
Thread: SPAM frauds, fakes, and other MALWARE deliveries...

  1. #421
    AplusWebMaster (Adviser Team) - Join Date: Oct 2005 - Location: USA - Posts: 6,881

    Something still evil on 66.96.223.192/27

    FYI...

    Something still evil on 66.96.223.192/27
    - http://blog.dynamoo.com/2014/04/some...622319227.html
    16 April 2014 - "Last week I wrote about a rogue netblock hosted by Network Operation Center* in the US. Well, it's still spreading malware but now there are -more- domains active on this range. A full list of the subdomains I can find are listed here [pastebin**]. I would recommend that you apply the following blocklist:
    66.96.223.192/27
    andracia .net
    ..."
    (Long list at the dynamoo URL above.)
    * http://blog.dynamoo.com/2014/04/some...622319227.html

    ** http://pastebin.com/RQfE69hn
    ___

    Netflix-themed tech support SCAM ...
    - http://blog.malwarebytes.org/fraud-s...more-copycats/
    April 16, 2014 - "A few weeks ago we blogged about this Netflix phishing scam -combined- with fake tech support that was extorting private information and money from people. The scam worked by asking unsuspecting users to log into their Netflix account and enter their username and password into a -fraudulent- website. After collecting the personal details, the perpetrators used a fake warning to state the particular account had been suspended. All this effort was really about leading potential victims into a trap, by making them call a 1-800 number operated by -fake- tech support agents ready to social engineer their mark and collect their credit card details. A slightly new variant is once again making the rounds with the same goal of funnelling traffic to -bogus- ‘customer support’ hotlines:
    > http://cdn.blog.malwarebytes.org/wp-...ed_netflix.png
    ... this time around the scammers behind it are expanding the phishing pages to other online services as well to target a wider audience. Crooks are buying online ads for each brand such as this one on Bing for “netflix tech support number”:
    > http://cdn.blog.malwarebytes.org/wp-...04/bingad1.png
    ... The quality of leads you get from targeted advertising is much higher than that from random cold calls. If you can attract people already looking for help and offer them your service, chances are conversion rates will be higher..."

    Last edited by AplusWebMaster; 2014-04-16 at 23:39.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #422

    Fake Facebook Chat Verification used for SPAM

    FYI...

    Fake Facebook Chat Verification used for SPAM
    - http://blog.trendmicro.com/trendlabs...used-for-spam/
    Apr 17, 2014 - "Facebook users are once again the target of a malicious scheme—this time in the form of a notification about “Facebook Chat”. The spammed notification pretends to come from the “official Facebook Chat Team.” A notification shows users of a tagged comment to a Facebook Note containing a fake announcement about a Facebook Chat verification requirement.
    > http://blog.trendmicro.com/trendlabs...chat-spam1.jpg
    The spam tries to sound urgent to convince users to verify their accounts. To do so, they are first asked to go to a Pastebin URL and are instructed to copy a specific code. The set of instructions differs depending on what browser is being used (Google Chrome, Mozilla Firefox, or Internet Explorer). Users are then directed to a shortened link and are asked to press a particular function key (F12 for Google Chrome users, for example). After clicking on the console tab, users are supposed to paste the provided Javascript code into the address bar, then press Enter. This actually gives bad guys access to the user’s account, giving them the capability to auto-tag anyone in the users’ friends list and start the cycle of victimizing other account users... From the get-go, users should know that there is -no- product called “Facebook Chat,” let alone a team that sends out a supposed “advisory” to its users. The social media site’s official instant messaging feature is called Facebook Messenger, which is also the name of its stand-alone app. Earlier this month, Facebook announced* that Android and iOS users will be required to use this stand-alone app by eliminating the chat features of the traditional app versions of the site. Facebook has taken action against threats like this by releasing an official announcement. The official Facebook warning** notes, “This is a variant on the self-XSS attack. By pasting the code in the browser console, the user gives the code access to their account. The code usually posts the same scam on other people’s walls, and subscribes the user to pages controlled by the attacker – but it could do much worse things”..."
    * http://mashable.com/2014/04/09/faceb...ing-messenger/

    ** https://www.facebook.com/selfxss
    ___

    Zeus with your coffee ...
    - https://www.securelist.com/en/blog/8...th_your_coffee
    Apr 16, 2014 - "Cybercriminals often like to use a bogus letter to trick people into opening malicious attachments. There are two tricks that make this work: a message from a familiar name (a bank, social network, service provider or other organization that might interest the recipient) and an intriguing or alarming subject. An attack based on -fake- messages supposedly from coffee chain Starbucks combined the two.
    > https://www.securelist.com/en/images..._starbucks.jpg
    The detected distribution claimed... a recipient's friend made an order for him to celebrate a special occasion in a Starbucks coffee shop. That mysterious friend wished to remain anonymous, enjoying the intrigue he was creating, but was sending out invitations with details of a special menu, which is available in the attachment. In the end they wished the recipient an awesome evening. All the messages were sent out with high importance. Besides, the addresses, created on the Gmail and Yahoo! free mail services, changed from letter to letter and seemed to be randomly generated combinations like incubationg46@, mendaciousker0@ and so on. The attachment was a .exe file and the cybercriminals made no effort to mask it with an archive or double filename extension. They seemed to be sure a happy recipient would open the attachment without any suspicion. Kaspersky Lab detects the attached file as Rootkit.Win32.Zbot.sapu - a modification of one of the most notorious spyware families, Zbot (ZeuS). These applications are used by cybercriminals to steal confidential information. This version of Zbot is able to install a rootkit, Rootkit.Win32.Necurs or Rootkit.Win64.Necurs, which disrupts the functioning of antiviruses or other security solutions."
    ___

    Google patches Android icon Hijacking vuln
    - http://www.securityweek.com/google-p...-vulnerability
    Apr 15, 2014 - "Researchers at FireEye have identified a vulnerability affecting Google Android that could be exploited to lead users to malicious sites. According to FireEye*, the issue allows a malicious app with 'normal' protection level permissions to target legitimate icons on the Android home screen and modify them to point to attack sites or the malicious app itself without notifying the user. The issue has been acknowledged by Google, which has released a patch to its OEM partners..."
    * http://www.fireeye.com/blog/technica...n_android.html
    Apr 14, 2014

    - https://atlas.arbor.net/briefs/index#-561580891
    Elevated Severity
    17 Apr 2014

    Last edited by AplusWebMaster; 2014-04-18 at 20:09.

  3. #423

    Fake Santander Bank SPAM – word doc malware

    FYI...

    Fake Santander Bank SPAM – word doc malware
    - http://myonlinesecurity.co.uk/santan...d-doc-malware/
    Apr 22, 2014 - "March Invoice pretending to be from Santander bank with a sender address of Sarah Gandolfo [sgand0395@ aol.com] is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email reads:
    Please find attached your March invoice, we now have the facility to email invoices, but if you are not happy with this and would like a hard copy please let me know.
    New bank details for BACS payments are Santander Bank Sort Code 271201 Account No 56024641.
    Thanks very much
    Sarah


    22 April 2014: March invoice 5291.zip (10kb) Extracts to March invoice 8912.exe
    Current Virus total detections: 1/51* . This March Invoice is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/4...5fbe/analysis/
    ___

    Visa Card phish ...
    - http://www.hoax-slayer.com/visa-card...ing-scam.shtml
    Apr 22, 2014 - "... email purporting to be from Visa claims that the recipient's card access has been limited because 'unusual activity' has been detected... The email is -not- from Visa. It is a -scam- designed to steal the recipient's credit card data. A link in the email opens a -fake- website that asks for the user's credit card number, and other information pertaining to the recipient's Visa account...
    Example:
    Subject: Access to your Visa card has been blocked
    Visa Card Status Notification
    We are contacting you to Inform you that our Visa Card security department identified some unusual activity in your card. In accordance with Visa Card User Agreement and to ensure that your Visa Card has not been accessed from fraudulent locations, access to your Visa Card has been limited. Your Visa Card access will remain limited until this issue has been resolved please Click My Visa Card Activity to continue.
    My Visa Card Activity
    We take your online safety seriously, which is why we use state of the art notification systems to identify unusual activity and a challenge process to validate your details.
    Thanks for banking with Visa.
    Customer Finance Department
    © Visa & Co, 2014.


    Screenshot: http://www.hoax-slayer.com/images/vi...ing-scam-1.jpg

    The message invites users to -click- a link to resolve the issue and restore access... the message is -not- from Visa and the claim that the account has been limited is a lie... the email is a typical phishing scam designed to extract financial information from users. The email's links open a -bogus- website created to closely mirror the look and feel of a genuine Visa webpage. The fake page will include a 'verification form' that requests users to supply their credit card number and other account details. After supplying the requested information, users will be taken to a second fake page that informs them that the problem has been resolved and restrictions have been removed... of course, there was no problem with the card to begin with..."
    ___

    Fake 'Paintball Booking' SPAM ...
    - http://blog.mxlab.eu/2014/04/22/pain...r-with-trojan/
    Apr 22, 2014 - "... new trojan distribution campaign by email with the subject “Paintball Booking Confirmation”. This email is sent from the spoofed address “"ipguk52@ paintballbookingoffice .com" <ipguk@ paintballbookingoffice .com>” and has the following body:
    Dear client,
    Many thanks for your booking on Saturday 19/04/2014 at our Reading Paintball centre Mapledurham, Reading. Arrival time is 09:15AM prompt.
    Please view the attached booking confirmation, map and important game day documents prior to attending.
    Kind regards,
    Leigh Anderson
    Event Co-ordinator...


    The attached ZIP file has the name Booking Confirmation 2826-66935.zip; once extracted, a folder Booking Confirmation 0414-28921 is created which contains the 14 kB file Booking Confirmation 0414-28921.exe. The trojan is known as Win32:Dropper-gen [Drp], W32/Trojan.ZLGD-2681, Trojan:W32/Zbot.BBLB or HEUR/Malware.QVM07.Gen. At the time of writing, 4/51 AV engines detected the trojan at Virus Total. Use the Virus Total permalink* and Malwr permalink** for more detailed information.
    SHA256: 4c69e3b6d2f7dbaf78eacfd60f2de685da9d942fdf9c1ff7ae4b88be17075fbe "
    * https://www.virustotal.com/en/file/4...5fbe/analysis/

    ** https://malwr.com/analysis/YmI4MmFlN...U1ODMyMmMyZGQ/

    Last edited by AplusWebMaster; 2014-04-22 at 16:57.

  4. #424

    Massive cyber wire fraud attacks on US Companies

    FYI...

    Massive cyber wire fraud attacks on US Companies
    - https://www.trustedsec.com/april-201...-us-companies/
    April 25, 2014 - "... a number of US companies have been impacted, and unfortunately, a number of companies that are still unaware they were victim of this attack. A major offensive is currently happening on a number of United States based companies, mostly involving those that have international components. TrustedSec notified law enforcement that multiple companies are affected, and these attacks are aimed at extracting money from the companies. An ongoing and active case is in progress working with the companies affected and investigating the incidents... high success rate. They appear to have different escalation models and ways to force organizations to perform the transfer without triggering suspicion. They use a combination of social-engineering (both email and phone), compromising trusted partners/third parties, and spoofing email addresses in order to accomplish their goals...
    What you can do:
    1. Notify your financial and accounts payable departments of these attacks and the techniques.
    2. Verify all transactions with your third party partners and vendors, especially when refunding money (phone calls directly to a known phone number).
    3. Provide enhanced education and awareness of these types of attacks.
    4. If you have fallen victim to this attack, notify your local FBI office immediately...
    Measures should be taken right -now- in order to educate your finance and accounts payable departments, as well as an emphasis on controls in place for your third party partners and vendors."
    (More detail at the trustedsec URL above.)


  5. #425

    Something evil on 146.185.213.69 ...

    FYI...

    Something evil on 146.185.213.69 ...
    - http://blog.dynamoo.com/2014/05/some...21369-and.html
    1 May 2014 - "146.185.213.69 caught my eye, hosting a number of "ads." subdomains, many of which are tagged by Google as being malicious... you can probably assume that all those domains are malicious (even without the ads. prefix)... The block is owned by RN Data SIA of Latvia and suballocated to somebody in St Petersburg by the name of Mikhail Evgenyevich Valyalov. RN Data are one of those hosts that have hosted malware in the past*, and I tend to lean towards blocking them... frankly this entire /24 looks like it is being used for evil purposes at the moment and I recommend that you block it..." [146.185.213.*]
    * http://blog.dynamoo.com/2011/10/some...-to-block.html
    (More detail at the dynamoo URL above.)
    ___

    Fake Malwarebytes 2.0 ...
    - http://blog.malwarebytes.org/securit...re-2-0-abound/
    May 1, 2014 - "... we already started seeing fake executable files purporting to be free versions of our product being hosted on unfamiliar sites.
    A small sample of rogue files we found in the wild:
    > http://blog.malwarebytes.org/wp-cont...04/samples.png
    One of the many sites that host MBAM PUPs:
    > http://blog.malwarebytes.org/wp-cont.../fake-site.png
    ... we found that these files have common behaviours: they all enable themselves to run whenever Windows is restarted or the system is turned on and they’re capable of accessing private information that browsers store whenever we go online, such as data pertaining to cookies, browsing history, and list of restricted sites... Several of these samples also create entries to IE’s restricted sites zone, consequently blocking users from accessing specific domains...
    Sample of MBAM Installation GUI (taken from malwr.com):
    > http://blog.malwarebytes.org/wp-cont...MWB-sample.png
    For anyone interested in trying out MBAM 2.0, the wisest thing to do is still to go to our official download site*..."
    * https://www.malwarebytes.org/downloads/

    Last edited by AplusWebMaster; 2014-05-02 at 05:36.

  6. #426

    Android Police-Locker ransomware, BoA SPAM ...

    FYI...

    Android "Police Locker" ransomware ...
    - http://net-security.org/malware_news.php?id=2759
    5.05.2014 - "Android users might soon become victims of "Police Locker" ransomware, if they haven't already, warns the researcher behind the Malware don't need Coffee blog*. "The 'Reveton team' has diversified its locking activity," he informs us. "The advert is old (2014-02-18) but I decided to write about it today as I found a Traffic Distribution System (TDS) using almost all features proposed by this affiliate including the Android locker." Other options for malware delivery include system lockers, fake AV, fake codecs, and Browlock ransomware. The researcher discovered a threat actor that uses a TDS that employs almost all features: if you land on a malicious site using Internet Explorer, a variant of the Winlock ransomware is served. If you land with another browser on Windows, Linux or Mac, you'll get Browlock. Finally, if you land on it with Android, you will be redirected to a fake adult website that will automatically push the download of a malicious APK file masquerading as a video downloader app (and using the icon of the legitimate BaDoink Video Downloader). The good news is that the user must approve the installation... The 'fine' US users are asked to pay in order to get their phones unlocked is $300, payable via Money Pak... The malware is detected... as Trojan Koler**, and the researcher has already spotted another threat actor delivering it. In this case, the malicious APK masquerades as the popular BSPlayer video player for Android."
    * http://malware.dontneedcoffee.com/20...-for-your.html

    ** https://www.virustotal.com/en/file/e...is/1399286001/
    Detection ratio: 4/52
    ___

    Bank of America CashPro Spam
    - http://threattrack.tumblr.com/post/8...a-cashpro-spam
    May 5, 2014 - "Subjects Seen:
    FW: Important account documents
    Typical e-mail details:
    Please scan attached document and fax it to +1 (888) 589-1001.
    Please note that the Terms and Conditions available below are the Bank’s most recently issued versions. Please bear in mind that earlier versions of these Terms and Conditions may apply to your products, depending on when you signed up to the relevant product or when you were last advised of any changes to your Terms and Conditions. If you have any questions regarding which version of the Terms and Conditions apply to your products, please contact your Relationship Manager.
    Yours faithfully
    Vince Blue


    Malicious File Name and MD5:
    Account_Documents.zip (40E7BB684935A7B86E5D8E480974F691)
    Account Documents.scr (6E40CD3BB6F1F531CDCE113A8C684B08)


    Screenshot: https://gs1.wac.edgecastcdn.net/8019...gvd1r6pupn.png

    Tagged: Bank of America, Upatre
    ___

    Encrypting Ransomware ...
    - http://www.webroot.com/blog/2014/05/...ng-ransomware/
    May 5, 2014 - "... big change in the encrypting ransomware family... For those that aren’t aware of what encrypting ransomware is, it's a cryptovirus that encrypts all your data from local hard drives, network shared drives, removable hard drives and USB. The encryption is done using an RSA-2048 asymmetric public key which makes decryption without the key impossible. Paying the ransom will net you the key which in turn leads to getting your data back.
    Cryptolocker:
    > https://www.webroot.com/blog/wp-cont...ptolocker5.png
    (Other samples at the first webroot URL above.)
    In its first evolution of what we know as “Cryptolocker” the encryption key was actually stored on the computer and the victim, with enough effort, could retrieve said key. Then you could use tools submitted on forums to put in your key and decrypt all your data without paying the ransom. In future improvements malware authors made sure that the only place the key was stored was on a secure server so that you were forced to pay. However, more often than not the malicious dropper didn’t delete the VSS (Volume Shadow Service) and victims still had the option to manually restore files from a previous date using programs like Shadow Explorer (OS drive only). For those that don’t know what the VSS is, it’s a restorative feature that is included in XP SP2 and later versions of Windows. Essentially it is a technology that allows taking manual or automatic backup copies of data and is related to system restore. In newer variants of Cryptolocker the VSS is almost always deleted at deployment. Malware authors also give the victim a special extended period of time to get their files if they waited past the deadline, but the price usually doubles or triples.
    CryptoDefense:
    > https://www.webroot.com/blog/wp-cont...ptolocker7.png
    (Other samples at the first webroot URL above.)
    In one of the more recent variants of encryption ransomware dubbed “CryptoDefense” it no longer has a graphical user interface (GUI). Instead the malware will just open a webpage after encryption and leave a text file at every directory that was encrypted. The instructions to get the key to decrypt your files have you install anonymous Tor or other layered encryption browsers so you can pay them directly and securely. This enables malware authors to circumvent a portion of the Zeus fraud, avoid the need for money mules (middle men) and increase the percentage of profit.
    DirCrypt:
    > https://www.webroot.com/blog/wp-cont...5/dircrypt.png
    In this most recent change in encrypting ransomware, instead of going after various file extensions, all files are encrypted into RTF documents with a *.enc.rtf extension. This one really blindsides the victim as you’ll get no pop up GUI or webpage once encryption completes; you have to open one of your documents to find that it was encrypted. All documents will have the same content similar to what is shown. One big improvement that is quite nasty for victims is the encryption is no longer a static one time deal. This variant will actively seek out and encrypt any new or modified files written to drives. We noticed while testing a collected sample that when we attempted to save screenshots, it immediately encrypted them. We expect future encrypting ransomware variants to include these tactics as the evolution continues..."

    Last edited by AplusWebMaster; 2014-05-05 at 22:20.

  7. #427

    Hacked WordPress site, BT Digital File SPAM, Fake MMS message, Payment error SPAM

    FYI...

    Hacked WordPress site - ccccooa .org
    - http://blog.dynamoo.com/2014/05/cccc...ress-site.html
    6 May 2014 - "ccccooa .org ("Cumberland County Council on Older Adults") is another hacked WordPress site being used to serve pharma spam. I got -82- of these all at the same time..
    From: Linkedln Email Confirmation [emailing@ compumundo .info]
    Reply-To: emailing@ compumundo .info
    To: topsailes@ gmail .com
    Date: 6 May 2014 13:41
    Subject: Please confirm your email address
    Linkedln
    Click here to confirm your email address.
    You will be asked to log into your account to confirm this email address. Be sure to log in with your current primary email address.
    We ask you to confirm your email address before sending invitations or requesting contacts at Linkedln. You can have several email addresses, but one will need to be confirmed at all times to use the system.
    If you have more than one email address, you can choose one to be your primary email address. This is the address you will log in with, and the address to which we will deliver all email messages regarding invitations and requests, and other system mail.
    Thank you for using Linkedln!
    --The Linkedln Team
    This email was intended for [redacted]. Learn why we included this...


    One example landing URL is [donotclick]www.ccccooa .org/buyphentermine/ which leads to a sort of intermediary landing page..
    > https://3.bp.blogspot.com/-yHYRE10WZ.../fake-rx-1.png
    This in turn goes to a -redirect- at [donotclick]stylespanel .com/h/go/phentermine.php and then to [donotclick]www.hq-pharmacy-online .com/search.html?q=phentermine which is a -fake- pharmacy site hosted on 95.211.228.240 (LeaseWeb, Netherlands) which is registered to a probably fake address in Argentina. Avoid.. oh, and if you run a WordPress site please make sure the software is up-to-date."
    ___

    BT Digital File - SPAM
    - http://blog.dynamoo.com/2014/05/impo...file-spam.html
    6 May 2014 - "This -fake- BT spam comes with a malicious attachment:
    Date: Tue, 6 May 2014 15:18:15 +0700 [04:18:15 EDT]
    From: Santiago Biggs [Santiago.Biggs@ bt .com]
    Subject: Important - BT Digital File
    BT Digital Vault BT
    Dear Customer,
    This email contains your BT Digital File. Please scan attached file and reply to this email.
    If you have any questions or forgotten your password, please visit the "Frequently Asked Questions" at www.bt .com/personal/digitalvault/help or call the helpdesk on 0870 240 1116* between 8am and midnight.
    Thank you for choosing BT Digital Vault.
    Kind regards,
    BT Digital Vault Team ...
    Please note that this is an automatically generated email for your information only. We are sorry, but we can not respond to a "Reply" to this address...


    Screenshot: https://2.bp.blogspot.com/-3lQPEJML0...Q/s1600/bt.png

    Attached to the message is an archive file BT_Digital_Vault_File.zip which in turn contains a malicious executable BT_Digital_File.scr which has a VirusTotal detection rate of 11/52*. Automated analysis tools... show that this malware downloads additional components from the following locations:
    [donotclick]realtech-international .com/css/0605UKdp.rar
    [donotclick]biz-ventures .net/scripts/0605UKdp.rar
    Blocking those URLs or monitoring for them may help to prevent further infection."
    * https://www.virustotal.com/en/file/8...is/1399371324/
    ___

    Fake MMS message – jpg malware
    - http://myonlinesecurity.co.uk/new-mm...e-jpg-malware/
    6 May 2014 - "... message pretending to come from 01552521415@ mmsreply.t-mobile .co .uk [NBdnO_0K0Cb8VYiYEpV8ozYauXw7swqpIiIs6nK3@ mmsreply.t-mobile .co .uk] is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...
    Email reads:
    our message:
    Guess what I forgot *handoverface*, see attached pic
    Sending a reply:
    You can reply by email to this mobile number within the next 7 days.
    The total message size should not exceed 300kb.
    You can only reply once, and it must be within 7 days of receiving this message...


    Today's Date: PIC000444182547.zip (53 kb) Extracts to PIC000983339211.jpeg.exe
    Current Virus total detections: 6/52*
    ... another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper jpg file instead of the .exe file it really is... look carefully at the unzipped file. If it says .EXE then it is a problem and should not be run or opened."
    * https://www.virustotal.com/en/file/b...47fd/analysis/
    ___

    Fake Payment error SPAM – malware
    - http://myonlinesecurity.co.uk/paymen...92410-malware/
    6 May 2014 - "Payment error #25393592410 pretending to come from Orville Creasy [payment@ rachelwarne .co .uk] is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers...
    Email looks like :
    This e-mail has been sent to you to inform you that we were unable to process your most recent payment #570475658997219860277606
    Please check attached file for more detailed information on this transaction.
    Pay To Account Number: 8843867223806343
    Date: 2014-05-05 15:19:19 UTC.
    Transaction ID: 25393592410
    Amount Due: £ 1060.45
    Orville Creasy,
    +07957419543


    The number on the email subject is different in every email as are the transaction numbers, the pay to account number, the amount due and alleged sender and his/her phone number. The email senders are all different and the only thing in common is that they all pretend to be sent from payment @ some random named but real company. The companies have not been hacked. They just use the name of a company from a long list... unless you have “show known file extensions enabled“, will look like a file with an icon of a £ sign pretending to be a specialised invoice instead of the .exe file it really is..."

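The spoofed-icon trick recurring in the Santander, Paintball, CashPro, MMS and Payment-error posts above (an .exe or .scr inside a ZIP, sometimes hiding behind a .jpeg or .pdf inner extension so that it looks like a document when extensions are hidden) can be caught before a user ever sees the icon. The following is an added example, not code from any of the quoted blogs: a small Python scanner that opens a ZIP attachment and flags members with an executable last extension, a decoy double extension, or PE "MZ" content under a harmless extension. The archive and member names mirror those reported in the posts; the contents are constructed dummy bytes, not real samples.

```python
"""Flag mail attachments that use the icon / double-extension trick.

Added example (not from the quoted blogs). Sample archives are constructed
in memory; the member names follow the ones reported in the thread.
"""
import io
import zipfile

# Extensions Windows will run no matter what icon the file shows.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}
# Extensions the lure wants the victim to believe they are opening.
DECOY_EXTS = {".pdf", ".jpg", ".jpeg", ".doc", ".docx", ".xls", ".txt", ".png"}
# Every PE executable starts with the DOS header magic "MZ".
MZ_MAGIC = b"MZ"


def classify_member(name, head):
    """Return a list of findings for one archive member.

    name: member file name inside the archive
    head: first few bytes of the member's content
    """
    findings = []
    parts = name.lower().rsplit(".", 2)          # 'pic.jpeg.exe' -> ['pic', 'jpeg', 'exe']
    ext = "." + parts[-1] if len(parts) > 1 else ""
    inner = "." + parts[-2] if len(parts) > 2 else ""
    if ext in EXECUTABLE_EXTS:
        findings.append("executable extension %s" % ext)
        if inner in DECOY_EXTS:
            findings.append("double extension %s%s hides an executable behind a "
                            "document/image name" % (inner, ext))
    # Renamed executables: the content says PE even though the name does not.
    if head.startswith(MZ_MAGIC) and ext not in EXECUTABLE_EXTS:
        findings.append("PE header (MZ) under non-executable extension %s" % (ext or "(none)"))
    return findings


def scan_zip_bytes(data):
    """Scan a ZIP archive given as bytes; return {member: [findings]} for flagged members."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(4)                  # enough for the MZ check
            findings = classify_member(info.filename, head)
            if findings:
                report[info.filename] = findings
    return report


def build_sample_zip(members):
    """Construct an in-memory ZIP from {name: bytes} (test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed attachments modelled on the names in the quoted posts. FAKE_PE
# is just the DOS header magic padded with zeros, not an executable.
FAKE_PE = b"MZ" + b"\x00" * 62
JPEG_HEAD = b"\xff\xd8\xff\xe0" + b"\x00" * 16
SAMPLES = {
    "PIC000444182547.zip": build_sample_zip({"PIC000983339211.jpeg.exe": FAKE_PE}),
    "Account_Documents.zip": build_sample_zip({"Account Documents.scr": FAKE_PE}),
    "Booking Confirmation 2826-66935.zip": build_sample_zip(
        {"Booking Confirmation 0414-28921/Booking Confirmation 0414-28921.exe": FAKE_PE}),
    "holiday_photos.zip": build_sample_zip({"beach.jpg": JPEG_HEAD}),   # benign control
    "renamed.zip": build_sample_zip({"report.pdf": FAKE_PE}),           # .exe renamed to .pdf
}


def scan_all(samples=SAMPLES):
    """Scan every sample archive; archives with an empty report are clean."""
    return {arch: scan_zip_bytes(data) for arch, data in samples.items()}


if __name__ == "__main__":
    for arch, report in scan_all().items():
        print("%-40s %s" % (arch, "FLAGGED" if report else "clean"))
        for member, findings in report.items():
            for finding in findings:
                print("    %s: %s" % (member, finding))
```

Only the first four bytes of each member are read, so the scanner never has to extract or execute the attachment; the same checks can be run on a mail gateway before delivery.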

  8. #428

    Fake invoice, Fake Lloyds Banking BACs SPAM, Google+ phish

    FYI...

    Fake invoice file attachment SPAM
    - http://blog.dynamoo.com/2014/05/this...oice-file.html
    7 May 2014 - "Another case of a very terse spam with a malicious email attachment:
    Date: Wed, 7 May 2014 14:06:46 +0700 [03:06:46 EDT]
    From: Accounts Dept [menopausaln54@ jaygee .co .uk]
    Subject: Email invoice: 1888443
    This email contains an invoice file attachment


    ... The attachment is emailinvoice.069911.zip which in turn contains a malicious executable emailinvoice.899191.exe which has a VirusTotal detection rate of 5/52*. Automated analysis tools of this binary... shows that it downloads a further component... This "111.exe" binary has an even lower VirusTotal detection rate of 3/51**. Automated analysis of this... shows the malware installs itself deeply into the target system. There is a further download of a malicious binary from files.karamellasa .gr/tvcs_russia/2.exe which has a detection rate of 5/50*** and identifies as a variant of Zeus. This creates fake svchost.exe and csrss.exe executables on the target system..."
    (More detail at the dynamoo URL above.)
    * https://www.virustotal.com/en-gb/fil...is/1399448792/

    ** https://www.virustotal.com/en-gb/fil...is/1399450008/

    *** https://www.virustotal.com/en-gb/fil...is/1399450683/
    ___

    Fake Lloyds Banking BACs – fake PDF malware
    - http://myonlinesecurity.co.uk/lloyds...e-pdf-malware/
    7 May 2014 - "Lloyds Commercial Banking Important BACs pretending to be from Lloyds Commercial Banking [Ora.Hutchison@ lloydsbank .com] is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers... Email looks like:
    Important account documents
    Reference: C96 Case number: 0746481
    Please review attached BACs documents and fax it to +44 (0) 845 600 9454.
    Please note that the Terms and Conditions available below are the Bank’s most recently issued versions. Please bear in mind that earlier versions of these Terms and Conditions may apply to your products, depending on when you signed up to the relevant product or when you were last advised of any changes to your Terms and Conditions. If you have any questions regarding which version of the Terms and Conditions apply to your products, please contact your Relationship Manager.
    Yours faithfully
    Adrienne Mcdermott Senior Manager, Lloyds Commercial Banking ...


    Screenshot: http://myonlinesecurity.co.uk/wp-con...rtant-BACs.png

    7 May 2014 : LloydsCase-8948231.zip ( 11kb) Extracts to LloydsCase-07052014.scr
    Current Virus total detections: 3/51*
    ... another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is... make sure you have “show known file extensions enabled”, and then look carefully at the unzipped file. If it says .EXE then it is a problem and should not be run or opened."
    * https://www.virustotal.com/en/file/1...56c3/analysis/
    ___

    Fake "TNT UK Limited" SPAM
    - http://blog.dynamoo.com/2014/05/tnt-...ited-spam.html
    7 May 2014 - "This -fake- TNT spam has a malicious attachment:
    Date: Wed, 7 May 2014 01:50:00 -0600 [03:50:00 EDT]
    From: TNT COURIER SERVICE [tracking@tnt.co.uk]
    Subject: TNT UK Limited - Package tracking 236406937389
    TNT COURIER SERVICE (TCS)
    Customer/Delivery Services Department
    Central Pk Est/Mosley Rd, Trafford Park
    Manchester, M17 1TT UK.
    DETAILS OF PACKAGE
    Reg order no: GB5766211
    Your package have been picked up and is ready for dispatch. Please print attached form
    and pick up at the nearest office.
    Connote # : 236406937389
    Service Type : Export Non Documents - Intl
    Shipped on : 07 Apr 13 00:00
    Order No : 5766211
    Status : Driver's Return Description : Wrong Postcode ...


    The attachment is GB5766211.zip which contains the malicious executable GB07052014.scr (note the date is encoded into the filename). This has a VirusTotal detection rate of 7/52*. Automated analysis tools... show a UDP connection to wavetmc .com and a further binary download from demo.providenthousing .com/wp-content/uploads/2014/05/b01.exe . This second executable has a VirusTotal detection rate of 20/51**. The Malwr report and Anubis report both show attempted connection to various mail servers (e.g. Gmail and Hotmail). Furthermore the Anubis report shows a data transfer to 83.172.8.59 (Tomsk Telecommunication Company, Russia).
    Recommended blocklist:
    83.172.8.59
    wavetmc .com
    demo.providenthousing .com
    "
    * https://www.virustotal.com/en-gb/fil...is/1399452001/

    ** https://www.virustotal.com/en-gb/fil...is/1399452578/
    ___

    More PUPs - using Instagram as Lure
    - http://blog.malwarebytes.org/securit...agram-as-lure/
    May 7, 2014 - "... In the case of Instagram, what we’ve seen out there could pose greater risk than, say, your average phishing site. Doing a Google search surely yields sites where one can download several programs involving Instagram. Some of which can either be classed as “image viewers” or “image and video downloaders” publicly-accessible accounts. Most of the files I sampled below belong to the latter:
    > http://blog.malwarebytes.org/wp-cont.../instagram.png
    Since Instagram can be visited via Web browsers, we can easily say that these downloads target any Windows computer user who just wants to keep copies of photos and videos that are likely not their own. We ran these potentially unwanted programs (PUPs) on VirusTotal and got the following...
    1) https://www.virustotal.com/en/file/d...is/1398865443/
    2) https://www.virustotal.com/en/file/d...is/1398865443/
    3) https://www.virustotal.com/en/file/d...is/1398864970/
    (More listed at the malwarebytes URL at the top.)
    ... Internet slowdown, unwanted redirection to sites and possible installation of other programs without the user’s consent are just some of the obvious signs users may experience once these programs are installed. Like what we always advise our blog readers, please avoid downloading such programs onto your system as doing so will increase its security risks..."
    ___

    Fake Google+ Survey - Phish ...
    - http://www.hoax-slayer.com/fraudulen...ing-scam.shtml
    May 7, 2014 - "Email purporting to be from the 'All Domain Mail Team' at Google+ asks recipients to participate in a 'spam and fraudulent verification survey'. The email is -not- from Google+ or anybody else at Google. It is a phishing scam designed to trick users into giving their Google account login details to criminals...

    Screenshot: http://www.hoax-slayer.com/images/fr...ing-scam-1.jpg

    ... claims to be from the 'All Domain Mail Team' at Google's social network Google+. It claims that the team is running a 'spam and fraudulent verification survey' and asks users to click a link to participate. It warns that if the verification survey is 'not gotten' within 24 hours, the team will assume that the recipient is a 'fraulent user' and his or her email account will be shut down... These login details will be collected by criminals and used to hijack the Google accounts belonging to the victims. The one set of login credentials can be used to access many different Google services. Thus, the criminals may be able to steal private information stored in various Google applications as well as use Gmail and Google+ accounts to launch further spam and scam campaigns..."

    Last edited by AplusWebMaster; 2014-05-07 at 22:03.
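    A defender-side check for the point made several times above (a .scr or .exe dressed up with a PDF or £ icon, and a date baked into the filename such as GB07052014.scr): the script below is an added example, not code from dynamoo, myonlinesecurity or this thread. It opens a ZIP attachment in memory, reads only the first bytes of each member, and reports the real extension, any double extension, a PE (MZ) header hiding behind a document name, and a ddmmyyyy/ddmmyy digit run in the name. The archive it inspects is constructed inline with inert stand-in bytes, not a real sample.

```python
"""Triage of a ZIP e-mail attachment: look at the real extension and the magic
bytes, not at the icon Explorer shows.  Added example (not dynamoo's or
myonlinesecurity's code); the archive below is constructed with inert bytes."""
from __future__ import annotations

import io
import re
import zipfile

# Extensions Windows runs as programs/scripts even when Explorer hides them
EXEC_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs", ".jse", ".wsf"}
# Document extensions typically used as the disguise half of a double extension
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
# ddmmyyyy or ddmmyy digit run in the stem, as in GB07052014.scr / VAT090514.scr
DATE_IN_NAME = re.compile(r"(?<!\d)(0[1-9]|[12]\d|3[01])(0[1-9]|1[0-2])(20\d\d|\d\d)(?!\d)")


def triage_member(name: str, head: bytes) -> list[str]:
    """Red flags for one archive member given its name and first few bytes."""
    flags: list[str] = []
    base = name.rsplit("/", 1)[-1].lower()
    stem, *ext_parts = base.split(".")
    exts = ["." + p for p in ext_parts]
    last = exts[-1] if exts else ""
    if last in EXEC_EXTS:
        flags.append(f"executable extension {last}")
    if len(exts) >= 2 and exts[-2] in DOC_EXTS and last in EXEC_EXTS:
        flags.append("double extension: document name hiding an executable")
    if head.startswith(b"MZ"):
        # A PE file is a PE file whatever it is called
        if last in EXEC_EXTS:
            flags.append("PE (MZ) header")
        else:
            flags.append(f"PE (MZ) header but extension {last or '(none)'}")
    elif last == ".pdf" and not head.startswith(b"%PDF-"):
        flags.append("named .pdf but content is not a PDF")
    if DATE_IN_NAME.search(stem):
        flags.append("date encoded in filename")
    return flags


def triage_zip(zip_bytes: bytes) -> dict[str, list[str]]:
    """Map every file in the archive to its red flags; nothing is extracted to disk."""
    report: dict[str, list[str]] = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(8)  # magic bytes only
            report[info.filename] = triage_member(info.filename, head)
    return report


def build_sample_zip() -> bytes:
    """Constructed archive for the demo: 'MZ' plus zero padding stands in for a PE file."""
    fake_pe = b"MZ" + b"\x00" * 62
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("LloydsCase-07052014.scr", fake_pe)   # name pattern from the post
        zf.writestr("invoice.pdf.exe", fake_pe)           # double extension
        zf.writestr("report.pdf", fake_pe)                # PE with a document name
        zf.writestr("statement.pdf", b"%PDF-1.4\n%%EOF\n")
        zf.writestr("notes.txt", b"plain text")
    return buf.getvalue()


if __name__ == "__main__":
    for member, flags in triage_zip(build_sample_zip()).items():
        print(f"{member:28} {'; '.join(flags) or 'ok'}")
```

    The script never executes or extracts anything; eight bytes per member are enough to tell a PE from a PDF, which is exactly the check the hidden-extension trick is designed to stop a user from making.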

  9. #429
    AplusWebMaster (Adviser Team; Join Date: Oct 2005; Location: USA; Posts: 6,881)

    Infected malformed PDF, Ransomware on Android ...

    FYI...

    Infected malformed PDF attachments to emails
    - http://myonlinesecurity.co.uk/infect...hments-emails/
    8 May 2014 - "We are now seeing lots of infected -malformed- PDF attachments to emails. The bad guys are changing the method of malware delivery with these emails and attaching a genuine PDF file to the email instead of a zip. These PDFs are -malformed- and contain a script virus that will infect you if you open the PDF and very likely when you preview it in your browser. They are using several well known and hopefully fully fixed exploits in older versions of Adobe reader. They attach what appears to be a genuine PDF file, that is malformed and has a script virus embedded. It depends on which version of Adobe reader you use, but older ones are definitely vulnerable to this exploit... It is vital that you make sure Adobe PDF reader is updated to the latest version 11.0.6* and if you use any alternative PDF reader then make sure that is fully updated. The majority of PDF exploits will affect ALL PDF readers, not just Adobe... these malformed PDFs do -not- preview and appear as plain blank pages in Windows 7 and Windows 8. The other thing that will help to avoid being unwittingly infected by these is to Set Adobe reader or any other PDF reader to open PDFs in the program and NOT in your browser... it is much safer to view them in the application itself which should be sand-boxed to prevent exploits slipping out..."
    * https://helpx.adobe.com/security/pro...apsb14-01.html
    ___

    Koler Trojan or other ransomware on Android
    - http://blog.malwarebytes.org/mobile-...re-on-android/
    May 7, 2014 - "A new Android ransomware dubbed Koler has been spreading as a fake adult themed streaming service ‘BaDoink’ app. Uncovered by security researcher Kafeine*, Koler uses familiar “Police Locker” tactics to get victims to pay a ransom for unlocking their PC or device. Traced back to the team that brought us the Reverton ransomware, Koler uses FBI and other police agency symbols to look legitimate, as well as carefully crafted text.
    > http://cdn.blog.malwarebytes.org/wp-.../akoler04b.jpg
    While your files and other data are not encrypted by Koler.a, the annoying browser page takes over as the active window. Koler is delivered with site redirection; once installed and running, the device is taken over by the ransom browser page, and pressing the Home button or attempting to dismiss the page works for a very short time. The page will reappear when you attempt to open another app or within a few seconds. This causes removal problems because you don’t have enough time to uninstall through normal methods. Removal: The good news is you don’t have to pay the ransom to remove. First off, Malwarebytes Anti-Malware Mobile** detects as Android/Trojan.Koler.a and will prevent and remove this Trojan on your Android device. However, at times there are race conditions where Koler’s page is up and has control of the screen or you might not have a security tool installed... Safe Mode: The quickest manual solution would be to use Android’s Safe Mode; similar to Windows, Safe Mode is a diagnostic environment where third-party apps won’t load and you can remove..."
    (See the Complete procedure at the malwarebytes URL above.)
    * http://malware.dontneedcoffee.com/20...-for-your.html

    ** https://www.malwarebytes.org/mobile/

    Related: http://www.webroot.com/blog/2014/05/...ed-ransomware/
    May 7, 2014
    - http://blog.kaspersky.com/new-ransomware-for-android/
    May 8, 2014

    Last edited by AplusWebMaster; 2014-05-09 at 20:21.
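    The malformed-PDF item above describes a PDF with an embedded script rather than a zipped executable. A static first look at such a file, before any reader touches it, is to count the name objects that carry or auto-trigger scripts (/JavaScript, /JS, /OpenAction, /AA, /Launch) after undoing the #xx name escaping that is used to hide them, the approach the pdfid-style triage tools take. The script below is an added example, not myonlinesecurity's code; the two PDFs it scans are constructed inline and carry only a placeholder string where a script would sit.

```python
"""Static triage of a PDF attachment: count the name objects that carry or
auto-trigger scripts, after undoing #xx name escaping.  Added example, not
myonlinesecurity's code; both PDFs below are constructed and carry only a
placeholder string where a script would sit."""
from __future__ import annotations

import re

# Names worth counting: script carriers, auto-run triggers, launch/embed vectors
SUSPICIOUS = [b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch",
              b"/EmbeddedFile", b"/RichMedia", b"/XFA"]
HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
# A name object containing a #xx escape, e.g. /J#61vaScript for /JavaScript
ESCAPED_NAME = re.compile(rb"/[^\s/<>()\[\]{}%]*#[0-9A-Fa-f]{2}")


def unescape_names(data: bytes) -> bytes:
    """Resolve #xx escapes so an obfuscated /J#61vaScript counts as /JavaScript."""
    return HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def scan_pdf(data: bytes) -> dict:
    """Keyword counts plus a coarse verdict for one PDF given as bytes."""
    norm = unescape_names(data)
    counts = {}
    for kw in SUSPICIOUS:
        # the name must end at a delimiter, so /JS does not also match /JSX...
        counts[kw.decode()] = len(re.findall(re.escape(kw) + rb"(?![A-Za-z0-9_])", norm))
    script = counts["/JavaScript"] + counts["/JS"]
    autorun = counts["/OpenAction"] + counts["/AA"]
    other = counts["/Launch"] + counts["/EmbeddedFile"] + counts["/RichMedia"] + counts["/XFA"]
    if script and autorun:
        verdict = "suspicious"        # script wired to run as soon as the file opens
    elif script or other:
        verdict = "review"
    else:
        verdict = "no script indicators"
    return {
        "valid_header": data.startswith(b"%PDF-"),
        "has_eof": b"%%EOF" in data,
        "obfuscated_names": len(ESCAPED_NAME.findall(data)),
        "counts": counts,
        "verdict": verdict,
    }


# Constructed sample: catalog whose OpenAction points at a JavaScript action,
# with the action name hex-escaped the way obfuscated documents do it
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /S /J#61vaScript /JS (placeholder, no real script) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# Constructed clean document for comparison
CLEAN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for label, pdf in (("sample", SAMPLE_PDF), ("clean", CLEAN_PDF)):
        print(label, scan_pdf(pdf))
```

    Keyword counts are a triage signal, not a verdict: a legitimate form can carry /JS and /AA, and a script inside a compressed object stream (/ObjStm) is invisible to a raw byte scan. The value is in getting the file in front of an analyst, or a sandbox, before it reaches a reader whose version you cannot vouch for.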

  10. #430
    AplusWebMaster (Adviser Team; Join Date: Oct 2005; Location: USA; Posts: 6,881)

    Fake HMRC, Fake Trusteer SPAM

    FYI...

    Fake HMRC SPAM / VAT0781569.zip
    - http://blog.dynamoo.com/2014/05/hmrc...781569zip.html
    9 May 2014 - "This -fake- HMRC spam comes with a malicious attachment:
    Date: Fri, 9 May 2014 12:47:49 +0530 [03:17:49 EDT]
    From: "noreply@ hmrc .gov .uk" [noreply@ hmrc .gov .uk]
    Subject: Successful Receipt of Online Submission for Reference 0781569
    Thank you for sending your VAT Return online. The submission for reference 0781569 was
    successfully received on Fri, 9 May 2014 12:47:49 +0530 and is being processed. Make VAT
    Returns is just one of the many online services we offer that can save you time and
    paperwork.
    For the latest information on your VAT Return please open attached report.
    The original of this email was scanned for viruses by the Government Secure Intranet
    virus scanning service supplied by Cable&Wireless Worldwide in partnership with
    MessageLabs. (CCTM Certificate Number 2009/09/0052.) On leaving the GSi this email was
    certified virus free.
    Communications via the GSi may be automatically logged, monitored and/or recorded for
    legal purposes.


    It says "On leaving the GSi this email was certified virus free" which (as you might suspect) is utter bollocks, because it comes with a malicious payload. Attached to the message is an archive VAT0781569.zip which in turn contains two identical malicious executables AccountDocuments.scr and VAT090514.scr which have a VirusTotal detection rate of 15/52*. This is part one of the infection chain. Automated analysis... shows that components are then downloaded from the following locations:
    [donotclick]bmclines .com/0905UKdp.rar
    [donotclick]gamesofwar .net/img/icons/0905UKdp.rar
    [donotclick]entslc .com/misc/farbtastic/heap170id3.exe
    [donotclick]distrioficinas .com/css/b01.exe
    The malicious binary heap170id3.exe has a VirusTotal detection rate of 9/52**. Automated analysis... shows that this makes a connection to a server at 94.23.32.170 (OVH, France). The other malicious binary, b01.exe had a VirusTotal detection rate of 11/52***. Analysis of this shows... that it attempts to connect to several different email services, presumably to send out spam."
    * https://www.virustotal.com/en-gb/fil...is/1399629443/

    ** https://www.virustotal.com/en-gb/fil...is/1399629644/

    *** https://www.virustotal.com/en-gb/fil...is/1399629683/
    ___

    Fake Trusteer Security Update – PDF malware
    - http://myonlinesecurity.co.uk/truste...e-pdf-malware/
    9 May 2014 - "... pretending to be from Trusteer Support is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...
    Email reads:
    Customer Number: 4086477
    Important Security Update
    Online Banking Protection Software Update from Trusteer
    — THIS IS AN AUTOMATED RESPONSE. NO REPLY IS NECESSARY —
    Please be sure to restart your computer after installing the new update
    Sincerely, Trusteer Technical Support
    Your internet banking account is valuable to fraudsters. That’s why criminals are always looking for new ways to get your online banking details and penetrate your account. Anti-virus and firewalls can’t detect the latest attacks, leaving you vulnerable.
    To protect you against online fraud, please take a moment to Update Rapport – dedicated online banking security software from the experts at Trusteer. It only takes a few minutes to download and install, and there’s no need to restart your computer...


    Screenshot: http://myonlinesecurity.co.uk/wp-con...ity-Update.png

    9 May 2014: derek_RaportUpdate.zip (24 kb) Extracts to Trusteer Update Now.scr
    Current Virus total detections: 8/52* ...
    This Important Security Update is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/b...2aff/analysis/

    - http://threattrack.tumblr.com/post/8.../trusteer-spam
    May 9, 2014
    Tagged: Trusteer, Upatre

    Last edited by AplusWebMaster; 2014-05-09 at 19:55.
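    The download locations and blocklists quoted in this post and the TNT one above are written defanged ("[donotclick]bmclines .com/...", "wavetmc .com") so they cannot be clicked by accident, which also means they cannot be fed to a proxy or firewall as written. The script below is an added example, not dynamoo's code: it refangs the common defanging styles, sorts the entries into IP/CIDR, domain and URL sets, and checks a host from a log against the result, including CIDR containment and subdomain matching. The input is constructed from the indicators written in the posts plus two made-up entries (a hxxp URL on the reserved .invalid TLD and a documentation-range CIDR), both labelled as such.

```python
"""Turn the defanged indicator lists quoted above into a usable blocklist and
check hosts against it.  Added example, not dynamoo's code; the input below is
constructed from the indicators written in the posts, plus two labelled
made-up entries (a hxxp URL and a documentation-range CIDR)."""
from __future__ import annotations

import ipaddress
import re
from urllib.parse import urlsplit

RAW_INDICATORS = """\
# constructed input: indicators as written in the quoted posts
83.172.8.59
wavetmc .com
demo.providenthousing .com
[donotclick]bmclines .com/0905UKdp.rar
[donotclick]gamesofwar .net/img/icons/0905UKdp.rar
[donotclick]entslc .com/misc/farbtastic/heap170id3.exe
[donotclick]distrioficinas .com/css/b01.exe
files.karamellasa .gr/tvcs_russia/2.exe
94.23.32.170
# made-up entries showing two other defanging styles
hxxp://example[.]invalid/path
198.51.100.0/24
"""

CIDR_OR_IP = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?$")


def refang(token: str) -> str:
    """Undo the common ways indicators are made non-clickable."""
    t = token.strip()
    t = re.sub(r"^\[donotclick\]", "", t, flags=re.I)
    t = re.sub(r"^hxxps?://", lambda m: m.group(0).lower().replace("xx", "tt"), t, flags=re.I)
    for bracket in ("[.]", "(.)", "{.}"):
        t = t.replace(bracket, ".")
    t = re.sub(r"\s*\.\s*", ".", t)      # "wavetmc .com" -> "wavetmc.com"
    return t


def host_of(indicator: str) -> str:
    """Hostname part of a URL or of a scheme-less host/path string."""
    if "://" not in indicator:
        indicator = "http://" + indicator
    return (urlsplit(indicator).hostname or "").lower()


def normalize_indicators(raw: str) -> dict[str, list[str]]:
    """Split a defanged list into IP/CIDR, domain and URL sets, all refanged."""
    ips: set[str] = set()
    domains: set[str] = set()
    urls: set[str] = set()
    for line in raw.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ind = refang(line)
        if CIDR_OR_IP.match(ind):
            net = ipaddress.ip_network(ind, strict=False)
            ips.add(str(net) if "/" in ind else str(net.network_address))
            continue
        host = host_of(ind)
        if not host:
            continue
        if "://" in ind or "/" in ind:
            urls.add(ind)              # keep the full download location too
        try:
            ips.add(str(ipaddress.ip_address(host)))
        except ValueError:
            domains.add(host)
    return {"ips": sorted(ips), "domains": sorted(domains), "urls": sorted(urls)}


def is_blocked(host: str, blocklist: dict[str, list[str]]) -> bool:
    """True if host is inside a listed IP/CIDR, is a listed domain, or a subdomain of one."""
    host = host.lower().rstrip(".")
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        labels = host.split(".")
        return any(".".join(labels[i:]) in blocklist["domains"] for i in range(len(labels)))
    return any(addr in ipaddress.ip_network(n, strict=False) for n in blocklist["ips"])


if __name__ == "__main__":
    bl = normalize_indicators(RAW_INDICATORS)
    for kind, items in bl.items():
        print(kind, items)
    for probe in ("sub.wavetmc.com", "198.51.100.77", "83.172.8.60"):
        print(probe, "blocked" if is_blocked(probe, bl) else "allowed")
```

    The domain match is deliberately suffix-based so that a subdomain of a listed host is caught, while a longer name that merely ends in the same letters (notwavetmc.com) is not; the IP match goes through ipaddress so a single address and a CIDR are handled by the same test.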
