SPAM frauds, fakes, and other MALWARE deliveries...

[AplusWebMaster]

FYI...

DoubleClick malvertising campaign exposes... malvertising infrastructure
- http://www.webroot.com/blog/2014/02/...nfrastructure/
Feb 14, 2014 - "... we became aware of a possible evasive/beneath the radar malvertising based g01pack exploit kit attack, taking place through the DoubleClick ad network using an advertisement featured at About .com. Investigating further, we were able to identify the actual domains/IPs involved in the campaign, and perhaps most interestingly, managed to establish a rather interesting connection between the name servers of one of the domains involved in the attacks, and what appears to be a fully operational and running Ukrainian-based ad platform, Epom in this particular case...
Malvertising domains/URLs/IPs involved in the campaign:
adservinghost1 .com – 212.124.112.232; 212.124.112.226 (known to have responded to the same IP is also cpmservice1 .com); 212.124.112.229; 74.50.103.41; 68.233.228.236
ad.onlineadserv .com – 37.59.15.44; 37.59.15.211, hxxp ://188.138.90.222 /ad.php?id=31984&cuid=55093&vf=240
IP reconnaissance:
188.138.90.222 – The following domains are also known to have responded to the same IP: rimwaserver .com; notslead .com; adwenia .com – Email: philip.woronoff@ yandex .ru (also known to have responded to 188.138.74.38 in the past; as well as digenmedia .com)
Based on BrightCloud’s database, not only is adservinghost1 .com already flagged as malicious, but also, we’re aware that MD5: dc35b211b5eb5bd8af02c412e411d40e (Rogue:Win32/Winwebsec)* is known to have phoned back to the same IP as the actual domain, hxxp ://212.124.112.232 /cb_soft.php?q=dcee08c46ea4d86769a92ab67ff5aafa in particular...
> https://www.webroot.com/blog/wp-cont...lvertising.png
Here comes the interesting part. Apparently, the name servers of adservinghost1 .com are currently responding to the same IPs as the name servers of the Epom ad platform.
NS1.ADSERVINGHOST1 .COM – 212.124.126.2
NS2.ADSERVINGHOST1 .COM – 74.50.103.38
... domains are also responding to the same IP as the Epom .com domain at 198.178.124.5 ..."
(More detail at the webroot URL above.)
* https://www.virustotal.com/en/file/7...7bbb/analysis/
___

Malware sites to block 14/2/14
- http://blog.dynamoo.com/2014/02/malw...ock-14214.html
14 Feb 2014 - "This bunch of OVH Canada hosted nameserver and IP ranges are supporting malware distribution via the Nuclear Exploit Kit (as described here* by Umbrella Labs). OVH Canada have a long history with this bad actor (who I believe to be r5x .org), and these /29 and /30 blocks spread throughout OVH's range make it more difficult to block the IPs. Are OVH providing snowshoe malware distribution services? It does look like it. Perhaps OVH can prove me wrong by banishing this bad customer once and for all. First of all, we have a set of nameservers being used to support mostly .pw domains hosting the Nuclear EK. The nameservers I can see that are active... (Long list at the dynamoo URL above)
Those nameservers are hosted in the following ranges, exclusively supplied by OVH Canada. If you are in a security-sensitive environment then I would recommend using larger blocks.
142.4.194.0/29
192.95.6.24/29
192.95.10.16/29
192.95.46.56/30
192.95.46.60/30
192.95.47.232/30
192.95.47.236/30
198.50.164.240/30
198.50.172.64/30
198.50.172.68/30
198.50.172.72/30
198.50.172.76/30
198.50.197.28/30
198.50.197.48/30
198.50.197.52/30
198.50.197.56/30
198.50.197.60/30
198.50.204.240/30
198.50.204.244/30
198.50.212.172/30
198.50.219.240/30
198.50.219.248/30
198.50.224.240/30
198.50.235.196/30
198.50.242.120/30
198.50.246.240/30
198.50.247.248/30
198.50.247.252/30
198.50.251.168/30
198.50.251.172/30
I can see the following domains being actively supported by these nameservers, all of which should be considered hostile..." (Long list at the dynamoo URL above)

* http://labs.umbrella.com/2014/02/14/...ps-go-nuclear/
Feb 14, 2014
___

Fake Flash install via Silverlight
- http://community.websense.com/blogs/...lverlight.aspx
Feb 14, 2014 - "... discovered attempts to infect users using the commonly distributed plug-in, Silverlight. Silverlight allows development of web and mobile applications that consist of streaming media, multimedia, graphics, and animation. It has been used for video streaming of events such as the 2008 Summer Olympics in Beijing, the 2010 Winter Olympics in Vancouver, and the 2008 conventions of both major United States political parties. Streaming services such as Netflix use Silverlight for Digital Rights Management (DRM). By leveraging two Silverlight plug-in vulnerabilities, CVE-2013-3896 and CVE-2013-0074, attackers have been able to infect victims via dropper files and subsequently through calls home to the command and control (C&C) server... the plug-in is a Base64 encoded Visual Basic Script (VBS). Silverlight generates the VBS file and places it in the directory C:\Users\<user name>\AppData\Local\Temp\Log... The downloaded binary is encrypted with the XOR key “m3S4V”. Using the ADODB.Stream ability to read and write text and binary files, a file named 4bb213.exe is created and run... At the time of initial investigation, fewer than 10% of AV vendors* had detection for the malicious files. The dropper files involved in this campaign are currently being identified as a Trojan threat by AV vendors. Based on call back activity, infected machines may be updated with additional dropper files by the C&C server when communication is established. The C&C server hosting the dropper file was registered via a domain privacy provider, while the resolving IP address is owned by the hosting provider 3NT Solutions. Communication attempts to the C&C server have been observed from the following countries:
> http://community.websense.com/cfs-fi...07.blog007.png
While Silverlight is not commonly used for business purposes, its use for web applications and streaming gives it a strong presence on devices owned by everyday users. With many companies embracing BOYD policies, applications such as Silverlight provide malicious actors with another potential cyber-attack vector..."
* https://www.virustotal.com/en/file/e...ff77/analysis/

Silverlight current version: 5.1.20913.0 - http://www.microsoft.com/silverlight/

MS13-087
- http://technet.microsoft.com/en-us/s...letin/ms13-087
Oct 08, 2013 - "... upgrades previous versions of Silverlight to Silverlight version 5.1.20913.0..."

- https://web.nvd.nist.gov/view/vuln/d...=CVE-2013-0074 - 9.3 (HIGH)

- https://web.nvd.nist.gov/view/vuln/d...=CVE-2013-3896 - 4.3

[AplusWebMaster]

FYI...

400Gbps DDoS attacks ...
- http://atlas.arbor.net/briefs/index#411367071
High Severity
13 Feb 2014
NTP reflection/amplification attacks continue to gain momentum. Indicators of attacks up to 400Gbps have been discussed. Mitigations are ongoing, however the situation is still volatile.
Analysis: Despite multiple efforts to notify those running NTP servers that are not yet up to date and allow for a much larger amplification attack, the number of NTP servers that function beautifully as attack amplification sources is still quite high. Stressor services are known to implement NTP amplification attacks (along with SNMP and DNS amplification attacks and likely others) and lists of vulnerable NTP servers are shared on underground forums, leading to many copycat attacks. Several NTP amplification attack scripts have been shared on underground forums and elsewhere which makes this attack within easy reach of anyone who has a system that can originate spoofed traffic...

- https://www.us-cert.gov/ncas/alerts/TA14-013A
Last revised: Feb 05, 2014 - "... all versions of ntpd prior to 4.2.7 are vulnerable... upgrade all versions of ntpd that are publically accessible to at least 4.2.7... where it is not possible to upgrade the version of the service, it is possible to -disable- the monitor functionality in earlier versions of the software. To disable “monlist” functionality on a public-facing NTP server that cannot be updated to 4.2.7, add the “noquery” directive to the “restrict default” line in the system’s ntp.conf, as shown below:
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery "

- https://web.nvd.nist.gov/view/vuln/d...=CVE-2013-5211 - 5.0
Last revised: 01/24/2014 - "... as exploited in the wild in December 2013."

>> http://www.ntp.org/downloads.html
2014/02/10 - 4.2.7p421

NTP attacks continue ...
- http://www.arbornetworks.com/asert/2...st-few-months/
3/10/2014
___

FTP sites compromised to serve malware and scams
- https://net-security.org/malware_news.php?id=2709
Feb 14, 2014 - "Some 7,000 FTP sites and servers have been compromised to serve malware, and its administrators are usually none the wiser... FTP sites function as online file caches and are accessible remotely - usually via Web browsers. Users who have the required login credentials can upload and download files from them, but other users can also retrieve certain files hosted on such a server if given a specific link that leads to the file (and without needing to provide login credentials). It is this latter capacity that makes login credentials to FTP servers a prized haul for cyber scammers, as they upload malware and malicious links to the server, then embed direct links to them in spam emails delivered to potential victims. Access to a FTP server can also be occasionally leveraged by the attackers to compromise connected web services. "The victim companies hosting exploited FTP sites are spread across the spectrum – from small companies and individual accounts with ISPs to major multi-national corporations," noted the researchers*. "Hackers planted PHP scripts armed with backdoors (shells) and viruses in multiple directories hoping that these directories map to web servers of the victim companies to gain control of the web services. They also uploaded HTML files with seamless re-directs to malicious sites"... It is unknown who stole the FTP credentials, and who is using them, but judging by the complexity of some of the passwords, it's natural to assume that they haven't been guessed, but stolen via information-stealing malware. Also, some sites have default or publicized login credentials, so exploitation of them is easy."
* http://www.holdsecurity.com/#!news2013/c13i1
Feb 13, 2014
___

Fake "Account Credited" / TTCOPY.jar SPAM
- http://blog.dynamoo.com/2014/02/acco...yjar-spam.html
16 Feb 2014 - "This spam email comes with a malicious .JAR attachment:
From: Tariq Bashir muimran@ giki .edu .pk
Reply-To: Tariq Bashir [ta.ba@ hot-shot .com]
Date: 15 February 2014 11:03
Subject: Account Credited
Dear Sir,
I am sorry for my late response; our bank has credited 50% of Total amount on invoice to your bank account, the balance will be paid against BOL.
Find attached Bank TT and update us on delivery schedule.
Regards,
Tariq Bashir
Remal Al Emarat Travel & Tourism L.L.C.
Al Muteena Street, Salsabeel Building, 103
P.O. Box 56260, Dubai, UAE
Tel: +971 4 271 54 06
Fax: +971 4 271 50 65
Mobile: +971 50 624 62 05
e-mail: ta.ba@ hot-shot .com

The spam email originates from 121.52.146.226 (mail.giki .edu .pk) and comes with a malicious attachment TTCOPY.jar which is a Java application. This has a VirusTotal detection rate of 12/50* and the Malwr analysis reports** an attempted connection to clintiny.no-ip .biz on 67.215.4.123 (GloboTech, Canada / MaXX Ltd, Germany). Although this is an unusual threat, Java attacks are one of the main ways that an attacker will gain access to your system. I strongly recommend -deinstalling- Java if you have it installed. I can find two highly suspect IP blocks belonging to MaXX Ltd which I recommend blocking, along with the domains specified below:
67.215.4.64/28
67.215.4.120/29
u558801.nvpn .so
jagajaga.no-ip .org
jazibaba.no-ip .org
cyberx2013.no-ip .org
deltonfarmhouse.no-ip .biz
deltoncowstalls.no-ip .org
can2-pool-1194.nvpn .so
jazibaba1.no-ip .biz
ns2.rayaprodserver .com
kl0w.no-ip .org
jajajaja22.no-ip .org
mozillaproxy.zapto .org "
* https://www.virustotal.com/en/file/f...is/1392589951/

** https://malwr.com/analysis/Y2I2MDcxY...E1M2QwNTAyNjI/

- https://www.virustotal.com/en-gb/ip-...3/information/

[AplusWebMaster]

FYI...

Fake Evernote SPAM
- http://blog.dynamoo.com/2014/02/fake...sent-spam.html
17 Feb 2014 - "... the RU:8080 gang appears to have been back for a while, but I haven't had a lot of samples.. here's a new one...
Date: Mon, 17 Feb 2014 16:19:40 -0700 [18:19:40 EST]
From: accounts@ pcfa .co .in
Subject: Image has been sent
Image has been sent.
DSC_990341.jpg 33 Kbytes
Go To Evernote
Copyright 2014 Evernote Corporation. All rights reserved

The links in the email go to:
[donotclick]www.aka-im .org/1.html
[donotclick]bluebuddha .us/1.html
Which in turn loads a script from:
[donotclick]merdekapalace .com/1.txt
[donotclick]www.shivammehta .com/1.txt
That in turn attempts to load a script from [donotclick]opheevipshoopsimemu .ru:8080/dp2w4dvhe2 which is multihomed on the following IPs:
31.222.178.84 (Rackspace, UK)
37.59.36.223 (OVH, France)
54.254.203.163 (Amazon Data Services, Singapore)
78.108.93.186 (Majordomo LLC, Russia)
78.129.184.4 (Iomart Hosting, UK)
140.112.31.129 (TANET, Taiwan)
180.244.28.149 (PT Telkom Indonesia, Indonesia)
202.22.156.178 (Broadband ADSL, New Caledonia)
The URLquery report* on the landing site indicates a possible Angler Exploit Kit, although the code itself is hardened against analysis. There are a number of other hostile sites on those same IPs... I would recommend blocking the following IPs and domains:
31.222.178.84
37.59.36.223
54.254.203.163
78.108.93.186
78.129.184.4
140.112.31.129
180.244.28.149
202.22.156.178
afrikanajirafselefant .biz
bakrymseeculsoxeju .ru
boadoohygoowhoononopee .biz
bydseekampoojopoopuboo .biz
jolygoestobeinvester .ru
noaphoapofoashike .biz
opheevipshoopsimemu .ru
ozimtickugryssytchook .org
telaceeroatsorgoatchel .biz
ypawhygrawhorsemto .ru
aka-im .org
bluebuddha .us
merdekapalace .com
shivammehta .com "
* http://urlquery.net/report.php?id=9484541
___

Fake Evernote emails serve client-side exploits ...
- http://www.webroot.com/blog/2014/02/...side-exploits/
Feb 18, 2014 - "Cybercriminals continue to populate their botnets, with new infected hosts, through the persistent and systematic spamvertising of tens of thousands of fake emails which impersonate popular and well known brands – all in an attempt to socially engineer prospective victims into interacting with the scam. We’ve recently intercepted a currently circulating malicious spam campaign, impersonating Evernote, serving client-side exploits to prospective victims who click on the links found in the -fake- emails...
Sample screenshot of the spamvertised email:
> https://www.webroot.com/blog/wp-cont...amvertised.png
Sample redirection chain: hxxp ://nortonfire .co .uk/1.html (82.165.213.55) -> hxxp ://merdekapalace .com/1.txt – 202.71.103.21 -> hxxp ://www.shivammehta .com/1.txt – 181.224.129.14 -> hxxp ://ypawhygrawhorsemto .ru:8080/z4ql9huka0
Domain name reconnaissance for the fast-fluxed ypawhygrawhorsemto .ru:
37.59.36.223
180.244.28.149
140.112.31.129
31.222.178.84
54.254.203.163
78.108.93.186
202.22.156.178
54.254.203.163
78.108.93.186
140.112.31.129
202.22.156.178
31.222.178.84
37.59.36.223
180.244.28.149
Responding to 78.108.93.186, are also the following malicious domains:
ypawhygrawhorsemto .ru – 78.108.93.186
jolygoestobeinvester .ru – 78.108.93.186
afrikanajirafselefant .biz – 78.108.93.186
bakrymseeculsoxeju .ru – 78.108.93.186
ozimtickugryssytchook .org – 78.108.93.186
bydseekampoojopoopuboo .biz – 78.108.93.186
Name servers used in the campaign:
Name server: ns1.ypawhygrawhorsemto .ru – 173.255.243.199
Name server: ns2.ypawhygrawhorsemto .ru – 119.226.4.149
Name server: ns3.ypawhygrawhorsemto .ru – 192.237.247.65
Name server: ns4.ypawhygrawhorsemto .ru – 204.232.208.115 ...
Detection rate for a sample served client-side exploit:
MD5: c81b2b9fbee87c6962299f066b983a46*
Domain name reconnaissance for the fast-fluxed opheevipshoopsimemu .ru:
31.222.178.84
180.244.28.149
78.108.93.186
140.112.31.129
78.129.184.4
54.254.203.163
202.22.156.178
37.59.36.223
Name servers part of the campaign’s infrastructure:
Name server: ns1.opheevipshoopsimemu .ru. 173.255.243.199
Name server: ns2.opheevipshoopsimemu .ru. 119.226.4.149
Name server: ns3.opheevipshoopsimemu .ru. 192.237.247.65
Name server: ns4.opheevipshoopsimemu .ru. 204.232.208.115 ..."
* https://www.virustotal.com/en/file/c...1e46/analysis/

[AplusWebMaster]

FYI...

Phishing Scam – 'Apple ID Used to Download OS X Mavericks' Email
- http://www.hoax-slayer.com/mavericks...ing-scam.shtml
Feb 19, 2014 - "Email purporting to be from the Apple Security Department warns recipients that their Apple ID was used to download OS X Mavericks and urges them to open an attached file to confirm their accounts if they did not initiate the download. The email is -not- from Apple. It is a phishing scam designed to trick users into giving their Apple account login details and financial information to criminals. The attached file contains a -bogus- HTML form that requests account and credit card details. Example:
Dear Apple Customer,
Your Apple ID, was just used to download OS X Mavericks from the Mac App
Store on a computer or device that had not previously been associated with
that Apple ID.
This download was initiated from Spain.
If you initiated this download, you can disregard this email. It was only
sent to alert you in case you did not initiate the download yourself.
If you did not initiate this download, you have to confirm your account and
validate your informations, so we recommend you to :
1- Download the attached document and open it in a secure browser.
2- Follow the verification process to protect your account.
Your sincerely.
Apple Security Department.
Apple Support

This email, which purports to be from Apple's Security Department, warns recipients that their account was used to download a copy of OSX Mavericks from a computer or device not previously associated with their Apple ID. The message claims that the download was initiated from Spain. It suggests that, if recipients did not initiate the download, they should open an attached file to confirm their account and validate their 'informations'. However, the email is -not- from Apple and the warning about an unauthorized download is designed to trick people into opening the attached file. The attachment contains a HTML form that lodes in the user's browser when opened. The -bogus- form first asks for the user's Apple account login details. It then asks for ID and credit card information, ostensibly so that the user's account can be verified and 'protected'. All the information submitted on the fake from can be harvested by criminals and used to hijack the real Apple accounts belonging to victims. The criminals may also conduct fraudulent credit card transactions and try to steal the identities of victims. The scammers responsible for the email hope that at least a few recipients will be panicked into opening the attachment and supplying the requested information in the mistaken belief that their Apple ID has been compromised. Like other high profile companies, Apple is almost continually targeted in phishing campaigns. Apple will never send you an unsolicited email that asks you to login and verify account details by clicking a link or opening an attached file."

___

'Product Testing UK' Facebook Survey Scam
- http://www.hoax-slayer.com/product-t...vey-scam.shtml
Feb 19, 2014 - "Facebook messages originating from a Facebook Page called 'Product Testing UK' claim that testers are needed for iPhones and other products and invite users to click a link to fill in a 'Product Testing Application Form'... The messages and associated Facebook Page are part of a survey scam. The 'Application Form' link takes users to suspect third party survey websites that ask them to provide personal information to go in the draw for various prizes. Users will never get to test and keep the promised products. Do -not- click any links in these scam messages. Example:
PRODUCT TESTER NEEDED
Get brand new iPhone for Review it! Test it! Rate it & you will keep it!
CLICK HERE TO REGISTER YOURSELF-->[Link Removed]
*PRODUCT IS GIVING ACCORDING TO FIRST COME FIRST GET BASIS AND OFFER FOR ONLY UK.
> http://www.hoax-slayer.com/images/pr...-uk-scam-1.jpg
According to messages currently appearing on Facebook, users can sign up as product testers for iPhones and other tech products by following a link and filling in an application form. The messages come from a Facebook Page called 'Product Testing UK'. The messages claim that users can keep the product they test after the testing process is over. However, the claims in the posts are -lies- and the Page is fraudulent. Those who click the link will not be taken to a 'Product Testing Application Form' as claimed.Instead, they will be redirected to various suspect 'survey' or 'offer' websites that promise the chance to win prizes in exchange for providing personal information. Some of the pages ask users to provide name, address and contact details, supposedly to allow them to go in the draw for a prize. Others will claim that users must provide their mobile phone number - thereby subscribing to absurdly expensive text messaging services - in order to get the results of a survey or go in the running for a prize. Users will be trapped in a confusing tangle of open webpages, all offering supposedly free gifts or services in exchange for participating. Often, trying to exit the pages will call up various pop-ups that try to convince the person to stay on the page rather than navigate away. The people who set up these scams earn a commission via dodgy affiliate marketing schemes whenever one of their victims completes an 'offer' or 'survey'. And, alas, no matter how many surveys or offers users complete, they will never get to fill in the product testing application form. Nor, of course, will they ever get to test and keep one of the promised testing products..."
___

Malicious mobile apps on Google Play up 400 percent
- https://net-security.org/malware_news.php?id=2713
Feb 19, 2014 - "RiskIQ* announced research findings on the presence of malicious apps contained in the Google Play store. The company found that malicious apps have grown 388 percent from 2011 to 2013, while the number of malicious apps removed annually by Google has -dropped- from 60% in 2011 to 23% in 2013. Apps for personalizing Android phones led all categories as most likely to be malicious. The most downloaded -malicious- app in 2013 was Talking Angela..."
* http://www.riskiq.com/company/press-...ked-nearly-400

[AplusWebMaster]

FYI...

Cushion redirect on 62.212.128.22
- http://blog.dynamoo.com/2014/02/susp...221212822.html
20 Feb 2014 - "... there is an apparent cushion redirect running on 62.212.128.22 (XenoSite, Netherlands) using hijacked GoDaddy domains (which is never a good sign). An example can be found with this URLquery report* but in this case it seems to end up at a wallpaper site (picture here**). VirusTotal sees the IP*** as being somewhat suspect. Given that this is abusing subdomains of legitimate GoDaddy domains then on balance I would regard this as being malicious. All the subdomains I can find are listed here**** [pastebin], but they are all covered by this recommended blocklist:
46.231.87.57
310casting .com
analacrobatsfree .com
dovizpiyasa .net
dovmeara .com
dovmebakirkoy .com
dovmeblog .com
dovmeci .co
dovmeciadresleri .com
dovmecibul .com
dovme-resimlerim .com "
* http://urlquery.net/report.php?id=9546681

** http://urlquery.net/screenshot.php?id=9546681

*** https://www.virustotal.com/en-gb/ip-...2/information/

**** http://pastebin.com/4UhwdY3a
___

Exploit Kits in Fake Skype, Evernote Themed Attacks
- http://community.websense.com/blogs/...loit-kits.aspx
Feb 19, 2014 - "... recent campaigns were themed around fake -Skype- voicemail notifications (Feb 19, 2014), and fake -Evernote- image notifications (Feb 7, 17-18, 2014). The emails try to lure the victim to click a link that will redirect through an intermediate site into pages that host the Angler Exploit Kit (later switched to "Goon" Exploit kit). The kits will exploit Java, Flash or Silverlight vulnerabilities and try to load an encrypted executable, to help evade detection...
Fake Skype messages:
> http://community.websense.com/cfs-fi...er_5F00_EK.jpg
Fake Evernote Messages:
> http://community.websense.com/cfs-fi...r_5F00_EK1.jpg
... Checking in Virus Total to provide context about AV coverage for this malware, we can see detection when first seen is 7/50*, and it looks like a Zeus variant...
* https://www.virustotal.com/en/file/9...is/1392844805/
... We have seen evidence and reports of the "ru:8080" gang switching to Angler Exploit Kit as far back as December 2013... The "ru:8080" criminal gang typically pushes trojans such as Cridex, Zeus GameOver, Click-Fraud trojans like ZeroAccess, and we have seen instances in the past of Ransomware such as RansomLock and worms like Andromeda. It looks like after a period of relatively little use of exploit kits, cyber criminals resume use of different exploit kits to deliver malware in email based attacks. However, the switch from one exploit kit to the other indicates several possibilities, one being that continuing to use a single Malware-as-a-Service for a long period is deemed too risky to maintain a profitable operation. Alternatively, the attackers are evaluating multiple exploit kits to determine which works the best, or multiple attackers may be leveraging the same bot-net and redirect structures... we see a relatively heavy bias from the attackers towards targets located in the UK, followed by US and Germany:
> http://community.websense.com/cfs-fi...00_targets.jpg "
___

Zeus banking Trojan - back with another variant, ZeusVM
- http://www.theinquirer.net/inquirer/...variant-zeusvm
Feb 19 2014 - "... Dubbed ZeusVM, the modded version of the infamous Trojan is being distributed in many different ways, but typically through phishing emails or web-based attacks, including "malvertising", whereby people are infected by visiting websites containing malicious ads. "The Zeus/Zbot Trojan is one the most notorious banking Trojans ever created; it's so popular it gave birth to many offshoots and copycats," Malwarebytes* said in a blog post... Malwarebytes senior security researcher Jerome Segura explained that there are various parts to this piece of malware. While the main executable - the bot - will bury itself into your computer and ensure it is reactivated every time you reboot, at regular intervals it also checks with its command and control server for new instructions while monitoring user activity... It can also perform wire transfers while the victim is logged in, Segura said, and even alter the appearance of the current account balance to ensure that it remains unnoticed... Fireeye has said that hackers are dropping standard malware like Zeus in favour of more advanced but harder to use remote access Trojans (RATs) such as Xtreme RAT... Xtreme RAT is a notorious RAT that has been freely available on a number of cyber black markets since June 2010. The RAT is dangerous as it can be used for a variety of purposes, including interacting with the victim machine via a remote shell, uploading and downloading files, interacting with the registry and manipulating running processes and services."
* http://blog.malwarebytes.org/securit...anking-trojan/

[AplusWebMaster]

FYI...

Something evil on 74.50.122.8, 5.61.36.231 and 94.185.85.131
- http://blog.dynamoo.com/2014/02/some...36231-and.html
21 Feb 2014 - "Thanks to @Techhelplistcom for the heads up on this little mystery..
> http://3.bp.blogspot.com/-N6rkvf8I25...chhelplist.png
It all starts with a spam evil (described here*).. The link goes to a URLquery report that seems pretty inconclusive**, mentioning a URL of [donotclick]overcomingthefearofbeingfabulous .com/xjvnsqk/fbktojkxbxp.php [an apparently poorly secured*** server at 74.50.122.8, Total Internet Solutions Pvt. Ltd in India] that just does a redirect to a spammy diet pill site at thefxs .com [94.177.128.10, Linkzone Media Romania] if you have a Windows User Agent set. As Techhelplist says, set the UA to an Android one**** and you get a very different result. In this case you get bounced to a site hosted on 5.61.36.231 (3NT Solutions / Inferno .name)
[donotclick]mobile.downloadadobecentral .ru/FLVupdate.php then to
[donotclick]mobile.downloadadobecentral .ru/FLVupdate2.php from where it attempts to download a file FlashUpdate.apk . 3NT Solutions / inferno .name is a known bad actor[5] and you should block all their IPs on sight, in this case they have a netblock 5.61.32.0/20 which I strongly recommend that you route to the bitbucket. FlashUpdate.apk has a VirusTotal detection rate of 22/47[6], but most Android users are probably not running anti-virus software. The Andrubis analysis[7] of that .apk shows a network connection to 94.185.85.131 (Netrouting Telecom, Sweden) plus (oddly) some pages loaded from ticketmaster .com. It just goes to show that what you think might be harmless spam can actually be something very, very different if you access it on a mobile device.
Recommended blocklist:
5.61.32.0/20
94.177.128.10
74.50.122.8
94.185.85.131
downloadadobecentral .ru
jariaku .ru
350600700200 .ru
overcomingthefearofbeingfabulous .com "

* http://techhelplist.com/index.php/sp...wed-up-one-day

** http://www.urlquery.net/report.php?id=9558246

*** https://www.virustotal.com/en/ip-add...8/information/

**** http://www.useragentstring.com/pages...kit%20Browser/

[5] http://blog.dynamoo.com/search/label/Iran

[6] https://www.virustotal.com/en-gb/fil...is/1392977002/

[7] http://anubis.iseclab.org/?action=re...14&format=html
___

Zeus variant targets Salesforce .com accounts, SaaS applications
- http://atlas.arbor.net/briefs/index#1152292298
Elevated Severity
20 Feb 2014
The Zeus malware - typically used as a banking trojan - was used to copy data from Salesforce .com after infecting a vulnerable home machine.
Analysis: Researchers speculate that pharming - redirecting traffic by manipulating settings such as hosts files on target systems and DNS servers in infrastructure gear - may have been a vector. Considering the home machine was most likely connected via a broadband router, it is possible that the router was exploited however enough information is not yet available to determine this. Initial indicators suggest that Zeus and other contemporary banking trojans in general have not been used to target Salesforce, therefore this maybe a targeted attack, or an opportunistic attack that was leveraged in a more targeted manner once the threat actors understood the value of the compromised asset. It is also possible that access to this particular machine was purchased in the underground once a potentially opportunistic attacker realized they could sell access to other threat actors who have more strategic goals.
Source: http://www.zdnet.com/zeus-variant-ta...ns-7000026557/
___

Fake inTuit TurboTax email - "Issue on Your Refund"
- http://security.intuit.com/alert.php?a=99
2/20/14 - "People are receiving -fake- emails with the title "Issue on Your Refund". Below is a copy of the email people are receiving.
> http://security.intuit.com/images/tt2014phish.jpg
This is the end of the -fake- email.
Steps to Take Now
Do -not- open any attachment or -click- any links in the email...
Delete the email."
.

[AplusWebMaster]

FYI...

Attack code exploits critical bug in majority of Android phones
- http://atlas.arbor.net/briefs/index#610868271
Elevated Severity
Feb 20, 2014
Public exploit code has been released for a 14 month old vulnerability in a large number of Android devices. The exploit code is trivial to use and is freely available in the Metasploit Framework.
Analysis: The slow update cycle for Android devices is a serious security consideration. Combining the risks of the typical BYOD work environment and the popularity of accessing enterprise resources with personal devices, such publicly released exploit code will make it easier for targeted attacks to leverage a compromised Android device in attack campaigns. The video that demonstrates the exploit shows the -malicious- URL being delivered to the device in the form of a QR code - an attack vector previously discussed but rarely observed... Apparently using an alternate browser other than the built-in Android browser (based on WebView) such as Google Chrome will -mitigate- this vulnerability, however many users are likely to be taking advantage of the default configuration which includes a WebView based browser...
Source: http://arstechnica.com/security/2014...ndroid-phones/

[AplusWebMaster]

FYI...

Fake PayPal email - wants card details ...
- http://blog.malwarebytes.org/fraud-s...-card-details/
Feb 24, 2014 - "Be wary of emails bearing gifts – in this case, claiming to reward those who would fill in a so-called Paypal survey to obtain a “£25 reward”. This one is flagged as -spam- in Gmail, but depending on your mail provider it may creep into the Inbox instead of the Spam folder:
> http://cdn.blog.malwarebytes.org/wp-...urveyspam1.jpg
... The zipfile, online_form.zip, contains a .htm page which looks like this:
> http://cdn.blog.malwarebytes.org/wp-...urveyspam2.jpg
Underneath the entirely pointless “survey questions”, the form asks for name, address, city, postcode, birthday, the “£25 bonus code” and full debit card information which all sits above a handy “Submit” button (top tip: -don’t- hit the submit button). While the people sending this mail have presumably tried to panic recipient into replying quickly (that is one seriously tight deadline), they may find this backfires as would-be victims see “23 February 2014” and send it straight to the trash. Take note of the following advice from the PayPal Security Center*:
* https://www.paypal.com/c2/cgi-bin/we...ishing-outside
"To help you better identify fake emails, we follow strict rules. We will -never- ask for the following personal information in email:
Credit and debit card numbers
Bank account numbers
Driver’s license numbers
Email addresses
Passwords
Your full name”
If it sounds too good to be true…"
___

Pony botnet steals bitcoins, digital currencies
- http://blog.spiderlabs.com/2014/02/l...our-coins.html
Feb 24, 2014 - "... discovered yet another instance of a Pony botnet controller. Not only did this Pony botnet steal credentials for approximately 700,000 accounts, it’s also more advanced and collected approximately $220,000 (all values in this post will be in U.S. dollars) worth, at time of writing, of virtual currencies such as BitCoin (BTC), LiteCoin (LTC), FeatherCoin (FTC) and 27 others. According to our data, the cyber gang that was operating this Pony botnet was active between September 2013 and mid-January 2014. In this ~4 month period, the botnet managed to steal over 700,000 credentials, distributed as follows:
~600,000 website login credentials stolen
~100,000 email account credentials stolen
~16,000 FTP account credentials stolen
~900 Secure Shell account credentials stolen
~800 Remote Desktop credentials stolen
... the one thing you need to know is that BitCoins are stored in virtual wallets, which are essentially pairs of private and public keys. Whoever holds the private key to a wallet is the owner of that wallet and no name, ID or history is associated with the wallet. Again, possession of the private key indicates ownership. This holds true for all the other digital currencies that grew from BTC and now live alongside it—the most popular alternative right now being LiteCoin. BTC started out as an underground currency... The value of a BitCoin fluctuates. As of February 24; a BitCoin is valued at approximately $600. Unfortunately, even though some people may have had more money in their virtual wallet than they did in their bank account, very few had the understanding of how to properly secure their wallets... cybercriminals began developing ways to steal BitCoins, each within their own field of expertise. The most obvious choice for an attacker is to go after websites that offer various trading services. Many of these websites store virtual wallets for their users. A number of attacks on trading websites have popped-up over time. One of the most famous attacks on a trading website was the Sheep Marketplace scam** because of the large amount of BTC stolen... the bots interacted directly with the command-and-control server, which provided us with a little more insight into the geographical distribution of the victims:
Stolen passwords geo location destribution
> http://a7.typepad.com/6a0168e94917b4...d793ddf970d-pi
... most popular websites for which credentials were stolen...
Stolen passwords by domains
> http://a5.typepad.com/6a0168e94917b4...16de6e5970c-pi
If you’d like to check your credentials, we’ve created a web tool that will allow you to enter your e-mail address to see whether it was included in the data cache. The tool will only send an e-mail to the address you input... You can find the tool here*..."
* https://www3.trustwave.com/support/l...ised-email.asp

** http://thehackernews.com/2013/12/She...Silk-Road.html

[AplusWebMaster]

FYI...

Fake Westpac Bill Payment - Phish
- http://www.hoax-slayer.com/westpac-b...ing-scam.shtml
Feb 25, 2014 - "Message supposedly sent by Australian bank Westpac, notifies recipients that a payment to a biller has been successfully processed and invites them to click a link to view transaction details. Westpac did -not- send the email. The message is a phishing scam that attempts to lure Westpac customers into visiting a fraudulent website and providing their account login details. Criminals will use the stolen information to hijack Westpac bank accounts belonging to their victims.
Example:
> http://www.hoax-slayer.com/images/we...ing-2014-1.jpg
This email, which was supposedly sent by large Australian bank Westpac, informs recipients that a payment to a biller has been successfully processed. The email includes details of the bill payment and invites recipients to follow a link to view more information about the transaction. The message includes the Westpac logo... It is a -phishing- scam that was created with the goal of tricking recipients into giving their Westpac account login details to cybercriminals. Some Westpac customers who receive the bogus notification may be panicked into clicking the link in the mistaken belief that their accounts have been compromised and used to conduct fraudulent transactions in their names... the criminals responsible for the phishing campaign will collect the submitted login credentials. The criminals can use the stolen credentials to access their victims' bank accounts, transfer funds and commit further fraudulent transactions. If you receive one of these emails, do -not- click any links -or- open any attachments that it contains. Westpac has published information about phishing scams and how to report them on its website*..."
* http://www.westpac.com.au/security/f.../online-fraud/
___

Fake British Airways e-ticket email - malware ...
- http://www.welivesecurity.com/2014/0...hed-via-email/
Feb 25, 2014 - "If you have received an unexpected email, claiming to come from British Airways, about an upcoming flight that you haven’t booked – please be on your guard. Online criminals are attempting to infect innocent users’ computers with a variant of the malicious Win32/Spy.Zbot.AAU trojan, by disguising their attack as an e-ticket from the airline. To maximise the potential number of victims, the attackers have spammed out messages widely from compromised computers.
> http://www.welivesecurity.com/wp-con...are-email.jpeg
... Of course, although the email claims to come from British Airways – it is nothing of the sort. In a classic example of social engineering, criminals are hoping that email recipients will worry that their credit card has been fraudulently used to purchase an air ticket, and click on links inside the email to find out more. However, if user download the supposed e-ticket, and launch its contents they will be infecting themselves with a trojan horse that can spy on their computer activity and give malicious hackers third-party access to their data... the malware has been spread via malicious links after cybercriminals forged email headers to make their messages look like they really came from British Airways’s customer service department. But it’s equally possible for attackers to spread their malware via email attachments, or for other disguises to be deployed if those behind the spam blitz believe that they have a greater chance of success. Remember to always be suspicious of clicking on links in unsolicited emails, and the social engineering tricks that are frequently used to lure computer users into making unwise decisions..."
___

WhatsApp desktop client doesn’t exist, used in Spam Attack anyway
- http://blog.trendmicro.com/trendlabs...attack-anyway/
Feb 25, 2014 - "The popular messaging application WhatsApp recently made headlines when it was acquired by Facebook... Cybercriminals didn’t waste much time to capitalize on this bit of news: barely a week after the official announcement, we saw a spam attack that claims that a desktop version of the popular mobile app is now being tested.
Screenshot of spammed message:
> http://about-threats.trendmicro.com/...cebookspam.jpg
... The message also provides a download link to this version, which is detected as TROJ_BANLOAD.YZV, which is commonly used to download banking malware. (This behavior is the same, whether on PCs or mobile devices). That is the case here; TSPY_BANKER.YZV is downloaded onto the system. This BANKER variant retrieves user names and passwords stored in the system, which poses a security risk for online accounts accessed on the affected system. The use of BANKER malware, coupled with a Portuguese message, indicates that the intended targets are users in Brazil. Feedback from the Smart Protection Network indicates that more than 80 percent of users who have accessed the malicious site do come from Brazil. Although the volume of this spam run is relatively low, it is currently increasing. One of our spam sources reported that samples of this run accounted for up to 3% of all mail seen by that particular source, which indicates a potential spam outbreak. We strongly advise users to be careful of this or similar messages; WhatsApp does -not- currently have a Windows or Mac client, so all messages that claim one exists can be considered -scams- ..."
___

Bitcoin exchange Mt. Gox disappears...
- http://www.reuters.com/article/2014/...A1O07920140225
Feb 25, 2014 - "Mt. Gox, once the world's biggest bitcoin exchange, looked to have essentially disappeared on Tuesday, with its website down, its founder unaccounted for and a Tokyo office empty bar a handful of protesters saying they had lost money investing in the virtual currency. The digital marketplace operator, which began as a venue for trading cards, had surged to the top of the bitcoin world, but critics - from rival exchanges to burned investors - said Mt. Gox had long been lax over its security. It was not clear what has become of the exchange, which this month halted withdrawals indefinitely after detecting "unusual activity." A global bitcoin organization referred to the exchange's "exit," while angry investors questioned whether it was still solvent..."
- http://www.wired.com/wiredenterprise...-gox-implodes/
___

Developers attack code bypasses MS EMET tool
- http://arstechnica.com/security/2014...rotection-app/
Feb 24, 2014 - "Researchers have developed attack code that completely bypasses Microsoft's zero-day prevention software, an impressive feat that suggests criminal hackers are able to do the same thing when exploiting vulnerabilities that allow them to surreptitiously install malware. The exploit code, which was developed by researchers from security firm Bromium Labs, bypasses each of the many protections included in the freely available EMET, which is short for Enhanced Mitigation Experience Toolkit... The Bromium exploit included an example of a real-world attack that was able to circumvent techniques designed to mitigate the damage malicious code can do when targeting security bugs included in third-party applications... The researchers privately informed security personnel at Microsoft before going public with their findings; the software giant plans to credit the research when releasing the upcoming version 5 of EMET..."

[AplusWebMaster]

FYI...

Fake AMEX email - phish ...
- http://www.hoax-slayer.com/amex-pers...ing-scam.shtml
Feb 26, 2014 - "Email claiming to be from American Express instructs recipients to visit a website and create a Personal Security Key (PSK) as an account authentication measure. The email is -not- from American Express. Links in the email open a fraudulent website designed to emulate a genuine American Express webpage. The fake website asks users to provide credit card details and other information. The criminals behind the scam will use the stolen data to commit credit card fraud and hijack online accounts. If this message comes your way, do -not- click on any links -or- open any attachments that it contains.
> http://www.hoax-slayer.com/images/am...phishing-1.jpg
According to this email, which purports to be from American Express, users can increase their account security by having a Personal Security Key (PSK). The message invites recipients to click a link to create their PSK. The email is professionally presented and includes seemingly legitimate subscription and copyright information. At first glance, the message may seem like a genuine American Express notification, especially since it supposedly provides information to help customers protect themselves from fraud. American Express does offer customers a PSK system as one of several authentication measures. However, this email is not from American Express. Ironically, considering its content, the email is itself a scam designed to defraud customers. Clicking any of the links in the fake message will take users to a bogus website that asks for their credit card information. Like the email itself, the bogus website looks professional and has been built so that it closely emulates a genuine American Express page. The information provided on the fake website can be collected by scammers and used to commit credit card fraud and identity theft... scammers are likely to create new scam sites and send out more of the scam emails. Phishing scammers continually target American Express and other credit card providers. As such scams go, this is a quite sophisticated attempt. Because of the way it is presented, the scam may catch out even more experienced users. American Express will -never- send customers unsolicited emails that request them to provide their card details or other sensitive personal information by clicking a link. The American Express website* includes information about phishing and how to report scam emails."
* https://www.americanexpress.com/us/c...ity-theft.html
___

Android - 98% of all mobile malware targeted this platform...
- https://www.securelist.com/en/analys...lution_2013#05
24 Feb 2014 - "... Android remains a prime target for -malicious- attacks. 98.05% of all malware detected in 2013 targeted this platform, confirming both the popularity of this mobile OS and the vulnerability of its architecture..."
Charted: https://www.securelist.com/en/images...ts_2013_02.png

- http://www.theinquirer.net/inquirer/...mobile-malware
Feb 26 2014 - "... the number of new malicious programs in 2013 -doubled- to over 100,000... The bulk of attacks, 40 percent, target people in Russia. The UK ranks fifth, with three percent of victims. Germany, which lurks just below the UK, is apparently rather susceptible to a premium charge SMS takeover attack... that is unlikely to last for long: given cybercriminals' keen interest in consumer bank accounts, the activity of mobile banking Trojans is expected to grow in other countries in 2014..."
___

Eviction Notice Spam
- http://threattrack.tumblr.com/post/7...on-notice-spam
Feb 26, 2014 - "Subjects Seen:
Eviction Notice
Typical e-mail details:
Urgent notice of eviction,
We have to inform you about the eviction proceedings against
you and the decision of the bank to foreclose on your property.
As a trespasser you need to move out until 20 March 2014
and leave the property empty of your belongings and any trash.
Please contact our office without delay to make arrangements for a move out.
If you do not do this, you could be simply locked out of your home.
Detailed bank statement as well as our contact information
can be found in the attachment to this notice.
Real estate agency,
Helen Tailor

Malicious File Name and MD5:
Notice_of_eviction_id65697RE.zip (26660A4FEB6D13BA67BFDBEF486A36FD)
Urgent_notice_of_eviction.exe (1B7E61B48866A523BF5618F266AC5600)

Screenshot: https://gs1.wac.edgecastcdn.net/8019...f2Y1r6pupn.png

Tagged: Eviction Notice, Kuluoz