FYI...
Fake 'Shareholder alert' SPAM – PDF malware
- http://myonlinesecurity.co.uk/shareh...e-pdf-malware/
22 Jun 2015 - "'Shareholder alert' coming from random names and email addresses with a zip attachment is another one from the current bot runs... The email looks like:
Hope this e-mail finds You well. Please note that in 2015 no dividends will be paid due to
resolution of the Board of Directors. Please see attached. Glen McCoy, Partner
22 June 2015: instructions.zip size=21120.zip : Extracts to: instructions_document.exe
Current Virus total detections: 1/57*. This is another one of the spoofed icon files that unless you have "show known file extensions" enabled, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en-gb/fil...is/1434971131/
... Behavioural information
TCP connections
64.182.208.183: https://www.virustotal.com/en-gb/ip-...3/information/
93.93.194.202: https://www.virustotal.com/en-gb/ip-...2/information/
109.86.226.85: https://www.virustotal.com/en-gb/ip-...5/information/
88.221.15.80: https://www.virustotal.com/en-gb/ip-...0/information/
- http://blog.dynamoo.com/2015/06/malw...der-alert.html
22 June 2015
"... Recommended blocklist:
64.111.36.35
93.93.194.202 "
___
Fake 'Tax inspection notification' SPAM - malicious payload
- http://blog.dynamoo.com/2015/06/malw...nspection.html
22 June 2015 - "This -fake- tax notification comes with a malicious payload.
Date: 22 June 2015 at 19:10
Subject: Tax inspection notification
Good day!
Trust this e-mail finds You well.
Please be notified that next week the revenue service is going to organize tax inspections.
That is why we highly recommend You to file the attached form in order to be prepared.
Inspectors are to determine whether You as a taxpayer have settled the correct amount of taxes.
According to our records, the inspectors license No. is 090-96919-5886-935. Please check as it is an important procedure rule.
We may discuss all the related matters by phone: +1 998-497-85. Feel free to contact us.
Bruce Climt,
Tax Advisor
Attached is a file with a malformed ZIP filename of tax_663-20845-0479-435.zip size=18288.zipsize=18288 which contains a malicious executable info_bank_pdf.exe which has a VirusTotal detection rate of 4/57*... Malwr analysis indicates a traffic pattern consistent with the Upatre downloader:
http ://93.93.194.202 :13234/203/HOME/0/51-SP3/0/ELHBEDIBEHGBEHK
http ://93.93.194.202 :13234/203/HOME/41/5/4/ELHBEDIBEHGBEHK
That IP address is the same as seen in this attack earlier today[1] and it belongs to Orion Telekom in Serbia. This VirusTotal report*** also shows traffic to 178.214.221.89 (Optical Systems LLC, Ukraine), and this Hybrid Analysis report[2] also shows traffic to 37.57.144.177 (Triolan, Ukraine). Furthermore, this other Malwr report shows two dropped executables, karetfob.exe [VT 4/57***] and sveezback.exe [VT 15/57****]. The dropped payload will be the Dyre banking trojan.
Recommended blocklist:
93.93.194.202
178.214.221.89
37.57.144.177 "
* https://www.virustotal.com/en/file/9...2f40/analysis/
** https://www.virustotal.com/en/file/9...2f40/analysis/
*** https://www.virustotal.com/en/file/5...is/1434994679/
**** https://www.virustotal.com/en/file/1...is/1434994696/
[1] http://blog.dynamoo.com/2015/06/malw...der-alert.html
[2] https://www.hybrid-analysis.com/samp...nvironmentId=1
___
'Password recovery' SCAM hitting Gmail, Outlook and Yahoo Mail users
- http://net-security.org/secworld.php?id=18537
22 June 2015 - "A simple yet ingenious scam is being used by scammers to compromise accounts of Gmail, Outlook and Yahoo Mail users, Symantec researcher Slawomir Grzonkowski warns*. 'To pull off the attack, the bad guys need to know the target’s email address and mobile number; however, these can be obtained without much effort... The attackers make use of the password recovery feature offered by many email providers, which helps users who have forgotten their passwords gain access to their accounts by, among other options, having a verification code sent to their -mobile- phone.' Once the verification code is sent to the legitimate user's mobile phone, it's followed by a message by the scammer, saying something like: 'Google has detected unusual activity on your account. Please respond with the code sent to your mobile device to stop unauthorized activity.' The victim sends the verification code to the scammers, and they use it to access the email account.
Occasionally, the code is sent too late and doesn't work anymore, so the scammers -reiterate- the need for the code to be sent in. When they finally get access to the email account, they don't shut the real owner out. Instead, they usually add an -alternate- email to the account and set it up so that copies of all messages are forwarded to it. Then they change the password, and send it to victim via SMS ('Thank you for verifying your Google account. Your temporary password is [TEMPORARY PASSWORD]') in order to complete the illusion of legitimacy. 'The cybercriminals carrying out these attacks do not seem to be focused on financial gain such as stealing credit card numbers. They appear to be looking to gather information about their targets and are not targeting users en masse, instead going for specific individuals. The way they operate is similar to the methods used by APT groups'... It's likely that they use those email accounts to gain access to other online accounts tied to them. Users are advised to be suspicious of SMS messages asking about verification codes, especially if they did -not- request one, and check their authenticity directly with their email provider."
* https://www.youtube.com/watch?v=_dj_...ature=youtu.be
Video 2:17