
Thread: SPAM frauds, fakes, and other MALWARE deliveries...

  1. #521 AplusWebMaster (Adviser Team; joined Oct 2005; USA; 6,881 posts)

    Fake DHL invoice, Overdue invoice SPAM ...

    FYI...

    Fake DHL invoice SPAM
    - http://blog.dynamoo.com/2014/09/geir...st-dhl-no.html
    10 Sep 2014 - "Geir Myklebust is a real employee for DHL in Norway, but neither he nor DHL are responsible for this spam run in any way (their systems have NOT been breached either). Instead, it contains a malicious attachment and it should simply be deleted.
    From: Geir Myklebust (DHL NO) [Geir.Myklebust@ dhl .com]
    Date: 10 September 2014 10:35
    Subject: FW: customer acct. no.: 4690086 - invoice 0257241 needs to be paid
    Dear Sir.
    The attached invoice from Villmarksmessen 2014 has still not been settled.
    Please advise as soon as possible.
    Thank you and regards,
    Geir
    Med vennlig hilsen/ Kind Regards
    Geir Myklebust
    Product Manager, Avd. Trade Fairs & Events
    DHL Global Forwarding (Norway) AS
    Avd. Trade Fairs & Events
    Messeveien 14
    2004 Lillestrøm ...


    Attached is a ZIP file of various different names (e.g. invoice_0257241.zip), containing a malicious executable file invoice_3466198.exe which has a VirusTotal detection rate of 3/54*. The Comodo CAMAS report** shows an attempted connection to voladora .com/Imagenes/qaws.cab which is currently coming up with a socket error. I would recommend that you block access to that domain. Further analysis is pending..."
    * https://www.virustotal.com/en-gb/fil...is/1410342283/

    ** http://camas.comodo.com/cgi-bin/subm...a704a26cac5038

    "UPDATE: a second malicious binary is doing the round, this time with a detection rate of 2/53***..."
    *** https://www.virustotal.com/en-gb/fil...is/1410353017/

    92.43.17.6: https://www.virustotal.com/en/ip-add...6/information/

    - http://myonlinesecurity.co.uk/fw-cus...e-pdf-malware/
    10 Sep 2014
    - https://www.virustotal.com/en/file/f...is/1410350810/
    ___

    Fake Overdue invoice SPAM – doc malware
    - http://myonlinesecurity.co.uk/overdu...e-doc-malware/
    10 Sep 2014 - "'Overdue invoice #1197419584' is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    Good afternoon,
    I was hoping to hear from you by now. May I have payment on invoice #1197419584 today please, or would you like a further extension?
    Best regards,
    Cherish Schaunaman
    +07540 61 15 69

    ... or like this one:
    This email contains an invoice file in attachment.

    10 September 2014 : bill_2014-09-10_09-16-23_1197419584.arj :
    Extracts to: bill_2014-09-10_09-16-23_1197419584.exe
    Current Virus total detections: 6/55*
    Alternative version 10 September 2014 : Invoice4777_2C7.zip :
    Extracts to: attachment_scaned.doc .exe
    Current Virus total detections: 2/54**
    This 'Overdue invoice #1197419584' is another one of the spoofed icon files that, unless you have “show known file extensions” enabled, will look like a proper Microsoft Word .doc file instead of the .exe file it really is, making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/4...is/1410342531/

    ** https://www.virustotal.com/en/file/8...is/1410341816/
    ___

    'Outstanding Warrant' Phone SCAMS
    - http://www.hoax-slayer.com/outstandi...ne-scams.shtml
    Sep 10, 2014 - "Scammers posing as law-enforcement officers are cold-calling people and tricking them into paying over the phone to resolve supposedly outstanding warrants. The scammers warn victims that, if they don't pay the requested fee, police may come to their home and arrest them... The scammers are reportedly quite skilled at impersonating police officers and are often able to convince victims that they are legitimate. When victims call back on the number provided, the scammers may identify their 'office' as a seemingly legitimate entity such as the 'County Warrants Department'. This simple -ruse- may further convince victims that the scammer's claims are true... This type of -scam- is certainly nothing new and has been around in various forms for many years... a flurry of reports from several US states suggests that these scammers are currently quite active. The scammers are also using variations of the old jury duty phone scam to steal money from victims. Police will -never- call you and demand an immediate payment to resolve an outstanding warrant. If you receive such a suspect call, do -not- give the caller any personal and financial information and do -not- comply with their instructions. If in doubt, call your local police to check. Do -not- use a phone number provided by the caller. Find a number for police in a local phone directory..."
    ___

    Malvertisements - YouTube, Amazon and Yahoo
    - http://www.computerworld.com/article...and-yahoo.html
    Sep 9, 2014 - "Malicious advertisements have popped up on websites such as YouTube, Amazon and Yahoo, part of a sophisticated campaign to spread malware, Cisco said*... When encountered, the malicious advertisements cause the user to be -redirected- to a different website, which triggers a download based on whether the computer is running Windows or Apple's OS X... Cisco didn't identify the advertising network that is serving the malicious advertisements. Although ad networks try to filter out malicious ones, occasionally bad ones slip in, which for a high-traffic site means a large pool of potential victims... Some of the malicious ads were served on youtube.com, amazon.com and ads.yahoo.com, Pelkmann wrote. All told, 74 domains were serving the ads. When a victim is -redirected- by one of the ads, the computer downloads a piece of malware with a unique checksum, making it harder for security software to detect. The download may also contain legitimate software such as a media player. To be infected, the user must be convinced to open the file. 'The attackers are purely relying on social engineering techniques in order to get the user to install the software package,' Pelkmann wrote. 'No drive-by exploits are being used thus far'..."
    * http://blogs.cisco.com/security/kyle-and-stan/

    Last edited by AplusWebMaster; 2014-09-10 at 18:15.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .
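Added example (mine, not from the post above or from the blogs it quotes): the naming tricks described above (an .exe named as a .doc with a space before the real extension, an executable carrying a document icon, and further down the thread .pif and .arj attachments) can be checked mechanically before a user ever sees the attachment. The script triages an attachment by its name and, for ZIPs, by the names of its members. It goes beyond the specific samples by generalising to a list of extensions Windows executes on double-click and by rejecting ARJ archives outright, as the later posts recommend. The sample archives are constructed in memory with the file names the posts list; the quarterly_report one is a benign control I made up.

```python
import io
import re
import zipfile

# File types Windows runs directly on double-click (the posts' samples use exe, scr, pif, vbs).
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "vbe", "js", "jse", "wsf", "hta"}
# Archive formats the thread says no legitimate sender uses; blocked without inspection.
SUSPECT_ARCHIVE_EXTS = {"arj"}
# "name.<document ext><optional whitespace>.<real ext>" at the end of a file name.
DOUBLE_EXT_RE = re.compile(r"\.(pdf|docx?|xlsx?|jpe?g|png|gif|txt)\s*\.(\w+)$", re.IGNORECASE)


def classify_member(name):
    """Reasons a file name (bare or inside an archive) is suspicious; empty list if none."""
    reasons = []
    base = name.rsplit("/", 1)[-1]
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension .{ext}")
    m = DOUBLE_EXT_RE.search(base)
    if m and m.group(2).lower() in EXECUTABLE_EXTS:
        reasons.append(f".{m.group(1).lower()} in the name masks the real .{m.group(2).lower()}")
    if " ." in base:
        reasons.append("whitespace inserted before the real extension")
    if ext == "pif":
        # The posts report Windows 8 hides .pif even with known extensions unhidden.
        reasons.append(".pif is not shown even with known extensions unhidden on Windows 8")
    return reasons


def triage_attachment(filename, data):
    """Verdict ('block' or 'allow') plus findings for one attachment given its raw bytes."""
    findings = []
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in SUSPECT_ARCHIVE_EXTS:
        findings.append(f"{filename}: .{ext} archive, treated as hostile without unpacking")
        return "block", findings
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                for reason in classify_member(info.filename):
                    findings.append(f"{filename} -> {info.filename}: {reason}")
    else:
        for reason in classify_member(filename):
            findings.append(f"{filename}: {reason}")
    return ("block" if findings else "allow"), findings


def build_zip(member_names):
    """Constructed sample archive: empty members with the given names (content is irrelevant)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in member_names:
            zf.writestr(name, b"")
    return buf.getvalue()


# Constructed samples; the member names are the ones the posts in this thread list.
SAMPLES = {
    "invoice_0257241.zip": build_zip(["invoice_3466198.exe"]),
    "Invoice4777_2C7.zip": build_zip(["attachment_scaned.doc .exe"]),
    "IMG_00005_09112014.jpeg.zip": build_zip(["IMG_00005_09112014.jpeg.pif"]),
    "FACTURE_45871147.zip": build_zip(["FACTURE_45871147.vbs"]),
    # ARJ magic bytes only; the content is never parsed because the format is rejected outright.
    "bill_2014-09-10_09-16-23_1197419584.arj": b"\x60\xea",
    "quarterly_report.zip": build_zip(["quarterly_report.pdf"]),  # benign control, made up
}


def run_triage(samples=SAMPLES):
    """Map attachment name -> (verdict, findings) for every sample."""
    return {name: triage_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, (verdict, findings) in run_triage().items():
        print(f"{verdict:5s} {name}")
        for finding in findings:
            print("      ", finding)
```

The name-based checks are the cheap first pass; a mail gateway would still hand anything that passes them to a sandbox, since a plain .zip containing a plain .exe is only caught here because the extension is on the list.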

  2. #522 AplusWebMaster (Adviser Team)

    Fake job offer, Fake picture, Fake eFax SPAM ...

    FYI...

    Fake job offer SPAM - llcinc .net
    - http://blog.dynamoo.com/2014/09/llc-...job-offer.html
    11 Sep 2014 - "This -fake- company's name looks like it has been designed to be hard to find on Google. The so-called LLC INC using the domain llcinc .net does -not- exist.
    Date: Wed, 10 Sep 2014 19:51:50 -0400 [09/10/14 19:51:50 EDT]
    From: LLC INC
    Reply-To: recruiter@ llcinc .net
    Subject: EMPLOYMENT OFFER
    Hello,
    Good day to you overthere we will like to inform you that our company is currently
    opening an opportunity for employment if you are interested please do reply with your resume
    to recruiter@ llcinc .net
    Thanks
    Management LLC INC


    This so-called job is going to be something like a money mule, parcel mule or some other illegal activity. The domain llcinc .net was registered just a few days ago with -fake- details... There is no website. The email originates from 209.169.222.37, the mail headers indicate that this is probably a compromised email server mail .swsymphony .org.
    Avoid."
    ___

    Fake eFax SPAM leads to Cryptowall
    - http://blog.dynamoo.com/2014/09/efax...ryptowall.html
    11 Sep 2014 - "Yet another -fake- eFax spam. I mean really I cannot remember the last time someone sent me a (real) fax...
    From: eFax [message@ inbound .efax .com]
    Date: 11 September 2014 20:35
    Subject: eFax message from "unknown" - 1 page(s), Caller-ID: 1-865-537-8935
    Fax Message [Caller-ID: 1-865-537-8935
    You have received a 1 page fax at Fri, 12 Sep 2014 02:35:44 +0700.
    * The reference number for this fax is atl_did1-1400166434-52051792384-154.
    Click here to view this fax using your PDF reader.
    Please visit www .eFax .com/en/efax/twa/page/help if you have any questions regarding this message or your service.
    Thank you for using the eFax service! ...


    ... the link in the message goes somewhere bad, in this case it downloads a ZIP file from cybercity-game .com/game/Documents.zip which unzips to a malicious executable Documents.scr which has a pretty low VirusTotal detection rate of 2/55*. The ThreatTrack report** clearly identifies this as Cryptowall and identifies that it either downloads data from or posts data... The 111.exe has a much wider detection rate of 22/53*** and according to the ThreatTrack analysis of that binary there is some sort of network connection... I would recommend blocking the following:
    188.165.204.210
    193.19.184.20
    193.169.86.151
    goodbookideas .com
    mtsvp .com
    suspendedwar .com
    "
    * https://www.virustotal.com/en-gb/fil...is/1410467960/

    ** http://www.dynamoo.com/files/analysi...0a381ad91f.pdf

    *** https://www.virustotal.com/en-gb/fil...is/1410468901/
    ___

    Malicious WordPress injection sending to 178.62.254.78 and 176.58.100.98
    - http://blog.dynamoo.com/2014/09/mali...n-sending.html
    11 Sep 2014 - "There is currently some sort of injection attack against WordPress sites that is injecting code into the site's .js files. Not so unusual... except that the payload site in the file changes every half hour or so... The site mentioned in the IFRAME is the one that keeps -changing- so presumably there is either something running on the compromised WordPress site, or there is some other mechanism for the bad guys to update the details... All these subdomains are hijacked from legitimate domains using AFRAID.ORG nameservers, and are hosted on 178.62.254.78 (Digital Ocean, Netherlands). These then pass the victim onto another domain in the format... blocking the following IPs may give you better protection:
    176.58.100.98
    178.62.254.78
    "

    176.58.100.98: https://www.virustotal.com/en-gb/ip-...8/information/

    178.62.254.78: https://www.virustotal.com/en-gb/ip-...8/information/
    ___

    Fake Employee Important Address UPDATE/SPAM – PDF malware
    - http://myonlinesecurity.co.uk/employ...e-pdf-malware/
    11 Sep 2014 - "'To All Employee’s – Important Address UPDATE' which pretends to come from Administrator at your own domain is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    To All Employee’s:
    The end of the year is approaching and we want to ensure every employee receives their W-0 to the correct address. Verify that the address is correct... If changes need to be made, contact HR .. Administrator ...


    11 September 2014: Documents.zip: Extracts to: Documents.scr
    Current Virus total detections: 0/53* ... another one of the spoofed icon files that, unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/6...is/1410456657/

    - http://blog.dynamoo.com/2014/09/to-a...t-address.html
    11 Sep 2014 - "This -fake- HR spam leads to a malicious ZIP file:
    From: Administrator [administrator@ victimdomain .com]
    Date: 11 September 2014 22:25
    Subject: To All Employee's - Important Address UPDATE
    To All Employee's:The end of the year is approaching and we want to ensure every employee receives their W-5 to the correct address. Verify that the address is correct... If changes need to be made, contact HR...


    The link in the email goes to the same site as described in this earlier post*, which means that the payload is Cryptowall."
    * http://blog.dynamoo.com/2014/09/efax...ryptowall.html
    ___

    Fake picture or video SPAM – jpg malware
    - http://myonlinesecurity.co.uk/new-pi...e-jpg-malware/
    11 Sep 2014 - "'A new picture or video' message pretending to come from getmyphoto@ vodafone .co.uk is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The attachment file names are so far all the same and it extracts to a fake Windows shortcut file (.pif). Even setting 'show file extensions' will not show the .pif extension in Windows 8, and the unzipped file will look like a genuine Windows shortcut, so you need to be especially wary and cautious. See below:
    > http://myonlinesecurity.co.uk/wp-con...ot-showing.png
    The email looks like:
    You have received a picture message from mobile phone number +447586595142 picture
    Please note, the free reply expires three days after the original message is sent from the Vodafone network. Vodafone Service


    There is a second version of this email doing the rounds today. Instead of an attachment it has a link to a compromised/ infected/newly created malware pushing site where it automatically tries to download the malware in a zip file.
    You have received a picture message from mobile phone number +447557523496 click here to view picture message
    Please note, the free reply expires three days after the original message is sent from the Vodafone network. Vodafone Service


    ... there will be hundreds of different sites. The zip was 90837744-2014_481427.zip which extracts to 90837744-2014_481427.scr which has the same # and detection rate as the pif file earlier submitted to virus total*

    11 September 2014: IMG_00005_09112014.jpeg.zip : Extracts to: IMG_00005_09112014.jpeg.pif
    Current Virus total detections: 4/53**. This is another one of the spoofed icon files that, unless you have “show known file extensions” enabled, will look like a proper jpg file instead of the .pif (Windows shortcut) file it really is, making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/1...is/1410430034/

    ** https://www.virustotal.com/en/file/1...is/1410427007/
    ___

    Fake 'new order' SPAM – PDF malware
    - http://myonlinesecurity.co.uk/new-or...e-pdf-malware/
    11 Sep 2014 - "'new order' pretending to come from random names at live .co.uk is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... This email has various subjects, including new order, new invoice, FWD:invoice, FWD Order... The attachment file names are so far all the same and it extracts to a -fake- Windows shortcut file (.pif). Even setting 'show file extensions' will -not- show the .pif extension in Windows 8, and the unzipped file will look like a genuine Windows shortcut, so you need to be especially wary and cautious. See below:
    > http://myonlinesecurity.co.uk/wp-con...ot-showing.png
    The email looks like:
    Warmest regards,
    > http://myonlinesecurity.co.uk/wp-con.../new-order.png


    11 September 2014: 2014.09.11.zip : Extracts to: 2014.09.11.pdf.pif
    Current Virus total detections: 4/53*. This is another one of the spoofed icon files that, unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .pif (Windows shortcut) file it really is, making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it... Never just blindly click on the file in your email..."
    * https://www.virustotal.com/en/file/1...is/1410427007/

    Last edited by AplusWebMaster; 2014-09-12 at 05:27.
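Added example, not from the post above or from dynamoo's write-up: one way to find the kind of injection described in the WordPress item (an IFRAME written from a site's own .js files, pointing at a host the attackers rotate every half hour or so) is to pull every iframe a script would write, flag the ones that are hidden and point off-site, and diff the target hosts between two snapshots of the same file. The site hostname, the injected snippets and the hijacked-looking hostnames are constructed for the example; the regexes are mine and assume the tag is written as a literal string, which is what document.write()-style injections look like.

```python
import re
from urllib.parse import urlparse

# An <iframe ...> tag as it appears once the JS string escaping is undone.
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
SRC_RE = re.compile(r"""src\s*=\s*["']?(https?://[^"'\s>]+)""", re.IGNORECASE)
# Styling that keeps the frame invisible to the visitor (1x1 / 0x0 or hidden).
HIDDEN_RE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|\b(?:width|height)\s*=\s*[\"']?\s*[01]\b",
    re.IGNORECASE,
)


def _unescape_js(source):
    """Undo the escaping a document.write('...') string literal typically carries."""
    return source.replace("\\/", "/").replace('\\"', '"').replace("\\'", "'")


def is_external(host, site_host):
    """True when host is neither the site itself nor one of its own subdomains."""
    return host is not None and host != site_host and not host.endswith("." + site_host)


def find_iframes(js_source, site_host):
    """Every iframe the script would write, with whether it is external and hidden."""
    findings = []
    for tag in IFRAME_RE.finditer(_unescape_js(js_source)):
        m = SRC_RE.search(tag.group(0))
        if not m:
            continue  # no absolute src: relative frames are the site's own content
        host = urlparse(m.group(1)).hostname
        external = is_external(host, site_host)
        hidden = bool(HIDDEN_RE.search(tag.group(0)))
        findings.append({"url": m.group(1), "host": host, "external": external,
                         "hidden": hidden, "suspicious": external and hidden})
    return findings


def suspicious_hosts(js_source, site_host):
    """Hosts of hidden, off-site iframes written by the script."""
    return {f["host"] for f in find_iframes(js_source, site_host) if f["suspicious"]}


def payload_host_change(old_js, new_js, site_host):
    """(hosts dropped, hosts added) between two snapshots of the same .js file."""
    old = suspicious_hosts(old_js, site_host)
    new = suspicious_hosts(new_js, site_host)
    return old - new, new - old


SITE_HOST = "blog.example.com"  # hypothetical WordPress site being checked

CLEAN_JS = "function initSlider(el){ el.style.width='100%'; }\n"
# Constructed injected tails; the hostnames are made up to look like hijacked subdomains.
INJECTED_V1 = CLEAN_JS + (
    "document.write(\"<iframe src='http://static.hijacked-sub.example.net/stat.php' "
    "width='1' height='1' style='visibility:hidden'></iframe>\");\n"
)
INJECTED_V2 = CLEAN_JS + (
    "document.write(\"<iframe src='http://img.other-hijacked.example.org/stat.php' "
    "width='1' height='1' style='visibility:hidden'></iframe>\");\n"
)

if __name__ == "__main__":
    print("clean:", suspicious_hosts(CLEAN_JS, SITE_HOST))
    print("v1   :", suspicious_hosts(INJECTED_V1, SITE_HOST))
    dropped, added = payload_host_change(INJECTED_V1, INJECTED_V2, SITE_HOST)
    print("rotated:", dropped, "->", added)
```

Run it on a cron over wp-content and wp-includes and keep the last snapshot of each .js file: a host that changes between runs, as the post describes, is itself the signal, even before anyone looks at what the frame serves.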

  3. #523 AplusWebMaster (Adviser Team)

    Fake Invoice SPAM, PoS RAM Scrapers ...

    FYI...

    Fake Invoice SPAM - contains malicious VBS script
    - http://blog.mxlab.eu/2014/09/12/fake...us-vbs-script/
    Sep 12, 2014 - "... intercepted a new trojan distribution campaign by email with the subject "[COPIE FACTURE SOCIETE LWS FC-408185] – [LWS INVOICE] 10/09/2014". This email is sent from the spoofed address "Service clients LWS <noreply@ lws .com>" and has the following body:
    S.A.R.L LWS
    4, rue galvani
    75838 PARIS Cedex 17
    Paris, 10/09/2014
    Please find attached your invoice, reference: invoice FC-408185 (file: facture-408185), in ZIP format.
    If you do not have WinRar (software for reading ZIP files) you can download it here:
    http ://www .rarlab .com/download.htm
    Thank you for the trust you place in us,
    The LWS accounts department ...


    The attached ZIP file has the name FACTURE_45871147.zip and contains the 4 kB file FACTURE_45871147.vbs. The VBS script is in fact encoded to hide its real purpose, but it seems that this script will download other malicious files and install them on a system in order to infect the computer. The trojan is known as Trojan.Script.Crypt.deehcf or VBS/Dloadr-DVY. At the time of writing, 2 of the 53* AV engines did detect the trojan at Virus Total..."
    * https://www.virustotal.com/en/file/a...96a5/analysis/
    ___

    Fake Household Improvement SPAM - Zbot Malware
    - https://blog.malwarebytes.org/fraud-...-zbot-malware/
    Sep 12, 2014 - "... malicious email in circulation at the moment which claims to contain an invoice from a Kitchen Appliance company. According to another recipient of the mail*, the named company is actually a real business entity although there’s no suggestion that they’ve been hacked or otherwise compromised – it seems the scammers just opened up a directory, said “That one” and just started pretending to be them. The mail reads as follows:
    Screenshot: https://blog.malwarebytes.org/wp-con.../kitchens1.jpg
    ... The email comes with a .zip attachment, which contains a piece of Malware known as Zbot. Zeus (aka Zbot) is something to be avoided, as it can lead to banking password theft, form grabbing, keystroke logging and also Ransomware. The zip contains an executable made to look like a Word .doc file, which is a trick as old as the hills yet extremely effective where catching people out is concerned. Telling Windows to display known file extensions will help to avoid this particular pitfall... we detect this as Trojan.Spy.Zbot, and the current Virus Total scores currently clock in at 29/54**... there’s another mail*** doing the rounds which spoofs the same email address mentioned above, yet claims to be sent from a toiletries company. If you’ve bought any form of kitchen / household upgrade or addition recently and receive mails with zipped invoices, you may not recall exactly who you bought all of your items from. With that in mind, you may wish to have a look at your receipts and bank statements, and – on the off chance the randomly selected company named in the spam mails matches up – give them a call directly to confirm they really did send you something. There’s a good chance they probably didn’t..."
    * http://myonlinesecurity.co.uk/m-m-ki...d-doc-malware/

    ** https://www.virustotal.com/en/file/9...4f73/analysis/

    *** http://blog.mxlab.eu/2014/09/12/fake...ntains-trojan/
    ___

    Data Breaches and PoS RAM Scrapers
    - http://blog.trendmicro.com/trendlabs...-ram-scrapers/
    Sep 11, 2014 - "... Ever since the Target data breach came into the limelight, there has been a constant stream of merchants/retailers publicly disclosing data breach incidents. These data breaches typically involve credit card data theft using PoS RAM scrapers. Early this month, Brian Krebs reported yet another big data breach that involves U.S. retailer Home Depot using a new variant of the BlackPOS PoS RAM scraper. Nearly all Home Depot locations in the US are believed to have been affected and it is speculated this data breach might surpass the Target breach in terms of volume of data stolen. In addition to an increased number of data breaches, 2014 also brings an increase in the number of new PoS RAM scraper families. Our PoS RAM scraper family tree illustrates the evolution as follows:
    Evolution of the PoS RAM scraper family
    > http://blog.trendmicro.com/trendlabs...igure-3-01.png
    ... Of the six new variants discovered in 2014, four were discovered between June and August.
    - Soraya – discovered in June and is a Dexter- and ZeuS-inspired malware. In addition to scraping RAM for credit card Tracks 1 and 2 data, it borrows tricks from ZeuS for hooking the NtResumeThread API, and injects itself into all new processes. It also borrows ZeuS’s form-grabbing functionality and hooks the browser’s HTTP POST function. Trend Micro detects Soraya variants as TSPY_SORAYA.A.
    - BrutPOS – discovered in July and appears to have borrowed functionality from a BlackPOS variant. It attempts to exploit PoS systems that use weak or default passwords and have open Remote Desktop Protocol (RDP) ports. BrutPOS will brute-force the login:password combinations to gain entry into the system. Trend Micro detects BrutPOS variants as TROJ_TIBRUN.B and TROJ_TIBRUN.SM.
    - Backoff – discovered in July, is a successor of Alina. It implements an updated data search function and drops a watchdog process that ensures Backoff is always running on the system. The cybercriminals use publicly available tools to brute-force entry into RDP applications on PoS systems and install Backoff. Trend Micro detects Backoff variants as TSPY_POSLOGR.A, TSPY_POSLOGR.B, and TSPY_POSLOGR.C.
    - BlackPOS ver 2.0 – discovered in August, clones the exfiltration technique that the BlackPOS variant used to compromise U.S. retailer Target. BlackPOS ver 2.0 also adds a unique feature where it pretends to be an AV product installed on the system to avoid drawing unwanted attention to itself. Reports indicate that this malware appears to have been used in the latest big data breach targeting Home Depot. Trend Micro detects BlackPOS ver 2.0 variants as TSPY_MEMLOG.A..."

    Last edited by AplusWebMaster; 2014-09-12 at 17:46.
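Added example, not from the post above or from the Trend Micro write-up: the "scraping RAM for credit card Tracks 1 and 2 data" that every family in the list does is a regex pass over process memory for the magnetic-stripe track layouts, with a Luhn check to discard false matches. The same logic run from the defender's side, over a memory dump of a PoS process, is a practical detector for card data sitting in clear in memory. The buffer is constructed; 4111111111111111 is the well-known Visa test number, not a real card, and the two decoys exercise the sanity checks.

```python
import re

# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^^?]{2,26})\^(\d{4})(\d{3})[^?]*\?")
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})\d*\?")


def luhn_ok(pan):
    """Luhn check-digit test; both scrapers and detectors use it to drop false matches."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan):
    """Keep BIN and last four only, so findings can be logged without storing the PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_buffer(buf):
    """Every track-shaped match in a memory buffer, with Luhn and expiry plausibility."""
    hits = []
    for track, regex in ((1, TRACK1_RE), (2, TRACK2_RE)):
        for m in regex.finditer(buf):
            pan = m.group(1).decode()
            expiry = (m.group(3) if track == 1 else m.group(2)).decode()
            month_ok = 1 <= int(expiry[2:]) <= 12
            luhn = luhn_ok(pan)
            hits.append({"track": track, "offset": m.start(), "pan": mask(pan),
                         "expiry": expiry, "luhn": luhn, "plausible": luhn and month_ok})
    return hits


def card_hits(buf):
    """Masked PANs of matches passing both checks, one entry per match."""
    return [h["pan"] for h in scan_buffer(buf) if h["plausible"]]


# Constructed stand-in for a process memory dump: noise, one Track 1 record, one
# Track 2 record, a Track 2 decoy that fails Luhn and one with an impossible month.
SAMPLE_MEMORY = (
    b"\x00\x00\x00pos-app heap \xff\xff"
    b"%B4111111111111111^DOE/JOHN^15091011000000000?"
    b"\x00\x00 log line: sale ok ;4111111111111111=15091011000000000? \x00"
    b";1234567890123456=1509101? "
    b";4111111111111111=1513101? "
)

if __name__ == "__main__":
    for hit in scan_buffer(SAMPLE_MEMORY):
        print(hit)
    print("plausible cards:", card_hits(SAMPLE_MEMORY))
```

In production you would feed the target process's memory regions (for example from /proc/<pid>/mem or ReadProcessMemory) instead of a static buffer, and alert on any plausible hit in a process that has no business holding track data, which on a hardened PoS host is every process except the payment application itself.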

  4. #524 AplusWebMaster (Adviser Team)

    Phish - Paypal ...

    FYI...

    Phish - Paypal ...
    - http://myonlinesecurity.co.uk/paypal...hear-phishing/
    14 Sep 2014 - "'Paypal Your account will be limited until we hear from you' pretending to come from service_paypal=cczazmam .com@ wpengine .com; on behalf of; service_paypal@ cczazmam .com. There are a few major common subjects in a phishing attempt. The majority are either PayPal or your Bank or Credit Card... The original email looks like this. It will NEVER be a genuine email from PayPal or Your Bank so don’t ever follow the links in the email...
    PayPal account information :
    Hello,
    Dear PayPal user ,
    Your account will be limited if you not confirm it .
    Need Assistance?
    Some information on your account appears to be missing or incorrect.
    Please update your account promptly so that you can continue to enjoy
    all the benefits of your PayPal account.
    If you don’t update your account within 37 days, we’ll limit what you can do with your PayPal account.
    Please Login to confirm your information :
    http ://rangeviewrentals .com//wp-content/themes/twentytwelve/wester.html
    Reference Number: PP-003-211-347-423
    Yours sincerely,
    PayPal


    This particular phishing campaign starts with an email with a link. In this case to a hacked compromised website, which looks nothing like any genuine PayPal page:
    > http://myonlinesecurity.co.uk/wp-con...shing-scam.png
    This one wants your personal details, your PayPal account login details and your credit card and bank details and your email login details. Many of them are also designed to specifically steal your Facebook and other social network login details..."


  5. #525 AplusWebMaster (Adviser Team)

    Fake Termination, Overdue invoice, Sage SPAM ...

    FYI...

    Fake Termination SPAM – malware
    - http://myonlinesecurity.co.uk/termin...ation-malware/
    15 Sep 2014 - "There can’t be a much more alarming email to open first thing on a Monday morning than one that pretends to say that you have been fired... 'Termination due to policy violation #33205939124' pretending to come from random names at random companies is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Today’s email template attaches an arj file. This sort of compressed file is rarely used nowadays and many popular zip file programs will not automatically extract them. -Any- email received with an ARJ attachment should be immediately -deleted-. NO legitimate company or program ever uses that form of compression nowadays. To make it even harder to quickly detect, all the attachments are randomly named and extract to a different randomly named file, and each one has a totally different SHA1 or MD5 #. Loads of slightly different subjects with this one, including
    Policy violation #59892665326
    Termination due to policy violation #33205939124
    Termination #59147901198
    All the alleged infringements or violations have different numbers... The email looks like:
    Hello,
    We regret to inform you that your employment with A&M Defence & Marine Services Ltd is being terminated. Your termination is the result of the following violations of company policy:
    - 0A4 44 12.09.2011
    - 0A4 46 12.09.2011
    - 0A4 85 12.09.2011
    You were issued written warnings on 19.08.2014. As stated in your final warning, you needed to take steps to correct your behavior by 15.09.2014. Your failure to do so has resulted in your termination. To appeal this termination, you must return written notification of your intention to appeal to Wynona Kinnare in A&M Defence & Marine Services Ltd no later than 06:00PM on 21.09.2014.
    Sincerely,
    Pauletta Stephens ...


    15 September 2014: disturbance_2014-09-15_08-38-12_33205939124.arj:
    Extracts to: disturbance_2014-09-15_08-38-12_33205939124.exe
    Current Virus total detections: 3/53*. This 'Termination due to policy violation #33205939124' is another one of the spoofed icon files that, unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/e...c4ef/analysis/
    ... Behavioural information
    TCP connections:
    187.45.193.139: https://www.virustotal.com/en/ip-add...9/information/
    213.186.33.87: https://www.virustotal.com/en/ip-add...7/information/
    23.62.99.33: https://www.virustotal.com/en/ip-add...3/information/
    66.96.147.117: https://www.virustotal.com/en/ip-add...7/information/
    UDP communications:
    137.170.185.211: https://www.virustotal.com/en/ip-add...1/information/
    ___

    LinkedIn feature exposes Email Addresses
    - http://krebsonsecurity.com/2014/09/l...ail-addresses/
    Sep 15, 2014 - "One of the risks of using social media networks is having information you intend to share with only a handful of friends be made available to everyone. Sometimes that over-sharing happens because friends betray your trust, but more worrisome are the cases in which a social media platform itself exposes your data in the name of marketing... According to researchers at the Seattle, Wash.-based firm Rhino Security Labs, at the crux of the issue is LinkedIn’s penchant for making sure you’re as connected as you possibly can be. When you sign up for a new account, for example, the service asks if you’d like to check your contacts lists at other online services (such as Gmail, Yahoo, Hotmail, etc.). The service does this so that you can connect with any email contacts that are already on LinkedIn, and so that LinkedIn can send invitations to your contacts who aren’t already users... Rhino Security founders Benjamin Caudill and Bryan Seely have a recent history of revealing how trust relationships between and among online services can be abused to expose or divert potentially sensitive information... In an email sent to this reporter last week, LinkedIn said it was planning at least two changes to the way its service handles user email addresses..."
    (More at the krebsonsecurity URL above.)
    ___

    Fake Overdue invoice SPAM - malicious .arj attachment
    - http://blog.dynamoo.com/2014/09/over...-spam-has.html
    15 Sep 2014 - "This -fake- invoice email has a malicious attachment:
    From: Mauro Reddin
    Date: 15 September 2014 10:32
    Subject: Overdue invoice #6767390
    Morning,
    I was hoping to hear from you by now. May I have payment on invoice #84819995669 today please, or would you like a further extension?
    Best regards,
    Mauro Reddin ...


    The attachment is an archive file invc_2014-09-15_15-07-11_6767390.arj so in order to get infected you would need an application capable of handling ARJ archives. Once unpacked, there is a malicious executable called invc_2014-09-15_15-07-11_88499270.exe which has a VirusTotal detection rate of just 1/55*... recommend that you apply the following blocklist (Long list at the dynamoo URL above.) ..."
    * https://www.virustotal.com/en-gb/fil...is/1410773681/
    ___

    Fake Sage 'Outdated Invoice' SPAM ...
    - http://blog.dynamoo.com/2014/09/sage...e-spam_15.html
    15 Sep 2014 - "... another -fake- Sage email leading to malware:

    Screenshot: http://4.bp.blogspot.com/-knPfcbJT0Q...s1600/sage.png

    ... This ZIP file contains a malicious executable Invoice18642.scr which has a VirusTotal detection rate of just 1/55*. The ThreatTrack report... shows that it attempts to communicate with the following resources:
    188.165.204.210/1509uk1/NODE01/0/51-SP3/0/
    188.165.204.210/1509uk1/NODE01/1/0/0/
    green-fuel .us/upload/box/1509uk1.ltc
    www .green-fuel .us/upload/box/1509uk1.ltc
    Recommended blocklist:
    "
    * https://www.virustotal.com/en/file/9...is/1410779812/
    ___

    Fake 'secure' NatWest SPAM – PDF malware
    - http://myonlinesecurity.co.uk/receiv...e-pdf-malware/
    15 Sep 2014 - "'You have received a new secure message from NatWest' pretending to come from NatWest <secure@natwest.com> is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    [ NatWest logo ]
    You have a new private message from NatWest
    To view/read this your secure message please click here
    Email Encryption Provided by NatWest. Learn More.
    Email Security Powered by Voltage IBE
    Copyright 2014 National Westminster Bank Plc. All rights reserved.
    Footer Logo NatWest
    To unsubscribe please click here ...


    15 September 2014: SecureMessage.zip ( 8kb) : Extracts to: SecureMessage.scr
    Current Virus total detections: 1/55* . This 'You have received a new secure message from NatWest' is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/9...is/1410779812/

    - http://threattrack.tumblr.com/post/9...e-message-spam
    Sep 15, 2014
    Screenshot: https://gs1.wac.edgecastcdn.net/8019...u2c1r6pupn.png
    ___

    Phish - Lloyds 'Secure' SPAM...
    - http://myonlinesecurity.co.uk/lloyds...sage-phishing/
    15 Sep 2014 - "There are a few major common subjects in a phishing attempt. The majority are either PayPal or your Bank or Credit Card, with a message saying some thing like:
    - There have been unauthorised or suspicious attempts to log in to your account, please verify
    - Your account has exceeded its limit and needs to be verified
    - Your account will be suspended !
    - You have received a secure message from < your bank>
    - New Secure Message
    - We are unable to verify your account information
    - Update Personal Information
    - Urgent Account Review Notification
    - We recently noticed one or more attempts to log in to your PayPal account from a foreign IP address
    - Confirmation of Order
    This one is 'LLoyds bank New Secure Message' pretending to come from Eli.Ray@ lloydsbank .com or David.Ricard@ lloydsbank .com... Email looks like:
    [ Lloyds TSB logo ]
    (New users may need to verify their email address)
    If you do not see or cannot click “Read Message” / click here
    Desktop Users:
    You will be prompted to open (view) the file or save (download) it to your computer. For best results, click Read Message button.
    Mobile Users:
    Install the mobile application.
    Protected by the Voltage SecureMail Cloud
    SecureMail has a NEW LOOK to better support mobile devices!
    Disclaimer: This email and any attachments are confidential and for the sole use of the recipients. If you have received this email in error please notify the sender...


    Screenshot: http://myonlinesecurity.co.uk/wp-con...re_message.png

    This one wants your personal details and bank details..."
    ___

    Fake Fax SPAM - malware attachment
    - http://myonlinesecurity.co.uk/receiv...e-pdf-malware/
    15 SEP 2014 - "'You have received a fax' pretending to come from fax .co.uk <fax@ documents55 .com> is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    You have received a new fax. This fax was received by Fax Server.
    The fax has been downloaded to dropbox service (Google Inc).
    To view your fax message, please download from the link below. It’s
    operated by Dropbox and safety...
    Received Fax Details
    Received on:1 5/09/2014 10:14 AM
    Number of Pages: 1 ...


    15 September 2014: Docs0972.zip ( 8kb): Extracts to: Docs0972.scr
    Current Virus total detections: 0/54* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/b...is/1410804563/
    ___

    Twitch users shook by money spending malware
    - http://www.theinquirer.net/inquirer/...ending-malware
    15 Sep 2014 - "... F-Secure has warned gamers that the Twitch video streaming service has been hit with malware that can spend users' money. The firm revealed its concerns in a blog post on Friday*, shining a dark light on the new gaming console darling and its role in the world of Steam. F-Secure said that an alarmed Twitch user - not Amazon - approached it with some concerns, explaining that a lure in the Twitch chat feature offers access to a raffle. We all know what can and usually does follow clicking an unsolicited link, and that is the start of a one-way trip to malware. This link, which purports to offer gaming gewgaws, is yet another lie, said F-Secure. It explained that a "Twitch-bot" account "bombards" the chat feature and tickles users with its lure..."
    More detail here:
    * http://www.f-secure.com/weblog/archives/00002742.html

    Last edited by AplusWebMaster; 2014-09-15 at 23:43.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  6. #526
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Thumbs down Fake Payments, Photo SPAM ...

    FYI...

    Fake 'Payments' SPAM ...
    - http://blog.mxlab.eu/2014/09/16/troj...ding-payments/
    Sep 16, 2014 - "... intercepted different campaigns where the trojan Gen:Variant.Graftor.155439 is present in the attached ZIP archive. The trojan is known as Gen:Variant.Graftor.155439 by most AV engines but it’s also known as Trojan/Win32.Zbot, HW32.Paked.1F59, Generic-FAUS!BA7599C952BE or PE:Malware.XPACK-HIE/Heur!1.9C48. The first email, with the subject “Re: today payment done”, is sent from a spoofed address and has the following body:
    Dear sir,
    Today we have able to remit the total amount of US$ 51,704.97 to your account. Details of our payments are as follows:
    Cont. #41 SPV001/APR/13 US$34,299.13 – 11,748.82 (50% disc. For R008 & R016) =
    Cont. #42 EXSQI013/MAY/13 US$29,154.66
    Total Remittance: US$ 51,704.97
    Attached is the TT copy, check with your bank and let us know when you will proceed with shipment.
    Thank you very much.
    Best regards,
    Me


    The attached ZIP file has the name swift copy.zip and contains the swift copy.scr file. At the time of writing, 11 of the 54 AV engines did detect the trojan at Virus Total*...
    * https://www.virustotal.com/en/file/d...c686/analysis/
    The second email, with the subject “Re: Balance payment”, is sent from a spoofed address and has the following body:
    The attached TT copy is issued at the request of our customer. The advice is for your reference only.
    Yours faithfully,
    Global Payments and Cash Management
    Bank of America (BOA)
    This is an auto-generated email, please DO NOT REPLY. Any replies to this
    email will be disregarded...


    The attached ZIP file has the name original copy.zip and contains the original copy.scr file. At the time of writing, 12 of the 55 AV engines did detect the trojan at Virus Total**..."
    ** https://www.virustotal.com/en/file/f...1635/analysis/
    ___

    Fake 'My new photo ' SPAM - malware attachment
    - http://blog.mxlab.eu/2014/09/16/emai...zor-2o-trojan/
    Sep 16, 2014 - "... intercepted a new trojan variant distribution campaign by email with the subject “My new photo ”. This email is sent from a spoofed address and has the following short body in very poor English:
    my new photo
    if you like my photo to send me u photo


    The attached ZIP file has the name photo.zip; once extracted, a folder named photo is available that contains the 127 kB file photo.exe. The trojan is known as a variant of Trojan.Win32.Swizzor.2!O. At the time of writing, 1 of the 54 AV engines did detect the trojan at Virus Total*..."
    * https://www.virustotal.com/en/file/8...17cb/analysis/
    ... Behavioural information
    TCP connections:
    131.253.40.1: https://www.virustotal.com/en/ip-add...1/information/
    137.254.60.32: https://www.virustotal.com/en/ip-add...2/information/
    134.170.188.84: https://www.virustotal.com/en/ip-add...4/information/
    157.56.121.21: https://www.virustotal.com/en/ip-add...1/information/
    91.240.22.62: https://www.virustotal.com/en/ip-add...2/information/
    ___

    Fake USPS SPAM - word doc malware
    - http://myonlinesecurity.co.uk/usps-p...d-doc-malware/
    16 Sep 2014 - "'USPS Postal Notification Service' pretending to come from USPS is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...
    Screenshot: http://myonlinesecurity.co.uk/wp-con...on-service.png

    16 September 2014: Label.zip ( 82 kb): Extracts to: Label.exe
    Current Virus total detections: 20/54* . This USPS Postal Notification Service is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper Microsoft Word .doc file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/6...is/1410841682/
    ___

    Fake 'inovice' SPAM ...
    - http://blog.dynamoo.com/2014/09/inov...mber-spam.html
    16 Sep 2014 - "This spam mis-spells "invoice" in the subject line, and has an .arj file attached that contains a malicious binary.
    Example subjects:
    inovice 8958508 September
    inovice 7682161 September
    inovice 4868431 September
    inovice 0293991 September
    Body text:
    This email contains an invoice file attachment


    The name of the attachment varies, but is in the format invoice_8958508.arj which contains a malicious executable invoice_38898221_spt.exe which has a VirusTotal detection rate of just 3/54*. The ThreatTrack report...and Anubis report show a series of DGA domains... that are characteristic of Zbot, although none of these domains are currently resolving. If your organisation can -block- .arj files at the mail perimeter then it is probably a good idea to do so."
    * https://www.virustotal.com/en-gb/fil...is/1410860283/
    ... Behavioural information
    TCP connections:
    208.91.197.27: https://www.virustotal.com/en/ip-add...7/information/
    ___

    Fake FAX SPAM... again
    - http://blog.dynamoo.com/2014/09/youv...-fax-spam.html
    16 Sep 2014 - "... a facsimile transmission...
    From: Fax
    Date: 16 September 2014 11:05
    Subject: You've received a new fax
    New fax at SCAN0204102 from EPSON by ...
    Scan date: Tue, 16 Sep 2014 15:35:59 +0530
    Number of pages: 2
    Resolution: 400x400 DPI
    You can download your fax message at: ...
    (Google Disk Drive is a file hosting service operated by Google, Inc.) ...


    The link is so obviously not anything to do with Google. Clicking on it loads another script from triera .biz.ua/twndcrfbru/zjliqkgppi.js which in turn downloads a ZIP file from www .yerelyonetisim .org.tr/pdf/Message_2864_pdf.zip which has a VirusTotal detection rate of 3/55*. This malware then phones home... Recommended blocklist:
    188.165.204.210
    brisamarcalcados .com.br
    triera .biz.ua
    yerelyonetisim .org.tr
    ngujungwap .mobi.ps
    "
    * https://www.virustotal.com/en-gb/fil...is/1410862754/
    ... Behavioural information
    TCP connections
    188.165.204.210: https://www.virustotal.com/en/ip-add...0/information/
    198.143.152.226: https://www.virustotal.com/en/ip-add...6/information/
    UDP communications
    137.170.185.211: https://www.virustotal.com/en/ip-add...1/information/
    ___

    Fake forgeries 'Copied invoices' SPAM
    - http://blog.dynamoo.com/2014/09/kifi...ices-spam.html
    16 Sep 2014 - "Kifilwe Shakong is a real person who works for Cashbuild in South Africa. She is not the person sending these messages; they are forgeries. Cashbuild's systems have not been compromised in any way. As you might guess, these messages have a malicious attachment.
    From: Kifilwe Shakong [kshakong@ cashbuild .co.za]
    Date: 16 September 2014 12:17
    Subject: Copied invoices
    The attached invoices are copies. We will not be able to pay them. Please send clear invoices.
    This outbound email has been scanned by the IS Mail Control service.
    For more information please visit http ...
    The attached invoices are copies. We will not be able to pay them. Please send clear invoices...


    Attached is a file with a filename in the format SKMBT_75114091015230.zip which in turn contains a malicious executable SKMBT_75114091015230.exe which has a very low detection rate at VirusTotal of just 1/54*... the malware attempts to phone home to the following domains and IPs which are worth blocking:
    ..."
    (More detail at the dynamoo URL above.)
    * https://www.virustotal.com/en-gb/fil...is/1410866733/
    ... Behavioural information
    DNS requests
    golklopro .com
    cosjesgame .su
    UDP communications
    137.170.185.211: https://www.virustotal.com/en/ip-add...1/information/
    ___

    Fake 'Unpaid invoice' SPAM - leads to Angler Exploit Kit
    - http://blog.dynamoo.com/2014/09/unpa...pam-leads.html
    16 Sep 2014 - "This convincing-looking but -fake- spam leads to an exploit kit.
    From: Christie Foley [christie.foley@ badinsky .sk]
    Reply-to: Christie Foley [christie.foley@ badinsky .sk]
    Date: 16 September 2014 13:55
    Subject: Unpaid invoice notification ...


    Screenshot: https://1.bp.blogspot.com/-4dVURai9z...00/invoice.png

    The link in the email goes to:
    [donotclick]tiragreene .com/aspnet_client/system_web/4_0_30319/invoice_unn.html
    Which in turn goes to an Angler EK landing page at:
    [donotclick]108.174.58.239:8080 /wn8omxftff
    You can see the URLquery report for the EK here*. I would strongly recommend blocking web traffic to 108.174.58.239 (ColoCrossing, US)."
    * http://urlquery.net/report.php?id=1410873578924

    - http://myonlinesecurity.co.uk/notifi...ploit-malware/
    16 Sep 2014
    ___

    Fake 'PAYMENT SCHEDULE' email - 419 SCAM
    - http://myonlinesecurity.co.uk/reyour...gozi-o-iweala/
    16 Sep 2014 - "'RE:YOUR PAYMENT SCHEDULE' pretending to come from Dr Mrs Ngozi O. Iweala is a -scam- . After all the current batches of very nasty and tricky malware being attached to emails or as links in emails, it really is a change to see a good old fashioned 419 scam:
    Attn:Beneficiary,
    My name is Mrs Ngozi Okonjo Iweala,I am the current minister of finance of Nigeria.
    Your payment file has been in our desk since two weeks ago and Mr.Croft from Australia submitted claims on your funds stating that
    you have given him the authority to claim the funds but we stopped him first until we receive a confirmation from any of you. You are
    therefore requested to get back to us to confirm the authenticity of the application of claim submitted by Mr Croft or if you did not
    authorized him for any reason,urgently get back to us so that we can direct you on how you are going to receive your fund via Automated
    Teller Machine System( ATM CARD).
    Please,response back with all your full details mostly your confidential address where you will have the ATM card delivered to you. Your urgent response is highly needed.
    Reply also to : fminister88 @gmail .com
    Your faithfully.
    Dr Mrs Ngozi O. Iweala.
    Finance Of Minister.


    [Arrgghh...]
    ___

    Fake Nat West SPAM - PDF malware
    - http://myonlinesecurity.co.uk/nat-we...e-pdf-malware/
    16 Sep 2014 - "'Nat West BACS Transfer : Remittance for JSAG828GBP' is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    We have arranged a BACS transfer to your bank for the following amount : 4933.00
    Please find details at our secure link below: ...


    This is another version of the same upatre zbot downloaders that have been spammed out today with exactly the same payload as 'NatWest You have a new Secure Message – file-4430 – fake PDF malware'*. This 'Nat West BACS Transfer : Remittance for JSAG828GBP' is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * http://myonlinesecurity.co.uk/natwes...e-pdf-malware/

    - https://www.virustotal.com/en/file/8...is/1410862754/
    ... Behavioural information
    TCP connections
    188.165.204.210: https://www.virustotal.com/en/ip-add...0/information/
    198.143.152.226: https://www.virustotal.com/en/ip-add...6/information/
    UDP communications
    137.170.185.211: https://www.virustotal.com/en/ip-add...1/information/
    ___

    Fake 'Dhl Delivery' SPAM - contains trojan
    - http://blog.mxlab.eu/2014/09/16/fake...ntains-trojan/
    Sep 16, 2014 - "... intercepted a new trojan distribution campaign by email with the subject 'Fwd: Dhl Delivery Attempt (Invoice Documents)'. This email is sent from the spoofed address 'enquiry@ dhl .com' and has the following body:
    We attempted to deliver your item at 17:32pm on Sept 15th, 2014.
    The delivery attempt failed because nobody was present at the shipping address, so this notification has been automatically generated.
    You may rearrange delivery by visiting the link on the attached document or pick up the item at the DHL depot/office indicated on the receipt attached.
    If the package is not rescheduled for delivery or picked up within 48 hours, it will be returned to the sender.
    Airway Bill No: 7808130095
    Class: Package Services
    Service(s): Delivery Confirmation
    Status: eNotification sent
    Print this label to get this package at our depot/office.
    Thank you
    © 2014 Copyright© 2013 DHL. All Rights Reserved...


    The attached ZIP file has the name DHL EXPRESS DELIVERY ATTEMPT.zip and contains the 293 kB large file DHL EXPRESS DELIVERY ATTEMPT.exe. The trojan is known as Trojan/Win32.Necurs, a variant of Win32/Injector.BLYN, W32/Injector.GLA!tr, Backdoor.Bot or Win32.Trojan.Bp-generic.Ixrn. At the time of writing, 6 of the 55 AV engines did detect the trojan at Virus Total*..."
    * https://www.virustotal.com/en/file/5...is/1410870424/

    Last edited by AplusWebMaster; 2014-09-16 at 18:51.
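The pattern that recurs through these posts (a ZIP wrapping a lone .scr or .exe with an invoice, fax or PDF-looking name, or an .arj attachment that the dynamoo post suggests blocking at the mail perimeter) can be checked mechanically at a gateway. This added Python example is not code from any of the quoted blogs; the sample attachments are constructed inline from placeholder bytes and the extension and hint lists are assumptions.

```python
"""Attachment triage for the lure patterns in these posts: a ZIP whose member is
a .scr/.exe dressed up as a document, and ARJ archives a gateway may block outright.
Added example, not code from the quoted blogs; samples below are constructed."""
from __future__ import annotations

import io
import zipfile

# Extensions Windows runs directly; .scr is the one most of the "spoofed icon"
# samples above use. Assumed list, extend to taste.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}
# Words the lures put in the name so the file looks like a document (assumed list).
DOCUMENT_HINTS = ("pdf", "doc", "invoice", "fax", "label", "statement", "message")

ARJ_MAGIC = b"\x60\xea"     # first two bytes of every ARJ archive
ZIP_MAGIC = b"PK\x03\x04"   # local file header of a non-empty ZIP


def archive_kind(data: bytes) -> str:
    """Classify by magic bytes, never by the filename the sender chose."""
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data.startswith(ARJ_MAGIC):
        return "arj"
    return "other"


def suspicious_members(zip_bytes: bytes) -> list:
    """Return the reasons a ZIP attachment resembles the campaigns above."""
    reasons = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = [n for n in zf.namelist() if not n.endswith("/")]
        for name in names:
            base = name.rsplit("/", 1)[-1]          # ignore folders like photo/
            lower = base.lower()
            ext = "." + lower.rsplit(".", 1)[-1] if "." in lower else ""
            if ext in EXECUTABLE_EXTS:
                reasons.append(f"executable member: {base}")
                # 'Invoice..._pdf.scr' style: document word on an executable
                stem = lower[: -len(ext)]
                if any(h in stem for h in DOCUMENT_HINTS):
                    reasons.append(f"document-looking name on executable: {base}")
        if len(names) == 1 and reasons:
            reasons.append("single-member archive wrapping an executable")
    return reasons


def triage_attachment(filename: str, data: bytes) -> dict:
    """Decide whether one attachment should be held; 'block' is True on any reason."""
    kind = archive_kind(data)
    verdict = {"filename": filename, "kind": kind, "reasons": []}
    if kind == "arj":
        verdict["reasons"].append("ARJ archive (block at perimeter)")
    elif kind == "zip":
        try:
            verdict["reasons"] = suspicious_members(data)
        except zipfile.BadZipFile:
            verdict["reasons"].append("corrupt or truncated ZIP")
    elif filename.lower().endswith(".zip"):
        verdict["reasons"].append("claims .zip but is not a ZIP")
    verdict["block"] = bool(verdict["reasons"])
    return verdict


def make_zip(members: dict) -> bytes:
    """Build a ZIP in memory; used only to construct the sample attachments."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples mirroring the posts; contents are placeholder bytes, not malware.
SAMPLE_SECURE_MESSAGE = make_zip({"SecureMessage.scr": b"MZ placeholder"})
SAMPLE_PHOTO = make_zip({"photo/photo.exe": b"MZ placeholder"})
SAMPLE_BENIGN = make_zip({"invoice_0257241.pdf": b"%PDF-1.4 placeholder"})
SAMPLE_ARJ = ARJ_MAGIC + b"\x00" * 30      # only the magic matters here

if __name__ == "__main__":
    for fn, blob in [("SecureMessage.zip", SAMPLE_SECURE_MESSAGE),
                     ("photo.zip", SAMPLE_PHOTO),
                     ("invoice.zip", SAMPLE_BENIGN),
                     ("invc_2014-09-15.arj", SAMPLE_ARJ)]:
        print(triage_attachment(fn, blob))
```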

  7. #527
    Adviser Team AplusWebMaster

    Thumbs down Fake FAX, UKFast SPAM ...

    FYI...

    Fake FAX SPAM - malware
    - http://blog.dynamoo.com/2014/09/youv...ou-havent.html
    17 Sep 2014 - "This tired old spam format comes with warmed-over malware attachment.
    From: Fax [fax@ victimdomain .com]
    Date: 17 September 2014 09:32
    Subject: You've received a new fax
    New fax at SCAN6405035 from EPSON by https ://victimdomain .com
    Scan date: Wed, 17 Sep 2014 16:32:29 +0800
    Number of pages: 2
    Resolution: 400x400 DPI
    You can secure download your fax message at ...
    (Google Disk Drive is a file hosting service operated by Google, Inc.)


    The link in the email downloads an archive file Message_Document_pdf.zip from the same estudiocarraro .com .br site. This has a VirusTotal detection rate of 3/54*. The ThreatTrack report shows that the malware attempts to phone home to:
    denis-benker .de/teilen/1709uk1.hit
    188.165.204.210/1709uk1/NODE01/0/51-SP3/0/
    188.165.204.210/1709uk1/NODE01/1/0/0/
    188.165.204.210/1709uk1/NODE01/41/5/4/
    Recommended blocklist:
    188.165.204.210
    denis-benker .de
    estudiocarraro .com.br
    "
    * https://www.virustotal.com/en-gb/fil...is/1410943351/
    ... Behavioural information
    UDP communications
    137.170.185.211: https://www.virustotal.com/en-gb/ip-...1/information/

    188.165.204.210: https://www.virustotal.com/en-gb/ip-...0/information/
    ___

    Fake ADP Invoice SPAM – PDF malware
    - http://myonlinesecurity.co.uk/adp-invoice-pdf-malware/
    17 Sep 2014 - "'ADP Invoice' pretending to come from billing.address.updates@ adp .com is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... we always say don’t open any attachment or file sent to you in an email, but with fake or malicious PDF files that is quite difficult.

    Screenshot: http://myonlinesecurity.co.uk/wp-con...icious-pdf.png

    17 September 2014: adp_invoice_46887645.pdf
    Current Virus total detections: 8/55* . This ADP Invoice is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/2...is/1410974477/
    ___

    Android Malware uses SSL for Evasion
    - http://blog.trendmicro.com/trendlabs...l-for-evasion/
    Sep 17, 2014 - "... a double-edged sword. Android malware is now utilizing SSL to hide their routines and to evade detection. SSL servers have become a target of Android malware. Malware can use any of the three types of servers... This malware steals user and device information, such as the IMEI, phone number, and images stored in the SD card. Whenever the user starts the app or once the phone reboots, the app will start a backend service to dump the aforementioned information and use a hard-coded Gmail account and password to send the information to a particular email address... ANDROIDOS_TRAMP.HAT attempts to disguise itself as an official Google service. It collects user information like the phone number, location, and contact list. Upon execution, it registers GCMBroadCastReceiver. The malicious app will then post the -stolen- data via Google Cloud Messaging. Google Cloud Messaging is used for C&C communication of the malicious app. Commands such as “send message,” “block call,” and “get current location” are sent and received via Google Cloud Messaging... ANDROIDOS_BACKDOORSNSTWT.A triggers its C&C attack through Twitter. The malware crawls for Twitter URLs and combines the obtained information with a hard-coded string to generate a new C&C URL for attacks. The stolen information is sent to the generated URL... Cybercriminals may have also targeted SSL servers and services because they do not need to exert much effort into gaining access to these sites. They can do so via normal and legal means, such as buying a virtual host from web-hosting services or registering a new account on Twitter. Should we see more use (and abuse) of SSL, detecting malicious apps may not be enough. Collaboration with server providers and services will be needed in removing related URLs, email addresses, and the like. Given the constant evolution of Android malware, we advise users to download Android apps only from legitimate sources. Third-party app stores may not be as strict when it comes to scanning for potentially malicious apps. We also advise users to use a security solution that can detect and block threats that may cause harm to mobile devices..."
    (More detail at the trendmicro URL above.)
    ___

    Fake UKFast invoice SPAM – malware attachment
    - http://myonlinesecurity.co.uk/ukfast...e-pdf-malware/
    17 Sep 2014 - "'UKFast invoice' pretending to come from UKFast Accounts <accounts@ ukfast .co.uk> is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The subject line and the to: lines on these emails are blank...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...st-invoice.png

    17 September 2014: Invoice-17009106-001.zip ( 137 kb): Extracts to: Invoice 17009106-001.exe
    Current Virus total detections: 0/55* . This UKFast invoice is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en-gb/fil...is/1410939664/
    ___

    Fake Invoice SPAM ...
    - http://myonlinesecurity.co.uk/straba...e-pdf-malware/
    17 Sep 2014 - "'Strabane Weekly News INV0071981 – Newspaper copy' is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... - same- malware as one version of today’s UKFast invoice – fake PDF malware*... The email looks like:
    Dear Sir,
    Please find attached the copy of the advert for INV0071981 in the Strabane Weekly News.
    Thank you,
    Darragh


    This 'Strabane Weekly News INV0071981 – Newspaper copy' is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * http://myonlinesecurity.co.uk/ukfast...e-pdf-malware/

    Last edited by AplusWebMaster; 2014-09-17 at 21:12.

  8. #528
    Adviser Team AplusWebMaster

    Thumbs down Fake NatWest, eFax SPAM ...

    FYI...

    Fake NatWest SPAM - malware attached
    - http://blog.dynamoo.com/2014/09/impo...oice-spam.html
    18 Sep 2014 - "This -fake- NatWest invoice (since when did banks send invoices?) leads to a malicious ZIP file.
    From: NatWest Invoice [invoice@ natwest .com]
    Date: 18 September 2014 11:06
    Subject: Important - New account invoice
    Your latest NatWest invoice has been uploaded for your review. If you have any questions regarding this invoice, please contact your NatWest service team at the number provided on the invoice for assistance.
    To view/download your invoice please click here or follow the link below ...
    Thank you for choosing NatWest...


    The link in this particular email goes to bnsoutlaws .co.uk/qvgstopmdi/njfeziackv.html which then downloads a ZIP file from bnsoutlaws .co.uk/qvgstopmdi/Account_Document.zip which in turn contains a malicious executable Account_Document.scr which has a VirusTotal detection rate of just 1/53*. The ThreatTrack report [pdf] shows that the malware attempts to call home...
    Recommended blocklist:
    188.165.204.210
    liverpoolfc .bg
    bnsoutlaws .co.uk
    "
    * https://www.virustotal.com/en-gb/fil...is/1411032337/
    ... Behavioural information
    TCP connections
    91.215.216.52: https://www.virustotal.com/en-gb/ip-...2/information/
    188.165.204.210: https://www.virustotal.com/en-gb/ip-...0/information/
    UDP communications
    137.170.185.211: https://www.virustotal.com/en-gb/ip-...1/information/

    UPDATE: The -same- malware is also being pushed by a fake Lloyds Bank email:
    From: Lloyds Commercial Bank [secure@ lloydsbank .com]
    Date: 18 September 2014 11:45
    Subject: Important - Commercial Documents
    Important account documents
    Reference: C146
    Case number: 68819453
    Please review BACs documents.
    Click link below, download and open document. (PDF Adobe file) ...


    - http://myonlinesecurity.co.uk/nat-we...e-pdf-malware/
    18 Sep 2014
    Screenshot: http://myonlinesecurity.co.uk/wp-con...nt-invoice.png
    ___

    Fake eFax SPAM - PDF malware
    - http://myonlinesecurity.co.uk/efax-r...e-pdf-malware/
    18 Sep 2014 - "'eFax Report' pretending to come from eFax Report <noreply@ efax-reports .com> is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    INCOMING FAX REPORT
    Date/Time: Thursday, 18.09.2014
    Speed: 353bps
    Connection time: 08:02
    Page: 4
    Resolution: Normal
    Remote ID: 611-748-177946
    Line number: 3
    DTMF/DID:
    Description: Internal only ...


    18 September 2014: fax-id9182719182837529.zip ( 189 kb): Extracts to: fax-id9182719182837529.scr
    Current Virus total detections: 1/54* . This eFax Report is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/5...is/1411049220/
    ... Behavioural information
    UDP communications
    137.170.185.211: https://www.virustotal.com/en/ip-add...1/information/
    ___

    Line Voice Message Spam
    - http://threattrack.tumblr.com/post/9...e-message-spam
    18 Sep 2014 - "Subjects Seen:
    You have a voice message
    Typical e-mail details:
    LINE Notification
    You have a voice message, listen it now.
    Time: 21:12:45 14.10.2014, Duration: 45sec


    Malicious URLs:
    iagentnetwork .com/sql.php?line=gA7EF9bA7ns68jJ0eBi8ww
    Malicious File Name and MD5:
    LINE_Call_<phone number>.zip (7FC6D33F62942B55AD94F20BDC7A3797)
    LINE_Call_<phone number>.exe (C3E0F4356A77D18438A38110F8BD919E)


    Screenshot: https://gs1.wac.edgecastcdn.net/8019...mds1r6pupn.png

    Tagged: Line.me, Kuluoz

    147.202.201.24: https://www.virustotal.com/en/ip-add...4/information/

    Last edited by AplusWebMaster; 2014-09-18 at 23:05.

  9. #529 AplusWebMaster

    Fake 'voice mail' SPAM, Apple Phish...

    FYI...

    Fake 'voice mail' SPAM ...
    - http://blog.dynamoo.com/2014/09/this...-leads-to.html
    19 Sep 2014 - "This -fake- voice mail message leads to malware:
    From: Microsoft Outlook [no-reply@ victimdomain .com]
    Date: 19 September 2014 11:59
    Subject: You have received a voice mail
    You received a voice mail : VOICE976-588-6749.wav (25 KB)
    Caller-Id: 976-588-6749
    Message-Id: D566Y5
    Email-Id: <REDACTED>
    Download and extract to listen the message.
    We have uploaded voicemail report on dropbox, please use the following link to download your file...
    Sent by Microsoft Exchange Server


    The link in the email message goes to www .prolococapena .com/yckzpntfyl/mahlqhltkh.html first and then downloads a file from www .prolococapena .com/yckzpntfyl/Invoice102740_448129486142_pdf.zip which contains exactly the -same- malicious executable being pushed in this earlier spam run*."
    * http://blog.dynamoo.com/2014/09/natw...yet-again.html
    19 Sep 2014 - "... shows network activity to hallerindia .com on 192.185.97.223. I would suggest that this is a good domain to -block- ..."
    Screenshot: https://2.bp.blogspot.com/-Oo5Lnrowt...00/natwest.png

    192.185.97.223: https://www.virustotal.com/en/ip-add...3/information/

    - http://myonlinesecurity.co.uk/natwes...e-pdf-malware/
    19 Sep 2014
    Screenshot: http://myonlinesecurity.co.uk/wp-con...-statement.png
    Current Virus total detections: 1/54*
    * https://www.virustotal.com/en/file/a...is/1411120481/
    ... Behavioural information
    UDP communications
    137.170.185.211: https://www.virustotal.com/en/ip-add...1/information/
    ___

    Fake 'Police Suspect' SPAM - PDF malware
    - http://myonlinesecurity.co.uk/city-l...e-pdf-malware/
    19 Sep 2014 - "'City of London Police Homicide Suspect' pretending to come from City of London Police is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    Bulletin Headline: HOMICIDE SUSPECT
    Sending Agency: London City Police
    Sending Location: GB – London – London City Police
    Bulletin Case#: 14-62597
    Bulletin Author: BARILLAS #1169
    Sending User #: 92856
    APBnet Version: 684593
    The bulletin is a pdf attachment to this email.
    The Adobe Reader (from Adobe .com) will display and print the bulletin best.
    You can Not reply to the bulletin by clicking on the Reply button in your email software.


    Of course it is -fake- and -not- from any Police force or Police service in UK or worldwide.
    19 September 2014: Homicide-case#15808_pdf.zip : Extracts to: Homicide-case#15808_pdf.exe
    Current Virus total detections: 4/55* . This 'City of London Police Homicide Suspect' is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/a...is/1411120670/
    ... Behavioural information
    TCP connections
    188.165.204.210: https://www.virustotal.com/en/ip-add...0/information/
    192.185.97.223: https://www.virustotal.com/en/ip-add...3/information/
    ___

    Fake 'Courier Svc' SPAM - PDF malware
    - http://myonlinesecurity.co.uk/tnt-co...e-pdf-malware/
    19 Sep 2014 - "'TNT UK Limited Package tracking' pretending to come from TNT COURIER SERVICE <tracking@tnt.co.uk> is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    TNT COURIER SERVICE (TCS)
    Customer/Delivery Services Department
    Central Pk Est/Mosley Rd, Trafford Park
    Manchester, M17 1TT UK.
    DETAILS OF PACKAGE
    Reg order no: 460911612900
    Your package have been picked up and is ready for dispatch.
    Connote # : 460911612900
    Service Type : Export Non Documents – Intl
    Shipped on : 18 Sep 14 12:00
    Order No : 4240629
    Status : Driver’s Return
    Description : Wrong Address
    Service Options: You are required to select a service option below.
    The options, together with their associated conditions.
    Please check attachment to view information about the sender and package.


    19 September 2014: Label_GB1909201488725UK_pdf.zip: Extracts to: Label_GB1909201488725UK_pdf.exe
    Current Virus total detections: 5/55* . This 'TNT UK Limited Package tracking' is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/a...is/1411121703/
    ... Behavioural information
    DNS requests
    hallerindia .com (192.185.97.223)
    TCP connections
    188.165.204.210: https://www.virustotal.com/en/ip-add...0/information/
    192.185.97.223: https://www.virustotal.com/en/ip-add...3/information/
    ___

    Bitcoin Ponzi scheme ...
    - http://www.reuters.com/article/2014/...0HE1Z820140919
    Sep 19, 2014 - "A U.S. federal judge in Texas ordered Bitcoin Savings and Trust and its owner to pay a combined $40.7 million after the Securities and Exchange Commission established that the company, which sold investments using the virtual currency, was a Ponzi scheme. In a decision dated Thursday, U.S. Magistrate Judge Amos Mazzant said Trendon Shavers "knowingly and intentionally" operated his company "as a sham and a Ponzi scheme," misleading investors about the use of their bitcoin, how he would generate promised returns and the safety of their investments... The SEC said Shavers used the online moniker "pirateat40" to raise more than 732,000 bitcoin from February 2011 to August 2012, promising investors up to 7 percent in weekly interest to be paid based on his ability to trade the currency. But according to the decision, Shavers used new bitcoin to repay earlier investors, diverted some to personal accounts at the now-bankrupt Mt. Gox exchange and elsewhere, and spent some investor funds on rent, food, shopping and casino visits..."
    ___

    Apple Phish ...
    - https://isc.sans.edu/diary.html?storyid=18669
    2014-09-18 23:58:53 UTC - "... this in this morning:
    Dear Client,
    We inform you that your account is about to expire in less 48 hours, it's imperative to update your information with our audit forms, otherwise your session and/or account will be a limited access.
    just click the link below and follow the steps our request form
    Update now...
    This is an automatically generated message. Thank you not to answer. If you need help, please visit the Apple Support.
    Apple Client Support.


    A variation on the -many- phishing emails we see regularly, just taking advantage of two public events, the celebrity photos and the release of the new phone. Maybe a reminder to staff as well as friends and family to -ignore- emails that say "click here" ..."
    ___

    Hack the ad network like a boss...
    - https://www.virusbtn.com/blog/2014/08_15.xml
    4 Sep 2014 - "... Exploit kits have been the scourge of the web for many years. Typically starting with a single line of inserted code, they probe for a number of vulnerabilities in the browser or its plug-ins and use this to drop malware onto the victim's machine. Given the high proportion of Internet users that haven't fully patched their systems, it is a successful way to spread malware.
    > https://www.virusbtn.com/images/news...icious_ads.png
    ... in order for exploit kits to do their work, a vulnerable website must first be infected, or the user must be enticed into clicking a malicious link. But by purchasing ad space, and using this to place malicious ads, attackers have discovered a cheap and effective way to get their malicious code to run inside the browser of many users. They can even tailor their advertisements to target specific languages, regions or even website subjects... We learned last month that this is a serious problem - when researchers found that cybercriminals had purchased advertising space on Yahoo in order to serve the 'Cryptowall' ransomware.
    > https://www.virusbtn.com/images/news...icious_ads.png
    Ideally... advertising networks would block malicious ads as they are added to their systems... this is easier said than done: given the size of such networks, it would take a lot of time and resources - plus, technically, it's difficult to block most malicious ads without a certain percentage of false positives..."

    Last edited by AplusWebMaster; 2014-09-20 at 13:33.

  10. #530 AplusWebMaster

    Fake gov't, Invoice SPAM

    FYI...

    Fake gov't SPAM
    - http://blog.dynamoo.com/2014/09/your...sion-spam.html
    22 Sep 2014 - "This -fake- spam from the UK Government Gateway leads to malware:

    Screenshot: https://4.bp.blogspot.com/-O44byyBpv...00/gateway.png

    The link in the email does -not- go to gateway .gov.uk at all, but in this case the link goes to the following:
    http ://maedarchitettura .it/wfntvkppqi/wnazvamlzv.html ->
    http ://www .maedarchitettura .it/wfntvkppqi/wnazvamlzv.html ->
    http ://maedarchitettura .it/wfntvkppqi/GatewaySubmission.zip
    The ZIP file contains a malicious executable GatewaySubmission.exe which has a VirusTotal detection rate of 1/55*. The Anubis report** shows that it attempts to make a connection to ruralcostarica .com which is probably worth blocking."
    * https://www.virustotal.com/en-gb/fil...is/1411383282/

    184.168.152.32: https://www.virustotal.com/en-gb/ip-...2/information/

    ** https://anubis.iseclab.org/?action=r...82&format=html

    - http://myonlinesecurity.co.uk/online...e-pdf-malware/
    22 Sep 2014
    Screenshot: http://myonlinesecurity.co.uk/wp-con...Submission.png
    ...
    > https://www.virustotal.com/en-gb/fil...is/1411381013/
    ___

    Fake 'LogMeIn' SPAM – malware
    - http://myonlinesecurity.co.uk/septem...pdate-malware/
    22 Sep 2014 - "'September 22, 2014 LogMeIn Security Update' pretending to come from LogMeIn .com <auto-mailer@ logmein .com> is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    Dear client,
    We are pleased to announce that LogMeIn has released a new security certificate.
    It contains new features:
    • The certificate will be attached to the computer of the account holder, which will prevent any fraud activity
    • Any irregular activity on your account will be detected by our security department
    • This SSL security certificate patches the “Heartbleed” bug discovered earlier this year
    Download the attached certificate. Update will be automatically installed by double click.
    As always, your Logmein Support Team is happy to assist with any questions you may have.
    Feel free to contact us ...


    22 September 2014: cert_client.zip (66 kb): Extracts to: cert.scr
    Current Virus total detections: 2/54* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a large blue i instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/a...is/1411400614/
    ... Behavioural information
    DNS requests
    icanhazip .com (23.253.218.205)
    www .download .windowsupdate .com (95.101.0.104): https://www.virustotal.com/en/ip-add...4/information/
    t54cjs4qc2r4bn63 .tor2web .org (65.112.221.20): https://www.virustotal.com/en/ip-add...0/information/
    TCP connections
    23.253.218.205: https://www.virustotal.com/en/ip-add...5/information/
    95.101.0.83: https://www.virustotal.com/en/ip-add...3/information/
    38.229.70.4: https://www.virustotal.com/en/ip-add...4/information/

    - https://isc.sans.edu/diary.html?storyid=18695
    2014-09-22
    Screenshot: https://isc.sans.edu/diaryimages/ima...34_06%20AM.png
    ...
    > https://www.virustotal.com/en/file/a...0c3b/analysis/
    File name: cert.scr.exe
    Detection ratio: 3/51
    ... Behavioural information
    DNS requests
    icanhazip .com (23.253.218.205): https://www.virustotal.com/en/ip-add...5/information/
    www .download.windowsupdate .com (95.101.0.104): https://www.virustotal.com/en/ip-add...4/information/
    t54cjs4qc2r4bn63 .tor2web .org (65.112.221.20): https://www.virustotal.com/en/ip-add...0/information/
    TCP connections
    23.253.218.205: https://www.virustotal.com/en/ip-add...5/information/
    95.101.0.83: https://www.virustotal.com/en/ip-add...3/information/
    38.229.70.4: https://www.virustotal.com/en/ip-add...4/information/
    ___

    Fake USAA SPAM - PDF malware
    - http://myonlinesecurity.co.uk/usaa-p...s-pdf-malware/
    22 Sep 2014 - "'USAA Policy Renewal – Please Print Auto ID Cards' pretending to come from USAA <USAA.Web.Services@customermail.usaa.com> is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...o-ID-Cards.png

    22 September 2014: id_card.pdf - Current Virus total detections: 11/54*
    Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... more targeted at somebody who regularly is likely to receive PDF attachments or Word .doc attachments or any other common file that you use every day. The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/6...is/1411415107/

    - http://threattrack.tumblr.com/post/9...ance-card-spam
    23 Sep 2014
    Screenshot: https://gs1.wac.edgecastcdn.net/8019...ERc1r6pupn.png
    Tagged: USAA, CVE-2013-2729, Upatre, PDFExploit
    ___

    Fake 'RBC Invoice' SPAM – PDF malware
    - http://myonlinesecurity.co.uk/rbc-invoices-pdf-malware/
    22 Sep 2014 - "'RBC Invoices' pretending to come from RBC Express <ISVAdmin@ rbc .com> is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    Please review the attached invoices and pay them at your earliest convenience. Feel free to contact us if you have any questions.
    Thank you.


    22 September 2014: invoice058342.pdf . Current Virus total detections: 10/54* . Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... it appears to come from a friend or is more targeted at somebody who regularly is likely to receive PDF attachments or Word .doc attachments or any other common file that you use every day. The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/6...is/1411409482/
    ___

    Fake 'Payment Advice' SPAM – PDF malware
    - http://myonlinesecurity.co.uk/hsbc-p...e-pdf-malware/
    22 Sep 2014 - "'HSBC Payment Advice Issued' pretending to come from HSBC Bank UK <payment.advice@ hsbc .co.uk> is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment or follow the link in the email... The email looks like:
    Your payment advice is issued at the request of our customer. The advice is for your reference only.
    Please download your payment advice at ...
    Yours faithfully,
    Global Payments and Cash Management
    This is an auto-generated email, please DO NOT REPLY. Any replies to this email will be disregarded.


    ... this drops a slightly different malware paymentadvice .exe with a current VT detections 0/53* . This HSBC Payment Advice Issued is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/8...is/1411386112/
    ... Behavioural information
    UDP communications
    137.170.185.211: https://www.virustotal.com/en/ip-add...1/information/
    ___

    Fake Invoice SPAM
    - http://myonlinesecurity.co.uk/peter-...e-pdf-malware/
    22 Sep 2014 - "'PETER HOGARTH & SONS LTD Invoice 642555' pretending to come from john.williamson@ peterhogarth .co.uk is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    Please find attached your Invoice(s)/Credit(s)
    PETER HOGARTH & SONS LTD
    INDUSTRIAL HYGIENE and PROTECTION
    Tel: 01472 345726 | Fax: 01472 250272 | Web...
    Estate Road No. 5, South Humberside Industrial Estate, Grimsby, North East Lincolnshire, DN31 2UR
    Peter Hogarth & Sons Ltd is a company registered in England.
    Company Registration Number: 1143352...


    22 September 2014: Attachment.zip (230 kb): Extracts to: Invoice 77261990001.PDF.exe
    Current Virus total detections: 3/53* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en-gb/fil...is/1411380202/
    ___

    European banks / Europol in cybercrime fightback
    - http://www.reuters.com/article/2014/...0RN1WO20140922
    Sep 22, 2014 - "Europe's banks have joined forces with Europol's cybercrime unit to try to combat the rising and increasingly sophisticated threat being posed by cyber criminals to financial firms. The European Banking Federation (EBF), which represents about 4,500 banks, and Europol's European Cybercrime Centre - known as EC3 - said on Monday they had signed a memorandum of understanding to intensify cooperation between law enforcement and the financial sector. Banks are facing frequent attacks from sophisticated hackers. Wall Street bank JP Morgan said last month it was working with U.S. law enforcement authorities to investigate a possible cyber attack, and Royal Bank of Scotland and its UK peers have suffered serious attacks by hackers that have disrupted systems... Cybercrime attacks faced by banks include coordinated attempts to disrupt websites, payment card fraud, and attempts to infiltrate systems to steal money. The agreement between the EBF, which is a federation of 32 national banking lobby groups, and EC3, which links cybercrime divisions of police forces in EU countries, will allow them to exchange know-how, statistics and strategic information. Banks are typically working closely with national police forces to fight cybercrime, and the new agreement should widen that across Europe..."

    Last edited by AplusWebMaster; 2014-09-23 at 16:49.
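    Added defender-side example (not code from this thread or from the quoted blogs): a Python check for the "spoofed icon" pattern the posts above describe again and again, where a ZIP attachment extracts to a .exe or .scr whose name is dressed up to look like a PDF (Invoice ...PDF.exe, Label_..._pdf.exe, cert.scr). It goes one step beyond the name trick by also reading the first bytes of each member for a Windows PE "MZ" header. The member names come from the lures quoted in the thread; the file contents, the helper build_zip, and the EXECUTABLE_EXTS / DOC_TOKENS lists are my own constructed assumptions.

```python
import io
import re
import zipfile

# Extensions Windows will run on double-click; the thread's samples use .exe and .scr (assumed list)
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "js", "vbs"}
# Document-like tokens the lures glue onto the payload name ("_pdf.exe", ".PDF.exe") (assumed list)
DOC_TOKENS = ("pdf", "doc", "docx", "xls", "wav")


def classify_name(member_name):
    """Return the reasons a ZIP member name looks like a disguised executable ([] if none)."""
    reasons = []
    base = member_name.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if ext in EXECUTABLE_EXTS:
        reasons.append("executable extension ." + ext)
        # "Invoice 77261990001.PDF.exe" style: a document extension right before the real one
        if len(parts) > 2 and parts[-2] in DOC_TOKENS:
            reasons.append("double extension ." + parts[-2] + "." + ext)
        # "Label_GB1909201488725UK_pdf.exe" style: document token joined to the stem by _ or -
        stem = ".".join(parts[:-1])
        if re.search(r"[_-](%s)$" % "|".join(DOC_TOKENS), stem):
            reasons.append("document token in stem: " + stem)
    return reasons


def assess_zip(zip_bytes):
    """Inspect every member of an in-memory ZIP: name heuristics plus a PE magic check."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            reasons = classify_name(info.filename)
            with zf.open(info) as member:
                head = member.read(2)
            if head == b"MZ":  # Windows PE header, whatever the file name claims to be
                reasons.append("PE header (MZ) at offset 0")
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_zip(members):
    """Helper for constructed samples: members maps member name -> bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: names taken from the lures quoted in this thread, contents are harmless
# stand-ins (a bare "MZ" stub, not a real binary; a PDF-looking text for the benign control).
FAKE_PE = b"MZ" + b"\x00" * 62
SAMPLES = {
    "Attachment.zip": build_zip({"Invoice 77261990001.PDF.exe": FAKE_PE}),
    "Label_GB1909201488725UK_pdf.zip": build_zip({"Label_GB1909201488725UK_pdf.exe": FAKE_PE}),
    "cert_client.zip": build_zip({"cert.scr": FAKE_PE}),
    "benign.zip": build_zip({"statement.pdf": b"%PDF-1.4 constructed benign placeholder"}),
}


def scan_samples():
    """Run assess_zip over every constructed sample; returns {zip name: findings}."""
    return {name: assess_zip(data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in scan_samples().items():
        print(name, "->", findings or "no findings")
```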
