
Thread: SPAM frauds, fakes, and other MALWARE deliveries...

  1. #571
    AplusWebMaster (Adviser Team)
    Join Date: Oct 2005
    Location: USA
    Posts: 6,881

    Fake 'BankLine', 'Voice mail' SPAM ...

    FYI...

    Fake 'BankLine' SPAM - targets RBS customers
    - http://blog.mxlab.eu/2014/11/13/fake...rbs-customers/
    Nov 13, 2014 - "... intercepted -fake- emails regarding a new secure message from BankLine that targets RBS customers. The subject line is “You have received a new secure message from BankLine#24802254”; this email is sent from the spoofed address “Bankline <secure.message @ bankline .com>” and has the following body:
    You have received a secure message.
    Read your secure message by following the link bellow:
    link-
    You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.
    If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the Bankline Bank Secure Email Help Desk at 0131 556 1196.
    First time users – will need to register after opening the attachment...


    The embedded URL in our sample leads to hxxp ://vsrwhitefish .com/bankline/message.php. This will open up an HTML document with an integrated JavaScript script that will make use of ActiveXObject or a regular HTTP request, and opens up a download in order to open and/or save the malicious file as instructed."

    216.251.43.98: https://www.virustotal.com/en/ip-add...8/information/
    ... 5/60 2014-11-13 13:23:41 http ://vsrwhitefish .com/bankline/message.php
    ___

    Fake 'Voice mail' SPAM ...
    - http://blog.mxlab.eu/2014/11/13/voic...curity-threat/
    Nov 13, 2014 - "... intercepted a large campaign by email with the subject “Voice Message #0768384921 (numbers may vary)”, which is a continuation of the previous campaign targeting RBS customers. This email is sent from the spoofed address “Message Admin <martin.smith@ essex .org.uk>” and has the following body:

    Voice redirected message
    hxxp ://crcmich .org/bankline/message.php
    Sent: Thu, 13 Nov 2014 11:54:24 +0000


    The embedded URL in our sample leads to hxxp ://crcmich .org/bankline/message.php. This will open up an HTML document with an integrated JavaScript script that will make use of ActiveXObject or a regular HTTP request, and opens up a download in order to open and/or save the malicious file as instructed."

    69.160.53.51: https://www.virustotal.com/en/ip-add...1/information/
    ... 3/61 2014-11-13 15:04:47 http ://crcmich .org/bankline/message.php?
    ___

    Alert (TA14-317A)
    Apple iOS "Masque Attack" Technique
    - https://www.us-cert.gov/ncas/alerts/TA14-317A
    Nov 13, 2014
    Systems Affected:
    iOS devices running iOS 7.1.1, 7.1.2, 8.0, 8.1, and 8.1.1 beta.
    Overview:
    A technique labeled “Masque Attack” allows an attacker to substitute malware for a legitimate iOS app under a limited set of circumstances...
    (More detail at the URL above.)

    Last edited by AplusWebMaster; 2014-11-13 at 23:39.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...

  2. #572
    AplusWebMaster

    Fake Amazon Phish, Fake Flash sites ...

    FYI...

    Fake 'Amazon frozen account' – Phish ...
    - http://myonlinesecurity.co.uk/amazon...rily-phishing/
    14 Nov 2014 - "'Your account has been frozen temporarily' pretending to come from Amazon <auto-confirm@ amazon .co.uk> is one of the latest -phish- attempts to steal your Amazon Account and your Bank, credit card and personal details. This one only wants your personal details, Amazon log in details and your credit card and bank details. Many of them are also designed to specifically steal your email, facebook and other social network log in details...
    Screenshot: http://myonlinesecurity.co.uk/wp-con...hing-email.png
    If you open the -attached- html file you see a webpage looking like:
    > http://myonlinesecurity.co.uk/wp-con...azon_login.png
    When you fill in your user name and password you get a page looking like this, where the phishers try to validate your details to make sure that you are entering “genuine” information. They make sure that the bank account numbers have the correct number of digits and that the credit card numbers have the correct number of digits and format. After submitting the information you get -bounced- on to the genuine Amazon .co.uk website:
    > http://myonlinesecurity.co.uk/wp-con...rification.png
    All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email..."
    ___

    CoinVault - new ransomware
    - http://www.webroot.com/blog/2014/11/14/coinvault/
    Nov 14, 2014 - "Today we encountered a new type of encrypting ransomware that looks to be of the cryptographic locker family. It employs the same method of encryption and has a very similar GUI (kills VSS, increases required payment every 24hr, uses bitcoin payment, etc.).
    CoinVault GUI:
    > https://i.imgur.com/ADEO21U.png
    Here is the background* that it creates – also very similar.
    * https://i.imgur.com/LAHkjT8.png
    ... this is the first Encrypting Ransomware that I’ve seen which actually gives you a free decrypt. It will let you pick any single file that you need after encryption and will decrypt it for you.
    > http://i.imgur.com/F3enAqN.png
    ... it gives a good insight into what the actual decryption routine is like if you find yourself actually having to pay them. I suspect that this freebie will increase the number of people who will pay..."

    - http://arstechnica.com/security/2014...-drug-dealers/
    Nov 14 2014
    ___

    Flash Player updated ...
    - https://blog.malwarebytes.org/online...-flash-player/
    Nov 14, 2014 - "Adobe has fixed -18- vulnerabilities in their Flash Player, and you should update immediately, if you haven’t already done so. However, please ensure you’re installing / updating from the right place. For example:
    > https://blog.malwarebytes.org/wp-con...1/adobupd1.jpg
    The above site claims:
    It is recommended that you update Flash to the latest version to view this page. Please update to continue. Your Flash Plugin version is too low, causing the current sites and related softwares can not be opened properly, please update your Flash Plugin now!
    The site -forwards- visitors to a sign-up page offering a “Mac cleaning” tool... confusing for anybody expecting Adobe Flash updates.
    > https://blog.malwarebytes.org/wp-con...1/adobupd2.jpg
    The Adobe Flash Player website is the place to go for Flash installs*... Always cast a critical eye at the URL of any “Flash Player” site you happen to be on, and check the small print in case you end up with more than you bargained for. Fake Flash Player websites have been around for many years, and are often a prime source of unwanted PUP installs and the occasional slice of Malware..."
    * http://get.adobe.com/flashplayer/ ... (Uncheck the 'McAfee' option if you choose not to use it...)

    Last edited by AplusWebMaster; 2014-11-16 at 08:36.

  3. #573
    AplusWebMaster

    Fake Fax SPAM ...

    FYI...

    Fake Fax SPAM - malicious .DOCM attachment
    - http://blog.dynamoo.com/2014/11/inte...sion-spam.html
    17 Nov 2014 - "This -fake- fax spam comes with a malicious attachment
    From: Interfax [uk@ interfax .net]
    Date: 13 November 2014 20:29
    Subject: Failed Fax Transmission to 01616133969@fax.tc<00441616133969>
    Transmission Results
    Destination Fax: 00441616133969
    Contact Name: 01616133969@ fax .tc
    Start Time: 2014/11/13 20:05:27
    End Time: 2014/11/13 20:29:00
    Transmission Result: 3220 - Communication error
    Pages sent: 0
    Subject: 140186561.XLS
    CSID:
    Duration (In Seconds): 103
    Message ID: 485646629
    Thank you for using Interfax ...


    Attached is a malicious Word macro file called 00000293.docm which is currently undetected at VirusTotal*... Inside this .DOCM file is a malicious macro... which attempts to download a malicious binary from http ://agro2000 .cba .pl/js/bin.exe . This file is downloaded to %TEMP%\MRSWZZFEYPX.exe and the binary also has zero detections at VirusTotal**, and the Malwr report shows that it tries to connect to the following URL: http ://84.40.9.34 /lneinn/mo%26af.lipgs%2Bfn%7El%3Fboel%3D%3F+%3Fa%20%3F~pigc_k/ci$slf%2B%20l%3D%7E . It then drops a malicious DLL onto the target system which has a rather better detection rate of 12/53***. If you are a corporate email administrator then you might consider blocking .DOCM files at the perimeter as I can see no valid reason for these to be sent by email. You should definitely block 84.40.9.34 (Hostway, Belgium) as this is a known bad server that has been used in several recent attacks."
    * https://www.virustotal.com/en/file/7...is/1416221806/

    ** https://www.virustotal.com/en/file/8...is/1416222127/

    *** https://www.virustotal.com/en/file/1...is/1416222797/

    84.40.9.34: https://www.virustotal.com/en/ip-add...4/information/

    - http://myonlinesecurity.co.uk/failed...d-doc-malware/
    17 Nov 2014
    > https://www.virustotal.com/en/file/7...is/1416212735/
    ___

    Fake Investment SPAM ...
    - http://myonlinesecurity.co.uk/invest...eland-malware/
    17 Nov 2014 - "'Investment Opportunities in Ireland' pretending to come from IDA Ireland (Home of Foreign Businesses) <info@idaireland.com> with a link to a malicious zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...in-Ireland.png

    Today's Date: investmentareas.rar: Extracts to: investmentareas.scr
    Current Virus total detections: 26/55* . Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/b...is/1416215003/
    ___

    Fake 'Payment Declined' Phish ...
    - http://myonlinesecurity.co.uk/bt-acc...ined-phishing/
    17 Nov 2014 - "Any phishing attempt wants to get as much personal and financial information from you as possible. This 'BT Account- Payment Declined' pretending to come from BT .com <noreplymail@ btc .com> phishing scam is one of them. The phishers try to use well known companies or Government departments like British Telecom, HMRC, Inland Revenue, Virgin Media, British Gas or any company that many people are likely to have an account with. This one wants your personal details and your credit card and bank details. Many of them are also designed to specifically steal your email, facebook and other social network log in details...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...t-Declined.png

    The link in the email leads you to a webpage looking like:
    Screenshot2: http://myonlinesecurity.co.uk/wp-con...ake-log-in.png

    That leads on to a page to enter all your details, including bank account, credit card, mother’s maiden name and everything else necessary to steal your identity and clean out your bank and credit card accounts:
    Screenshot3: http://myonlinesecurity.co.uk/wp-con...ke-details.png

    Then you get a success page, where they kindly inform you that “The Anti Fraud System has been succesfully added to your account” and then are bounced to the real BT site:
    Screenshot4: http://myonlinesecurity.co.uk/wp-con...s-success-.png

    All of these emails use social engineering tricks to persuade you to open the attachments that come with the email... whether it is a straightforward attempt, like this one, to steal your personal, bank, credit card or email and social networking log in details. Be very careful when unzipping them and make sure you have “show known file extensions” enabled, and then look carefully at the unzipped file. If it says .EXE then it is a problem and should not be run or opened."
    ___

    Fake 'Test message' SPAM plague continues..
    - http://blog.dynamoo.com/2014/11/test...continues.html
    17 Nov 2014 - "This plague of spam "test messages" has been going on for two days now, probably sourced from "Botnet 125"* which sends most of the spam I get. These messages are annoying but not harmful in themselves; I suspect they are probing mail servers for responses. If you have a catch-all email address then you will probably see a lot of these. The targets are either completely random or have been harvested from one data breach or another as far as I can see.
    From: Hollie <Laurie.17@ 123goa .com>
    Date: 17 November 2014 19:04
    Subject: Test 8657443T
    test message.
    Murphy became a free agent on October 15, after refusing a minor league assignment. Silva implies the last cycle has begun, believing herself to be the host.
    Icelandic had been heard. American CIA contract air crews and pilots from the Alabama Air Guard...
    ..."
    * http://www.proofpoint.com/threatinsi...-customers.php

    Last edited by AplusWebMaster; 2014-11-18 at 01:07.

  4. #574
    AplusWebMaster

    Fake Invoice, Fake FAX SPAM...

    FYI...

    Fake Invoice SPAM - Word doc malware attached
    - http://myonlinesecurity.co.uk/email-...d-doc-malware/
    18 May 2014 - "'Invoice #1633370 May' with a malicious word doc attachment saying 'This email contains an invoice file attachment' is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:

    This email contains an invoice file attachment

    So far today, I have seen three different-sized files attached to this email; all file names are random:
    18 November 2014 : invoice_796732903.doc (59kb) Current Virus total detections: 1/55*

    18 November 2014 : invoice_1952581.doc (41kb) Current Virus total detections: 1/55**

    18 November 2014 : invoice_80943810.doc (22kb) Current Virus total detections: 0/54***
    ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/0...is/1416303264/

    ** https://www.virustotal.com/en/file/7...is/1416304606/

    *** https://www.virustotal.com/en/file/6...is/1416304325/
    ___

    Another Fake FAX SPAM run ...
    - http://blog.dynamoo.com/2014/11/inco...ets-party.html
    18 Nov 2014 - "... 'need to load some more papyrus into the facsimile machine...:
    From: Incoming Fax [no-reply@ efax .co.uk]
    Date: 18 November 2014 13:16
    Subject: INCOMING FAX REPORT : Remote ID: 766-868-5553
    INCOMING FAX REPORT
    Date/Time: Tue, 18 Nov 2014 14:16:58 +0100
    Speed: 4222bps
    Connection time: 01:09
    Pages: 5
    Resolution: Normal
    Remote ID: 963-864-5728
    Line number: 1
    DTMF/DID:
    Description: Internal report
    We have uploaded fax report on dropbox, please use the following link to download your file...


    This is (of course) utter bollocks, and the link in the email downloads a ZIP file document_8731_pdf.zip which in turn contains a malicious executable document_8731_pdf.exe which has a VirusTotal detection rate of 4/54*. According to the Malwr report it makes the following HTTP requests:
    http ://108.61.229.224:13861 /1811us1/HOME/0/51-SP3/0/
    http ://108.61.229.224:13861 /1811us1/HOME/1/0/0/
    http ://159593.webhosting58 .1blu. de/mandoc/narutus1.pmg
    It also drops a file EXE1.EXE onto the target system which has a detection rate of 7/55**...
    Recommended blocklist:
    108.61.229.224
    159593.webhosting58 .1blu .de"
    * https://www.virustotal.com/en/file/d...is/1416318405/
    ... Behavioural information
    TCP connections
    108.61.229.224: https://www.virustotal.com/en/ip-add...4/information/
    178.254.0.111: https://www.virustotal.com/en/ip-add...1/information/

    ** https://www.virustotal.com/en/file/5...is/1416318784/

    - http://myonlinesecurity.co.uk/incomi...e-pdf-malware/
    18 Nov 2014
    - https://www.virustotal.com/en/file/d...is/1416321619/
    ___

    Fake Voice msg SPAM again - PDF malware
    - http://myonlinesecurity.co.uk/voice-...e-pdf-malware/
    18 Nov 2014 - "'voice message from 685-869-9737 for mailbox 226' pretending to come from 'Voice Mail <voicemail_sender@ voicemail .com> is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer... The email looks like:
    You have received a voice mail message from 685-869-9737
    Message length is 00:00:30. Message size is 225 KB.
    Download your voicemail message from dropbox service below (Google Disk Drive Inc.)...


    18 November 2014: document_8731_pdf.zip (12 kb): Extracts to: document_8731_pdf.exe
    Current Virus total detections: 4/55* . This is another one of the spoofed icon files that, unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/d...is/1416321619/

    Last edited by AplusWebMaster; 2014-11-18 at 20:12.

  5. #575
    AplusWebMaster

    Fake Bank phish ...

    FYI...

    Fake Bank phish ...
    - http://myonlinesecurity.co.uk/lloyds...ount-phishing/
    19 Nov 2014 - "There are a few major common subjects in a phishing attempt. The majority are either PayPal or your Bank or Credit Card, with a message saying something like:
    -We’re improving your current account
    -There have been unauthorised or suspicious attempts to log in to your account, please verify
    -Your account has exceeded its limit and needs to be verified
    -Your account will be suspended !
    -You have received a secure message from < your bank>
    -New Secure Message
    -We are unable to verify your account information
    -Update Personal Information
    -Urgent Account Review Notification
    -We recently noticed one or more attempts to log in to your PayPal account from a foreign IP address
    -Confirmation of Order


    This one is Lloyds bank 'We’re improving your current account' pretending to come from Lloyds Banking Group Plc <info@ emails.very .co.uk>. The original email looks like this. It will NEVER be a genuine email from PayPal or Your Bank so don’t ever fill in the html (webpage) form that comes attached to the email. Some versions of this phish will have a link to a website that looks at first glance like the genuine bank website. Lloyds actually -do- allow you to pay in and perform some transactions at a Post Office rather than going to your branch, so many users might get unwittingly caught out by this one and think they need to notify the bank.
    Email looks like:

    Screenshot: http://myonlinesecurity.co.uk/wp-con...nt-account.png

    This one wants your personal details and bank details. Many of them are also designed to specifically steal your email, facebook and other social network log in details... whether it is a straight forward attempt, like this one, to steal your personal, bank, credit card or email and social networking log in details. If it says .EXE then it is a problem and should -not- be run or opened."
    ___

    Azure cloud outages - MSN web portal offline
    - http://www.reuters.com/article/2014/...0J309E20141119
    Nov 18, 2014 11:53pm EST - "Microsoft Corp's Azure cloud-computing service, which hosts websites and lets customers store and manage data remotely, suffered serious outages on Tuesday taking its popular MSN web portal offline. According to Microsoft's Azure status page*, the problems started around 5pm Pacific time and have still not been fully solved..."
    * http://azure.microsoft.com/en-us/status/#history

    >> http://azure.microsoft.com/blog/2014...-interruption/
    Nov 19, 2014

    Last edited by AplusWebMaster; 2014-11-21 at 03:59.

  6. #576
    AplusWebMaster

    Angler Exploit Kit adds New Flash Exploit

    FYI...

    Angler Exploit Kit adds New Flash Exploit...
    - http://threatpost.com/angler-exploit...14-8440/109498
    Nov 20, 2014 - "... Angler is just one of the many such exploit kits available to attackers, but the creators of this one seem to be especially quick about adding exploits for new vulnerabilities to the kit. In October, a week after Adobe released its monthly patch update, researchers saw Angler exploiting an integer overflow in Flash that had just been patched. “This is really, really fast,” Kafeine, a French security researcher who identified the attack at the time, said. “The best I remember was maybe three weeks in February 2014.” Now, Kafeine said he already has seen Angler exploiting a Flash vulnerability that was patched Nov. 11 in Adobe’s November update release*. This vulnerability is CVE-2014-8440, a memory corruption flaw in Flash that can allow an attacker to take control of a target system. The bug exists in Flash on multiple platforms, including Windows, OS X and Linux, and Kafeine said it is getting its share of attention from attackers. “The vulnerability is being exploited in blind mass attack. No doubt about it: the team behind Angler is really good at what it does,” he said in a blog post*..."
    * http://malware.dontneedcoffee.com/20...2014-8440.html

    > https://web.nvd.nist.gov/view/vuln/d...=CVE-2014-8440 - 10.0 (HIGH)
    Last revised: 11/12/2014

    Flash test site: https://www.adobe.com/software/flash/about/
    ___

    Fake Donation Overpayment SCAM
    - https://www.ic3.gov/media/2014/141120.aspx
    Nov 20, 2014 - "... received numerous complaints from businesses, charitable organizations, schools, universities, health related organizations, and non-profit organizations, reporting an online donation scheme. The complaints reported subjects who had donated thousands of dollars, via stolen credit cards. Once donations were made, the subjects immediately requested the majority of the donation back, but credited to a different card. They claimed to have mistakenly donated too much by adding an extra digit to the dollar amount (i.e., $5000 was ‘accidentally’ entered instead of $500). However, very few complainants actually returned the money to the second credit card. Many, through their own investigations, discovered the original card was -stolen- or the credit card company notified them of such. Also, some of the organizations’ policies did not allow funds to be returned to a different credit card."

    Last edited by AplusWebMaster; 2014-11-21 at 03:52.

  7. #577
    AplusWebMaster

    Something evil on 46.8.14.154, Fake Payment SPAM ...

    FYI...

    Something evil on 46.8.14.154
    - http://blog.dynamoo.com/2014/11/some...-46814154.html
    21 Nov 2014 - "46.8.14.154 (Netart Group S.r.o. / Movenix International Inc) forms part of an exploit chain that starts with compromised OpenX servers and appears to end up with an exploit kit of some sort... subdomains have been active on that server, they are ALL hijacked GoDaddy domains... (Long list @ the dynamoo URL above) ... The best thing to do is to -block- traffic to 46.8.14.154 because these domains seem to change every few minutes."
    ___

    Fake 'Payment Received' SPAM - malicious DOC attachment
    - http://blog.dynamoo.com/2014/11/dupl...spam-from.html
    21 Nov 2014 - "This -fake- financial spam has a malicious Word document attached.
    From: Enid Tyson
    Date: 21 November 2014 15:36
    Subject: INV209473A Duplicate Payment Received
    Good afternoon,
    I refer to the above invoice for which we received a bacs payment of £675.74 on 10th November 14. Please be advised that we already received payment for this invoice, by bacs on 30th October 2014.
    I will therefore arrange a refund, please confirm preferred method, cheque or bacs transfer. If a cheque please confirm the name the cheque should be made out too or if bank transfer, please advise bank details.
    If you have any queries regarding this matter, please do not hesitate to contact me.
    I look forward to hearing from you .
    Many thanks
    Enid Tyson
    Accounts Department


    In this case the attachment is De_209473A.doc but it will probably vary with the subject name; the document itself has zero detections at VirusTotal (the Malwr report is inconclusive). This contains a malicious macro... which connects to the following URL:
    http ://79.137.227.123 :8080/get1/get1.php
    ...This has a VirusTotal detection rate of just 1/55*. The malware is hardened against analysis in a Sandbox so automated results are inconclusive...
    UPDATE: A second version is going the rounds, with zero detections** and a download location of http :// 61.221.117.205 :8080/get1/get1.php ..."
    * https://www.virustotal.com/en/file/7...is/1416584784/

    ** https://www.virustotal.com/en/file/e...is/1416584533/


  8. #578
    AplusWebMaster

    Fake 'Herbal Root', 'my new photo' SPAM

    FYI...

    Fake 'Herbal Root' email SCAM
    - http://blog.dynamoo.com/2014/11/opla...root-scam.html
    22 Nov 2014 - "... there is no such thing as "Oplamo Herbal Root". So, this spam is almost definitely a scam.
    From: Mr. Tom Good Hope [mrtomgood@ gmail .com]
    Reply-To: mrtomgoodhope@ gmail .com
    Date: 22 November 2014 02:24
    Subject: SUPPLY BUSINESS OF OPLAMO
    My name is Tom Goodhope i based in Liverpool,UK working with a pharmaceutical company.
    I have decided to contact you directly to discuss briefly via email about the ongoing supply that came up in our company. I think if you can understand English and India Language (Hindi,Tamil etc) you can take up this business proposal to buy out OPLAMO HERBAL ROOT from the local producer in India and make supply to our company as the direct producer to enable our company be buying direct from you on every subsequent order after this first purchase. OPLAMO ROOT its used for production of Anti-viral drugs & Animal Vaccines.Our company have been purchasing the materials from Pakistan but it is very scarce and expensive now in Pakistan. I've found out the truth that this Pakistan people purchases this product in India at the rate of $210 USD, while they supply to our company at the rate of $430 USD... Upon your reply i will clarify you more on how to start this business immediately, please drop your contact phone number for me to be able to contact you ASAP.
    Thanks,
    Mr Tom Goodhope
    Company Secretary ...


    ... the originating IP address is actually 123.239.58.103 in Delhi, sent via 198.20.245.154 [eas.easylhost .com] in the US... give it a very wide berth.
    ___

    Fake 'my new photo' SPAM - malware - Google’s webp images
    - http://myonlinesecurity.co.uk/new-ph...s-webp-images/
    22 Nov 2014 - "... a persistent attack by email for some time now. The subject is always “my new photo” or the equivalent in Spanish. Until 2 days ago the -zip- attached to the email just contained a single malware file which is generally identified as Androm or Gamarue or Wauchos depending on which antivirus you have installed. It obviously takes a few hours or even a day or more for the antivirus companies to catch up with new versions so some users get infected. Over the last few days there has been a change in delivery methods. Along with the “normal” executable file there is what appears to be a standard jpg that won’t display natively in Windows Explorer or in the majority of imaging/photo editing/viewing programs. It will display in the Chrome browser. Looking at the file headers, the image is a genuine image but is the “new” webp format from Google https ://developers.google .com/speed/webp/ which needs a codec from Google to display in Windows Explorer or a plug-in to display or use in common image editing/viewing programs. We will almost certainly see requests or comments in various forums or facebook or other tech help sites. It is believed that if a user “accidentally” or otherwise runs the exe file then the image is displayed in the browser (if Chrome is default) or the Google plugin or codec has been installed, and the user thinks that it was just an image and not a malware file. Of course the .exe file has the extension hidden by default and the icon suggests it is a jpg image file, which makes the unwary more likely to click on it and consequently become infected. I have been charting the progress of this malware for some time now, since it first appeared at end of August... we do see quite a few posts saying that the user cannot see the jpg image in an email or on a webpage in IE, FF etc but it -does- in Chrome OR why they cannot view or edit a downloaded jpg.
    The zip file contains 2 files - 1 is a standard .exe with an icon that looks like a jpg that, if you don’t have show hidden extensions enabled, can confuse a user and lead to infection when clicked on... If you open the image files in a hex editor or analysis program you will see the file type header information:
    For JPG they are ……JFIF…..`.`……Exif..MM
    For PNG they are .PNG……..IHDR……………g…..sRGB………gAMA……a…..pHYs……….
    For WebP they are RIFFhs..WEBPVP8 "
    (Comparison example images shown at the URL at the top.)

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .
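
    The post above describes exactly the check a mail gateway or an analyst should do on such a zip: ignore the file name and icon, read the leading bytes. The following is an added example (not code from the post or from the blog it quotes) that sniffs the JFIF/Exif, PNG and RIFF/WEBP markers listed above plus the standard "MZ" stamp of a DOS/PE executable, then flags executables, double extensions and name/content mismatches for every entry in an archive. The archive it inspects is constructed in the script; the entry names 1my_photo.exe and 2my_photo.jpg are taken from the later "my photo" post in this thread, and the PE and WebP contents are header-only stand-ins, not real files.

```python
"""Added example: identify what is really inside a "photo" zip attachment.

Sniffs the leading bytes (the JFIF/Exif, PNG and RIFF/WEBP markers the post
lists, plus the standard PE/EXE "MZ" stamp) and flags executables, double
extensions and name/content mismatches. The archive built below is
constructed here; only the entry names come from the posts."""
import io
import os
import zipfile

EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
# extension -> container type the bytes should show for that extension
IMAGE_EXTS = {".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".webp": "webp"}


def sniff(data: bytes) -> str:
    """Classify a blob by magic bytes, ignoring whatever its name claims."""
    if data[:3] == b"\xff\xd8\xff":                    # JPEG; JFIF or Exif APP marker follows
        return "jpeg"
    if data[:8] == b"\x89PNG\r\n\x1a\n":              # PNG signature; IHDR chunk follows
        return "png"
    if data[:4] == b"RIFF" and data[8:12] == b"WEBP":  # RIFF container with WEBP form type
        return "webp"
    if data[:2] == b"MZ":                              # DOS/PE executable stub
        return "pe"
    return "unknown"


def assess(name: str, data: bytes) -> dict:
    """Compare the name's extension(s) with the sniffed content."""
    base, ext = os.path.splitext(name)
    ext = ext.lower()
    inner_ext = os.path.splitext(base)[1].lower()
    kind = sniff(data)
    flags = []
    if kind == "pe" or ext in EXEC_EXTS:
        flags.append("executable")
    if ext in EXEC_EXTS and inner_ext in IMAGE_EXTS:
        flags.append("double_extension")       # e.g. photo.jpg.exe with extensions hidden
    if ext in IMAGE_EXTS and kind != IMAGE_EXTS[ext]:
        flags.append("type_mismatch")          # e.g. WebP bytes carrying a .jpg name
    return {"name": name, "kind": kind, "size": len(data), "flags": flags}


def inspect_zip(blob: bytes) -> list:
    """Assess every file entry in an in-memory zip (directory entries skipped)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            findings.append(assess(os.path.basename(info.filename), zf.read(info)))
    return findings


def is_dangerous(findings: list) -> bool:
    """True when any entry is an executable, whatever it is called."""
    return any("executable" in f["flags"] for f in findings)


def build_sample_zip() -> bytes:
    """Constructed stand-in for the campaign's zip: a PE header stub named like
    the post's 1my_photo.exe and a bare WebP header named like 2my_photo.jpg."""
    pe_stub = b"MZ\x90\x00" + b"\x00" * 60                                   # header only, not a program
    webp = b"RIFF" + (30).to_bytes(4, "little") + b"WEBPVP8 " + b"\x00" * 22  # header only, no picture
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("my_iphone_photo/1my_photo.exe", pe_stub)
        zf.writestr("my_iphone_photo/2my_photo.jpg", webp)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in inspect_zip(build_sample_zip()):
        print(finding)
```

    The "type_mismatch" flag on its own is not proof of malice (a WebP renamed .jpg is merely a file that won't open in most viewers, as the post says), but an archive that pairs such an image with a PE file is the pattern described above, and is_dangerous() keys on the executable, not on the image.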

  9. #579 AplusWebMaster
    RFID Payment Cards Hack, Regin spy tool ...

    FYI...

    RFID Payment Cards Hack possible with Android App
    - http://blog.trendmicro.com/trendlabs...h-android-app/
    Nov 24, 2014 - "... high-risk Android app detected as ANDROIDOS_STIP.A in Chile. This app, found distributed through forums and blogs, can be used to hack into the user’s RFID bus transit card to recharge the credits... Paying via RFID cards is becoming more popular nowadays as more mobile devices add NFC support. Banks, merchants or public services issue RFID cards to their customers with prepaid credits... Using widely available tools, the attacker cracked the card’s authentication key. With the cracked key and the native NFC support in Android and the device, cloning a card and adding credits can be easily implemented in a mobile app... These particular MIFARE models were discontinued years ago and supplemented with more secure models. However, it appears that card issuers have opted for cheaper solutions which put their customers at risk...
    > http://blog.trendmicro.com/trendlabs...od-nfc-habits/
    We recommend customers take steps to protect RFID cards in their possession. They should also periodically check the balances of their accounts as well. In addition, if possible, they should check if any cards they are currently using are vulnerable and report these to their providers. RFID/NFC attacks are a well-known risk..."
    > http://blog.trendmicro.com/trendlabs...or-businesses/
    ___

    Fake MyFax SPAM - poorly-detected malware
    - http://blog.dynamoo.com/2014/11/myfa...pam-leads.html
    24 Nov 2014 - "Fax spam again... This spam appears to come from the person receiving it (which is an old trick).
    From: victim@ victimdomain .com
    Sent: 24 November 2014 15:31
    To: norep.c@ mefax .com
    Subject: MyFax message from "unknown" - 3 page(s)
    Fax Message [Caller-ID: 1-407-067-7356]
    http ://159593 .webhosting58 .1blu .de/messages/get_message.php
    You have received a 3 page fax at Mon, 24 Nov 2014 15:31:23 +0000.
    * The reference number for this fax is chd_did11-14186364797-10847113200-628.
    View this fax using your PDF reader.
    Thank you for using the MyFax service!


    The link in the message downloads a file faxmessage_7241_pdf61.zip which in turn contains a malicious executable faxmessage_7241_pdf.exe which has a VirusTotal detection rate of 4/53*... connects to the following URLs:
    http ://95.211.199.37 :16792/2411us3/HOME/0/51-SP3/0/
    http ://95.211.199.37 :16792/2411us3/HOME/1/0/0/
    http ://lasuruguayas .com/images/refus3.pnk
    A file EXE1.EXE is also dropped, with a VirusTotal detection rate of just 1/54**..."
    * https://www.virustotal.com/en/file/b...is/1416846678/

    ** https://www.virustotal.com/en/file/7...is/1416846980/

    95.211.199.37: https://www.virustotal.com/en/ip-add...7/information/

    199.26.87.212: https://www.virustotal.com/en/ip-add...2/information/
    ___

    Regin: spy tool
    - http://www.symantec.com/connect/blog...y-surveillance
    Updated: 24 Nov 2014 - "... A back door-type Trojan, Regin is a complex piece of malware whose structure displays a degree of technical competence rarely seen. Customizable with an extensive range of capabilities depending on the target, it provides its controllers with a powerful framework for mass surveillance and has been used in spying operations against government organizations, infrastructure operators, businesses, researchers, and private individuals...
    Regin’s five stages:
    > http://www.symantec.com/connect/site...chitecture.png
    ... Almost half of all infections targeted private individuals and small businesses. Attacks on telecoms companies appear to be designed to gain access to calls being routed through their infrastructure.
    Confirmed Regin infections by sector:
    > http://www.symantec.com/connect/site...g2-sectors.png
    The discovery of Regin highlights how significant investments continue to be made into the development of tools for use in intelligence gathering. Symantec believes that many components of Regin remain undiscovered and additional functionality and versions may exist..."
    > http://www.symantec.com/security_res...121221-3645-99

    - http://community.websense.com/blogs/...-as-regin.aspx
    24 Nov 2014
    ___

    Avast AV can't handle Windows fixes ??
    - http://www.theregister.co.uk/2014/11...windows_fixes/
    24 Nov 2014 - "Security software outfit Avast are trying to figure out why the combination of recent Windows patches and updates to the latter company's software are breaking PCs. Hordes of users have found that their PCs, especially those running Windows 8 and 8.1, grind to a halt after they apply both Microsoft's recent KB3000850 update rollup and Avast's latest automatic updates. Some users report their PCs won't boot, or take forever to apply patches... Avast forums*... Microsoft's not immune either: a Redmond thread titled Major issues with KB3000850 includes plenty of people wondering why the company issued an update incompatible with third-party software**. That criticism may not be entirely fair, as an Avast staffer has posted the following explanation for the mess:
    'We have been able to simulate the problem in our lab and I think we fixed this issue. This Windows update calls new memory related functions which are not fully compatible with Avast' ... Whatever the cause, a fair few people are rather upset with both Avast and Microsoft, with the latter company most often felt to be in the wrong..."
    * https://forum.avast.com/index.php?topic=160717.0

    ** http://answers.microsoft.com/en-us/w...5-3ae1a72b0b1a
    ___

    FTC Obtains Court Orders Temporarily Shutting Down Massive Tech Support Scams
    FTC, State of Florida Charge Companies Bilked $120 Million from Consumers for Bogus Software and Tech Support Service
    - http://www.ftc.gov/news-events/press...n-massive-tech
    Nov 19, 2014 - "At the request of the Federal Trade Commission and the State of Florida, a federal court has temporarily shut down two massive telemarketing operations that conned tens of thousands of consumers out of more than $120 million by deceptively marketing computer software and tech support services. The orders also temporarily freeze the defendants’ assets and place the businesses under the control of a court-appointed receiver. According to complaints filed by the FTC, since at least 2012, the defendants have used software designed to trick consumers into thinking there are problems with their computers, then subjected those consumers to high-pressure deceptive sales pitches for tech support products and services to fix their non-existent computer problems... In this latest action, the FTC and the State of Florida have filed two separate cases against companies who allegedly sold the -bogus- software and the deceptive telemarketing operators who allegedly sold -needless- tech support services:
    - In the first case, the defendants selling software include PC Cleaner Inc.; Netcom3 Global Inc.; Netcom3 Inc., also doing business as Netcom3 Software Inc.; and Cashier Myricks, Jr. The telemarketing defendants include Inbound Call Experts LLC; Advanced Tech Supportco. LLC; PC Vitalware LLC; Super PC Support LLC; Robert D. Deignan, Paul M. Herdsman, and Justin M. Wright.
    - In the second case, the defendants selling software include Boost Software Inc. and Amit Mehta, and the telemarketing defendants include Vast Tech Support LLC, also doing business as OMG Tech Help, OMG Total Protection, OMG Back Up, downloadsoftware.com, and softwaresupport.com; OMG Tech Help LLC; Success Capital LLC; Jon Paul Holdings LLC; Elliot Loewenstern; Jon-Paul Vasta; and Mark Donahue.
    According to the FTC’s complaints, each scam starts with computer software that purports to enhance the security or performance of consumers’ computers. Typically, consumers download a free trial version of software that runs a computer system scan. The defendants’ software scan always identifies numerous errors on consumers’ computers, regardless of whether the computer has any performance problems..."

    Last edited by AplusWebMaster; 2014-11-25 at 14:03.
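
    The MyFax item above rests on two observations: the mail "appears to come from the person receiving it", and the "fax" link serves a script that returns a zip with an executable rather than a PDF. The following is an added example, not code from the post or from Dynamoo, that scores a message on those two traits. It also checks the SPF result in an Authentication-Results header, which the post does not mention but which is how a gateway normally proves that a mail claiming to be from the recipient's own domain arrived from outside it. The sample message is constructed: the fax wording and the victim@victimdomain.com placeholder follow the post, the link host fax-host.example and the authenticating mail server are invented.

```python
"""Added example: score a "fax notification" whose From is the recipient.

Traits checked: sender equals recipient (the post's "old trick"), a link to a
.php/.zip/.exe rather than the promised PDF, and an SPF failure recorded by
the receiving MX. The message below is constructed; only the fax text and the
victim@victimdomain.com placeholder follow the post."""
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
RISKY_PATH = re.compile(r"\.(php|exe|zip|scr)(\?|$)", re.I)

SAMPLE = """Return-Path: <bounce@fax-host.example>
Authentication-Results: mx.victimdomain.com; spf=fail smtp.mailfrom=bounce@fax-host.example
From: victim@victimdomain.com
To: victim@victimdomain.com
Subject: MyFax message from "unknown" - 3 page(s)
Content-Type: text/plain; charset=us-ascii

Fax Message [Caller-ID: 1-407-067-7356]
http://fax-host.example/messages/get_message.php
You have received a 3 page fax at Mon, 24 Nov 2014 15:31:23 +0000.
View this fax using your PDF reader.
Thank you for using the MyFax service!
"""


def text_body(msg) -> str:
    """Concatenate every text/plain part (works for single-part and multipart)."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def analyse(raw: str) -> dict:
    """Return the extracted links and the reasons the mail looks like a fax lure."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    rcpts = {a.lower() for _, a in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))}
    body = text_body(msg)
    urls = URL_RE.findall(body)
    risky = [u for u in urls if RISKY_PATH.search(u.split("#")[0])]
    reasons = []
    if sender and sender in rcpts:
        reasons.append("from_equals_recipient")       # From header forged to the victim's own address
    if re.search(r"\bspf=(fail|softfail)\b", msg.get("Authentication-Results", ""), re.I):
        reasons.append("spf_fail")                    # own domain in From, but delivered from outside
    if risky:
        reasons.append("script_or_archive_link")      # .php/.zip/.exe behind a "fax"
    if risky and re.search(r"\bpdf reader\b", body, re.I):
        reasons.append("pdf_lure_with_non_pdf_link")  # promises a PDF, links to something else
    return {
        "sender": sender,
        "urls": urls,
        "risky_urls": risky,
        "reasons": reasons,
        "verdict": "suspicious" if len(reasons) >= 2 else "clean",
    }


if __name__ == "__main__":
    print(analyse(SAMPLE))
```

    A single reason is deliberately not enough for a verdict: plenty of legitimate systems link to a .php endpoint, and a user mailing a note to themselves trips the first check. Two or more together, as in the sample, is the combination worth quarantining.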

  10. #580 AplusWebMaster
    What's up with 104.152.215.0/25?

    FYI...

    What the heck is with 104.152.215.0/25?
    - http://blog.dynamoo.com/2014/11/what...152215025.html
    25 Nov 2014 - "A contact gave me the heads up to an exploit-kit running on 104.152.215.90* [virustotal] which appears to be using MS14-064** among other things [urlquery***]. 104.152.215.90 belongs to Query Foundry LLC in Wyoming, however they suballocated it to a customer... The random structure of most of the domains is an indicator of possible maliciousness. The few domains that don't meet this pattern seem to be .fr domains which look like they have been hijacked or re-registered... and oddly they are all registered to different (often obviously fake) people at the same address in France... not much data about the range, there are a couple of domains that are also flagged as malicious:
    sxzav .xyz [Google diagnostics]: http://www.google.com/safebrowsing/d...site=sxzav.xyz
    klioz .xyz [Google diagnostics]: http://www.google.com/safebrowsing/d...site=klioz.xyz
    ... there is enough evidence to treat 104.152.215.0/25 as a suspect network. It does not appear to have any legitimate sites, the sites that do exist are of an unknown purpose and often have apparently fake WHOIS details for the domains. Blocking or monitoring for traffic to and from that /25 is the easiest way of doing it..."
    * https://www.virustotal.com/en/ip-add...0/information/

    ** https://technet.microsoft.com/en-us/.../ms14-064.aspx

    *** http://urlquery.net/report.php?id=1416802220951
    ___

    Fake 'my photo' SPAM - new trojan variant
    - http://blog.mxlab.eu/2014/11/25/late...rojan-variant/
    Nov 25, 2014 - "... intercepted a new trojan distribution campaign by email with the subject “my photo”.
    This email is sent from a spoofed address and has the following body:

    my new photo

    The attached file my_iphone_photo.zip contains a folder with the 54 kB file 1my_photo.exe and the 30 kB file 2my_photo.jpg. The trojan is known as a variant of MSIL/Injector.GMB, UDS:DangerousObject.Multi.Generic, Trojan.MSIL.BVXGen or Win32.Trojan.Inject.Auto. At the time of writing, 4 of the 54 AV engines did detect the trojan at Virus Total*..."
    * https://www.virustotal.com/en/file/2...is/1416912927/

    Last edited by AplusWebMaster; 2014-11-25 at 19:17.
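
    Dynamoo's advice in the post above is to block or monitor traffic to and from the whole /25 rather than chase individual hosts. The following is an added example (not code from the post or from Dynamoo) of the monitoring half: it runs a CIDR and domain match over proxy log lines and lists the internal clients to triage. The network 104.152.215.0/25, the host 104.152.215.90 and the names sxzav.xyz and klioz.xyz are from the post; the log lines, their format (time, client, destination IP, method, URL or CONNECT target) and the client addresses are constructed. The example also shows the range boundary: a /25 covers .0 to .127, so 104.152.215.200 is outside it.

```python
"""Added example: flag proxy-log traffic to a suspect range or its domains.

The /25, the exploit-kit host and the two .xyz names come from the post; the
log format and the lines below are constructed here."""
import ipaddress
from urllib.parse import urlsplit

SUSPECT_NETS = [ipaddress.ip_network("104.152.215.0/25")]
SUSPECT_DOMAINS = {"sxzav.xyz", "klioz.xyz"}

# Constructed sample: time, client, dest IP ("-" for CONNECT), method, URL/target.
LOG = """\
2014-11-25T10:12:03Z 10.0.0.5 104.152.215.90 GET http://sxzav.xyz/index.php
2014-11-25T10:12:09Z 10.0.0.7 93.184.216.34 GET http://example.com/
2014-11-25T10:13:41Z 10.0.0.5 104.152.215.127 GET http://klioz.xyz/a.js
2014-11-25T10:14:00Z 10.0.0.9 104.152.215.200 GET http://some-host.example/
2014-11-25T10:14:30Z 10.0.0.9 - CONNECT sxzav.xyz:443
2014-11-25T10:15:02Z 10.0.0.3 garbage GET not a url
"""


def host_of(url: str) -> str:
    """Host of an absolute URL, or of a CONNECT 'host:port' target."""
    if "://" in url:
        return (urlsplit(url).hostname or "").lower()
    return url.rsplit(":", 1)[0].lower()


def in_suspect_range(ip: str, nets=SUSPECT_NETS) -> bool:
    """True when ip parses and falls inside any listed network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:        # "-" or junk in the destination column
        return False
    return any(addr in net for net in nets)


def domain_matches(host: str, domains=SUSPECT_DOMAINS) -> bool:
    """Match the host itself or any parent label against the suspect list."""
    parts = host.split(".")
    return any(".".join(parts[i:]) in domains for i in range(len(parts)))


def scan(log_text: str, nets=SUSPECT_NETS, domains=SUSPECT_DOMAINS) -> list:
    """Return one hit per log line that touches the range or its domains."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        fields = line.split(None, 4)
        if len(fields) < 5:
            continue                      # malformed line, nothing to judge
        _ts, client, dst, _method, url = fields
        reasons = []
        if in_suspect_range(dst, nets):
            reasons.append("dst_ip_in_range")
        if domain_matches(host_of(url), domains):
            reasons.append("suspect_domain")
        if reasons:
            hits.append({"line": lineno, "client": client, "dst": dst,
                         "host": host_of(url), "reasons": reasons})
    return hits


def clients_to_triage(hits: list) -> dict:
    """Collapse hits to internal clients and the reasons they were flagged."""
    out = {}
    for hit in hits:
        out.setdefault(hit["client"], set()).update(hit["reasons"])
    return out


if __name__ == "__main__":
    for hit in scan(LOG):
        print(hit)
    print(clients_to_triage(scan(LOG)))
```

    Matching on both the destination address and the hostname matters: a CONNECT to one of the domains shows no destination IP in many proxy logs, and conversely a hit on the IP alone catches the hijacked .fr names the post mentions without having to enumerate them.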
