
Thread: SPAM frauds, fakes, and other MALWARE deliveries...

  1. #391
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Fake Amazon + Royal Mail SPAM ...

    FYI...

    Fake Amazon SPAM / 213.152.26.150
    - http://blog.dynamoo.com/2014/02/amaz...ur-online.html
    27 Feb 2014 - "This fake Amazon spam leads to something bad.
    Date: Wed, 26 Feb 2014 13:09:55 -0400 [02/26/14 12:09:55 EST]
    From: "Amazon.com" [t1na@ msn .com]
    Subject: Important For Your Online Account Access .
    Your Account Has Been Held
    Dear Customer ,
    We take you to note that your account has been suspended for protection , Where the password was entered more than once .
    In order to protect ,account has been suspended .Please update your Account Information To verify the account...
    Thanks for Update at Amazon .com...


    Screenshot: https://lh3.ggpht.com/-I0pRhOGLLtA/U...00/amazon2.png

    In the samples that I have seen the link in the email goes to either [donotclick]exivenca .com/support.php or [donotclick]vicorpseguridad .com/support.php both of which are currently -down- but were both legitimate sites hosted on 213.152.26.150 (Neo Telecoms, France). The fact that these sites are down could be because the host is dealing with the problem, however I would expect to see this same email template being used again in the future, so take care.."
    ___

    Fake Royal Mail SPAM
    - http://blog.dynamoo.com/2014/02/roya...sory-spam.html
    27 Feb 2014 - "This -fake- Royal Mail spam has a malicious payload:
    From: Royal Mail noreply@ royalmail .com
    Date: 27 February 2014 14:50
    Subject: Royal Mail Shipping Advisory, Thu, 27 Feb 2014
    Royal Mail Group Shipment Advisory
    The following 1 piece(s) have been sent via Royal Mail on Thu, 27 Feb 2014 15:47:17 +0530, REF# GB36187692IE ...


    Screenshot: https://lh3.ggpht.com/-Uwr252R1CT4/U.../royalmail.png

    This is a ThreeScripts attack, the link in the email goes to:
    [donotclick]wagesforinterns .com/concern/index.html
    and it then runs one or more of the following scripts:
    [donotclick]billigast-el .nu/margarita/garlicky.js
    [donotclick]ftp.arearealestate .com/telecasted/earners.js
    [donotclick]tattitude .co .uk/combines/cartooning.js
    in this case the payload site is at
    [donotclick]northwesternfoods .com/sg3oyoe0v2
    which is hosted on 23.239.12.68 (Linode, US) along with a bunch of hijacked GoDaddy sites... The payload appears to be an Angler Exploit Kit (see this example*).
    Recommended blocklist:
    23.239.12.68
    billigast-el .nu
    ftp.arearealestate .com
    tattitude .co .uk
    n2ocompanies .com
    northerningredients .com
    northwesternfoods .com
    oziama .com
    oziama .net
    "
    * http://urlquery.net/report.php?id=9660606

    Last edited by AplusWebMaster; 2014-02-27 at 17:45.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .
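    Added example (my own code, not from Dynamoo or this post): the blocklists quoted in this thread are written defanged, with spaces before dots, [donotclick] and hxxp:// prefixes, and "host – ip" pairs. This Python snippet, fed a sample list constructed from entries quoted above, refangs that notation into normalised IPs and domains and checks a hostname against the result, including subdomains of a listed domain.

```python
import re

# Constructed sample in the defanged style used throughout this thread
# (spaces before dots, [donotclick] and hxxp:// prefixes, "host – ip" pairs).
SAMPLE_BLOCKLIST = """\
Recommended blocklist:
23.239.12.68
billigast-el .nu
ftp.arearealestate .com
tattitude .co .uk
[donotclick]northwesternfoods .com/sg3oyoe0v2
hxxp:// api.ibario .com – 50.22.175.81
hxxp:// 107.20.142.228 /service/stats.php?sv=1
"""

DEFANG_PREFIXES = ("[donotclick]", "hxxps://", "hxxp://", "https://", "http://")
SEPARATOR = re.compile(r"\s[–-]\s")  # "host – ip" pairs as written in the posts
IPV4 = re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$")
HOSTNAME = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def refang(token):
    """Turn one defanged token into a bare, lower-case host or IP string."""
    t = token.strip().lower()
    for prefix in DEFANG_PREFIXES:
        if t.startswith(prefix):
            t = t[len(prefix):].strip()
            break
    # Undo the "example .com" / "example[.]com" spacing used to stop accidental clicks
    t = t.replace("[.]", ".").replace(" .", ".").replace(". ", ".")
    host = t.split("/", 1)[0].split("?", 1)[0]   # drop any path or query
    host = host.split(":", 1)[0]                   # drop a port or trailing colon
    return host.strip()


def classify(host):
    """Return 'ip', 'domain', or None for tokens that are not indicators."""
    if IPV4.match(host):
        return "ip"
    if HOSTNAME.match(host):
        return "domain"
    return None


def extract_indicators(text):
    """Parse defanged blocklist text into sorted lists of IPs and domains."""
    ips, domains = set(), set()
    for line in text.splitlines():
        for token in SEPARATOR.split(line):
            host = refang(token)
            kind = classify(host)
            if kind == "ip":
                ips.add(host)
            elif kind == "domain":
                domains.add(host)
    return {"ips": sorted(ips), "domains": sorted(domains)}


def host_is_blocked(host, indicators):
    """True if host is a listed IP/domain or a subdomain of a listed domain."""
    h = host.lower().rstrip(".")
    if h in indicators["ips"] or h in indicators["domains"]:
        return True
    return any(h.endswith("." + d) for d in indicators["domains"])


if __name__ == "__main__":
    ind = extract_indicators(SAMPLE_BLOCKLIST)
    print(ind)
    print(host_is_blocked("www.tattitude.co.uk", ind))
```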

  2. #392
    IE10 0-day now Drive-by-Download...

    FYI...

    IE10 0-day exploited in widespread Drive-by Downloads
    - http://www.symantec.com/connect/blog...rive-downloads
    Updated: 27 Feb 2014 - "... We’ve observed trends suggesting that attacks targeting this vulnerability are no longer confined to advanced persistent threats (APT) — the zero-day attacks are expanding to attack average Internet users as well. We refer to these attacks as drive-by downloads. This is not a surprising result, as the vulnerability’s exploit code received a lot of exposure, allowing anyone to acquire the code and re-use it for their own purposes. Our internal telemetry shows a big uptick in attempted zero-day attacks. The attacks started to increase dramatically from February 22, targeting users in many parts of the world. Our telemetry shows -both- targeted attacks and drive-by downloads in the mix.
    Attacks targeting CVE-2014-0322 around the world
    > http://www.symantec.com/connect/site...%20day%201.png
    ... websites either were modified to host the exploit code for the Internet Explorer zero-day vulnerability or were updated with the insertion of an iframe that redirects the browser to another compromised site hosting the exploit code. If the attack is successful, the exploit drops a banking Trojan that steals login details from certain banks... Microsoft has yet to provide a security update to patch the affected vulnerability. However, the company has offered the following solutions to help users protect their computers from exploits that take advantage of this vulnerability:
    - Upgrade to Internet Explorer 11
    - Install the Microsoft Fix it workaround solution:
    > http://support.microsoft.com/kb/2934088#FixItForMe "
    ___

    Fake Netflix Phish leads to Fake MS Tech Support
    - http://blog.malwarebytes.org/fraud-s...-tech-support/
    Feb 28, 2014 - "... came across what I first thought was a typical phishing scam targeting Netflix:
    > http://cdn.blog.malwarebytes.org/wp-.../02/signin.png
    Until I realized it wasn’t, or at least that there was something more to it. Of course it stole my credentials:
    > http://cdn.blog.malwarebytes.org/wp-...4/02/phish.png
    But it also displayed a message saying my account had been suspended:
    > http://cdn.blog.malwarebytes.org/wp-.../suspended.png
    In order to fix this issue, you are urged to call “Netflix” at a 1-800 number. If you do a bit of a search you will find out this is -not- the official hotline, so this warranted a deeper investigation. Once I called the number, the rogue support representative had me download a “NetFlix Support Software”:
    > http://cdn.blog.malwarebytes.org/wp-...2/software.png
    This is nothing else but the popular remote login program TeamViewer:
    > http://cdn.blog.malwarebytes.org/wp-.../downloads.png
    After remotely connecting to my PC, the scammer told me that my Netflix account had been suspended because of illegal activity. This was supposedly due to hackers who had infiltrated my computer as he went on to show me the scan results from their own ‘Foreign IP Tracer’, a -fraudulent- custom-made Windows batch script... According to him, there was only one thing to do: To let a Microsoft Certified Technician fix my computer. He drafted a quick invoice and was kind enough to give me a $50 Netflix coupon (fake of course) before transferring me to another technician... During our conversation, the scammers were not idle. They were going through my personal files and uploading those that looked interesting to them, such as ‘banking 2013.doc‘... Another peculiar thing is when they asked me for a picture ID and a photo of my credit card since the Internet is not secure and they needed proof of my identity. I could not produce one, therefore they activated my webcam so that I could show said cards to them onto their screen... This is where it ended as my camera was disabled by default. The scammers were located in India, information gathered from the TeamViewer logfile... -never- let anyone take remote control of your computer unless you absolutely trust them. This scam took place in a controlled environment that had been set up specifically for that purpose..."

    Last edited by AplusWebMaster; 2014-02-28 at 23:49.

  3. #393
    Fake Companies House, Fake Urgent eviction SPAM ...

    FYI...

    The ThreatCon is currently at Level 2: Elevated
    - http://www.symantec.com/security_res...atconlearn.jsp
    Mar 2, 2014 - "On February 19, 2014, Microsoft released a security advisory confirming limited, targeted attacks that attempt to exploit a vulnerability in Internet Explorer 9 and 10. The exploit is now being used in mass attacks. Customers are advised to update to Internet Explorer 11 or apply the Microsoft Fix it* solution described in the Microsoft Security Advisory. A security patch has yet to be released.
    Microsoft Security Advisory (2934088) Vulnerability in Internet Explorer Could Allow Remote Code Execution"
    * http://support.microsoft.com/kb/2934088#FixItForMe

    > http://www.netmarketshare.com/browse...=0&qpcustomd=0
    Feb 2014 - IE: 58%
    ___

    Fake Companies House SPAM
    - http://blog.dynamoo.com/2014/02/comp...9670-spam.html
    28 Feb 2014 - "This -fake- Companies House spam leads to malware:
    From: Companieshouse.gov.uk [web-filing@companies-house .gov .uk]
    Date: 28 February 2014 12:55
    Subject: Spam FW: Case - 6569670
    A company complaint was submitted to Companies House website.
    The submission number is 6569670
    For more details please click : https ://companieshouse .gov .uk/Case?=6569670
    Please quote this number in any communications with Companies House.
    All Web Filed documents are available to view / download for 10 days after their
    original submission. However it is not possible to view copies of accounts that
    were downloaded as templates.
    Companies House Executive Agency may use information it holds to prevent
    and detect fraud. We may also share such information, for the same purpose,
    with other organisations that handle public funds.
    If you have any queries please contact the Companies House Contact Centre ...


    Screenshot: https://lh3.ggpht.com/-_WHfOqxcvGU/U...es-house-4.png

    The link in the email goes to:
    [donotclick]economysquareshoppingcenter .com/izmir/index.html
    in turn this runs one or more of the following scripts:
    [donotclick]homedecorgifts .biz/outfitted/mascara.js
    [donotclick]www.coffeemachinestorent .co.uk/disusing/boas.js
    [donotclick]citystant .com/trails/pulitzer.js
    [donotclick]rccol.pytalhost .de/turban/cupped.js
    which in turn leads to a payload site at:
    [donotclick]digitec-brasil .com.br/javachecker.php?create=3019&void-cat=4467&first-desk=9002
    According to this URLquery report*, the payload site has some sort of Java exploit.
    Recommended blocklist:
    digitec-brasil .com.br
    homedecorgifts .biz
    coffeemachinestorent .co.uk
    citystant .com
    rccol.pytalhost .de
    "
    * http://urlquery.net/report.php?id=9706278
    ___

    Fake Urgent eviction notification - Asprox...
    - http://stopmalvertising.com/spam-sca...ecosystem.html
    Feb 28, 2014 - "The latest Asprox / Kuluoz spam template consists of an unsolicited email appearing to be from ppmrental .com. Prospectors Property Management is a Real Estate Agency located in Morgan Hill, California. The emails arrive with the subject line "Urgent eviction notification". The spammed out message notifies the recipient that as a trespasser they need to move out from their property before the 21 March 2014 and leave the property empty of their belongings and trash. The addressee must contact the Real Estate without delay in order to make arrangements to move out. Failure to do so could result in being locked out of the house. A detailed bank statement as well as the Real Estate's contact information can be found in the attachment. The executable file inside the ZIP archive poses as a Microsoft Word Document. This is one of the main reasons why you should never trust a file by its icon. Make sure that Windows Explorer is set to show file extensions and always pay attention to the file extension instead. The payload, Urgent_notice_of_eviction.exe will start up an instance of svchost.exe before accessing the internet. A copy of the executable will be copied under a random name to the %User Profile%\Local Settings\Application Data folder. A small downloader - bqoqusgj.exe in our analysis - will be fetched from the C&C together with 3 other files:
    vbxghrke - 66.5 KB (68,161 bytes)
    kqrbfxel - 12.0 KB (12,326 bytes)
    ihxqgwcu.exe - 140 KB (143,360 bytes)
    A new start up entry will be created for ihxqgwcu.exe so that the program starts each time Windows starts but the executable isn’t launched yet. In meanwhile bqoqusgj.exe will download two files posing as Updates for the Flash Player: updateflashplayer_9e26d2b2.exe (libs5.8/jquery directory) and UpdateFlashPlayer_266a0199.exe (libs5.8/ajax directory).
    > http://stopmalvertising.com/research...-infogram1.jpg
    ... Updateflashplayer_9e26d2b2.exe will instantly shutdown and reboot the computer. A series of error messages will appear upon reboot as the malicious binary has deleted several critical registry keys belonging to Antivirus / Firewall / HIPS applications... The Asprox ad fraud binary also makes sure that the computer can’t boot in Safe Mode by deleting the corresponding registry entries. As seen below, booting the computer in safe mode results in a blue screen.
    > http://stopmalvertising.com/research...-infogram2.jpg
    ... For an in-depth analysis of Asprox / Kuluoz please refer to: Analysis of Asprox and its New Encryption Scheme*... Email:
    > http://stopmalvertising.com/research...infogram10.jpg
    ... IP Details
    ..."
    (More detail at the stopmalvertising URL above.)
    * http://stopmalvertising.com/malware-...on-scheme.html

    - http://tools.cisco.com/security/cent...?alertId=33147
    2014 Mar 03

    Last edited by AplusWebMaster; 2014-03-04 at 16:54.
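    Added example (my own code, not from stopmalvertising, Dynamoo or this post) for the attachment tricks described in the Asprox write-up above and in the later gateway.gov.uk post: an executable whose icon makes it look like a Word document, and a GB10032014.pdf.scr hidden inside a ZIP. The Python check below inspects an attachment archive for executable extensions, document-then-executable double extensions, and an MZ (Windows PE) header regardless of the file name; the archive is constructed inline, and the names other than the two quoted from the posts are made up.

```python
import io
import os
import zipfile

# Extensions Windows will run directly, and document extensions commonly
# used as the "inner" part of a double extension such as invoice.pdf.scr
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".jar"}
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf", ".txt"}
PE_MAGIC = b"MZ"  # first two bytes of every Windows executable


def name_findings(name):
    """Findings based on the file name alone (no content needed)."""
    base = os.path.basename(name.replace("\\", "/"))
    root, ext = os.path.splitext(base)
    ext = ext.lower()
    findings = []
    if ext in EXEC_EXTS:
        findings.append("executable extension %s" % ext)
        inner = os.path.splitext(root)[1].lower()
        if inner in DOC_EXTS:
            findings.append("double extension %s%s disguises an executable as a document" % (inner, ext))
    return findings


def inspect_zip(data):
    """Map each suspicious member of a ZIP (given as bytes) to its findings."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            findings = name_findings(info.filename)
            with zf.open(info) as fh:
                head = fh.read(2)
            # Content sniffing catches an executable even when the name
            # and icon both claim it is a document
            if head == PE_MAGIC:
                findings.append("content starts with MZ (Windows PE) regardless of the name")
            if findings:
                results[info.filename] = findings
    return results


def verdict(data):
    """'quarantine' if any member looks like a disguised executable."""
    return "quarantine" if inspect_zip(data) else "clean"


def build_sample_zip(include_malicious=True):
    """Constructed test archive; the two quoted names come from the posts above."""
    buf = io.BytesIO()
    fake_pe = b"MZ\x90\x00" + b"\x00" * 60  # constructed stub, not a real binary
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("statement.pdf", b"%PDF-1.4\n%...")
        zf.writestr("readme.txt", b"plain text")
        if include_malicious:
            zf.writestr("Urgent_notice_of_eviction.exe", fake_pe)  # Asprox lure
            zf.writestr("GB10032014.pdf.scr", fake_pe)             # gateway.gov.uk lure
            zf.writestr("Invoice.doc", fake_pe)                    # PE with a document name
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip()
    for member, why in inspect_zip(sample).items():
        print(member, "->", "; ".join(why))
    print(verdict(sample))
```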

  4. #394
    Malware sites to block ...

    FYI...

    Malware sites to block ...
    - http://blog.dynamoo.com/2014/03/malw...lock-2314.html
    2 Mar 2014 - "These domains and IPs are all connected with this gang*, some of it appears to be involved in -malware- distribution, -fraud- or other illegal activities. I recommend that you -block- these IPs and domains. Note that some of the IPs listed below are compromised nameservers (marked [ns]) which look like they are insufficiently well locked down. There is a plain list of IPs at the end for copy-and-pasting..."
    (Long list at the URL above.)
    * http://blog.dynamoo.com/2014/03/seek...job-offer.html
    2 Mar 2014
    ___

    Rising use of Malicious Java Code ...
    - https://www.trusteer.com/blog/rising...infiltration-0
    Mar 3, 2014 - "... exploit kits such as the Blackhole and Cool exploit kit were found to be using unpatched Java vulnerabilities... to install malware..."
    Extract from the 2014 IBM X-Force Threat Intelligence Quarterly report
    Exploited apps - Dec 2013
    > https://www.trusteer.com/sites/defau...eenShot609.png
    Java vulnerabilities - 2010-2013
    > https://www.trusteer.com/sites/defau...eenShot610.png

    Last edited by AplusWebMaster; 2014-03-03 at 19:20.

  5. #395
    Phone Phishing, Data Breaches, and Banking Scams ...

    FYI...

    Phone Phishing, Data Breaches, and Banking Scams
    - http://blog.trendmicro.com/trendlabs...banking-scams/
    Mar 4, 2014 - "... I received a rather unusual call that claimed to be from National Australia Bank (NAB), one of the four largest banks in Australia. The caller had my complete name and my address. They claimed that they had flagged a suspicious transaction from my account to an Alex Smith in New Zealand to the tune of 700 Australian dollars. They needed my NAB number to confirm if the transaction was legitimate. There was just one problem with this seemingly plausible call: I wasn’t an NAB customer. I offered to call them back – and when I did so, they simply hung up on me. These sorts of calls are not the only threats that arrive via phone – for example, fake “support” calls that are supposedly from Microsoft* that offer to remove malware from user PCs are sadly commonplace. To most users who simply go about their daily lives, these calls can sound quite convincing and can cause a lot of problems... How did they get that all that information? We don’t know. However, it’s very possible that somebody somewhere had a data breach. They may not have known about it, or they may have decided that since the information “wasn’t critical” – say, they didn’t have my credit card or banking credentials – that it was harmless. However, now you can see how seemingly “harmless” information can be used to carry out real fraud. Since last year, we’ve been pointing out the huge gains in banking malware**. Just as support scams can be thought of as a “real-world” equivalent to ransomware and fake antivirus, so can these sort of phishing calls be the equivalent of these banking malware threats..."
    * http://www.microsoft.com/security/on...cy/msname.aspx

    ** http://blog.trendmicro.com/trendlabs...urity-roundup/
    ___

    Twitter sends password reset emails by mistake, admits it wasn't hacked
    - http://www.theinquirer.net/inquirer/...nt-been-hacked
    Mar 04 2014 - "... Twitter sent a number of password reset emails on Monday evening due to a system error. The firm contacted users with the sort of messages usually seen when attackers are taking over accounts. Twitter's email has been shared on the microblogging website, of course, and picked up by the Recode website. The missive presented itself as one of those 'you've been hacked' emails, and informed users about their scorched logins. "Twitter believes that your account may have been compromised by a website or service not associated with Twitter," it said. "We've reset your password to prevent accessing your account." Users took to Twitter to fret about the email, and a search on "Twitter hack" turns up a range of panicked missives and messages of thanks to Twitter for its speedy intervention. Later though, in a statement to Recode, the firm admitted that it had been the victim of nothing more than a system error. "We unintentionally sent some password reset notices tonight due to a system error," it said. "We apologise to the affected users for the inconvenience." Users could not be blamed for worrying about the phantom attack, as we have already seen a large number of security breaches this year already..."
    ___

    Orange MMS Message Spam
    - http://threattrack.tumblr.com/post/7...s-message-spam
    Mar 4, 2014 - "Subjects Seen:
    MMS message from: +447974******
    Typical e-mail details:
    You have received MMS message from: +447974778589
    You can find the contents of the message in the attachment
    If you have any questions regarding this automated message please contact Orange Customer Support


    Malicious File Name and MD5:
    MMS_C0BFB6C0B8.zip (3A123E39BDCAC7ED1127206502C1598C)
    MMS_87436598.exe (10F21C0F2C3C587A509590FA467F8775)


    Screenshot: https://gs1.wac.edgecastcdn.net/8019...hjQ1r6pupn.png

    Tagged: Orange, Androm
    ___

    Bitcoin bank Flexcoin shuts down after theft
    - http://www.reuters.com/article/2014/...A2329B20140304
    Mar 4, 2014 - "Bitcoin bank Flexcoin said on Tuesday it was closing down after it lost bitcoins worth about $600,000 to a hacker attack. Flexcoin said in a message posted on its website that all 896 bitcoins stored online were stolen on Sunday. "As Flexcoin does not have the resources, assets, or otherwise to come back from this loss, we are closing our doors immediately," the company said. [ http://www.flexcoin.com/ ] Alberta, Canada-based Flexcoin, which is working with law enforcement agencies to trace the source of the hack, said it would return bitcoins stored offline, or in "cold storage", to users. Cold storage coins are held in computers not connected to the Internet and therefore cannot be hacked... Bitcoin is a digital currency that, unlike conventional money, is bought and sold on a peer-to-peer network independent of central control. Its value soared last year, and the total worth of bitcoins minted is now about $7 billion..."

    Last edited by AplusWebMaster; 2014-03-05 at 11:40.

  6. #396
    Fake PayPal Phish ...

    FYI...

    Fake PayPal 'Cancel Payment' Phishing Scam
    - http://www.hoax-slayer.com/paypal-ca...ing-scam.shtml
    Mar 5, 2014 - "Email purporting to be from PayPal claims that the recipient has sent a payment to a specified merchant and offers instructions for cancelling the payment if required... The email is a phishing scam designed to trick recipients into divulging their PayPal account login details and a large amount of personal and financial information. All of the information supplied will be sent to online criminals and used to commit financial fraud and identity theft. The merchant or seller specified in the messages may vary in different incarnations of the scam. If you receive one of these bogus emails, do not click on any links or open any attachments that it contains...
    > http://www.hoax-slayer.com/images/pa...ing-2014-1.jpg
    .
    > http://www.hoax-slayer.com/images/pa...ing-2014-2.jpg
    ... Those who do click will be taken to a -bogus- website and asked to supply their PayPal email address and password on a fake login box. After logging in, they will be presented with the following web form, which asks for a large amount of personal and financial information:
    > http://www.hoax-slayer.com/images/pa...ing-2014-3.jpg
    ... All of the information supplied can be harvested by criminals and used to hijack the compromised PayPal accounts, commit credit card fraud and steal the identities of victims... If a PayPal phishing scam email hits your inbox, you can submit it to the company for analysis via the email address listed on the company's phishing information page*. A quick rule of thumb. PayPal emails will ALWAYS address you by your first and last names or business name. They will never use generic greetings such as 'Dear customer'. Nor will they omit the greeting..."
    * https://www.paypal.com/us/webapps/he...=FAQ2331&m=SRE


  7. #397
    Deceptive ads expose users to PUA ...

    FYI...

    Deceptive ads expose users to PUA ...
    - http://www.webroot.com/blog/2014/03/...d-application/
    Mar 6, 2014 - "Deceptive ads continue to represent the primary distribution vector for the vast majority of Potentially Unwanted Applications (PUAs) that we track. Primarily relying on ‘visual social engineering’ tactics, gullible end users fall victim to these privacy-violating applications, largely due to the fact that they instantaneously agree to the terms in the End User’s Agreement presented to them. We’ve recently spotted yet another variant of the InstallBrain family of Potentially Unwanted Applications (PUA’s), tricking users into installing a bogus PC performance boosting application... actionable intelligence on the domains/IPs and related privacy-violating MD5s known to have shared the same infrastructure as the initial PUA profiled in this post...
    Sample screenshot of the landing page:
    > https://www.webroot.com/blog/wp-cont..._Performer.png
    ... Sample detection rate for PurpleTech Software Inc’s PC Performer:
    MD5: f85a9d94027c2d44f33c153b22a86473* ... Once executed, the sample phones back to:
    hxxp:// inststats-1582571262.us-east-1.elb.amazonaws .com – 23.21.180.138
    hxxp:// api.ibario .com – 50.22.175.81
    hxxp:// 107.20.142.228 /service/stats.php?sv=1
    hxxp:// 174.36.241.169 /events
    Domain name reconnaissance:
    api.ibario .com – 50.22.175.81; 96.45.82.133; 96.45.82.197; 96.45.82.69; 96.45.82.5
    thepcperformer .com – 96.45.82.5; 96.45.82.69; 96.45.82.133; 96.45.82.197 ...
    ... responded to the same C&C server (23.21.180.138) ...
    ... phoned back to the same IP (50.22.175.81)..."
    * https://www.virustotal.com/en/file/1...is/1394030288/


  8. #398
    Fake TurboTax: E-file successful email

    FYI...

    Fake TurboTax: E-file successful email
    - http://security.intuit.com/alert.php?a=101
    3/7/14 - "People are receiving fake emails with the title "TurboTax: E-file Successful." Below is a copy of the email people are receiving:
    > http://security.intuit.com/images/ttsuccessful.jpg
    ___
    This is the end of the -fake- email.
    Steps to Take Now
    Do not open any attachment or click any links in the email...
    Delete the email
    "
    ___

    Threat Outbreak Alerts
    - http://tools.cisco.com/security/cent...utbreak.x?i=77
    Fake Bank Transaction Statement Email Messages - 2014 Mar 07
    Email Messages with Malicious Attachments - 2014 Mar 07
    Fake Product Invoice Notification Email Messages - 2014 Mar 07
    Fake Account Payment Information Email Messages - 2014 Mar 07
    Fake Product Order Notification Email Messages - 2014 Mar 07
    Fake Failed Delivery Notification Email Messages - 2014 Mar 07
    Fake Fax Message Delivery Email Messages - 2014 Mar 07
    Fake Fax Delivery Email Messages - 2014 Mar 07
    Fake Payment Transaction Notification Email Messages - 2014 Mar 06...
    (Links / more info at the cisco URL above.)
    ___

    Friday (Spam) Roundup
    - http://blog.malwarebytes.org/online-...-spam-roundup/
    Mar 7, 2014 - "... spam for the weekend?
    1) Bitcoin spam: http://cdn.blog.malwarebytes.org/wp-...3/bitspam1.jpg
    “Buy and sell Bitcoins!
    Find the best places online to buy / sell Bitcoin currency”
    The link just takes clickers to what appears to be a parked domain with sponsored links. In other words, delete / avoid.
    2) Skype Team Direct Messages: http://cdn.blog.malwarebytes.org/wp-...3/bitspam2.jpg
    “Direct message from Skype Team
    Skype
    Direct Message
    View Message
    Respectfully,
    Skype Service”
    3) Pharmacy msgs: http://cdn.blog.malwarebytes.org/wp-...3/bitspam3.jpg
    4) TV spamblog spam [-not- email based]: ... when scammers try to take advantage of a service like Google Docs they’re going phishing. I saw this and thought it was at least a little unusual – Google Docs being used to spam a cookie-cutter spamblog promising free TV shows. I’m sure you’ve seen those spam posts across the net...
    > http://cdn.blog.malwarebytes.org/wp-...3/bitspam5.jpg "

    Last edited by AplusWebMaster; 2014-03-08 at 00:07.

  9. #399
    Q4-2013 McAfee Threat Report, Facebook scam...

    FYI...

    Q4-2013 McAfee Threat Report
    - https://net-security.org/malware_news.php?id=2727
    Mar 10, 2014 - "... By the end of 2013, McAfee Labs saw the number of malicious signed binaries in our database -triple- to more than 8 million suspicious binaries. In the fourth quarter alone, McAfee Labs found more than 2.3 million new malicious signed applications, a 52 percent increase from the previous quarter. The practice of code signing software validates the identity of the developer who produced the code and ensures the code has not been tampered with since the issue of its digital certificate...
    > http://www.net-security.org/images/a...afee032014.jpg
    ... Additional findings:
    - Mobile malware. McAfee Labs collected 2.47 million new mobile samples in 2013, with 744,000 in the fourth quarter alone. Our mobile malware zoo of unique samples grew by an astounding 197 percent from the end of 2012.
    - Ransomware. The volume of new ransomware samples rose by 1 million new samples for the year, doubling in number from Q4 2012 to Q4 2013.
    - Suspicious URLs. McAfee Labs recorded a 70 percent increase in the number of suspect URLs in 2013.
    - Malware proliferation. In 2013, McAfee Labs found 200 new malware samples every minute, or more than three new threats every second.
    - Master boot record-related. McAfee Labs found 2.2 million new MBR-attacks in 2013.
    The complete report is available here*."
    * http://www.mcafee.com/us/resources/r...at-q4-2013.pdf
    ___

    Facebook scam: naked videos of friends - delivers Trojans instead
    - https://net-security.org/malware_news.php?id=2728
    Mar 10, 2014 - "Bitdefender has discovered that more than 1,000 people have already been tricked into installing Trojan malware after clicking on a new Facebook scam that promises naked videos of their friends. The UK was the second most affected country by number of users and infections were also detected in France, Germany, Italy and Romania.
    > http://www.net-security.org/images/a...nder032014.jpg
    The scam, now spreading on the social network, can multiply itself by tagging users’ friends extremely quickly. To avoid detection, cybercriminals vary the scam messages by incorporating the names of Facebook friends alongside “private video,” “naked video” or “XXX private video”... To increase the infection rate, the malware has multiple installation possibilities. Besides the automated and quick drop on the computer or mobile device, it also multiplies itself when users -click- the -fake- Adobe Flash Player update. To make the scam more credible, cybercriminals faked the number of views of the adult video to show that over 2 million users have allegedly clicked on the infected YouTube link..."
    ___

    Malware peddler tryouts: different exploit kits
    - https://net-security.org/malware_news.php?id=2729
    Mar 10, 2014 - "Websense researchers* have been following several recent -email-spam- campaigns targeting users of popular services such as Skype and Evernote, and believe them to be initiated by the infamous ru:8080 gang, which has a history of similar spam runs impersonating legitimate Internet services such as Pinterest, Dropbox, etc. These latest campaigns start with -spoofed- emails purportedly alerting the recipients to a message/image they have received on Skype and Evernote, offering an embedded link that leads to compromised sites hosting an exploit kit. In the past, the aforementioned gang's preferred exploit kit was Blackhole, but with the arrest and prosecution of its creator... they have switched first to using the Magnitude, then the Angler and, finally, the Goon exploit kit. This group is currently focusing more on UK users, but targets US and German users as well... This gang typically pushes information-stealing trojans such as Cridex, Zeus GameOver, and click-fraud trojans like ZeroAccess onto the users, but they have also been known to deliver ransomware and worms. In these last few cases, the delivered malware is a Zeus variant that was initially detected by just a handful of commercial AV solutions..."
    * http://community.websense.com/blogs/...loit-kits.aspx
    ___

    Fake gateway .gov .uk SPAM
    - http://blog.dynamoo.com/2014/03/gate...ovuk-spam.html
    10 Mar 2014 - "This -fake- spam from the UK Government Gateway comes with a malicious payload:
    Date: Mon, 10 Mar 2014 12:04:21 +0100 [07:04:21 EDT]
    From: gateway.confirmation@ gateway .gov .uk
    Subject: Your Online Submission for Reference 485/GB3283519 Could not process
    Priority: High
    The submission for reference 485/GB3283519 was successfully received and was not
    processed.
    Check attached copy for more information.
    This is an automatically generated email. Please do not reply as the email address is not
    monitored for received mail.


    Attached is a file GB3283519.zip which in turn contains a malicious executable GB10032014.pdf.scr which has an icon that makes it look like a PDF file. This has a VirusTotal detection rate of 7/50*. Automated analysis tools... show attempted downloads from i-softinc .com on 192.206.6.82 (MegaVelocity, Canada) and icamschat .com on 69.64.39.215 (Hosting Solutions International, US). I would recommend that you -block- traffic to the following IPs and domains:
    192.206.6.82
    i-softinc .com
    icamschat .com"
    * https://www.virustotal.com/en-gb/fil...is/1394462821/
    ___

    MS Account 'Outlook Web Access' Phish ...
    - http://www.hoax-slayer.com/outlook-w...ing-scam.shtml
    Mar 10, 2014 - "Email purporting to be from the Microsoft Account Team claims that recipients must click a link to upgrade their email account and set up Outlook Web Access. The email is -not- from Microsoft and the claim that users must click a link to upgrade their email accounts is a lie. The message is a phishing scam designed to trick users into sending their Microsoft account login details to criminals.
    Example:
    > http://www.hoax-slayer.com/images/mi...cam-2014-1.jpg
    ... the email is -not- from Microsoft and the claim that users must follow a link to upgrade their email account is untrue. Instead, the email is a criminal ruse designed to trick people into giving their Microsoft account details to cybercriminals. Those who fall for the trick and click one of the links as instructed will be taken to a -bogus- 'Microsoft' website that displays the following login form:
    > http://www.hoax-slayer.com/images/mi...cam-2014-2.jpg
    Once they have added their email address and password, victims will then be presented with a message claiming that their 'Outlook account was updated successfully'. Within a few seconds, they will be redirected to a genuine Microsoft website. Meanwhile, the criminals responsible for the phishing campaign can use the stolen credentials to hijack the real Microsoft accounts belonging to their victims. A 'Microsoft account' is the new name for what was previously known as a 'Windows Live ID.' The one set of login details can be used to access a number of Microsoft services, and are thus a valuable target for scammers..."

    Last edited by AplusWebMaster; 2014-03-10 at 19:31.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .
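The gateway .gov .uk sample above relies on a classic attachment trick: a .scr executable named "GB10032014.pdf.scr" with a PDF icon, inside a zip. The following script is an added example (not code from the post or from dynamoo) that inspects such an archive without extracting it and flags members with an executable extension, a decoy document double extension, or a PE "MZ" header behind a document extension. The archive is constructed in memory; the member names are taken from the post, the member bodies are harmless dummy bytes.

```python
"""
Added example, not code from the original post: flag e-mail attachments that
use the trick seen in the GB3283519.zip sample above, an executable hidden
behind a document-looking double extension ("GB10032014.pdf.scr") and a PDF
icon. The archive is constructed in memory so the script runs offline; the
member names come from the post, the member bodies are harmless dummies.
"""
import io
import zipfile

# Extensions Windows will run when the user double-clicks the file.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "wsf", "hta", "cpl", "msi", "jar"}
# Extensions attackers use as the decoy part of a double extension.
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "rtf", "txt", "jpg",
              "png", "htm", "html"}


def classify_name(name):
    """Return the reasons a file name looks like a disguised executable
    (empty list when the name is unremarkable)."""
    reasons = []
    base = name.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    if len(parts) >= 2:
        ext = parts[-1]
        if ext in EXECUTABLE_EXTS:
            reasons.append("executable extension ." + ext)
            if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
                reasons.append("double extension .%s.%s (decoy document type)"
                               % (parts[-2], ext))
    if "\u202e" in name:  # right-to-left override hides the real extension visually
        reasons.append("contains U+202E right-to-left override")
    return reasons


def scan_zip(data):
    """Map each suspicious member of a zip archive (given as bytes) to its
    reasons. Only names and the first two bytes of each member are read;
    nothing is extracted to disk or executed."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = classify_name(info.filename)
            with zf.open(info) as fh:
                head = fh.read(2)
            ext = info.filename.lower().rsplit(".", 1)[-1]
            # PE executables start with "MZ"; a "document" that does is mislabelled.
            if head == b"MZ" and ext not in EXECUTABLE_EXTS:
                reasons.append("MZ (PE) header behind a non-executable extension")
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip():
    """Constructed stand-in for the attachment described in the post. The
    first member name is the one reported there; the bodies are dummy bytes,
    not the malware. The second member shows the MZ-behind-.txt case, the
    third is a benign control."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("GB10032014.pdf.scr", b"MZ" + b"\x00" * 62)
        zf.writestr("readme.txt", b"MZ" + b"\x00" * 62)
        zf.writestr("invoice.pdf", b"%PDF-1.4 dummy")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in scan_zip(build_sample_zip()).items():
        print(member, "->", "; ".join(reasons))
```

The same check can be bolted onto a mail gateway that already unpacks zips; the point is that the extension list and the two-byte magic check are cheap and catch the "icon looks like a PDF" trick regardless of AV detection rates.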

  10. #400 AplusWebMaster

    DDoS attack - WordPress pingback abuse, Twitter crash, Bitcoin risks ...

    FYI...

    DDoS attack - WordPress pingback abuse...
    - http://blog.sucuri.net/2014/03/more-...ce-attack.html
    Mar 10, 2014 - "Distributed Denial of Service (DDOS) attacks are becoming a common trend on our blog lately, and that’s OK because it’s a very serious issue for every website owner... Any WordPress site with Pingback enabled (which is on by default) can be used in DDOS attacks against other sites. This is a well known issue within WordPress and the core team is aware of it, it’s not something that will be patched though. In many cases this same issue is categorized as a feature, one that many plugins use..."
    * http://it-beta.slashdot.org/story/14...into-spotlight
    Mar 12, 2014

    - http://arstechnica.com/security/2014...l-ddos-attack/
    Mar 11 2014
    ___

    Malware found in Google Play Store
    - http://blog.malwarebytes.org/mobile-...le-play-store/
    Mar 12, 2014 - "Most experts agree the best way to stay safe from Android malware is to stick to trusted sources–specifically the Play Store. Unfortunately, those sources can sometimes be compromised. In the last week there have been -two- malware families found in Google’s Play Store... The first one, found by Lookout Security*, is a remote administration tool called Dendroid.
    > http://cdn.blog.malwarebytes.org/wp-...dendriod02.jpg
    This particular malware is a variant of the publicly available remote tool AndroRAT. Dendroid was advertised as “Parental Control” in the Play Store... This Play Store version of Dendroid was discovered only a couple of days after Dendroid was uncovered from the underworld by Symantec**, which means Google was -unaware- of the malicious code at the time... The second app was uncovered by Avast*** and is a SMS -Trojan- disguised as a night vision app.
    > http://cdn.blog.malwarebytes.org/wp-.../fakecam01.jpg
    The Trojan is capable of looking up contact numbers in social messaging apps like WhatsApp, Telegram, and ChatON. Once the number is collected it’s sent to a remote server and the numbers are used to register for a premium service costing up to $50... Both of these apps have been removed from the Play Store... Android malware continues to increase and at times they’re able to sneak into places we trust..."
    * https://blog.lookout.com/blog/2014/03/06/dendroid/

    ** http://www.symantec.com/connect/blog...h-out-dendroid

    *** http://blog.avast.com/2014/03/07/goo...ndroid-market/
    ___

    Twitter crashes... again
    - http://www.reuters.com/article/2014/...A2A1NY20140311
    Mar 11, 2014 - "Twitter Inc crashed on Tuesday for the second time in nine days when a software glitch stalled the popular messaging service for about one hour. The company apologized to its 250 million users in a status blog, saying it had encountered "unexpected complications" during "a planned deploy in one of our core services." The outage began around 11 a.m. Pacific time and service had "fully recovered" by 11:47 a.m., the San Francisco-based company said..."
    ___

    Beware Bitcoin: U.S. brokerage regulator
    - http://www.reuters.com/article/2014/...A2A1OJ20140311
    Mar 11, 2014 - "Bitcoin can expose people to significant losses, fraud and theft, and the lure of a potential quick profit should not blind investors to the virtual currency's significant risks, a brokerage industry watchdog warned on Tuesday. In an investor alert* titled "Bitcoin: More than a Bit Risky," the Financial Industry Regulatory Authority (FINRA) said recent events such as the bankruptcy of Bitcoin exchange operator Mt. Gox have spotlighted some of the currency's risks..."
    * http://www.finra.org/Newsroom/NewsReleases/2014/P457519

    Last edited by AplusWebMaster; 2014-03-13 at 04:57.
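The Sucuri item above describes WordPress sites being used as reflectors: an attacker sends pingback.ping calls to many WordPress installs, each of which then fetches the victim's URL to "verify" the pingback. What the victim sees in its access log is a burst of GET requests from many different hosts, all carrying WordPress's pingback-verification User-Agent. The script below is an added example (not from the Sucuri post or this thread) that parses combined-format log lines and summarises that pattern. The log lines are constructed; the hosts and addresses in them are documentation values, not real reflectors.

```python
"""
Added example, not part of the Sucuri post or this thread: detect a WordPress
pingback reflection flood from the victim's web server access log. A WordPress
site that has been told to "verify" a pingback fetches the target URL with a
User-Agent of the form
    WordPress/<version>; <abused site URL>; verifying pingback from <ip>
where <ip> is the address the abused site received the XML-RPC request from.
Many such fetches from many distinct WordPress hosts, usually with random
query strings to defeat caching, are the signature of the attack. The log
lines below are constructed; hosts and addresses are documentation values.
"""
import re
from collections import Counter

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# User-Agent WordPress uses for the pingback verification fetch.
PINGBACK_UA_RE = re.compile(
    r'^WordPress/(?P<version>[\d.]+); (?P<site>[^;]+); '
    r'verifying pingback from (?P<origin>\S+)$'
)

# Constructed sample: three abused WordPress hosts hitting "/" with cache-busting
# query strings, plus one ordinary browser request that must not match.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Mar/2014:12:00:01 +0000] "GET /?4827351 HTTP/1.0" 200 5120 "-" "WordPress/3.8.1; http://blog-a.example.com; verifying pingback from 198.51.100.7"
192.0.2.11 - - [10/Mar/2014:12:00:01 +0000] "GET /?9918232 HTTP/1.0" 200 5120 "-" "WordPress/3.7.1; http://blog-b.example.net; verifying pingback from 198.51.100.7"
192.0.2.12 - - [10/Mar/2014:12:00:02 +0000] "GET /?1234567 HTTP/1.0" 200 5120 "-" "WordPress/3.8; http://blog-c.example.org; verifying pingback from 198.51.100.7"
203.0.113.5 - - [10/Mar/2014:12:00:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/27.0"
192.0.2.10 - - [10/Mar/2014:12:00:03 +0000] "GET /?4827352 HTTP/1.0" 200 5120 "-" "WordPress/3.8.1; http://blog-a.example.com; verifying pingback from 198.51.100.7"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def pingback_hits(lines):
    """Yield (reflector_ip, abused_site, origin_ip, path, query) for each line
    whose User-Agent is a WordPress pingback verification fetch."""
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ua = PINGBACK_UA_RE.match(rec["ua"])
        if ua is None:
            continue
        req = rec["request"]
        target = req.split(" ")[1] if " " in req else req
        path, _, query = target.partition("?")
        yield rec["ip"], ua.group("site"), ua.group("origin"), path, query


def analyse(lines, min_reflectors=3):
    """Summarise suspected pingback-flood traffic in the given log lines.
    'flood' is set once at least min_reflectors distinct reflector IPs are seen."""
    reflectors = set()
    sites = set()
    origins = Counter()
    per_path = Counter()
    queries = set()
    for ip, site, origin, path, query in pingback_hits(lines):
        reflectors.add(ip)
        sites.add(site)
        origins[origin] += 1
        per_path[path] += 1
        if query:
            queries.add(query)
    return {
        "hits": sum(per_path.values()),
        "reflectors": len(reflectors),
        "abused_sites": sorted(sites),
        "claimed_origins": origins,
        "top_path": per_path.most_common(1)[0][0] if per_path else None,
        "cache_busting_variants": len(queries),
        "flood": len(reflectors) >= min_reflectors,
    }


if __name__ == "__main__":
    summary = analyse(SAMPLE_LOG.splitlines())
    for key, value in summary.items():
        print("%-23s %s" % (key, value))
```

Feed analyse() an open log file to run it on real traffic. The "claimed_origins" counter is worth keeping: it is the address each abused site saw the XML-RPC call come from, which points at the attacker's sending hosts rather than at the reflectors. On a WordPress site you administer, the reflector side of this is closed by removing pingback.ping from the XML-RPC method table (the xmlrpc_methods filter) or by blocking access to xmlrpc.php at the web server, since, as the Sucuri post notes, WordPress core treats the behaviour as a feature.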
