages - 2013 Sep 24
    Fake Picture Delivery Email Messages - 2013 Sep 24
    Fake Account Payment Notification Email Messages - 2013 Sep 24
    Fake Fax Document Delivery Email Messages - 2013 Sep 24
    Fake Media File Sharing Email Messages - 2013 Sep 24
    Fake Bank Payment Information Email Messages - 2013 Sep 24
    Fake Package Delivery Failure Notification Email Messages - 2013 Sep 24
    Malicious Personal Pictures Attachment Email Messages - 2013 Sep 24
    (More detail and links at the cisco URL above.)

    Last edited by AplusWebMaster; 2013-09-25 at 02:28.

  10. #280

    Thumbs down Fake Intuit, AICPA SPAM ...

    FYI...

    Fake Intuit SPAM / Invoice_3056472.zip
    - http://blog.dynamoo.com/2013/09/intu...056472zip.html
    25 Sep 2013 - "It's an email from a company I have no dealings with, with a ZIP file that contains an EXE file! What could possibly go wrong? Oh..
    Date: Wed, 25 Sep 2013 09:37:48 -0600 [11:37:48 EDT]
    From: Lewis Muller [Lewis.Muller @ intuit .com]
    Subject: FW: Invoice 3056472
    Your invoice is attached.
    Sincerely,
    Lewis Muller
    This e-mail has been sent from an automated system. PLEASE DO NOT REPLY...


    The attachment is Invoice_3056472.zip which in turn contains a malicious file Invoice_092513.exe which has a pretty low VirusTotal detection rate of just 4/48*... the usual sort of badness, including a call home to gidleybuilders .com on 78.157.201.219 (UK Dedicated Servers Ltd, UK) which we also saw being used in an attack last week**. Two compromised domains in a week seems a bit more than a coincidence... legitimate domains are also on that same server..."
    * https://www.virustotal.com/en/file/a...is/1380130529/

    ** http://blog.dynamoo.com/2013/09/adp-...760091zip.html
    ___

    Fake Phish - FW: Invoice 8428502
    - http://security.intuit.com/alert.php?a=87
    9/25/2013 - "Here is a copy of the phishing email people are receiving. Be sure -not- to click any links in the email.

    Please be advised that the attachment (Invoice_092513.exe) received with this email was removed in accordance with the Assante Virus policy. If you are aware of the contents of this attachment and you require it for business reasons please contact the IT Helpdesk (its@assante.com OR 888 955 8886). Please contact the sender if you are unsure of the contents or purpose for the attachment.
    Your invoice is attached.
    Sincerely,
    Cliff Jeffers


    This is the end of the -fake- email..."
    ___

    Fake AICPA SPAM / children-bicycle .net
    - http://blog.dynamoo.com/2013/09/aicp...icyclenet.html
    25 Sep 2013 - "This fake AICPA spam leads to malware on the domain children-bicycle .net:
    From: Reggie Wilkins [blockp12@ clients.aicpa .net]
    Date: 25 September 2013 15:03
    Subject: Your accountant license can be cancelled.
    You're receiving this email as a Certified Public Accountant and a member of AICPA.
    Having trouble reading this email? View it in your browser.
    AICPA logo
    Cancellation of Accountant status due to tax return fraud allegations
    Valued accountant officer,
    We have received a complaint about your recent participation in tax return infringement for one of your employers. According to AICPA Bylaw Subsection 730 your Certified Public Accountant license can be withdrawn in case of the occurrence of filing of a false or fraudulent tax return for your client or employer.
    Please familiarize yourself with the notification below and provide your feedback to it within 14 days. The failure to do so within this term will result in cancellation of your CPA license.
    Complaint.pdf
    The American Institute of Certified Public Accountants...


    Screenshot: https://lh3.ggpht.com/-bGGHCaxMLis/U...1600/aicpa.png

    ... The link in the email goes to a legitimate -hacked- site and then on to a malware payload at [donotclick]www.aicpa.org.children-bicycle .net/news/aicpa-all.php (report here*).. but only if the visitor is running Windows (more of which in a moment). The domain children-bicycle .net is registered with fake WHOIS details and the pattern of the domain marks it out as belonging to the Amerika gang... The payload is hosted on the following IP addresses (all also listed here**):
    24.111.103.183 (Midcontinent Media, US)
    109.71.136.140 (OpWan, France)
    184.82.233.29 (Network Operations Center, US)
    As I mentioned, the code detects the visitor's OS and only sends the victim to the exploit kit if they are running Windows, others end up at the genuine aicpa .org website:
    > https://lh3.ggpht.com/-9WjcD-F-6Hk/U...aicpa-code.png
    Recommended blocklist:
    24.111.103.183
    109.71.136.140
    184.82.233.29
    ..."
    * http://urlquery.net/report.php?id=5941489

    ** http://blog.dynamoo.com/2013/09/malw...k-2492013.html
    ___

    6rf .net and something evil on 198.50.225.121, 85.25.108.10 and 178.33.208.211
    - http://blog.dynamoo.com/2013/09/6rfn...g-evil-on.html
    25 Sep 2013 - "Here are a couple of IPs serving exploit kits.. the case in question is a legitimate site that loads code from 6rf .net and this in turn loads an exploit kit from [donotclick]yandex.ru.sgtfnregsnet.ru and [donotclick]l451l.witnessvacant .biz. The .biz domain in this case is hosted on 198.50.225.121 (OVH, Canada) along with subdomains... That IP hosts various exploit kits* and is suballocated to a Russian customer... Those domains are also associated with some other OVH IPs of 178.33.208.211 and 46.105.166.99 (OVH, France). In both those cases, the OVH range is delegated to another Russian customer... But that's not the only infection that 6rf .net is punting, as there is another malicious domain of [donotclick]yandex .ru.sgtfnregsnet .ru in use (report here**) hosted on 85.25.108.10 (Intergenia AG, Germany). There appears to be at least one other malicious domain on the same server (googlebot .ru ***) which is also serving up an exploit kit... It looks like other malware sites have been hosted on that IP in the past, so I would recommend blocking that too, giving this recommended blocklist:
    46.105.166.99
    85.25.108.10
    178.33.208.211
    198.50.225.121
    6rf .net
    ..."
    (More listed at the dynamoo URL above.)
    * http://urlquery.net/search.php?q=198...3-09-25&max=50

    ** http://urlquery.net/report.php?id=5939386

    *** http://urlquery.net/report.php?id=5924098

    Last edited by AplusWebMaster; 2013-09-26 at 03:44.
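The Dynamoo posts quoted above (the Wells Fargo wire-transfer ZIP in #279 and the Intuit invoice ZIP in #280) both come down to the same advice: block EXE-in-ZIP attachments at the perimeter. The following is an added example, not code from Dynamoo or from this thread, of that check in Python; it judges each ZIP member by extension and by the PE "MZ" magic, so a payload renamed to look like an image (the trick in the DivX post) is still caught. The sample ZIPs are constructed in memory with harmless placeholder bytes.

```python
"""Flag executable content inside ZIP e-mail attachments.

Added example (not code from the Dynamoo posts or this thread). It implements
the perimeter check those posts recommend: reject a ZIP attachment when any
member is a Windows executable, judged by extension AND by the PE "MZ" magic,
so a payload renamed to look like an image or PDF is still caught.
The sample ZIPs below are constructed in memory; no real malware is used.
"""
import io
import zipfile

# Extensions Windows will execute directly (constructed list, not exhaustive).
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
MZ_MAGIC = b"MZ"  # first two bytes of every PE/DOS executable


def member_findings(name: str, head: bytes) -> list[str]:
    """Return reasons a ZIP member looks executable (empty list if clean)."""
    reasons = []
    lower = name.lower()
    ext = "." + lower.rsplit(".", 1)[-1] if "." in lower else ""
    if ext in EXEC_EXTENSIONS:
        reasons.append(f"executable extension {ext}")
    # A double extension such as 'photo.jpg.exe' is caught above; the reverse
    # trick (a real PE named 'photo.jpg') is caught by the magic check below.
    if head.startswith(MZ_MAGIC):
        reasons.append("PE/MZ header")
    return reasons


def scan_zip_attachment(data: bytes) -> dict[str, list[str]]:
    """Map each suspicious member name to its reasons. Empty dict = allow."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(2)  # only the magic bytes are needed
            reasons = member_findings(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_zip(members: dict[str, bytes]) -> bytes:
    """Construct a ZIP in memory from {name: content} (sample-building helper)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples modelled on the attachment names quoted in the thread.
WIRE_REPORT_ZIP = build_zip({"INTL_Wire_Report-09242013.exe": b"MZ\x90\x00" + b"\0" * 60})
INVOICE_ZIP = build_zip({"Invoice_092513.exe": b"MZ" + b"\0" * 30})
MASQUERADE_ZIP = build_zip({"photo.jpg": b"MZ" + b"\0" * 30})  # PE renamed as an image
CLEAN_ZIP = build_zip({"report.pdf": b"%PDF-1.4\n", "notes.txt": b"hello"})

if __name__ == "__main__":
    for label, blob in [("wire", WIRE_REPORT_ZIP), ("invoice", INVOICE_ZIP),
                        ("masquerade", MASQUERADE_ZIP), ("clean", CLEAN_ZIP)]:
        print(label, scan_zip_attachment(blob) or "allow")
```

A mail gateway would call scan_zip_attachment on each ZIP part and quarantine the message when the result is non-empty; nested archives are not unpacked here.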
