Page 48 of 132 - Results 471 to 480 of 1320

Thread: SPAM frauds, fakes, and other MALWARE deliveries...

  1. #471
    AplusWebMaster (Adviser Team) - Join Date: Oct 2005 - Location: USA - Posts: 6,881

    Fake BTinternet email - Phish

    FYI...

    Fake BTinternet email - Phish ...
    - http://www.hoax-slayer.com/expiratio...phishing.shtml
    Last updated: July 8, 2014 - "Message purporting to be from BTInternet claims that you must update all of your 'informations' via an attached form or risk the 'expiration' of your BTInternet email. The message is -not- from BT. It is a phishing scam designed to steal personal and financial information from BT customers.
    Screenshot: http://www.hoax-slayer.com/images/ex...ishing-pin.jpg
    According to this email, which claims to be from BTInternet, you are required to update all of your account information by filling in a form contained in an attached file. The message warns that your account will be disabled if you do not update your details as instructed... the email is -not- from BT and the claim that you must update details or risk account 'expiration' is a lie.
    In fact, the email is a typical phishing scam and is designed to steal your personal and financial data. The attached file contains a form that asks for a large amount of information, including your account login details, your name and contact data, and your credit card and bank account numbers. Opening the attachment loads the form in your web browser. Clicking the 'Submit' button on the -bogus- form sends all of the information to criminals who can then use it to commit financial fraud and identity theft... Any email that asks you to open an attached file or click a link to supply personal and financial information should be treated as suspicious..."

    - https://en.wikipedia.org/wiki/BT_Group
    ___

    Chinese hacks turned focus to U.S. experts on Iraq
    - http://www.reuters.com/article/2014/...0FC2E620140708
    Jul 8, 2014 - "A sophisticated group of hackers believed to be associated with the Chinese government, who for years targeted U.S. experts on Asian geopolitical matters, suddenly began breaching computers belonging to experts on Iraq as the rebellion there escalated, a security firm said on Monday. CrowdStrike Inc said* that the group is one of the most sophisticated of the 30 it tracks in China and that its operations are better hidden than many attributed to military and other government units... China's Foreign Ministry repeated that the government opposed hacking and dismissed the report... Over the past three years, CrowdStrike said it has seen the group it calls "Deep Panda" target defense, financial and other industries in the United States. It has also gone after workers at think tanks who specialize in Southeast Asian affairs, including former government experts..."
    * http://www.crowdstrike.com/blog/deep...nks/index.html
    Jul 7, 2014

    - http://atlas.arbor.net/briefs/index#-308984771
    July 10, 2014
    A Chinese nation-state threat group called "Deep Panda" has been targeting national security think tanks, particularly individuals with ties to Iraq/Middle East policy issues.
    Analysis: The focus on these individuals began the same day as an ISIS-led attack on an oil refinery in Iraq, which provides a large amount of oil to China. [ http://www.crowdstrike.com/blog/deep...nks/index.html ] Advanced threat actors frequently target individuals who may have access to sensitive information, demonstrated recently again when hackers believed to be Chinese accessed some databases of the Office of Personnel Maintenance, which conducts background reviews for security clearances. [ http://www.nytimes.com/2014/07/10/wo...s-workers.html ] Many individuals are also targeted using information available via public sources such as social media. This information could then be used to conduct social engineering attacks to deliver malware, steal credentials, etc.
    ___

    SCAM: "All Company Formation" (allcompanyformation .com / businessformation247 .com)
    - http://blog.dynamoo.com/2014/07/scam...formation.html
    8 July 2014 - "Sometimes it isn't easy to see what a -scam- is, but this email hit my -spamtrap- advertising an outfit that can allegedly create offshore companies and acquire all sorts of trading licences and things like SSL certificates.
    From: All Company Formation [info@ allcompanyformation .com]
    Date: 7 July 2014 12:58
    Subject: [Info] Worldwide Company Formation Services - EV SSL Approval Services
    We have a team of agents in different countries we are providing Company Registration services...
    For order and need more informations kindly contact us : www .allcompanyformation .com
    Email: info@ allcompanyformation .com
    skype : companiesformations


    The spam originates from 209.208.109.225 which belongs to Internet Connect Company in Orlando, Florida. Orlando being a hotbed of fraud which would make it ideal for twinning with Lagos. The spam then bounces through a WebSiteWelcome IP of 192.185.82.77. None of those IPs give a clue as to the real ownership of the site. The -spamvertised- site of allcompanyformation .com (also mirrored at businessformation247 .com) looks generic but professional:
    > https://3.bp.blogspot.com/-gHGjWYiHx...foundation.png
    It is plastered with logos from legitimate organisations, presumably to give it an air of respectability:
    > https://2.bp.blogspot.com/-l9ILGO4rF...formation3.png
    You can pay for these "services" using any one of a number of obscure payment methods:
    > https://2.bp.blogspot.com/-Gy9kjBDZe...formation4.png
    ... The contact information seems deliberately vague and there are no physical contact addresses or company registration details anywhere on the website:
    > https://3.bp.blogspot.com/-N7_7ubPgu...formation5.png
    The telephone number looks like a US one, but on closer examination appears to be a Bandwidth.com VOIP forwarder to another number (which could be anywhere in the world). These 315-944 numbers seem to be often abused by scammers. The WHOIS details are anonymous, and the website has been carefully excised of any identifying information. Most of the text (and indeed the whole concept) has been copy-and-pasted from Slogold.net who seem to be a real company with real contact details. They even go so far as to warn people of various scams using the Slogold name. The following factors indicate that this is a scam, and sending them money would be a hugely bad idea:
    - The site is promoted through spam (this sample was sent to a spamtrap)
    - The domain allcompanyformation .com has anonymous registration details and was created only in December 2013.
    - There are no real contact details anywhere on the site.
    - The text is copy and pasted (i.e. stolen) from other sites, primarily Slogold .net.
    -Avoid- "
    ___

    AVG Safeguard and Secure Search ActiveX control provides insecure methods
    - http://www.kb.cert.org/vuls/id/960193
    Last revised: 07 Jul 2014 - "... By convincing a user to view a specially crafted HTML document (e.g., a web page or an HTML email message or attachment), an attacker may be able to download and execute arbitrary code with the privileges of the logged-on user.
    Solution: Apply an update: This issue is addressed in AVG Secure Search -toolbar- version 18.1.7.598 and AVG Safeguard 18.1.7.644. While these versions are still marked as Safe for Scripting, this version of the control has restrictions in place that prevent its use by web pages hosted by domains other than .avg .com or .avg.nation .com. Please also consider the following workaround:
    Disable the AVG ScriptHelper ActiveX control in Internet Explorer:
    The vulnerable AVG ScriptHelper ActiveX control can be -disabled- in Internet Explorer by setting the kill bit..."
    (More detail at the cert URL above.)
    - https://web.nvd.nist.gov/view/vuln/d...=CVE-2014-2956 - 9.3 (HIGH)

    > http://www.avg.com/us-en/secure-search
    "... connection times out
    > http://inst.avg.com/serve/dl.php?pid...b0:productpage
    "... connection times out

    Last edited by AplusWebMaster; 2014-07-11 at 13:51.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #472
    AplusWebMaster

    Fake Incoming Fax, E-Z Pass Spam ...

    FYI...

    Fake Incoming Fax – PDF malware
    - http://myonlinesecurity.co.uk/new-in...e-pdf-malware/
    9 July 2014 - "New Incoming Fax pretending to come from Incoming Fax <noreply@ fax-reports .com> is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers.
    Dear Customer,
    You have received a new fax.
    Date/Time: 2014:08:09 12:28:09
    Number of pages:2
    Received from: 08447 53 54 56
    Regards,
    FAX


    9 July 2014: fax9999999999.zip (168 kb) Extracts to fax0010029826052014.scr
    Current Virus total detections: 7/54*. This is another one of the spoofed icon files that unless you have "show known file extensions enabled", will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/4...is/1404915722/
    ___

    E-Z Pass Spam
    - http://threattrack.tumblr.com/post/9.../e-z-pass-spam
    July 9, 2014
    Screenshot: https://gs1.wac.edgecastcdn.net/8019...QOy1r6pupn.png
    Subjects Seen:
    Indebted for driving on toll road
    Typical e-mail details:
    Dear customer,
    You have not paid for driving on a toll road. This invoice is sent repeatedly,
    please service your debt in the shortest possible time.
    The invoice can be downloaded here.


    Malicious URLs:
    krsk .info/components/api/aHZ/WVeiJ0vWJCZzh9O0pXzmah/NtSjknz1hSYIcsqQ=/toll

    91.193.224.60
    : https://www.virustotal.com/en/ip-add...0/information/

    Tagged: E-Z Pass, Kuluoz

    Last edited by AplusWebMaster; 2014-07-10 at 01:05.

  3. #473
    AplusWebMaster

    Shylock takedown, Fake "TT PAYMENT COPY" SPAM ...

    FYI...

    Shylock takedown - Europol
    - http://www.nationalcrimeagency.gov.u...hylock-malware
    10 July 2014 - "An international operation involving law enforcement agencies and private sector companies is combating the threat from a type of malicious software (malware) used by criminals to steal from bank accounts. In the first project of its kind for a UK law enforcement agency, the National Crime Agency has brought together partners from the law enforcement and private sectors, including the FBI, Europol, BAE Systems Applied Intelligence, GCHQ, Dell SecureWorks, Kaspersky Lab and the German Federal Police (BKA) to jointly address the Shylock trojan. As part of this activity, law enforcement agencies are taking action to disrupt the system which Shylock depends on to operate effectively. This comprises the seizure of servers which form the command and control system for the trojan, as well as taking control of the domains Shylock uses for communication between infected computers. This has been conducted from the operational centre at the European Cybercrime Centre (EC3) at Europol in The Hague. Investigators from the NCA, FBI, the Netherlands, Turkey and Italy gathered to coordinate action in their respective countries, in concert with counterparts in Germany, Poland and France. Shylock - so called because its code contains excerpts from Shakespeare’s Merchant of Venice - has infected at least 30,000 computers running Microsoft Windows worldwide. Intelligence suggests that Shylock has to date targeted the UK more than any other country, although the suspected developers are based elsewhere. The NCA is therefore coordinating international action against this form of malware. Victims are typically infected by clicking on malicious links, and then unwittingly downloading the malware. Shylock will then seek to access funds held in business or personal accounts, and transfer them to the criminal controllers..."
    ___

    MS cybercrime bust frees 4.7 million infected PCs
    - http://www.reuters.com/article/2014/...0FF2CU20140710
    July 10, 2014 - "Microsoft Corp said it has freed at least 4.7 million infected personal computers from control of cyber crooks in its most successful digital crime-busting operation, which interrupted service at an Internet-services firm last week. The world's largest software maker has also identified at least another 4.7 million infected machines, though many are likely still controlled by cyber fraudsters, Microsoft's cybercrime-fighting Digital Crimes Unit said on Thursday. India, followed by Pakistan, Egypt, Brazil, Algeria and Mexico have the largest number of infected machines, in the first high-profile case involving malware developed outside Eastern Europe. Richard Domingues Boscovich, assistant general counsel of the unit, said Microsoft would quickly provide government authorities and Internet service providers around the world with the IP addresses of infected machines so they can help users remove the viruses... The operation is the most successful of the 10 launched to date by Microsoft's Digital Crimes Unit, based on the number of infected machines identified, Boscovich said. Microsoft located the compromised PCs by intercepting traffic headed to servers at Reno, Nevada-based Vitalwerks Internet Solutions, which the software maker said criminals used to communicate with compromised PCs through free accounts on its No-IP.com services. Vitalwerks criticized the way Microsoft handled the operation, saying some 1.8 million of its users lost service for several days. The Internet services firm said that it would have been glad to help Microsoft, without interrupting service to legitimate users. Microsoft has apologized, blaming "a technical error" for the disruption, saying service to customers has been restored... The operation, which began on June 30 under a federal court order, targeted malicious software known as Bladabindi and Jenxcus, which Microsoft said work in similar ways and were written and distributed by developers in Kuwait and Algeria."
    ___

    Fake "TT PAYMENT COPY" SPAM - malicious attachment
    - http://blog.dynamoo.com/2014/07/tt-p...copy-spam.html
    10 July 2014 - "We've seen spam like this before. It comes with a malicious attachment.
    Date: Thu, 10 Jul 2014 00:09:28 -0700 [03:09:28 EDT]
    From: "PGS Global Express Co, Ltd." [pgsglobal1960@ gmail .com]
    Subject: Re TT PAYMENT COPY
    ATTN:
    Good day sir,here is the copy of the transfer slip ,kindly find the attach copy and please check with your bank to confirm the receipt of the payment and do the needful by dispatching the material as early as possible.
    We hope you will do the needful and let us know the dispatch details.
    (purchase) Manager.
    ------sent from my iphone5s-------


    It comes with an attachment TT PAYMENT COPY.ZIP containing the malicious executable TT PAYMENT COPY.exe which has a VirusTotal detection rate of 19/54*. According to Malwr** this appears to be a self-extractive archive file which then drops (inter alia) a file iyKwmsYRtDlN.com which has a very low detection rate of 1/52***. It isn't clear what this file does according to the report**."
    * https://www.virustotal.com/en-gb/fil...is/1405000247/

    ** https://malwr.com/analysis/NThjMzU0M...U0OWM0YzM0OTA/

    *** https://www.virustotal.com/en-gb/fil...is/1405000668/
    ___

    Fake E100 MTB ACH SPAM – PDF malware
    - http://myonlinesecurity.co.uk/e100-m...e-pdf-malware/
    10 July 2014 - "E100 MTB ACH Monitor Event Notification is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email reads:
    You have received a secure message from M&T Bank
    At M&T Bank,we understand the importance of protecting confidential information. That’s why we’ve developed this email messaging system, which will allow M&T to securely send you confidential information via email.
    An M&T Bank employee has sent you an email message that may contain confidential information. The sender’s email address is listed in the from field of this message. If you have concerns about the validity of this message, contact the sender directly.
    To retrieve your encrypted message, follow these steps:
    1. Click the attachment, securedoc.html.
    You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it in a Web browser.
    2. Enter your password.
    If you are a first time user, you will be asked to register first.


    10 July 2014: Securedoc.zip (284 kb): Extracts to Securedoc.pdf.scr
    Current Virus total detections: 0/38*. This E100 MTB ACH Monitor Event Notification is another one of the spoofed icon files that unless you have "show known file extensions enabled", will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/3...is/1405013243/
    ___

    Fake Money Transfer - PDF malware
    - http://myonlinesecurity.co.uk/import...e-pdf-malware/
    10 July 2014 - "Important Notice – Incoming Money Transfer is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email reads:
    An Incoming Money Transfer has been received by your financial institution for thespykiller .co .uk. In order for the funds to be remitted on the correct account please complete the “A136 Incoming Money Transfer Form”.
    Fax a copy of the completed “A136 Incoming Money Transfer Form” to +1 800 722 4969.
    To avoid delays or additional fees please be sure the Beneficiary Information including name, branch name, address, city, state, country, and Routing Number (ABA Number) or SWIFT BIC Code is correct. For international Wires be sure you include the International Routing Code (IRC) and International Bank Account Number (IBAN) for countries that require it.
    Thank you,
    Trevor.Mcdowell
    Senior Officer Level III
    Cash Management Verification ...


    10 July 2014: A136_Incoming_Money_Transfer_Form.zip (10 kb): Extracts to
    A136_Incoming_Money_Transfer_Form.exe.exe - Current Virus total detections: 2/53*. This Important Notice – Incoming Money Transfer is another one of the spoofed icon files that unless you have "show known file extensions enabled", will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected.
    * https://www.virustotal.com/en/file/2...is/1405013171/
    ___

    Symantec in talks with Chinese government after software ban report
    - http://www.reuters.com/article/2014/...0FF1V320140710
    July 10, 2014 - "U.S. security software maker Symantec Corp said it is holding discussions with authorities in Beijing after a state-controlled Chinese newspaper reported that the Ministry of Public Security had banned use of one of its products. The China Daily reported last week that the ministry had issued an order to its branches across the nation telling them to uninstall Symantec's data loss prevention, or DLP, products from their systems and banning their future purchase, saying the software 'could pose information risks'..."

    Last edited by AplusWebMaster; 2014-07-11 at 02:20.

  4. #474
    AplusWebMaster

    Fake Citibank SPAM, SCAMS - Free Movies ...

    FYI...

    Fake Citibank Commercial Form email – PDF malware
    - http://myonlinesecurity.co.uk/fw-imp...e-pdf-malware/
    11 July 2014 - "FW: Important – Commercial Form is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email reads:
    Commercial Banking Form
    To: < redacted >
    Case: C1293101
    Please scan attached document and fax it to +1 800-285-5021 .
    All web filed documents (with the exception of downloaded accounts templates) are available to view / download for 10 days after their original submission. Once accepted, these changes will be displayed on the public record. Not yet filing your accounts online? See how easy it is… For enquiries, please telephone the Service Desk on +1 800-285-6575 or email enquiries@ citibank .com. This email was sent from a notification-only email address which cannot accept incoming mail. Please do not reply directly to this message. .
    Yours faithfully
    Leanne Davis Commercial Banking Citibank N.A Leanne.Davis@ citibank .com
    Copyright © 2014 Citigroup Inc.


    11 July 2014: C1293101.zip (9 kb): Extracts to C100714.scr
    Current Virus total detections: 0/53*. This FW: Important – Commercial Form is another one of the spoofed icon files that unless you have "show known file extensions enabled", will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/0...is/1405086057/
    ___

    A cunning way to deliver malware
    - http://blog.malwarebytes.org/malvert...liver-malware/
    July 11, 2014 - "Potentially unwanted programs, also known as PUPs, continue to be a real nuisance. A recent blog post by Will Dormann on CERT.org* shows the prevalence of such applications lurking on every corner of the web: search engine results, software portals, popups, ads, etc... Here is an example of an unwanted warning pushed as a pop-up:
    > http://cdn.blog.malwarebytes.org/wp-...07/message.png
    ... The following page shows that our browser (Internet Explorer) may be out of date and urges us to download a program to check for outdated software.
    > http://cdn.blog.malwarebytes.org/wp-...7/download.png
    It is worth noting that this webpage was totally unsolicited and is in fact very misleading... In other words, the program they want you to download bundles other applications, something we know all too well. Attempting to close the page brings up yet another warning:
    > http://cdn.blog.malwarebytes.org/wp-...14/07/sure.png
    We could argue with advertisers that these practices are not okay until we are blue in the face. But here’s the catch with this one: while the page is saying our system could be at risk we are silently being infected with a drive-by download... two malware payloads are subsequently dropped (#1, #2) detected as Spyware.Zbot.VXGen... We have reported this incident to Akamai’s Abuse department so that they can take immediate action against these bad actors."
    1) https://www.virustotal.com/en/file/d...15c2/analysis/

    2) https://www.virustotal.com/en/file/4...5fbb/analysis/

    * https://www.cert.org/blogs/certcc/post.cfm?EntryID=199
    7/07/2014 - "... depending on what the application is, where you downloaded it from, and how carefully you paid attention to the installation process, you could have some extra goodies that came along for the ride. You might have components referred to as adware, foistware, scareware, potentially unwanted programs (PUPs), or worse. Sure, these may be annoyances, but there's an even more important security aspect to these types of applications: attack surface..."
    ___

    Fake 'E-ZPass Unpaid Toll' SPAM - links to Malware
    - http://www.hoax-slayer.com/e-zpass-u...-malware.shtml
    July 11, 2014 - "Email purporting to be from US toll collection system E-ZPass claims that the recipient has not paid for driving on a toll road and should click a link to download an invoice... The email is -not- from E-ZPass. It is a criminal ruse designed to trick you into downloading malware... If you receive this message, do -not- click any links or open -any- attachments that it contains..."
    > http://www.hoax-slayer.com/images/e-...-malware-1.jpg

    Ref: http://stopmalvertising.com/spam-sca...to-asprox.html
    9 July 2014 - E-ZPass themed emails lead to Asprox
    ___

    GameOver Zeus mutates - launches Attacks
    - http://blog.malcovery.com/blog/break...r-zeus-returns
    July 10, 2014 - "... -new- trojan based heavily on the GameOver Zeus binary. It was distributed as the attachment to three spam email templates, utilizing the simplest method of infection through which this trojan is deployed... we saw spam messages claiming to be from NatWest...
    > https://cdn2.hubspot.net/hub/241665/...r_Return_2.png
    ... we saw spam messages with the subject “Essentra PastDue” like these:
    > https://cdn2.hubspot.net/hub/241665/...r_Return_4.png
    ... The longest lasting of the spam campaigns was imitating M&T Bank, with a subject of “E100 MTB ACH Monitor Event Notification”. That campaign is still ongoing as of this writing.
    > https://cdn2.hubspot.net/hub/241665/...r_Return_7.png
    The three spam campaigns each had a .zip attachment. Each of these contained the same file in the form of a “.scr” file with the hash:
    MD5: 5e5e46145409fb4a5c8a004217eef836
    At this timestamp (1600 Central time, 7 hours after we first noticed the spam campaign) the detection rate at VirusTotal is 10/54:
    > https://cdn2.hubspot.net/hub/241665/...r_Return_8.png
    Once the attachment was opened and the malware payload executed, the malware began to make attempts to contact certain websites in accordance with a domain generation algorithm. The goal of these contact attempts is to make contact with a server that can in turn provide instructions to the malware. Many sandboxes would have failed to launch the malware, as the presence of VMWare Tools will stop the malware from executing. Other sandboxes would not have noticed the successful connection, because the malware took between 6 and 10 minutes to randomly generate the single domain name that was used successfully to launch the new Zeus trojan and download the bank information “webinject” files from the server. The Domain Generation Algorithm is a method for a criminal to regain access to his botnet. Based on the current date, random-looking domain names are calculated and the malware reaches out via the Internet to see if that domain exists... Malcovery analysts confirmed with the FBI and Dell Secure Works that the original GameOver Zeus is still "locked down". This new DGA list is not related to the original GameOver Zeus but bears a striking resemblance to the DGA utilized by that trojan. In addition to a new DGA, the malware seems to have traded its Peer to Peer Infrastructure for a new Fast Flux hosted C&C strategy... This discovery indicates that the criminals responsible for GameOver’s distribution do not intend to give up on this botnet even after suffering one of the most expansive botnet takeovers/takedowns in history..."

    - http://www.nationalcrimeagency.gov.u...cious-software
    13 June 2014
    ___

    SCAMS: Free Movies - Reel Deal? ...
    - http://blog.malwarebytes.org/online-...the-reel-deal/
    July 11, 2014 - "... We often see Netflix themed sites used as a -bait- so this one immediately caught our eye... The end user is presented with a number of surveys and offers, one of which has to be completed to obtain the “free account”. They lead to a variety of places:
    > http://cdn.blog.malwarebytes.org/wp-...4/07/flix3.jpg
    Another one:
    > http://cdn.blog.malwarebytes.org/wp-...4/07/flix4.jpg
    We tried to “unlock” the supposed text file to see what happened next, by installing two separate offers – a “TV toolbar” and a “We love games community toolbar”.
    > http://cdn.blog.malwarebytes.org/wp-...4/07/flix5.jpg
    > http://cdn.blog.malwarebytes.org/wp-...4/07/flix6.jpg
    In both cases, nothing was unlocked and we saw no evidence of text files. What we did have, were two potentially unwanted programs which a regular user would only have installed to get the text file in the first place. You’re better off avoiding sites which promise “free” signups to websites and services, and buying directly from the real thing. More often than not, you can never be sure if what you’re receiving is legit or will be shut down by the service provider. And of course, in many cases what you’ll be getting your hands on after signing up to offers or downloading programs will be little more than thin air..."

    Last edited by AplusWebMaster; 2014-07-11 at 21:26.
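The lures quoted in the posts above all share one mechanic: a ZIP attachment whose member carries a decoy extension (.pdf.scr, .exe.exe) and a borrowed PDF icon, sometimes sold in the email as a different file type altogether (securedoc.html). Added here as an example of the check a mail gateway or analyst script can apply before anyone double-clicks; this is my own Python, not code from any of the quoted sites, and the sample archive, its two-byte 'MZ' stub contents and the extension list are constructed for the example.

```python
import io
import zipfile

# File types Windows runs as programs when double-clicked. The lures above use
# .scr (a screensaver, which is just a renamed .exe) and .exe. Assumed list for
# this example; extend it to taste.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "vbe",
                   "js", "jse", "wsf", "hta"}


def split_name(member):
    """Return (lower-cased final extension, list of decoy extensions before it).
    'Securedoc.pdf.scr' -> ('scr', ['pdf']); 'invoice.pdf' -> ('pdf', [])."""
    base = member.replace("\\", "/").rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    if len(parts) < 2:
        return "", []
    return parts[-1], parts[1:-1]


def inspect_attachment(zip_bytes, claimed_name=None):
    """Inspect an attachment archive and return a list of findings, each
    {'member': name, 'reasons': [...]}.  Three checks: the member's real
    extension is executable, it carries decoy extensions, or its content is a
    PE/DOS executable (starts with 'MZ') under a non-executable name.  If the
    email named the attachment (claimed_name), also report when the archive
    holds nothing of that type."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        members = [i for i in zf.infolist() if not i.is_dir()]
        for info in members:
            ext, decoys = split_name(info.filename)
            reasons = []
            if ext in EXECUTABLE_EXTS:
                reasons.append("executable extension ." + ext)
            if decoys:
                # Note: legitimate names such as archive.tar.gz also trip this;
                # it is a signal to weigh with the others, not a verdict alone.
                reasons.append("double extension (decoy ." + ".".join(decoys) + ")")
            # Content check: an executable starts with 'MZ' whatever it is called.
            with zf.open(info) as fh:
                if fh.read(2) == b"MZ" and ext not in EXECUTABLE_EXTS:
                    reasons.append("PE header under non-executable name")
            if reasons:
                findings.append({"member": info.filename, "reasons": reasons})
        if claimed_name:
            claimed_ext, _ = split_name(claimed_name)
            present = {split_name(i.filename)[0] for i in members}
            if claimed_ext and claimed_ext != "zip" and claimed_ext not in present:
                findings.append({
                    "member": claimed_name,
                    "reasons": ["email claims ." + claimed_ext + " but archive holds "
                                + ", ".join(sorted(present))],
                })
    return findings


def build_sample_zip():
    """Constructed stand-in for the attachments quoted above.  Contents are a
    fake 'MZ' stub padded with zeros, not real malware; names are the ones the
    write-ups report."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("fax0010029826052014.scr", b"MZ" + b"\x00" * 64)
        zf.writestr("Securedoc.pdf.scr", b"MZ" + b"\x00" * 64)
        zf.writestr("A136_Incoming_Money_Transfer_Form.exe.exe", b"MZ" + b"\x00" * 64)
        zf.writestr("statement.pdf", b"MZ" + b"\x00" * 64)   # PE under a .pdf name
        zf.writestr("invoice.pdf", b"%PDF-1.4\n%constructed\n")  # benign control
    return buf.getvalue()


if __name__ == "__main__":
    # The M&T lure tells the reader to open "securedoc.html"; the ZIP holds a .scr.
    for finding in inspect_attachment(build_sample_zip(), claimed_name="securedoc.html"):
        print(finding["member"], "->", "; ".join(finding["reasons"]))
```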

  5. #475
    AplusWebMaster

    ZeuS GameOver reloaded ...

    FYI...

    ZeuS GameOver Reloaded
    - http://stopmalvertising.com/spam-sca...-reloaded.html
    12 July 2014 - "Yesterday we received an unsolicited email appearing to be from the M&T Bank, an American commercial bank headquartered in Buffalo. The emails arrive with the subject line "E100 MTB ACH Monitor Event Notification".
    Screenshot: http://stopmalvertising.com/research.../new-gmo16.jpg
    The recipient is informed that an M&T Bank employee has sent them an email message that may contain confidential information. To retrieve the encrypted message the addressee is invited to save the attachment "securedoc.html" and open the file in a Web browser. The attachment isn’t a HTML file as stated by the spammed out message but a ZIP archive containing an executable named SECUREDOC.PDF.SCR. The file with a double extension (.pdf.scr) poses as a PDF document... -never- trust a file by its icon and make sure that Windows Explorer is set to show file extensions... The new instance of SECUREDOC.PDF.SCR will create a random named folder in the %TEMP% directory and will drop a copy of itself in the new folder using a random file name with an EXE extension... The payload is similar to ZeuS GameOver without the Necurs rootkit component... This version doesn’t rely on P2P communications but uses a different Domain Generation Algorithm (DGA) compared to the ZeuS GameOver version we know. The DGA domains are hosted on a Fast Flux infrastructure. This release generates .COM, .NET, .ORG and .BIZ domains, apparently between 21 and 28 alphanumeric characters long (without the domain extension). The threat performs around 500 DNS lookups to see if any of the DGA domains resolve to an IP, pauses 5 minutes and starts all over again...
    Update: Additional Information - Although the rootkit component has been left out in this new release of ZeuS GameOver, from a technical point of view the code shares more similarities with the ZeuS GameOver with Necurs variant than with the version before the rootkit introduction. Both versions share the same compiler and compile settings. The new version mostly uses the same classes as ZeuS GameOver with Necurs and the same zlib and pcre library versions. The content of the encrypted string table is identical in both versions. The new release also uses RSA to verify the authenticity of the server’s response, the content is decrypted using RC4 and VisualDecrypt... IP Details
    zi7sh2zoptpb14w9mgxugkey2 .com - 69.61.18.148
    9zusnu3rh65o1nal2ty1fbb5o0 .net - 86.124.164.25
    ... The IP 86.124.164.25 is a known CryptoLocker IP. According to VirusTotal* several malware samples communicate with this IP but at the time of the write-up I'm unable to tell if this is yet another sinkhole.
    Update July 13, 2014: this IP is a sinkhole..."
    (More detail at the stopmalvertising.com URL above.)
    * https://www.virustotal.com/en/ip-add...5/information/ - Still active 2014-07-16

    69.61.18.148: https://www.virustotal.com/en/ip-add...8/information/ - Still active 2014-07-16

    Cutwail botnet spam email containing the new Gameover Zeus variant
    - http://www.secureworks.com/assets/im...ver.zeus.1.png

    - http://www.secureworks.com/resources...er-capability/
    July 11, 2014 - "... Previous Gameover Zeus versions relied primarily on the P2P component for communication but reverted to a DGA if no peers could be contacted. The new DGA used in this version generates 1,000 domains per day..."

    - http://net-security.org/malware_news.php?id=2804
    July 11, 2014
    > http://www.net-security.org/images/a...olocker-bd.jpg
    ___

    Gameover Zeus Variant Resumes Activity
    - https://atlas.arbor.net/briefs/index#170748218
    17 Jul 2014
    A new variant based on the GameOver Zeus Trojan has been identified distributing spam.
    Analysis: While the original GameOver Zeus was taken down by law enforcement last month, this new variant suggests that cyber criminals will continue to leverage this malware. Past law enforcement operations on active botnets, while temporarily successful, have done little to fully disrupt malicious activity, as criminals frequently find new available malware and tools. [ http://blog.malcovery.com/blog/break...r-zeus-returns , http://nakedsecurity.sophos.com/2014...from-the-dead/ ]

    Last edited by AplusWebMaster; 2014-07-18 at 15:23.
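
    The DGA behaviour quoted above (.com/.net/.org/.biz domains with 21-28 alphanumeric characters, a burst of roughly 500 lookups, then a 5-minute pause) is something a resolver log can be screened for. The following is an added example, not code from the original post or from stopmalvertising.com: a heuristic that flags hosts issuing many DGA-shaped queries inside a short window and separately reports which of those names actually resolved (the resolving one is the C2 candidate). The log line format, the client addresses and the numbered labels are constructed; only the two domains listed in the post are taken from it. Thresholds are assumptions and should be tuned to the environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Characteristics reported for the new DGA: .com/.net/.org/.biz TLDs and a
# second-level label of 21-28 alphanumeric characters.
DGA_TLDS = {"com", "net", "org", "biz"}
LABEL_RE = re.compile(r"^[a-z0-9]{21,28}$")

# Constructed log format (assumption): "<iso timestamp> <client> query <qname> <rcode>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) query (?P<qname>\S+) (?P<rcode>\S+)$")


def looks_like_gameover_dga(name: str) -> bool:
    """Heuristic only: exactly two labels, TLD in the DGA set, second-level label
    21-28 alphanumerics that mix letters and digits (pure words are more often legit)."""
    parts = name.lower().rstrip(".").split(".")
    if len(parts) != 2 or parts[1] not in DGA_TLDS:
        return False
    label = parts[0]
    if not LABEL_RE.match(label):
        return False
    return any(c.isalpha() for c in label) and any(c.isdigit() for c in label)


def scan_dns_log(lines, window=timedelta(minutes=5), threshold=50):
    """Return {client: (peak count of DGA-shaped queries inside `window`,
    sorted list of DGA-shaped names that resolved)} for clients over `threshold`.
    The threshold is deliberately far below the ~500 lookups reported per burst."""
    per_client = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or not looks_like_gameover_dga(m["qname"]):
            continue
        per_client[m["client"]].append(
            (datetime.fromisoformat(m["ts"]), m["qname"].lower(), m["rcode"].upper())
        )

    alerts = {}
    for client, events in per_client.items():
        events.sort(key=lambda e: e[0])
        times = [e[0] for e in events]
        best, start = 0, 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            resolved = sorted({q for _, q, rc in events if rc == "NOERROR"})
            alerts[client] = (best, resolved)
    return alerts


def build_sample_log():
    """Constructed resolver log (not real traffic): one host bursting DGA-style
    lookups, one host with a handful, plus ordinary queries."""
    start = datetime(2014, 7, 12, 10, 0, 0)
    tlds = sorted(DGA_TLDS)
    lines = []
    for i in range(60):
        ts = (start + timedelta(seconds=i)).isoformat()
        qname = f"zi7sh2zoptpb14w9mgxugk{i:03d}.{tlds[i % 4]}"   # constructed 25-char label
        lines.append(f"{ts} 192.0.2.10 query {qname} NXDOMAIN")
    # one of the DGA names from the post "resolving" for the bursting host
    ts = (start + timedelta(seconds=61)).isoformat()
    lines.append(f"{ts} 192.0.2.10 query zi7sh2zoptpb14w9mgxugkey2.com NOERROR")
    lines.append(f"{start.isoformat()} 192.0.2.10 query www.example.com NOERROR")
    # a second host with only a couple of such lookups: below threshold
    lines.append(f"{start.isoformat()} 192.0.2.20 query 9zusnu3rh65o1nal2ty1fbb5o0.net NXDOMAIN")
    lines.append(f"{start.isoformat()} 192.0.2.20 query zi7sh2zoptpb14w9mgxugkey2.com NXDOMAIN")
    lines.append(f"{start.isoformat()} 192.0.2.20 query mail.example.org NOERROR")
    return lines


if __name__ == "__main__":
    for client, (count, resolved) in scan_dns_log(build_sample_log()).items():
        print(f"{client}: {count} DGA-shaped queries in window; resolved: {resolved}")
```

    The length and character-class filter alone will still match some legitimate CDN or tracking hostnames, which is why the alert keys on the burst count rather than on any single name; the resolving names are what to pivot on for blocking and for checking against the sinkhole information in the post.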

  6. #476
    AplusWebMaster (Adviser Team)

    Fake Internal Only SPAM ...

    FYI...

    Fake Important Internal Only SPAM – PDF malware
    - http://myonlinesecurity.co.uk/import...e-pdf-malware/
    14 July 2014 - "Important – Internal Only that pretends to come from administrator @ your domain is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email reads:
    File Validity: 07/14/2014
    File Format: Office – Excel ,PDF
    Name: Internal Only
    Legal Copyright: © Microsoft Corporation. All rights reserved.
    Original Filename: Internal Only.pdf
    ********** Confidentiality Notice **********.
    This e-mail and any file(s) transmitted with it, is intended for the exclusive use by the person(s) mentioned above as recipient(s)...


    14 July 2014: Internal Only – thespykiller.co.uk.zip: Extracted file name: Internal Only.scr
    Current VirusTotal detections: 3/54*. This Important – Internal Only is another one of the spoofed icon files that, unless you have "show known file extensions" enabled, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/7...is/1405352721/

    - http://blog.dynamoo.com/2014/07/impo...only-spam.html
    14 July 2014 - "This spam comes with a malicious payload:
    Date: Mon, 14 Jul 2014 16:12:49 +0000 [12:12:49 EDT]
    Subject: Important - Internal Only
    File Validity: 07/14/2014
    File Format: Office - Excel ,PDF
    Name: Internal Only
    Legal Copyright: © Microsoft Corporation. All rights reserved.
    Original Filename: Internal Only.pdf ...

    Attached to the message is an archive file Internal Only - victimdomain which in turn contains a malicious executable Internal Only.scr which has a VirusTotal detection rate of 9/54* which indicates that this is a variant of Upatre... This drops a few files, including mkird.exe which has a VirusTotal detection rate of 6/54**..."
    * https://www.virustotal.com/en/file/7...is/1405363103/

    ** https://www.virustotal.com/en/file/e...is/1405363781/

    82.98.160.242: https://www.virustotal.com/en/ip-add...2/information/

    194.58.101.96: https://www.virustotal.com/en/ip-add...6/information/
    ___

    Email Messages distributing Malicious Software - July 14, 2014
    - http://tools.cisco.com/security/cent...?alertId=34782
    Version: 9
    First Published: 2014 June 30 11:59 GMT
    Last Published: 2014 July 14 18:48 GMT
    "... significant activity related to spam email messages distributing malicious software... sample of the email message that is associated with this threat outbreak: Subject: 10 messages..."
    (More detail at the cisco URL above.)


  7. #477
    AplusWebMaster (Adviser Team)

    Fake BBB SPAM ...

    FYI...

    Fake BBB SPAM – PDF malware
    - http://myonlinesecurity.co.uk/bbb-sb...e-pdf-malware/
    15 July 2014 - "BBB SBQ Form #862054929(Ref#85-862054929-0-4) pretending to come from BBB Accreditation Services <Emmanuel_Hastings@ newyork .bbb .org> is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email reads:
    Thank you for supporting your Better Business Bureau (BBB). As a service to BBB Accredited
    Businesses, we try to ensure that the information we provide to
    potential customers is as accurate as possible. In order for us to
    provide the correct information to the public, we ask that you review
    the information that we have on file for your company.
    We encourage you to print this SBQ Form, answer the questions and respond to us. (Adobe PDF)...
    Thank you again for your support, and we look forward to receiving this updated information.
    Sincerely,
    Accreditation Services


    15 July 2014: BBB SBQ Form.zip (7kb): Extracted file name: BBB SBQ Form.exe.exe
    Current VirusTotal detections: 2/53*. This BBB SBQ Form #862054929(Ref#85-862054929-0-4) is another one of the spoofed icon files that, unless you have "show known file extensions" enabled, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/5...is/1405433104/
    ___

    Fake Notice to Appear in Court Email - Malware
    - http://www.hoax-slayer.com/green-win...-malware.shtml
    15 July 2014 - "Email purporting to be from Green Winick Attorneys at Law claims that you are required to appear in court and should click a link to view a copy of the court notice... The email is -not- from Green Winick or any legitimate legal entity. The link in the email opens a webpage that harbours -malware- ...
    > http://www.hoax-slayer.com/images/co...-july-2014.jpg
    ... The email claims that you are required to appear in court and should therefore -click- a link to download the court notice and 'read it thoroughly'. The message warns that, if you fail to appear as requested, the judge may hear the case in your absence... If you click the link in the email, you will be taken to a website that harbours a version of the notorious Asprox/Kulouz malware. Once downloaded and installed, the malware attempts to download further malware and allows criminals to maintain control of the infected computer and join it to a botnet..."

    Ref: ASProx botnet, aka Kulouz
    - http://garwarner.blogspot.ro/2014/07...eenwinick.html
    July 13, 2014
    Screenshot: https://3.bp.blogspot.com/-_s_nBGLFq...reenWinick.jpg

    - https://www.virustotal.com/en/file/1...is/1405216664/
    ___

    Fake Virgin Airlines Calls ...
    - http://www.hoax-slayer.com/virgin-au...am-calls.shtml
    15 July 2014 - "A number of people in different parts of Australia have reported receiving 'prize' calls claiming to be from Virgin Australia. The callers claim that the 'lucky' recipient of the call has won a cash prize or 999 frequent-flyer points. Supposedly, winners were randomly drawn from the names of people who have flown with the airline in the past. 'Winners' are then told that they must provide their credit card details to claim their prize... the calls are certainly -not- from Virgin Australia and recipients have won nothing at all. The calls are a criminal ruse designed to steal credit card information. Virgin Australia has issued a statement* warning people about the scam..."
    * http://www.virginaustralia.com/au/en...travel-alerts/
    ___

    .pif files, Polish spam from Orange, and Tiny Banker (Tinba)
    - http://garwarner.blogspot.com/2014/0...range-and.html
    July 15, 2014 - "... we saw 1,440 copies of a spam message claiming to be from "orange .pl" with the subject "MMS-ie" and a 70,390 byte .zip file with a randomly numbered IMG#####.zip filename. The .ZIP file contained a 126,976 byte .PIF file that was named "IMG875002763.JPEG.pif" and had an MD5 hash of d382068a8666914584d0ae51dd162c6b. When I just checked the file a few minutes ago on VirusTotal, thinking I would see various Zeus-related malware names... I was surprised to see that the file was actually TinBa or "Tiny Banker"!... email that was distributed so prolifically this morning:
    > http://4.bp.blogspot.com/-ycco03W9wC....orange.pl.jpg
    In case you aren't as fluent in Polish as the rest of us, here is how Google Translate renders that:
    If your phone does not support multimedia messages, you can send and receive using the Crates MMS or MMS Album. Simply log on www .orange .pl. For each received in an MMS message box will send you e-mail. If the recipient of the message does not have MMS-capable phone will be able to pick it up by logging into the portal www .orange .pl, and then select Multi Box and MMS tab. Multimedia messages can also be sent to any e-mail.

    The spam from Monday, July 14th, was Tinba spam according to VirusTotal. Late this evening (about 18 hours after the spam campaign) VirusTotal reported a (25 of 53)* detection rate. The spam from July 11th was also in Polish, and also imitated Orange, although this time the sender was Orange .com. There was a .zip file attached, which contained a file named "DKT_Faktura_indywidualna_2014_07_11_R.pdf.pif" which was 102,400 bytes in size and had an MD5 hash of da9330aa6d275ba28954b88ecf27dedb. The .zip file was 70,323 bytes with MD5 hash of fc1e0a665f99b347e424281a8a6a2526. The spam from July 11th was also Tinba spam, according to many vendors at VirusTotal... more malware, disguised as an invoice but actually a .pif file. The current detection at VirusTotal for that campaign is 33 of 53** detections. Unlike the Turkish Incident, where Tinba was being dropped by the Blackhole Exploit Kit, in the current spam, Tinba is directly attached to the email message..."
    * https://www.virustotal.com/en/file/1...e8c6/analysis/

    ** https://www.virustotal.com/en/file/a...61d8/analysis/

    Last edited by AplusWebMaster; 2014-07-15 at 20:27.

  8. #478
    AplusWebMaster (Adviser Team)

    Fake Fax / Secure msg SPAM

    FYI...

    Fake Fax / Secure msg SPAM
    - http://blog.dynamoo.com/2014/07/youv...-have-new.html
    16 July 2014 - "This -pair- of spam messages leads to a malicious ZIP file downloaded via goo .gl (and -not- Dropbox as the spam says):
    From: Fax [fax@ victimdomain]
    Date: 16 July 2014 16:12
    Subject: You've received a new fax
    New fax at SCAN7905518 from EPSON by https ://victimdomain
    Scan date: Wed, 16 Jul 2014 23:12:29 +0800
    Number of pages: 2
    Resolution: 400x400 DPI
    You can download your fax message at:
    https ://goo .gl/8AanL9
    (Dropbox is a file hosting service operated by Dropbox, Inc.)
    -------------
    From: NatWest [secure.message@ natwest .com]
    Date: 16 July 2014 14:47
    Subject: You have a new Secure Message
    You have received a encrypted message from NatWest Customer Support
    In order to view the attachment please open it using your email client ( Microsoft Outlook, Mozilla Thunderbird, Lotus )
    Please download your ecnrypted message at:
    https ://goo .gl/8AanL9
    (Dropbox is a file hosting service operated by Dropbox, Inc.)


    I have seen three goo .gl URLs leading to three different download locations, as follows
    https ://goo .gl/1dlcL3 leads to
    http ://webbedenterprisesinc .com/message/Document-6936124.zip
    https ://goo .gl/8AanL9 leads to
    http ://rollermodena .it/Document-2816409172.zip
    https ://goo .gl/pwgQID leads to
    http ://www.vetsaudeanimal .net/Document-9879091.zip
    - In all cases, the ZIP file contains a malicious .scr with the same name as the ZIP (e.g. Document-6936124.scr). The file is the same in all three locations and has a VirusTotal detection rate of exactly 0/54*. The Malwr report** shows that this then downloads components from the following locations (hosted by OVH France):
    http ://94.23.247.202 /1607h/HOME/0/51Service%20Pack%203/0/
    http ://94.23.247.202 /1607h/HOME/1/0/0/
    An executable esoez.exe is then dropped onto the target system with a marginally better VT detection rate of 1/54***. The Malwr report for that is inconclusive.
    Recommended blocklist:
    94.23.247.202
    vetsaudeanimal .net
    rollermodena .it
    webbedenterprisesinc .com"
    * https://www.virustotal.com/en-gb/fil...is/1405523997/

    ** https://malwr.com/analysis/ZDJmNTFlZ...kzOTBmNWJjMjg/

    *** https://www.virustotal.com/en-gb/fil...is/1405524493/

    94.23.247.202: https://www.virustotal.com/en/ip-add...2/information/

    - http://threattrack.tumblr.com/post/9...e-message-spam
    July 16, 2014 - "Subjects Seen:
    You have a new Secure Message
    Typical e-mail details:
    You have received a encrypted message from NatWest Customer Support
    In order to view the attachment please open it using your email client ( Microsoft Outlook, Mozilla Thunderbird, Lotus )
    Please download your ecnrypted message at:
    goo .gl/1dlcL3


    Screenshot: https://gs1.wac.edgecastcdn.net/8019...zgJ1r6pupn.png

    Malicious URLs:
    webbedenterprisesinc .com/message/Document-6936124.zip
    lavadoeimagen .com/Document-09962146.zip

    Malicious File Name and MD5:
    Document-<random>.scr (2A835747B7442B1D58AB30ABC90D3B0F)
    Document-<random>.zip (323706E66968F4B973870658E84FEB69)


    Tagged: NatWest, Upatre

    Last edited by AplusWebMaster; 2014-07-16 at 21:09.

  9. #479
    AplusWebMaster (Adviser Team)

    Fake 'Take a look at this picture' email – malware

    FYI...

    Fake 'Take a look at this picture' email – malware
    - http://myonlinesecurity.co.uk/take-l...e-pdf-malware/
    17 June 2014 - "'You should take a look at this picture' is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... A very simple email with the subject of 'You should take a look at this picture' and the body just containing a smiley face.
    17 July 2014: IMG3384698174-JPG.zip (24 kb) : Extracts to IMG4563693711-JPG.scr
    Current VirusTotal detections: 3/54* ... another one of the spoofed icon files that, unless you have "show known file extensions" enabled, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/3...is/1405605234/

    Last edited by AplusWebMaster; 2014-07-18 at 02:50.
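
    Posts #475, #476, #477 and #479 above all describe the same trick: an archive whose member is an executable (.scr, .pif, .exe.exe) carrying a document name and icon, and in the GameOver case an attachment declared as .html that is really a ZIP. The following is an added example, not code from any of the quoted blogs, of the two checks a mail gateway or triage script would apply before a user ever sees the file: compare the declared type with the leading bytes, and look inside archives for executable extensions hidden behind document ones. The sample archive is constructed in memory (its members carry only an "MZ" stub, not real executables); the file names are the ones reported in the posts.

```python
import io
import zipfile

# Extensions Windows runs directly. A "document" ending in one of these is the
# "spoofed icon file" pattern from the posts.
EXEC_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js", "jse", "wsf"}
# Document-like extensions used as the decoy half of a double extension.
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "jpeg", "png", "gif", "txt", "html", "htm"}

MAGIC = [(b"PK\x03\x04", "zip"), (b"MZ", "pe"), (b"%PDF", "pdf"), (b"\xff\xd8\xff", "jpeg")]
EXT_TO_KIND = {"zip": "zip", "pdf": "pdf", "jpg": "jpeg", "jpeg": "jpeg", "html": "html", "htm": "html"}


def sniff_type(data: bytes) -> str:
    """Identify content by leading bytes, ignoring the declared file name."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    head = data[:256].lstrip().lower()
    if head.startswith(b"<!doctype html") or head.startswith(b"<html"):
        return "html"
    return "unknown"


def classify_name(name: str):
    """Reason string if the name is an executable posing as a document, else None."""
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    if len(parts) < 2 or parts[-1] not in EXEC_EXTS:
        return None
    last = parts[-1]
    if len(parts) >= 3 and (parts[-2] in DECOY_EXTS or parts[-2] in EXEC_EXTS):
        return f"double extension .{parts[-2]}.{last}"
    return f"executable extension .{last}"


def inspect_attachment(declared_name: str, data: bytes):
    """Check one attachment: declared type vs real content, then archive members.
    Returns a list of (item, reason) findings; an empty list means nothing flagged."""
    findings = []
    kind = sniff_type(data)
    declared_ext = declared_name.lower().rsplit(".", 1)[-1]
    expected = EXT_TO_KIND.get(declared_ext)
    if expected and kind not in (expected, "unknown"):
        findings.append((declared_name, f"declared .{declared_ext} but content is {kind}"))
    if kind == "zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    reason = classify_name(info.filename)
                    if reason:
                        findings.append((info.filename, reason))
                    elif info.file_size > 0 and sniff_type(zf.open(info).read(8)) == "pe":
                        # executable content behind a harmless-looking member name
                        findings.append((info.filename, "PE executable with a non-executable name"))
        except zipfile.BadZipFile:
            findings.append((declared_name, "corrupt or truncated ZIP"))
    return findings


def build_sample_zip() -> bytes:
    """Constructed archive for demonstration; members hold an MZ stub, not real code."""
    fake_pe = b"MZ" + b"\x00" * 62
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("SECUREDOC.PDF.SCR", fake_pe)        # post #475
        zf.writestr("Internal Only.scr", fake_pe)        # post #476
        zf.writestr("BBB SBQ Form.exe.exe", fake_pe)     # post #477
        zf.writestr("IMG875002763.JPEG.pif", fake_pe)    # post #477 (Tinba)
        zf.writestr("invoice.pdf", b"%PDF-1.4\n% constructed benign placeholder\n")
    return buf.getvalue()


if __name__ == "__main__":
    # The GameOver lure declared the attachment as securedoc.html; it was a ZIP.
    for item, reason in inspect_attachment("securedoc.html", build_sample_zip()):
        print(f"{item}: {reason}")
```

    The name check is intentionally applied to the member names inside the archive, since the outer file is usually a plain .zip and passes naive extension filters; the magic-byte check covers the case where the name is clean but the content is a PE.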

  10. #480
    AplusWebMaster (Adviser Team)

    Something evil on 5.135.211.52/195.154.69.123, Law Firm Spam

    FYI...

    Something evil on 5.135.211.52 and 195.154.69.123
    - http://blog.dynamoo.com/2014/07/some...21152-and.html
    18 July 2014 - "This is some sort of malware using insecure OpenX ad servers to spread... don't know quite what it is, but it's running on a bunch of -hijacked- GoDaddy subdomains and is triggering a generic Javascript detection on my gateway... The two IPs in use both belong to OVH France, but 5.135.211.52 is suballocated to QHoster Ltd (Bulgaria) [VT*] and 195.154.69.123 is suballocated to Iliad Entreprises (France) [VT**]. This second IP has also been used to host "one two three" malware sites back in May***.
    Recommended blocklist:
    * 5.135.211.52: https://www.virustotal.com/en-gb/ip-...2/information/
    ** 195.154.69.123: https://www.virustotal.com/en-gb/ip-...3/information/
    somerspointnjinsurance .com
    risleyhouse .net
    ecofloridian .info
    ecofloridian .com
    trustedelderlyhomecare .net
    trustedelderlyhomecare .org
    trustedelderlyhomecare .info
    theinboxexpert .com"
    *** http://blog.dynamoo.com/2014/05/one-...ns-center.html
    ___

    Law Firm Spam
    - http://threattrack.tumblr.com/post/9.../law-firm-spam
    July 18, 2014 - "Subjects Seen:
    Notice of appearance
    Typical e-mail details:
    Notice to Appear,
    To view copy of the court notice click here. Please, read it thoroughly. Note: If you do not attend the hearing the judge may hear the case in your absence.


    Malicious URLs:
    encoretaxcpa .com/wp-content/plugins/pm.php?notice=rAKMA0yBTjJaHycjLxYiPxWIuHzgUE6cEU/ZGGio7m4=


    Screenshot: https://gs1.wac.edgecastcdn.net/8019...8BS1r6pupn.png

    Tagged: Law firm, Kuluoz

    Last edited by AplusWebMaster; 2014-07-18 at 18:20.
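
    Posts #478 and #480 above each end with a "Recommended blocklist" written in the defanged form used throughout this thread ("goo .gl/8AanL9", "vetsaudeanimal .net"), and #478 notes that the lure claims Dropbox while the link actually goes through a goo.gl shortener. The following is an added example, not code from dynamoo.com or threattrack, showing how such a list can be loaded as written and checked against the URLs in an incoming message: exact indicators match first, host-only indicators match any path, and shortener links that match nothing are still surfaced because their destination is unknown until expanded. The blocklist entries are taken from post #478; the message body is constructed from the fax lure quoted there, and the shortener set is an assumption.

```python
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
# Assumed set of public shorteners worth expanding before trusting.
SHORTENERS = {"goo.gl", "bit.ly", "tinyurl.com", "t.co"}


def refang(text: str) -> str:
    """Undo the defanging conventions used in the posts: hxxp, 'http ://',
    'host .tld', 'host[.]tld', 'host(.)tld' and 'user@ domain'."""
    text = re.sub(r"hxxp", "http", text, flags=re.I)
    text = re.sub(r"(https?) ://", r"\1://", text, flags=re.I)
    text = re.sub(r"\s*\[\.\]\s*|\s*\(\.\)\s*|\s+\.(?=[A-Za-z0-9])", ".", text)
    return text.replace("@ ", "@")


def load_blocklist(lines):
    """One indicator per line (host, IP, or host/path); '#' lines are comments.
    Returns {'hosts': set, 'urls': set} with everything lower-cased and refanged."""
    hosts, urls = set(), set()
    for raw in lines:
        ind = refang(raw.strip()).lower()
        if not ind or ind.startswith("#"):
            continue
        ind = re.sub(r"^https?://", "", ind).rstrip("/")
        (urls if "/" in ind else hosts).add(ind)
    return {"hosts": hosts, "urls": urls}


def check_message(body: str, blocklist):
    """Return [(url, reason)] for every URL in the message that is listed,
    or that points at a shortener whose destination has not been resolved."""
    hits = []
    for url in URL_RE.findall(refang(body)):
        url = url.rstrip(".,;)")
        p = urlparse(url)
        host = (p.hostname or "").lower()
        key = host + p.path.rstrip("/").lower()
        if host in blocklist["hosts"]:
            hits.append((url, "host on blocklist"))
        elif key in blocklist["urls"]:
            hits.append((url, "url on blocklist"))
        elif host in SHORTENERS:
            hits.append((url, "url shortener: destination unknown, expand and inspect before trusting"))
    return hits


# Indicators as posted in #478 (kept in their defanged form on purpose).
BLOCKLIST_LINES = [
    "# dynamoo recommended blocklist, 16 July 2014",
    "94.23.247.202",
    "vetsaudeanimal .net",
    "rollermodena .it",
    "webbedenterprisesinc .com",
    "goo .gl/8AanL9",
]

# Constructed message body modelled on the fax lure quoted in #478.
SAMPLE_BODY = """New fax at SCAN7905518 from EPSON
You can download your fax message at:
https ://goo .gl/8AanL9
(Dropbox is a file hosting service operated by Dropbox, Inc.)
Second copy: http ://rollermodena .it/Document-2816409172.zip
Help: https://www.example.com/help
Other link: https://goo.gl/zzzz
"""

if __name__ == "__main__":
    for url, reason in check_message(SAMPLE_BODY, load_blocklist(BLOCKLIST_LINES)):
        print(f"{reason}: {url}")
```

    Refanging is done on both the indicator list and the message so that a copy-pasted blocklist from a write-up and a live mail body compare on equal terms; the shortener rule is what catches the Dropbox-versus-goo.gl mismatch the post points out, since the visible text of a lure says nothing about where the link resolves.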
