
Thread: SPAM frauds, fakes, and other MALWARE deliveries...

  #881 - AplusWebMaster (Adviser Team)

    Fake 'Invoice January', 'Statements' SPAM, LastPass - Phish

    FYI...

    Fake 'Invoice January' SPAM - malicious attachment
    - http://blog.dynamoo.com/2016/01/malw...ary-baird.html
    18 Jan 2016 - "This -fake- financial spam does not come from J. Thomson Colour Printers but is instead a simple -forgery- with a malicious attachment.
    From "A . Baird" [ABaird@ jtcp .co.uk]
    Date Mon, 18 Jan 2016 16:17:20 +0530
    Subject Invoice January
    Hi,
    We have been paid for much later invoices but still have the attached invoice as
    outstanding.
    Can you please confirm it is on your system and not under query.
    Regards
    Alastair Baird
    Financial Controller ...


    Because the email has an error in it, the attachment cannot be downloaded or will appear to be corrupt. This follows on from a similar bunch of corrupt spam messages on Friday... The payload is meant to be the Dridex banking trojan...
    UPDATE: A source (thank you!) tells me that the various versions of the document should download a binary from one of the following locations:
    emirelo .com/786585d/08g7g6r56r.exe
    esecon .com.br/786585d/08g7g6r56r.exe
    outago .com/786585d/08g7g6r56r.exe
    This binary has an MD5 of 971b9f7a200cff489ee38011836f5240 and a VirusTotal detection rate of 3/54*. The same source identifies the following C2 servers which are worth blocking:
    192.232.204.53 (WebSiteWelcome, US)
    110.77.142.156 (CAT BB Net, Thailand)
    216.117.130.191 (Advanced Internet Technologies Inc, US)
    202.69.40.173 (Gerrys Information Technology (pvt) Ltd, Pakistan)
    Recommended blocklist: the four C2 addresses listed above.
    "
    * https://www.virustotal.com/en/file/2...4bcf/analysis/
    TCP connections
    192.232.204.53: https://www.virustotal.com/en/ip-add...3/information/
    13.107.4.50: https://www.virustotal.com/en/ip-add...0/information/

    - http://myonlinesecurity.co.uk/invoic...ls-attachment/
    18 Jan 2016 - "The Dridex bots are -still- not having a good day today. On Friday they sent -3- different malformed/damaged/broken malspams. Today, the first damaged/malformed/broken one is an email with the subject of 'Invoice January' pretending to come from A . Baird <ABaird@ jtcp .co.uk> with a -damaged- attachment that is supposed to be a malicious word doc or XLS spreadsheet attachment... The -damaged/broken- attachment has a name something like INV-IN174074-2016-386.doc
    Downloading this one from quarantine on my server gives what looks like a genuine word doc..
    VirusTotal Detections 5/55* which will attempt to download Dridex banking malware from
    [emirelo .com/786585d/08g7g6r56r.exe] (VirusTotal 3/54**) Payload Security /Reversit Analysis***
    The email looks like:
    From: A . Baird <ABaird@ jtcp .co.uk>
    Date: Mon 18/01/2016 09:45
    Subject: Invoice January
    Hi,
    We have been paid for much later invoices but still have the attached invoice as outstanding.
    Can you please confirm it is on your system and not under query.
    Regards
    Alastair Baird
    Financial Controller ...


    This email attachment contains what appears to be a genuine word doc or Excel XLS spreadsheet with either a macro script or an embedded OLE object that when run -will- infect you. Modern versions of Microsoft office, that is Office 2010, 2013, 2016 and Office 365 should be automatically set to higher security to protect you...
    By default protected view is enabled and macros are disabled, UNLESS you or your company have enabled them. If protected view mode is turned off and macros are enabled then opening this malicious word document will infect you, and simply previewing it in windows explorer or your email client might well be enough to infect you...
    DO NOT follow the advice they give to enable macros or enable editing to see the content..."
    * https://www.virustotal.com/en/file/6...is/1453114324/

    ** https://www.virustotal.com/en/file/2...is/1453115492/
    192.232.204.53: https://www.virustotal.com/en/ip-add...3/information/
    13.107.4.50: https://www.virustotal.com/en/ip-add...0/information/

    *** https://www.reverse.it/sample/629bfd...nvironmentId=1
    Contacted Hosts
    194.24.228.5: https://www.virustotal.com/en/ip-add...5/information/
    192.232.204.53: https://www.virustotal.com/en/ip-add...3/information/
    ___

    Fake 'Statements' SPAM - malicious attachment
    - http://blog.dynamoo.com/2016/01/malw...ts-alison.html
    18 Jan 2016 - "This -fake- financial email does not come from J Thomson Colour Printers but is instead a simple forgery with a malicious attachment.
    From Alison Smith [ASmith@ jtcp .co.uk]
    Date Mon, 18 Jan 2016 18:27:36 +0530
    Subject Statements
    Sent 12 JAN 16 15:36
    J Thomson Colour Printers
    14 Carnoustie Place
    Glasgow
    G5 8PB ...


    Attached is a file S-STA-SBP CRE (0036).xls which is actually -corrupt- due to a monumental failure by the bad guys. The payload is meant to be the Dridex banking trojan, but since -Friday- the attachments have been messed up and will either appear to be garbage or zero length. The payload itself should look similar to this one*, also spoofing the same company."
    * http://blog.dynamoo.com/2016/01/malw...ary-baird.html

    - http://myonlinesecurity.co.uk/j-thom...ls-attachment/
    18 Jan 2016 - "... damaged/broken attachment has a name something like S-STA-SBP CRE (0036).xls ... it would, if fixed, download -Dridex- from the same locations as today’s earlier malspam runs..."
    ___

    LastPass - Phish...
    - https://www.seancassidy.me/lostpass.html
    2016-01-18 - "... discovered a -phishing- attack against LastPass that allows an attacker to steal a LastPass user's email, password, and even two-factor auth code, giving full access to all passwords and documents stored in LastPass. I call this attack 'LostPass'... Because LastPass trained users to expect notifications in the browser viewport, they would be none the wiser. The LastPass login screen and two-factor prompt are drawn in the viewport as well:
    > https://www.seancassidy.me/images/lastpass_login.png
    ...
    > https://www.seancassidy.me/images/lastpass_2fa.png
    ... Here's an image of LastPass and LostPass for Firefox on Windows 8 side-by-side. Which one is which?:
    > https://www.seancassidy.me/images/lastpass_firefox.png "

    Last edited by AplusWebMaster; 2016-01-18 at 16:43.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  #882 - AplusWebMaster (Adviser Team)

    Fake 'Insurance', 'Payment overdue', 'Remittance Advice' SPAM, Cisco Security Report

    FYI...

    Fake 'Insurance' SPAM - doc malware
    - http://myonlinesecurity.co.uk/thank-...d-doc-malware/
    19 Jan 2016 - "The Dridex bots are still having problems again today. Their latest attempt is an email with the subject of 'Thank you for purchasing from Cheaper Travel Insurance – 14068156' pretending to come from info87@ Resellers.insureandgo .com (the info number is random) with a malicious word doc attachment is another one from the current bot runs... While they appear to have fixed the malware attachments, they instead have introduced a new bug and are sending broken emails with -garbled- content... when corrected it will look something like this:

    Screenshot: http://myonlinesecurity.co.uk/wp-con...PER-TRAVEL.png

    19 January 2016: 14068156.doc - Current Virus total detections 4/55*
    [MALWR**] attempts to download Dridex banking malware from
    http :// www .cnbhgy .com/786585d/08g7g6r56r.exe but seems to be having problems and timing out... Update: it eventually downloaded (VirusTotal 2/54***)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/6...is/1453193244/

    ** https://malwr.com/analysis/ODliNGI1N...Q1MDFjYmNiNDc/
    123.1.157.76
    216.59.16.175
    13.107.4.50

    *** https://www.virustotal.com/en/file/e...is/1453194356/
    TCP connections
    216.59.16.175
    8.254.218.14


    - http://blog.dynamoo.com/2016/01/malw...urchasing.html
    19 Jan 2016 - "This -fake- financial spam comes with a malicious attachment:

    Header screenshot: http://www.insureandgo.com/emails/07...per_header.jpg
    Your policy number: MF/CP/205121/14068156
    Dear customer, Thank you for buying your travel insurance from Cheaper.
    Your policy documents are attached.
    Date: 18/01/2016
    Amount: £849.29
    Quote number: 21272810
    Policy number: MF/CP/205121/14068156 ...


    The sender appears to be from info[some-random-number]@ Resellers.insureandgo .com, but it is just a simple forgery. Attached is a malicious Word document that I have seen -five- different versions... download locations as:
    www .cnbhgy .com/786585d/08g7g6r56r.exe
    seaclocks .co .uk/786585d/08g7g6r56r.exe
    mosaicambrosia .com/786585d/08g7g6r56r.exe
    This has a VirusTotal result of 3/54*.... combined with this Hybrid Analysis** show traffic to:
    216.59.16.175 (Immedion LLC, US / VirtuaServer Informica Ltda, Brazil)
    195.96.228.199 (Bulgarian Academy Of Sciences, Bulgaria)
    200.57.183.176 (Triara.com, S.A. de C.V., Mexico)
    62.109.133.248 (Ignum s.r.o, Czech Republic)
    103.23.154.184 (Ozhosting.com Pty Ltd, Australia)
    41.38.18.230 (TE Data, Egypt)
    202.137.31.219 (Linknet, Indonesia)
    176.53.0.103 (Network Devices, Turkey)
    The payload is the Dridex banking trojan, and this activity is consistent with the botnet 220 campaign...
    Recommended blocklist: the eight addresses listed above.


    * https://www.virustotal.com/en/file/e...is/1453194985/
    TCP connections
    216.59.16.175
    8.254.218.14


    ** https://www.hybrid-analysis.com/samp...nvironmentId=4
    ___

    Fake 'Payment overdue' SPAM - malicious attachment
    - http://blog.dynamoo.com/2016/01/malw...t-overdue.html
    19 Jan 2016 - "This -fake- financial spam does not come from the Daily Mail, but is instead a simple -forgery- with a malicious attachment:
    From Raashida Sufi [Raashida.Sufii@ dmgmedia .co.uk]
    Date Tue, 19 Jan 2016 11:40:37 +0300
    Subject Daily Mail - Payment overdue
    Hi,
    I have currently taken over from my colleague Jenine so will be your new POC going
    forward.
    I have attached an invoice that is currently overdue for £360.00. Kindly email me
    payment confirmation today so we can bring your account up to date?
    Kind Regards
    Rash Sufi ...


    I have seen -three- different versions of the malicious attachment Invoice.doc (VirusTotal results 4/53[1]...). The Malwr analysis of these documents [4]... shows that the payload is identical to the Dridex banking trojan described here*."
    1] https://www.virustotal.com/en/file/3...is/1453197760/

    4] https://malwr.com/analysis/ZGRmYTEwN...I0MGM2ODM3ZGY/
    23.229.242.73
    216.59.16.175
    13.107.4.50


    * http://blog.dynamoo.com/2016/01/malw...urchasing.html

    - http://myonlinesecurity.co.uk/daily-...d-doc-malware/
    19 Jan 2016 - "... an email with the subject of 'Daily Mail – Payment overdue'... with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...e-1024x775.png

    19 January 2016: Invoice.doc - Current Virus total detections 4/53*
    This will download Dridex banking malware [ http :// www .cnbhgy .com/786585d/08g7g6r56r.exe ] which is the same location and malware as today’s earlier malspam run**..."
    * https://www.virustotal.com/en/file/3...is/1453195633/

    ** http://myonlinesecurity.co.uk/thank-...d-doc-malware/
    ___

    Fake 'Remittance Advice' SPAM - malicious attachment
    - http://blog.dynamoo.com/2016/01/malw...-1b859e37.html
    19 Jan 2016 - "This -fake- financial does not come from Bellingham + Stanley but is instead a simple -forgery- with a malicious attachment. Reference numbers and sender names will vary.
    From: Adeline Harrison [HarrisonAdeline20@ granjacapital .com.br]
    Date: 19 January 2016 at 09:45
    Subject: Remittance Advice 1B859E37
    For the attention of Accounts Receivable,
    We are attaching an up to date remittance advice detailing the latest payment on your account.
    Please contact us on the email address below if you would like your remittance sent to a different email address, or have any queries regarding your remittance.
    Kind regards,
    Adeline Harrison ...


    I have seen at least -four- different variations of the attachment, named in the format remittance_advice14DDA974.doc ... Malwr reports... show those samples communicating with:
    http :// 179.60.144.19/victor/onopko.php
    http :// 5.34.183.127/victor/onopko.php
    Those IPs are:
    179.60.144.19 (Veraton Projects, Netherlands)
    5.34.183.127 (ITL Company, Ukraine)
    UPDATE 1: this related spam run also downloads from:
    91.223.88.206/victor/onopko.php
    This is allocated to "Private Person Anton Malyi" in Ukraine. A file aarab.exe is dropped... [VT 4/53*] which appears to communicate** with:
    198.50.234.211 (OVH, Canada)
    I strongly recommend that you -block- traffic to that IP. The payload is the Dridex banking trojan, this attack is consistent with botnet 120.
    UPDATE 2: This other Dridex 120 spam run[1] uses different download locations:
    46.17.100.209 /aleksei/smertin.php
    31.131.20.217 /aleksei/smertin.php
    The dropped "aarab.exe" file is also different... and a detection rate of just 2/54***.
    Recommended blocklist: the six addresses listed above (198.50.234.211 plus the five download hosts).
    "
    * https://www.virustotal.com/en/file/6...is/1453202263/

    ** https://malwr.com/analysis/OWMwZWMzO...cxZmNhYjNkNjk/
    198.50.234.211
    13.107.4.50


    1] http://blog.dynamoo.com/2016/01/malw...dvice-for.html

    *** https://www.virustotal.com/en/file/e...is/1453211427/

    - http://myonlinesecurity.co.uk/remitt...d-doc-malware/
    19 Jan 2016 - "Dridex is definitely back with a vengeance today. The latest one of a long line is an email with the subject of 'Remittance Advice For Invoice 04050722' from C-Tech (random numbers) pretending to come from random names and email addresses with a malicious word doc attachment is another one from the current bot runs... The email looks like:
    From: Carey Lucas <LucasCarey44@ search4what .com>
    Date: Tue 19/01/2016 09:41
    Subject: Remittance Advice For Invoice 04050722 From C-Tech
    Dear Accounts
    Please find attached our current remittance advice.
    Kind Regards
    Carey Lucas MAAT
    Accounts Assistant ...


    19 January 2016: C-Tech Remittance04050722.doc - Current Virus total detections 3/55*
    downloads an -updated- Dridex banking malware from the ones described in this earlier run** from
    http :// 46.17.100.209 /aleksei/smertin.php or http :// 31.131.20.217 /aleksei/smertin.php (VirusTotal 2/54***)
    Each attempt at download seems to give me a -different- named file... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/6...is/1453211898/

    ** http://myonlinesecurity.co.uk/ac-433...sheet-malware/

    *** https://www.virustotal.com/en/file/e...is/1453211427/
    aarab.exe

    46.17.100.209: https://www.virustotal.com/en/ip-add...9/information/

    31.131.20.217: https://www.virustotal.com/en/ip-add...7/information/
    ___

    Twitter is back up ...
    - http://www.theinquirer.net/inquirer/...r-major-outage
    Jan 19 2016 - "... Twitter was down for a decent time this morning. Long enough for people to start noticing and complaining about it on things like Facebook and in person... Twitter's status page*, which is presented through Yahoo's Tumblr, shows a trio of recent incidents..."
    * http://twitterstatus.tumblr.com/
    ___

    2016 Cisco Annual Security Report
    - http://blogs.cisco.com/security/fore...ecurity-report
    Jan 19, 2016 - "Our just-released 2016 Cisco Annual Security Report (ASR*) presents a challenging cybersecurity landscape: cyber defense teams are fighting to keep up with rapid global digitization while trying to integrate dozens of vendor solutions, speed up detection, and educate their organizations from top to bottom... attackers grow more bold, flexible, and resilient by the day, setting up professional infrastructures that look a lot like what we’d find in legitimate businesses. On the global front, we see fluctuations in cyber Internet governance across regions, which inhibits collaboration and the ability to respond to attacks... This year’s ASR reveals that attackers increasingly use legitimate online resources to launch their malicious campaigns. Though the news might speak to zero-day attacks, hackers also continue to deploy age-old malware to take advantage of weak spots such as unpatched servers. Aging infrastructure opens up green-field attack surfaces while uneven or inconsistent security practices remain a challenge... Other key insights from the 2016 ASR include a growing encryption trend (particularly HTTPS) for web traffic, which often provides a false sense of security to users—and for companies, potentially cloaks suspicious activity. We are also seeing more use of compromised WordPress servers to support ransomware, bank fraud, and phishing attacks. Alarmingly, between February and October 2015, the number of compromised WordPress installations used by cybercriminals grew by more than 221%... Increased attention, measurable results, added resilience, and focusing on what we can control are all possible now – so let’s capitalize on the moment before it’s too late."
    (More detail at the cisco URL above.)
    * http://www.cisco.com/c/m/en_us/offer...Code=001031952

    Last edited by AplusWebMaster; 2016-01-19 at 22:29.

  #883 - AplusWebMaster (Adviser Team)

    Fake 'Tax Invoice', 'Letter-response', 'Order Confirmation' SPAM, Malvertising

    FYI...

    The 25 worst passwords of 2015
    - https://nakedsecurity.sophos.com/201...make-the-list/
    20 Jan 2016
    > https://sophosnews.files.wordpress.c...-rank-list.png
    ___

    Fake 'Tax Invoice' SPAM - doc malware
    - http://myonlinesecurity.co.uk/tax-in...d-doc-malware/
    20 Jan 2016 - "The Dridex bots seem to have fixed their problems with this email pretending to be a tax invoice with the subject of 'Tax Invoice IN092649' pretending to come from Karin Edwards <karin.edwards@ batonlockuk .com> with a malicious word doc or Excel XLS spreadsheet attachment which downloads Dridex banking Trojan/Malware... The email looks like:
    From: Baton Lock Ltd <karin.edwards@ batonlockuk .com>
    Date:Wed 20/01/2016 10:36
    Subject: Tax Invoice IN092649
    Tax Invoice IN092649 from Baton Lock Ltd.
    Best Regards
    Karin Edwards
    Baton Lock Ltd


    20 January 2016: Tax Invoice IN092649.DOC - Current Virus total detections 3/54*
    Downloads Dridex banking malware... [I expect it to be the same locations as this earlier run[1] and will update if there is any difference]... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/3...is/1453285912/

    1] http://myonlinesecurity.co.uk/your-c...ls-attachment/

    - http://blog.dynamoo.com/2016/01/malw...649-karin.html
    20 Jan 2016 - "This -fake- financial spam is not from Baton Lock Ltd but is instead a simple -forgery- with a malicious attachment.
    From: Karin Edwards [karin.edwards@ batonlockuk .com]
    Date: 20 January 2016 at 09:34
    Subject: Tax Invoice IN092649
    Tax Invoice IN092649 from Baton Lock Ltd.
    Best Regards
    Karin Edwards
    Baton Lock Ltd


    Attached is a file Tax Invoice IN092649.DOC which comes in at least two different versions (VirusTotal results [1] [2]) which according to these Malwr reports [3] [4] downloads from:
    www .lassethoresen .com/98jh6d5/89hg56fd.exe
    www .helios .vn/98jh6d5/89hg56fd.exe
    The dropped file is Dridex, the same as used in this campaign*."
    * http://blog.dynamoo.com/2016/01/malw...n-its-way.html

    1] https://www.virustotal.com/en/file/4...is/1453286684/

    2] https://www.virustotal.com/en/file/f...is/1453286698/

    3] https://malwr.com/analysis/N2VlNmM3N...RjMmMwM2MyNTE/


    4] https://malwr.com/analysis/MzNjNGI1M...I3NDgzZTNiOGY/
    103.28.38.14
    216.224.175.92
    13.107.4.50

    ___

    Fake 'Invoice / Credit Note' SPAM - malicious attachment
    - http://blog.dynamoo.com/2016/01/malw...edit-note.html
    20 Jan 2016 - "This -fake- financial spam is not from Express Newspapers but is instead a simple -forgery- with a malicious attachment:
    From: georgina.kyriacoumilner@ express .co.uk
    Reply-To: hannah.johns@ express .co.uk
    Date: 20 January 2016 at 14:28
    Subject: Invoice / Credit Note Express Newspapers (S174900)
    Please find attached Invoice(s) / Credit Note(s) from Express Newspapers...
    N.B. Please do not reply to this email address as it is not checked.
    Kind Regards,
    Express Newspapers...


    Attached is a file S174900.DOC which comes in at least three different versions... and the Malwr reports for those... shows the following download locations:
    www .helios .vn/98jh6d5/89hg56fd.exe [404 error]
    202.191.112.60 /~n02022-1/98jh6d5/89hg56fd.exe
    www .lassethoresen .com/98jh6d5/89hg56fd.exe
    These are the same locations as seen here*, but now the payload has -changed- ... and a detection rate of 1/54**. The malware still phones home to
    216.224.175.92 (SoftCom America Inc, US) which I recommend you -block-"
    * http://blog.dynamoo.com/2016/01/malw...n-its-way.html

    ** https://www.virustotal.com/en/file/8...is/1453307125/
    TCP connections
    216.224.175.92
    13.107.4.50

    - http://myonlinesecurity.co.uk/invoic...macro-malware/
    20 Jan 2016 - "... an email that pretends to be an invoice/credit note from express newspapers with the subject of 'Invoice / Credit Note Express Newspapers (S174900)' pretending to come from georgina.kyriacoumilner@ express .co.uk with a malicious word doc attachment is another one from the current bot runs...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...0-1024x609.png

    20 January 2016: S174900.DOC - Current Virus total detections 1/53*
    Downloads Dridex from www .lassethoresen .com/98jh6d5/89hg56fd.exe and I am sure other versions of this attachment will download from all the other Dridex locations today** ... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/e...is/1453306851/

    ** http://myonlinesecurity.co.uk/emaili...d-doc-malware/
    ___

    Fake 'Letter-response' SPAM - malicious attachment
    - http://blog.dynamoo.com/2016/01/malw...05-letter.html
    20 Jan 2016 - "... this -fake- financial email isn't from Tim or Plan4Print (aka Excel Colour Print) at all, but is a simple -forgery- with a malicious attachment.
    From Tim Speed [Tim@ plan4print .co.uk]
    Date Wed, 20 Jan 2016 14:33:24 +0300
    Subject Emailing: 120205 Letter-response A3 2-2
    Hi
    Please find estimate attached for Letter-response A3 2-2
    Kind regards
    Tim Speed
    Estimator / Account Handler ..


    Attached is a file 120205 Letter-response A3 2-2.doc of which I have seen just a single sample, with a VirusTotal result of 3/54*. The Malwr report** shows it downloading from:
    www .lassethoresen .com/98jh6d5/89hg56fd.exe
    This is the same malicious binary as used in this earlier attack***. The payload is the Dridex banking trojan."
    * https://www.virustotal.com/en/file/3...is/1453293437/

    ** https://malwr.com/analysis/ZWViMDQyZ...c5Y2UyYjFiMjc/
    198.173.254.216
    216.224.175.92
    8.253.44.158


    *** http://blog.dynamoo.com/2016/01/malw...n-its-way.html

    - http://myonlinesecurity.co.uk/emaili...d-doc-malware/
    20 Jan 2016 - "... an email with the subject of 'Emailing: 120205 Letter-response A3 2-2' pretending to come from Tim Speed <Tim@plan4print .co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...2-1024x676.png

    20 January 2016: 120205 Letter-response A3 2-2.doc - Current Virus total detections 3/54*
    Downloads an -updated- Dridex version from today’s earlier ones from http ://www.helios .vn/98jh6d5/89hg56fd.exe (VirusTotal 1/54**). I am sure all the other same locations*** will also be used in different versions of this attachment..."

    * https://www.virustotal.com/en/file/1...is/1453296447/

    ** https://www.virustotal.com/en/file/8...is/1453296242/
    TCP connections
    216.224.175.92: https://www.virustotal.com/en/ip-add...2/information/
    13.107.4.50: https://www.virustotal.com/en/ip-add...0/information/

    *** http://myonlinesecurity.co.uk/your-c...ls-attachment/
    ___

    Fake 'Order Confirmation' SPAM - doc/xls attachment
    - http://myonlinesecurity.co.uk/emaile...ls-attachment/
    20 Jan 2016 - "The Dridex bots are back to having another bad day. Over the last few days they have sent numerous different malformed/damaged/broken malspams. Today, the first damaged/malformed/broken one is an email with the subject of 'Emailed Order Confirmation – 94602:1' pretending to come from DANE THORNTON <dane@ direct-electrical .com> with a damaged attachment that is supposed to be a malicious word doc or XLS spreadsheet attachment... The damaged/broken attachment has a name something like Order_94602~1.doc . It would, if fixed, download Dridex. The email looks like:
    From: DANE THORNTON <dane@ direct-electrical .com>
    Date: Wed 20/01/2016 08:55
    Subject: Emailed Order Confirmation – 94602:1
    DANE THORNTON


    This email attachment contains what appears to be a genuine word doc or Excel XLS spreadsheet with either a macro script or an embedded OLE object that when run will infect you... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."

    - http://blog.dynamoo.com/2016/01/malw...led-order.html
    20 Jan 2016 - "This -fake- financial spam is meant to have a malicious attachment.
    From "DANE THORNTON" [dane@ direct-electrical .com]
    Date Wed, 20 Jan 2016 16:31:21 +0800
    Subject Emailed Order Confirmation - 94602:1
    --
    DANE THORNTON


    Attached is a file Order_94602~1.doc which in all the samples I have seen has been attached incorrectly to the email, and it will either appear to be zero length or garbage. The payload is meant to be the Dridex banking trojan, but this is the latest of several incidents lately where the bad guys have screwed up..."
    ___

    MSN - More Malware via Malvertising
    - https://blog.malwarebytes.org/malver...-malvertising/
    Jan 19, 2015 - "Malvertisers are once again abusing ad technology platform AdSpirit and exposing visitors of the MSN homepage to malware. These attacks appeared to have been primarily focused on German users via an ad for Lidl, one of Germany’s leading supermarkets. This is not the first time we have caught malvertising on MSN or via AdSpirit. Each time, we spot telltale signs of suspicious activity with advertiser domains freshly created a few days prior to the attack or hiding behind the CloudFlare service.
    Perhaps the only surprise here was to find -different- exploit kits than the usual Angler EK to carry out the execution to the malware payload. In two separate incidents, we observed the RIG and Neutrino exploit kits... While we did not collect the payload in these specific attacks, other similar captures of RIG during the same time frame show that -CryptoWall-ransomware- was downloaded onto vulnerable machines:
    > https://blog.malwarebytes.org/wp-con...Cryptowall.png
    We immediately notified AdSpirit about those incidents which were confirmed and addressed promptly. AppNexus also deactivated the offending ad objects and will be doing a further review about these attacks. To prevent these malvertising infections please ensure that your computer is up-to-date and that you are running the right security tools to mitigate those attacks..."
    ___

    Trojan for Linux takes screenshots
    - https://news.drweb.com/show/?i=9790&c=5&lng=en&p=0
    Jan 19, 2016 - "Malware for Linux becomes more and more diverse. Among them are spyware programs, ransomware, and Trojans designed to carry out DDoS attacks. Doctor Web security researchers examined yet another cybercriminal creation dubbed Linux.Ekoms.1. This Trojan can periodically take screenshots and download different files to a compromised machine. Once launched, Linux.Ekoms.1 checks whether one of the subfolders in the home directory contains files with specified names. If it fails to find any, it randomly chooses a subfolder to save its own copy there. Then, the Trojan is launched from the new location. If successful, the malicious program establishes a connection to the server, whose addresses are hard-coded in its body. All information transmitted between the server and Linux.Ekoms.1 is encrypted. Every 30 seconds the Trojan takes a screenshot and saves it to a temporary folder in the JPEG format. If the file is not saved, the Trojan tries to save it in the BMP format. The temporary folder is uploaded to the server at specified intervals..."

    Last edited by AplusWebMaster; 2016-01-20 at 22:16.
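    The posts above quote their indicators in a defanged form (spaces inside hostnames, "http ://" split apart, trailing "(org, country)" or "[404 error]" notes). The following Python is an added example, not code from this thread or from the blogs it quotes: it refangs lines copied from the posts, builds a de-duplicated host blocklist, and then checks constructed proxy-log lines against both the hosts and the payload paths, since the same path (/786585d/08g7g6r56r.exe, /98jh6d5/89hg56fd.exe) recurs across different download hosts in these runs. The proxy-log format and client addresses are assumptions.

```python
"""Normalize the defanged Dridex indicators quoted in this thread into a
blocklist and match proxy-log lines against it (added example, not from the posts)."""
import re
from collections import Counter
from ipaddress import ip_address

# Indicator lines copied from the thread, in the poster's defanged form.
SAMPLE_LINES = [
    "emirelo .com/786585d/08g7g6r56r.exe",
    "esecon .com.br/786585d/08g7g6r56r.exe",
    "http :// www .cnbhgy .com/786585d/08g7g6r56r.exe",
    "http :// 179.60.144.19/victor/onopko.php",
    "46.17.100.209 /aleksei/smertin.php",
    "192.232.204.53 (WebSiteWelcome, US)",
    "www .lassethoresen .com/98jh6d5/89hg56fd.exe [404 error]",
    "emirelo .com/786585d/08g7g6r56r.exe",  # repeated line: must be de-duplicated
]

INDICATOR_RE = re.compile(r"^(?:(https?)://)?([A-Za-z0-9.-]+)(/\S*)?$")


def refang(line):
    """Undo the defanging used in the posts so the value can be parsed."""
    s = line.strip()
    s = re.sub(r"\s*\[[^\]]*\]\s*$", "", s)        # drop "[404 error]" style notes
    s = re.sub(r"\s*\([^)]*\)\s*$", "", s)         # drop "(org, country)" annotations
    s = re.sub(r"(https?)\s*:\s*//\s*", r"\1://", s)  # "http :// host" -> "http://host"
    s = re.sub(r"\s*\.\s*", ".", s)                # "www .cnbhgy .com" -> "www.cnbhgy.com"
    s = re.sub(r"\s*/\s*", "/", s)                 # "1.2.3.4 /path" -> "1.2.3.4/path"
    return s


def parse_indicator(line):
    """Return {'kind', 'host', 'path'} for one line, or None if it is not an indicator."""
    m = INDICATOR_RE.match(refang(line))
    if not m:
        return None
    _scheme, host, path = m.groups()
    host = host.lower().rstrip(".")
    try:
        ip_address(host)
        kind = "ip"
    except ValueError:
        if "." not in host:
            return None  # bare words such as "Regards" are not hosts
        kind = "domain"
    return {"kind": kind, "host": host, "path": path or ""}


def build_blocklist(lines):
    """Collect unique hosts by kind and count how many distinct hosts serve each path."""
    ips, domains, paths, seen = set(), set(), Counter(), set()
    for line in lines:
        rec = parse_indicator(line)
        if rec is None or (rec["host"], rec["path"]) in seen:
            continue
        seen.add((rec["host"], rec["path"]))
        (ips if rec["kind"] == "ip" else domains).add(rec["host"])
        if rec["path"]:
            paths[rec["path"]] += 1
    return {"ips": sorted(ips), "domains": sorted(domains), "paths": paths}


# Constructed proxy-log lines ("client method url status"); not real traffic.
# The last line uses a host that is NOT on the list but the known payload path.
SAMPLE_PROXY_LOG = [
    "10.0.0.12 GET http://www.cnbhgy.com/786585d/08g7g6r56r.exe 200",
    "10.0.0.15 GET http://example.org/index.html 200",
    "10.0.0.17 POST http://179.60.144.19/victor/onopko.php 200",
    "10.0.0.21 GET http://esecon.com.br.evil.test/786585d/08g7g6r56r.exe 200",
]

PROXY_RE = re.compile(r"^(\S+)\s+(\S+)\s+(https?://[^/\s]+)(/\S*)?\s+(\d{3})")


def match_proxy_log(log_lines, blocklist):
    """Flag entries whose host is blocklisted or whose path is a known payload path."""
    hits = []
    for entry in log_lines:
        m = PROXY_RE.match(entry)
        if not m:
            continue
        client, _method, base, path, _status = m.groups()
        host = base.split("://", 1)[1].lower()
        reasons = []
        if host in blocklist["ips"] or host in blocklist["domains"]:
            reasons.append("blocklisted host")
        if path in blocklist["paths"]:
            reasons.append("known payload path")
        if reasons:
            hits.append((client, host, ", ".join(reasons)))
    return hits


if __name__ == "__main__":
    bl = build_blocklist(SAMPLE_LINES)
    print("ips:", bl["ips"])
    print("domains:", bl["domains"])
    print("paths:", dict(bl["paths"]))
    for hit in match_proxy_log(SAMPLE_PROXY_LOG, bl):
        print("HIT", hit)
```

    Matching on the path as well as the host is what catches the fourth log line, a host the thread never listed serving the same payload path.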

  #884 - AplusWebMaster (Adviser Team)

    Fake '201552 ebill', 'Telephone Bill', 'Replacement Keys', 'Healthcare' SPAM

    FYI...

    Fake Facebook emails deliver malware / phish ...
    - http://net-security.org/malware_news.php?id=3191
    21.01.2016 - "A new spam campaign is targeting Facebook users. It uses the same approach as the recent one aimed at WhatsApp users, and Comodo researchers* believe that the authors of both campaigns are likely the same. The -fake- emails are made to look like an official communication from the popular social network, and their goal is to make the victims believe they have received a voice message..."
    * https://blog.comodo.com/comodo-news/...alware-attack/
    Jan 21, 2016 - "... As part of a random -phishing- campaign, cybercriminals were sending -fake- emails representing the information as official WhatsApp content to spread malware when the attached “message” was clicked on. Now, researchers at the Threat Research Lab have identified a very similar phishing campaign targeted at businesses and consumers who use Facebook – most likely designed by the same cyber criminals who developed the WhatsApp malware. And just like the WhatsApp malware, the new Facebook malware tries to represent itself as an email from Facebook which states there is a new message for the recipient. The email address and sender’s name tries to brand itself as Facebook, but the sender’s email address is from different domains and not in any way related with the Facebook company... The malware in the email itself is in a .zip file, sent as an attachment. Inside the zip file there is an executable file. Upon executing the file (e.g. clicking on the attachment), the malware will automatically replicate itself into “C:\” directory and add itself into an auto-run in the computer’s registry, spreading the malware. Additionally, like the WhatsApp malware, the engineers at Comodo have also identified this new Facebook malware as a variant of the “Nivdort” malware** family... A screen grab of the -malicious- email has been captured below:
    > https://blog.comodo.com/wp-content/uploads/Nivdort.png

    ** https://file-intelligence.comodo.com...1d3f0dbad90efd
    ___

    Fake '201552 ebill' SPAM - malicious attachment
    - http://blog.dynamoo.com/2016/01/malw...nvoicecom.html
    21 Jan 2016 - "This -fake- financial email comes with a malicious attachment.
    From invoices@ ebillinvoice .com
    Date Thu, 21 Jan 2016 15:13:36 +0530
    Subject 201552 ebill
    Customer No : 8652
    Email address : [redacted]
    Attached file name : 8652_201552.DOC
    Dear customer
    Please find attached your invoice for 201552.
    To manage your account online - please visit Velocity...


    There are at least -three- different versions of the attachment 8652_201552.doc (VirusTotal results [1] [2] [3])
    for which the Malwr reports [4] [5] [6] indicate downloads from the following locations:
    phaleshop .com/8h75f56f/34qwj9kk.exe
    bolmgren .com/8h75f56f/34qwj9kk.exe
    return-gaming .de/8h75f56f/34qwj9kk.exe
    montaj-klimat .ru/8h75f56f/34qwj9kk.exe [spotted here*]
    This binary has an MD5 of f23c05c44949c6c8b05ab54fbd9cee40 and a detection rate of 2/54**. Those reports indicate that it phones home to.
    216.224.175.92 (SoftCom America Inc., US)
    A contact (thank you) also pointed out some other locations the malware phones home to
    216.59.16.175 (Immedion LLC, US / Virtuaserver Informica Ltda, Brazil)
    216.117.130.191 (Advanced Internet Technologies Inc., US)
    202.69.40.173 (Gerrys Information Technology (pvt) Ltd, Pakistan)
    The payload is the Dridex banking trojan, being sent by botnet 220.
    Recommended blocklist:
    216.224.175.92
    216.59.16.175
    216.117.130.191
    202.69.40.173
    "
    1] https://www.virustotal.com/en/file/9...is/1453373816/

    2] https://www.virustotal.com/en/file/e...is/1453373886/

    3] https://www.virustotal.com/en/file/9...is/1453373898/

    4] https://malwr.com/analysis/MTQ2ZjM1M...ExNGEyMThlODk/

    5] https://malwr.com/analysis/N2I4MDJlO...NlNDQ2OTlmZjE/

    6] https://malwr.com/analysis/ZGVkZWYxM...E2NDAwODY3OWU/

    * http://blog.dynamoo.com/2016/01/malw...tkeyscouk.html

    ** https://www.virustotal.com/en/file/c...is/1453374873/
    TCP connections
    216.224.175.92: https://www.virustotal.com/en/ip-add...2/information/

    - http://myonlinesecurity.co.uk/201552...d-doc-malware/
    21 Jan 2016 - "An email with the subject of '201552 ebill' pretending to come from invoices@ ebillinvoice .com with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    From: invoices@ ebillinvoice .com
    Date: Thu 21/01/2016 09:37
    Subject: 201552 ebill
    Customer No : 8652
    Email address : rob@ securityandprivacy .co.uk
    Attached file name : 8652_201552.DOC
    Dear customer
    Please find attached your invoice for 201552.
    To manage your account online – please visit Velocity...


    21 January 2016: 8652_201552.DOC - Current Virus total detections 4/54*
    ... this will download Dridex banking malware from [ return-gaming .de/8h75f56f/34qwj9kk.exe ] (VirusTotal 2/55**)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/9...is/1453370622/

    ** https://www.virustotal.com/en/file/6...is/1453371930/
    TCP connections
    216.224.175.92: https://www.virustotal.com/en/ip-add...2/information/
    13.107.4.50: https://www.virustotal.com/en/ip-add...0/information/
    ___

    Fake 'Telephone Bill' SPAM - malicious attachment
    - http://blog.dynamoo.com/2016/01/malw...hone-bill.html
    21 Jan 2016 - "This -fake- financial spam has a malicious attachment.
    From "The Billing Team" [noreply@ callbilling .co.uk]
    Date Thu, 21 Jan 2016 11:44:19 +0100
    Subject Your Telephone Bill Invoices & Reports
    Please see the attached Telephone Bill & Reports.
    Please use the contact information found on the invoice if you wish to contact your
    service provider.
    This message was sent automatically...


    I have only seen a single sample of this email, with an attachment Invoice_316103_Jul_2013.doc which has a detection rate of 2/53*. The Malwr report** for that document shows a download location of:
    bolmgren .com/8h75f56f/34qwj9kk.exe
    That is one of the locations found with this earlier spam run***, and the payload is the Dridex banking trojan."
    * https://www.virustotal.com/en/file/b...is/1453376703/

    ** https://malwr.com/analysis/MjYwZTRhY...E0Y2JlZWY0Y2Q/
    195.128.175.9
    216.224.175.92
    13.107.4.50


    *** http://blog.dynamoo.com/2016/01/malw...nvoicecom.html

    - http://myonlinesecurity.co.uk/your-t...sheet-malware/
    21 Jan 2016 - "An email with the subject of 'Your Telephone Bill Invoices & Reports' pretending to come from The Billing Team <noreply@ callbilling .co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    From: The Billing Team <noreply@ callbilling .co.uk>
    Date: Thu 21/01/2016 10:20
    Subject: Your Telephone Bill Invoices & Reports
    Please see the attached Telephone Bill & Reports.
    Please use the contact information found on the invoice if you wish to contact your service provider.
    This message was sent automatically...


    21 January 2016: Invoice_316103_Jul_2013.doc - Current Virus total detections 2/54*
    This will also download Dridex banking malware from
    http ://return-gaming .de/8h75f56f/34qwj9kk.exe which is the -same- download site as today’s other concurrent malspam run**..."
    * https://www.virustotal.com/en/file/1...is/1453371806/

    ** http://myonlinesecurity.co.uk/201552...d-doc-malware/
    ___

    Fake 'Replacement Keys' SPAM - malicious attachment
    - http://blog.dynamoo.com/2016/01/malw...tkeyscouk.html
    21 Jan 2016 - "This spam has a malicious attachment. It does not come from admin@ replacementkeys .co.uk but is instead a simple -forgery- with a malicious attachment.
    From Replacement Keys [admin@ replacementkeys .co.uk]
    Date Thu, 21 Jan 2016 17:15:08 +0530
    Subject =?utf-8?B?TmV3IE9yZGVyICMgMTAwMTE0MDAw?=
    Order Received!
    We will send you another email when it has been dispatched . If you have any questions about your order please reply to this email. Your order confirmation is below. Thank you for ordering from us.
    Thank you again,
    Replacement Keys


    Attached is a file INVOICEPaid_100114000.xls of which I have only seen a single variant. The VirusTotal detection rate is 4/53* and the Malwr report** indicates a download location from:
    montaj-klimat .ru/8h75f56f/34qwj9kk.exe
    The binary dropped is identical to the one in this earlier spam run*** and it leads to the Dridex banking trojan."
    * https://www.virustotal.com/en/file/e...is/1453377591/

    ** https://malwr.com/analysis/NGZlMDk1Y...Q5NTU0NjcyZGY/

    *** http://blog.dynamoo.com/2016/01/malw...nvoicecom.html

    - http://myonlinesecurity.co.uk/new-or...sheet-malware/
    21 Jan 2016 - "An email with the subject of 'New Order # 100114000' pretending to come from Replacement Keys <admin@ replacementkeys .co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    From: Replacement Keys <admin@ replacementkeys .co.uk>
    Date: Thu 21/01/2016 12:21
    Subject: New Order # 100114000
    Order Received!
    We will send you another email when it has been dispatched ...


    21 January 2016: logmein_pro_receipt.xls - Current Virus total detections 4/52*
    Downloads Dridex from http ://www .bridge-freunde-colonia .de/8h75f56f/34qwj9kk.exe (VirusTotal 1/49**)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/9...is/1453379373/

    ** https://www.virustotal.com/en/file/a...is/1453382710/
    ___

    Fake 'Healthcare' SPAM - malicious attachment
    - http://blog.dynamoo.com/2016/01/malw...hcare-ltd.html
    21 Jan 2016 - "This -fake- financial spam does not come from Gompels Healthcare Ltd but is instead a simple -forgery- with a malicious attachment.
    From: Gompels Healthcare ltd [salesledger@ gompels .co.uk]
    Date: 21 January 2016 at 12:57
    Subject: Gompels Healthcare Ltd Invoice
    Hello
    Please see attached pdf file for your invoice
    Thank you for your business

    The attachment is named fax00375039.doc and it comes in at least two different versions (VirusTotal [1] [2]) and the Malwr reports [3] [4] show download locations from:
    return-gaming .de/8h75f56f/34qwj9kk.exe
    phaleshop .com/8h75f56f/34qwj9kk.exe
    That marks it out as Dridex 220, similar to this spam run*. However, the executable has -changed- from earlier and now has an MD5 of 95a1e02587182abfa66fdcf921ee476e and a zero detection rate at VirusTotal**. However, the malware still phones home to the same IP of 216.224.175.92 as before."
    1] https://www.virustotal.com/en/file/3...is/1453381421/

    2] https://www.virustotal.com/en/file/d...is/1453381734/

    3] https://malwr.com/analysis/NGQ4NzYyN...AzNTg1ZDNjNjE/
    82.165.218.65
    216.224.175.92
    8.254.249.78


    4] https://malwr.com/analysis/OWZmYWQzO...EyZWU3M2VjNmU/
    112.78.2.113
    216.224.175.92
    184.28.188.186


    * http://blog.dynamoo.com/2016/01/malw...nvoicecom.html

    ** https://www.virustotal.com/en/file/a...is/1453381954/

    216.224.175.92: https://www.virustotal.com/en/ip-add...2/information/

    phaleshop .com: 112.78.2.113: https://www.virustotal.com/en/ip-add...3/information/

    - http://myonlinesecurity.co.uk/gompel...d-doc-malware/
    21 Jan 2016 - "An email with the subject of 'Gompels Healthcare Ltd Invoice' pretending to come from Gompels Healthcare ltd <salesledger@ gompels .co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    From: Gompels Healthcare ltd <salesledger@gompels.co.uk>
    Date: Thu 21/01/2016 13:12
    Subject: Gompels Healthcare Ltd Invoice
    Hello
    Please see attached pdf file for your invoice
    Thank you for your business


    21 January 2016: fax00375039.DOC - Current Virus total detections 5/54*
    Downloads Dridex banking malware from
    http ://phaleshop .com/8h75f56f/34qwj9kk.exe which is the -same- Dridex payload as described HERE**..."
    * https://www.virustotal.com/en/file/d...is/1453383052/

    ** http://myonlinesecurity.co.uk/new-or...sheet-malware/

    Last edited by AplusWebMaster; 2016-01-21 at 18:17.
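    The blogs quoted above publish their indicators defanged ("phaleshop .com", "http ://host/path") and close with a "Recommended blocklist". As an added example (not code from this thread or from the Dynamoo or MyOnlineSecurity blogs), the following Python refangs the indicators listed in the '201552 ebill' post, normalises them into a set of C2 addresses and a set of payload URLs, and runs them over a few constructed proxy log lines. It goes one step beyond the post: because the same path (/8h75f56f/34qwj9kk.exe) was served from several compromised sites during this run, it also flags that path on a host not yet on the list. The log format, the client addresses and the host other-host.example are assumptions made up for the example.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators copied from the post above, in the defanged form the blogs use
# ("example .com", "http ://host/path"). Nothing below makes a network request.
DEFANGED_IOCS = [
    "phaleshop .com/8h75f56f/34qwj9kk.exe",
    "bolmgren .com/8h75f56f/34qwj9kk.exe",
    "return-gaming .de/8h75f56f/34qwj9kk.exe",
    "montaj-klimat .ru/8h75f56f/34qwj9kk.exe",
    "216.224.175.92 (SoftCom America Inc., US)",
    "216.59.16.175 (Immedion LLC, US / Virtuaserver Informica Ltda, Brazil)",
    "216.117.130.191 (Advanced Internet Technologies Inc., US)",
    "202.69.40.173 (Gerrys Information Technology (pvt) Ltd, Pakistan)",
]


def refang(text):
    """Undo the spacing the blogs insert so an indicator cannot be clicked."""
    text = re.sub(r"\s+\.", ".", text)                  # "example .com" -> "example.com"
    text = re.sub(r"(https?)\s*:\s*//", r"\1://", text)  # "http ://host" -> "http://host"
    return text.strip()


def parse_iocs(lines):
    """Return (set of C2 IPs, set of (host, path) payload URLs) from defanged lines."""
    ips, urls = set(), set()
    for raw in lines:
        item = refang(raw).split(" (", 1)[0].strip()  # drop "(SoftCom America Inc., US)"
        try:
            ips.add(str(ipaddress.ip_address(item)))
            continue
        except ValueError:
            pass
        if "://" not in item:
            item = "http://" + item
        parts = urlsplit(item)
        if parts.hostname:
            urls.add((parts.hostname.lower(), parts.path))
    return ips, urls


# Assumed (constructed) proxy log format: timestamp client dst_ip method url status
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<dst>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def scan_proxy_log(log_lines, ips, urls):
    """Return (line_number, reason) for every log line that touches an indicator.

    Besides exact IP and URL matches, a hit is also raised when a known payload
    path (e.g. /8h75f56f/34qwj9kk.exe) appears on a host not yet on the list,
    since the same path was served from several compromised sites in this run.
    """
    paths = {path for _, path in urls}
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = LOG_LINE.match(line)
        if not m:
            continue
        dst = m.group("dst")
        parts = urlsplit(m.group("url"))
        host = (parts.hostname or "").lower()
        if dst in ips:
            hits.append((n, f"connection to C2 address {dst}"))
        elif (host, parts.path) in urls:
            hits.append((n, f"known payload URL {host}{parts.path}"))
        elif parts.path in paths:
            hits.append((n, f"payload path {parts.path} on new host {host}"))
    return hits


# Constructed sample log: 112.78.2.113 for phaleshop.com is the address given in the
# post; 203.0.113.9 is documentation address space; the client addresses are made up.
SAMPLE_LOG = [
    "2016-01-21T09:41:02Z 10.0.0.15 93.184.216.34 GET http://example.com/index.html 200",
    "2016-01-21T09:41:07Z 10.0.0.15 112.78.2.113 GET http://phaleshop.com/8h75f56f/34qwj9kk.exe 200",
    "2016-01-21T09:41:09Z 10.0.0.15 216.224.175.92 POST http://216.224.175.92/ 200",
    "2016-01-21T09:55:30Z 10.0.0.22 203.0.113.9 GET http://other-host.example/8h75f56f/34qwj9kk.exe 200",
]

if __name__ == "__main__":
    c2_ips, payload_urls = parse_iocs(DEFANGED_IOCS)
    for n, reason in scan_proxy_log(SAMPLE_LOG, c2_ips, payload_urls):
        print(f"line {n}: {reason}")
```

Run as-is it reports lines 2, 3 and 4 of the sample log: the known payload URL, the POST to the C2 address, and the same payload path on an unlisted host. The path-only match is the part worth tuning: it catches the next compromised site in the same run, but it is only as specific as the path, so keep it for long random paths like this one and not for generic names.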

  5. #885
    Adviser Team AplusWebMaster's Avatar

    Fake 'scanner', 'mathforum', 'tracking info' SPAM

    FYI...

    Fake 'scanner' SPAM - malicious attachment
    - http://blog.dynamoo.com/2016/01/malw...caminolta.html
    22 Jan 2016 - "At the moment there is a heavy spam run pushing the Dridex banking trojan, pretending to be from a multifunction device or scanner.
    Subject: Message from KONICA_MINOLTA
    Subject: Message from MFD
    Subject: Message from scanner

    The spam appears to come from within the victim's own domain, from one of the following email addresses:
    MFD@ victimdomain .tld
    scanner@ victimdomain .tld
    KONICA_MINOLTA@ victimdomain .tld
    This is just a simple forgery. It doesn't mean that your organisation has been compromised.. it really is a very simple trick. In all cases the attachment is named SKM_4050151222162800.doc, which appears to come in -three- versions... reports... indicate executable download locations at:
    www .showtown-danceband .de/ghf56sgu/0976gg.exe
    ausonia-feng-shui .de/ghf56sgu/0976gg.exe
    gahal .cz/ghf56sgu/0976gg.exe
    This binary has a detection rate of 1/54* and that VirusTotal report plus this Malwr report** show it phoning home to:
    192.241.207.251 (Digital Ocean Inc., US)
    I strongly recommend that you -block- traffic to that IP. The payload is the Dridex banking trojan, sent by botnet 220."
    * https://www.virustotal.com/en/file/e...is/1453454938/
    TCP connections
    192.241.207.251: https://www.virustotal.com/en/ip-add...1/information/
    89.149.175.18: https://www.virustotal.com/en/ip-add...8/information/

    ** https://malwr.com/analysis/Y2NhNDhlM...M5NzA0ODM2NmQ/
    192.241.207.251: https://www.virustotal.com/en/ip-add...1/information/
    8.254.207.46: https://www.virustotal.com/en/ip-add...6/information/

    - http://myonlinesecurity.co.uk/messag...d-doc-malware/
    22 Jan 2016 - "An email with the subject of 'Message from KONICA_MINOLTA' (or Message from MFD or any other scanner or printer) pretending to come from scanner@ <your email domain> on behalf of MFD@ <victim domain> with a malicious word doc attachment is another one from the current bot runs... The email looks like:
    From: scanner@ malware-research .co.uk; on behalf of; MFD@ malware-research .co.uk
    Date: Fri 22/01/2016 08:56
    Subject: Message from KONICA_MINOLTA or Message from MFD or Message from Scanner


    Body content: totally empty body
    22 January 2016: SKM_4050151222162800.doc - Current Virus total detections 3/54*
    Downloads Dridex banking malware from http ://ausonia-feng-shui .de/ghf56sgu/0976gg.exe
    (VirusTotal **). Other download locations from different versions of this maldoc attachment are: www .showtown-danceband .de/ghf56sgu/0976gg.exe and gahal .cz/ghf56sgu/0976gg.exe
    DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/d...is/1453452819/

    ** https://www.virustotal.com/en/file/e...is/1453453469/
    TCP connections
    192.241.207.251: https://www.virustotal.com/en/ip-add...1/information/
    89.149.175.18: https://www.virustotal.com/en/ip-add...8/information/
    ___

    Fake 'mathforum' SPAM - JS malware
    - http://myonlinesecurity.co.uk/hi-mat...rg-js-malware/
    22 Jan 2016 - "An email with the subject of 'hi' coming from gshatford <gshatford@ mathforum .org> (probably -compromised- servers, that will be sending these out from multiple email addresses) with a zip attachment is another one from the current bot runs... The content of the email simply says:
    DATE:1/22/2016 7:47:24 AM

    22 January 2016: yu.zip: Extracts to: invoice_SCAN_1pMVj.js - Current Virus total detections 5/53*
    [MALWR**] [WEPAWET***] which downloads 80.exe (virus total 2/55[4]) from a combination of these sites memyselveandi .com/80.exe | deempheal .com/80.exe - These have previously been teslacrypt/cryptowall or similar ransomware... it definitely is a password stealer and ransomware version [MALWR[5]].
    This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like an innocent file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/3...is/1453449215/

    ** https://malwr.com/analysis/ZGFjNDBjM...Y0MzViM2IwMDg/
    51.255.10.132

    *** https://wepawet.iseclab.org/view.php...fd0932&type=js

    4] https://www.virustotal.com/en/file/d...is/1453449556/
    TCP connections
    144.76.253.225: https://www.virustotal.com/en/ip-add...5/information/
    182.50.147.1: https://www.virustotal.com/en/ip-add...1/information/

    5] https://malwr.com/analysis/NmM0MDMzM...dhNjkyZjNjOTI/
    144.76.253.225
    182.50.147.1
    185.24.99.98
    176.106.190.60
    94.23.247.172
    104.28.5.189
    69.73.182.201

    ___

    Fake 'tracking info' SPAM - xls malware
    - http://myonlinesecurity.co.uk/ukmail...sheet-malware/
    22 Jan 2016 - "An email with the subject of 'UKMail 988271023 tracking information' pretending to come from no-reply@ ukmail .com with a malicious Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    From: no-reply@ ukmail .com
    Date: Fri 22/01/2016 12:15
    Subject: UKMail 988271023 tracking information
    UKMail Info!
    Your parcel has not been delivered to your address January 21, 2016, because nobody was at home.
    Please view the information about your parcel, print it and go to the post office to receive your package.
    Warranties
    UKMail expressly disclaims all conditions, guarantees and warranties, express or implied, in respect of the Service.
    Where the law prevents such exclusion and implies conditions and warranties into this contract,
    where legally permissible the liability of UKMail for breach of such condition,
    guarantee or warranty is limited at the option of UKMail to either supplying the Service again or paying the cost of having the service supplied again.
    If you don’t receive a package within 30 working days UKMail will charge you for it’s keeping.
    You can find any information about the procedure and conditions of parcel keeping in the nearest post office.
    Best regards,
    UKMail


    22 January 2016: 988271023-PRCL.xls - Current Virus total detections 4/55*
    This will download Dridex banking malware from
    http ://www .stijnminne .be/ghf56sgu/0976gg.exe (VirusTotal 1/54**)... Dridex malware was seen in some examples of THIS earlier malspam run***, which was malspammed out in -several- waves throughout the morning. Note: Dridex updates frequently throughout the day..."
    * https://www.virustotal.com/en/file/8...is/1453464516/

    ** https://www.virustotal.com/en/file/e...is/1453462957/
    0976gg.exe
    TCP connections
    192.241.207.251: https://www.virustotal.com/en/ip-add...1/information/
    89.149.175.18: https://www.virustotal.com/en/ip-add...8/information/

    *** http://myonlinesecurity.co.uk/messag...d-doc-malware/

    - http://blog.dynamoo.com/2016/01/malw...-tracking.html
    22 Jan 2016 - "This -fake- delivery email is not from UKMail but is instead a simple -forgery- with a malicious attachment:
    From: no-reply@ ukmail .com
    Date: 22 January 2016 at 12:14
    Subject: UKMail 988271023 tracking information
    UKMail Info!
    Your parcel has not been delivered to your address January 21, 2016, because nobody was at home.
    Please view the information about your parcel, print it and go to the post office to receive your package...
    If you don't receive a package within 30 working days UKMail will charge you for it's keeping.
    You can find any information about the procedure and conditions of parcel keeping in the nearest post office.
    Best regards,
    UKMail


    The attachment is named 988271023-PRCL.xls which appears to come in at least two variants (VirusTotal [1] [2]) which according to these Malwr reports [3] [4] downloads a malicious executable from:
    www .stijnminne .be/ghf56sgu/0976gg.exe
    raeva .com.ua/ghf56sgu/0976gg.exe
    This binary has a detection rate of 4/54*. It is the -same- payload as found in this earlier spam run**."
    1] https://www.virustotal.com/en/file/e...is/1453467080/

    2] https://www.virustotal.com/en/file/8...is/1453467094/

    3] https://malwr.com/analysis/N2JmNGEyM...cxNjM4MDBlZDg/
    91.234.32.117
    192.241.207.251
    13.107.4.50


    4] https://malwr.com/analysis/ZjkyMGFhZ...FkN2Q5Nzc1Mjg/
    195.130.132.84
    192.241.207.251
    184.25.56.42


    * https://www.virustotal.com/en/file/e...is/1453467328/
    0976gg.exe
    TCP connections
    192.241.207.251: https://www.virustotal.com/en/ip-add...1/information/
    89.149.175.18: https://www.virustotal.com/en/ip-add...8/information/

    ** http://blog.dynamoo.com/2016/01/malw...caminolta.html

    Last edited by AplusWebMaster; 2016-01-22 at 15:14.

  6. #886
    Adviser Team AplusWebMaster's Avatar

    Fake 'E-mail-Account Update' PHISH

    FYI...

    Fake 'E-mail-Account Update' SPAM – PHISH ...
    - http://myonlinesecurity.co.uk/e-mail...date-phishing/
    24 Jan 2016 - "A slightly different -phishing- email today, that pretends to be a notice from your email provider saying that you 'need to update your email'. All the ones I have seen are addressed to different names at different email domains...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...e-1024x615.png

    The links behind all the links go to http ://www .clavadelriverlodge .co.za/images/upgrade/index.php?email=name@ victimdomain .com, where they have set up rather a clever attempt to get your email log in details. They already have your email address and want the -password- to go along with it.
    The site does a fairly good imitation of a Cpanel page with a processing bar that gradually increases to 100%. The name on the page is dynamically created based on the email address in the referral. The phishers have gone to quite a lot of trouble and effort with this one. Luckily Internet Explorer smart filter knows about it & warns you with a bright red Address bar in your browser. Unfortunately Chrome & Firefox haven’t caught up yet:
    > http://myonlinesecurity.co.uk/wp-con...e-1024x599.png

    ... Watch for -any- site that invites you to enter ANY personal, log in or financial information... All of these emails use Social engineering tricks to persuade you to open the -attachments- or follow the -links- that come with the email..."

    clavadelriverlodge .co.za: 192.185.174.108: https://www.virustotal.com/en/ip-add...8/information/

    Last edited by AplusWebMaster; 2016-01-24 at 14:37.

  7. #887
    Adviser Team AplusWebMaster's Avatar

    Fake 'Direct Debit', 'Order PO' SPAM

    FYI...

    Fake 'Direct Debit' SPAM - doc/xls malware
    - http://myonlinesecurity.co.uk/direct...d-doc-malware/
    25 Jan 2016 - "... mass Dridex malspams. The first is an email with random subject of 'Direct Debit Mandate' from [random companies] pretending to come from random senders with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    From: Ezekiel Holcomb <HolcombEzekiel7086@ acttv .in>
    Date: Mon 25/01/2016 09:10
    Subject: Direct Debit Mandate from Thames Water Authority
    Good morning
    Please attached Direct Debit Mandate from Thames Water Authority;
    complete, sign and scan return at your earliest convenience.
    Kind regards,
    Ezekiel Holcomb
    TEAM SUPPORT
    Thames Water Authority ...


    25 January 2016 : SharpC1889@acttv.in_4430446.doc - Current Virus total detections 3/52*
    MALWR** shows it downloads Dridex from http ://109.234.35.80 /konfetka/roschen.php which gave me a file named mancity.exe (VirusTotal ***)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/2...is/1453712908/

    ** https://malwr.com/analysis/MDM5MGFkM...ljYTIyMjUzMDM/
    109.234.35.80

    *** https://www.virustotal.com/en/file/d...is/1453713995/

    109.234.35.80: https://www.virustotal.com/en/ip-add...0/information/
    ___

    Fake 'Order PO' SPAM - malware
    - http://myonlinesecurity.co.uk/order-...00731-malware/
    25 Jan 2016 - "An email with the subject of 'Order PO # 10000731' pretending to come from Parkcom Co.ltd <simpark@ parkcom .co.kr> with a zip attachment is another one from the current bot runs... The email looks like:
    From: Parkcom Co.ltd <simpark@ parkcom .co.kr>
    Date: Mon 25/01/2016 03:39
    Subject: Order PO # 10000731
    Attachment: PO _ 10000731.zip
    Body content:
    Dear Customer,
    Find attached our purchase order. Kindly quote us best price and send us proforma invoice asap, so that we can proceed with the necessary payment,We need this Order urgently. kindly confirm the PO and send PI asap.
    Thank you.
    Ms. Sim Park ...


    Today's Date: PO _ 10000731.zip: Extracts to: PO # 10000731.exe - Current Virus total detections 9/54*
    I don’t actually know what this one does. The detections are all generic detections. MALWR crashed.
    This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/3...is/1453717414/
    TCP connections
    23.206.38.87: https://www.virustotal.com/en/ip-add...7/information/

    Last edited by AplusWebMaster; 2016-01-25 at 21:17.
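    Both the 'mathforum' post (yu.zip extracting to invoice_SCAN_1pMVj.js) and the 'Order PO' post (PO _ 10000731.zip extracting to PO # 10000731.exe with a PDF icon) describe the same trick: a zip whose single member is a script or executable dressed up as a document, relying on Explorer hiding known extensions. A mail gateway sees the real member name regardless of that Explorer setting, so the check can be done there. As an added example (not code from this thread or from the quoted blogs), the following Python lists the members of an attachment held in memory and flags executable and double-extension names; the sample zips are constructed here with inert placeholder contents, and the extension lists are an assumed default rather than anything from the posts.

```python
import io
import posixpath
import zipfile

# File types Windows will run or script when double-clicked. The posts only
# mention .js and .exe; the rest of the list is an assumed sensible default.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd",
                   ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta"}
# Document types a spoofed icon typically imitates ("invoice.pdf.exe").
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg"}


def classify_name(name):
    """Return the reasons a zip member name looks like a disguised executable."""
    base = posixpath.basename(name.replace("\\", "/")).lower()
    # "po # 10000731.pdf.exe" -> extensions [".pdf", ".exe"]
    exts = ["." + piece for piece in base.split(".")[1:]]
    reasons = []
    if exts and exts[-1] in EXECUTABLE_EXTS:
        reasons.append(f"executable type {exts[-1]}")
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS and exts[-1] in EXECUTABLE_EXTS:
        reasons.append(f"double extension {exts[-2]}{exts[-1]}")
    return reasons


def inspect_zip(data):
    """Inspect a zip attachment held in memory; map suspicious member -> reasons."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = classify_name(info.filename)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip(members):
    """Constructed sample: build an in-memory zip from {member name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed attachments using the member names reported in the posts plus two
# extra cases; the contents are harmless placeholders, not the real files.
SAMPLES = {
    "yu.zip": build_sample_zip({"invoice_SCAN_1pMVj.js": b"// placeholder, not the real script\n"}),
    "PO _ 10000731.zip": build_sample_zip({"PO # 10000731.exe": b"MZ placeholder"}),
    "invoice.zip": build_sample_zip({"invoice.pdf.exe": b"MZ placeholder"}),
    "report.zip": build_sample_zip({"report.pdf": b"%PDF-1.4 placeholder"}),
}


def triage(samples):
    """Run inspect_zip over every attachment; attachments with no findings map to {}."""
    return {name: inspect_zip(data) for name, data in samples.items()}


if __name__ == "__main__":
    for attachment, findings in triage(SAMPLES).items():
        verdict = "; ".join(f"{m}: {', '.join(r)}" for m, r in findings.items()) or "clean"
        print(f"{attachment}: {verdict}")
```

The decision is made on the member name inside the archive, which is what the user ends up double-clicking, so a zip named after an invoice still gets flagged when it holds a .js or .exe. Only report.zip, whose member really is a .pdf, comes back clean.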

  8. #888
    Adviser Team AplusWebMaster's Avatar

    Payment data security, Fake 'Refund', 'Bill', 'Heating Invoice' SPAM, TurboTax Phish

    FYI...

    Payment data security - at risk...
    - http://net-security.org/secworld.php?id=19369
    26 Jan 2016 - "With acceptance of mobile and other new forms of payments expected to double in the next two years, a new global study shows a critical need for organizations to improve their payment data security practices. This is according to a recent survey of more than 3,700 IT security practitioners from more than a dozen major industry sectors conducted by the Ponemon Institute for Gemalto*... 54% of those surveyed said their company had a security or data breach involving payment data, four times in past two years in average. This is not surprising given the security investments, practices and procedures highlighted by the surveyed respondents:
    - 55% said they did -not- know where all their payment data is stored or located.
    - Ownership for payment data security is -not- centralized with 28% of respondents saying responsibility is with the CIO, 26% saying it is with the business unit, 19% with the compliance department, 15% with the CISO, and 14% with other departments.
    - 54% said that payment data security is -not- a top five security priority for their company with only one third (31%) feeling their company allocates enough resources to protecting payment data.
    - 59% said their company -permits- third party access to payment data and of these only 34% utilize multi-factor authentication to secure access.
    - Less than half of respondents (44%) said their companies use end-to-end encryption to protect payment data from the point of sale to when it is stored and/or sent to the financial institution.
    - 74% said their companies are either -not- PCI DSS compliant or are only partially compliant.
    ... the study found that nearly three quarters (72%) of those surveyed believe these new payment methods are putting payment data at risk and 54% do not believe or are unsure their organization’s existing security protocols are capable of supporting these platforms..."

    * http://blog.gemalto.com/blog/2016/01...bile-payments/
    26 Jan 2016
    ___

    Fake 'Refund' SPAM - JS malware
    - http://myonlinesecurity.co.uk/refund...en-js-malware/
    26 Jan 2016 - "Another run of Nemucod downloaders today starting with an email with the subject of 'Refund for the Purchase' – Kevin Cohen [random names] pretending to come from random senders and random email addresses with a zip attachment is another one from the current bot runs... The email looks like:
    From: Kevin Cohen <fonenzo@ teletu .it>
    Date: Tue 26/01/2016 06:21
    Subject: Refund for the Purchase – Kevin Cohen.
    Attachment: Kevin Cohen.zip
    We are sorry to tell you, however, the item you have purchased is not available at the moment. In the file enclosed you can see the details about the refund policy.


    26 January 2016: Kevin Cohen.zip - Extracts to: Kevin Cohen.js - Current Virus total detections 6/55*
    which WEPAWET** shows us downloads 3 files
    http ://dertinyanl .com/img/script.php?tup1.jpg which is renamed to 3330263.exe (VirusTotal 4/54[3])
    http ://dertinyanl .com/img/script.php?tup2.jpg which is renamed to 4441845.exe (VirusTotal 3/53[4])
    http ://dertinyanl .com/img/script.php?tup3.jpg which is renamed to 5553619.exe (VirusTotal 3/54[5])
    This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like an innocent file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/d...is/1453800745/

    ** https://wepawet.iseclab.org/view.php...11c552&type=js

    3] https://www.virustotal.com/en/file/1...is/1453801558/

    4] https://www.virustotal.com/en/file/4...is/1453801571/

    5] https://www.virustotal.com/en/file/5...is/1453801579/

    Nemucod malware spreads ransomware Teslacrypt:
    - http://www.welivesecurity.com/2015/1...-around-world/
    ___

    Fake 'Bill' SPAM - doc/xls malware
    - http://myonlinesecurity.co.uk/fwdbil...sheet-malware/
    26 Jan 2016 - "An email with the subject of 'Fwd: Bill to Grant Morgan' coming from random email addresses with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    From: Grant Morgan <rafael.kamal@ compume .com.eg>
    Date: Tue 26/01/2016 05:25
    Subject: Fwd:Bill to Grant Morgan.
    Attachment: 20MEPRZ8WBE.doc
    Body content:
    Hello.
    Please check the report attached. In order to avoid fine for delay you need to pay within 48 hours.
    Best regards
    Grant Morgan

    -or-
    Good morning.
    Please see the invoice in attachment. In order to avoid penalty for delay you should pay in 24 hours.
    Thanks
    Barrett Watkins


    26 January 2016: 20MEPRZ8WBE.doc - Current Virus total detections 2/54*
    ... Hybrid Analysis** eventually gave me 209743.exe (VirusTotal 3/45***) downloaded from
    icenails .ro/imgwp.jpg?LJGKKxdZEHWYMi=38 .
    >> http://myonlinesecurity.co.uk/wp-con...1/WP_image.png
    The bad actors behind this campaign are using a new-macro-style which is long and even more complicated than previous ones... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/4...is/1453787886/

    ** https://www.hybrid-analysis.com/samp...nvironmentId=1
    Contacted Hosts
    188.214.17.162
    110.138.108.142


    *** https://www.virustotal.com/en/file/c...is/1453812606/

    icenails .ro: 188.214.17.162: https://www.virustotal.com/en/ip-add...2/information/
    > https://www.virustotal.com/en/file/c...bceb/analysis/
    ___

    Fake 'Heating Invoice' SPAM - malicious attachment
    - http://blog.dynamoo.com/2016/01/malw...nnovation.html
    26 Jan 2016 - "This -fake- financial email is not from Alpha Heating Innovation but is instead a simple
    -forgery- with a malicious attachment:
    From Kurt Sexton
    Date Tue, 26 Jan 2016 10:59:05 -0500
    Subject =?UTF-8?B?UmVtaXR0YW5jZSBBZHZpY2UgNTk2M0U5?=
    For the attention of Accounts Receivable,
    We are attaching an up to date remittance advice detailing the latest payment on
    your account.
    Please contact us on the email address below if you would like your remittance sent
    to a different email address, or have any queries regarding your remittance.
    Kind regards,
    Kurt Sexton
    Best Regards,
    Kurt Sexton
    Credit Controller - Alpha Heating Innovation ...


    The names of the sender and reference numbers will vary. I have only seen -two- different variants of the attachment, in the format remittance_advice5963E9.doc (VirusTotal [1] [2]) but there are probably more. Analysis is pending... It does seem to have some characteristics of a Dridex downloader."
    1] https://www.virustotal.com/en/file/7...is/1453824210/
    4/54 - remittance_adviceB177B0.doc

    2] https://www.virustotal.com/en/file/7...is/1453824233/
    4/54 - remittance_advice5963E9.doc

    Labels: DOC, Dridex, Malware, Spam, Viruses

    - http://myonlinesecurity.co.uk/alpha-...d-doc-malware/
    26 Jan 2016 - "An email with the subject of 'Remittance Advice 17B6D1' (random numbers) pretending to come from random email addresses with a malicious word doc attachment is another one from the current bot runs... The email looks like:
    From: Leonardo Bryan <BryanLeonardo1689@ thedogofnashville .com>
    Date: Tue 26/01/2016 14:57
    Subject: Remittance Advice 17B6D1
    Attachment: remittance_advice00AAD7.doc
    For the attention of Accounts Receivable,
    We are attaching an up to date remittance advice detailing the latest payment on your account.
    Please contact us on the email address below if you would like your remittance sent to a different email address, or have any queries regarding your remittance.
    Kind regards,
    Leonardo Bryan
    Best Regards,
    Leonardo Bryan
    Credit Controller – Alpha Heating Innovation...


    26 January 2016: remittance_advice00AAD7.doc - Current Virus total detections 4/54*
    Waiting for analysis. It is likely to be the Dridex banking malware... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/7...is/1453825399/
    ___

    TurboTax Phish
    - https://security.intuit.com/alert.php?a=329
    1/25/2016 - "People are receiving -fake- emails with the title containing their name. Below is a copy of the email people are receiving:
    > https://security.intuit.com/images/T...h201252016.jpg
    ... Do -not- open the attachment in the email... attempts to fraudulently obtain sensitive information..."

    - https://security.intuit.com/alert.php?a=328
    1/25/2016 - " People are receiving -fake- emails with the title "Access to prior year returns is locked". Below is a copy of the email people are receiving:
    > https://security.intuit.com/images/T...h101252016.jpg
    ... Do -not- open the attachment in the email... attempts to fraudulently obtain sensitive information..."

    ... more here:
    >> https://security.intuit.com/security-alerts.php

    Last edited by AplusWebMaster; 2016-01-26 at 21:22.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  9. #889

    Thumbs down Fake 'New Order', 'Invoice', 'Enterprise Invoices' SPAM, 'WorldRemit' phish

    FYI...

    Fake 'New Order' SPAM - malicious attachment
    - http://blog.dynamoo.com/2016/01/malw...le-ludlow.html
    27 Jan 2016 - "This -fake- financial spam does not come from DS Smith Plc, but is instead a simple forgery with a malicious attachment.
    From Michelle Ludlow [Michelle.Ludlow@ dssmith .com]
    Date Wed, 27 Jan 2016 17:27:22 +0800
    Subject New Order
    Hi
    Please see attached for tomorrow.
    Thanks
    Michelle Ludlow
    Customer Services Co-Ordinator - Packaging Services
    Packaging Division ...


    So far I have seen two different variants of the attachment doc4502094035.doc (VirusTotal [1] [2]) which according to these Malwr reports [3] [4] download a malicious executable from the following locations:
    vinagps .net/54t4f4f/7u65j5hg.exe
    trendcheckers .com/54t4f4f/7u65j5hg.exe
    This binary has a detection rate of 5/53*. Those two Malwr reports and the VirusTotal report show the malware phoning home to:
    119.160.223.115 (Loxley Wireless Co. Ltd., Thailand)
    I strongly recommend that you -block- traffic to that IP. The payload is probably the Dridex banking trojan and this looks consistent with botnet 220 activity."
    1] https://www.virustotal.com/en/file/6...is/1453887313/

    2] https://www.virustotal.com/en/file/f...is/1453887331/

    3] https://malwr.com/analysis/Y2I4ZWFkZ...ZhYjNiNGZjN2I/

    4] https://malwr.com/analysis/MzY5MDlkZ...I0M2U3MDM0MmY/

    * https://www.virustotal.com/en/file/9...is/1453887706/
    TCP connections
    119.160.223.115: https://www.virustotal.com/en/ip-add...5/information/
    104.86.110.240: https://www.virustotal.com/en/ip-add...0/information/

    - http://myonlinesecurity.co.uk/new-or...sheet-malware/
    27 Jan 2016 - "An email with the subject of 'New Order' pretending to come from Michelle Ludlow <Michelle.Ludlow@ dssmith .com> with a malicious word doc attachment is another one from the current bot runs...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...r-1024x650.png

    27 January 2016: doc4502094035.doc - Current Virus total detections 5/53*
    MALWR** - Downloads http ://vinagps .net/54t4f4f/7u65j5hg.exe
    It is almost certain to be Dridex banking Trojan (VirusTotal 4/54***)
    I am informed that an alternate download site is trendcheckers .com/54t4f4f/7u65j5hg.exe
    [The Auto Analysers at payload security are under very-heavy-load this morning with hundreds of files queued and long delays. I assume the bad actors are deliberately flooding them to slow down analysis] ...
    DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/f...is/1453886419/

    ** https://malwr.com/analysis/Y2I4ZWFkZ...ZhYjNiNGZjN2I/
    112.213.95.154
    119.160.223.115
    13.107.4.50


    *** https://www.virustotal.com/en/file/9...is/1453886821/
    TCP connections
    119.160.223.115: https://www.virustotal.com/en/ip-add...5/information/
    104.86.110.240: https://www.virustotal.com/en/ip-add...0/information/
    ___

    Fake 'Invoice' SPAM - doc malware
    - http://myonlinesecurity.co.uk/invoic...d-doc-malware/
    27 Jan 2016 - "An email with the subject of 'Invoice 9210' pretending to come from Dawn Salter <dawn@ mrswebsolutions .com> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...r-1024x802.png

    27 January 2016: 9210.doc - Current Virus total detections 1/55*
    This downloads Dridex banking Trojan from
    http ://www .hartrijders .com/54t4f4f/7u65j5hg.exe (VirusTotal 1/55**)
    DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/e...is/1453901338/

    ** https://www.virustotal.com/en/file/a...is/1453902011/


    - http://blog.dynamoo.com/2016/01/malw...wn-salter.html
    27 Jan 2016 - "... The attachment is named 9210.doc which I have seen come in -three- versions... The Malwr reports for those... shows executable download locations at:
    www .cityofdavidchurch .org/54t4f4f/7u65j5hg.exe
    www .hartrijders .com/54t4f4f/7u65j5hg.exe
    grudeal .com/54t4f4f/7u65j5hg.exe
    This binary has a detection rate of 1/53*... Hybrid Analysis of the binary shows that it phones home to:
    119.160.223.115 (Loxley Wireless Co. Ltd., Thailand)
    This is the -same- IP as seen in this earlier spam run**, I recommend you -block- it."
    * https://www.virustotal.com/en/file/a...is/1453903737/

    ** http://blog.dynamoo.com/2016/01/malw...le-ludlow.html
    ___

    Fake 'Enterprise Invoices' SPAM - malicious attachment
    - http://blog.dynamoo.com/2016/01/malw...-invoices.html
    27 Jan 2016 - "This -fake- financial spam does not come from Enterprise Security Distribution (South West) Limited but is instead a simple -forgery- with a malicious attachment.
    From: Vicki Harvey
    Date: 27 January 2016 at 15:30
    Subject: Enterprise Invoices No.91786
    Please find attached invoice/s from
    Enterprise Security Distribution (South West) Limited
    Unit 20, Avon Valley Business Park
    St Annes Road
    St Annes
    Bristol
    BS4 4EE
    Vicki Harvey
    Accountant ...


    The name of the sender and references will vary. There seem to be -several- different versions of the attachment named in a format Canon-mf30102A13A@altel.kz_2615524.xls ... Analysis of the attachments is pending... attempted downloads from:
    109.234.35.37 /californication/ninite.php
    5.189.216.105 /californication/ninite.php
    This binary has a -zero- detection rate at VirusTotal*. That VirusTotal report and this Malwr report** indicate network traffic to:
    8.254.218.46 (Level 3, US)
    I strongly recommend that you -block- traffic to that IP. This will be some variant of the Dridex banking trojan."
    * https://www.virustotal.com/en/file/b...is/1453913182/
    ninite.exe

    ** https://malwr.com/analysis/NjQwOTNhZ...ZkYzc0NGRkM2E/
    109.234.35.37
    103.224.83.130
    8.254.249.78


    - http://myonlinesecurity.co.uk/enterp...sheet-malware/
    27 Jan 2016 - "... garbled mishmash with an email with no subject coming from random senders with a malicious Excel XLS spreadsheet attachment is another one from the current bot runs... All the attachments start with the name of a scanner or multifunctional printer/scanner device, then have the -alleged- sender's email domain and then random numbers so this one is called twist-scanA56CC@ fotosdeguarras .com_2782255.xls . The email looks like:
    From: Maggie Nolan <NolanMaggie95043@ fotosdeguarras .com>
    Date: Wed 27/01/2016 16:25
    Subject: Enterprise Invoices No.84984 (random numbers)
    Attachment: twist-scanA56CC@ fotosdeguarras .com_2782255.xls
    Please find attached invoice/s from
    Enterprise Security Distribution (South West) Limited
    Unit 20, Avon Valley Business Park
    St Annes Road
    St Annes
    Bristol
    BS4 4EE
    Maggie Nolan
    Accountant ...


    27 January 2016: twist-scanA56CC@ fotosdeguarras .com_2782255.xls - Current Virus total detections 0/52*
    MALWR** shows a download from http ://109.234.35.37 /californication/ninite.php which gave me FCGVJHads.exe
    (VirusTotal 0/55***) the file looks wrong for Dridex, so I will be guided by antivirus responses as to what it actually is... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/0...is/1453912101/

    ** https://malwr.com/analysis/NTMxMmU2M...AxYmNjODY0NmU/
    109.234.35.37
    103.224.83.130
    13.107.4.50


    *** https://www.virustotal.com/en/file/b...is/1453912539/
    TCP connections
    103.224.83.130: https://www.virustotal.com/en/ip-add...0/information/
    8.254.218.46: https://www.virustotal.com/en/ip-add...6/information/
    ___

    'WorldRemit Transaction' phish
    - http://myonlinesecurity.co.uk/your-w...tion-phishing/
    27 Jan 2016 - "A high proportion of phishing attempts involve PayPal, your Bank, Credit Card or another money transfer service. This one is a money transfer service that I have never previously heard of: 'WorldRemit'...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...2-1024x455.png

    The second one pretends to be a request to review your service on Trust Pilot:

    Screenshot: http://myonlinesecurity.co.uk/wp-con...1-1024x550.png

    -All- the links in -both- emails go to http ://www.simplyyankeecosmetics .com/wellsfargo.com/cgi-bin/direct.php which -redirects- to either http ://syscross .com/fb/inc/index.html or http ://www.cinit .com.mx/cli/httpswww .worldremit.comsend/LoginPage.htm
    [I am sure that as the actual phish sites get blocked or taken down, these phishers will set up, yet another redirect from the first site]... Where you end up on a webpage looking like this, where some of the links are part of the phish, but some go to the genuine https ://www.worldremit .com/ web site:
    > http://myonlinesecurity.co.uk/wp-con...h-1024x546.png
    If you fill in the email-address and password you get -bounced- on to the genuine site..."

    simplyyankeecosmetics .com: 192.185.78.193: https://www.virustotal.com/en/ip-add...3/information/
    >> https://www.virustotal.com/en/url/67...9560/analysis/

    Last edited by AplusWebMaster; 2016-01-27 at 18:43.

  10. #890

    Thumbs down Fake 'Purchase Order', 'Invoice', 'PAYMENT' SPAM, iCloud Phish, Business Email...

    FYI...

    Fake 'Purchase Order' SPAM - doc malware
    - http://myonlinesecurity.co.uk/ikea-p...alware-dridex/
    28 Jan 2016 - "An email with the subject of 'IKEA Purchase Order [2001800526]' with a malicious word doc attachment is another one from the current bot runs... The email looks like:
    From: order@ ibxplatform .com
    Date: Thu 28/01/2016 10:24
    Subject: IKEA Purchase Order [2001800526]
    Attachment: Purchase_Order_Number__2001800526.doc
    This message contains a Purchase Order from IKEA. If you have any questions regarding this Purchase Order and its contents, we kindly ask you to contact your customer directly.
    If this message is incomplete or not readable, feel free to refer to our contact details below.
    Please do not reply to this message! ...


    28 January 2016: Purchase_Order_Number__2001800526.doc - Current Virus total detections 2/54*
    MALWR shows a download of Dridex Banking malware from
    http ://astigarragakomusikaeskola .com/nuyff45d/87tf23w.exe or
    http ://ponpes-alhijrah .sch.id/nuyff45d/87tf23w.exe (VirusTotal 5/54**)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/f...is/1453980691/

    ** https://www.virustotal.com/en/file/9...is/1453981023/
    TCP connections
    198.50.234.210
    5.178.43.10: https://www.virustotal.com/en/ip-add...0/information/
    119.160.223.115: https://www.virustotal.com/en/ip-add...5/information/

    astigarragakomusikaeskola .com: 82.98.134.155: https://www.virustotal.com/en/ip-add...5/information/

    ponpes-alhijrah .sch.id: 119.235.255.242: https://www.virustotal.com/en/ip-add...2/information/
    ___

    Fake 'Invoice' SPAM - doc malware
    - http://myonlinesecurity.co.uk/invoic...d-doc-malware/
    28 Jan 2016 - "An email with the subject of 'Invoice' pretending to come from Hayley Stoakes <hayley@ whirlowdale .com> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    From: Hayley Stoakes <hayley@ whirlowdale .com>
    Date: Thu 28/01/2016 11:44
    Subject: Invoice
    Attachment: 96413.DOC
    Thank you for your order. Your Invoice – 96413 – is attached.


    26 January 2016: 96413.DOC - Current Virus total detections 2/54*
    .. which is exactly the -same- malware downloader as described in this earlier post** and downloads the -same- Dridex banking Trojan from the -same- locations
    http ://astigarragakomusikaeskola .com/nuyff45d/87tf23w.exe or
    http ://ponpes-alhijrah .sch.id/nuyff45d/87tf23w.exe ..."
    * https://www.virustotal.com/en/file/f...is/1453986418/

    ** http://myonlinesecurity.co.uk/ikea-p...alware-dridex/
    ___

    Fake 'PAYMENT CONFIRMATION' SPAM - doc malware
    - http://myonlinesecurity.co.uk/paymen...d-doc-malware/
    28 Jan 2016 - "An email with the subject of 'PAYMENT CONFIRMATION' pretending to come from Lesley Mawson <LMawson@ agrin .co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    From: Lesley Mawson <LMawson@ agrin .co.uk>
    Date: Thu 28/01/2016 13:11
    Subject: PAYMENT CONFIRMATION
    For the attention of the accounts department.
    Please find attached a copy of our payment to you.
    Kind regards
    Lesley
    Lesley Mawson
    A.I.P. Ltd
    9 Wassage Way, Hampton Lovett Ind Estate, Droitwich. WR9 0NX


    28 January 2016: PAYMENT VOUCHER.DOC - Current Virus total detections 2/54*
    .. which is exactly the -same- malware downloader as described in this earlier post** and downloads an
    -updated- Dridex banking Trojan
    from the -same- locations
    http ://astigarragakomusikaeskola .com/nuyff45d/87tf23w.exe or
    http ://ponpes-alhijrah .sch.id/nuyff45d/87tf23w.exe (VirusTotal 2/53***) which despite comments on VT shows none of the typical characteristics of common ransomware and looks much more like a Dridex banking Trojan..."
    * https://www.virustotal.com/en/file/f...is/1453986418/

    ** http://myonlinesecurity.co.uk/ikea-p...alware-dridex/

    *** https://www.virustotal.com/en/file/d...is/1453986791/
    ___

    iCloud Phish - used to activate Stolen iPhones
    - https://blog.malwarebytes.org/phishi...len-iphones-2/
    Jan 28, 2016 - "... Losing a device or getting it stolen can be disastrous, way beyond the monetary loss. Apple has a nifty feature which allows you to remotely erase-and-lock your phone if you ever faced that problem and wanted to make sure your personal information would not fall into the wrong hands. At the same time, this renders the device -useless- for those not in possession of your ID and password:
    > https://blog.malwarebytes.org/wp-con...1/activate.png
    'Find My iPhone Activation Lock'
    > https://support.apple.com/en-ca/HT201365
    This is an -inconvenience- for thieves who may want to resell those stolen phones on the black market, but crooks never lack imagination and seem to have found a way to circumvent this protection... a user claimed that -after- her iPhone was stolen, she proceeded to wipe-it and put it in 'Lost Mode', to prevent anyone from using it. Shortly after, she received a message letting her know the phone had been found -but- that she needed to go to a website and verify her Apple ID first. The site was an almost exact -replica- of Apple’s official iCloud.com and loaded fine in Safari (-no- security/phishing warning):
    >> https://blog.malwarebytes.org/wp-con.../01/safari.png
    ... not many people would suspect this is a -fraudulent- website. Add to this the euphoria of knowing your precious phone was allegedly found, and proceeding to enter your Apple ID and password seems like a no brainer - Sadly, the website is a -fake- and the information entered in it is directly relayed to the crooks who stole your phone... There were several other domains residing on the same server (104.149.141.56):
    find.apple-service .me
    www .my-icloud .help
    your.icloud-service .help
    We have reported this phishing scam to Apple since Safari did -not- flag the website as -dangerous- at the time of writing... Users should be particularly careful of schemes that leverage the emotions involved with the theft or loss of their devices. Online crooks have no shame in abusing their victims twice to get what they want."

    104.149.141.56: https://www.virustotal.com/en/ip-add...6/information/
    ___

    Business Email Compromise - Fraud ...
    - http://blog.trendmicro.com/trendlabs...-do-you-start/
    Jan 26, 2016 - "What will you do if an executive in your company gives you instructions to wire money for a business expense? On email? In a world where cybercriminals devise devious social engineering and computer intrusion schemes to fool employees into wiring money, enterprises run a very serious -risk- of getting -scammed- via email. This emerging global threat is known as the 'business email compromise (BEC)' and it has already victimized 8,179 companies in 79 countries between October 2013 and August 2015 alone*:
    * https://www.ic3.gov/media/2015/150827-1.aspx#ref2
    ... Multiple warnings were issued by the FBI as to these types of emails in the past year alone. The FBI notes the targets to be companies working with foreign suppliers and/or those that regularly perform wire transfer payments. By February last year, the total number of reported victims had reached 2,126 and the money lost amounted to roughly US $215 million. Come August, the victim numbers have ballooned to 8,179, the money lost added to nearly US $800 million. How can you protect your company from becoming a part of this statistic?
    - Know the Basics...
    - Familiarize with Past Scams...
    - Gear Up Against BEC Threats...
    ... install email security solutions to block known BEC-related malware before they come in..."
    (More detail at the trendmicro URL above.)

    Last edited by AplusWebMaster; 2016-01-28 at 22:56.
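Posts #889 and #890 above keep pointing at the same two things: one download path (/54t4f4f/7u65j5hg.exe, later /nuyff45d/87tf23w.exe) served from a changing list of compromised hosts, and one call-back address (119.160.223.115, then 8.254.218.46) the authors recommend blocking. As an added example that is not code from those blogs or from this forum, the Python below scans proxy log lines for exactly those indicators; the log format and the sample lines are constructed for the illustration, while the indicator values are the ones quoted in the posts.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Indicators quoted in posts #889 and #890 above: the call-back addresses the
# authors recommend blocking, and download paths reused across many hosts.
C2_IPS = {"119.160.223.115", "8.254.218.46"}
PAYLOAD_PATHS = {"/54t4f4f/7u65j5hg.exe", "/nuyff45d/87tf23w.exe"}

# Constructed proxy log (not real traffic): epoch time, client, method, url, dest-ip.
SAMPLE_LOG = """\
1453887300 10.0.0.12 GET http://vinagps.net/54t4f4f/7u65j5hg.exe 203.0.113.5
1453887301 10.0.0.12 CONNECT 119.160.223.115:443 119.160.223.115
1453887400 10.0.0.33 GET http://www.hartrijders.com/54t4f4f/7u65j5hg.exe 203.0.113.7
1453887450 10.0.0.33 GET http://example.org/index.html 203.0.113.9
1453980700 10.0.0.51 GET http://ponpes-alhijrah.sch.id/nuyff45d/87tf23w.exe 203.0.113.11
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<dst>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict; return None for lines not in the assumed format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def split_url(url):
    """Return (host, path) for 'http://host/path' or a CONNECT-style 'host:port'."""
    if "://" in url:
        parts = urlsplit(url)
        return (parts.hostname or ""), parts.path
    return url.rsplit(":", 1)[0], ""


def indicators_hit(rec):
    """List the indicator classes a parsed record matches (empty list if clean)."""
    hits = []
    host, path = split_url(rec["url"])
    if rec["dst"] in C2_IPS or host in C2_IPS:
        hits.append("c2-ip")
    if path in PAYLOAD_PATHS:
        hits.append("payload-path")
    return hits


def scan(log_text):
    """Group hits per client so the download followed by the call-back is visible together."""
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for hit in indicators_hit(rec):
            by_client[rec["client"]].append((int(rec["ts"]), hit, rec["url"]))
    return dict(by_client)


def hosts_per_path(log_text):
    """Map each flagged payload path to the sorted hosts seen serving it (path, not host, is the stable part)."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        host, path = split_url(rec["url"])
        if path in PAYLOAD_PATHS:
            seen[path].add(host)
    return {p: sorted(h) for p, h in seen.items()}


if __name__ == "__main__":
    for client, events in sorted(scan(SAMPLE_LOG).items()):
        for ts, hit, url in sorted(events):
            print(f"{client}  {ts}  {hit:12s}  {url}")
    for path, hosts in hosts_per_path(SAMPLE_LOG).items():
        print(f"{path} served from {len(hosts)} host(s): {', '.join(hosts)}")
```

Matching on the reused path rather than on individual hosts is what keeps the rule useful when the next compromised site appears in a later run.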
