
Thread: SPAM frauds, fakes, and other MALWARE deliveries...

    #431 - AplusWebMaster

    Fake PayPal, BBB SPAM ...

    FYI...

    Fake PayPal SPAM – PDF malware
    - http://myonlinesecurity.co.uk/paypal...e-pdf-malware/
    12 May 2014 - "PayPal Notification of payment received is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. These emails are absolutely identical to the genuine emails that you receive from PayPal when someone sends you money, especially after selling something on eBay. The difference is the link to the transaction goes to a fake site that tries to download a malware file to your computer, that appears to be a PDF...

    Screenshot: http://myonlinesecurity.co.uk/wp-con..._new_funds.png

    12 May 2014: PP_detalis_726716942049.pdf.exe (485 kb)
    Current Virus total detections: 0/51*
    This PayPal Notification of payment received is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/f...265f/analysis/
    ___

    BBB SPAM - Washington Metro Area ...
    - http://threattrack.tumblr.com/post/8...etro-area-spam
    12 May 2014 - "Subjects Seen:
    RE:Case #2475314
    Typical e-mail details:
    Owner/Manager
    The Better Business Bureau has received the above-referenced complaint from one of your customers regarding their dealings with you. The details of the consumer’s concern are included on the reverse. Please review this matter and advise us of your position. FILE ATTACHED (Adobe Photoshop format)
    As a neutral third party, the Better Business Bureau can help to resolve the matter. Often complaints are a result of misunderstandings a company wants to know about and correct...
    We look forward to your prompt attention to this matter.
    Sincerely, BBB of Metropolitan Washington DC and Eastern Pennsylvania


    Malicious File Name and MD5:
    Complaint.zip (F72C05A0A0C4C188B07ECE7806CC0F44)
    ComplaintToManager.scr (F89D06A787094FE2DC1AF6B2C0914C17)


    Screenshot: https://gs1.wac.edgecastcdn.net/8019...QFX1r6pupn.png

    Tagged: bbb, Upatre

    - http://myonlinesecurity.co.uk/better...e-pdf-malware/
    12 May 2014 - "Better Business Bureau Complaint with subject of RE:Case #8396880 pretending to come from Refugio Ratliff [Refugio_Ratliff@ bbb .org] is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers...
    Email looks like:
    May 12, 2014
    Owner/Manager
    The Better Business Bureau has received the above-referenced complaint from one of your customers regarding their dealings with you. The details of the consumer’s concern are included on the reverse. Please review this matter and advise us of your position. FILE ATTACHED (Adobe Photoshop format)
    As a neutral third party, the Better Business Bureau can help to resolve the matter. Often complaints are a result of misunderstandings a company wants to know about and correct...
    We look forward to your prompt attention to this matter.
    Sincerely,
    BBB of Metropolitan Washington DC and Eastern Pennsylvania


    12 May 2014: Complaint.zip (7 kb) Extracts to ComplaintToManager.scr
    Current Virus total detections: 2/52*
    ... another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/6...2998/analysis/
    ___

    “Your Photos Are being Used” Phish
    - http://blog.malwarebytes.org/fraud-s...phishing-lure/
    May 12, 2014 - "We’re seeing some reports that an old favourite of scammers everywhere is currently in circulation on social media sites such as Tumblr. If you receive a message from a friend which says:
    OMG YOUR PHOTOS ARE BEING USED ON THIS SITE
    then be very careful should you happen to click the link, because you may well be sent to a fake login page. In this case, the scammers use some Javascript to bounce the victim from a Tumblr spam blog to a fake Facebook login which they’ll need to use to see the supposed photos. Anybody filling in their details and hitting enter will of course have their username and password sent to the attacker.
    > http://cdn.blog.malwarebytes.org/wp-.../05/tumblr.png
    ...
    > http://cdn.blog.malwarebytes.org/wp-...5/phish-fb.png
    This sort of scam is often seen on Twitter, and regularly puts in a guest appearance or twelve on other sites. Any urgent-sounding messages sent your way which suggest imminent personal embarrassment of some description should be treated with healthy skepticism until you’ve confirmed that a) the message is genuine and b) it really was worth saving up for a one way ticket to the Sahara desert all those years ago. It’s very likely you’re going to be fine – however, you won’t be able to say the same for accounts being handed over to a scammer using a little shock and awe (but mostly shock) as a bait to spirit away some logins."
    ___

    - http://blog.trendmicro.com/trendlabs...ltiple-emails/
    May 12, 2014 - "... Users should be wary of clicking shortened URLs, especially if they come from unverified sources. It’s recommended that they simply use bookmarks or type in the site’s URL directly into the address bar to avoid phishing pages. They should also double-check a site’s URL before they give out any user information; it has become all too easy for bad guys to create login pages that are near-identical to legitimate ones..."

    Last edited by AplusWebMaster; 2014-05-13 at 15:53.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

    #432 - AplusWebMaster

    Paypal Phish Flood, Fake invoice malware ...

    FYI...

    Paypal Phish Flood
    - http://blog.malwarebytes.org/fraud-s...hishing-flood/
    May 13, 2014 - "... noticed a trend in phishing scams over the last week, namely that a specific style of PayPal phish e-mail has been flooding potential victims. The text of the phishing e-mail includes:
    Dear Member,
    Recently, there's been activity in your PayPal account that seems unusual compared to your normal account activities. Please log in to PayPal to confirm your identity and update your password and security questions.
    To help protect your account, no one can send money or withdraw money. In addition, no one can close your account, send refunds, remove any bank accounts, or remove credit cards.
    Click here to login <- Phishing Page
    What's going on?
    We're concerned that someone is using your PayPal account without your knowledge. Recent activity on your account seems to have occurred from a suspicious location or under circumstances that may be different than usual.
    What to do
    Log in to your PayPal account as soon as possible. We may ask you to confirm information you provided when you created your account to make sure you're the account holder. We'll then ask you to change your password and security questions...


    They then advise to wait until PayPal responds within 72 hours after all tasks are complete, however we know that by that time, any credit or accounts associated with your PayPal login are likely to be compromised. We have seen a massive amount of domains being employed to host the actual phishing page, which looks like this:
    > http://cdn.blog.malwarebytes.org/wp-...yPal_Phish.png
    In addition to the many locations this -scam- is being hosted, the amount of observed IP addresses sending the phishing attack is so far over 500. So keep an eye out for any such scam. In addition, there seems something oddly ‘phishy’ about the pattern of these attacks and as we uncover more we will update this post..."
    ___

    Fake Computer Support Services invoice – PDF malware
    - http://myonlinesecurity.co.uk/comput...e-pdf-malware/
    13 May 2014 - "Computer Support Services fake invoice with subject of Computer Support Services JJBCL0104291 pretending to come from Computer Support Services [Bishop.j@ blackjj .co .uk] < random names @ blacjj .co .uk > is another one from the current bot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers... email looks like
    Dear Carole We have created a new invoice for you. To view your statement including a pdf of this invoice please download the attachment.
    Invoice Details
    Invoice Number:
    Description: 1/4/14 – 30/4/14
    Amount: £67.80
    Payment Details
    Account Number: 01706454
    Sort Code: 400822
    Account Name: Computer Support Services
    Kind Regards, Jennifer Eden Computer Support Services T: 0161 8505080 F: 0161 929 0049 W: www. blackjj .co .uk


    13 May 2014 Report_ID30D74D9365D2AC998DC.zip (63 kb) : Extracts to invoice_65476859394857_pdf.exe
    Current Virus total detections: 0/52*
    This Computer Support Services fake invoice is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/2...56e7/analysis/
    ___

    Citibank Commercial Banking Form Spam
    - http://threattrack.tumblr.com/post/8...king-form-spam
    May 14, 2014 - "Subjects Seen:
    Important - Commercial Form
    Typical e-mail details:
    Please scan attached document and fax it to +1 800-285-6016 .
    All web filed documents (with the exception of downloaded accounts templates) are available to view / download for 10 days after their original submission. Once accepted, these changes will be displayed on the public record. Not yet filing your accounts online? See how easy it is… For enquiries, please telephone the Service Desk on +1 800-285-0106 or email enquiries@ citibank .com. This email was sent from a notification-only email address which cannot accept incoming mail. Please do not reply directly to this message. .
    Yours faithfully
    Lilly Mccann
    Commercial Banking
    Citibank N.A
    Lilly.Mccann@ citibank .com


    Malicious File Name and MD5:
    CommercialForm.zip (5881899D33E80B0B33139BBDED43D9BB)
    CommercialForm.scr (F7F5269B1031FF35B8F4DF1000CBCBBB)


    Screenshot: https://gs1.wac.edgecastcdn.net/8019...VdL1r6pupn.png

    Tagged: Citibank, Upatre
    ___

    Microsoft Exchange Voice mail Spam
    - http://threattrack.tumblr.com/post/8...oice-mail-spam
    May 14, 2014 - "Subjects Seen:
    You have received a voice mail
    Typical e-mail details:
    You received a voice mail : VOICE933-947-8474.wav (24 KB)
    Caller-Id: 933-947-8474
    Message-Id: XA6TL3
    Email-Id: <email address>
    This e-mail contains a voice message.
    Download and extract the attachment to listen the message.
    Sent by Microsoft Exchange Server


    Malicious File Name and MD5:
    VoiceMail.zip (B41AF487FC1D362DF736EAC5E14CF5FF)
    VoiceMail.scr (DDBA4AD13DE7D5AE604729405C180D65)

    Screenshot: https://gs1.wac.edgecastcdn.net/8019...QEg1r6pupn.png

    Tagged: Voicemail, Upatre

    Last edited by AplusWebMaster; 2014-05-15 at 00:58.

    #433 - AplusWebMaster

    Fake NatWest, 401K Fund SPAM ...

    FYI...

    Fake NatWest SPAM ...
    - http://myonlinesecurity.co.uk/natwest-statement/
    15 May 2014 - "NatWest Statement is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers... Email looks like:
    View Your April 2014 Online Financial Activity Statement
    Keep track of your account with your latest Online Financial Activity Statement from NatWest Bank. It’s available for you to view at this secure site. Just click to select how you would like to view your statement:
    View/Download as a PDF
    View all EStatements
    So check out your statement right away, or at your earliest convenience...


    Screenshot: http://myonlinesecurity.co.uk/wp-con...-statement.png

    15 May 2014: Statement-pdf.zip (14 kb) Extracts to Statement-pdf.scr
    Current Virus total detections: 7/53*
    This NatWest Statement is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/5...1030/analysis/

    - http://blog.dynamoo.com/2014/05/natw...ins-bitly.html
    15 May 2014 - "This -fake- NatWest spam sends victims to a malicious download via a bit.ly link... The link in the email goes to [donotclick]bit .ly/1jKW2GJ which then downloads a malicious file Statement-pdf.scr which has a VirusTotal detection rate of 8/53*...
    * https://www.virustotal.com/en-gb/fil...is/1400164292/
    ___

    Fake 401K Fund Spam
    - http://threattrack.tumblr.com/post/8...rformance-spam
    May 15, 2014 - "Subjects Seen:
    401k April 2014 Fund Performance and Participant Communication
    Typical e-mail details:
    Co-op 401k Plan Participants
    Attached you will find the April 2014 401k fund performance results as well as an informational piece regarding online calculators available on the website.
    If you are a facility manager, please forward, print or post a copy of these pages on your bulletin board or in a conspicuous place where your employees can see them.
    Please contact me if you have any questions.
    Elsie Mosley
    Employee Benefits/Plan Administrator...


    Malicious File Name and MD5:
    April-2014-401k-Fund.zip (B5B2231F7110B15F70DB7968134A5A98)
    April-2014-401k-Fund.scr (81928270710BAD7443BDBCAA253E4094)


    Screenshot: https://31.media.tumblr.com/eb6512d5...c4p1r6pupn.png

    Tagged: 401K, Upatre
    ___

    Fake justice .co.uk - REMINDER NOTICE ...
    - http://myonlinesecurity.co.uk/fake-j...notice-ignore/
    15 May 2014 - "Fake justice .co.uk REMINDER NOTICE DO NOT IGNORE is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... a spurious parking ticket, hoping to extort a large sum of money from you...

    UK central Police svc notice: http://www.actionfraud.police.uk/ale...e-emails-mar14

    Email looks like:
    REMINDER NOTICE DO NOT IGNORE
    To: submit@ thespykiller .co .uk Case: C5067787
    Please print attached form and fax it to +44 020 4869 0219 Your vehicle was recorded parked on our Clients Private Property driveways on the 15.05.2014 and remained on site for 2 hour 28 min. A notice was sent to you on 10.04.2014 which gave 28 days to pay full PARKING CHARGE or challenge the issue. The amount of £78.00 is now due...


    Screenshot: http://myonlinesecurity.co.uk/wp-con...NOT-IGNORE.png

    15 May 2014: Form-STD-Vehicle-150514.zip (11 kb) Extracts to Form-STD-Vehicle-150514.scr
    Current Virus total detections: 5/53*
    ... another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/3...5ce4/analysis/

    Last edited by AplusWebMaster; 2014-05-15 at 19:52.

    #434 - AplusWebMaster

    Fake TT PAYMENT SPAM, High Fashion Scams ...

    FYI...

    Fake TT PAYMENT COPY - SPAM ...
    - http://blog.dynamoo.com/2014/05/tt-p...copy-spam.html
    19 May 2014 - "This spam has a malicious attachment:
    Date: Sun, 18 May 2014 20:54:20 -0700 [05/18/14 23:54:20 EDT]
    Subject: Re TT PAYMENT COPY
    please confirm the attachment payment Copy and get back to me?


    Attached is an archive file TT PAYMENT COPY.zip which in turn contains another archive file TT PAYMENT COPY.rar (which relies on the victim having a program to uncompress the RAR file). Once that is done, a malicious executable PaySlip.exe is created. This file has a VirusTotal detection rate of 27/53*. Automated analysis tools... don't reveal what is happening, but you can guarantee it is nothing good."
    * https://www.virustotal.com/en-gb/fil...is/1400507439/
    ___

    High Fashion to High Risk ...
    - http://blog.malwarebytes.org/fraud-s...-to-high-risk/
    May 19, 2014 - "... Suffice to say that several Fashion Weeks have come and gone since 2014 started... more runway events have been announced and are already scheduled to happen within the next two to three weeks... it’s highly likely that you may encounter the sites we’ve found these past few days. We have also noted that such sites have increased in number, with most of them carrying the brands Louis Vuitton, Chanel, Gucci, Hermes, and Oakley.
    > http://cdn.blog.malwarebytes.org/wp-...uisvuitton.png
    ...
    > http://cdn.blog.malwarebytes.org/wp-...uccioutlet.png
    ... What fantasylouisvuitton, guccioutlet, and fashionshop-usa have in common goes beyond not having an easy way for anyone to verify the products they say for authenticity. All these sites redirect to random JS (JavaScript) scripts hosted on js(dot)users(dot)51(dot)la, a site that has been associated with many -malicious- activities in the past*. Google Safe Browsing flags it as “suspicious”... Meanwhile, Tumblr users have been inundated with spam posts from users claiming to be students who have put up their own personal fashion site and wishing others to visit it. This is an old Tumblr scam designed to encourage the clicking of adverts, which is often against the Terms of Service (ToS) of many advertising networks and can be seen as a form of click fraud. In this case, scammers specifically looked for those interested in fashion... When it comes to dealing with scams and potentially risky websites, users are always at the losing end. Thus, avoiding such sites, in general, and sticking to visiting legitimate and/or official selling sites of popular brands are best practices to keep in mind."
    * https://www.virustotal.com/en/domain...a/information/
    ___

    Targeted Attack Trends - 2H 2013
    - http://blog.trendmicro.com/trendlabs...ok-at-2h-2013/
    May 19, 2014 - "Targeted attacks are known to use zero-day exploits. However, old vulnerabilities are still frequently exploited. In fact, based on cases analyzed in the second half of 2013, the most exploited vulnerability in this time frame was CVE-2012-0158, a Microsoft Office vulnerability that was patched in April 2012. This shows how important applying the latest patches and security updates are in mitigating the risks posed by these threats.
    Most commonly exploited vulnerabilities related to targeted attacks
    > http://blog.trendmicro.com/trendlabs.../tareport2.jpg
    ... Spear phishing* is still the most seen entry point for targeted attacks. These email messages use relevant-sounding subjects that trick users into opening it and the file attachments therein that serve as malware carriers. In our 2014 prediction, we noted that mobile devices will also be leveraged by threat actors to gain entry to networks... Although targeted attacks are difficult to detect, this task can be made easier with solutions that use advanced threat detection technology that can detect, analyze, and respond to attacks that traditional antivirus signature-based solutions and blacklisting are not capable of. Targeted attacks often leave traces that can serve as indicators of compromise. As such, enterprises and large organizations are encouraged to build their own threat intelligence capability, which they can incorporate into their own existing security solutions..."
    > http://about-threats.trendmicro.com/...ify-in-2h-2013
    ... The latter half of 2013 also bore witness to a series of threat landscape updates that show the aggressive stance of present-day attackers... While bad actors prefer using tried-and-tested attack vectors, such as spear-phishing emails, vulnerabilities, and malware, research shows that they are on the move in terms of diversifying their victims all over the world..."
    * http://searchsecurity.techtarget.com...spear-phishing

    - http://www.secureworks.com/resources...cve-2014-1761/
    May 16, 2014

    - http://www.reuters.com/article/2014/...A4I09420140519
    May 19, 2014 - "The United States on Monday charged five Chinese military officers and accused them of hacking into American nuclear, metal and solar companies to steal trade secrets, ratcheting up tensions between the two world powers over cyber espionage. China immediately denied the charges, saying in a strongly worded Foreign Ministry statement the U.S. grand jury indictment was "made up" and would damage trust between the two nations... Federal prosecutors said the suspects targeted companies including Alcoa Inc, Allegheny Technologies Inc, United States Steel Corp, Toshiba Corp unit Westinghouse Electric Co, the U.S. subsidiaries of SolarWorld AG, and a steel workers' union. Officials declined to estimate the size of the losses to the companies, but said they were "significant." The victims had all filed unfair trade claims against their Chinese rivals, helping Washington draw a link between the alleged hacking activity and its impact on international business. According to the indictment, Chinese state-owned companies "hired" Unit 61398 of the People's Liberation Army "to provide information technology services" including assembling a database of corporate intelligence..."
    ___

    E-On Energy Bill Spam
    - http://threattrack.tumblr.com/post/8...ergy-bill-spam
    May 19, 2014 - "Subjects Seen:
    Unable to process your most recent bill payment
    Typical e-mail details:
    Dear customer,
    This e-mail has been sent to you to inform you that we were unable to process your most recent payment of bill.
    Please check attached file for more detailed information on this transaction.
    IMPORTANT: The actual delivery date may vary from the Delivery By date estimate. Please make sure that there are sufficient available funds in your account to cover your payment beginning a few days before Delivery By date estimate and keep such funds available until the payment is deducted from your account.
    If we fail to process a payment in accordance with your properly completed instructions, we will reimburse you any late-payment-related fees.
    We apologize for any inconvenience this may cause.


    Malicious File Name and MD5:
    Eonenergy-Bill-29052014.zip (73C46BEB4997D121D88E4DA220EB8E75)
    Eonenergy-Bill-29052014.scr (FE272CDACF8BB7C3A8B264BFDF3772FD)


    Screenshot: https://gs1.wac.edgecastcdn.net/8019...RJh1r6pupn.png

    Tagged: eon, Upatre

    - http://myonlinesecurity.co.uk/e-ener...-bill-payment/
    19 May 2014
    > http://myonlinesecurity.co.uk/wp-con...ll-payment.png

    * https://www.virustotal.com/en/file/a...6675/analysis/

    Last edited by AplusWebMaster; 2014-05-20 at 18:28.

    #435 - AplusWebMaster

    Fake Sage, LexisNexis Invoice SPAM ...

    FYI...

    Fake Sage Invoice SPAM leads to malware
    - http://blog.dynamoo.com/2014/05/fake...o-malware.html
    20 May 2014 - "This -fake- Sage spam leads to malware:
    Date: Tue, 20 May 2014 09:20:53 +0100 [04:20:53 EDT]
    From: Sage [Wilbur.Contreras@ sage-mail .com]
    Subject: FW: Invoice_6895366
    Please see attached copy of the original invoice (Invoice_6895366).


    Attached is an archive file Invoice6895366.zip which in turn contains a malicious executable Invoice200522014.scr which has a VirusTotal detection rate of 8/52*. The Malwr analysis** shows that it then goes on to download further components from [donotclick]protecca .com/fonts/2005UKdp.zip [108.163.165.122]..."
    * https://www.virustotal.com/en-gb/fil...is/1400575304/

    ** https://malwr.com/analysis/MWRiODI4N...hjZDFlNzRkMDI/

    - https://www.virustotal.com/en-gb/ip-...2/information/

    - http://myonlinesecurity.co.uk/fake-j...notice-ignore/
    Updated 20 May 2014 - "... Another big run of these this morning. See the notice on Justice .co.uk* and Action Fraud** where they are asking you to report these to them..."
    * https://www.justice.gov.uk/help/fraud

    ** http://www.actionfraud.police.uk/ale...e-emails-mar14

    Screenshot: http://myonlinesecurity.co.uk/wp-con...NOT-IGNORE.png

    - http://threattrack.tumblr.com/post/8...f-justice-spam
    May 20, 2014
    Tagged: UK Ministry of Justice, Upatre
    ___

    Fake LexisNexis Invoice – PDF malware
    - http://myonlinesecurity.co.uk/lexisn...e-pdf-malware/
    20 May 2014 - "LexisNexis Invoice Notification for May 2014 pretending to come from LexisNexis [einvoice.notification@ lexisnexis .com] is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers...
    Email looks like:
    There was an invoice issued to your company: thespykiller .co.uk Please double click the PDF attachment to open or print your invoice.
    To view full invoice details or for any Online Account Management options, download PDF attachment.
    Account Number 278QCB
    Invoice Number 195709944451
    Invoice Date May 20, 2014
    Invoice Amount $3.809.00
    Account Balance $0.00
    You can PAY YOUR BALANCE through the PowerInvoice please print the attached invoice and mail to the address indicated on the invoice statement...


    Screenshot: http://myonlinesecurity.co.uk/wp-con...r-May-2014.png

    20 May 2014: LexisNexis_Invoice_05202014.zip (12 KB) Extracts to LexisNexis_Invoice_05202014.scr
    Current Virus total detections: 0/52*
    This LexisNexis Invoice Notification for May 2014 is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/7...is/1400601699/
    ___

    SCAM: FIFA World Cup Tickets
    - http://blog.trendmicro.com/trendlabs...d-cup-tickets/
    March 20, 2014 - "As the 2014 FIFA World Cup Brazil draws near, we are seeing more threats using the event as bait. We recently talked about cybercriminals in Brazil taking advantage of the event to spread malware, but we’ve found that the threats have gone beyond that: we’ve spotted -fake- FIFA websites selling game tickets... For the site meant for visitors from Brazil, would-be fans can buy a ticket for the final Game for 8,630.20 reais (or just under 3,900 US dollars). This price is almost 4000% higher than the official price on FIFA’s website. At a Brazilian complaints site, a user reported that he bought three tickets for the Portugal versus Germany match from this site, but hadn’t received any tickets yet. The victim also claims that this scam site left no phone number to be contacted. Another complaint on the same site says the only way for the scammers to be contacted is via chat or email... This scam is an example of how different legitimate services (hosting, domain registration, online payment system) can be used fraudulently to scam victims around the globe... remember that -only- FIFA is authorized to sell tickets for the World Cup games..."
    ___

    iBanking: Exploiting the Full Potential of Android Malware
    - http://www.symantec.com/connect/blog...ndroid-malware
    20 May 2014 - "Powerful Russian cybercrime gangs have begun to use premium Android malware to broaden their attacks on financial institutions. The tool, known as iBanking, is one of the most expensive pieces of malware Symantec has seen on the underground market and its creator has a polished, Software-as-a-Service business model... iBanking often masquerades as legitimate social networking, banking or security applications and is mainly being used to defeat out-of-band security measures employed by banks, intercepting one-time passwords sent through SMS. It can also be used to construct mobile -botnets- and conduct covert surveillance on victims. iBanking has a number of advanced features, such as allowing attackers to toggle between HTTP and SMS control, depending on the availability of an Internet connection... One of the most active iBanking users is the Neverquest* crew, a prolific cybercrime group that has infected thousands of victims with a customized version of Trojan.Snifula**. This financial Trojan can perform Man-in-the-Middle (MITM) attacks against a range of international banks. The Neverquest crew utilizes iBanking to augment its Snifula attacks, capturing one-time passwords sent to mobile devices for out-of-band authentication and transaction verification. Control numbers (the mobile numbers that the bots can receive instructions from) indicate that the Neverquest crew is likely operating out of Eastern Europe... Since iBanking victims are usually tricked into installing the app by a desktop financial Trojan, keeping your desktop antivirus software up to date will help avoid infection. You should be wary of any SMS messages which contain links to download APKs (Android application package files), especially from non-reputable sources. IT administrators should consider blocking all messages which contain a link to install an APK. Some iBanking APKs have been seeded onto trusted marketplaces and users should be aware of this as a potential avenue of infection. Users should be aware of sharing sensitive data through SMS, or at least be aware that malicious programs are sniffing this data..."

    * http://malware.dontneedcoffee.com/20...ed-by-the.html

    ** http://www.symantec.com/security_res...112803-2524-99

    Last edited by AplusWebMaster; 2014-05-21 at 05:02.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  6. #436
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Something evil on 93.171.173.173, FireEye confirms DOJ’s findings on APT ...

    FYI...

    Something evil on 93.171.173.173 ...
    - http://blog.dynamoo.com/2014/05/some...173-sweet.html
    21 May 2014 - "93.171.173.173 (Alfa Telecom, Russia) is currently distributing the Sweet Orange EK via a bunch of -hijacked- GoDaddy subdomains. The malware is being spread through code injected into legitimate but hacked websites. For example [donotclick]www.f1fanatic .co.uk is a compromised website that tries to redirect visitors to two different exploit kits:
    [donotclick]adv.atlanticcity .house:13014/sysadmin/wap/fedora.php?database=3
    [donotclick]fphgyw.myftp .biz/kfafyfztzhtwvjhpr37ffn9qi7w0ali5rhczqxcgif3d4
    The second one is an attempt to load the Fiesta EK although the payload site is currently down. But the .house domain appears to be Sweet Orange (incidentally this is the first time that I've seen one of the new TLDs abused in this way)... The server on 93.171.173.173 hosts a number of subdomains that are hijacked from GoDaddy customers. I recommend that you block either the subdomain or domains themselves... The EK page itself has a VirusTotal detection rate of 0/53*, although hopefully some of the components it installs will trigger a warning."
    (More detail at the dynamoo URL above.)
    * https://www.virustotal.com/en-gb/fil...is/1400664015/

    93.171.173.173: https://www.virustotal.com/en-gb/ip-...3/information/

    - http://centralops.net/co/DomainDossier.aspx
    93.171.173.173
    inetnum: 93.171.172.0 - 93.171.175.255
    country: RU ...
    origin: AS29182

    Diagnostic page for AS29182 (ISPSYSTEM-AS)
    - https://www.google.com/safebrowsing/...?site=AS:29182
    "Of the 16625 site(s) we tested on this network over the past 90 days, 264 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2014-05-22, and the last time suspicious content was found was on 2014-05-22... Over the past 90 days, we found 87 site(s) on this network... appeared to function as intermediaries for the infection of 393 other site(s)... this network has hosted sites that have distributed malicious software in the past 90 days. We found 260 site(s)... that infected 3562 other site(s)..."
    ___

    FireEye Confirms DOJ’s Findings on APT1 Intrusion Activity
    - http://www.fireeye.com/blog/technica...-activity.html
    May 20, 2014 - "Yesterday, the U.S. Department of Justice (DOJ) announced the indictment of five members of the Second Bureau of the People’s Liberation Army (PLA) General Staff Department’s Third Department, also known as PLA Unit 61398. This is the -same- unit that Mandiant publicly unmasked last year in the APT1 report*. At the time it was originally released, China denounced the report, saying that it lacked sufficient evidence. Following the DOJ’s indictment, however, China’s usual response changed from “you lack sufficient evidence” to “you have fabricated the evidence”, calling on the U.S. to “correct the error immediately.” This is a significant evolution in China’s messaging; if the evidence is real, it overwhelmingly demonstrates China’s unilateral attempts to leapfrog years of industrial development — by using cyber intrusions to access and steal intellectual property... Although one could attempt to explain every piece of evidence away, at some point the evidence starts to become overwhelming when it is all pointing in one direction. Our timestamp data, derived from active RDP logins over a two year period, matches the DOJ’s timestamp data, derived from a different source — active Dynamic DNS re-pointing over a five year period. These data sets show that APT1 is either operating in China during normal Chinese business hours or that APT1 is intentionally going to painstaking lengths to look like they are... "
    (More detail at the fireeye URL above.)
    * http://intelreport.mandiant.com/
    ___

    “Amazoon” Phishing
    - http://blog.malwarebytes.org/fraud-s...zoon-phishing/
    May 21, 2014 - "Be warned that there are some typo happy phishers looking out for login credentials... take a trip down the Amazoon:
    > http://cdn.blog.malwarebytes.org/wp-...5/amazoon1.jpg
    It reads:
    Verify your Amazoon account
    Dear Amazon user,
    We need to confirm your account information,
    you must confirm your amazon account before we close it.
    Click the link below to confirm your account information using our secure server.


    Clicking the “Manage” link will take victims to a page asking for username and password information:
    > http://cdn.blog.malwarebytes.org/wp-...5/amazoon2.jpg
    After this, they’re faced with a page asking for personal information (name, address, phone number and so on):
    > http://cdn.blog.malwarebytes.org/wp-...5/amazoon3.jpg
    The page after this one is broken – looks like the host has taken it down mid-blog so hopefully nobody else will be scammed by this one. Typically the pattern for this kind of thing would be login details, personal information then card data. While we can’t say for sure what lay in wait at step 3, we can say to be on your guard for any more emails from “Amazoon” and -never- hand over personal data such as card details in response to emails you’ve been sent."

    >> http://www.dilbert.com/2014-05-19/
    ___

    Fake Contrat Commercant SPAM – PDF malware
    - http://myonlinesecurity.co.uk/contra...e-pdf-malware/
    21 May 2014 - "Contrat Commercant N: 9579514 pretending to come from Rick Goddard [Rick.Goddard@ credit-agricole .fr] is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers. This is written entirely in French...
    Email looks like :
    Bonjour,
    Enchante d’avoir fait votre connaissance. Je vous confirme que j’ai bien recupere les documents..
    Pouvez-vous me dire si vous souhaitez conserver le contrat commercant n°9579514 ? En effet, sans action de notre part, il sera automatiquement resilie le 22 mai 2014.
    Pour eviter automatiquement resilie accorder 2 minutes au service Credit Agricole en remplissant le formulaire ci-joint.
    Rick Goddard ...


    21 May 2014: Contrat_9579514.zip ( 8kb) Extracts to Contrat_210514.scr
    Current Virus total detections: 0/52* ...
    This is another one of the spoofed icon files that, unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/7...bc09/analysis/
    ___

    PrimeAspire (primeaspire .com) spam
    - http://blog.dynamoo.com/2014/05/prim...ecom-spam.html
    21 May 2014 - "Startup or no startup, sending spam to a spamtrap is not a good way to drum up business..
    From: Team@ primeaspire .com
    To: donotemail@ wearespammers .com
    Date: 20 May 2014 13:32
    Subject: PrimeAspire - The Freelance Platform
    Hello,
    Following our recent launch we'd like to invite you to PrimeAspire where you can post any task and securely get skilled people to complete specific freelance tasks.
    The platform is completely free and used by talented people looking for freelance projects.
    Learn more
    Thanks,
    The PrimeAspire team ...


    Screenshot: http://4.bp.blogspot.com/-a2q8a983zh...rimeaspire.png

    .. CEO of PrimeAspire is one Chris Adiolé. PrimeAspire (strictly speaking it is Prime Aspire Ltd) is a real company (07850209 in the UK), and Mr Adiolé even has his name on the domain WHOIS details rather than hiding behind a proxy service... Originating IP is 79.170.44.6 which is Heart Internet in the UK. The primeaspire.com domain is hosted with the same firm on 79.170.40.239... promoting your startup through spam is always a very bad move..."

    Last edited by AplusWebMaster; 2014-05-26 at 22:42.

  7. #437
    Adviser Team AplusWebMaster's Avatar

    Browlock -redirects- via Google Image Search ...

    FYI...

    Browlock -redirects- via Google Image Search
    - http://blog.malwarebytes.org/fraud-s...-image-search/
    May 22, 2014 - "We saw a website offering up a downloadable version of what they claim is Telltale’s Back to the Future game. The site had apparently been -hacked- allowing those who compromised it to add redirect code onto the website. As a side effect of this, clicking on their image via the initial returned results from a Google image search while using Chrome will mean your browser is redirected to a Browlock scam page, complete with dire warnings placed on top of the preview image which is now adrift in a sea of fakery:
    > http://cdn.blog.malwarebytes.org/wp-...ocksearch1.png
    ... we’re looking at a typical “Your PC has been encrypted, pay us money to return your files” message – the translation of which can be seen over on the F-Secure website* – and depending on your browser set up, you may have a few problems getting rid of the page. For example:
    > http://cdn.blog.malwarebytes.org/wp-...ocksearch2.jpg
    Once the box is on the screen, there is no way to open another tab or indeed navigate to one that is already open. For similar reasons, you won’t be able to close the browser either. The browser is trapped in a loop of confirmation pop-up boxes and our old friend CTRL+ALT+DEL will be required to kill the browser in Task Manager. The end-user isn’t under too much risk here – the scam page is simply -pretending- that the PC has had all files encrypted, and wants them to pay up to get their hands back on valuable personal data. There have been instances in the past where Fake AV has taken advantage of image search and caused problems for Mac users, and here’s a YouTube video** of the Windows equivalent. In this case, if you’re ever able to get the popup out of the way AND close the image AND open up the vanilla website AND read the Russian text…you should close the browser via the wonder of Task Manager and go do something else anyway. Your data is safe, no need to hand over cash to scammers!"
    * http://www.f-secure.com/weblog/archives/00002698.html

    ** http://www.youtube.com/watch?v=1oxAK4TP6Uk
    ___

    Malvertising ads on popular site leads to Silverlight exploit, Zeus Trojan
    - http://blog.malwarebytes.org/exploit...t-zeus-trojan/
    May 22, 2014 - "Malicious ads displayed on legitimate websites (malvertising) are something we see a lot of these days... third-party content is always a bit iffy because you just can’t control it. Case in point, a popular website recently suffered a malvertising attack. Our honeypots detected the malicious redirection from a compromised ad in the wee hours of last Friday morning. We contacted both the site owners and the advertising agency and the malicious traffic stopped shortly after. Over the course of the weekend and the beginning of the week, we exchanged some further emails to get a better understanding about the attack, which turned out to be an Ad server compromise... the advertising agency had suffered a server compromise themselves. I managed to talk to them and they were willing to share information about the attack that affected them and in turn their customers. After browsing their log files they noticed a peculiar IP address that had logged in through SSH and had connected to their email server. But interestingly the attacker waited patiently before doing anything nefarious. It appears the attacker was reading their emails and simply waiting for something valuable to come up. Finally, a new ad campaign with a high volume website was started and details were shared via email. Almost immediately after, the attacker redirected the tracking for the ad server to his own malicious site (rotator)... The goal of this malvertising attack is to -redirect- unsuspecting users to an exploit kit landing page in order to infect their computers... Drive-by download through Angler exploit kit: The exploit kit landing page is heavily obfuscated to make detection harder... Following successful exploitation of the machine, a payload is dropped. This one is none other than the infamous Zeus/Zbot banking Trojan... The best defence is a layered one and it starts with browser protection. 
To stop the Silverlight exploit you need to be running the latest version of the software*... also another notable external connection to an IP (37.57.26.167) based in the Ukraine... good Anti-Malware protection running in the background can also protect you against the threat, either by blocking the malicious site or the dropped payload... Thanks to the advertising agency for sharing some of the details on their compromise. Hopefully this will be helpful to other website owners."
    (More detail at the malwarebytes URL above.)
    * http://www.microsoft.com/getsilverli...l/Default.aspx

    - http://atlas.arbor.net/briefs/
    Elevated Severity
    May 23, 2014
    Microsoft Silverlight vulnerabilities were recently targeted in a malvertising campaign redirecting victims to exploit kits.
    Analysis: Malicious ads in the AppNexus network redirected victims to malicious sites hosting the Angler Exploit Kit containing Silverlight exploits. Angler EK has shown a significant increase in attacks against Silverlight since late April... Like many other exploit kits, Angler EK makes use of disclosed, patched vulnerabilities rather than zero-days. The two Silverlight vulnerabilities exploited in this campaign, CVE-2013-0074 and CVE-2013-3896, both have available patches and published exploit code... Angler EK also contains exploits for other applications including Java and Flash, whose security issues are frequently discussed. Given the widespread and growing usage of Silverlight, including by popular video streaming site Netflix, it is likely that Silverlight will continue to be targeted. Users who have Silverlight installed should ensure that it is up-to-date.

    Last edited by AplusWebMaster; 2014-05-24 at 12:04.

  8. #438
    Adviser Team AplusWebMaster's Avatar

    Targeted attacks, Malware via Dropbox ...

    FYI...

    Targeted attacks against Taiwan gov't agencies
    - http://blog.trendmicro.com/trendlabs...nt-agencies-2/
    May 23, 2014 - "... We are currently monitoring a campaign that specifically targets government and administrative agencies in Taiwan. We are naming this specific campaign PLEAD because of the letters of the backdoor commands issued by the related malware. The point of entry for this campaign is through email. In the PLEAD campaign, threat actors use the RTLO (right to left override) technique in order to fool the target recipient into thinking that the file extension of the unpacked file is not suspicious, i.e., not an executable. In some cases related to the PLEAD campaign, the RTLO technique was implemented correctly, as seen in a case targeting a particular ministry in Taiwan, purporting to be reference materials for a technical consultant conference... We also observed the use of an exploit using the CVE-2012-0158 vulnerability, which had long been patched by MS12-027 in 2012. The vulnerability exists in Windows common controls, could allow an attacker to execute malicious code, and is a common vulnerability found in targeted attacks... We are still conducting research about the related C&Cs and malware tools in the PLEAD campaign and will be providing technical details about the breadth of this campaign. It appears that the attacks related to this campaign have been around since 2012."
    (More detail at the trendmicro URL above.)
    ___

    Fake NatWest email downloads malware via Dropbox
    - http://blog.dynamoo.com/2014/05/fake...s-malware.html
    May 23, 2014 - "This fake NatWest email follows the same pattern as this one except that it is downloading malware via Dropbox rather than Bitly.
    From: NatWest .co.uk [noreply@ natwest .co.uk]
    Date: 23 May 2014 11:36
    Subject: NatWest Statement
    View Your May 2014 Online Financial Activity Statement
    Keep track of your account with your latest Online Financial Activity Statement from NatWest Bank. It's available for you to view at this secure site. Just click to select how you would like to view your statement:
    View/Download as a PDF
    View all EStatements
    So check out your statement right away, or at your earliest convenience.
    Thank you for managing your account online.
    Sincerely,
    NatWest Bank ...


    The link in the email goes to [donotclick]dl.dropboxusercontent .com/s/h8ee7pet8g3myfh/NatWest_Financial_Statement.zip?dl=1&token_hash=AAGNPq4-blG8MXToyYPu1l8lXEyrOQNz6EjK7rUBRaSHGg&expiry=1400838977 which downloads an archive file NatWest_Financial_Statement.zip which in turn contains the malicious executable NatWest_Financial_Statement.scr. This has a VirusTotal detection rate of just 3/52*. Automated analysis tools... show that it downloads a component from [donotclick]accessdi .com/wp-content/uploads/2014/04/2305UKmw.zip ... The Malwr analysis shows that it then downloads some additional EXE files:
    ibep.exe (VT 2/52, Malwr report)
    kuten.exe (VT 3/52, Malwr report)
    sohal.exe (VT 2/52. Malwr report)
    As is typical with the attack, the payload appears to be P2P/Gameover Zeus/Zbot."
    (More detail and links at the dynamoo URL above.)
    * https://www.virustotal.com/en-gb/fil...is/1400846756/
    ___

    Fake eBay Customer List is Bitcoin Bait
    - http://krebsonsecurity.com/2014/05/e...-bitcoin-bait/
    May 22, 2014 - "... an advertisement that is offering to sell the full leaked user database for 1.4 bitcoins (roughly USD $772 at today’s exchange rates). The ad has even prompted some media outlets to pile on that the stolen eBay data is now for sale. But a cursory examination of the information suggests that it is almost certainly little more than a bid to separate the unwary from their funds... There is a surprisingly simple method for determining the validity of these types of offers. Most Web-based businesses allow one user or customer account per email address, and eBay is no exception here. I took a random sampling of five email addresses from the 12,663 users in that file, and tried registering new accounts with them. The outcome? Success on all five... the main target of these fake leak scammers are probably security companies eager enough to verify the data that they might just buy it to find out. Interestingly, I did have one security company approach me today about the feasibility of purchasing the data, although I managed to talk them out of it..."

    Last edited by AplusWebMaster; 2014-05-23 at 17:42.
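The RTLO trick described in the PLEAD post above, and the .pdf.exe / .scr "spoofed icon" attachments mentioned in several other posts in this thread, can both be caught by a mail-gateway or triage script that looks only at the attachment name. The following is an added example written for this thread, not code from Trend Micro or any of the blogs quoted; the filenames it checks are constructed samples modelled on names quoted in the thread, and the display approximation for U+202E is an assumption that holds for Latin-script names.

```python
# Added example (not from any quoted source): flag attachment names that hide
# an executable behind a document-looking extension, either with a Unicode
# right-to-left override (RTLO, U+202E) as in the PLEAD campaign, or with a
# double extension such as "something.pdf.exe" that Windows shows as
# "something.pdf" when known extensions are hidden.

# Unicode bidi control characters that can change how a name is displayed.
RTLO = "\u202E"
BIDI_CONTROLS = frozenset("\u200E\u200F\u202A\u202B\u202C\u202D\u202E"
                          "\u2066\u2067\u2068\u2069")

# Extensions Windows (or its script hosts) will execute on double-click.
EXECUTABLE_EXTS = frozenset({"exe", "scr", "com", "pif", "bat", "cmd", "js",
                             "jse", "vbs", "vbe", "wsf", "hta", "cpl", "msi",
                             "jar", "ps1", "lnk"})
# Extensions a user expects to be harmless documents, images or archives.
DOCUMENT_EXTS = frozenset({"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx",
                           "rtf", "txt", "jpg", "jpeg", "png", "gif", "zip"})


def strip_bidi(name):
    """Remove bidi controls; this is the name the OS actually opens."""
    return "".join(ch for ch in name if ch not in BIDI_CONTROLS)


def displayed_name(name):
    """Approximate what a bidi-aware UI renders: everything after the first
    U+202E is drawn right-to-left, i.e. reversed. This is an assumption that
    is good enough for the Latin-script names these lures use."""
    if RTLO not in name:
        return name
    head, tail = name.split(RTLO, 1)
    return head + strip_bidi(tail)[::-1]


def real_extension(name):
    """Extension as the OS sees it: text after the last dot, lower-cased."""
    clean = strip_bidi(name)
    return clean.rsplit(".", 1)[1].lower() if "." in clean else ""


def analyze(name):
    """Return a dict describing why (if at all) the filename is deceptive."""
    findings = []
    controls = sorted({f"U+{ord(ch):04X}" for ch in name if ch in BIDI_CONTROLS})
    if controls:
        findings.append("bidi control character(s) in name: " + ", ".join(controls))

    ext = real_extension(name)
    shown = displayed_name(name)
    parts = strip_bidi(name).lower().split(".")

    if ext in EXECUTABLE_EXTS:
        findings.append(f"executable extension .{ext}")
        if RTLO in name:
            findings.append(f"displays as '{shown}' but really ends in .{ext}")
        # something.pdf.exe: the part the user sees ends in a document extension
        if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTS:
            findings.append(f"double extension .{parts[-2]}.{ext}: looks like "
                            f"a {parts[-2].upper()} when known extensions are hidden")

    return {"name": name, "displayed_as": shown, "real_extension": ext,
            "suspicious": bool(findings), "findings": findings}


if __name__ == "__main__":
    # Constructed samples modelled on names quoted in this thread.
    samples = [
        "invoice.pdf",                       # benign
        "PP_detalis_726716942049.pdf.exe",   # double extension
        "Contrat_210514.scr",                # bare screensaver executable
        "reference_materials\u202Efdp.exe",  # RTLO: renders as ...exe.pdf
    ]
    for s in samples:
        r = analyze(s)
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{flag:10} {r['displayed_as']!r} -> .{r['real_extension'] or '?'}")
        for f in r["findings"]:
            print("           - " + f)
```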

  9. #439
    Adviser Team AplusWebMaster's Avatar

    Fake Voice Msg – PDF malware ...

    FYI...

    Fake Voice Msg – PDF malware
    - http://myonlinesecurity.co.uk/voice-...e-pdf-malware/
    26 May 2014 - "Voice Message from < random number> pretending to come from message @ <random email address> is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers...
    Today we are seeing a mass run of the common voice message malware theme. 2 different versions of these so far today. Loads of slightly different subjects:
    Voice Message from +07720-160332
    Voice message transmission report: 2014.05.26_4B10694078
    Incoming voice message [2014_05_26_9E57221633]
    Incoming Voice Message [+07457706455]
    They all come via one of the bots and have an alleged sender of message@any name you can think of .com/co.uk/net etc. Emails look like:
    You have a new Voice Message!
    Sender: +07457706455
    Date: 2014-05-24 13:19:26 UTC
    ID: 2014-05-26_0D87942690


    26 May 2014: voice_message_2014-05-26_75555857A9.zip Extracts to voice_message_2014-05-26_3C51847781.exe
    Current Virus total detections: 2/53*. This Voice Message from is another one of the spoofed icon files that, unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/2...is/1401119086/

    - https://www.virustotal.com/en/file/7...1e96/analysis/


  10. #440
    Adviser Team AplusWebMaster's Avatar

    eBay phish, Mobile ransomware, iPhone hijacks? ...

    FYI...

    eBay phish ...
    - http://myonlinesecurity.co.uk/ebay-phishing/
    27 May 2014 - "... Today we started to receive eBay phishing emails that aren’t connected with the password reset that eBay are requesting all users to do, but a more typical -phish- with a message saying an eBay member has left you a message regarding item no #2389452906... always -ignore- the links in these emails and log in to your eBay account manually and check the My Messages link inside eBay. That is the -only- way to be guaranteed that it is the correct site. This one is quite well crafted and until you look very closely at the web address, you could quite easily believe that you are on the genuine eBay site.... Email looks like:
    Question about Item #2389452906- Respond Now
    eBay sent this message on behalf of an eBay member through My Messages.
    Dear member,
    eBay member timeautoparts has left you a message regarding item #2389452906
    Click here to view the message
    Regards,
    eBay


    Screenshot: http://myonlinesecurity.co.uk/wp-con...hish-email.png
    If you follow the links in the email, you end up on a page looking like this:
    Screenshot: http://myonlinesecurity.co.uk/wp-con...phish_site.png
    ... after giving your details you are sent to a confirmation page that looks like this, asking you to confirm your email address and email password. The phishers want 2 bites at the cherry and not only want your eBay account log in details but also your email account log in details so they can use that to spread their spam and malware:
    > http://myonlinesecurity.co.uk/wp-con...firm_email.png
    ... That then bounces you to the genuine eBay site where you don’t realise that you have given your details to a phishing site..."

    - http://www.hoax-slayer.com/ebay-pass...ications.shtml
    May 27, 2014 - "... the genuine eBay notification does -not- ask you to click a link. Instead, it asks that you go to eBay in your usual way and login to change your password..."
    ___

    Aussie Apple devices, including the iPhone, are being hijacked
    - http://www.theage.com.au/digital-lif...527-zrpbj.html
    May 27, 2014 - "Owners of Apple devices across Australia are having them digitally held for ransom by hackers demanding payment before they will relinquish control. iPad, iPhone and Mac owners in Queensland, NSW, Western Australia, South Australia and Victoria have reported having their devices held hostage. One iPhone user, a Fairfax Media employee in Sydney, said she was awoken at 4am on Tuesday to a loud "lost phone" message that said "Oleg Pliss" had hacked her phone. She was instructed to send $50 to a PayPal account to have it unlocked... It is likely hackers are using the unusual name as a front to get money from people. A real Oleg Pliss is a software engineer at tech company Oracle. A similar name is listed on LinkedIN as a banking professional in Ukraine, while there are others in Russia. Affected users in Australia have been discussing the issue on Twitter and Apple's own support forum*."
    * https://discussions.apple.com/thread...art=0&tstart=0

    How to defend against... iCloud attack
    > http://blogs.computerworld.com/cyber...-icloud-attack
    May 27, 2014 - "... If you have a passcode for your device, then you don't have a problem -- just use the passcode to get into your device again, and change your iCloud password. Find My iPhone can only set its own code if you have not created your own passcode for the device... Some reports claim the following steps may help locked out users regain control of their device..."
    (More detail at the computerworld URL above.)

    - http://www.f-secure.com/weblog/archives/00002707.html
    May 27, 2014

    - http://www.databreaches.net/iphone-o...-their-phones/
    May 27, 2014
    ___

    Ransomware Moves to Mobile
    - http://blog.trendmicro.com/trendlabs...ves-to-mobile/
    May 26, 2014 - "Ransomware continues to make waves... it is now targeting mobile devices... cybercrime groups have decided to include mobile users in their intended victims. Our earlier efforts resulted in some of those behind these attacks being arrested, but not all of these cybercriminals are now behind bars – and some have expanded their efforts into mobile malware. This is detected as ANDROIDOS_LOCKER.A ... The malware will monitor the screen activity when a device is active or running. Based on the analysis of its code, it tries to put its UI on top of the screen when the device is unlocked. People will not be able to uninstall the malicious app by traditional uninstall means as one would normally do because the system or even the AV UI is always “covered” by the malware’s UI. It also tries to connect to several URLs that are its command-and-control servers. These are currently inaccessible. However, one URL was found to display pornographic content. The ransomware appears to be capable of sending information to these C&C servers albeit a limited function because it only has few permissions... To -avoid- these threats, we strongly suggest that you -disable- your device’s ability to install apps from sources outside of Google Play and double check the developer of the app you want to download and be very meticulous of the app reviews to verify apps’ legitimacy. This setting can be found under Security in the system settings of Android devices..."

    Last edited by AplusWebMaster; 2014-05-29 at 03:34.
