FYI...
Fake Amazon SPAM - malicious attachment
- http://blog.mxlab.eu/2013/12/04/amaz...ntains-trojan/
Dec 4, 2013 - "... new trojan distribution campaign by email with the subject “order #852-9045074-5639529” or “order ID801-7322179-4122684”. This email is sent from the spoofed address “"AMAZON.CO.UK" <SALES@ AMAZON .CO .UK>” and has the following body:
Good evening,
Thank you for your order. We’ll let you know once your item(s) have dispatched. You can view the status of your order or make changes to it by visiting Your Orders on Amazon.co.uk.
Order Details
Order ID266-3050394-3760006 Placed on December 2, 2013
Order details and invoice in attached file.
Need to make changes to your order? Visit our Help page for more information and video guides.
We hope to see you again soon. Amazon.co.uk
The attached ZIP file has the name Order details.zip and contains the 86 kB file Order details.exe. The trojan is known as Trojan-PWS.Fareit, Trojan.Inject.RRE, PE:Malware.FakeDOC@CV!1.9C3C or Mal/Generic-S. At the time of writing, 5 of the 46 AV engines detected the trojan at VirusTotal. Use the VirusTotal permalink* and Malwr permalink** for more detailed information.
SHA256: 0cb39edbc66388a3315b84e0aa9f95b9e58ce4aab3e3e188ba0537694956afbc."
* https://www.virustotal.com/en/file/0...is/1386150729/
** https://malwr.com/analysis/YTk5MDIzN...YzNDlhY2ZhY2Q/
79.187.164.155 - PL
- https://www.virustotal.com/en/ip-add...5/information/
- http://blogs.appriver.com/Blog/bid/1...r-the-Holidays
Dec 03, 2013 - "... floods of -fake- Amazon.com "Order Details" notifications are hitting our filters... They are out in full force."
Screenshot: http://blogs.appriver.com/Portals/53...esized-600.png
___
Fake Amazon.co.uk SPAM / Order details.zip
- http://blog.dynamoo.com/2013/12/fake...etailszip.html
4 Dec 2013 - "This -fake- Amazon spam comes with a malicious attachment:
Date: Wed, 4 Dec 2013 11:07:00 +0200 [04:07:00 EST]
From: "AMAZON.CO.UK" [SALES@ AMAZON .CO .UK]
Subject: order ID718-4116431-2424056
Good evening, Thanks for your order. We'll let you know once your item(s) have dispatched. You can check the status of your order or make changes to it by visiting Your Orders on Amazon.co.uk.
Order Details
Order ID757-7743075-1612424 Placed on December 1, 2013 Order details and invoice in attached file.
Need to make changes to your order? Visit our Help page for more information and video guides.
We hope to see you again soon. Amazon. co .uk
Attached is a ZIP file Order details.zip which in turn contains a malicious executable Order details.exe which has a VirusTotal detection rate of 15/49*. Automated analysis tools... are fairly inconclusive, but do show some apparent traffic to 79.187.164.155 (TP, Poland) plus the creation of a key HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Start WingMan Profiler to run the malware at startup."
* https://www.virustotal.com/en-gb/fil...is/1386166395/
___
Fake Royal Mail SPAM - malicious attachment
- http://blog.mxlab.eu/2013/12/04/newe...ained-package/
Dec 4, 2013 - "... Today’s campaign is slightly different and carrying a new variant of the trojan. This email is sent from the spoofed address “RoyalMail Notification”, the SMTP from address on server level is now noreply@ royalmail .com, the subject has changed to “ATTN: Lost / Missing package” and has the following body:
Mail – Lost / Missing package – UK Customs and Border Protection
Royal Mail has detained your package for some reason (for example, lack of a proper invoice, bill of sale, or other documentation, a possible trademark violation, or if the package requires a formal entry) the RM International Mail Branch holding it will notify you of the reason for detention (in writing) and how you can get it released.
Please fulfil the documents attached.
Screenshot: http://img.blog.mxlab.eu/2013/20131202_royalmail.gif
The attached ZIP file has the name RoyalMail_ID_D6646FD113.zip and contains the 82 kB file Royal-Mail_Report_03485734895374895637249865238746532649573245.pdf. The trojan is known as TR/Crypt.Xpack.32532, Trojan.DownLoader9.22851, Trojan.Win32.Inject (A), Trojan.Win32.Inject.gtgw, PWSZbot-FMU!4948180CFBA9, Trojan.Agent.ED or Troj/DwnLdr-LEX. This executable creates a process on an infected system, modifies the Windows registry, changes the firewall policies, installs itself to run when the system boots, can steal information from local internet browsers, harvest credentials from FTP clients, collect information to fingerprint the system, perform HTTP requests and start servers listening on 0.0.0.0 on port 6274, 0.0.0.0 on port 2865 and 0.0.0.0 on port 0 (note that the ports in use have changed in this new variant).
At the time of writing, 8 of the 47 AV engines detected the trojan at VirusTotal. Use the VirusTotal permalink* and Malwr permalink** for more detailed information.
SHA256: 36edcd915f489fcac41d9a8db210db74fb35ccb03c4b86575f0bfa55a8655d66.
UPDATE: The message now comes with subject “Warning: Lost/Missing package” and contains the file RoyalMail_Report_IDEEAA87302A.zip. Once extracted, the file Royal_report_4935865497637856239875696597694892346545692354.pdf.exe is available. At the time of writing, 3 of the 49 AV engines detected the trojan at VirusTotal.
Use the VirusTotal permalink*** or Malwr permalink**** for more detailed information.
SHA256: 1c264ebf37829848920221b067ef13ad90968b332c91cc04a5f58cb9a0dcc4db."
* https://www.virustotal.com/en/file/3...is/1386160116/
** https://malwr.com/analysis/MjNjZTZjM...RhYzYyN2FkYWY/
*** https://www.virustotal.com/en/file/1...is/1386167663/
**** https://malwr.com/analysis/YTI1YmQxZ...kzYzg3N2I4OWE/
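Both the Amazon ("Order details.zip" holding "Order details.exe") and Royal Mail (a ZIP holding a ".pdf.exe") campaigns above rely on an executable hiding inside a ZIP attachment. The following mail-gateway style check is an added example, not code from either blog: it opens a ZIP in memory and flags members by executable extension, by a document-then-executable double extension, and by the PE "MZ" header (which also catches the first Royal Mail variant, whose file name ends in ".pdf" but is an executable). The sample ZIP is constructed here with harmless stub bytes.

```python
import io
import zipfile

# Extensions Windows will execute regardless of what precedes them
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Document-looking extensions the spam uses as a decoy before the real one
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".txt", ".jpg"}
PE_MAGIC = b"MZ"  # first two bytes of every Windows PE executable


def inspect_attachment(zip_bytes: bytes) -> list[dict]:
    """Return one finding per ZIP member that looks like a disguised executable."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            base = info.filename.lower().rsplit("/", 1)[-1]
            exts = ["." + p for p in base.split(".")[1:]]
            reasons = []
            if exts and exts[-1] in EXECUTABLE_EXTS:
                reasons.append("executable extension " + exts[-1])
            if len(exts) >= 2 and exts[-2] in DECOY_EXTS and exts[-1] in EXECUTABLE_EXTS:
                reasons.append("double extension " + exts[-2] + exts[-1])
            with zf.open(info) as member:
                if member.read(2) == PE_MAGIC:
                    reasons.append("PE header (MZ) regardless of file name")
            if reasons:
                findings.append({"name": info.filename, "size": info.file_size, "reasons": reasons})
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample mimicking the campaigns; the 'PE' members are inert MZ stubs, not malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Royal-Mail_Report_0000.pdf.exe", PE_MAGIC + b"\x00" * 62)
        zf.writestr("Order details.exe", PE_MAGIC + b"\x00" * 62)
        zf.writestr("Report_0001.pdf", PE_MAGIC + b"\x00" * 62)  # executable named as a PDF
        zf.writestr("readme.txt", b"plain text, harmless")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in inspect_attachment(build_sample_zip()):
        print(finding["name"], finding["size"], "; ".join(finding["reasons"]))
```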
___
Fake Dept of Treasury SPAM / FMS-Case.exe
- http://blog.dynamoo.com/2013/12/depa...notice-of.html
4 Dec 2013 - "This spam says Salesforce.com at the top but the rest is allegedly from some US Government department or other (pay attention people!). Anyway, it has a malicious attachment.
Date: Wed, 4 Dec 2013 08:24:02 -0500 [08:24:02 EST]
From: "support@salesforce.com" [support@ salesforce .com]
Subject: Department of Treasury Notice of Outstanding Obligation - Case CWK8SSU4K6CN852
Important please review and sign the attached document!
We have received notification from the Department of the Treasury,
Financial Management Service (FMS) that you have an outstanding
obligation with the Federal Government that requires your immediate
attention.
In order to ensure this condition does not affect any planned
contract or grant activity, please review and sign the attached document and if
you are unable to understand the attached document please call FMS at 1-800-304-3107
to address this issue. Please make sure the person making the telephone call has the
Taxpayer Identification Number available AND has the authority/knowledge
to discuss the debt for the contractor/grantee.
Questions should be directed to the Federal Service Desk ...
Attached is a file FMS-Case-CWK8SSU4K6CN852.zip which in turn contains a malicious executable FMS-Case.exe which has a VirusTotal detection rate of 7/49*. Automated analysis tools... show an attempted connection to worldofchamps .com on 198.1.78.171 (Websitewelcome, US) and a download from [donotclick]deshapran .com/img/deshp.exe on 182.18.143.140 (Pioneer eLabs, India). This second part has a VirusTotal detection rate of 6/47**, although automated analysis tools are inconclusive***. I recommend blocking -both- those domains."
* https://www.virustotal.com/en-gb/fil...is/1386170174/
** https://www.virustotal.com/en-gb/fil...is/1386170947/
*** https://malwr.com/analysis/NWJmNGQyN...E0MTlmMDU0NTY/
___
Job SCAMS - "british-googleapps .com" (and other googleapps .com domains)
- http://blog.dynamoo.com/2013/12/brit...and-other.html
4 Dec 2013 - "The following spam email is attempting to recruit money mules:
From: arwildcbrender@ victimdomain .com
to: arwildcbrender@ victimdomain .com
date: 4 December 2013 07:49
subject: Employment you've been searching!
Hello, We have an excellent opportunity for an apprentice applicant to join a rapidly expanding company.
An at home Key Account Manager Position is a great opportunity for stay at home parents
or anyone who wants to work in the comfort of their own home.
This is a part time job / flexible hrs for European citizens only,This is in view of our not having a branch office presently in Europe,
also becouse of paypal and ebay policies wich is prohibit to work directly with residents of some countries.
Requirements: computer with Internet access, valid email address, good typing skills.
If you fit the above description and meet the requirements, please apply to this ad stating your location.
You will be processing orders from your computer. How much you earn is up to you.
The average is in the region of 750-1000 GBP per week, depending on whether you work full or part time.
Region: United Kingdom only.
If you would like more information, please contact us stating where you are located and our job reference number - 42701-759/3HR.
Please only SERIOUS applicants.
If you are interested, please reply to: Gene@british-googleapps .com
Sample subjects include:
Employment you've been searching!
Career opportunity inside
Job ad - see details! Sent through Search engine...
british-googleapps .com is registered with completely fake details and uses a mail server on 50.194.47.186 (Comcast Business, US) to process mail. There are several other similar domain names being used for the same scam... In addition to those, all these following IPs and domains are in use by the scammers either now or recently. All the domains are registered through scam-friendly Chinese registrar BIZCN to fictitious registrants.
50.194.47.186 - US
175.67.90.27 - CN
95.94.135.113 - PT
220.67.126.175 - KR ..."
(Many URLs listed at the dynamoo URL above.)