Fake 'suspicious account activity', 'Please Find Attached', 'Air France' SPAM
FYI...
Fake 'suspicious account activity' SPAM – doc malware
- http://myonlinesecurity.co.uk/import...d-doc-malware/
28 July 2015 - "'Important Notice: Detecting suspicious account activity' pretending to come from 'Service Center' with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
Subject: Important Notice: Detecting suspicious account activity
Date: Mon, 27 Jul 2015 22:51:16 +0000 (GMT)
From: Service Center <redacted >
Detecting suspicious account activity
<https ://dl.dropboxusercontent .com/s/dr20sz06iuluwtv/Email%20activity.doc?dl=0>
The attachment contain steps to secured your account. If you are viewing
this email on a mobile phone or tablets, please save the document first
and then open it on your PC.
Click Here to download attachment.
<https ://dl.dropboxusercontent .com/s/dr20sz06iuluwtv/Email%20activity.doc?dl=0>
Thanks,
Account Service
If you are unwise enough to follow the links then you will end up with a word doc looking like:
> http://myonlinesecurity.co.uk/wp-con...tivity_doc.png
DO -NOT- follow their advice/instructions or suggestions to enable content, that will activate the malicious macro inside the document and download and automatically run a file named Account Details.exe which has an icon of an Excel spreadsheet to fool you into thinking it is innocent and infect you.
28 July 2015 : Email activity.doc Current Virus total detections: 21/55*
... Downloads https ://onedrive.live .com/download?resid=9AC15691E4E70C4D!123&authkey=!AL1jJDlqNUg-vAM&ithint=file%2cexe (VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/a...is/1438037595/
** https://www.virustotal.com/en/file/f...is/1438062482/
___
Fake 'Please Find Attached' SPAM – doc malware
- http://myonlinesecurity.co.uk/please...d-doc-malware/
28 July 2015 - "'Please Find Attached – Report form London Heart Centre' pretending to come from lhc.reception@ heart. org.uk with a malicious word doc attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-con...art-Centre.png
28 July 2015: calaidzis, hermione.docm - Current Virus total detections: 9/55*
... Downloads what looks like Dridex banking malware from http ://chloedesign .fr/345/wrw.exe (VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/1...is/1438067899/
** https://www.virustotal.com/en/file/9...is/1438068193/
... Behavioural information
TCP connections
93.171.132.5: https://www.virustotal.com/en/ip-add...5/information/
2.18.213.25: https://www.virustotal.com/en/ip-add...5/information/
chloedesign .fr: 85.236.156.24: https://www.virustotal.com/en/ip-add...4/information/
___
Fake 'Air France' SPAM – doc/xls malware
- http://myonlinesecurity.co.uk/your-a...sheet-malware/
28 June 2015 - "'Your Air France boarding documents on 10Jul pretending to come from Air France <cartedembarquement@ airfrance .fr> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-con...s-on-10Jul.png
28 July 2015: Boarding-documents.docm - Current Virus total detections: 9/55*
... which downloads Dridex banking malware from http ://laperleblanche .fr/345/wrw.exe which is the -same- malware as in today’s earlier malspam run using malicious word docs with macros**... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/b...is/1438071620/
** http://myonlinesecurity.co.uk/please...d-doc-malware/
laperleblanche .fr: 94.23.1.145: https://www.virustotal.com/en/ip-add...5/information/
- http://blog.dynamoo.com/2015/07/malw...-boarding.html
28 June 2015 - "... -same- exact payload as this earlier attack* today..."
* http://blog.dynamoo.com/2015/07/malw...-attached.html
"... phones home to:
93.171.132.5 (PE Kartashev Anton Evgen'evich, Ukraine)
I recommend that you -block- that IP. The malware is the Dridex banking trojan..."
___
Fake 'Invoice notice' SPAM - doc malware
- http://myonlinesecurity.co.uk/invoic...d-doc-malware/
28 July 2015 - "A series of emails with subjects of: 'Invoice delivery / Invoice notice / Receipt alert / DHL notice / UPS notification / Invoice information' and numerous -other- similar subjects with a malicious word doc attachment is another one from the current bot runs... The email looks like:
You had got the bill !
Delivered at: Tue, 28 Jul 2015 16:15:36 +0500.
Number of sheets: 0.
Mailer ID: 3.
Delivery number: 843.
Kindly be advised that attached is photo-copy of the 1st page alone.
We are going to mail the originals to You at the address indicated already.
-Or-
You have received the bill !
Received at: Tue, 28 Jul 2015 11:43:15 +0000.
Amount of sheets: 9.
Addresser ID: 79187913.
Delivery order: 6199843296.
Kindly be advised that attached is scan-copy of the 1st page alone.
We are going to dispatch the originals to You at the location mentioned earlier.
And multiple similar content. If you are unwise enough to open the attachment then you will end up with a word doc looking like this:
> http://myonlinesecurity.co.uk/wp-con...6199843296.png
DO -NOT- follow their advice/instructions or suggestions to enable content, that will activate the malicious macro inside the document and download and automatically run a file named word.exe which has an icon designed to fool you into thinking it is innocent and infect you. These emails have attachments with names like Invoice_number_6199843296.doc / Order_No._843.doc / Bill_No._95.doc and -multiple- variations of the names and numbers.
28 July 2015 : Invoice_number_6199843296.doc - Current Virus total detections:7/56*
... goes through a convoluted download procedure giving you http ://bvautumncolorrun .com/wp-content/themes/minamaze/lib/extentions/prettyPhoto/images/78672738612836.txt which is a base 64 encoded file that transforms into a password stealer. It also goes to http ://iberianfurniturerental .com/wp-content/plugins/nextgen-gallery/admin/js/Jcrop/css/fafa.txt which automatically downloads http ://umontreal-ca .com/word/word.exe (VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/6...is/1438080189/
** https://www.virustotal.com/en/file/4...is/1438081346/
bvautumncolorrun .com: 184.168.166.1: https://www.virustotal.com/en/ip-add...1/information/
iberianfurniturerental .com: 173.201.169.1: https://www.virustotal.com/en/ip-add...1/information/
umontreal-ca .com: 89.144.10.200: https://www.virustotal.com/en/ip-add...0/information/
___
Fake 'Voice Message' SPAM – wav malware
- http://myonlinesecurity.co.uk/voice-...e-wav-malware/
28 July 2015 - "'Voice Message Attached from 08439801260' pretending to come from voicemessage@ yourvm .co.uk with a wav (sound file) attachment is another one from the current bot runs... The email looks like:
Time: Jul 28, 2015 3:08:34 PM
Click attachment to listen to Voice Message
28 July 2015: 08439801260_20150725_150834.wav - Current Virus total detections: 2/55*
... Which downloads Dridex banking malware from laurance-primeurs .fr/345/wrw.exe
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/5...is/1438082138/
laurance-primeurs .fr: 94.23.1.145: https://www.virustotal.com/en/ip-add...5/information/
___
Fake 'Incoming Fax' SPAM - malware
- http://blog.dynamoo.com/2015/07/malw...rnal-only.html
28 July 2015 - "This -fake- fax message leads to malware:
From: Incoming Fax [Incoming.Fax@ victimdomain]
Date: 18 September 2014 at 08:39
Subject: Internal ONLY
**********Important - Internal ONLY**********
File Validity: 28/07/2015
Company : http ://victimdomain
File Format: Microsoft word
Legal Copyright: Microsoft
Original Filename: (#2023171)Renewal Invite Letter sp.doc
********** Confidentiality Notice ********** ...
(#2023171)Renewal Invite Letter sp.exe
Attached is a Word document with a malicious macro. The Hybrid Analysis report shows it downloading components from several locations, but doesn't quite catch the malicious binary being downloaded from:
http ://umontreal-ca .com/word/word.exe ... This has a VirusTotal detection rate of 2/55*.
umontreal-ca .com (89.144.10.200 / ISP4P, Germany) is a -known- bad domain. Other analysis is pending, however the payload is likely to be the Dyre banking trojan.
UPDATE: This Hybrid Analysis report shows traffic to the following IPs:
67.222.202.183 (Huntel.net, US)
195.154.163.4 (Online SAS, France)
192.99.35.126 (OVH, Canada)
95.211.189.208 (Leaseweb, Netherlands)
Recommended blocklist:
89.144.10.200
67.222.202.183
195.154.163.4
192.99.35.126
95.211.189.208 "
* https://www.virustotal.com/en/file/4...is/1438087963/
___
Fake 'cash prizes for shopping' SPAM – PDF malware
- http://myonlinesecurity.co.uk/get-ca...e-pdf-malware/
28 July 2015 - "Another set of emails with subjects including 'Get cash prizes for shopping' and 'Get cash payments for purchasing' with a zip attachment is another one from the current bot runs... The email looks like:
Love purchasing? We have something special for you!
Do you want to get cash compensations on buys you make in your favorite stores? Just get our debit card to make your purchases, and then you will commence enhancing the rewards. Bear in mind only one rule – the more you use it – the more you receive. So kindly check out the applied info to learn how this offer proceeds and how to open your bank account.
It was never so pure, fast and so close to your dreams. Don’t lose your time. Join us, keep to us and shopping will give!
-Or-
Being fond of shopping? We propose something special for you!
Do you want to get cash rewards on purchases you make in your favorite shops? Just use our debit card to make your purchases, and then you will start increasing the remunerations. Bear in mind one rule – the more you use it – the more you get. So please read the enclosed documentations to see how it operates and how to open your account.
It was never so elementary, fast and so close to your dreams. Don’t lose your chance. Join us, stick to us and shopping will pay!
And numerous other similar computer generated text...
28 July 2015: bank_offering_and_card_information.zip: Extracts to: special_offering_and_card_details.scr
Current Virus total detections: 2/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/8...is/1438090452/
... Behavioural information
TCP connections
216.146.43.70: https://www.virustotal.com/en/ip-add...0/information/
93.185.4.90: https://www.virustotal.com/en/ip-add...0/information/
24.33.131.116: https://www.virustotal.com/en/ip-add...6/information/
95.100.255.176: https://www.virustotal.com/en/ip-add...6/information/
___
Russian Underground - Revamped
- http://blog.trendmicro.com/trendlabs...ound-revamped/
July 28, 2015 - "When big breaches happen and hundreds of millions of credit card numbers and SSNs get stolen, they resurface in other places. The underground now offers a vast landscape of shops, where criminals can buy credit cards and other things at irresistible prices. News and media coverage on significant breaches are increasingly shaping up to becoming an everyday occurrence. 2014 became the “year of the POS breach” for the retailers like Neiman Marcus, Staples, Kmart, and Home Depot. The first part of 2015 has also seen some major breaches within the consumer industry (Chick-fil-A, RyanAir) but also with health insurers (Anthem, Premera). A simple shopping trip to the grocery store (Albertsons or Supervalu) or to Home Depot can prove fatal—paying with debit/credit card has its inherent risks. But what happens with the compromised data and personal information?... right after a significant data breach, the underground experiences an influx of new cards. These stolen credentials surface in places, where they get categorized within databases and sold in a very orderly fashion in underground “marketplaces.” Marketplaces in many ways are what forums used to be: a place of trade, but marketplaces now allow for standardized sales of products and services at a set price that can be bought with a few easy clicks similar to online-shopping. These places often have a professional-looking, user-friendly graphical interface, where the buyer can easily filter the available cards by very specific criteria such as ZIPcode, city, address of the card owner, type of card, etc... several credit cards that can be linked to big, well-known corporations by looking at the (valid) information offered about the card owner, his (corporate) address, zip code, and card number and validity date. What this tells us is that the clever cybercriminal, wanting to operate in a time-efficient manner and maximize his earnings, will make the best use of these new search/filter options offered by marketplaces. He will narrow his search to the big corporations, keep a database with addresses and locations and regularly filter the best marketplaces for the most recent outpour of -fresh- credit card leaks... Many corporations allow their employees to use credit cards for business travels but in the event of a card being stolen, the corporation is affected directly. The benefit these cards render for criminal purposes is obvious: if a corporate card has a transaction limit of, say, US$ 2,000, it can be a gold mine for cybercriminals. Due to hundreds of transactions that are processed, it’s difficult for the corporate card owner to detect and trace back any suspicious movement..."
> https://www.trendmicro.com/vinfo/us/...sticated-tools
July 28, 2015
