
Thread: SPAM frauds, fakes, and other MALWARE deliveries...

  1. #371
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Fake Human Rights SCAM/SPAM ...

    FYI...

    Fake Human Rights SCAM/SPAM ...
    - http://blog.dynamoo.com/2014/02/afri...-refugees.html
    1 Feb 2014 - "This spam email is actually part of an advanced fee fraud setup:
    From: fernando derossi fernandderossi59@ gmail .com
    To: fernandderossi59@ gmail .com
    Date: 1 February 2014 13:22
    Subject: URGENT FOOD STUFF SUPPLY NEED FOR REFUGEES
    Signed by: gmail .com
    Dear Sir:
    My company has been mandated to look for a company capable of
    supplying food stuffs product listed bellow by the AFRICAN HUMAN
    RIGHT AND REFUGEES PROTECTION COUNCIL (AHRRPC) for assisting of the
    refugee within the war affected countries IN middle east and Africa
    like MALI,SYRIA, SOMALIA, CENTRAL AFRICA, and SOUTH SUDAN, which after
    going through your company's profile, have decided to know if your company is interested.
    Below are the list of food Stuffs and the targeted value needed by (AHRRPC) ...
    We will be happy to work with you company only as representing agent
    to secure an allocation for your company while in return your company
    will give us comission as soon as your receive your contract value. We
    will give you more details about the contract when we recieve your reply.
    Regards,
    Mr.Fernando Derossi
    AHRRPC AGENT ...


    The email links to a website at www .ahrrpc .8k .com which set off all sorts of -alarms- on my virus scanner, but I think it is just an ad-laden free web hosting site, and purports to be from the African Human Right and Refugees Protection Council (AHRRPC)...
    > https://lh3.ggpht.com/-rmNQq0bAL6I/U...600/ahrrpc.png
    Of course, there is no such organisation as this and probably the main thrust of the scam is that there will be an "arrangement fee" payable in order to sell these goods.. and once the fee is paid the scammers will disappear... Give any approaches from the so-called African Human Right and Refugees Protection Council (AHRRPC) a very wide berth. And remember, if you want to verify who a photo actually belongs to then Google Images is an excellent resource."
    ___

    Fake SMS SPAM ...
    - http://blog.dynamoo.com/2014/02/unsu...nd-of-ppi.html
    1 Feb 2014 - "... scammers are still at it, pumping away lead generation spam to persuade people to make PPI claims to which they are -not- entitled.

    Unsure if you qualify for a refund of PPI paid on a loan or credit card? Reply PPI and we will run a no obligation check or reply STOP to opt out.
    TPPCO


    In this case the scammers used the contact number +447743623103 but they burn through dozens of SIM cards every day with their illegal spamming operations. If you get one of these, you should forward the spam and the sender's number to your carrier... T-Mobile, O2 and Orange the number to report to is 7726 ("SPAM"). Vodafone customers should use 87726 ("VSPAM") and Three customers should use 37726 ("3SPAM"). Hopefully the carriers will act if there are enough complaints. You can also report persistent spam like this via the ICO's page on the subject*. With any luck these spammers will end up on the receiving end of a massive fine**."
    * http://ico.org.uk/for_the_public/top...arketing/texts

    ** http://blog.dynamoo.com/2012/11/gary...bel-fined.html

    Last edited by AplusWebMaster; 2014-02-02 at 14:45.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #372 (AplusWebMaster)

    Something evil on 192.95.7.224/28 + 64.120.137.32/27 + 192.95.43.160/28 ...

    FYI...

    Something evil on 192.95.7.224/28
    - http://blog.dynamoo.com/2014/02/some...295722428.html
    3 Feb 2014 - "Another OVH Canada range hosting criminal activity, 192.95.7.224/28 is being used for several malicious .pw domains being used to distribute malware (as used in this attack*). The malware domains seem to rotate through subdomains very quickly, possibly in an attempt to block analysis of their payload. This block is carrying out the same malicious activity that I wrote about a few days ago**. OVH have suballocated this IP block to an entity that I believe is connected with black hat host r5x .org.
    CustName: Private Customer
    Address: Private Residence
    City: Penziatki ...
    Country: RU
    RegDate: 2014-01-24 ...
    These IPs are particularly active:
    192.95.7.232
    192.95.7.233
    192.95.7.234

    There is nothing of value in this /28 block and I recommend that you -block- the entire IP range plus the following domains (which are all already flagged as being malicious by Google)
    Recommended blocklist:
    192.95.7.224/28
    archerbocce .pw
    athleticsmove .pw
    .."
    (Long list of .pw domains at the dynamoo URL above.)
    * http://urlquery.net/report.php?id=9205587

    ** http://blog.dynamoo.com/2014/01/some...951020828.html

    - https://www.virustotal.com/en/ip-add...2/information/
    ___

    Something evil on 64.120.137.32/27
    - http://blog.dynamoo.com/2014/02/some...201373227.html
    3 Feb 2014 - "64.120.137.32/27 is a range of IP addresses belonging to Network Operations Center Inc in the US and suballocated to a customer which is currently being used in malware attacks as an intermediate step in sending victims to this malicious OVH range*. You can see an example of some of the badness in action here**. The range was formerly used by a company called TixDepot but may have been hijacked or reassigned. NOC report the following contact details for the block:
    network:ID:NET-64.120.137.32/27
    network:Auth-Area:64.120.128.0/17
    network:network:NET-64.120.137.32/27
    network:block:64.120.137.32/27 ...
    network:country: US ...
    About -half- the domains in this /27 have been flagged as -malicious- by Google, concentrated on the three IP addresses:
    64.120.137.53
    64.120.137.55
    64.120.137.56

    I would recommend -blocking- the entire /27, but this is the breakdown by IP address with domains tagged by Google highlighted (there's a plain list here***)"
    * http://blog.dynamoo.com/2014/02/some...295722428.html

    ** http://urlquery.net/report.php?id=9196650

    *** http://pastebin.com/hHGvXkJa

    - https://www.virustotal.com/en/ip-add...3/information/

    - https://www.virustotal.com/en/ip-add...5/information/

    - https://www.virustotal.com/en/ip-add...6/information/
    ___

    Something evil on 192.95.43.160/28
    - http://blog.dynamoo.com/2014/02/some...954316028.html
    3 Feb 2014 - "More badness hosted by OVH Canada, this time 192.95.43.160/28 which contains pretty much the same set of evil described here*. Here is a typical IP flagged by VirusTotal** and a failed resolution by URLquery*** which frankly gives enough information to make it suspicious. However, the key thing is the registrant details which have been used in -many- malware attacks before****.
    CustName: Private Customer
    Address: Private Residence
    Country: RU
    RegDate: 2014-01-24...
    I can see the following .pw domains active in this range:
    basecoach .pw
    crewcloud .pw
    boomerangfair .pw
    kickballmonsoon .pw
    martialartsclub .pw
    runningracer .pw

    All those domains are flagged by Google as malicious and I recommend that you block them along with 192.95.43.160/28."
    * http://blog.dynamoo.com/2014/02/some...295722428.html

    ** https://www.virustotal.com/en-gb/ip-...0/information/

    *** http://urlquery.net/report.php?id=9209750

    **** http://blog.dynamoo.com/search?q=Penziatki
    ___

    Fake inTuit/TurboTax/IRS Refund Notice
    - http://security.intuit.com/alert.php?a=97
    2/3/14 - "People are receiving -fake- emails with the title "IRS Refund Notice":
    Screenshot: http://security.intuit.com/images/phish97_tt_refund.jpg
    This is the end of the -fake- email.
    Steps to Take Now:
    Do -not- open the attachment in the email.
    -Delete- the email..."
    ___

    German email accounts hacked - Scams circulate ...
    - http://blog.trendmicro.com/trendlabs...ts-get-hacked/
    Feb 3, 2014 - "Recently, the German Federal Office for Information Security disclosed that the email accounts of up to 16 million users had been compromised. The computers of these users were infected with information-stealing malware which were used to steal these login credentials. The German government has set up a page where users can check if their email accounts have been compromised*. We recommend that users in Germany check their accounts, as we’re seeing a re-occurrence of certain -scams- which rely on compromised email accounts...
    Protecting email accounts should be a top priority, considering the amount of sensitive information stored in them and the other accounts that can be controlled via password resets. Users should remember a few key safety tips:
    • Always use different complex passwords or passphrases for different accounts. Password managers can help create and manage multiple online accounts.
    • Opt for two-factor authentication when possible.
    • Only log in using secure and trusted devices. Think twice before logging in from public devices such as Internet cafes.
    • Users can also opt for encryption services for added protection."
    * https://www.sicherheitstest.bsi.de/
    ___

    ANZ 'Upgrade to New System' Phish ...
    - http://www.hoax-slayer.com/anz-upgra...ing-scam.shtml
    Feb 3, 2014 - "Email pretending to be from large Australian and New Zealand bank ANZ claims that customers must click a link to upgrade to a new system technology designed to give users maximum protection... The email is a phishing scam that tries to trick users into divulging their personal information to criminals. The "Log on" button opens a -bogus- website designed to steal the user's ANZ account login details...
    > http://www.hoax-slayer.com/images/an...ing-2014-1.jpg
    According to this email, which purports to be from the ANZ bank, customers are required to upgrade to a new system by logging into their accounts. The message claims that the new system will offer maximum protection and invites users to click a "Log on" button. The email is formatted with ANZ's logo and colour scheme to make it appear more genuine... the message is -not- from ANZ and the claim that users must login due to a system upgrade is untrue. The email is a simple phishing scam designed to grab account login credentials from unsuspecting ANZ customers... If users enter their customer number and password on the fake page and click the "Log on" button, they will be automatically redirected to the genuine ANZ site. They may believe that they have successfully "upgraded" to the new system and may remain unaware that they have been scammed until the next time they try to login... ANZ has published information about phishing scams on its website*..."
    * http://www.anz.com/auxiliary/securit...nternet-fraud/
    ___

    Fake Evernote - Malware Email
    - http://www.hoax-slayer.com/evernote-...re-email.shtml
    Feb 2, 2014 - "Email purporting to be from note taking application Evernote claims that an image has been sent and invites users to click a link to view the image... Evernote did not send the email and has no connection to it. The message is a criminal ruse designed to trick people into downloading and installing malware...
    > http://www.hoax-slayer.com/images/ev...-malware-1.jpg
    According to this email, which purports to be from popular note taking application Evernote, an image addressed to the recipient has been sent. The message includes a clickable "Go to Evernote" button. The name of the supposed image is also clickable. However, Evernote did not send the email. Nor did it send an image as claimed. Clicking the links in the message will not open an image stored in Evernote as suggested in the message. Both links lead to a compromised website that harbours -malware-..."

    Last edited by AplusWebMaster; 2014-02-04 at 03:25.
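Added example, not from the dynamoo posts or this forum: a small Python checker that takes the three recommended blocklists above as data and runs them over a few constructed proxy-log lines. IPs are matched by CIDR membership, so a /28 or /27 boundary is honoured exactly rather than by string prefix, and hostnames are matched against the parent domain, since the posts note the malware domains rotate through subdomains quickly. The log-line layout, the client addresses and every hostname other than the listed .pw domains are assumptions made for the demo.

```python
import ipaddress
import re
from typing import Dict, Iterable, List

# Indicators as published in the three dynamoo posts quoted above
# (the defanging spaces in the domain names removed).
BLOCKED_NETWORKS = [ipaddress.ip_network(cidr) for cidr in (
    "192.95.7.224/28",    # OVH Canada block hosting the .pw malware domains
    "64.120.137.32/27",   # Network Operations Center Inc block used as the redirector hop
    "192.95.43.160/28",   # second OVH Canada block with the same registrant details
)]
BLOCKED_DOMAINS = {
    "archerbocce.pw", "athleticsmove.pw",
    "basecoach.pw", "crewcloud.pw", "boomerangfair.pw",
    "kickballmonsoon.pw", "martialartsclub.pw", "runningracer.pw",
}


def ip_blocked(ip: str) -> bool:
    """True if ip lies inside one of the blocked CIDRs (network membership, not a prefix string match)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in BLOCKED_NETWORKS)


def domain_blocked(host: str) -> bool:
    """True if host is a blocked domain or any subdomain of one.

    The posts note that the malware domains rotate through subdomains
    quickly, so the parent domain is what gets matched.
    """
    labels = host.lower().rstrip(".").split(".")
    # Walk upwards: a.b.archerbocce.pw -> b.archerbocce.pw -> archerbocce.pw
    return any(".".join(labels[i:]) in BLOCKED_DOMAINS for i in range(len(labels) - 1))


# Assumed proxy-log layout for the demo: "<epoch> <client-ip> <method> <url> <server-ip>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<dst>\S+)$")


def host_from_url(url: str) -> str:
    """Strip scheme, path and port from a URL to get the bare hostname (IPv4/hostnames only)."""
    without_scheme = re.sub(r"^[a-z][a-z0-9+.-]*://", "", url, flags=re.IGNORECASE)
    return without_scheme.split("/", 1)[0].split(":", 1)[0]


def check_log(lines: Iterable[str]) -> List[Dict]:
    """Return one hit per log line that touches a blocked domain or a blocked IP."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        host = host_from_url(m["url"])
        reasons = []
        if domain_blocked(host):
            reasons.append(f"domain {host}")
        if ip_blocked(m["dst"]):
            reasons.append(f"ip {m['dst']}")
        if reasons:
            hits.append({"client": m["client"], "host": host, "dst": m["dst"], "reasons": reasons})
    return hits


# Constructed sample lines (hostnames other than the blocklisted ones are made up).
SAMPLE_LOG = [
    "1391400000.001 10.0.0.5 GET http://xk3.archerbocce.pw/get.php 192.95.7.233",
    "1391400000.002 10.0.0.5 GET http://www.example.com/ 93.184.216.34",
    "1391400000.003 10.0.0.7 GET http://landing.example/redir 64.120.137.55",
    "1391400000.004 10.0.0.9 GET http://notarcherbocce.pw/ 192.95.7.223",
    "1391400000.005 10.0.0.9 GET http://runningracer.pw:8080/x 192.95.43.170",
]

if __name__ == "__main__":
    for hit in check_log(SAMPLE_LOG):
        print(hit["client"], "->", hit["host"], hit["dst"], ";", ", ".join(hit["reasons"]))
```

One caveat the posts themselves raise: blocking a whole range only makes sense where, as the author says, there is nothing of value in it. For a hostname parked on shared hosting or a CDN, block the hostname and leave the address alone.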

  3. #373 (AplusWebMaster)

    GameOver Zeus modified, Email malware spikes ...

    FYI...

    GameOver Zeus now using Encryption to bypass detection
    - http://threatpost.com/gameover-zeus-...tection/104019
    Feb 3, 2014 - "Cybercriminals have begun to tweak the way the GameOver Zeus Trojan is being delivered to users’ machines, making it easier for the banking malware to evade detection and steal victims’ credentials. To get the job done the malware has been working in tandem with the malware Upatre. For about a week now criminals have been changing the .exe files Upatre downloads to non-executable .enc files. According to a computer forensics expert, this is how the malware, which spreads via spam e-mails and malicious attachments, can avoid being spotted by firewalls, Web filters and other security defenses. Gary Warner, a director of research in computer forensics at the University of Alabama at Birmingham posted* about the trick and included a handful of spam email examples on his Cybercrime & Doing Time blog yesterday... Warner noticed the trend when a colleague, Brendan Griffin, a malware analyst at the firm Malcovery sent along a series of -spam- messages, some purporting to come from the Better Business Bureau, Skype and the IRS, among other agencies, spreading the malware..."
    * http://garwarner.blogspot.com/2014/0...yption-to.html

    - https://www.virustotal.com/en/file/0...fee8/analysis/
    File name: vti-rescan
    Detection ratio: 0/50
    Analysis date: 2014-02-05

    - https://slashdot.org/topic/datacente...e-from-a-user/
    Feb 4, 2014 - "... The newest version of the GameOver Zeus variant slipped through -50- anti-virus filters at online anti-virus service VirusTotal by encrypting its malicious payload and changing the name to make it look inert, according to security researcher Gary Warner at Malcovery, who blogged about it Feb. 2. “Why? Well, because technically, it isn’t malware. It doesn’t actually execute!” Warner wrote*. “All Windows EXE files start with the bytes “MZ”. These files start with “ZZP”. They aren’t executable, so how could they be malware? Except they are.” Rather than launching its own malicious payload, the attachment downloads an encrypted file ending in .enc, then decrypts it, renames it and stores the new payload somewhere else on the infected machine – as an executable scheduled to launch sometime later. It was easier when botnets used IRC to control malware-infected zombies, but the state of the art is now to use TCP and HTTP, which helps botnets hide their tracks among gigabytes of legitimate HTTP traffic..."

    - http://www.fortiguard.com/legacy/ana...sanalysis.html
    ___

    Email malware at 5-year high - Jan 2014
    - http://blogs.appriver.com/Blog/bid/1...uary-in-Review
    Feb 3, 2014 - "... a few metrics that we saw in January:
    > http://blogs.appriver.com/Portals/53...esized-600.jpg
    Though traffic was close to normal, the four day -spike- from the 7th-10th was enough to push this month’s total virus message count to the highest monthly total since Q3 of 2008. (269,108,311 virus-laden messages were quarantined in January 2014.) The traffic on Jan.7th-10th was roughly -40- times the daily average, which is typically about 2+million emails containing a virus attachment..."

    Last edited by AplusWebMaster; 2014-02-06 at 00:04.
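Added example, not part of the Threatpost or Slashdot items above and not the decoder Upatre uses: a Python triage routine built on the detail those items turn on, that a Windows executable starts with the bytes MZ while the GameOver Zeus .enc downloads start with ZZP and are inert until decoded. It opens a mail attachment, walks into ZIP containers with a depth and size cap, and classifies each member by its leading bytes rather than its name, flagging MZ files behind a .scr name or a decoy double extension, and ZZP-headed blobs that an extension-based filter would pass. The ZIP fixture, its member names (modelled on attachments quoted in this thread) and the stand-in bytes are all constructed here; the ZZP encoding itself is not reproduced.

```python
import io
import zipfile
from typing import Dict, List

# Extensions Windows runs directly on double-click; .scr is here because, as the
# posts say, a "screensaver" is a plain PE file under a different name.
WINDOWS_EXEC_EXTS = {"exe", "dll", "sys", "scr", "com", "pif", "cpl"}
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "txt", "jpg", "png"}
MAX_MEMBER_BYTES = 50 * 1024 * 1024   # refuse to inflate anything larger (zip-bomb guard)
MAX_DEPTH = 3                         # nested archives beyond this are reported, not opened


def classify_bytes(name: str, data: bytes) -> Dict:
    """Classify one blob by its leading bytes, then compare the verdict against its file name."""
    lower = name.lower()
    parts = lower.split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    finding = {"name": name, "size": len(data), "verdict": "other", "notes": []}
    if data.startswith(b"PK\x03\x04"):
        finding["verdict"] = "zip"
    elif data.startswith(b"MZ"):
        finding["verdict"] = "executable"
        if ext not in WINDOWS_EXEC_EXTS:
            finding["notes"].append(f"MZ header but extension '.{ext}'" if ext else "MZ header, no extension")
        elif ext != "exe":
            finding["notes"].append(f".{ext} is run by Windows like .exe")
        if len(parts) > 2 and parts[-2] in DECOY_EXTS:
            finding["notes"].append("double extension")
    elif data.startswith(b"ZZP"):
        finding["verdict"] = "encoded-payload"
        finding["notes"].append("ZZP header: not a PE as-is, matches the GameOver Zeus .enc downloads")
    return finding


def triage_attachment(name: str, data: bytes, depth: int = 0) -> List[Dict]:
    """Classify an attachment and, if it is a ZIP, every file inside it (recursively, bounded)."""
    findings = [classify_bytes(name, data)]
    if findings[0]["verdict"] != "zip":
        return findings
    if depth >= MAX_DEPTH:
        findings[0]["notes"].append("nested too deep, not opened")
        return findings
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.file_size > MAX_MEMBER_BYTES:
                findings.append({"name": info.filename, "size": info.file_size,
                                 "verdict": "skipped", "notes": ["declared size too large"]})
                continue
            findings.extend(triage_attachment(info.filename, zf.read(info), depth + 1))
    return findings


def build_sample_zip() -> bytes:
    """Constructed fixture: a ZIP shaped like the ones in the thread, with inert stand-in bytes."""
    fake_pe = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 128   # DOS-header-shaped stub, not a real program
    fake_enc = b"ZZP" + bytes(range(256))                               # ZZP-headed blob with arbitrary content
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Payment receipt Barclays PA77392733.exe", fake_pe)
        zf.writestr("SecureMessage.scr", fake_pe)
        zf.writestr("PDF_Account_Details.pdf.exe", fake_pe)   # decoy double extension, name shortened
        zf.writestr("pdf.enc", fake_enc)
        zf.writestr("readme.txt", b"plain text\n")
    return buf.getvalue()


if __name__ == "__main__":
    for f in triage_attachment("Payment receipt Barclays PA77392733.zip", build_sample_zip()):
        print(f"{f['verdict']:16} {f['name']:45} {'; '.join(f['notes'])}")
```

The point of keying on bytes instead of names is that every attachment in this thread lies about itself in the name (.scr, .pdf.exe, a missing extension, or .enc for something that becomes an .exe later); the first two bytes do not.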

  4. #374 (AplusWebMaster)

    Fake Barclays, Lloyds SPAM ...

    FYI...

    Fake Barclays transaction SPAM
    - http://blog.dynamoo.com/2014/02/barc...tion-spam.html
    5 Feb 2014 - "This -fake- Barclays spam comes with a malicious payload:
    Date: Wed, 5 Feb 2014 03:02:52 -0500 [03:02:52 EST]
    From: Barclays Bank [support@ barclays .net]
    Subject: Barclays transaction notification #002601
    Transaction is completed. £9685 has been successfully transfered.
    If the transaction was made by mistake please contact our customer service.
    Receipt of payment is attached.
    Barclays is a trading name of Barclays Bank PLC and its subsidiaries. Barclays Bank PLC is authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority (Financial Services Register No. 122702). Registered in England. Registered Number is 1026167 with registered office at 1 Churchill Place, London E14 5HP.


    Attached is a file Payment receipt Barclays PA77392733.zip which in turn contains a malicious executable Payment receipt Barclays PA77392733.exe with a surprisingly poor VirusTotal detection rate of just 1/51* (only Sophos detects it). Automated analysis tools are pretty inconclusive about the payload... with only the Malwr report** having any real detail."
    * https://www.virustotal.com/en-gb/fil...is/1391591290/

    ** https://malwr.com/analysis/OGIzYjYzN...dkMGRlOTc5ODI/
    ___

    Hacked Within Minutes: Sochi Visitors Face Internet Minefield
    - http://www.nbcnews.com/watch/nightly...d-137647171983
    Feb 4, 2014 - "... they should have “no expectation of privacy,” even in their hotel rooms."
    ___

    Fake "LloydsLink reference" SPAM - malicious attachment
    - http://blog.dynamoo.com/2014/02/lloy...omes-with.html
    5 Feb 2014 - "This -fake- Lloyds TSB spam comes with a malicious payload:
    Date: Wed, 5 Feb 2014 20:38:29 +0100 [14:38:29 EST]
    From: GRP Lloydslink Tech [GRPLloydslinkTech@ LLOYDSBANKING .COM]
    Subject: LloydsLink reference: 8255820 follow up email and actions to be taken
    Lloyds TSB
    Help
    (New users may need to verify their email address)
    If you do not see or cannot click / tap the Download attachment button:
    Desktop Users:
    You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.
    Mobile Users:
    Install the mobile application.
    Protected by the Voltage SecureMail Cloud
    SecureMail has a NEW LOOK to better support mobile devices!
    Disclaimer: This email and any attachments are confidential and for the sole use of the recipients. If you have received this email in error please notify the sender.
    Email Security Powered by Voltage IBE™
    Copyright 2002-2014 Voltage Security, Inc. All rights reserved.
    Lloyds Bank plc. Registered Office: 25 Gresham Street, London EC2V 7HN. Registered in England and Wales no. 2065. Telephone 0207626 1500
    Bank of Scotland plc. Registered Office: The Mound, Edinburgh EH1 1YZ. Registered in Scotland no. SC327000. Telephone: 08457 21 31 41 ...


    Screenshot: https://lh3.ggpht.com/-WflKBnC4NEw/U...lloyds-tsb.png

    The attachment is SecureMessage.zip which in turn contains a malicious executable SecureMessage.scr which has an icon that looks like Internet Explorer. Despite the .scr suffix, this file is a plain old .exe file and will execute if you double-click it (-don't!-). VirusTotal detections are 11/51*, and automated analysis... show an attempted download from [donotclick]asianfarm .org/images/pdf.enc and [donotclick]ideasempurna .com .my/wp-content/uploads/2014/02/pdf.enc with the following IPs being involved:
    108.90.186.161 (AT&T, US)
    111.90.133.246 (Piradius Net, Malaysia)
    121.117.209.51 (NTT, Japan)
    124.217.241.34 (Piradius Net, Malaysia)
    174.103.25.199 (Time Warner Cable, US)
    The .enc file is an encoded executable, explained in detail here**. I haven't tried to decode it but obviously that too will be malicious."
    Recommended blocklist:
    asianfarm .org
    ideasempurna .com .my
    108.90.186.161
    111.90.133.246
    121.117.209.51
    124.217.241.34
    174.103.25.199
    "
    * https://www.virustotal.com/en-gb/fil...is/1391616188/

    ** http://blog.crysys.hu/2014/02/gameov...nc-encryption/
    ___

    Malware uses ZWS compression for evasion tactic
    - http://blog.trendmicro.com/trendlabs...vasion-tactic/
    Feb 5, 2014 - "... We have seen many instances wherein malware came equipped with improved evasion techniques, such as preventing execution of analysis tools, hiding from debuggers, blending in with normal network traffic, along with various JavaScript techniques. Security researchers have now come across malware that uses a legitimate compression technique to go unnoticed by security solutions. This malware, detected as TROJ_SHELLCOD.A, is an exploit that targets an Adobe Flash Player vulnerability (CVE-2013-5331). The malware is a document file with an embedded Flash file, which has been compressed using ZWS. Released in 2011, ZWS uses the Lempel-Ziv-Markov Algorithm (LZMA) to compress data with no data loss... Typically, malware is often downloaded and executed, which means a physical copy of the malware is dropped in the infected machine. This allows security solutions to detect the malware. However, this particular malware allots memory using VirtualAlloc and executes it, acting like a backdoor. Doing so makes it harder to trace the routines of the malware as there is no physically dropped file; instead the payload is copied directly into memory. This is the reason why this malware is able to evade most security solutions, even those that support ZWS compression. We urge users to regularly install security updates as soon as they are made available. These patches can mean the difference between protection and infection. For example, the vulnerability used in this attack was patched by Adobe in December 2013..."

    Last edited by AplusWebMaster; 2014-02-06 at 05:25.

  5. #375 (AplusWebMaster)

    Fake HMRC, TNT SPAM, Fake AV ...

    FYI...

    Fake HMRC "VAT Return" SPAM
    - http://blog.dynamoo.com/2014/02/fake...turn-spam.html
    6 Feb 2014 - "This -fake- HMRC spam comes with a malicious attachment:
    Date: Thu, 6 Feb 2014 20:32:34 +0100 [14:32:34 EST]
    From: "noreply@ hmrc .gov .uk" [noreply@ hmrc .gov .uk]
    Subject: Successful Receipt of Online Submission for Reference 3608005
    Thank you for sending your VAT Return online. The submission for reference 3608005 was
    successfully received on Thu, 6 Feb 2014 20:32:34 +0100 and is being processed. Make VAT
    Returns is just one of the many online services we offer that can save you time and
    paperwork.
    For the latest information on your VAT Return please open attached report.
    The original of this email was scanned for viruses by the Government Secure Intranet
    virus scanning service supplied by Cable&Wireless Worldwide in partnership with
    MessageLabs. (CCTM Certificate Number 2009/09/0052.) On leaving the GSi this email was
    certified virus free...


    ... this thing comes with a malicious payload. Attached to the message is an archive Reference.zip which in turn contains a malicious executable Reference.scr (a plain old executable, not a screensaver). This has a VirusTotal detection rate of 2/50*. Automated analysis tools... show an encrypted file** being downloaded from:
    [donotclick]wahidexpress .com/scripts/ie.enc
    [donotclick]bsitacademy .com/img/events/ie.enc
    Recommended blocklist:
    182.18.188.191
    wahidexpress .com
    bsitacademy .com

    * https://www.virustotal.com/en-gb/fil...is/1391686048/

    ** http://blog.crysys.hu/2014/02/gameov...nc-encryption/

    Update: A -second- version of the email is circulating with the following body text:
    The submission for reference 485/GB1392709 was successfully received and was not
    processed.
    Check attached copy for more information.
    This is an automatically generated email. Please do not reply as the email address is not
    monitored for received mail.

    ___

    Fake "TNT UK Limited " SPAM - zero detections
    - http://blog.dynamoo.com/2014/02/fake...with-zero.html
    6 Feb 2014 - "This -fake- TNT spam comes with a malicious attachment that is currently not detected by any AV vendors.
    Date: Thu, 6 Feb 2014 11:48:18 +0100 [05:48:18 EST]
    From: TNT COURIER SERVICE [tracking@ tnt .co .uk]
    Subject: TNT UK Limited - Package tracking 798950432737
    Your package have been picked up and is ready for dispatch.
    Connote # : 798950432737
    Service Type : Export Non Documents - Intl
    Shipped on : 05 Feb 14 00:00
    Order No : 2819122
    Status : Driver's Return Description : Wrong Address
    Service Options: You are required to select a service option below.
    TNT COURIER SERVICE (TCS)
    Customer/Delivery Services Department
    Central Pk Est/Mosley Rd, Trafford Park
    Manchester, M17 1TT UK.
    DETAILS OF PACKAGE
    Reg order no: 798950432737
    The options, together with their associated conditions...


    Attached is a file Label_798950432737.zip which contains a malicious executable Label02062014.scr (an executable despite the .scr extension) with a VirusTotal detection rate of 0/41*. Despite the zero detection rate, there is plenty of badness going on... including downloads of an encrypted file from the following locations:
    [donotclick]newz24x .com/wp-content/uploads/2014/02/pdf.enc
    [donotclick]oilwellme .com/images/banners/pdf.enc
    The Malwr report** indicates lots of IPs being communicated with, some of these look like Cloudflare addresses where newz24x .com is hosted. Take care with these if you are thinking about blocking them.
    Recommended blocklist:
    182.18.151.160
    newz24x .com
    oilwellme .com
    "
    * https://www.virustotal.com/en-gb/fil...is/1391684255/

    ** https://malwr.com/analysis/N2UyOTljM...UxZGU3YTljNDk/
    ___

    Visa/MasterCard Important Notification Spam
    - http://threattrack.tumblr.com/post/7...ification-spam
    Feb 6, 2014 - "Subjects Seen:
    ATTN: Important notification for a Visa / MasterCard holder!
    Typical e-mail details:
    Dear <email name>, Your Bank debit card has been temporarily blocked
    We’ve detected unusual activity on your Bank debit card . Your debit card has been temporarily blocked, please fill document in attachment and contact us


    Malicious File Name and MD5:
    <email name>_Account_Report_7552804B13.zip (F08171CEF69EFD04CFC0F525ABD862FD)
    PDF_Account_Details_User_543857394652798346597456987235986498756234798573280945-4353452345-32453245324532-45.pdf.exe (A1E61D4628E8381F47CE2E8424410A39)


    Screenshot: https://31.media.tumblr.com/0eb34e8b...4t81r6pupn.png

    Tagged: Visa, MasterCard, Tepfer
    ___

    Swedish newssite compromised - Fake AV
    - http://bartblaze.blogspot.com/2014/0...mpromised.html
    Feb 6, 2014 - "... a Swedish and well-visited newssite, AftonBladet (http ://www .aftonbladet .se), was -compromised- and serving visitors a fake antivirus or rogueware. There are two possibilities as to the cause:
    - A (rotating) ad where malicious Javascript was injected
    - AftonBladet itself had malicious Javascript injected
    Whoever the cause, the injected script may have been as simple as:
    document.write('< script src=http ://http ://www .aftonbladet .se/article/mal.php'); When trying to reproduce, it appeared it already was cleaned up, fast actions there...
    File: svc-ddrs.exe
    Image icon: https://lh3.ggpht.com/-edoZpNtfHHg/U...Ok/s1600/1.png
    Size: 1084416 bytes
    Type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
    MD5: be886eb66cc39b0bbf3b237b476633a5
    SHA1: 36c3671f37f414ad6e0954e094a1a7bd0dcc34fc
    ssdeep: 24576:M2xJbbGmTvmN9BfQ0lc4Bt4Xsk2QkibF5BOWe8JH0:M6bb3MQ0lc434n2Qhh5kWe8JU
    Date: 0x52F1C3E1 [Wed Feb 5 04:53:53 2014 UTC]
    EP: 0x5a8090 UPX1 1/3 [SUSPICIOUS]
    CRC: Claimed: 0x0, Actual: 0x10eeb0 [SUSPICIOUS]
    Packers: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
    VirusTotal: https://www.virustotal.com/en-gb/fil...2dd0/analysis/
    Anubis: http://anubis.iseclab.org/?action=re...e2&format=html
    When executing the sample: Windows Efficiency Master:
    > https://lh3.ggpht.com/-Gvb7kJhW-4Y/U...00/fakeav2.PNG
    Fake scanning results:
    > https://lh3.ggpht.com/-N53YX8RSsCg/U...600/FakeAV.PNG
    Besides dropping the usual EXE file in the %appdata% folder, it also drops a data.sec file with predefined scanning results (all fake obviously). Here's a pastebin with the contents of data.sec: http://pastebin.com/DCtDWEbi
    It also performs the usual actions:
    - Usual blocking of EXE and other files
    - Usual blocking of browser like Internet Explorer
    - Callback to 93.115.86.197 C&C
    - Stops several antivirus services and prevents them from running
    - Reboots initially to stop certain logging and monitoring tools
    - Uses mshta.exe (which executes HTML application files) for the usual payment screen
    - Packed with UPX, so fairly easy to unpack
    - Connects to http ://checkip .dyndns .org/ to determine -your- IP
    This rogueware or fake AV belongs to the Tritax family, which has been going around for quite some time and has lots and lots of different names, but the design, concept and initial social engineering attack are all the same... an excellent post on this family, which you can read here:
    > http://blog.0x3a.com/post/7547473124...y-their-active
    Prevention: In this case, no exploit -nor Java/Adobe, nor browser- was used. Only Javascript was injected. Install an antivirus and antimalware product and keep it up-to-date & running. Use NoScript in Firefox or NotScripts in Chrome. -Block- the above IP...
    Disinfection: Perform a full scan with your installed antivirus and a scan with another antivirus or antimalware product. You can check on VirusTotal which antivirus applications already detect this malware. If you are having issues doing this, reboot your machine in Safe Mode and remove the malware..."
    ___

    Payroll Report Spam
    - http://threattrack.tumblr.com/post/7...ll-report-spam
    Feb 5, 2014 - "Subjects Seen:
    Jan Report
    Typical e-mail details:
    Hello ,
    Please find attached reports for this year for checking.
    Please could you sign the BACs form and return it as your approval that I am to go ahead with the transmission.
    Kind regards
    Wilton
    Payroll Manager


    Malicious File Name and MD5:
    January.zip (F261B2109FD733559191CCCB7DEC79F8)
    January.scr (811AD8F76AD489BAF15DB72306BD9F34)


    Screenshot: https://31.media.tumblr.com/97e3ccd0...Um21r6pupn.png

    Tagged: Payroll, Upatre
    ___

    Fake "Payment Fund" SPAM - Wire.Transfer.rar attachment
    - http://blog.dynamoo.com/2014/02/paym...ansferrar.html
    5 Feb 2014 - "It's rare to see malware with a .RAR attachment, but this is one of those unusual beasts..
    From: Alison George allison.george@ transferduc .nl
    Date: 5 February 2014 22:41
    Subject: Payment Fund
    ALERT! A bank Wire transaction, Has just been rejected from checking 656778*** account.
    to your bank confirmed by the FedWire.
    Transaction ID: 99076900
    Date: 2/3/2014
    Transfer Origination: Fedline
    Please review the attached copy of transaction report,
    Federal Reserve Financial Services
    Creating Nationwide Solutions for Your Payment Needs
    20th Street and Constitution Avenue N.W.
    Washington, D.C. 20551


    Attached is a file Wire.Transfer.rar which you will need to unpack with a suitable application. In turn this creates a file Wire-Report which is actually an executable, but missing the .exe extension.. so you have to add that to get infected. Hmmm.. the phrase "some assembly required" springs to mind. The VirusTotal detection rate is 7/50* but most automated analysis tools seem to be having problems with the executable, so perhaps it is hardened against analysis or is simply corrupt. The ThreatExpert report (for some reason -not- showing in their database right now) has the following details:
    Submission Summary:
    Submission details:
    Submission received: 5 February 2014, 04:39:38 PM
    Processing time: 6 min 0 sec
    Submitted sample:
    File MD5: 0x12F1265162AAD712C271DAC6A9B5E564
    Filesize: 248,320 bytes
    Summary of the findings:
    What's been found Severity Level
    Creates a startup registry entry.
    Technical Details:
    Memory Modifications
    There was a new process created in the system:
    Process Name Process Filename Main Module Size
    server.exe %Temp%\server.exe 57,344 bytes
    Registry Modifications
    The newly created Registry Values are:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    babe8364d0b44de2ea6e4bcccd70281e = ""%Temp%\server.exe" .."
    so that %Temp%\server.exe runs every time Windows starts
    [HKEY_CURRENT_USER\Environment]
    SEE_MASK_NOZONECHECKS = "1"
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    5PmM1jWi05 = "%AppData%\y183imD2\java.exe.lnk"
    babe8364d0b44de2ea6e4bcccd70281e = ""%Temp%\server.exe" .."
    so that %Temp%\server.exe runs every time Windows starts
    Other details
    To mark the presence in the system, the following Mutex object was created:
    babe8364d0b44de2ea6e4bcccd70281e "
    * https://www.virustotal.com/en-gb/fil...is/1391640427/

    Last edited by AplusWebMaster; 2014-02-07 at 02:43.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  6. #376
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Thumbs down Something evil on 69.64.39.166

    FYI...

    Something evil on 69.64.39.166
    - http://blog.dynamoo.com/2014/02/some...696439166.html
    7 Feb 2014 - "69.64.39.166 (Hosting Solutions International, US) appears to be hosting an exploit kit (possibly Fiesta*) according to URLquery reports such as this one**. The code is being -injected- into target websites, possibly through a malvertising campaign. I would recommend blocking the IP address as the simplest option, although I can identify the following domains on that same IP, all of which are likely to be malicious..."
    (Long list of URLs at the dynamoo URL above.)
    * http://blog.0x3a.com/post/6237551326...g-msie-exploit

    ** http://urlquery.net/report.php?id=9258190

    - https://www.virustotal.com/en/ip-add...6/information/
    ___

    Fake rbs .co .uk "Important Docs" SPAM
    - http://blog.dynamoo.com/2014/02/rbsc...docs-spam.html
    7 Feb 2014 - "This -fake- spam claiming to be from the Royal Bank of Scotland has a malicious attachment:
    Date: Fri, 7 Feb 2014 15:44:19 +0530 [05:14:19 EST]
    From: Doris Clay [Doris@ rbs .co .uk]
    Subject: Important Docs
    Account report.
    Tel: 01322 589422
    Fax: 01322 296116
    email: Doris@rbs .co .uk
    This information is classified as Confidential unless otherwise stated.
    CONFIDENTIAL NOTICE: The contents of this message, including any attachments, are
    confidential and are intended solely for the use of the person or entity to whom the
    message was addressed. If you are not the intended recipient of this message, please be
    advised that any dissemination, distribution, or use of the contents of this message is
    strictly prohibited. If you received this message in error, please notify the sender.
    Please also permanently delete all copies of the original message and any attached
    documentation. Thank you.


    Attached is a file AccountReport.zip which in turn contains a malicious executable AccountReport.scr which has a VirusTotal detection rate of 4/50*. Automated analysis tools... show a download of an encrypted file from the following locations:
    [donotclick]professionalonlineediting .com/theme/cc/images/07UKex.enc
    [donotclick]mararu .ro/Media/07UKex.enc
    Both those sites are hosted by Mochanin Corp in the US, indicating perhaps a wider problem with that host.
    Recommended blocklist:
    204.93.165.33
    50.31.147.54
    professionalonlineediting .com
    mararu .ro
    "
    * https://www.virustotal.com/en-gb/fil...is/1391768230/

    - http://threattrack.tumblr.com/post/7.../rbs-bank-spam
    Feb 7, 2014 - "Subjects Seen:
    Important Docs
    Typical e-mail details:
    Account report.
    Tel: 01322 052736
    Fax: 01322 513203
    email: Trenton@ rbs .co .uk
    This information is classified as Confidential unless otherwise stated.


    Malicious File Name and MD5:
    AccountReport.zip (0D143292B014E22DEE91930C488CBCE0)
    AccountReport.scr (61DF278485C8012E5B2D86F825E12D0D)


    Screenshot: https://gs1.wac.edgecastcdn.net/8019...k421r6pupn.png

    Tagged: RBS, Upatre
    ___

    Fake Authorization SPAM
    - http://blog.dynamoo.com/2014/02/auth...ely-owned.html
    7 Feb 2014 - "We've seen this particular type of malware-laden spam before..
    Date: Fri, 7 Feb 2014 17:08:16 +0700 [05:08:16 EST]
    From: Callie Figueroa [Callie@ victimdomain]
    Subject: Annual Form - Authorization to Use Privately Owned Vehicle on State Business
    All employees need to have on file this form STD 261 (attached). The original is
    retained by supervisor and copy goes to Accounting. Accounting need this form to approve mileage reimbursement.
    The form can be used for multiple years, however it needs to re-signed annually by
    employee and supervisor.
    Please confirm all employees that may travel using their private car on state business
    (including training) has a current STD 261 on file. Not having a current copy of this
    form on file in Accounting may delay a travel reimbursement claim.


    The email appears to originate from within the victim's own domain but doesn't. Attached is an archive file Form_STD261.zip which in turn contains a malicious executable Form_STD261.scr which has a VirusTotal detection rate of just 3/51*. Anubis reports** an attempted connection to faneema .com on 198.38.82.223 (Mochahost, US). I recommend blocking both the domain and IP address in this case.
    * https://www.virustotal.com/en-gb/fil...is/1391770188/

    ** http://anubis.iseclab.org/?action=re...2b&format=html

    Last edited by AplusWebMaster; 2014-02-10 at 04:19.

  7. #377
    AplusWebMaster (Adviser Team)

    Evil .pw domains on 31.41.221.131 to 31.41.221.135

    FYI...

    Evil .pw domains on 31.41.221.131 to 31.41.221.135
    - http://blog.dynamoo.com/2014/02/some...221131-to.html
    10 Feb 2014 - "Thanks to Malekal for the heads up*, the current batch of evil .pw domains that have been distributing malware appear to have shifted to the following IP addresses:
    31.41.221.131
    31.41.221.132
    31.41.221.133
    31.41.221.134
    31.41.221.135

    These IP addresses belong to Besthosting in Ukraine. A typical payload of one of these malicious sites looks like this URLquery report**.
    The evil .pw domains in use all use a subdomain of one of the following:
    (Long list at the dynamoo URL above)
    I would recommend blocking those domains and the above-listed IPs (or alternatively 31.41.221.128/29 or 31.41.221.128/25). A full list of all the subdomains I can find is here [pastebin]***"
    * https://twitter.com/malekal_morte/st...04655374938112

    ** http://urlquery.net/report.php?id=9308286

    *** http://pastebin.com/xSHmpKQR
    ___

    81.4.106.132 / oochooch .com / 10qnbkh .xip .io
    - http://blog.dynamoo.com/2014/02/8141...nbkhxipio.html
    10 Feb 2014 - "... don't like the look of this [urlquery*], seems to be the payload site for some sort of injection attack. Might be worth blocklisting 81.4.106.132 **...
    > https://lh3.ggpht.com/-_KGxwVddVxI/U...0/oochooch.png "

    * http://urlquery.net/search.php?q=81....4-02-10&max=50

    ** https://www.virustotal.com/en/ip-add...2/information/
    ___

    Malicious Android apps hit 10 million ...
    - http://www.theinquirer.net/inquirer/...0-million-mark
    Feb 10, 2014 - "THE ANDROID OPERATING SYSTEM (OS) has over 10 million malicious apps, security firm Kaspersky has warned in its latest report. In the Kaspersky Security Bulletin 2013, researchers said that by late January 2014 they had found 200,000 unique samples of mobile malware at the Google Play store and other sources, which get re-used and re-packaged to look like different apps... (cybercriminals used 10,604,273 unique hosts)... Kaspersky said in its report*... in most cases, malware targets the user's financial information**..."
    * https://www.securelist.com/en/analys...cs_for_2013#09

    ** https://www.securelist.com/en/analys...cs_for_2013#02

    Corporate Threats: Target organizations
    - https://www.securelist.com/en/analys...ate_threats#01

    Last edited by AplusWebMaster; 2014-02-10 at 20:59.

  8. #378
    AplusWebMaster (Adviser Team)

    TrendMicro 2013 report ...

    FYI...

    TrendMicro 2013 report
    - http://blog.trendmicro.com/trendlabs...urity-roundup/
    Feb 11, 2014 - "... We saw almost a -million- new banking malware variants, which was double what we saw in 2012. Much of this growth occurred in the latter half of the year:
    Volume of new banking malware
    > http://blog.trendmicro.com/trendlabs...13roundup1.jpg
    Two countries – the United States and Brazil – accounted for half of all banking malware victims:
    Countries most affected by banking malware
    > http://blog.trendmicro.com/trendlabs...13roundup2.jpg
    ... CryptoLocker became as serious a problem for end users as fake antivirus malware had in previous years. The fall of the Blackhole Exploit Kit in 2013 due to the arrest of its creator... was a significant event that appreciably changed the threat landscape. It significantly cut the use of malicious links in spam messages by attackers... other exploit kits have emerged into the threat landscape since then...
    Types of mobile malware threats
    > http://blog.trendmicro.com/trendlabs...13roundup4.jpg
    ... Attacks delivered via social media (combined with social engineering) have now become the norm, with newer social networks like Instagram, Pinterest, and Tumblr suffering from their own scams as well. Indeed, attacks on -all- social media platforms have become so common, it may almost be considered “business as usual”..."
    ___

    NatWest Bank Credit Card Spam
    - http://threattrack.tumblr.com/post/7...edit-card-spam
    Feb 11, 2014 - "Subjects Seen:
    Cards OnLine E-Statement E-Mail Notification
    Typical e-mail details:
    Dear Customer
    Your February 11, 2014 E-Statement for account number xxxxxxxxxxxx9496 from Cards OnLine is now available.
    For more information please check attached copy
    Thank you
    Cards OnLine


    Malicious File Name and MD5:
    E-Statement.zip (3B17E8E5BADF9ADB41974C2DDED1464E)
    E-Statement.exe (20E7520948EE772E192127374569B219)


    Screenshot: https://gs1.wac.edgecastcdn.net/8019...yrt1r6pupn.png

    Tagged: NatWest, Upatre
    ___

    'Incoming Fax Report' - Malware Email
    - http://www.hoax-slayer.com/incoming-...re-email.shtml
    Feb 11, 2014 - "Email purporting to be a notification about an incoming payroll related fax claims that users can click a link to read the file online... The link in the email opens a compromised website that harbours malware. If downloaded and installed, this malware may steal information from the infected computer, make connections with remote servers operated by criminals and download further malware components. If you receive one of these fake fax emails do not click any links or open any attachments that it contains.
    Example:
    *********************************************************
    INCOMING FAX REPORT
    *********************************************************
    Date/Time: 10/02/2014 05:13:13 EST
    Speed: 25903 bps
    Connection time: 04:08
    Pages: 7
    Resolution: Normal
    Remote ID: 8102702342
    Line number: 4
    DTMF/DID:
    Description: Payroll
    Click here to view the file online
    *********************************************************


    ... Those who go ahead and click the link in the hope of viewing the supposed fax file will be taken to a website that displays a 'please wait' message. The compromised site may attempt to load malicious scripts, which then redirect to a malware page. The exact configuration and payload of the malware sites may vary. Typically, however, malware downloaded from such sites may perform one or more nefarious tasks. It may harvest information from the infected computer and send it to cybercriminals. It may allow criminals to control the computer remotely and join it to a botnet. It may download and install even more malware that can perform various other functions... The criminals bank on the fact that at least a few customers of such services may click on the link without due caution. And, even people that have never used such a service may be panicked into clicking the link in the mistaken belief that their bank account has been compromised or payments have been made in their names..."

    Last edited by AplusWebMaster; 2014-02-12 at 05:34.

  9. #379
    AplusWebMaster (Adviser Team)

    Fake FedEx SPAM, Phony SSL certificates ...

    FYI...

    Fake FedEx SPAM
    - http://blog.dynamoo.com/2014/02/trac...edex-spam.html
    12 Feb 2014 - "This -fake- FedEx spam leads to malware:
    Date: Wed, 12 Feb 2014 07:53:36 -0700 [09:53:36 EST]
    From: FedEx [yama@ rickyz .jp]
    Subject: Track shipments/FedEx 7487214609167750150131 results: Delivered
    Track shipments/FedEx Office orders summary results:
    Tracking number Status Date/Time
    7487214609167750150131 Delivered Feb 11, 2014 11:20 AM
    Track shipments/FedEx Office orders detailed results:
    Tracking number 7487214609167750150131
    Reference 304562545939440100902500000000
    Ship date Feb 03, 2014
    Ship From NEW YORK, NY
    Delivery date Feb 11, 2014 11:20 AM
    Service type FedEx SmartPost
    Tracking results as of Feb 11, 2014 3:37 PM CST
    Click Here and get Travel History ...


    Screenshot: https://lh3.ggpht.com/-HHSPTBU0P1s/U...600/fedex2.png

    In this case, the link in the email goes to [donotclick]pceninternet .net/tracking.php?id_7487214609167750150131 which downloads an archive file track_shipments_FedEx.zip. In turn, this ZIP file contains the malicious executable with the lovely name of Track_shipments_FedEx_Office_orders_summary_results_Delivered_tracking_number_9384758293431234834312_idju2f83f9hjv78fh7899382r7f9sdh8wf.doc.exe which has an icon that makes it look like a Word document. This has a VirusTotal detection rate of 15/49*, but automated analysis tools are inconclusive as to its payload..."
    * https://www.virustotal.com/en-gb/fil...is/1392219267/
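    Several of the posts above come down to the same mail-gateway question: does the archive contain something Windows will run? January.scr, AccountReport.scr, Form_STD261.scr and E-Statement.exe are executables inside a ZIP; the FedEx sample adds a .doc.exe double extension behind a Word icon; the Wire.Transfer.rar case ships an executable with no extension at all. The Go program below is an added example, not code from this thread or from the blogs it quotes. It builds a constructed ZIP in memory whose member names are modelled on those posts (the FedEx name shortened, dummy bytes standing in for the malware), then triages each member three ways: executable extension, document extension hiding an executable one, and an "MZ" PE header on a member with no extension. TriageZip, triageName and sampleZip are my names; the extension lists are a starting point, not a complete policy.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"io"
	"path"
	"strings"
)

// Extensions Windows runs on double-click; .scr recurs in the posts above.
var execExt = map[string]bool{".exe": true, ".scr": true, ".com": true, ".pif": true,
	".bat": true, ".cmd": true, ".lnk": true, ".js": true, ".vbs": true}

// Document extensions attackers put in front of the real one ("...doc.exe").
var docExt = map[string]bool{".doc": true, ".docx": true, ".pdf": true, ".xls": true, ".txt": true}

type Finding struct{ Member, Reason string }

// triageName judges an archive member by its name alone.
func triageName(name string) (string, bool) {
	base := path.Base(name)
	ext := strings.ToLower(path.Ext(base))
	if !execExt[ext] {
		return "", false
	}
	inner := strings.ToLower(path.Ext(strings.TrimSuffix(base, ext)))
	if docExt[inner] {
		return "document extension hides executable (" + inner + ext + ")", true
	}
	return "executable member (" + ext + ")", true
}

// TriageZip reads a ZIP held in memory and returns one finding per suspicious
// member. Extension-less members are sniffed for the "MZ" PE header (the Wire-Report trick).
func TriageZip(data []byte) ([]Finding, error) {
	zr, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil {
		return nil, err
	}
	var out []Finding
	for _, f := range zr.File {
		if reason, bad := triageName(f.Name); bad {
			out = append(out, Finding{f.Name, reason})
			continue
		}
		if path.Ext(f.Name) != "" || f.FileInfo().IsDir() {
			continue
		}
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		head := make([]byte, 2)
		n, _ := io.ReadFull(rc, head)
		rc.Close()
		if n == 2 && string(head) == "MZ" {
			out = append(out, Finding{f.Name, "no extension but PE (MZ) header"})
		}
	}
	return out, nil
}

// sampleZip builds a constructed archive whose member names follow the posts
// above (the FedEx name shortened); the contents are dummy bytes, not malware.
func sampleZip() []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for _, m := range []struct{ name, body string }{
		{"AccountReport.scr", "MZ dummy"},
		{"Track_shipments_FedEx_Office_orders_summary_results_Delivered.doc.exe", "MZ dummy"},
		{"Wire-Report", "MZ dummy"},
		{"README.txt", "plain text"},
		{"invoice.pdf", "%PDF-1.4 dummy"},
	} {
		w, err := zw.Create(m.name)
		if err != nil {
			panic(err)
		}
		if _, err := w.Write([]byte(m.body)); err != nil {
			panic(err)
		}
	}
	if err := zw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func main() {
	findings, err := TriageZip(sampleZip())
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-72s %s\n", f.Member, f.Reason)
	}
}
```

    Note that the Wire-Report member is caught only by the header sniff: by name it looks harmless, which is exactly why the sender left the extension off. A gateway that judges attachments by extension alone lets that one through.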
    ___

    Malware (Neutrino EK?) sites to block
    - http://blog.dynamoo.com/2014/02/malw...ock-12214.html
    12 Feb 2014 - "The following IPs and domains appear to be in use for spreading exploit kits via injection attacks - 108.178.7.118 (Singlehop, US) [1] [2] and 212.83.164.87 (Online SAS, France) [3] [4]. The payload isn't clear, but some of the URLquery reports indicate Neutrino*. In the case I saw, the victim was directed to the EK from a compromised site at greetingstext .com. I cannot reproduce the problem with URLquery or any other tool, but log files do not lie. I would recommend that you block these following IPs and domains as a precaution:
    108.178.7.118
    212.83.164.87
    jakiewebs .com
    sheethoo .com
    chaefooh .com
    goldnclouds .com
    nofledno .com
    zeuriele .com
    wqywdo .xip .io
    glindeb.com
    "
    1) https://www.virustotal.com/en-gb/ip-...8/information/

    2) http://urlquery.net/search.php?q=108...4-02-12&max=50

    3) https://www.virustotal.com/en-gb/ip-...7/information/

    4) http://urlquery.net/search.php?q=212...4-02-12&max=50

    * http://urlquery.net/report.php?id=9410080
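    The blocklists in this thread come in three shapes: single IPs (the RBS and STD 261 posts, the oochooch .com post, the list just above), a range (the .pw post offers 31.41.221.128/29 or /25 for the five addresses 31.41.221.131 to .135) and domains whose subdomains are the actual hosts. The Go program below is an added example, not code from the thread or from dynamoo; it loads those indicators into one structure (dots restored from the "mararu .ro" spacing the posts use), matches domains on a label boundary so that a lookalike such as notmararu.ro is not a false hit, and runs a few constructed proxy log lines through it. The log format, the ScanLog and buildBlocklist names, and the sample lines are my own. One line in the sample hits 31.41.221.140, which sits outside the /29 (that range ends at .135) but inside the /25 alternative the post mentions; the output shows it as a miss, which is the trade-off between the two ranges.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// Blocklist holds IPs (as /32 prefixes), CIDR ranges and domains; a domain entry also covers its subdomains.
type Blocklist struct {
	prefixes []netip.Prefix
	domains  []string
}

// Add takes an IP literal, a CIDR range or a domain name. Malformed IP or CIDR
// text is reported rather than swallowed so a typo cannot leave a hole.
func (b *Blocklist) Add(s string) error {
	s = strings.ToLower(strings.TrimSuffix(s, "."))
	if a, err := netip.ParseAddr(s); err == nil {
		b.prefixes = append(b.prefixes, netip.PrefixFrom(a, a.BitLen()))
		return nil
	}
	if strings.Contains(s, "/") || strings.Trim(s, "0123456789.") == "" {
		p, err := netip.ParsePrefix(s) // a typo such as 69.64.39.1666 lands here and fails
		if err == nil {
			b.prefixes = append(b.prefixes, p.Masked())
		}
		return err
	}
	b.domains = append(b.domains, s)
	return nil
}

// MatchHost classifies one destination (hostname or IP literal) and names the
// indicator that matched.
func (b *Blocklist) MatchHost(dest string) (bool, string) {
	host := strings.ToLower(strings.TrimSuffix(dest, "."))
	if a, err := netip.ParseAddr(host); err == nil {
		for _, p := range b.prefixes {
			if p.Contains(a) {
				return true, "cidr " + p.String()
			}
		}
		return false, ""
	}
	for _, d := range b.domains {
		// Suffix match on a label boundary, so notmararu.ro is not a hit.
		if host == d || strings.HasSuffix(host, "."+d) {
			return true, "domain " + d
		}
	}
	return false, ""
}

// ScanLog runs "time client dest method" lines (a constructed format) through the list.
func ScanLog(b *Blocklist, lines []string) []string {
	var hits []string
	for _, line := range lines {
		if f := strings.Fields(line); len(f) >= 3 {
			if ok, why := b.MatchHost(f[2]); ok {
				hits = append(hits, line+"  <- "+why)
			}
		}
	}
	return hits
}

// buildBlocklist loads the indicators from the posts above, with the dots the
// posts space out ("mararu .ro") restored so the strings compare correctly.
func buildBlocklist() *Blocklist {
	b := &Blocklist{}
	for _, s := range []string{
		"69.64.39.166", "204.93.165.33", "50.31.147.54", "198.38.82.223",
		"81.4.106.132", "108.178.7.118", "212.83.164.87",
		"31.41.221.128/29", // the post's tight range for 31.41.221.131-.135
		"professionalonlineediting.com", "mararu.ro", "faneema.com", "jakiewebs.com",
		"sheethoo.com", "chaefooh.com", "goldnclouds.com", "nofledno.com",
		"zeuriele.com", "wqywdo.xip.io", "glindeb.com",
	} {
		if err := b.Add(s); err != nil {
			panic(err)
		}
	}
	return b
}

// Constructed sample proxy log lines, not real traffic.
var sampleLog = []string{
	"2014-02-12T10:01:02Z 10.0.0.7 www.example.com CONNECT",
	"2014-02-12T10:01:09Z 10.0.0.7 31.41.221.133 GET",
	"2014-02-12T10:02:15Z 10.0.0.9 cdn.jakiewebs.com GET",
	"2014-02-12T10:03:40Z 10.0.0.4 31.41.221.140 GET",
}

func main() {
	for _, h := range ScanLog(buildBlocklist(), sampleLog) {
		fmt.Println(h)
	}
}
```

    Two of the four sample lines match (the .133 address via the /29, cdn.jakiewebs.com via its parent domain); the .140 address and www.example.com do not. Swap the /29 for the /25 in buildBlocklist and the .140 line becomes a hit as well.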
    ___

    In the wild: Phony SSL certificates impersonating Google, Facebook, and iTunes
    - http://arstechnica.com/security/2014...ok-and-itunes/
    Feb 12, 2014 - "Researchers have found dozens of fake certificates impersonating the secure sections of online banks, e-commerce sites, and social networks. Google, Facebook, iTunes, and even a POP e-mail server belonging to GoDaddy are a small sample of the services affected by the fraudulent credentials, which in some cases can allow attackers to read and modify encrypted traffic passing between end users and protected servers.
    > http://cdn.arstechnica.net/wp-conten.../facebook1.png
    The secure sockets layer (SSL) certificates don't pose much of a threat to people using a popular Web browser to visit spoofed websites, because the credentials aren't digitally signed by a trusted certificate authority, researchers from Netcraft wrote in a blog post published Wednesday*. They went on to say that people accessing sensitive websites with smartphone apps or other non-browser software may -not- be so lucky... Many of the fake SSL certificates discovered by Netcraft were created with malicious intentions. A wildcard certificate for *.google.com suggests an attempt to spoof a variety of Google services. The fake certificate was served by a machine in Romania hosting other sites with .ro and .com domains. The phony credential claims to have been issued by America Online Root Certification Authority 42. The name closely mimics a legitimate trusted root certificate that is installed in all browsers, although it's not enough to trick them. Other fraudulent credentials masqueraded as certificates for Facebook, iTunes, and a payment service and bank located in Russia. Yet another bogus certificate covered pop.where.secureserver.net, a server address belonging to GoDaddy's POP e-mail service... given the large number of e-mail clients, smartphone apps, and other non-browser programs available, it's not a stretch to think the certificates discovered by Netcraft are fooling some people right now. You should carefully consider the source of any app that connects to an SSL-protected server before installing it, and you should -never- click through pop-up windows that warn of self-signed certificates."
    * http://news.netcraft.com/archives/20...-internet.html

    - http://www.theregister.co.uk/2014/02...sl_cert_peril/
    14 Feb 2014
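    The Netcraft finding above turns on one distinction: the fake *.google.com certificate carries the right name, so any client that only compares the name to the host is satisfied, while a client that builds a chain to a trusted root rejects it, because "America Online Root Certification Authority 42" is not in any trust store. The Go program below is an added example, not from the article or from Netcraft; it uses Go's crypto/x509 to construct an untrusted root with that name, issue a *.google.com certificate from it, and run both kinds of check against it and against a certificate from a constructed trusted root. The names "Example Trusted Root (constructed)" and www.example.com, and the functions newCA, newLeaf, NameOnlyCheck and Verdict, are my own; the keys and certificates are generated in memory each run.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newCA makes a self-signed root; its name alone confers no trust, only membership in the root pool does.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	return sign(tmpl, tmpl, &key.PublicKey, key), key
}

// newLeaf issues a server certificate for one DNS name (wildcards allowed) from the given CA.
func newLeaf(dns string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: dns},
		DNSNames:     []string{dns},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return sign(tmpl, ca, &key.PublicKey, caKey)
}

func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, priv *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

func trustStore(roots ...*x509.Certificate) *x509.CertPool {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	return pool
}

// NameOnlyCheck is the mistake the article warns about in non-browser
// clients: it asks only whether the certificate's names cover the host.
func NameOnlyCheck(leaf *x509.Certificate, host string) bool {
	return leaf.VerifyHostname(host) == nil
}

// Verdict is what a correct client does: build a chain to a trusted root and
// match the host name, reporting which of the two failed.
func Verdict(leaf *x509.Certificate, host string, roots *x509.CertPool) string {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	var unknown x509.UnknownAuthorityError
	var hostname x509.HostnameError
	switch {
	case err == nil:
		return "trusted"
	case errors.As(err, &unknown):
		return "untrusted issuer: " + leaf.Issuer.CommonName
	case errors.As(err, &hostname):
		return "name mismatch"
	default:
		return "invalid: " + err.Error()
	}
}

func main() {
	fakeRoot, fakeKey := newCA("America Online Root Certification Authority 42")
	fake := newLeaf("*.google.com", fakeRoot, fakeKey)
	realRoot, _ := newCA("Example Trusted Root (constructed)")
	fmt.Println(NameOnlyCheck(fake, "www.google.com"), Verdict(fake, "www.google.com", trustStore(realRoot)))
}
```

    The name-only check answers true for the fake certificate; the verifying check answers "untrusted issuer: America Online Root Certification Authority 42". A certificate issued by the trusted root verifies for its own name and is refused for www.google.com with "name mismatch", so both halves of the check are doing work. Any app that disables either half behaves like the name-only client.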

    Last edited by AplusWebMaster; 2014-02-14 at 16:04.

  10. #380
    AplusWebMaster (Adviser Team)

    Fake MS Email acct Phish ...

    FYI...

    Fake MS 'Reactivate Your Email Account' Phish
    - http://www.hoax-slayer.com/microsoft...ing-scam.shtml
    Feb 13, 2014 - "Email purporting to be from Microsoft claims that recipients must click a link to complete a 'one time automatic verification' in order to avoid having their email account suspended. The email is not from Microsoft. It is a crude phishing scam designed to trick recipients into giving their email address and password to online criminals. The criminals will use the stolen data to hijack the compromised email accounts and use them to send further spam and scam messages in the names of their victims. Example:
    Subject: REACTIVATE YOUR EMAIL ACCOUNT!!!
    Attention;
    In compliance with the email upgrade instructions from
    Microsoft Corporation and WWW email domain host, all unverified email accounts would be suspended for verification.
    To avoid suspension of your email account and also to retain all email Contents, please perform one time automatic verification by completing the online verification form.
    Please CLICK HERE
    for the online verification form.
    As a confirmation of complete and successful verification, you shall be automatically be redirected to your email web page.
    Please move this message to your inbox, if found in bulk folder. Please do this for all your email accounts.
    Thank you.
    WWW. mail Support Team.
    © 2014 Microsoft Corporation.


    Screenshot: http://www.hoax-slayer.com/images/mi...cam-2014-1.jpg

    According to this email, which purports to be from Microsoft, the recipient must complete a verification of his or her email account by clicking a link in the message. The message warns that all unverified email accounts will face suspension and the loss of all 'email contents' in the accounts... the email is -not- from Microsoft. It is a phishing scam designed to trick recipients into giving their email address and password to Internet criminals. Clicking the link in the fake email takes users to an equally fake site that asks for their email address, email password and date of birth. After supplying this information, users are automatically redirected away from the scam website. Meanwhile, the scammers can use the data that they have stolen to access the compromised email accounts and use them to launch further spam and scam campaigns. Since the scam emails are sent via the hijacked accounts of victims, the emails cannot be traced back to the criminals responsible... No legitimate email provider is likely to send an unsolicited email asking customers to provide their email password by clicking a link, opening an attachment or replying. Be very wary of any email that makes such a request."

