
Thread: SPAM frauds, fakes, and other MALWARE deliveries...

  1. #441 - AplusWebMaster (Adviser Team; joined Oct 2005, USA, 6,881 posts)

    Fake AMEX SPAM, Dropbox malware, Threat Outbreak Alerts ...

    FYI...

    Fake AMEX SPAM - Activity Report – PDF malware
    - http://myonlinesecurity.co.uk/americ...e-pdf-malware/
    28 May 2014 - "Recent Activity Report – Incident #TCC6CVXM02FYBAE pretending to come from American Express [Whitney.Clinton@ americanexpress .com] is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers... Email looks like:
    As part of our security measures, we deliver appropriate monitoring of transactions and customers to identify potentially unusual or suspicious activity and transactions in the American Express online system.
    Please review the “Suspicious Activity Report” document attached to this email.
    Your Cardmember information is included in the upper-right corner of this document to help you recognize this as a customer service e-mail from American Express. To learn more about e-mail security or report a suspicious e-mail, please visit us at http ://www.americanexpress .com/phishing
    Thank you for your Cardmembership.
    Sincerely,
    Whitney.Clinton
    Tier III Support
    American Express Account Security
    Fraud Prevention and Detection Network
    Copyright 2014 American Express Company. All rights reserved.


    28 May 2014: Incident_TCC6CVXM02FYBAE.zip (10 kb): Extracts to Incident_1BBWHVO9AR3E263.scr (25kb)
    Current Virus total detections: 4/52*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/8...9d51/analysis/
    ___

    Fake eFax message SPAM - downloads malware from Dropbox
    - http://blog.dynamoo.com/2014/05/efax...nown-spam.html
    28 May 2014 - "This -fake- eFax message downloads malicious content from a Dropbox link.
    From: eFax [message@ inbound .efax .com]
    Date: 28 May 2014 13:12
    Subject: eFax message from "unknown" - 1 page(s), Caller-ID: 1-949-698-5643
    Fax Message [Caller-ID: 1-949-698-5643
    You have received a 1 page fax at Wed, 28 May 2014 09:11:44 GMT.
    * The reference number for this fax is atl_did1-1400166434-95058563842-154.
    Click here to view this fax using your PDF reader...


    The telephone number will vary from spam-to-spam, but the download link seems consistent and is [donotclick]dl.dropboxusercontent .com/s/uk0mlaixvbg52g2/Fax_938_391102933_1245561.zip?dl=1&token_hash=AAEUA5cH_mfvkp4l4CePv7t100XZKo4GBq6ZxY1UiElKyQ&expiry=1401269894 which leads to a ZIP file Fax_938_391102933_1245561.zip which unzips to a malicious executable Fax_938_391102933_1245561.scr. This binary has a VirusTotal detection rate of 6/53*. Automated reporting tools... show a download from landscaping-myrtle-beach .com/wp-content/uploads/2014/05/2805UKdw.dkt ... This last one makes a connection to innogate .co .kr for unknown reasons.
    Recommended blocklist:
    landscaping-myrtle-beach .com
    innogate .co.kr
    "
    * https://www.virustotal.com/en/file/2...is/1401279784/

    - http://myonlinesecurity.co.uk/update...e-pdf-malware/
    28 May 2014 - "... links to Dropbox in the spoofed Corporate eFax message email rather than the more usual attachment..."
    - https://www.virustotal.com/en-gb/fil...c29b/analysis/
    Screenshot: http://myonlinesecurity.co.uk/wp-con...3/12/efax2.png
    ___

    "TPPCO" PPI SMS spam
    - http://blog.dynamoo.com/2014/05/tppco-ppi-sms-spam.html
    28 May 2014 - "Despite some high-profile recent cases* where SMS spammers have been busted by the ICO, the wave of spam seems to be continuing. This one came less than an hour ago from +447729938098.

    Unsure if you qualify for a refund of PPI paid on a loan or credit card? Reply PPI and we will run a no obligation check or reply STOP to opt out. TPPCO

    I have no idea who "TPPCO" are, but they are a common sender of these spam messages. In this case, the spam was sent to a number that is TPS registered, and I believe that the approach is fraudulent in any case - in most cases the spammers will get paid for a lead even if it turns out that the claimant wasn't eligible. If you get one of these, you should forward the spam and the sender's number to your carrier. In the case of T-Mobile, O2 and Orange the number to report to is 7726 ("SPAM"). Vodafone customers should use 87726 ("VSPAM") and Three customers should use 37726 ("3SPAM"). Carriers and the ICO are cracking down on these scumbags, but they need reports from victims to gather enough evidence.
    You can also report persistent spam like this via the ICO's page on the subject, which might well end up in the spammers getting a massive fine."
    * http://ico.org.uk/news/latest_news/2...sages-22052014
    ___

    Threat Outbreak Alerts
    - http://tools.cisco.com/security/cent...utbreak.x?i=77
    Fake Invoice Notice Email Messages - 2014 May 28
    Fake Product Purchase Order Request Email Messages - 2014 May 28
    Fake Invoice Notice Email Messages - 2014 May 28
    Fake Court Appearance Request Email Messages - 2014 May 28
    Fake Product Purchase Order Request Email Messages - 2014 May 28
    Fake Shipping Documents Attachment Email Messages - 2014 May 28
    Fake Product Purchase Order Request Email Messages - 2014 May 28
    Fake Financial Transaction Notification Email Messages - 2014 May 28
    Fake Scanned Image Notification Email Messages - 2014 May 28
    Fake Financial Documents Email Messages - 2014 May 28
    Fake Product Sample Order Email Messages - 2014 May 28
    Fake Product Invoice Notification Email Messages - 2014 May 28
    Fake Fax Delivery Email Messages - 2014 May 28
    Fake Bank Account Statement Email Messages - 2014 May 28
    Fake Shipping Order Information Email Messages - 2014 May 28
    Fake Bank Payment Transfer Notification Email Messages - 2014 May 28
    Fake Unpaid Debt Invoice Email Messages - 2014 May 28
    Fake Product Order Email Messages - 2014 May 28
    (More detail and links at the cisco URL above.)

    Last edited by AplusWebMaster; 2014-05-29 at 02:36.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #442 - AplusWebMaster (Adviser Team)

    More eFax-Dropbox malware SPAM, Fake Facebook accounts ...

    FYI...

    More eFax / Dropbox malware SPAM
    - http://blog.dynamoo.com/2014/05/more...ware-spam.html
    29 May 2014 - "This -fake- eFax message downloads malware from Dropbox, similar to yesterday's attack but with different binaries:
    From: Incoming Fax [no-reply@ efax .co.uk]
    Date: 29 May 2014 10:26
    Subject: INCOMING FAX REPORT : Remote ID: 499-364-9797...
    Date/Time: Thu, 29 May 2014 18:26:56 +0900
    Speed: 4360bps
    Connection time: 07:09
    Pages: 9
    Resolution: Normal
    Remote ID: 915-162-0353
    Line number: 0
    DTMF/DID:
    Description: Internal report
    We have uploaded fax report on dropbox, please use the following link to download your file:
    https ://www.dropbox .com/meta_dl/[redacted]


    The malicious download is from [donotclick]www.dropbox .com/meta_dl/eyJzdWJfcGF0aCI6ICIiLCAidGVzdF9saW5rIjogZmFsc2UsICJzZXJ2ZXIiOiAiZGwuZHJvcGJveHVzZXJjb250ZW50LmNvbSIsICJpdGVtX2lkIjogbnVsbCwgImlzX2RpciI6IGZhbHNlLCAidGtleSI6ICJvempiZ256bDM2aGRlMTgifQ/AAKxr3bqwwmIfwE_cp_xalkzMz7tKRtiivmPhViZTBLBkA?dl=1 which is an archive file FAX-21651_7241.zip which in turn contains the malicious executable FAX-21651_7241.scr . This binary has a VirusTotal detection rate of 6/53* and the Malwr report shows that it downloads a file from soleilberbere .com/images/2905UKdw.tar which subsequently drops a file eucis.exe with a VirusTotal detection rate of just 3/51**. Automated reports... are pretty inconclusive as to what this does."
    * https://www.virustotal.com/en-gb/fil...is/1401357330/

    ** https://www.virustotal.com/en-gb/fil...is/1401357905/

    - http://myonlinesecurity.co.uk/malware-via-dropbox/
    29 May 2014 - "... Instead of the usual malware attachment to an email or a link to an infected file on a compromised or hacked server and website, the bad guys have started to deliver malware via Dropbox... 'bad guys appear to be doing this, because of the way many mail servers now block attachments or scan and disinfect them to stop users being infected... 'bad guys often create one malicious file & use 4, 5 or even 10 different email subjects and contents to entice a user to read the mail, open any attachment or follow the link & get infected. We try to post as many of the current emails here as we can, to alert you to what is a fake, but some just slip past."
    ___

    Iranian hackers use fake Facebook accounts to spy on U.S., others
    - http://www.reuters.com/article/2014/...0E90A220140529
    May 29, 2014 - "In an unprecedented, three-year cyber espionage campaign, Iranian hackers created false social networking accounts and a fake news website to spy on military and political leaders in the United States, Israel and other countries, a cyber intelligence firm said on Thursday. ISight Partners*, which uncovered the operation, said the hackers' targets include a four-star U.S. Navy admiral, U.S. lawmakers and ambassadors, members of the U.S.-Israeli lobby, and personnel from Britain, Saudi Arabia, Syria, Iraq and Afghanistan. The firm declined to identify the victims and said it could not say what data had been stolen by the hackers, who were seeking credentials to access government and corporate networks, as well as infect machines with malicious software..."
    * https://www.isightpartners.com/2014/...-social-media/
    May 28, 2014 - "... Iranian threat actors are using more than a dozen fake personas on social networking sites (Facebook, Twitter, LinkedIn, Google+, YouTube, Blogger) in a coordinated, long-term cyber espionage campaign. At least 2,000 people/targets are, or have been, caught in the snare and are connected to the false personas. This campaign, working undetected since 2011, targets senior U.S. military and diplomatic personnel, congressional personnel, Washington D.C. area journalists, U.S. think tanks, defense contractors in the U.S. and Israel, as well as others..."
    ___

    Fake COPY OF PMNT/ORDER CONFIRMATION - PDF malware
    - http://myonlinesecurity.co.uk/copy-p...e-pdf-malware/
    29 May 2014 -"COPY OF PAYMENT REMITTANCE and ORDER CONFIRMATION is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers... Email looks like this:
    Good evening,
    Attached is the 30% remittance copy for our first Order and our specifications approval documents. Please confirm payment as soon as received at your end and also confirm order processing time according to your invoice. Awaiting your kind response.
    Kind regards,
    Eddie Martinez CTM International Giftware Inc/ CTM International Hardware Inc. Phone: (614) 384-0636 Fax: (614) 883-1748 ...


    29 May 2014: PAYMENT SWIFT CONFIRMATION.zip : Extracts to PAYMENT SWIFT CONFIRMATION.zip.scr
    Current Virus total detections: 2/53*... another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/0...e46a/analysis/
    ___

    Threat Outbreak Alerts
    - http://tools.cisco.com/security/cent...utbreak.x?i=77
    (MANY -new- with today's date - there were -21- new entries as of date/time of this post. More info and links at the cisco URL above.)
    ___

    Chromebook touchpads borked by update
    - http://www.theinquirer.net/inquirer/...rome-os-update
    May 29 2014 - "... reports that large numbers of Chromebooks have been borked by the latest version of Chrome OS*. The problem stems from the touchpad and its "Touch to Click" feature, which seems to have stopped registering clicks after the upgrade. This is particularly crucial as some models of Chromebook have done away with the mechanical touchpad buttons altogether. The problem is a huge embarrassment for Google in its efforts to get Chrome OS recognised as a viable alternative to Windows. Posters to the Chromium community forums are fuming**... Google rolled out Chrome OS version 35 last week, including organisation options for the app launcher, universal activation of the "OK Google" voice control command and better control for logging in to public WiFi hotspots. Google's Chrome OS community manager Andrea Mesterhazy has acknowledged the problem in the forums***..."
    * http://googlechromereleases.blogspot...chrome-os.html
    May 20, 2014

    ** https://code.google.com/p/chromium/i...tail?id=377165

    *** https://productforums.google.com/for...al/3siG0D2clb0[101-125-false]
    May 28, 2014

    Last edited by AplusWebMaster; 2014-05-30 at 03:00.

  3. #443 - AplusWebMaster (Adviser Team)

    Fake HMRC PDF malware, Flash exploit in-the-wild, Phish leads to Cryptolocker ...

    FYI...

    Fake HMRC Application – PDF malware
    - http://myonlinesecurity.co.uk/hmrc-a...e-pdf-malware/
    30 May 2014 - "HMRC Application – < your domain or company name > pretending to come from HMRC .gov.uk [application@ hmrc .gov.uk] is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers... The reference numbers amounts change in each email. Email reads:
    Please print this information, sign and send to application@ hmrc .gov.uk.
    Date Created: 30 May 2014
    Business name: thespykiller .co.uk
    Acknowledgement reference: 0220014
    VAT Registration Number is 0220014.
    Repayment of Input Tax
    Before the business starts to make taxable supplies they may provisionally claim repayment of VAT they are charged as input tax. The general rules about VAT, including Input Tax, Partial Exemption, are explained in VAT Notices 700 and 706, available on the HMRC website...
    Change of Circumstances
    If your client no longer intends to make taxable supplies, or there is any other change of circumstances affecting their VAT registration (including any delay in starting to make taxable supplies), they must notify HMRC within 30 days of the change...
    By law, your client must send their VAT returns to HMRC online and make any payments due electronically.
    Before they can submit VAT returns to HMRC online they’ll have to enrol for the VAT online service. Further information on how to do this can be found on the HMRC website
    If you will be completing and submitting the online VAT returns on your client’s behalf, you will have to enrol for the VAT for Agents online service and be authorised to act as their agent before you can do this...
    If you will be completing and submitting the online VAT returns on your client’s behalf, you will have to enrol for the VAT for Agents online service and be authorised to act as their agent before you can do this.
    To download a copy of the form, follow the link below...


    30 May 2014: Application_0220014.zip ( 8KB) Extracts to Application_05302014.scr
    Current Virus total detections: 2/53* . This HMRC Application is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/6...25f7/analysis/
    ___

    Exploit for Flash vuln targets users in Japan for financial info
    - http://www.symantec.com/connect/blog...al-information
    Updated: 30 May 2014 - "... research now indicates that the attacks are being performed on a massive scale and that the majority of them are focused on Japan. Back in April, CVE-2014-0515 was originally being exploited in watering-hole attacks against specific organizations or industries. Later in the same month, Adobe released a patch* for the vulnerability. However, just a few weeks later Symantec telemetry indicated that instead of the initial targets, the exploit was now being used to target a wider range of Internet users.
    > http://www.symantec.com/connect/site...Figure1_12.png
    ... more than 90 percent of the attacks exploiting the vulnerability are targeting Japanese users. The attacks are typically carried out through drive-by-download and leverage compromised legitimate websites to host malicious code. The websites then redirect traffic to a malicious site prepared by the attacker... Once the browsers are redirected to the malicious site, which has the IP address 1.234.35.42**, they render the exploit code that attempts to exploit CVE-2014-0515. If an older version of the software is installed on the computer, the attack will execute a series of malicious files to compromise the computer...
    Cumulative number of attacks on Japanese users:
    > http://www.symantec.com/connect/site.../Figure3_6.png
    Infostealer.Bankeiya.B monitors the Web browsers Google Chrome, Mozilla Firefox and Microsoft Internet Explorer. The Trojan gathers specific user data typically found in online banking transactions. The malware can also update itself, enabling it to target more banks and add more capabilities in order to perform additional malicious actions..."
    * https://helpx.adobe.com/security/pro...apsb14-13.html

    * https://web.nvd.nist.gov/view/vuln/d...=CVE-2014-0515 - 10.0 (HIGH)
    "... as exploited in the wild in April 2014..."
    > Most recent version:
    - https://helpx.adobe.com/security/pro...apsb14-14.html
    May 13, 2014 - "... Flash Player 13,0,0,214..."
    Available here: https://www.adobe.com/products/flash...ribution3.html

    >> https://www.adobe.com/software/flash/about/

    ** 1.234.35.42: https://www.virustotal.com/en/ip-add...2/information/
    Last: 2014-06-03

    - http://www.reuters.com/article/2014/...0EB02M20140531
    May 30, 2014 10:02pm EDT

    - http://blog.trendmicro.com/trendlabs...ts-japan-hard/
    June 2, 2014
    ___

    Fake Credit Card report - PDF malware
    - http://myonlinesecurity.co.uk/credit...e-pdf-malware/
    30 May 2014 - "Credit Card- Suspicious Recent Transactions is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email reads:
    Dear credit card holder,
    A recent review of your transaction history determined that your card was used in possible fraudulent transactions. For security reasons the requested transactions were refused.
    Please carefully review electronic report for your card. For more details please see the attached transaction report.
    Chauncey.Burton Data Protection Officer CREDIT AMERICA LIMITED 1 Sheldon Square New York W2 6WH (858)433-5208...


    30 May 2014: Credit_card_Report.zip (42kb) Extracts to Credit_card_Report.zip.scr
    Current Virus total detections: 0/53* . Analysis: This Credit Card- Suspicious Recent Transactions is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/b...7f27/analysis/
    ___

    Fake Electric Bill - Phish leads to Cryptolocker
    - https://isc.sans.edu/diary.html?storyid=18185
    Last Updated: 2014-05-30 13:44:46 UTC - "... Phishing e-mail... claims to come from "Energy Australia", an actual Australian utility company, and the link leads to: hxxp ://energymar .com/ data/ electricity/ view/get/ energy.php ?eid=[long number] . Note the somewhat plausible domain name (energymar .com). The actual domain name for Energy Australia is "www .energyaustralia .com.au". The first screen presented to the user asks the user to solve a very simple CAPTCHA. This is likely put in place to hinder automatic analysis of the URL:
    > https://isc.sans.edu/diaryimages/ima...21_55%20AM.png
    The layout of the page matches the original very well. Users are confronted with CAPTCHAs regularly in similar sites, so I doubt this will raise suspicion. Next, we are asked to download the file, again using a similar layout.
    > https://isc.sans.edu/diaryimages/ima...21_45%20AM.png
    The "bill" itself is a ZIP file that includes a simple ZIP file that expands to an EXE. Virustotal shows spotty detection 15/53*:
    * https://www.virustotal.com/en/file/a...f875/analysis/
    ... Once downloaded and unzipped, the malware presents itself as a PDF... as soon as the malware is launched, it does reveal its true nature:
    > https://isc.sans.edu/diaryimages/ima...49_22%20AM.png
    After launching the malware, the system connected via https to 151.248.118.193.( vps.regruhosting .ru )...."
    151.248.118.193
    - http://centralops.net/co/DomainDossier.aspx
    role: Reg.Ru Network Operations
    address: Russia, Moscow, Vassily Petushkova st., house 3, Office 326
    remarks: NOC e-mail: noc@ reg .ru
    remarks: User support: support@ reg .ru ...
    Information related to '151.248.118.0/24AS197695'...
    Diagnostic page for AS197695 (REGRU)
    - https://www.google.com/safebrowsing/...site=AS:197695
    "... over the past 90 days, 47 site(s)... served content that resulted in malicious software being downloaded and installed without user consent... The last time Google tested a site on this network was on 2014-05-30, and the last time suspicious content was found was on 2014-05-30..."
    ___

    New Trojan compiled from Zeus and Carberp ...
    - http://atlas.arbor.net/briefs/index#424058024
    29 May 2014
    Source: http://securityintelligence.com/new-...s-zbot-carberp
    Analysis: It is not uncommon for attackers to take pieces of code from various malware, creating new variants of known threats. In particular, when source code of popular Trojans like Zeus and Carberp leaks, new variants quickly begin to appear, contributing to the rapidly evolving threat landscape. As antivirus solutions may -lag- behind newer forms of malware, additional security measures are needed to help detect such threats.

    Last edited by AplusWebMaster; 2014-06-03 at 13:45.

  4. #444 - AplusWebMaster (Adviser Team)

    Fake British Airways SPAM, Ransomware 4096...

    FYI...

    Fake British Airways SPAM ...
    - http://www.hoax-slayer.com/british-a...-malware.shtml
    June 2, 2014 - "Email purporting to be from British Airways claims that your flight ticket has not been activated and asks you to open an attached file and fill in a form to complete the ticket activation... The email is -not- from British Airways. The attached .zip file hides a .exe file that, if opened, could install information-stealing malware on your computer...
    > http://www.hoax-slayer.com/images/br...-malware-1.jpg
    ... The emails claim that your British Airways flight ticket has not yet been activated and advise you to open an attached file to complete a ticket activation form. The emails also claim that you can cancel your flight and request a refund via the attached form... The emails have no connection to British airways. If you open the attached .zip file, you will find a .exe file hidden inside. Opening this .exe file can install malware on your computer. Once installed, the malware may collect your passwords and other sensitive personal data and send it to online criminals. It may also download and install further malware and allow criminals to control your computer... In recent years, similar malware campaigns have used the names of several airlines, including Delta Airlines, American Airlines, and Qantas... do not open any attachments that it contains. Do not click any links in the email..."
    ___

    Molerats, here for Spring
    - http://www.fireeye.com/blog/technica...or-spring.html
    June 2, 2014 - "Between 29 April and 27 May, FireEye Labs identified several new Molerats attacks targeting at least one major U.S. financial institution and -multiple- European government organizations... Molerats activity has been tracked and expanded to a growing target list, which includes:
    Palestinian and Israeli surveillance targets
    Government departments in Israel, Turkey, Slovenia, Macedonia, New Zealand, Latvia, the U.S., and the UK
    The Office of the Quartet Representative
    The British Broadcasting Corporation (BBC)
    A major U.S. financial institution
    Multiple European government organizations
    Previous Molerats campaigns have used several garden-variety, freely available backdoors such as CyberGate and Bifrost, but, most recently, we have observed them making use of the PIVY and Xtreme RATs. Previous campaigns made use of at least one of three observed -forged- Microsoft certificates, allowing security researchers to accurately tie together separate attacks even if the attacks used different backdoors. There also appears to be a habitual use of lures or decoy documents – in either English or Arabic-language – with content focusing on active conflicts in the Middle East. The lures come packaged with malicious files that drop the Molerats’ flavor of the week..."
    ___

    Ransomware now uses Windows PowerShell
    - http://blog.trendmicro.com/trendlabs...ws-powershell/
    Jun 1, 2014 - "... We recently encountered another variant that used the Windows PowerShell feature in order to encrypt files. This variant is detected as TROJ_POSHCODER.A. Typically, cybercriminals and threat actors have used Windows Powershell to go undetected on an affected system, making detection and analysis harder... in this case, using PowerShell made it easier to detect as this malware is also hardcoded... Since it uses Powershell, TROJ_POSHCODER.A is script-based, which is not common for ransomware. It uses AES to encrypt the files, and RSA4096 public key cryptography to exchange the AES key. When executed, it adds registry entries, encrypts files, and renames them to (unknown).POSHCODER. It also drops UNLOCKYOURFILES.html into -every- folder. Once all files on the infected system are encrypted, it displays the following image:
    Instructions on how users can -supposedly- retrieve their files
    > http://blog.trendmicro.com/trendlabs...poshcoder1.png
    Once users followed the instructions stated in the ‘ransom note,’ they will see the image below informing them to install the Multibit application that will allow them to have their own Bitcoin-wallet account for 1 Bitcoin. When they purchase the application, they are instructed to submit the form that contains information like email address, and BTC address and ID. Users will supposedly get the decryptor that will help encrypt the files.
    Users need to fill this form...
    > http://blog.trendmicro.com/trendlabs...poshcoder2.png
    ... POSHCODER uses English for its ransom notes and primarily affects users in the United States..."
    ___

    USPS Spam delivering Asprox variant
    - http://research.zscaler.com/2014/05/...k-variant.html
    May 29, 2014 - "UPDATE: The botnet which is described here is called 'Asprox'. I've compared research with that seen from StopMalvertising*... Recent email spam has begun taking advantage of users' need to snail mail something. The attacker will forward a message supposedly from USPS in order to get victims to click on a link purported to be a shipping receipt, which actually leads to a malicious file. If the user is unfortunate enough to click the link in the spam mail, a zip file containing a variant of Asprox is downloaded.
    > https://2.bp.blogspot.com/-Hkt85w-JU...p_download.png
    Once the file makes its way onto the desktop, it feigns a document icon in order to trick the user into thinking it is safe to view. This is actually the malicious executable... VirusTotal scans**... Attackers are leveraging nonstandard HTTP ports in order to bypass some security solutions."
    * http://stopmalvertising.com/malware-...on-scheme.html

    ** https://www.virustotal.com/en/file/9...0416/analysis/

    Last edited by AplusWebMaster; 2014-06-02 at 14:04.

  5. #445 - AplusWebMaster (Adviser Team)

    Fake email “Balance sheet” contains malicious .scr...

    FYI...

    Fake email with “Balance sheet” contains malicious .scr file
    - http://blog.mxlab.eu/2014/06/03/emai...sheet_pdf-zip/
    June 3, 2014 - "... intercepted a new trojan distribution campaign by email with the subject “Balance sheet”. This email is sent from the spoofed address and has the following short body:

    Please save the attached file to your hard drive before deleting this message. Thank you.

    The attached ZIP file has the name Balance_sheet_pdf.zip and contains the XXX kB large file Balance_sheet_pdf.scr. The trojan is known as Trojan.Ranapama.AU, W32/Trojan.APUP-2842, W32/Trojan3.INJ, HEUR/Malware.QVM20.Gen or Trojan.Cryptodefense. At the time of writing, 12 of the 51 AV engines did detect the trojan at Virus Total. Use the Virus Total permalink* and Malwr permalink** for more detailed information..."
    * https://www.virustotal.com/en/file/d...17d3/analysis/

    ** https://malwr.com/analysis/YTdmMWQwM...I1Y2Q1MTFiZGQ/

    78.110.175.80: https://www.virustotal.com/en/ip-add...0/information/

    85.214.32.141: https://www.virustotal.com/en/ip-add...1/information/

    Last edited by AplusWebMaster; 2014-06-03 at 14:14.

  6. #446 AplusWebMaster

    Fake Amazon SPAM, FTC actions, Facebook scam, China attacks Google ...

    FYI...

    Fake Amazon SPAM / order.zip
    - http://blog.dynamoo.com/2014/06/amaz...-orderzip.html
    4 June 2014 - "This fake Amazon spam has a malicious attachment:

    Screenshot: https://4.bp.blogspot.com/-q9c7GWP-3...00/amazon3.png

    Attached to the spam is an archive file order.zip which in turn contains a malicious executable order_id_26348273894729847239.exe which has a VirusTotal detection rate of 4/51*. Automated analysis tools... shows the malware altering system files and creating a -fake- csrss.exe and svhost.exe to run at startup. The malware also attempts to phone home to two IP addresses at 91.226.212.32 and 193.203.48.37 hosted in Russia but controlled by a Ukrainian person or entity PE Ivanov Vitaliy Sergeevich. These network blocks are well-known purveyors of crapware, and I recommend that you block the following:
    91.226.212.0/23
    193.203.48.0/22"
    * https://www.virustotal.com/en-gb/fil...is/1401876273/

    Diagnostic page for AS48031 (XSERVER-IP-NETWORK-AS)
    - https://www.google.com/safebrowsing/...?site=AS:48031
    "Of the 1782 site(s) we tested on this network over the past 90 days, 26 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2014-06-03, and the last time suspicious content was found was on 2014-06-03... Over the past 90 days, we found 6 site(s)... that appeared to function as intermediaries for the infection of 15 other site(s)..."
    ___

    Targeted Attack exploits - Japan ...
    - http://blog.trendmicro.com/trendlabs...vulnerability/
    June 4, 2014 - "... We recently uncovered a targeted attack campaign we dubbed as “ANTIFULAI” that targets both government agencies and private industries in Japan... Like many targeted attacks, ANTIFULAI uses several emails as entry vectors to get the attention of its would-be targets. In this particular case, the detected email posed as a job application inquiry with which a JTD file (Ichitaro RTF format) is attached. However, this file exploits an Ichitaro vulnerability (CVE-2013-5990*) detected as TROJ_TARODROP.FU. When exploited, this vulnerability allows arbitrary code to run on the infected system that is used to drop malicious files. The final payload is a backdoor detected as BKDR_FULAIRO.SM. Once run, this backdoor gathers the list of running processes, steals information, and downloads and executes files. The presence of the following files indicates the presence of this malware:
    %Startup%\AntiVir_Update.URL
    %Temp%\~Proc75c.DAT
    Unusually, this malware “hides” its targets in the URL it uses to contact its command-and-control (C&C) servers. Threat actors can easily see if the targeted organization has been breached by checking the said URL... Network traffic is one of the ways IT administrators can check if their network has been hit by targeted attacks. This is why it is crucial for enterprises and large organizations to build threat intelligence capabilities. With these tools available to them, IT administrators can break a targeted attack cycle before it reaches the data exfiltration stage. In addition, enterprises are advised to regularly update their systems and applications as a security step in mitigating targeted attacks because old vulnerabilities are typically used in order to infiltrate a network..."
    * https://web.nvd.nist.gov/view/vuln/d...=CVE-2013-5990 - 9.3 (HIGH)
    ___

    FTC charges - selling Bogus Debt Relief Services ...
    - http://www.ftc.gov/news-events/press...elief-services
    June 3, 2014 - "The Federal Trade Commission charged an Irvine, California-based scheme with billing consumers as much as $10,000 after making deceptive claims that it would provide legal advice, settle consumers’ debts, and repair their credit in three years or less. Instead, the scheme often left consumers in financial ruin, the agency charged. The FTC alleged that the DebtPro 123 LLC defendants told consumers to stop paying and communicating with their creditors. As a result, although consumers hired the defendants in hopes of improving their financial situation, their debt often increased, causing them to lose their homes, have their wages garnished, lose their retirement savings, or file for bankruptcy, according to the complaint. Although the defendants promised to refund unsatisfied customers, they rarely did... Ringleader Bryan Taylor and three other individuals, along with DebtPro 123 and five other companies marketed their -bogus- debt relief services through telemarketing calls, website ads, promotional videos and marketing companies that acted as lead generators, according to the complaint. Promising that in as little as 18 months consumers could “become debt free and enjoy financial independence,” the defendants claimed their “Legal Department” would “leverage their existing relationships with all of the major creditors to negotiate the best possible resolution.” The defendants claimed that consumers could reduce the amount they owed by 30 to 70 percent. The complaint alleges that the defendants violated the Federal Trade Commission Act, the Telemarketing Sales Rule, and the Credit Repair Organizations Act, not only through their -false- promises, but also by providing their affiliate marketing companies with -deceptive- materials to deceive consumers and by collecting an advance fee for their bogus debt relief services. For more information about how to handle robocalls and debt relief offers, see Robocalls*, and Avoiding Debt Relief Scams**..."
    * http://www.consumer.ftc.gov/features...0025-robocalls

    ** http://www.consumer.ftc.gov/blog/avo...t-relief-scams

    FTC Summary - 2013 Financial Acts Enforcement and Related Research ...
    - http://www.ftc.gov/news-events/press...cement-related
    June 3, 2014
    ___

    Fake Facebook - Big W pages - "Prizes for Sharing"
    - http://www.hoax-slayer.com/big-w-fac...axy-scam.shtml
    June 3, 2014 - "Facebook pages claiming to be associated with Australian department store chain Big W, advise users that they can win Dell computers, Samsung Galaxy phones, or other expensive prizes just by liking and sharing page posts... are -scams- and are -not- associated with Big W in any way. The -fake- pages are designed to gather large numbers of page likes and to trick users into participating in -bogus- online surveys. There are -no- prizes... do not like, share or comment on it... do -not- click any links that it contains. Example:
    > http://www.hoax-slayer.com/images/bi...axy-scam-2.jpg
    ... Some versions also ask users to click a link to claim their prize... You can help by reporting scam pages to Facebook..."
    ___

    China escalating attack on Google
    - http://www.nytimes.com/2014/06/03/bu...-heats-up.html
    June 2, 2014 - "The authorities in China have made Google’s services largely inaccessible in recent days, a move most likely related to the government’s broad efforts to stifle discussion of the 25th anniversary of the crackdown on pro-democracy demonstrators in Tiananmen Square on June 3 and 4, 1989. In addition to Google’s search engines being blocked, the company’s products, including Gmail, Calendar and Translate, have been affected..."
    - http://www.reuters.com/article/2014/...0EF0CA20140604
    Jun 4, 2014
    - http://www.reuters.com/video/2014/06...eoId=313180863
    Video 1:20

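Added example (not part of AplusWebMaster's post or the quoted Dynamoo article): a small checker that runs outbound connection records against the two network blocks the article recommends blocking, so an administrator can see which internal hosts already talked to them. The log line format and the log lines themselves are constructed for this example.

```python
"""Flag outbound connections to blocklisted CIDR ranges.

Added example, not code from the forum or the quoted blog. The two ranges are
the ones named in the Dynamoo post; the log format ("timestamp src dst port
action") and the sample lines are constructed assumptions for this example.
"""
import ipaddress
import re

BLOCKLIST = [
    ipaddress.ip_network("91.226.212.0/23"),   # 91.226.212.0 - 91.226.213.255
    ipaddress.ip_network("193.203.48.0/22"),   # 193.203.48.0 - 193.203.51.255
]

# Constructed sample firewall log, not real traffic.
SAMPLE_LOG = """\
2014-06-04T10:01:12Z 10.0.0.15 91.226.212.32 80 ALLOW
2014-06-04T10:01:13Z 10.0.0.15 193.203.48.37 8080 ALLOW
2014-06-04T10:02:44Z 10.0.0.22 93.184.216.34 443 ALLOW
2014-06-04T10:03:01Z 10.0.0.15 91.226.214.1 80 ALLOW
2014-06-04T10:03:05Z 10.0.0.31 193.203.51.255 80 ALLOW
2014-06-04T10:03:09Z 10.0.0.31 not.an.ip 80 DENY
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<port>\d+)\s+(?P<action>\S+)$"
)


def match_blocklist(ip_str, blocklist=BLOCKLIST):
    """Return the first blocklisted network containing ip_str, else None."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:          # hostnames or garbage never match
        return None
    for net in blocklist:
        if ip.version == net.version and ip in net:
            return net
    return None


def find_blocked(log_text, blocklist=BLOCKLIST):
    """Return (src, dst, network) for every line whose destination is blocklisted."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        net = match_blocklist(m["dst"], blocklist)
        if net is not None:
            hits.append((m["src"], m["dst"], str(net)))
    return hits


def group_by_source(hits):
    """Map each internal source to the blocklisted destinations it contacted."""
    grouped = {}
    for src, dst, _net in hits:
        grouped.setdefault(src, []).append(dst)
    return grouped


if __name__ == "__main__":
    for src, dsts in group_by_source(find_blocked(SAMPLE_LOG)).items():
        print(f"{src} contacted blocklisted addresses: {', '.join(dsts)}")
```

The version check before `ip in net` keeps IPv6 destinations from raising when the blocklist mixes address families; in the sample, 91.226.214.1 sits just outside the /23 and is correctly left alone.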

  7. #447 AplusWebMaster

    Fake Netflix phish, FIFA Scam ...

    FYI...

    Fake Netflix Cancellation - phish
    - http://www.hoax-slayer.com/netfix-ac...ing-scam.shtml
    June 5, 2014 - "Message purporting to be from video streaming service Netflix claims that, due to a payment issue, your account will be cancelled unless you click a link and update credit card details. The message is a phishing scam and Netflix did -not- send it. Clicking the link will take you to a fake Netflix website that asks for login credentials, credit card details, and other personal information. This information will be collected by criminals and used for credit card fraud and identity theft. Example:
    > http://www.hoax-slayer.com/images/ne...ing-scam-1.jpg
    Like many other users, you may have recently received an account cancellation message claiming to be from online video streaming service Netflix. The message claims that, because of a problem processing your credit card, you must click a link to update card details to keep your account active. However, the message is -not- from Netflix and you do -not- need to update credit card details as claimed. The message is a typical phishing scam..."
    ___

    Fake email Fax msg - leads to malicious file on Dropbox
    - http://blog.mxlab.eu/2014/06/05/emai...le-on-dropbox/
    June 5, 2014 - "... new trojan distribution campaign by email with the subject “Fax Message at 2014-05-06 08:55:55 EST”. This email is sent from the spoofed address “Fax Message <message@ inbound .efax .com>” and has the following body:

    Screenshot: http://img.blog.mxlab.eu/2014/201406...message_j2.gif

    The embedded URL leads to hxxps ://www .dropbox .com/meta_dl/**SHORTENED**
    The downloaded ZIP file has the name Fax-932971.zip and contains the 146 kB large file Fax-932971.scr. The trojan is known as PE:Malware.XPACK-HIE/Heur!1.9C48. At the time of writing, only 1 of the 51* AV engines did detect the trojan at Virus Total so this is a potential risk. Use the Virus Total permalink* and Malwr permalink** for more detailed information..."
    * https://www.virustotal.com/en/file/0...is/1401979986/

    ** https://malwr.com/analysis/NjllNWZjZ...QzNmY4NzkyOTc/

    192.64.115.91: https://www.virustotal.com/en/ip-add...1/information/
    5/52 2014-06-09 01:05:06 http ://newsbrontima .com/hcgaryuo4nuf
    4/52 2014-06-08 09:42:07 http ://newsbrontima .com/
    6/52 2014-06-07 11:18:52 http ://newsbrontima .com/9j3yr9i7zw477
    6/52 2014-06-07 11:18:45 http ://newsbrontima .com/a98n76ah7609y
    6/52 2014-06-07 11:18:44 http ://newsbrontima .com/z7ekevxgm20zdz

    - http://centralops.net/co/DomainDossier.aspx
    192.64.115.91
    Registrar URL: http://www.godaddy.com
    Registrar Abuse Contact Email: abuse@godaddy.com
    Registrant Name: Registration Private - ?
    Registrant Organization: Domains By Proxy, LLC
    Registrant City: Scottsdale
    Registrant State/Province: Arizona ..

    efax Spam Containing Malware
    - https://isc.sans.edu/diary.html?storyid=18225
    2014-06-08
    > https://isc.sans.edu/diaryimages/ima...%20Message.PNG

    - http://www.efax.com/privacy?tab=reportSpam
    ___

    Hacking Apple ID?
    - http://blog.trendmicro.com/trendlabs...king-apple-id/
    June 5, 2014 - "... Apple’s 2014 Worldwide Developers Conference (WWDC) this week was welcome news to the throngs of Apple developers and enthusiasts. It was also welcome news for another group of people with less than clean motives: cybercriminals... How could users recover from this attack? One way would be to restore a backup from iTunes. Unfortunately, many – perhaps even most – iPhone users are not particularly fastidious about backing up. One could try restoring from iCloud as well, but that would involve logging in with the user’s Apple ID account – which has been compromised by this very attack. As in any case where a user’s account has been compromised, recovery can be very difficult. We will likely see more attacks trying to steal Apple ID moving forward. For example, we can see routers** with malicious DNS settings being used in man-in-the-middle attacks to try and steal credentials. Phishing attacks may increase as well. The value of a stolen Apple ID can only go up as more and more information is placed in it by users... Our advice is similar to those for any other credential that needs to be protected:
    - Don’t reuse your password.
    - Use a secure password/passphrase.
    - Enable security features like two-factor authentication, if possible.
    To be fair, some of these steps are harder to perform on a mobile device than a desktop or laptop. Entering a long password may be hard without a password manager (like DirectPass*), for example. Despite this increased difficulty, it has to be done: it is now clear that mobile device credentials – like Apple ID – are a valuable target for cybercriminals..."
    * https://itunes.apple.com/us/app/dire...598904988?mt=8

    ** http://blog.trendmicro.com/trendlabs...-turn-hostile/

    iCloud: https://www.apple.com/icloud/setup/ios.html
    ___

    dedicatedpool .com.. spam or Joe Job?
    - http://blog.dynamoo.com/2014/06/dedi...r-joe-job.html
    5 June 2014 - "... received a number of spam emails mentioning a Bitcoin mining website dedicatedpool .com, subjects spotted are:
    Subject: Bitcoins are around you - don't miss the train!
    Subject: Dedicatedpool .com business proposal (Save up on taxes)
    Subject: Make money with darkcoin and bitcoin now! ...
    ... the pattern of the spam looks like a Joe Job* rather than some horribly misguided attempt to market the website. There are several signs that make it look like someone is trying to cause trouble for the site operators:
    1. The spam was sent repeatedly to a spamcop.net address, the type of address that would have a high probability of filing an abuse report. I call this a "reverse listwash".
    2. The spam mentions the established dedicatedpool.com website repeatedly (rather than using some sort of redirector) but the originating IPs appear to be from an illegal botnet (see note 1). The use of a botnet indicates a malicious intent.
    3. Spammers don't tend to include personal details of any sort in their messages, but the inclusion of "Ryan" (who does genuinely appear to be the administrator) seems suspicious.
    In my opinion, the balance of probabilities is that this is not sent out by dedicatedpool .com themselves, but is sent out by someone wanting to disrupt their business.
    Note 1: I have seen the following IPs as originating the spam..
    188.54.89.107
    92.83.156.130
    31.192.3.89
    37.99.127.11
    87.109.78.213"
    * https://en.wikipedia.org/wiki/Joe_job
    ___

    Scammers bait users with FIFA Coins
    - http://blog.malwarebytes.org/fraud-s...th-fifa-coins/
    June 4, 2014 - "To all gamers and enthusiasts of FIFA 14: Please be wary of sites claiming to generate coins for you for nothing. As the saying goes — If it sounds too good to be true, it probably is. Recently, we found one such site: fifa14cheats(dot)cheathacktool(dot)com.
    > http://cdn.blog.malwarebytes.org/wp-...ksforemail.png
    Once visited, it asks for an email address, and then, if provided, lets users decide on how many coins they want handed to them.
    > http://cdn.blog.malwarebytes.org/wp-.../03-finito.png
    After users press “Finish Hack”, they are then presented with a survey -scam- that, as we may already know, will eventually lead to zero coins. There are -still- users who do not know this and had to find out the hard way unfortunately..."


  8. #448 AplusWebMaster

    Fake Invoice xls malware, Malvertising ...

    FYI...

    Fake Invoice - xls malware
    - http://myonlinesecurity.co.uk/june-i...e-xls-malware/
    6 June 2014 - "June Invoice with a subject line of inovice <random number> June is another one from the current bot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers... Note the spelling mistake in the subject line of the email inovice 9667444 June rather than invoice. Email simply says:

    This email contains an invoice file attachment

    6 June 2014: invoice_9667444.zip (49kb): Extracts to June_invoice_7846935978.xls.exe
    Current Virus total detections: 1/51*
    This June Invoice is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper xls (Microsoft Excel spreadsheet) file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/f...58a7/analysis/
    ___

    Malicious major website ads lead to ransomware
    Cisco said the attacks can be traced to advertisements on Disney, Facebook and The Guardian newspaper
    - http://www.computerworld.com/s/artic..._to_ransomware
    June 6, 2014 - "Malicious advertisements on domains belonging to Disney, Facebook, The Guardian newspaper and others are leading people to malware that encrypts a computer's files until a ransom is paid, Cisco Systems has found*... Cisco's investigation unraveled a technically complex and highly effective way for infecting large numbers of computers with ransomware, which it described in detail on its blog*... The company noticed that it was blocking requests to 90 domains, many of those WordPress sites, for more than 17 percent of its CWS customers... many of the CWS users were ending up on those domains after viewing advertisements on high-traffic domains such as "apps.facebook .com," "awkwardfamilyphotos .com," "theguardian .co.uk" and "go .com," a Disney property, among many others. Certain advertisements that appeared on those domains, however, had been tampered with. If clicked, they redirected victims to one of the 90 domains. The style of attack, known as "malvertising," has long been a problem. Advertising networks have taken steps to try and detect malicious advertisements placed on their network, but the security checks aren't foolproof... The 90 domains the malicious advertisements pushed traffic to had also been hacked..."
    * https://blogs.cisco.com/security/rig...it-strikes-oil
    June 5, 2014 - "... we have seen RIG using malvertising to perform a drive-by attack on visitors to high profile, legitimate websites. This accounts for the high amount of traffic we have seen in the last month... Requests for RIG landing pages April 24 - May 22:
    > http://blogs.cisco.com/wp-content/up...rt-550x314.png
    ___

    Fake Pirate Bay uses tricks to push PUS
    - http://www.f-secure.com/weblog/archives/00002711.html
    June 6, 2014 - "This is piratebay.com
    > http://www.f-secure.com/weblog/archi...atebay_com.png
    It's a cheap knockoff imitation of The Pirate Bay*. If you "search" for something — you'll be offered a custom named executable to download. Buried at the bottom of the page is this disclaimer:
    > http://www.f-secure.com/weblog/archi...disclaimer.png
    "Additional software may be offered to you"? Yeah… indeed it will. And the "decline" button is white text on gray on more gray. Very duplicitous.
    > http://www.f-secure.com/weblog/archi..._discovery.png
    In all, several applications are installed. Given the target audience, this probably takes advantage of kids. Lame. To be avoided..."
    * http://en.wikipedia.org/wiki/The_Pirate_Bay
    ___

    Preying on Insecurity: Placebo Applications ...
    - http://www.fireeye.com/blog/technica...mazon-com.html
    June 4, 2014 - "FireEye mobile security researchers recently uncovered, and notified Google and Amazon to take down, a series of anti-virus and security configuration apps that were nothing more than scams. Written easily by a thieving developer with just a few hundred lines of code then covered with a facade of images and progress bars, the seemingly useful apps for Android’s operating environment charge for installation and upgrade but do nothing. In other words, placebo applications. Fortunately all the applications have been removed from the Google Play store due to our discovery. Up to 50,000 downloads in some cases, these -fake- apps highlight how cybercriminals are exploiting the security concerns consumers have about the Android platform. In this case, we found five (!) fake antivirus apps that do nothing other than take a security-conscious user’s money, leave them unprotected from mobile threats, and earn a criminal thousands of dollars for little work... the paid versions of the apps were available for Google Play customers outside the US and UK, while users in the UK and US could choose the free versions with in-app upgrade options. Also available in third party markets such as appbrain.com[1] and amazon.com[2], the fraudulent apps ranged in price from free to $3.99. The applications included:
    Anti-Hacker PLUS (com.minaadib.antihackerplus) Price $3.99
    JU AntiVirus Pro (com.minaadib.juantiviruspro) Price $2.99
    Anti-Hacker (com.minaadib.antihacker) Free
    Me Web Secure (com.minaadib.mewebsecurefree) Free
    Me Web Secure Pro (com.minaadib.mewebsecure) Price $1.99
    Taking full advantage of the legacy, signature-based approach mobile antivirus apps have adopted, that makes it hard for a user to tell if it really is working, total charges for these “security” apps ran into the thousands of US dollars in the Google Play store alone. This old security model puts users relying on such applications at risk, either because it incites them to download apps that simply don’t have functionality – as we see in this case – or they don’t provide adequate protection against today’s threats. Ultimately, users simply cannot tell when they are protected..."
    ___

    Six governments tap Vodafone calls
    - http://www.reuters.com/article/2014/...0EH0UK20140606
    Jun 6, 2014 - "The world's second-biggest mobile phone company Vodafone revealed government agencies in six unidentified countries use its network to listen to and record customers' calls, showing the scale of telecom eavesdropping around the world... While most governments needed legal notices to tap into customers' communications, there were six countries where that was not the case, it said... Vodafone did not name the six for legal reasons... The Vodafone report, which is incomplete because many governments will not allow it to disclose requests, also linked to already-published national data which showed Britain and Australia making hundreds of thousands of requests. It showed that of the countries in which it operates, EU member Italy made the most requests for communication data. Germany, which expressed outrage when it was revealed last year that U.S. intelligence services had listened into the calls of Angela Merkel, also made requests to listen in to conversations and collect the data around them, such as where the calls were made and how long they lasted. Vodafone received no requests from the government of the United States because it does not have an operating licence there. It exited a joint mobile venture with Verizon last year..."


  9. #449 AplusWebMaster

    Fake ACH, Invoice SPAM, Barclays phish ...

    FYI...

    Fake ACH report – PDF malware
    - http://myonlinesecurity.co.uk/ach-tr...e-pdf-malware/
    9 June 2014 - "ACH transaction failure report is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers...

    ACH PAYMENT REJECTED
    The ACH Transaction (ID: 78751236216395), recently sent from your savings account (by you or any other person), was REJECTED by other financial institution.
    Rejection Reason: See details in the acttached report.
    Transaction Report: report_78751236216395.pdf (Adobe Reader PDF)
    13450 Sunrise Valley Drive, Suite 100
    Herndon, VA 20171
    2014 NACHA – The Electronic Payments Association


    9 June 2014: report_78751236216395.zip (310kb): Extracts to report_46240876034052.scr
    Current Virus total detections: 10/52*. This ACH transaction failure report is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/6...cd2d/analysis/
    ___

    Fake inovice 2110254 SPAM
    - http://blog.dynamoo.com/2014/06/inov...june-spam.html
    9 June 2014 - "This terse but badly-spelled spam has a malicious attachment:
    Date: Mon, 09 Jun 2014 18:03:10 +0530 [08:33:10 EDT]
    From: Ladonna Gray [wtgipagw@ airtelbroadband .in]
    Subject: inovice 2110254 June
    This email contains an invoice file attachment


    Attached is an archive file invoice_2110254.zip which in turn contains the malicious executable invoice_98372342598730_pdf.exe which has a VirusTotal detection rate of 4/52*. Automated analysis tools are not able to determine exactly what the malware does."
    * https://www.virustotal.com/en-gb/fil...is/1402318500/
    ___

    Barclays Phish - “For Security Purposes, Your Account has been Locked”
    - http://blog.malwarebytes.org/fraud-s...arclays-phish/
    June 9, 2014 - "... simple phishing email currently in circulation which claims to be from Barclays:
    > http://cdn.blog.malwarebytes.org/wp-...laysphish0.jpg
    It reads:
    For security purposes, your online account has been locked.
    To restore your account, please click : Sign into My Barclays Account and proceed with the verification process.


    Clicking the link will take the victim to a page most likely hosted on a compromised website.
    > http://cdn.blog.malwarebytes.org/wp-...aysphish11.jpg
    It asks for name, 5 digit passcode, DOB, telephone passcode, account number, sort code and debit card number. After filling in the relevant information and sending it to the phisher, the victim is redirected to a (legitimate) Barclays page about mortgages. If you or someone you know falls for this one, be sure to contact your bank as soon as possible so they can take the appropriate action. Phishing emails tend to have a little more effort put into them than this one, but the -fake- Barclays page is about as good as any other in terms of looking like the real thing. As always, avoid."
    ___

    - http://msmvps.com/blogs/bradley/arch...n-android.aspx
    Jun 8, 2014 - "... The best patching tool is still the human brain. Did you expect that email? Is it wise to open that attachment?
    The bad guys know we have a hard time patching the human."
    S. Bradley


  10. #450 AplusWebMaster

    Fake Company Tax Return, Dropbox malware, KULUOZ SPAM...

    FYI...

    Fake Company Tax Return – PDF malware
    - http://myonlinesecurity.co.uk/compan...e-pdf-malware/
    10 June 2014 - "Company Tax Return – CT600_4938297 June is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers... Email reads:

    This email contains an Company Tax Return form file attachment

    10 June 2014: invoice_4938297.zip (55kb) Extracts to CT600_june_4323432432.pdf.exe
    Current Virus total detections: 1/52*. This Company Tax Return – CT600_4938297 June is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/6...e389/analysis/
    ___

    Fake Voice mail SPAM - downloads malware from Dropbox
    - http://blog.dynamoo.com/2014/06/you-...mail-spam.html
    10 June 2014 - "Another -fake- voice message spam, and another malware attack downloading from Dropbox.
    From: Microsoft Outlook [no-reply@ victimdomain]
    Date: 10 June 2014 15:05
    Subject: You have received a voice mail
    You received a voice mail : VOICE437-349-3989.wav (29 KB)
    Caller-Id: 437-349-3989
    Message-Id: U7C7CI
    Email-Id: [redacted]
    Download and extract the attachment to listen the message.
    We have uploaded fax report on dropbox, please use the following link to download your file:
    https ://www.dropbox .com/meta_dl/eyJzdWJfcGF0aCI6ICIiLCAidGVzdF9saW5rIjogZmFsc2UsICJzZXJ2ZXIiOiAiZGwuZHJvcGJveHVzZXJjb250ZW50LmNvbSIsICJpdGVtX2lkIjogbnVsbCwgImlzX2RpciI6IGZhbHNlLCAidGtleSI6ICIxeWEwMGx3enQ1aWdpOXEifQ/AANABss7_JqczoocZG5p_SjA659fq_BNbEs6hyC4CqDuBA?dl=1
    Sent by Microsoft Exchange Server


    The link downloads a file VOICE-864169741-28641.zip which in turn contains a malicious executable VOICE-864169741-28641.scr which has a VirusTotal detection rate of 4/52*. Automated analysis... indicates that it downloads files from the following domains:
    newsbrontima .com
    yaroshwelcome .com
    granatebit .com
    teromasla .com
    rearbeab .com"
    * https://www.virustotal.com/en-gb/fil...is/1402407401/

    Dropbox phishing: Cryptowall, Bitcoins, and You
    - http://phishme.com/inside-look-dropb...tcoins/#update
    Updated June 10 - "... the attackers have changed their tactics... the email is disguised as a voicemail notification..."
    - http://phishme.com/beware-phishing-e...dropbox-links/
    June 2, 2014
    ___

    News Headlines for KULUOZ SPAM ...
    - http://blog.trendmicro.com/trendlabs...pam-campaigns/
    June 10, 2014 - "Last April, we reported a KULUOZ spam campaign using the South Korean ferry sinking tragedy... a malware that is distributed by the Asprox botnet. It can download certain strains of FAKEAV and ZACCESS malware onto the affected system, as well as have the potential to turn that system into a part of the Asprox botnet itself... Now it appears that the spam campaign is still going strong, with the cybercriminals behind the attack leveraging headlines from major news outlets... How they leverage the headlines themselves is relatively simple, and typical of a spam attack: they copy the headline and part of the news article from the news website and implement it into the mail itself, in order to make itself look legitimate to the user as well as bypass spam filters. It seems that this malware also used CNN and BBC News as sources of news clip snippets, incorporated in their spam runs.
    KULUOZ spam sample with “Knife attack at South China Station”
    > http://blog.trendmicro.com/trendlabs...9comment01.jpg
    ... we found that the spam email itself retains the previous template of shipping notifications, including that of Fedex and United States Postal Service.
    KULUOZ spam sample with “Thai Coup news item”
    > http://blog.trendmicro.com/trendlabs...9comment02.jpg
    ... this may seem like a typical spam run that takes news headlines in order to bypass spam filters (as well as trick users into reading them), it’s to note that the malware being used can compromise the security of unsecured systems should it be allowed to take root. The continued use of news headlines is also something to bear in mind, in that it is proof that as long as there is news to talk about, there will be threats that take advantage of them..."

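Added example (not code from AplusWebMaster's posts or from any of the blogs quoted in them): a mail-gateway style triage that applies the checks the last several posts keep coming back to. It flags .scr/.exe attachments named like documents (Balance_sheet_pdf.scr in #445, CT600_june_4323432432.pdf.exe in #450), a PE header hiding behind a document extension, and direct-download links on file-sharing hosts of the kind used by the fax spam in #447 and the voice-mail spam in #450. The host list is a policy assumption, and the sample archive and message body are constructed for the example rather than taken from any real sample.

```python
"""Mail-gateway style triage of attachments and links.

Added example, not code from the forum or the quoted blogs. The sharing-host
list is an assumption; the sample ZIP and body below are constructed.
"""
import io
import re
import zipfile
from urllib.parse import parse_qs, urlparse

EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "js", "vbs"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "wav"}
SHARING_HOSTS = {"www.dropbox.com", "dropbox.com", "dl.dropboxusercontent.com"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def classify_filename(name):
    """Return the reasons a filename looks like a disguised executable."""
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    reasons = []
    if len(parts) < 2 or parts[-1] not in EXECUTABLE_EXTS:
        return reasons
    ext = parts[-1]
    reasons.append(f"executable extension .{ext}")
    # June_invoice_7846935978.xls.exe: a document extension right before the real one
    if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTS:
        reasons.append(f"double extension .{parts[-2]}.{ext}")
    # Balance_sheet_pdf.scr: the document type is baked into the stem instead
    stem = ".".join(parts[:-1])
    for doc in DOCUMENT_EXTS:
        if stem.endswith("_" + doc) or stem.endswith("-" + doc):
            reasons.append(f"document name '{doc}' on a .{ext} file")
            break
    return reasons


def sniff_type(data):
    """Identify content by magic bytes instead of trusting the extension."""
    if data[:2] == b"MZ":
        return "pe-executable"
    if data[:5] == b"%PDF-":
        return "pdf"
    return "unknown"


def inspect_zip(zip_bytes):
    """Return {member: [reasons]} for every suspicious member of an archive."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = classify_filename(info.filename)
            with zf.open(info) as fh:      # only the header bytes are needed
                head = fh.read(8)
            ext = info.filename.lower().rsplit(".", 1)[-1]
            if sniff_type(head) == "pe-executable" and ext not in EXECUTABLE_EXTS:
                reasons.append(f"PE header inside .{ext} member")
            if reasons:
                findings[info.filename] = reasons
    return findings


def flag_links(body):
    """Return direct-download links to file-sharing hosts found in a message body."""
    flagged = []
    for url in URL_RE.findall(body):
        u = urlparse(url)
        if (u.hostname or "") not in SHARING_HOSTS:
            continue
        if "/meta_dl/" in u.path or parse_qs(u.query).get("dl") == ["1"]:
            flagged.append(url)
    return flagged


def build_sample_zip():
    """Constructed archive: two PE-headed stubs with document-style names, one text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report_46240876034052.scr", b"MZ\x90\x00" + b"\x00" * 60)
        zf.writestr("statement.pdf", b"MZ\x90\x00" + b"\x00" * 60)
        zf.writestr("readme.txt", b"nothing to see here\n")
    return buf.getvalue()


# Constructed body modelled on the voice-mail spam; the link is a placeholder.
SAMPLE_BODY = """\
You received a voice mail : VOICE437-349-3989.wav (29 KB)
please use the following link to download your file:
https://www.dropbox.com/meta_dl/EXAMPLE_BLOB/EXAMPLE_TOKEN?dl=1
Support portal: https://www.example.com/help
"""
```

Running `inspect_zip(build_sample_zip())` reports the .scr member for its extension and `statement.pdf` for carrying a PE header, while `readme.txt` passes; `flag_links(SAMPLE_BODY)` returns only the meta_dl link. The magic-byte check is what catches the case "show known file extensions" cannot: a renamed executable looks like a document to the user, but its first two bytes still say MZ.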
