
Thread: SPAM frauds, fakes, and other MALWARE deliveries...

  1. #311
    AplusWebMaster (Adviser Team), Join Date: Oct 2005, Location: USA, Posts: 6,881

    Fake ACH, USPS SPAM ...

    FYI...

    Fake ACH SPAM / ACAS1104201336289204PARA7747.zip
    - http://blog.dynamoo.com/2013/11/ach-...nd-of-day.html
    5 Nov 2013 - "This fake ACH (or is it Paychex?) email has a malicious attachment:
    Date: Tue, 5 Nov 2013 08:28:30 -0500 [08:28:30 EST]
    From: "Paychex, Inc" [paychexemail@ paychex .com]
    Subject: ACH Notification : ACH Process End of Day Report
    Attached is a summary of Origination activity for 11/04/2013 If you need assistance
    please contact us via e-mail at paychexemail@ paychex .com during regular business hours.
    Thank you for your cooperation.


    Attached is a file ACAS1104201336289204PARA7747.zip which in turn contains an executable ACAS11042013.exe which has a VirusTotal detection rate of 7/46*. Automated analysis... shows an attempted connection to slowdating .ca on 69.64.39.215 (Hosting Solutions International, US). There are several legitimate sites on this server, however it is possible that the server itself is compromised. The malware drops several files..."
    * https://www.virustotal.com/en-gb/fil...is/1383665169/

    - https://www.virustotal.com/en/ip-add...5/information/
    ___

    Fake USPS SPAM / Label_442493822628.zip
    - http://blog.dynamoo.com/2013/11/usps...822628zip.html
    5 Nov 2013 - "This -fake- USPS spam has a malicious attachment:
    Date: Tue, 5 Nov 2013 14:24:45 +0000 [09:24:45 EST]
    From: USPS Express Services [service-notification@ usps .gov]
    Subject: USPS - Missed package delivery
    The courier company was not able to deliver your parcel by your address.
    Cause: Error in shipping address.
    Label: 442493822628
    Print this label to get this package at our post office.
    Please attention!
    For mode details and shipping label please see the attached file.
    Please do not reply to this e-mail, it is an unmonitored mailbox!
    Thank you,
    USPS Logistics Services...


    The attachment is Label_442493822628.zip which in turn contains a malicious executable Label_11052013.exe which has a VirusTotal detection rate of 6/46*. Automated analysis... shows an attempted connection to sellmakers .com on 192.64.115.140 (Namecheap, US). Note that there may be legitimate sites on that IP address, however it is possible that the whole server has been compromised."
    * https://www.virustotal.com/en-gb/fil...is/1383666106/

    - https://www.virustotal.com/en-gb/ip-...0/information/

    Last edited by AplusWebMaster; 2013-11-06 at 15:27.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #312
    AplusWebMaster (Adviser Team)

    Fake invoice, Voicemail SPAM ...

    FYI...

    Fake invoice SPAM leads to DOC exploit
    - http://blog.dynamoo.com/2013/11/invo...ommercial.html
    6 Nov 2013 - "This -fake- invoice email leads to a malicious Word document:
    From: Dave Porter [mailto:dave.porter@blueyonder .co .uk]
    Sent: 06 November 2013 12:06
    To: [redacted]
    Subject: Invoice 17731 from Victoria Commercial Ltd
    Dear Customer :
    Your invoice is attached to the link below:
    [donotclick]http ://www.vantageone .co .uk/invoice17731.doc
    Please remit payment at your earliest convenience.
    Thank you for your business - we appreciate it very much.
    Sincerely,
    Victoria Commercial Ltd


    The email originates from bosmailout13.eigbox .net 66.96.186.13 which belongs to the Endurance International Group in the US. The malicious .DOC file is hosted at [donotclick]www.vantageone .co .uk/invoice17731 .doc which appears to be a -hacked- legitimate web site.
    Detection rates have continued to improve throughout the day and currently stand at 10/47*. The vulnerability in use is CVE-2012-0158 / MS12-027. If your Word installation is up-to-date and fully patched then it should block this attack.
    A sandbox analysis confirms that it is malicious, in particular it connects to 158.255.2.60 (Mir Telematiki Ltd, Russia) and the following domains:
    feed404.dnsquerys .com
    feeds.nsupdatedns .com
    It is the same attack as described by Blaze's Security Blog** and I would advise you to look at that posting for more details. In the meantime, here is a recommended blocklist:
    118.67.250.91
    158.255.2.60
    ..."
    * https://www.virustotal.com/en-gb/fil...is/1383746893/

    ** http://bartblaze.blogspot.co.uk/2013...-exploits.html

    - https://www.virustotal.com/en/ip-add...1/information/

    - https://www.virustotal.com/en/ip-add...0/information/
    ___

    Fake voice mail SPAM / VoiceMail.zip
    - http://blog.dynamoo.com/2013/11/voic...nown-spam.html
    6 Nov 2013 - "This -fake- voice mail spam comes with a malicious attachment:
    Date: Wed, 6 Nov 2013 22:22:28 +0800 [09:22:28 EST]
    From: Administrator [voice9@ victimdomain]
    Subject: Voice Message from Unknown (886-966-4698)
    - - -Original Message- - -
    From: 886-966-4698
    Sent: Wed, 6 Nov 2013 22:22:28 +0800
    To: recipients@ victimdomain
    Subject: Private Message


    The email appears to come from an email address on the victim's own domain and the body text contains a list of recipients within that same domain. Attached to the email is a file VoiceMail.zip which in turn contains a malicious executable VoiceMail.exe with an icon to make it look like an audio file. This malware file has a detection rate of 3/47* at VirusTotal. Automated analysis tools... show an attempted connection to twitterbacklinks .com on 216.151.138.243 (Xeex, US) which is a web host that has been seen before** in this type of attack. Xeex seems to divide up its network into /28 blocks, which would mean that the likely compromised block would be 216.151.138.240/28... domains are consistent with the ones compromised here*** and it is likely that they have all also been compromised."
    Recommended blocklist:
    69.26.171.176/28
    216.151.138.240/28
    ..."
    (More listed at the dynamoo URL above.)
    * https://www.virustotal.com/en-gb/fil...is/1383748084/

    ** http://blog.dynamoo.com/search/label/Xeex

    *** http://blog.dynamoo.com/2013/10/susp...617117628.html

    Last edited by AplusWebMaster; 2013-11-06 at 18:44.

  3. #313
    AplusWebMaster (Adviser Team)

    Fake voicemail, Visa, DocuSign, FedEx SPAM ...

    FYI...

    Fake voicemail SPAM / Voice_Mail.exe
    - http://blog.dynamoo.com/2013/11/you-...mail-spam.html
    7 Nov 2013 - "This -fake- voice mail spam has a malicious attachment:
    Date: Thu, 7 Nov 2013 15:58:15 +0100 [09:58:15 EST]
    From: Microsoft Outlook [no-reply@ victimdomain .net]
    Subject: You received a voice mail
    You received a voice mail : N_58Q-ILM-94XZ.WAV (182 KB)
    Caller-Id:
    698-333-5643
    Message-Id:
    80956-84B-12XGU
    Email-Id:
    [redacted]
    This e-mail contains a voice message.
    Double click on the link to listen the message.
    Sent by Microsoft Exchange Server


    Screenshot: https://lh3.ggpht.com/-TcGTepv34NQ/U.../voicemail.png

    Attached is a zip file in the format Voice_Mail_recipientname.zip which in turn contains a malicious file Voice_Mail.exe which has an icon to make it look like an audio file. VirusTotal detection for that is 7/47* and automated analysis tools... show an attempted connection to amazingfloorrestoration .com on 202.150.215.66 (NewMedia Express, Singapore). Note that sometimes other sites on these servers have also been compromised, so if you see any odd traffic to this IP then it could well be malicious."
    * https://www.virustotal.com/en-gb/fil...is/1383838216/

    - https://www.virustotal.com/en/ip-add...6/information/
    ___

    Visa Recent Transactions Report Spam
    - http://threattrack.tumblr.com/post/6...ns-report-spam
    Nov 7, 2013 - "Subjects Seen:
    VISA - Recent Transactions Report
    Typical e-mail details:
    Dear Visa card holder,
    A recent review of your transaction history determined that your card was used in possible fraudulent transactions. For security reasons the requested transactions were refused. Please carefully review electronic report for your VISA card.
    For more details please see the attached transaction report.
    Dion_Andersen
    Data Protection Officer
    VISA EUROPE LIMITED
    1 Sheldon Square
    London W2 6WH
    United Kingdom


    Malicious File Name and MD5:
    payment.exe (A4D868FB8A01CA999F08E5739A5E73DC)


    Screenshot: https://gs1.wac.edgecastcdn.net/8019...xPM1r6pupn.png
    ___

    DocuSign - Internal Company Changes Spam
    - http://threattrack.tumblr.com/post/6...y-changes-spam
    Nov 7, 2013 - "Subjects Seen:
    Please DocuSign this document : Company Changes - Internal Only
    Typical e-mail details:
    Sent on behalf of <email address>.
    All parties have completed the envelope ‘Please DocuSign this document: Company Changes - Internal Only..pdf’.
    To view or print the document download the attachment. (self-extracting archive, Adobe PDF)
    This document contains information confidential and proprietary to <email domain>


    Malicious File Name and MD5:
    Company Changes - Internal Only.PDF.zip (1B853B2962BB6D5CAA7AB4A64B83EEFF)
    Company Changes - Internal Only.PDF.exe (03C3407D732A94B05013BD2633A9E974)


    Screenshot: https://gs1.wac.edgecastcdn.net/8019...8NO1r6pupn.png
    ___

    My FedEx Rewards Spam
    - http://threattrack.tumblr.com/post/6...x-rewards-spam
    Nov 7, 2013 - "Subjects Seen:
    Your Rewards Order Has Shipped
    Typical e-mail details:
    This is to confirm that one or more items in your order has been shipped. Note that multiple items in an order may be shipped separately.
    You can review complete details of your order on the Order History page
    Thanks for choosing FedEx.


    Malicious File Name and MD5:
    Order history page.zip (EE074EAACC3D444563239EF0C9F4CE0D)
    Order history page.pdf.exe (DF86900EC566E13B2A8B7FD9CFAC5969)


    Screenshot: https://gs1.wac.edgecastcdn.net/8019...7MY1r6pupn.png

    Last edited by AplusWebMaster; 2013-11-07 at 23:21.

  4. #314
    AplusWebMaster (Adviser Team)

    Malware sites to block, Voicemail SPAM, Styx and Nuclear ...

    FYI...

    Malware sites to block - (Nuclear EK)
    - http://blog.dynamoo.com/2013/11/malw...3-nuclear.html
    8 Nov 2013 - "The IPs and domains listed below are currently in use to distribute the Nuclear exploit kit (example*). I strongly recommend blocking them or the 142.4.194.0/30 range in which these reside. Many (but not all) of them are already flagged as being malicious by SURBL and Google. The domains are being used with subdomains, so they don't resolve directly. I have identified -3768- domains in this OVH range... The subdomains can be found in this file [csv**] but as it is almost definitely incomplete it is simpler to use the blocklist below:
    142.4.194.0/30 ..."
    (More domains listed at the dynamoo URL above.)
    * http://urlquery.net/report.php?id=7517029

    ** http://www.dynamoo.com/files/penziat...e-customer.csv
    ___

    Fake Voicemail SPAM / MSG00049.zip and MSG00090.exe
    - http://blog.dynamoo.com/2013/11/voic...49zip-and.html
    8 Nov 2013 - "Another day, yet another -fake- voicemail message spam with a malicious attachment:
    Date: Fri, 8 Nov 2013 15:15:20 +0000 [10:15:20 EST]
    From: Voicemail [user@ victimdomain .com]
    Subject: Voicemail Message
    IP Office Voicemail redirected message


    Attached is a file MSG00049.zip which in turn contains a malicious executable MSG00090.exe. Virus detection on VirusTotal is a so-so 12/47*. Automated analysis... shows an attempted connection to seminyak-italian .com on 198.1.84.99 (Unified Layer / Websitewelcome, US). There are 7 or so legitimate sites on that server, I cannot vouch for them being safe or not".
    * https://www.virustotal.com/en-gb/fil...is/1383936341/

    - https://www.virustotal.com/en/ip-add...9/information/
    ___

    Shylock/Caphaw Drops Blackhole for Styx and Nuclear
    - http://www.threattracksecurity.com/i...x-and-nuclear/
    Nov 8, 2013 - "In early October, news of the arrest of “Paunch” and his cohorts in Russia... Because of this, experts in the security industry had noticed the lack of new updates for the BHEK. Our experts in the Labs also concurred a possible dropping of threats involving the BHEK. With this in mind, it’s highly likely for online criminals to look for other alternatives...
    > http://www.threattracksecurity.com/i...to-exploit.jpg
    ... Sutra TDS has been associated with a number of Web threats, such as exploits (BHEK), rogue AV and ransomware among others as part of their infection and/or propagation tactics for years. Even phishers have jumped into the bandwagon... steps you can take in protecting yourself against Styx-based threats:
    • Make sure to update all your software in real-time. You might be better off using patch management software to assist with this. Such programs run in the background and prompt users whenever they detect new updates for software users have installed on systems.
    • Keep your antivirus software also up-to-date.
    • Block or filter off URLs with patterns that resemble Sutra TDS landing pages. Please ask assistance from someone if you need to."
    ___

    Key Bank Secure Message Spam
    - http://threattrack.tumblr.com/post/6...e-message-spam
    Nov 8, 2013 - "Subjects Seen:
    You have received a secure message
    Typical e-mail details:
    Read your secure message by opening the attachment, Secure_Message.zip. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it in a Web browser. To access from a mobile device, forward this message to mobile @ res. cisco .com to receive a mobile login URL.
    If you have concerns about the validity of this message, please contact the sender directly. For questions about Key’s e-mail encryption service, please contact technical support at 888.764.7941.
    First time users - will need to register after opening the attachment.


    Malicious File Name and MD5:
    Secure_Message.zip (4301BE522A5254DBB5DBCF96023526B9)
    Secure_Message.exe (8E0E9C0995B220FA8DFBC8BFFA54759F)


    Screenshot: https://gs1.wac.edgecastcdn.net/8019...bVl1r6pupn.png

    Last edited by AplusWebMaster; 2013-11-08 at 23:25.

  5. #315
    AplusWebMaster (Adviser Team)

    Typhoon Scams, Adware sites to block ...

    FYI...

    Typhoon Scams... Email, Telephone, Door to Door
    - http://www.threattracksecurity.com/i...one-door-door/
    Nov 11, 2013 - "In the wake of Typhoon Haiyan, both law enforcement and members of the public are coming forward to make timely reminders related to donation scams.
    1) Police in Huntsville, Ontario have warned of individuals from unverified donation campaigns* going door to door.
    Sudden arrivals on your doorstep asking for donations related to any form of disaster should always be viewed with suspicion, and keep in mind that any form of ID can be faked convincingly. If the person is particularly pushy about you handing over money in a short period of time, be extra suspicious...
    2) Anxious friends and relatives of those who have gone missing are apparently posting up too much personal information on social networks in their quest to re-establish contact... Avoid posting personal details to sites such as Twitter and Facebook.
    3) In the US, cold calling from individuals claiming to be from the Salvation Army asking for Typhoon relief donations has begun. I did a little digging on the phone number listed, and it appears on a Snopes page*** related to Hurricane Sandy FEMA cleanup crews... If you want to donate through Salvation Army, you should visit their donation page** and keep cold calls to your telephone line on the back burner.
    4) Scam emails are already in circulation. Expect the majority of these to ride on the coat-tails of efforts by organisations such as The Red Cross. One particularly devious tactic to watch out for is scammers giving you a real, genuine domain as a reply email to send your bank details to but including a fake as a CC address..."
    (More detail at the threattracksecurity URL above.)

    * http://moosefm.com/cfbg/news/14095-p...l-typhoon-scam

    ** https://donate.salvationarmyusa.org/TyphoonHaiyan

    *** http://www.snopes.com/fraud/employment/femasandy.asp
    ___

    - https://www.us-cert.gov/ncas/current...-Antivirus-and
    Nov 12, 2013
    ___

    Adware sites to block / "Consumer Benefit Ltd" ...
    - http://blog.dynamoo.com/2013/11/cons...-sites-to.html
    11 Nov 2013 - "A couple of network blocks came to my attention after investigating some adware ntlanmbn.exe (VirusTotal report*) and GFilterSvc.exe (report**) both in C:\WINDOWS\SYSTEM32. The blocks are 212.19.36.192/27 and 82.98.97.192/28 ... Many of the domains currently or recently hosted in these IP ranges are clearly deceptive in nature... the following domains and IPs are all part of these "Consumer Benefit Ltd" ranges and appear to be adware-related and have unclear ownership details. If you block adware sites on your network then I would recommend using the following blocklist:
    212.19.36.192/27
    82.98.97.192/28
    ..."
    (More detail and URLs listed at the dynamoo URL above.)

    * https://www.virustotal.com/en-gb/fil...is/1384162704/

    ** https://www.virustotal.com/en-gb/fil...is/1384162774/
    ___

    Fake Confidential Message SPAM / To All Employees 2013.zip.exe
    - http://blog.dynamoo.com/2013/11/to-a...l-message.html
    11 Nov 2013 - "This -fake- "all employees" email comes with a malicious attachment:
    Date: Mon, 11 Nov 2013 11:28:29 +0000 [06:28:29 EST]
    From: DocuSign Service [dse@ docusign .net]
    Subject: To all Employees - Confidential Message
    Your document has been completed
    Sent on behalf of administrator@victimdomain.
    All parties have completed the envelope 'Please DocuSign this document:
    To All Employees 2013.doc'.
    To view or print the document download the attachment .
    (self-extracting archive, Adobe PDF) This document contains information confidential and proprietary to spamcop .net
    DocuSign. The fastest way to get a signature. If you have questions regarding this notification or any enclosed documents requiring yoursignature, please contact the sender directly...


    The attachment to the email is called To All Employees 2013.zip which contains To All Employees 2013.zip.exe which has an icon that makes it look like a PDF file. This malicious file has a VirusTotal detection rate of 7/47*. Automated analysis... shows a callback to trc-sd .com on 121.127.248.74 (Sun Network, Hong Kong). This IP address hosts several legitimate sites, so bear that in mind if you block the IP."
    * https://www.virustotal.com/en-gb/fil...is/1384175853/

    - https://www.virustotal.com/en-gb/ip-...4/information/
    ___

    Fake Paypal SPAM / Identity_Form_04182013.zip
    - http://blog.dynamoo.com/2013/11/iden...-587-spam.html
    11 Nov 2013 - "For some reason EXE-in-ZIP attacks are all the rage at the moment, here is a -fake- spam pretending to be from PayPal with a malicious attachment:
    Date: Mon, 11 Nov 2013 19:14:10 +0330 [10:44:10 EST]
    From: Payroll Reports [payroll@ quickbooks .com]
    Subject: Identity Issue #PP-716-097-521-587
    We are writing you this email in regards to your PayPal account. In accordance with our
    "Terms and Conditions", article 3.2., we would like to kindly ask you to confirm your
    identity by completing the attached form. Please print this form and fill in the
    requested information. Once you have filled out all the information on the form please
    send it to verification@ paypal .com along with a personal identification document
    (identity card, driving license or international passport) and a proof of address
    submitted with our system ( bank account statement or utility bill )
    Your case ID for this reason is PP-D503YC19DXP3
    For your protection, we might limit your account access. We apologize for any
    inconvenience this may cause.
    Thanks, PayPal...


    Attached is a file Identity_Form_04182013.zip which in turn contains Identity_Form_04182013.exe which as you might guess is malicious. VirusTotal detections are 16/47*, and automated analysis... shows an attempted connection to trc-sd .com which is the same domain seen in this attack**."
    * https://www.virustotal.com/en-gb/fil...is/1384185446/

    ** http://blog.dynamoo.com/2013/11/to-a...l-message.html
    ___

    American Express Suspicious Activity Report Spam
    - http://threattrack.tumblr.com/post/6...ty-report-spam
    Nov 11, 2013 - "Subjects Seen:
    Recent Activity Report - Incident #6U7X67B05H6NGET
    Typical e-mail details:
    As part of our security measures, we deliver appropriate monitoring of transactions and customers to identify potentially unusual or suspicious activity and transactions in the American Express online system.
    Please review the “Suspicious Activity Report” document attached to this email.
    Your Cardmember information is included in the upper-right corner of this document to help you recognize this as a customer service e-mail from American Express. To learn more about e-mail security or report a suspicious e-mail, please visit us at americanexpress .com/phishing
    Thank you for your Cardmembership.
    Sincerely,
    Lindsey_Oneal
    Tier III Support
    American Express Account Security
    Fraud Prevention and Detection Network


    Malicious File Name and MD5:
    Incident#<random>.zip (14F92A367A01C5AD8F0C4A7062000FE6)
    Incident#.exe (77F23BC4F0ECB244FAA61163B07EAEC7)


    Screenshot: https://gs1.wac.edgecastcdn.net/8019...fCm1r6pupn.png

    Tagged:
    American Express: http://threattrack.tumblr.com/tagged/American-Express
    Upatre: http://threattrack.tumblr.com/tagged/Upatre

    Last edited by AplusWebMaster; 2013-11-12 at 22:03.

  6. #316
    AplusWebMaster (Adviser Team)

    Fake HMRC, Outlook SPAM, Dynamic DNS sites you might want to block ...

    FYI...

    Dynamic DNS sites you might want to block ...
    - http://blog.dynamoo.com/2013/11/dyna...t-want-to.html
    12 Nov 2013 - "These domains are used for dynamic DNS and are operated by a company called Dyn who offer a legitimate service, but unfortunately it is -abused- by malware writers. If you are the sort of organisation that blocks dynamic DNS IPs then I recommend that you consider blocking the following... listed in yellow have been identified as having some malware by Google, ones listed in red are blocked by Google. Ones listed in italics are flagged as malicious by SURBL*. The links go to the Google diagnostic page."
    (Long list at the dynamoo URL above.)
    * http://www.surbl.org/lists
    ___

    Fake HMRC SPAM - HMRC_Message.zip and qualitysolicitors .com
    - http://blog.dynamoo.com/2013/11/you-...ages-from.html
    12 Nov 2013 - "This fake HMRC spam comes with a malicious attachment. Because the spammers have copied-and-pasted the footer from somewhere random it also effectively joe jobs an innocent site called qualitysolicitors .com:
    Date: Tue, 12 Nov 2013 05:29:28 -0500 [05:29:28 EST]
    From: "noreply@hmrc .gov .uk" [noreply@hmrc .gov .uk]
    Subject: You have received new messages from HMRC
    Please be advised that one or more Tax Notices (P6, P6B) have been issued.
    For the latest information on your Tax Notices (P6, P6B) please open attached report.
    Please do not reply to this e-mail.
    1.This e-mail and any files or documents transmitted with it are confidential and
    intended solely for the use of the intended recipient. Unauthorised use, disclosure or
    copying is strictly prohibited and may be unlawful. If you have received this e-mail in
    error, please notify the sender at the above address and then delete the e-mail from your
    system.
    2. If you suspect that this e-mail may have been intercepted or amended, please
    notify the sender. 3. Any opinions expressed in this e-mail are those of the individual
    sender and not necessarily those of QualitySolicitors Punch Robson. 4. Please note that
    this e-mail and any attachments have been created in the knowledge that internet e-mail
    is not a 100% secure communications medium. It is your responsibility to ensure that they
    are actually virus free. No responsibility is accepted by QualitySolicitors Punch Robson
    for any loss or damage arising from the receipt of this e-mail or its contents.
    QualitySolicitors Punch Robson: Main office 35 Albert Road Middlesbrough TS1 1NU
    Telephone 01642 230700. Offices also at 34 Myton Road, Ingleby Barwick, Stockton On Tees,
    TS17 0WG Telephone 01642 754050 and Unit E, Parkway Centre, Coulby Newham, Middlesbrough
    TS8 0TJ Telephone 01642 233980 VAT no. 499 1588 77. Authorised and regulated by the
    Solicitors Regulation Authority (57864). A full list of Partners names is available from
    any of our offices...


    ... there's a ZIP file called HMRC_Message.zip which in turn contains a malicious executable HMRC_Message.exe which has a VirusTotal detection rate of 12/47*. Automated analysis tools... show that it attempts to communicate with alibra .co .uk on 78.137.113.21 (UKfastnet Ltd, UK) and then it attempts to download additional components from:
    [donotclick]synchawards .com/a1.exe
    [donotclick]itcbadnera .org/images/dot.exe
    a1.exe has a detection rate of 16/47**, and Malwr reports further HTTP connections to:
    [donotclick]59.106.185.23 /forum/viewtopic.php
    [donotclick]new.data.valinformatique .net/5GmVjT.exe
    [donotclick]hargobindtravels .com/38emc.exe
    [donotclick]bonway-onza .com/d9c9.exe
    [donotclick]friseur-freisinger .at/t5krH.exe
    dot.exe has a much lower detection rate of 6/47***... various types of activity including keylogging and credential harvesting. There are also many, many HTTP connections to various hosts, I suspect this is attempting to mask the actual C&C servers it is connecting to.
    a1.exe downloads several more files, all of which appear to be the same. The VirusTotal detection rate for these is 5/47***, Malwr reports several attempted IP connections that look a bit like peer-to-peer Zeus."
    Recommended blocklist:
    59.106.185.23 ..."
    (More URLS listed at the dynamoo URL above.)
    * https://www.virustotal.com/en-gb/fil...is/1384264864/

    ** https://www.virustotal.com/en-gb/fil...is/1384265605/

    *** https://www.virustotal.com/en-gb/fil...is/1384266070/
    ___

    Fake "Outlook Settings" SPAM - Outlook.zip
    - http://blog.dynamoo.com/2013/11/impo...ings-spam.html
    12 Nov 2013 - "This spam email has a malicious attachment:
    Date: Tue, 12 Nov 2013 16:22:38 +0100 [10:22:38 EST]
    From: Undisclosed Recipients
    Subject: Important - New Outlook Settings
    Please carefully read the attached instructions before updating settings.
    This file either contains encrypted master password, used to encrypt other files. Key archival has been implemented, in order to decrypt the file please use the following password: PaSdIaoQ
    This e-mail and / or any attachment(s) is intended solely for the above-mentioned recipient(s) and it may contain confidential or privileged information. If you have received it in error, please notify us immediately at helpdesk@victimdomain and delete the e-mail. You must not copy it, distribute it, disclose it or take any action in reliance on it.


    The body text of the spam contains a faked email address made to look like helpdesk@ the victim's domain. Attached to the email is a password-protected ZIP file Outlook.zip that has to be decoded with the PaSdIaoQ key in the body text of the email (hopefully intelligent people will realise that you wouldn't send the password with the encrypted attachment.. you'd have to be really daft to do that). Unzipping the file gives a malicious executable Outlook.exe which has an icon designed to look like Microsoft Outlook.
    Screenshot: https://lh3.ggpht.com/-uZyweXA5n_g/U...tlook-icon.png
    The detection rate at VirusTotal is 5/45*. Automated analysis tools... show an attempted connection to dchamt .com on 216.157.85.173 (Peer 1 Dedicated Hosting, US). That IP address contains about 70 websites which may or may not be clean."
    * https://www.virustotal.com/en-gb/fil...is/1384270918/

    - https://www.virustotal.com/en-gb/ip-...3/information/

    - http://threattrack.tumblr.com/post/6...-settings-spam
    Nov 12, 2013 - "Subjects Seen:
    Important - New Outlook Settings
    Typical e-mail details:
    Please carefully read the attached instructions before updating settings.
    This file either contains encrypted master password, used to encrypt other files. Key archival has been implemented, in order to decrypt the file please use the following password: PaSdIaoQ
    This e-mail and / or any attachment(s) is intended solely for the above-mentioned recipient(s) and it may contain confidential or privileged information. If you have received it in error, please notify us immediately at <sender e-mail address> and delete the e-mail. You must not copy it, distribute it, disclose it or take any action in reliance on it.


    Malicious File Name and MD5:
    Outlook.zip (4D0A70E1DD207785CB7067189D175679)
    Outlook.exe (C8D22FA0EAA491235FA578857CE443DC)


    Screenshot: https://gs1.wac.edgecastcdn.net/8019...TYV1r6pupn.png
    ___

    Fake Tax/Accountant SPAM / tax 2012-2013.exe
    - http://blog.dynamoo.com/2013/11/2012...countants.html
    12 Nov 2013 - "This -fake- tax spam comes with a malicious attachment:
    Date: Wed, 13 Nov 2013 00:44:46 +0800 [11:44:46 EST]
    From: "support@ salesforce .com" [support@ salesforce .com]
    Subject: FW: 2012 and 2013 Tax Documents; Accountant's Letter
    I forward this file to you for review. Please open and view it.
    Attached are Individual Income Tax Returns and W-2s for 2012 and 2013, plus an accountant's letter.
    This email message may include single or multiple file attachments of varying types.
    It has been MIME encoded for Internet e-mail transmission.


    Attached to the file is a ZIP file called dlf2365.zip which contains a malicious executable file tax 2012-2013.exe which has an icon to make it look like a PDF file.
    > https://lh3.ggpht.com/-4dRp1ML5c40/U...0/tax-icon.png
    VirusTotal detection rates are 17/47*. Automated analysis tools... show an attempted connection to nishantmultistate .com on 216.157.85.173 (Peer 1, US). This is the same server as used in this attack**, and you can safely assume that the whole server is compromised. Blocking this IP is probably a good idea."
    * https://www.virustotal.com/en-gb/fil...is/1384287261/

    ** http://blog.dynamoo.com/2013/11/impo...ings-spam.html
    ___

    Department of Treasury Outstanding Obligation Spam
    - http://threattrack.tumblr.com/post/6...bligation-spam
    Nov 12, 2013 - "Subjects Seen:
    Department of Treasury Notice of Outstanding Obligation - Case <random>
    Typical e-mail details:
    We have received notification from the Department of the Treasury,
    Financial Management Service (FMS) that you have an outstanding
    obligation with the Federal Government that requires your immediate
    attention.
    In order to ensure this condition does not affect any planned
    contract or grant activity, please review and sign the attached document and if
    you are unable to understand the attached document please call FMS at 1-800-304-3107
    to address this issue. Please make sure the person making the telephone call has the
    Taxpayer Identification Number available AND has the authority/knowledge
    to discuss the debt for the contractor/grantee.


    Malicious File Name and MD5:
    FMS-Case-<random>.zip (55D31D613A6A5A57C07D496976129068)
    FMS-Case-{_Case_DIG}.zip.exe (B807F603C69AEA97E900E59EC99315B5)


    Screenshot: https://gs1.wac.edgecastcdn.net/8019...Mit1r6pupn.png

    Last edited by AplusWebMaster; 2013-11-13 at 04:01.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  7. #317
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Fake PayPal, CareerBuilder, Facebook SPAM ...

    FYI...

    Fake PayPal "Identity Issue" SPAM / Identity_Form_04182013.zip
    - http://blog.dynamoo.com/2013/11/this...uickbooks.html
    13 Nov 2013 - "This -fake- PayPal (or is it Quickbooks?) spam has a malicious attachment:
    Date: Wed, 13 Nov 2013 02:27:39 -0800 [05:27:39 EST]
    From: Payroll Reports [payroll@ quickbooks .com]
    Subject: Identity Issue #PP-679-223-724-838
    We are writing you this email in regards to your PayPal account. In accordance with our
    "Terms and Conditions", article 3.2., we would like to kindly ask you to confirm your
    identity by completing the attached form. Please print this form and fill in the
    requested information. Once you have filled out all the information on the form please
    send it to verification@ paypal .com along with a personal identification document
    (identity card, driving license or international passport) and a proof of address
    submitted with our system ( bank account statement or utility bill )
    Your case ID for this reason is PP-TEBY66KNZPMU
    For your protection, we might limit your account access. We apologize for any
    inconvenience this may cause.
    Thanks,
    PayPal ...


    Attached is a file Identity_Form_04182013.zip which in turn contains Identity_Form_04182013.exe which has an icon to make it look like a PDF file.
    > https://lh3.ggpht.com/-sx8_WjDsH10/U...ntity-form.png
    The detection rate for this at VirusTotal is 9/47*, automated analysis tools... show an attempted connection to signsaheadgalway .com on 78.137.113.21 (UKfastnet Ltd, UK) which is the same server used in this attack**, so you can safely assume that the whole server is compromised and I recommend that you block that particular IP."
    * https://www.virustotal.com/en-gb/fil...is/1384340556/

    ** http://blog.dynamoo.com/2013/11/you-...ages-from.html
    ___

    CareerBuilder Notification Spam
    - http://threattrack.tumblr.com/post/6...ification-spam
    Nov 13, 2013 - "Subjects Seen:
    CareerBuilder Notification
    Typical e-mail details:
    Hello,
    I am a customer service employee at CareerBuilder. I found a vacant position that you may be interested in based on information from your resume or a recent online submission you made on our site.
    You can review the position on the CareerBuilder by downloading the attached PDF file.
    Attached file is scanned in PDF format.
    Adobe(R)Reader(R) can be downloaded from the following URL: adobe.com
    Best wishes in your job search !
    Savannah_Moyer
    Careerbuilder Customer Service Team


    Malicious File Name and MD5:
    CB_Offer_<random>.zip (B61D44F18092458F7B545A16D2FF77D6)
    CB_Offer_<random>.exe (40AB8B0050E496FB00F499212B600DDB)


    Screenshot: https://gs1.wac.edgecastcdn.net/8019...QrQ1r6pupn.png

    Tagged:
    CareerBuilder: http://threattrack.tumblr.com/tagged/CareerBuilder
    Upatre: http://threattrack.tumblr.com/tagged/Upatre
    ___

    Facebook Password Request Spam
    - http://threattrack.tumblr.com/post/6...d-request-spam
    Nov 13, 2013 - "Subjects Seen:
    You requested a new Facebook password!
    Typical e-mail details:
    Hello,
    You have received a secure message. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.
    Read your secure message by opening the attachment, Facebook-SecureMessage.zip.


    Malicious File Name and MD5:
    Facebook-SecureMessage.zip (FE3AB674A321959B3EA83CF54666A763)
    Transaction_{_tracking}.exe (95191C75EF4A87CBFA46C0818009312E)


    Screenshot: https://gs1.wac.edgecastcdn.net/8019...vP31r6pupn.png

    Tagged:
    Facebook: http://threattrack.tumblr.com/tagged/Facebook
    Upatre: http://threattrack.tumblr.com/tagged/Upatre
    ___

    EXE-in-ZIP SPAM storm continues
    - http://blog.dynamoo.com/2013/11/the-...continues.html
    13 Nov 2013 - "Two more EXE-in-ZIP spams.. the first is a terse one with a subject "Voice Message from Unknown Caller" or "Voicemail Message from unknown number" not much else with a malicious EXE-in-ZIP (VoiceMessage.zip) attachment with VirusTotal score of 7/46* which calls home... to amandas-designs .com on 80.179.141.8 (012 Smile Communications Ltd., Israel)

    The second one is a -fake- Wells Fargo spam similar to this:
    We have received this documents from your bank, please review attached documents.
    Lela Orozco
    Wells Fargo Advisors
    817-232-5887 office
    817-067-3871 cell Lela.Orozco@ wellsfargo .com
    Investments in securities and insurance products are:
    NOT FDIC-INSURED/NO BANK-GUARANTEES/MAY LOSE VALUE
    Wells Fargo Advisors, LLC is a nonbank affiliate of Wells Fargo & Company, Member
    FINRA/SIPC. 1 North Jefferson, St. Louis, MO 63103 ...


    In this case the EXE-in-ZIP attachment (BankDocs.zip) has a VirusTotal detection rate of 14/47** and calls home... to kidgrandy .com on 184.154.15.190 (Singlehop, US). Given the massive onslaught of EXE-in-ZIP spam, I would strongly recommend blocking ZIP files with executables in them at the perimeter."
    * https://www.virustotal.com/en-gb/fil...is/1384377409/

    ** https://www.virustotal.com/en-gb/fil...is/1384377605/

    - https://www.virustotal.com/en/ip-add...8/information/

    - https://www.virustotal.com/en/ip-add...0/information/

    Last edited by AplusWebMaster; 2013-11-14 at 00:45.
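    The recommendation above (block ZIP attachments that carry executables at the perimeter) is easy to state and easy to get subtly wrong: filtering on the attachment's own file name misses double-extension members such as tax 2012-2013.exe or FMS-Case-{_Case_DIG}.zip.exe, and filtering on member extension alone misses an EXE renamed to .pdf. The following is an added example in Python, not code from this post or from the dynamoo / ThreatTrack blogs it quotes. It builds a constructed .eml in memory (modelled on the fake Wells Fargo mail, with a harmless MZ-header stub standing in for the malware), opens only attachments that actually start with the ZIP magic bytes, flags members by executable suffix or by the MZ DOS header, and compares each member's MD5 against a few of the hashes quoted in the ThreatTrack reports in this thread. The sender and recipient addresses are invalid placeholders.

```python
"""Perimeter triage for EXE-in-ZIP mail attachments (added example)."""
import email
import hashlib
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Suffixes Windows runs directly. A double extension such as
# "BankDocs.pdf.exe" still ends in one of these.
EXEC_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs")

# MD5s quoted from the ThreatTrack reports in this thread; the constructed
# sample below is a stub and is not expected to match any of them.
KNOWN_BAD_MD5 = {
    "c8d22fa0eaa491235fa578857ce443dc": "Outlook.exe",
    "40ab8b0050e496fb00f499212b600ddb": "CB_Offer_<random>.exe",
    "c2cd447fd9b19b7f062a5a8cf6299600": "SecureMessage.exe",
}

ZIP_MAGIC = (b"PK\x03\x04", b"PK\x05\x06")  # local file header / empty archive


def is_executable_member(name, data):
    """Flag by case-insensitive suffix or by the 'MZ' DOS header, whichever hits."""
    return name.lower().endswith(EXEC_SUFFIXES) or data[:2] == b"MZ"


def triage_zip(zip_bytes):
    """One finding per ZIP member: name, md5, executable flag, IoC hit (or None)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)  # a real gateway would cap the decompressed size
            md5 = hashlib.md5(data).hexdigest()
            findings.append({
                "name": info.filename,
                "md5": md5,
                "executable": is_executable_member(info.filename, data),
                "known_bad": KNOWN_BAD_MD5.get(md5),
            })
    return findings


def triage_message(raw):
    """Walk every attachment of an RFC 822 message; open only real ZIP payloads."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        if payload[:4] in ZIP_MAGIC:  # trust the bytes, not the .zip file name
            for finding in triage_zip(payload):
                finding["attachment"] = part.get_filename()
                results.append(finding)
    return results


def should_block(findings):
    """Block if any member looks executable or matches a known-bad hash."""
    return any(f["executable"] or f["known_bad"] for f in findings)


def build_sample_eml():
    """Constructed message in the style of the fake Wells Fargo spam.
    The 'executable' is a 2-byte MZ header plus filler, not a program."""
    fake_exe = b"MZ" + b"\x00" * 62 + b"not a real program"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("BankDocs.pdf.exe", fake_exe)          # double extension
        zf.writestr("readme.txt", b"Please review attached documents.")
    msg = EmailMessage()
    msg["From"] = "advisor@example.invalid"      # placeholder, not a real sender
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Documents"
    msg.set_content("We have received this documents from your bank, "
                    "please review attached documents.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="BankDocs.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    found = triage_message(build_sample_eml())
    for f in found:
        print(f)
    print("BLOCK" if should_block(found) else "ALLOW")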

  8. #318
    Adviser Team AplusWebMaster

    Google Drive phish, Caphaw malware attack...

    FYI...

    Google Drive phish...
    - http://www.threattracksecurity.com/i...uri-technique/
    Nov 14, 2013 - "... interesting mail which arrived in my inbox earlier today. It came from a Gmail address tied to a Google+ account which appears to be Chinese in origin, and had me BCC’d in.
    > http://www.threattracksecurity.com/i...cheedrive1.jpg
    The email is called “Document”... This might look convincing to the unwary, but a simple hover over the link reveals that this isn’t going to take you to Google Drive:
    bashoomal(dot)com/redirect.html
    The end-user will be presented with a -fake- Google Drive login page which asks them to fill in their email address / password.
    > http://www.threattracksecurity.com/i...cheedrive2.jpg
    As you can see from the URL bar, this is another -phish- that tries to take advantage of the Data URI scheme... The Google account sending the mails appears to have been around since 2007, and also has a Youtube account – it seems likely that it has been compromised, and is being used to further the spread of malicious links..."

    - https://isc.sans.edu/diary.html?storyid=17018
    2013-11-13
    ___

    Malware sites to block - (Caphaw)
    - http://blog.dynamoo.com/2013/11/malw...13-caphaw.html
    14 Nov 2013 - "These domains and IPs appear to be involved in a Caphaw malware attack, such as this one*. All the IPs involved belong to Hetzner in Germany, and although some also host legitimate sites I would strongly recommend blocking them.
    Recommended blocklist:
    141.8.225.5
    46.4.47.20
    46.4.47.22
    88.198.57.178
    ..."
    (More listed at the dynamoo URL above.)
    * http://urlquery.net/report.php?id=7696954

    - http://www.virusradar.com/en/Win32_Caphaw.K/description

    Last edited by AplusWebMaster; 2013-11-14 at 18:53.

  9. #319
    Adviser Team AplusWebMaster

    Fake BoA fax, Malware sites to block - (Caphaw)

    FYI...

    More Malware sites to block - (Caphaw)
    - http://blog.dynamoo.com/2013/11/malw...13-caphaw.html
    15 Nov 2013 - "Thanks to a tip to investigate 199.68.199.178 I discovered that the Caphaw network I looked at yesterday* is much bigger than I thought. The following IPs and domains can all be regarded as malicious (.SU domains are normally a dead giveaway for evil activity). The recommended blocklist is at the end of the post (highlighted). These are the hosts involved either now or recently with hosting these Caphaw domains..."
    (Long list at the dynamoo URL above.)
    * http://blog.dynamoo.com/2013/11/malw...13-caphaw.html

    - https://www.virustotal.com/en/ip-add...8/information/

    - http://www.virusradar.com/en/Win32_Caphaw/detail
    ___

    Fake BoA fax message SPAM / 442074293440-1116-084755-242.zip
    - http://blog.dynamoo.com/2013/11/ring...x-message.html
    15 Nov 2013 - "This -fake- fax message email has a malicious attachment:
    Date: Fri, 15 Nov 2013 12:05:36 -0500 [12:05:36 EST]
    From: RingCentral [notify-us@ ringcentral .com]
    Subject: New Fax Message on 11/15/2013 at 09:51:51 CST
    You Have a New Fax Message
    From
    Bank of America
    Received: 11/15/2013 at 09:51:51 CST
    Pages: 5
    To view this message, please open the attachment.
    Thank you for using Ring Central .


    Screenshot: https://lh3.ggpht.com/-bw4CETLVd5I/U...ingcentral.png

    There is an attachment 442074293440-1116-084755-242.zip which unzips into a malicious executable 442074293440-1116-084755-242.exe which has a VirusTotal detection rate of 11/47*. Automated analysis tools... show an attempted connection to aspenhonda .com on 199.167.40.33 (FAM Info Systems / ServInt, US). The domain in question has been -hacked-, it is not possible to tell if the entire server is compromised but there are other legitimate sites on that box."
    * https://www.virustotal.com/en-gb/fil...is/1384537461/

    - https://www.virustotal.com/en/ip-add...3/information/
    ___

    Citigroup Secure Message Spam
    - http://threattrack.tumblr.com/post/6...e-message-spam
    Nov 15, 2013 - "Subjects Seen:
    You have a new encrypted message from Citigroup Inc.
    Typical e-mail details:
    You have received a secure e-mail message from Citigroup Inc..
    We care about your privacy, Citigroup Inc. uses this secure way to exchange e-mails containing personal information.
    Read your secure message by opening the attachment. You will be prompted to save (download) it to your computer.
    If you have concerns about the validity of this message, please contact the sender directly.
    First time users - will need to register after opening the attachment.


    Malicious File Name and MD5:
    SecureMessage.zip (969AEFFE28BC771C8453BF849450BC6A)
    SecureMessage.exe (C2CD447FD9B19B7F062A5A8CF6299600)


    Screenshot: https://gs1.wac.edgecastcdn.net/8019...gMb1r6pupn.png

    Tagged: CitiGroup, Upatre
    ___

    Threat Outbreak Alerts
    - http://tools.cisco.com/security/cent...utbreak.x?i=77
    Fake Authorization Form Email Messages - 2013 Nov 15
    Fake Product Purchase Order Email Messages - 2013 Nov 15
    Fake Payment Receipt Email Messages - 2013 Nov 15
    Malicious Personal Pictures Attachment Email Messages - 2013 Nov 15
    Fake Bank Payment Notification Email Messages - 2013 Nov 15
    Fake Product Order Email Messages - 2013 Nov 15
    Fake Meeting Invitation Email Messages - 2013 Nov 15
    Fake Payroll Invoice Notification Email Messages - 2013 Nov 15
    Fake Product Quote Request Email Messages - 2013 Nov 15
    Fake Shipping Order Information Email Messages - 2013 Nov 15
    Fake Shipping Notification Email Messages - 2013 Nov 15
    Fake Product Inquiry Email Messages - 2013 Nov 15
    Fake Payment Receipt Email Messages - 2013 Nov 15
    Fake Tax Document Email Messages - 2013 Nov 15
    Fake Travel Information Email Messages - 2013 Nov 15
    Email Messages with Malicious Attachments - 2013 Nov 15
    (More detail and links at the cisco URL above.)

    Last edited by AplusWebMaster; 2013-11-18 at 13:46.

  10. #320
    Adviser Team AplusWebMaster

    Phone SCAM, Freenters breach, Survey Scams, Silverlight exploit ...

    FYI...

    Phone SCAM - (08445715179)
    - http://blog.dynamoo.com/2013/11/0844...445715179.html
    18 Nov 2013 - "This is a particularly insidious scam that relies on mobile phone users in the UK not knowing that an 0844 number is much, much more expensive than a normal phone call. The scam SMS goes something like this:
    ATTENTION! We have tried to contact you, It is important we speak to you today. Please call 08445715179 quoting your reference 121190. Thank You.

    In this case the sender's number was +447453215347 (owned by Virgin Media Wholesale Ltd, but operated by a third party). The catch is that the calls to an 0844 number can cost up to 40p per minute (see more details here*), a large chunk of which goes into the operator's pockets. So what happens when you ring back? You get put on hold.. and left on hold until you have racked up a significant bill. Sadly, I don't know who is behind this scam, and in this case it was -illegally- sent to a TPS-registered number**. If you get one of these, you should forward the spam and the sender's number to your carrier. In the case of T-Mobile, O2 and Orange the number to report to is 7726 ("SPAM"). Vodafone customers should use 87726 ("VSPAM") and Three customers should use 37726 ("3SPAM"). Hopefully the carriers will act if there are enough complaints. You should also send a complaint to the ICO*** who may be able to take more serious action against these spammers."
    * http://www.moneysavingexpert.com/new...ium-rate-calls

    ** http://www.tpsonline.org.uk/tps/number_type.html

    *** http://www.ico.org.uk/complaints/marketing/2
    ___

    Freenters Hit By Breach, Student Data Leaked
    - http://www.threattracksecurity.com/i...-student-data/
    Nov 18, 2013 - "If you’re a student who signed up to the Freenters free printing service, you may want to go and ensure your logins are safe and sound, as it appears they were compromised pretty badly.
    > http://www.threattracksecurity.com/i...printpwn11.jpg
    ... Affected students were sent two separate emails which added to the confusion, with one stating “Passwords were secure” with a follow up advising them “we highly recommend you change your password for other accounts”... This might be a perfect time to ensure you’re not sharing passwords across sites and services, and think about using a password manager..."
    ___

    PlayStation 4 and Xbox One Survey Scams ...
    - http://blog.trendmicro.com/trendlabs...scams-spotted/
    Nov 18, 2013 - "... We found a Facebook page that advertised a PS4 raffle. Users were supposed to visit the advertised site, as seen below:
    > http://blog.trendmicro.com/trendlabs...3/11/ps4-1.jpg
    The site urges users to “like” or “follow” the page, and then share it on social media sites. This could be a way for scammers to gain a wider audience or appear more reputable.
    > http://blog.trendmicro.com/trendlabs...3/11/ps4-2.jpg
    Afterwards, users are required to enter their name and email address. Instead of a raffle, they are led to a survey scam:
    > http://blog.trendmicro.com/trendlabs...3/11/ps4-3.jpg
    ... Scams are also using the Xbox One as bait. However, the site in this case is currently inaccessible. Since the Xbox One has yet to be released, scammers could be waiting for the official launch before making the site live.
    > http://blog.trendmicro.com/trendlabs...3/11/xbox1.jpg
    The scams were not limited to Facebook. We spotted a site that advertised an Xbox One giveaway. Like the PS4 scam, users are encouraged to promote the giveaway through social media. Once they click the “proceed” button, they are led to a site that contains a text file they need for the raffle. But like other scams, this simply leads to a survey site.
    > http://blog.trendmicro.com/trendlabs...3/11/xbox2.jpg
    ... Product launches have become a tried-and-tested social engineering bait. Earlier in the year, we saw scams that used Google Glass as a way to trick users. Early last year, the launch of the iPad 3 became the subject of many scams and spam. Users should always be cautious when it comes to online raffles and giveaways, especially from unknown or unfamiliar websites. If the deal seems too good to be true, it probably is..."
    ___

    Netflix on your PC - Beware of Silverlight exploit
    - http://blog.malwarebytes.org/exploit...light-exploit/
    Nov 15, 2013 - "A vulnerability affecting Microsoft Silverlight 5 is being used in the wild to infect PCs that visit compromised or malicious websites... The flaw, which exists in versions prior to 5.1.20125.0, allows attackers to execute arbitrary code on the affected systems without any user interaction. Microsoft patched the flaw (CVE-2013-0074*) on March 12, 2013. The Silverlight exploit was first spotted in the Angler exploit kit by @EKWatcher and later documented by Kafeine. The screenshot below summarizes the attack:
    > http://cdn.blog.malwarebytes.org/wp-...-11-13_016.png
    ... those that already have an older version of Silverlight can still watch Netflix and may not be aware that their computers are at risk. Please ensure that you are running the latest version available (5.1.20913.0) and that it is set to install updates automatically:
    > http://cdn.blog.malwarebytes.org/wp-...ilverlight.png "

    * http://technet.microsoft.com/en-us/s...letin/ms13-022
    ___

    IRS Tax Payment Rejection Spam
    - http://threattrack.tumblr.com/post/6...rejection-spam
    Nov 18, 2013 - "Subjects Seen:
    Your FED TAX payment ( ID : 6LHIRS930292818 ) was Rejected
    Typical e-mail details:
    *** PLEASE DO NOT RESPOND TO THIS EMAIL ***
    Your federal Tax payment (ID: 6LHIRS930292818), recently sent from your checking account was returned by the your financial institution.
    For more information, please download notification, using your security PIN 55178.
    Transaction Number: 6LHIRS930292818
    Payment Amount: $ 2373.00
    Transaction status: Rejected
    ACH Trace Number: 268976180630733
    Transaction Type: ACH Debit Payment-DDA


    Malicious File Name and MD5:
    FED TAX payment.zip (661649A0CA9F13B06056B53B9BC3CBA7)
    FED TAX payment.exe (157BBC283245BBE5AB2947C446857FC9)


    Screenshot: https://gs1.wac.edgecastcdn.net/8019...bhC1r6pupn.png

    Tagged: IRS, Upatre

    Last edited by AplusWebMaster; 2013-11-19 at 04:32.
