
Thread: SPAM frauds, fakes, and other MALWARE deliveries...

  1. #791
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Fake 'E-Bill', 'REFURBISHMENT', 'Important notice' SPAM

    FYI...

    Fake 'E-Bill' SPAM - malicious attachment
    - http://blog.dynamoo.com/2015/09/malw...r-week-38.html
    17 Sep 2015 - "This -fake- financial spam comes with a malicious attachment:
    From [invoices@ ebillinvoice .com]
    To administrator@ victimdomain .com
    Date Thu, 17 Sep 2015 11:10:15 GMT
    Subject Shell E-Bill for Week 38 2015
    Customer No : 28834
    Email address : administrator@ victimdomain .com
    Attached file name : 28834_wk38_2015.PDF
    Dear Customer,
    Please find attached your invoice for Week 38 2015.
    In order to open the attached PDF file you will need
    the software Adobe Acrobat Reader...
    Yours sincerely
    Customer Services...


    Attached is a file 28834_wk38_2015.zip containing a malicious executable 67482_wk38_2015.scr which has a detection rate of 2/56*. Automated analysis is pending, but the payload is almost definitely Upatre/Dyre which has been consistently sending traffic to 197.149.90.166 (Cobranet, Nigeria) for some time now, so I suggest that you -block- or monitor that IP."
    * https://www.virustotal.com/en/file/1...is/1442489503/
    ___

    Fake 'REFURBISHMENT' SPAM - malicious attachment
    - http://blog.dynamoo.com/2015/09/malw...cashirego.html
    17 Sep 2015 - "This -fake- financial spam... comes in several different variants (I saw two):
    From "Workflow Mailer" [hrwfmailerprod@ lancashire. gov.uk]
    To hp_printer@ victimdomain .com
    Date Thu, 17 Sep 2015 12:16:26 GMT
    Subject FYI: Sent: Online Discussion Message for RFQ 6767609,1 (LCDC - NF014378 R.R. Donnelley & Sons Company - REFURBISHMENT)
    __
    From Mabel Winter
    To hp_printer@ victimdomain .com
    Sent Thu, 17 Sep 2015 12:12:26 GMT
    ID 7216378
    Number 6767609,1
    Title Q3EX - 1C995408 R.R. Donnelley & Sons Company - REFURBISHMENT
    Negotiation Preview Immediately upon publishing
    Negotiation Open Immediately upon publishing
    Negotiation Close September 21, 2015 10:00 am GMT
    Company R.R. Donnelley & Sons Company
    Subject ITT Clarifications
    To view the message, please open attachment.


    The other version I had mentioned "QMDM - 5J673827 CDW Computer Centers Inc. - REFURBISHMENT" instead. The attachment appears to have a randomly-generated name e.g. REFURBISHMENT 7216378.zip and REFURBISHMENT 4435708.zip which contain a malicious executable REFURBISHMENT 7015295.scr which has a VirusTotal detection rate of 3/55*. The payload appears to be Upatre/Dyre..."
    * https://www.virustotal.com/en/file/e...is/1442492094/
    ___

    Fake 'Important notice' SPAM – PDF malware
    - http://myonlinesecurity.co.uk/import...e-pdf-malware/
    17 Sep 2015 - "An email with the subject of 'Important notice about document signing' pretending to come from random companies with a zip attachment is another one from the current bot runs... The content of the email says :
    Hello,
    You have been sent the document to sign it using Signority. To view this document, user’s personal data and secured link to signing, please open the attachment.
    Regards,
    The Signority Team


    Other subjects in this malspam run delivering Upatre downloaders include:
    Notice of documentation signing
    Important notification of document signing
    Important notice about documentation signing
    ...
    17 September 2015: Gain infringement fine .zip: Extracts to: Send proposed sum .exe
    Current Virus total detections 3/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/7...is/1442507711/

    Last edited by AplusWebMaster; 2015-09-17 at 21:01.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .
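    The three posts above all describe the same delivery trick: a zip attachment whose member is a .scr or .exe carrying a PDF icon, sometimes with a space before the real extension. The following is an added example (not code from the quoted blogs) that triages an attachment archive by member name alone, without extracting anything. The member names are the ones quoted in the thread; the archive contents, the benign PDF name and the extension lists are constructed assumptions.

```python
"""Triage attachment archives by member file name, without extracting anything.

Added example (not code from the quoted blogs). The member names are taken from
the posts above; the archive contents are constructed placeholders.
"""
import io
import re
import zipfile

# Extensions Windows runs directly on double-click; .scr (screensaver) is the
# one the lures above use most, because Explorer shows the embedded icon
# (a PDF or Excel icon) rather than anything identifying it as a program.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
    ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta",
}
# Document types the lures claim to deliver (used for double-extension checks).
DOCUMENT_EXTENSIONS = (".pdf", ".xls", ".xlsx", ".doc", ".docx")

# Trailing whitespace plus final extension, e.g. "policy .exe" -> (" ", ".exe").
_EXT_RE = re.compile(r"(\s*)(\.[a-z0-9]+)$")


def triage_name(member_name: str) -> list[str]:
    """Return the reasons a member name looks like a disguised executable ([] if none)."""
    base = member_name.rsplit("/", 1)[-1].lower()
    match = _EXT_RE.search(base)
    if not match:
        return []
    space, ext = match.group(1), match.group(2)
    if ext not in EXECUTABLE_EXTENSIONS:
        return []
    reasons = [f"executable extension {ext}"]
    if space:
        # "Value mortgage policy .exe": the space pushes the real extension out of
        # view in narrow file-list columns.
        reasons.append("whitespace before extension")
    stem = base[: match.start()]
    for doc_ext in DOCUMENT_EXTENSIONS:
        if stem.endswith(doc_ext):
            reasons.append(f"double extension {doc_ext}{ext}")
            break
    return reasons


def triage_zip(archive_bytes: bytes) -> dict[str, list[str]]:
    """List the archive's members and map each suspicious name to its reasons.

    Only the central directory is read; no member is extracted or executed.
    """
    findings: dict[str, list[str]] = {}
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = triage_name(info.filename)
            if reasons:
                findings[info.filename] = reasons
    return findings


# Member names quoted in the posts above, plus one constructed benign document.
SAMPLE_MEMBERS = [
    "67482_wk38_2015.scr",         # fake Shell E-Bill
    "Value mortgage policy .exe",  # fake Lloyds confirmation (rogue space)
    "Imprint tax business.exe",    # fake 'order not competed'
    "invoice_2015_w38.pdf",        # constructed, benign
]


def build_sample_archive() -> bytes:
    """Construct an in-memory zip with placeholder contents for the names above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name in SAMPLE_MEMBERS:
            zf.writestr(name, b"placeholder bytes, not a real file")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in triage_zip(build_sample_archive()).items():
        print(f"SUSPICIOUS {name!r}: {', '.join(reasons)}")
```

    Run on a mail gateway this is a cheap first filter: a zip that claims to be an invoice or report but contains nothing except a .scr is worth quarantining before any sandbox or AV verdict (the posts above show detection rates of 0/57 to 3/56 on the day of delivery).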

  2. #792
    AplusWebMaster

    Fake 'Transaction confirmation', 'Approval', 'Monthly report' SPAM, 'TaxRefund' Phish

    FYI...

    Fake 'Transaction confirmation' SPAM - malicious attachment
    - http://blog.dynamoo.com/2015/09/malw...firmation.html
    18 Sep 2015 - "This -fake- banking spam comes with a malicious attachment:
    From donotreply@ lloydsbank .co.uk
    Date Fri, 18 Sep 2015 11:52:36 +0100
    Subject Transaction confirmation
    Dear Customer,
    Please see attached the confirmation of transaction conducted from Your
    account. Kindly sign and forward the copy to us for approval.
    Best regards,
    Your personal Manager
    Thora Blanda
    tel: 0345 300 0000
    LLOYDS BANK.


    Attached is a file Notice.zip which contains a malicious executable Value mortgage policy .exe (note the rogue space) which has a VirusTotal detection rate of 3/55*. The Hybrid Analysis report** shows activity consistent with Upatre/Dridex including a key indicator of traffic to 197.149.90.166 in Nigeria."
    * https://www.virustotal.com/en/file/1...is/1442574773/

    ** https://www.hybrid-analysis.com/samp...nvironmentId=1
    ___

    Fake 'Approval' SPAM - PDF malware
    - http://myonlinesecurity.co.uk/approv...e-pdf-malware/
    18 Sep 2015 - "An email with the subject of 'Approval of the pages' pretending to come from random companies with a zip attachment is another one from the current bot runs... The content of the email says :
    Hi,
    Please take a quick look at the headlines of the attached docs.
    As I’ve told you before, the main part of project is almost ready.
    I guarantee that I’ll send it to you within this week.
    Please remember: the attached information is strongly confidential.


    Other subjects in this series of -Upatre- downloaders include:
    Check out the following pages
    Approval of renewed project part
    See the part of work
    Check updated part of work
    Review updated pages
    View renewed pages
    ...
    18 September 2015: Do obligatory agreeement .zip: Extracts to: Maintain remittance fund .exe
    Current Virus total detections 2/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/2...is/1442583621/
    ___

    'Tax Credits Refund' - Phish ...
    - https://blog.malwarebytes.org/fraud-...-refund-phish/
    Sep 18, 2015 - "... scammers leap onto the bandwagon with promises of tax credit refunds – effectively targeting those already most under threat from potential financial loss. If you’ve clicked-on-a-message along these lines in the last few days, you may want to get in touch with your bank as soon as possible. The message, which reads as follows, makes use of a Goo.gl shortening URL to -redirect- victims to what appears to be a compromised website:
    "Dear valued customer, we are happy to inform you that you have a new tax credit refund from HMRC. Click on the following link [URL] to claim your HMRC refund"
    ... Here’s the stats for the shortened URL:
    > https://blog.malwarebytes.org/wp-con...ditsphish1.jpg
    • 731 clicks so far, with the majority of them coming from the UK.
    • 440 of those were on iPhone, and 252 were using Android. Just 31 people were browsing via Windows.
    • The shortened link is 4 days old, so the scam is pretty fresh.
    Here’s the phishing page, located at savingshuffle(dot)com/hmrc/Tax-Refund(dot)php:
    > https://blog.malwarebytes.org/wp-con...ditsphish3.jpg
    As you can see, they want name, address, phone, email, telephone number, card details, sort code and account number. Further down the page, they also want some “Identity Verification” in the form of driving license number, national insurance number and mother’s maiden name. There’s also a pre-filled refund amount of £265.48 next to the submit button:
    > https://blog.malwarebytes.org/wp-con...ditsphish4.jpg
    ... By the time you end up checking to see if the money has gone in, they’ll likely have tried to clean you out. Given we’re talking about those who might be severely affected by the changes to the tax credits system, this would be quite the blow to say the least (and even if you’re not impacted, it’s still not a nice thing to happen either way)... HMRC does -not- send out missives offering refunds."

    savingshuffle(dot)com: 50.63.202.37: https://www.virustotal.com/en/ip-add...7/information/
    ___

    Malicious SYNful Cisco router implant found on more devices...
    - https://zmap.io/synful/
    Sept 16, 2015 - "... The attack is known to affect Cisco 1841, 2811, and 3825 series routers, but may also affect similar Cisco devices... Further details on the -firmware- implant can be found in the original FireEye post:
    > https://www.fireeye.com/blog/threat-...ck_-_acis.html
    ... by modifying ZMap to send the specially crafted TCP SYN packets. We completed four scans of the public IPv4 address space on September 15, 2015 and found -79- hosts displaying behavior consistent with the SYNful Knock implant. These routers belong to a range of institutions in -19- countries. We have found no immediate pattern in the organizations affected, but note a surprising number of routers in Africa and Asia (compared to IP allocations). We note that the -25- hosts in the United States belong to a single service provider on the East Coast, and that the hosts in both Germany and Lebanon belong to a single satellite provider that provides coverage to Africa. A map of devices is available here:
    > https://zmap.io/synful/map.html "

    > https://zmap.io/synful/graph.png

    > https://www.eecs.umich.edu/eecs/abou...2013/zmap.html

    >> http://net-security.org/malware_news.php?id=3104
    18.09.2015
    ___

    Fake 'Monthly account report' SPAM – PDF malware
    17 Sep 2015 - "An email with the subject of 'Monthly account report' pretending to come from info@ nab. com.au with a zip attachment is another one from the current bot runs...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...t-1024x645.png

    17 September 2015: Finance received statement .zip: Extracts to: Transfer online paying system cashback .exe
    Current Virus total detections 2/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/0...is/1442524683/

    Last edited by AplusWebMaster; 2015-09-18 at 18:45.

  3. #793
    AplusWebMaster

    Active malware campaign uses WordPress sites, Online poker sites - trojan

    FYI...

    Active malware campaign uses thousands of WordPress sites to infect visitors
    15-day-old campaign has spiked in past 48 hours, with >5,000 new infections daily.
    - http://arstechnica.com/security/2015...fect-visitors/
    Sep 18, 2015 - "Attackers have hijacked thousands of websites running the WordPress content management system and are using them to infect unsuspecting visitors with potent malware exploits, researchers said Thursday. The campaign began 15 days ago, but over the past 48 hours the number of compromised sites has spiked, from about 1,000 per day on Tuesday to close to 6,000 on Thursday, Daniel Cid, CTO of security firm Sucuri, said in a blog post*. The hijacked sites are being used to -redirect- visitors to a server hosting attack code made available through the Nuclear exploit kit**, which is sold on the black market. The server tries a variety of different exploits depending on the operating system and available apps used by the visitor... On Thursday, Sucuri detected thousands of compromised sites, 95 percent of which are running on WordPress. Company researchers have not yet determined how the sites are being hacked, but they suspect it involves vulnerabilities in WordPress plugins. Already, 17 percent of the hacked sites have been blacklisted by a Google service that warns users before they visit booby-trapped properties... Administrators can use this Sucuri scanning tool*** to check if their site is affected by this ongoing campaign."

    * https://blog.sucuri.net/2015/09/word...-campaign.html
    Sep 18, 2015

    ** https://heimdalsecurity.com/blog/nuc...-flash-player/

    *** https://sitecheck.sucuri.net/

    Latest Wordpress update: https://forums.spybot.info/showthrea...l=1#post466236
    ___

    Trojan targets online poker sites, peeks at players’ cards
    Malware targets two of the largest gambling sites, PokerStars and Full Tilt Poker.
    - http://arstechnica.com/security/2015...players-cards/
    Sep 18, 2015 - "Anybody who has ever played poker, online or offline, always suspects that they might be the victim of cheating when the cards aren't going their way. Now there's evidence to suspect that the hunch is real when it comes to two of the world's most popular online gambling portals. "Several hundred" gamblers on the Pokerstars and Full Tilt Poker platforms have been hit with a cheating trojan, according to ESET* security researcher Robert Lipovsky:
    ' Every once in a while, though, we stumble upon something that stands out, something that doesn’t fall into the “common” malware categories that we encounter every day — such as ransomware, banking trojans, or targeted attacks (APTs) — just to name a few of those that are currently causing the most problems. Today, we’re bringing you one of those uncommon threats — a trojan devised to target players of online poker.'
    The latest Windows malware discovery, called Odlanor, comes two years after ESET warned of the PokerAgent botnet propagating on Facebook in connection to the Zynga Poker app..."
    * http://www.welivesecurity.com/2015/0...eats-at-poker/
    17 Sep 2015
    (Country locations infected with Odlanor)
    - http://www.welivesecurity.com/wp-con...r_infected.jpg

    Threat Detail: http://virusradar.com/en/Win32_Spy.Odlanor/detail

    Last edited by AplusWebMaster; 2015-09-19 at 19:05.

  4. #794
    AplusWebMaster

    Fake 'Paymark', 'Sage invoice', 'order not competed' SPAM, 91.226.32.0/23

    FYI...

    Fake 'Paymark' SPAM – PDF malware
    - http://myonlinesecurity.co.uk/paymar...e-pdf-malware/
    21 Sep 2015 - "An email with the subject of 'Paymark TransTrack Report' pretending to come from Paymark TransTrack <onlineassist@ paymark .co.nz> with a zip attachment is another one from the current bot runs... The content of the email says:
    Thank you for using the Paymark TransTrack Transaction Reporting email service.
    Please find attached your requested transaction report.
    The report is in PDF format, suitable for importing into a variety of finance and spreadsheet applications such as Xero, MYOB and Microsoft Excel.
    The attached report is in a zip-formatted compressed file so you will need to extract it before viewing it.
    If you experience any difficulties or would like more information about Paymark TransTrack please visit ...
    This email was sent to [REDACTED]
    This email has been filtered by SMX. For more information visit ...


    21 September 2015: report.zip: Extracts to: report.scr
    Current Virus total detections 6/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/3...is/1442811837/
    ___

    Fake 'Sage invoice' SPAM – PDF malware
    - http://myonlinesecurity.co.uk/your-s...e-pdf-malware/
    21 Sep 2015 - "An email with the subject of 'Your Sage subscription invoice is ready' pretending to come from noreply@ sage .com with a link-for-you-to-download a zip attachment is another one from the current bot runs...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...y-1024x674.png

    21 September 2015: invoice.zip: Extracts to: invoice.scr
    Current Virus total detections 0/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/a...is/1442827749/

    - http://blog.dynamoo.com/2015/09/malw...scription.html
    21 Sep 2015 - "... contains a malicious executable invoice.scr which has a VirusTotal detection rate of 1/56*. The Hybrid Analysis report** shows that this is -Upatre- dropping the Dyre banking trojan, and one key indication of infection is traffic to the IP 197.149.90.166 in Nigeria."
    * https://www.virustotal.com/en/file/a...is/1442835086/

    ** https://www.hybrid-analysis.com/samp...nvironmentId=1

    197.149.90.166: https://www.virustotal.com/en/ip-add...6/information/
    ___

    Fake 'order not competed' SPAM – PDF malware
    - http://myonlinesecurity.co.uk/your-o...e-pdf-malware/
    21 Sep 2015 - "The Upatre malware spreading gang are hard at work again today with a new set of emails with the subject of 'Your order is not competed' pretending to come from random companies with a zip attachment is another one from the current bot runs... The body of the email simply contains the -name- of the attachment, so in this case the body reads: 'file: Receive rental contract.pdf'. Every email so far received has had a -different- subject and attachment name. Other subjects include:
    Order isn’t done
    Your order is not done
    Order is not finished
    Your order is not paid
    Order is not processed ...


    21 September 2015: Receive rental contract.zip: Extracts to: Imprint tax business.exe
    Current Virus total detections 2/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/1...is/1442828635/
    ___

    Tainted Network - VPS Hosting of Latvia (91.226.32.0/23) ...
    - http://blog.dynamoo.com/2015/09/tain...onescomsn.html
    21 Sep 2015 - "I've been seeing some injection attacks since last week utilising hosting services of VPS Hosting in Latvia. These are continuing today, with attacks like this one [URLquery*] which sends traffic to:
    [donotclick]kfc.i.illuminationes .com/snitch
    This is hosted on 91.226.33.54. The exploit is not clear at this point, but some sources say that this is some sort of TDS kit. The URLquery transaction flowchart shows the attack in action:
    > https://2.bp.blogspot.com/-9JiDUjob_...600/tds-ek.png
    The injected script sends the keywords and referring site upstream... Although the attacks in the past few days only seem to have utilised 91.226.33.54, an analysis of the netblock... shows several bad or spammy sites in 91.226.32.0/23, so my recommendation is that you banish (-block-) this range from your network."
    * https://urlquery.net/report.php?id=1442826023324

    illuminationes .com: 91.226.32.69: https://www.virustotal.com/en/ip-add...9/information/

    91.226.33.54: https://www.virustotal.com/en/ip-add...4/information/
    > https://www.virustotal.com/en/domain...m/information/
    ___

    NSW Health Payslip Spam
    - http://threattrack.tumblr.com/post/1...h-payslip-spam
    Sep 21, 2015 - "Subjects Seen
    Payslip for the period 21 Aug 2015 to 21 sep 2015
    Typical e-mail details:
    This message is intended for the addressee named and may contain confidential information. If you are not the intended recipient, please delete it and notify the sender.
    Views expressed in this message are those of the individual sender, and are not necessarily the views of NSW Health or any of its entities.


    Screenshot: https://40.media.tumblr.com/433050ff...r6pupn_500.png

    Malicious File Name and MD5:
    Payslip-21092015.scr (fa73a8adc4a7a1b037b8dded1eb9ac90)


    Tagged: NSWHealth, Upatre
    ___

    iOS users endangered by Trojanized apps from the App Store
    - http://net-security.org/malware_news.php?id=3105
    21.09.2015 - "Unknown malware pushers have managed to trick Apple into offering for download from the company's official App Store a considerable number of malicious apps - apps that collect device information and try to get users' iCloud login credentials. The current list* of infected iOS apps includes many extremely popular apps in China and the rest of the world..."

    Malware XcodeGhost Infects 39 iOS Apps ...
    * http://researchcenter.paloaltonetwor...ions-of-users/
    Sept 18, 2015
    - http://researchcenter.paloaltonetwor...cted-ios-apps/
    Sep 21, 2015

    - https://blog.malwarebytes.org/mac/20...tes-app-store/
    Sep 21, 2015
    ___

    Skype 'glitch' preventing some users from making calls
    - http://www.reuters.com/article/2015/...0RL0YC20150921
    Sep 21, 2015 - "Skype, Microsoft's online telephone and video service, said some users are unable to make calls on Monday because their settings show that they and their contacts are offline, even when they are logged in. In an updated blog post*, Skype also said some messages to group chats are not being delivered and that users who are not already signed in may face difficulty while accessing their accounts:
    > http://heartbeat.skype.com/2015/09/s...ce_issues.html
    Skype added that users could experience delays in seeing changes made to their accounts, such as credit balance and profile details. Users may also face difficulty loading web pages on the Skype Community... In an earlier post, Skype had said its instant messaging and Skype for Web services were not facing technical issues."

    Last edited by AplusWebMaster; 2015-09-22 at 17:06.
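    Posts #792 and #794 above both end with concrete indicators a defender can act on: the 197.149.90.166 destination that Upatre/Dyre keeps calling, the 91.226.32.0/23 netblock Dynamoo recommends blocking, the illuminationes .com TDS domain, the savingshuffle(dot)com phishing host and the ThreatTrack MD5 for the payslip sample. The following is an added example (not code from the quoted blogs) that applies those indicators to log lines. The indicator values are the ones quoted in the thread; the log format, the 10.0.0.x client addresses and the benign 192.0.2.10 destination are constructed for illustration.

```python
"""Match the network and file indicators quoted in this thread against log lines.

Added example (not code from the quoted blogs). The indicator values come from
the posts above; the log lines, their format and the 10.0.0.x client addresses
are constructed for illustration.
"""
import ipaddress
import re
from typing import Optional

# Indicators named in the posts: the Upatre/Dyre traffic destination (Cobranet,
# Nigeria), the VPS Hosting of Latvia netblock recommended for blocking, the
# TDS domain from the injection attacks, the tax-refund phishing host and the
# ThreatTrack payslip sample hash.
BAD_IPS = {"197.149.90.166"}
BAD_NETS = [ipaddress.ip_network("91.226.32.0/23")]
BAD_DOMAINS = {"illuminationes.com", "savingshuffle.com"}
BAD_MD5S = {"fa73a8adc4a7a1b037b8dded1eb9ac90"}

_IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)
_MD5_RE = re.compile(r"\b[0-9a-fA-F]{32}\b")


def check_ip(ip_text: str) -> Optional[str]:
    """Return 'ip' for an exact indicator, 'net <cidr>' for a blocked range, else None."""
    if ip_text in BAD_IPS:
        return "ip"
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:  # the regex also accepts things like 999.1.1.1
        return None
    for net in BAD_NETS:
        if addr in net:
            return f"net {net}"
    return None


def check_domain(host: str) -> Optional[str]:
    """Return the matching indicator domain for host or any of its subdomains."""
    host = host.lower().rstrip(".")
    for domain in BAD_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def scan_line(line: str) -> list[str]:
    """Collect every indicator hit in one log line, as 'value (reason)' strings."""
    hits = []
    for ip_text in _IPV4_RE.findall(line):
        reason = check_ip(ip_text)
        if reason:
            hits.append(f"{ip_text} ({reason})")
    for host in _HOST_RE.findall(line):
        domain = check_domain(host)
        if domain:
            hits.append(f"{host} (domain {domain})")
    for digest in _MD5_RE.findall(line):
        if digest.lower() in BAD_MD5S:
            hits.append(f"{digest.lower()} (md5)")
    return hits


def scan_log(lines: list[str]) -> list[tuple[int, str, list[str]]]:
    """Return (line number, line, hits) for every line with at least one hit."""
    results = []
    for number, line in enumerate(lines, start=1):
        hits = scan_line(line)
        if hits:
            results.append((number, line, hits))
    return results


# Constructed log lines (firewall, proxy, AV) in an assumed key=value format.
SAMPLE_LOG = [
    "2015-09-21T12:01:03Z fw allow src=10.0.0.23 dst=197.149.90.166 dport=80 proto=tcp",
    "2015-09-21T12:01:07Z proxy GET http://kfc.i.illuminationes.com/snitch client=10.0.0.41 status=200",
    "2015-09-21T12:02:15Z fw allow src=10.0.0.41 dst=91.226.33.54 dport=443 proto=tcp",
    "2015-09-21T12:03:40Z av quarantine file=Payslip-21092015.scr md5=fa73a8adc4a7a1b037b8dded1eb9ac90",
    "2015-09-21T12:04:02Z fw allow src=10.0.0.23 dst=192.0.2.10 dport=443 proto=tcp",
]


if __name__ == "__main__":
    for number, line, hits in scan_log(SAMPLE_LOG):
        print(f"line {number}: {'; '.join(hits)}")
```

    The netblock check is the part worth copying: matching 91.226.33.54 only as a literal string would miss the rest of the /23 that Dynamoo's analysis flags, which is why the example compares addresses against the network object rather than against a list of strings.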

  5. #795
    AplusWebMaster

    Malvertising, Fake 'Dislike' Facebook, 'Grand Theft Auto online' scams

    FYI...

    Malvertising attack hits Realtor .com visitors
    - https://blog.malwarebytes.org/malver...-com-visitors/
    Sep 22, 2015 - "... malvertising keeps on striking high profile sites. The latest victim is popular real estate website realtor.com, ranked third in its category with an estimated 28 million monthly visits... People browsing the site in the last few days may have been exposed to this malvertising campaign and consequently infected if their computers were -not- patched or did -not- have adequate security software. Like all other malvertising attacks, this one did -not- require to click on the -bogus- ad to get infected. The same gang that was behind the recent campaign we documented on this blog is still going at it using the same stealth tactics, which we will elaborate on a little more here:
    > https://blog.malwarebytes.org/wp-con...altor_flow.png
    Rogue advertisers are putting a lot of efforts into making ad banners that look legitimate and actually promote real products or services. We should also note that the use of SSL to encrypt web traffic is getting more and more common in the fraudulent ad business and that only makes tracking bad actors more difficult. We have alerted both the publisher (Realtor .com) and the ad serving technology platform (AdSpirit) about this attack and the latter has already taken action to disable the malicious creative... the Bedep Trojan (ad fraud, ransomware) via the Angler exploit kit."
    ___

    Fake 'Dislike' Facebook scam ...
    - http://www.theregister.co.uk/2015/09...e_survey_scam/
    22 Sep 2015 - "Survey scammers have already capitalised on Facebook's tentative plans to develop a 'Dislike' button... no such app is yet available and the offers are a scam, designed to hoodwink people into filling in pointless online surveys or buying into get-rich-quick schemes. Survey scams are a well-worn short con on the internet that, at best, waste surfers' time while yielding nothing in return. Victims are not infrequently tricked into disclosing their mobile numbers through survey scams and are subsequently signed up to premium rate services. Either ruse might also be used to coax marks into handing over Facebook login credentials. More details on the resurgence of Facebook Dislike -scams- can be found in a blog post by security industry veteran Graham Cluley here*, and on Sophos's Naked Security blog here**."
    * https://grahamcluley.com/2015/09/rig...-button-scams/

    ** https://nakedsecurity.sophos.com/201...cams-are-back/
    ___

    Fake 'Grand Theft Auto online' scams ...
    - https://blog.malwarebytes.org/fraud-...e-wheelie-bad/
    Sep 22, 2015 - "Grand Theft Auto online is still as popular as ever, with new content being released soon and everybody ramping up their “Must play it now” levels to the max. Money makes the online GTA world go round, and you certainly need a lot of it to progress. With that in mind, you might want to avoid the following sites claiming to offer up ridiculous amounts of money via a few “simple steps”. First out of the gate, we have
    gta5moneyserver(dot)com
    ... which has an amazing line in -faked- videogame site news pieces about their awesome money grabbing technique. Totally can’t see the Photoshop, guys:
    > https://blog.malwarebytes.org/wp-con.../gtamoney1.jpg
    ...
    > https://blog.malwarebytes.org/wp-con.../gtamoney2.jpg
    ... The focus of this one is what they’ve chosen to call “Genius Theft Auto”, where you enter your Username into the box and a pile of money awaits (or something):
    > https://blog.malwarebytes.org/wp-con.../gtamoney3.jpg
    ... Elsewhere, we have
    gta5moneyhackonline(dot)com
    ... which doesn’t beat about the bush, dispensing with pretty much everything other than a box asking for your info, desired money amount and a -survey- pop immediately after hitting the generate button... it’s a safe bet that every single “Money Generator” website you visit will end in little more than -spamming- a website to your friends, lots of -surveys- and the occasional download:
    > https://blog.malwarebytes.org/wp-con.../gtamoney8.jpg
    ... you’ll likely see a burst of activity on the GTA fakeout front, so steer clear of the following:
    Money generators
    Free DLC generators
    Rank improvement
    Account unbanning
    “DNS codes“
    Follow these steps, and you won’t get caught up in a 'Grand Theft Internet'."

    gta5moneyserver(dot)com: 104.152.168.16: https://www.virustotal.com/en/ip-add...6/information/

    gta5moneyhackonline(dot)com: 162.255.118.48: https://www.virustotal.com/en/ip-add...8/information/
    ___

    Fake 'Worldpay' SPAM - xls malware
    - http://myonlinesecurity.co.uk/premiu...excel-malware/
    21 Sep 2015 - "An email with the subject of 'Premium Charging MI Package for Merchant 82682006' pretending to come from GEMS@ Worldpay .com with a zip attachment is another one from the current bot runs... The content of the email says :
    *** Please do not reply to this Message *** Attached is the Management
    Information to support your Monthly Invoice. Should you have any queries,
    please refer to your usual helpdesk number.
    This e-mail and any attachments are confidential, intended only for the
    addressee and may be privileged. If you have received this e-mail in error,
    please notify the sender immediately and delete it. Any content that does
    not relate to the business of Worldpay is personal to the sender and not
    authorised or endorsed by Worldpay. Worldpay does not accept responsibility
    for viruses or any loss or damage arising from transmission or access.
    Worldpay (UK) Limited (Company No: 58544680/ Financial Conduct Authority
    No: 42068), Worldpay Limited (Company No:03424752 / Financial Conduct
    Authority No: 640149), Worldpay AP Limited (Company No: 82351023 ...


    21 September 2015: 82682006.zip: Extracts to: 70346783.scr
    Current Virus total detections 9/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper Xls Excel file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/e...is/1442846468/

    Last edited by AplusWebMaster; 2015-09-22 at 20:06.

  6. #796
    AplusWebMaster

    Fake 'NDISPlan', 'Bankline ROI' SPAM, 'DHL Courier' Phish

    FYI...

    Fake 'NDISPlan' SPAM – PDF malware
    - http://myonlinesecurity.co.uk/ndispl...e-pdf-malware/
    23 Sep 2015 - "An email with the subject of 'NDISPlan' pretending to come from random names @ndis .gov.au <filepoint@ dss .gov.au> with a zip attachment is another one from the current bot runs... The content of the email says:
    You have received 1 secure file from Edgar.Townsend@ ndis .gov.au.
    Use the secure link below to download.
    Hi Loik, As requested, please find attached a copy of Shelby’s plan. Cheers, Edgar
    Secure File Downloads:
    Available until: 16 October 2015
    Click link to download:
    Shelby-MyNDISPlan.zip
    681.07 KB, Fingerprint: 3F540085E625C8C2E5EB84A6B060E403 (What is this?)
    You have received secure links within this email sent via filepoint.dss .gov.au. To retrieve the files, please click on the links above.
    The link is to https ://www.sugarsync .com/pf/D8992504_764_6670557430?directDownload=true and not any gov.au site


    Today's Date: Shelby-MyNDISPlan.zip: Extracts to: Shelby-MyNDISPlan.scr
    Current Virus total detections 2/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/7...is/1442985111/

    sugarsync .com: 74.201.86.21: https://www.virustotal.com/en/ip-add...1/information/
    ___

    Fake 'Bankline ROI' SPAM - malicious attachment
    - http://blog.dynamoo.com/2015/09/malw...ssword-re.html
    23 Sep 2015 - "This -fake- banking spam does not come from RBS, but is instead a simple forgery with a malicious attachment:
    From "RBS" [secure.message@ rbs .co.uk]
    Date Wed, 23 Sep 2015 11:28:48 GMT
    Subject Bankline ROI - Password Re-activation Form
    Please find the Re-activation form attached, send one per user ensuring only one
    box is selected in section 3. A signatory on the bank mandate must sign the form.
    Fax to 1850 826978 or alternatively you may wish to email the completed document,
    by attaching it to an email and sendinsg it to banklineadministration@rbs.co.uk
    On receipt of the completed form we will respond to the request within 2 working
    hours and communicate this to the user by email.
    Please note - The life-span of an activation code is 21 days; after this time, the
    activation code will expire and a new one must be ordered.
    Please be aware when choosing a new pin and password for the service, it is important
    not to use pin/passwords that you have used before but to use completely different
    details.
    If you are the sole Standard Administrator may I take this opportunity to suggest
    when you are reinstated on the system, to set up another User in a Standard Administrator
    role. This will prevent you being locked out completely and allow you to order a
    new activation code from within the system and reset your security sooner.
    If you require any further assistance then please do not hesitate to contact us on
    1850 310269 and one of our associates will be happy to assist you.
    Regards
    Bankline Product Support ...


    In the sample I saw, the attached file was Bankline_Password_reset_3537684.zip containing a malicious executable Bankline_Password_reset_8569474.scr which has a VirusTotal detection rate of 2/56*. The Hybrid Analysis report** shows behaviour consistent with Upatre/Dyre and shows that the malware communicates with a known bad IP of 197.149.90.166 (Cobranet, Nigeria) which I definitely recommend -blocking- or monitoring."
    * https://www.virustotal.com/en/file/9...is/1443010402/

    ** https://www.hybrid-analysis.com/samp...nvironmentId=1
    ___

    'DHL Courier' - Phish ...
    - http://blog.dynamoo.com/2015/09/phis...l-courier.html
    23 Sep 2015 - "This DHL-themed spam is actually a phishing email:
    From: DHL Courier Services [roger@community .mile .org]
    To:
    Date: 23 September 2015 at 11:15
    Subject: SHIPMENT LABEL
    Signed by: community. mile.org
    Dear customer,
    Your shipment arrived at the post office.Our courier was unable to deliver the shipment to your address.To receive the shipment,please visit the nearestDHL office and take your mailing label with you.
    The mailing label is attached in this email. Please print and show at the nearest DHL office to receive the shipment.
    Thank you for using DHL services...


    Attached is a PDF file shipmentt_label.pdf which is not malicious in itself, but contains a hypertext link (as you can see in this Hybrid Analysis report*):
    > https://4.bp.blogspot.com/-dIqTVhvNL...s1600/dhl5.png
    If the potential victim clicks "Click here" then they are directed to ow .ly/Sq9to and from there to a phishing page at br1-update .be/wg/lhd.php on 64.20.51.22 (Inetserver Inc, US) which belongs to a netblock 64.20.51.16/29 which -also- looks highly suspect:
    > https://1.bp.blogspot.com/-mNlcOztRL...s1600/dhl6.png
    The phishing page itself is a complex script which is Base 64 encoded, then hex encoded... which is presumably phishing for email accounts. The spam itself appears to have been sent from a -compromised- webmail account at community .mile.org . For the moment, I would suggest that the entire 64.20.51.16/29 range is malicious and should be -blocked-."
    * https://www.hybrid-analysis.com/samp...nvironmentId=1

    br1-update .be: 64.20.51.22: https://www.virustotal.com/en/ip-add...2/information/

    Last edited by AplusWebMaster; 2015-09-23 at 15:52.
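Both the NDISPlan and Bankline samples above are zip files whose only payload is a .scr with a PDF icon, relying on Explorer hiding known extensions. The following is an added example (my own code, not from the quoted blogs) of the check a mail gateway or triage script can run on such an attachment before a user ever sees the icon: it flags executable extensions, document-then-executable double extensions, and, independent of the name, an 'MZ' PE header. The sample archive is constructed in memory and its member names are modelled on the ones in the posts; the 'MZ' stub stands in for a real PE file.

```python
"""Inspect a zipped e-mail attachment for executables posing as documents.

Added example; it is not code from the quoted blog posts. The archive is
constructed in memory and the 'MZ' stub stands in for a real PE file.
"""
import io
import zipfile

# Types Windows will run on double-click. With "show known file extensions"
# off, Explorer hides these suffixes, so a PDF icon is all the user sees.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd",
                   ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg"}


def split_exts(name):
    """'dir/Shelby-MyNDISPlan.pdf.scr' -> ('shelby-myndisplan', ['.pdf', '.scr'])."""
    base = name.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    return parts[0], ["." + p for p in parts[1:]]


def inspect_zip(data):
    """Return (member, reason) findings; an empty list means nothing was flagged."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            _, exts = split_exts(info.filename)
            last = exts[-1] if exts else ""
            if last in EXECUTABLE_EXTS:
                findings.append((info.filename, "executable extension " + last))
            if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS and last in EXECUTABLE_EXTS:
                findings.append((info.filename, "double extension " + exts[-2] + last))
            # Content check that ignores the name: PE files start with 'MZ'.
            with zf.open(info) as fh:
                if fh.read(2) == b"MZ":
                    findings.append((info.filename, "PE (MZ) header"))
    return findings


def is_suspicious(data):
    return bool(inspect_zip(data))


def build_sample_zip(benign=False):
    """Constructed sample modelled on the 'Shelby-MyNDISPlan.zip' lure above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", b"plain text, nothing to flag")
        if not benign:
            zf.writestr("Shelby-MyNDISPlan.scr", b"MZ" + b"\x00" * 62)  # fake PE stub
            zf.writestr("invoice.pdf.exe", b"MZ" + b"\x00" * 62)        # double extension
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in inspect_zip(build_sample_zip()):
        print(member + ": " + reason)
```

The MZ check is the one that matters for a gateway: renaming the payload to .pdf would defeat the extension rules, but not the header read.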

  7. #797
    AplusWebMaster

    Evil network: 64.20.51.16/29, Fake 'Federal Fiscal evasion' SPAM

    FYI...

    Evil network: 64.20.51.16/29 ...
    - http://blog.dynamoo.com/2015/09/evil...erver-inc.html
    24 Sep 2015 - "This DHL-themed phish* got me looking at an IP address range of 64.20.51.16/29 which is a range belonging to Interserver Inc in the US, but which has been -reallocated- to a customer... the WHOIS details for that block are not valid..
    * http://blog.dynamoo.com/2015/09/phis...l-courier.html
    ... an analysis of the sites currently and formerly hosted in that range indicate a very high proportion of -phishing- sites.. in fact, the range is a hotbed of sophisticated fraud sites, many of which seem to be undiscovered. I combined current reverse IP data from DomainTools and current and historical data from DNSDB and then ran them through an IP lookup and a check against the Google Safe Browsing... a very large number of sites -flagged- by SURBL in particular, amounting to 47 out of 167 sites (i.e. 28%) that I can identify as being currently hosted in that range. In addition, a large number of phishing and other malicious sites have been hosted on 64.20.51.16/29 in the past and are now hosted elsewhere...
    Conclusion: I really just skimmed the surface with my analysis here, but it is clear that the 64.20.51.16/29 block is being used almost exclusively for fraud. Moreover, the fraud is extremely sophisticated involving things like -fake- business registries and couriers. It is also clear that the Pakistani web hosts apparently providing these services have been doing so for some time.
    Recommended blocklist:
    64.20.51.16/29
    76.73.85.136/29
    185.24.233.16"
    (Much more detail at the dynamoo URL at the top of this post.)
    ___

    Fake 'Federal Fiscal evasion' SPAM - PDF malware
    - http://myonlinesecurity.co.uk/federa...e-pdf-malware/
    24 Sep 2015 - "An email with the subject of 'Federal Fiscal evasion notification' pretending to come from random email addresses at random companies with a zip attachment is another one from the current bot runs... The content of the email says:
    Hi
    Last Monday our colleagues were delivered final notice letter of tax authority.
    They are accusing You of tax avoidance that is considered a federal crime and might lead to considerable fines.
    In the attachment kindly see scan-copy of above official notice.
    You are highly asked inspect the enclosure very carefully so as to argue to the contrary later.
    According to our executive management’s information the appointment with Internal Revenue authorities is to be confirmed this week.
    We strictly advise You to be prepared for upcoming deposition because serious charges are brought against You.
    Right after getting Your approval specialists will commence filling required form-sheets.
    Katherine Dowson Senior Associate


    Other subjects in this malspam run include:
    Federal levy avoidance prosecution
    Federal levy avoidance indictment
    State Fiscal evasion charges
    Federal levy avoidance conviction
    Federal Fiscal dodging notification
    ...
    24 September 2015: Doc_320762_Federal Fiscal evasion notification .pdf.zip:
    Extracts to: timber carrier dive gamma.exe - Current Virus total detections 5/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/1...is/1443113149/
    ___

    Apple tackles XcodeGhost by removing apps, alerting devs and users
    - http://net-security.org/malware_news.php?id=3111
    24.09.2015 - "The XcodeGhost incident has demonstrated that however secure a system is thought to be, there's always a way in. It also shows how the very human tendency of trying to simplify and hasten the execution of a task can lead to decreased security. Apple has expanded on its initial comment about the malware and its proliferation in the App Store, and has explained that they have removed the infected apps from the store and that they are blocking submissions of new apps that contain the malware. They listed* the top 25 most popular apps impacted, among which is the popular messaging app WeChat, and noted that "after the top 25 impacted apps, the number of impacted users drops significantly."
    Users are advised to update those apps as soon as possible (once they are available on the App Store once again). Uninstalling the affected apps until that time is also a good idea, although the company says that the found malware was only capable of harvesting some general information about the apps and the OS... This incident might ultimately prove very beneficial for both Apple and app developers. As noted above, the former has already decided to do something about the downloading difficulties developers outside the US are facing..."
    * https://www.apple.com/cn/xcodeghost/#english

    Last edited by AplusWebMaster; 2015-09-24 at 22:43.
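The dynamoo post above ends with a recommended blocklist of two /29 ranges and a single host, and the Bankline and E-Bill posts name 197.149.90.166 as the Upatre/Dyre call-home. As an added example (my own code, not from dynamoo), here is how to run outbound firewall or proxy logs against that list with the standard ipaddress module, so the /29 boundaries are honoured rather than matched as string prefixes. The log lines and their 'timestamp source destination port' layout are constructed for the example.

```python
"""Match outbound connection logs against a CIDR/IP blocklist.

Added example, not part of the quoted dynamoo posts. The blocklist entries
are the ones recommended above plus the Upatre/Dyre host named in the
thread; the log lines are constructed samples in a hypothetical format.
"""
import ipaddress
import re

BLOCKLIST = [
    "64.20.51.16/29",    # recommended blocklist in the post
    "76.73.85.136/29",
    "185.24.233.16",
    "197.149.90.166",    # Upatre/Dyre call-home named in the thread
]

# Constructed sample: "timestamp src dst dport". 64.20.51.24 sits just
# outside the /29 (which covers .16 to .23) and must not match.
SAMPLE_LOG = """\
2015-09-24T10:01:02Z 10.0.0.15 64.20.51.22 443
2015-09-24T10:01:05Z 10.0.0.15 64.20.51.24 80
2015-09-24T10:02:11Z 10.0.0.21 197.149.90.166 443
2015-09-24T10:02:30Z 10.0.0.21 93.184.216.34 80
2015-09-24T10:03:00Z 10.0.0.33 76.73.85.140 80
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<dport>\d+)$")


def compile_blocklist(entries):
    """Turn strings into ip_network objects; a bare address becomes a /32."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def lookup(ip, networks):
    """Return the first blocklist network containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    for net in networks:
        if addr in net:
            return net
    return None


def scan_log(text, entries=BLOCKLIST):
    """Return (ts, src, dst, matched_entry) for every line whose dst is listed."""
    networks = compile_blocklist(entries)
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected layout
        net = lookup(m["dst"], networks)
        if net is not None:
            hits.append((m["ts"], m["src"], m["dst"], str(net)))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("%s %s -> %s matches %s" % hit)
```

Run over real logs, the source column is the point: each hit is an internal host to look at, which is the "monitor" half of dynamoo's "block or monitor" advice.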

  8. #798
    AplusWebMaster

    Fake 'Cancellation', 'Post Office emails' SPAM, Fake Avast scanner

    FYI...

    Fake 'Cancellation' SPAM – PDF malware
    - http://myonlinesecurity.co.uk/cancel...e-pdf-malware/
    25 Sep 2015 - "Another series of emails delivering Upatre downloaders with the subject of 'Cancellation of your last transaction' pretending to come from random companies and email addresses with a zip attachment is another one from the current bot runs... The content of the email says :

    Unfortunately your remittance transfer was cancelled. Please verify your transaction details. Full info attached.

    Other subjects in this malspam run include:
    Cancellation of transaction
    Suspension transaction
    Invaild data in your transaction
    Suspension your transaction
    Blocking transaction
    Problems with your last transaction
    ...
    25 September 2015: Doc_26638351_Cancellation of your last transaction .pdf.zip
    Extracts to: mgt emblem abreact.exe - Current Virus total detections 1/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/5...is/1443176862/
    ___

    Fake online -Avast- scanner
    - https://blog.malwarebytes.org/social...avast-scanner/
    Sep 25, 2015 - "... we came across a -fake- online scanner that abuses the good name of Avast. The idea to get you to visit this site is by waiting for someone to make a typo and end up at facebooksecuryti(dot)com; The site shows a picture of a pornographic nature just long enough to -redirect- you to the fake online scanner at avast(dot)services:
    > https://blog.malwarebytes.org/wp-con...15/09/site.png
    The scanner page looks a bit like Jotti’s malware scan, and they have quite a few logos in common:
    > https://blog.malwarebytes.org/wp-con...5/09/jotti.png
    The -fake- scanner will end up showing you that there is only one antivirus that can find a problem which is... you guessed it, avast! A bit predictable given the name and the logo of the site. This is where we hope that our readers would get very suspicious. A security software company offering to scan your computer using the scanning engines of competitors would be strange enough, but I’m sure if anyone did they would make it a fair competition and not declare themselves the one and only solution every time:
    > https://blog.malwarebytes.org/wp-con.../09/prompt.png
    It immediately offers you the options to “Install” or “Save” the file Avast.exe which is obviously -not- the installer for the actual Avast antivirus software. What the installer really does is drop an information stealing Trojan in several places on the victims system and point to them from two startup locations. One is a Run key for the current user pointing to a file in a temporary “System Restore” folder... This type of Trojan can be used to gather information on the victims’ computer and encrypt it. The encrypted information will be sent to the operator, who can determine which kind of information will be gathered from the compromised system... The files involved are detected as Trojan.InfoStealer.Generic and Stolen.Data. Thanks to our friend at hpHosts* for the tip."
    * http://www.hosts-file.net/

    avast(dot)services: 160.153.16.36: https://www.virustotal.com/en/ip-add...6/information/

    > https://www.virustotal.com/en/url/20...036a/analysis/
    2015-09-25
    7/65
    ___

    Scandinavian users hit with -fake- post office emails, ransomware
    - http://net-security.org/malware_news.php?id=3112
    25.09.2015 - "Scandinavian PC users are the latest group to be targeted with Cryptolocker ransomware. According to Heimdal Security*, the threat comes via email. The malware peddlers are impersonating the Norwegian, Swedish and Danish postal services, and are trying to trick users into believing that there has been a failed delivery of a package. They are instructed to click-on-the-link in the email, supposedly to download the document needed to claim the package at the post office, but what they'll get is an executable. Those users who -fail- to find this suspicious and run the file will have all their files encrypted (both on the computer and on connected devices), and will be faced with a ransom message... The emails are usually written in the victim's language, and are equipped with the logos and images associated with that country's postal services (e.g. in Denmark: Post Denmark and PostNord):
    > http://www.net-security.org/images/a...k-25092015.jpg
    The delivered malware is Cryptolocker2. When the campaign was first noticed earlier this week, the delivered malware variant had an extremely low AV detection rate - only one out of 56 AV engines used by VirusTotal** flagged it as malware. Three days later, the numbers are better (34 out of 55), but the danger is still present. Anyone can fall for this type of scheme, although it has been most successful with home users and employees of small-to-medium size businesses. Users of all kinds should educate themselves about the danger, and first and foremost should stop clicking-on-links contained in emails whose senders they haven't verified..."
    * https://heimdalsecurity.com/blog/sec...ign-continues/

    ** https://www.virustotal.com/en/file/1...is/1442488273/

    dshome .ru: 37.140.192.89: https://www.virustotal.com/en/ip-add...9/information/
    ___

    Cisco releases tool for detecting malicious router implants
    - http://net-security.org/malware_news.php?id=3114
    25.09.2015 - "Cisco Systems has provided a tool* that allows -enterprise- users to scan their networks and discover if their routers have been compromised with malicious SYNful Knock implants:
    * http://talosintel.com/scanner/
    ... If a compromised router is found, the scanner will provide instructions on what to do next. Users can also contact the Cisco Product Security Incident Response Team (PSIRT) for help. The SYNful Knock router implant was first discovered by FireEye researchers, and other researchers have found instances of compromised routers around the world. The discovery came roughly a month after Cisco warned about attackers replacing the Cisco IOS ROMMON (IOS bootstrap) with a -malicious- ROMMON image, after gaining administrative or physical access to a Cisco IOS device. These compromises are not the result of the exploitation of a vulnerability, but of a legitimate feature that allows network admins to install an upgraded ROMMON image on IOS devices for their own purposes. For more technical details and tool caveats, check out McVey's blog post**."
    ** http://blogs.cisco.com/security/talos/synful-scanner
    Sep 23, 2015 - "... We updated the tool to version 1.0.1."

    Last edited by AplusWebMaster; 2015-09-25 at 22:09.
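The fake Avast write-up above notes that the dropped infostealer persists through a Run key for the current user pointing at a file in a temporary "System Restore" folder. As an added example (my own code, not from Malwarebytes), here is a small audit of Run-key values taken from a .reg export, flagging entries that launch from temporary or user-writable folders or that fake a "System Restore" path outside the Windows directory. The export text, the value names and every path in it are constructed for this example.

```python
"""Audit HKCU/HKLM ...\\Run values from a .reg export for odd persistence.

Added example, not from the quoted post. The export below is a constructed
sample: value names and paths are hypothetical, chosen to mirror the
"temporary 'System Restore' folder" trick described above.
"""
import re

SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"SystemRestore"="C:\\Users\\alice\\AppData\\Local\\Temp\\System Restore\\svchost.exe"
"Avast"="\"C:\\Users\\alice\\AppData\\Local\\Temp\\Avast.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleAVTray"="C:\\Program Files\\ExampleAV\\tray.exe"
"""

# Folders an ordinary user can write to; legitimate autostarts rarely live here.
SUSPICIOUS_DIRS = ("\\temp\\", "\\tmp\\", "\\downloads\\", "\\public\\")
REG_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>.*)"$')


def unescape_reg(value):
    """Undo .reg escaping: \\\\ -> \\ and \\" -> "."""
    return re.sub(r'\\(["\\])', r'\1', value)


def command_path(value):
    """Extract the program path from a Run value, quoted or not."""
    v = value.strip()
    if v.startswith('"'):
        end = v.find('"', 1)
        return v[1:end] if end > 0 else v[1:]
    m = re.match(r"^(.*?\.(?:exe|scr|com|bat|cmd|vbs|js))", v, re.IGNORECASE)
    return m.group(1) if m else v.split(" ")[0]


def parse_run_keys(reg_text):
    """Yield (key, value_name, program_path) for values under any ...\\Run key."""
    key = None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = REG_VALUE_RE.match(line)
        if m and key and key.lower().endswith("\\run"):
            yield key, m["name"], command_path(unescape_reg(m["value"]))


def audit_run_keys(reg_text):
    """Return (value_name, path, reasons) for entries worth a closer look."""
    findings = []
    for _key, name, path in parse_run_keys(reg_text):
        low = path.lower()
        reasons = []
        if any(d in low for d in SUSPICIOUS_DIRS):
            reasons.append("runs from a temporary or user-writable folder")
        if "system restore" in low and not low.startswith("c:\\windows\\"):
            reasons.append("'System Restore' folder outside the Windows directory")
        if low.endswith((".scr", ".bat", ".vbs", ".js")):
            reasons.append("script or screensaver type in a Run key")
        if reasons:
            findings.append((name, path, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for name, path, why in audit_run_keys(SAMPLE_REG_EXPORT):
        print(name, "->", path, "::", why)
```

The OneDrive and ExampleAVTray entries pass because their folders are not user-writable scratch space; the path check, not the friendly value name, is what separates the two Temp entries from them.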

  9. #799
    AplusWebMaster

    Fake 'toll road payment', 'latest proposal' SPAM, Malvertising

    FYI...

    Fake 'toll road payment' SPAM – PDF malware
    - http://myonlinesecurity.co.uk/unsett...e-pdf-malware/
    28 Sep 2015 - "Another load of emails from the Upatre downloaders with the subject of 'Unsettled toll road payment reminder' pretending to come from random companies and email addresses with a zip attachment is another one from the current bot runs... The content of the email says:
    Good day!
    Your toll road ticket #2515380112 is still unsettled. Please make a remittance to avoid additional fees within 12 days.
    The copy of ticket is attached to this e-mail.


    Other subjects in today’s malspam run include:
    Turnpike road invoice reminder
    Outstanding turnpike invoice message
    Outstanding turnpike payment email reminder
    Oustanding toll road ticket notification
    Oustanding toll road payment notification
    Unsettled toll road bill notice
    Turnpike road bill reminder
    Toll road bill notice
    Toll road payment message
    Turnpike road ticket notification


    28 September 2015: Doc_9911815_Unsettled toll road payment reminder .pdf.zip:
    Extracts to: copious strumpet kernel mode.exe
    Current Virus total detections 3/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/1...is/1443433322/

    Similar: https://isc.sans.edu/diary.html?storyid=20191
    2015-09-28
    Screenshot: https://isc.sans.edu/diaryimages/ima...25_33%20AM.png
    [1] https://www.virustotal.com/en/file/8...is/1443436044/
    4/55
    ___

    Fake 'latest proposal' SPAM – PDF malware
    - http://myonlinesecurity.co.uk/the-la...e-pdf-malware/
    28 Sep 2015 - "Another set of emails with Upatre downloaders involve the subject of 'The latest proposal' pretending to come from random email addresses and companies with a zip attachment is another one from the current bot runs... The content of the email says :
    Good day,
    I’ve attached a new project and business proposal to this e-mail. I suppose it will interest you.
    ... This message and any attachments are confidential and intended for the named
    addressee(s) only.If you have received this message in error, please notify
    immediately the sender, then delete the message. Any unauthorized modification,
    edition, use or dissemination is prohibited. The sender does not be liable for
    this message if it has been modified, altered, falsified, infected by a virus
    or even edited or disseminated without authorization...


    Other subjects in this Malspam run include:
    My commercial proposal
    Please read my new commercial proposal
    Please read my new business project
    Please view my new project
    New business proposal
    The latest proposal of common business
    ...
    28 September 2015: Doc_21123802_My commercial proposal .pdf.zip:
    Extracts to: attendee parent bank manage to.exe
    Current Virus total detections 2/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/1...is/1443448919/
    ___

    Pornhub, YouPorn - Malvertising ...
    - https://blog.malwarebytes.org/malver...sing-campaign/
    Sep 28, 2015 - "The xHamster malvertising campaign we wrote about last week[1] was part of several attacks against many top adult sites. It is unclear whether this was a planned effort from threat actors but the timing is certainly strange. Over the week-end we detected -another- incident affecting Pornhub and YouPorn, some of the biggest adult websites with a combined 800 million monthly visits... Overview:
    Publishers: Pornhub .com/YouPorn .com
    Ad network: syndication.exoclick .com/{redacted}
    Malicious code: trackitsup .com/cookiecheck.js?{redacted}
    Redirection to exploit-kit: beatiful.sextubehard .pw/{redacted}
    Angler Exploit Kit: knutterigemukaantulolleen.colleenmhammond .org
    Rogue advertisers abused the ExoClick ad network by inserting a seemingly legitimate piece of code as an ad banner. The first documented instance of the ‘cookiecheck.js‘ campaign appears to have taken place on Sept. 19th according to this tweet from malware hunter Malekal:
    > https://twitter.com/malekal_morte/st...48983959113728
    #Browlock #Ransomware at @Exoclick network...
    'The ‘cookiecheck’ malvertising campaign. Rotating domain names all use the same JavaScript snippet.'
    Fortunately, the malvertising on Pornhub and YouPorn did not last as long, thanks to an immediate action from both the publisher and ad network... During the past several months, high profile malvertising attacks against top adult sites have been sparse. This makes what we have seen during the past couple of weeks very unusual but also impactful given the sheer volume of traffic these sites receive. What’s more, the attack against top adult ad network TrafficHaus we documented last week[1] may have been the result of a security breach, according to a comment left on security blogger Graham Cluley’s site**. Users should make sure that their computers are fully patched and protected with several layers of security (the 3 A’s is a very effective line of defense: Anti-exploit, Antivirus, Anti-malware) in order to defeat malvertising and drive-by download attacks."
    [1] https://blog.malwarebytes.org/malver...p-adult-sites/
    Sep 24, 2015
    * https://grahamcluley.com/2015/09/xhamster-malware/
    Sep 25, 2015
    ** https://grahamcluley.com/2015/09/xha...#comment-49405
    Sep 27, 2015 - "... 89.187.142.208..."
    > https://www.virustotal.com/en/ip-add...8/information/

    Pornhub .com: 31.192.117.132: https://www.virustotal.com/en/ip-add...2/information/

    exoclick .com: 178.33.165.129: https://www.virustotal.com/en/ip-add...9/information/

    trackitsup .com: 80.86.89.178: https://www.virustotal.com/en/ip-add...8/information/

    sextubehard .pw: "A temporary error occurred during the lookup..."

    colleenmhammond .org: 184.168.221.56: https://www.virustotal.com/en/ip-add...6/information/

    Last edited by AplusWebMaster; 2015-09-28 at 22:19.
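The malvertising overview above lists the hops from publisher to ad network to the cookiecheck.js host, a redirector and finally the Angler landing page. When investigating a drive-by hit, the same chain has to be rebuilt from proxy logs by walking Referer headers backwards from the exploit-kit request. As an added example (my own code, not from Malwarebytes), here is that walk over a constructed proxy log whose hostnames follow the chain in the post; the paths, the client addresses and the "timestamp client url referer" layout are made up here, with redacted query strings replaced by the placeholder REDACTED.

```python
"""Rebuild the redirect chain behind an exploit-kit request from proxy logs.

Added example, not from the quoted Malwarebytes post. The log is a
constructed sample: hostnames follow the chain described in the post,
paths and client addresses are hypothetical.
"""
from urllib.parse import urlsplit

SAMPLE_PROXY_LOG = """\
2015-09-27T21:10:01Z 10.0.0.7 http://www.pornhub.com/ -
2015-09-27T21:10:02Z 10.0.0.7 http://syndication.exoclick.com/ads.php?id=REDACTED http://www.pornhub.com/
2015-09-27T21:10:02Z 10.0.0.7 http://trackitsup.com/cookiecheck.js?REDACTED http://syndication.exoclick.com/ads.php?id=REDACTED
2015-09-27T21:10:03Z 10.0.0.7 http://beatiful.sextubehard.pw/REDACTED http://trackitsup.com/cookiecheck.js?REDACTED
2015-09-27T21:10:04Z 10.0.0.7 http://knutterigemukaantulolleen.colleenmhammond.org/REDACTED http://beatiful.sextubehard.pw/REDACTED
2015-09-27T21:10:04Z 10.0.0.9 http://www.example.com/ -
"""


def parse_log(text):
    """Each line is 'timestamp client url referer'; '-' means no Referer."""
    events = []
    for line in text.splitlines():
        ts, client, url, referer = line.split(" ", 3)
        events.append({"ts": ts, "client": client, "url": url,
                       "referer": None if referer == "-" else referer})
    return events


def redirect_chain(events, client, landing_host):
    """Return the URLs that led this client to landing_host, earliest first."""
    by_url = {(e["client"], e["url"]): e for e in events}
    start = next((e for e in events
                  if e["client"] == client
                  and urlsplit(e["url"]).hostname == landing_host), None)
    if start is None:
        return []
    chain, seen = [], set()
    cur = start
    # Walk Referer links backwards; 'seen' guards against referer loops.
    while cur is not None and cur["url"] not in seen:
        seen.add(cur["url"])
        chain.append(cur["url"])
        cur = by_url.get((client, cur["referer"])) if cur["referer"] else None
    chain.reverse()
    return chain


def chain_hosts(events, client, landing_host):
    """Same walk, reduced to hostnames: the view an analyst reports."""
    return [urlsplit(u).hostname for u in redirect_chain(events, client, landing_host)]


if __name__ == "__main__":
    ev = parse_log(SAMPLE_PROXY_LOG)
    for host in chain_hosts(ev, "10.0.0.7", "knutterigemukaantulolleen.colleenmhammond.org"):
        print(host)
```

The walk stops as soon as a referer is not in the log, which is exactly what happens when the redirect is done by JavaScript without a Referer or through a third-party opener; that gap is itself a finding worth noting in the timeline.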

  10. #800
    AplusWebMaster

    Fake 'Western Union', 'Blocked profile', 'SantanderBillpayment' SPAM, Malvertising

    FYI...

    Fake 'Western Union' SPAM – PDF malware
    - http://myonlinesecurity.co.uk/contra...e-pdf-malware/
    29 Sep 2015 - "An email with the subject of 'Contract 61936417 About to Expire: Final Notice – Western Union Business Solutions Online FX for Corporate' pretending to come from Western Union via random email addresses and companies with a zip attachment is another one from the current bot runs...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...e-1024x779.png

    29 September 2015: WU Business Contract 45827544.zip:
    Extracts to: WU Business Contract 770352457.scr
    Current Virus total detections 18/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/6...is/1443506282/
    ___

    Fake 'Blocked profile' SPAM – PDF malware
    - http://myonlinesecurity.co.uk/blocke...e-pdf-malware/
    29 Sep 2015 - "An email with the subject of 'Blocked profile management notification' pretending to come from NAB Bank Australia with a zip attachment is another one from the current bot runs... The content of the email says :
    Good day!
    We have detected suspicious activity with Your Online-Banking profile. Please be informed that
    the access and some capabilities of Your profile were restricted for security reasons. Temporarily
    You cannot conduct transactions with online-banking profile. In order to obtain full management
    powers You have to fill in and send back the attached form.
    Please use codename for authorization (contained in the attachment).
    Online-Banking profile: 8947626947780852875
    Code Name: no doubt insolvent noncancerogenic
    Our security department representative will contact You later to provide further instructions.
    Regards,
    Patrick Olsen
    NAB Support Team.


    29 September 2015: Bank_no doubt insolvent noncancerogenic_protection.zip:
    Extracts to: whose noodle soullessness.exe
    Current Virus total detections 15/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/5...is/1443507454/
    ___

    Fake 'SantanderBillpayment' SPAM - malware attachment
    - http://blog.dynamoo.com/2015/09/malw...info-from.html
    29 Sep 2015 - "This -fake- financial spam comes with a malicious attachment:
    From "Santanderbillpayment-noreply@ SantanderBillPayment .co.uk" [Santanderbillpayment-noreply@ SantanderBillPayment .co.uk]
    Date Tue, 29 Sep 2015 12:33:56 GMT
    Subject Info from SantanderBillpayment .co.uk
    Thank you for using BillPay. Please keep this email for your records.
    The following transaction was received on 29 September 2015 at 09:11:36.
    Payment type: VAT
    Customer reference no: 0343884
    Card type: Visa Debit
    Amount: GBP 4,683.00
    For more details please check attached payment slip.
    Your transaction reference number for this payment is IR0343884.
    Please quote this reference number in any future communication regarding this payment.
    Yours sincerely,
    Banking Operations ...


    The attachment is named SantanderBillPayment_Slip0343884.zip although I have not been able to get a working copy. The payload is most likely the Upatre/Dyre banking trojan. My sources tell me that the current wave of this is phoning home to 197.149.90.166 in Nigeria which is worth -blocking- or monitoring."
    ___

    Fake 'Attorney-client' SPAM – PDF malware
    - http://myonlinesecurity.co.uk/attorn...e-pdf-malware/
    29 Sep 2015 - "An email with the subject of 'Attorney-client agreement' pretending to come from random names and random companies with a zip attachment is another one from the current bot runs... The content of the email says :
    It went OK. The court understood that it may be that you might not have much relevant
    information but he couldn’t rule as a matter of law that you had no relevant information
    and did not need to appear. However he ordered the other side to make clear when they were
    going to call you and provide information on that so that you are not standing around
    waiting to be called. He also made it clear that I preserve my right to object to their
    questions on grounds of relevance, so, you need to be available on Monday or Tuesday the
    29th and 30th to appear but I will let you know as we get closer what time and day.
    We will also need to prepare for your testimony the week before.
    With regard to the other motions, the court ruled that they cannot present any evidence as
    damages of costs incurred or the fee received while Gary Ferguson was representing the
    Grover’s. That is pretty good ruling.
    As to many of the other issues he simply punted them for trial, preserving our arguments
    The only issue that we need to discuss is the Court’s willingness to consider their claim
    for breach of contract. The court is going to allow them to assert a claim for breach of
    contract. The Court indicated that it was a close call, but they have one paragraph in
    their complaint suggesting a claim for breach of contract, but he limited the breach of
    contract claim to their allegation that under the fee agreement you would not take any
    money without paying the Grovers under your retainer agreement. That is the only breach
    of contract claim. If you look at the retainer agreement attached, I don’t think it says
    that (paragraph 1) . What it says is that if the case is settled, you can take your fee
    and pay costs. However they are arguing that the whole case had to be settled before you
    took any fee.
    Even if that were the case, then you should have been able to receive the 63,665 at the end
    of the case after they lost to Timpanogos (either under P&M’s agreement or your agreement.)
    and they would’ve had to pay the costs. In other words, I think we have the stronger
    argument here. And, if we win, we will be able to assert a claim for attorny’s fees.
    But if they win, they also have that right.
    However, because the court allowed them to assert this claim for breach of contract ruled
    that he would allow me to conduct more limited discovery before trial if I think I needed to.
    Upon first glance of the issue, I don’t think I need any additional discovery. But I wanted
    to run this by you guys. Let me know your thoughts as soon as possible. He also said he
    might consider bumping the trial if I tell him why I need to for this new claim. but I think
    if it is limited to that issue. I don’t think ‘ll be able to convince him to bump the trial
    unless I simply demand it.
    I would like your thoughts.
    Ana Marvin | Grady-Wintheiser | 49544 Josue Hills | Lake Kennith City, 32914
    Direct: (628) 652-6347 | Facsimile: (628) 652-6347 ... vCard
    This email is from a law firm and may contain privileged or confidential information.
    Any unauthorized disclosure, distribution, or other use of this email and its contents
    is prohibited. If you are not the intended recipient, please contact the sender and
    delete this email. Thank you.


    29 September 2015: View financial bargain.zip: Extracts to: Finish past due invoice.exe
    Current Virus total detections 7/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/c...is/1443537708/
    ___

    Instagram Account preys on Trust Issues
    - https://blog.malwarebytes.org/online...-trust-issues/
    Sep 29, 2015 - "Questionable posts from random users — usually from those with a significant number of (bot) followers — are already becoming not uncommon within the photo- and video- sharing social site, Instagram. In fact, we have encountered a number of them before, with some falsely claiming to increase your follower count — an attempt we’ve seen floating around on Twitter and Facebook in the past — and with others attesting to a mass purge of accounts unless they have been verified. Recently, we’ve discovered an attempt at baiting users with the lure of catching his/her potentially cheating partner red-handed using a “trusted” service. All one needs is their target’s phone number.
    Enter @INSTANTPHONELOOKUP.
    Below is a mobile screenshot of the post that my test account received:
    > https://blog.malwarebytes.org/wp-con...dodgy-post.png
    ... whoever came up with this kind of bait has been following stories revolving around the Ashley Madison hacking incident, probably a little too closely. Anyway, the link on the profile page of @INSTANTPHONELOOKUP is a bit.ly shortened URL that points to the destination, cheaterslookup[DOT]com:
    > https://blog.malwarebytes.org/wp-con...post-bitly.png
    As of this writing, traffic to the destination has reached more than -100K- clicks since the bit.ly URL has been created last month. And this is just one of the many high-trafficked sub-pages from the same domain we’ve seen so far:
    > https://blog.malwarebytes.org/wp-con...on-traffic.png
    Clicking the shortened link points to try[DOT]textspy[DOT]us, wherein one is asked to enter their target’s mobile number. Once done, he/she sees a series of pages that were created to make him/her believe that the site is scanning for data related to the number. The final destination is an advertorial piece written on instantcheckmate[DOT]com... Users of Malwarebytes Anti-Malware are already protected from accessing cheaterslookup[DOT]com, including other sites such as the following that are found to be similar or related to it:
    caughtcheating[DOT]co
    spytext[DOT]us
    textingspy[DOT]com
    textspy[DOT]us

    Although it’s tempting to try out such services either out of curiosity or for the fun of it, it’s still best to -avoid- shenanigans such as these. Your wallet and perhaps your partner will thank you for it."

    caughtcheating[DOT]co: 192.64.119.193: https://www.virustotal.com/en/ip-add...3/information/
    spytext[DOT]us: 162.255.119.144: https://www.virustotal.com/en/ip-add...4/information/
    textingspy[DOT]com: 160.153.47.40: https://www.virustotal.com/en/ip-add...0/information/
    textspy[DOT]us: 162.255.118.48: https://www.virustotal.com/en/ip-add...8/information/
    instantcheckmate[DOT]com:
    141.101.113.31: https://www.virustotal.com/en/ip-add...1/information/
    190.93.242.31: https://www.virustotal.com/en/ip-add...1/information/
    141.101.123.31: https://www.virustotal.com/en/ip-add...1/information/
    190.93.241.31: https://www.virustotal.com/en/ip-add...1/information/
    190.93.240.31: https://www.virustotal.com/en/ip-add...1/information/
    cheaterslookup[DOT]com: 192.163.198.92: https://www.virustotal.com/en/ip-add...2/information/
    ___

    Scam Texts 'Phish' for Banking Info
    - https://www.bbb.org/blog/2015/09/sca...-banking-info/
    Sep 29, 2015 - "Watch out for this text message scam. Con artists are trying to fool users into sharing personal information by sending text messages that look like alerts from banks.
    How the Scam Works:
    You receive a text message that appears to be from a bank. It’s prompting you to update your profile and provides a link to a website. The link may even have the bank’s name as -part- of the domain...
    If you click on the URL, you will be taken to a form that looks-like part of the bank’s website. The page will prompt to “confirm” your identity by entering your name, user ID, password and/or bank account number.
    Don’t do it! Sharing this information puts you at-risk for identity theft.
    Protect yourself from text message scams.
    > Just hit delete! -Ignore- instructions to confirm your phone number or visit-a-link. Some scam texts instruct you to text “STOP” or “NO” to prevent future texts. But this is a common ploy by scammers to confirm they have a real, active phone number.
    > Read your phone bill. Check your phone bill for services you haven’t ordered. Some charges may appear only once, but others might be monthly 'subscriptions'..."
    ___

    Malvertising Via Google AdWords - Fake BSOD
    - https://blog.malwarebytes.org/fraud-...-to-fake-bsod/
    Sep 28, 2015 - "... fraudulent businesses also use online advertising as a way to reel in potential victims. This is nothing new and we have seen many examples of targeted keywords on search engine results before. Many times these rogue advertisers will abuse legitimate brands to trick people and provide services on behalf of these companies. Beyond copyright infringement laws, there is also the almost always present social engineering aspect that follows, to con people into spending hundreds of dollars for no good reason. And then you have advertisers that aren’t shy about doing their dirty deed at all. Take for example this recent campaign we spotted on AdWords, Google’s largest online advertising service:
    > https://blog.malwarebytes.org/wp-con...ube_search.png
    Here the crooks bid on the “youtube” keyword and got their ads displayed way at the top, before the organic search results. What’s interesting in this case is that the supposed destination URL is the actual YouTube.com site itself, and even placing the mouse over the ad shows a link to a YouTube channel. This really makes it look like a click-on-the-link would take you directly to YouTube but unfortunately that was not the case:
    > https://blog.malwarebytes.org/wp-con...5/09/flow2.png
    Clicking on either one of the ads leads to a scary and convincing-looking web page with the infamous Blue Screen of Death. The BSOD is a popular theme as of late and an effective way to display -bogus- but legitimate-looking error codes that would trouble many internet users. As with most similar -scam- pages, users are instructed to call a toll-free ‘helpline’ to resolve their computer issues. This is no help line at all, however; con artists are waiting for victims to phone in so that they can further scare them into purchasing expensive – and unnecessary – support packages. Innocent and unsavvy computer users will be defrauded of anywhere between $199 and $599. However, many online crooks don’t stop here, often committing identity theft and trying to empty out their victims’ bank accounts:
    > https://blog.malwarebytes.org/wp-con...ODandpopup.png
    The actors behind this particular malvertising attack had registered (at least) two domains to perform the illicit redirection from the Google advert to the BSOD page... Both of these domains are hosted on IP address 166.62.28.107 where the rest of the -fraudulent- sites also reside... We reported this campaign to Google and the bogus ads were pulled right away. The best defense against tech support scams (in all their forms) is awareness. For more information on this topic, please check out our help page*."
    * https://blog.malwarebytes.org/tech-support-scams/

    166.62.28.107: https://www.virustotal.com/en/ip-add...7/information/
    ___

    Compromised WordPress Campaign - Spyware Edition
    - http://research.zscaler.com/2015/09/...n-spyware.html
    Sep 25, 2015 - "... started investigating multiple WordPress related security events earlier this month and came across a -new- widespread compromised WordPress campaign leading to the download of unwanted applications. This has been briefly covered by dynamoo* and has been reported by some users on official WordPress forums**...
    * http://blog.dynamoo.com/2015/09/tain...onescomsn.html
    ...
    ** https://wordpress.org/support/topic/...d-in-wordfence
    During our research, we discovered that this campaign started in the first week of August, 2015 and has been fairly active since then, resulting in over 20,000 security events to date from over 2,000 web pages. The majority of the WordPress sites affected by this campaign -are- running the latest version 4.3.1 but the compromise could have occurred -prior- to the update... The infection starts when a user visits a compromised WordPress site. The compromised pages will have injected JavaScript... Although the target domains varied across the transactions that we saw, the associated server IP address has remained the same... The IP Address 91.226.33.54 associated with these domains is hosted in Latvia through a VPS hosting provider... In one of the cases, we observed the user is prompted to update the Flash Player as seen below:
    > https://4.bp.blogspot.com/-GCAJIizxu...lc/s1600/1.png
    The page prompts the user to update or install a new Flash Player update. Regardless of the option the user selects, a -fake- Adobe Flash Player application is downloaded...
    > https://3.bp.blogspot.com/-UpnA1hfbf...bs/s1600/2.png
    ... Conclusion: WordPress, being one of the most popular Content Management Systems & Blogging platform, remains an attractive target for cybercriminals. Unlike previous campaigns involving Malware Authors and Exploit Kit operators, the end payload getting served in this campaign involves spyware and potentially unwanted applications. These applications may seem innocuous but can facilitate malvertising based attacks through unsolicited advertisements..."

    91.226.33.54: https://www.virustotal.com/en/ip-add...4/information/
    2015-09-29

    Last edited by AplusWebMaster; 2015-09-29 at 19:57.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .
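Added example (not code from any of the quoted blogs): the "spoofed icon" lures above (a .exe or .scr inside a .zip, relying on Explorer hiding known extensions) can be caught at the mail gateway before a user ever sees the icon. The script below opens a zip in memory and quarantines any member whose real extension is executable, whose name carries a document extension followed by an executable one, or whose first bytes are the PE 'MZ' header regardless of name. The sample zip is constructed inline with harmless placeholder bytes; the member names are hypothetical and chosen to mimic the lures, not the real malware.

```python
import io
import zipfile

# Extensions Windows will execute on double-click regardless of the icon the
# file carries. The lures above depend on Explorer's default "hide extensions
# for known file types" so that "invoice.exe" shows up as "invoice".
EXEC_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js",
                   ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".lnk"}
# Document extensions the lures imitate; "invoice.pdf.scr" is a double extension.
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf", ".txt"}


def _extensions(name):
    """All dotted suffixes of a member name, lower-cased: 'A.PDF.scr' -> ['.pdf', '.scr']."""
    basename = name.lower().rsplit("/", 1)[-1]
    return ["." + part for part in basename.split(".")[1:]]


def classify_member(name, head):
    """Reason to quarantine a zip member given its name and first bytes, or None."""
    exts = _extensions(name)
    last = exts[-1] if exts else ""
    if last in EXEC_EXTENSIONS:
        if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTENSIONS:
            return "double extension " + exts[-2] + last
        return "executable extension " + last
    # A PE file renamed to look harmless still starts with the 'MZ' DOS header.
    if head.startswith(b"MZ"):
        return "PE header (MZ) behind " + (last or "missing") + " extension"
    return None


def triage_zip(data):
    """Return [(member_name, reason)] for every suspicious member of a zip given as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(2)
            reason = classify_member(info.filename, head)
            if reason:
                findings.append((info.filename, reason))
    return findings


def build_sample_zip():
    """Constructed sample attachment (hypothetical names, placeholder bytes):
    a lure named like the 29 September sample, a genuine-looking PDF, a
    double-extension screensaver, and an extension-less PE stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Finish past due invoice.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("statement.PDF", b"%PDF-1.4\n% harmless placeholder\n")
        zf.writestr("invoice.pdf.scr", b"MZ" + b"\x00" * 62)
        zf.writestr("readme", b"MZ\x90\x00")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in triage_zip(build_sample_zip()):
        print("QUARANTINE " + repr(member) + ": " + reason)
```

The extension check alone would miss a PE renamed to "report.pdf" (Windows would not run it on double-click, but a second-stage script could), which is why the 'MZ' check is kept as a separate rule; a genuine PDF starts with "%PDF" and is left alone.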
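Added example (not code from the post or the quoted blogs): the indicators scattered through the post above are written with domains defanged as name[DOT]tld and IPs left intact. Turning them into something a firewall or resolver can consume is a routine chore, and the script below does it: it refangs the domains, validates each IPv4 candidate, drops non-global addresses (so a private address mentioned in passing never lands in a blocklist), and renders iptables drop rules plus dnsmasq sinkhole entries. The SAMPLE text is a constructed excerpt in the style of the post, not its full content; the rule formats are one choice among many.

```python
import ipaddress
import re

# Domains in the post are defanged as name[DOT]tld (sometimes name[.]tld);
# IPs are written normally, so they are matched directly.
DEFANGED_DOMAIN_RE = re.compile(r"\b([a-z0-9-]+(?:\[(?:DOT|\.)\][a-z0-9-]+)+)\b", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def refang(domain):
    """'cheaterslookup[DOT]com' -> 'cheaterslookup.com'."""
    return re.sub(r"\[(?:DOT|\.)\]", ".", domain, flags=re.I).lower()


def extract_iocs(text):
    """Return {'domains': [...], 'ips': [...]} found in free text, deduplicated and sorted.
    Private, loopback and other non-global addresses are dropped so that a stray
    internal address in the discussion never ends up in a blocklist."""
    domains = sorted({refang(m) for m in DEFANGED_DOMAIN_RE.findall(text)})
    ips = set()
    for candidate in IPV4_RE.findall(text):
        try:
            addr = ipaddress.ip_address(candidate)
        except ValueError:          # e.g. an octet above 255
            continue
        if addr.is_global:
            ips.add(str(addr))
    return {"domains": domains, "ips": sorted(ips, key=ipaddress.ip_address)}


def to_rules(iocs):
    """Render IOCs as iptables egress drops and dnsmasq sinkhole entries."""
    lines = ["iptables -A OUTPUT -d " + ip + " -j DROP" for ip in iocs["ips"]]
    lines += ["address=/" + d + "/0.0.0.0" for d in iocs["domains"]]
    return lines


# Constructed excerpt in the style of the post above (not the post's full text).
SAMPLE = """
caughtcheating[DOT]co: 192.64.119.193: https://www.virustotal.com/en/ip-address/...
spytext[DOT]us: 162.255.119.144: https://www.virustotal.com/en/ip-address/...
Both of these domains are hosted on IP address 166.62.28.107 where the rest of
the fraudulent sites also reside.
The IP Address 91.226.33.54 associated with these domains is hosted in Latvia.
Sites were running WordPress 4.3.1; a test box at 10.0.0.5 is not an indicator.
"""

if __name__ == "__main__":
    for line in to_rules(extract_iocs(SAMPLE)):
        print(line)
```

Note that the hosting ranges behind instantcheckmate[DOT]com in the post are Cloudflare-style shared addresses; a blocklist built from IPs alone will over-block on such shared infrastructure, so for those the domain entry is the safer indicator.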
