
Thread: SPAM frauds, fakes, and other MALWARE deliveries...

  1. #41
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    SCAM and SPAM ...

    FYI... multiple entries:

    iPad SCAM ...
    - http://www.gfi.com/blog/twitter-dm-l...-to-ipad-scam/
    Oct 24, 2012 - "We have been reading reports of malware and phishing attacks by means of suspicious direct messages to get user systems infected or have user information and credentials stolen, a ploy that is fast becoming common in the Twittersphere now more than ever. One GFI Labs blog reader gave us the heads up on the latest DM currently making rounds on Twitter. The message says:
    did you see your pics with her facebook(dot)com/45569965114786…
    Users who click the embedded link are led to a Facebook app page, which then executes a PHP script—
    > http://www.gfi.com/blog/wp-content/u...nd-traffic.png
    ... —before redirecting them to this:
    > http://www.gfi.com/blog/wp-content/u...ge-300x181.jpg
    It appears to be a genuine Facebook event page; however, the URL has made obvious that it’s not at all related to the said social networking site.
    Depending on where users are in the US and UK, they are led to either a survey scam page or a phishing page once they click - Click here.:
    > http://www.gfi.com/blog/wp-content/u...am-300x222.jpg
    ...
    > http://www.gfi.com/blog/wp-content/u...ge-300x285.png
    ... Others are redirected to this ad campaign page we’re probably familiar with:
    > http://www.gfi.com/blog/wp-content/u...ge-300x201.png
    We have determined that more than 4,500 Internet users have visited the dodgy Facebook app page; however, it is unclear how many have fallen victim to these scams... quick reminder to our readers: think before you click..."
    ___

    Contract SPAM / fidelocastroo .ru
    - http://blog.dynamoo.com/2012/10/cont...castrooru.html
    24 Oct 2012 - "This fake contact spam leads to malware on fidelocastroo .ru:
    Date: Tue, 23 Oct 2012 12:33:51 -0800
    From: "Wilburn TIMMONS" [HIWilburn@hotmail.com]
    Subject: Fw: Contract from Wilburn
    Attachments: Contract_Scan_DS23656.htm
    Hello,
    In the attached file I am transferring you the Translation of the Job Contract that I have just received today. I am really sorry for the delay.
    Best regards,
    Wilburn TIMMONS, secretary


    The .htm attachment contains obfuscated javascript that attempts to direct the visitor to a malicious [donotclick]fidelocastroo .ru:8080/forum/links/column.php. This domain name has been used in several recent attacks and is currently multihomed on some familiar IP addresses:

    202.3.245.13 (President of French Polynesia*)
    203.80.16.81 (MYREN, Malaysia)
    209.51.221.247 (eNet, US)

    * http://blog.dynamoo.com/2012/10/pres...polynesia.html ..."
    ___

    Bogus Windows License SPAM - in the Wild
    - http://www.gfi.com/blog/bogus-window...s-in-the-wild/
    Oct 24, 2012 - "... Below is a screenshot of a new spam run in the wild... presents to recipients a very suspicious but very free license for Microsoft Windows that they can download. Sounds too good to be true? It probably is.
    > http://www.gfi.com/blog/wp-content/u...22-300x124.png
    From: {random email address}
    Subject: Re: Fwd: Order N [redacted]
    Message body:
    Welcome,
    You can download your Microsoft Windows License here -
    Microsoft Corporation

    Clicking the hyperlinked text leads recipients to a number of .ru websites hosting the file, page2.htm (screenshot below), which contains obfuscated JavaScript code that loads the Web page fidelocastroo(dot)ru(colon)8080/forums/links/column(dot)php.
    > http://www.gfi.com/blog/wp-content/u...ole-300x83.png
    This spam is a launchpad for a Blackhole-Cridex attack on user systems. This method is likewise being used by the most recent campaign of the “Copies of Policies” spam*, also in the wild..."
    * http://gfisoftware.tumblr.com/tagged/Copies-of-Policies
    ___

    Wire Transfer SPAM / ponowseniks .ru
    - http://blog.dynamoo.com/2012/10/wire...wseniksru.html
    24 Oct 2012 - "This fake wire transfer spam leads to malware on ponowseniks .ru:
    Date: Wed, 24 Oct 2012 04:26:12 -0500
    From: FedEx [info@emails.fedex.com]
    Subject: Re: Fwd: Wire Transfer Confirmation (FED REFERENCE 9649AA02)
    Attachments: Report_Trans99252.htm
    Dear Bank Operator,
    WIRE TRANSFER: FEDW-30126495944197210
    STATUS: REJECTED
    You can find details in the attached file.
    (Internet Explorer format)

    The .htm attachment attempts to redirect the user to a malicious page at [donotclick]ponowseniks .ru:8080/forum/links/column.php hosted on some familiar IP addresses:
    202.3.245.13 (President of French Polynesia)
    203.80.16.81 (MYREN, Malaysia)
    209.51.221.247 (eNet, US)"
    ___

    BBB SPAM / samplersmagnifyingglass .net
    - http://blog.dynamoo.com/2012/10/bbb-...gglassnet.html
    24 Oct 2012 - "This fake BBB spam leads to malware on samplersmagnifyingglass .net:
    Date: Wed, 24 Oct 2012 22:10:18 +0430
    From: "Better Business Bureau" [noreply@bbb.org]
    Subject: Better Business Beareau Appeal #42790699
    Attention: Owner/Manager
    Here with the Better Business Bureau notifies you that we have been sent a claim (ID 42790699) from one of your consumers about their dealership with you.
    Please view the CLAIMS REPORT down to view more information on this problem and suggest us about your point of view as soon as possible.
    On a website above please enter your complain id: 42790699 to review it.
    We are looking forward to hearing from you.
    -----------------------------------
    Faithfully,
    Rebecca Wilcox
    Dispute advisor
    Better Business Bureau


    The malicious payload is on [donotclick]samplersmagnifyingglass .net/detects/confirming_absence_listing.php hosted on 183.81.133.121, a familiar IP address belonging to Vodafone in Fiji that has been used several times before and is well worth blocking."

    Last edited by AplusWebMaster; 2012-10-24 at 23:46.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #42
    AplusWebMaster (Adviser Team)

    Fake UPS, Facebook, ADP emails lead to malware ...

    FYI... multiple entries:

    Fake UPS emails serve malware ...
    - http://blog.webroot.com/2012/10/25/y...serve-malware/
    Oct 25, 2012 - "... cybercriminals launched yet another massive spam campaign, impersonating the United Parcel Service (UPS), in an attempt to trick its current and prospective customers into downloading and executing the malicious attachment found in the email. Upon execution, the malware opens a backdoor on the infected host, allowing the cybercriminals behind the campaign to gain complete control over the victim’s host...
    Screenshot of the spamvertised email:
    > https://webrootblog.files.wordpress....il_malware.png
    Detection rate for the malicious attachment: MD5: 0e78d3704332c59b619f872fd6d33d25 * ... Trojan-Downloader.Win32.Andromeda.qw.
    * https://www.virustotal.com/file/d9e1...is/1350581761/
    File name: UPS_Delivery_Confirmation.pdf.exe
    Detection ratio: 32/43
    Analysis date: 2012-10-18
    ___

    Fake Facebook emails lead to malware
    - https://www.net-security.org/malware_news.php?id=2302
    25.10.2012 - "If you receive an email seemingly sent by Facebook, sharing an offensive comment that has seemingly been left on your Wall by an unknown user, please don't be tempted to follow the link.
    > https://www.net-security.org/images/...nsive-scam.jpg
    ... If you do, you'll be -redirected- to a -fake- Facebook page hosting a malicious iFrame script that triggers the infamous Blackhole exploit kit, and if it finds a vulnerability to exploit, you will be automatically saddled with some or other malicious software. The attackers will try to hide the fact by automatically redirecting you to another legitimate Facebook page, belonging to a Facebook user that, according to Sophos*, does not seem to be related to the attack."
    * http://nakedsecurity.sophos.com/2012...alware-attack/
    ___

    ADP SPAM / openpolygons .net
    - http://blog.dynamoo.com/2012/10/adp-...lygonsnet.html
    25 Oct 2012 - "This fake ADP spam leads to malware on openpolygons .net:
    From: warning @adp .com
    Sent: Thu 25/10/2012 16:42
    Subject: ADP Instant Message
    ADP Pressing Communication
    Reference No.: 27711
    Respected ADP Client October, 25 2012
    Your Transaction Report(s) have been uploaded to the web site:
    Click Here to access
    Please overview the following information:
    Please note that your bank account will be debited within one banking business day for the amount(s) shown on the report(s).
    Please do not respond or reply to this automated e-mail. If you have any questions or comments, please Contact your ADP Benefits Specialist.
    This email was sent to existing users in your company that access ADP Netsecure.
    As general, thank you for using ADP as your business affiliate!
    Ref: 27711

    > https://lh3.ggpht.com/-xEHpgbIAYcs/U...0/adp-spam.png

    The malicious payload is at [donotclick]openpolygons .net/detects/lorrys_implication.php hosted on 195.198.124.60 (Skand Meteorologi och Miljoinstr AB, Sweden) which is an IP address that has been seen before. That IP also hosts the fake AV application win8ss .com and another malware site of legacywins .com...
    Plain list for copy-and-pasting:
    195.198.124.60
    openpolygons .net
    win8ss .com
    legacywins .com
    ..."
    ___

    "End of Aug. Statement required" SPAM / kiladopje .ru
    - http://blog.dynamoo.com/2012/10/end-...ired-spam.html
    25 Oct 2012 - "This spam leads to malware on kiladopje .ru:
    From: ZaireLomay @mail .com
    Sent: 24 October 2012 20:58
    Subject: Re: FW: End of Aug. Statement required
    Hi,
    as reqeusted I give you inovices issued to you per sept. (Internet Explorer format)
    Regards


    In this case, there's an attachment called Invoices-23-2012.htm with some obfuscated Javascript to direct visitors to a malware laden page at [donotclick]kiladopje .ru:8080/forum/links/column.php hosted on:
    79.98.27.9 (Interneto Vizija, Lithuania)
    203.80.16.81 (MYREN, Malaysia)
    209.51.221.247 (eNet, US)
    The following IPs and domains are all related and should be blocked if you can:
    ..."
    ___

    Vast email -malware- outbreaks – efaxCorporate and Xerox copiers
    - http://blog.commtouch.com/cafe/email...xerox-copiers/
    Oct 25, 2012 - "... huge amounts of email-attached malware distributed – all with an “office” theme. The attacks pushed the amount of email up by several hundred percent and totaled near five billion emails sent worldwide.
    > http://blog.commtouch.com/cafe/wp-co...4-Oct-2012.jpg
    The first part of the day saw emails describing an attachment as being the scan from a Xerox Workcenter... Yesterday’s file was a zipped executable. The second part of the attack moved on to eFaxCorporate, announcing the arrival of a (21 page) fax message. Once again the attachment was an executable file pretending to be a PDF. The file is detected as W32/Trojan2.NTLB... The malware scans the infected system for FTP programs – no doubt looking for FTP credentials that can be stolen to access and compromise Web servers (which can then be used to serve malware links).
    > http://blog.commtouch.com/cafe/wp-co...ax-message.jpg ..."

    Last edited by AplusWebMaster; 2012-10-26 at 02:45.

  3. #43
    AplusWebMaster (Adviser Team)

    Bogus Skype, ADP emails lead to malware ...

    FYI... multiple entries:

    Share of malicious email by country
    - http://www.h-online.com/security/new...ew=zoom;zoom=1
    26 Oct 2012
    ___

    Bogus Skype emails lead to malware...
    - http://blog.webroot.com/2012/10/26/b...ad-to-malware/
    Oct 26, 2012 - "... millions of emails impersonating Skype, in an attempt to trick Skype users that their password has been successfully changed, and that in order to view their call history and change their account settings, they would need to execute the malicious attachment found in the emails...
    Screenshot of the spamvertised email:
    > https://webrootblog.files.wordpress....am_malware.png
    Detection rate for the malicious attachment: MD5: 0e78d3704332c59b619f872fd6d33d25 * ... Trojan-Downloader.Win32.Andromeda.qw. Upon execution, the malware opens a backdoor allowing the cybercriminals behind the campaign complete access to the affected user’s host..."
    * https://www.virustotal.com/file/d9e1...is/1350584221/
    File name: Skype_Password_inscturtions.pdf.exe
    Detection ratio: 32/43
    Analysis date: 2012-10-18
    ___

    apl.de.ap SPAM
    - http://blog.dynamoo.com/2012/10/apldeap-spam.html
    26 Oct 2012 - "I'm not really a fan of the Black Eyed Peas, so I'd never heard of apl.de.ap ( http://en.wikipedia.org/wiki/Apl.de.ap ) until I received this spam. I'm pretty sure that Mr ap isn't sending these out himself, but they're coming from a spammer in the UAE, a place which seems to be the spam capital of the middle east. Although those look like tinyurl links, they're not... they go through a redirector at ykadl .net on 109.236.88.71, the same IP used to send the spam... here's the spam in case you really want to buy tickets from a shady bunch of spammers (NOT)...
    From: DNA alex @ ykadl .net
    Date: 26 October 2012 04:48
    Subject: Black Eyed Peas/ APL DE AP in Dubai
    Signed by: ykadl.net
    BLACK EYE PEAS founding member APL DE AP heads to Dubai
    BLACK EYE PEAS founding member APL DE AP to Dubai for the first time.The internationally famed Black Eyed Peas rapper/DJ, who has won 7 Grammy Awards and sold over 70 million albums, will be the headliner performance at Nasimi Beach on Thursday 1st November.
    Like his high school friend Will I Am, APL DE AP also DJ's with international bookings all around the globe including Ibiza, Cannes and London, recently headlining at Belgium's Tomorrowland Festival. The American-Philippines star headlines this event with support from Dion Mavath, local celebrity DJ Marwan Bliss/ 411, Mathew Charles and as well as a performance by Number One selling band Swickasswans.
    APL DE AP and the other members of the Black Eyed Peas have been on a hiatus
    ..."
    ___

    ADP SPAM / steamedboasting .info
    - http://blog.dynamoo.com/2012/10/adp-...stinginfo.html
    26 Oct 2012 - "This fake ADP spam leads to malware on steamedboasting.info:
    From: ClientService @adp .com
    Sent: 26 October 2012 12:03
    Subject: ADP Instant Notification
    ADP Urgent Warning
    Reference #: 31344
    Dear ADP Client October, 25 2012
    Your Transfer Summary(s) have been uploaded to the web site:
    https ://www.flexdirect.adp .com/client/login.aspx
    Please take a look at the following information:
    • Please note that your bank account will be charged within 1 banking day for the amount(s) specified on the Statement(s).
    • Please DO NOT reply to this message. automative notification system cannot accept incoming messages. Please Contact your ADP Benefits Specialist.
    This note was sent to existing users in your company that approach ADP Netsecure.
    As always, thank you for choosing ADP as your business companion!
    Ref: 31344


    The malicious payload is at [donotclick]steamedboasting .info/detects/burying_releases-degree.php, the initial redirection page has some Cloudflare elements on it which is a bit disturbing. steamedboasting .info is hosted on 195.198.124.60 (Skand Meteorologi och Miljoinstr AB, Sweden).
    This is an alternative variant with the same malicious payload:
    Date: Fri, 26 Oct 2012 16:32:10 +0530
    From: "noreply @adp .com"
    Subject: ADP Prompt Communication
    ADP Speedy Notification
    Reference #: 27585
    Dear ADP Client October, 25 2012
    Your Transaction Statement(s) have been put onto the web site:
    Web site link
    Please see the following notes:
    • Please note that your bank account will be charged-off within 1 banking business day for the amount(s) specified on the Protocol(s).
    • Please do not reply to this message. automative notification system can't accept incoming mail. Please Contact your ADP Benefits Specialist.
    This message was sent to operating users in your company that approach ADP Netsecure.
    As always, thank you for choosing ADP as your business partner!
    Ref: 27585 [redacted]
    ..."
    ___

    "Your Photos" SPAM / manekenppa .ru
    - http://blog.dynamoo.com/2012/10/your...ekenpparu.html
    26 Oct 2012 - "This fake "photos" spam leads to malware on manekenppa .ru:
    From: Acacia @redacted .com
    Sent: 26 October 2012 10:14
    Subject: Your Photos
    Hi,
    I have attached your photos to the mail
    (Open with Internet Explorer).

    In this case there is an attachment called Image_DIG691233.htm that leads to a malware laden page at [donotclick]manekenppa .ru:8080/forum/links/column.php hosted on some familiar looking IPs:
    79.98.27.9 (Interneto Vizija, Lithuania)
    203.80.16.81 (MYREN, Malaysia)
    209.51.221.247 (eNet, US)
    We've seen these IPs before and they are well worth blocking."

    Last edited by AplusWebMaster; 2012-10-27 at 00:10.
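The dynamoo and Webroot items in the posts above keep repeating the same handful of indicators: an .htm attachment whose obfuscated JavaScript sends the reader to a .ru host on port 8080 at /forum/links/column.php, an "Internet Explorer format" lure line, a double-extension attachment such as UPS_Delivery_Confirmation.pdf.exe, and a defanged "plain list for copy-and-pasting" of hosts to block. The triage rule below turns those into a scoring check a mail gateway could apply; it is an added example, not code from the thread or the blogs it quotes, and the MailItem fields, indicator weights and sample messages are constructed assumptions for the example.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Added example: indicator patterns drawn from the campaigns quoted in this thread.
# A document-looking extension followed by an executable one (..._Confirmation.pdf.exe).
DOUBLE_EXTENSION = re.compile(r"\.(pdf|jpe?g|png|doc|txt)\.(exe|scr|com|pif|bat)$", re.I)
# The .htm attachments carried the obfuscated JavaScript redirector.
HTML_ATTACHMENT = re.compile(r"\.html?$", re.I)
# Blackhole landing path that recurs across the .ru hosts on port 8080.
LANDING_PATH = re.compile(r"^/forums?/links/column\.php$", re.I)
# Lure lines telling the recipient which browser to open the attachment with.
LURE_PHRASES = ("internet explorer format", "open with internet explorer")

# Weights are an assumption for this example; a mail scoring at least BLOCK_AT is quarantined.
WEIGHTS = {"double_extension": 3, "html_attachment": 1, "lure_phrase": 1,
           "blocklisted_host": 3, "landing_path": 3}
BLOCK_AT = 3


def refang(value):
    """Undo the defanging used in the thread: 'kiladopje .ru', 'x(dot)ru(colon)8080',
    'hxxp ://' and the '[donotclick]' marker become real host/URL strings."""
    value = value.strip().replace("[donotclick]", "")
    value = re.sub(r"\s*\(dot\)\s*", ".", value, flags=re.I)
    value = re.sub(r"\s*\(colon\)\s*", ":", value, flags=re.I)
    value = re.sub(r"^hxxp(s?)\s*://", r"http\1://", value, flags=re.I)
    return re.sub(r"\s+\.", ".", value)


def load_blocklist(lines):
    """Parse a 'plain list for copy-and-pasting' block into a set of lower-case hosts."""
    hosts = set()
    for line in lines:
        host = refang(line).lower()
        if host and not host.startswith("..."):
            hosts.add(host)
    return hosts


@dataclass
class MailItem:
    """Minimal view of a message as a gateway would see it (constructed for the example)."""
    sender: str
    subject: str
    body: str
    attachments: list = field(default_factory=list)
    urls: list = field(default_factory=list)  # links in the body or inside an .htm attachment


def triage(item, blocklist):
    """Return score, block decision and the (indicator, evidence) pairs that fired."""
    reasons = []
    for name in item.attachments:
        if DOUBLE_EXTENSION.search(name):
            reasons.append(("double_extension", name))
        elif HTML_ATTACHMENT.search(name):
            reasons.append(("html_attachment", name))
    body = item.body.lower()
    for phrase in LURE_PHRASES:
        if phrase in body:
            reasons.append(("lure_phrase", phrase))
            break
    for raw in item.urls:
        url = refang(raw)
        if "://" not in url:
            url = "http://" + url  # defanged lists omit the scheme
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if host in blocklist:
            reasons.append(("blocklisted_host", host))
        if parts.port == 8080 and LANDING_PATH.match(parts.path):
            reasons.append(("landing_path", f"{host}:{parts.port}{parts.path}"))
    score = sum(WEIGHTS[kind] for kind, _ in reasons)
    return {"score": score, "block": score >= BLOCK_AT, "reasons": reasons}


# Blocklist entries come from the defanged lists quoted above; the mails are constructed
# samples modelled on the quoted spam, not the original messages.
BLOCKLIST = load_blocklist(["manekenppa .ru", "kiladopje .ru", "fidelocastroo .ru",
                            "203.80.16.81", "209.51.221.247", "..."])

PHOTOS_SPAM = MailItem(
    sender="Acacia@redacted.example", subject="Your Photos",
    body="Hi,\nI have attached your photos to the mail\n(Open with Internet Explorer).",
    attachments=["Image_DIG691233.htm"],
    urls=["[donotclick]manekenppa .ru:8080/forum/links/column.php"],  # found inside the .htm
)
UPS_SPAM = MailItem(
    sender="ups@redacted.example", subject="UPS Delivery Confirmation",
    body="Please find your delivery confirmation attached.",
    attachments=["UPS_Delivery_Confirmation.pdf.exe"],
)
BENIGN = MailItem(
    sender="colleague@example.com", subject="Q3 report", body="Report attached.",
    attachments=["q3_report.pdf"], urls=["https://intranet.example.com/q3"],
)
```

Running `triage(PHOTOS_SPAM, BLOCKLIST)` fires all four indicators (score 8), the UPS sample is blocked on the double extension alone, and the benign report scores 0.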

  4. #44
    AplusWebMaster (Adviser Team)

    Fake BT-Business, Verizon emails lead to malware

    FYI...

    Fake BT-Business emails lead to malware ...
    - http://blog.webroot.com/2012/10/28/s...ad-to-malware/
    Oct 28, 2012 - "Over the past 24 hours, cybercriminals have been spamvertising millions of emails targeting customers of BT’s Business Direct in an attempt to trick its users into executing the malicious attachment found in the emails. Upon executing it, the malware opens a backdoor on the infected host, allowing the cybercriminals behind the campaign to gain complete access to the affected host...
    Screenshot of the spamvertised email:
    > https://webrootblog.files.wordpress....il_malware.png
    Detection rate for the malicious attachment: MD5: 8d0e220ce56ebd5a03c389bedd116ac5 * ... Trojan-Ransom.Win32.Gimemo.ashm ..."
    * https://www.virustotal.com/file/8f42...7c48/analysis/
    File name: 8D0E220CE56EBD5A03C389BEDD116AC5.fil
    Detection ratio: 32/42
    Analysis date: 2012-10-25
    ___

    Fake Verizon Wireless emails serve client-side exploits and malware ...
    - http://blog.webroot.com/2012/10/27/c...s-and-malware/
    Oct 27, 2012 - "... For over a week now, cybercriminals have been persistently spamvertising millions of emails impersonating the company, in an attempt to trick current and prospective customers into clicking on the client-side exploits and malware serving links found in the malicious email. Upon clicking on any of the links, users are exposed to the client-side exploits served by the latest version of the BlackHole Exploit Kit...
    Screenshot of the spamvertised email:
    > https://webrootblog.files.wordpress....ts_malware.png
    Spamvertised malicious URLs:
    hxxp ://coaseguros .com/components/com_ag_google_analytics2/notifiedvzn.html;
    hxxp ://clinflows .com/components/com_ag_google_analytics2/vznnotifycheck.html
    Client-side exploits serving URL: hxxp ://strangernaturallanguage .net/detects/notification-status_login.php?mzuilm=073707340a&awi=45&dawn=04083703023407370609&iwnjdt=0a000300040002
    Sample client-side exploits served: CVE-2010-0188
    Upon successful client-side exploitation, the campaign drops MD5: b8d6532dd17c3c6f91de5cc13266f374 * ... Trojan-Spy.Win32.Zbot.fkth
    Once executed, the sample phones back to tuningmurcelagoglamour .ru, tuningfordmustangxtremee .ru - 146.185.220.28, AS58014 ..."
    * https://www.virustotal.com/file/2d17...61f4/analysis/
    File name: b8d6532dd17c3c6f91de5cc13266f374.malware
    Detection ratio: 26/44
    Analysis date: 2012-10-09 ..."


  5. #45
    AplusWebMaster (Adviser Team)

    Fake British Airways emails serve malware

    FYI...

    Fake British Airways emails serve malware
    - http://blog.webroot.com/2012/10/29/c...serve-malware/
    Oct 29, 2012 - "Cybercriminals are currently mass mailing millions of emails in an attempt to trick British Airways customers into executing the malicious attachment found in the spamvertised emails. Upon execution, the malware opens a backdoor on the infected host, allowing the cybercriminals behind the campaign to gain complete control over the infected host...
    Screenshot of the spamvertised email:
    > https://webrootblog.files.wordpress....il_malware.png
    Detection rate for the malicious attachment: MD5: 4a3a345c24fda6987bbe5411269e26b7 * ... Trojan-Downloader.Win32.Andromeda.aey..."
    * https://www.virustotal.com/file/39f5...5c21/analysis/
    File name: BritishAirways-eticket.pdf.exe
    Detection ratio: 30/43
    Analysis date: 2012-10-23
    ___

    .com malware pretends to be naughty .com website
    - http://blog.commtouch.com/cafe/email...y-com-website/
    Oct 28, 2012 - "... The email doesn’t include much text – simply asking that you 'Pay attention at the attach':
    Screenshot: http://blog.commtouch.com/cafe/wp-co...ck-blurred.jpg
    ... As shown in the screenshot it’s www .——-face .com. Those tempted to double-click the “link” in order to visit a porn site would find themselves attacked by malware."

    Last edited by AplusWebMaster; 2012-10-29 at 15:53.

  6. #46
    AplusWebMaster (Adviser Team)

    Bogus Facebook notifications serve malware

    FYI...

    Bogus Facebook notifications serve malware
    - http://blog.webroot.com/2012/10/30/c...serve-malware/
    Oct 30, 2012 - "... cybercriminals spamvertised yet another massive email campaign, impersonating the world’s most popular social network – Facebook. It was similar to a previously profiled spam campaign imitating Facebook. However, in this case the cybercriminals behind it relied on attached malicious archives, compared to including exploits and malware serving links in the email...
    Sample screenshot of the spamvertised email:
    > https://webrootblog.files.wordpress....il_malware.png
    Detection rate for the malicious archive: MD5: 0938302fbf8f7db161e46c558660ae0b * ... Trojan.Generic.KDV.753880; Trojan-Ransom.Win32.Gimemo.arsu. Upon execution, the sample opens a backdoor on the infected host, allowing the cybercriminals behind the campaign to gain full access to the affected host..."
    * https://www.virustotal.com/file/79f9...is/1350575670/
    File name: FacebookPhoto_album.jpeg.exe
    Detection ratio: 34/43
    Analysis date: 2012-10-18
    ___

    Blackhat SEO poisoning: Halloween tricks and holiday malware ...
    - http://blogs.computerworld.com/cyber...ware-interview
    Oct 29, 2012 - "... things like blackhat SEO poisoning to successfully infect devices. Blackhat SEO link poisoning, scams, tricks. Although the poisonous pranks and tainted tricks go far beyond Halloween, this seemed a great time to get insight into these trends as well as tips to avoid them. You might know about it, but how about your parents or other people who are not nearly so security-savvy? You might want to warn them that their simple searches could infect their computers... especially if you will be the one called upon to fix them for free ;-) ..."
    (More detail at the URL above.)

    Last edited by AplusWebMaster; 2012-10-30 at 23:27.

  7. #47
    AplusWebMaster (Adviser Team)

    Twitter, Steam phish ...

    FYI... multiple entries:

    Twitter phish is selling drama
    - http://www.gfi.com/blog/new-twitter-...selling-drama/
    Oct 30, 2012 - "... new phish in Twitter... you won’t miss it once you visit your direct message (DM) inbox. The message content can be any of the following:
    - A horrible rumor is spreading about you
    - A nasty rumor is spreading about you
    - A terrible rumor is spreading about you
    - You see this video of someone taping you? [URL redacted] creep
    - Hey you hear about the gossip your mentioned in? it started some serious drama, it fired up a lot of people on [URL redacted] sNqp


    Whatever the message, it carries a shortened URL that directs the recipient to the domain ivtwtter(dot)com once clicked. Fortunately, the domain is no longer active.
    > http://www.gfi.com/blog/wp-content/u...tter-phish.png
    Web browsers have also flagged the URL as a phishing site. If you receive any of these messages (or similar), the best way to handle it is to simply delete it from your DM inbox and warn your followers. In warning them, don’t copy and paste the entire message you received with the live link still in it — as some are prone to do — because this just increases the possibility of the nefarious link getting clicked..."
    ___

    "Your Apple ID has been disabled" phish
    - http://blog.dynamoo.com/2012/10/your...led-phish.html
    31 Oct 2012 - "I've never seen one quite like this before, although it's not the first time I've seen Apple-themed scam emails...
    From: Apple no_reply @ macapple .com
    Reply-To: no_reply @ macapple .com
    Date: 31 October 2012 06:08
    Subject: Your Apple ID has been disabled
    Apple ID Support
    Dear [redacted] ,
    This Apple ID has been disabled!
    For your protection, your Apple ID ([redacted]) is automatically disabled. We detect unauthorized Login Attempts to your Apple ID from other IP Location. Please verify your identity today or your account will be disabled due to concerns we have for the safety and integrity of the Apple Community.
    To verify your Apple ID, we recommend that you go to:
    Verify Now >


    The phish is hosted at [donotclick]app.apple .com.proiectmaxim .ro/id2/sign_in/login_ID&=/?&=?reactivate=[redacted] and it looks pretty convincing if you haven't spotted the Romanian domain name... It just goes to show that the bad guys will try to phish -anything- these days."
    ___

    HP ScanJet SPAM / donkihotik .ru
    - http://blog.dynamoo.com/2012/10/hp-s...kihotikru.html
    31 Oct 2012 - "This fake printer message leads to malware on donkihotik .ru:
    Date: Wed, 31 Oct 2012 05:06:42 +0300
    From: LinkedIn Connections
    Subject: Re: Fwd:Scan from a HP ScanJet #26531
    Attachments: HP-Scan-44974.htm
    Attached document was scanned and sent
    to you using a Hewlett-Packard Officejet PRO.
    Sent: by Bria
    Image(s) : 6
    Attachment: Internet Explorer file [.htm]
    Hewlett-Packard Officejet Location: machine location not set


    The malicious payload is at [donotclick]donkihotik .ru:8080/forum/links/column.php which is hosted on the same IP addresses as this attack* yesterday."
    * http://blog.dynamoo.com/2012/10/crai...ionadixru.html
    "... some familiar IPs:
    68.67.42.41 (Fibrenoire, Canada)
    203.80.16.81 (MYREN, Malaysia)
    209.51.221.247 (eNET, United States)
    Additional name server IPs:
    50.22.102.132 (Softlayer, United States)
    62.76.186.190 (Clodo-Cloud, Russia)
    84.22.100.108 (Cyberbunker, Netherlands)
    213.251.171.30 (OVH, France)
    Plain list for copy-and-pasting:
    ..."
    ___

    Steam phish steals more than credentials
    - http://www.gfi.com/blog/new-phish-st...m-credentials/
    Oct 31, 2012 - "... targeting players of the popular gaming platform, Steam. More than a year ago, Valve launched Steam Trading. The objective is to “allows you [the Steam account owner] to exchange In-game items and Gifts with everybody in the Steam Community.” It is a good move to get people within their large gaming community to engage with one another and form a bond of camaraderie. Upon its launch, Steam can only cater to a number of gamers. In particular, those who play Team Fortress 2, Portal, Spiral Knights, and other games from Three Rings and SEGA... phishing page that mimics the look and feel of the actual news page announcing the launch. The -bogus- page -baits- unknowing users with one free game this “Steam Happy Day”... at this time of writing Chrome flags the site as a phish... If you play Team Fortress 2, Portal, Spiral Knights plus other SEGA games on Steam and regularly trade items with other players, please avoid and block days(dot)steamgamesgift(dot)yzi(dot)me ... Be wary of free games and offers that would cost you more than you want to bargain for, especially if they’re hosted on dubious sites that use familiar strings in URLs you’d normally see in legitimate sites. To be safe, visit Steam directly* to double-check if they indeed have free offers..."
    * http://store.steampowered.com/

    Last edited by AplusWebMaster; 2012-10-31 at 20:09.

  8. #48
    AplusWebMaster (Adviser Team)

    Bogus BofA, Discover emails serve exploits and malware

    FYI...

    Bogus BofA ‘Online Banking Passcode Reset’ emails serve client-side exploits and malware
    - http://blog.webroot.com/2012/11/01/b...s-and-malware/
    Nov 1, 2012 - "Cybercriminals are currently mass mailing millions of emails, in an attempt to trick Bank of America customers into clicking on the exploit and malware-serving link found in the spamvertised email. Relying on bogus “Online Banking Passcode Changed” notifications and professionally looking email templates, the campaign is the latest indication of the systematic rotation of impersonated brands in an attempt to cover as many market segments as possible...
    Screenshot of a sample spamvertised email:
    > https://webrootblog.files.wordpress....e_exploits.png
    ... Client-side exploits serving URL: hxxp ://the-mesgate .net/detects/signOn_go.php – 183.81.133.121, AS38442 ... Also responding to the same IP are the following malicious domains:
    stafffire .net – 183.81.133.121, AS38442
    hotsecrete .net – Email: counseling1 @ yahoo .com
    formexiting .net – suspended domain
    navisiteseparation .net – suspended domain ...
    Related malicious domains responding to these IPs:
    change-hot .net
    locksmack .net
    Money mule recruitment domains using the same IP as a mailserver:
    aurafinancialgroup .com
    epscareers .com
    As you can see, this campaign is a great example of the very existence of the cybercrime ecosystem. Not only are they spamvertising millions of exploits and malware serving emails, they’re also multitasking on multiple fronts, as these two domains are recruiting money mules to process fraudulently obtained assets from the affected victims..."
    ___

    Discover card SPAM / netgear-india.net
    - http://blog.dynamoo.com/2012/11/disc...-indianet.html
    1 Nov 2012 - "This fake Discover Card spam leads to malware on netgear-india .net:
    From: Discover Account Notes [mailto:no-reply @ notify .discover .com]
    Sent: Thu 01/11/2012 15:32
    Subject: Great Details Changes in your Discover card Account Terms
    Account Services | Customer Care Services
    Account ending in XXX1
    An substantial communication regarding latest Declined Transfers is waiting for you.
    Log In to Read Information
    Honored Discover Client,
    There is an serious message waiting for you from Discover® card. Please read the message mindfully and keep it with your file.
    To ensure optimal privacy, please log in to view your message at Discover.com.
    Please click on this link if you have forgotten your UserID or Password.
    Add information @ service .discover .com to your address book to ensure delivery of these notifications.
    VITAL NOTE
    This message was delivered to [redacted] for Discover debit card account number ending with XXX1.
    You are receiving this e-mail because you have account at Discover.com.
    Log in to change your e-mail address or overview your account e-mail options.
    If you have any questions about your account, please Login to leave us a message securely and we would be glad to support you.
    Please DO NOT reply to this message. auto informer system cannot accept incoming email.
    DISCOVER and other trademarks, logos and service marks used in this e-mail are the trademarks of Discover Financial Services or their respective third-party owners.
    Discover Banking Ltd.
    P.O. Box 84265
    Salt Lake City, SC 76433
    2012 Discover Bank, Member FDIC
    [redacted]
    ========
    From: Discover Account Notes [mailto:donotreply @service .discover .com]
    Sent: Thu 01/11/2012 16:36
    Subject: Substantial Information about your Discover Account
    Account Center | Customer Center
    Account ending in XXX9
    An significant message regarding latest Approved Activity is waiting for you.
    Log In to Overview Details
    Respective Cardholder,
    There is an important message waiting for you from Discover® card. Please read the message carefully and keep it with your archive.
    To ensure optimal privacy, please sign in to read your data at Discover.com.
    Please visit discover .com if you have forgotten your Login ID or Password.
    Add discover @ information .discover .com to your trusted emails to ensure delivery of these messages.
    VITAL NOTIFICATION
    This e-mail was sent to [redacted] for Discover card account No. ending with XXX9.
    You are receiving this e-mail because you member of Discover.com.
    Log in to change your e-mail address or view your account e-mail settings.
    If you have any questions about your account, please Enter your account to leave us a message securely and we would be blissful to help you.
    Please don't reply to this message. auto-notification system cannot accept incoming mail.
    DISCOVER and other trademarks, logos and service marks used in this e-mail are the trademarks of Discover Financial Services or their respective third-party owners.
    Discover Banking Llc.
    P.O. Box 85486
    Seashore City, NV 91138
    2012 Discover Bank, Member FDIC
    [redacted]


    The malicious payload is at [donotclick]netgear-india .net/detects/discover-important_message.php hosted on 183.180.134.217 (RAT CO, Japan). The following domains are on that same IP, and judging by the registration details they should also be considered as malicious:
    ..."
    ___

    Hurricane Sandy SPAMs lead to survey scams
    - http://nakedsecurity.sophos.com/2012...-survey-scams/
    Nov 1, 2012 - "... we began to see the first online criminals trying to cash in on the interest in Hurricane Sandy. The good news is they are not trying to spread malware (yet), but the bad news is they are trying to take advantage of a natural disaster affecting millions. The subject lines of the scam messages -- "Sandy Got you down? We've got you covered!", "Don't let the storm ruin your diner plans" and "Avoid the Storm, Eat at chilis!" -- appear to be targeting people who may need to file insurance claims related to damages from the "super storm" and other people who are simply hungry. The bodies of the emails aren't terribly interesting, but every place in the message is a link to a site called "remain watery." The domain was registered on October 15th, clearly in anticipation of creating more victims from this crisis... For those who are affected by the hurricane, stay safe, stay secure, and don't fall for it. The last thing you need right now is another thing to worry about cleaning up after."
    ___

    Hurricane Sandy pump and dump SPAM
    - http://blog.commtouch.com/cafe/anti-...rricane-sandy/
    Oct 31, 2012 - "... recipients are encouraged to buy into low-priced shares now that Hurricane Sandy has passed and trading has resumed.
    > http://blog.commtouch.com/cafe/wp-co...stock-spam.jpg
    ... we see less topical spam than we used to. In the past spammers would use current events in subjects and in the text of emails to create interest and generate visits to pharmacy and replica websites..."

    Last edited by AplusWebMaster; 2012-11-02 at 00:09.

  9. #49 AplusWebMaster (Adviser Team)

    Fake ADP, Intuit SPAM emails lead to malware...

    FYI...

    Fake ADP SPAM emails lead to BlackHole Exploit Kit
    - http://blog.webroot.com/2012/11/02/a...e-exploit-kit/
    Nov 2, 2012 - "... cybercriminals behind the recently profiled malicious campaign impersonating Bank of America, launched yet another massive spam campaign, this time targeting ADP customers. Upon clicking on the link found in the malicious email, users are exposed to the client-side exploits served by the latest version of the Black Hole Exploit Kit...
    Sample screenshot of the spamvertised email:
    > https://webrootblog.files.wordpress....ts_malware.png
    ... Client-side exploits serving URL: hxxp ://reasonedblitzing .net/detects/lorrys_implication.php – 195.198.124.60, AS3301 – Email: monteene_forbrich8029 @ mauritius.com; hxxp ://nfcmpaa .info/detects/burying_releases-degree.php – 195.198.124.60, AS3301 – Email: nevein_standrin35 @ kube93mail .com...
    Responding to the same IP are also the following malicious domains:
    win8ss .com – Email: fermetnolega @ hotmail .com
    legacywins .com – Email: fermetnolega @hotmail .com
    openpolygons .net – Email: cordey_yabe139 @ flashmail .net
    steamedboasting .info – Email: mauro_borozny655 @ medical .net.au
    Name servers part of the campaign’s infrastructure:
    Name Server: NS1.TOPPAUDIO .COM
    Name Server: NS2.TOPPAUDIO .COM
    We’ve already seen the same name servers used in the recently profiled “BofA ‘Online Banking Passcode Reset’ themed emails serve client-side exploits and malware” malicious campaign. Clearly, the cybercriminal or gang of cybercriminals behind the campaign continue rotating the impersonated brands, next to using the same malicious infrastructure to achieve their objectives..."
    ___

    Fake "Payroll Account Cancelled by Intuit" email
    - http://security.intuit.com/alert.php?a=67
    11/2/2012 - "People are receiving emails with the title "Notification Only: Payroll Account Cancelled by Intuit." Below is a copy of the email people are receiving.

    Direct Deposit Service Informer
    Informational Only
    We processed your payroll on November 1, 2012 at 365 PM Pacific Time.
    Money would be revoked from the Checking account number ending in: XXX3 on November 2, 2012.
    total to be left: $2 465.98
    Paychecks would be deferred to your workforce' accounts on: November, 2, 2012
    Sign In to Overview Details
    Funds are typically departed before business banking hours so please be sure you have enough Cash on the account by 12 a.m. on the date Funds are to be withdrawn.
    Intuit must process your payroll by 4 p.m. Eastern time, two banking days before your paycheck date or your personnel will not be paid on time. QuickBooks does not process payrolls on weekends or federal banking holidays. A list of federal banking holidays can be viewed at the Federal Reserve website.
    Thank you for your business.
    Regards,
    Intuit Payroll Services


    This is the end of the fake email..."

    - http://blog.dynamoo.com/2012/11/intu...catesinfo.html
    2 Nov 2012 - "... fake Intuit spam leads to malware on savedordercommunicates .info:
    ... Subject: "Notification Only: Transaction Received by Intuit" ...
    The malicious payload is at [donotclick]savedordercommunicates .info/detects/bank_thinking.php hosted on 75.127.15.39 (New Wave NetConnect, US) along with another malicious domain of teamscapabilitieswhich .org. Blocking this IP would be wise."
    ___

    Wire Transfer SPAM / webmoniacs .ru
    - http://blog.dynamoo.com/2012/11/wire...moniacsru.html
    2 Nov 2012 - "This fake wire transfer spam leads to malware on webmoniacs .ru:
    Date: Fri, 2 Nov 2012 06:23:10 +0700
    From: service @ paypal .com
    Subject: RE: Wire Transfer cancelled
    Dear Sirs,
    The Wire transfer was canceled by the other bank.
    Canceled transaction:
    FED REFERENCE NUMBER: 628591160ACH34584
    Transaction Report: View
    The Federal Reserve Wire Network


    The malicious payload is at [donotclick]webmoniacs .ru:8080/forum/links/column.php hosted on:
    65.99.223.24 (RimuHosting, US)
    203.80.16.81 (MYREN, Malaysia)
    209.51.221.247 (eNet, US)
    The following IPs and domain are all connected and should be blocked:
    ..."

    - https://www.ic3.gov/media/2012/121101.aspx
    Nov 1, 2012

    Last edited by AplusWebMaster; 2012-11-04 at 15:04.

  10. #50 AplusWebMaster (Adviser Team)

    Fake Vodafone msg / Something evil on 31.193.12.3 ...

    FYI...

    Malware... as a Vodafone MMS message
    - http://h-online.com/-1743608
    5 Nov 2012 - "The phone number from which the message was supposedly sent varies... Cyber criminals are currently spreading malware by sending a large number of email messages purporting to be from Vodafone's MMS gateway. These emails have the subject "You have received a new message" and claim that the recipient has been sent a picture message over MMS from a Vodafone customer. The Vodafone email address used and the supposed telephone number sending the messages vary*; even the country code is changed based on the location being targeted...
    * http://www.h-online.com/security/new...ew=zoom;zoom=1
    The messages say that a picture message is in the attached "Vodafone_MMS.zip" file. However, once unzipped, it only contains an executable named "Vodafone_MMS.jpg.exe" that will install malware onto a victim's system when launched... VirusTotal*... To avoid accidentally opening such files and becoming infected with malware, Windows users should also make sure that file name extensions are always shown**..."
    * https://www.virustotal.com/file/bb2f...f9a7/analysis/
    File name: Vodafone_MMS.zip
    Detection ratio: 11/43
    Analysis date: 2012-11-05

    ** https://en.wikipedia.org/wiki/Filena...ecurity_issues
    "... default behavior of Windows Explorer... is for filename extensions -not- to be shown... without alerting the user to the fact that (it may be) a harmful computer program..."
    ___

    Wire Transfer & PayPal SPAM / forumibiza .ru
    - http://blog.dynamoo.com/2012/11/wire...umibizaru.html
    5 Nov 2012 - "These two spam campaigns lead to malware on forumibiza .ru:
    Date: Mon, 5 Nov 2012 12:54:44 +0530
    From: Declan Benjamin via LinkedIn ...
    Subject: Wire Transfer Confirmation (FED 27845UL095)
    Good afternoon,
    Your Wire Transfer Amount: USD 85,714.01
    Wire Transfer Report: View
    ELOISA STRICKLAND,
    The Federal Reserve Wire Network
    ==============
    From: JoyceMillwee @ mail .com
    Sent: 05 November 2012 01:48
    Subject: Welcome to PayPal - Choose your way to pay
    Welcome
    Hello [redacted],
    Thanks for paying with PayPal.
    We congratulate you with your first Paypal money transfer. But we have hold it for the moment because the amount is over the security borders of our rules.
    Here is what we have on file for you. Take a second to confirm we have your correct information.
    Email
    [redacted]
    Confirmation Code
    5693-0930-8767-9350-6794
    Transfer Information
    Amount: 27380.54 $
    Reciever: Gracia Cooley
    E-mail: Gage97742 @[redacted] .com
    Accept Decline
    Help Center | Security Center
    Please don't reply to this email. It'll just confuse the computer that sent it and you won't get a response.
    Copyright 2012 PayPal, Inc. All rights reserved. PayPal is located at 2211 N. First St., San Jose, CA 95131.
    PayPal Email ID PP6118


    The malicious payload in both cases is [donotclick]forumibiza .ru:8080/forum/links/column.php hosted on the following IPs:
    65.99.223.24 (RimuHosting, US)
    103.6.238.9 (Universiti Putra, Malaysia)
    203.80.16.81 (MYREN, Malaysia) ..."
    ___

    Something evil on 31.193.12.3
    - http://blog.dynamoo.com/2012/11/some...-31193123.html
    4 Nov 2012 - "These are fake AVs and drive-by downloads mostly, some seem to be promoted through low-grade banner ads, all hosted on 31.193.12.3 (Burstnet, UK**) and suballocated to:

    The registration for the .asia and .eu domains is consistent in the ones I have checked:


    ... I've broken the list into three parts, it's a bit messy sorry... this long list (too long to post here) contains other detected domains on the same IP. Frankly, blocking the IP address is the easiest option... there are actually more domains than listed here and some are duplicated, but it's the best I could do at the moment. Many of these domains show as evil in Google's Safe Browsing Diagnostics (example*) and I can find -zero- legitimate domains on this IP..."
    * https://www.google.com/safebrowsing/...acutefile.asia

    ** https://www.google.com/safebrowsing/...?site=AS:29550

    ** https://www.google.com/safebrowsing/...?site=AS:51377
    ___

    Fake statistics domains lead to malware
    - http://blog.dynamoo.com/2012/11/fake...o-malware.html
    5 Nov 2012 - "The following fake "statistics" domains lead to malware. All have been registered very recently in the past few days and are used as a redirector to other exploit kits. Perhaps they are actually performing black hat statistical tracking. Blocking them (or the associated IPs) would be wise.


    Hosting IPs:
    31.193.133.212 (Simply Transit, UK)
    91.186.19.42 (Simply Transit, UK)
    95.211.180.143 (Leaseweb, Netherlands) ..."
    ___

    Dynamic DNS sites you might want to block
    - http://blog.dynamoo.com/2012/11/dyna...t-want-to.html
    5 Nov 2012 - "These domains belong to ChangeIP .com, which I guess is a legitimate company providing Dynamic DNS services, but one that is being abused by the bad guys. These will be used with some random subdomain unless it's a corporate site (like ChangeIP .com itself) pointing to a random IP address somewhere... so blocking IPs won't work here.
    There are two versions of this list, one links through to the Google Safe Browsing diagnostics report in case you want to review them on a case-by-case basis before blocking them. The second one is a plain list of everything in case you want to block them completely. You might notice one of the domains is called b0tnet .com which is a peculiar name for a legitimate business to register..."
    (More detail at the URL above.)

    Last edited by AplusWebMaster; 2012-11-05 at 22:17.
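As an added example (not part of the post above or the h-online article): a small Python check for the "Vodafone_MMS.jpg.exe" trick, scanning a zip attachment in memory for members that hide an executable extension behind an image or document one, and also for members whose bytes start with a PE header while the name claims to be an image. The archive, the extension lists and the member names are constructed here for illustration; no real malware is involved.

```python
import io
import zipfile

# Extensions Windows launches on double-click (constructed, non-exhaustive list).
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs", ".jse", ".wsf"}
# Extensions a lure pretends to be: what a user expects inside an "MMS" or mail attachment.
DECOY_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc", ".docx", ".txt"}
PE_MAGIC = b"MZ"  # first two bytes of every Windows PE executable


def classify_member(name: str, head: bytes) -> list:
    """Return the reasons a zip member looks like a disguised executable (empty = clean)."""
    reasons = []
    base = name.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    outer = "." + parts[-1] if len(parts) > 1 else ""
    if len(parts) >= 3:
        inner = "." + parts[-2]
        if inner in DECOY_EXTS and outer in EXECUTABLE_EXTS:
            # Explorer hides the last extension by default, so the user sees "name.jpg".
            reasons.append(f"double extension {inner}{outer} (Explorer may hide {outer})")
    if head.startswith(PE_MAGIC) and outer not in EXECUTABLE_EXTS:
        reasons.append("PE header (MZ) but non-executable extension")
    return reasons


def suspicious_members(zip_bytes: bytes) -> dict:
    """Scan an archive held in memory; map each suspicious member name to its reasons."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(2)  # only the magic bytes are needed
            reasons = classify_member(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip() -> bytes:
    """Constructed stand-in for the 'Vodafone_MMS.zip' lure: header bytes only, no payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Vodafone_MMS.jpg.exe", b"MZ" + b"\x00" * 62)  # executable, decoy name
        zf.writestr("holiday.jpg", b"MZ" + b"\x00" * 62)           # PE bytes behind an image name
        zf.writestr("readme.txt", b"just text")                    # benign
        zf.writestr("photo.jpeg", b"\xff\xd8\xff\xe0")            # genuine JPEG header, benign
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in suspicious_members(build_sample_zip()).items():
        print(member, "->", "; ".join(reasons))
```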
