
Thread: SPAM frauds, fakes, and other MALWARE deliveries...

  1. #601
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Fake 'Remittance Advice', 'CHRISTMAS OFFERS.docx' SPAM, NTP ...

    FYI...

    Fake 'Remittance Advice' SPAM - malicious Excel attachment
    - http://blog.dynamoo.com/2014/12/remi...omes-with.html
    23 Dec 2014 - "This -fake- remittance advice comes with a malicious Excel attachment.
    From: Whitney
    Date: 23 December 2014 at 09:12
    Subject: Remittance Advice -DPRC93
    Confidentiality and Disclaimer: This email and its attachments are intended for the addressee only and may be confidential or the subject of legal privilege.
    If this email and its attachments have come to you in error you must take no action based on them, nor must you copy them, distribute them or show them to anyone.
    Please contact the sender to notify them of the error...


    The reference in the subject varies, and the name of the attachment always matches (so in this case DPRC93.xls). There are in fact three different versions of the document, all of which have a malicious macro. At the moment, none of these are detected by anti-virus vendors [1] [2] [3]... the macro has now changed completely, as it now loads some of the data from the Excel spreadsheet itself and puts it into a file %TEMP%\windows.vbs. So far I have seen three different scripts... which download a component from one of the following locations:
    http ://185.48.56.133:8080/sstat/lldvs.php
    http ://95.163.121.27:8080/sstat/lldvs.php
    http ://92.63.88.100:8080/sstat/lldvs.php
    It appears that this email is downloaded as test.exe and is then saved as %TEMP%\servics.exe. The ThreatExpert report shows traffic to the following:
    194.146.136.1 (PE "Filipets Igor Victorovych", Ukraine)
    80.237.255.196 (Denes Balazs / HostEurope, Germany)
    85.25.20.107 (PlusServer AG, Germany)
    VirusTotal indicates a detection rate of just 3/54*, and identifies it as Dridex.
    Recommended blocklist:
    194.146.136.1
    80.237.255.196
    85.25.20.107
    185.48.56.133
    95.163.121.27
    92.63.88.100
    92.63.88.106

    Note that there are two IPs acting as downloaders in the 92.63.88.0/24 range (MWTV, Latvia). It may be that you would also want to block that range as well."
    1] https://www.virustotal.com/en/file/2...is/1419330172/

    2] https://www.virustotal.com/en/file/8...is/1419330170/

    3] https://www.virustotal.com/en/file/2...is/1419330172/

    * https://www.virustotal.com/en/file/a...is/1419333104/

    - http://myonlinesecurity.co.uk/remitt...l-xls-malware/
    23 Dec 2014
    > 22 Dec 2014 : PZDF16.xls Current Virus total detections: 0/55*:
    TKBJ98.xls Current Virus total detections: 0/55**
    * https://www.virustotal.com/en/file/2...is/1419328785/

    ** https://www.virustotal.com/en/file/e...is/1419329398/

    - http://blog.mxlab.eu/2014/12/23/emai...licious-macro/
    Dec 23 2014
    > https://www.virustotal.com/en/file/e...e6b5/analysis/
    ___

    Fake 'CHRISTMAS OFFERS.docx' SPAM - Word doc malware
    - http://myonlinesecurity.co.uk/jayne-...d-doc-malware/
    23 Dec 2014 - "'CHRISTMAS OFFERS.docx' pretending to come from Jayne <Jayne@ route2fitness .co.uk> with a malicious word doc attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email body is completely -blank- . As per usual there are at least 2 different file sizes of this malware although all are named exactly the same.

    22 Dec 2014: CHRISTMAS OFFERS.doc (41 kb) . Current Virus total detections: 0/55* : CHRISTMAS OFFERS.doc (44 kb) . Current Virus total detections: 0/56**
    Downloads dridex Trojan from microinvent .com//js/bin.exe which is moved to and run from %temp%1\V2MUY2XWYSFXQ.exe Virus total*** ..."
    * https://www.virustotal.com/en/file/0...is/1419327481/

    ** https://www.virustotal.com/en/file/2...is/1419327349/

    *** https://www.virustotal.com/en/file/d...is/1419334606/

    - http://blog.mxlab.eu/2014/12/23/empt...licious-macro/
    Dec 23, 2014
    > https://www.virustotal.com/en/file/2...5d9c/analysis/
    ___

    Network Time Protocol Vulnerabilities
    - https://ics-cert.us-cert.gov//advisories/ICSA-14-353-01
    Dec 22, 2014 - "... vulnerabilities could be exploited remotely. Exploits that target these vulnerabilities are publicly available. Products using NTP service prior to NTP-4.2.8 are affected. No specific vendor is specified because this is an open source protocol.
    IMPACT: Exploitation of these vulnerabilities could allow an attacker to execute arbitrary code with the privileges of the ntpd process..."

    - https://web.nvd.nist.gov/view/vuln/d...=CVE-2014-9295 - 7.5 (HIGH)

    - http://arstechnica.com/security/2014...rvers-at-risk/
    Dec 19 2014

    Last edited by AplusWebMaster; 2014-12-24 at 00:21.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .
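    As an added check (my own example, not code from the advisory or the original post): a Python helper that parses the version string an ntpd reports, for instance the version="..." variable of ntpq -c rv, and applies the advisory's threshold of NTP 4.2.8. The version strings in the comments and tests are constructed samples.

```python
import re
import subprocess

# Threshold from ICSA-14-353-01 quoted above: releases before 4.2.8 are affected.
FIXED_VERSION = (4, 2, 8, 0)

# Prefer the number that follows 'ntpd ' so an OS version such as
# system="Linux/3.13.0" in ntpq output is not mistaken for the daemon version.
_PREFIXED_RE = re.compile(r"ntpd\s+(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")
_BARE_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")


def parse_ntp_version(text):
    """Return (major, minor, micro, patch) from strings such as
    'ntpd 4.2.6p5@1.2349-o' or the version="..." variable of 'ntpq -c rv'.
    A missing pN patch level counts as 0. Returns None if nothing matches."""
    m = _PREFIXED_RE.search(text) or _BARE_RE.search(text)
    if m is None:
        return None
    major, minor, micro, patch = m.groups()
    return (int(major), int(minor), int(micro), int(patch or 0))


def is_vulnerable(text):
    """True when the reported version is older than 4.2.8. Tuple comparison
    covers the edge case of 4.2.7pNNN development builds: however large the
    patch number, micro 7 < 8 keeps them below the fixed release."""
    version = parse_ntp_version(text)
    if version is None:
        raise ValueError("no ntpd version found in %r" % text)
    return version < FIXED_VERSION


def check_local_ntpd(timeout=5):
    """Query the local daemon with 'ntpq -c rv' and classify it as
    'vulnerable', 'patched' or 'unknown' (ntpq absent or no answer)."""
    try:
        proc = subprocess.run(["ntpq", "-c", "rv"], capture_output=True,
                              text=True, timeout=timeout)
    except (OSError, subprocess.TimeoutExpired):
        return "unknown"
    if parse_ntp_version(proc.stdout) is None:
        return "unknown"
    return "vulnerable" if is_vulnerable(proc.stdout) else "patched"


if __name__ == "__main__":
    print(check_local_ntpd())
```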

  2. #602 AplusWebMaster

    MBR Wiper attacks strike Korean Power Plant, Fake 'Signature Invoice' SPAM ...

    FYI...

    MBR Wiper attacks strike Korean Power Plant
    - http://blog.trendmicro.com/trendlabs...n-power-plant/
    Dec 23, 2014 - "In recent weeks, a major Korean electric utility has been affected by destructive malware, which was designed to wipe the master boot records (MBRs) of affected systems. It is believed that this MBR wiper arrived at the target systems in part via a vulnerability in the Hangul Word Processor (HWP), a commonly used application in South Korea. A variety of social engineering lures were used to get would-be victims to open these files. Below is a quick overview of the attack with the infection chain starting from a spearphishing email sent to the employees’ inboxes:
    > http://blog.trendmicro.com/trendlabs...MBR-wiper3.png
    We detect the malware as TROJ_WHAIM.A*, which is a fairly straightforward MBR wiper. In addition to the MBR, it also overwrites files that are of specific types on the affected system. It installs itself as a service on affected machines to ensure that it will run whenever the system is restarted... it uses file names, service names, and descriptions of actual legitimate Windows services. This ensures that a cursory examination of a system’s services may not find anything malicious, helping this threat -evade- detection... This particular MBR-wiping behavior, while uncommon, has been seen before. We observed these routines in March 2013 when several attacks hit various South Korean government agencies resulting in major disruptions to their operations. The malware involved in this attack overwrote the MBR with a series of the words PRINCPES, HASTATI, or PR!NCPES. The recent attack on Sony Pictures also exhibited a similar MBR-wiping capability. There are also similarities to the previous MBR wiper attacks as well. All three attacks mentioned earlier overwrite the MBR with certain repeated strings... These attacks highlight our findings about the destructive, MBR-wiping malware that appear to have become a part of the arsenal of several threat actors. This is a threat that system administrators will have to deal with, and not all targeted attack countermeasures will be effective. Techniques to mitigate the damage that these attacks cause should be considered as a part of defense-in-depth networks.
    Update as of 11:29 P.M. PST, December 23, 2014
    Upon further analysis, we confirmed that TROJ_WHAIM.A checks if the current date and time is Dec 10, 2014 11:00 AM or later. If it meets this condition, it sets the registry, HKEY_LOCAL_MACHINE\SOFTWARE\PcaSvcc\finish to 1, thus triggering the MBR infection. Otherwise, it sleeps for a minute and checks the system time again. Aside from the MBR infection capabilities and overwriting certain strings, another similarity of this attack to the March 2013 incident is its ‘time bomb’ routine. A certain action is set in motion once the indicated date/time by the attackers is reached by the infected system."
    * http://www.trendmicro.com/vinfo/us/t...e/troj_whaim.a
    "To restore your system's Master Boot Record (MBR)..."

    South Korea seeks China's cooperation in probe into cyberattack on nuclear operator
    - http://www.reuters.com/article/2014/...0K20DT20141224
    Dec 24, 2014 - "... Connections to South Korean virtual private networks (VPNs) used in the cyberattacks were traced to multiple IP addresses in China's Shenyang city, located in a province which borders North Korea..."

    Japan, wary of North Korea, works to secure infrastructure after Sony attack
    - http://www.reuters.com/article/2014/...0K20IX20141224
    Dec 24, 2014 - "Japan, fearing it could be a soft target for possible North Korean cyberattacks in the escalating row over the Sony Pictures hack, has begun working to ensure basic infrastructure is safe and to formulate its diplomatic response, officials said... The government's National Information Security Center, working through various ministries, is pressing companies to improve their security from cyberattacks..."

    Attack maps: http://map.ipviking.com/
    ___

    Fake 'Signature Invoice' SPAM - malicious attachment
    - http://blog.dynamoo.com/2014/12/malw...-wellings.html
    24 Dec 2014 - "Teckentrup Depot UK is a legitimate UK company, but these emails are -not- from Teckentrup Depot and they contain a malicious attachment. Teckentrup Depot has not been hacked, their database has not been compromised, and they are -not- responsible for this in any way.
    From: Rhianna Wellings [Rhianna@ teckentrupdepot .co.uk]
    Date: 24 December 2014 at 07:54
    Subject: Signature Invoice 44281
    Your report is attached in DOC format.
    To load the report, you will need the Microsoft® Word® reader...


    Attached is a malicious Word document called Signature Invoice.doc which comes in two different versions, both of which are undetected by AV vendors [1] [2]. Each one contains a different macro... which then downloads an additional component from one of these two locations:
    http ://Lichtblick-tiere .de/js/bin.exe
    http ://sunfung .hk/js/bin.exe
    The file is saved into the location %TEMP%\1V2MUY2XWYSFXQ.exe and currently has a VirusTotal detection rate of just 4/56*. The ThreatExpert report shows traffic to the following IPs:
    74.208.11.204 (1&1 Internet, US)
    81.169.156.5 (Strato AG, Germany)
    59.148.196.153 (HKBN, Hong Kong)
    According to the Malwr report it also drops a malicious DLL with a detection rate of 24/56**, detected as the Dridex banking trojan.
    Recommended blocklist:
    74.208.11.204
    81.169.156.5
    59.148.196.153
    lichtblick-tiere .de
    sunfung .hk"
    1] https://www.virustotal.com/en/file/4...is/1419412603/

    2] https://www.virustotal.com/en/file/5...is/1419412612/

    * https://www.virustotal.com/en/file/1...is/1419413157/

    ** https://www.virustotal.com/en/file/f...is/1419417434/

    - http://myonlinesecurity.co.uk/rhiann...d-doc-malware/
    24 Dec 2014 : Signature Invoice.doc . Current Virus total detections: 0/56*: 0/56**
    * https://www.virustotal.com/en/file/4...is/1419409093/

    ** https://www.virustotal.com/en/file/5...is/1419409548/
    ___

    Fake Christmas offers infect PCs with banking Trojan
    - https://blog.malwarebytes.org/fraud-...anking-trojan/
    Dec 24, 2014 - "... The email is accompanied by a Word document with a catchy name: CHRISTMAS OFFERS.docx:
    > https://blog.malwarebytes.org/wp-con...as_message.png
    ... the document is blank and requires the user to enable macros in order to view it. By default Microsoft Office disables macros, a handy automation feature but also a huge security risk. This is where the social engineering lies and the crooks are counting on people so eager to see the promised content that they will push the button and get infected. Macros enable you to create scripts that automate repetitive tasks within a document, for example copying content from one page and pasting it with a different font and color on another. At the same time, a macro can be used to perform a malicious action, which happens to be the case here.
    > https://blog.malwarebytes.org/wp-con...2/word_doc.png
    ... What happens if you were to trust the document? A remote file is downloaded from
    hxxp ://jasoncurtis .co.uk/js/bin.exe and ran from the temp folder... It is known as Dridex, a banking Trojan... Macro malware often relies on social engineering to convince the mark to open a file and disable the default protection. It is not terribly sophisticated but yet it has seen a bit of a revive in recent months with -spam- being the preferred delivery method. The best protection against these types of threats is to be particularly cautious before opening attachments, even if they are ‘classic’ Microsoft Office documents... This holiday season, whether you believe in Santa or not, please be extra cautious with offers that sound too good to be true. The bad guys like to make believe, but we’d rather leave them empty handed or send them off with a lump of coal."
    ___

    Fake 'Postal Notification' SPAM - malicious notification.exe
    - http://blog.mxlab.eu/2014/12/24/fake...ification-exe/
    Dec 24, 2014 - "... intercepted a new trojan distribution campaign by email with the subject “Postal Notification Service”. This email is sent from the spoofed address “Fedex >” <voyeuristicxd@ jackpowerspiritbind .us> and has the following body:

    Screenshot: http://img.blog.mxlab.eu/2014/20141224_fedex.gif

    The embedded URL, in our sample hxxp ://appimmobilier .com/notification.exe, will download the 58 kB large file notification.exe. The trojan is known as Win32/TrojanDownloader.Wauchos.AF, UDS:DangerousObject.Multi.Generic or Win32.Trojan.Inject.Auto. At the time of writing, 3 of the 56 AV engines did detect the trojan at Virus Total*..."
    * https://www.virustotal.com/en/file/d...0be8/analysis/

    Last edited by AplusWebMaster; 2014-12-25 at 15:47.

  3. #603 AplusWebMaster

    Phish - "Your Netflix Account Has Been Suspeded", 64-bit Version of HAVEX malware ...

    FYI...

    Phish - "Your Netflix Account Has Been Suspeded"
    - http://blog.mxlab.eu/2014/12/29/phis...been-suspeded/
    Dec 29, 2014 - "... intercepted a phishing campaign by email with the subject “Your Netflix Account Has Been Suspeded [#654789]”. This email is sent from the spoofed address “secure@ netflix .ssl .co.uk” <secure@ netflix .ssl .co.uk> and has the following body:

    Screenshot: http://img.blog.mxlab.eu/2014/20141229_netflix_1.gif

    In our sample, the URL takes us to the phishing site located at hxxp ://netflix-validation- uk .co .uk/~netflix/authcode.22e2839f6ea44972845f1e0b02f397ba/email_identifier=71a605276e146b93e52b0c1bfb98ade285c337b0a6b7e5f3f560fd5bb11f1d1c/d0446fac4ba6feceb507af17e1b0bca8/Login.php
    This shows us an identical copy of the official Netflix login page. Screenshot of the member login form on the phishing web site:
    > http://img.blog.mxlab.eu/2014/20141229_netflix_2.gif
    After submitting the login and password, the phishing process begins by asking to fill in our billing information.
    > http://img.blog.mxlab.eu/2014/20141229_netflix_3.gif
    Followed by filling in our credit card details:
    > http://img.blog.mxlab.eu/2014/20141229_netflix_4.gif
    Our account seems to be updated and we can continue:
    > http://img.blog.mxlab.eu/2014/20141229_netflix_5.gif
    ... straight to the official Netflix login site:
    > http://img.blog.mxlab.eu/2014/20141229_netflix_6.gif "
    ___

    64-bit Version of HAVEX seen - ICS
    - http://blog.trendmicro.com/trendlabs...havex-spotted/
    Dec 29, 2014 - "The remote access tool (RAT) HAVEX* became the focus of the security industry after it was discovered to have played a major role in a campaign targeting industrial control systems (ICS). While observing HAVEX detections (known by different vendors as Dragonfly, Energetic Bear, and Crouching Yeti), we noticed something interesting. The Dragonfly campaign was previously believed to be compatible only with 32-bit versions, as most mission-critical systems would most likely run Windows XP, which has since been listed as end of support. In contrast, we came across two interesting infections running on Windows 7 systems. First 64-bit HAVEX Sighting: Based on our analysis (seen in the chain below), a file called TMPprovider023.dll, detected as BKDR64_HAVEX.A, was found, which creates several files in the file system. It should be noted that TMPprovider0<2-digit version number>.dll is a known indicator of HAVEX and is the component of this threat that interacts with the command-and-control (C&C) servers to perform downloads or receive execution commands associated with it.
    > File installation chain: http://blog.trendmicro.com/trendlabs...2/64havex1.jpg
    ... we’re seeing three indicators of BKDR_HAVEX:
    - The file TMPProvider023.dll, as indicated above, with the number indicating the version of this HAVEX RAT (v023)
    - A dropped file named 34CD.tmp.dll, detected as BKDR_HAVEX.SM. At this point, the file is being repeatedly detected and quarantined by the installed Trend Micro product. This was later found out to be version 29 or v029 of HAVEX.
    - C&C communication from the host and back
    ... a 64-bit file, was upgraded to a 32-bit v029 HAVEX RAT. This now brings us to four files that seem to be interrelated in one single infection, as seen below:
    File name                  SHA1                                      Compile Date  Architecture
    %TEMP%\TMPprovider023.dll  997C0EDC9E8E67FA0C0BC88D6FDEA512DD8F7277  2012-10-03    AMD64
    %TEMP%\34CD.tmp.dll        CF5755D167077C1F8DEEDDEAFEBEA0982BEED718  2013-04-30    I386
    %TEMP%\734.tmp.dll         BFDDB455643675B1943D4E33805D6FD6884D592F  2013-08-16    I386
    %TEMP%\4F2.tmp.dll         8B634C47087CF3F268AB7EBFB6F7FBCFE77D1007  2013-06-27    I386
    ... In this particular infection, the v023 HAVEX file was using the same command-and-control server as that of the v029 HAVEX file... Currently, we have seen at least four IP addresses communicating to the command-and-control server, two of which have exhibited the behavior of upgrading the version of the C&C module of the HAVEX RAT... the HAVEX RAT has gone through several iterations—used in campaigns with ICS/SCADA and even pharmaceutical targets, nothing prevents it from being used again and again. ICS operators have to take note that the structure of the HAVEX binaries resembles much of what we see in common Windows malware – more so now that we’ve seen Windows 7 64-bit infections. It is thereby important to validate software being installed on endpoints within the environment, and to frequently monitor HTTP traffic..."
    (More detail at the trendmicro URL at the top of this post.)
    * Havex infection (ICS)/SCADA systems chain:
    > http://about-threats.trendmicro.com/...es/HAVEX_2.jpg

    Last edited by AplusWebMaster; 2014-12-29 at 23:47.
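    An added host-triage helper (my own example, not code from Trend Micro, Dynamoo, MyOnlineSecurity or this forum post) that checks a file inventory, exported registry values and a boot sector against the indicators quoted in this post and the two before it: the Dridex drop names (windows.vbs, servics.exe, 1V2MUY2XWYSFXQ.exe), the TROJ_WHAIM.A registry marker, the HAVEX TMPprovider0NN.dll naming and the SHA1 values in the table above, plus a check for the repeated-string overwrite the MBR wipers leave behind. The paths, registry data and sample sectors are constructed.

```python
import hashlib
import re
from pathlib import PureWindowsPath

# Drop names reported by Dynamoo / MyOnlineSecurity for the Dridex runs.
DRIDEX_DROPS = {
    "windows.vbs",         # script the Remittance Advice macro writes to %TEMP%
    "servics.exe",         # downloaded test.exe saved as %TEMP%\servics.exe
    "1v2muy2xwysfxq.exe",  # Signature Invoice / CHRISTMAS OFFERS download
}
# TMPprovider0<2-digit version>.dll is the HAVEX component that talks to the C&C.
HAVEX_PROVIDER_RE = re.compile(r"^tmpprovider0(\d{2})\.dll$", re.IGNORECASE)
# SHA1 values from the Trend Micro table quoted in this post.
HAVEX_SHA1 = {
    "997c0edc9e8e67fa0c0bc88d6fdea512dd8f7277": "TMPprovider023.dll (AMD64, v023)",
    "cf5755d167077c1f8deeddeafebea0982beed718": "34CD.tmp.dll (I386, v029)",
    "bfddb455643675b1943d4e33805d6fd6884d592f": "734.tmp.dll (I386)",
    "8b634c47087cf3f268ab7ebfb6f7fbcfe77d1007": "4F2.tmp.dll (I386)",
}
# TROJ_WHAIM.A sets this value to 1 once its Dec 10 2014 11:00 trigger time passes.
WHAIM_MARKER = r"hkey_local_machine\software\pcasvcc\finish"


def sha1_hex(data):
    """Hex SHA1 of file contents, for comparison against HAVEX_SHA1."""
    return hashlib.sha1(data).hexdigest()


def check_file(path, sha1=None):
    """Return findings for one Windows path; sha1 is the file's hex digest
    when the collector already computed it (None otherwise)."""
    name = PureWindowsPath(path).name
    findings = []
    if name.lower() in DRIDEX_DROPS:
        findings.append("Dridex dropper artifact: " + name)
    m = HAVEX_PROVIDER_RE.match(name)
    if m:
        findings.append("HAVEX C&C module v0%s: %s" % (m.group(1), name))
    if sha1 and sha1.lower() in HAVEX_SHA1:
        findings.append("SHA1 matches " + HAVEX_SHA1[sha1.lower()])
    return findings


def check_registry(values):
    """values maps registry value paths to their data (e.g. parsed from a
    hive export). Flags the WHAIM time-bomb marker when it is set to 1."""
    findings = []
    for path, data in values.items():
        if path.lower() == WHAIM_MARKER and str(data) == "1":
            findings.append("TROJ_WHAIM.A trigger marker set: " + path)
    return findings


def inspect_mbr(sector):
    """Classify a 512-byte boot sector. The wipers discussed above overwrite
    the MBR with a short repeated string, which destroys the 55AA boot
    signature and leaves a sector with a very short repeat period."""
    if len(sector) != 512:
        raise ValueError("MBR must be exactly 512 bytes")
    signature_ok = sector[510:512] == b"\x55\xaa"
    pattern = None
    for period in range(1, 33):            # repeated strings of up to 32 bytes
        if sector == (sector[:period] * 512)[:512]:
            pattern = sector[:period]
            break
    return {"signature_ok": signature_ok, "repeated_pattern": pattern,
            "looks_wiped": (not signature_ok) or pattern is not None}


if __name__ == "__main__":
    # Constructed inventory, not data from a real host.
    inventory = [
        (r"C:\Users\ops\AppData\Local\Temp\TMPprovider023.dll", None),
        (r"C:\Users\ops\AppData\Local\Temp\34CD.tmp.dll",
         "cf5755d167077c1f8deeddeafebea0982beed718"),
        (r"C:\Users\ops\AppData\Local\Temp\servics.exe", None),
        (r"C:\Windows\System32\kernel32.dll", None),
    ]
    for path, digest in inventory:
        for finding in check_file(path, digest):
            print(path, "->", finding)
    for finding in check_registry({r"HKEY_LOCAL_MACHINE\SOFTWARE\PcaSvcc\finish": 1}):
        print(finding)
    print(inspect_mbr(b"HASTATI " * 64))   # constructed wiped sector
```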

  4. #604 AplusWebMaster

    'Worm' removed at hacked nuclear plant, Target hacks hit OneStopParking .com, MORE...

    FYI...

    'Worm' removed at hacked South Korea nuclear operator
    - http://www.reuters.com/article/2014/...0K80J620141230
    Dec 30, 2014 - "South Korean authorities have found evidence that a low-risk computer "worm" had been removed from devices connected to some nuclear plant control systems, but no harmful virus was found in reactor controls threatened by a hacker. Korea Hydro & Nuclear Power Co Ltd said it would beef up cyber security by hiring more IT security experts and forming an oversight committee, as it came in for fresh criticism from lawmakers following recent hacks against its headquarters. The nuclear operator, part of state-run utility Korea Electric Power Corp, said earlier this month that non-critical data had been stolen from its systems, while a hacker threatened in Twitter messages to close three reactors. The control systems of the two complexes housing those reactors had not been exposed to any malignant virus, Seoul's energy ministry and nuclear watchdog said in a joint statement on Tuesday, adding the systems were -inaccessible- from external networks. The nuclear plant operator said on Tuesday it was increasing the number of staff devoted to cyber security from 53 to around 70, and would set up a committee of internal and external experts to oversee security..."
    ___

    Target hacks hit OneStopParking .com
    - http://krebsonsecurity.com/2014/12/t...opparking-com/
    Dec 30, 2014 - "Parking services have taken a beating this year at the hands of hackers bent on stealing credit and debit card data. This week’s victim — onestopparking .com — comes compliments of the same organized crime gang thought to be responsible for stealing tens of millions of card numbers from shoppers at Target and Home Depot. Late last week, the cybercrime shop best known for being the first to sell cards stolen in the Target and Home Depot breach moved a new batch of cards taken from an unknown online merchant. Several banks contacted by KrebsOnSecurity acquired cards from this batch, and determined that all had one thing in common: They’d all been used at onestopparking .com, a Florence, Ky. based company that provides low-cost parking services at airport hotels and seaports throughout the United States. Contacted about the suspicious activity that banks have traced back to onestopparking .com, Amer Ghanem, the site’s manager, said the company began receiving complaints from customers about a week before Christmas...
    Cards from the “Solidus” base at Rescator map back to One Stop Parking
    > http://krebsonsecurity.com/wp-conten...us-600x291.png
    This was the second time in as many weeks that this cybercrime shop — Rescator[dot]cm — has put up for sale a batch of credit cards stolen from an online parking service: On Dec. 16, KrebsOnSecurity reported that the same shop was selling cards stolen from Park-n-Fly, a competing airport parking reservation service. Sometime over the past few days, Park-n-Fly announced it was suspending its online service... a security update posted on the company’s site*. Park ‘N Fly noted that it is still taking reservations over the phone... Last month, SP Plus — a Chicago-based parking facility provider — said** payment systems at 17 parking garages in Chicago, Philadelphia and Seattle were -hacked- to capture credit card data after thieves installed malware to access credit card data from a remote location. Card data stolen from those SP+ locations ended up for sale on a competing cybercrime -store- called Goodshop. In Missouri, the St. Louis Parking Company recently disclosed*** that it learned of a breach involving card data -stolen- from its Union Station Parking facility between Oct. 6, 2014 and Oct. 31, 2014."
    * http://www.pnf.com/security-update/

    ** http://www.qconline.com/news/illinoi...eecb95eb1.html

    *** http://stlouisparking.com/press-release/
    ___

    Instagram Profile Deletion Hoax
    - https://blog.malwarebytes.org/fraud-...deletion-hoax/
    Dec 30, 2014 - "... accounts on Instagram claiming a mass purge is coming on January 1, 2015 unless your account is “verified”, with the aid of a so-called Verification Arrow. Profiles such as the one below (with 110k followers at time of writing) are receiving a fair amount of traction with between 5,000-8,000 likes per image (I got 6 for a picture of a cat once), stating:

    If your account doesn't have a picture of an arrow next to it then it's in the process of being deleted. To get your arrow, please follow the instructions below
    1) Follow @verifyingarrows
    2) Repost our photo
    3) Tag @verifyingarrows
    4) Hashtag #verifyingarrows

    Screenshot: https://blog.malwarebytes.org/wp-con...nstaarrow2.jpg
    Here’s a similar profile – now deleted – which managed to grab 245k followers before being banned itself:
    > https://blog.malwarebytes.org/wp-con...nstaarrow1.jpg
    The “arrow” in question appears to be nothing more than a drop down box on profiles which suggests accounts similar to the one you’re looking at. It has -nothing- to do with profile verification or dodging deletion waves. Regardless, panicked Instagram users appear to be jumping on the ban(d)wagon and doing what they can to fend off a profile extinction event that is never going to arrive. In terms of what the ultimate end game is with all of this, it’s a case of wait and see for the time being. This is either just a -hoax- for the sake of it, or maybe the accounts asking people to bolster their visibility on Instagram will suddenly start selling something come the New Year. Whatever they’re up to, you can safely -ignore- these profiles and carry on taking selfies and pictures of sandwiches, with or without a filter."
    ___

    Apple Store 'Transaction Cancellation Form' Phish...
    - http://www.hoax-slayer.com/apple-sto...ing-scam.shtml
    Dec 30, 2014 - "According to this email, which purports to be from Apple, you have purchased a TomTom from the Apple Store (GPS car navigation system). The email explains that, if you did not authorise the TomTom purchase, you should click-a-link-to-access an Apple Store Transaction Cancellation Form. Supposedly, by filling in the form, the purchase will be cancelled and you will receive a full refund. However, the email is -NOT- from Apple and the claim that you have bought a Tom Tom is just a ruse designed to trick you into clicking the 'cancel' link.
    Clicking the link takes you to a website that hosts a -fake- Apple Store 'Cancellation' form. The -fake- form asks you to provide name and contact details as well as your credit card and banking information.
    Clicking the 'Cancel Transaction' button will send all of your information to criminals who can then use it to commit financial -fraud- and identity theft.

    The scammers bank on the fact that at least a few recipients of the email will be -panicked- into clicking the link and supplying their information in the mistaken belief that someone has made fraudulent purchases in their name."
    > http://www.hoax-slayer.com/images/ap...ing-scam-1.jpg

    Last edited by AplusWebMaster; 2014-12-30 at 23:29.

  5. #605 AplusWebMaster

    'NetGuard Toolbar' SPAM, PUP borrows tricks from malware authors

    FYI...

    'NetGuard Toolbar' SPAM
    - http://blog.dynamoo.com/2014/12/netg...pcom-spam.html
    31 Dec 2014 - "Sometimes a spam comes through and it isn't immediately obvious what they are trying to do:
    From: Brad Lorien [bclorien@ ngcmp .com]
    Date: 31 December 2014 at 01:12
    Subject: Real estate (12/30/2014)
    Our company reaches an online community of almost 41 million people,
    who are mostly US and Canadian based. We have the ability to present
    our nearly 41 million strong network with a best, first choice when
    they are looking online for what your company does.
    We are seeking a preferred choice to send our people who are looking
    for real estate in Abilene and surrounding markets.
    I’m in the office weekdays from 9:00 AM to 5:00 PM Pacific time.
    Best regards,
    Brad Lorien
    Network Specialist, SPS EServices
    Phone: (877) 489.2929, ext. 64


    There is no link or attachment in the email. So presumably the spammer is soliciting replies to the email address bclorien@ ngcmp .com which is a valid address. The domain ngcmp.com uses a mail server mail.ngcmp .com to receive email messages, hosted on 38.71.66.127 (PSInet / Virtual Empire, US)... the spam was sent via a relay at 38.71.66.126 which is one IP different from the server handling incoming mail, which pretty much firmly identifies that whoever controls the ngcmp .com domain is actually sending the spam. The mail headers also identify the originating IP as well as the relay, which is a Verizon Wireless customer at 75.215.49.211, possibly someone sending spam using throwaway cell phones to avoid being traced. An examination of those two PSInet addresses shows the following domains are associated with them:
    ncmp .co
    ngmp .co
    ngcmp .com
    ng-portal .com
    ngcmp .net
    ng-central .net
    luxebagscloset .com
    reviewwordofmouth .com
    All of these domains have -anonymous- WHOIS details, but you can see that there is a common pattern here. I don't recommend that you visit spam sites... I did in this case to see what it was about:
    > https://2.bp.blogspot.com/-HeHlNoeUd...0/netguard.png
    This is basically -adware- . Going back to the original spam message, these "41 million people" are presumably suckers who have downloaded this crap, and NG Systems are busy spamming out to find more low-life advertisers to fill up their network... Predictably, there seems to be -no- such corporation as "NG Systems", but if you download the Toolbar it turns out it is digitally -signed- by a company called "IP Marketing Concepts, Inc." ... The executable itself is tagged by only one AV engine* as malicious, but VirusTotal does note that it looks like a PUA. Malwr notes** that individual components appear to be Russian in origin. So all in all, this spam is being sent out by a company that goes a very, very long way to disguise its origins..."
    * https://www.virustotal.com/en/file/7...is/1420024818/

    ** https://malwr.com/analysis/ZjdjZDYzM...RjNTUyNjhmNjM/
    ___

    PUP borrows tricks from malware authors
    - https://blog.malwarebytes.org/fraud-...lware-authors/
    Dec 31, 2014 - "... These days it is getting harder and harder to download a program from its official source, in its original format, without additional pieces of software bundled to it:
    > https://blog.malwarebytes.org/wp-con...ck-965x395.png
    Companies specializing in so-called ‘download assistants’ or ‘download managers’ claim that they:
    - Provide a value added service to users by suggesting additional programs tailored to the users’ needs.
    - Offer a way for software manufacturers to monetize their free applications.

    Let’s have a look for ourselves by checking an installer for the Adobe Flash Player. The details are as follows:
    Name: adobe_flash_setup.exe
    Size: 809.0 KB
    MD5: d549def7dd9006954839a187304e3835
    imphash: 884310b1928934402ea6fec1dbd3cf5e

    Out of the box: The first thing we noticed was that the program behaves differently whether it is launched on a real physical machine or a Virtual Machine:
    > https://blog.malwarebytes.org/wp-con...a-1024x782.png
    In a VM such as VirtualBox, the installer skips all the bundled offers and goes straight for the Flash Player... There might be a few reasons for this:
    To avoid unnecessary impressions and installs on ‘fake’ systems that would skew metrics.
    To appear as a ‘clean’ installer when installed on automated sandboxes or by hand from security researchers.

Anti-VM behavior does not necessarily mean that the application is malicious, but it -is- something that many malware authors use... The certificate details show that said company is located in Tel Aviv, Israel and a VirusTotal scan* hints at a connection with InstallCore, a “digital content delivery platform”... There are also various other offers bundled in this installer, courtesy of a “distributer” called Entarion Ltd., with an “address” conveniently located in Cyprus, well-known as a safe haven for offshore companies... Malwarebytes’ criteria for listing a program as a PUP can be viewed here**. The list is pretty thorough and will most likely continue to evolve as PUP makers diversify their operations. Consumers should be able to make educated choices rather than being misled down a path that they didn’t intend to take..."
    * https://www.virustotal.com/en/file/7...6d0b/analysis/

    ** https://www.malwarebytes.org/pup/

    Last edited by AplusWebMaster; 2014-12-31 at 22:28.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  6. #606
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

Evil network: 217.71.50.0/24 ...

    FYI...

    Evil network: 217.71.50.0/24 / ELTAKABEL-AS / TXTV d.o.o. Tuzla / aadeno@ inet .ba
    - http://blog.dynamoo.com/2014/12/evil...akabel-as.html
31 Dec 2014 - "This post by Brian Krebs* drew my attention to a block of Bosnian IP addresses with an unusually bad reputation. The first clue is given by Google's safe browsing diagnostics**...
    ** http://www.google.com/safebrowsing/d...site=AS:198252
    Some of those domains rang a bell to do with recent malware attacks. One odd thing that struck me was that this is a sparsely populated but relatively large*** collection of IP addresses that appear to be mostly allocated to broadband customers rather than web hosts. An investigation into what was lurking in this AS highlighted a problem block of 217.71.50.0/24 which contains very -many- bad sites...
    *** http://bgp.he.net/AS198252#_prefixes
    ... appears to be a block suballocated to someone using the email address aadeno@ inet .ba. I took a look at the sites hosted in this /24... There are 37 malicious websites (identified by Google) out of 185 that I found in this network range. The usual level of badness tends to be around 1%, but here it is 20%. Looking at the domains, it appears that there is nothing at all of value here and you can probably count them all as malicious.
    Recommended blocklist:
    217.71.50.0/24 ..."
    (Long list at the dynamoo URL at the top.)

    * http://krebsonsecurity.com/2014/12/l...trail-of-fail/


  7. #607

binarysmoney .com / clickmoneys .com / thinkedmoney .com "job" SPAM

    FYI...

    binarysmoney .com / clickmoneys .com / thinkedmoney .com "job" SPAM
    - http://blog.dynamoo.com/2015/01/bina...moneyscom.html
    2 Jan 2015 - "I've been plagued with these for the past few days:
    Date: 2 January 2015 at 11:02
    Subject: response
    Good day!
    We considered your resume to be very attractive and we thought the vacant position in our company could be interesting for you.
    We cooperate with different countries and currently we have many clients in the world.
    Part-time and full-time employment are both currently important.
    We offer a flat wage from $1500 up to $5000 per month.
    The job offers a good salary so, interested candidates please registration on the our site: www .binarysmoney .com
    Attention! Accept applications only on this and next week.
    Respectively submitted
    Personnel department


    Subject lines include:
    New employment opportunities
    Staff Wanted
    Employment invitation
    new job
    New job offer
    Interesting Job
    response
    Spamvertised sites seen so far are binarysmoney .com, clickmoneys .com and thinkedmoney .com, all multihomed on the following IPs:
    46.108.40.76 (Adnet Telecom / "Oancea Mihai Gabriel Intreprindere Individuala", Romania)
    201.215.67.43 (VTR Banda Ancha S.A., Chile)
    31.210.63.94 (Hosting Internet Hizmetleri Sanayi Ve Ticaret Anonim Sirketi, Turkey)
    Another site hosted on these IPs is moneyproff .com. All the domains have apparently -fake- WHOIS details.
    It looks like a money mule spam, but in fact it leads to some binary options trading crap.
    > http://2.bp.blogspot.com/-91ORuyJxnp...ry-options.jpg
    ... that's just a Shutterstock stock photo that is pretty widely used on the web. In fact, everything about this whole thing is a cookie-cutter site with text and images copied from elsewhere. Binary options are a haven for scammers, and my opinion is that this is such a -scam- given the spammy promotion and hidden identity of the operators. I would recommend that you avoid this and also block traffic to the following IPs and domains:
    46.108.40.76
    201.215.67.43
    31.210.63.94
    clickmoneys .com
    thinkedmoney .com
    binarysmoney .com
    moneyproff .com
    "


  8. #608

Fake 'Thank you' SPAM - malware

    FYI...

    Fake 'Thank you' SPAM - malware
    - http://myonlinesecurity.co.uk/thank-...i-pro-malware/
    3 Jan 2015 - "'Thank you for buying from Acrobat XI Pro' pretending to come from Plimus Sales <receipt@ plimus .com> with a link to a malicious website is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Plimus is a genuine affiliate marketing service/reseller/payment gateway for many software companies including Adobe. If you look carefully at the email, you can see the links are to IPLIMUS -not- plimus...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...obat-XI-Pr.jpg

3 January 2015: adbx1pro.exe | Current VirusTotal detections: 25/56*
This is another one of the spoofed icon files that unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/8...is/1420298571/


  9. #609

Phish - 'Tesco Important Notification' ...

    FYI...

    Phish - 'Tesco Important Notification' ...
    - http://myonlinesecurity.co.uk/tesco-...tion-phishing/
5 Jan 2015 - "'Tesco Important Notification' pretending to come from Tesco .com offering you -free- Tesco vouchers is one of the latest -phish- attempts to steal your Tesco bank account and your other personal details. This one wants your personal details, Tesco log in details and your credit card and bank details. Many of them are also designed to specifically steal your email, facebook and other social network log in details as well. If you are unwise enough to fill in the personal details and security questions, there is a very high likelihood that information could be used to compromise any other account or log in ANYWHERE on the net... don’t ever click the link in the email. If you do it will lead you to a website that looks at first glance like the genuine Tesco -bank- website but you can clearly see in the address bar, that it is -fake- ... Some versions of this -phish- will ask you to fill in the HTML (webpage) form that comes attached to the email...

    If you follow the link you see a webpage looking like:
    > http://myonlinesecurity.co.uk/wp-con...1-1024x606.jpg

    Then you get a page asking for password and Security number:
    > http://myonlinesecurity.co.uk/wp-con...2-1024x534.jpg

After you fill in your Security number and password you get a page looking like this, where the phishers try to validate your details to make sure that you are entering “genuine” information. They make sure that the bank account numbers have the correct number of digits and that the credit card numbers have the correct number of digits and format:
    > http://myonlinesecurity.co.uk/wp-con...3-1024x746.jpg

    Then they send you to this page and eventually it auto redirects you to the genuine Tesco bank site:
    > http://myonlinesecurity.co.uk/wp-con...4-1024x625.jpg

All of these emails use social engineering tricks to persuade you to open the attachments that come with the email... whether it is a straightforward attempt, like this one, to steal your personal, bank, credit card or email and social networking log in details. Be very careful when unzipping them and make sure you have “show known file extensions” enabled, and then look carefully at the unzipped file. If it says .EXE then it is a problem and should not be run or opened."


  10. #610

hqq .tv serving up Exploit kit, Fake 'National Payments', Fake 'PAYMENT ADVICE' SPAM

    FYI...

    hqq .tv serving up Exploit kit (via Digital Ocean and Choopa)
    - http://blog.dynamoo.com/2015/01/hqqt...t-kit-via.html
6 Jan 2014 - "... here's an infection chain starting from a scummy-looking video streaming site called cine-stream .net. I do not recommend visiting any of the sites labelled [donotclick]:
    Step 1
    [donotclick]cine-stream .net/1609-le-pre-nol-est-une-ordure-en-streaming.html
    89.248.170.206 (Ecatel Ltd, Netherlands)
    URLquery report: http://urlquery.net/report.php?id=1420561240827
    Step 2
    [donotclick]hqq .tv/player/embed_player.php?vid=7SO84O65X5SM&autoplay=no
    199.83.130.198 (Incapsula, US)
    Step 3
    [donotclick]agroristaler .info/dasimotulpes16.html
    128.199.48.44 (Digital Ocean, Netherlands)
    URLquery report: http://urlquery.net/report.php?id=1420561209263
    Step 4
    [donotclick]aflesministal .info/chat.html
    178.62.147.144 (Digital Ocean, Netherlands)
    128.199.52.108 (Digital Ocean, Netherlands)
    Step 5
    [donotclick]pohfefungie .co.vu/VUZQBUgAAgtAGlc.html
    [donotclick]eixaaweexum .co.vu/VxFVBkgAAgtAGlc.html
    108.61.165.69 (Choopa LLC / Game Servers, Netherlands)
    URLquery report: http://urlquery.net/report.php?id=1420560803160
    The Digital Ocean and Choopa IPs host several apparently malicious domains:
    In my opinion, .co.vu domains are often bad news and are good candidates for blocking. In the mean time I would recommend the following -minimum- blocklist:
    108.61.165.69
    178.62.147.144
    128.199.52.108
    128.199.48.44
    "
    ___

    Fake 'National Payments Centre' SPAM - malware
    - http://blog.dynamoo.com/2015/01/malw...-payments.html
    6 Jan 2015 - "This -fake- financial spam has a malicious payload:
    Date: 6 January 2015 at 08:56
    Subject: This is your Remittance Advice #ATS29858
    DO NOT REPLY TO THIS EMAIL ADDRESS
    Please find attached your remittance advice from Saint Gobain UK.
    For any queries relating to this remittance please notify the Payment Enquiry Team on 01484913947
    Regards,
    SGBD National Payments Centre


    Note that this email is a forgery. Saint Gobain UK are -not- sending the spam, nor have their systems been compromised in any way. Instead, criminals are using a -botnet- to spam out malicious Excel documents. Each email has a different reference number, and the attachment file name matches. The telephone number is randomly generated in each case, using a dialling code of 01484 which is Huddersfield (in the UK). There will probably be a lot of confused people in Huddersfield at the moment.
There are actually four different versions of the -malicious- Excel file, none of which are detected by anti-virus vendors [1] [2] [3] [4], containing four different but similar macros... which then download a component from one of the following locations:
    http ://213.174.162.126:8080 /mans/pops.php
    http ://194.28.139.100:8080 /mans/pops.php
    http ://206.72.192.15:8080 /mans/pops.php
    http ://213.9.95.58:8080 /mans/pops.php
This file is downloaded as test.exe and is then saved as %TEMP%\1V2MUY2XWYSFXQ.exe. It has a VirusTotal detection rate of just 3/48*. That report shows that the malware then connects to the following URLs:
    http ://194.146.136.1:8080/
    http ://179.43.141.164/X9BMtSKOfaz/e&WGWM+o%3D_c%26%248/InRRqJL~L
    http ://179.43.141.164/TiHlXjsnCOo8%2C/fS%24P/VZFrel2ih%2Dlv+%26aTn
    http ://179.43.141.164/suELl1XsT%2CFX.k%26z4./sn%3F=/%3Ffw/HFBN@8J
    http ://179.43.141.164/fhmhi/igm/c&@%7E%2Dj.==m~cg_%2B%2C%3Daggs.%2Dkgm%26$~@fk@g/a%2Cgm+lkb%2D.~$kh/
194.146.136.1 is allocated to PE "Filipets Igor Victorovych" in Ukraine. 179.43.141.164 is Private Layer Inc in Panama. I would definitely recommend blocking them and possibly the entire /24s in which they are hosted. The Malwr report shows no activity, indicating that it is hardened against analysis.
Recommended blocklist:
    194.146.136.1
    179.43.141.164
    213.174.162.126
    194.28.139.100
    206.72.192.15
    213.9.95.58
    "
[1] https://www.virustotal.com/en/file/7...is/1420539739/
[2] https://www.virustotal.com/en/file/4...is/1420539746/
[3] https://www.virustotal.com/en/file/1...is/1420539753/
[4] https://www.virustotal.com/en/file/f...is/1420539759/
* https://www.virustotal.com/en/file/e...is/1420540311/

    - http://myonlinesecurity.co.uk/sgbd-n...l-xls-malware/
    6 Jan 2015
    ___

    Fake 'PAYMENT ADVICE' malware SPAM
    - http://blog.dynamoo.com/2015/01/paym...ware-spam.html
    6 Jan 2015 - "This spam has a malicious attachment:
    From: Celeste , Senior Accountant
    Date: 6 January 2015 at 10:13
    Subject: PAYMENT ADVICE 06-JAN-2015
    Dear all,
    Payment has been made to you in amount GBP 18898,28 by BACS.
    See attachment.
    Regards,
    Celeste
    Senior Accountant


    I have only seen one sample so far, with a document BACS092459_473.doc which has a VirusTotal detection rate of 0/56* and which contains this macro... which attempts to download an additional component from:
    http ://206.72.192.15:8080 /mans/pops.php
    This is exactly the same file as seen in this parallel spam run** today and it has the same characteristics."
    * https://www.virustotal.com/en/file/5...is/1420543064/

    ** http://blog.dynamoo.com/2015/01/malw...-payments.html

    - http://myonlinesecurity.co.uk/senior...d-doc-malware/
    6 Jan 2015
    ___

    MS warns of new malware attacks w/ Office docs
    - http://www.techworm.net/2015/01/micr...documents.html
Jan 5, 2015 - "Microsoft has warned its Microsoft Office users of a significant rise in malware attacks through macros in Excel and Word programs. In a report published on its blog*, Microsoft says that there is more than a threefold jump in the malware campaigns spreading two different Trojan downloaders. These Trojan downloaders arrive in -emails- masquerading as orders or invoices. The malware is being spread through spam emails containing the following subject lines, according to Microsoft:
    ACH Transaction Report
    DOC-file for report is ready
    Invoice as requested
    Invoice – P97291
    Order – Y24383
    Payment Details
    Remittance Advice from Engineering Solutions Ltd
    Your Automated Clearing House Transaction Has Been Put On ...
...the attachment used in the Adnel and Tarbir campaigns is usually named as follows:
    20140918_122519.doc
    813536MY.xls
    ACH Transfer 0084.doc
    Automated Clearing House transfer 4995.doc
    BAC474047MZ.xls
    BILLING DETAILS 4905.doc
    CAR014 151239.doc
    ID_2542Z.xls
    Fuel bill.doc
    ORDER DETAILS 9650.doc
    Payment Advice 593016.doc
    SHIPPING DETAILS 1181.doc
    SHIP INVOICE 1677.doc
    SHIPPING NO.doc
    Microsoft Technet blog* says that the two Trojan downloaders, TrojanDownloader:W97M/Adnel and TrojanDownloader:O97M/Tarbir are being spread at a rapid pace through spam emails and phishing campaigns..."
    * http://blogs.technet.com/b/mmpc/arch...se-macros.aspx
    2 Jan 2015

    Last edited by AplusWebMaster; 2015-01-06 at 19:45.
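A defender-side illustration of the indicators quoted in this post, as an added example (not code from the forum or the quoted blogs): a Python scan over constructed proxy log lines that flags the recommended blocklist IPs, the /24s the author suggests blocking around the two C2 hosts, the :8080/mans/pops.php macro-downloader path and the .co.vu domains; the Squid log format, the sample lines and the neighbouring-IP and path values are assumptions.

```python
"""Flag proxy-log requests that hit the indicators reported in this post.

Added example; the log lines are constructed, the indicators come from the
post above (blocklist IPs, the /mans/pops.php download path on port 8080,
and the author's view that .co.vu domains are good candidates for blocking).
"""
import re
from ipaddress import ip_address, ip_network

# Recommended blocklists quoted in the post (dynamoo, 6 Jan 2015).
BLOCKLIST_IPS = {
    "194.146.136.1", "179.43.141.164", "213.174.162.126", "194.28.139.100",
    "206.72.192.15", "213.9.95.58", "108.61.165.69", "178.62.147.144",
    "128.199.52.108", "128.199.48.44",
}
# The author suggests the whole /24s around the two C2 hosts are worth blocking.
BLOCK_NETS = [ip_network("194.146.136.0/24"), ip_network("179.43.141.0/24")]
MACRO_DOWNLOAD_PATH = "/mans/pops.php"   # fetched on port 8080 by the Excel/Word macros
SUSPECT_TLD = ".co.vu"

# Squid native access.log: ts elapsed client code/status bytes method url ... (assumed format)
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)
URL_RE = re.compile(r"^https?://(?P<host>[^/:]+)(?::(?P<port>\d+))?(?P<path>/.*)?$")


def classify(url):
    """Return the list of reasons a URL matches the indicators (empty means no hit)."""
    m = URL_RE.match(url)
    if not m:
        return []
    host, port, path = m.group("host"), m.group("port"), m.group("path") or "/"
    reasons = []
    try:
        addr = ip_address(host)
    except ValueError:
        addr = None
    if addr is None:
        if host.endswith(SUSPECT_TLD):
            reasons.append("co.vu-domain")
    elif host in BLOCKLIST_IPS:
        reasons.append("blocklisted-ip")
    elif any(addr in net for net in BLOCK_NETS):
        reasons.append("neighbour-of-c2")  # same /24 as a C2 host, not exact-listed
    if port == "8080" and path == MACRO_DOWNLOAD_PATH:
        reasons.append("macro-downloader-path")
    return reasons


def scan_log(lines):
    """Yield (client, url, reasons) for every log line that hits an indicator."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            reasons = classify(m.group("url"))
            if reasons:
                yield m.group("client"), m.group("url"), reasons


# Constructed sample log: payload fetch, C2 check-in, .co.vu landing page, a clean
# request, and a constructed neighbour (179.43.141.77) of the Private Layer C2 host.
SAMPLE_LOG = """\
1420540000.123 412 10.0.0.21 TCP_MISS/200 36288 GET http://206.72.192.15:8080/mans/pops.php - HIER_DIRECT/206.72.192.15 application/octet-stream
1420540012.456 88 10.0.0.21 TCP_MISS/200 1020 POST http://194.146.136.1:8080/ - HIER_DIRECT/194.146.136.1 text/html
1420540020.789 201 10.0.0.35 TCP_MISS/200 5120 GET http://pohfefungie.co.vu/landing.html - HIER_DIRECT/108.61.165.69 text/html
1420540030.000 150 10.0.0.40 TCP_MISS/200 2048 GET http://example.com/index.html - HIER_DIRECT/93.184.216.34 text/html
1420540040.000 150 10.0.0.41 TCP_MISS/200 2048 GET http://179.43.141.77/update - HIER_DIRECT/179.43.141.77 text/html
""".splitlines()

if __name__ == "__main__":
    for client, url, reasons in scan_log(SAMPLE_LOG):
        print(f"{client} -> {url}  [{', '.join(reasons)}]")
```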
