
Thread: SPAM frauds, fakes, and other MALWARE deliveries...

  1. #61
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Fake Jdeeedwards .com SCAM

    FYI...

    Fake J. dee Edwards / jdeeedwards .com scam
    - http://blog.dynamoo.com/2012/11/j-de...scom-scam.html
    17 Nov 2012 - "I'm not even certain what this scam is, but this is certainly not legitimate:
    From: J. dee Edwards j.edwards @ jdeeedwards .com
    Reply-To: j.edwards @ jdeeedwards .com
    Date: 17 November 2012 16:29
    Subject: Edwards contact
    Dear Colleague,
    We are working with healthcare market companies which would like to hear your opinion.
    We would like you to become a member of working group and share your opinion online. Please review your full name, specialty, country and language by clicking on the link http ://www .jdeeedwards .com/contact.php?e=[redacted] or replying to the email.
    Thank you for your time.
    J. dee Edwards HRms
    j.edwards @ jdeeedwards .com
    http ://www .jdeeedwards .com
    To ensure that our emails reach you, please remember to add j.edwards @ jdeeedwards .com to your email address book.
    We would like to remind you that J. dee Edwards is committed to safeguarding your privacy and your personal details will not be disclosed to third parties.
    If you do not wish to receive please visit: http ://jdeeedwards .com/ unsub.php?e=[redacted]
    Copyright 2012 - J. dee Edwards - 20 Broadwick Street London, UK


    Firstly, the email is sent to an address that ONLY spammers use, which is not a good sign. Secondly, the domain jdeeedwards .com has anonymous WHOIS details and was registered just over a month ago - the site is hosted on 54.247.87.188 (Amazon, Ireland) and looks like this:
    > https://lh3.ggpht.com/-gF0CqXAXYUc/U...deeedwards.png
    ... there used to be a company called JD Edwards, but there isn't any more**, nor is there a company called J. dee Edwards anywhere in the UK. The link in the email is some sort of signup thing, I guess it's the first part of a scam to recruit people for some sort of illegal activity.
    > https://lh3.ggpht.com/-htRJx4tLeEA/U...eeedwards2.png
    Oddly, the email address is an "optional" component, so how are they going to contact you? Maybe it's the tracking code in the link. Alternatively, you can reply by email and this is the third suspect thing, the mailserver is on 85.206.51.81 in Lithuania (AS8764 / LIETUVOS-TELEKOMAS). AS8764* is a pretty scummy netblock according to Google*. 85.206.51.81 is also the IP address the spam was sent from. So, a non-existent company with a month-old domain sends an email to an address only spammers use, from an email server in a dodgy part of cyberspace. Whatever this is, it is some sort of scam and is definitely best avoided."
    * http://www.google.com/safebrowsing/d...c?site=AS:8764

    ** https://en.wikipedia.org/wiki/JD_Edwards
    "... JD Edwards, abbreviated JDE, -was- an Enterprise Resource Planning (ERP) software company..."

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #62
    Adviser Team AplusWebMaster's Avatar

    Bogus IRS emails lead to malware

    FYI...

    Fake IRS "W-1" SPAM / 5.chinottoneri .com
    - http://blog.dynamoo.com/2012/11/w-1-...tonericom.html
    19 Nov 2012 - "This is a new one, pretending to be from the victim's HR department with tailored fake links in the email that look like they are going to the victim's own domain. Of course, floating over the links reveals that they point to some other domain entirely. A W-1 form is a tax form of some sort from the US Internal Revenue Service.
    From: Administrator [mailto:administrator @ victimdomain .com]
    Sent: 19 November 2012 14:50
    Subject: To All Employee's - Important Address UPDATE
    To All Employee's:
    The end of the year is approaching and we want to ensure every employee receives their W-1 to the correct address.
    Verify that the address is correct - https ://local .victimdomain .com/details.aspx?id=[redacted]
    If changes need to be made, contact HR at https ://hr.victimdomain .com/update.aspx?id=[redacted].
    Administrator,
    http ://victimdomain .com


    In this case, the link bounces through two hacked legitimate sites to end up at [donotclick]5.chinottoneri .com/links/landing-philosophy_dry-suspende.php hosted on 50.61.155.86 (Fortress ITX, US). VirusTotal detections are pretty low*. I suspect that there are many other malicious sites on this IP, blocking it would be wise."
    * https://www.virustotal.com/file/8254...is/1353338928/
    File name: exploit.htm
    Detection ratio: 3/43
    Analysis date: 2012-11-19
    ___

    Bogus IRS emails lead to malware
    - http://blog.webroot.com/2012/11/19/b...ad-to-malware/
    Nov 19, 2012 - "In March 2012, we intercepted an IRS themed malicious campaign that was serving client-side exploits to prospective users in an attempt to drop malware on the affected hosts. This week, we intercepted three consecutive campaigns using the exact same email template used in the March campaign...
    Sample screenshot of the spamvertised email:
    > https://webrootblog.files.wordpress....al_malware.png
    Unlike March 2012's campaign that used client-side exploits in an attempt to drop malware on the affected host, the last three campaigns have relied on malicious archives attached to spamvertised emails. Each has a unique MD5 and phones back to a different (compromised) command and control server.
    The first sample: MD5: f56026fcc9ac2daad210da82d92f57a3 * ... Worm:Win32/Cridex.E phones back to 210.56.23.100 :8080/Ajtw/UCygrDAA/Ud+asDAA (AS7590, Commission For Science And Technology, Pakistan).
    We also have another: MD5: 532bdd2565cae7b84cb26e4cf02f42a0 ** Worm:Win32/Cridex.E that is known to have phoned back to the same IP, 128.2.172.202 :8080/37ugtbaaaaa/enmtzaaaaa/pxos/
    The following MD5s are also known to have phoned back to this very same IP:
    MD5: a5c8fb478ff7788609863b83079718ec ... Worm:Win32/Cridex.E
    MD5: f739f99f978290f5fc9a812f2a559bbb ... Trojan.Win32.Bublik.swr
    The third sample used in the IRS themed campaign: MD5: 32b4227ae379f98c1581f5cb2b184412 *** ... Worm:Win32/Cridex.E phones back to 202.143.189.180 :8080/Ajtw/UCygrDAA/Ud+asDAA (AS23974, Ministry of education, Thailand)..."
    * https://www.virustotal.com/file/4188...is/1352985385/
    File name: IRS_Letter.exe
    Detection ratio: 36/44
    Analysis date: 2012-11-15
    ** https://www.virustotal.com/file/4c22...is/1352985520/
    File name: IRS_Rejected.exe
    Detection ratio: 35/44
    Analysis date: 2012-11-15
    *** https://www.virustotal.com/file/e72b...is/1352985751/
    File name: IRS-AppID.exe
    Detection ratio: 36/44
    Analysis date: 2012-11-15
    ___

    Fake "Southwest Airlines" SPAM / headerandfooterprebuilt .pro
    - http://blog.dynamoo.com/2012/11/sout...ines-spam.html
    19 Nov 2012 - "This fake Southwest Airlines spam leads to malware at headerandfooterprebuilt .pro:
    Date: Mon, 19 Nov 2012 19:33:04 +0000
    From: "Southwest Airlines" [no-reply @luv .southwest .com]
    To: [redacted]
    Subject: Southwest Airlines Confirmation: 5927NI
    [redacted] 2012-11-19 86KY9Z INITIAL SLC WN PHX0.00T/TFF 0.00 END AY3.50$SLC2.50 1445164773311 2013-11-22 1655 2012-11-20 Depart SAN LEONARD CITY UT (SLC) at 8:08 PM on Southwest Airlines Arrive in PHOENIX AZ (PHX) at 9:02 PM
    You're all set for your traveling!
    My Account | Review My Itinerary Online
    Check Up Online | Check Flight Status | Change Flight | Special Offers | Hotel Deals | Car Deals
    Ready for lift-off!
    Thanks Southwest for your travel! You can find everything you need to know about your booking below. Happy voyage!
    Upcoming Cruise: 11/20/12 - SLC - Phx Knight


    The malicious payload is at [donotclick]headerandfooterprebuilt .pro/detects/quality_flyes-ticket_check.php hosted on 198.27.94.80 (OVH, US). There are probably other Bad Things on that IP address, I just can't see them yet.. blocking it would be a good precaution."
    ___

    Fake "End of Aug. Statement Reqiured" SPAM / bamanaco .ru
    - http://blog.dynamoo.com/2012/11/end-...ured-spam.html
    19 Nov 2012 - "This spam leads to malware on bamanaco .ru:
    Date: Mon, 19 Nov 2012 03:55:08 -0500
    From: ups [admin@ups.com]
    Subject: Re: FW: End of Aug. Statement Reqiured << sp?
    Attachments: Invoices-1119-2012.htm
    Hallo,
    as reqeusted I give you inovices issued to you per oct. 2012 ( Internet Explorer/Mozilla Firefox file)
    Regards


    The malicious payload is at [donotclick]bamanaco .ru:8080/forum/links/column.php hosted on the following IPs:
    203.80.16.81 (MYREN, Malaysia)
    216.24.196.66 (Psychz Networks, US)
    These IPs have been used to deliver malware several times recently, you should block access to them if you can."
    ___

    Rolex SPAM rolls out in time for Black Friday
    - http://www.gfi.com/blog/rolex-spam-r...-black-friday/
    Nov 19, 2012 - "... no surprise that online shenanigans abound when big holidays and major events are just around the corner. What remains to be seen are the forms of these shenanigans we ought to expect to see online and in our inboxes. This Thanksgiving and Black Friday week, cyber criminals did not disappoint. We found this particular email spam in user inboxes these last few days:
    > http://www.gfi.com/blog/wp-content/u...il-231x300.png
    From: Designer Watches by LR (could be random, too)
    To: {random}
    Subject: Start Black Friday today
    Message body:
    BLACK FRIDAY EVERY DAY UNTIL NOVEMBER 23RD!
    The best quality watch replicas on PLANET EARTH!
    The lowest priced high-end watches on the PLANET!
    www(dot)LRblackfridaytoday(dot)com
    BLACK FRIDAY HAS STARTED!
    Black Friday every day until November 23!
    All items reduced by 25-50% as of TODAY.
    Over 25,000 exact watch-copies have been reduced until Friday November 23rd.
    There plenty of time to get the watch of your dreams but we recommend doing it as soon as possible.
    This will ensure INSTOCK availability and fast delivery.
    NOTE: BLACK FRIDAY PRICES ARE AVAILABLE ON INSTOCK ITEMS ONLY!
    Currently every watch model is INSTOCK and ready to ship within 1 hour.
    THESE ARE NOT CHEAP CHINA STOCK KNOCK-OFFS:
    These are hand crafted high-end watch-copies.
    These are made using identical parts and materials.
    These are tested inside and out to be identical.
    There is no difference between our watch-copies and the originals!
    www(dot)LRblackfridaytoday(dot)com


    Clicking either the image or the URLs on the email body leads users to the LRblackfridaytoday domain, which looks like this:
    > http://www.gfi.com/blog/wp-content/u...ca-300x274.png
    The domain resolves to an IP in the Czech Republic that does not only have a bad reputation but also uses a network that Google* warned us about. Our friends at Symantec** have also mentioned several variants of this spam mail (and published other Black Friday-related threats) that you might want to check out, too. Fake Rolex replica spammers, like fake pharma scammers, promise little luxuries but often never deliver. Giving out your credit card information to spammed sites is a sure way of putting yourself in potential debt with no “luxury replica item” in return..."
    * http://www.google.com/safebrowsing/d...c?site=AS:6830

    ** http://www.symantec.com/connect/blog...spammers-radar
    ___

    More here (also links to Screenshots):
    - http://www.gfi.com/blog/gfi-labs-ema...or-the-week-3/
    Nov 19, 2012

    Last edited by AplusWebMaster; 2012-11-19 at 23:25.

  3. #63
    Adviser Team AplusWebMaster's Avatar

    SPAM Malware sites to block and other badness

    FYI...

    Malware sites to block 20/11/12
    - http://blog.dynamoo.com/2012/11/malw...ck-201112.html
    20 Nov 2012 - "This huge pile of malware sites and IPs is connected with these malicious emails being distributed in the Netherlands. All the sites are interconnected through their black hat infrastructure and are either being used for malware distribution or some other evil activity:
    5.39.8.105 (OVH, Ireland)
    46.249.38.27 (Hotkey, Russia)
    62.109.31.36 (TheFirst, Russia)
    64.79.64.170 (XLHost, US)
    78.46.198.143 (GPI Holding,US)
    78.110.61.186 (Hosting Telesystems, Russia)
    91.220.35.42 (Zamahost, Russia)
    91.220.35.74 (Zamahost, Russia)
    91.231.156.55 (Sevzapkanat-Unimars, Russia)
    93.174.90.81 (Ecatel, Netherlands)
    95.211.9.46 (Leaseweb, Netherlands)
    95.211.9.55 (Leaseweb, Netherlands)
    149.154.67.103 (TheFirst, Russia)
    176.9.179.170 (Siteko, Russia)
    178.63.226.203 (Avist, Russia)
    178.63.247.189 (GPI Holding,US)
    178.162.134.205 (AlfaInternet, Russia)
    184.82.101.52 (HostNOC, US)
    193.161.86.43 (Host-Telecom, Czech Republic)
    194.62.233.19 (Stils-Grupp, Russia)
    198.23.139.199 (Chicago VPS, US)
    208.88.226.231 (WZ Communications, US)
    If you want to block those Russian hosts more widely, perhaps use the following list:
    46.249.38.0/24
    62.109.28.0/22
    64.79.64.170
    78.46.198.136/29
    78.110.61.186
    91.220.35.0/24
    91.231.156.0/24
    93.174.90.81
    95.211.9.46
    95.211.9.55
    149.154.66.0/23
    176.9.179.128/26
    178.63.226.192/26
    178.63.247.128/26
    178.162.134.192/26
    184.82.101.52
    193.161.86.43
    194.62.233.0/24
    198.23.139.199
    ...
    (More detail at the dynamoo URL above.)
    ___

    Fake "Don't forget about meeting tomorrow" SPAM / hamasutra .ru
    - http://blog.dynamoo.com/2012/11/dont...rrow-spam.html
    20 Nov 2012 - "This spam leads to malware on hamasutra .ru:
    From: Lula Stevens [... JolieWright @ shaw .ca]
    Sent: 20 November 2012 05:57
    Subject: Don't forget about meeting tomorrow
    Don't forget this report for meeting tomorrow.
    See attached file. (Internet Explorer file)


    In the sample I have seen, there is an attachment called Report.htm with some obfuscated javascript leading to a malicious payload at [donotclick]hamasutra .ru:8080/forum/links/column.php hosted on the following IPs:
    82.165.193.26 (1&1, Germany)
    202.180.221.186 (GNet, Mongolia)
    203.80.16.81 (MYREN, Malaysia)
    216.24.196.66 (Psychz Networks, US)
    Plain list:
    82.165.193.26
    202.180.221.186
    203.80.16.81
    216.24.196.66

    ___

    Fake ‘Copies of Missing EPLI Policies’ emails lead to BlackHole Exploit Kit
    - http://blog.webroot.com/2012/11/20/c...e-exploit-kit/
    Nov 20, 2012 - "Attempting to achieve a higher click-through rate for their exploits and malware serving malicious campaign, cybercriminals are currently spamvertising millions of emails attempting to trick users into thinking they’ve become part of a private conversation about missing EPLI policies (Employment practices liability). In reality, clicking on any of the links in the oddly formulated email will expose them to the client-side exploits served by the latest version of the BlackHole Exploit Kit...
    Sample screenshot of the spamvertised email:
    > https://webrootblog.files.wordpress....ts_malware.png
    ... Sample client-side exploits serving URL: hxxp ://monacofrm.ru :8080/forum/links/column.php
    Malicious domain name reconnaissance:
    monacofrm .ru – 202.180.221.186, AS24496; 203.80.16.81, AS24514; 216.24.194.66, AS40676
    Name server: ns1.monacofrm .ru – 62.76.178.233
    Name server: ns2.monacofrm .ru – 41.168.5.140
    Name server: ns3.monacofrm .ru – 132.248.49.112
    Name server: ns4.monacofrm .ru – 209.51.221.247 ...
    We also know is that on 2012-11-12 10:58:07, the following client-side exploits serving domain was also responding to the same IP (202.180.221.186) - hxxp ://canadianpanakota .ru:8080/forum/links/column.php. Upon successful client-side exploitation, this URL dropped MD5: 532bdd2565cae7b84cb26e4cf02f42a0 * ... Worm:Win32/Cridex.E.
    We’re also aware of two more client-side exploits serving domains responding to the same IP (202.180.221.186) on 2012-11-15 19:49:33 – hxxp ://investomanio .ru/forum/links/public_version.php, and on the 2012-11-15 04:40:06 – hxxp ://veneziolo .ru/forum/links/column.php...
    * https://www.virustotal.com/file/a070...eb2b/analysis/
    File name: contacts.exe.x-msdownload
    Detection ratio: 33/44
    Analysis date: 2012-11-13
    (More detail at the webroot URL above.)

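    The "Malware sites to block 20/11/12" entry above gives two lists: one per-host list with hosting details, and a wider CIDR list for blocking the Russian hosts more broadly. The following is an added example (not code from the dynamoo post or this thread) that parses both lists, checks which specific hosts the wider list does not actually cover, merges everything into the smallest equivalent set of networks, and emits outbound iptables DROP rules. The input strings are copied from the post; since the post's CIDR list ends in "...", a couple of hosts are expected to come out uncovered.

```python
"""Check a per-host blocklist against a wider CIDR list and collapse both.

Added example; this is not code from the dynamoo post or the forum. The two
input lists are copied from the "Malware sites to block 20/11/12" entry above
(the CIDR list there ends in "...", so a few hosts are expected to be uncovered).
"""
import ipaddress
import re

# Host list as given in the post, one "IP (Org, Country)" entry per line.
HOST_LIST = """
5.39.8.105 (OVH, Ireland)
46.249.38.27 (Hotkey, Russia)
62.109.31.36 (TheFirst, Russia)
64.79.64.170 (XLHost, US)
78.46.198.143 (GPI Holding,US)
78.110.61.186 (Hosting Telesystems, Russia)
91.220.35.42 (Zamahost, Russia)
91.220.35.74 (Zamahost, Russia)
91.231.156.55 (Sevzapkanat-Unimars, Russia)
93.174.90.81 (Ecatel, Netherlands)
95.211.9.46 (Leaseweb, Netherlands)
95.211.9.55 (Leaseweb, Netherlands)
149.154.67.103 (TheFirst, Russia)
176.9.179.170 (Siteko, Russia)
178.63.226.203 (Avist, Russia)
178.63.247.189 (GPI Holding,US)
178.162.134.205 (AlfaInternet, Russia)
184.82.101.52 (HostNOC, US)
193.161.86.43 (Host-Telecom, Czech Republic)
194.62.233.19 (Stils-Grupp, Russia)
198.23.139.199 (Chicago VPS, US)
208.88.226.231 (WZ Communications, US)
"""

# Wider list from the same post (truncated there with "...").
CIDR_LIST = """
46.249.38.0/24
62.109.28.0/22
64.79.64.170
78.46.198.136/29
78.110.61.186
91.220.35.0/24
91.231.156.0/24
93.174.90.81
95.211.9.46
95.211.9.55
149.154.66.0/23
176.9.179.128/26
178.63.226.192/26
178.63.247.128/26
178.162.134.192/26
184.82.101.52
193.161.86.43
194.62.233.0/24
198.23.139.199
"""

# IPv4 address with an optional /prefix; everything else on the line is ignored.
NET_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})(?:/(\d{1,2}))?")


def parse_networks(text):
    """Pull IPv4 hosts/networks out of free text; bare hosts become /32 networks."""
    nets = []
    for addr, plen in NET_RE.findall(text):
        nets.append(ipaddress.ip_network(f"{addr}/{plen or 32}", strict=False))
    return nets


def uncovered_hosts(hosts, cidrs):
    """Hosts from the narrow list that no network in the wide list contains."""
    return [h for h in hosts if not any(h.network_address in c for c in cidrs)]


def consolidated(hosts, cidrs):
    """Smallest equivalent set of networks covering both lists (duplicates merged)."""
    return sorted(ipaddress.collapse_addresses(hosts + cidrs))


def iptables_rules(nets):
    """Outbound DROP rules, one per network, for pasting into a firewall script."""
    return [f"iptables -A OUTPUT -d {n.with_prefixlen} -j DROP" for n in nets]


if __name__ == "__main__":
    hosts, cidrs = parse_networks(HOST_LIST), parse_networks(CIDR_LIST)
    for h in uncovered_hosts(hosts, cidrs):
        print(f"not covered by the wide list: {h.network_address}")
    print("\n".join(iptables_rules(consolidated(hosts, cidrs))))
```

    Running it reports 5.39.8.105 and 208.88.226.231 as not covered, which matches the post: the first is an OVH (Ireland) host the "Russian hosts" list never meant to include, the second sits past the "..." where the post's wider list is cut off. The coverage check is the part worth keeping: whenever a blog offers both a detailed and a "wider" list, confirm the wide one really contains every specific indicator before you paste only the wide one into a firewall.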

  4. #64
    Adviser Team AplusWebMaster's Avatar

    Linux Rootkit doing iFrame Injections

    FYI...

    Linux Rootkit doing iFrame Injections
    - https://www.securelist.com/en/blog/2...ame_Injections
    Nov 19, 2012 - "... an interesting piece of Linux malware came up on the Full Disclosure mailing-list*... not only because it targets 64-bit Linux platforms and uses advanced techniques to hide itself, but primarily because of the unusual functionality of infecting the websites hosted on attacked HTTP server - and therefore working as a part of drive-by download scenario... The malware module was specially designed for the kernel version 2.6.32-5-amd64, which happens to be the latest kernel used in 64-bit Debian Squeeze. The binary is more than 500k, but its size is due to the fact that it hasn't been stripped (i.e. it was compiled with the debugging information). Perhaps it's still in the development stage, because some of the functions don't seem to be fully working or they are not fully implemented yet. The malware ensures its startup by adding an entry to the /etc/rc.local script... Then it extracts the memory addresses of several kernel functions and variables and stores them in the memory for the later use... the malicious iFrames are injected into the HTTP traffic by direct modification of the outgoing TCP packets... In order to obtain the actual injection payload, the malware connects to the C&C server using an encrypted password for authentication... the malicious server is still active and it hosts other *NIX based tools, such as log cleaners... So far, in most of the drive-by download scenarios an automated injection mechanism is implemented as a simple PHP script. In the case described above, we are dealing with something far more sophisticated - a kernel-mode binary component that uses advanced hooking techniques to ensure that the injection process is more transparent and low-level than ever before. This rootkit, though it's still in the development stage, shows a new approach to the drive-by download schema and we can certainly expect more such malware in the future. An excellent, detailed analysis of this rootkit was recently posted on CrowdStrike blog**."
    * http://seclists.org/fulldisclosure/2012/Nov/94

    ** http://blog.crowdstrike.com/2012/11/...x-rootkit.html
    ___

    - http://h-online.com/-1753969
    21 Nov 2012
    ___

    - http://atlas.arbor.net/briefs/index#2007317889
    64-bit Linux Rootkit Doing iFrame Injections
    Nov 20, 2012
    New development on a Linux-based rootkit shows increased attention from cybercriminals.
    Analysis: It's been a while since public linux rootkit activity has raised much attention. This particular rootkit is poorly designed however is/was effective at delivering malicious links to website visitors, its primary goal. Several write-ups on the threat exist, including a post to the Full-Disclosure list, the Kaspersky blog and the CrowdStrike blog to provide plenty of analysis material to help admins detect this threat. Arbor is interested to hear if any customers have found this threat on their hosting platforms.
    Source: http://www.securelist.com/en/blog/20...ame_Injections

    Last edited by AplusWebMaster; 2012-11-22 at 12:27.
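    One admin-side check that follows directly from the write-ups above, as an added example (not code from Securelist, CrowdStrike or Arbor): because the rootkit rewrites outgoing TCP packets rather than the files the web server reads, the document on disk stays clean while the response the visitor receives carries the extra iframe. Comparing the two copies of the same page therefore exposes the injection. The HTML strings below are constructed samples, `injected.invalid` is a placeholder hostname, and `fetch_served` is the hypothetical helper you would point at your own server.

```python
"""Find iframes that exist in a served page but not in the file on disk.

Added example, not code from the analyses quoted above. Sample HTML is
constructed; "injected.invalid" is a placeholder, not a real indicator.
"""
import urllib.request
from html.parser import HTMLParser

# Constructed: the page as stored under the document root (one legitimate embed).
ON_DISK = """<html><body>
<h1>Company news</h1>
<iframe src="https://video.example/embed/42" width="560" height="315"></iframe>
</body></html>"""

# Constructed: the same page as delivered over HTTP, with an extra hidden frame
# that a packet-rewriting rootkit would have spliced into the response.
SERVED = """<html><body>
<h1>Company news</h1>
<iframe src="https://video.example/embed/42" width="560" height="315"></iframe>
<iframe src="http://injected.invalid/landing.php" width="1" height="1" style="display: none"></iframe>
</body></html>"""


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":          # HTMLParser already lower-cases tag names
            self.iframes.append(dict(attrs))


def iframes_in(html):
    parser = IframeCollector()
    parser.feed(html)
    return parser.iframes


def injected_iframes(on_disk, served):
    """Iframes present in the served copy whose exact attributes are absent on disk."""
    baseline = {frozenset(f.items()) for f in iframes_in(on_disk)}
    return [f for f in iframes_in(served) if frozenset(f.items()) not in baseline]


def looks_hidden(attrs):
    """Heuristic for drive-by frames: invisible or 0/1 pixel in size."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return bool("display:none" in style or "visibility:hidden" in style
                or attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1"))


def fetch_served(url):
    """Hypothetical helper: fetch the page the way a visitor would (run it from outside the host
    as well, since a kernel hook may treat loopback traffic differently)."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode(resp.headers.get_content_charset() or "utf-8")


if __name__ == "__main__":
    # Real use: injected_iframes(open("/var/www/html/index.html").read(),
    #                            fetch_served("http://www.example/index.html"))
    for frame in injected_iframes(ON_DISK, SERVED):
        flag = "HIDDEN" if looks_hidden(frame) else "visible"
        print(f"injected iframe ({flag}): {frame.get('src')}")
```

    The comparison is exact on attributes, so a legitimate embed that is also in the file on disk is never flagged, while an added frame is reported even if it is full-size; `looks_hidden` only ranks the findings. A matching on-disk and served copy does not clear the host (the C&C can switch the payload off), so repeat the check from several client addresses and times.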

  5. #65
    Adviser Team AplusWebMaster's Avatar

    Bogus ‘MS License Orders’ serve client-side exploits and malware

    FYI...

    Bogus ‘MS License Orders’ serve client-side exploits and malware
    - http://blog.webroot.com/2012/11/21/c...s-and-malware/
    Nov 21, 2012 - "Cybercriminals are currently mass mailing millions of emails impersonating Microsoft Corporation in an attempt to trick users into clicking on a link in a -bogus- ‘License Order’ confirmation email. Upon clicking on the link, users are exposed to the client-side exploits served by the latest version of the Black Hole Exploit Kit...
    Sample screenshot of the spamvertised email:
    > https://webrootblog.files.wordpress....ts_malware.png
    ... Sample client-side exploit served: CVE-2010-0188
    Malicious domain name reconnaissance:
    fidelocastroo .ru – 209.51.221.247; 203.80.16.81
    Name server: ns1.fidelocastroo .ru – 85.143.166.170
    Name server: ns2.fidelocastroo .ru – 132.248.49.112
    Name server: ns3.fidelocastroo .ru – 84.22.100.108
    Name server: ns4.fidelocastroo .ru – 213.251.171.30 ...
    (Full detail available at the webroot URL above.)
    ___

    5.estasiatica .com / 66.228.57.248
    - http://blog.dynamoo.com/2012/11/5est...622857248.html
    20 Nov 2012 - "It looks like another variant of this* malicious spam run could be brewing on 5.estasiatica .com / 66.228.57.248 (Linode, US). A bit of pre-emptive blocking might be in order..."
    * http://blog.dynamoo.com/2012/11/w-1-...tonericom.html

    Last edited by AplusWebMaster; 2012-11-21 at 16:15.

  6. #66
    Adviser Team AplusWebMaster's Avatar

    Fake Intuit emails || Malware sites to block...

    FYI...

    Fake ‘Payroll Account Cancelled by Intuit’ emails serve client-side exploits and malware
    - http://blog.webroot.com/2012/11/22/c...s-and-malware/
    Nov 22, 2012 - "Cybercriminals have resumed spamvertising the Intuit Direct Deposit Service Informer themed malicious emails, which we intercepted and profiled earlier this month. While using an identical email template, the cybercriminals behind the campaign have introduced new client-side exploits serving domains, which ultimately lead to the latest version of the Black Hole Exploit Kit...
    Sample screenshot of the spamvertised email:
    > https://webrootblog.files.wordpress....malware_01.png
    ... Sample client-side exploits served: CVE-2010-0188
    Malicious domain name reconnaissance:
    cosmic-calls .net – 108.171.243.172, AS40676 – Email: samyidea @aol .com, used to respond to 75.127.15.39
    108.171.243.172 also resolves to lanthaps .com (used to respond to 199.167.31.121) – Email: A1kmmm @ gmail .com
    Name Server: NS1.CHELSEAFUN .NET
    Name Server: NS2.CHELSEAFUN .NET
    ... Upon successful client-side exploitation, the campaign drops MD5: 896bae2880071c3a63d659a157d5c16f * ... Worm:Win32/Cridex.E.
    Upon execution, the sample phones back to hxxp ://203.172.238.18 :8080/DPNilBA/ue1elBAAAA/tlSHAAAAA/ (AS23974, Ministry of Education, Thailand). The following domain has also responded to this IP in the past: phnomrung .com (Name server: ns1 .banbu.ac .th – currently responding to 208.91.197.101)...
    (More detail at the webroot URL above.)
    * https://www.virustotal.com/file/cf4a...871a/analysis/
    File name: 896bae2880071c3a63d659a157d
    Detection ratio: 33/44
    Analysis date: 2012-11-17
    ___

    Malware sites to block 22/11/12
    - http://blog.dynamoo.com/2012/11/malw...ck-221112.html
    22 Nov 2012 - "This is part of a cluster of malware sites being promoted through finance related spam, spotted by GFI Labs here* and on this blog here**.
    * http://gfisoftware.tumblr.com/post/3...e-message-spam
    ** http://blog.dynamoo.com/2012/11/w-1-...tonericom.html
    50.61.155.86 (Fortress ITX,US)
    69.194.196.5 (Solar VPS, US)
    70.42.74.152 (Nuclear Fallout Enterprises, US)
    173.246.103.112 (Gandi, US)
    192.155.83.186 (Linode, US)
    192.155.83.191 (Linode, US)
    198.74.53.207 (Linode, US)
    Plain list of IPs and domains for copy-and-pasting:
    5.estasiatica .com
    5.chinottoneri .com
    6.grapainterfood .com
    6.grapaimport .com
    6.grapafood .com
    6.pascesoir .net
    50.61.155.86
    69.194.196.5
    70.42.74.152
    173.246.103.112
    192.155.83.186
    192.155.83.191
    198.74.53.207
    ..."
    ___

    Facebook SPAM / ceredinopl .ru
    - http://blog.dynamoo.com/2012/11/face...edinoplru.html
    22 Nov 2012 - "This fake Facebook (or is it Habbo?) spam leads to malware on ceredinopl .ru:
    Date: Thu, 22 Nov 2012 01:30:38 -0700
    From: Habbo Hotel [auto-contact @ habbo .com]
    Subject: You have notifications pending
    facebook
    Hi,
    Here's some activity you may have missed on Facebook.
    REFUGIA MERRILL has posted statuses, photos and more on Facebook.
    Go To Facebook
    See All Notifications
    This message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future or have your email address used for friend suggestions, please click: unsubscribe.
    Facebook, Inc. Attention: Department 415 P.O Box 10005 Palo Alto CA 94303


    The malicious payload is at [donotclick]ceredinopl .ru:8080/forum/links/column.php hosted on the following IPs:
    202.180.221.186 (GNet, Mongolia)
    203.80.16.81 (MYREN, Malaysia)
    208.87.243.131 (Psychz Networks, US)
    216.24.196.66 (Psychz Networks, US)
    The following IPs and domains are all connected:
    202.180.221.186
    203.80.16.81
    208.87.243.131
    216.24.196.66

    ceredinopl .ru
    investinindia .ru
    hamasutra .ru
    feronialopam .ru
    monacofrm .ru
    bamanaco .ru
    ionalio .ru
    investomanio .ru
    veneziolo .ru
    fanatiaono .ru
    analunakis .ru ..."

    Last edited by AplusWebMaster; 2012-11-22 at 19:42.
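    The posts above defang their indicators in several inconsistent ways ("hxxp ://", "[donotclick]", "hamasutra .ru", "www(dot)...(dot)com", "user @ host .com", "host :8080"), which is safe for reading but useless for pasting into a blocklist. The following is an added example (not code from the forum or the blogs it quotes) that reverses those conventions and pulls out URLs, IPs, MD5s, e-mail addresses and hostnames, plus the registrable domain of each hostname for posts that list subdomains. The sample text is constructed from indicator lines that appear in the posts above; the TLD allowlist and the two-label "apex" rule are simplifications for this example.

```python
"""Re-fang and extract indicators from threat-intel text as posted in this thread.

Added example, not code from the thread or the quoted blogs. SAMPLE is built
from indicator lines that appear in the posts above; TLDS and apex() are
deliberate simplifications (no public-suffix list).
"""
import re
from urllib.parse import urlsplit

SAMPLE = """
The malicious payload is at [donotclick]ceredinopl .ru:8080/forum/links/column.php hosted on:
202.180.221.186 (GNet, Mongolia)
hxxp ://monacofrm.ru :8080/forum/links/column.php
www(dot)LRblackfridaytoday(dot)com
Upon execution, the sample phones back to hxxp ://203.172.238.18 :8080/DPNilBA/ue1elBAAAA/tlSHAAAAA/
From: J. dee Edwards j.edwards @ jdeeedwards .com
MD5: 896bae2880071c3a63d659a157d5c16f * ... Worm:Win32/Cridex.E
mwko.zsomteltepngs .info
"""

# Constructed allowlist covering the TLDs used in the posts; a real tool would use a public-suffix list.
TLDS = r"(?:ru|com|net|info|org|au|th|ca)"
URL_RE = re.compile(r"https?://[^\s\"'<>)\]]+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
MD5_RE = re.compile(r"\b[0-9a-fA-F]{32}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@(?:[\w-]+\.)+" + TLDS + r"\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+" + TLDS + r"\b", re.IGNORECASE)


def refang(text):
    """Undo the defanging conventions used in the posts, in a fixed order."""
    text = text.replace("[donotclick]", "")
    text = re.sub(r"hxxp(s?)\s*://", r"http\1://", text)                  # hxxp :// -> http://
    text = re.sub(r"\s*\(dot\)\s*", ".", text)                             # a(dot)b -> a.b
    text = re.sub(r"(?<=\w)\s+\.(?=[A-Za-z0-9-]+)", ".", text)             # example .ru -> example.ru
    text = re.sub(r"\s*@\s*", "@", text)                                   # user @ host -> user@host
    text = re.sub(r"(?<=\S)\s+:(?=\d{2,5}/?)", ":", text)                  # host :8080 -> host:8080
    return text


def apex(host):
    """Registrable domain, approximated as the last two labels (simplification)."""
    return ".".join(host.lower().split(".")[-2:])


def extract(text):
    """Return the indicator sets a blocklist needs, keyed by type."""
    text = refang(text)
    urls = set(URL_RE.findall(text))
    hosts = set()
    for u in urls:                       # hostnames embedded in URLs
        h = urlsplit(u).hostname
        if h and not IPV4_RE.fullmatch(h):
            hosts.add(h.lower())
    hosts |= {d.lower() for d in DOMAIN_RE.findall(text)}   # bare hostnames
    return {
        "urls": urls,
        "ips": set(IPV4_RE.findall(text)),
        "md5s": {m.lower() for m in MD5_RE.findall(text)},
        "emails": set(EMAIL_RE.findall(text)),
        "domains": hosts,
        "apex": {apex(h) for h in hosts},
    }


if __name__ == "__main__":
    for kind, values in extract(SAMPLE).items():
        print(kind)
        for v in sorted(values):
            print("   ", v)
```

    The "apex" set is what you want when a post says to block whole domains rather than subdomains (zsomteltepngs.info rather than mwko.zsomteltepngs.info); the "domains" set is the finer list. Because these posts quote hacked-but-legitimate sites next to attacker-registered ones, review the output before it goes into a resolver or proxy denylist rather than pasting it blindly.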

  7. #67
    Adviser Team AplusWebMaster's Avatar

    Fake FDIC, Changelog emails lead to malware

    FYI...

    Malware sites to block 23/11/12
    - http://blog.dynamoo.com/2012/11/malw...ck-231112.html
    23 November 2012 - "This bunch of IPs and domains are being used in a series of fairly well-targeted attacks involving malicious spam messages that look like they come from real financial organisations (such as this one*). The payload is apparently "Ponyloader".
    * http://blog.dynamoo.com/2012/11/w-1-...tonericom.html
    The domains seem to be legitimate but hacked, and in some cases the server infrastructure also looks like it is something legitimate that has been taken over by the bad guys. However, the chances are that you are more likely to see these sites as the result of a malicious spam run rather than anything else, and you should consider blocking them...
    Plain list of IPs for copy-and-pasting:
    50.116.16.118
    64.94.101.200
    69.194.194.216
    70.42.74.152
    94.76.235.199
    173.246.103.59
    173.246.103.112
    173.246.103.124
    173.246.103.184
    173.246.104.21
    174.140.168.143
    198.74.52.86
    209.188.0.118
    ..."
    (More detail at the dynamoo URL above.)
    ___

    Malware sites to (block) 23/11/12 - Part 2
    - http://blog.dynamoo.com/2012/11/malw...12-part-2.html
    23 November 2012 - "Some more bad domains, closely related to this malicious spam run, spotted at the GFI blog*, hosted on 192.155.83.191 (Linode, US)
    * http://gfisoftware.tumblr.com/post/3...e-message-spam
    192.155.83.191
    5.estasiatica .com
    5.finesettimana .com
    5.italycook .com
    5.hdsfm .com
    5.eventiduepuntozero .com
    5.finesettimana .net ..."
    ___

    An Overview of Exploit Packs (kits)...
    - http://contagiodump.blogspot.de/2010...ks-update.html
    "... Updates/new entries for 13 packs have been added (see exploit listing)..."
    CVE's also listed.
    ____

    Bogus Tsunami Warning leads to Arcom RAT
    - http://blog.trendmicro.com/trendlabs...-to-arcom-rat/
    Nov 23, 2012 - "... the website “Hoax Slayer”* pointed us to a spammed email message that warns users of a Tsunami and encourages them to click on a link to watch a video. The article, which the cybercriminals made to look like it came from “news.com.au”, claims that experts have predicted that a Tsunami will hit Australia on New Year’s Eve...
    > http://blog.trendmicro.com/trendlabs...ntent_spam.jpg
    The “watch now” link connects to {BLOCKED}be.us and downloads a file that pretends to be an AVI in a ZIP archive. In actuality, “sunami_australian_agency_of_volcanology_and_seismology.avi.pif” is a malicious file which Trend Micro detects as BKDR_DOKSTORMC.A... It remains unclear who is behind the attack and what the motivation may be... The malware is a Remote Access Trojan (RAT), known as Arcom RAT, and it is sold on underground forums for $2000.00... There are also free cracked versions available for download from a variety of sources. Arcom RAT was reportedly authored by “princeali” who has been actively coding RATs and malware for about a decade. The alias “princeali” is connected to a group known as NuclearWinterCrew which created the infamous NuclearRAT..."
    * http://www.hoax-slayer.com/tsunami-w...-malware.shtml
    Nov 19, 2012
    ___

    Bogus Prize Offers on Facebook - 'Like and Share To Win'
    - http://www.hoax-slayer.com/facebook-share-win.shtml
    Nov 22, 2012 - "Outline: Various messages distributed on Facebook claim that users can win expensive prizes such as Apple products or designer headphones just by liking and sharing a Facebook Page.
    Analysis: A great many of these supposed prize offers are totally bogus. The "promotions" are created primarily to artificially inflate the number of "likes" gained by the offending Facebook Page and to promote the page further by way of shared posts and images. Those who participate will -never- receive the promised prize. In some cases, the perpetrators of these fake promotions may also try to trick people into divulging their personal information... don't give these unscrupulous people what they want! Don't "like" their bogus Pages. Don't be tricked into spamming your friends with their fake promotions by sharing their pictures. Do not send your personal information to these people in the vain hope of winning a prize. Before entering any type of promotion or prize draw always take a closer look. If it seems suspect or dodgy, give it a miss."
    ___

    Some evil on 5.135.192.16/30
    - http://blog.dynamoo.com/2012/11/some...351921630.html
    23 Nov 2012 - "It looks like there are a set of exploit sites in the range 5.135.192.16/30 serving up TrueType exploits (such as CVE-2011-3402) which is being pushed by a malicious URL at [donotclick]mwko.zsomteltepngs .info/40c0dee71a9b9d715539b7d56c3d5f23.eot . The potentially malicious sites in this range include:
    10bloodek.info
    1bloodek .info
    5helnima .net
    anotepad .info
    asomteltepngs .info
    jhqp.bcodec .info
    ksmuaelteory .net
    mwko.zsomteltepngs .info
    osmuaelteory .net
    psmuaelteory .net
    qfgc.hlegolaj .net
    qsomteltepngs .info
    rsomelostell .net
    shelnima .net
    whelnima .net
    xsomteltepngs .info
    ysomteltepngs .info
    zbav.hsomteltepngs .info
    If you're interested in blocking whole domains rather than subdomains then here's a list you can use:
    10bloodek .info
    1bloodek .info
    5helnima .net
    anotepad .info
    asomteltepngs .info
    bcodec .info
    hlegolaj .net
    hsomteltepngs .info
    ksmuaelteory.net
    osmuaelteory .net
    psmuaelteory .net
    qsomteltepngs .info
    rsomelostell .net
    shelnima .net
    whelnima .net
    xsomteltepngs .info
    ysomteltepngs .info
    zsomteltepngs .info ..."

    > https://www.google.com/safebrowsing/...?site=AS:16276
    "... over the past 90 days, 5626 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2012-11-24, and the last time suspicious content was found was on 2012-11-24... we found 856 site(s) on this network... that appeared to function as intermediaries for the infection of 6279 other site(s)... this network has hosted sites that have distributed malicious software in the past 90 days. We found 1369 site(s)... that infected 21258 other site(s)..."
    ___

    Fake "Changlog 10.2011" SPAM / efaxinok .ru
    - http://blog.dynamoo.com/2012/11/chan...faxinokru.html
    23 Nov 2012 - "This spam leads to malware on efaxinok .ru:
    Date: Fri, 23 Nov 2012 10:14:22 +0600
    From: "Contact" [customer-notification @ ups .com]
    Subject: Re: Changlog 10.2011
    Attachments: changelog-212.htm
    Good morning,
    as promised changelog (Internet Explorer File)


    The victim is enticed to click on the attachment which leads to a malicious payload on [donotclick]efaxinok .ru:8080/forum/links/column.php hosted on the following IPs:
    202.180.221.186
    203.80.16.81
    208.87.243.131
    216.24.196.66

    These are the same IPs as used in this attack yesterday*, and it forms part of a long-running malicious spam run which appears to have been going on forever. Of note, there's a new domain in this cluster of delemiator .ru which I haven't seen yet being used in a malicious spam run, but it probably will be.
    * http://blog.dynamoo.com/2012/11/face...edinoplru.html
    ___

    Fake FDIC ‘Your activity is discontinued’ emails serve client-side exploits and malware
    - http://blog.webroot.com/2012/11/23/c...s-and-malware/
    Nov 23, 2012 - "A currently ongoing spam campaign attempts to trick users into thinking that their ability to send Domestic Wire Transfers has been disabled. Impersonating the Federal Deposit Insurance Corporation (FDIC), the cybercriminals behind the campaign are potentially earning thousands of dollars in the process of monetizing the anticipated traffic. Once users click on the bogus ‘secure download link’, they’re automatically exposed to the client-side exploits served by the BlackHole Exploit Kit...
    Sample screenshot of the spamvertised email:
    > https://webrootblog.files.wordpress....ts_malware.png
    ... Client-side exploits served: CVE-2010-0188
    Malicious domain name reconnaissance:
    stifferreminders .pro – 198.27.94.80 (AS16276) – Email: kee_mckibben0869 @macfreak .com
    Name Server:NS1.CHELSEAFUN .NET
    Name Server:NS2.CHELSEAFUN .NET
    These are well known name servers currently in use by the same cybercriminals that launched the following malicious campaigns – “‘Your Discover Card Services Blockaded’ themed emails serve client-side exploits and malware”; “‘Payroll Account Holded by Intuit’ themed emails lead to Black Hole Exploit Kit”; “‘PayPal Account Modified’ themed emails lead to Black Hole Exploit Kit”; “Cybercriminals resume spamvertising ‘Payroll Account Cancelled by Intuit’ themed emails, serve client-side exploits and malware”.
    The following malicious domains also respond to the same IP:
    headerandfooterprebuilt .pro
    fixedmib .net
    stafffire .net ...
    Upon successful client-side exploitation, the campaign drops MD5: 61bc6ad497c97c44b30dd4e5b3b02132 * ... UDS:DangerousObject.Multi.Generic.
    Once executed, the sample phones back to hxxp ://182.237.17.180 :8080/DPNilBA/ue1elBAAAA/tlSHAAAAA/.."
    * https://www.virustotal.com/file/5de7...fa98/analysis/
    File name: test45286142972065.bin
    Detection ratio: 2/43
    Analysis date: 2012-11-21

    Last edited by AplusWebMaster; 2012-11-24 at 15:19.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .
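The two lists in the Dynamoo post above (exploit hostnames first, then the parent domains to block) are the kind of thing worth automating, because the post defangs its indicators with a space before the TLD, a [donotclick] prefix on URLs and "hxxp" for "http". The following is an added example, not code from the forum post or from Dynamoo: it refangs indicators written in those forms, reduces each hostname to its registrable domain and emits dnsmasq address= rules, which match a domain and all of its subdomains. The sample indicators are copied from the post; the hand-written set of multi-label public suffixes is an assumption, and production tooling should load the full Public Suffix List instead.

```python
import re

# Sample indicators copied from the Dynamoo post above, in the defanged form the
# post uses (a space before the TLD, "[donotclick]" on URLs, "hxxp" for "http").
DEFANGED_INDICATORS = [
    "10bloodek.info",
    "1bloodek .info",
    "jhqp.bcodec .info",
    "mwko.zsomteltepngs .info",
    "qfgc.hlegolaj .net",
    "zbav.hsomteltepngs .info",
    "xsomteltepngs .info",
    "[donotclick]mwko.zsomteltepngs .info/40c0dee71a9b9d715539b7d56c3d5f23.eot",
]

# Assumption: a tiny stand-in for the Public Suffix List. Enough for the
# .info/.net/.ru hosts on the page; real tooling should load the full list so
# that e.g. "evil.co.uk" is not collapsed to "co.uk".
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp", "com.br"}

_IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def refang(indicator: str) -> str:
    """Undo the defanging conventions used in the posts so the string parses again."""
    s = indicator.strip().lower()
    s = re.sub(r"^\[donotclick\]", "", s)
    s = s.replace("hxxp", "http")
    s = s.replace("[.]", ".").replace("(.)", ".")
    s = re.sub(r"\s*://", "://", s)          # "hxxp ://"      -> "http://"
    s = re.sub(r"\s*\.\s*", ".", s)          # "bcodec .info"  -> "bcodec.info"
    s = re.sub(r"\s*:(\d+)", r":\1", s)      # "180 :8080"     -> "180:8080"
    return s


def hostname_of(indicator: str) -> str:
    """Bare hostname (or IP literal) from a defanged host, host:port or URL."""
    s = refang(indicator)
    s = re.sub(r"^[a-z]+://", "", s)         # drop scheme
    s = s.split("/", 1)[0]                   # drop path and query
    s = s.split(":", 1)[0]                   # drop port
    return s.strip(".")


def registrable_domain(host: str) -> str:
    """Collapse a hostname to the domain that would be blocked 'whole'."""
    labels = host.split(".")
    if len(labels) <= 2:
        return host
    if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def whole_domain_blocklist(indicators) -> list:
    """Unique, sorted parent domains; IP literals are left for firewall rules."""
    domains = set()
    for ind in indicators:
        host = hostname_of(ind)
        if not host or _IPV4_RE.match(host):
            continue
        domains.add(registrable_domain(host))
    return sorted(domains)


def dnsmasq_rules(domains) -> list:
    # dnsmasq's address=/domain/ip form matches the domain and every subdomain,
    # so one rule per parent domain covers the rotating hostnames.
    return [f"address=/{d}/0.0.0.0" for d in domains]


if __name__ == "__main__":
    for rule in dnsmasq_rules(whole_domain_blocklist(DEFANGED_INDICATORS)):
        print(rule)
```

Blocking at the registrable domain is what the second list in the post does by hand; the trade-off is that a compromised legitimate site (such as the hacked domain in the FedEx spam further down this page) should not be collapsed that way, so review the output before deploying it.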

  8. #68

    Phishing SCAM asks for TAN list photo

    FYI...

    Phishing SCAM asks for TAN list photo
    - http://h-online.com/-1757018
    26 Nov 2012 - "A new phishing email circulating in Germany is asking customers of the country's largest banking establishment, Deutsche Bank, to upload photographs or scans of their bank-issued TAN (Transaction Authentication Number) list to a maliciously fabricated web site. TANs are used by many banks in Germany to authenticate transactions during online banking sessions. The customer receives a printed list of TANs, essentially one-time passwords, via mail and has to use a randomly selected number from the list each time they want to send money or approve other transactions. The phishing email directs users to a deceptive web page where the scammers claim that the upload of the TAN list is needed as Deutsche Bank supposedly changes their iTAN technology for a mobile TAN (mTAN) system on 1 January 2013... The short time frame is apparently designed to increase the pressure on the victims of the phishing emails. The H's associates at heise online received copies of similar emails that were apparently asking for the information to be uploaded by the next day or the customer's account would be disabled... The web sites are a professional reproduction of Deutsche Bank's actual online banking interface..."
    ___

    - https://isc.sans.edu/diary.html?storyid=14578
    Last Updated: 2012-11-27

    >> http://www.antiphishing.org/resources/apwg-reports/

    Last edited by AplusWebMaster; 2012-11-27 at 16:38.

  9. #69

    Bogus Facebook SPAM and more...

    FYI...

    Bogus Facebook ‘pending notifications’ emails serve client-side exploits and malware
    - http://blog.webroot.com/2012/11/27/b...s-and-malware/
    27 Nov 2012 - "A recently launched malicious spam campaign is impersonating Facebook, Inc. in an attempt to trick its one billion users into thinking that they’ve received a notification alerting them on activities they may have missed on Facebook. Upon clicking on any of the links found in the email, users are exposed to the client-side exploits served by the BlackHole Exploit Kit...
    Sample screenshot of the spamvertised email:
    > https://webrootblog.files.wordpress....s_malware1.png
    ... Malicious payload serving URL: hxxp ://ceredinopl .ru:8080/forum/links/column.php?cfcjm=xbc229&fnhcuc=njx&svdp=2v:1k:1m:32:33:1k:1k:31:1j:1o&xdva=
    Sample client-side exploits served: CVE-2010-0188
    Malicious domain name reconnaissance:
    ceredinopl .ru – 203.80.16.81 (AS24514); 208.87.243.131; 216.24.196.66 (AS40676); 202.180.221.186 (AS24496)...
    Upon successful client-side exploitation the campaign drops MD5: 9db13467c50ef248eaf6c796dffdd19c * ...PWS-Zbot.gen.aqw.
    Responding to the same IPs – 203.80.16.81 (AS24514); 208.87.243.131; 216.24.196.66 (AS40676); 202.180.221.186 (AS24496)...
    If users feel they received a bogus email that may not be coming from Facebook, they can alert Facebook by forwarding the message to phish@fb.com . In addition, users can check to see if their account has been compromised by visiting https://www.facebook.com/hacked ..."
    (More detail at the webroot URL above.)
    * https://www.virustotal.com/file/1748...290d/analysis/
    File name: 413823066bcca9a7b298015fcba37b74a94d1950
    Detection ratio: 28/43
    Analysis date: 2012-11-25
    ___

    Fake Browser Updates - Malicious Ads...
    - http://blog.trendmicro.com/trendlabs...owser-updates/
    Nov 26, 2012 - "Thinking of updating your web browsers? Just make sure that you download from legitimate sources, instead of downloading malware disguised as browser updates onto your system. Just recently, we were alerted to a report* of several websites offering updates for Internet browsers like Firefox, Chrome, and Internet Explorer just to name some. Users may encounter these pages by clicking malicious ads. The bad guys behind this threat made an effort to make this ruse appear legitimate. These pages, as seen below, were made to look like the browsers’ official sites. To further convince users to download the fake update, the sites even offer integrated antivirus protection:
    > http://blog.trendmicro.com/trendlabs...e_browsers.gif
    Instead of an update, users download a malware detected as JS_DLOADR.AET, which was found capable of changing the downloaded binary to have a different payload. The malicious JavaScript, in turn, downloads TROJ_STARTPA.AET and saves it as hxxp ://{BLOCKED}browserupdate/install.exe. Based on our initial analysis, the Trojan modifies the user’s Internet Explorer home page to hxxp ://{BLOCKED}rtpage .com, a site that may host other malicious files that can further infect a user’s system... To avoid this ruse, users must exclusively download updates from a legitimate source or the software vendor’s official websites. Many browsers also include an integrated auto-update feature..."
    * http://stopmalvertising.com/malverti...h-malware.html
    securebrowserupdate .com = malvertisement...
    23 Nov 2012 - "... Internet users are told that their current browser version is out of date and they are invited to install the latest update. Victims are redirected to securebrowserupdate .com via a malvertisement. The domain securebrowserupdate .com has been registered on the 16th November 2012 via name .com. The registrant details are protected by a privacy service..."
    ___

    Bogus ‘Pay by Phone Parking Receipts’ serve malware
    - http://blog.webroot.com/2012/11/27/c...serve-malware/
    Nov 27, 2012 - "U.K users, beware! Cybercriminals are currently mass mailing yet another malicious spam campaign, enticing users into viewing a -bogus- list of parking transactions. Upon executing the malicious attachment, the malware opens a backdoor on the affected host, allowing the cybercriminals behind the campaign complete access to the host...
    Sample screenshot of the spamvertised email:
    > https://webrootblog.files.wordpress....am_malware.png
    Sample detection rate for the malicious attachment: MD5: fbde5bcb8e3521149d2f83888e1716c4 * ... Worm:Win32/Gamarue.I**
    * https://www.virustotal.com/file/2e8f...is/1353772427/
    File name: Pay_by_Phone_Parking_Receipt.pdf.exe
    Detection ratio: 38/44
    Analysis date: 2012-11-24

    ** https://www.microsoft.com/security/p...32%2FGamarue.I
    ___

    Fake Multiple ‘Inter-company’ invoice emails serve malware and client-side exploits
    - http://blog.webroot.com/2012/11/27/m...side-exploits/
    27 Nov 2012 - "... cybercriminals have been persistently spamvertising ‘Inter-company invoice’ themed emails, in an attempt to trick users into viewing the malicious .html attachment, or unpack and execute the malicious binary found in the attached archives. Upon clicking on the link, users are exposed to the client-side exploits served by the latest version of the BlackHole Exploit Kit...
    Sample screenshot of the spamvertised email:
    > https://webrootblog.files.wordpress....ts_malware.png
    ... Sample client-side exploits served: CVE-2010-0188
    Malicious domain name reconnaissance:
    controlleramo .ru
    Name server: ns1.controlleramo .ru – 62.76.186.190
    Name server: ns2.controlleramo .ru – 132.248.49.112
    Name server: ns3.controlleramo .ru – 84.22.100.108
    Name server: ns4.controlleramo .ru – 65.99.223.24 ...
    Upon successful client-side exploitation the campaign drops MD5: de48416449621ecd62b116cc41aa5bcc * ... Worm:Win32/Cridex.E...
    The second sample obtained from yet another spamvertised archive with MD5: 3a8ce3d72b60b105783d74dbc65c37a6 ** ... Worm:Win32/Cridex.E. Upon execution it phones back to the following URL: 188.40.0.138 :8080/AJtw/UCyqrDAA/Ud+asDAA (AS24940, HETZNER-AS)..."
    * https://www.virustotal.com/file/cac2...bf6a/analysis/
    File name: de48416449621ecd62b116cc41aa5bcc
    Detection ratio: 30/44
    Analysis date: 2012-11-11
    ** https://www.virustotal.com/file/245d...is/1353769289/
    File name: Invoices_12_N88283.exe
    Detection ratio: 37/44
    Analysis date: 2012-11-24
    ___

    "Copies of Policies" spam / ganiopatia .ru
    - http://blog.dynamoo.com/2012/11/copi...iopatiaru.html
    27 Nov 2012 - "This spam leads to malware on ganiopatia .ru:
    Date: Mon, 26 Nov 2012 02:31:10 -0500
    From: sales1 @ victimdomain .com
    Subject: RE: ALINA - Copies of Policies.
    Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.
    Here is the Package and Umbrella,
    and a copy of the most recent schedule.
    ALINA Prater,
    ==========
    Date: Mon, 26 Nov 2012 02:26:33 +0300
    From: ALISHIADBSukwQEf @aol .com
    Subject: RE: ALISHIA - Copies of Policies.
    Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.
    Here is the Package and Umbrella,
    and a copy of the most recent schedule.
    ALISHIA Gee,
    ==========
    From: accounting @ victimdomain .com
    Sent: 26 November 2012 08:42
    Subject: RE: MARCELLE - Copies of Policies.
    Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.
    Here is the Package and Umbrella,
    and a copy of the most recent schedule.
    MARCELLE SPENCE,
    ==========
    From: accounting @ victimdomain .com
    Sent: 26 November 2012 07:54
    Subject: RE: KASSIE - Copies of Policies.
    Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.
    Here is the Package and Umbrella,
    and a copy of the most recent schedule.
    KASSIE ROMANO,


    The malicious payload is at [donotclick]ganiopatia .ru:8080/forum/links/column.php hosted on the following IPs:
    202.180.221.186 (GNet, Mongolia)
    203.80.16.81 (MYREN, Malaysia)
    208.87.243.131 (Psychz Networks, US)
    Note that ganalionomka .ru is also on the same cluster of servers and will also be malicious. These IP addresses have been used for malware several times, blocking access to them would be a good idea."
    ___

    BeyondTek IT / beyondtekit .com SPAM
    - http://blog.dynamoo.com/2012/11/beyo...nd-tek-it.html
    27 Nov 2012 - "Here's an annoying spammer.. but who are they exactly?
    From: Nick Snow ---- BeyondTekIT Nick @ beyondtekit .com
    Date: 27 November 2012 10:24
    Subject: Your IT Jobs - HR
    Hello:
    The IT market is extremely HOT right now and there is no doubt that, there is a severe shortage of qualified, experienced IT candidates and an over-abundance of IT jobs being advertised by companies all over the country. It seems, most qualified candidates are in such high demand that they are getting multiple offers, which is making it difficult for companies to fill certain positions.
    That being said please let me know if you currently have any hard-to-fill IT positions at that we could provide candidates for. We can assist with contract, contract-to-hire/temp-to-perm, or permanent positions.
    We have candidates available across all technologies and skill-sets, including (this is only a partial list):
    Programmers/Developers - Java, C++, .Net, Ruby, Web, Perl, Python, PHP, ColdFusion, etc
    Systems Analysts / Business Analysts
    QA Engineers/Analysts/Testers
    DBA's - SQL Server, Oracle, MySQL, etc
    SAP Consultants - Technical, Functional, Techno-Functional, Analysts, Developers
    Oracle Consultants - Technical, Functional, Techno-Functional, Analysts, Developers
    Data Warehouse/Business Intelligence Developers/Engineers - ETL, SSIS, SSAS, SSRS, Cognos, etc
    Project Managers
    Systems Administrators - Linux, Window, etc
    Executive - CIO, CTO, VP of IT, etc
    PS - We have just started offering our clients a business model of hiring off-site developers, who can be your employees but working from our office in India. Please ask me for more details, and I can send you our PowerPoint presentation.
    Thank you.
    Nick Snow
    BeyondTek IT
    Tel: 714-572-1544
    nick @ beyondtekit .com
    www .BeyondTekIT .com


    The spam (and it is spam) originates from a server on 216.14.62.75 (Telepacific Communications, Los Angeles) which also hosts the beyondtekit .com and beyondtechit .com domains...
    I personally wouldn't recommend giving any personal details to spammers, and I certainly wouldn't recommend giving details to a company that seems to spend some effort to conceal who they really are. But, bear in mind that there are no anti-spam laws in India which explains the high level of Indian spam messages (think SEO spam)..."

    Last edited by AplusWebMaster; 2012-11-27 at 22:35.

  10. #70

    Fake Wire transfer / FedEx SPAM ...

    FYI...

    Wire transfer SPAM / gurmanikia .ru
    - http://blog.dynamoo.com/2012/11/wire...manikiaru.html
    27 Nov 2012 - "This fake wire transfer spam leads to malware on gurmanikia.ru:
    Date: Tue, 27 Nov 2012 01:14:15 -0500
    From: Emerita Ayers via LinkedIn [member @ linkedin .com]
    Subject: RE: Your Wire Transfer N27172774
    Dear Customers,
    Wire debit transfer was canceled.
    Canceled transfer:
    FED NUMBER: 6946432301WIRE298280
    Transaction Report: View
    Federal Reserve Wire Network


    The malicious payload is at [donotclick]gurmanikia .ru:8080/forum/links/column.php hosted on the following well-known malicious IPs:
    202.180.221.186 (GNet, Mongolia)
    203.80.16.81 (MYREN, Malaysia)
    208.87.243.131 (Psychz Networks, US)..."
    ___

    FedEx SPAM / PostalReceipt .zip
    - http://blog.dynamoo.com/2012/11/fede...eceiptzip.html
    27 Nov 2012 - "A slightly new take on the malicious FedEx spam we've seen recently. This time, the link in the email goes to a hacked domain to download an attachment called PostalReceipt.zip
    Date: Tue, 27 Nov 2012 13:04:37 -0400
    From: "Office Mail" [no_replyFRL @ cleveland .com]
    Subject: ID (I)JI74 384 428 2295 7492
    FedEx
    Order: AX-7608-99659670234
    Order Date: Sunday, 25 November 2012, 10:35 AM
    Dear Customer,
    Your parcel has arrived at the post office at November 27.Our postrider was unable to deliver the parcel to you.
    To receive a parcel, please, go to the nearest our office and show this postal receipt.
    GET POSTAL RECEIPT
    Best Regards, The FedEx Team.
    FedEx 1995-2012


    In this case the download site was [donotclick]amsterdam.cathedralsoft .com/TFOIATVZVT.html hosted on 46.105.140.157 (OVH, Spain). www .cathedralsoft .com is hosted on 94.23.187.176 (also OVH, Spain). It looks like cathedralsoft .com has been compromised in this attack.
    VirusTotal detection rates are very low*. I don't currently have an analysis of the malicious payload."
    * https://www.virustotal.com/file/f0b2...is/1354056475/
    File name: PostalReceipt.exe
    Detection ratio: 1/44
    Analysis date: 2012-11-27

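Several of the campaigns quoted in this and the preceding posts share infrastructure: the same handful of IPs behind the BlackHole landing pages (202.180.221.186, 203.80.16.81, 208.87.243.131, 216.24.196.66), the same /forum/links/column.php path on port 8080 behind rotating .ru domains (efaxinok, ceredinopl, ganiopatia, gurmanikia), bot check-ins to hard-coded IPs on :8080 (182.237.17.180, 188.40.0.138), and attachments with a double extension such as .pdf.exe and .avi.pif. The following is an added example, not code from any of the quoted sources: a small proxy-log checker that turns those three observations into detection rules. The log format and the log lines are constructed for the example (timestamp, client, method, URL, status); the indicators are the ones reported in the posts.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Indicators reported across the posts above (refanged here).
KNOWN_BAD_IPS = {
    "202.180.221.186", "203.80.16.81", "208.87.243.131", "216.24.196.66",  # BlackHole landing hosts
    "182.237.17.180", "188.40.0.138",                                       # trojan check-in hosts
}
# Landing-page path shared by the .ru BlackHole domains in the posts; every
# sighting on the page used port 8080, so the rule requires both.
BLACKHOLE_PATH_RE = re.compile(r"/forum/links/column\.php$")
# Filenames that pretend to be a document or media file but end in an
# executable extension, e.g. "Pay_by_Phone_Parking_Receipt.pdf.exe".
DOUBLE_EXT_RE = re.compile(
    r"\.(pdf|doc|docx|xls|xlsx|avi|jpg|jpeg|png|htm|html|zip)"
    r"\.(exe|pif|scr|com|bat|cmd|js|vbs)$",
    re.IGNORECASE,
)

# Constructed sample proxy log, not a real capture. Lines 1, 5 and 7 are
# benign controls (7 has the landing path but not the port); the rest trip
# exactly one rule each.
SAMPLE_LOG = """\
2012-11-27T10:14:22Z 10.0.0.15 GET http://www.example.com/index.html 200
2012-11-27T10:14:40Z 10.0.0.15 GET http://efaxinok.ru:8080/forum/links/column.php 200
2012-11-27T10:15:01Z 10.0.0.22 GET http://ceredinopl.ru:8080/forum/links/column.php?cfcjm=xbc229&fnhcuc=njx 200
2012-11-27T10:15:09Z 10.0.0.22 POST http://182.237.17.180:8080/DPNilBA/ue1elBAAAA/tlSHAAAAA/ 200
2012-11-27T10:16:30Z 10.0.0.31 GET http://amsterdam.cathedralsoft.com/PostalReceipt.zip 200
2012-11-27T10:16:31Z 10.0.0.31 GET http://amsterdam.cathedralsoft.com/Pay_by_Phone_Parking_Receipt.pdf.exe 200
2012-11-27T10:17:00Z 10.0.0.40 GET http://intranet.example.com/forum/links/column.php 200
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


@dataclass
class Alert:
    line_no: int
    reason: str
    evidence: str


def check_url(url: str) -> list[str]:
    """Return the reasons (possibly none) a requested URL matches these campaigns."""
    if "://" not in url:
        url = "http://" + url          # check-in URLs are often logged without a scheme
    parts = urlsplit(url)
    host, port, path = parts.hostname or "", parts.port, parts.path
    reasons = []
    if host in KNOWN_BAD_IPS:
        reasons.append(f"known malicious IP {host}")
    if port == 8080 and BLACKHOLE_PATH_RE.search(path):
        reasons.append("BlackHole landing path on :8080")
    filename = path.rsplit("/", 1)[-1]
    if DOUBLE_EXT_RE.search(filename):
        reasons.append(f"double-extension executable {filename}")
    return reasons


def scan_log(text: str) -> list[Alert]:
    """Apply check_url to every parseable line; unparseable lines are skipped, not fatal."""
    alerts = []
    for n, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        for reason in check_url(m["url"]):
            alerts.append(Alert(n, reason, f"{m['client']} -> {m['url']}"))
    return alerts


if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f"line {a.line_no}: {a.reason} ({a.evidence})")
```

The IP match is the durable part: the posts show the .ru landing domains changing almost daily while the four hosting IPs stay put, so the IP set is the indicator to keep current, and the path and port are what catches the next domain before it is reported.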
