
Thread: SPAM frauds, fakes, and other MALWARE deliveries...

  1. #781
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Fake 'Court appearance' SPAM, Bank phish-sites

    FYI...

    Fake 'Court appearance' SPAM - JS malware
    - http://myonlinesecurity.co.uk/notice...rt-js-malware/
    5 Sep 2015 - "An email with the subject of 'Notice of appearance in Court #0000440904' [random numbered] pretending to come from County Court with a zip attachment is another one from the current bot runs...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...0000440904.png

    5 September 2015: 0000440904.zip: Extracts to: 0000440904.doc.js
    Current Virus total detection 9/57* ... which downloads 2 files 14136619.exe (Virus total**) and 1e0e6fda2680957[1].gif (VirusTotal***) from a combination of these 3 sites:
    selmaryachtmarket .com
    fibrasinteticafm .com
    laterrazzafiorita .it
    ... None of the automatic analysers even mention any reference to digital signatures whatsoever: Hybrid Analysis Win8.1 [1] | Hybrid Analysis Win 7 [2] | MALWR [3]
    This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/1...is/1441437273/

    ** https://www.virustotal.com/en/file/2...is/1441413005/

    *** https://www.virustotal.com/en/file/7...is/1441438363/

    1] https://www.hybrid-analysis.com/samp...nvironmentId=3

    2] https://www.hybrid-analysis.com/samp...nvironmentId=1

    3] https://malwr.com/analysis/ZDE5ODQxN...MzNTM2ZGU1OTY/

    selmaryachtmarket .com: 174.137.191.22: https://www.virustotal.com/en/ip-add...2/information/
    fibrasinteticafm .com:
    54.228.191.204: https://www.virustotal.com/en/ip-add...4/information/
    45.55.195.124: https://www.virustotal.com/en/ip-add...4/information/
    177.71.183.219: https://www.virustotal.com/en/ip-add...9/information/
    54.241.242.142: https://www.virustotal.com/en/ip-add...2/information/
    54.83.41.200: https://www.virustotal.com/en/ip-add...0/information/
    177.71.188.70: https://www.virustotal.com/en/ip-add...0/information/
    laterrazzafiorita .it: 208.43.65.115: https://www.virustotal.com/en/ip-add...5/information/
    ___

    UK bank phish-sites on teamhelpers .com
    - http://myonlinesecurity.co.uk/uk-ban...amhelpers-com/
    5 Sep 2015 - "I received a couple of -phishing- emails this morning that both lead to UK bank phishing sites on teamhelpers .com. So far I have seen one for Halifax Bank and one for Lloyds Bank. The subjects include 'Your Halifax online banking needs updating' and 'Your Lloyds online banking needs updating'. I would not be at all surprised to find out that there are many other different UK bank phishing sites on teamhelpers .com. I just haven’t found them yet...

    Screenshot1: http://myonlinesecurity.co.uk/wp-con...g-1024x610.png

    Screenshot2: http://myonlinesecurity.co.uk/wp-con...g-1024x612.png

    They are both common subjects in a bank phishing attempt. We see them pretending to be from PayPal and your Bank or Credit Card, with a message saying some thing like :
    There have been unauthorised or suspicious attempts to log in to your account, please verify
    Your online banking needs updating
    Your account has exceeded its limit and needs to be verified
    Your account will be suspended !
    You have received a secure message from < your bank>
    We are unable to verify your account information
    Update Personal Information
    Urgent Account Review Notification
    We recently noticed one or more attempts to log in to your PayPal account from a foreign IP address
    Confirmation of Order
    ... These will NEVER be genuine emails from PayPal or Your Bank so don’t ever follow the link-in-the-email which leads to a website that looks at first glance like the genuine bank website. This particular phishing campaign starts with an email with-a-link. In this case to a newly created base domain teamhelpers .com, which is hosted on Godaddy .com... you would be very hard-pressed to tell the difference between the -fake- one and the genuine site. The only way is to look at the address bar: in the -Genuine- bank site, when using Internet Explorer the entire address bar is in green (in Chrome or Firefox, only the padlock symbol on the left of the browser is green)... This either means that the new domain has been hacked already due to insecurities in the site software and Godaddy servers or, more likely, that the entire site was set up to act as a -fraud- site and Godaddy are not being as efficient and proactive as they should be with weeding out fake registrations..."

    Phish1: http://myonlinesecurity.co.uk/wp-con...s-1024x678.png

    Phish2: http://myonlinesecurity.co.uk/wp-con...s-1024x707.png

    Genuine: http://myonlinesecurity.co.uk/wp-con...e-1024x672.png

    teamhelpers .com: 107.180.41.152: https://www.virustotal.com/en/ip-add...2/information/

    Last edited by AplusWebMaster; 2015-09-06 at 17:58.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #782
    AplusWebMaster (Adviser Team)

    Fake 'Companies House', 'scanner notice' SPAM, EK's on 184.105.163.192/26

    FYI...

    Fake 'Companies House' SPAM - malicious attachment
    - http://blog.dynamoo.com/2015/09/malw...ies-house.html
    7 Sep 2015 - "This spam does -not- come from Companies House, but is instead a simple forgery with a malicious attachment:
    From "Companies House" [WebFiling@ companieshouse .gov.uk]
    Date Mon, 7 Sep 2015 12:40:01 +0100
    Subject RE: Case 0676414
    The submission number is: 0676414
    For more details please check attached file.
    Please quote this number in any communications with Companies House.
    All Web Filed documents are available to view / download for 10 days after their
    original submission. However it is not possible to view copies of accounts that
    were downloaded as templates.
    Companies House Executive Agency may use information it holds to prevent
    and detect fraud. We may also share such information, for the same purpose,
    with other Organizations that handle public funds.
    If you have any queries please contact the Companies House Contact Centre
    on +44 (0)303 1234 500 or email enquiries@ companies-house .gov.uK
    Note: This email was sent from a notification-only email address which cannot
    accept incoming email. Please do not reply directly to this message...


    The "case number" is random, and is reflected in the name of the attachment (in this case Case_0676414.zip) which in turn contains a malicious executable Case_0043258.scr which has an icon to make it look like a PDF file. This executable has a detection rate of 4/56*. The Hybrid Analysis report** shows that it communicates with 197.149.90.166 (Cobranet, Nigeria) which has been seen handling malicious traffic for the past couple of weeks. The payload is Upatre/Dyre."
    * https://www.virustotal.com/en/file/c...is/1441627466/

    ** https://www.hybrid-analysis.com/samp...nvironmentId=1

    197.149.90.166: https://www.virustotal.com/en/ip-add...6/information/
    ___

    Fake 'scanner notice' SPAM – PDF malware
    - http://myonlinesecurity.co.uk/import...e-pdf-malware/
    7 Sep 2015 - "An email with the subject of 'Important system scanner notice' coming from random companies and email addresses with a zip attachment is another one from the current bot runs... The content of the email says :
    Hello!
    Our system scanner indicates 69405063 error(s). Please see the attached documentation and contact with us ASAP.
    Regards,
    Online system security
    Mrs. Kendall Howell
    tel. 503-012-0597
    Email : prabha@ klcc .com.my


    The alleged sender matches the name of the company and email address in the body of the email. The numbers of errors are random. Some of the other subjects in this series of -Upatre- downloaders include:
    Important system e-mail
    Protection shield system scanner report
    Urgent security system notification
    Protection shield system scanner e-mail
    Security system scanner notification
    Urgent system scanner notice
    Protection shield system scanner e-mail
    And -hundreds- of other variations along the same theme...
    7 September 2015: Cary PlazaGL_report-HUDY9Ife7_.zip: Extracts to: Imogene CoveBR_report.exe
    Current Virus total detections 4/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/6...is/1441621866/
    ___

    Something evil on 184.105.163.192/26 ...
    - http://blog.dynamoo.com/2015/09/some...226-white.html
    7 Sep 2015 - "... I spotted some Nuclear EK (or some other Flash exploit) traffic on our network which attracted my interest. The IP in question was 184.105.163.243* hosted on what appears to be a Hurricane Electric IP... I don't tend to see a lot of bad stuff on HE so I looked more closely at the IP WHOIS and saw it was part of a range 184.105.163.192/26... given the sheer volume of crap that White Falcon has hosted in the past and its current problem with exploit kits, I would definitely recommend blocking-traffic to 184.105.163.192/26 to be on the safe side."
    (More detail at the dynamoo URL above.)
    * 184.105.163.243: https://www.virustotal.com/en/ip-add...3/information/

    Last edited by AplusWebMaster; 2015-09-07 at 17:07.

  3. #783
    AplusWebMaster (Adviser Team)

    Evil network: 89.144.2.0/24, .SU domains, Fake 'FedEx', 'contract' SPAM

    FYI...

    Evil network: 89.144.2.0/24 / Echo Romeo LLP (AS199762)
    - http://blog.dynamoo.com/2015/09/some...cho-romeo.html
    8 Sep 2015 - "This post at malware.kiwi* caught my eye after a sort-of challenge by Techhelplist**. Well, the bottom line is that these get-rich-quick schemes are run by serious organised criminals who tend not to leave too many traces behind.
    * http://malware.kiwi/compromised-pti-...hing-campaign/
    ...
    ** https://twitter.com/Techhelplistcom/...07799796137984
    This appears to be a binary options scam*** that is using illegally -hacked- sites as redirectors, and I suspect that it is using a botnet to send the spam in the first place, although this is not clear. Eventually, victims are sent via an affiliate link to a site searchingprofit .me...
    *** http://www.cftc.gov/ConsumerProtecti..._binaryoptions
    It turns out that dailybusinessdirect .com is hosted alongside a cluster of related domains on a set of IPs belonging to a firm called Echo Romeo LLP in the UK. From the research I have done, it appears that Echo Romeo are a legitimate small business doing web design and hosting. However, they operate an IP range 89.144.2.0/24 which seems to be almost completely full of spam, scam and malware sites... Echo Romeo have a portfolio on their site of designs they have done for customers. As far as I can tell, -none- of those customer sites are actually hosted in this IP address range. The first thing I noticed was a cluster of sites and IPs[4] that appear to be closely related to dailybusinessdirect .com:
    4] http://pastebin.com/mieQQj5s
    ... Overall, the evil-ness factor of 89.144.2.0/24 seems very high indeed (for example, this Damballa report on POSeidon[5] shows how the bad guys moved to this netblock), and yet Echo Romeo LLP seems to be completely legitimate. I even went to the effort of checking them out at Companies House, and all seems OK. I wonder if perhaps the bad guys have either gained control of the IP block or have popped a large number of their servers?"
    5] https://www.damballa.com/new-poseidon-spotted/
    (More detail at the dynamoo URL at the top of this post.)

    AS199762 (ECHOROMEO-AS)
    > https://www.google.com/safebrowsing/...site=AS:199762

    - https://www.google.com/safebrowsing/...?site=t9e.net/

    - https://www.google.com/safebrowsing/...te=89.144.2.0/

    searchingprofit .me: 82.192.91.16: https://www.virustotal.com/en/ip-add...6/information/

    dailybusinessdirect .com: 89.144.2.158: https://www.virustotal.com/en/ip-add...8/information/
    ___

    ipserver .su, 5.133.179.0/24 and 212.38.166.0/24
    - http://blog.dynamoo.com/2015/09/ipse...238166024.html
    8 Sep 2015 - "A follow-up to this post*, I took a look at the netblocks 5.133.179.0/24 and 212.38.166.0/24 suballocated to:
    person: Oleg Nikol'skiy
    address: British Virgin Islands, Road Town, Tortola, Drake Chambers
    phone: +18552100465
    e-mail: abuse@ ipserver .su
    nic-hdl: ON929-RIPE
    mnt-by: IPSERVER-MNT
    changed: abuse@ ipserver .su 20150528
    created: 2015-05-28T11:11:09Z
    last-modified: 2015-05-28T11:11:09Z
    source: RIPE


    I'm going to say straight away that my methodology is flawed, but I will share what I have. Very many IPs in this range have hosted badness in the past year-and-a-bit (e.g. 5.133.179.165**), mostly using subdomains.. to the extent that there are too many sites to analyse easily if I take the data from a passive DNS service. Instead, I elected to use the DomainTools reverse DNS which limits the results to domains only (not subdomains) and these are mostly active sites. Running the list through my analyser checks that the IPs are valid, and would normally tell me things such as the Google Safebrowsing Diagnostics and SURBL rating... I would expect to see about 1% in a normal sample, and out of 399 sites it comes back with zero. In fact, none of these sites seem to have any web presence at all, and all the ones that I have tried come back with almost no references on Google at all. I am going to suggest that there is nothing of value in these IP ranges, and given that historically .SU domains have a bad reputation***, then my suggestion is that you block traffic to:
    5.133.179.0/24
    212.38.166.0/24

    In the meantime I will continue digging.."
    * http://blog.dynamoo.com/2015/09/some...cho-romeo.html

    ** 5.133.179.165: https://www.virustotal.com/en/ip-add...5/information/

    *** https://www.abuse.ch/?p=3581

    Diagnostic page for AS20860 (IOMART-AS)
    - https://www.google.com/safebrowsing/...?site=AS:20860
    "... over the past 90 days, 289 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2015-09-08, and the last time suspicious content was found was on 2015-09-08... we found 6 site(s) on this network... that appeared to function as intermediaries for the infection of 9 other site(s)... We found 97 site(s)... that infected 127 other site(s)..."
    ___

    Fake 'FedEx' SPAM - JS malware
    - http://myonlinesecurity.co.uk/fedex-...el-js-malware/
    8 Sep 2015 - "An email with the subject of 'We could not deliver your parcel, #00184416 [ random numbered]' pretending to come from FedEx Standard Overnight <kevin.swartz@ 189-38-86-3 .net2 .com.br> with a zip attachment is another one from the current bot runs... The content of the email says:
    Dear Customer,
    We could not deliver your parcel.
    Delivery Label is attached to this email.
    Regards,
    Kevin Swartz,
    Station Agent.


    8 September 2015: Delivery_Notification_00184416.zip: Extracts to: Delivery_Notification_00184416.doc.js
    Current Virus total detections 9/56* ... which downloads 2 files 97823c.gif (VirusTotal**) | 12918408.exe (VirusTotal***) from a combination of these 3 sites:
    dominaeweb .com
    idsecurednow .com
    les-eglantiers .fr
    This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/2...is/1441689276/

    ** https://www.virustotal.com/en/file/5...is/1441689928/

    *** https://www.virustotal.com/en/file/5...is/1441658746/

    dominaeweb .com: 174.36.231.69: https://www.virustotal.com/en/ip-add...9/information/
    idsecurednow .com: 96.31.36.46: https://www.virustotal.com/en/ip-add...6/information/
    les-eglantiers .fr: 76.74.242.190: https://www.virustotal.com/en/ip-add...0/information/
    ___

    Fake 'contract' SPAM - PDF malware
    - http://myonlinesecurity.co.uk/edits-...e-pdf-malware/
    8 Sep 2015 - "An email with the subject of 'Edits of contract #oyMolGA of Tue, 08 Sep 2015 12:33:32 +0200 (random characters and times)' pretending to come from random companies and email addresses with a zip attachment is another one from the current bot runs... The content of the email says :
    Good day,
    Please check out the edits of contract 181254053. Pay your particular attention to
    paragraphs 121.39 and 148.85.
    Until this contract isn’t signed, an amount won’t be remitted. If you have any questions,
    please mail or call me on my additional number 63779928.
    Emmalee Schaden
    phone: 842-690-4561
    Robel, McCullough and Gibson


    8 September 2015: agreement changes Bruen Mall_jEHqrF.zip: Extracts to: renewed agreement Harber Village.exe
    Current Virus total detections 1/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/7...is/1441708637/
    ___

    PayPal Overpayment Scams that target Craigslist Sellers
    - https://isc.sans.edu/diary.html?storyid=20115
    Last Updated: 2015-09-08 - "... when people become familiar with the tactics employed by scammers, they will be less likely to get ripped off. With this in mind, I'd like to describe my recent interactions with miscreants who target sellers on Craigslist. This encounter, which involved SMS messages, emails and a click, is a variation of a PayPal-themed overpayment -scam- that has been quite prolific in recent years... The -fake- PayPal message in my inbox clarified that I might not see the funds in my PayPal account until I sent money to the buyer's pickup agent using MoneyGram... Soon, I received two more messages claiming to be from PayPal and impressing upon me the 'safety' of the transaction... more of my articles about online scams, take a look at How Victims Are Redirected to IT Support Scareware Sites* and Conversation With a Tech Support Scammer**."
    (More detail at the isc URL at the top of this post.)
    * https://isc.sans.edu/diary/How+Victi...e+Sites/19487/

    ** https://zeltser.com/tech-support-scammer-conversation/
    ___

    Com[dot]com site leads to -Fake- Daily Mail Article, Other Dodgy Sites
    - https://blog.malwarebytes.org/fraud-...r-dodgy-sites/
    Sep 7, 2015 - "When news of “com .com” (previously owned by CNET) being quietly sold to dsparking .com*, a known entity in the realm of browser hijacking and domain squatting, had rippled within the security industry a couple of years ago, some experts expressed concern**...
    * https://www.virustotal.com/en/domain...m/information/
    ...
    ** https://blog.whitehatsec.com/why-com...uld-scare-you/
    ... We recently encountered the URL, dw[DOT]com[DOT]com, that directed us to various destinations whenever we refresh it. Although this site is no longer accessible as we write this post, we were still able to visit one particular live URL destination that stood out among the rest during our testing. It is a -fake- Daily Mail news piece[3] reporting about British citizens finding a loophole wherein they can get the iPhone 6 for £1...
    3] https://blog.malwarebytes.org/wp-con...ailymail00.png
    ... All links on the fake Daily Mail article point to one URL, which then leads users to -random- destinations where they are offered freebies-behind-surveys or certain services... A little more digging around about dw[DOT]com[DOT]com has revealed that it also has a history of housing adware, PUPs[4], and spyware[5]... there are relatively few reports of com .com sites getting abused. That may be a good thing — at least for now; however, there may come a time when criminals would make full use of these sites for their malicious campaigns. So be advised, dear Reader, to avoid and proactively -block- them as early as now..."
    4] https://www.herdprotect.com/domain-dw.com.com.aspx

    5] https://www.f-secure.com/sw-desc/dw_com_com.shtml

    dw .com .com: 54.201.82.69: https://www.virustotal.com/en/ip-add...9/information/

    com .com: 209.132.243.234: https://www.virustotal.com/en/ip-add...4/information/

    dsparking .com: 141.8.225.89: https://www.virustotal.com/en/ip-add...9/information/

    Last edited by AplusWebMaster; 2015-09-08 at 21:39.
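Added example, not code from the dynamoo posts or from this thread: posts #782 and #783 above both end with a "block traffic to this netblock" recommendation (184.105.163.192/26, 89.144.2.0/24, 5.133.179.0/24, 212.38.166.0/24). The Python below loads those four ranges, checks connection records against them (so you can confirm, for instance, that 184.105.163.243 really sits inside the /26 while .191 does not) and prints matching outbound iptables rules. The log lines are constructed for the example; 212.38.166.77 is an arbitrary address inside that /24, not one reported in the posts, and the "timestamp src dst" format is an assumption.

```python
"""Check connection records against the netblocks the two dynamoo posts above
recommend blocking, and emit firewall rules for them."""
import ipaddress

# CIDR ranges quoted in posts #782 and #783. Comments give the post's reason only.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "184.105.163.192/26",  # White Falcon range on Hurricane Electric, exploit-kit traffic
    "89.144.2.0/24",       # Echo Romeo LLP (AS199762): spam, scam and malware sites
    "5.133.179.0/24",      # ipserver .su suballocation, no legitimate web presence found
    "212.38.166.0/24",     # ipserver .su suballocation, same
)]


def matching_net(ip: str):
    """Return the blocked network containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    for net in BLOCKED_NETS:
        if addr in net:
            return net
    return None


# Constructed log (assumed format): "timestamp src dst" per line; text after '#' is a comment.
SAMPLE_LOG = """\
2015-09-07T10:15:02Z 10.0.0.21 184.105.163.243  # EK host named in the post, inside the /26
2015-09-07T10:15:09Z 10.0.0.21 184.105.163.191  # one address below the /26 boundary
2015-09-08T08:02:44Z 10.0.0.35 89.144.2.158     # dailybusinessdirect .com
2015-09-08T08:03:01Z 10.0.0.35 82.192.91.16     # searchingprofit .me, not in a listed block
2015-09-08T09:30:12Z 10.0.0.12 5.133.179.165
2015-09-08T09:31:00Z 10.0.0.12 212.38.166.77    # constructed address inside the /24
"""


def find_blocked_connections(log_text: str) -> list:
    """Return (timestamp, src, dst, network) for every record whose destination is blocked."""
    hits = []
    for raw in log_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) != 3:
            continue
        ts, src, dst = fields
        net = matching_net(dst)
        if net is not None:
            hits.append((ts, src, dst, str(net)))
    return hits


def iptables_rules(chain: str = "OUTPUT") -> list:
    """Outbound drop rules: the posts recommend blocking traffic *to* these ranges."""
    return [f"iptables -A {chain} -d {net} -j DROP" for net in BLOCKED_NETS]


if __name__ == "__main__":
    for hit in find_blocked_connections(SAMPLE_LOG):
        print("BLOCKED", *hit)
    print("\n".join(iptables_rules()))
```

Because ipaddress.ip_network() is strict by default, a typo that is not on a CIDR boundary (say 184.105.163.200/26) raises at load time instead of silently widening or narrowing the block, which is the check you want on a blocklist copied from a blog post.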

  4. #784
    AplusWebMaster (Adviser Team)

    Fake 'Internship', 'new contract', 'MP2541', 'enrollment contract' SPAM

    FYI...

    Fake 'Internship' SPAM – doc malware
    - http://myonlinesecurity.co.uk/intern...d-doc-malware/
    9 Sep 2015 - "An email with the subject of 'Internship' pretending to come from SAMETRICE BLACKBURN <pwlc@ healthassets .net> with a malicious word doc attachment is another one from the current bot runs...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...p-1024x571.png

    ... DO NOT follow the advice they give to enable macros or enable editing to see the content...
    > http://myonlinesecurity.co.uk/wp-con...1-1024x412.png
    ...
    > http://myonlinesecurity.co.uk/wp-con...e-1024x604.png
    ... 9 September 2015: My_Resume_7049.doc . Current Virus total detections 7/56*.
    Downloads Dridex banking malware from http ://bakingsoda404 .com/dd/12345.exe (VirusTotal** 1/57)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/b...is/1441779828/

    ** https://www.virustotal.com/en/file/e...is/1441780825/
    ___

    Fake 'new contract' SPAM - PDF malware
    - http://myonlinesecurity.co.uk/we-hav...e-pdf-malware/
    9 Sep 2015 - "An email saying 'We have submitted a new contract for your approval. Please view the attached documentation' with the subject of 'Please view' pretending to come from FAX with a zip attachment is another one from the current bot runs...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...w-1024x481.png

    9 September 2015: renewed contract Blanda Common.zip: Extracts to: agreement Braden Views.exe
    Current Virus total detections 1/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/a...is/1441795477/
    ___

    Fake 'MP2541' SPAM – PDF malware
    - http://myonlinesecurity.co.uk/messag...e-pdf-malware/
    9 Sep 2015 - "An email with the subject of 'Message from “MP2541” (random numbers)' pretending to come from DoNotReply@ b(your own email domain) with a zip attachment is another one from the current bot runs... The content of the email says :
    This E-mail was sent from “MP2541” (MP 2541).
    Scan Date: Wed, 09 Sep 2015 10:33:34 GMT
    Queries to: DoNotReply@ ...


    9 September 2015: omp cheque.zip: Extracts to: omp cheque.scr
    Current Virus total detections 4/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/a...is/1441799167/
    ___

    Fake 'enrollment contract' SPAM – doc macro malware
    - http://myonlinesecurity.co.uk/re-enr...macro-malware/
    9 Sep 2015 - "An email with the subject of 'RE: enrollment contract' pretending to come from Calvin Hobbs <accounting@ steelgrill .com> with a malicious word doc attachment is another one from the current bot runs...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...t-1024x506.png

    ... DO NOT follow the advice they give to enable macros or enable editing to see the content:
    > http://myonlinesecurity.co.uk/wp-con...1-1024x412.png
    ...
    > http://myonlinesecurity.co.uk/wp-con...e-1024x604.png
    9 September 2015: charles_contract.doc - Current Virus total detections 2/56* ... Which goes through a convoluted download process via thetunaslab .com/wp-snapshots/sasa.txt (which simply contains the download link) and thetunaslab .com/wp-snapshots/66836487162.txt (a VB script to transform the downloaded .exe to a new location and name and autorun it) to end up with what is almost certainly a Dridex banking Trojan from http ://www. heavensound .it/wp-content/uploads/2015/06/pa.exe (VirusTotal 2/57 **)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/5...is/1441810073/

    ** https://www.virustotal.com/en/file/f...is/1441811453/
    ... Behavioural information
    TCP connections
    93.170.105.115: https://www.virustotal.com/en/ip-add...5/information/
    128.199.119.166: https://www.virustotal.com/en/ip-add...6/information/
    ___

    'Famous Spy Software' - SCAM
    - https://blog.malwarebytes.org/online...-spy-software/
    Sep 9, 2015 - "... received a tip from one of our researchers, Steven Burn, who is continuously investigating several persistent Facebook hacking scams... the individuals or group behind them merely rehash the same lures and tactics; services that offer the hacking of Facebook accounts are one such scam. Using a single line of text to look for potential scam destinations, Burn came across not one but -thousands- of compromised sites offering this particular type of hacking service... Once users click any of the search result links, they are -redirected- multiple-times and then land on a page in the domain, trackphone[DOT]tk:
    > https://blog.malwarebytes.org/wp-con...trackphone.png
    Clicking the big-green-button that says “Go to new site” directs to a page from mspy[DOT]com:
    > https://blog.malwarebytes.org/wp-con...15/09/mspy.png
    ... mSpy is a highly popular and controversial software that markets itself as a tool that a parent can use to monitor their child’s activities on their mobile devices -or- a tool that a doubting husband or wife can use to catch their cheating partners red handed... others who are contemplating using tools similar to mSpy, especially if you’re a parent, we implore that you think this through carefully before using it, because you may inadvertently expose your child to harm more than good this way."

    mspy .com: 104.20.26.47: https://www.virustotal.com/en/ip-add...7/information/
    104.20.27.47: https://www.virustotal.com/en/ip-add...7/information/

    Last edited by AplusWebMaster; 2015-09-09 at 19:23.
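Added example, not code from myonlinesecurity.co.uk, dynamoo or this thread: posts #781 through #784 above all describe the same trick, a zip attachment whose member is really a .js script or a .scr/.exe with a document icon and a name such as 0000440904.doc.js, so that Explorer with known extensions hidden shows a DOC or PDF. The Python below triages such an archive the way a mail gateway or an analyst would: it flags members by name (executable extension, document-then-executable double extension) and independently by content (MZ header, WScript/ActiveXObject near the start), and records the SHA-256 so the hash can be looked up on VirusTotal without uploading the file. The extension lists are my own triage choices, and the archive contents are constructed dummies written in the example, not the real downloaders from the posts.

```python
"""Triage a mail attachment .zip the way the spam posts above describe:
flag members whose real type is an executable or Windows script even when
the name is built to show as a document (.doc.js, PDF-icon .scr, ...)."""
import hashlib
import io
import zipfile
from dataclasses import dataclass, field

# Extensions Windows will run on double-click (assumed triage list, not from the posts).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "js", "jse", "vbs", "vbe", "wsf",
                   "hta", "bat", "cmd", "ps1", "jar"}
# Extensions an attacker pairs with the above to fake a harmless-looking name.
DOCUMENT_EXTS = {"doc", "docx", "pdf", "xls", "xlsx", "rtf", "txt", "jpg", "png"}


@dataclass
class Finding:
    name: str
    sha256: str                      # look this up on VirusTotal instead of uploading the file
    reasons: list = field(default_factory=list)


def classify_name(name: str) -> list:
    """Reasons to distrust a member purely from its file name."""
    base = name.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    reasons = []
    if len(parts) < 2:
        return reasons
    last = parts[-1]
    if last in EXECUTABLE_EXTS:
        reasons.append(f"executable extension .{last}")
        # 'name.doc.js' renders as 'name.doc' when known extensions are hidden
        if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTS:
            reasons.append(f"double extension .{parts[-2]}.{last} "
                           f"(shows as .{parts[-2]} with extensions hidden)")
    return reasons


def classify_content(data: bytes) -> list:
    """Reasons to distrust a member from its first bytes, independent of the name or icon."""
    reasons = []
    if data[:2] == b"MZ":
        reasons.append("MZ header: Windows PE executable regardless of extension or icon")
    head = data[:512].lower()
    if b"activexobject" in head or b"wscript" in head:
        reasons.append("WScript/ActiveXObject near start: Windows Script Host downloader pattern")
    return reasons


def triage_zip(zip_bytes: bytes) -> list:
    """Return a Finding for every suspicious member of the archive, in archive order."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            reasons = classify_name(info.filename) + classify_content(data)
            if reasons:
                findings.append(Finding(info.filename, hashlib.sha256(data).hexdigest(), reasons))
    return findings


def build_sample_zip() -> bytes:
    """Constructed stand-in for a bot-run attachment: member names follow the posts,
    the contents are dummies written here (no real malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("0000440904.doc.js",
                    'var sh = new ActiveXObject("WScript.Shell"); // constructed dummy body\n')
        zf.writestr("Case_0043258.scr", b"MZ" + b"\x00" * 62 + b"PE\x00\x00")  # constructed PE stub
        zf.writestr("Invoice.pdf", b"%PDF-1.4\n%constructed benign placeholder\n")
        zf.writestr("readme.txt", b"plain text, nothing to flag\n")
    return buf.getvalue()


if __name__ == "__main__":
    for f in triage_zip(build_sample_zip()):
        print(f.name, f.sha256[:16], "|", "; ".join(f.reasons))
```

The name and content checks are deliberately independent: a member called report.pdf that starts with MZ is still caught, and a .js member with its first kilobyte padded with comments is still caught by name. Neither check is a substitute for detonation in a sandbox like the Hybrid Analysis and MALWR reports the posts link to; they are the cheap gate that decides which attachments get that treatment.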

  5. #785
    AplusWebMaster (Adviser Team)

    Fake 'QuickBooks Invoice', 'America Airlines', 'New FAX' SPAM, 'Spear-phishing'

    FYI...

    Fake 'QuickBooks Invoice' SPAM – PDF malware
    - http://myonlinesecurity.co.uk/quickb...e-pdf-malware/
    10 Sep 2015 - "An email with the subject of 'Payment Overdue' pretending to come from QuickBooks Invoice <auto-invoice@ quickbooks .com> with a zip attachment is another one from the current bot runs... The content of the email says :
    Please find attached your invoices for the past months. Remit the payment by 10/09/2015 as outlines under our “Payment Terms” agreement.
    Thank you for your business,
    Sincerely,
    Rosendo Numbers
    This e-mail has been sent from an automated system. PLEASE DO NOT REPLY.
    The information contained in this message may be privileged, confidential and protected from disclosure...


    10 September 2015: Invoice.zip: Extracts to: Invoice.scr
    Current Virus total detections 0/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/5...is/1441880136/

    - http://blog.dynamoo.com/2015/09/malw...by-intuit.html
    10 Sep 2015 - "... Attached is a file payroll_report.zip which in turn contains a malicious executable payroll_report.scr which has a VirusTotal detection rate of 3/56*. The Hybrid Analysis report** shows traffic patterns that are consistent with the Upatre downloader -and- Dyre banking trojan. In particular, the malware contacts a familiar server at 197.149.90.166 (Cobranet, Nigeria) which you should definitely block ..."
    * https://www.virustotal.com/en/file/5...is/1441886437/

    ** https://www.hybrid-analysis.com/samp...nvironmentId=1

    197.149.90.166: https://www.virustotal.com/en/ip-add...6/information/
    ___

    Fake 'America Airlines' SPAM – JS malware
    - http://myonlinesecurity.co.uk/americ...43-js-malware/
    10 Sep 2015 - "An email with the subject of 'Your ticket order #00000239643 approved' [random numbered] pretending to come from America Airlines with a zip attachment is another one from the current bot runs...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...d-1024x504.png

    10 September 2015: Order_00000239643.zip: Extracts to: Order_00000239643.doc.js
    Current Virus total detections 13/57* ... which downloads 2 files 42809780.exe (Virus total 1/57 **) (Hybrid analysis***) and 3233543213348c1[1].gif (VirusTotal 10/56 [4]) (Hybrid Analysis[5]) from a combination of these 3 sites:
    64.239.115.111: https://www.virustotal.com/en/ip-add...1/information/
    les-eglantiers .fr: 76.74.242.190: https://www.virustotal.com/en/ip-add...0/information/
    readysetgomatthew .com: 205.144.171.28: https://www.virustotal.com/en/ip-add...8/information/
    See MALWR report[6] and Wepawet[7] ... which decodes or deobfuscates the javascript... note that the 42809780.exe has a -stolen- digital signature from Microsoft, which has been blocked (at least in Internet Explorer), Smart Filter warns about an invalid digital signature:
    > http://myonlinesecurity.co.uk/wp-con...-signature.png
    ... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/d...is/1441858346/

    ** https://www.virustotal.com/en/file/b...is/1441845045/

    *** https://www.hybrid-analysis.com/samp...nvironmentId=1

    4] https://www.virustotal.com/en/file/c...is/1441859040/

    5] https://www.hybrid-analysis.com/samp...nvironmentId=1

    6] https://malwr.com/analysis/ODEyYTNjZ...ZiNzQ0OGZmMDk/

    7] https://wepawet.iseclab.org/view.php...90f4e9&type=js
    ___

    Fake 'New Fax' SPAM - malicious attachment
    - http://blog.dynamoo.com/2015/09/malw...11-uk2fax.html
    10 Sep 2015 - "This -fake- fax spam comes with a malicious attachment:
    From "UK2Fax" [fax2@ fax1.uk2fax .co.uk]
    Date Thu, 10 Sep 2015 14:07:11 +0100
    Subject New Fax - 3901535011
    UK2Fax Fax2Email : New fax attached, received at 10/09/2015 10:26:29 GMT


    Attached is a file Fax-3901535011.zip which in turn contains a malicious executable Fax-800312316.scr which is exactly the -same- Upatre/Dyre payload as seen in this attack also seen today*."
    * http://blog.dynamoo.com/2015/09/malw...by-intuit.html
    ___

    'Spear-phishing' - Know the Risk, Raise Your Shield
    - http://arstechnica.com/security/2015...-your-shields/
    Sep 9, 2015 - "... the director of the National Counterintelligence and Security Center (NCSC) announced a "new counterintelligence campaign" focused on reducing the potential security damage done by the Office of Personnel Management data breaches. Called 'Know the Risk, Raise Your Shield', the campaign's opening salvo is a pair of spear-phishing awareness videos, urging people -not-to-click-on 'those links'*... The Office of the Director of National Intelligence, which the NCSC is part of, is pushing out materials for the campaign through its website and social media channels..."
    * https://www.youtube.com/embed/videos...3CpklC2vNkbtiD
    Video 2:53
    Know the Risk, Raise Your Shield

    Last edited by AplusWebMaster; 2015-09-10 at 16:24.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  6. #786
    AplusWebMaster (Adviser Team)

    Fake 'e-invoice', 'Sales Order', 'SOP Invoice' SPAM

    FYI...

    Fake 'e-invoice' SPAM – PDF malware
    - http://myonlinesecurity.co.uk/your-l...e-pdf-malware/
    11 Sep 2015 - "An email with the subject of 'Your latest e-invoice from TNT 1568467424 9445661 (random numbers)' pretending to come from eInvoicing <groupadminstubbinsDONOTREPLY@ tnt .com> with a zip attachment is another one from the current bot runs... The content of the email says :
    PLEASE DO NOT RESPOND – Emails to this address are not monitored or responded to.
    Please find attached your TNT Invoice. Please note that our standard payment terms require cleared funds in our account by the 15th of the month following the month of invoice.
    IMPORTANT CONTACT DETAILS
    To register an invoice query please contact us at ukinvoicequeries@ tnt .co.uk
    To forward a remittance advice or confirm payment please contact us at tntuk.cash.allocation@ tnt .com
    To set up a Direct Debit plan please contact us at tntdirectdebit@ tnt .co.uk
    For quick and easy access to your invoices simply log in using your user name and password to https ://express .tnt .com/eInvoicing and you’ll be able to view and download your electronic invoices immediately.
    If you have forgotten your user name or password please follow the above link where you will be able to reset your log-in details. If you are experiencing any technical issues with your e-Invoicing account please contact us at ukeinvoice@ tnt .co.uk
    Rest assured, we operate a secure system, so we can confirm that the invoice PDF originates from TNT and is authenticated with a digital signature. Thank you for using e-invoicing...


    11 September 2015: 1568467424_9445661.zip: Extracts to: 0230516548_6835403.scr
    Current Virus total detections 1/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/4...is/1441967307/
    ___

    Fake 'Sales Order' SPAM – PDF malware
    - http://myonlinesecurity.co.uk/sales-...e-pdf-malware/
    11 Sep 2015 - "An email with the subject of 'Sales Order Acknowledgement – Order No: 7M661725 – Your Reference: 89 /Bud (random numbers and names)' pretending to come from random companies and email addresses with a zip attachment is another one from the current bot runs... The content of the email says :
    Please find attached your sales order acknowledgement
    Order No: 7M661725
    Account: MGQ313
    Your Reference: 89 /Bud
    Web Reference:
    Kind Regards
    Office Team


    11 September 2015: SalesOrderAcknowledgement_2G060028.zip: Extracts to: SalesOrderAcknowledgement.scr
    Current Virus total detections 0/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/9...is/1441964692/

    - http://blog.dynamoo.com/2015/09/malw...les-order.html
    11 Sep 2015 - "This -fake- financial spam comes with a malicious payload:
    From "reports@officeteam .co.uk" [reports@ officeteam .co.uk]
    Date Fri, 11 Sep 2015 10:39:32 GMT
    Subject Sales Order Acknowledgement - Order No: EF150085 - Your Reference: 14 /Geneva
    Please find attached your sales order acknowledgement
    Order No: EF150085...

    ... SalesOrderAcknowledgement_EF150085.zip which in turn contained a malicious executable SalesOrderAcknowledgement.scr which has a VirusTotal detection rate of 3/55*. The Hybrid Analysis report** shows that amongst other traffic, it communicates with a familiar Nigerian IP of 197.149.90.166 (Cobranet)... the payload is Upatre downloading the Dyre banking trojan."
    * https://www.virustotal.com/en/file/9...is/1441972298/

    ** https://www.hybrid-analysis.com/samp...nvironmentId=1
    ___

    Fake 'SOP Invoice' SPAM – PDF malware
    - http://myonlinesecurity.co.uk/sop-in...e-pdf-malware/
    11 Sep 2015 - "An email with the subject of 'SOP Invoice (Single)' pretending to come from “Carlene Kidd” <Carlene.Kidd@ ppl-leeds .co.uk> (random names @ ppl-leeds .co.uk) with a zip attachment is another one from the current bot runs... The content of the email says :
    Hi Nicolas
    Please find attached copy Invoice No: J292G64W as requested.
    Regards
    Carlene
    The attached file is a Sage Report in PDF (Adobe Acrobat) format. To view
    the report you will need Acrobat Reader, available as a free download...


    11 September 2015: Invoice_J292G64W.zip: Extracts to: invoice.scr
    Current Virus total detections 1/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/3...is/1441965422/
    ___

    Fake 'PO & New Order' SPAM – doc malware
    - http://myonlinesecurity.co.uk/po-new...ploit-malware/
    11 Sep 2015 - "An email with the subject of 'PO & New Order' pretending to come from Sales with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...r-1024x599.png

    ... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be -blank- or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
    > http://myonlinesecurity.co.uk/wp-con...-macros_21.png
    ...
    > http://myonlinesecurity.co.uk/wp-con...ected-mode.png
    11 September 2015: PO & New Order.doc - Current Virus total detections 23/56* .
    Downloads http ://creativelinkspk .com/.css/ashok.exe (VirusTotal** 18/57). This looks like an old exploit CVE-2012-0158 that was fixed in MS12-027... but there is always a possibility that the exploit creators have added to it to work in modern office versions... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/2...is/1441931051/

    ** https://www.virustotal.com/en/file/2...is/1441887586/

    creativelinkspk .com: 192.3.105.250: https://www.virustotal.com/en/ip-add...0/information/

    Last edited by AplusWebMaster; 2015-09-12 at 00:01.
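    Several of the posts above describe the same disguise: an archive whose member is a script or .scr executable wearing a document name or icon (Order_00000239643.doc.js, SalesOrderAcknowledgement.scr). The following is an added example, not code from the thread or the quoted blogs, showing how a mail gateway or triage script can flag such members; the archive it scans is constructed in memory with names mirroring those reported, and the "MZ" bytes are a constructed stand-in for a real PE header.

```python
"""Flag attachments that use the double-extension / .scr trick.

Added example: builds a constructed zip archive whose member names mirror
the attachments reported in the thread and checks each member for the
disguises described there. Not the thread's or the blogs' own code.
"""
import io
import zipfile

# Extensions Windows will execute or hand to a script host on double-click.
EXECUTABLE_EXTS = {".exe", ".scr", ".js", ".jse", ".vbs", ".wsf",
                   ".bat", ".cmd", ".pif", ".com"}
# Extensions the lure wants the recipient to think they are opening.
DECOY_EXTS = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".txt"}


def classify_name(name: str) -> list:
    """Return the reasons a member name looks like a disguised payload.

    An empty list means the name itself gives nothing away.
    """
    reasons = []
    lower = name.rsplit("/", 1)[-1].lower()   # ignore any folder inside the archive
    parts = lower.split(".")
    if len(parts) < 2:
        return reasons
    ext = "." + parts[-1]
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {ext}")
        # e.g. "foo.doc.js": a decoy document extension sits just before the real one
        if len(parts) >= 3 and "." + parts[-2] in DECOY_EXTS:
            reasons.append(f"decoy document extension .{parts[-2]} before {ext}")
    if ext == ".scr":
        reasons.append("screensaver is a PE executable whatever icon it shows")
    return reasons


def scan_zip_bytes(data: bytes) -> dict:
    """Map each suspicious member of the archive to its list of reasons."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = classify_name(info.filename)
            # Peek at the first two bytes: "MZ" marks a Windows PE regardless of name.
            with zf.open(info) as fh:
                head = fh.read(2)
            if head == b"MZ" and not any("executable" in r for r in reasons):
                reasons.append("content starts with MZ (PE header) despite a non-executable name")
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip() -> bytes:
    """Constructed archive mimicking attachments reported in the thread."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Order_00000239643.doc.js", "var x = 1;")            # JS dressed as a DOC
        zf.writestr("SalesOrderAcknowledgement.scr", b"MZ\x90\x00fake")  # .scr with constructed PE bytes
        zf.writestr("invoice.pdf", b"MZ\x90\x00fake")                    # PE bytes behind a PDF name
        zf.writestr("README.txt", "plain text")                          # genuinely benign
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in scan_zip_bytes(build_sample_zip()).items():
        print(member, "->", "; ".join(reasons))
```

A name check alone misses the third case (a PE renamed to .pdf), which is why the scan also reads the first two bytes of each member.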

  7. #787
    AplusWebMaster (Adviser Team)

    Fake 'Pretrial requirements' SPAM

    FYI...

    Fake 'Pretrial requirements' SPAM – JS malware
    - http://myonlinesecurity.co.uk/pretri...ts-js-malware/
    13 Sep 2015 - "An email with the subject of 'Pretrial requirements' pretending to come from random names and email addresses with a zip attachment is another one from the current bot runs...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...s-1024x388.png

    12 September 2015: pretrial_requirements488.zip: Extracts to: pretrial_requirements488.js
    Current Virus total detections 21/57* . (Wepawet**) (MALWR***) which downloads multiple files including Adobe_update-S3NS81Y2MJC[1].exe (virus total 0/56 [4]) and Adobe_update-1SGMQ65OVG[1].exe (VirusTotal 0/57 [5]) and a genuine pdf (Adobe_update-BI5T99S2B9W[1].pdf) which displays an invoice to think that the entire download is innocent from a combination of these sites (this particular version only uses the first 2 sites, but if it cannot contact either of them, it will try each site in turn until it downloads the malware):
    The PDF is genuine and obviously a stolen invoice from an Italian company Eco srl being -reused- to try to fool you into thinking that it is only an invoice being displayed while the other malware is silently downloaded and run in the background:
    > http://myonlinesecurity.co.uk/wp-con...f-1024x619.png
    ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/0...is/1442130826/

    ** https://wepawet.iseclab.org/view.php...a149de&type=js

    *** https://malwr.com/analysis/Mjk4ZDIyY...M3MzNhOWM1ZTQ/

    4] https://www.virustotal.com/en/file/1...is/1442105203/

    5] https://www.virustotal.com/en/file/4...is/1442131135/

    Last edited by AplusWebMaster; 2015-09-13 at 14:27.

  8. #788
    AplusWebMaster (Adviser Team)

    HMRC Tax Refund Phish, ATM malware

    FYI...

    HMRC Tax Refund / Phish ...
    - https://blog.malwarebytes.org/fraud-...-refund-phish/
    Sep 14, 2015 - "... here’s the spam mail, which is titled 'Tax Refund New Message Alert!':
    > https://blog.malwarebytes.org/wp-con.../hmrcform0.jpg
    Some standouts:
    1. The -typo- in the sender address. Yes, we already mentioned it but it’s such an amazingly silly way to blow the cover of an attempted phish that I’m going to point and roll my eyes at it twice.
    2. Do Tax Departments send anybody emails with exclamation-marks in the subject? It doesn’t seem in line with the notion of serious people sending out serious tax emails, really.
    3. “See this email? Yeah, don’t tell anyone about it okay? It’s our little secret. Cough cough.”
    4. “Download and fill out a form” HMRC don’t send out mails about tax rebates.
    5. “Allow 5 to 9 business days, because we won’t have enough time to rip-off the card details you just sent us if you’re checking your account every five minutes”.
    Note that in the above example, the mail was sent to an Outlook account and was-flagged as spam – not all mail providers catch something, so it pays to always be on your guard.
    Clicking the link offers up a HTML file download from: liveinlove(dot)us/index(dot)php:
    > https://blog.malwarebytes.org/wp-con.../hmrcform1.jpg
    Opening up the file in a browser will fetch elements of real HMRC pages to add that little extra splash of authenticity:
    > https://blog.malwarebytes.org/wp-con.../hmrcform2.jpg
    There is, of course, no HTTPS / padlock which one would hope sets off a few alarm bells. The form follows the common pattern of not letting you proceed unless you’ve entered information in the relevant boxes. They want full card details, bank name, security code, name, DOB, address – the works. Once the submit button is hit, the victim will be redirected to a real HMRC page via the liveinlove URL. It seems the website being used for this scam has been -hacked-... In a first for me, I’ve had to let someone know their site has been compromised via a wedding RSVP form. As the wedding was due to take place back in -2014- I’m not entirely sure someone will be there to pick up the message but we’ll see how it goes. Should you receive one of these mails, feel free to delete it."

    liveinlove .us: 192.186.248.162: https://www.virustotal.com/en/ip-add...2/information/
    ___

    Next Gen ATM Malware
    - https://www.fireeye.com/blog/threat-...xt_genera.html
    Sep 11, 2015 - "You dip your debit card in an automated teller machine (ATM) and suddenly realize it is stuck inside. What happened?
    a) You took too much time entering details.
    b) There was an error in the network connection to the bank.
    c) The machine is infected with malware and your card was intentionally retained to be ejected to the crooks once you walk away asking for help.
    If you answered ‘c’ you might be correct! FireEye Labs discovered a new piece of ATM malware (4BDD67FF852C221112337FECD0681EAC) that we detect as Backdoor.ATM.Suceful (the name comes from a typo made by the malware authors), which targets cardholders and is able to retain debit cards on infected ATMs, disable alarms, or read the debit card tracks. ATM malware is not new, back in 2013 and 2014 threats like Ploutus[1] or PadPin[2] (Tyupkin) were used to empty ATMs in Mexico, Russia and other countries, but SUCEFUL offers a new twist by targeting the cardholders. SUCEFUL was recently uploaded to VirusTotal (VT) from Russia, and based on its timestamp, it was likely created on August 25, 2015. It might still be in its development phase; however, the features provided are shocking and never seen before in ATM malware:
    > https://www.fireeye.com/content/dam/...L/suceful1.png
    Potential SUCEFUL capabilities in Diebold or NCR ATMs include:
    1. Reading all the credit/debit card track data
    2. Reading data from the chip of the card
    3. Control of the malware via ATM PIN pad
    4. Retention or ejection of the card on demand: This could be used to steal physical cards
    5. Suppressing ATM sensors to avoid detection ..."
    (More detail at the FireEye URL above.)

    Last edited by AplusWebMaster; 2015-09-14 at 13:54.

  9. #789
    AplusWebMaster (Adviser Team)

    Fake 'Payment Summary', 'Unsettled invoice' SPAM, WhatsApp scam

    FYI...

    Fake 'Payment Summary' SPAM – PDF malware
    - http://myonlinesecurity.co.uk/paymen...e-pdf-malware/
    15 Sep 2015 - "2 sets of emails pretending to come from payslip@ hss.health.nsw. gov.au with the subject of 'Payment Summary (Group Certificate) for 2014/15 financial year' or 'Payslip for the period 31 Aug 2015 to 14 sep 2015' with a zip attachment is another one from the current bot runs...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...e-1024x506.png

    15 September 2015: PAYG-EoY-2014-15-11577085-181466719.zip: Extracts to: PAYG-EoY-2014-15-04831806-000718002.scr
    Current Virus total detections 11/56*
    15 September 2015: Payslip13526234054137704-78242.zip: Extracts to: Payslip00477196470196471-00038.scr
    Current Virus total detections 6/57**
    ... Techhelplist.com have done a breakdown of these Upatre downloaders from yesterday’s versions of these emails with similar attachments... HERE[3] and Here[4].
    This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/1...is/1442293989/

    ** https://www.virustotal.com/en/file/c...is/1442282228/

    3] https://techhelplist.com/spam-list/9...l-year-malware

    4] https://techhelplist.com/spam-list/9...o-date-malware
    ___

    Fake 'Unsettled invoice' SPAM – PDF malware
    - http://myonlinesecurity.co.uk/unsett...e-pdf-malware/
    15 Sep 2015 - "The latest -Upatre- style downloaders are attached to series of emails with the subject of 'Unsettled invoice e-mail notice' pretending to come from random addresses with a zip attachment is another one from the current bot runs... The content of the email says:
    Hello dear customer,
    I urgently ask you to settle an invoice from Tue, 15 Sep 2015 11:39:13 +0100


    Other subjects in this malspam run include:
    Unsettled invoice e-mail reminder
    Important invoice e-mail notice
    Overdue invoice e-mail reminder
    Unsettled invoice notification
    Outstanding invoice e-mail notice
    Important invoice final reminder

    The times are all random, but the dates all say Tue, 15 Sep 2015..
    15 September 2015: Voluptas soluta laborum illum aperiam praesentium molestiae sequi..zip:
    Extracts to: Consequatur sint consectetur qui esse..exe
    Current Virus total detections 1/57*
    This doesn’t actually appear to be Upatre and we haven’t managed to get any other downloads from it via automatic analysis so far... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/e...is/1442313814/
    ___

    WhatsApp scam/SPAM ...
    - https://blog.malwarebytes.org/fraud-...sapp-stickers/
    Sep 15, 2015 - "We’ve spotted a WhatsApp scam using the same general template as the previously covered WhatsApp Elegant Gold*, located at:
    stickers-whatsapp(dot)com
    ... which asks for your WhatsApp Number in return for some “stickers“. You typically have to pay for stickers via a number of Apps, so potential freebies are always going to pull in some eyeballs.
    > https://blog.malwarebytes.org/wp-con...tstickers1.jpg
    It follows the familiar pattern of “Spam a bunch of people and we’ll give you what you want”, complete with inevitable Shyamalan-style plot twist at the end (no, your phone wasn’t a ghost the whole time). Here’s the spam request:
    > https://blog.malwarebytes.org/wp-con...tstickers2.jpg
    ... As with other sites of a similar nature**, we advise you to not bother and stick to legit apps on your mobile store of choice if you really want to plaster your texts with images. All you’ll get for your time and trouble with these websites are adverts, PUPs and surveys (also, your phone was totally a ghost the whole time)."
    * https://blog.malwarebytes.org/fraud-...gital-catwalk/

    ** https://blog.malwarebytes.org/fraud-...p-voice-users/

    stickers-whatsapp(dot)com: 54.254.185.159: https://www.virustotal.com/en/ip-add...9/information/
    ___

    Cisco router break-ins bypass cyber defenses
    - http://www.reuters.com/article/2015/...0RF0N420150915
    Sep 15, 2015 - "... researchers* say they have uncovered clandestine attacks across three continents on the routers that direct traffic around the Internet, potentially allowing suspected cyberspies to harvest vast amounts of data while going undetected. In the attacks, a highly sophisticated form of malicious software, dubbed "SYNful Knock"*, has been implanted in routers made by Cisco..."
    * https://www.fireeye.com/blog/threat-...ck_-_acis.html
    Sep 15, 2015 - "... recent vendor advisories indicate that these have been seen in the wild. Mandiant can confirm the existence of at least -14- such router implants spread across four different countries: Ukraine, Philippines, Mexico, and India... Conclusion: ... It should be evident now that this attack vector is very much a reality and will most likely grow in popularity and prevalence..."
    1] http://www.cisco.com/web/about/secur...assurance.html

    Last edited by AplusWebMaster; 2015-09-15 at 21:46.

  10. #790
    AplusWebMaster (Adviser Team)

    Fake 'Renewed insurance policy', 'HSBC SecureMail', 'Lloyds Bank', Autopay info SPAM

    FYI...

    Fake 'Renewed insurance policy' SPAM – PDF malware
    - http://myonlinesecurity.co.uk/renewe...e-pdf-malware/
    16 Sep 2015 - "An email with the subject of 'Renewed insurance policy' e-mail pretending to come from random companies (all appearing to be either Australian or New Zealand addresses) with a zip attachment is another one from the current bot runs... The content of the email says :
    Good afternoon,
    This email address was specified to get a new insurance policy. Your policy is attached


    Other subjects include:
    Important insurance e-mail notice
    Insurance policy e-mail notice
    Health insurance notice
    Renewed insurance policy e-mail notice
    Important insurance e-mail

    16 September 2015: 23720.zip: Extracts to: 96998.exe
    Current Virus total detections 2/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/5...is/1442351794/
    ___

    Fake 'HSBC SecureMail' SPAM - malicious payload
    - http://blog.dynamoo.com/2015/09/malw...-you-have.html
    16 Sep 2015 - "This -fake- HSBC email message has a malicious payload:
    From: HSBC SecureMail [HSBCRepresentative_WilliamsBlankenship@ hsbc .co.uk]
    Date: 16 September 2015 at 13:13
    Subject: You have received a secure message ...


    ... file HSBC_Payment_87441653.zip which in turn contains a malicious executable HSBC_Payment_87441653.exe, this has a VirusTotal detection rate of 4/56*. Automated analysis is pending... but the payload is most likely to be Upatre/Dyre."
    * https://www.virustotal.com/en/file/a...is/1442407433/
    ___

    Fake 'Lloyds Bank' SPAM - doc/xls malware
    - http://myonlinesecurity.co.uk/you-ha...sheet-malware/
    16 Sep 2015 - "A BOGOF (Buy one, get one free) today pretending to come from various Lloyds bank email addresses with 2 different subjects both containing the same word macro downloader malware: 'You have received a new debit and Lloyds Bank – Pendeford Securities – Please Read Action Required/PI Documents/ Region code East 2/ 1831383/' with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

    Screenshots:
    > http://myonlinesecurity.co.uk/wp-con...d-1024x742.png
    -Or-
    > http://myonlinesecurity.co.uk/wp-con...t-1024x511.png

    DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
    > http://myonlinesecurity.co.uk/wp-con...1-1024x412.png
    ...
    > http://myonlinesecurity.co.uk/wp-con...e-1024x604.png
    The version of this word doc that I received actually has this content which tries to suggest it is protected with an RSA digital signature key that needs you to enable macros and editing to be able to see the proper content. You definitely do-not-want-to-enable-macros or editing or you-will-be-infected:
    > http://myonlinesecurity.co.uk/wp-con...c-1024x597.png

    16 September 2015: ReportonTitle0045168.1Final.doc - Current Virus total detections 4/53* .
    The malicious macros in this malware are giving problems to the automatic analysers, who aren’t able to actually get the malware. The macro contacts:
    obiectivhouse .ro/wp-content/plugins/maintenance/load/images/fonts-icon/
    ... which is an open directory where it gets various instructions to download the actual malware from http ://vandestaak .com/css/libary.exe and autorun it (VirusTotal**) which is itself an Upatre downloader that will download today’s version of the Dyre/dyreza/dridex banking Trojan malware... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/a...is/1442403104/

    ** https://www.virustotal.com/en/file/0...is/1442407381/

    obiectivhouse .ro: 178.156.230.216: https://www.virustotal.com/en/ip-add...6/information/

    - http://blog.dynamoo.com/2015/09/malw...pendeford.html
    16 Sep 2016 - "...In the sample I saw, there was a Word document ReportonTitle7117152.1Final.doc attached (detection rate 4/56*)... malicious macro. The macro attempts to download components from the following locations:
    thebackpack .fr/wp-content/themes/salient/wpbakery/js_composer/assets/lib/prettyphoto/images/prettyPhoto/light_rounded/66836487162.txt
    thebackpack .fr/wp-content/themes/salient/wpbakery/js_composer/assets/lib/prettyphoto/images/prettyPhoto/light_rounded/sasa.txt
    obiectivhouse .ro/wp-content/plugins/maintenance/load/images/fonts-icon/66836487162.txt
    obiectivhouse .ro/wp-content/plugins/maintenance/load/images/fonts-icon/sasa.txt
    A further download then takes place from:
    vandestaak .com/css/libary.exe
    This has a detection rate of 3/56**. The general characteristics of this file make it a close match to the Upatre/Dyre payload of this concurrent spam run [3] (automated analysis is pending).
    Recommended blocklist:
    197.149.90.166
    vandestaak .com
    thebackpack .fr
    obiectivhouse .ro"
    * https://www.virustotal.com/en/file/a...is/1442408475/

    ** https://www.virustotal.com/en/file/0...is/1442411964/

    3] http://blog.dynamoo.com/2015/09/malw...-you-have.html

    vandestaak .com: 213.179.202.11: https://www.virustotal.com/en/ip-add...1/information/
    thebackpack .fr: 195.144.11.40: https://www.virustotal.com/en/ip-add...0/information/
    obiectivhouse .ro: 178.156.230.216: https://www.virustotal.com/en/ip-add...6/information/
    ___

    Fake 'Autopay information' SPAM – PDF malware
    - http://myonlinesecurity.co.uk/autopa...e-pdf-malware/
    16 Sep 2015 - "An email with the subject of 'Autopay information' pretending to come from random companies with a zip attachment is another one from the current bot runs... The content of the email says :
    Hello,
    A new monthly invoice for the services is available to view online and is included as an attachment.
    No action is required because you’ve signed up for the AutoPay.
    Just review and retain this invoice #52467 for your records.


    Other subjects in this series of emails include:
    Settled invoice info
    Online service invoice info
    ...
    16 September 2015: Get new check MacGyver Station.zip: Extracts to: Repay insurance bill Ullrich Falls.exe
    Current Virus total detections: 1/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/8...is/1442410631/
    ___

    Fake Amazon UK Mail - phish...
    - https://blog.malwarebytes.org/fraud-...-after-breach/
    Sep 16, 2015 - "There is an Amazon phishing scam currently making the rounds, so you had better keep an eye on your inboxes, assuming your spam traps haven’t picked up on this one yet. And much like the majority of phish campaigns, this one also begins with an email. The samples we retrieved all originated from the Linode server (24.236.39.51):
    > https://blog.malwarebytes.org/wp-con...phish-mail.png
    ... The “Get Started” text is, of course, a link leading to the phishing page (screenshot below), which is at ukamazonverify[DOT]com:
    > https://blog.malwarebytes.org/wp-con...h-page-one.png
    ... After text boxes have been filled out, the user is taken to another page asking for -more- details, which includes personally identifiable information (PII), payment card details, and account security details (screenshot below), while data about email address and password are saved to Verify.php, which is located within the domain:
    > https://blog.malwarebytes.org/wp-con...erify-page.jpg
    Data that users enter on this page are saved to Finish.php after clicking the Validate button. The page then changes to tell users to wait as this site processes all their details, complete with a “spinny” indicator to denote that indeed some semblance of data processing is taking place at the background:
    > https://blog.malwarebytes.org/wp-con...ish-spinny.png
    What users don’t realize is that they’re actually taking their cue from a GIF file, and not an actual indicator, as they wait for what happens next. In the end, they are directed to the real Amazon UK site.
    ukamazonverify[DOT]com was created two-days-ago, along with other domains registered under a specific email address from 126[DOT]com, a popular email provider in China. Some browsers have already flagged the domain as a potential threat, which is great... when you see a similar email like the one above in your inbox, simply delete them..."

    ukamazonverify[DOT]com: 103.42.180.253: https://www.virustotal.com/en/ip-add...3/information/
    ___

    Fake 'New payment for tax refund' SPAM – JS malware
    - http://myonlinesecurity.co.uk/new-pa...99-js-malware/
    16 Sep 2016 - "An email with the subject of 'New payment for tax refund #0000255599' [random numbered] pretending to come from Internal Revenue Service <office@ irs .gov> with a zip attachment is another one from the current bot runs... The content of the email says:
    This is to inform you that your tax refund request has been processed.
    Please find attached a copy of the approved 94035N form you have submitted.
    Transaction type – Tax Refund
    Payment method – Wire transfer
    Amount – $ 3214.00
    Status – Processed
    Form – 94035N
    Additional information regarding tax refunds can be found on our website...
    Regards,
    Internal Revenue Service
    Address: 1111 Constitution Avenue, NW
    Washington, DC 20224 ...
    Phone: 1-800-829-1040


    16 September 2015: Tax_Refund_0000255599_Processed.zip: Extracts to: Tax_Refund_0000255599_Processed.doc.js
    Current Virus total detections 22/56* ... which downloads -3- files
    53212428.exe (Virustotal 1/57 **)
    13876688.exe (VirusTotal 2/57 ***) and
    0cedc1[1].gif (VirusTotal 1/57 ****) from a combination of these 3 sites:
    crossfitrepscheme .com
    dickinsonwrestlingclub .com
    les-eglantiers .fr
    (MALWR[5])
    ... This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a DOC file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/2...is/1442419074/

    ** https://www.virustotal.com/en/file/4...is/1442414485/

    *** https://www.virustotal.com/en/file/d...is/1442414434/

    **** https://www.virustotal.com/en/file/5...is/1442419912/

    5] https://malwr.com/analysis/MDc5NThhY...BlMzNmMDU0OTU/

    crossfitrepscheme .com: 199.175.49.19: https://www.virustotal.com/en/ip-add...9/information/
    dickinsonwrestlingclub .com: 72.20.64.58: https://www.virustotal.com/en/ip-add...8/information/
    les-eglantiers .fr: 76.74.242.190: https://www.virustotal.com/en/ip-add...0/information/

    Last edited by AplusWebMaster; 2015-09-16 at 18:45.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .
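The two JS-downloader campaigns quoted above both rely on a zip attachment whose member is named `<something>.doc.js`, so that Windows Explorer with "hide extensions for known file types" on shows it as a `.doc`. The following is an added example (not code from the post or from myonlinesecurity.co.uk) of how a mail gateway or triage script can flag that trick without extracting or running anything: it lists the archive members, checks for script/executable extensions and for a document-looking decoy extension in front of one, and shows what Explorer would have displayed. The extension lists, function names and the constructed sample zip (a placeholder comment, not the real downloader) are assumptions for this example.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extensions Windows will execute or run through WScript/cmd directly.
# Hypothetical, non-exhaustive list chosen for this example.
EXECUTABLE_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh",
                   ".exe", ".scr", ".bat", ".cmd", ".hta"}
# Document-looking extensions commonly used as the decoy half of a double extension.
DECOY_EXTS = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".txt", ".jpg"}


def triage_member_name(name):
    """Return the list of reasons a single archive member name looks suspicious."""
    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    reasons = []
    if not suffixes:
        return reasons
    last = suffixes[-1]
    if last in EXECUTABLE_EXTS:
        reasons.append(f"executable/script extension {last}")
    # Double extension: a decoy document suffix immediately before the real, executable one.
    if len(suffixes) >= 2 and suffixes[-2] in DECOY_EXTS and last in EXECUTABLE_EXTS:
        reasons.append(f"double extension: looks like {suffixes[-2]} but runs as {last}")
    return reasons


def name_as_explorer_shows_it(name):
    """What Windows Explorer displays with 'hide extensions for known file types' on:
    the final extension is dropped, so 'x.doc.js' is shown as 'x.doc'."""
    p = PurePosixPath(name)
    return p.name[: -len(p.suffix)] if p.suffix else p.name


def triage_zip_attachment(zip_bytes):
    """Inspect every member of a zip attachment by name only, without extracting it.
    Returns {member_name: [reasons]} for the members that trip a rule."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = triage_member_name(info.filename)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip():
    """Constructed sample mimicking the attachment layout described in the post.
    The member content is a placeholder comment, not the real downloader."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Tax_Refund_0000255599_Processed.doc.js",
                    "// constructed placeholder, not the real downloader\n")
        zf.writestr("notes.txt", "benign text\n")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in triage_zip_attachment(build_sample_zip()).items():
        print(f"{member} (shown by Explorer as '{name_as_explorer_shows_it(member)}')")
        for r in reasons:
            print("  -", r)
```

The check deliberately looks only at member names, so it is safe to run on quarantined mail before any sandbox detonation; a real gateway would pair it with the usual policy of blocking script extensions in archives outright, since there is rarely a legitimate reason for a `.js` inside a "court notice" or "tax refund" zip.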
