
Thread: SPAM frauds, fakes, and other MALWARE deliveries...

  1. #581
    AplusWebMaster (Adviser Team)
    Join Date: Oct 2005
    Location: USA
    Posts: 6,881

    QuickBooks Spam

    FYI...

    QuickBooks Payment Overdue Spam
    - http://threattrack.tumblr.com/post/1...t-overdue-spam
    Nov 26, 2014 - "Subjects Seen:
    Payment Overdue
    Typical e-mail details:
    Please find attached your invoices for the past months. Remit the payment by 07/22/2014 as outlines under our “Payment Terms” agreement.
    Thank you for your business,
    Sincerely,
    Lucio Gee
    This e-mail has been sent from an automated system. PLEASE DO NOT REPLY.


    Malicious File Name and MD5:
    Invoice_[-var=partorderb].zip (A3374A3639D4F8EBF105B8FFA1ACB4D1)
    Invoice_0128648.scr (08AEA8B75143DC788A52568E823DD10E)


    Screenshot: https://gs1.wac.edgecastcdn.net/8019...uuJ1r6pupn.png

    Tagged: QuickBooks, Upatre

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #582 AplusWebMaster

    Fake HMRC SPAM - PDF malware

    FYI...

    Fake HMRC SPAM - fake PDF malware
    - http://myonlinesecurity.co.uk/hmrc-t...e-pdf-malware/
    27 Nov 2014 - "'HMRC taxes application with reference 68J9 WDWK 1NMJ P0ZA received' pretending to come from noreply@ taxreg.hmrc .gov.uk with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    The application with reference number 68J9 WDWK 1NMJ P0ZA submitted by you or your agent to register for HM Revenue & Customs (HMRC) taxes has been received and will now be verified. HMRC will contact you if further information is needed.
    The original of this email was scanned for viruses by the Government Secure Intranet virus scanning service supplied by Vodafone in partnership with Symantec. (CCTM Certificate Number 2009/09/0052.) On leaving the GSi this email was certified virus free.
    Communications via the GSi may be automatically logged, monitored and/or recorded for legal purposes.


    27 November 2014: HM Revenue & Customs – TAX.zip: Extracts to: HM Revenue & Customs – TAX.scr
    Current Virus total detections: 2/56* (same malware as THIS**). This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/5...is/1417085413/
    ... Behavioural information
    TCP connections
    95.211.199.37: https://www.virustotal.com/en/ip-add...7/information/
    83.125.22.167: https://www.virustotal.com/en/ip-add...7/information/

    ** http://myonlinesecurity.co.uk/info-s...e-pdf-malware/
    ___

    Tainted network: Crissic Solutions (167.160.160.0/19)
    - http://blog.dynamoo.com/2014/11/tain...solutions.html
    27 Nov 2014 - "Several IPs hosted on the Crissic Solutions range of 167.160.160.0/19 (suballocated from QuadraNet) have been hosting exploit kits in the past few days, leading to Cryptolocker and other nastiness. I analysed over 1500 sites hosted in the Crissic IP address range... and many sites were already marked as being -malicious- by Google, and some other sites obviously follow the same naming pattern and must be considered as malicious... Given the concentration of active malicious servers in 167.160.165.0/24 and 167.160.166.0/24 then I would recommend -blocking- your traffic to those ranges at least temporarily, despite there being legitimate sites in that range. You might choose to block the entire /19 of course, I will leave you to look at the evidence..."
    (More detail at the dynamoo URL above.)

    Last edited by AplusWebMaster; 2014-11-27 at 19:44.

  3. #583 AplusWebMaster

    Black Friday - deal or no deal

    FYI...

    Black Friday: deal or no deal
    - https://blog.malwarebytes.org/online...al-or-no-deal/
    Nov 27, 2014 - "... Spammers and scammers have risen to the occasion with deals that are too good to be true such as in this example for -fake- Gucci products. This was reported in a Tweet by Denis Sinegubko, from Unmask Parasites*
    * http://www.unmaskparasites.com/ -- https://twitter.com/unmaskparasites
    'Denis @unmaskparasites - Chinese spammers are ready for Black Friday. Found these domains in code on a hacked site: GucciBlackFridays .com, BlackFridayCDN .com'
    ... and also a security researcher at Sucuri** -- http://sucuri.net/ -- http://blog.sucuri.net/2014/11
    The site boasts incredible prices on normally very expensive merchandise... Shoppers might get fooled by the security badges and stamps, which of course are only here for show... Traffic to these -bogus- sites will come from spam or, as in this case, from compromised websites... This code resides on the compromised server and performs different checks, in particular whether the user visiting the page is real or a search engine... When Black Friday is over, the crooks will be ready to serve you special deals for Cyber Monday... There certainly are good deals to be made during this holiday season but you really ought to be careful what you click on. You might order counterfeit goods or have your banking credentials stolen and money depleted..."
    (More detail at the malwarebytes URL above.)

    - https://blog.malwarebytes.org/online...ng-made-safer/
    Nov 24, 2014

    - http://www.trendmicro.com/vinfo/us/s...cams-on-mobile
    Nov 24, 2014

    - http://www.trendmicro.com/vinfo/us/s...s-thanksgiving
    Nov 21, 2014
    ___

    Lots of Black Friday SPAM & Phishing
    - https://isc.sans.edu/diary.html?storyid=19003
    2014-11-28 23:20:46 UTC - "Likely every reader out there, their friends and family, even their pets with email accounts, have received Black Friday SPAM or phishing attempts today. Our own Dr. J sent the handlers an Amazon sample for 'One Click Black Friday Rewards'.
    Of course, that one click goes -nowhere- near Amazon and directs you to the likes of Black Fiday (yes, it's misspelled) at hXXp ://www.jasbuyersnet .com/cadillac/umbered/sedatest/styes/coleuses/unterrified.htm. Can't speak to the payload there, don't bother, just use it as ammo for heightened awareness and safe shopping on line during these holidays, and...well, all the time. Be careful out there. :-)
    Cheers and happy holidays."
    ___

    Best Buy Order Spam
    - http://threattrack.tumblr.com/post/1...buy-order-spam
    Nov 28, 2014 - "Subjects Seen:
    Details of Your Order From Best Buy
    Typical e-mail details:
    E-shop Best Buy has received an order addressed to you which has to be confirmed by the recipient within 4 days.
    Upon confirmation you may pick it in any nearest store of Best Buy.
    Detailed order information is attached to the letter.
    Wishing you Happy Thanksgiving!
    Best Buy


    Malicious File Name and MD5:
    BestBuy_Order.exe (bff17aecb3cc9b0281275f801026b75d)


    Screenshot: https://gs1.wac.edgecastcdn.net/8019...YyG1r6pupn.jpg

    Tagged: Best Buy, Kuluoz

    Last edited by AplusWebMaster; 2014-11-29 at 04:25.

  4. #584 AplusWebMaster

    Dridex Phish uses malicious word docs

    FYI...

    Dridex Phish uses malicious word docs
    - https://isc.sans.edu/diary.html?storyid=19011
    2014-12-01 - "... During the past few months, Botnet-based campaigns have sent waves of phishing emails associated with Dridex... The emails contained malicious Word documents, and with macros enabled, these documents -infected- Windows computers with Dridex malware. Various people have posted about Dridex [1] [2], and some sites like Dynamoo's blog and TechHelpList... often report on these and other phishing campaigns... On 11 Nov 2014, I saw at least 60 emails with 'Duplicate Payment Received' in the subject line. This appeared to be a botnet-based campaign from compromised hosts at various locations across the globe... Monitoring the infection traffic on Security Onion, we found alerts for Dridex traffic from the EmergingThreats signature set (ET TROJAN Dridex POST Checkin) [3]... File hashes changed during this wave of emails, indicating at least 3 different Word documents were used. During this phishing run, Dridex malware came from IP addresses in the 62.76.185.0/24 block..."
    [1] http://stopmalvertising.com/malware-...odo-bugat.html
    [2] http://www.abuse.ch/?p=8332
    [3] https://isc.sans.edu/diaryimages/images/brad5.png
    [4] http://doc.emergingthreats.net/2019478

    62.76.185.127: https://www.virustotal.com/en/ip-add...7/information/
    ___

    Fake 'New offer Job' SPAM - PDF malware
    - http://myonlinesecurity.co.uk/new-of...e-pdf-malware/
    1 Dec 2014 - "'New offer Job' with a zip attachment pretending to come from Job service <billiond8@ greatest3threeisland .com> is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    New offer for you, see attached here.

    There is also a version around with the subject of 'Tiket alert' pretending to come from FBR service <newspaperedixv@ greatest3threeisland .com>
    Look at the attached file for more information.
    Assistant Vice President, FBR service
    Management Corporation


    Both emails contain the same malware as does today’s version of 'my new photo malware'*
    1 December 2014 : tiket.zip: Extracts to: tiket.exe
    Current Virus total detections: 5/19**. This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * http://myonlinesecurity.co.uk/new-photo-malware/

    ** https://www.virustotal.com/en/file/3...is/1417475226/
    ___

    Phishing scam that hit Wall Street might work against you
    - http://arstechnica.com/security/2014...ainst-you-too/
    Dec 1 2014 - "Researchers have uncovered a group of Wall Street-savvy hacks that have penetrated the e-mail accounts of more than 100 companies, a feat that has allowed them to obtain highly valuable plans concerning corporate acquisitions and other insider information.
    > http://cdn.arstechnica.net/wp-conten...sh-640x359.jpg
    FIN4, as the group is known, relies on a set of extremely simple tactics that in many cases has allowed them to remain undetected since at least the middle of 2013, according to a report published Monday from security firm FireEye*. Members boast a strong command of the English language and knowledge of corporate finance and Fortune 500 culture. They use that savvy to send highly targeted spearphishing e-mails that harvest login credentials for Microsoft Outlook accounts. The group then uses compromised accounts of one employee, customer, or partner to send spearphishing e-mails to other company insiders. At times, the attackers will -inject- a malicious message into an ongoing e-mail discussion among multiple people, furthering their chances of success. E-mails are sent from the accounts of people the target knows, and they discuss mergers, acquisitions, or other topics already in progress. The attackers often bcc other recipients to make it more difficult to detect the malicious e-mail. The messages appear to be written by native English speakers and often contain previously exchanged Microsoft Office documents that embed hidden malicious macros. This results in fraudulent e-mails that are extremely hard to detect, even by some people who have been trained to spot such phishing campaigns... FireEye researchers said FIN4 members have compromised the accounts of C-level executives, legal counsel, regulatory and compliance personnel, scientists, and advisors of more than 100 companies. About 80 of them are publicly traded companies, while the remaining 20 are Wall Street firms that advise corporations on legal or securities matters or possible or pending mergers and acquisitions. As a result, the group stood to make a windfall if it used the insider information to buy or sell stocks before the information became widely known... 
    Embedded in the previously stolen documents are Visual Basic Applications (VBA) macros that prompt readers to enter the Outlook user names and passwords. The scripts then funnel the credentials to servers controlled by the attackers. In other, earlier cases, the spearphishing e-mails contained links to fake Outlook Web App login pages that prompted visitors to enter their passwords. Some of the attacks FireEye observed targeted multiple parties inside law firms, consultancies, and corporations as they discussed particular pending business deals. In one instance, attackers used previously acquired access to e-mail accounts at an advisory firm to harvest information being exchanged about an acquisition under consideration involving one of its clients... the best thing any potential target can do is to educate employees how to spot phishing attacks. The FIN4 attackers have just raised the bar, so chances are most education programs should be revised to help employees spot these new and improved tactics."
    * https://www.fireeye.com/blog/threat-...ing_insid.html

    - http://www.reuters.com/video/2014/12...eoId=347691634
    Dec 01, 2014
    Video: 02:09

    - http://www.computerworld.com/article...ck-market.html
    Dec 1, 2014
    > http://core0.staticworld.net/images/...large.idge.jpg

    - http://www.theregister.co.uk/2014/12...stock_markets/
    2 Dec 2014
    > http://regmedia.co.uk/2014/12/02/11223.png
    ___

    Europol and US customs seize 292 domains selling counterfeit goods
    - http://www.theinquirer.net/inquirer/...nterfeit-goods
    Dec 1, 2014 - "... Interpol in conjunction with US Immigration and Customs Enforcement has seized the domains of almost 300 websites that were selling counterfeit merchandise. The law enforcement agencies, not to mention politicians, are concerned that citizens are being taken for mugs online and cannot resist spending good money on fake rubbish... Europol said that the seizures involved 25 law enforcement agencies from 19 countries and participation from the US National Intellectual Property Rights Coordination Center... The websites offered a mix of content, ranging from luxury goods and sportswear to CDs and DVDs. The domains are now in the hands of the national governments involved in the shutdowns, and the gear is presumably facing some sort of immolation. Operation In Our Sites has closed down 1,829 domains so far..."
    ___

    O/S Market Share - Nov 2014
    - http://www.netmarketshare.com/operat...10&qpcustomd=0

    Browser Market Share - Nov 2014
    - http://www.netmarketshare.com/browse...=0&qpcustomd=0
    ___

    PoS Malware 'd4re|dev1|' attacking Ticket Machines and Electronic Kiosks
    - https://www.intelcrawler.com/news-24
    Nov 26, 2014 - "... new type of Point-of-Sale malware called “d4re|dev1|”. This new strain of malware, which is hitting Mass Transit Systems, acts as an advanced backdoor with remote administration, having RAM scraping and keylogging features. This new POS malware find adds to a growing list of POS variants being developed by underground cyber criminals because of the high ROI when they hit payloads like a Target or Home Depot. Variants recently identified and profiled by IntelCrawler include POSCLOUD, Nemanja, JackPOS, BlackPOS, and Decebal. The exploitation of merchants is taking place on a global scale as outlined by the IntelCrawler POS infection map*.
    * https://www.intelcrawler.com/analytics/pmim
    ... The malware has a “File Upload” option, which can be used for remote payload updating. The process of malware was masked under “PGTerm.exe” or “hkcmd.exe”, as well as legitimate names of software such as Google Chrome. Adversaries use this option for the installation of additional backdoors and tools, which allows them to avoid infrastructure limitations and security policies designed for detection. This broad lateral approach shows that serious cybercriminals are not interested in just one particular Point-of-Sale terminal – they are looking for enterprise wide network environments, having tens of connected devices accepting payments and returning larger sets of spoils to their C2 servers... As this POS malware market is evolving, new security measures are needed to combat the seemingly continuous strains being developed by the underground. In addition to consulting your PCI vendor, IntelCrawler strongly recommends to encapsulate any administration channels to the -VPN- as well as to limit the software environment for operators, using proper access control lists and updated security policies..."

    Last edited by AplusWebMaster; 2014-12-02 at 16:41.
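    Added example (not code from this thread or from the quoted blogs): a small triage routine for the zip-delivered "spoofed icon" attachments described in posts #582 and #584, which flags members by executable extension, by a document-looking double extension, and by the `MZ` header of a Windows executable regardless of what the name claims. The sample zip is constructed in memory; `tiket.exe` and the `TAX.scr` name come from the posts, the `.pdf.js` name is invented to show the double-extension case.

```python
"""Attachment triage for zip-wrapped executables dressed up as invoices or PDFs."""
import io
import zipfile
from dataclasses import dataclass, field

# Extensions Windows runs on double-click. Explorer hides them when
# "show known file extensions" is off, which is what the spoofed-icon trick relies on.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "wsf", "hta", "cpl", "msi"}
# Inner extensions that make a double-extension name look like a document.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "rtf", "txt", "jpg", "png"}
MAX_SNIFF = 2  # bytes read from each member for the PE magic check


@dataclass
class Verdict:
    member: str
    executable_ext: bool = False
    double_ext: bool = False
    pe_header: bool = False
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return self.executable_ext or self.double_ext or self.pe_header


def classify_name(name: str) -> Verdict:
    """Name-based checks: executable extension, document-looking double extension."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    parts = base.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    v = Verdict(member=base)
    if ext in EXECUTABLE_EXTS:
        v.executable_ext = True
        v.reasons.append(f"'.{ext}' is executable (hidden by Explorer when known extensions are hidden)")
    if len(parts) > 2 and parts[-2] in DOCUMENT_EXTS:
        v.double_ext = True
        v.reasons.append(f"double extension '.{parts[-2]}.{ext}' mimics a document")
    return v


def triage_zip(data: bytes) -> list:
    """Inspect every member of an attachment without extracting anything to disk."""
    verdicts = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            v = classify_name(info.filename)
            with zf.open(info) as fh:
                magic = fh.read(MAX_SNIFF)
            if magic == b"MZ":  # DOS/PE stub: a Windows executable whatever the name says
                v.pe_header = True
                v.reasons.append("content starts with 'MZ' (Windows executable)")
            verdicts.append(v)
    return verdicts


def build_sample_zip(members: dict) -> bytes:
    """Build an in-memory zip from {name: bytes}; used only for the constructed sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample, not a real capture: the first two names are taken from the
# posts above, the contents are stand-in bytes; the .pdf.js name is invented.
SAMPLE_ZIP = build_sample_zip({
    "tiket.exe": b"MZ\x90\x00" + b"\x00" * 60,
    "HM Revenue & Customs - TAX.scr": b"MZ\x90\x00" + b"\x00" * 60,
    "Invoice_20141201.pdf.js": b"// placeholder script body",
    "readme.txt": b"plain text",
})


if __name__ == "__main__":
    for v in triage_zip(SAMPLE_ZIP):
        flag = "SUSPICIOUS" if v.suspicious else "ok"
        print(f"{flag:10s} {v.member}: {'; '.join(v.reasons) or 'no findings'}")
```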

  5. #585 AplusWebMaster

    Fake Walmart 'Order Details', 'Voice Message from Message Admin' SPAM...

    FYI...

    Fake Walmart 'Order Details' SPAM opens malware site
    - http://www.hoax-slayer.com/walmart-o...-malware.shtml
    Dec 2, 2014 - "Email purporting to be from Walmart claims that you can click a link to read more information about a recent order. The email is a scam... Clicking the link opens a website that contains malware. This attack is very similar to another malware campaign in which -bogus- emails claim to be from Costco*...
    > http://www.hoax-slayer.com/images/wa...-malware-1.jpg
    This email, which claims to be from retail giant Walmart, advises that your order is ready to be picked up at any local store. It invites you to -click-a-link- to find out more information about the supposed order... the email is -not- from Walmart and has nothing to do with any order you have made. The goal of the email is simply to trick you into clicking the link. If you receive this email, you may be concerned that fraudulent purchases have been made in your name and click the link in the hope of finding out more details... the link opens a compromised website that harbours malware. In some versions, the malicious download may start automatically. In other cases, a notice on the website may instruct you to download a file to view the order information. Generally, the download will be a .zip file that contains a .exe file inside. Clicking the .exe file will install the malware on your computer. The exact malware payload delivered in such attacks may vary... This attack closely mirrors another current malware campaign that uses emails that falsely claim to be from Costco*. Again, the email claims that you can get information about recent purchase by clicking a link. Clicking downloads a .zip file that contains malware."
    * http://www.hoax-slayer.com/costco-or...-malware.shtml
    Nov 28, 2014
    > http://www.hoax-slayer.com/images/co...-malware-2.jpg
    ___

    Fake 'FEDEX TRACK' 'FEDEX INFO' SPAM - contains trojan
    - http://blog.mxlab.eu/2014/12/02/fake...ntains-trojan/
    Dec 2, 2014 - "... intercepted a new trojan distribution campaign by email with the subjects like:
    - Ezekiel Francis your agent FEDEX
    - Bullock, Tiger P. agent FEDEX
    - Quin Greer FEDEX company
    This email is sent from the -spoofed- address “FEDEX TRACK <******@ care .it>”, FEDEX INFO <fedexservice@ care .info> or “FEDEX INFO <fedextechsupport@ care .org>” and has the following body:
    Dear Customer!
    We attempted to deliver your package on December 2th, 2014, 10:50 AM.
    The delivery attempt failed because the address was business closed or nobody could sign for it.
    To pick up the package,please, print the invoice that is attached to this email and visit Fedex location indicated in the receipt.
    If the package is not picked up within 48 hours, it will be returned to the shipper.
    Label/Receipt Number: 45675665665
    Expected Delivery Date: December 2th, 2014
    Class: International Package Service
    Service(s): Delivery Confirmation
    Status: Notification sent
    Thank you ...


    The attached file Package.zip contains the 180 kB large file 45675665665.scr... At the time of writing, 3 of the 54 AV engines did detect the trojan at Virus Total*..."
    * https://www.virustotal.com/en/file/3...bd3b/analysis/
    ___

    Iran hacks target airlines, energy, defense companies
    - http://www.reuters.com/article/2014/...0JG18I20141202
    Dec 2, 2014 - "Iranian hackers have infiltrated major airlines, energy companies, and defense firms around the globe over the past two years in a campaign that could eventually cause physical damage, according to U.S. cyber security firm Cylance*. The report comes as governments scramble to better understand the extent of Iran's cyber capabilities, which researchers say have grown rapidly as Tehran seeks to retaliate for Western cyber attacks on its nuclear program... The California-based company said its researchers uncovered breaches affecting more than 50 entities in 16 countries, and had evidence they were committed by the same Tehran-based group that was behind a previously reported 2013 cyber attack on a U.S. Navy network. It did not identify the companies targeted, but said they included major aerospace firms, airports and airlines, universities, energy firms, hospitals, and telecommunications operators based in the United States, Israel, China, Saudi Arabia, India, Germany, France, England and others. Cylance said it had evidence the hackers were Iranian, and added the scope and sophistication of the attacks suggested they had state backing... Cylance Chief Executive Stuart McClure said the Iranian hacking group has so far focused its campaign - dubbed Operation Cleaver - on intelligence gathering, but that it likely has the ability to launch attacks. He said researchers who succeeded in gaining access to some of the hackers' infrastructure found massive databases of user credentials and passwords from organizations including energy, transportation, and aerospace companies, as well as universities. He said they also found diagrams of energy plants, screen shots demonstrating control of the security system for a major Middle Eastern energy company, and encryption keys for a major Asian airline... Cylance said its researchers also obtained hundreds of files apparently stolen by the Iranian group from the U.S. Navy's Marine Corps Intranet (NMCI). U.S. government sources had confirmed that Iran was behind the 2013 NMCI breach..."
    * http://blog.cylance.com/operation-cl...-is-everything
    Dec 2, 2014
    - http://www.cylance.com/operation-cle...9-4b051299b3ea
    ___

    Fake 'Voice Message from Message Admin' SPAM - leads to malware
    - http://blog.mxlab.eu/2014/12/01/fake...ds-to-malware/
    Dec 1, 2014 - "... intercepted a new trojan distribution campaign by email with the subject 'Voice Message #0174669888' (number will vary). This email is sent from the -spoofed- address 'Message Admin <NoRepse@ voiceservice .com>' and has the following body:

    Voice redirected message
    hxxp ://www.studio37kriswhite .com/voicemail/listen.php
    Sent: Mon, 1 Dec 2014 19:06:35 +0000

    Voice redirected message
    hxp ://thepinkcompany .com/voicemail/listen.php
    Sent: Mon, 1 Dec 2014 20:10:47 +0000


    The embedded URL leads to a web page with JavaScript that uses an ActiveXObject to download the file voice646-872-8712_wav.zip. Once extracted, the 43 kB large file voice646-872-8712_wav.exe is present. The trojan is known as W32.HfsAutoA.631F, Trojan.DownLoader11.46947, UDS:DangerousObject.Multi.Generic, Upatre.FE or BehavesLike.Win32.Backdoor.pz.
    The trojan is capable of starting a listening server, making HTTP requests, fingerprinting a system and communicating outbound. A service bowmc.exe will be installed, TCP port 1034 will be opened and connections to the IP on ports 21410 and 21397 will be opened for outbound traffic. At the time of writing, 8 of the 55* AV engines did detect the trojan at Virus Total..."
    * https://www.virustotal.com/en/file/8...is/1417468098/
    ... Behavioural information
    TCP connections
    192.186.219.137: https://www.virustotal.com/en/ip-add...7/information/
    UDP communications
    91.200.16.56: https://www.virustotal.com/en/ip-add...6/information/
    91.200.16.37: https://www.virustotal.com/en/ip-add...7/information/

    Last edited by AplusWebMaster; 2014-12-03 at 00:49.

  6. #586 AplusWebMaster

    Malware on Crissic Solutions, Fake 'Fedex Unable to deliver your item' SPAM

    FYI...

    More malware on Crissic Solutions LLC
    - http://blog.dynamoo.com/2014/12/more...tions-llc.html
    3 Dec 2014 - "Another bunch of IPs on Crissic Solutions LLC, leading to what appears to be the Angler EK (see this URLquery report*):
    167.160.164.102: https://www.virustotal.com/en/ip-add...2/information/
    167.160.164.103: https://www.virustotal.com/en/ip-add...3/information/
    167.160.164.141: https://www.virustotal.com/en/ip-add...1/information/
    167.160.164.142: https://www.virustotal.com/en/ip-add...2/information/
    ... domains are being exploited (although there will probably be more soon)... Subdomains in use start with one of qwe. or asd. or zxc... Crissic Solutions LLC operates 167.160.160.0/19 which does have some legitimate sites in it, but since I have previously recommended** blocking 167.160.165.0/24 and 167.160.166.0/24 and now with -multiple- servers on 167.160.164.0/24 also compromised then I suspect that temporarily blocking the entire /19 is the way to go."
    * http://urlquery.net/report.php?id=1417554412643

    ** http://blog.dynamoo.com/2014/11/tain...solutions.html
    ___

    Fake 'Fedex Unable to deliver your item' SPAM - malware
    - http://myonlinesecurity.co.uk/fedex-...86182-malware/
    3 Dec 2014 - "'FedEx Unable to deliver your item, #00486182' pretending to come from FedEx International Economy with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    FedEx ®
    Dear Customer,
    We could not deliver your parcel.
    Please, open email attachment to print shipment label.
    Regards,
    Francis Huber,
    Delivery Agent.
    (C) 2014 FedEx. The content of this message is protected by copyright and trademark laws. All rights reserved.


    3 December 2014: Label_00486182.zip: Extracts to: Label_00486182.doc.js
    Current Virus total detections: 4/55* ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/8...is/1417611902/
    ___

    Be Wary of ‘Order Confirmation’ Emails
    - http://krebsonsecurity.com/2014/12/b...mation-emails/
    Dec 3, 2014 - "If you receive an email this holiday season asking you to “confirm” an online e-commerce order or package shipment, please resist the urge to -click- the included -link- or attachment: Malware purveyors and spammers are blasting these missives by the millions each day in a bid to trick people into giving up control over their computers and identities.
    'Order confirmation' malware email blasted out by the Asprox spam botnet:
    >> http://krebsonsecurity.com/wp-conten...ox-600x273.png
    Seasonal scams like these are a perennial scourge of the holidays, mainly because the methods they employ are reliably successful. Crooks understand that it’s easier to catch would-be victims off-guard during the holidays. This goes even for people who generally know better than to click on links and attachments in emails that spoof trusted brands and retailers, because this is a time of year when many people are intensely focused on making sure their online orders arrive before Dec. 25:
    This Asprox malware email poses as a notice about a wayward package from a WalMart order.
    >> http://krebsonsecurity.com/wp-conten...ox-600x308.png
    According to Malcovery*, a company that closely tracks email-based malware attacks, these phony “order confirmation” spam campaigns began around Thanksgiving, and use both booby-trapped links and attached files in a bid to infect recipients’ Windows PCs with the malware that powers the Asprox spam botnet. Asprox is a nasty Trojan that harvests email credentials and other passwords from infected machines, turns the host into a zombie for relaying junk email...
    Target is among the many brands being spoofed by Asprox this holiday season:
    >> http://krebsonsecurity.com/wp-conten...ox-600x373.png
    ... do not click the embedded links or attachments..."

    * http://blog.malcovery.com/blog/aspro...liday-shoppers
    Dec 3, '14

    Last edited by AplusWebMaster; 2014-12-04 at 00:52.
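    Added example (not code from this thread or from Dynamoo's or ISC's posts): the block recommendations quoted in posts #582, #584 and #586 turned into a checkable list, with a scan over constructed connection-log lines and the choice Dynamoo leaves open between the three Crissic /24s and the whole 167.160.160.0/19. The five-column log format is an assumption made for the sample; the rendered iptables lines use only the standard `-A OUTPUT -d ... -j DROP` form.

```python
"""Flag outbound connections to the address ranges recommended for blocking above."""
import ipaddress
from collections import namedtuple

# CIDRs and the reason quoted in the posts above (dates are the post dates).
BLOCK_RANGES = {
    "167.160.164.0/24": "Crissic Solutions LLC, Angler EK hosts (Dynamoo, 3 Dec 2014)",
    "167.160.165.0/24": "Crissic Solutions LLC, exploit kits (Dynamoo, 27 Nov 2014)",
    "167.160.166.0/24": "Crissic Solutions LLC, exploit kits (Dynamoo, 27 Nov 2014)",
    "62.76.185.0/24": "Dridex download hosts (ISC diary, 1 Dec 2014)",
}
# The broader option Dynamoo mentions: Crissic's whole allocation, legitimate sites included.
CRISSIC_19 = ipaddress.ip_network("167.160.160.0/19")

Hit = namedtuple("Hit", "ts src dst net why")


def block_nets(block_entire_crissic_19: bool = False):
    """Return [(network, reason)]; with the flag set, the Crissic /24s collapse into the /19."""
    nets = []
    for cidr, why in BLOCK_RANGES.items():
        net = ipaddress.ip_network(cidr)
        if block_entire_crissic_19 and net.subnet_of(CRISSIC_19):
            continue
        nets.append((net, why))
    if block_entire_crissic_19:
        nets.append((CRISSIC_19, "Crissic Solutions LLC, whole /19 (Dynamoo, 3 Dec 2014)"))
    return nets


def match(ip: str, nets=None):
    """Return (cidr, reason) if ip falls inside a blocked range, else None."""
    if nets is None:
        nets = block_nets()
    addr = ipaddress.ip_address(ip)
    for net, why in nets:
        if addr in net:
            return str(net), why
    return None


def scan_log(lines, nets=None):
    """Scan 'ts src dst dport proto' lines and return a Hit for each blocked destination."""
    if nets is None:
        nets = block_nets()
    hits = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, _dport, _proto = line.split()
        m = match(dst, nets)
        if m:
            hits.append(Hit(ts, src, dst, m[0], m[1]))
    return hits


def iptables_rules(block_entire_crissic_19: bool = False):
    """Render the block list as iptables OUTPUT rules, one per range."""
    return [f"iptables -A OUTPUT -d {net} -j DROP  # {why}"
            for net, why in block_nets(block_entire_crissic_19)]


# Constructed sample log, not a real capture. 167.160.164.102 and 62.76.185.127 are
# addresses quoted in the posts; the rest are stand-ins (167.160.170.9 sits inside the
# /19 but outside the three /24s, to show the difference between the two options).
SAMPLE_LOG = """\
# ts src dst dport proto
2014-12-03T10:15:02Z 10.0.0.15 167.160.164.102 80 TCP
2014-12-03T10:15:09Z 10.0.0.15 93.184.216.34 443 TCP
2014-12-01T14:30:00Z 10.0.0.8 62.76.185.127 80 TCP
2014-12-03T11:00:12Z 10.0.0.15 167.160.170.9 80 TCP
""".splitlines()


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG, block_nets(block_entire_crissic_19=True)):
        print(f"{h.ts} {h.src} -> {h.dst} in {h.net}: {h.why}")
    print("\n".join(iptables_rules()))
```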

  7. #587 AplusWebMaster

    Something evil on 46.161.30.0/24, FedEx phish ...

    FYI...

    Something evil on 46.161.30.0/24
    - http://blog.dynamoo.com/2014/12/some...616130024.html
    4 Dec 2014 - "The IP address range of 46.161.30.0/24 (KolosokIvan-net) appears to be dedicated purely to providing phone-home servers for TorrentLocker or some other similar malware. In the past, this IP range has hosted various sites which have moved off... There are no legitimate sites in this network range, so I strongly recommend that you -block- the entire 46.161.30.0/24 range."
    (More detail at the dynamoo URL above.)
    ___

    Fake 'Quickbooks intuit unpaid invoice' SPAM - PDF malware
    - http://myonlinesecurity.co.uk/quickb...e-pdf-malware/
    4 Dec 2014 - "'Quickbooks intuit unpaid invoice' with a zip attachment pretending to come from Elena.Lin@ intuit .com <Elena.Lin@ quickbooks .com> is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    Please review the attached invoice and pay this invoice at your earliest convenience. Feel free to contact us if you have any
    questions.
    Thank you.


    4 December 2014 : invoice72.zip: Extracts to: invoice72.scr
    Current Virus total detections: 6/55* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/3...is/1417726300/
    ... Behavioural information
    TCP connections
    80.248.222.238: https://www.virustotal.com/en/ip-add...0/information/
    198.58.84.150: https://www.virustotal.com/en/ip-add...0/information/
    UDP communications
    198.27.81.168: https://www.virustotal.com/en/ip-add...8/information/
    192.95.17.62: https://www.virustotal.com/en/ip-add...2/information/
    ___

    Fake 'FedEx Delivery' confirmation - phishing 419 SCAM
    - http://myonlinesecurity.co.uk/fedex-...hing-419-scam/
    4 Dec 2014 - "'FedEx Delivery Notification. (Confirmation)' pretending to come from FedEx Courier Delivery <FedExdelivery@ FedEx .com> is a phishing scam. When I first saw these emails start to come in, I thought it was a follow on to the current malware spreading campaign Fedex Unable to deliver your item, #00486182 malware but no, it is a pure and simple phishing scam trying to get you to voluntarily give your details. It is most likely a 419 scam which will ask for a fee to expedite the delivery. Just look at all the spelling and grammar mistakes in the email, but of course most victims just don’t read emails closely, just blindly follow instructions and do what is asked without thinking. Email looks like:

    Screenshot: http://myonlinesecurity.co.uk/wp-con...very_phish.jpg

    ... it appears to come from a friend or is more targeted at somebody who regularly is likely to receive PDF attachments or Word .doc attachments or any other common file that you use every day. Or whether it is a straight forward attempt, like this one, to steal your personal, bank, credit card or email and social networking log in details..."
    ___

    Fake Air Canada emails with ticket and flight confirmation leads to malicious ZIP file
    - http://blog.mxlab.eu/2014/12/03/new-...ious-zip-file/
    Dec 3, 2014 - "... intercepted a new trojan distribution campaign by email with the subjects like:
    Order #70189189901 successfully – Ticket and flight details
    Order #70189101701 paid – E-ticket and flight details
    This email is sent from the -spoofed- address “Aircanada .com” <tickets@ aircanada .com>” and has the following body:
    Dear client,
    Your order has been successfully processed and your credit card charged.
    ELECTRONIC TICKET – 70189101701
    FLIGHT – QB70189101701CA
    DATE / TIME – Dec 4th 2014, 15:30
    ARRIVING – Quebec
    TOTAL PRICE / 575.00 CAD
    Your ticket can be downloaded and printed from the following URL: ...
    hxxps ://www.aircanada .com/travelInformation/viewOrderInfo.do?ticket_number=70189101701& view_pdf=yes
    For information regarding your order, contact us by visiting our website: ...
    Thank you for choosing Air Canada


    The embedded URL does -not- point the browser to the real web site address but to hxxp ://ravuol .com/wp-content/plugins/revslider/temp/update_extract/revslider/pdf_ticket_QB70189189901CA.zip. Once this file is extracted you will have the 209 kB large file pdf_ticket_QB70189189901CA.pif. The trojan is known as Trojan.MalPack or a variant of Win32/Injector.BQPL. This trojan has the ability to fingerprint the system, start a server listening on the local machine, create Zeus mutexes, install itself to autorun, and modify local firewall and policies. At the time of writing, 2 of the 52* AV engines did detect the trojan at Virus Total..."
    * https://www.virustotal.com/en/file/8...96fb/analysis/

    ravuol .com / 192.232.218.114: https://www.virustotal.com/en/ip-add...4/information/

    Last edited by AplusWebMaster; 2014-12-05 at 02:23.

  8. #588
    AplusWebMaster

    Fake Voicemail, Remittance Advice SPAM

    FYI...

    Fake Voicemail SPAM - wav malware
    - http://myonlinesecurity.co.uk/stuart...e-wav-malware/
    5 Dec 2014 - "'Voicemail Message (01438351556>Night Message) From:01438351556' pretending to come from stuartclark146@ gmx .com with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:

    IP Office Voicemail redirected message

    5 December 2014: voicemsg.wav.zip : Extracts to: voicemsg.exe
    Current Virus total detections: 3/55* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper wav (sound) file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/a...is/1417779780/
    ___

    Fake Remittance Advice SPAM
    - http://blog.dynamoo.com/2014/12/k-j-...ce-advice.html
    5 Dec 2014 - "... The spam comes with an Excel spreadsheet which contains a malicious macro.
    Some sample spams are as follows:
    From: Brenton Glover
    Date: 5 December 2014 at 07:20
    Subject: Remittance Advice for 430.57 GBP
    Please find attached a remittance advice for recent BACS payment.
    Any queries please contact us.
    Brenton Glover
    Senior Accounts Payable Specialist
    K J Watking & Co


    I have seen two versions of these, neither of which are detected as malicious by any vendors [1] [2]. Each spreadsheet contains a different but similar malicious macro... which then download a binary... Recommended blocklist:
    194.146.136.1
    84.92.26.50
    79.137.227.123
    124.217.199.218
    "
    1] https://www.virustotal.com/en/file/8...is/1417773044/

    2] https://www.virustotal.com/en/file/a...is/1417773050/

    - http://myonlinesecurity.co.uk/k-j-wa...excel-malware/
    5 December 2014 : BAC_002163F.xls (253KB) - Current Virus total detections: 0/55*
    * https://www.virustotal.com/en/file/6...is/1417779426/
    5 December 2014 : BAC_644385B.xls (290KB) - Current Virus total detections: 0/55**
    ** https://www.virustotal.com/en/file/a...is/1417779139/

    - http://blog.mxlab.eu/2014/12/05/emai...ious-xls-file/
    Dec 5, 2014
    > https://www.virustotal.com/en/file/3...is/1417768835/
    ___

    Fake Order/Invoice SPAM - malicious .doc attachment
    - http://blog.dynamoo.com/2014/12/math...couk-spam.html
    5 Dec 2014 - "This -spam- came through into my mailbox horribly mangled and needed some assembly to make it malicious (everything was in a Base 64 attachment). After some work it appears to have a malicious Word document attached.
    From: Mathew Doleman [order@ lightmoorhomes .co .uk]
    Date: 5 December 2014 at 08:32
    Subject: Order no. 98348936010
    Thank you for using our services!
    Your order #98348936010 will be shipped on 08-12-2014.
    Date: December 04, 2014
    Price: 177.69
    Payment method: Credit card
    Transaction number: OVFTMZERLXVNPXLPXB
    Please find the detailed information on your purchase in the attached file (2014-12-4_12-32-28_98348936010.doc)
    Best regards,
    Sales Department
    Mathew Doleman
    +07966 566663


    The attachment is 2014-12-4_12-32-28_98348936010.doc which looks like an old-style .DOC file, but is actually a newer format .DOCX document, which is poorly detected by AV vendors* ... Some investigation shows that it contains a malicious macro... The macro downloads a file from http ://hiro-wish .com/js/bin.exe which is completely undetected by any AV vendor** at present... The VirusTotal report** shows it phoning home to:
    46.4.232.200 (Dmitry Zheltov / Hetzner, Germany)
    Recommended blocklist:
    203.172.141.250
    46.4.232.200
    74.208.11.204
    hiro-wish .com
    "
    * https://www.virustotal.com/en/file/c...is/1417776108/

    ** https://www.virustotal.com/en/file/e...is/1417775973/
    ___

    Fake 'Package delivery failed' SPAM - PDF malware
    - http://myonlinesecurity.co.uk/packag...e-pdf-malware/
    5 Dec 2014 - "'Package delivery failed' pretending to come from Canada Post with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    From: Canada Post [mailto:shipping@ canadapost .ca]
    Sent: December 5, 2014 2:31
    To: e-Bills – [redacted]
    Subject: Package delivery failed
    Image removed by sender.
    Dear customer,
    A delivery attempt has been made on December 3rd, 2014.
    The delivery failed because nobody was present at the receiver’s address.
    Redelivery can be arranged by visiting our nearest office and presenting a printed copy of the shipping invoice.
    TRACKING Number: 3765490000465274
    Originating from : RICHMOND
    The shipping invoice, necessary for the redelivery arrangements can be automatically downloaded by visiting the tracking section, in our website: ...


    5 December 2014: canpost_3765490000465274_trk.zip: Extracts to:
    canpost_3765490000465274_trk.pif . Current Virus total detections: 5/55*
    ... All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/4...is/1417725574/
    ___

    Halifax phish...
    - http://myonlinesecurity.co.uk/halifax-phishing/
    5 Dec 2014 - "This Halifax phishing attempt starts with an email saying 'Your Account' pretending to come from Halifax <update@halifax .co .uk> is one of the latest phish attempts to steal your Bank, credit card and personal details. This one only wants your personal details, and your credit card and bank details. Many of them are also designed to specifically steal your email, facebook and other social network log in details as well:
    1] http://myonlinesecurity.co.uk/wp-con...hish_email.jpg
    ...
    2] http://myonlinesecurity.co.uk/wp-con..._fake-site.jpg
    ... the phishers try to validate your details to make sure that you are entering “genuine ” information. They make sure that the bank account numbers have the correct number of digits and that the credit card numbers have the correct number of digits and format..."

    Last edited by AplusWebMaster; 2014-12-06 at 03:53.

  9. #589
    AplusWebMaster

    Fake Invoice, Transaction SPAM - malicious doc, zip attachment

    FYI...

    Fake Invoice SPAM - malicious doc attachment
    - http://blog.dynamoo.com/2014/12/soo-...-power-ec.html
    8 Dec 2014 - "... this -fake- invoice comes with a malicious Word document attached.
    From: soo.sutton966@ powercentre .com
    Date: 8 December 2014 at 10:57
    Subject: INVOICE 224245 from Power EC Ltd
    Please find attached INVOICE number 224245 from Power EC Ltd


    Attached are one of two Word documents -both- with the name 224245.doc but with slightly different macros. Neither are currently detected by any AV vendors [1] [2]. Inside the DOC is one of two malicious macros... which then downloads an executable from one of the following locations:
    http ://aircraftpolish .com/js/bin.exe
    http ://gofoto .dk/js/bin.exe
    This file is then saved as %TEMP%\CWRSNUYCXKL.exe and currently has zero detections at VirusTotal. The ThreatExpert report shows that it connects to:
    203.172.141.250 (Ministry of Education, Thailand)
    74.208.11.204 (1&1 Internet, US)
    According to the Malwr report this executable drops a DLL with a slightly better detection rate of 5/53*.
    Recommended blocklist:
    203.172.141.250
    74.208.11.204
    aircraftpolish .com
    gofoto .dk
    "
    1] https://www.virustotal.com/en/file/6...is/1418035603/

    2] https://www.virustotal.com/en/file/8...ed22/analysis/

    * https://www.virustotal.com/en/file/8...is/1418037172/

    - http://myonlinesecurity.co.uk/please...d-doc-malware/
    8 Dec 2014
    ___

    Fake 'Transaction confirmation' SPAM - doc malware
    - http://myonlinesecurity.co.uk/shippi...d-doc-malware/
    8 Dec 2014 - "'Shipping status: Transaction confirmation' with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The subjects include (all having random numbers, senders, sales clerks' names, telephone numbers, order numbers and amounts. Most pretend to come from sale@ or order@ <random company>)
    Shipping status: Transaction confirmation: 77951286043
    Order info: 50664959001
    Payment info: 22908714125
    Payment confirmation: 6322896965


    They look like:
    Shipping status: Transaction confirmation: 77951286043
    Greetings,
    Your order #77951286043 will be shipped on 16.12.2014.
    Date: December 08, 2014. 01:27pm
    Price: £163.10
    Transaction number: 43595D828F1A5A
    Please find the detailed information on your purchase in the attached file order2014-12-08_77951286043.zip
    Yours truly,
    Sales Department
    Keisha Konick ...

    -or-
    Hello,
    Your order #50664959001 will be shipped on 17-12-2014.
    Date: December 08, 2014. 01:49pm
    Price: £181.71
    Transaction number: 1E51D75638EEDA4499
    Please find the detailed information on your purchase in the attached file item2014-12-08_50664959001.zip
    Kind regards,
    Sales Department
    Sanjuanita Mandeville ...


    Every single attachment received so far today (and there are hundreds) has a different file # so it is difficult to get a viable detection rate at Virus total. The zip attachment extracts to another zip & then to a scr file with an icon looking like it is a word doc.
    8 December 2014: order2014-12-08_77951286043.zip: Extracts to: sale2014-12-08_97164185939.scr
    Current Virus total detections: 3/55* .
    8 December 2014: item2014-12-08_24831482215.zip: Extracts to: item2014-12-08_79359848638.scr
    Current Virus total detections: 5/55**
    This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper word doc file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/8...is/1418050446/
    ... Behavioural information
    TCP connections
    157.56.96.55: https://www.virustotal.com/en/ip-add...5/information/
    213.186.33.19: https://www.virustotal.com/en/ip-add...9/information/
    95.101.0.96: https://www.virustotal.com/en/ip-add...6/information/
    195.60.214.11: https://www.virustotal.com/en/ip-add...1/information/
    217.16.10.3: https://www.virustotal.com/en/ip-add...3/information/
    74.208.11.204: https://www.virustotal.com/en/ip-add...4/information/

    ** https://www.virustotal.com/en/file/8...is/1418050480/
    ... Behavioural information
    TCP connections
    191.232.80.55: https://www.virustotal.com/en/ip-add...5/information/
    213.186.33.19: https://www.virustotal.com/en/ip-add...9/information/
    95.101.0.90: https://www.virustotal.com/en/ip-add...1/information/
    195.60.214.11: https://www.virustotal.com/en/ip-add...1/information/
    217.16.10.3: https://www.virustotal.com/en/ip-add...3/information/
    74.208.11.204: https://www.virustotal.com/en/ip-add...4/information/
    ___

    Fake HSBC Advising SPAM - leads to malware
    - http://blog.mxlab.eu/2014/12/08/fake...ds-to-malware/
    Dec 8, 2014 - "... intercepted a new trojan distribution campaign by email with the subject “Payment Advice – Advice Ref:[GB659898] / CHAPS credits” (number in subject will vary). This email is sent from the spoofed address “HSBC Advising Service <advising.service@ hsbc .com>” and has the following body:
    Sir/Madam,
    Please download document from dropbox, payment advice is issued at the request of our customer. The advice is or your reference only.
    Download link: ...
    Yours faithfully,
    Global Payments and Cash Management
    HSBC ...


    In this sample, the embedded URL directs us to hxxp ://paparellalogistica .it/banking/document.php where the file documentXXX.zip (name contains number that will vary) is downloaded. The trojan is known as Upatre-FAAJ!BADD639EC640, HB_Arkam or Virus.Win32.Heur.c. The trojan will create a new service gtpwz.exe on the system, modify some Windows registry and can connect to the IP 62.210.204.149 on port 33294 and 33321 for outbound traffic. At the time of writing, 5 of the 53* AV engines did detect the trojan at Virus Total..."
    * https://www.virustotal.com/en/file/2...0b9a/analysis/
    ... Behavioural information
    TCP connections
    62.210.204.149: https://www.virustotal.com/en/ip-add...9/information/
    188.132.235.180: https://www.virustotal.com/en/ip-add...0/information/
    UDP communications
    208.97.25.20: https://www.virustotal.com/en/ip-add...0/information/
    208.97.25.6: https://www.virustotal.com/en/ip-add...6/information/

    Last edited by AplusWebMaster; 2014-12-09 at 03:13.

  10. #590
    AplusWebMaster

    Something evil on 5.196.33.8/29, Phishing SCAM

    FYI...

    Something evil on 5.196.33.8/29
    - http://blog.dynamoo.com/2014/12/some...519633829.html
    9 Dec 2014 - "This Tweet* from @Kafeine about the Angler EK drew my attention to a small block of OVH UK addresses of 5.196.33.8/29 which appear to be completely dedicated to distributing malware.
    Specifically, VirusTotal lists badness on the following IPs:
    5.196.33.8: https://www.virustotal.com/en/ip-add...8/information/
    5.196.33.9: https://www.virustotal.com/en/ip-add...9/information/
    5.196.33.10: https://www.virustotal.com/en/ip-add...0/information/
    There are also some doubtful looking IP addresses on 5.196.33.15** which may well have a malicious purpose... suggest that you treat them as malicious.
    Recommended blocklist:
    5.196.33.8/29 ..."
    (Long list at the dynamoo URL at the top of this post.)
    * https://twitter.com/kafeine/status/541550193649680385

    ** https://www.virustotal.com/en/ip-add...5/information/
    ___

    Fake 'UPS Customer Service' SPAM - PDF malware
    - http://myonlinesecurity.co.uk/ups-cu...e-pdf-malware/
    9 Dec 2014 - "'UPS Customer Service' pretending to come from UPS Customer Service [mailto:upsdi@ ups .com] is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    From: UPS Customer Service [mailto:upsdi@ ups .com]
    Sent: December 9, 2014 11:25
    To: [redacted]
    Subject: [SPAM] UPS Customer Service
    IMPORTANT DELIVERY
    Dear [redacted]
    You have received an important delivery from UPS Customer Service.
    Please pick up the ePackage at the following Web address:
    The ePackage will expire on Thursday December 11, 2014, 00:00:00 EDT
    …………………………………………………………….
    HOW TO PICK UP YOUR ePackage
    * If the Web address above is highlighted, click on it to open a browser window. You will automatically be taken to the ePackage.
    * If the Web address above is not highlighted, then follow these steps:
    – Open a web browser window.
    – Copy and paste the entire Web address into the ‘location’ or ‘address’ bar of the browser.
    – Press enter.
    Once you arrive at the ePackage web page, you can access the attached files and/or private message.
    …………………………………………………………….
    If you require assistance please contact UPS Customer Service.
    Please note: This e-mail was sent from an auto-notification system that cannot accept incoming e-mail. Please do not reply to this message.
    This e-mail is intended for the addressee shown. It contains information that is confidential and protected from disclosure. Any review,
    dissemination or use of this transmission or its contents by persons or unauthorized employees of the intended organizations is strictly prohibited.
    __________________________________
    Delivered by UPS ePackage


    9 December 2014: ePackage_12092014_42.pdf.zip: Extracts to: ePackage_12092014_42.pdf.scr
    Current Virus total detections: 0/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/8...is/1418149697/
    ... Behavioural information
    TCP connections
    54.225.211.214: https://www.virustotal.com/en/ip-add...4/information/
    194.150.168.70: https://www.virustotal.com/en/ip-add...0/information/
    ___

    Phishing SCAM - 'Your Email Address Transmitting Viruses'
    - http://www.hoax-slayer.com/email-add...phishing.shtml
    Dec 9, 2014 - "... The email is -not- from any email administrator or service provider. It is a phishing scam designed to steal your account login details via a fake login form. If you click the link and login on the -fake- site, your email account may be hijacked by criminals and used for spam and scam campaigns... Example:

    Subject: Take note [email address removed]: Your email address will be terminated now
    Dear [email address removed]
    Your email address (removed) has been transmitting viruses to our servers and will be deactivated permanently if not resolved.
    You are urgently required to sanitize your email or your access to email services will be terminated
    Click here now to scan and sanitize your e-mail account
    Note that failure to sanitize your email account immediately will lead to permanent deactivation without warning.
    We are very sorry for the inconveniences this might have caused you and we assure you that everything will return to normal as soon as you have done the needful.
    Admin


    According to this email, which claims - rather vaguely - to be from 'Admin', your email has been transmitting viruses to the sender's servers. The email warns that your account will be deactivated permanently if you do not resolve the issue. The message instructs you to 'urgently' click a link to run a scan and 'sanitize your e-mail account'... Clicking the link takes you to a fraudulent webpage that includes a stolen Norton Antivirus logo and a login box (See screenshot below*). The page instructs you to login with your email address and password to run a 30 second scan. After 'logging in', a 'Please wait - scanning' message will be displayed for a few seconds. Finally, a 'Scan Complete' message will be shown. At this point, you may believe that the viruses have been removed and you have successfully resolved the issue... however, the criminals behind the scam can collect your login details and hijack your real email account. They may use the hijacked account to launch further spam and scam campaigns in your name..."
    * http://www.hoax-slayer.com/images/em...ng-viruses.jpg

    Last edited by AplusWebMaster; 2014-12-10 at 02:37.
