FYI...
Fake 'Court appearance' SPAM - JS malware
- http://myonlinesecurity.co.uk/notice...rt-js-malware/
5 Sep 2015 - "An email with the subject of 'Notice of appearance in Court #0000440904' [random numbered] pretending to come from County Court with a zip attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-con...0000440904.png
5 September 2015: 0000440904.zip: Extracts to: 0000440904.doc.js
Current VirusTotal detection 9/57* ... which downloads 2 files 14136619.exe (VirusTotal**) and 1e0e6fda2680957[1].gif (VirusTotal***) from a combination of these 3 sites:
selmaryachtmarket .com
fibrasinteticafm .com
laterrazzafiorita .it
... None of the automatic analysers even mention any reference to digital signatures whatsoever: Hybrid Analysis Win8.1 [1] | Hybrid Analysis Win 7 [2] | MALWR [3]
This is another one of the spoofed icon files that, unless you have "show known file extensions" enabled, will look like a DOC file instead of the .exe/JS file it really is, making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/1...is/1441437273/
** https://www.virustotal.com/en/file/2...is/1441413005/
*** https://www.virustotal.com/en/file/7...is/1441438363/
[1] https://www.hybrid-analysis.com/samp...nvironmentId=3
[2] https://www.hybrid-analysis.com/samp...nvironmentId=1
[3] https://malwr.com/analysis/ZDE5ODQxN...MzNTM2ZGU1OTY/
___
UK bank phish-sites on teamhelpers .com
- http://myonlinesecurity.co.uk/uk-ban...amhelpers-com/
5 Sep 2015 - "I received a couple of -phishing- emails this morning that both lead to UK bank phishing sites on teamhelpers .com. So far I have seen one for Halifax Bank and one for Lloyds Bank. The subjects include 'Your Halifax online banking needs updating' and 'Your Lloyds online banking needs updating'. I would not be at all surprised to find out that there are many other different UK bank phishing sites on teamhelpers .com. I just haven’t found them yet...
Screenshot1: http://myonlinesecurity.co.uk/wp-con...g-1024x610.png
Screenshot2: http://myonlinesecurity.co.uk/wp-con...g-1024x612.png
They are both common subjects in a bank phishing attempt. We see them pretending to be from PayPal and your Bank or Credit Card, with a message saying something like:
There have been unauthorised or suspicious attempts to log in to your account, please verify
Your online banking needs updating
Your account has exceeded its limit and needs to be verified
Your account will be suspended!
You have received a secure message from <your bank>
We are unable to verify your account information
Update Personal Information
Urgent Account Review Notification
We recently noticed one or more attempts to log in to your PayPal account from a foreign IP address
Confirmation of Order
... These will NEVER be genuine emails from PayPal or Your Bank so don’t ever follow the link-in-the-email which leads to a website that looks at first glance like the genuine bank website. This particular phishing campaign starts with an email with-a-link. In this case to a newly created base domain teamhelpers .com, which is hosted on Godaddy .com... you would be very hard-pressed to tell the difference between the -fake- one and the genuine site. The only way is to look at the address bar: on the -Genuine- bank site, when using Internet Explorer the entire address bar is in green (in Chrome or Firefox, only the padlock symbol on the left of the browser is green)... This either means that the new domain has been hacked already due to insecurities in the site software and Godaddy servers, or more likely that the entire site was set up to act as a -fraud- site and Godaddy are not being as efficient and proactive as they should be with weeding out fake registrations..."
Phish1: http://myonlinesecurity.co.uk/wp-con...s-1024x678.png
Phish2: http://myonlinesecurity.co.uk/wp-con...s-1024x707.png
Genuine: http://myonlinesecurity.co.uk/wp-con...e-1024x672.png
teamhelpers .com: 107.180.41.152: https://www.virustotal.com/en/ip-add...2/information/
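The first item above hinges on Windows hiding the last extension of "known" types, so 0000440904.doc.js shows up as 0000440904.doc. The following mail-gateway check is an added example (not code from the quoted blog or the forum post): it models that display rule and flags zip members whose visible name looks like a document while the real extension is a script or executable. The zip it inspects is constructed here with a harmless placeholder body, not the actual sample.

```python
import io
import zipfile

# Extensions that Windows hides when "Hide extensions for known file types"
# is on (the default), so "name.doc.js" is displayed as "name.doc".
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".exe", ".scr", ".bat", ".cmd", ".ps1"}
DOCUMENT_EXTS = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".txt", ".jpg", ".gif"}
KNOWN_EXTS = SCRIPT_EXTS | DOCUMENT_EXTS


def displayed_name(filename):
    """Name as Explorer shows it: the final extension is dropped if it is a known type."""
    stem, dot, ext = filename.rpartition(".")
    if dot and ("." + ext.lower()) in KNOWN_EXTS:
        return stem
    return filename


def is_deceptive(filename):
    """True when the real extension is script/executable but the name the user
    sees ends in a document-like extension (e.g. 0000440904.doc.js)."""
    name = filename.rsplit("/", 1)[-1]          # ignore any directory part
    real_ext = "." + name.rpartition(".")[2].lower()
    if real_ext not in SCRIPT_EXTS:
        return False
    shown = displayed_name(name)
    shown_ext = ("." + shown.rpartition(".")[2].lower()) if "." in shown else ""
    return shown_ext in DOCUMENT_EXTS


def flag_attachment(zip_bytes):
    """Return the member names inside a zip attachment that use the double-extension trick."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if is_deceptive(n)]


def build_sample_zip():
    """Constructed sample: the campaign's member name with a placeholder body,
    plus a benign-looking PDF name that must not be flagged."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("0000440904.doc.js", "// placeholder body, not the real script\n")
        zf.writestr("invoice.pdf", "%PDF-1.4 placeholder\n")
    return buf.getvalue()


if __name__ == "__main__":
    print(flag_attachment(build_sample_zip()))   # ['0000440904.doc.js']
```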