
Thread: SPAM frauds, fakes, and other MALWARE deliveries...

  1. #301
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Fake resume, Company Reports SPAM ...

    FYI...

    Fake resume SPAM / Resume_LinkedIn.exe
    - http://blog.dynamoo.com/2013/10/my-r...nkedinexe.html
    24 Oct 2013 - "This rather terse spam email message has a malicious attachment:
    Date: Thu, 24 Oct 2013 15:45:37 +0200 [09:45:37 EDT]
    From: Elijah Parr [Elijah.Parr@ linkedin .com]
    Subject: My resume
    Attached is my resume, let me know if its ok.
    Thanks,
    Elijah Parr
    ------------------------
    Date: Thu, 24 Oct 2013 19:14:37 +0530 [09:44:37 EDT]
    From: Greg Barnes [Greg.Barnes@ linkedin .com]
    Subject: My resume
    Attached is my resume, let me know if its ok.
    Thanks,
    Greg Barnes


    The attachment is Resume_LinkedIn.zip which in turn contains a malicious executable Resume_LinkedIn.exe with an icon to make it look like a Word Document rather than an executable. VirusTotal is timing out at the moment, but earlier only one AV engine detected it (Norman). Automated analysis tools... show an attempted connection to homevisitor .co .uk on 64.50.166.122 (Lunarpages, US). This server was distributing malware last month too, so we must assume that it is compromised. Blocking that IP address would probably be a good idea as there are several other compromised domains on that same server [1]* [2]**."
    * https://www.virustotal.com/en-gb/ip-...2/information/

    ** http://urlquery.net/search.php?q=64....3-10-24&max=50

    - http://threattrack.tumblr.com/post/6...in-resume-spam
    Oct 24, 2013 - "Subjects Seen:
    My resume
    Typical e-mail details:
    Attached is my resume, let me know if its ok.
    Thanks,
    Mike Whalen


    Malicious File Name and MD5:
    Resume_LinkedIn.zip (AF04ED38D97867F8E773B6AFC14ED9F0)
    Resume_LinkedIn.exe
    (62F4A3DFE059E9030E2450D608C82899)


    Screenshot: https://gs1.wac.edgecastcdn.net/8019...rta1r6pupn.png
    ___

    Fake Company Reports emails lead to malware ...
    - http://www.webroot.com/blog/2013/10/...-lead-malware/
    Oct 24, 2013 - "A currently ongoing malicious spam campaign is attempting to trick users into thinking that they’ve received a legitimate Excel ‘Company Reports’ themed file. In reality though, once socially engineered users execute the malicious attachment on their PCs, it automatically opens a backdoor allowing the cybercriminals behind the campaign to gain complete access to their host, potentially abusing it in a variety of fraudulent ways.
    Sample screenshots of the spamvertised email:
    > https://www.webroot.com/blog/wp-cont...ny_Reports.png
    Detection rate for the spamvertised attachment: MD5: 5138b3b410a1da4cbc3fcc2d9c223584 * ... Trojan.Win32.Agent.aclil; TSPY_ZBOT.EH ... The sample then phones back to det0nator.com – 38.102.226.14 on port 443, as well as to... C&C servers (-many- listed at the webroot URL above)... MD5s are known to have phoned back to the same IP (38.102.226.14)... MD5s known to have phoned back to the same C&C servers over the last couple of days..."
    * https://www.virustotal.com/en/file/7...360f/analysis/
    File name: Company_Report_10222013.exe
    Detection ratio: 28/44

    - https://www.virustotal.com/en/ip-add...4/information/
    ___

    Threat Outbreak Alerts
    - http://tools.cisco.com/security/cent...utbreak.x?i=77
    Fake Faxed Document Delivery Email Messages - 2013 Oct 24
    Fake Payroll Report Email Messages - 2013 Oct 24
    Email Messages with Malicious Attachments - 2013 Oct 24
    Fake UPS Payment Document Attachment Email Messages - 2013 Oct 24
    Fake Financial Account Statement Email Messages - 2013 Oct 24
    Email Messages with Malicious Attachments - 2013 Oct 24
    Fake Bank Payment Transfer Notification Email Messages - 2013 Oct 24
    Fake Invoice Statement Attachment Email Messages - 2013 Oct 24
    Fake Payroll Invoice Notification Email Messages - 2013 Oct 24
    Fake Product Purchase Order Email Messages - 2013 Oct 24
    Fake Payment Confirmation Notification Email Messages - 2013 Oct 24
    Malicious Personal Pictures Attachment Email Messages - 2013 Oct 24
    Fake Resume Delivery Email Messages - 2013 Oct 24
    Email Messages with Malicious Attachments - 2013 Oct 24
    Fake Product Quote Request Email Messages - 2013 Oct 24
    Email Messages with Malicious Attachments - 2013 Oct 24
    Fake Money Transfer Notification Email Messages - 2013 Oct 23
    Fake Xerox Scanned Attachment Email Messages - 2013 Oct 23
    (More detail and links at the cisco URL above.)

    Last edited by AplusWebMaster; 2013-10-24 at 23:36.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #302
    AplusWebMaster

    Survey Scams - Halloween freebies ...

    FYI...

    Survey Scams - Halloween freebies ...
    - http://blog.trendmicro.com/trendlabs...-survey-scams/
    Oct 24, 2013 - "... scams we saw used free Halloween products as bait. Searching for the phrase “Halloween GET FREE” leads to a suspicious YouTube video:
    Suspicious YouTube video
    > http://blog.trendmicro.com/trendlabs...n-youtube1.jpg
    The URL advertised on the video’s page leads users to a scam site that asks for your personal information, including your email address.
    Survey site
    > http://blog.trendmicro.com/trendlabs...n-youtube2.jpg
    Survey scam
    > http://blog.trendmicro.com/trendlabs...n-youtube3.jpg
    Using similar keywords on Twitter yielded two suspicious accounts. Each account had a Halloween-themed Twitter handle, perhaps to entice users into checking out the accounts.
    Two suspicious Twitter accounts
    > http://blog.trendmicro.com/trendlabs...-twitter11.jpg
    Each account advertises free Halloween candy with a corresponding URL to get the said candy. The advertised website leads users to survey scams, rather than candy. Facebook also became home to a Halloween-themed survey scam. We spotted a Facebook page that advertises free Halloween candy, like the scam on Twitter. To get the candy, users are supposed to click a link on the page.
    Website advertising free candy
    > http://blog.trendmicro.com/trendlabs...-facebook1.jpg
    But much like the other scams, this simply leads to a survey site. It’s interesting to note that users are directed to the page used in the YouTube scam mentioned earlier. To further entice users, the site promises Apple products in exchange for finishing the survey.
    Apple products as “reward” for completed surveys
    > http://blog.trendmicro.com/trendlabs...-facebook3.jpg
    It might be tempting to get free stuff online, but users should always be cautious when encountering these types of promos or deals. Cybercriminals are willing to promise anything and everything just to get what they want. When encountering deals that are too good to be true, users should err on the side of caution and assume that they are..."
    * http://blog.trendmicro.com/trendlabs...s-infographic/
    "... Oct 29, 2011... filed under Bad Sites"
    ___

    Fake Lloyds SPAM - Lloyds TSB msg...
    - http://blog.dynamoo.com/2013/10/you-...loyds-tsb.html
    25 Oct 2013 - "This fake Lloyds TSB message has a malicious attachment:
    Date: Fri, 25 Oct 2013 13:55:41 +0200 [07:55:41 EDT]
    From: LloydsTSB [noreply@ lloydstsb .co .uk]
    Subject: You have received a new debit
    Priority: High Priority 1 (High)
    This is an automatically generated email by the Lloyds TSB PLC LloydsLink online payments Service.
    The details of the payment are attached...


    Attached is a zip file in the format Report_recipientname.zip which in turn contains a malicious executable Report_10252013.exe (note the date is encoded into the filename). The file has an icon to make it look like a PDF file, but it isn't. The VirusTotal detection rate is a so-so 13/47*. Automated analysis... shows an attempted connection to www .baufie .com on 173.203.199.241 (Rackspace, US). Often these callbacks indicate a completely compromised server, so it may be possible that there are other sites being abused on the same box."
    * https://www.virustotal.com/en-gb/fil...is/1382702941/

    - https://www.virustotal.com/en/ip-add...1/information/

    Last edited by AplusWebMaster; 2013-10-25 at 16:30.

  3. #303
    AplusWebMaster

    Fake Mercedes-Benz winner SPAM ...

    FYI...

    Fake "You're a Mercedes-Benz winner!" SPAM
    - http://blog.dynamoo.com/2013/10/you-...nner-spam.html
    27 Oct 2013 - "This is a slightly novel twist on an advanced fee fraud scam:
    From: Mercedes-Benz [desk_notification@ yahoo .com]
    Reply-To: bmlot20137@ live .com
    Date: 27 October 2013 13:44
    Subject: You are a Mercedes-Benz winner !!!
    Dear Recipient,
    You have received a loyalty reward from Mercedes-Benz, Answer the Below question correctly and stand a chance of winning our Promotional Award Grand prize of $4,000,000USD and a Brand New 2013 Mercedes-Benz GLK350 4Matic SUV Car. If you have never had a Mercedes-Benz Product, this is your chance to benefit from our company while if you have any of our products this is your opportunity of enjoying some of our benefits apart from the comfortability and efficiency of our products. Just answer the questions asked below and you could be a winner...
    Our aims to support the abilities of the neediest groups to fulfill human dignity and social justice in cooperation with development partners in the world.
    Kind Regards,
    Mrs.Katherine Dooley
    Mercedes-Benz,Online coordinator


    The email was sent to a spamtrap address from 41.138.182.219 which is in Lagos, Nigeria via a mail server in the US at 65.40.236.192 (Embarq). You might wonder what the scam is because it looks like a competition.. once you have answered the three trivially easy questions (we all know that Mercedes Benz was founded by Terry Benz in 1946 and is headquartered in the UK, after all) then you will find that you'll need to pay a stiff fee to get your prize.. which will never materialise."
    Labels: 419, Advanced Fee Fraud, Scam, Spam


  4. #304
    AplusWebMaster

    Fake WhatsApp Voice msg. emails lead to malware

    FYI...

    Fake WhatsApp Voice msg. emails lead to malware
    - http://www.webroot.com/blog/2013/10/...ead-malware-2/
    Oct 28, 2013 - "... The cybercriminal(s) behind the most recently profiled campaigns impersonating T-Mobile, and Sky, have just launched yet another malicious spam campaign, this time targeting WhatsApp users with fake “Voice Message Notification/1 New Voicemail” themed emails. Once unsuspecting users execute the fake voice mail attachment, their PCs will attempt to drop additional malware on the hosts...
    Sample screenshot of the spamvertised email:
    > https://www.webroot.com/blog/wp-cont...Cybercrime.png
    Detection rate for the malicious attachment: MD5: 0458a01e42544eacf00e6f2b39b788e0 * ... Trojan.Win32.Sharik.qhd
    ... attempts to download additional malware from the well known C&C server at networksecurityx.hopto .org ..."
    * https://www.virustotal.com/en/file/a...6964/analysis/
    ___

    Fake AMEX "Fraud Alert" SPAM / steelhorsecomputers .net
    - http://blog.dynamoo.com/2013/10/amer...lert-spam.html
    28 Oct 2013 - "This fake Amex spam leads to malware on steelhorsecomputers .net:
    From: American Express [fraud@ aexp .com]
    Date: 28 October 2013 14:14
    Subject: Fraud Alert : Irregular Card Activity
    Irregular Card Activity
    Dear Customer,
    We detected irregular card activity on your American Express
    Check Card on 28th October, 2013.
    As the Primary Contact, you must verify your account activity before you can
    continue using your card, and upon verification, we will remove any restrictions
    placed on your account.
    To review your account as soon as possible please.
    Please click on the link below to verify your information with us:
    https ://www .americanexpress .com/
    If you account information is not updated within 24 hours then your ability
    to access your account will be restricted.
    We appreciate your prompt attention to this important matter.
    © 2013 American Express Company. All rights reserved.
    AMEX Fraud Department


    Screenshot: https://lh3.ggpht.com/-NyKdfJqQV8A/U...s1600/amex.png

    The link in the email goes through a legitimate but -hacked- site and then runs one of the following three scripts:
    [donotclick]kaindustries .comcastbiz .net/imaginable/emulsion.js
    [donotclick]naturesfinest .eu/eroding/patricians.js
    [donotclick]winklersmagicwarehouse .com/handmade/analects.js
    From there, the victim is sent to a malware landing page at [donotclick]steelhorsecomputers .net/americanexpress/ which is a hijacked GoDaddy domain hosted on 96.126.102.8 (Linode, US). There are other hijacked GoDaddy domains too..."
    Recommended blocklist:
    96.126.102.8
    8353333 .com
    ..."

    - https://www.virustotal.com/en/ip-add...8/information/
    ___

    Past Due Invoice Spam
    - http://threattrack.tumblr.com/post/6...e-invoice-spam
    Oct 28, 2013 - "Subjects Seen:
    Past Due Invoice
    Typical e-mail details:
    Your invoice is attached. Please remit payment at your earliest convenience.

    Malicious File Name and MD5:
    invoice_95836_10282013.zip (7CDBF5827161838D7C5BD0E5B98E01C1)
    invoice_95836_10282013.exe (C277EA5A86F25AC0B704CAF5832FC614)


    Screenshot: https://gs1.wac.edgecastcdn.net/8019...8gD1r6pupn.png

    Last edited by AplusWebMaster; 2013-10-28 at 20:23.

  5. #305
    AplusWebMaster

    Fake Wells Fargo SPAM, 82.211.31.147, CookieBomb toolkit ...

    FYI...

    Fake Wells Fargo SPAM / Copy_10292013.zip
    - http://blog.dynamoo.com/2013/10/well...copy-spam.html
    29 Oct 2013 - "These fake Wells Fargo spam messages have a malicious attachment:
    Date: Tue, 29 Oct 2013 22:34:50 +0800 [10:34:50 EDT]
    From: Wells Fargo [Emilio.Hendrix@ wellsfargo .com]
    Subject: FW: Check copy
    We had problems processing your latest check, attached is a image copy.
    Emilio Hendrix
    Wells Fargo Check Processing Services
    817-576-4067 office
    817-192-2390 cell Emilio.Hendrix@ wellsfargo .com
    Wells Fargo Check Processing Services. 1 North Jefferson, St. Louis, MO 63103...
    --------------------
    Date: Tue, 29 Oct 2013 14:41:46 +0000 [10:41:46 EDT]
    From: Wells Fargo [Leroy.Dale@ wellsfargo .com]
    Subject: FW: Check copy
    We had problems processing your latest check, attached is a image copy.
    Leroy Dale
    Wells Fargo Check Processing Services
    817-480-3826 office
    817-710-4624 cell Leroy.Dale@ wellsfargo .com
    Wells Fargo Check Processing Services. 1 North Jefferson, St. Louis, MO 63103...


    Attached is an executable file Copy_10292013.zip which contains an executable file Copy_10292013.exe which is (of course) malicious. Note that the date is encoded into the filenames, so future versions of this will vary. The VirusTotal detection rate is just 3/47*. Automated analysis... shows an attempted connection to allisontravels .com on 69.26.171.181 (Xeex Communications, US) which appears to be the only site currently on this server. I would recommend blocking one or both of these."
    * https://www.virustotal.com/en-gb/fil...is/1383058267/

    - http://threattrack.tumblr.com/post/6...heck-copy-spam
    Oct 29, 2013 - "Subjects Seen:
    FW: Check copy
    Typical e-mail details:
    We had problems processing your latest check, attached is a image copy...

    Malicious File Name and MD5:
    Copy_10292013.zip (E0D3B0A7BCCDD0AA79A1F81C79A83784)
    Copy_10292013.exe (93CCC1B516EFC3365CECED8AE0B57EE2)


    Screenshot: https://gs1.wac.edgecastcdn.net/8019...Faj1r6pupn.png
    ___

    Something evil on 82.211.31.147
    - http://blog.dynamoo.com/2013/10/some...221131147.html
    29 Oct 2013 - "Still investigating this one, but 82.211.31.147 (IP-Projects, Germany) appears to be a completely rogue server hosting exploit kits and malware [1] [2]... domains and subdomains are associated with this IP address. I recommend blocking them, or more easily the IP address itself."
    (Long list at the dynamoo URL above.)
    1) http://urlquery.net/search.php?q=82....3-10-29&max=50

    2) https://www.virustotal.com/en-gb/ip-...7/information/
    ___

    CookieBomb toolkit ...
    - http://community.websense.com/blogs/...b-toolkit.aspx
    Oct 29, 2013 - "... source of this message is a spambot or script. When looked over with an experienced eye, it becomes apparent this email may just have come from the Kelihos botnet...
    46.180.44.231
    46.185.22.123
    109.162.98.248

    Malware evolution is not new: indeed, since the days of Dark Avenger’s polymorphic engine, the Mutation Engine (MtE), obfuscation and evasion have been commonplace within most, if not all malware families... in as little as 6 months, a simple tool for delivering Exploit Kits to end users has not only had its code radically altered, but has split into two distinct campaigns. One campaign is as mentioned above, infecting legitimate hosts via the exploitation of vulnerabilities; the other... piggybacking on the Kelihos Botnet, which is an incredibly sophisticated and effective spam platform, as a means of exposing end users to EKs via blatantly malicious domains. Whether this tool was exclusively rented by/to the BHEK team, or whether in fact it was coded by them, remains to be seen."
    - https://www.virustotal.com/en/ip-add...1/information/

    - https://www.virustotal.com/en/ip-add...8/information/
    ___

    Suspect network: 69.26.171.176/28
    - http://blog.dynamoo.com/2013/10/susp...617117628.html
    29 Oct 2013 - "69.26.171.176/28 is a small network range suballocated from Xeex to the following person or company, which appears to have been compromised.
    %rwhois V-1.5:0000a0:00 rwhois.xeex .com (by Network Connection Canada. V-1.0)
    network:auth-area:69.26.160.0/19
    network:network-name:69.26.171.176
    network:ip-network:69.26.171.176/28
    network:org-name:MJB Capital, Inc.
    network:street-address:8275 South Eastern Avenue
    network:city:Las Vegas
    network:state:NV
    network:postal-code:89123
    network:country-code:US
    network:tech-contact:Mark Bunnell
    network:updated:2013-05-30 10:01:58
    network:updated-by:noc@ xeex .com
    network:class-name:network


    There are three very recent Malwr reports involving sites in this range:
    69.26.171.179 - bookmarkingbeast .com
    - https://malwr.com/analysis/MDMwMGY2Z...AyYmFjMWRhMTU/
    69.26.171.181 - allisontravels .com
    - https://malwr.com/analysis/ZWE1NDQ0M...JhNDNlZjVjMzA/
    69.26.171.182 - robotvacuumhut .com
    - https://malwr.com/analysis/MDVlNjJkN...Y5ODRiNWVhM2I/
    As a precaution, I would recommend temporarily blocking the whole range... other sites are also hosted in the same block, and if you are seeing unusual traffic going to them then I would suspect that it is a malware infection..."
    (More domains listed at the dynamoo URL above.)

    Last edited by AplusWebMaster; 2013-10-29 at 22:30.

  6. #306
    AplusWebMaster

    Fake eFax message SPAM, Something evil on 144.76.207.224/28 ...

    FYI...

    Fake eFax message SPAM / bulkbacklinks .com and Xeex .com
    - http://blog.dynamoo.com/2013/10/corp...sage-spam.html
    30 Oct 2013 - "... do people really fall for this "Corporate eFax message" spam? Apparently people do because the spammers keep sending it out.
    Date: Wed, 30 Oct 2013 23:33:23 +0900 [10:33:23 EDT]
    From: eFax Corporate [message@ inbound . efax.com]
    Subject: Corporate eFax message from "673-776-6455" - 2 pages
    Fax Message [Caller-ID: 673-776-6455] You have received a 2 pages fax at 2013-30-10
    02:22:22 CST.* The reference number for this fax is
    latf1_did11-1995781774-8924188505-39.View this fax using your PDF reader.Please visit
    www .eFax .com/en/efax/twa/page/help if you have any questions regarding this message or
    your service.Thank you for using the eFax service..
    -----------------------
    Date: Wed, 30 Oct 2013 10:04:50 -0500 [11:04:50 EDT]
    From: eFax Corporate [message@ inbound .efax.com]
    Subject: Corporate eFax message from "877-579-4466" - 5 pages
    Fax Message [Caller-ID: 877-579-4466] You have received a 5 pages fax at 2013-30-10
    05:55:55 EST.* The reference number for this fax is
    latf1_did11-1224528296-8910171724-72.View this fax using your PDF reader.Please visit
    www .eFax .com/en/efax/twa/page/help if you have any questions regarding this message or
    your service.Thank you for using the eFax service...


    Attached to the message is a file FAX_10302013_1013.zip which in turn contains FAX_10302013_1013.exe (although the date is encoded into the filename so your version may be different) which has an icon that makes it look like a PDF file. This has a very low detection rate at VirusTotal of just 1/46*. Automated analysis tools... show an attempted connection to a domain bulkbacklinks .com on 69.26.171.187. This is part of the same compromised Xeex address range... Xeex have not responded to notifications of a problem (apart from an AutoNACK). I recommend that you treat the entire 69.26.171.176/28 range as being malicious and you should block according to this list**."
    * https://www.virustotal.com/en-gb/fil...is/1383148137/

    ** http://blog.dynamoo.com/2013/10/susp...617117628.html
    ___

    Something evil on 144.76.207.224/28
    - http://blog.dynamoo.com/2013/10/some...620722428.html
    30 Oct 2013 - "The network block 144.76.207.224/28 is currently hosting the Magnitude exploit kit (example report*)... This is a Hetzner IP range... Domains hosted on this range include the following, ones in bold are flagged by Google as being malicious (Long list - see the dynamoo URL above)... I would recommend blocking all those domains plus the 144.76.207.224/28 range. Sphere Ltd seem to have some quite big operations in Russia. For information only, these are the other IP address ranges (Also listed at the dynamoo URL above)..."
    * http://urlquery.net/report.php?id=7281185


  7. #307
    AplusWebMaster

    Rogue Ads in Yahoo lead to Sirefef Infection

    FYI...

    Rogue Ads in Yahoo lead to Sirefef Infection
    - http://www.threattracksecurity.com/i...fef-infection/
    Oct 30, 2013 - "Our researchers in the AV Labs are continuing to see fake software being served on unfamiliar sponsored links or ads found in search results. Recently, we found an ad for a fake browser on Yahoo! after doing a search for “google chrome browser”.
    > http://www.threattracksecurity.com/i...-search-ad.png
    Clicking the first ad we highlighted above leads users to the website, softpack(dot)info/chrome/:
    > http://www.threattracksecurity.com/i...hrome-page.png
    Below this page are texts that read as follows:
    > http://www.threattracksecurity.com/i...section-wm.png
    ... In case you’re not familiar, rogue sites like this usually serve free-to-download software that are modified to install adware. In this case, Google_Chrome_30.0.1599.69.exe, the -fake- browser file, is wholly malicious and belongs to the Sirefef/ZeroAccess malware family. We were able to retrieve two variants of this file...
    MD5 9111ebfbf015c3096f650060819f744b – detected as Trojan.Win32.Generic!SB.0 (15/47*)
    MD5 60a0e64fec6b5e509b666902e72833ea – detected as Trojan.Win32.Generic.pak!cobra (7/47**)
    ... We fed the files into our sandbox and found that -both- variants -disable- Windows security features and prevent the OS from updating automatically. Infected systems, especially those that run outdated software and have no added security software in place, face the risk of further infection from other malware. Users are advised to be careful in clicking ads for free software. It is still safer for you... to visit -official- pages of the software you wish to download and install onto your system. You may also consider installing AdBlock Plus***, a software that can be installed in the browser to prevent ads from appearing on sites while you surf..."
    * https://www.virustotal.com/en/file/f...is/1383072130/

    ** https://www.virustotal.com/en/file/c...ffbd/analysis/

    *** https://addons.mozilla.org/en-US/fir.../adblock-plus/


  8. #308
    AplusWebMaster

    Fake Snapchat install leads to Adware

    FYI...

    Fake Snapchat install leads to Adware
    - http://www.threattracksecurity.com/i...-leads-adware/
    Nov 1, 2013 - "Our Labs recently identified numerous files claiming to be Snapchat.exe, which is a popular photo messaging application. These files were most assuredly not Snapchat, so we were curious to find out what was going on. As it turns out, a quick search in Bing brings forth answers:
    > http://www.threattracksecurity.com/i...optimum-ad.png
    The very first entry under the search is an ad, leading to videonechat(dot)com.
    > http://www.threattracksecurity.com/i...chatdorgem.jpg
    The website simultaneously talks about installing Snapchat, while listing the program as “Dorgem” in small letters in the grey box on the top right hand side. At this point, you might want to take a wild guess as to whether you’re going to end up with Snapchat, a hugely popular and current application, or a now discontinued webcam capture program called -Dorgem- which has been bundled with programs you likely don’t need... The install offers up a number of ad serving programs, media players and additional software offered up with no relation to Snapchat whatsoever. During testing, we saw Realplayer, GreatArcadeHits, Optimizer Pro, Scorpion Saver and Word Overview...
    > http://www.threattracksecurity.com/i...dge-snap-7.png
    Legitimate programs being bundled with Adware is a common enough tactic, but this is an Optimum Installer bundle where a website serves as clickbait for a deliberately misrepresented app – you most definitely do not get what you’re promised in return for installing numerous pieces of ad-serving software. Don’t fall for this one. VirusTotal pegs this one at 6/47*..."
    * https://www.virustotal.com/en/file/3...is/1383232536/
    ___

    Email Quota Limit Credentials Phish
    - http://threattrack.tumblr.com/post/6...dentials-phish
    Nov 1, 2013 - "Subjects Seen:
    Email Quota Limit
    Typical e-mail details:
    Your mailbox has exceeded the storage limit, you may not be able to send or receive new mail until you re-validate your mailbox mail with the link below.
    System Administrator


    Malicious URLs
    suppereasy.jimdo .com


    Screenshot: https://gs1.wac.edgecastcdn.net/8019...Ia01r6pupn.png

    Last edited by AplusWebMaster; 2013-11-01 at 19:57.

  9. #309
    AplusWebMaster

    Ads lead to SpyAlertApp PUA ...

    FYI...

    Ads lead to SpyAlertApp PUA ...
    - http://www.webroot.com/blog/2013/11/...d-application/
    Nov 1, 2013 - "... They promise users the moon, and only ask in return that users install a basic free application. Case in point, our sensors picked up yet another deceptive ad campaign that entices users into installing privacy violating applications, most commonly known as PUAs...
    Sample screenshots of the landing page:
    > https://www.webroot.com/blog/wp-cont...n-896x1024.png
    Landing URL: spyalertapp .com
    Detection rate for the SpyAlertApp PUA: MD5: 183cf05e8846a18dab9850ce696c3bf3 * ... Win32/ExFriendAlert.B; SearchDonkey (fs)
    Once executed, it phones back to 66.135.34.182 and 66.135.34.181 ... PUA MD5s are known to have phoned back to these IPs... Want to know who’s tracking your online activities? We advise you to give Mozilla’s Lightbeam**, a try."
    * https://www.virustotal.com/en/file/5...is/1382979505/

    ** http://www.mozilla.org/en-US/lightbeam/

    - https://www.virustotal.com/en/ip-add...1/information/

    - https://www.virustotal.com/en/ip-add...2/information/


  10. #310
    AplusWebMaster

    Fake SAGE, Fax SPAM ...

    FYI...

    Fake SAGE SPAM / Payroll_Report-PaymentOverdue.exe
    - http://blog.dynamoo.com/2013/11/paym...pond-spam.html
    4 Nov 2013 - "This -fake- SAGE spam has a malicious attachment:
    Date: Mon, 4 Nov 2013 21:00:59 +0600 [10:00:59 EST]
    From: Payroll Reports [payroll@sage .co .uk]
    Please find attached payroll reports for the past months. Remit the new payment by 11/10/2013 as outlines under our payment agreement.
    Sincerely,
    Bernice Swanson
    This e-mail has been sent from an automated system. PLEASE DO NOT REPLY...


    Attached is a file PaymentOverdue.zip which in turn contains a malicious executable Payroll_Report-PaymentOverdue.exe with an icon that makes it look like an Excel spreadsheet. This malware has a VirusTotal detection rate of just 4/47*, and automated analysis tools... show an attempted connection to goyhenetche .com on 184.154.15.188 (Singlehop, US), a server that contains many legitimate domains but some more questionable ones** too."
    * https://www.virustotal.com/en-gb/fil...is/1383579237/

    ** https://www.virustotal.com/en-gb/ip-...8/information/

    Diagnostic page for AS32475 (SINGLEHOP-INC)
    - http://google.com/safebrowsing/diagnostic?site=AS:32475
    "... over the past 90 days, 1069 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2013-11-04, and the last time suspicious content was found was on 2013-11-04... we found 73 site(s) on this network... that appeared to function as intermediaries for the infection of 371 other site(s)... We found 147 site(s)... that infected 543 other site(s)..."

    - http://threattrack.tumblr.com/post/6...e-payment-spam
    Nov 4, 2013 - "Subjects Seen:
    Payment Overdue - Please respond
    Typical e-mail details:
    Please find attached payroll reports for the past months. Remit the new payment by 11/10/2013 as outlines under our payment agreement.
    Sincerely,
    Shelby Lloyd


    Malicious File Name and MD5:
    PaymentOverdue.zip (AF69AE41F500EBCE3A044A1FC8FF8701)
    Payroll_Report-PaymentOverdue.exe (32B2481F9EF7F58D3EF3640ECFC64B19)


    Screenshot: https://gs1.wac.edgecastcdn.net/8019...lId1r6pupn.png
    ___

    Ring Central Fax Spam
    - http://threattrack.tumblr.com/post/6...ntral-fax-spam
    Nov 4, 2013 - "Subjects Seen:
    New Fax Message on 11/04/2013
    Typical e-mail details:
    To view this message, please open the attachment
    Thank you for using RingCentral.


    Malicious File Name and MD5:
    <random #s>.pdf.exe (FE52EE7811D93A3E941C0A15126152AC)
    <random #s>.zip (8728BBFD1ABAC087211D55BB53991017)


    Screenshot: https://gs1.wac.edgecastcdn.net/8019...MDn1r6pupn.png

    Last edited by AplusWebMaster; 2013-11-04 at 22:27.
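    The attachments quoted throughout these posts share one shape: a zip whose single member is a Windows executable named to look like a document (Copy_10292013.exe, Payroll_Report-PaymentOverdue.exe, <random #s>.pdf.exe), often with the date encoded so the name changes from day to day. The mail-gateway triage below is an added example, not code from the thread or from dynamoo, ThreatTrack or Webroot; it runs on constructed in-memory zips with stand-in file bodies, and its MD5 blocklist is the set of hashes quoted in the posts above.

```python
"""Triage of zip-wrapped executable attachments of the kind quoted in this thread.

Added example, not code from the thread or from dynamoo, ThreatTrack or Webroot.
It builds constructed zip attachments in memory and flags members that match the
recurring pattern: a PE executable ('MZ' magic) whatever its name or icon, a
double extension such as '.pdf.exe', a date-encoded filename such as
Copy_10292013.exe, or an MD5 that one of the quoted write-ups lists.
"""
import hashlib
import io
import re
import zipfile
from dataclasses import dataclass, field

# MD5s quoted in the posts above (lower-cased for comparison).
KNOWN_BAD_MD5 = {
    "62f4a3dfe059e9030e2450d608c82899",  # Resume_LinkedIn.exe
    "c277ea5a86f25ac0b704caf5832fc614",  # invoice_95836_10282013.exe
    "93ccc1b516efc3365ceced8ae0b57ee2",  # Copy_10292013.exe
    "32b2481f9ef7f58d3ef3640ecfc64b19",  # Payroll_Report-PaymentOverdue.exe
    "fe52ee7811d93a3e941c0a15126152ac",  # <random #s>.pdf.exe (RingCentral fax spam)
}

EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DOCUMENT_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}

# Name[_digits]_MMDDYYYY[_HHMM].ext, e.g. Copy_10292013.exe, FAX_10302013_1013.exe,
# invoice_95836_10282013.exe, Company_Report_10222013.exe
DATE_ENCODED = re.compile(
    r"^[A-Za-z][A-Za-z_-]*_(?:\d+_)?(0[1-9]|1[0-2])(0[1-9]|[12]\d|3[01])(20\d{2})(?:_\d{4})?\.\w+$"
)


@dataclass
class Finding:
    member: str
    md5: str
    reasons: list[str] = field(default_factory=list)


def triage_zip(attachment: bytes) -> list[Finding]:
    """Inspect every file in a zip attachment and record why it matches the spam pattern."""
    findings: list[Finding] = []
    with zipfile.ZipFile(io.BytesIO(attachment)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            content = zf.read(info)
            finding = Finding(info.filename, hashlib.md5(content).hexdigest())
            basename = info.filename.rsplit("/", 1)[-1]
            exts = ["." + p for p in basename.lower().split(".")[1:]]
            # 1. Content check: a PE file starts with the DOS 'MZ' signature, whatever its icon.
            if content[:2] == b"MZ":
                finding.reasons.append("PE header (MZ) in attachment")
            # 2. Name check: a document-looking extension placed in front of an executable one.
            if exts and exts[-1] in EXECUTABLE_EXT and any(e in DOCUMENT_EXT for e in exts[:-1]):
                finding.reasons.append("double extension " + "".join(exts))
            # 3. Name check: the MMDDYYYY stamp the quoted posts warn will vary day to day.
            if DATE_ENCODED.match(basename):
                finding.reasons.append("date-encoded filename")
            # 4. Hash check against the MD5s listed in the thread.
            if finding.md5 in KNOWN_BAD_MD5:
                finding.reasons.append("MD5 on known-bad list")
            findings.append(finding)
    return findings


def is_suspicious(findings: list[Finding]) -> bool:
    """Hold the attachment for review if any member tripped at least one check."""
    return any(f.reasons for f in findings)


def build_sample(name: str, body: bytes) -> bytes:
    """Constructed single-member zip standing in for a spam attachment (not a real capture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, body)
    return buf.getvalue()


# Constructed stand-in for a PE: the DOS header signature plus padding, not a runnable program.
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60
# Constructed benign PDF-like body.
FAKE_PDF = b"%PDF-1.4\n% constructed sample\n"

if __name__ == "__main__":
    for name, body in [("Copy_10292013.exe", FAKE_PE),
                       ("83747291.pdf.exe", FAKE_PE),
                       ("resume.pdf", FAKE_PDF)]:
        for f in triage_zip(build_sample(name, body)):
            print(f"{f.member:24} {f.md5}  {'; '.join(f.reasons) or 'no findings'}")
```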
