
Thread: SPAM frauds, fakes, and other MALWARE deliveries...

  1. #281
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Thumbs down Something evil on 91.231.98.149...

    FYI...

    Something evil on 91.231.98.149 and boats .net
    - http://blog.dynamoo.com/2013/09/some...98149-and.html
    26 Sep 2013 - "This injection attack* [urlquery] on boats .net caught my attention, a nasty bit of injected code pointing to a (now suspended) domain called gamelikeboards .biz hosted on 91.231.98.149 (Neohost.net, Ukraine). Basically, the victim website has code injected pointing to [donotclick]gamelikeboards .biz/_cp/crone/ which cannot be anything good. What do we know about gamelikeboards.biz? As luck would have it, the domain was suspended by the registrar... A look at 91.231.98.0/24 indicates a mix of spammy sites plus a number of local Russian and Ukrainian sites... I don't know what the payload is, but the IP address was also used in this recent malware attack**. The IP and domains are definitely malicious, and I would recommend the following blocklist:
    91.231.98.149
    eschewsramping .biz
    gamelikeboards .biz
    sixteenups .biz
    sorelyzipmagics .biz
    technicaltutoring .biz
    zarazagorakakaxx1 .org
    zarazagorakakaxx2 .com

    * http://urlquery.net/report.php?id=5960880

    ** https://malwr.com/analysis/YjQ1ZmIyN...U2NDU2NDgzNmE/

    Added: it looks like this site has been compromised before*** ..."
    *** http://news.softpedia.com/news/Outdo...k-382161.shtml
    ___

    Print A Tree, Pop An Ad
    - http://www.threattracksecurity.com/i...t-tree-pop-ad/
    Sep 26, 2013 - "... We first noticed this one as part of a larger Installcore bundler from a pop up on a “free video” site:
    > http://www.threattracksecurity.com/i...treeprint5.png
    ...
    > http://www.threattracksecurity.com/i...treeprint6.jpg
    Quite what our chosen subject matter has to do with videos I’ve no real idea, but never let relevance detract from an Adware bundle. Here it is during the main install of “FLV Player Setup”, and it is called “Print-A-Tree”.
    > http://www.threattracksecurity.com/i...treeprint2.jpg
    ... Some of the other programs installed from the Installcore bundle included Web Connect (Yontoo variant), Bonanza Deals and O-to-Lyrics... This is where things go horribly wrong, because not only do you have ads injected onto numerous websites, you also end up with pop-ups which often lead to additional installs (with additional Adware!)... The pop-up ad promotes a web browser which will offer up more adware at install, to sit alongside whatever applications you happen to have on board from the first bundle... You can see more about the original bundler file over at VirusTotal*, which currently has it pegged at 8/41..."
    * https://www.virustotal.com/en/file/4...is/1380126410/
    File name: FlvPlayerSetup.exe_
    Detection ratio: 8/41 ...
    ___

    Threat Outbreak Alerts
    - http://tools.cisco.com/security/cent...utbreak.x?i=77
    Fake Xerox Scan Attachment Email Messages - 2013 Sep 26
    Fake Package Delivery Invoice Notification Email Messages - 2013 Sep 26
    Fake Account Payment Notification Email Messages - 2013 Sep 26
    Fake Package Delivery Failure Notification Email Messages - 2013 Sep 26
    Fake Sales Receipt Notification Email Messages - 2013 Sep 26
    Fake Product Order Email Messages - 2013 Sep 26
    Fake Voice Messages Delivery Email Messages - 2013 Sep 26
    Fake Electronic Payment Cancellation Email Messages - 2013 Sep 26
    Fake Purchase Order Request Email Messages - 2013 Sep 26
    Fake Product Requirements List Email Messages - 2013 Sep 26
    Fake Product Sample Request Email Messages - 2013 Sep 26
    Blank Email Messages with Malicious Attachments - 2013 Sep 26
    Fake Financial Document Delivery Email Messages - 2013 Sep 26
    (More detail and links at the cisco URL above.)

    Last edited by AplusWebMaster; 2013-09-27 at 00:31.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #282
    Adviser Team AplusWebMaster

    Thumbs down More Fake Facebook SPAM ...

    FYI...

    Fake Facebook SPAM / directgrid .org
    - http://blog.dynamoo.com/2013/09/face...fications.html
    27 Sep 2013 - "This fake Facebook spam leads to malware on directgrid .org:
    Date: Fri, 27 Sep 2013 16:22:58 +0300 [09:22:58 EDT]
    From: Facebook [notification+W85BNFWX @facebookmail .com]
    Subject: You have 21 friend suggestions, 11 friend requests and 14 photo tags
    facebook
    You have new notifications.
    A lot has happened on Facebook since you last logged in. Here are some notifications
    you've missed from your friends.
    3 messages
    11 friend requests
    21 friend suggestions
    14 photo tags
    View Notifications
    Go to Facebook ...


    Screenshot: https://lh3.ggpht.com/-7H6j4ml6nRk/U.../facebook2.png

    The link in the email goes through a legitimate (but hacked) site and then loads one of the following three scripts:
    [donotclick]3dbrandscapes .com/starker/manipulator.js
    [donotclick]dtwassociates .com/marry/sullies.js
    [donotclick]repairtouch .co .za/lollypops/aquariuses.js
    This leads to a malware landing page hosted on a -hijacked- GoDaddy domain at [donotclick]directgrid .org/topic/lairtg-nilles-slliks.php hosted on 50.116.10.71 (Linode, US) where there are a number of other hijacked domains...
    Recommended blocklist:
    50.116.10.71 ..."
    (More listed at the dynamoo URL above.)

    - https://www.virustotal.com/en/ip-add...1/information/

    Last edited by AplusWebMaster; 2013-09-27 at 23:13.

  3. #283
    Adviser Team AplusWebMaster

    Thumbs down Fake IRS, Wells Fargo SPAM ...

    FYI...

    Fake IRS SPAM / oooole .org
    - http://blog.dynamoo.com/2013/09/irs-...nder-spam.html
    30 Sep 2013 - "This fake IRS spam leads to malware on oooole .org:
    Date: Mon, 30 Sep 2013 03:44:12 -0800 [07:44:12 EDT]
    From: "Fire@irs.gov" [burbleoe9@ irs .org]
    Subject: Invalid File Email Reminder
    9/30/2013
    Valued Transmitter,
    We few weeks agoreceived your electronic file(s) of information returns; but, the file(s) contained errors. As of the date of this email, we have not received a good replacement file. If we do not receive the replacement file within the allowed time from your transmission, late filing payoff may be applied. For further clarification on sending a timely filed replacement, please see Publication 1220, Part B, Section 7.03. The following is a list of your incorrect file(s) that need to be replaced:
    Filename            # of Times Email Has Been Sent    Tax Year
    ORIG.62U55.2845     2                                 2012...


    The link in the email goes through a legitimate -hacked- site and then -redirects- through one of the following three scripts:
    [donotclick]savingourdogs .com/boneheads/meditatively.js
    [donotclick]solaropti.manclinux3.ukdns .biz/resonators/sunbonnet.js
    [donotclick]polamedia .se/augusts/fraudulence.js
    The next step is a malware landing page on a hijacked GoDaddy domain at [donotclick]oooole .org/topic/latest-blog-news.php hosted on 75.98.172.238 (A2 Hosting, US) along with several other hijacked domains...
    Recommended blocklist:
    75.98.172.238 ..."

    - https://www.virustotal.com/en/ip-add...8/information/
    ___

    Fake Wells Fargo SPAM - malicious ZIP file
    - http://blog.dynamoo.com/2013/09/well...ents-spam.html
    30 Sep 2013 - "This fake Wells Fargo spam comes with a malicious attachment:
    Date: Mon, 30 Sep 2013 11:54:15 -0600 [13:54:15 EDT]
    From: Bryon Faulkner [Bryon.Faulkner@ wellsfargo .com]
    Subject: Important Documents
    Please review attached documents.
    Bryon Faulkner
    Wells Fargo Advisors
    817-527-6769 office
    817-380-3921 cell Bryon.Faulkner@ wellsfargo .com
    Investments in securities and insurance products are:
    NOT FDIC-INSURED/NO BANK-GUARANTEES/MAY LOSE VALUE
    Wells Fargo Advisors, LLC is a nonbank affiliate of Wells Fargo & Company, Member
    FINRA/SIPC. 1 North Jefferson, St. Louis, MO 63103 ...


    The attached document starts with "Documents_" and then has the first part of the recipient's email address as part of the filename. Or that's the way it is meant to work because in practice it will probably be a different recipient in the same domain. Inside is an executable file with the date encoded into the filename (in this case Documents_09302013.exe). The executable file is (obviously) malware, and has a VirusTotal detection rate of just 3/48*... attempted connection to the site demandtosupply .com on 84.22.177.37 (ioMart, UK) which is a server spotted in a similar attack a few weeks ago**. Unfortunately, where more than one domain on a server is compromised then it looks like the bad guys have complete control of the server and can do what they like. There are a number of legitimate sites (including one IT security company) on this box... so exercise caution if deciding to block them.
    Recommended blocklist:
    84.22.177.37
    demandtosupply .com
    ce-cloud .com
    "
    * https://www.virustotal.com/en/file/3...is/1380564661/

    ** http://blog.dynamoo.com/2013/09/scan...ched-spam.html

    - https://www.virustotal.com/en/ip-add...7/information/

    Last edited by AplusWebMaster; 2013-09-30 at 23:58.
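The posts above all follow one shape: a defanged list of script hosts, a landing page and a "Recommended blocklist". The helper below is added here and is not code from any of the quoted posts or blogs: it refangs indicators written in this thread's style ("[donotclick]" prefix, a space before the TLD), drops the reference links, separates IPs, hosts and URL paths, and checks constructed squid-style proxy log lines against them. The sample post text reuses the indicators quoted in post #283; the log lines and their client/peer addresses (documentation ranges) are constructed.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed excerpt written in this thread's defanged style: a "[donotclick]" prefix and a
# space before the TLD. The indicator values themselves are the ones quoted in post #283;
# the first line is the kind of reference link the posts carry, which is not an indicator.
SAMPLE_POST = """\
- http://blog.dynamoo.com/2013/09/irs-...nder-spam.html
The link in the email goes through a legitimate -hacked- site and then -redirects- through
one of the following three scripts:
[donotclick]savingourdogs .com/boneheads/meditatively.js
[donotclick]solaropti.manclinux3.ukdns .biz/resonators/sunbonnet.js
[donotclick]polamedia .se/augusts/fraudulence.js
The next step is a malware landing page at [donotclick]oooole .org/topic/latest-blog-news.php
hosted on 75.98.172.238 (A2 Hosting, US)
Recommended blocklist:
75.98.172.238 ..."
"""

# Constructed squid access.log lines (native format). Client and peer addresses come from
# documentation ranges, except the landing-page peer, which is the IP quoted in post #283.
SAMPLE_PROXY_LOG = """\
1380556812.123    245 10.0.0.12 TCP_MISS/200 1432 GET http://savingourdogs.com/boneheads/meditatively.js - HIER_DIRECT/203.0.113.5 application/javascript
1380556815.456    310 10.0.0.12 TCP_MISS/200 8810 GET http://oooole.org/topic/latest-blog-news.php - HIER_DIRECT/75.98.172.238 text/html
1380556820.789     12 10.0.0.44 TCP_MISS/200  512 GET http://www.example.com/index.html - HIER_DIRECT/198.51.100.7 text/html
"""

DEFANGED_TLD = re.compile(r"\s+\.(?=[A-Za-z]{2,})")   # "oooole .org" -> "oooole.org"
REFERENCE_URL = re.compile(r"https?://\S+")           # live links are citations, not indicators
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_AND_PATH = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})(/[^\s\"')]*)?", re.I)


def refang(text):
    """Undo the poster's defanging so the values can be compared with real traffic."""
    return DEFANGED_TLD.sub(".", text.replace("[donotclick]", ""))


def extract_iocs(post_text):
    """Return {'ips', 'hosts', 'urls'} sets pulled from a post written in this thread's style."""
    text = REFERENCE_URL.sub(" ", refang(post_text))
    iocs = {"ips": set(), "hosts": set(), "urls": set()}
    for match in IPV4.finditer(text):
        try:
            addr = ipaddress.ip_address(match.group())
        except ValueError:
            continue                      # e.g. "999.1.1.1" is not an address
        if addr.is_global:                # private/reserved ranges are never useful here
            iocs["ips"].add(str(addr))
    for host, path in HOST_AND_PATH.findall(text):
        host = host.lower()
        iocs["hosts"].add(host)
        if len(path) > 1:                 # "host/path" pairs are kept as URL indicators too
            iocs["urls"].add(host + path)
    return iocs


def match_proxy_log(log_text, iocs):
    """Return [(line_number, reason)] for squid native-format lines touching any indicator."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        fields = line.split()
        if len(fields) < 9:
            continue
        parts = urlsplit(fields[6])                  # requested URL
        host = (parts.hostname or "").lower()
        peer = fields[8].rsplit("/", 1)[-1]          # HIER_DIRECT/<server ip>
        reasons = []
        if host in iocs["hosts"] or host in iocs["ips"]:
            reasons.append("host " + host)
        if peer in iocs["ips"]:
            reasons.append("peer " + peer)
        if host + parts.path in iocs["urls"]:
            reasons.append("url " + host + parts.path)
        if reasons:
            hits.append((lineno, "; ".join(reasons)))
    return hits


if __name__ == "__main__":
    found = extract_iocs(SAMPLE_POST)
    for kind in ("ips", "hosts", "urls"):
        print(kind, sorted(found[kind]))
    for lineno, reason in match_proxy_log(SAMPLE_PROXY_LOG, found):
        print("line %d: %s" % (lineno, reason))
```

Blocking the landing-page IP catches the second request even when the hijacked domain changes, which is why the posts recommend the IP rather than only the domain.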

  4. #284
    Adviser Team AplusWebMaster

    Thumbs down Fake AMEX phish, Fake NACHA SPAM ...

    FYI...

    Fake AMEX phish ...
    - http://threattrack.tumblr.com/post/6...dentials-phish
    Oct 1, 2013 - "Subjects Seen:
    Fraud Alert : Irregular Card Activity
    Typical e-mail details:
    Dear Customer,
    We detected irregular card activity on your American Express
    Check Card on 1st October, 2013.
    As the Primary Contact, you must verify your account activity before you can
    continue using your card, and upon verification, we will remove any restrictions
    placed on your account.
    To review your account as soon as possible please.
    Please click on the link below to verify your information with us:
    americanexpress.com
    If you account information is not updated within 24 hours then your ability
    to access your account will be restricted.
    We appreciate your prompt attention to this important matter.


    Malicious URLs
    kaindustries.comcastbiz .net/boulevards/index.html
    theswordcoast.awardspace .com/catalepsy/index.html
    i37raceway .com/hovers/index.html
    pizzapluswindsor .ca/americanexpress/


    Screenshot: https://gs1.wac.edgecastcdn.net/8019...01I1r6pupn.png
    ___

    Fake NACHA SPAM - malware on thewalletslip .com
    - http://blog.dynamoo.com/2013/10/fake...alware-on.html
    1 Oct 2013 - "This fake NACHA spam leads to malware on thewalletslip .com:
    Date: Tue, 1 Oct 2013 15:05:56 +0330 [07:35:56 EDT]
    From: ACH Network [markdownfyye396@ nacha .org]
    Subject: Your ACH transfer
    The ACH processing (ID: 428858072307), recently was made from your bank account (by you or any other person), was rejected by the other financial institution.
    Aborted transfer
    ACH transfer ID: 428858072307
    Reason of Cancellation Notice information in the report below
    Transaction Report View Report 428858072307
    About NACHA ...


    Screenshot: https://lh3.ggpht.com/-Fs6-J6CBRpE/U...1600/nacha.png

    The link in the email goes through a legitimate -hacked- site and then runs one of three scripts:
    [donotclick]theodoxos .gr/hairstyles/defiling.js
    [donotclick]web29.webbox11.server-home .org/volleyballs/cloture.js
    [donotclick]www.knopflos-combo .de/subdued/opposition.js
    Then the victim is directed to a malware landing page at [donotclick]thewalletslip .com/topic/latest-blog-news.php and if you follow this blog regularly then you will not be at all surprised to find that it has been hijacked from GoDaddy... It is hosted on 75.98.172.238 (A2 Hosting, US) which is the same server spotted yesterday*.
    Recommended blocklist:
    75.98.172.238 ..."
    * http://blog.dynamoo.com/2013/09/irs-...nder-spam.html

    - https://www.virustotal.com/en/ip-add...8/information/
    ___

    Apple spikes as Phishing Target
    - http://blog.trendmicro.com/trendlabs...ishing-target/
    Oct 1, 2013 - "... Apple is now the most valuable brand in the world. One party that would agree: cybercriminals, who are now targeting Cupertino in increasing numbers. Earlier in the year, the number of identified Apple phishing sites would only be in the hundreds per month, as seen in the chart below:
    Number of identified Apple-related phishing sites
    > http://blog.trendmicro.com/trendlabs...pple-graph.png
    Some cases of these Apple-related threats just use Apple as social engineering bait. For example, here, the need to “verify” one’s Apple products or services is used to phish email services:
    Phishing site
    > http://blog.trendmicro.com/trendlabs...le-phish-2.gif
    ... Apple ID itself is now being targeted for theft. For users of all Apple products – whether they be Macs, iOS devices, or just the iTunes store – the Apple ID is a key ingredient in how they use these products. For example, it can be used to control the data stored in your iCloud account, make purchases of both music and apps, and even manage your iOS or Mac device. Not only that, users from all over the world are being targeted. For example, this phishing site is in French:
    Apple ID phishing site
    > http://blog.trendmicro.com/trendlabs...h-france-4.gif
    ... It would appear that cybercriminals are using Apple-related rumors as a gauge of potential interest from users/victims and increase the number of their attacks as needed. This growth in Apple-related threats highlights how Apple users, far from being safe, are continuously targeted by threats today as well..."
    ___

    Pinterest Facebook Friend Spam
    - http://threattrack.tumblr.com/post/6...ok-friend-spam
    Oct 1, 2013 - "Subjects Seen:
    Your Facebook friend <removed> joined Pinterest
    Typical e-mail details:
    Your Facebook friend <removed> just joined Pinterest. Help welcome <removed> to the community!

    Malicious URLs
    ats.webd .pl/caskets/index.html
    theodoxos .gr/hairstyles/defiling.js
    web29.webbox11.server-home .org/volleyballs/cloture.js
    knopflos-combo .de/subdued/opposition.js
    pizzapluswindsor .ca/topic/latest-blog-news.php


    Screenshot: https://gs1.wac.edgecastcdn.net/8019...D5p1r6pupn.png
    ___

    Tens of thousands of fake Twitter accounts passed off and sold as 'followers'
    - https://www.virusbtn.com/blog/2013/09_20.xml
    20 Sep 2013
    ___

    Threat Outbreak Alerts
    - http://tools.cisco.com/security/cent...utbreak.x?i=77
    Email Messages with Malicious Attachments - 2013 Oct 01
    Fake Commissions Statement Notification Email Messages - 2013 Oct 01
    Fake Product Order Request Email Messages - 2013 Oct 01
    Fake Purchase Order Notification Email Messages - 2013 Oct 01
    Fake Product Order Delivery Information Email Messages - 2013 Oct 01
    Fake Multimedia Message Delivery Email Message - 2013 Oct 01
    Fake Product Order Email Messages - 2013 Oct 01
    Fake Bank Payment Notification Email Messages - 2013 Oct 01
    Fake Court Document Email Messages - 2013 Oct 01
    Fake Document Filing Notification Email Messages - 2013 Oct 01
    Fake Debt Collection Notification Email Messages - 2013 Oct 01
    Fake Account Payment Notification Email Messages - 2013 Oct 01
    Fake Product Purchase Order Email Messages - 2013 Oct 01
    Fake Product Specification Request Email Messages - 2013 Oct 01
    Fake Bank Payment Transfer Notification Email Messages - 2013 Oct 01
    Fake Shipment Invoice Email Messages - 2013 Oct 01
    Fake Payment Information Email Messages - 2013 Oct 01
    Blank Email Messages with Malicious Attachments - 2013 Oct 01
    (More detail and links at the cisco URL above.)

    Last edited by AplusWebMaster; 2013-10-01 at 23:22.

  5. #285
    Adviser Team AplusWebMaster

    Thumbs down Fake T-Mobile, Fake Facebook SPAM...

    FYI...

    Fake T-Mobile message emails lead to malware
    - http://www.webroot.com/blog/2013/10/...-lead-malware/
    Oct 2, 2013 - "A circulating malicious spam campaign attempts to trick T-Mobile customers into thinking that they’ve received a password-protected MMS. However, once gullible and socially engineered users execute the malicious attachment, they automatically compromise the confidentiality and integrity of their PCs, allowing the cybercriminals behind the campaign to gain complete control of their PCs. Detection rate for the spamvertised sample – MD5: 5d69a364ffa8d641237baf4ec7bd641f – * W32/Trojan.XTWU-6193; TR/Sharik.B; Trojan.DownLoader9.22851
    Once executed, the sample phones back to networksecurityx.hopto .org – 69.65.19.117 ... subdomains are also known to have phoned back to the same IP in that past... malicious MD5s are also known to have phoned back to the same domain/IP in the past..."
    * https://www.virustotal.com/en/file/a...is/1379599644/
    ___

    Fake Facebook Mobile Page Steals Credit Card Details
    - http://blog.trendmicro.com/trendlabs...-card-details/
    Oct 1, 2013 10:28 pm (UTC-7) - "... a mobile phishing page that looks very similar to the official Facebook mobile page. However, looking closely into the URL address, there are noticeable differences. The real Facebook page is located at https://m.facebook.com/login and has the lock icon to show that the page is secured.
    Fake vs. legitimate Facebook mobile page
    > http://blog.trendmicro.com/trendlabs...vsreal-pag.gif
    This page tries to steal more than Facebook credentials. Should users actually try to log in, the page then prompts users to choose a security question. This may sound harmless, but these same security questions might be used across several different sites, and can compromise your security as well.
    Fake Facebook security page
    > http://blog.trendmicro.com/trendlabs...urity-page.gif
    Once users are done, they are led to another page, this time asking for their credit card details.
    Page asking for credit card details
    > http://blog.trendmicro.com/trendlabs...e-creditca.gif
    In cases like these, users should always be careful and double-check the URLs of sites they are entering personal information into, particularly those that claim to belong to a particular service. In addition, Facebook does -not- ask for a user’s credit card information unless they are making a purchase..."
    ___

    "microsoft support" calls - now with ransomware
    - https://isc.sans.edu/diary.html?storyid=16703
    Last Updated: 2013-10-02 04:16:32 UTC - "Most of us are familiar with the "microsoft support" call. A phone call is received, the person states they are from "microsoft support" and they have been alerted that your machine is infected. The person will assist you by having you install a remote desktop tool such as teamviewer or similar (we have seen many different versions). Previously they would install software that would bug you until you paid the "subscription fee". As the father of a friend found out the other day when he received a call, they now install -ransomware- which will lock the person out of their computer until a fee has been paid. In this instance it was done quite early in the "support" call so even disconnecting when smelling a rat it was too late. The ransomware itself looks like it replaced some start up parameters to kick in the lockout rather than encrypting the drive or key elements of the machine. However for most users that would be enough to deny access. So in the spirit of Cyber Security Awareness Month make this month one where you let your non-IT friends and family know two things. Firstly, BACKUP YOUR STUFF. Secondly, tell them "when you receive a call from "microsoft support", the correct response is to hang up."
    ___

    Fake Staples SPAM leads to malware on tootle .us
    - http://blog.dynamoo.com/2013/10/fake...alware-on.html
    2 Oct 2013 - "This fake Staples spam leads to malware on a site called tootle .us:
    Date: Wed, 2 Oct 2013 08:40:11 -0500 [09:40:11 EDT]
    From: support@ orders.staples .com
    Subject: Staples order #: 1353083565
    Thank you for shopping Staples.
    Here's what happens next:
    Order No.:1353083565
    Customer No.:1278823232 Method of Payment:Credit or Debit Card
    Track order: Track your order
    Delivery Address:
    Caleb Lewis
    41 COMMERCE ST
    GREENFIELD WA 092980135
    Item1 Qty. Subtotal
    DELL 1320 BLACK TONER
    Item No.:744319Price:$60.38/each
    Expected delivery:10/4/2013byUPS 2 $125.26
    Item2 Qty. Subtotal
    DELL RY854 CYAN TONER
    Item No.:717860Price:$61.87/each
    Expected delivery:10/4/2013byUPS 2 $124.03
    Subtotal:: $243.59
    Delivery: FREE
    Tax: $17.66
    Total: $250.35
    Your order is subject to review ...


    Screenshot: https://lh3.ggpht.com/-q6p692ui0yA/U...00/staples.png

    The link in the email goes to a legitimate (but hacked) site and then attempts to load one of the following three scripts:
    [donotclick]algmediation .org/inventory/symphony.js
    [donotclick]apptechgroups .net/katharine/bluejacket.js
    [donotclick]ctwebdesignshop .com/marquetry/bucket.js
    From there the victim is redirected to a malware landing page at [donotclick]tootle .us/topic/latest-blog-news.php hosted on 23.92.22.75 (Linode, US) which is yet another -hijacked- GoDaddy domain (there are some more on this server...)...
    Recommended blocklist:
    23.92.22.75
    tootle .us
    ..."

    - https://www.virustotal.com/en/ip-add...5/information/

    Last edited by AplusWebMaster; 2013-10-02 at 18:16.

  6. #286
    Adviser Team AplusWebMaster

    Thumbs down Fake Amazon, USPS SPAM ...

    FYI...

    Fake Amazon SPAM - uses email address harvested from Comparethemarket .com
    - http://blog.dynamoo.com/2013/10/fake...l-address.html
    3 Oct 2013 - "This fake Amazon spam was sent to an email address only used for the UK price comparison site Comparethemarket .com.
    From: Amazon.com [ship-confirm@ amazon .com]
    Reply-To: "Amazon.com" [ship-confirm@ amazon .com]
    Date: 3 October 2013 15:43
    Subject: Your Amazon.com order of "Canon EOS 60D DSLR..." has shipped!
    Amazon .com
    Kindle Store
    | Your Account | Amazon.com
    Order Confirmation
    Order #159-2060285-0376154 ...


    Screenshot: https://lh3.ggpht.com/-c8R7xg-gpdY/U...600/amazon.png

    How the email address was extracted from Comparethemarket.com is not known. The link in the email goes through a legitimate hacked site and then runs one of the following three scripts:
    [donotclick]berkahabadi .de/unclear/unsettle.js
    [donotclick]sigmarho.zxq .net/ragas/sextant.js
    [donotclick]wni9e7311.homepage.t-online .de/creel/eccentrically.js
    This redirects the victim to a malware page at [donotclick]globalrealty-nyc .info/topic/latest-blog-news.php which is a hijacked GoDaddy domain hosted on 96.126.103.252 (Linode, US). This is currently the only domain that I can detect on this computer, but the usual pattern is that there will be several others so blocking that IP address would be prudent.
    Recommended blocklist:
    96.126.103.252 ..."

    - https://www.virustotal.com/en/ip-add...2/information/

    USPS Express Services Spam
    - http://threattrack.tumblr.com/post/6...-services-spam
    Oct 3, 2013 - "Subjects Seen:
    USPS - Your package is available for pickup ( Parcel <random> )
    USPS - Missed package delivery

    Typical e-mail details:
    The courier company was not able to deliver your parcel by your address.
    Cause: Error in shipping address.
    Label: <random>
    Print this label to get this package at our post office.
    Please attention!
    For mode details and shipping label please see the attached file.
    Please do not reply to this e-mail, it is an unmonitored mailbox!
    Thank you,
    USPS Logistics Services.


    Malicious File Name and MD5:
    USPS_Label_<random>.zip (43BA7C2530EF2F69DEF845FE5E10C6C7)
    USPS_Label_<date>.exe (7EAC25BFC4781CA44C5D991115AAF0B4)


    Screenshot: https://gs1.wac.edgecastcdn.net/8019...MFH1r6pupn.png

    Last edited by AplusWebMaster; 2013-10-03 at 19:50.

  7. #287
    Adviser Team AplusWebMaster

    Thumbs down Fake Dropbox SPAM ...

    FYI...

    Fake Dropbox SPAM - leads to malware on adelect .com
    - http://blog.dynamoo.com/2013/10/fake...alware-on.html
    4 Oct 2013 - "This fake Dropbox spam leads to malware:
    Date: Fri, 4 Oct 2013 16:24:30 +0330 [08:54:30 EDT]
    From: Dropbox [no-reply@ dropboxmail .com]
    Subject: Please update your Expired Dropbox Password
    Hi [redacted].
    We noticed that you recently tried to login in to Dropbox with a password that you haven't changed more than 90 days. Your old password has expired and you'll need to create a new one to log in.
    Please visit the page to update your password
    Reset Password
    Thanks!
    - The Dropbox Team


    Screenshot: https://lh3.ggpht.com/-8446bMdKtno/U...00/dropbox.png

    The link in the email goes through a legitimate hacked site and then on to a set of three scripts:
    [donotclick]12.158.190.75 /molls/smudgier.js
    [donotclick]freetraffic2yourweb .com/palermo/uneconomic.js
    [donotclick]www.bathroomchoice .com/huntsmen/bestsellers.js
    From there the victim is delivered to a malware landing page at [donotclick]adelect .com/topic/latest-blog-news.php which follows a predictable pattern of being a hijacked GoDaddy domain hosted on 66.150.155.210 (Nuclear Fallout Enterprises, US). There are some other hijacked domains on this same server...
    Recommended blocklist:
    66.150.155.210
    wrightleasing .com
    renewalbyandersendayton .com
    adelect .com
    12.158.190.75
    freetraffic2yourweb .com
    www .bathroomchoice .com"


    - https://www.virustotal.com/en/ip-add...0/information/

    Last edited by AplusWebMaster; 2013-10-04 at 16:25.

  8. #288
    Adviser Team AplusWebMaster

    Thumbs down Fake National Bankruptcy Services SPAM

    FYI...

    Fake National Bankruptcy Services SPAM
    - http://threattrack.tumblr.com/post/6...-services-spam
    Oct 7, 2013 - "Subjects Seen:
    6253-9166
    Typical e-mail details:
    Please see the attached Iolta report for 6253-9166.
    We received a check request in the amount of $19,335.05 for the above referenced file. However, the attached report reflects a $0 balance. At your earliest convenience, please advise how this request is to be funded.
    Thanks.
    Milton_Forrest *
    Accounts Payable
    National Bankruptcy Services, LLC


    Malicious File Name and MD5:
    6253-9166.zip (47E464919165F040B03160BAA38FD5E3)
    report_<date>.exe (0798687A993B98EBF5E87A6F78311F32)


    Screenshot: https://gs1.wac.edgecastcdn.net/8019...gf21r6pupn.png
    ___

    Threat Outbreak Alerts
    - http://tools.cisco.com/security/cent...utbreak.x?i=77
    Fake Account Complaint Resolution Document Email Messages - 2013 Oct 07
    Fake Payment Receipt Notification Email Messages - 2013 Oct 07
    Fake Payment Confirmation Notification Email Messages - 2013 Oct 07
    Fake Account Payment Notification Email Messages - 2013 Oct 07
    Fake Commissions Invoice Email Messages - 2013 Oct 07
    Fake Hotel Reservation Confirmation Email Messages - 2013 Oct 07
    Fake Product Order Email Messages - 2013 Oct 07
    Fake Bank Payment Transfer Notification Email Messages - 2013 Oct 07
    Fake Financial Document Email Messages - 2013 Oct 07
    Malicious Personal Pictures Attachment Email Messages - 2013 Oct 07
    Fake Shipping Notification Email Messages - 2013 Oct 07
    Fake Document Attachment Email Messages - 2013 Oct 07
    Fake Payment Confirmation Email Messages - 2013 Oct 07
    Fake Product Quote Request Email Messages - 2013 Oct 07
    Fake Electronic Payment Cancellation Email Messages - 2013 Oct 07
    Fake Bank Account Details Inquiry Email Messages - 2013 Oct 07
    Fake Personal Picture Sharing Notification Email Messages - 2013 Oct 07
    Fake Portuguese Personal Picture Notification Email Messages - 2013 Oct 07
    Fake Order Shipment Tracking Information Email Messages - 2013 Oct 07
    Fake Business Complaint Notification Email Messages - 2013 Oct 07
    (More detail and links at the cisco URL above.)

    Last edited by AplusWebMaster; 2013-10-08 at 00:05.
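The attachment campaigns in posts #283, #286 and #288 share one packaging: a ZIP named after the recipient or a random token, holding a single date-stamped executable (Documents_09302013.exe, USPS_Label_<date>.exe, report_<date>.exe). The check below is added here and is not code from the quoted posts: a mail-gateway side inspection that lists archive members with executable extensions, flags the <label>_<MMDDYYYY>.exe naming the posts describe, and catches PE content hiding under a document-style name. The archives and payload bytes are constructed for the example, not samples from the campaigns.

```python
import io
import re
import zipfile

# File types Windows runs directly when double-clicked; a ZIP that "contains documents"
# should hold none of these.
EXECUTABLE_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd",
                  ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta"}
# Naming pattern quoted in these posts: <label>_<MMDDYYYY>.exe, e.g. Documents_09302013.exe
DATED_EXE = re.compile(r"^[A-Za-z]+_\d{8}\.exe$", re.I)
# Windows PE files start with "MZ"; a member with that magic but a document name is disguised.
PE_MAGIC = b"MZ"


def build_sample_zip(members):
    """Build a ZIP in memory from {member_name: bytes}; used only to construct test inputs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def inspect_zip_attachment(data):
    """Return a list of (member_name, reason) findings; an empty list means nothing suspicious."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [("<archive>", "attachment is not a valid ZIP file")]
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename.rsplit("/", 1)[-1]      # ignore any folder prefix
            lower = name.lower()
            ext = "." + lower.rsplit(".", 1)[-1] if "." in lower else ""
            with zf.open(info) as member:
                magic = member.read(2)                   # only the first two bytes are needed
            if ext in EXECUTABLE_EXT:
                findings.append((name, "executable member (%s)" % ext))
                if lower.count(".") > 1:
                    findings.append((name, "double extension hides the real type"))
            elif magic == PE_MAGIC:
                findings.append((name, "PE (MZ) content under a non-executable name"))
            if DATED_EXE.match(name):
                findings.append((name, "date-stamped executable name used by these campaigns"))
    return findings


# Constructed stand-in payloads: a fake PE header plus padding, and a tiny PDF header.
FAKE_PE = PE_MAGIC + b"\x90\x00" + b"\x00" * 60
FAKE_PDF = b"%PDF-1.4\n%constructed sample\n"

# Mirrors the campaigns above: one date-stamped EXE inside the archive (name from post #283).
SAMPLE_CAMPAIGN_ZIP = build_sample_zip({"Documents_09302013.exe": FAKE_PE})
SAMPLE_BENIGN_ZIP = build_sample_zip({"report.pdf": FAKE_PDF})
SAMPLE_DISGUISED_ZIP = build_sample_zip({"report.pdf": FAKE_PE})

if __name__ == "__main__":
    for label, blob in (("campaign", SAMPLE_CAMPAIGN_ZIP), ("benign", SAMPLE_BENIGN_ZIP),
                        ("disguised", SAMPLE_DISGUISED_ZIP)):
        print(label, inspect_zip_attachment(blob))
```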

  9. #289
    Adviser Team AplusWebMaster

    Thumbs down Fake Wells Fargo SPAM ...

    FYI...

    Fake Wells Fargo SPAM - malicious attachment / lasub-hasta .com
    - http://blog.dynamoo.com/2013/10/fake...omes-with.html
    8 Oct 2013 - "This fake Wells Fargo spam is a retread of this one*, but comes with a slightly different attachment:
    Date: Mon, 7 Oct 2013 19:56:29 +0100 [10/07/13 14:56:29 EDT]
    From: "Harry_Buck@ wellsfargo .com" [Harry_Buck@ wellsfargo .com]
    Subject: Documents - WellsFargo
    Please review attached files.
    Harry_Buck
    Wells Fargo Advisors
    817-487-2882 office
    817-683-6287 cell Harry_Buck@ wellsfargo .com
    Investments in securities and insurance products are:
    NOT FDIC-INSURED/NO BANK-GUARANTEES/MAY LOSE VALUE
    Wells Fargo Advisors, LLC is a nonbank affiliate of Wells Fargo & Company, Member
    FINRA/SIPC. 1 North Jefferson, St. Louis, MO 63103 ...


    Attached is a ZIP file containing a malicious EXE file. The VirusTotal detection rate is a fairly healthy 27/48**. Automated analysis... shows that the malware tries to phone home to lasub-hasta .com on 205.251.152.178 (Global Net Access, US). A quick look at that server shows that it has several hundred sites on, most of which are probably legitimate... but there is a great deal of suspect activity*** on this server which you might want to take into account if you are thinking of -blocking- this IP."
    * http://blog.dynamoo.com/2013/09/well...ents-spam.html

    ** https://www.virustotal.com/en-gb/fil...is/1381222163/

    *** https://www.virustotal.com/en-gb/ip-...8/information/
    ___

    Spoofed APEC 2013 email mixes old threat tricks
    - http://blog.trendmicro.com/trendlabs...threat-tricks/
    Oct 8, 2013 - "... threat actors have found another high-profile political event to leverage their schemes. The APEC 2013 Summit – an annual meeting of 21 Pacific Rim countries – in Indonesia can be the perfect veil for their spoofed emails. The threat arrives as an email purportedly from “Media APEC Summit 2013” containing two attached Excel files. The sender, message and the recipients of the email lead us to believe that this threat is aimed at individuals who would be interested in the summit (both attendees and non-attendees).
    > http://blog.trendmicro.com/trendlabs...mmit-email.jpg
    ... the email contains two attachments. Both are disguised as “APEC media list”, however only one of them (APEC Media List 2013 Part 1) was found malicious. The other, non-malicious file serves as a decoy document. Based on our analysis, the malware exploits an old Microsoft Office vulnerability (CVE-2012-0158*), an old vulnerability that was also exploited in other targeted attacks... This malware then triggers a series of multiple malware drops and connects to various command-and-control (C&C) servers. Once done, the exploit drops and executes the file dw20.t. The said file is a dropper, which drops another file in C:\Program Files\Internet Explorer\netidt.dll. This dropped file also communicates with specific C&C servers and sends/receives encrypted data containing system information and infection status. This allows netidt.dll to download the executable _dwr6093.exe. This malware is another dropper that drops and executes downlink.dll. This final dropper leads to the final payload (netui.dll, detected as BKDR_SEDNIT.SM) and is responsible for its automatic execution (by creating autostart registry entries). BKDR_SEDNIT.SM steals information via logging keystrokes and executes commands from its C&C servers. The malicious actors behind this threat can then use the malware to gather and exfiltrate important data, leading to serious repercussions for the targeted parties..."
    * https://web.nvd.nist.gov/view/vuln/d...=CVE-2012-0158 - 9.3 (HIGH)
    Last revised: 03/07/2013 - "... triggers "system state" corruption, as exploited in the wild in April 2012, aka "MSCOMCTL.OCX RCE Vulnerability"..."
    ___

    Fake "Voicemail" SPAM ...
    - http://www.threattracksecurity.com/i...ate-winwebsec/
    Oct 7, 2013 - "... fake WhatsApp email messages leading to various forms of mobile infection. Over the last day or so, our Labs have noticed a shift into other realms – namely, Fake AV. Whenever we see Kuluoz, it is typically using compromised boxes to host payloads – and those payloads are usually Winwebsec and Medfos. Fake emails are the name of the game, and as you can see they run the full range of wedding invites, airline spam, DHL / Fedex notifications and more besides. In this case, we begin with the now familiar WhatsApp spam email messages:
    > http://www.threattracksecurity.com/i...winwebsec0.jpg
    Instead of links taking end-users to malicious mobile downloads, they’ll be taken to a .biz.ua URL offering up a Kuluoz.B executable file which will download WinWebSec onto the target PC. Winwebsec has been signed by a valid cert, which is increasingly becoming a problem where Malware is concerned. The Winwebsec variant is fairly recent, dating from mid to late August. It downloads Fareit and Ursnif, which are both infostealers (of course, the Fake AV – called Antivirus Security Pro – will try to convince end-users to pay up for non-existent infection removal. It will completely ignore the genuine infections dropped on the PC, but you wouldn’t expect anything less really).
    > http://www.threattracksecurity.com/i...winwebsec1.jpg
    ... At time of writing, Virustotal has the Kuluoz pegged at 16/48... VIPRE Antivirus detects it as Trojan.Win32.Generic.pak!cobra. Fake voicemail messages are a great way for scammers to target individuals and corporations, especially if sent to less technologically inclined victims. Expect the payloads of these spam messages to keep changing, and be very wary of running any executable files sent via email – no matter how tempting the supposed message waiting for you is..."
    ___

    Verizon Wireless Picture Messaging Spam
    - http://threattrack.tumblr.com/post/6...messaging-spam
    Oct 8, 2013 - "Subjects Seen:
    No Subject
    Typical e-mail details:
    This message was sent using the Picture and Video Messaging service from Verizon Wireless!

    Malicious File Name and MD5:
    <random>Img_Picture.zip (0FF888E38099617CBD03451DA72F5FC4)
    <random>Img_Picture.jpeg.exe (67355A28A8EA584D0A08F17BE10E251E)

    Screenshot: https://gs1.wac.edgecastcdn.net/8019...0sn1r6pupn.png
    ___

    Mileage Reimbursement Form Spam
    - http://threattrack.tumblr.com/post/6...ment-form-spam
    Oct 8, 2013 - "Subjects Seen:
    Annual Form - Authorization to Use Privately Owned Vehicle on State Business
    Typical e-mail details:
    All employees need to have on file this form STD 261 (attached). The original is retained by supervisor and copy goes to Accounting. Accounting need this form to approve mileage reimbursement.
    The form can be used for multiple years, however it needs to re-signed annually by employee and supervisor.
    Please confirm all employees that may travel using their private car on state business (including training) has a current STD 261 on file. Not having a current copy of this form on file in Accounting may delay a travel reimbursement claim.

    Malicious File Name and MD5:
    Form_<e-mail domain>.zip (00D3C33F37DEE0B3AB933C968BE8043A)
    Form_20130810.exe (6828091CBF4AACEC10195EDBFA804FA7)

    Screenshot: https://gs1.wac.edgecastcdn.net/8019...E2x1r6pupn.png

    Last edited by AplusWebMaster; 2013-10-08 at 22:58.

  10. #290
    Adviser Team AplusWebMaster (Join Date: Oct 2005, Location: USA, Posts: 6,881)

    Thumbs down Fake Business form SPAM, Pharmacy SCAM SPAM ...

    FYI...

    Fake Business form SPAM / warehousesale .com .my
    - http://blog.dynamoo.com/2013/10/annu...on-to-use.html
    9 Oct 2013 - "This oddly-themed spam has a malicious attachment:
    Date: Tue, 8 Oct 2013 11:49:49 -0600 [10/08/13 13:49:49 EDT]
    From: Waldo Reeder [Waldo@ victimdomain .com]
    Subject: Annual Form - Authorization to Use Privately Owned Vehicle on State Business
    All employees need to have on file this form STD 261 (attached). The original is
    retained by supervisor and copy goes to Accounting. Accounting need this form to approve
    mileage reimbursement.
    The form can be used for multiple years, however it needs to re-signed annually by
    employee and supervisor.
    Please confirm all employees that may travel using their private car on state business
    (including training) has a current STD 261 on file. Not having a current copy of this
    form on file in Accounting may delay a travel reimbursement claim.

    There is a ZIP file attached which includes the victim's domain name as part of the filename. Inside is an executable file with an icon to make it look like a PDF file, and the date is encoded into the filename. VirusTotal detections are not bad at 25/48*. Automated analysis... shows an attempted connection to warehousesale .com .my hosted on 42.1.61.90 (Exa Bytes Network, Malaysia). There are no other sites on that server that I can see and I recommend that you -block- both the IP and domain as a precaution.
    Recommended blocklist:
    warehousesale .com .my
    42.1.61.90
    "
    * https://www.virustotal.com/en-gb/fil...is/1381305964/
    File name: Form_20130810.exe

    - https://www.virustotal.com/en-gb/ip-...0/information/
    ___

    Fake GMail emails lead to pharmaceutical scams
    - http://www.webroot.com/blog/2013/10/...eutical-scams/
    Oct 9, 2013 - "Pharmaceutical scammers are currently mass mailing tens of thousands of fake emails, impersonating Google’s GMail in an attempt to trick its users into clicking on the links found in the spamvertised emails. Once users click on them, they’re automatically exposed to counterfeit pharmaceutical items, with the scammers behind the campaign attempting to capitalize on the ‘impulsive purchase’ type of social engineering tactic typical for this kind of campaign.
    Sample screenshot of the spamvertised email:
    > https://www.webroot.com/blog/wp-cont...l_Scams_01.png
    Sample screenshot of the landing pharmaceutical scams page:
    > https://www.webroot.com/blog/wp-cont...ical_Scams.png
    ... Landing URL: shirazrx .com – 85.95.236.188 – Email: ganzhorn@ shirazrx .com ... pharmaceutical scam domains are also known to have responded to the same IP (85.95.236.188)... This isn’t the first, and definitely not the last time pharmaceutical scammers brand-jack reputable brands in order to trick users into clicking on the links found in the fake emails, as we’ve already seen them brand-jack Facebook’s Notification System, YouTube, as well as the non-existent Google Pharmacy. Thanks to the (natural) existence of affiliate networks for pharmaceutical items, we expect that users will continue falling victim to these pseudo-bargain deals, fueling the growth of the cybercrime economy. Our advice? Never bargain with your health, spot the scam and report it."

    - https://www.virustotal.com/en-gb/ip-...8/information/

    Last edited by AplusWebMaster; 2013-10-09 at 21:21.
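The Verizon "Picture Messaging", "Mileage Reimbursement" and "Business form" campaigns in the two posts above share one attachment pattern: a ZIP carrying an executable whose name imitates a picture or a date-stamped form. As an added example that is not part of the original posts or the quoted blogs, this Python routine applies those naming heuristics to a mail attachment, checks for a PE header behind the extension, and compares member hashes against the MD5s quoted above; the sample ZIP is constructed in memory and is not a real sample.

```python
import hashlib
import io
import re
import zipfile

# MD5s quoted in the ThreatTrack posts above (values taken from the page).
KNOWN_BAD_MD5 = {
    "0ff888e38099617cbd03451da72f5fc4",  # <random>Img_Picture.zip
    "67355a28a8ea584d0a08f17be10e251e",  # <random>Img_Picture.jpeg.exe
    "00d3c33f37dee0b3ab933c968be8043a",  # Form_<e-mail domain>.zip
    "6828091cbf4aacec10195edbfa804fa7",  # Form_20130810.exe
}
EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")
# Naming tricks seen in these campaigns: an image/document extension followed by
# an executable one (Img_Picture.jpeg.exe), or a date-stamped name (Form_20130810.exe).
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|jpe?g|png|txt)\.(exe|scr|pif|com)$", re.I)
DATE_STAMP = re.compile(r"_\d{8}\.(exe|scr|pif|com)$", re.I)

def triage_zip_attachment(zip_bytes: bytes) -> list:
    """Return one finding per ZIP member that looks like a disguised executable."""
    findings = []
    zip_md5 = hashlib.md5(zip_bytes).hexdigest()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            data = zf.read(info)
            reasons = []
            if info.filename.lower().endswith(EXEC_EXT):
                reasons.append("executable extension inside mail attachment")
            if data[:2] == b"MZ":  # PE header, whatever the extension claims
                reasons.append("PE header (MZ)")
            if DOUBLE_EXT.search(info.filename):
                reasons.append("double extension")
            if DATE_STAMP.search(info.filename):
                reasons.append("date-stamped executable name")
            md5 = hashlib.md5(data).hexdigest()
            if md5 in KNOWN_BAD_MD5 or zip_md5 in KNOWN_BAD_MD5:
                reasons.append("MD5 matches a published indicator")
            if reasons:
                findings.append({"name": info.filename, "md5": md5, "reasons": reasons})
    return findings

def build_sample_zip(member_name: str, payload: bytes) -> bytes:
    """Constructed sample: an in-memory ZIP with a single member (not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()
```

Feeding `build_sample_zip("Img_Picture.jpeg.exe", b"MZ...")` to `triage_zip_attachment` yields a single finding flagged for the executable extension, the MZ header and the double extension, while a plain text member produces none.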
