Thread: SPAM frauds, fakes, and other MALWARE deliveries...

  1. #561
    Adviser Team AplusWebMaster
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Fake Securitas, Job offer SPAM ...

    FYI...

    Fake Securitas SPAM – PDF malware
    - http://myonlinesecurity.co.uk/securi...e-pdf-malware/
    30 Oct 2014 - "'From Securitas Mail Out Report Attached' pretending to come from Alert ARC Reports is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:

    From Securitas, please do not reply to this e-mail as it is auto generated.
    For any problems please e-mail derry.andrews@ securitas .uk.com


    30 October 2014: Q100982010_Mail Out Report.zip: Extracts to: Q100771292_Mail Out Report.exe
    Current Virus total detections: 1/54*. This 'From Securitas Mail Out Report Attached' is another one of the spoofed icon files that unless you have "show known file extensions enabled", will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/8...is/1414659759/
    ___

    Fake 'Accounts Payable' SPAM - malware .doc attachment
    - http://myonlinesecurity.co.uk/remind...d-doc-malware/
    30 Oct 2014 - "An email with a Microsoft word doc attachment saying 'Please see attached statement sent to us' pretending to come from random names with a subject of 'Further Reminder' is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The name of the alleged sender matches the name of the 'Senior Accounts Payable Clerk from the Finance Department' in the body of the email... word macro malware*... The email looks like:
    Good afternoon,
    Please see attached statement sent to us, I have highlighted on this the payments made to you in full and attached a breakdown of each one for you to correctly allocate. Hope this helps.
    Thanking you in advance.
    Many Thanks & Kind Regards
    Vivian Dennis
    Senior Accounts Payable Clerk
    Finance Department ..


    30 October 2014 : CopyHA779333.doc - Current Virus total detections: 0/53**. Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email..."
    * http://myonlinesecurity.co.uk/malfor...macro-viruses/

    ** https://www.virustotal.com/en/file/9...is/1414671500/

    - http://blog.dynamoo.com/2014/10/furt...malicious.html
    30 Oct 2014
    ... Recommended blocklist:
    212.59.117.207: https://www.virustotal.com/en/ip-add...7/information/
    217.160.228.222: https://www.virustotal.com/en/ip-add...2/information/
    91.222.139.45: https://www.virustotal.com/en/ip-add...5/information/
    81.7.3.101: https://www.virustotal.com/en/ip-add...1/information/
    195.154.126.245: https://www.virustotal.com/en/ip-add...5/information/
    ___

    Fake Job offer SPAM - malware
    - http://myonlinesecurity.co.uk/job-se...r-job-malware/
    30 Oct 2014 - "'Job service New offer Job' pretending to come from Job service is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...-offer-job.png

    30 October 2014: job.pdf.zip: Extracts to: job.pdf.exe
    Current Virus total detections: 3/53*. same malware as today's version of my new photo malware**. This is another one of the spoofed icon files that unless you have "show known file extensions enabled", will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/2...is/1414662840/

    ** http://myonlinesecurity.co.uk/new-photo-malware/
    ___

    Malicious Browser Extensions
    - http://blog.trendmicro.com/trendlabs...er-extensions/
    Oct 29, 2014 - "Malicious browser extensions bring about security risks as these often lead to system infection and unwanted spamming on Facebook. Based on our data, these attacks have notably affected users in Brazil. We have previously reported that cybercriminals are putting malicious browsers in the official Chrome Web store. We also came across malware that -bypasses- a Google security feature checks third party extensions... we performed an in-depth analysis of malicious Chrome browser extension and its evasion tactics, after receiving samples in from Facebook. Facebook’s Security team conducts their own malware research and they regularly collaborate with Trend Micro to keep their service safe... Based on our data starting from May 2014 onwards, Trend Micro HouseCall has helped about 1,000,000 users whose computers have been infected by malicious browser extensions. The top affected countries are mostly located in the Latin American region, such as Brazil, Mexico, Colombia, and Peru.
    Top affected countries:
    > http://blog.trendmicro.com/trendlabs...-infection.jpg
    ... We strongly advise users to avoid clicking links from messages, even if they appear to come from your friends. Users can also opt to use Trend Micro HouseCall* to secure their systems from online threats, including those that may leverage or abuse Facebook. Trend Micro and Facebook are working closely together to combat this threat. Below is the SHA1 hash of the malicious file:
    4733c4ea00137497daad6d2eca7aea0aaa990b46 "
    * http://housecall.trendmicro.com/
    ___

    Popular Science site compromised
    - http://community.websense.com/blogs/...mpromised.aspx
    28 Oct 2014 - "... injected with a malicious code that -redirects- users to websites serving exploit code, which subsequently drops malicious files on each victim's computer... injected with a malicious iFrame, which automatically redirects the user to the popular RIG Exploit Kit..."

    Last edited by AplusWebMaster; 2014-10-30 at 22:10.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #562

    Fake Amazon SPAM, 'Confirmation' SPAM ...

    FYI...

    Fake Amazon SPAM - malicious DOC attachment
    - http://blog.dynamoo.com/2014/10/your...ispatched.html
    31 Oct 2014 - "This -fake- Amazon email comes with a malicious Word document attached:
    From: Amazon.co.uk [auto-shipping@ amazon .co.uk]
    Reply-To: "auto-shipping@ amazon .co.uk" [auto-shipping@ amazon .co.uk]
    Date: 31 October 2014 09:12
    Subject: Your Amazon.co.uk order has dispatched (#203-2083868-0173124)
    Dear Customer,
    Greetings from Amazon .co.uk,
    We are writing to let you know that the following item has been sent using Royal Mail.
    For more information about delivery estimates and any open orders, please visit ...
    Your order #203-2083868-0173124 (received October 30, 2014) ...


    The Word document contains a malicious macro... but is currently undetected at VirusTotal* (the Malwr report doesn't say much...). The macro then downloads http ://ctmail .me/1.exe and executes it. This malicious binary has a detection rate of 4/52**... 84.40.9.34 is Hostway in Belgium, 213.143.97.18 is Wien Energie, Austria. The malware also downloads a DLL as 2.tmp which has a detection rate of 3/54***.
    Recommended blocklist:
    213.143.97.18
    84.40.9.34
    ctmail .me
    "
    * https://www.virustotal.com/en/file/3...is/1414752406/

    ** https://www.virustotal.com/en/file/8...is/1414752639/

    *** https://www.virustotal.com/en/file/7...is/1414754766/

    - http://myonlinesecurity.co.uk/amazon...d-doc-malware/
    31 Oct 2014
    Screenshot: http://myonlinesecurity.co.uk/wp-con...68-0173124.png
    * https://www.virustotal.com/en/file/3...is/1414744958/
    ___

    Fake 'Confirmation' SPAM - Word doc malware
    - http://myonlinesecurity.co.uk/site-m...d-doc-malware/
    31 Oct 2014 - "An email saying 'Please find attached Remittance and BACS confirmation for September and October Invoices' pretending to come from random names, companies and email addresses with a subject of 'Remittance Confirmation [random characters]' is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:

    Good morning,
    Please find attached Remittance and BACS confirmation for September and October Invoices
    Best Wishes
    Lynn Blevins
    Accounts Dept Assistant
    Site Management Services (Central) Ltd ...


    31 October 2014 : CU293705.doc - Current Virus total detections: 0/52*
    Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/5...is/1414747524/
    ___

    Chrome 40 to terminate use of SSL ...
    - http://www.theregister.co.uk/2014/10...s_down_poodle/
    31 Oct 2014 - "... Update 40* will remove SSLv3 and the hard-to-exploit cookie-stealing Padding Oracle on Downgraded Legacy Encryption (POODLE) attack. Cupertino followed -Redmond- in its browser POODLE put-down after a single click FixIt SSLv3 disabler was issued for Internet Explorer** ahead of removal in a few months. Google security engineer Adam Langley wrote in an update that some buggy servers may stop working as a result... -Chrome- 39 will show a yellow flag over the SSL lock icon, the protocol design flaw that allowed hackers to hijack victims' online accounts and which prompted tech companies to dump SSLv3 in upcoming releases such as -Mozilla's- Firefox 34***..."
    * https://groups.google.com/a/chromium...ev/Vnhy9aKM_l4

    ** https://support.microsoft.com/kb/3009008#FixItForMe

    *** https://blog.mozilla.org/security/20...nd-of-ssl-3-0/

    Last edited by AplusWebMaster; 2014-10-31 at 18:28.

  3. #563

    Fake invoice SPAM ...

    FYI...

    Fake invoice SPAM – Word doc malware
    - http://myonlinesecurity.co.uk/new-in...d-doc-malware/
    3 Nov 2014 - "An email saying 'A new invoice has been created. Please find it attached' pretending to come from TM Group Helpdesk Billing with a subject of 'A new invoice [random characters]' has been created for You' is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    Dear Client,
    A new invoice, WJ7647670C has been created. Please find it attached.
    Kind regards, Marcellus Powell
    TM Group
    Helpdesk Billing


    3 November 2014 : PI646028B.doc - Current Virus total detections: 0/54*
    Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/3...is/1415010191/

    - http://blog.dynamoo.com/2014/11/tm-g...4567c-has.html
    3 Nov 2014
    ... Recommended blocklist:
    91.222.139.45
    213.140.115.29
    149.62.168.210
    111.125.170.132
    121.78.88.208
    "
    ___

    Fake Amazon SPAM - malicious DOC attachment
    - http://blog.dynamoo.com/2014/10/your...ispatched.html
    UPDATE 1: 2014-11-03 - "... different version of the attachment (called ORDER-203-2083868-0173124.doc) which has a VirusTotal detection rate of 0/54* and contains this malicious macro... This downloads a file from http ://hilfecenter-harz .de/1.exe which also has zero detections at VirusTotal... It also downloads a malicious DLL... this as a version of Cridex...
    Recommended blocklist 2:
    84.40.9.34
    37.139.23.200
    hilfecenter- harz .de
    garfield67 .de

    * https://www.virustotal.com/en/file/5...is/1415004635/

    Last edited by AplusWebMaster; 2014-11-04 at 00:57.

  4. #564

    Fake 'New order' SPAM ...

    FYI...

    Fake 'New order' SPAM - Word doc malware
    - http://myonlinesecurity.co.uk/new-or...d-doc-malware/
    4 Nov 2014 - "'New order 7757100' from site is an email saying 'Thank you for ordering' pretending to come from random names at random companies with a subject of 'New order 7757100 from site' is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... This email has what appears to be a genuine word doc attached which is -malformed- and contains a macro script virus... DO NOT follow the advice they give to enable macros to see the content. Almost all of these malicious word documents appear to be -blank- when opened...

    Screenshots: http://myonlinesecurity.co.uk/wp-con...-from-site.png

    - http://myonlinesecurity.co.uk/wp-con...iew-macros.png

    4 November 2014 : Order561104135.doc - Current Virus total detections: 1/54*
    Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/1...is/1415093505/
    ___

    Fake 'Remittance' SPAM – Word doc malware
    - http://myonlinesecurity.co.uk/duco-r...d-doc-malware/
    4 Nov 2014 - "An email saying 'Please find attached the details of the payment credited to your account for the sum of 1739.67 GBP' pretending to come from DUCO with a subject of 'Remittance Advice November' [ random characters] with a malicious word document attachment is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:

    Dear Sir/Madam
    Please find attached the details of the payment credited to your account for the sum of 1739.67 GBP
    Regards,
    Domenic Burton
    Accounts Payable Department DUCO


    4 November 2014 : De_BW574826C.doc - Current Virus total detections: 0/44*
    Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/7...is/1415106043/

    - http://blog.dynamoo.com/2014/11/duco...mber-spam.html
    4 Nov 2014
    - https://www.virustotal.com/en/file/3...is/1415110852/
    ... Behavioural information
    TCP connections
    91.222.139.45: https://www.virustotal.com/en/ip-add...5/information/
    213.140.115.29: https://www.virustotal.com/en/ip-add...9/information/
    ___

    'C-93 Virus Alert' - Phish ...
    - http://www.hoax-slayer.com/C93-virus...ing-scam.shtml
    Nov 4, 2014 - "An email claiming to be from Windows Outlook warns that a 'C93 Virus' has been detected in your mailbox and you are therefore -required- to -click- a link to run a Norton anti-virus scan to resolve the issue. The email is -not- from Outlook or Microsoft. It is a phishing scam designed to trick you into giving your Microsoft Account login details to criminals... According to this email, which claims to be from 'Windows Outlook', a 'C93 Virus' has been detected in your mailbox. The message instructs you to click a link to run a Norton anti-virus scan that will 'remove all Trojan and viral bugs' from your account. But, warns the message, if you fail to run the scan, your mailbox will be -deactivated- ... Example:
    Dear Outlook Member,
    A C93 Virus has been detected in your mailbox, You are required to apply the new Norton AV security anti-virus to scan and to remove all Trojan and viral bugs from your mailbox Account, Failure to apply the scan your mailbox will be De-Activated to avoid our database from being infected.
    Click on Optimal Scan and Log in to apply the service.
    Thank you ...


    If you click the link, you will be taken to a -fake- webpage that is designed to look like a genuine Microsoft account login. When you enter your login details and click the 'Sign In' button, you will be automatically -redirected- to a genuine Microsoft account page... the criminals can collect your login details and use them to hijack your real Microsoft Account. Because the same credentials are used to login to various Microsoft services, they are a valuable commodity for scammers... If you receive one of these -fake- virus warnings, do -not- click any links or open any attachments..."
    ___

    Bitcoin bonanza - or blunders?
    - https://www.virusbtn.com/blog/2014/11_04.xml
    4 Nov 2014 - "... 'occasionally losing a lot of money through bugs and blunders... 'hard not to feel dizzy and somewhat overwhelmed by the security issues and implications.
    > https://www.virusbtn.com/virusbullet...ontiroli-1.jpg
    Malware targeting Bitcoin wallets or using other people's resources to mine for cryptocurrencies are perhaps the least of our worries. What about virus code (or worse, child abuse material) ending up in the blockchain? Or the common flaw of transaction malleability? Or the almost existential threat of the "51% attack"? Cryptocurrencies are here to stay, but they come with their own unique set of problems that we cannot ignore... we're not in Kansas anymore..."
    (More detail at the top virusbtn URL.)

    - https://www.virusbtn.com/blog/2014/10_31a.xml
    31 Oct 2014
    ___

    Facebook: gov't requests for user data rises 24%
    - http://www.reuters.com/article/2014/...0IO21Z20141104
    Nov 4, 2014 - "Facebook Inc said requests by governments for user information rose by about a quarter in the first half of 2014 over the second half of last year. In the first six months of 2014, governments around the world made 34,946 requests for data. During the same time, the amount of content restricted because of local laws increased about 19 percent... Google reported in September a 15 percent sequential increase in the number of requests in the first half of this year, and a 150 percent rise in the last five years, from governments around the world to reveal user information in criminal investigations."

    Last edited by AplusWebMaster; 2014-11-05 at 00:03.

  5. #565

    New Backoff PoS malware ...

    FYI...

    Backoff PoS malware - stealthier, more difficult to analyze
    - http://net-security.org/malware_news.php?id=2906
    Nov 5, 2014 - "... Backoff infections are still on the rise. Fortinet researchers* have recently managed to get their hands on a new Backoff variant that shows that its authors haven't been idle. This version also does not have a version number, but has been given the name Backoff ROM. Compared to the older versions, Backoff ROM disguises itself as as a media player (mplayerc.exe) instead of a Java component in the autorun registry entries... Traffic between the malware and the C&C server is also encrypted, and the way the server responds with new commands for the malware has been simplified... for whatever reason, this new Backoff version does not have keylogging capabilities. But, the researchers believe that this is only a temporary change that will be reversed in newer versions..."
    * http://blog.fortinet.com/post/rom-a-...ff-pos-malware

    - https://www.damballa.com/state-infec...eport-q3-2014/
    10/24/2014
    > https://www.damballa.com/wp-content/...oi-q3-2014.jpg

    - http://atlas.arbor.net/briefs/index#1351521298
    Elevated Severity
    6 Nov 2014
    Analysis: Since approximately Sep 8, 2014, this new version of the Backoff PoS malware has been classified in the ASERT malware analysis infrastructure, which contains at least three hundred distinct instances of Backoff... Easily compromised systems proliferate, and weak remote access deployments are often the culprit. Among the more difficult to compromise systems, tactics such as spear phishing, vendor compromise, partner attacks featuring lateral movement and other strategies well-known to more dedicated threat actors are bearing fruit for the attackers. Proper isolation, hardening, and monitoring of PoS deployments and associated infrastructure are crucial to reducing risks and detecting attackers that may already be present. PoS is squarely in the sights of many threat actors which means that organizations running PoS and their support infrastructure must realize that they are a target...
    Source: http://www.net-security.org/malware_news.php?id=2906
    ___

    Banking Trojan DRIDEX uses Macros for Infection
    - http://blog.trendmicro.com/trendlabs...for-infection/
    Nov 5, 2013 - "... DRIDEX arrives via spammed messages. The messages, supposedly sent by legitimate companies, talk about matters related to finance. The attachments are often said to be invoices or accounting documents.
    Sample spammed message
    > http://blog.trendmicro.com/trendlabs...11/dridex1.png
    The attachment is a Word document containing the malicious macro code. Should the user open the document, they might see a blank document. We have seen other attachments stating that the content will not be visible unless the macro feature is enabled — which is disabled by default. Once this feature is enabled, the macro downloads DRIDEX malware:
    Malicious attachment instructing users to enable the macro feature:
    > http://blog.trendmicro.com/trendlabs...11/dridex2.png
    It then performs information theft through methods like form grabbing, screenshots, and site injections... Attacks using exploit kits rely on vulnerabilities in order to be successful. If the affected system is not vulnerable, the attack will not be successful. Meanwhile, macros are commonly used in automated and interactive documents. If the macro feature was already enabled prior to the attack, the attack commences without any additional requirements. Otherwise, the attack must use a strong social engineering lure in order to convince the user to enable the feature. The reliance on social engineering could be seen as one advantage of macro spam. In exploit kit spam, if the system is no longer vulnerable, the possibility of a successful attack dwindles to nothing, even if it was able to trick the user into clicking the malicious link. In a macro spam attack, there is always that possibility that the user will be tricked into enabling the macro feature...
    Top affected countries, based on data from September-October 2014:
    > http://blog.trendmicro.com/trendlabs...11/dridex4.jpg
    We traced the spam sending to several countries. The top ten spam sending countries include Vietnam, India, Taiwan, Korea, and China.
    Top DRIDEX spam sending countries:
    > http://blog.trendmicro.com/trendlabs...11/dridex5.jpg
    ... best to make sure to enable the macro security features* in Office applications. For organizations, IT administrators can enforce such security measures via Group Policy settings..."
    * https://office.microsoft.com/en-us/v...001049689.aspx
    ___

    'Free' Netflix Accounts: Good Luck With That...
    - https://blog.malwarebytes.org/fraud-...uck-with-that/
    Nov 5, 2014 - "We’ve seen a number of Netflix themed websites which claim to offer up accounts / logins for fans of TV and movie streaming to get their fix -without- having to register or -pay- up to use the service...
    1) freenetflixaccount(dot)info
    This one is rather cookie-cutter and claims to have lots of accounts up for grab, linking to numerous “Netflix premium account” URLs further down the page.
    > https://blog.malwarebytes.org/wp-con...flx1.jpg?w=564
    However, all of the live links lead to the same survey page:
    > https://blog.malwarebytes.org/wp-con...4/11/nflx4.jpg
    To get your hands on the supposed account credentials, you’d have to fill in an offer or sign up to whatever happens to be presented to you. Am I sensing an incoming theme here?…
    2) freenetflixaccountasap(dot)com
    This website has the visitor play an extremely long-winded and elaborate game of “click the thing”, distracting them with lots of options to choose from in order to watch some movies.
    > https://blog.malwarebytes.org/wp-con...4/11/nflx5.jpg
    ... According to the text underneath the many scrolling blue bars, they claim to log you into an account from your chosen region via proxy, set up a bunch of options then log you out. They then “upload the account details” to Fileice, and ask the visitor to “Click below to download the login details”.
    > https://blog.malwarebytes.org/wp-con.../11/nflx12.jpg
    ... > https://blog.malwarebytes.org/wp-con.../11/nflx13.jpg
    ... Interesting to note that the “newly created” page has an entry on VirusTotal* from just over a week ago... Always be wary when presented with supposedly free accounts – remember that there’s something in it for the person offering them up, and it could be anything from survey scam affiliate cash and fakeouts to phishing and Malware attacks..."
    * https://www.virustotal.com/en/url/d7...5e95/analysis/
    ___

    E-ZPass SPAM/Phish ...
    - http://www.networkworld.com/article/...ware-ploy.html
    Nov 3, 2014 - "The Internet Crime Complaint Center* today said it has gotten more than 560 complaints about a rip-off using the E-ZPass vehicle toll collection system that uses phishing techniques to deliver malware to your computer. E-ZPass is an association of 26 toll agencies in 15 states that operate the E-ZPass toll collection program..."
    * https://www.ic3.gov/media/2014/141103.aspx
    "... The IC3 has received more than 560 complaints in which a victim receives an e-mail stating they have not paid their toll bill. The e-mail gives instructions to download the invoice by using the link provided, but the -link- is actually a .zip file that contains an executable with location aware malware. Some of the command and control server locations are associated with the ASProx botnet..."

    - http://stopmalvertising.com/spam-sca...to-asprox.html
    9 July 2014
    Screenshot: http://stopmalvertising.com/research...ass-asprox.jpg
    ___

    20 million new strains of malware - Q3 2014
    - http://www.pandasecurity.com/mediace...ed-in-q3-2014/
    Oct 31, 2014 - "... some 20 million new strains were created worldwide in the third quarter of the year, at a rate of 227,747 new samples every day. Similarly, the global infection ratio was 37.93%, slightly up on the previous quarter (36.87%)... Trojans are still the most common type of malware (78.08%). A long way behind in second place come viruses (8.89), followed by worms (3.92%)... Trojans also accounted for most infections during this period, some 75% of the total, compared with 62.80% in the previous quarter. PUPs are still in second place, responsible for 14.55% of all infections, which is down on the second quarter figure of 24.77. These are followed by adware/spyware (6.88%), worms (2.09%), and viruses (1.48)..."

    Last edited by AplusWebMaster; 2014-11-07 at 16:53.
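The two attachment tricks that recur in the posts above, a .zip whose member is an executable named like a document (job.pdf.zip extracting to job.pdf.exe, shown with a PDF icon while Windows hides known extensions) and a legacy Word .doc that carries a macro downloader (the Confirmation, Remittance and DRIDEX write-ups), can both be caught mechanically at a mail gateway before the lure reaches a user. The following is an added Python example, not code from the forum posts or from any of the blogs they quote: it opens a zip archive, flags double extensions such as .pdf.exe, compares each member's magic bytes against its extension, and uses a crude dependency-free heuristic (the UTF-16LE directory names "Macros" and "_VBA_PROJECT" inside an OLE2 container) to flag documents that contain a VBA project. The sample archive, its member contents, and every function and constant name are constructed for this example; only the member file names mirror those on the page.

```python
from __future__ import annotations

import io
import zipfile
from dataclasses import dataclass

# Extensions Windows runs on double-click (trimmed list, chosen for the example).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Extensions the lure pretends to be: "job.pdf.exe" displays as "job.pdf" when
# "show known file extensions" is off.
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE2/CFB header used by legacy .doc/.xls
# Directory-entry names of a VBA project inside an OLE2 file, stored as UTF-16LE.
# Heuristic only: a hit means "a macro project is present", not "malicious".
VBA_MARKERS = [name.encode("utf-16-le") for name in ("Macros", "_VBA_PROJECT")]


@dataclass
class Finding:
    member: str  # archive member name
    reason: str  # why it was flagged


def _extensions(member_name: str) -> list[str]:
    """All dotted suffixes of the base name, lower-cased: 'job.pdf.exe' -> ['.pdf', '.exe']."""
    base = member_name.rsplit("/", 1)[-1].lower()
    return ["." + part for part in base.split(".")[1:]]


def triage_archive(zip_bytes: bytes) -> list[Finding]:
    """Flag archive members that match the attachment lures described on the page."""
    findings: list[Finding] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            exts = _extensions(info.filename)
            last = exts[-1] if exts else ""
            data = zf.read(info)  # mail attachments are small; read the whole member

            # 1. Executable behind a document-looking name (job.pdf.exe).
            if last in EXECUTABLE_EXTENSIONS:
                if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTENSIONS:
                    findings.append(Finding(info.filename,
                        f"double extension {exts[-2]}{last}: executable disguised as a document"))
                else:
                    findings.append(Finding(info.filename, "executable inside a mail attachment"))

            # 2. Content is a PE image ('MZ') but the name says otherwise: renamed executable.
            if data.startswith(b"MZ") and last not in EXECUTABLE_EXTENSIONS:
                findings.append(Finding(info.filename, "PE header under a non-executable extension"))

            # 3. Legacy Office container that carries a VBA project (macro downloader pattern).
            if data.startswith(OLE_MAGIC) and any(marker in data for marker in VBA_MARKERS):
                findings.append(Finding(info.filename, "OLE document contains a VBA macro project (heuristic)"))
    return findings


def build_sample_archive() -> bytes:
    """Constructed test archive: minimal byte stand-ins, not real malware samples."""
    fake_pe = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x00" * 64
    pdf = b"%PDF-1.4\n%%EOF\n"
    macro_doc = OLE_MAGIC + b"\x00" * 504 + "Macros".encode("utf-16-le") + b"\x00" * 64
    plain_doc = OLE_MAGIC + b"\x00" * 504 + "WordDocument".encode("utf-16-le") + b"\x00" * 64
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("job.pdf.exe", fake_pe)     # spoofed-icon lure named as in the Job offer post
        zf.writestr("statement.pdf", pdf)       # benign document
        zf.writestr("CU293705.doc", macro_doc)  # macro-carrying doc named as in the Confirmation post
        zf.writestr("clean.doc", plain_doc)     # legacy doc without a VBA project
        zf.writestr("report.pdf", fake_pe)      # renamed executable
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_archive(build_sample_archive()):
        print(f"{finding.member}: {finding.reason}")
```

Against the constructed archive the triage returns three findings (job.pdf.exe, CU293705.doc, report.pdf) and passes statement.pdf and clean.doc. The byte search for VBA directory names is the weak part: in a real gateway use a proper CFB parser such as olefile/oletools, since directory entries can straddle sectors and a match only says a macro project exists, not that it is hostile. The extension and magic-byte checks, by contrast, are cheap and catch exactly the "spoofed icon" trick the posts keep describing.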

  6. #566

    iOS app malware, Fake Amazon SPAM ...

    FYI...

    Fake Amazon SPAM - Word doc malware
    - http://blog.mxlab.eu/2014/11/06/w97m...patched-order/
    Nov 6, 2014 - "... intercepted a new trojan distribution campaign by email with the subject “Your Amazon .co.uk order has dispatched (#203-2083868-0173124)”. This email is sent from the spoofed address “Amazon .co.uk” <auto-shipping@ amazon .co.uk>” and has the following body:
    Dear Customer,
    Greetings from Amazon .co.uk,
    We are writing to let you know that the following item has been sent using Royal Mail.
    For more information about delivery estimates and any open orders, please visit: http ://www.amazon .co.uk/your-account
    Your order #203-2083868-0173124 (received November 5, 2014)
    Your right to cancel:
    At Amazon .co.uk we want you to be delighted every time you shop with us. Occasionally though, we know you may want to return items. Read more about our Returns Policy at: http ://www.amazon .co.uk/returns-policy/
    Further, under the United Kingdom's Distance Selling Regulations, you have the right to cancel the contract for the purchase of any of these items within a period of 7 working days... If you've explored the above links but still need to get in touch with us, you will find more contact details at the online Help Desk.
    Note: this e-mail was sent from a notification-only e-mail address that cannot accept incoming e-mail.
    Please do not reply to this message.
    Thank you for shopping at Amazon .co.uk


    The attached file has the name Mail Attachment.doc and is approx. 230 kB large file. The malicious Word file is detected as W97M/Downloader.t, W97M.DownLoader.110 or W97M.Dropper.Obfus. At the time of writing, 4 of the 54 AV engines did detect the malicious file at Virus Total*..."
    * https://www.virustotal.com/en/file/9...is/1415272790/

    - http://myonlinesecurity.co.uk/amazon...d-doc-malware/
    31 Oct 2014
    Screenshot: http://myonlinesecurity.co.uk/wp-con...68-0173124.png
    - https://www.virustotal.com/en/file/3...6238/analysis/
    ___

    Fake 'Order' SPAM – Word doc malware
    - http://myonlinesecurity.co.uk/succes...d-doc-malware/
    6 Nov 2014 - "An email saying 'This is a notice that the invoice has been generated on 05.11.2014' pretending to come from random names at random companies with a subject of 'Successfull_Order 032574522' is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer... The email looks like:
    Dear Customer, [redacted]
    This is a notice that the invoice has been generated on 05.11.2014.
    Your payment method is: credit card.
    The order reference is 468824369.
    Your credit card will be charged for 47.40 USD.
    The payment and delivery information is in attached file.
    Regards,
    Systems Company,
    Crocitto Greta


    6 November 2014 : Order561104111.doc - Current Virus total detections: 6/54*
    Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... The basic rule is NEVER open any attachment to an email, unless you are expecting it... embedded malware or macro..."
    * https://www.virustotal.com/en/file/d...is/1415152827/
    ___

    Fake Bank SPAM – PDF malware
    - http://myonlinesecurity.co.uk/rbc-ba...e-pdf-malware/
    6 Nov 2014 - "'The Bank INTERAC to Guillaume Gilnaught was accepted' pretending to come from RBC Banque Royale < ibanking@ rbc .com > is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...s-accepted.png

    6 November 2014: INTERAC_pmt_11062014_0345875.zip: Extracts to: INTERAC_pmt_11062014_0345875.exe
    Current Virus total detections: 5/53* . This 'The Bank INTERAC to Guillaume Gilnaught was accepted' is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/c...is/1415290279/
    ___

    Western Union Payment Confirmation Spam
    - http://threattrack.tumblr.com/post/1...firmation-spam
    Nov 6, 2014 - "Subjects Seen:
    WUBS Outgoing Payment Confirmation for SOTR4465838
    Typical e-mail details:
    ... This is an automatically generated response: please do not reply to this e-mail. For enquiries please contact Customer Service.
    Attached you will find the Outgoing Payment Confirmation for SOTR4465838. Please confirm all details are correct and notify us immediately if there are any discrepancies.
    Thank you for your business!


    Malicious File Name and MD5:
    9574536_11062014.zip (5ED4C6DE460B2869088C523606415B4B)
    9574536_11062014.exe (C8A8F049313D1C67F1BAAF338FE5EDE0)


    Screenshot: https://gs1.wac.edgecastcdn.net/8019...8aI1r6pupn.png

    Tagged: Western Union, Upatre
    ___

    Apple blocks apps infected with WireLurker malware targeting iPhones and iPads
    - http://www.theinquirer.net/inquirer/...s-via-mac-os-x
    Nov 6, 2014 - "... Palo Alto Networks* discovered the malware threat that targets iPhones and iPads through Apple's Mac OS X operating system, putting an end to the age-old belief that iOS is virus-free. Apple has since responded, and said it has -blocked- third-party apps infected with the malware, which Palo Alto describes as the "biggest in scale" it has ever seen... "As always, we recommend that users download and install software from trusted sources.” Palo Alto discovered the new family of malware dubbed 'WireLurker', which is the first known malware that can attack iOS applications in a similar way to a traditional virus. Palo Alto describes the threat as heralding "a new era in malware attacking Apple's desktop and mobile platforms", and said that the malware is "the biggest in scale we have ever seen". WireLurker can attack iOS devices through Mac OS X using USB, and does so by installing third-party applications on non-jailbroken iPhones through 'enterprise provisioning'. The malware seems to be limited to China at present, where it is targeting devices via the Maiyadi App Store, a third-party Mac app store. WireLurker has been found in -467- OS X apps at Maiyadi, which Palo Alto claims have been downloaded 356,104 times so far... The firm also said that enterprises using Mac computers should ensure that mobile device traffic is routed through a threat prevention system."
    * http://researchcenter.paloaltonetwor...x-ios-malware/
    ___

    Hacks devise new simplified Phishing
    - http://www.darkreading.com/attacks-b...d/d-id/1317242
    Nov 5, 2014 - "... a more efficient way to get unwary online shoppers to part with their personal data and financial account information. The new technique, dubbed 'Operation Huyao' by the security researchers at Trend Micro* who discovered it, basically lessens the time and effort needed for attackers to mount a phishing campaign while also making such attacks harder to spot... only when the user actually attempts to make a purchase that the proxy program serves up a modified page that walks the victim through a checkout progress designed to extract personal information and payment card or bank account information... the phishers employed various blackhat SEO techniques to ensure that people doing specific product-related searches online were served up with results containing malicious links to the targeted store. Users who clicked on the links were then routed to the department store's website via the malicious proxy... In the first half of 2014 for instance, the median uptime for phishing attacks was 8 hours and 42 minutes, meaning that half of all phishing attackers were active for less than nine, the APWG** has noted... Even so, phishing continues to be a major problem. In the first six months of 2014, the industry group counted more than 123,700 unique phishing attacks which was the highest since the second half of 2009. A total of -756- institutions were specifically targeted in these attacks, the largest number ever during a six-month period. Of these companies -Apple- was the most phished brand."
    * http://blog.trendmicro.com/trendlabs...eration-huyao/

    ** http://docs.apwg.org/reports/APWG_Gl...rt_1H_2014.pdf
    ___

    CVE-2014-1772 – IE vuln analysis
    - http://blog.trendmicro.com/trendlabs...vulnerability/
    Nov 5, 2014 - "... privately disclosed this vulnerability to Microsoft earlier in the year, and it had been fixed as part of the June Patch Tuesday update, as part of MS14-035*... this vulnerability was already patched some time ago... This highlights one important reason to upgrade to latest versions of software as much as possible: frequently, new techniques that make exploits more difficult are part of newer versions, making the overall security picture better..."
    * https://technet.microsoft.com/en-us/.../ms14-035.aspx - Critical
    Updated: Jun 17, 2014
    V1.1 (June 17, 2014): Corrected the severity table and vulnerability information to add CVE-2014-2782 as a vulnerability addressed by this update. This is an informational change only. Customers who have already successfully installed the update do not need to take any action.
    - https://web.nvd.nist.gov/view/vuln/d...=CVE-2014-1772 - 9.3 (HIGH)
    Last revised: 06/26/2014
    - https://web.nvd.nist.gov/view/vuln/d...=CVE-2014-2782 - 9.3 (HIGH)
    Last revised: 06/26/2014

    Last edited by AplusWebMaster; 2014-11-06 at 22:51.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .
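    The 'spoofed icon' trick the Securitas and INTERAC items above describe (a .exe inside a .zip, named so that with known file extensions hidden it passes for a PDF) can be caught at the mail gateway by checking both a member's name and its leading bytes. The script below is an added example and not code from the post or the quoted blogs; its archive is built in memory from constructed content, reusing only the lure file names the posts quote (the -PDF.jar name comes from the later 'Police' SPAM item).

```python
"""Triage a mail-attachment archive for the 'spoofed icon' lure: a Windows
executable (or .jar) inside a .zip whose name suggests a document.  Added
example, not code from the forum post or the quoted blogs.  The archive is
constructed in memory; only the member names reuse examples from the posts."""
import io
import zipfile

# Extensions Windows (or an installed JRE) runs directly on double-click.
RUNNABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".jar"}
# Words a lure file name uses to suggest a harmless document.
DOC_HINTS = ("pdf", "doc", "xls", "invoice", "report", "statement")


def sniff(head: bytes) -> str:
    """Identify content by its leading bytes, ignoring the file name."""
    if head.startswith(b"MZ"):
        return "pe"       # Windows executable or DLL
    if head.startswith(b"%PDF"):
        return "pdf"
    if head.startswith(b"\xd0\xcf\x11\xe0"):
        return "ole"      # legacy .doc/.xls container
    if head.startswith(b"PK\x03\x04"):
        return "zip"      # .zip, .jar and .docx share this header
    return "unknown"


def triage_member(name: str, head: bytes) -> list:
    """Return the reasons one archive member deserves a second look."""
    low = name.lower()
    stem, dot, suffix = low.rpartition(".")
    ext = "." + suffix if dot else ""
    kind = sniff(head)
    reasons = []
    if ext in RUNNABLE_EXTS:
        reasons.append(f"runnable extension {ext}")
        if any(hint in stem for hint in DOC_HINTS):
            reasons.append("document-like name on a runnable file")
    if kind == "pe" and ext not in RUNNABLE_EXTS:
        reasons.append("PE header under a non-executable name")
    if ext == ".pdf" and kind != "pdf":
        reasons.append("named .pdf but content is not PDF")
    return reasons


def triage_archive(data: bytes) -> dict:
    """Map each member name to its findings (an empty list means clean)."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(8)          # magic bytes only; never execute
            findings[info.filename] = triage_member(info.filename, head)
    return findings


def suspicious_members(data: bytes) -> list:
    """Names of members with at least one finding, in archive order."""
    return [name for name, reasons in triage_archive(data).items() if reasons]


def build_sample_zip() -> bytes:
    """Constructed archive: two lure names from the posts plus two constructed
    PDFs, one genuine and one that is really a PE under a .pdf name."""
    fake_pe = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 56   # PE-looking stub, not runnable
    members = {
        "Q100771292_Mail Out Report.exe": fake_pe,
        "7 TRANSACTION RPPP 00000123-PDF.jar": b"PK\x03\x04" + b"\x00" * 26,
        "statement.pdf": b"%PDF-1.4\n%constructed placeholder\n",
        "invoice.pdf": fake_pe,
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in triage_archive(build_sample_zip()).items():
        print(f"{name!r}: {', '.join(reasons) or 'no findings'}")
```

    The magic-byte check is what defeats the icon trick: an executable renamed .pdf still starts with MZ, and a .jar lure is still a zip container whatever the name says.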

  7. #567
    Fake job sites, Fake Tech Support website infections

    FYI...

    'Dark market' websites seized in U.S., European busts - Silk Road 2.0
    - http://www.reuters.com/article/2014/...0IR0Z120141107
    Nov 7, 2014
    > http://s4.reutersmedia.net/resources...=LYNXMPEAA60EZ
    "U.S. and European authorities on Friday announced the seizure of more than 400 secret website addresses and arrests of 16 people in a sweep targeting black markets for drugs and other illegal services. The developments were announced a day after prosecutors in New York unveiled criminal charges against the alleged operator of underground online drug marketplace Silk Road 2.0. U.S. authorities called the global sweep the largest law enforcement action to date against illegal websites operating on the so-called Tor network, which lets users communicate anonymously by masking their IP addresses... Europol, in a statement, said U.S. and European cyber crime units, in a sweep across 18 countries, had netted $1 million worth of Bitcoin, the digital currency, 180,000 euros in cash, silver, gold and narcotics. The more than 400 websites and domains seized on Thursday existed on the Tor network and were used by dozens of online marketplaces where such things as child pornography, guns and murder-for-hire could be purchased, authorities said. Sixteen people operating illegal sites were arrested in addition to the defendant in the Silk Road 2.0 case, Europol added, without specifying the charges... On Thursday, U.S. authorities said they had shut down Silk Road 2.0, a successor website to underground online drugs marketplace Silk Road. Blake Benthall, the alleged operator of Silk Road 2.0, was arrested and charged with -conspiracy- to commit drug trafficking, computer hacking, money laundering and other crimes. Troels Oerting, head of Europol's cybercrime center, said the operation knocked out a significant part of the infrastructure for illegal online drugs and weapons trade in the countries involved... The websites had complete business models, Oerting said, and displayed what they sold, including drugs, weapons, stolen credit cards..."
    - http://www.fbi.gov/newyork/press-rel...-federal-court
    ___

    Fake invoice SPAM - malicious Word macro attachment
    - http://blog.dynamoo.com/2014/11/sue-...-contains.html
    7 Nov 2014 - "This -fake- invoice spam (all pretending to be from someone called Sue Morckage) comes with a malicious Word macro attachment.
    From: Sue Morckage
    Date: 7 November 2014 13:10
    Subject: inovice 9232088 November
    This email contains an invoice file attachment


    The number in the subject is random, and attached is a document with the same format name (in this example invoice_9232088.doc). So far I have seen two attachments both with VT detection rates of 4/54 [1] [2]... which contains one of two malicious macros... which then go and download a binary from one of the following locations:
    http ://ksiadzrobak .cba .pl/bin.exe > https://www.virustotal.com/en/ip-add...9/information/
    http ://heartgate .de/bin.exe > https://www.virustotal.com/en/ip-add...6/information/
    This binary gets copied into %TEMP%\AKETVJIJPZE.exe and it has a VirusTotal detection rate of just 1/54*, but so far automated analysis tools... are inconclusive as to what this does, however the payload is likely to be Cridex."
    * https://www.virustotal.com/en/file/e...is/1415369050/

    1] https://www.virustotal.com/en/file/7...is/1415365398/

    2] https://www.virustotal.com/en/file/0...is/1415368736/

    - http://myonlinesecurity.co.uk/sue-mo...d-doc-malware/
    7 Nov 2014
    > https://www.virustotal.com/en/file/6...is/1415372037/
    ___

    Fake job sites ...
    - http://blog.dynamoo.com/2014/11/euro...-fake-job.html
    7 Nov 2014 - "This tip* from @peterkruse about a spam run pushing -fake- jobs using the domain europejobdays .com caught my eye, especially the mention of the nameservers using the stemcellcounseling.net domain. These -fake- job sites tend not to go alone, and a look at the other domains using the same nameservers comes up with a whole list of related -fake- sites... avoid**. You should be aware that the jobs on offer are actually part of some criminal enterprise such as money laundering or parcel reshipping. You can see a video that explains the parcel reshipping scam and the role of the parcel mule below:
    > https://www.youtube.com/watch?v=UbSCXqL1jL4

    * https://twitter.com/peterkruse/statu...28073264517120

    ** (Long list at the dynamoo URL at the top.)
    ___

    Fake Tech Support website infections ...
    - https://blog.malwarebytes.org/exploi...-even-dial-in/
    Nov 6, 2014 - "... Many websites that are promoted via ads on search engines or pop ups often turn out to be impostors or crooks and it doesn’t matter whether they are overseas or here in the U.S. This time around, our focus is on a company that seems to want a big piece of the U.S. market and boasts their infrastructure as being 'ahead of time technology equipment' while 'your computer issues are fixed securely'. This couldn’t be further from the truth. For some reason, looking at the site gives an impression of déjà-vu. Perhaps it is the template and stock photos typically used by many overseas tech support companies... While we shouldn’t judge a book by its cover, there is something really wrong that happens when you visit their website:
    > https://blog.malwarebytes.org/wp-con...d-1024x817.png
    ... One of the html files (a banner) contains a malicious script loading a page from a compromised website. This site contains an -iframe- with a dynamic URL that silently -redirects- the user to the Angler Exploit Kit... In this case, if your system was outdated and you had no security solution, you would have been victim of the fileless infection followed by additional malware... This drive-by infection almost seems like the perfect segue into a malware diagnostic. In fact, right from the beginning of our call, the technician already assumed our computer was infected... Sadly, the service provided by American Tech Help is not up to par either. The technicians are quick to point out errors and ‘hackers’ that have compromised your computer by simply showing the (typical) warnings displayed in the Windows Event Viewer:
    > https://blog.malwarebytes.org/wp-con...r-1024x728.png
    ... here’s the problem: Before browsing to their site and calling them up we had made sure our computer was fully patched. So while the site attempted to exploit our system, it never succeeded. So the technician’s report is completely -bogus- . It is quite possible that the tech support site was simply hacked because of poor security practices and that their owners aren’t aware of it. Or perhaps they don’t even care until the major browsers start blacklisting them and they see their traffic take a dive... There was a time when we could say that as long as you didn’t let scam artists take remote control of your computer, you were fine. Now the mere fact of browsing to one of their sites could be the beginning of some real troubles. It is -not- entirely surprising that such sites are dangerous to visit: they are built quickly, on the cheap and with little to no maintenance. This is just a recipe for disaster as any good website owner would tell you. For more information on tech support scams and general advice, please check out our Tech Support -Scams- resource page*."
    * https://blog.malwarebytes.org/tech-support-scams/

    - http://www.symantec.com/connect/blog...eet-ransomlock
    7 Nov 2014 - "A technical-support phone scam uses Trojan.Ransomlock.AM to lock the user’s computer and trick them into calling a technical help phone number to resolve the issue...
    Top ten ransomware detections as of 11-07-14:
    > http://www.symantec.com/connect/site...omlock%202.png
    Fake BSoD lock screen:
    > http://www.symantec.com/connect/site...203%20edit.png ..."

    - http://www.ftc.gov/news-events/press...h-support-scam

    Last edited by AplusWebMaster; 2014-11-09 at 12:50.

  8. #568
    Fake Invoice SPAM, Masque Attacks - iOS ...

    FYI...

    Fake Invoice SPAM - Word doc malware
    - http://myonlinesecurity.co.uk/kate-w...d-doc-malware/
    10 Nov 2014 - "'invoice 6330089 November' pretending to come from 'Kate Williams' with a malicious word doc attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... DO NOT follow the advice they give to enable macros to see the content... Almost all of these malicious word documents appear to be -blank- when opened in protected view mode... The email looks like:

    Please find attached your November invoice, we now have the facility to email invoices,
    but if you are not happy with this and would like a hard copy please let me know.
    New bank details for BACS payments are Santander Bank Sort Code 6330089 Account No 5606330089.
    Thanks very much
    Kate Williams


    10 November 2014 : invoice_6330089.doc - Current Virus total detections: 0/51*
    Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/8...is/1415612495/

    - http://blog.dynamoo.com/2014/11/kate...-november.html
    10 Nov 2014 - "... the malware connecting to 84.40.9.34 (Hostway, UK)..."

    1] https://www.virustotal.com/en/file/8...is/1415613432/

    2] https://www.virustotal.com/en/file/6...is/1415613431/

    84.40.9.34: https://www.virustotal.com/en/ip-add...4/information/
    ___

    Fake Amazon SPAM - malware-macros
    - http://net-security.org/malware_news.php?id=2912
    Nov 10, 2014 - "... According to AppRiver* researchers, two distinct malware delivery campaigns impersonating e-commerce giant Amazon are currently hitting inboxes. The first one is directed at UK users, and the company has already quarantined over 600,000 of these messages. The malicious email takes the form of a 'delivery confirmation message' and carries a Word document that supposedly contains the needed information. Unfortunately for those who open the file and have -macros- enabled in Word, the action triggers the installation of a Trojan dropper that downloads additional malware aimed at harvesting login credentials for various online services, including online banking. The second campaign comes in the form of an order confirmation from Amazon .com:
    > http://www.net-security.org/images/a...112014-big.jpg
    ... AppRiver* pointed out. Also, this campaign is less intense than the first one - the company has blocked "only" about -160,000- messages so far. The supposed 'invoice file attached' is actually a Trojan dropper that will download additional malware once the host is infected..."
    * http://blog.appriver.com/2014/11/mal...liday-shoppers
    "... This is a very popular time of the year for these types of scams with so many people in shopping mode in preparation for the holidays. With many people expecting purchase confirmations and shipping confirmations with much more frequency, it increases the likelihood that people will fall for this scam. Be extra cautious this holiday shopping season and if you are suspicious of unauthorized activity on your Amazon account -never- follow the link in an email such as this, go directly to the website and check your account from there."
    ___

    'Darkhotel malware' is targeting travelling execs via hotel WiFi
    - http://www.theinquirer.net/inquirer/...via-hotel-wifi
    Nov 10, 2014 - "... 'Darkhotel' has been targeting travelling executives via hotel WiFi for the past four years, Kaspersky has warned, and is still active today. According to the security firm, 'Darkhotel' infects hotel networks with spying software which in turn infects the computers of targeted executives as soon as they connect to the hotel WiFi network. The executives are tricked into installing the information-stealing malware by disguising it as an update for legitimate software such as Adobe Flash, Google Toolbar or Windows Messenger. The malware then searches the computer for sensitive corporate data, cached passwords and log-in credentials..."
    * https://securelist.com/blog/research...darkhotel-apt/
    Nov 10, 2014
    ___

    Home Depot drops Windows for Mac ...
    - http://www.theinquirer.net/inquirer/...fter-data-hack
    Nov 10 2014 - "... Home Depot is reportedly shutting out the Windows operating system in favour of the Apple alternative as the firm continues to respond to the catastrophic breach on its systems. The hardware chain has confessed in some detail about the attack on its checkout and sales systems, and admitted to losses of data that affect tens of millions of customers... The Wall Street Journal* has more information on the Home Depot hack..."
    * http://online.wsj.com/articles/home-...dor-1415309282
    "... hackers got into its systems last April by stealing a password from a vendor, opening a tiny hole that grew into the biggest retail-credit-card breach on record. On Thursday, the company announced the breach was worse than earlier thought. In addition to the 56 million credit-card accounts that were compromised, Home Depot now says around 53 million customer email addresses were stolen as well..."
    ___

    'All Your iOS Apps Belong to Us' - FireEye
    - http://www.fireeye.com/blog/technica...ong-to-us.html
    Nov 10, 2014 - "In July 2014, FireEye mobile security researchers have discovered that an iOS app installed using enterprise/ad-hoc provisioning could replace another genuine app installed through the App Store, as long as both apps used the same bundle identifier. This in-house app may display an arbitrary title (like “New Flappy Bird”) that lures the user to install it, but the app can replace another genuine app after installation. All apps can be replaced except iOS preinstalled apps, such as Mobile Safari. This vulnerability exists because iOS doesn't enforce matching certificates for apps with the same bundle identifier. We verified this vulnerability on iOS 7.1.1, 7.1.2, 8.0, 8.1 and 8.1.1 beta, for both jailbroken and non-jailbroken devices. An attacker can leverage this vulnerability both through wireless networks and USB. We named this attack “Masque Attack," and have created a demo video here:
    > https://www.youtube.com/watch?featur...&v=3VEQ-bJUhPw
    We have notified Apple about this vulnerability on July 26... After looking into WireLurker, we found that it started to utilize a limited form of Masque Attacks to attack iOS devices through USB. Masque Attacks can pose much bigger threats than WireLurker. Masque Attacks can -replace- authentic apps, such as banking and email apps, with the attacker's malware through the Internet. That means the attacker can steal the user's banking credentials by replacing an authentic banking app with malware that has an identical UI. Surprisingly, the malware can even access the original app's local data, which -wasn't- removed when the original app was replaced. These data may contain cached emails, or even login tokens which the malware can use to log into the user's account directly. We have seen proofs that this issue started to circulate. In this situation, we consider it urgent to let the public know, since there could be existing attacks that haven’t been found by security vendors. We are also sharing mitigation measures to help iOS users better protect themselves... By leveraging Masque Attack, an attacker can lure a victim to install an app with a deceiving name crafted by the attacker (like “New Angry Bird”), and the iOS system will use it to replace a legitimate app with the same bundle identifier. Masque Attack couldn't replace Apple's own platform apps such as Mobile Safari, but it can replace apps installed from the App Store. Masque Attack has severe security consequences... In one of our experiments, we used an in-house app with a bundle identifier “com.google.Gmail” with a title “New Flappy Bird”. We signed this app using an enterprise certificate. When we installed this app from a website, it replaced the original Gmail app on the phone:
    > http://www.fireeye.com/blog/wp-conte.../Untitled1.jpg
    ... Masque Attack happens completely over the wireless network, without relying on connecting the device to a computer.
    -- Mitigations: iOS users can protect themselves from Masque Attacks by following three steps:
    - Don’t install apps from third-party sources other than Apple’s official App Store or the user’s own organization.
    - Don’t click “Install” on a pop-up from a third-party web page, as shown in Figure 1(c), no matter what the pop-up says about the app. The pop-up can show attractive app titles crafted by the attacker.
    - When opening an app, if iOS shows an alert with “Untrusted App Developer”, as shown in Figure 3, click on “Don’t Trust” and uninstall the app immediately..."
    Figure 3:
    > http://www.fireeye.com/blog/wp-conte...1/IMG_0001.jpg

    Last edited by AplusWebMaster; 2014-11-11 at 02:07.

  9. #569
    Fake 'Bank Payment', 'Duplicate Payment' SPAM...

    FYI...

    Fake 'Bank Payment' SPAM - malicious attachment
    - http://blog.dynamoo.com/2014/11/naza...hley-bank.html
    11 Nov 2014 - "This -fake- invoice spam pretending to be from a care home in the UK comes with a malicious attachment.
    From: Accounts Finchley [accounts.finchley@ nazarethcare .com]
    Date: 11 November 2014 10:34
    Subject: Bank Payments
    Good Afternoon,
    Paying in sheet attached
    Regards
    Sandra Whitmore
    Care Home Administrator
    Nazareth House
    162 East End Road
    East Finchley
    London...
    Nazareth Care Charitable Trust...


    ... The "from" field in an email is trivially easy to fake, as it looks like the body text may have been stolen from a compromised mailbox. Attached is a file 2014_11_07_14_09_19.doc which comes in two versions both with low VirusTotal detection rates [1] [2]. If macros are enabled then one of two macros... which then downloads a file from one of the following locations:
    http ://www.grafichepilia .it/js/bin.exe
    http ://dhanophan .co.th/js/bin.exe
    This file gets copied to %TEMP%\HZLAFFLTDDO.exe and it has a VirusTotal detection rate of 3/53*. The Malwr report shows it phoning home to:
    http ://84.40.9.34 /kPm/PQ0Zs8L.Wtg%26/thtqJJSo%2B/LsB6v/
    It also drops a DLL identified by VirusTotal** as Dridex."
    1] https://www.virustotal.com/en/file/b...is/1415703941/

    2] https://www.virustotal.com/en/file/0...is/1415703952/

    * https://www.virustotal.com/en/file/4...is/1415704632/

    ** https://www.virustotal.com/en/file/1...is/1415705610/


    - http://myonlinesecurity.co.uk/bank-p...d-doc-malware/
    11 Nov 2014
    Screenshot: http://myonlinesecurity.co.uk/wp-con...s-Finchley.png
    ___

    Fake 'Duplicate Payment' SPAM – Word doc malware
    - http://myonlinesecurity.co.uk/duplic...d-doc-malware/
    11 Nov 2014 - "'Duplicate Payment Received' pretending to come from various random names with a malicious word doc attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    Good afternoon,
    I refer to the above invoice for which we received a bacs payment of £660.94 on 10th November 14. Please be advised that we already received payment for this invoice, by bacs on 30th October 2014.
    I will therefore arrange a refund, please confirm preferred method, cheque or bacs transfer. If a cheque please confirm the name the cheque should be made out too or if bank transfer, please advise bank details.
    If you have any queries regarding this matter, please do not hesitate to contact me.
    I look forward to hearing from you .
    Many thanks
    Lenora Dunn
    Accounts Department


    11 November 2014 : De_VY955279R.doc - Current Virus total detections: 2/55*
    Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/e...is/1415704035/

    - http://blog.dynamoo.com/2014/11/dupl...-spam-has.html
    11 Nov 2014
    ... Recommended blocklist:
    178.254.57.146
    213.140.115.29
    62.76.180.133
    62.76.189.108
    "
    ___

    Trojan SMS Found on Google Play
    - https://blog.malwarebytes.org/mobile...n-google-play/
    Nov 11, 2014 - "... this one slipped under Google Play’s radar, but an SMS Trojan app with the package name com.FREE_APPS_435.android, which claims to be a download for wallpapers, videos, and music, is actively on the Google Play store (at least at the time of this writing it was).
    > https://blog.malwarebytes.org/wp-con...creenShot1.jpg
    ... This tactic has been seen since malware started appearing on Android devices. If you visit the developer’s website from the link provided on the Google Play page, it takes you to a page with two banners and a couple of links.
    > https://blog.malwarebytes.org/wp-con...creenShot3.jpg
    ... Google Play has been notified of the existence of this SMS Trojan. The last update of this app was August 20th 2013, which was most likely the date it was added to the Play store. Many variants of this Trojan have been seen that are not currently on the Play store. We flag this Trojan and similar variants as Android/Trojan.SMS.Agent. This is proof that Google Play isn’t perfect at alleviating all malware."
    ___

    Predator Pain and Limitless... the Fraud
    - http://blog.trendmicro.com/trendlabs...ind-the-fraud/
    Nov 11, 2014 - "ZeuS/ZBOT has been one of the most talked about malware families for several years, and with good reason... It is estimated that ZBOT has enabled cybercriminals to steal more than $100 million US dollars since its inception... the Commercial Crime Bureau of Hong Kong Police Force estimates this kind of fraud has netted attackers up to $75 million US dollars in the first half of this year, from Hong Kong alone... cybercriminals in a single city, within six months, equaled all the losses from ZBOT up to the present. Unlike Zeus, Predator Pain and Limitless are relatively simple keyloggers. They indiscriminately steal web credentials and mail client credentials, as well as capturing keystrokes and screen captures. The output is human readable... clever targeting, patience, cunning and simple keyloggers have netted these cybercriminals large sums of money. These highlight that cybercrime activities are dependent not only on the sophistication of the tools used, but on how well organized the entire scheme is... The following graphs show the distribution of the victims that we observed, both by country and by industry:
    Predator Pain/Limitless Victims by Country:
    > http://blog.trendmicro.com/trendlabs...ibution-01.jpg
    Predator Pain/Limitless Victims by Industry:
    > http://blog.trendmicro.com/trendlabs...ibution-01.jpg

    - http://www.trendmicro.com/vinfo/us/s...predator-pain/
    "... The cybercriminals instead went after SMBs (small and medium-sized businesses), which led us to realize how vulnerable they are to the threat..."

    Last edited by AplusWebMaster; 2014-11-12 at 02:59.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  10. #570
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Thumbs down Fake 'Police' SPAM ...

    FYI...

    Fake 'Police' SPAM ...
    - http://blog.dynamoo.com/2014/11/exch...adquaters.html
    12 Nov 2014 - "I got a lot of these yesterday..

    From: omaniex@ investigtion .com
    Subject: Exchange House Fraud (Police Headquaters)
    please note that your attension is needed in our station, as we got information on this fraud information as transactions detailed in attachment. kindly acknowledge this letter and report to our office as all report and contact details are in attachment. failure to this you will be held responsible.
    Note: come along with your report as it will be needed
    regards,
    Police headquarters.
    Investigtion dept.


    Attached is a file EXCH DETAILS PR 7777709.zip which contains two files:
    7 TRANSACTION RPPP 00000123-PDF.jar
    PR0JECT INVESTIGATI 011111-PDF.jar
    ... malicious application written in Java (top tip - if you have Java installed on your computer, remove it. You probably -don't- need it). It has a VirusTotal detection rate of 7/55*..."
    * https://www.virustotal.com/en/file/b...is/1415792881/
    ___

    ADP Past Due Invoice Spam
    - http://threattrack.tumblr.com/post/1...e-invoice-spam
    Nov 12, 2014 - "Subjects Seen:
    ADP Past Due Invoice#54495150
    Typical e-mail details:
    Your ADP past due invoice is ready for your review at ADP Online Invoice Management .
    If you have any questions regarding this invoice, please contact your ADP service team at the number provided on the invoice for assistance.
    Please note that your bank account will be debited within one banking business day for the amount(s) shown on the invoice.
    Review your ADP past due invoice here.
    Important: Please do not respond to this message. It comes from an unattended mailbox.


    Malicious URLs:
    kurdogluhotels .com/docfiles/invoice_1211.php
    kevalee .ac.th/docfiles/invoice_1211.php
    Malicious File Name and MD5:
    invoice1211_pdf27.zip (05FC7646CF11B6E7FB124782DAF9FB53)
    invoice1211_pdf.exe (78CF05FAA79B41B4BE4666E3496D1D54)


    Screenshot: https://gs1.wac.edgecastcdn.net/8019...x451r6pupn.png

    Tagged: ADP, Upatre

    - http://blog.dynamoo.com/2014/11/adp-...1564-spam.html
    12 Nov 2014 - "... Recommended blocklist:
    188.165.206.208
    shahlart .com
    mboaqpweuhs .com"

    - http://www.threattracksecurity.com/i...-invoice-spam/
    Nov 13, 2014 - "... the Upatre Trojan, which in turn downloaded and decrypted the banking-credential-stealing Trojan Dyre..."
    Screenshot: http://www.threattracksecurity.com/i...ue-Invoice.png

    94.23.49.77: https://www.virustotal.com/en/ip-add...7/information/

    Last edited by AplusWebMaster; 2014-11-15 at 03:14.
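The two posts above both turn on the same two defensive checks: an attachment whose name ends in a document-looking token glued to an executable extension ("...-PDF.jar", "invoice1211_pdf.exe"), and a short list of hashes, hosts and IPs to block. The script below is an added example, not code from the forum posts or from ThreatTrack or Dynamoo; it takes the indicators quoted in those posts and runs them over a few constructed mail-gateway records. The `key=value` log layout, the field names `attach`, `md5` and `url`, and the sample senders are assumptions made for the example.

```python
"""Added example: match mail-gateway records against the indicators quoted
in the posts above and flag attachment names that hide an executable
extension behind a document-looking name. Log format is an assumption."""
import hashlib
import re
from urllib.parse import urlsplit

# Indicators quoted in the ThreatTrack and Dynamoo posts above (12-13 Nov 2014).
KNOWN_BAD_MD5 = {
    "05fc7646cf11b6e7fb124782daf9fb53": "invoice1211_pdf27.zip (Upatre dropper)",
    "78cf05faa79b41b4be4666e3496d1d54": "invoice1211_pdf.exe (Upatre)",
}
BLOCKLIST_HOSTS = {"kurdogluhotels.com", "kevalee.ac.th", "shahlart.com", "mboaqpweuhs.com"}
BLOCKLIST_IPS = {"188.165.206.208", "94.23.49.77"}

# Extensions that actually execute when a user double-clicks them on Windows.
EXECUTABLE_EXT = {"exe", "jar", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}
# A document-type token at the end of the stem, separated or at the start,
# e.g. "00000123-PDF" or "invoice1211_pdf".
DOC_TOKEN = re.compile(r"(?:^|[-_ .])(pdf|doc|docx|xls|xlsx|txt)$", re.IGNORECASE)


def refang(indicator: str) -> str:
    """Undo the 'example .com' spacing the posts use so values compare cleanly."""
    return indicator.replace(" .", ".").replace("[.]", ".").strip().lower()


def deceptive_name(filename: str) -> bool:
    """True when a document-looking name really ends in an executable extension."""
    stem, _, ext = filename.rpartition(".")
    if not stem or ext.lower() not in EXECUTABLE_EXT:
        return False
    return DOC_TOKEN.search(stem) is not None


def match_hash(md5_hex: str):
    """Return the label for a known-bad MD5, or None."""
    return KNOWN_BAD_MD5.get(md5_hex.strip().lower())


def md5_of(data: bytes) -> str:
    """MD5 of raw attachment bytes, in the lowercase hex form used above."""
    return hashlib.md5(data).hexdigest()


def url_blocked(url: str) -> bool:
    """True when the URL's host (or literal IP) is on the quoted blocklist."""
    cleaned = refang(url)
    if "://" not in cleaned:
        cleaned = "http://" + cleaned
    host = urlsplit(cleaned).hostname or ""
    return host in BLOCKLIST_HOSTS or host in BLOCKLIST_IPS


def parse_record(line: str) -> dict:
    """Split an assumed 'key=value key="quoted value"' gateway record into a dict."""
    pairs = re.findall(r'(\w+)=("[^"]*"|\S+)', line)
    return {k: v.strip('"') for k, v in pairs}


def scan_log(lines):
    """Return (line_number, [reasons]) for every record that trips a check."""
    findings = []
    for n, line in enumerate(lines, 1):
        rec = parse_record(line)
        reasons = []
        name, md5, url = rec.get("attach"), rec.get("md5"), rec.get("url")
        if name and deceptive_name(name):
            reasons.append(f"deceptive extension: {name}")
        if md5 and match_hash(md5):
            reasons.append(f"known sample: {match_hash(md5)}")
        if url and url_blocked(url):
            reasons.append(f"blocklisted URL: {url}")
        if reasons:
            findings.append((n, reasons))
    return findings


# Constructed sample records (senders are placeholders; attachment names,
# hash and URL are the ones quoted in the posts above).
SAMPLE_LOG = [
    'ts=2014-11-12T09:14:02Z from=sender1@example.invalid attach="7 TRANSACTION RPPP 00000123-PDF.jar"',
    'ts=2014-11-12T10:40:11Z from=sender2@example.invalid attach="invoice1211_pdf27.zip" md5=05FC7646CF11B6E7FB124782DAF9FB53',
    'ts=2014-11-12T10:41:05Z from=sender2@example.invalid url=http://kurdogluhotels.com/docfiles/invoice_1211.php',
    'ts=2014-11-12T11:02:37Z from=sender3@example.invalid attach="agenda.pdf" md5=d41d8cd98f00b204e9800998ecf8427e',
]

if __name__ == "__main__":
    for line_no, reasons in scan_log(SAMPLE_LOG):
        print(f"record {line_no}: " + "; ".join(reasons))
```

The name check deliberately keys on the extension that Windows will actually run rather than on what the icon or the word "PDF" suggests, which is exactly the trick the `-PDF.jar` and `_pdf.exe` lures rely on; the zip container in the second record is caught by hash only, since `.zip` itself is not executable.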
