
Thread: SPAM frauds, fakes, and other MALWARE deliveries...

  1. #621
    AplusWebMaster (Adviser Team)

    Fake 'Proforma Invoice', 'Delivery Confirmation', 'Undefined transactions' SPAM

    FYI...

    Fake 'Proforma Invoice' SPAM - macro malware
    - http://blog.dynamoo.com/2015/01/malw...zbigkcouk.html
    20 Jan 2015 - "This -fake- invoice leads to malware. It is not being sent by Big K Products UK Ltd, their systems have not been hacked or compromised. Instead, the email is a -forgery- designed to get you to click the malicious attachment.
    From: Monika [monika.goetz@ bigk .co.uk]
    Date: 20 January 2015 at 07:18
    Subject: Proforma Invoice
    Please find enclosed the proforma invoice for your order. Please let me know when payment has been made, so that the goods can be despatched.
    Kind regards,
    Monika Goetz
    Sales & Marketing Co-ordinator


    The document attached is Proforma.doc which is currently undetected by AV vendors. It contains a malicious macro... which attempts to download a binary from:
    http ://solutronixfze .com/js/bin.exe
    ..which is saved to %TEMP%\324234234.exe. This has a VirusTotal detection rate of 2/56* and the Malwr report shows it attempting to phone home to:
    59.148.196.153 (HKBN, Hong Kong)
    74.208.11.204 (1&1, US)
    These IPs have been used many times in similar recent attacks and I recommend you block them. It also drops a DLL with a VirusTotal detection rate of 2/57**. The payload appears to be the Dridex banking trojan. See also this post*** about a related spam run also in progress this morning."
    * https://www.virustotal.com/en/file/0...is/1421744001/

    ** https://www.virustotal.com/en/file/4...is/1421744963/

    *** http://blog.dynamoo.com/2015/01/this...omes-with.html

    - http://myonlinesecurity.co.uk/profor...d-doc-malware/
    20 Jan 2015
    Screenshot: http://myonlinesecurity.co.uk/wp-con...ma-invoice.png

    > https://www.virustotal.com/en/file/3...cfbb/analysis/
    ___

    Fake 'Barclays Online Bank [security-update]' SPAM
    - http://blog.dynamoo.com/2015/01/malw...nt-update.html
    20 Jan 2015 - "This -fake- Barclays spam leads to malware.
    From: Barclays Online Bank [security-update@ barclays .com]
    Date: 20 January 2015 at 14:41
    Subject: Barclays - Important Update, read carefully!
    Dear Customer,
    Protecting the privacy of your online banking access and personal information are our primary concern.
    During the last complains because of online fraud we were forced to upgrade our security measures.
    We believe that Invention of security measures is the best way to beat online fraud.
    Barclays Bank have employed some industrial leading models to start performing an extra security check with Your Online Banking Activities to ensure a safe and secure Online and Mobile Banking.
    For security reasons we downloaded the Update Form to security Barclays webserver.
    You are requested to follow the provided steps and Update Your Online Banking details, for the safety of Your Accounts.
    - Please download and complete the form with the requested details: <URL redacted>
    - Fill in all required fields with your accurately details (otherwise will lead to service suspension)
    Warning: If you choose to ignore our request, you leave us no choice but to temporary hold on your funds.
    Thank you for your patience as we work together to protect your account.
    Please update your records on or before 48 hours, a failure to update your records will result in a temporary hold on your funds.
    Sincerely,
    Barclays Online Bank Customer Service
    We apologize for any inconvenience this may have caused...


    The link in the email varies, some other examples seen are:
    http ://nrjchat .org/ONLINE~IMPORTANT-UPDATE/last-update.html
    http ://utokatalin .ro/ONLINE-BANKING_IMPORTANT/update.html
    http ://cab .gov .ph/ONLINE-IMPORTANT~UPDATE/last~update.html
    Visiting these sites goes through some javascript hoops, and then leads to a ZIP file download which contains a malicious EXE that changes every time it is downloaded. The files are named in the general format update12345.zip and update54321.exe.
    The file itself is an Upatre downloader, with poor detection rates [1] [2] [3].
    The Malwr report shows traffic to the following URLs:
    http ://202.153.35.133 :33384/2001uk11/HOME/0/51-SP3/0/
    http ://202.153.35.133 :33384/2001uk11/HOME/1/0/0/
    http ://clicherfort .com/mandoc/eula012.pdf
    http ://202.153.35.133 :33387/2001uk11/HOME/41/7/4/
    http ://essextwp .org/mandoc/ml1from1.tar
    Out of these 202.153.35.133 (Excell Media Pvt Ltd, India) is one you should definitely block. This downloader drops several files including (in this case) %TEMP%\sJFcN24.exe which has a VirusTotal detection rate of just 3/57* and is identified as Dyreza.C by Norman anti-virus."
    1] https://www.virustotal.com/en/file/d...is/1421768747/

    2] https://www.virustotal.com/en/file/e...is/1421768757/

    3] https://www.virustotal.com/en/file/0...is/1421768766/

    * https://www.virustotal.com/en/file/e...is/1421770305/

    202.153.35.133: https://www.virustotal.com/en/ip-add...3/information/

    - http://myonlinesecurity.co.uk/barcla...pdf-malware-2/
    20 Jan 2015
    * https://www.virustotal.com/en/file/a...is/1421769761/

    - http://threattrack.tumblr.com/post/1...nt-update-spam
    Jan 20, 2015
    Tagged: Barclays, Upatre
    ___

    Fake 'Delivery Confirmation' SPAM – doc malware
    - http://myonlinesecurity.co.uk/merewa...d-doc-malware/
    20 Jan 2015 - "'mereway kitchens Delivery Confirmation' pretending to come from mereway kitchens <sales.north@ mereway .co.uk> with a malicious word doc attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... 2 versions of this spreading today. In one version once again the body of the email is completely -blank- ... and the malware is the same as today’s version of Proforma Invoice Monika big K – Word doc malware*. The second version also having the same malware just simply says 'Delivery Confirmation'..."
    * http://myonlinesecurity.co.uk/profor...d-doc-malware/

    - http://blog.dynamoo.com/2015/01/this...omes-with.html
    20 Jan 2015
    1] https://www.virustotal.com/en/file/3...is/1421745692/

    2] https://www.virustotal.com/en/file/f...is/1421746148/
    ___

    Fake 'Undefined transactions' SPAM - macro malware
    - http://blog.dynamoo.com/2015/01/malw...nsactions.html
    20 Jan 2015 - "This spam comes in a few different variants, however the body text always seems to be the same:
    From: Joyce Mills
    Date: 20 January 2015 at 10:30
    Subject: Undefined transactions (need assistance) Ref:1647827ZM
    Good morning
    I have recently found several payments on statement with the incorrect reference. Amounts appear to be from your company, could you please confirm these payments are yours and were made from your company's bank account. If no then please reply me as soon as possible. Thanks.
    P.S. Undefined transactions are included in the attached DOC.
    Regards,
    Joyce Mills
    Senior Accounts Payable
    PAYPOINT


    The reference number is randomly generated and changes in each case; attached is a malicious Word document also containing the same reference number (e.g. 1647827ZM.doc). Also the name in the "From" field is consistent with the name on the bottom of the email, although this too seems randomly generated... I have seen two different variants of Word document in circulation, both undetected by AV vendors [1] [2], and each one contains a slightly different malicious macro... which attempts to download from the following locations:
    http ://189.79.63.16 :8080/koh/mui.php
    http ://203.155.18.87 :8080/koh/mui.php
    This file is downloaded as 20.exe and is then copied to %TEMP%\324234234.exe. It has a VirusTotal detection rate of 2/57*. That report indicates that it attempts to phone home to:
    194.146.136.1 (PE "Filipets Igor Victorovych", Ukraine)
    This IP is commonly used in this type of attack, I would strongly recommend you block it. The Malwr report shows that this drops a Dridex DLL with a VirusTotal detection rate of 2/57**, which is the same DLL as seen earlier today***."
    1] https://www.virustotal.com/en/file/5...is/1421750540/

    2] https://www.virustotal.com/en/file/9...is/1421750559/

    * https://www.virustotal.com/en/file/b...is/1421750847/

    ** https://www.virustotal.com/en/file/4...is/1421752892/

    *** http://blog.dynamoo.com/2015/01/malw...zbigkcouk.html


    - http://myonlinesecurity.co.uk/undefi...d-doc-malware/
    20 Jan 2015
    * https://www.virustotal.com/en/file/9...is/1421749886/
    ___

    Fake 'IRS' SPAM - doc malware
    - http://myonlinesecurity.co.uk/intern...d-doc-malware/
    20 Jan 2015 - "'Complaint against your company' pretending to come from Internal Revenue Service <complaints@irs.gov> with a malicious word doc attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer... The email looks like:
    Dear business owner,
    A criminal complaint has been filled against your company.
    Your company is being accused of trying to commit tax evasion schemes.
    The full text of the complaint file ( .DOC type ) can be viewed in your
    Microsoft Word, complaint is attached.
    AN official response from your part is required, in order to take further
    action.
    Please review the charges brought forward in the complaint file, and
    contact us as soon as possible by :
    Telephone Assistance for Businesses: Toll-Free, 1-800-829-4933
    Email: complaints@ irs .gov
    Thank you,
    Internal Revenue Service Fraud Prevention Department


    20 January 2015: complaint20150119.doc - Current VirusTotal detections: 22/57*
    ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/d...is/1421772306/
    ___

    Fake 'Bank of Canada' SPAM – PDF malware
    - http://myonlinesecurity.co.uk/nation...e-pdf-malware/
    20 Jan 2015 - "'National Bank of Canada Notice of payment pretending to come from sac.sbi@ sibn .bnc .ca with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    You can view and print the notice of payment using the Netscape or
    Microsoft Explorer browsers, versions 6.2 and 5.5. You can export and store the
    notice of payment data in your spreadsheet by choosing the attached file in
    pdf format “.pdf”.
    If you have received this document by mistake, please advise us immediately
    and return it to us at the following E-mail address:
    “sac.sbi@ sibn .bnc .ca”.
    Thank you.
    National Bank of Canada
    600 de La Gauchetire West, 13th Floor
    Montreal, Quebec H3B 4L2 ...


    20 January 2015: payment_notice.zip: Extracts to: payment_notice.scr
    Current VirusTotal detections: 13/57*. This is another one of the spoofed icon files that, unless you have "show known file extensions" enabled, will look like a proper PDF file instead of the .exe file it really is, making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/1...is/1421783533/

    Last edited by AplusWebMaster; 2015-01-21 at 06:01.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .
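
The write-ups in this post each end with the same advice: block the phone-home and download hosts and watch for the Upatre check-in URLs. As an added example (not code from the thread or from dynamoo.com), here is a small proxy-log matcher built from the indicators quoted above; the log lines are constructed, and the check-in regex generalises the /2001uk11/HOME/ shape to other campaign ids of the same form.

```python
"""Match outbound proxy traffic against the indicators quoted in this post.

Added example, not code from the thread or from dynamoo.com. LOG_LINES are
constructed proxy records in a simple "timestamp client method url status"
layout; the IPs and URL shapes come from the Malwr/VirusTotal findings above.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# IPs the write-ups above recommend blocking.
BLOCK_IPS = {
    "202.153.35.133",  # Upatre check-in host (Barclays run), "definitely block"
    "59.148.196.153",  # Dridex phone-home (Proforma Invoice run)
    "74.208.11.204",   # Dridex phone-home (Proforma Invoice run)
    "194.146.136.1",   # Dridex phone-home (Undefined transactions run)
    "189.79.63.16",    # macro download host, /koh/mui.php
    "203.155.18.87",   # macro download host, /koh/mui.php
}

# URL shapes from the Malwr reports. The Upatre check-in path is
# /<campaign id>/HOME/<counters>/, e.g. /2001uk11/HOME/0/51-SP3/0/; the
# regex below is generalised to any campaign id of the same shape.
UPATRE_CHECKIN = re.compile(r"^/\d{4}[a-z]{2}\d{2}/HOME/")
UPATRE_DECOY = re.compile(r"^/mandoc/")          # decoy .pdf/.tar fetched alongside
DRIDEX_STAGER = re.compile(r"^/koh/mui\.php$")   # the macro's download location

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def analyse_line(line: str) -> Optional[Dict]:
    """Return an alert dict for one log line, or None if nothing matched."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    u = urlsplit(m["url"])
    reasons: List[str] = []
    if u.hostname in BLOCK_IPS:
        reasons.append(f"destination {u.hostname} is on the blocklist")
    if UPATRE_CHECKIN.match(u.path):
        reasons.append("Upatre check-in URL pattern")
    if UPATRE_DECOY.match(u.path):
        reasons.append("Upatre /mandoc/ decoy fetch")
    if DRIDEX_STAGER.match(u.path):
        reasons.append("Dridex macro download URL pattern")
    if not reasons:
        return None
    return {"ts": m["ts"], "client": m["client"], "host": u.hostname,
            "path": u.path, "reasons": reasons}


def detect(lines: List[str]) -> List[Dict]:
    """Alerts for every line that hits an indicator, in log order."""
    return [a for a in (analyse_line(line) for line in lines) if a]


def suspect_clients(alerts: List[Dict]) -> Dict[str, List[str]]:
    """Group distinct alert reasons by client so responders see which hosts to triage."""
    by_client: Dict[str, List[str]] = defaultdict(list)
    for a in alerts:
        for r in a["reasons"]:
            if r not in by_client[a["client"]]:
                by_client[a["client"]].append(r)
    return dict(by_client)


# Constructed sample log. 10.0.0.7 behaves like the Barclays/Upatre victim in
# the Malwr report; 10.0.0.12 fetches the Dridex stager; 10.0.0.9 is clean.
LOG_LINES = [
    "2015-01-20T15:10:02 10.0.0.7 GET http://202.153.35.133:33384/2001uk11/HOME/0/51-SP3/0/ 200",
    "2015-01-20T15:10:05 10.0.0.7 GET http://clicherfort.com/mandoc/eula012.pdf 200",
    "2015-01-20T15:11:40 10.0.0.9 GET http://www.example.com/index.html 200",
    "2015-01-20T15:12:00 10.0.0.9 POST http://intranet.example.com/upload 302",
    "2015-01-20T15:14:11 10.0.0.12 GET http://189.79.63.16:8080/koh/mui.php 200",
]

if __name__ == "__main__":
    found = detect(LOG_LINES)
    for alert in found:
        print(alert["ts"], alert["client"], alert["host"], alert["path"],
              "; ".join(alert["reasons"]))
    print(suspect_clients(found))
```

A hit on the check-in pattern without a blocklist match is still worth a look, since the Upatre hosts change between runs while the URL shape stays the same.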

  2. #622
    AplusWebMaster (Adviser Team)

    Fake 'Open24 Service update', 'inTuit-QuickBooks' Phish, Flash 0-day ...

    FYI...

    Fake 'Open24 Service update' Phish ...
    - http://myonlinesecurity.co.uk/open24...date-phishing/
    21 Jan 2015 - "'Open24 Permanent TSB Service update' pretending to come from Open24 <serviceupdates@ gol .net .gy> is one of the latest -phish- attempts to steal your Open24.ie ( Permanent TSB) Bank, credit card and personal details. This one only wants your personal details, your credit card and bank details... -don’t- click-the-link in the email. If you do it will lead you to a website that looks at first glance like the genuine bank website but you can clearly see in the address bar that it is fake. Some versions of this phish will ask you to fill in the html (webpage) form that comes attached to the email:
    Fwd: Software Upgrade
    Dear Open24 Customer,
    In order to help us protect our main line of defense against intruders; you will need to update your account through our secured server, in line to safe internet banking regulatory Requirements.
    To proceed, simply follow the link below:
    service_update
    Kind regards
    Open24


    > Screenshot: http://myonlinesecurity.co.uk/wp-con...n24_phish1.png
    When you fill in your user name and password you get sent on to a page looking like this, where the phishers try to validate your details to make sure that you are entering “genuine” information. They make sure that the bank account numbers have the correct number of digits and that the credit card numbers have the correct number of digits and format, then you are sent to the genuine open24.ie ( permanent TSB ) bank site:
    > http://myonlinesecurity.co.uk/wp-con...2-1024x659.png
    All of these emails use Social engineering tricks to persuade you to open the attachments (or click-the-link) that come with the email..."
    ___

    Fake inTuit QuickBooks Phish
    - https://security.intuit.com/alert.php?a=119
    1/19/2015 - "People are receiving -fake- emails with the title "Profile Update". These mails are coming from turbotax_infoo01@ grr .la, which is -not- a legitimate email address. Below is a copy of the email people are receiving:
    > https://security.intuit.com/images/p...pdatephish.jpg

    This is the end of the -fake- email.
    Steps to Take Now:
    - Do -not- open the attachment in the email...
    - Do not forward the email to anyone else.
    - Delete the email."
    ___

    Flash 0-Day Exploit used by Angler Exploit Kit
    - https://isc.sans.edu/diary.html?storyid=19213
    2015-01-21 - "The "Angler" exploit kit is a tool frequently used in drive-by download attacks to probe the browser for different vulnerabilities, and then exploit them to install malware. The exploit kit is very flexible and new exploits are added to it constantly. However, the blog post below* shows how this exploit kit is currently using an unpatched Flash 0-day to install malware. Current versions of Windows (e.g. Windows 8 + IE 10) appear to be vulnerable. Windows 8.1, or Google Chrome do not appear to be vulnerable... typically we see these exploits more in targeted attacks, not in widely used exploit kits. This flaw could affect a large number of users very quickly..."
    * http://malware.dontneedcoffee.com/20...-in-flash.html
    2015-01-21 - "... Angler EK exploiting last version (16.0.0.257) of Flash..."
    Update: "... tested it against the free version of Malwarebytes Anti Exploit* (a product from one of my customers). That stopped it. Well done!..."
    * https://www.malwarebytes.org/antiexploit/

    - http://blog.trendmicro.com/trendlabs...-new-zero-day/
    Jan 22, 2015 - "... Chrome’s version of the Flash Player plugin is sandboxed, mitigating potential effects to end users. Firefox is also immune to this threat..."
    Geographic distribution of users affected by Angler
    > http://blog.trendmicro.com/trendlabs...-Angler-01.jpg

    Last edited by AplusWebMaster; 2015-01-22 at 16:42.

  3. #623
    AplusWebMaster (Adviser Team)

    Fake 'HMRC Application' SPAM – PDF malware, 'Tesco Bank Fix' – Phish, MyFax SPAM...

    FYI...

    Fake 'HMRC Application' SPAM – PDF malware
    - http://myonlinesecurity.co.uk/hmrc-a...pdf-malware-2/
    22 Jan 2015 - "'HMRC Application – [ your domain name]' pretending to come from HMRC .gov .uk <application@ hmrc .gov .uk> with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... This template was used in a malware run back in July 2014 and gets periodically reused HMRC Application – fake PDF malware*...
    * http://myonlinesecurity.co.uk/hmrc-a...e-pdf-malware/
    The email looks like:
    Please print this information, sign and send to application@ hmrc .gov .uk.
    Date Created: 22 January 2015
    Business name: ...
    Acknowledgement reference: 3213476
    VAT Registration Number is 3213476.
    Repayment of Input Tax
    Before the business starts to make taxable supplies they may provisionally claim repayment of VAT they are charged as input tax. The general rules about VAT, including Input Tax, Partial Exemption, are explained in VAT Notices 700 and 706, available on the HMRC website
    Repayment of VAT as input tax is subject to the condition, provided for by the Value Added Tax Act 1994, Section 25(6), that HMRC may require them to refund some or all of the input tax they have claimed, if they do not make taxable supplies by way of business, or the input tax they claimed prior to a period in which they make taxable supplies in the course of business does not relate to the taxable supplies they make.
    Change of Circumstances
    If your client no longer intends to make taxable supplies, or there is any other change of circumstances affecting their VAT registration (including any delay in starting to make taxable supplies), they must notify HMRC within 30 days of the change.
    If the application included an enquiry about:
    the Flat Rate Scheme
    the Annual Accounting Scheme
    an Economic Operator Registration and Identification (EORI) number
    HMRC will send your client more information about this separately
    What next?
    Your client will receive their Certificate of Registration (VAT4) in the post in due course.
    Your client can find general information about VAT and a guide to record keeping requirements by following one of the links below...


    22 January 2015: Application_3213476.zip (15 kb): Extracts to: Application_891724.pdf.exe
    Current VirusTotal detections: 2/56**. This is another one of the spoofed icon files that, unless you have "show known file extensions" enabled, will look like a proper PDF file instead of the .exe file it really is, making it much more likely for you to accidentally open it and be infected..."
    ** https://www.virustotal.com/en/file/a...is/1421924288/
    ___

    Fake 'Tesco Bank Fix' – Phish ...
    - http://myonlinesecurity.co.uk/tesco-...ount-phishing/
    22 Jan 2015 - "'Tesco Bank Fix The Error On Your Account' pretending to come from Tesco .com <info@ thf .com> warning of errors on your account is one of the latest phish attempts to steal your Tesco bank Account and your other personal details. This one wants your personal details, Tesco log in details and your credit card and bank details... -don’t- click-the-link in the email. If you do it will lead you to a website that looks at first glance like the genuine Tesco bank website but you can clearly see in the address bar that it is fake. Some versions of this phish will ask you to fill in the html ( webpage) form that comes attached to the email:
    Dear Customer:
    You have an incoming payment slated for your account. This transaction cannot be
    completed due to errors present in your account information.
    You are required to click on the Logon below to fix this problem immediately.
    LOG ON
    Please do not reply to this message. For questions, please call Customer Service at the
    number on the back of your card. We are available 24 hours a day, 7 days a week.
    Regards,
    Tesco Personal Finance.


    If you follow the link you see a webpage looking like:
    > http://myonlinesecurity.co.uk/wp-con...1-1024x606.jpg
    Then you get a page asking for password and Security number:
    > http://myonlinesecurity.co.uk/wp-con..._vouchers2.jpg
    After you fill in your Security number and password you get a page looking like this, where the phishers try to validate your details to make sure that you are entering “genuine” information. They make sure that the bank account numbers have the correct number of digits and that the credit card numbers have the correct number of digits and format:
    > http://myonlinesecurity.co.uk/wp-con..._vouchers3.jpg
    Then they send you to this page and eventually it auto redirects you to the genuine Tesco bank site:
    > http://myonlinesecurity.co.uk/wp-con..._vouchers4.jpg
    All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email..."
    ___

    Fake (more) MyFax malware SPAM
    - http://blog.dynamoo.com/2015/01/yet-...ware-spam.html
    22 Jan 2015 - "There's another batch of "MyFax" spam going around at the moment, for example:
    From: MyFax [no-replay@ my-fax .com]
    Date: 22 January 2015 at 15:08
    Subject: Fax #4356342
    Fax message
    http ://[redacted]/.-NEW_RECEIVED.FAX/fax.html
    Sent date: Thu, 22 Jan 2015 15:08:30 +0000


    Clicking the link [don't] leads to a page like this:
    > http://1.bp.blogspot.com/-k2m-UrYJxy...600/upatre.png
    The download leads to an EXE-in-ZIP download which is a little different every time [1] [2] [3] [virustotal]. Detection rates are around 6/55.
    The Malwr report shows communication with the following URLs:
    http ://202.153.35.133 :51025/2201us22/HOME/0/51-SP3/0/
    http ://202.153.35.133 :51025/2201us22/HOME/1/0/0/
    http ://when-to-change-oil .com/mandoc/story_su22.pdf
    http ://202.153.35.133 :51014/2201us22/HOME/41/7/4/
    Of these 202.153.35.133 is the essential one to -block- traffic to, belonging to Excell Media Pvt Ltd in India. A file axybT95.exe is also dropped according to the report, which has a detection rate of 7/48*.
    I haven't seen a huge number of these; the format of the URLs looks something like this:
    http ://[redacted]/.-NEW_RECEIVED.FAX/fax.html
    http ://[redacted]/NEW_FAX-MESSAGES/fax.letter.html
    http ://[redacted]/_~NEW.FAX.MESSAGES/incoming.html "
    1] https://www.virustotal.com/en/file/e...is/1421943275/

    2] https://www.virustotal.com/en/file/d...is/1421943304/

    3] https://www.virustotal.com/en/file/3...is/1421943319/

    * https://www.virustotal.com/en/file/7...is/1421944232/

    - http://myonlinesecurity.co.uk/myfax-...e-pdf-malware/
    22 Jan 2015
    * https://www.virustotal.com/en/file/b...is/1421940393/
    ___

    Fake 'voice mail' SPAM – PDF malware
    - http://myonlinesecurity.co.uk/receiv...e-pdf-malware/
    22 Jan 2015 - "'You have received a voice mail' pretending to come from Voice Mail <no-reply@ voicemail-delivery .com> with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    You received a voice mail : VOICE 837-676-8958.wav (29 KB)
    Caller-Id: 837-676-8958
    Message-Id: KIUB4Y
    Email-Id: [redacted]
    This e-mail contains a voice message.
    Download and extract the attachment to listen the message.
    Sent by Microsoft Exchange Server


    22 January 2015 : VOICE837-676-8958.zip (209 kb): Extracts to: VOICE8419-283-481.scr
    Current VirusTotal detections: 1/57*. This is another one of the spoofed icon files that, unless you have "show known file extensions" enabled, will look like a proper PDF file instead of the .exe file it really is, making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/e...is/1421943742/
    0003_.b64.zip-1.exe

    Last edited by AplusWebMaster; 2015-01-22 at 20:21.
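
The HMRC and voice-mail items in this post both turn on the same trick: a zip whose member is an executable (.pdf.exe, .scr) that shows a PDF icon when Windows hides known extensions. As an added example (not code from the thread or from myonlinesecurity.co.uk), here is a gateway-side screen that inspects archive member names without extracting anything; the archives are constructed in memory to mirror the samples described.

```python
"""Flag archive attachments whose member is an executable dressed as a document.

Added example, not code from the thread or the blogs it quotes. The archives
below are constructed in memory to mirror the samples described in this post:
Application_3213476.zip -> Application_891724.pdf.exe and
VOICE837-676-8958.zip -> VOICE8419-283-481.scr.
"""
import io
import zipfile
from dataclasses import dataclass
from typing import Dict, List, Optional

# Extensions Windows runs on double-click; all hidden when "show known file
# extensions" is off, which is what makes the icon spoof work.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "wsf", "hta", "jar"}
# Extensions a recipient expects on a harmless document or media file.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "wav", "htm", "html"}


@dataclass
class Finding:
    archive: str
    member: str
    reason: str


def classify_name(name: str) -> Optional[str]:
    """Return why a member name is dangerous, or None if it looks benign."""
    base = name.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    if len(parts) < 2:
        return None
    ext = parts[-1]
    if ext not in EXECUTABLE_EXTS:
        return None
    if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTS:
        return f"double extension .{parts[-2]}.{ext} disguised as a document"
    return f"executable .{ext} delivered inside an archive"


def scan_zip(archive: str, data: bytes) -> List[Finding]:
    """Inspect every member of a zip without extracting it to disk."""
    findings: List[Finding] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reason = classify_name(info.filename)
            if reason:
                findings.append(Finding(archive, info.filename, reason))
    return findings


def build_zip(members: Dict[str, bytes]) -> bytes:
    """Helper used only to construct the sample archives in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples; the bodies are placeholders, only the names matter here.
SAMPLES = {
    "Application_3213476.zip": build_zip({"Application_891724.pdf.exe": b"MZ placeholder"}),
    "VOICE837-676-8958.zip": build_zip({"VOICE8419-283-481.scr": b"MZ placeholder"}),
    "quarterly_report.zip": build_zip({"report.pdf": b"%PDF-1.4 placeholder"}),
}


def verdicts() -> Dict[str, List[Finding]]:
    """Scan each sample; an empty list means the archive may be delivered."""
    return {name: scan_zip(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, found in verdicts().items():
        print("BLOCK" if found else "allow", name)
        for f in found:
            print(f"    {f.member}: {f.reason}")
```

Name screening is only the first filter: the macro-laden .doc attachments in the other items of this post carry a legitimate document extension and need content inspection rather than a name check.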

  4. #624
    AplusWebMaster (Adviser Team)

    Fake 'tax return incorrect' SPAM

    FYI...

    Fake 'tax return incorrect' SPAM - doc malware
    - http://blog.dynamoo.com/2015/01/malw...ent-issue.html
    23 Jan 2015 - "This tax-themed spam has a malicious Word document attached. It appears to come in several variants, for example:
    From: Quinton
    Date: 23 January 2015 at 08:18
    Subject: 2014 Tax payment issue
    According to your tax payments for 2014 year period we found that you gave a wrong legal address in your last tax payment. In order to avoid penalty fees on your tax dues we ask you to contact our specialist having checked the previous payment in advance (the DOC invoice attached below).
    Regards
    Quinton
    Tax Inspector

    From: Tara Morris
    Date: 23 January 2015 at 09:28
    Subject: Your tax return was incorrectly filled out
    Attention: Accountant
    This is to inform you that your legal address was filled incorrectly while completing the last tax form application for 2014 year.
    In order to avoid penalty fees during the next tax period please contact our expert as soon as you check the payment details (the DOC invoice attached below).


    Attached is a Word document with a random name, but always starting with "TAX_". Examples include:
    TAX_42592OE.doc
    TAX_381694AI.doc
    TAX_59582FZ.doc
    There are two different variants of this Word document that I have seen so far; neither is detected by AV vendors [1] [2], and each contains one of two malicious macros... that download a file 20.exe from the following URLs:
    http ://37.139.47.221 :8080/koh/mui.php
    http ://95.163.121.82 :8080/koh/mui.php
    This file is then saved to %TEMP%\GYHjksdf.exe and has a low detection rate of 2/56 (Norman AV identifies it as Dridex). The Malwr analysis is inconclusive, other analysis is pending."
    1] https://www.virustotal.com/en/file/5...is/1422005666/

    2] https://www.virustotal.com/en/file/c...is/1422005678/

    37.139.47.221: https://www.virustotal.com/en/ip-add...1/information/

    95.163.121.82: https://www.virustotal.com/en/ip-add...2/information/


    - http://myonlinesecurity.co.uk/tax-re...d-doc-malware/
    23 Jan 2015
    > https://www.virustotal.com/en/file/c...is/1422004558/
    TAX_38156WHH.doc
    > https://www.virustotal.com/en/file/3...is/1422007893/
    23.01.15_3406ICZ.xls
    ___

    Fake 'Danske Bank' SPAM – PDF malware
    - http://myonlinesecurity.co.uk/danske...pdf-malware-2/
    23 Jan 2015 - "'Danske Bank – Potentially fraudulent transaction' pretending to come from Dee Hicks – Danske Bank <Dee.Hicks@ danskebank .com> with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    We are contacting you regarding a potentially fraudulent transaction on your account.
    Please check attached file for more information about this specific transaction.
    Dee Hicks
    Senior Account Executive
    Danske Bank
    Dee.Hicks@ danskebank .com
    Tel. +45 33 44 46 77
    CONFIDENTIAL NOTICE: The contents of this message, including any attachments, are confidential and are intended solely for the use of the person or entity to whom the message was addressed...


    23 January 2015 : bank_notice2301.zip (12kb): Extracts to: bank_notice2301.scr
    Current VirusTotal detections: 8/55*. This is another one of the spoofed icon files that, unless you have "show known file extensions" enabled, will look like a proper PDF file instead of the .exe file it really is, making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/d...is/1422012240/
    ___

    Fake 'IRS Activity' SPAM - malware
    - http://blog.dynamoo.com/2015/01/malw...ty-531065.html
    23 Jan 2015 - "This fake IRS spam actually does use the irsuk .co domain to host malware.
    From: IRS [support@ irsuk .co]
    Date: 23 January 2015 at 11:46
    Subject: IRS Fiscal Activity 531065
    Hello, [redacted].
    We notify you that last year, according to the estimates of tax taxation,
    we had a shortage of means.
    We ask you to install the special program with new digital certificates,
    what to eliminate an error.
    To install the program go to the link <redacted>
    Thanks
    Intrenal Revenue Sevrice...


    The ZIP file contains a malicious executable SetupIRS2015.exe which has a VirusTotal detection rate of 8/53*. The irsuk .co site is hosted on 89.108.88.9 (Agava Ltd, Russia). The Malwr report shows it phoning home to garbux .com (78.24.219.6 - TheFirst-RU, Russia)... A look at 89.108.88.9 shows there is only one active website on that IP address (irsuk .co), but the host on the IP identifies itself as ukirsgov .com which is a domain created on the same day (2015-01-19) but has been -suspended- due to invalid WHOIS details (somebody at csc .com), which was hosted on a Bosnian IP of 109.105.193.99 (Team Consulting d.o.o.). That IP is identified as malicious by VirusTotal with a number of bad domains and binaries**. The malware POSTs to garbux .com which Sophos identifies as a characteristic of the generically-named Troj/Agent-ALHF. Overall, automated analysis tools are not very clear about what this malware does... although you can guarantee it is nothing good.
    Recommended blocklist:
    89.108.88.9
    78.24.219.6
    109.105.193.99
    irsuk .co
    garbux .com
    ukirsgov .com
    updateimage .ru
    getimgdcenter .ru
    agensiaentrate .it
    freeimagehost .ru"
    * https://www.virustotal.com/en/file/8...is/1422014166/

    ** 109.105.193.99: https://www.virustotal.com/en/ip-add...9/information/
    ___

    Fake AMEX SPAM - PDF malware
    - http://myonlinesecurity.co.uk/americ...e-pdf-malware/
    23 Jan 2015 - "'Your Message is Ready' pretending to come from American Express <secure.message@ americanexpresss .com> is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and download the malware zip...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...e-is-ready.png

    When you follow the link you get a page saying "Get file. Your download will start in 5 seconds..." ... which then counts down to zero. You might get the -malware- automatically downloaded or you might have to click-the-direct-link [don't].
    23 January 2015: bankline_document_pdf57331.zip (12 kb): Extracts to: bankline_document_pdf34929.exe
    Current Virus total detections: 4/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/6...is/1422025963/
    ... Behavioural information
    TCP connections
    202.153.35.133: https://www.virustotal.com/en/ip-add...3/information/
    192.163.217.66: https://www.virustotal.com/en/ip-add...6/information/
    ___

    Fake 'BankLine secure message' SPAM - malware
    - http://blog.dynamoo.com/2015/01/malw...eived-new.html
    23 Jan 2015 - "... these RBS BankLine spam messages are a popular mechanism for the bad guys to spread malware.
    From: Bankline [secure.message@ rbs .com .uk]
    Date: 23 January 2015 at 12:43
    Subject: You have received a new secure message from BankLine
    You have received a secure message.
    Read your secure message by following the link bellow:
    <redacted>
    You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.
    If you have concerns about the validity of this message, please contact the sender directly...


    The link in the email seems to be somewhat dynamic... The landing page looks like this:
    > http://4.bp.blogspot.com/-LLqihSXhTv...0/fake-rbs.jpg
    The link on that landing page goes to http ://animation-1 .com/js/jquery-1.41.15.js?get_message which downloads a ZIP file called Bankline_document_pdf71274.zip (or something similar) containing an executable file named something like Bankline_document_pdf24372.exe. The numbers change in each case, and indeed the executable changes slightly every time it is downloaded. The ThreatExpert report shows that it attempts to communicate with the well-known-bad-IP of 202.153.35.133 (Excell Media Pvt Ltd, India) which is associated with the Dyre banking trojan."

    202.153.35.133: https://www.virustotal.com/en/ip-add...3/information/

    Last edited by AplusWebMaster; 2015-01-23 at 19:27.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  5. #625
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Thumbs down Fake 'HP Scanned Image', 'Berendsen Invoice' SPAM

    FYI...

    Fake 'HP Scanned Image' SPAM - malware
    - http://blog.dynamoo.com/2015/01/malw...e-scanned.html
    26 Jan 2015 - "This spam comes with a malicious attachment:
    From: HP Digital Device [HP_Printer@ victimdomain .com]
    Date: 26 January 2015 at 13:04
    Subject: Scanned Image
    Please open the attached document.
    This document was digitally sent to you using an HP Digital Sending device...
    This email has been scanned for viruses and spam...


    Attached is a file ScannedImage.zip which contains a malicious executable ScannedImage.scr which has a VirusTotal detection rate of 5/56*..."
    * https://www.virustotal.com/en/file/0...is/1422279206/

    - http://myonlinesecurity.co.uk/scanne...e-pdf-malware/
    26 Jan 2015
    > https://www.virustotal.com/en/file/0...is/1422279206/
    ___

    Fake 'Berendsen Invoice' SPAM – doc malware
    - http://myonlinesecurity.co.uk/berend...d-doc-malware/
    26 Jan 2015 - "'Berendsen UK Ltd Invoice 60020918 117' pretending to come from donotreply@berendsen.co.uk with -a malicious word doc attachment- is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    Dear Sir/Madam, Please find attached your invoice dated 1st January. All queries should be directed to your branch that provides the service. This detail can be found on your invoice. Thank you...

    26 January 2015: IRN001526_60020918_I_01_01.DOC (39 kb)
    Current Virus total detections: 0/55* | IRN001526_60020918_I_01_01.DOC (34kb) 0/56**
    ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/1...is/1422258625/

    ** https://www.virustotal.com/en/file/0...is/1422258320/

    - http://blog.dynamoo.com/2015/01/malw...d-invoice.html
    26 Jan 2015
    > https://www.virustotal.com/en/file/f...is/1422262884/

    - http://blog.mxlab.eu/2015/01/26/emai...rd-attachment/
    Jan 26, 2015
    > https://www.virustotal.com/en/file/f...is/1422262884/
    ___

    Fake 'CardsOnLine natwesti' SPAM
    - http://blog.dynamoo.com/2015/01/malw...twesticom.html
    26 Jan 2015 - "This -fake- NatWest email leads to malware:
    From: CardsOnLine [CardsOnLine@ natwesti .com]
    Date: 26 January 2015 at 13:06
    Subject: Cards OnLine E-Statement E-Mail Notification
    Body:
    Dear Customer
    Your July 30, 2014 E-Statement for account number xxxxxxxxxxxx6956 from Cards OnLine is now available.
    For more information please check link: <redacted>
    Thank you
    Cards OnLine


    ... Users have recently been targeted through -bogus- E-Mails by fraudsters claiming to be from their bank. These E-Mails ask customers to provide their internet banking security details in order to reactivate their account or verify an E-Mail address. Please be on your guard against E-Mails that request any of your security details... Users who click-the-link see a download page similar to this:
    > https://4.bp.blogspot.com/-a7BgUdoOp...t-download.png
    The link in the email downloads a randomly-named file in the format security_notice55838.zip which contains a malicious binary which will have a name similar to security_notice18074.exe. This binary has a VirusTotal detection rate of 1/56* and is identified by Norman AV as Upatre..."
    * https://www.virustotal.com/en/file/8...is/1422281915/
    ___

    Fake 'Sage Invoice' SPAM – PDF malware
    - http://myonlinesecurity.co.uk/sage-r...e-pdf-malware/
    26 Jan 2015 - "'RE: Invoice #9836956' pretending to come from Sage .co .uk <no-reply@ sage .co .uk>
    [random invoice numbers] with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    Please remit BACs before 26/01/2015. The document attached.

    The malware attached to this email is exactly the same as in today’s Scanned Image – fake PDF malware*.
    This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * http://myonlinesecurity.co.uk/scanne...e-pdf-malware/

    Last edited by AplusWebMaster; 2015-01-26 at 17:50.
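    Several of the samples above (ScannedImage.scr inside ScannedImage.zip, the "pdf" named executables) rely on the file extension being hidden so the icon is all the user sees. The check below is an added example written for this thread, not code from the quoted blogs: it inspects attachment names, and the members of a ZIP held in memory, and blocks executables that carry a document extension or a document-themed name. The extension sets, the "block" policy and the sample ZIP are assumptions constructed for illustration; macro-laden .doc files are not caught by a name check alone and would need content inspection.

```python
import io
import zipfile

# Extensions Windows executes on double-click. The posts above show .exe
# and .scr payloads inside ZIPs dressed up as scanned images or PDFs.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "wsf", "hta", "cpl"}
# Document-type extensions that get chained in front of the real one.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}
# Document-themed words inside the stem ("Bankline_document_pdf24372.exe")
# are the icon-spoofing trick; the word is part of the name, not a second
# extension, so a plain double-extension rule would miss it (assumed list).
DOCUMENT_WORDS = ("pdf", "doc", "invoice", "statement", "scan", "image")


def split_name(name):
    """Lower-cased last path component as (base, stem, [extensions])."""
    base = name.lower().replace("\\", "/").rsplit("/", 1)[-1]
    parts = base.split(".")
    return base, parts[0], parts[1:]


def classify_filename(name):
    """Return (verdict, reason); verdict is 'allow' or 'block'."""
    base, stem, exts = split_name(name)
    if not exts:
        return "allow", "no extension"
    last = exts[-1]
    if last in EXECUTABLE_EXTS:
        if len(exts) > 1 and exts[-2] in DOCUMENT_EXTS:
            return "block", "document extension in front of executable: ." + ".".join(exts)
        if any(word in stem for word in DOCUMENT_WORDS):
            return "block", "document-themed name on an executable: " + base
        return "block", "executable attachment: ." + last
    if len(exts) > 1:
        # Gateway rule: multiple extensions are blocked outright.
        return "block", "multiple extensions: ." + ".".join(exts)
    return "allow", "." + last


def classify_zip(data):
    """Classify every member of a ZIP attachment in memory; nothing is extracted to disk."""
    results = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            verdict, reason = classify_filename(info.filename)
            results.append((info.filename, verdict, reason))
    return results


def zip_verdict(data):
    """'block' if any member of the archive is blocked, else 'allow'."""
    return "block" if any(v == "block" for _, v, _ in classify_zip(data)) else "allow"


def build_sample_zip():
    """Constructed sample, not a real lure: member names mirror the posts above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ScannedImage.scr", b"placeholder bytes - not a real binary")
        zf.writestr("notes.txt", b"constructed sample")
    return buf.getvalue()


if __name__ == "__main__":
    for member, verdict, reason in classify_zip(build_sample_zip()):
        print(f"{verdict:5s} {member}: {reason}")
```

The name check is deliberately strict: anything that Windows would run is blocked regardless of how it is dressed up, and the reason string records which trick was spotted so the gateway log stays useful.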

  6. #626
    Adviser Team AplusWebMaster

    Thumbs down Whatsapp leads to Fake Flash update, Fake 'invoice' SPAM - malware

    FYI...

    Whatsapp leads to Fake Flash update – malware
    - http://myonlinesecurity.co.uk/whatsa...pdate-malware/
    27 Jan 2015 - "An email pretending to come from somebody you know that appears to be a Whatsapp notification is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...e1-262x300.png

    When you press the play button in the email, you get sent to a page looking like:
    > http://myonlinesecurity.co.uk/wp-con...2-1024x739.png
    ... if you select the 'upgrade now' button you end up with a fake flash player update and a badly infected computer...
    27 January 2015: adobe_flash_player_update.exe . Current Virus total detections: 2/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/7...is/1422376705/
    ___

    Fake 'invoice' SPAM - malware
    - http://blog.dynamoo.com/2015/01/malw...de-r-kern.html
    27 Jan 2015 - "Kern Engineering & Mfg Corp. is a wholly legitimate firm, they are not sending out this spam nor have their systems been compromised in any way. Instead, this is a -forgery- which has a malicious Word document attached.
    From: Eileen Meade [eileenmeade@ kerneng .com]
    date: 27 January 2015 at 08:25
    subject: inv.# 35261
    Here is your invoice & Credit Card Receipt.
    Eileen Meade
    R. Kern Engineering & Mfg Corp.
    Accounting
    909) 664-2442
    Fax 909) 664-2116


    So far, I have seen two different versions of the Word document, both poorly detected [1] [2] containing two different macros... These attempt to download a binary from one of the following locations:
    http ://UKR-TECHTRAININGDOMAIN .COM/js/bin.exe
    http ://schreinerei-ismer.homepage.t-online .de/js/bin.exe
    This is saved as %TEMP%\sdfsdferfwe.exe. It has a VirusTotal detection rate of 3/57*..."
    1] https://www.virustotal.com/en/file/7...is/1422351101/

    2] https://www.virustotal.com/en/file/2...is/1422351116/

    * https://www.virustotal.com/en/file/2...is/1422351532/


    - http://myonlinesecurity.co.uk/eileen...d-doc-malware/
    27 Jan 2015
    > https://www.virustotal.com/en/file/7...is/1422350612/

    > https://www.virustotal.com/en/file/2...is/1422350713/

    - http://blog.mxlab.eu/2015/01/27/fake...word-document/
    Jan 27, 2015
    > https://www.virustotal.com/en/file/2...is/1422351532/

    216.251.43.17: https://www.virustotal.com/en/ip-add...7/information/

    80.150.6.138: https://www.virustotal.com/en/ip-add...8/information/

    Last edited by AplusWebMaster; 2015-01-27 at 23:46.

  7. #627
    Adviser Team AplusWebMaster

    Thumbs down Fake 'invoice' SPAM - doc malware, Malvertising campaign...

    FYI...

    Fake 'invoice' SPAM - doc malware
    - http://myonlinesecurity.co.uk/windso...d-doc-malware/
    28 Jan 2015 - "'Windsor Flowers Invoice 1385' pretending to come from Windsor Flowers Accounts <windsorflowersaccounts@ hotmail .com> with a malicious word doc attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... This email has what appears to be a genuine word doc attached which is malformed and contains a macro script virus... The email looks like:
    Dear Accounts payable
    Please see attached invoice 1385 for flowers within January 15.
    Our bank details can be found at the bottom of the invoice.
    If paying via transfer please reference our invoice number.
    If you have any queries, please do not hesitate to contact me.
    Many thanks in advance
    Connie
    Windsor Flowers
    74 Leadenhall Market
    London
    EC3 V1LT
    Tel: 020 7606 4277...


    28 January 2015: Windsor Flowers Invoice 1385 Sheet1.doc (2 different versions)
    Current Virus total detections: (76kb) 3/57* | (84 kb) 3/57** ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/2...is/1422442083/

    ** https://www.virustotal.com/en/file/0...is/1422443094/
    ___

    Fake 'RBS' SPAM - pdf-malware
    - http://myonlinesecurity.co.uk/rbs-mo...pdf-malware-2/
    28 Jan 2015 - "'RBS Morning commentary' pretending to come from RBS .COM <no-replay@ rbs .com> with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    Please refer to the details below if you are having problems reading the attached file.
    Please do not contact your Treasury Centre for technical issues – these should be routed to RBS FM support. The attached file is in zip format; first you have to unzip it (self-extracting archive, Adobe PDF) and then it can be viewed in Adobe Acrobat Reader 3.0 or above. If you do not have a copy of the software please contact your technical support department...


    All the attachment numbers are random but all extract to same -malware- payload.
    28 January 2015: attachment3532715.zip: Extracts to: attachment.exe
    Current Virus total detections: 2/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/f...is/1422448752/
    ... Behavioural information
    UDP communications
    134.170.185.211: https://www.virustotal.com/en/ip-add...1/information/
    ___

    xHamster involved in large Malvertising campaign ...
    - https://blog.malwarebytes.org/exploi...sing-campaign/
    Jan 27, 2015 - "... a particular large malvertising campaign in progress from popular adult site xhamster[.]com, a site that boasts half a billion visits a month. In the past two days we have noted a 1500% increase in infections starting from xHamster. Contrary to the majority of drive-by download attacks which use an exploit kit, this one is very simple and yet effective by embedding landing page and exploit within a rogue ad network... The URL linked to is a simplified landing page hosted by what looks like a rogue ad network. The landing simply consists of preparing for a Flash Player exploit... the Flash exploit itself (0 detection on VT*), again hosted on the same ad network. Depending on your version of Flash you may get the recent 0-day:
    > https://blog.malwarebytes.org/wp-con...sh-300x262.png
    Upon successful exploitation, a malicious payload (Bedep) VT 2/57**, is downloaded from:
    hxxp ://nertafopadertam .com/2/showthread.php
    What we see post exploitation is ad fraud as described here***... While malvertising on xHamster is nothing new, this particular campaign is extremely active. Given that this adult site generates a lot of traffic, the number of infections is going to be huge."
    * https://www.virustotal.com/en/file/b...is/1422391909/

    ** https://www.virustotal.com/en/file/0...is/1422393597/

    *** https://blog.malwarebytes.org/exploi...d-in-the-wild/

    Last edited by AplusWebMaster; 2015-01-28 at 15:39.

  8. #628
    Adviser Team AplusWebMaster

    Thumbs down Fake 'Invoice', 'BACS Transfer' SPAM

    FYI...

    Fake 'Invoice' SPAM - doc malware
    - http://myonlinesecurity.co.uk/invoic...d-doc-malware/
    29 Jan 2015 - "'Invoice #10413 from SPOTLESS CLEANING pretending to come from paulamatos@ btinternet .com with a malicious word doc attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    This message contains Invoice #10413 from SPOTLESS CLEANING. If you have questions about the contents of this message or Invoice, please contact SPOTLESS CLEANING.
    SPOTLESS CLEANING
    GLYNDEL HOUSE
    BOWER LANE
    DA4 0AJ
    07956 379907


    29 January 2015 : SPOTLESS CLEANING-Invoice-10413.doc - Current Virus total detections: 0/57*
    ... this malicious word doc with macros downloads from www .otmoorelectrical .co.uk/js/bin.exe which is saved as %temp%\hDnyDA.exe (dridex banking Trojan) which has a current detection rate of 2/57** ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/f...is/1422523082/

    ** https://www.virustotal.com/en/file/6...is/1422531540/
    ___

    Fake 'BACS Transfer' SPAM - doc malware
    - http://myonlinesecurity.co.uk/garth-...d-doc-malware/
    29 Jan 2015 - "'Garth Hutchison BACS Transfer : Remittance for JSAG400GBP' pretending to come from Garth Hutchison <accmng2556@ blumenthal .com> with a malicious word doc attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    We have arranged a BACS transfer to your bank for the following amount : 5821.00
    Please find details attached.


    29 January 2015 : BACS_transfer_JS87123781237.doc - Current Virus total detections: 0/57*
    ... same malware payload as today’s Invoice #10413 from SPOTLESS CLEANING – Word doc malware** ..."
    * https://www.virustotal.com/en/file/f...is/1422524523/

    ** http://myonlinesecurity.co.uk/invoic...d-doc-malware/
    ___

    Swiss users inundated with malware-laden SPAM
    - http://net-security.org/malware_news.php?id=2950
    29.01.2015 - "Swiss users are being heavily targeted by a number of spam campaigns delivering the Tiny Banker (TinBa or Busy) e-banking Trojan. Starting with Tuesday, the spammy emails seem to come from email addresses opened with big Swiss free email service providers (bluewin .ch, gmx .ch) and Swiss telecom provider Orange (orange .ch), but actually originate from broadband lines located all over the world. They masquerade as emails containing images sent from iPhones, an MMS sent to the user by Orange, and an application for a job position:
    > http://www.net-security.org/images/a...m-29012015.jpg
    Unfortunately for those who fall for these tricks, the attached ZIP files contain only malware. "While most of the Tinba versions I usually come across of are utilising a Domain Generation Algorithm (DGA) to calculate the current botnet C&C domain, the version of Tinba that has been spread in Switzerland since yesterday is using hard-coded botnet C&C domains," noted Swiss security activist Raymond Hussy*. Further investigation revealed that all the sending IP addresses are Cutwail infected IPs, and the malware tries to contact four distinct C&C servers, two of which have already been sinkholed. Hussy recommends to network administrators to block traffic to and from the remaining two active domains (serfanteg .ru, midnightadvantage .ru) and the following IPs: 91.220.131.216 and 91.220.131.61. "In general, 91.220.131.0/24 looks quite suspect. So you may want to block the whole netblock," he pointed out, adding that it would also be a good idea to block filenames with multiple file extensions on their email gateway."
    * https://www.abuse.ch/?p=9095

    91.220.131.61: https://www.virustotal.com/en/ip-add...1/information/

    91.220.131.216: https://www.virustotal.com/en/ip-add...6/information/

    Last edited by AplusWebMaster; 2015-01-30 at 13:47.
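    The posts in this thread keep ending in "recommended blocklist" entries: single IPs, domains, and in the Tinba write-up a whole /24. Turning those into something that actually fires on traffic is the part that gets skipped, so here is an added example (my own code, not from dynamoo.com, abuse.ch or any of the quoted blogs) that loads the indicators quoted above and runs them over proxy log lines. The indicators are the ones printed in the posts (IRS run blocklist, the Dyre IP 202.153.35.133, the two Tinba IPs and 91.220.131.0/24); the log layout "epoch client method url", the client addresses and the log lines themselves are constructed for the example.

```python
import ipaddress
import re

# Indicators quoted in the posts above. Nothing in these three sets is invented.
BLOCKED_IPS = {"89.108.88.9", "78.24.219.6", "109.105.193.99",
               "202.153.35.133", "91.220.131.216", "91.220.131.61"}
BLOCKED_NETS = [ipaddress.ip_network("91.220.131.0/24")]
BLOCKED_DOMAINS = {"irsuk.co", "garbux.com", "ukirsgov.com", "updateimage.ru",
                   "getimgdcenter.ru", "agensiaentrate.it", "freeimagehost.ru",
                   "serfanteg.ru", "midnightadvantage.ru"}

# Constructed sample log (assumed layout: epoch client method url). The
# host 91.220.131.77 is a made-up address inside the quoted /24, and the
# garbage line shows that unparseable input is skipped, not crashed on.
SAMPLE_LOG = """\
1422523082 10.0.0.12 POST http://garbux.com/gate.php
1422523090 10.0.0.12 GET http://www.irsuk.co/SetupIRS2015.zip
1422523100 10.0.0.15 GET http://example.com/index.html
1422523110 10.0.0.17 GET http://202.153.35.133/bin.exe
1422523120 10.0.0.18 GET http://91.220.131.77/
1422523130 10.0.0.19 GET http://notgarbux.com/
this line is garbage
"""

LINE_RE = re.compile(r"^(?P<ts>\d+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)$")
HOST_RE = re.compile(r"^[a-z][a-z0-9+.-]*://([^/:?#]+)")


def host_of(url):
    """Lower-cased host part of a URL, or None if the field is not a URL."""
    m = HOST_RE.match(url.lower())
    return m.group(1) if m else None


def match_host(host):
    """Reason string if host is on the blocklist, else None.

    Exact IPs win over netblocks so the log says which list fired; domains
    match themselves and any subdomain, but not look-alikes such as
    notgarbux.com.
    """
    host = host.rstrip(".")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        if host in BLOCKED_IPS:
            return "blocked-ip"
        if any(ip in net for net in BLOCKED_NETS):
            return "blocked-netblock"
        return None
    if host in BLOCKED_DOMAINS or any(host.endswith("." + d) for d in BLOCKED_DOMAINS):
        return "blocked-domain"
    return None


def scan_log(text):
    """Return one hit dict per log line whose destination host is blocklisted."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        host = host_of(m.group("url"))
        if host is None:
            continue
        reason = match_host(host)
        if reason is not None:
            hits.append({"ts": int(m.group("ts")), "client": m.group("client"),
                         "host": host, "reason": reason})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The suffix match on domains is what makes the irsuk .co entry catch www.irsuk.co as well; the leading dot in the comparison is what stops it from also catching unrelated names that merely end in the same letters.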

  9. #629
    Adviser Team AplusWebMaster

    Thumbs down Fake 'BACS Transfer', Fake BBB SPAM ...

    FYI...

    Fake 'BACS Transfer' SPAM - doc malware
    - http://blog.dynamoo.com/2015/01/malw...emittance.html
    30 Jan 2015 - "So far I have only seen one sample of this..
    From "Garth Hutchison"
    Date 21/01/2015 11:50
    Subject BACS Transfer : Remittance for JSAG400GBP
    We have arranged a BACS transfer to your bank for the following amount : 5821.00
    Please find details attached.


    Attached is a malicious Word document BACS_transfer_JS87123781237.doc [VT 1/57*] which contains a macro... which downloads a file from:
    http ://stylishseychelles .com/js/bin.exe
    This is then saved as %TEMP%\iHGdsf.exe. This has a VirusTotal detection rate of 6/57** identifying it as a Dridex download... Sources indicate that this malware phones home to the following IPs which I recommend you block:
    92.63.88.108
    143.107.17.183
    5.39.99.18
    136.243.237.218
    "
    * https://www.virustotal.com/en/file/9...is/1422618493/

    ** https://www.virustotal.com/en/file/3...is/1422618468/
    ___

    Fake BBB SPAM - PDF malware
    - http://myonlinesecurity.co.uk/bbb-sb...e-pdf-malware/
    30 Jan 2015 - "'BBB SBQ Form #2508(Ref#61-959-0-4)' pretending to come from Admin <no-replay@ bbbl .org> with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...015/01/BBB.png

    30 January 2015: SBQForm-57675.zip ( 13kb) : Extracts to: doc-PDF.exe
    Current Virus total detections: 8/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/0...is/1422628270/
    ... Behavioural information
    TCP connections
    46.165.223.77: https://www.virustotal.com/en/ip-add...7/information/
    31.170.162.203: https://www.virustotal.com/en/ip-add...3/information/
    UDP communications
    134.170.185.211: https://www.virustotal.com/en/ip-add...1/information/
    208.91.197.54: https://www.virustotal.com/en/ip-add...4/information/
    208.97.25.20: https://www.virustotal.com/en/ip-add...0/information/
    ___

    Fake 'RE-CONFIRM' SPAM - malware
    - http://myonlinesecurity.co.uk/re-con...ll112-malware/
    30 Jan 2015 - "'RE-CONFIRM P.O©{XX1ll112}' pretending to come from sensaire@ emirates .net .ae with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...A9XX1ll112.png

    30 January 2015: Purchase order(1).zip: Extracts to: Purchase order.exe
    Current Virus total detections: 12/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper file with an icon saying A instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/8...is/1422633004/
    ___

    Fake 'Apple Termination' – Phish ...
    - http://myonlinesecurity.co.uk/apple-...tion-phishing/
    30 Jan 2015 - "'Apple Termination' pretending to come from Apple Account <support@ apple-messages .com> is one of the latest -phish- attempts to steal your Apple Account and your Bank, credit card and personal details. This one only wants your personal details, Apple log in details and your credit card and bank details. Many of them are also designed to specifically steal your email, facebook and other social network log in details as well...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...ermination.png

    If you follow the link you see a webpage looking like with a pre-filled in box with your email address in it:
    > http://myonlinesecurity.co.uk/wp-con...y_apple_ID.png
    When you fill in your user name and password you get a page looking like this ( split into sections), where the phishers try to validate your details to make sure that you are entering “genuine ” information. They make sure that the bank account numbers have the correct number of digits and that the credit card numbers have the correct number of digits and format:
    > http://myonlinesecurity.co.uk/wp-con...apple_ID_3.png
    ... these emails use Social engineering tricks to persuade you to open the attachments that come with the email... whether it is a straight forward attempt, like this one, to steal your personal, bank, credit card or email and social networking log in details..."
    ___

    Fake 'Tesco Bank' – Phish ...
    - http://myonlinesecurity.co.uk/latest...bank-phishing/
    30 Jan 2015 - "'Latest estatement is ready – Tesco Bank' pretending to come from savings@ tescobank .com <pol@ tesco .com> is one of the latest -phish- attempts to steal your Tesco bank Account and your other personal details. This one only wants your personal details, Tesco log in details and your credit card and bank details. Many of them are also designed to specifically steal your email, facebook and other social network log in details as well... a website that looks at first glance like the genuine Tesco bank website but you can clearly see in the address bar, that it is -fake-. Some versions of this phish will ask you fill in the html (webpage) form that comes attached to the email.
    Certain restriction has been placed on your tesco bank online services
    View your eDocument attached to proceed
    Tesco Bank is a retail bank in the United Kingdom which was formed in 1997,
    and which has been wholly owned by Tesco PLC since 2008
    ©Tesco Personal Finance plc 2014 / ©Tesco Personal Finance Compare Limited 2014.


    If you open the attached html form you see this message:
    Your Latest Tesco Bank Saving Account Statement is ready.
    Certain restriction has been placed on your tesco bank online service
    You would be required to re – activate your online banking access to proceed
    Activate Your Online Access


    If you follow that link you see a webpage looking like:
    > http://myonlinesecurity.co.uk/wp-con..._vouchers1.jpg
    Then you get a page asking for password and Security number:
    > http://myonlinesecurity.co.uk/wp-con..._vouchers2.jpg
    After you fill in your Security number and password you get a page looking like this, where the phishers try to validate your details to make sure that you are entering “genuine ” information. They make sure that the bank account numbers have the correct number of digits and that the credit card numbers have the correct number of digits and format:
    > http://myonlinesecurity.co.uk/wp-con..._vouchers3.jpg
    Then they send you to this page and eventually it auto redirects you to the genuine Tesco bank site:
    > http://myonlinesecurity.co.uk/wp-con..._vouchers4.jpg
    All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email..."

    Last edited by AplusWebMaster; 2015-01-30 at 18:57.

  10. #630
    Adviser Team AplusWebMaster

    Thumbs down Super Bowl Phishing -and- SPAM ...

    FYI...

    Super Bowl Phishing -and- SPAM ...
    - https://isc.sans.edu/diary.html?storyid=19261
    2015-01-31 - "Beware of Super Bowl spam that may come to your email inbox this weekend. The big game is Sunday and the spam and phishing emails are -pouring- in complete with helpful -links- back-ended by malware and/or credential harvesting:
    > https://isc.sans.edu/diaryimages/images/superbowl.PNG
    ... worth a reminder to friends and family if they see any emails about the Super Bowl that appears to be too-good-to-be-true - delete it..."

    Last edited by AplusWebMaster; 2015-01-31 at 19:58.
