
Thread: SPAM frauds, fakes, and other MALWARE deliveries...

  1. #51
    AplusWebMaster (Adviser Team) | Join Date: Oct 2005 | Location: USA | Posts: 6,881

    Bogus USPS, SMS SPAM lead to malware

    FYI...

    Bogus USPS emails lead to malware
    - http://blog.webroot.com/2012/11/06/u...ad-to-malware/
    Nov 6, 2012 - "... mass mailing millions of emails impersonating The United States Postal Service (USPS), in an attempt to trick its customers into downloading and executing the malicious .zip archive linked in the bogus emails. Upon execution, the malware opens a backdoor on the affected host, allowing the cybercriminals behind the campaign to gain complete control over the host...
    Sample screenshot of the spamvertised email:
    > https://webrootblog.files.wordpress....am_malware.jpg
    Spamvertised compromised URL: hxxp ://www .unser-revier-bruchtorf-ost .de/FWUJKKOGMP.html
    Actual malicious archive URL: hxxp ://www .unser-revier-bruchtorf-ost .de/Shipping_Label_USPS.zip
    Detection rate: MD5: 089605f20e02fe86b6719e0949c8f363 * ... UDS:DangerousObject.Multi.Generic
    Upon execution, the sample phones back to the following URLs...
    (See the 1st webroot URL above - long list of IPs.) ... 64.151.87.152, 66.7.209.185, 173.224.211.194, 46.105.121.86, 222.255.237.132, 64.151.87.152, 79.170.89.209, 217.160.236.108, 88.84.137.174, 46.105.112.99, 50.22.136.150, 130.88.105.45, 91.205.63.194, 95.173.180.42, 217.160.236.108 ..."
    * https://www.virustotal.com/file/372b...is/1351876562/
    File name: Shipping_Label_USPS.exe
    Detection ratio: 5/44
    Analysis date: 2012-11-02
    ___

    SMS SPAM: "Records passed to us show you're entitled to a refund approximately £2130"
    - http://blog.dynamoo.com/2012/11/sms-...o-us-show.html
    6 Nov 2012 - "More SMS spam from.. well, I think the ICO will shortly reveal who. It's not just a spam, but it's also a scam because the spammers are attempting to persuade you to make fraudulent claims. Not everyone is eligible for a PPI refund, and I'm certainly not.. no "records" exist, it's just a scammy sales pitch. Avoid.
    Records passed to us show you're entitled to a refund approximately £2130 in compensation from mis-selling of PPI on your credit card or loan.Reply INFO or stop

    In this case, the sender's number is +447585858897, although it will change as it gets blocked by the networks. If you get one of these, you should forward the spam and the sender's number to your carrier. In the case of T-Mobile, O2 and Orange the number to report to is 7726 ("SPAM"). Vodafone customers should use 87726 ("VSPAM") and Three customers should use 37726 ("3SPAM"). Hopefully the carriers will act if there are enough complaints."
    ___

    Fake Apple "Account Info Change" SPAM / welnessmedical .com
    - http://blog.dynamoo.com/2012/11/appl...ange-spam.html
    6 Nov 2012 - "Not malware this time, but Pharma spam.. the links in this fake Apple message lead to welnessmedical .com.
    From: Apple [ appleid @ id.arcadiadesign .it]
    Sent: Tue 06/11/2012 18:30
    Subject: Account Info Change
    Hello,
    The following information for your Apple ID [redacted] was updated on 11/06/2012:
    Date of birth
    Security question(s) and answer(s)
    If these changes were made in error, or if you believe an unauthorized person accessed your account, please reset your account password immediately by going to iforgot.apple.com.
    To review and update your security settings, sign in to appleid.apple.com.
    This is an automated message. Please do not reply to this email. If you need additional help, visit Apple Support.
    Thanks,
    Apple Customer Support
    TM and copyright © 2012 Apple Inc. 1 Infinite Loop, MS 96-DM, Cupertino, CA 95014.
    All Rights Reserved / Keep Informed / Privacy Policy / My Apple ID


    The fake pharma site (welnessmedical.com) is hosted on 84.22.127.43 along with a bunch of other ones, plus some additional sites one IP over at 84.22.127.44... Oddly, 84.22.127.43 doesn't seem to be registered at RIPE. No matter, we know who the owner of 84.22.127.0 is.. our old friends Cyberbunker again, who have registered the block with fake details. How RIPE lets them get away with this I don't know. If you can, I recommend blocking the entire 84.22.96.0/19 range as almost everything here is pretty seedy. You can read more about Cyberbunker's very dark grey hat activities over at Wikipedia* if you want more information."
    * http://en.wikipedia.org/wiki/CyberBunker
    ___

    Fake "Scan from a Xerox WorkCentre Pro" / peneloipin .ru
    - http://blog.dynamoo.com/2012/11/scan...entre-pro.html
    6 Nov 2012 - "This fake printer spam leads to malware on peneloipin .ru:
    From: Keshawn Burns - MaribelParchment @ hotmail .com
    Sent: 06 November 2012 05:09
    Subject: Scan from a Xerox WorkCentre Pro #47938830
    Please open the attached document. It was scanned and sent
    to you using a Xerox WorkCentre Pro.
    Sent by: Keshawn
    Number of Images: 5
    Attachment File Type: .HTML [Internet Explorer file]
    Xerox WorkCentre Location: machine location not set


    The attachment contains some obfuscated Javascript that redirects the visitor to a malicious payload on [donotclick]peneloipin .ru:8080/forum/links/column.php hosted on some IPs that have been used several times before for malware:
    65.99.223.24 (RimuHosting, US)
    103.6.238.9 (Universiti Putra, Malaysia)
    203.80.16.81 (MYREN, Malaysia)
    The following malicious domains are also hosted on the same servers:
    forumibiza .ru
    kiladopje .ru
    donkihotik .ru
    lemonadiom .ru
    peneloipin .ru
    panacealeon .ru
    finitolaco .ru
    fidelocastroo .ru
    ponowseniks .ru
    dianadrau .ru
    panalkinew .ru
    fionadix .ru ..."

    Last edited by AplusWebMaster; 2012-11-06 at 22:03.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .
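    The indicators quoted above are deliberately defanged ("hxxp ://", a space before each dot, "[donotclick]"), which is right for a forum but useless for a proxy or DNS blocklist until they are refanged. The script below is an added example, not code from this post, Webroot or Dynamoo: it refangs a constructed sample of the indicator styles used in the post, sorts them into domains, IPs and hashes, and sets aside any IP already covered by the 84.22.96.0/19 range Dynamoo recommends blocking. The function and variable names are this example's own.

```python
"""Refang and sort the defanged indicators quoted above.

Added example; not code from the forum post, Webroot or Dynamoo. The sample
lines are transcribed from the post, and 84.22.96.0/19 is the range Dynamoo
suggests blocking; the function and variable names are this example's own.
"""
import ipaddress
import re

# Constructed sample: indicators in the defanging styles used in the post
# ('hxxp ://', spaces before dots, '[donotclick]', 'MD5: ...').
SAMPLE_IOCS = [
    "hxxp ://www .unser-revier-bruchtorf-ost .de/Shipping_Label_USPS.zip",
    "[donotclick]peneloipin .ru:8080/forum/links/column.php",
    "welnessmedical .com",
    "84.22.127.43",
    "64.151.87.152",
    "MD5: 089605f20e02fe86b6719e0949c8f363",
]

# CIDR ranges already blocked wholesale; IPs inside them need no separate entry.
BLOCKED_RANGES = [ipaddress.ip_network("84.22.96.0/19")]

MD5_RE = re.compile(r"\b[0-9a-f]{32}\b", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)


def refang(ioc: str) -> str:
    """Undo the defanging so the indicator can be matched programmatically."""
    s = ioc.strip().replace("[donotclick]", "")
    # 'hxxp ://' -> 'http://' (scheme first, so the dot rule below cannot touch it)
    s = re.sub(r"^hxxp(s?)\s*://", r"http\1://", s, flags=re.I)
    # 'www .example .de' or 'www[.]example[.]de' -> 'www.example.de'
    s = re.sub(r"\s*\[\.\]\s*|\s+\.\s*", ".", s)
    return s


def classify(ioc: str):
    """Return (kind, value) for one refanged indicator."""
    if m := MD5_RE.search(ioc):
        return "md5", m.group(0).lower()
    if m := IPV4_RE.search(ioc):
        return "ip", m.group(0)
    if m := HOST_RE.search(ioc):
        return "domain", m.group(1).lower()
    return "unknown", ioc


def in_blocked_range(ip: str) -> bool:
    """True when the address is already inside one of BLOCKED_RANGES."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BLOCKED_RANGES)


def build_blocklist(lines):
    """Group indicators by kind; IPs already covered by a blocked CIDR are set aside."""
    out = {"domain": set(), "ip": set(), "md5": set(), "covered_by_range": set()}
    for line in lines:
        kind, value = classify(refang(line))
        if kind == "ip" and in_blocked_range(value):
            out["covered_by_range"].add(value)
        elif kind in out:
            out[kind].add(value)
    return out


if __name__ == "__main__":
    for kind, values in build_blocklist(SAMPLE_IOCS).items():
        print(kind, sorted(values))
```

    The hash goes to the AV/EDR side and the domains and IPs to the proxy or DNS sinkhole; keep the "covered_by_range" bucket visible so nobody later drops the /19 thinking the single IPs are still listed.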

  2. #52
    AplusWebMaster

    Fake ‘Scan from a Xerox W. Pro’ emails lead to BlackHole Exploit Kit

    FYI...

    Fake ‘Fwd: Scan from a Xerox W. Pro’ emails lead to BlackHole Exploit Kit
    - http://blog.webroot.com/2012/11/07/f...e-exploit-kit/
    Nov 7, 2012 - "... malicious cybercriminals spamvertise millions of emails attempting to trick end users into thinking that they’ve received a scanned document. Upon clicking on the links found in these emails, or viewing the malicious .html attachment, users are automatically exposed to the client-side exploits served by the latest version of the BlackHole Exploit Kit... The first is mimicking a Xerox Pro printer, and the second is claiming to be a legitimate Wire Transfer. Both of these campaigns point to the same client-side exploits serving URL, indicating that they’ve been launched by the same cybercriminal/gang of cybercriminals.
    Sample screenshots of the spamvertised emails:
    > https://webrootblog.files.wordpress....ts_malware.png
    > https://webrootblog.files.wordpress....malware_01.png
    ... sample javascript obfuscation: MD5: 0a8a06770836493a67ea2e9a1af844bf * ... Mal/JSRedir-M
    ... dropped malware: MD5: 194655f7368438ab01e80b35a5293875 ** ... Trojan-Ransom.Win32.PornoAsset.avzz
    panalkinew .ru responds to the following IPs – 203.80.16.81, AS24514; 209.51.221.247, AS10297; 213.251.171.30, AS16276 ..."
    * https://www.virustotal.com/file/c655...ea40/analysis/
    File name: Scan_N13004.htm
    Detection ratio: 24/44
    Analysis date: 2012-11-05
    ** https://www.virustotal.com/file/f8aa...5ed8/analysis/
    File name: d34c2e80562a36fb762be72e490b7793887c3192
    Detection ratio: 25/43
    Analysis date: 2012-11-01
    ___

    Fake Intercompany Invoice SPAM / controlleramo .ru
    - http://blog.dynamoo.com/2012/11/inte...oice-spam.html
    7 Nov 2012 - "This fake invoice spam leads to malware on controlleramo .ru:
    Date: Wed, 7 Nov 2012 07:29:44 -0500
    From: LinkedIn [welcome@linkedin.com]
    Subject: Re: Intercompany inv. from Beazer Homes USA Corp.
    Attachments: Invoice_e49580.htm
    Hi
    Attached the corp. invoice for the period July 2012 til Aug. 2012.(Internet Explorer file)
    Thanks a lot for supporting this process
    Rihanna PEASE
    Beazer Homes USA Corp.


    The attachment contains obfuscated Javascript that attempts to direct the visitor to a malicious payload at [donotclick]controlleramo .ru:8080/forum/links/column.php hosted on:
    103.6.238.9 (Universiti Putra, Malaysia)
    203.80.16.81 (MYREN, Malaysia)
    209.51.221.247 (eNet, US)
    These IP addresses have been used in several attacks recently, and you should block access to them if you can."
    ___

    Phishers take aim at USAA
    - http://www.gfi.com/blog/phishers-take-aim-at-usaa/
    Nov 7, 2012 - "Customers of the United Services Automobile Association, or USAA, are confronted with a faceless threat and may likely find themselves within enemy territory... if they’re not careful enough. Our researchers in the AV Labs spotted a phishing attack aimed at USAA customers who are mainly military service members, veterans and their families. The attack starts with the following spam:
    > http://www.gfi.com/blog/wp-content/u...AACred_115.png
    From: {random}
    To: {random}
    Subject: USAA – Account Security Update
    Message body:
    Dear Valued Customer,
    We detected irregular activities on your USAA Internet Banking account. Your Internet banking account has been temporarily suspended for
    your protection, you must verify this activity before you can continue using your Internet banking account with USAA Bank.
    Please follow the reference link below to verify your account.
    [link] Click here to verify [/link]
    Security advice : Always log-off completely your Internet banking account after using internet banking from a public places or computer for security
    reasons.
    Thank you,
    USAA Internet Banking.


    Once a recipient clicks Click here to verify, he/she is then taken to a legitimate-looking USAA login page... take note of the URL:
    > http://www.gfi.com/blog/wp-content/u...11/usaa011.png
    This phishing page asks for a member’s Online ID, password and the PIN number of their USAA-issued credit or debit card, which the phishers made a compulsory detail to add on the login page. Note, however, that the actual USAA login page* does -not- ask for their members’ PINs. PIN numbers can personally identify individuals and their owners must only have sole knowledge of them. Members must never disclose them to any service provider or individual. Likewise, service providers must never ask for them (as proof of membership) nor store them in any form. Private citizens are also not safe from this phishing attack. Although USAA caters more to the military folks and their families, USAA has made available its online banking service to anyone, locally and internationally. USAA clients should be aware that phishing attacks are happening not just to online banking and e-commerce sites but also to financial services and insurance companies. We advise recipients of the phishing email to -delete- it from their inboxes..."
    * https://www.usaa.com/inet/ent_logon/Logon

    >> https://www.usaa.com/inet/pages/advi...ishing%20email

    >>> https://www.youtube.com/watch?featur...v=KYiKATvQvWw#!

    Last edited by AplusWebMaster; 2012-11-07 at 19:46.
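    Both write-ups above describe the same trick: an .htm attachment whose obfuscated JavaScript sends the browser to <host>:8080/forum/links/column.php. The script below is an added example, not code from this post, Webroot or Dynamoo, and the attachment it inspects is constructed here to mimic that pattern (a String.fromCharCode call and an unescape call concatenated into the redirect), not a real capture. It peels those two encodings statically, collapses the string concatenation, and flags any decoded URL that matches the landing-page signature; helper names are this example's own.

```python
"""Static triage of an .htm mail attachment that hides a redirect.

Added example; not code from the forum post, Webroot or Dynamoo. The sample
attachment is constructed here to mimic the pattern the posts describe (an
obfuscated script sending the browser to <host>:8080/forum/links/column.php);
helper names are this example's own.
"""
import re


def _fcc(s: str) -> str:
    """Encode s as a String.fromCharCode(...) call (used only to build the sample)."""
    return "String.fromCharCode(" + ",".join(str(ord(c)) for c in s) + ")"


def _esc(s: str) -> str:
    """Encode s as an unescape('%XX...') call (used only to build the sample)."""
    return "unescape('" + "".join("%%%02X" % ord(c) for c in s) + "')"


# Constructed sample attachment, not a real capture.
SAMPLE_ATTACHMENT = (
    "<html><body><p>Loading scanned document...</p><script>"
    "document.location=" + _fcc("http://peneloipin.ru:8080") + "+" + _esc("/forum/links/column.php") + ";"
    "</script></body></html>"
)

FROMCHARCODE_RE = re.compile(r"String\.fromCharCode\(\s*([\d\s,]*)\)")
UNESCAPE_RE = re.compile(r"unescape\(\s*['\"]([^'\"]*)['\"]\s*\)")
PCT_RE = re.compile(r"%([0-9A-Fa-f]{2})")
CONCAT_RE = re.compile(r"\"\s*\+\s*\"")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
LANDING_SIG = re.compile(r":8080/forum/links/column\.php$")
OBFUSCATION_MARKERS = ("String.fromCharCode", "unescape(", "eval(", "document.location")


def decode_layer(text: str) -> str:
    """Replace fromCharCode/unescape calls with the string literal they produce."""
    text = FROMCHARCODE_RE.sub(
        lambda m: '"' + "".join(chr(int(n)) for n in m.group(1).split(",") if n.strip()) + '"', text)
    text = UNESCAPE_RE.sub(
        lambda m: '"' + PCT_RE.sub(lambda p: chr(int(p.group(1), 16)), m.group(1)) + '"', text)
    return CONCAT_RE.sub("", text)   # '"abc" + "def"' -> '"abcdef"'


def deobfuscate(text: str, max_rounds: int = 5) -> str:
    """Peel nested layers until nothing changes (bounded so hostile input cannot loop)."""
    for _ in range(max_rounds):
        new = decode_layer(text)
        if new == text:
            break
        text = new
    return text


def triage(html: str) -> dict:
    """Report obfuscation markers, decoded URLs and any Blackhole-style landing URL."""
    markers = [k for k in OBFUSCATION_MARKERS if k in html]
    urls = sorted(set(URL_RE.findall(deobfuscate(html))))
    hits = [u for u in urls if LANDING_SIG.search(u)]
    return {"markers": markers, "urls": urls, "landing_hits": hits,
            "suspicious": bool(hits) or len(markers) >= 2}


if __name__ == "__main__":
    print(triage(SAMPLE_ATTACHMENT))
```

    This is a static first pass, not a JavaScript engine: real kits also split strings across variables or decode with arithmetic, so treat "markers present but no URL recovered" as a reason to detonate the file in a sandbox rather than as a clean result.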

  3. #53
    AplusWebMaster

    Fake Discover Card emails - and more...

    FYI...

    Fake Discover Card emails serve client-side exploits and malware
    - http://blog.webroot.com/2012/11/08/y...s-and-malware/
    8 Nov 2012 - "Cybercriminals are currently spamvertising millions of emails impersonating Discover, in an attempt to trick cardholders into clicking on the client-side exploits serving URLs found in the malicious emails. Upon clicking on the links, users are exposed to the client-side exploits served by the latest version of the BlackHole Exploit Kit.
    Sample screenshot of the spamvertised email:
    > https://webrootblog.files.wordpress....ts_malware.png
    ... Sample detection rate for the dropped malware: MD5: 80601551f1c83ee326b3094e468c6b42 * ... UDS:DangerousObject.Multi.Generic
    Upon execution, the sample phones back to 200.169.13.84 :8080/AJtw/UCyqrDAA/Ud+asDAA, AS21574
    Client-side exploits serving domain reconnaissance:
    teamscapabilitieswhich.org responds to 183.180.134.217, AS2519 – Email: anil_valiquette124 @ dawnsonmail .com
    Name Server: NS1.CHELSEAFUN.NET – 173.234.9.89
    Name Server: NS2.CHELSEAFUN.NET – 65.131.100.90
    netgear-india .net – 183.180.134.217, AS2519
    Name Server: NS1.TOPPAUDIO .COM - 91.216.93.61
    Name Server: NS2.TOPPAUDIO .COM - 173.234.9.89 ..."
    * https://www.virustotal.com/file/44c3...0589/analysis/
    File name: KB01474670.exe
    Detection ratio: 4/44
    Analysis date: 2012-11-02
    ___

    getyourbet .org injection attack
    - http://blog.dynamoo.com/2012/11/gety...on-attack.html
    8 Nov 2012 - "There seems to be an injection attack doing the rounds, the injected domain is getyourbet .org hosted on 31.184.192.237. The domain registration details are:
    Registrant ID:TOD-42842658
    Registrant Name:ChinSec
    Registrant Organization:ChinSec
    Registrant Street1:Beijing
    Registrant Street2:
    Registrant Street3:
    Registrant City:Beijing
    Registrant State/Province:BJ
    Registrant Postal Code:519000
    Registrant Country:CN
    Registrant Phone:+86.5264337745
    Registrant Phone Ext.:
    Registrant FAX:+86.5264337745
    Registrant FAX Ext.:
    Registrant Email:chinseccdomains @ yahoo .com
    The domain was created on 12th October. The IP address is in Russia (PIN-DEDICATEDSERVERS-NET).
    This is a two stage attack, if getyourbet .org is called with the correct referrer parameters then the victim ends up at another server at 64.202.123.3 (Hostforweb, US) that tries to serve up a malicious payload. This server contains a bunch of subdomains from a hacked GoDaddy account.
    pin.panacheswimwear .co.uk
    physical.oneandonlykanuhura .com
    pig.onmailorder .com
    picture.onlyplussizes .com
    person.nypersonaltrainers .com
    pipe.payday-loanstoday .com
    I've seen this sort of abuse of GoDaddy domains before, the main "www" domain resolves OK, but the subdomains get pointed elsewhere. There's either a problem with GoDaddy or this is done through a phish.
    Anyway, block 64.202.123.3 and 31.184.192.237 if you can to prevent further attacks."


  4. #54
    AplusWebMaster

    Fake Intuit, Changelog emails lead to malware

    FYI...

    Fake Intuit emails lead to BlackHole Exploit Kit
    - http://blog.webroot.com/2012/11/09/p...e-exploit-kit/
    Nov 9, 2012 - "Intuit users, beware! Cybercriminals are currently mass mailing millions of emails impersonating Intuit’s Direct Deposit Service, in an attempt to trick its users into clicking on the malicious links found in the legitimate-looking emails. Upon clicking on -any- of them, users are exposed to the client-side exploits served by the latest version of the BlackHole Exploit Kit...
    Sample screenshot of the spamvertised email:
    > https://webrootblog.files.wordpress....ts_malware.png
    ... Detection rate for the dropped malware: MD5: ebe81fe9a632726cb174043f6ac93e46 * ... Trojan.Win32.Bublik.qqf
    Client-side exploits serving domain reconnaissance:
    savedordercommunicates .info – 75.127.15.39, AS36352 – Email: heike_ruigrok32 @ naplesnews .net
    Name Server: NS1.CHELSEAFUN .NET – 173.234.9.89, AS15003 – also responding to the same IP is the following malicious name server: ns1.nationalwinemak .com
    Name Server: NS2.CHELSEAFUN .NET – 65.131.100.90, AS209
    We’ve already seen the -same- name servers used in the previously profiled “‘Your Discover Card Services Blockaded’ themed emails serve client-side exploits and malware” malicious campaign, indicating that both of these campaigns are managed by the same malicious party.
    Responding to the same IP (75.127.15.39) is also the following malicious domain:
    teamscapabilitieswhich .org..."
    * https://www.virustotal.com/file/4619...1e14/analysis/
    File name: download
    Detection ratio: 29/44
    Analysis date: 2012-11-08
    ___

    Changelog SPAM / canadianpanakota .ru
    - http://blog.dynamoo.com/2012/11/chan...anakotaru.html
    9 Nov 2012 - "This spam leads to malware on canadianpanakota .ru:
    Date: Fri, 9 Nov 2012 11:55:11 +0530
    From: LinkedIn Password [password @ linkedin .com]
    Subject: Re: Changlog 10.2011
    Attachments: changelog4-2012.htm
    Hello,
    as promised changelog,(Internet Explorer File)


    The attachment leads to a malicious payload at [donotclick]canadianpanakota .ru :8080/forum/links/column.php hosted on the following IPs:
    120.138.20.54 (SiteHost, New Zealand)
    202.180.221.186 (GNet, Mongolia)
    203.80.16.81 (MYREN, Malaysia)
    These IPs will probably be used in other attacks, blocking access to them now might be prudent. The following IPs and domains are all related:
    120.138.20.54
    202.180.221.186
    203.80.16.81
    canadianpanakota .ru
    controlleramo .ru
    donkihotik .ru
    finitolaco .ru
    fionadix .ru
    forumibiza .ru
    lemonadiom .ru
    peneloipin .ru
    moneymakergrow .ru ..."

    Last edited by AplusWebMaster; 2012-11-09 at 16:42.
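    The Webroot write-ups in the last two posts tie the Discover and Intuit campaigns together because their domains share name servers (CHELSEAFUN.NET, TOPPAUDIO.COM) and hosting IPs. That reasoning is a graph walk, and it is worth doing mechanically so transitive links (A shares an IP with B, B shares a name server with C) are not missed. The script below is an added example, not code from this post or Webroot: it takes the domain / IP / name-server observations transcribed from posts #53 and #54, plus one constructed control domain that shares nothing, and groups them with a union-find; function names are this example's own.

```python
"""Link campaigns by shared hosting IPs and name servers.

Added example; not code from the forum post or Webroot. The observations are
transcribed from the Webroot write-ups quoted in posts #53 and #54 (domain,
the IPs it resolved to, the name servers serving it); the last record is a
constructed control with no overlap. Function names are this example's own.
"""
from collections import defaultdict

OBSERVATIONS = [
    ("teamscapabilitieswhich.org", ["183.180.134.217", "75.127.15.39"],
     ["NS1.CHELSEAFUN.NET", "NS2.CHELSEAFUN.NET"]),
    ("netgear-india.net", ["183.180.134.217"],
     ["NS1.TOPPAUDIO.COM", "NS2.TOPPAUDIO.COM"]),
    ("savedordercommunicates.info", ["75.127.15.39"],
     ["NS1.CHELSEAFUN.NET", "NS2.CHELSEAFUN.NET"]),
    ("control-example.test", ["192.0.2.10"], ["ns1.control-example.test"]),  # constructed control
]


class DisjointSet:
    """Union-find over pivot keys ('domain:x', 'ip:x', 'ns:x')."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]   # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        self.parent[self.find(a)] = self.find(b)


def pivots_for(domain, ips, name_servers):
    """Keys a domain shares with anything hosted or served by the same infrastructure."""
    return [f"ip:{ip}" for ip in ips] + [f"ns:{ns.lower()}" for ns in name_servers]


def cluster_domains(observations):
    """Group domains connected, directly or transitively, by a shared IP or name server."""
    ds = DisjointSet()
    for domain, ips, nss in observations:
        for pivot in pivots_for(domain, ips, nss):
            ds.union(f"domain:{domain}", pivot)
    groups = defaultdict(set)
    for domain, _, _ in observations:
        groups[ds.find(f"domain:{domain}")].add(domain)
    return sorted((sorted(g) for g in groups.values()), key=len, reverse=True)


def shared_pivots(observations, a, b):
    """The concrete IPs/name servers two domains have in common (the evidence for a link)."""
    by_domain = {d: set(pivots_for(d, ips, nss)) for d, ips, nss in observations}
    return sorted(by_domain[a] & by_domain[b])


if __name__ == "__main__":
    for group in cluster_domains(OBSERVATIONS):
        print(group)
    print(shared_pivots(OBSERVATIONS, "teamscapabilitieswhich.org", "netgear-india.net"))
```

    One caveat before treating a cluster as one actor: a shared IP on a big shared host, or a shared name server at a large registrar, links everything on that box or registrar. The pivots here are worth trusting because the Webroot analysts already established that the name servers themselves are malicious; with neutral infrastructure you would weight or drop those pivots first.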

  5. #55
    AplusWebMaster

    Fake AmExpress emails serve client-side exploits and malware

    FYI...

    Fake American Express emails serve client-side exploits and malware...
    - http://blog.webroot.com/2012/11/12/a...s-and-malware/
    Nov 12, 2012 - "American Express cardholders, beware! Over the past week, cybercriminals mass mailed millions of emails impersonating American Express, in an attempt to trick its customers into clicking on the malicious links found in the emails. Upon clicking on any of the links, users are redirected to a malicious URL serving client-side exploits courtesy of the BlackHole Exploit Kit...
    Sample screenshot of the spamvertised email:
    > https://webrootblog.files.wordpress....ts_malware.png
    ... Malicious domain name reconnaissance:
    stempare .net – 109.123.220.145, AS15685 – Email: rebe_bringhurst1228 @ i-connect .com
    Name Server: NS1.TOPPAUDIO .COM – 91.216.93.61, AS50300 – Email: windowclouse @ hotmail .com
    Name Server: NS2.TOPPAUDIO .COM – 29.217.45.138 – Email: windowclouse @ hotmail .com ...
    Upon loading of the malicious URL, a malicious PDF file exploiting CVE-2010-0188 is used to ultimately drop the actual payload – MD5: c8c607bc630ee2fe6a8c31b8eb03ed43 * ... Trojan.Win32.Bublik.ptf...
    Upon execution, the dropped malware requests a connection to 192.5.5.241 :8080 and then establishes a connection with 210.56.23.100 :8080/Ajtw/UCygrDAA/Ud+asDAA (AS7590, Commission For Science And Technology, Pakistan). The following domain responds to this IP: discozdata .org. It is currently blacklisted in 25 anti-spam lists. The following URLs are known to have (been) directly serving malicious content, and act as command and control servers in the past:
    210.56.23.100 :8080/asp/intro.php
    210.56.23.100 :8080/za/v_01_a/in ...
    The last time we came across this IP (210.56.23.100), was in July 2012's analysis of yet another malicious campaign, this time impersonating American Airlines..."
    * https://www.virustotal.com/file/06af...6182/analysis/
    File name: c8c607bc630ee2fe6a8c31b8eb03ed43
    Detection ratio: 15/43
    Analysis date: 2012-11-02
    ___

    Cableforum.co .uk hacked?
    - http://blog.dynamoo.com/2012/11/cabl...uk-hacked.html
    12 Nov 2012 - "Cableforum.co .uk is a popular and useful UK site about digital TV and broadband. Unfortunately, the email address list has leaked out and is being used for spamming, for example:
    NatWest : Helpful Banking
    Dear Valued Member ;
    To prevent unauthorized access to your accounts, your online service has been temporarily locked. No further log in attempts will be accepted.
    This is a procedure that automatically occur when an invalid information is submitted during the log in process.
    Please follow the provided steps below to confirm your identity
    and restore your online access...

    > https://lh3.ggpht.com/-v0aFooReF9M/U...00/natwest.png
    This is a standard NatWest phish. It doesn't originate from Cableforum.co.uk or its servers, but it is sent to an address ONLY used for Cableforum, so it must have leaked out somehow... Sadly, crap like this happens to good websites... Clearly there has been a problem for several months, although it isn't clear when such an address leak occurred or what data was taken with it. You should always assume that the passwords have been compromised and change it, plus change it anywhere that you re-use the same password."

    Last edited by AplusWebMaster; 2012-11-12 at 17:06.

  6. #56
    AplusWebMaster

    Blackhole exploit kit - top threat by a large margin

    FYI...

    Blackhole exploit kit - top threat by a large margin
    - https://blogs.technet.com/b/security...w-heights.aspx
    12 Nov 2012 - "... exploit activity has increased substantially over the past year... large increases in HTML/JavaScript exploit activity and Oracle Java exploit activity are major contributors to this trend... the top threat family driving these detections is Blacole, also known as the “Blackhole” exploit kit. Blacole, a family of exploits used by the so-called Blackhole exploit kit to deliver malicious software through infected webpages, was the most commonly detected exploit family in the first half of 2012 by a large margin*. This kit can be bought or rented on hacker forums and through other illegitimate outlets. The kit consists of a collection of malicious webpages that contain exploits for vulnerabilities in versions of Adobe Flash Player, Adobe Reader, Microsoft Data Access Components (MDAC), the Oracle Java Runtime Environment (JRE), and other popular products and components** ... In years past it was rare to see an exploit in the top ten list of threats for a country/region. In 2012-Q2 at least one exploit was in the top ten list of threats for 51 locations of the 105 countries/regions (49%) reported on in SIRv13***. Blacole is in the top ten lists of twenty-seven of these locations ..."

    * https://blogs.technet.com/cfs-filesy...-43/3683.2.jpg

    ** https://blogs.technet.com/cfs-filesy...-43/6443.1.jpg

    *** http://www.microsoft.com/security/si...t/default.aspx
    ___

    New Java attack introduced into "Cool Exploit Kit"
    - https://threatpost.com/en_us/blogs/n...oit-kit-111212
    Nov 12, 2012 - "A new exploit has been found in the Cool Exploit Kit for a vulnerability* in Java 7 Update 7 as well as older versions, a flaw that’s been patched by Oracle in Java 7 Update 9. Cool Exploit Kit was discovered last month and is largely responsible for dropping the Reveton ransomware. A new Metasploit module was introduced last night by researcher Juan Vazquez, developer Eric Romang said. Romang, a frequent Metasploit contributor, suggested it’s likely the exploit has been in the wild for a period of time and has only now been integrated into an exploit kit... Researchers are concerned now that this exploit is in Cool Exploit Kit, it could find its way into the BlackHole Exploit Kit... Reveton is linked to the Citadel banking and botnet malware..."
    * https://web.nvd.nist.gov/view/vuln/d...=CVE-2012-5076 - 10.0 (HIGH)

    Last edited by AplusWebMaster; 2012-11-13 at 13:46.

  7. #57
    AplusWebMaster

    Fake "Your flight" / Wire transfer SPAM - monacofrm .ru

    FYI...

    Fake "Your flight" SPAM / monacofrm .ru
    - http://blog.dynamoo.com/2012/11/your...nacofrmru.html
    13 Nov 2012 - "These spam email messages lead to malware on monacofrm .ru:
    From: sales1 @victimdomain .com
    Sent: 13 November 2012 04:04
    Subject: Fwd: Your Flight A874-64581
    Dear Customer,
    FLIGHT NR: 1173-8627
    DATE/TIME : JAN 27, 2013, 19:15 PM
    ARRIVING AIRPORT: SAN-DIEGO AIRPORT
    PRICE : 520.40 USD
    Your bought ticket is attached to the letter as a scan document .
    To use your ticket you should print it.
    NAOMI PATTON,
    ==========
    From: messages-noreply @bounce .linkedin .com On Behalf Of LinkedIn
    Sent: 13 November 2012 05:18
    Subject: Re: Fwd: Your Flight A943-6733
    Dear Customer,
    FLIGHT NR: 360-6116
    DATE/TIME : JAN 26, 2013, 14:12 PM
    ARRIVING AIRPORT: SAN-DIEGO AIRPORT
    PRICE : 997.25 USD
    Your bought ticket is attached to the letter as a scan document .
    To use your ticket you should print it.
    Adon Walton,

    (...etc.)

    The malicious payload is at [donotclick]monacofrm.ru:8080/forum/links/column.php hosted on the following IPs:
    202.180.221.186 (GNet, Mongolia)
    203.80.16.81 (MYREN, Malaysia)
    216.24.194.66 (Psychz Networks, US)
    The Mongolian and Malaysian IPs have been used several times for malware attacks, 216.24.194.66 looks like a new one. Blocking them all would probably be prudent.

    Added: There's a Wire Transfer SPAM using the same payload too:
    From: Amazon.com / account-update @amazon .com
    Sent: 13 November 2012 08:08
    Subject: Fwd: Re: Wire Transfer Confirmation
    Dear Bank Account Operator,
    WIRE TRANSFER: FED8979402863338715
    CURRENT STATUS: PENDING
    Please REVIEW YOUR TRANSACTION as soon as possible.

    ___

    Fake "End of Aug. Statmeent" SPAM / veneziolo .ru
    - http://blog.dynamoo.com/2012/11/end-...nezioloru.html
    13 Nov 2012 - "The spam never stops, this malicious email leads to malware at veneziolo .ru:
    Date: Tue, 13 Nov 2012 12:27:15 -0500
    From: Mathilda Allen via LinkedIn [member @linkedin .com]
    Subject: Re: End of Aug. Statmeent required
    Attachments: Invoices12-2012.htm
    Good morning,
    as reqeusted I give you inovices issued to you per sept. (Internet Explorer format)
    Regards


    The malicious payload is at [donotclick]veneziolo .ru:8080/forum/links/column.php hosted on the same IPs seen earlier today, the following IPs and domains are all related:
    41.168.5.140, 62.76.46.195, 62.76.178.233, 62.76.186.190, 62.76.188.246, 65.99.223.24, 84.22.100.108, 85.143.166.170, 87.120.41.155, 91.194.122.8, 103.6.238.9, 120.138.20.54, 132.248.49.112, 202.180.221.186,
    203.80.16.81, 207.126.57.208, 209.51.221.247, 213.251.171.30, 216.24.194.66
    ..."

    Last edited by AplusWebMaster; 2012-11-14 at 02:01.
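    Dynamoo's advice in this post is to block the related IPs, and the recurring landing URL (<host>:8080/forum/links/column.php) is a signature in its own right. The script below is an added example, not code from this post or Dynamoo: it applies both to proxy logs. RELATED_IPS is the list quoted above; the log lines are constructed in Squid's native access.log layout and are not a real capture; the rule names are this example's own. The last sample line shows why the port belongs in the signature: the same path on an internal forum over port 80 is not flagged.

```python
"""Scan proxy access logs for the landing-page pattern and the related IPs.

Added example; not code from the forum post or Dynamoo. RELATED_IPS is the
list quoted in the post above; the log lines are constructed in Squid's
native access.log layout (time elapsed client code/status bytes method URL
user peerstatus/peerhost type) and are not a real capture. The rule names
are this example's own.
"""
import ipaddress
from urllib.parse import urlsplit

RELATED_IPS = {
    "41.168.5.140", "62.76.46.195", "62.76.178.233", "62.76.186.190", "62.76.188.246",
    "65.99.223.24", "84.22.100.108", "85.143.166.170", "87.120.41.155", "91.194.122.8",
    "103.6.238.9", "120.138.20.54", "132.248.49.112", "202.180.221.186", "203.80.16.81",
    "207.126.57.208", "209.51.221.247", "213.251.171.30", "216.24.194.66",
}
LANDING_PATH = "/forum/links/column.php"
LANDING_PORT = 8080

# Constructed sample log lines (Squid native format), not a real capture.
SAMPLE_LOG = """\
1352764800.123    245 10.1.2.33 TCP_MISS/200 8123 GET http://monacofrm.ru:8080/forum/links/column.php - DIRECT/203.80.16.81 text/html
1352764801.456     30 10.1.2.33 TCP_MISS/200 1440 GET http://www.example.org/index.html - DIRECT/198.51.100.5 text/html
1352764802.789    120 10.1.2.40 TCP_MISS/200 4096 GET http://203.80.16.81:8080/asp/intro.php - DIRECT/203.80.16.81 text/html
1352764803.001     15 10.1.2.41 TCP_HIT/200 512 GET http://intranet.example/forum/links/column.php - NONE/- text/html
"""


def parse_squid(line: str):
    """Pull client, URL and upstream peer out of one native-format Squid line."""
    fields = line.split()
    if len(fields) < 10:
        return None
    peer = fields[8].split("/", 1)[1] if "/" in fields[8] else "-"
    return {"client": fields[2], "url": fields[6], "peer": peer}


def _is_raw_ip(host) -> bool:
    try:
        ipaddress.ip_address(host or "")
        return True
    except ValueError:
        return False


def classify_request(rec: dict):
    """Return the rule names the request trips (empty list = nothing seen)."""
    reasons = []
    u = urlsplit(rec["url"])
    if rec["peer"] in RELATED_IPS or u.hostname in RELATED_IPS:
        reasons.append("related-ip")
    if u.port == LANDING_PORT and u.path == LANDING_PATH:
        reasons.append("blackhole-landing-path")
    if _is_raw_ip(u.hostname) and u.port == LANDING_PORT:
        reasons.append("raw-ip-host-on-8080")
    return reasons


def scan(log_text: str):
    """Return (client, url, reasons) for every line that trips at least one rule."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_squid(line)
        if rec is None:
            continue
        reasons = classify_request(rec)
        if reasons:
            alerts.append((rec["client"], rec["url"], reasons))
    return alerts


if __name__ == "__main__":
    for client, url, reasons in scan(SAMPLE_LOG):
        print(client, url, ", ".join(reasons))
```

    The "related-ip" rule keys on the peer the proxy actually connected to, not only on the URL host, so a hit still fires when the kit rotates domains onto the same servers, which is exactly the behaviour these posts keep documenting.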

  8. #58
    AplusWebMaster

    Fake ‘PayPal Account Modified’ emails lead to BlackHole Exploit Kit

    FYI...

    Fake ‘PayPal Account Modified’ emails lead to BlackHole Exploit Kit
    - http://blog.webroot.com/2012/11/14/p...e-exploit-kit/
    Nov 14, 2012 - "A cybercriminal/group... continues to systematically rotate the impersonated brands and the actual malicious payload dropped by the market leading Black Hole Exploit Kit. The prospective target of their latest campaign? PayPal users...
    Sample screenshot of the spamvertised email:
    > https://webrootblog.files.wordpress....ts_malware.png
    ... Malicious domain name reconnaissance: puzzledbased .net – 183.180.134.217, AS2519 – Email: rodger_covach3060 @ spacewar .com
    Name Server: NS1.TOPPAUDIO .COM
    Name Server: NS2.TOPPAUDIO .COM
    Although we couldn’t reproduce puzzledbased .net’s malicious activity, we know for certain that on 2012/11/01 at 15:19, hxxp ://netgear-india .net/detects/discover-important_message.php was responding to the same IP. We’ve already seen and profiled the malicious activity of the campaign using this URL in the “‘Your Discover Card Services Blockaded’ themed emails serve client-side exploits and malware analysis...
    The following malicious domains are also part of the campaign’s infrastructure and respond to the same IP (183.180.134.217) as the client-side exploits serving domains:
    rovo .pl
    itracrions .pl
    superdmntre .com
    chicwhite .com
    radiovaweonearch .com
    strili .com
    superdmntwo .com
    unitmusiceditior .com
    newtimedescriptor .com
    steamedboasting .info
    solla .at
    votela .net
    stempare .net
    tradenext .net
    bootingbluray .net
    The following malicious domain (stempare .net) was also seen in the recently profiled “‘American Express Alert: Your Transaction is Aborted’ themed emails serve client-side exploits and malware” campaign, indicating yet another connection between these campaigns..."
    ___

    promotesmetasearch .net promotes malware
    From the WeAreSpammers blog: http://wearespammers.blogspot.co.uk/...launch-of.html

    - http://blog.dynamoo.com/2012/11/prom...s-malware.html
    14 Nov 2012 - "This looks like a fake get-rich-quick scam email which is actually intended to distribute malware. Originating IP is 5.39.101.233 (OVH, Germany). Spamvertised domains are 8mailer .com on 5.39.101.225 (OVH, Germany) and promotesmetasearch .net on 46.249.38.27 (Serverius Holding, Netherlands). This last one is kind of interesting, because 1) it's all in French and 2) it contains a virus. The malware attempts to download an exploit kit from [donotclick]vodkkaredbuuull .chickenkiller .com/trm/requesting/requesting-pass_been_loaded.php which is kind of unfriendly, hosted on the same IP address.
    The WHOIS details show a completely different name and address from the one quoted on the email:
    Florence Buker
    florence_buker05 @rockfan .com
    7043 W Avenue A4
    93536 Lancaster
    United States
    Tel: +1.4219588211
    Clearly the owner of promotemetasearch .net is up to no good, and I would suggest the Anthony Tomei connection might well be completely bogus.
    From: Anthony Tomei admin @8 mailer .com
    Reply-To: info @ promotesmetasearch .net
    To: donotemail @ wearespammers .com
    Date: 14 November 2012 18:22
    Subject: launch of
    Dear Future Millionaire,
    Making $100,000 per month is not hard. In fact, there are 2 ways you accomplish this easy task of making money in a short period of time.
    The first way is to...


    Anthony Tomei is an Expert Internet Network Marketer. Anthony is known as the Master Marketer and practically gives away all of his secrets, methods and marketing techniques... You should probably regard the domain chickenkiller .com as compromised and block it. Additionally, all the following IPs and domains are related and are probably malicious.
    ..."

    Last edited by AplusWebMaster; 2012-11-15 at 02:23.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  9. #59 AplusWebMaster (Adviser Team; Join Date: Oct 2005; Location: USA; Posts: 6,881)

    Bogus BBB emails serve client-side exploits and malware

    FYI...

    Opera site served Blackhole malvertising...
    - http://www.theregister.co.uk/2012/11...era_blackhole/
    15 Nov 2012 - "Opera has suspended ad-serving on its portal as a precaution while it investigates reports that surfers were being exposed to malware simply by visiting the Norwegian browser firm's home page. Malicious scripts loaded by portal .opera .com were redirecting users towards a malicious site hosting the notorious BlackHole exploit kit, said a Romanian anti-virus firm BitDefender*, which said it had detected the apparent attack on its automated systems. BitDefender said it promptly warned Opera after it detected the problem on Wednesday. It seems likely the scripts had been loaded through a third-party advertisement, a practice commonly known as malvertising. Opera has yet to confirm the problem, but has disabled advertising scripts on its portal in case they are tainted..."
    * http://www.hotforsecurity.com/blog/o...page-4431.html
    14 Nov 2012 - "... malicious page harbors the BlackHole exploit kit (we got served with the sample via a PDF file rigged with the CVE-2010-0188 exploit) that will infect the unlucky user with a freshly-compiled variant of ZBot, detected by Bitdefender as Trojan.Zbot.HXT. The ZBot malware is on a server in Russia which, most probably, has also fallen victim to a hacking attack, allowing unauthorized access via FTP..."
    > http://www.hotforsecurity.com/wp-con...omepage-21.jpg

    - http://www.h-online.com/security/new...ew=zoom;zoom=3
    16 Nov 2012
    ___

    Bogus BBB emails serve client-side exploits and malware
    - http://blog.webroot.com/2012/11/15/b...s-and-malware/
    Nov 15, 2012 - "Cybercriminals are currently spamvertising millions of emails impersonating the Better Business Bureau (BBB), in an attempt to trick users into clicking on a link to a non-existent report. Upon clicking on the link, users are exposed to the client-side exploits served by the latest version of the BlackHole Exploit Kit...
    Sample screenshot of the spamvertised email:
    > https://webrootblog.files.wordpress....ts_malware.png
    ... Although I wasn’t able to obtain the actual malicious payload from this campaign, it’s worth pointing out that the cybercriminals behind it relied on the same infrastructure as they did in previously profiled malicious attacks launched by the same party. We also know that on the following dates/specific time, the following malicious URLs also responded to the same IP (183.81.133.121):
    2012-10-16 00:24:08 – hxxp ://navisiteseparation .net/detects/processing-details_requested.php
    2012-10-12 11:19:37 – hxxp ://editdvsyourself .net/detects/beeweek_status-check.php
    Responding to the same IP (183.81.133.121) are also the following malicious domains:
    stafffire .net
    hotsecrete .net - Email: counseling1 @ yahoo .com
    the-mesgate .net - also responds to 208.91.197.54 – Email: admin @ newvcorp .com
    Name servers used in the campaign:
    Name Server: NS1.TOPPAUDIO .COM - 91.216.93.61 – Email: windowclouse @ hotmail .com
    Name Server: NS2.TOPPAUDIO .COM - 29.217.45.138 – Email: windowclouse @ hotmail .com ..."
    ___

    Changelog SPAM / feronialopam .ru
    - http://blog.dynamoo.com/2012/11/chan...ialopamru.html
    15 Nov 2012 - "This fake "Changelog" spam leads to malware on feronialopam .ru:
    Date: Thu, 15 Nov 2012 10:43:59 +0300
    From: "Xanga" [noreply@xanga.com]
    Subject: Re: Changelog 2011 update
    Attachments: changelog-12.htm
    Hello,
    as promised chnglog attached (Internet Explorer File)
    ==========
    Date: Thu, 15 Nov 2012 05:43:09 -0500
    From: Chaz Shea via LinkedIn [member@linkedin.com]
    Subject: Re: Changelog as promised(updated)
    Attachments: Changelog-12.htm
    Hello,
    as prmised changelog is attached (Internet Explorer File)


    The malicious payload is at [donotclick]feronialopam .ru:8080/forum/links/column.php hosted on a familiar looking bunch of IP addresses that you really should block:
    120.138.20.54 (Sitehost, New Zealand)
    202.180.221.186 (GNet, Mongolia)
    203.80.16.81 (MYREN, Malaysia)..."

    Last edited by AplusWebMaster; 2012-11-16 at 16:57.

  10. #60 AplusWebMaster (Adviser Team; Join Date: Oct 2005; Location: USA; Posts: 6,881)

    Bogus eFax Corporate messages serve multiple malware variants

    FYI...

    Malware sites to block - 16/11/12
    - http://blog.dynamoo.com/2012/11/malw...ck-161112.html
    16 Nov 2012 - "Some more evil domains and IPs, connected with this spam run*. (Thanks, GFI)
    * http://gfisoftware.tumblr.com/post/3...nt-system-spam
    ..."
    ___

    Bogus eFax Corporate messages serve multiple malware variants
    - http://blog.webroot.com/2012/11/16/c...ware-variants/
    Nov 16, 2012 - "... mass mailing millions of emails trying to trick recipients into executing malicious attachments pitched as recently arrived fax messages. Upon running the malicious executables, users are exposed to a variety of dropped malware variants in a clear attempt by the cybercriminals to add additional layers of monetization to the campaign...
    Sample screenshot of the spamvertised email:
    > https://webrootblog.files.wordpress....am_malware.png
    Detection rate for the malicious executable: MD5: 16625f5ee30ba33945b807fb0b8b2f9e * ... Trojan-PSW.Win32.Tepfer.blbl
    Upon execution, it attempts to connect to the following domains:
    It then downloads additional malicious payload...
    Phone back URL:
    hxxp ://oftechnologies.co .in/update/777/img.php?gimmeImg – 130.185.73.102, AS48434 ** – Email: melody_mccarroll38 @ indyracers .com
    Name Server:NS1.INVITEDNS .COM
    Name Server:NS2.INVITEDNS .COM
    The following malicious domain responds to the same IP: updateswindowspc .net
    The following malicious domains are also known to have responded to the same IP (130.185.73.102) in the past..."
    (More detail at the webroot URL above.)
    * https://www.virustotal.com/file/755d...is/1352078183/
    File name: eFAX.CORPORATE.exe
    Detection ratio: 37/43
    Analysis date: 2012-11-05

    ** https://www.google.com/safebrowsing/...?site=AS:48434
    Diagnostic page for AS48434 (TEBYAN) - "Of the 1723 site(s) we tested on this network over the past 90 days, 86 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2012-11-16, and the last time suspicious content was found was on 2012-11-16... Over the past 90 days, we found 2 site(s) on this network... that appeared to function as intermediaries for the infection of 5 other site(s)... this network has hosted sites that have distributed malicious software in the past 90 days. We found 5 site(s)... that infected 6 other site(s)..."

    Last edited by AplusWebMaster; 2012-11-16 at 16:42.
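    The indicators quoted across these posts are defanged in one consistent style ("hxxp ://", "chickenkiller .com", "[donotclick]"). The following is an added example, not code from the forum or from the quoted blogs: a Python normaliser that refangs lines written in that style and builds de-duplicated domain and IP blocklists. SAMPLE_LINES is constructed with reserved example names and is not taken from the thread.

```python
import re
from ipaddress import ip_address

# Defanging used in the thread: "hxxp ://", a space before each dot, spaces around "@", "[donotclick]".
_SCHEME = re.compile(r"\b(hxxps?|https?)\s*:\s*//", re.IGNORECASE)
_CANDIDATE = re.compile(r"[a-z0-9-]+(?:\.[a-z0-9-]+)+", re.IGNORECASE)
_DOMAIN = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$")   # alphabetic TLD, so "10:43:59" never matches

def refang(line: str) -> str:
    """Undo the thread's defanging so the indicators become machine-usable."""
    text = line.replace("[donotclick]", "")
    text = re.sub(r"\s*\.\s*", ".", text)   # "chickenkiller .com" -> "chickenkiller.com"
    text = re.sub(r"\s*@\s*", "@", text)    # "admin @ x .com" -> "admin@x.com"
    return _SCHEME.sub(lambda m: m.group(1).lower().replace("hxxp", "http") + "://", text).strip()

def _is_ip(value: str) -> bool:
    try:
        ip_address(value)
        return True
    except ValueError:
        return False

def extract_hosts(line: str) -> list[str]:
    """Return every domain or IP in one defanged line, lower-cased; e-mail addresses are skipped."""
    hosts = []
    for token in refang(line).split():
        if "@" in token:
            continue
        token = token.split("://", 1)[-1].split("/", 1)[0]   # drop scheme and path, keep host[:port]
        for cand in _CANDIDATE.findall(token):             # port digits carry no dot, so they drop out
            cand = cand.lower()
            if _is_ip(cand) or _DOMAIN.match(cand):
                hosts.append(cand)
    return hosts

def build_blocklist(lines) -> tuple[list[str], list[str]]:
    """Turn indicator lines into sorted, de-duplicated (domains, ips) lists for a blocklist."""
    domains, ips = set(), set()
    for host in (h for line in lines for h in extract_hosts(line)):
        (ips if _is_ip(host) else domains).add(host)
    return sorted(domains), sorted(ips)

# Constructed sample in the thread's style; reserved example names, not the thread's indicators.
SAMPLE_LINES = [
    "Spamvertised URL: hxxp ://www .example-spam .test/Shipping_Label.zip",
    "The payload is at [donotclick]example-payload .test:8080/forum/links/column.php on 192.0.2.10",
    "badhost .example - Email: registrant @ mail .example",
    "Name Server: NS1.EXAMPLE-NS .TEST - 198.51.100.7",
]
```

    Feed it the indicator lines only: detection names such as "Trojan.Zbot.HXT" look like domains to this heuristic and would be picked up as well.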
