
Thread: SPAM frauds, fakes, and other MALWARE deliveries...

  1. #81
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Thumbs down Fake Changelog SPAM ...

    FYI...

    Fake Changelog SPAM / aseniakrol .ru
    - http://blog.dynamoo.com/2012/12/chan...niakrolru.html
    11 Dec 2012 - "This spam leads to malware on aseniakrol .ru:
    Date: Tue, 11 Dec 2012 10:46:43 -0300
    From: Tarra Comer via LinkedIn [member @linkedin .com]
    Subject: Re: Your Changelog UPDATED
    Hi,
    as promised your changelog - View
    I. Easley


    The malicious payload is at [donotclick]aseniakrol .ru:8080/forum/links/column.php hosted on a bunch of IPs that have been used for malware before:
    202.180.221.186 (GNet, Mongolia)
    212.162.52.180 (Secure Netz, Germany)
    212.162.56.210 (Secure Netz, Germany)..."

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #82
    AplusWebMaster

    Thumbs down Fake Sendspace/Citibank emails lead to malware

    FYI...

    Fake Sendspace emails lead to BlackHole Exploit Kit
    - http://blog.webroot.com/2012/12/12/m...e-exploit-kit/
    Dec 12, 2012 - "Cybercriminals are currently attempting to trick hundreds of thousands of users into clicking on the malicious links found in the currently spamvertised -bogus- ‘Sendspace File Delivery Notifications‘. Upon clicking on any of the links found in the email, users are exposed to the client-side exploits served by the latest version of the BlackHole Exploit Kit...
    Sample screenshot of the spamvertised email:
    > https://webrootblog.files.wordpress....xploit_kit.png
    ... Sample client-side exploits served: CVE-2010-0188
    Upon successful client-side exploitation, the campaign drops MD5: 532bdd2565cae7b84cb26e4cf02f42a0 * ... Worm:Win32/Cridex.E
    Once executed it creates %AppData%\kb00121600.exe on the affected system.
    The sample also creates the following registry entries:
    HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CFBDC89D4
    HKEY_CURRENT_USER\Software\Microsoft\Windows NT\S25BC2D7B
    As well as the following Mutexes:
    Local\XMM00000418
    Local\XMI00000418
    Local\XMRFB119394
    Local\XMM000005E4
    Local\XMI000005E4
    Local\XMM0000009C
    Local\XMI0000009C
    Local\XMM000000C8
    Local\XMI000000C8
    It then phones back to hxxp ://210.253.102.95 :8080/DPNilBA/ue1elBAAAA/tlSHAAAAA/ and to hxxp ://123.49.61.59 :8080/AJtw/UCyqrDAA/Ud+asDAA/ ..."
    (More detail at the webroot URL above.)
    * https://www.virustotal.com/file/a070...eb2b/analysis/
    File name: contacts.exe.x-msdownload
    Detection ratio: 33/44
    Analysis date: 2012-11-13
    ___

    Fake Citibank SPAM / platinumbristol .net
    - http://blog.dynamoo.com/2012/12/citi...ristolnet.html
    12 Dec 2012 - "This fake Citibank spam leads to malware on platinumbristol .net:
    From: citibankonline @serviceemail1 .citibank .com via pado .com .br
    Date: 12 December 2012 15:38
    Subject: Account Alert
    Mailed-by: pado .com .br
    Citi
    Email Security Zone EMAIL SECURITY AREA
    ATM/Credit card ending in: XXX7
    Alerting System
    Bill Payment
    Ultimate Savings Account (USA) XXXXXXXXX2
    Amount Debited: $2,973.22
    Date: 12/12/12
    Log In to Overview Transaction
    Bill Payment
    Ultimate Savings Account (USA) XXXXXXXXX2
    Amount Credited: $.97
    Date: 12/12/12
    Visit this link to Overview Detailed information
    ABOUT THIS MESSAGE
    Please DO NOT reply to this message. auomatic informational system unable to accept incoming messages.
    Citibank, N.A. Member FDIC.
    © 2012 Citigroup Inc. Citi with Arc Design and Citibank are registered service marks of Citigroup Inc.
    ========================
    From: citibankonline @serviceemail5 .citibank .com via clickz .com
    Date: 12 December 2012 15:39
    Subject: Account Notify
    Mailed-by: clickz .com
    Citi
    Email Security Zone EMAIL SAFETY AREA
    ATM/Debit card ending in: XXX7
    Alerting System
    Money Transfer Report
    Savings Account XXXXXXXXX8
    Amount Withdrawn: $3,620.11
    Date: 12/12/12
    Visit this link to Cancel Details
    Money Transfer Report
    Savings Account XXXXXXXXX8
    Amount Withdrawn: $.38
    Date: 12/12/12
    Sign In to Overview Details
    ABOUT THIS MESSAGE
    Please Not try to reply to this message. automative notification system unable to accept incoming messages.
    Citibank, N.A. Member FDIC.
    © 2012 Citigroup Inc. Citi with Arc Design and Citibank are registered service marks of Citigroup Inc.
    ========================
    Date: Wed, 12 Dec 2012 23:16:15 +0700
    From: alets-no-reply @serviceemail6 .citibank .com
    Subject: Account Insufficient funds
    EMAIL SAFETY ZONE
    ATM/Debit card ending in: XXX0
    Notifications System
    Transaction Announcement
    Ultimate Savings Account (USA) XXXXXXXXX4
    Amount Debited: $4,222.19
    Date: 12/12/12
    Login to Abort Detailed information
    Transaction Announcement
    Ultimate Savings Account (USA) XXXXXXXXX4
    Amount Credited: $.41
    Date: 12/12/12
    Go to web site by clicking here to See Operation
    ABOUT THIS MESSAGE
    Please Not try to reply to this message. automative notification system cannot accept incoming mail.
    Citibank, N.A. Member FDIC.
    2012 Citigroup Inc. Citi with Arc Design and Citibank are registered service marks of Citigroup Inc.
    ========================
    Date: Wed, 12 Dec 2012 20:07:46 +0400
    From: citibankonline @serviceemail8 .citibank .com
    Subject: Account Operation Alert
    EMAIL SECURITY ZONE
    Credit card ending in: XXX0
    Notifications System
    Bill Payment
    Ultimate Savings Account (USA) XXXXXXXXX3
    Amount Credited: $5,970.51
    Date: 12/12/12
    Click Here to Review Transaction
    Bill Payment
    Ultimate Savings Account (USA) XXXXXXXXX3
    Amount Withdrawn: $.11
    Date: 12/12/12
    Sign In to View Operation
    ABOUT THIS MESSAGE
    Please don't reply to this message. auomatic informational system cannot accept incoming mail.
    Citibank, N.A. Member FDIC.
    2012 Citigroup Inc. Citi with Arc Design and Citibank are registered service marks of Citigroup Inc.


    The malicious payload is at [donotclick]platinumbristol .net/detects/alert-service.php hosted on the same 59.57.247.185 IP address in China that has been used in several recent attacks. This is definitely an IP to block if you can.
    I can see the following evil domains on that same server..."
    (More detail at the dynamoo URL above.)

    Last edited by AplusWebMaster; 2012-12-12 at 19:45.

  3. #83
    AplusWebMaster

    Thumbs down Fake Citi-cards/Citibank/Copies of Policies SPAM ...

    FYI...

    Fake Citi Cards SPAM / 6.bbnface .com and 6.mamaswishes .com
    - http://blog.dynamoo.com/2012/12/citi...cecom-and.html
    13 Dec 2012 - "This fake Citi Cards spam leads to malware on 6.bbnface .com and 6.mamaswishes .com:
    Date: Thu, 13 Dec 2012 11:59:33 +0300
    From: Citi Cards [citicards @info .citibank .com]
    Subject: Your Citi Credit Card Statement
    Add citicards @info .citibank .com to your address book to ensure delivery.
    Your Account: Important Notification
    Your Citi Credit Card statement is ready to view online
    Dear customer,
    Your Citi Credit Card statement is now available for you to view online. Here are some key pieces of information from your statement:
    Statement Date: December 13, 2012
    Statement Balance: -$8,803.77
    Minimum Payment Due: $750.00
    Payment Due Date: Tue, January 01, 2013
    Want help remembering your payment due date? Sign up for automated alerts such as Payment Due reminders with Alerting Service.
    To set up alerts sign on to www .citicards .com and go to Account Profile.
    Iprefer not to have this email contain specific information from my statement. Please send me just the announcement that my statement is ready to view online.
    View Your Account Pay Your Bill Contact Us
    Privacy | Security
    Email Preferences
    This message is from Citi Cards. Your credit card is issued by Citibank, N.A. If you'd like to refine the types of email messages you receive, or if you'd prefer to stop receiving email from us, please go to... Citibank manages email preferences by line of business. Changing your email preferences with Citi Cards does not change your email preferences for messages from Citibank's other businesses which include retail branch banking among others.
    Should you want to contact us in writing concerning this email, please direct your correspondence to:
    Citibank Customer Service
    P. O. Box 6500
    Sioux Falls, SD 57117
    Help / Contact Us
    If you have questions about your account, please use our secure message center by signing on at... and choosing "Contact Us" from the "Help / Contact Us" menu. You can also call the customer service phone number on the back of your card.
    (c) 2012 Citibank, N.A.
    All rights reserved.
    Citi, Citibank and Citi with Arc Design are registered service marks of Citigroup Inc.
    ============================
    Date: Thu, 13 Dec 2012 10:30:55 +0200
    From: Citi Cards [citicards @info .citibank .com]
    Subject: Your Citi Credit Card Statement
    Add citicards @info .citibank .com to your address book to ensure delivery.
    Your Account: Important Notification
    Your Citi Credit Card statement is ready to view online
    Dear customer,
    Your Citi Credit Card statement is now available for you to view online. Here are some key pieces of information from your statement:
    Statement Date: December 13, 2012
    Statement Balance: -$5,319.77
    Minimum Payment Due: $506.00
    Payment Due Date: Tue, January 01, 2013
    Want help remembering your payment due date? Sign up for automated alerts such as Payment Due reminders with Alerting Service.
    To set up alerts sign on to www .citicards .com and go to Account Profile.
    Iprefer not to have this email contain specific information from my statement. Please send me just the announcement that my statement is ready to view online.
    View Your Account Pay Your Bill Contact Us
    Privacy | Security
    Email Preferences
    This message is from Citi Cards. Your credit card is issued by Citibank, N.A. If you'd like to refine the types of email messages you receive, or if you'd prefer to stop receiving email from us, please go to... Citibank manages email preferences by line of business. Changing your email preferences with Citi Cards does not change your email preferences for messages from Citibank's other businesses which include retail branch banking among others.
    Should you want to contact us in writing concerning this email, please direct your correspondence to:
    Citibank Customer Service
    P. O. Box 6500
    Sioux Falls, SD 57117
    Help / Contact Us
    If you have questions about your account, please use our secure message center by signing on at... and choosing "Contact Us" from the "Help / Contact Us" menu. You can also call the customer service phone number on the back of your card.
    (c) 2012 Citibank, N.A.
    All rights reserved.
    Citi, Citibank and Citi with Arc Design are registered service marks of Citigroup Inc.


    The links in the email bounce through a legitimate hacked site, and in the samples I have seen end up on [donotclick]6.bbnface .com/string/obscure-logs-useful.php or [donotclick]6.mamaswishes .com/string/obscure-logs-useful.php both hosted on 173.246.102.223 (Gandi, US) which probably contains many other evil sites, so blocking that IP address would probably be prudent."
    ___

    More "Copies of Policies" SPAM / awoeionfpop .ru:
    - http://blog.dynamoo.com/2012/12/copi...ionfpopru.html
    13 Dec 2012 - "This spam leads to malware on awoeionfpop .ru:
    Date: Thu, 13 Dec 2012 09:08:32 -0400
    From: "Myspace" [noreply @message .myspace .com]
    Subject: Fwd: Deshaun - Copies of Policies
    Unfortunately, I cannot obtain electronic copies of the SPII policy.
    Here is the Package and Umbrella,
    and a copy of the most recent schedule.
    Deshaun ZAMORA,


    The malicious payload is at [donotclick]awoeionfpop .ru:8080/forum/links/column.php hosted on the following IPs that I haven't seen before:
    75.148.242.70 (Comcast Business, US)
    91.142.208.144 (Axarnet, Spain)..."
    (More detail at the dynamoo URL above.)
    ___

    Fake Citibank SPAM / eaglepointecondo .biz
    - http://blog.dynamoo.com/2012/12/citi...econdobiz.html
    13 Dec 2012 - "This fake Citibank spam leads to malware on eaglepointecondo .biz:
    Date: Thu, 13 Dec 2012 16:59:14 +0400
    From: "Citi Alerts" [lubumbashiny63 @bankofdeerfield .com]
    Subject: Account Operation Alert
    EMAIL SAFETY AREA
    ATM/Credit card ending in: XXX8
    Notifications System
    Wire Transaction Issued
    Ultimate Savings Account (USA) XXXXXXXXX5
    Amount Withdrawn: $4,564.61
    Date: 12/12/12
    Sign In to Abort Details
    Wire Transaction Issued
    Ultimate Savings Account (USA) XXXXXXXXX5
    Amount Debited: $.24
    Date: 12/12/12
    Login to Overview Operation
    ABOUT THIS MESSAGE
    Please DO NOT reply to this message. auto-notification system can't accept incoming mail.
    Citibank, N.A. Member FDIC.
    2012 Citigroup Inc. Citi with Arc Design and Citibank are registered service marks of Citigroup Inc.
    ====================
    From: Citibank - Alerts [mailto:enormityyf10 @iztzg .hr]
    Sent: 13 December 2012 12:50
    Subject: Account Operation Alert
    Importance: High
    EMAIL SAFETY AREA
    ATM/Credit card ending in: XXX6
    Notifications System
    Bill Payment
    Checking XXXXXXXXX7
    Amount Withdrawn: $5,951.56
    Date: 12/12/12
    Visit this link to Cancel Detailed information
    Bill Payment
    Checking XXXXXXXXX7
    Amount Debited: $.14
    Date: 12/12/12
    Login to Review Operation
    ABOUT THIS MESSAGE
    Please don't reply to this message. auto informer system unable to accept incoming mail.
    Citibank, N.A. Member FDIC.
    2012 Citigroup Inc. Citi with Arc Design and Citibank are registered service marks of Citigroup Inc.
    ====================
    From: Citibank - Service [mailto:goaliesj79 @wonderware .com]
    Sent: 13 December 2012 12:59
    Subject: Account Alert
    Importance: High
    EMAIL SAFETY ZONE
    ATM/Debit card ending in: XXX8
    Alerting System
    Withdraw Message
    Savings Account XXXXXXXXX4
    Amount Debited: $1,218.42
    Date: 12/12/12
    Login to Abort Operation
    Withdraw Message
    Savings Account XXXXXXXXX4
    Amount Withdrawn: $.42
    Date: 12/12/12
    Sign In to Overview Operation
    ABOUT THIS MESSAGE
    Please DO NOT reply to this message. auto-notification system not configured to accept incoming mail.
    Citibank, N.A. Member FDIC.
    2012 Citigroup Inc. Citi with Arc Design and Citibank are registered service marks of Citigroup Inc.


    The malicious payload is on [donotclick]eaglepointecondo .biz/detects/operation_alert_login.php hosted on 59.57.247.185 in China, the same IP has been used several times for evil recently and you should block it if you can."

    Last edited by AplusWebMaster; 2012-12-13 at 19:59.

  4. #84
    AplusWebMaster

    Thumbs down Something evil on 87.229.26.138

    FYI...

    Dexter malware targets POS systems...
    - http://www.theregister.co.uk/2012/12...s_pos_systems/
    14 Dec 2012 - "You could be getting more than you bargained for when you swipe your credit card this holiday shopping season, thanks to new malware that can skim credit card info from compromised point-of-sale (POS) systems. First spotted by security firm Seculert*, the malware dubbed "Dexter" is believed to have infected hundreds of POS systems in 40 countries worldwide in recent months. Companies targeted include retailers, hotel chains, restaurants, and private parking providers. The US, the UK, and Canada top the list of countries where the malicious app has been found... Once the malware is installed on a POS system, it grabs the machine's list of active processes and sends them to a command-and-control server – a highly unusual step for POS malware, according to security researchers at Trustwave**..."
    * http://blog.seculert.com/2012/12/dex...-point-of.html

    ** http://blog.spiderlabs.com/2012/12/t...nds-dirty.html
    ___

    Something evil on 87.229.26.138
    - http://blog.dynamoo.com/2012/12/some...722926138.html
    14 Dec 2012 - "This seems to be a bunch of evil domains on 87.229.26.138 (Deninet, Hungary) being used in injection attacks. Possible payloads include Blackhole (for example*).
    * http://urlquery.net/report.php?id=406222
    There are two sets of domains, .in domains being used by themselves and .eu domains being used with subdomains, listed below.
    The registration details are probably fake, but for the record the .eu domains are registered to:
    Juha Salonen
    Lukiokatu 23
    13430 Hameenlinna
    Hameenlinna
    Finland
    salonen_juha @yahoo .com
    The .in domains are registered to:
    Puk T Lapkanen
    Puruntie 33
    LAPPEENRANTA
    53200
    FI
    +358.443875638
    puklapkanen @yahoo .com
    If you can block the IP address then it will be the simplest option as there are rather a lot of domains here..."
    (More detail at the dynamoo URL above.)
    ___

    Fake Citibank SPAM / 4.whereintrentinoaltoadige .com
    - http://blog.dynamoo.com/2012/12/citi...altoadige.html
    14 Dec 2012 - "This fake Citibank spam leads to malware on 4.whereintrentinoaltoadige .com:
    Date: Fri, 14 Dec 2012 13:54:14 +0200
    From: Citi Cards [citicards @info .citibank .com]
    Subject: Your Citi Credit Card Statement
    Add citicards @info .citibank .com to your address book to ensure delivery.
    Your Account: Important Notification
    Your Citi Credit Card statement is ready to view online
    Dear customer,
    Your Citi Credit Card statement is now available for you to view online. Here are some key pieces of information from your statement:
    Statement Date: December 13, 2012
    Statement Balance: -$4,550.67
    Minimum Payment Due: $764.00
    Payment Due Date: Tue, January 01, 2013
    Want help remembering your payment due date? Sign up for automated alerts such as Payment Due reminders with Alerting Service.
    To set up alerts sign on to... and go to Account Profile.
    Iprefer not to have this email contain specific information from my statement. Please send me just the announcement that my statement is ready to view online.
    View Your Account Pay Your Bill Contact Us
    Privacy | Security
    Email Preferences
    This message is from Citi Cards. Your credit card is issued by Citibank, N.A. If you'd like to refine the types of email messages you receive, or if you'd prefer to stop receiving email from us, please go to... Citibank manages email preferences by line of business. Changing your email preferences with Citi Cards does not change your email preferences for messages from Citibank's other businesses which include retail branch banking among others.
    Should you want to contact us in writing concerning this email, please direct your correspondence to:
    Citibank Customer Service
    P. O. Box 6500
    Sioux Falls, SD 57117
    Help / Contact Us
    If you have questions about your account, please use our secure message center by signing on at... and choosing "Contact Us" from the "Help / Contact Us" menu. You can also call the customer service phone number on the back of your card.
    (c) 2012 Citibank, N.A.
    All rights reserved.
    Citi, Citibank and Citi with Arc Design are registered service marks of Citigroup Inc.
    ====================
    Alternative mid-sections:
    Statement Date: December 13, 2012
    Statement Balance: -$8,902.58
    Minimum Payment Due: $211.00
    Payment Due Date: Tue, January 01, 2013
    Statement Date: December 13, 2012
    Statement Balance: -$9,905.95
    Minimum Payment Due: $535.00
    Payment Due Date: Tue, January 01, 2013


    The malicious payload is at [donotclick]4.whereintrentinoaltoadige .com/string/obscure-logs-useful.php hosted on 198.74.54.28 (Linode, US)... malicious domains are also on the same server..."
    (More detail at the dynamoo URL above.)
    ___

    More Citibank SPAM / 6.bbnsmsgateway .com
    - http://blog.dynamoo.com/2012/12/citi...atewaycom.html
    14 Dec 2012 - "This fake Citibank spam leads to malware on 6.bbnsmsgateway .com:
    Date: Fri, 14 Dec 2012 19:27:56 +0530
    From: Citi Cards [citicards @info.citibank .com]
    Subject: Your Citi Credit Card Statement
    Add citicards @info.citibank .com to your address book to ensure delivery.
    Your Account: Important Notification
    Your Citi Credit Card statement is ready to view online
    Dear customer,
    Your Citi Credit Card statement is now available for you to view online. Here are some key pieces of information from your statement:
    Statement Date: December 13, 2012
    Statement Balance: -$4,873.54
    Minimum Payment Due: $578.00
    Payment Due Date: Tue, January 01, 2013
    Want help remembering your payment due date? Sign up for automated alerts such as Payment Due reminders with Alerting Service.
    To set up alerts sign on to www.citicards.com and go to Account Profile.
    Iprefer not to have this email contain specific information from my statement. Please send me just the announcement that my statement is ready to view online.
    View Your Account Pay Your Bill Contact Us
    Privacy | Security
    Email Preferences
    This message is from Citi Cards. Your credit card is issued by Citibank, N.A. If you'd like to refine the types of email messages you receive, or if you'd prefer to stop receiving email from us, please go to: http://www.email.citicards.com. Citibank manages email preferences by line of business. Changing your email preferences with Citi Cards does not change your email preferences for messages from Citibank's other businesses which include retail branch banking among others.
    Should you want to contact us in writing concerning this email, please direct your correspondence to:
    Citibank Customer Service
    P. O. Box 6500
    Sioux Falls, SD 57117
    Help / Contact Us
    If you have questions about your account, please use our secure message center by signing on at... and choosing "Contact Us" from the "Help / Contact Us" menu. You can also call the customer service phone number on the back of your card.
    (c) 2012 Citibank, N.A.
    All rights reserved.
    Citi, Citibank and Citi with Arc Design are registered service marks of Citigroup Inc.


    The malicious payload is at [donotclick]6.bbnsmsgateway .com/string/obscure-logs-useful.php hosted on 192.155.81.9 (Linode, US). There are probably some other bad domains on this server, so blocking access to that IP could be prudent."
    ___

    Changelog SPAM / aviaonlolsio .ru
    - http://blog.dynamoo.com/2012/12/chan...nlolsioru.html
    14 Dec 2012 - "This fake Changelog spam leads to malware on aviaonlolsio .ru:
    From: messages-noreply @bounce .linkedin .com [mailto :messages-noreply @bounce .linkedin .com] On Behalf Of Earlean Gardner via LinkedIn
    Sent: 13 December 2012 20:22
    Subject: Re: Changelog as promised (upd.)
    Hi,
    as promised - View
    I. SWEET
    ====================
    Date: Fri, 14 Dec 2012 05:22:54 +0700
    From: "Kaiya HIGGINS" [fwGpEzHIGGINS @hotmail .com]
    Subject: Re: Fwd: Changelog as promised(updated)
    Hi,
    as promised chnglog updated - View
    I. HIGGINS


    The malicious payload is at [donotclick]aviaonlolsio .ru:8080/forum/links/column.php hosted on the same IPs as used in this attack:
    75.148.242.70 (Comcast Business, US)
    91.142.208.144 (Axarnet, Spain)..."
    ___

    Fake Chase emails lead to malware
    - http://blog.webroot.com/2012/12/14/f...ad-to-malware/
    Dec 14, 2012 - "Cybercriminals are currently mass mailing tens of thousands of emails, impersonating Chase in an attempt to trick its customers into executing the malicious attachment found in the fake email. Upon execution, the sample downloads additional malware on the affected hosts, and opens a backdoor allowing the cybercriminals behind the campaign complete access to the host...
    Sample screenshot of the spamvertised email:
    > https://webrootblog.files.wordpress....ing.png?w=1024
    ... the cybercriminal/cybercriminals behind it applied low QA (Quality Assurance) since the actual filename found in the malicious archive exceeds 260 characters, resulting in a failed extraction process on Windows hosts.
    “C:\Users\Workstation\Desktop\Statement_random_number.pdf.zip: Cannot create Statement_ID_random_number.pdf.exe
    Total path and file name length must not exceed 260 characters. The system cannot find the path specified.“

    Sample detection rate for the spamvertised attachment: MD5: 676c1a01739b855425f9492126b34d23 * ... Trojan-PSW.Win32.Tepfer.cbrv.
    Makes DNS request to 3.soundfactor .org, then it establishes a TCP connection with 184.184.247.60 :14511, as well as UDP connections to the following IPs:
    184.184.247.60 :23089
    99.124.198.193 :13197
    78.93.215.24 :14225
    68.167.50.61 :28650 ..."
    (More detail at the webroot URL above.)
    * https://www.virustotal.com/file/543a...is/1355442736/
    File name: Statement_ID.pdf.exe
    Detection ratio: 42/46
    Analysis date: 2012-12-13

    Last edited by AplusWebMaster; 2012-12-14 at 23:02.

  5. #85
    AplusWebMaster

    Thumbs down Pharma SPAM - pillscarehealthcare .com

    FYI...

    Pharma SPAM - pillscarehealthcare .com
    - http://blog.dynamoo.com/2012/12/pill...ecom-spam.html
    17 Dec 2012 - "There has been a massive amount of pharma spam pointing to pillscarehealthcare .com over the past 48 hours or so. Here are some examples:
    Date: Mon, 17 Dec 2012 02:47:56 +0000 (GMT)
    From: "Account Info Change" [tyjinc @palmerlakearttour .com]
    To: [redacted]
    Subject: Updated information
    Updated information
    Hello,
    The following information for your ID [redacted] was updated on 12/17/2012: Date of birth, Security question and answer.
    If these changes were made in error, or if you believe an unauthorized person accessed your account, please reset your account password.
    This is an automated message. Please do not reply to this email. If you need additional help, visit our Support Center.
    Thanks,
    Customer Support
    ==================
    Date: Mon, 17 Dec 2012 01:22:56 -0700
    From: "Angela Snider" [directsales @tyroo .com]
    To: [redacted]
    Subject: Pending ticket status
    Ticketing System
    Hello,
    You have been successfully registered in our Ticketing System
    Please, login and check status of your ticket, or close the ticket here
    Go To Profile
    See All tickets
    This message was sent to [redacted]. Should you have any questions, or if you believe that you have received this in error please contact us at support center.
    ==================
    Date: Sat, 15 Dec 2012 21:37:47 -0700
    From: "Alexis Houston" [cmassuda @agf .com .br]
    To: [redacted]
    Subject: Pending ticket notification
    Ticketing System
    Hello,
    You have been successfully registered in our Ticketing System
    Please, login and check status of your ticket, or report new ticket here
    Go To Profile
    See All tickets
    This message was sent to [redacted]. Should you have any questions, or if you believe that you have received this in error please contact us at support center.
    ==================
    Date: Sat, 15 Dec 2012 07:06:30 -0800
    From: "Account Sender Mail" [daresco @excite .com]
    To: [redacted]
    Subject: Account is now available
    Login unavailable due to maintenance ([redacted])
    Hello,
    Your Account is now available.
    Our systems were unavailable due to maintenance and upgrading system. We apologizes for any inconvenience and appreciates the patience while this critical maintenance was performed. If you still face the problem then it would be better if you contact our team.
    Access Your Account
    Hope this information helps you.
    Thanks,
    Support team
    ==================
    From: Kennedi Marquez [mailto:cwtroutn @naturalskincarereviews .info]
    Sent: 17 December 2012 11:18
    Subject: Updated information
    Updated information
    Hello,
    The following information for your ID [redacted] was updated on 12/17/2012: Date of birth, Security question and answer.
    If these changes were made in error, or if you believe an unauthorized person accessed your account, please reset your account password.
    This is an automated message. Please do not reply to this email. If you need additional help, visit our Support Center.
    Thanks,
    Customer Support


    This appears to be punting fake drugs rather than malware. pillscarehealthcare .com is hosted on 95.58.254.74 (Kazakh Telecom, Kazakhstan). In my opinion blocking 95.58.254.0/24 will probably do you no harm. These other fake pharma web sites can be found on the same IP address..."
    (More detail at the dynamoo URL above.)


  6. #86
    AplusWebMaster

    Thumbs down Fake UPS/USPS SPAM - apensiona .ru

    FYI...

    Fake UPS/USPS SPAM / apensiona .ru
    - http://blog.dynamoo.com/2012/12/ups-...ensionaru.html
    18 Dec 2012 - "Spammers often get UPS and the USPS mixed up. They're not the same thing at all. And this one throws FilesTube into the mix as well. Anyway, this fake UPS/USPS/ FilesTube spam leads to malware on apensiona .ru:
    From: FilesTube [mailto: filestube @filestube .com]
    Sent: 17 December 2012 06:01
    Subject: Your Tracking Number H7300014839
    USPS Customer Services for big savings!
    Can't see images? CLICK HERE.
    UPS - UPS TEAM 60 >>
    Already Have an Account?
    Enjoy all UPS has to offer by linking your My UPS profile to your account.
    Link Your Account Now >>
    UPS - UPS .com Customer Services
    Good Evening, [redacted].
    DEAR USER , Recipient's address is wrong
    Track your Shipment now!
    With Respect To You , Your UPS .com Customer Services.
    Shipping | Tracking | Calculate Time & Cost | Open an Account
    @ 2011 United Parcel Service of America, Inc. Your USPS .us Customer Services, the UPS brandmark, and the color brown are
    trademarks of United Parcel Service of America, Inc. All rights reserved.
    This is a marketing e-mail for UPS services. Click here to update your e-mail preferences or to unsubscribe to
    USPS Team marketing e-mail. For information on UPS's privacy practices, please refer to UPS Privacy Policy.
    Your USPS .us Customer Services, 8 Glenlake Parkway, NE - Atlanta, GA 30585
    Attn: Customer Communications Department


    The malicious payload is at [donotclick]apensiona .ru:8080/forum/links/column.php which is hosted on 217.112.40.69 (Utransit, claims to be from the UK but probably Russia). The following malicious domains are also on that IP address..."
    (More detail at the dynamoo URL above.)
    ___

    GFI Labs Email Roundup for the Week
    - http://www.gfi.com/blog/gfi-labs-ema...or-the-week-6/
    Dec 18, 2012 - "... noteworthy email threats for the week... covering the dates of December 10 to 14...

    “Mailbox Upgrade” Email is a Phish...
    > http://gfisoftware.tumblr.com/post/3...dentials-phish
    ... Malicious URLs: my3q .com/survey/458/webgrade2052/77717.phtml

    Unsolicited “Adobe CS4 License” Leads to Malware...
    > http://gfisoftware.tumblr.com/post/3...e-spam-returns
    ... Malicious URLs: safeshopper .org.nz/redirecting.htm, happy-school .edu.pl/redirecting.htm, amnaosogo .ru:8080/forum/links/column.php...

    Spammers Target Citibank Clients.
    > http://gfisoftware.tumblr.com/post/3...statement-spam
    ... Malicious URLs... (See the gfisoftware.tumblr URL above.)
    ___

    LinkedIn SPAM / apensiona .ru
    - http://blog.dynamoo.com/2012/12/link...ensionaru.html
    18 Dec 2012 - "This fake LinkedIn spam leads to malware on apensiona .ru:
    From: messages-noreply @bounce .linkedin .com on behalf of LinkedIn Connections
    Sent: Tue 18/12/2012 14:01
    Subject: Join my network on LinkedIn
    LinkedIn
    Hien Lawson has indicated you are a Friend
    I'd like to add you to my professional network on LinkedIn.
    - Hien Lawson
    Accept
    View invitation from Hien Lawson
    WHY MIGHT CONNECTING WITH Hien Lawson BE A GOOD IDEA?
    Hien Lawson's connections could be useful to you
    After accepting Hien Lawson's invitation, check Hien Lawson's connections to see who else you may know and who you might want an introduction to. Building these connections can create opportunities in the future.
    2012, LinkedIn Corporation


    The malicious payload is at [donotclick]apensiona .ru:8080/forum/links/column.php (the same payload as here*) although this time the IPs have changed to:
    109.235.71.144 (Serveriai, Lithuania)
    176.31.111.198 (OVH, France)
    217.112.40.69 (Utransit , UK)
    Here's a plain list if you want to block the lot:
    109.235.71.144
    176.31.111.198
    217.112.40.69
    ..."
    * http://blog.dynamoo.com/2012/12/ups-...ensionaru.html

    Last edited by AplusWebMaster; 2012-12-18 at 23:44.

  7. #87 AplusWebMaster (Adviser Team)

    Fake AV - Malware sites to block 19/12/12

    FYI...

    Fake AV - Malware sites to block 19/12/12
    - http://blog.dynamoo.com/2012/12/malw...ck-191212.html
    19 Dec 2012 - "This group of sites appears to be using fake AV applications to download a malicious file scandsk.exe (report here*) via 79.133.196.103 (eTop, Poland) and 82.103.140.100 (Easyspeedy, Denmark) which then attempts to call home to 46.105.131.126 (OVH, Ireland).
    * https://www.virustotal.com/file/5c6e...bc70/analysis/
    Detection ratio: 14/45
    This is a screenshot of the fake AV in action:
    > https://lh3.ggpht.com/-D3JYfW2LwH8/U...600/fakeav.png
    From this point, the scandsk.exe gets downloaded either through an exploit or social engineering. This executable looks like some sort of downloader, which attempts to pull down additional data from these non-responding domains:
    report.q7ws17sk1ywsk79g .com
    report.7ws17sku7myws931u .com
    report.u79i1qgmywskuo9o .com
    There's some sort of trickery here, perhaps it requires exactly the right kind of factors to hit a valid URL, the automated analysis tools are inconsistent... but seem to indicate a C&C on 46.105.131.126. This IP belongs to OVH (no surprises there) but seems to have been suballocated:
    inetnum: 46.105.131.120 - 46.105.131.127
    netname: marysanders1
    descr: marysanders1net
    country: IE
    org: ORG-OH5-RIPE
    admin-c: OTC9-RIPE
    tech-c: OTC9-RIPE
    status: ASSIGNED PA
    mnt-by: OVH-MNT
    source: RIPE # Filtered
    I suspect that this whole block is being used for malicious purposes, 46.105.131.123 hosts a site called find-and-go .com registered in China which has been fingered as an attack site before.... I would recommend blocking the entire 46.105.131.120/29 to be on the safe side. The infection sites are on 82.103.140.100 and 79.133.196.103, they make extensive use of subdomains of mooo .com, ez .lv and zyns .com. There are probably legitimate sites making use of these domains, but blocking them completely should give you few headaches. 79.133.196.103 is part of a small block of IPs, 79.133.196.96/27, that I have seen malware on before, specifically 79.133.196.105 and 79.133.196.124. Blocking the entire /27 is probably a good idea.
    Recommended blocklist:
    46.105.131.120/29
    82.103.140.100
    79.133.196.97/27
    mooo .com
    ez .lv
    zyns .com

    Alternatively, these are some of the subdomains in use... there are a lot of them, and probably more than I have listed here..."
    (More detail at the dynamoo URL above.)
    ___

    Fake Facebook SPAM / 46.249.58.211 and 84.200.77.218
    - http://blog.dynamoo.com/2012/12/face...420077218.html
    19 Dec 2012 - "There are various Facebook spams doing the rounds pointing to a variety of malware sites on 46.249.58.211 and 84.200.77.218, for example:
    From: FB.Team
    Sent: 19 December 2012 14:30
    Subject: Re-activate account
    Hi [redacted],
    Your account has been blocked due to spam activity.
    To verify account, please follow this link:
    http ://www.facebook .com/confirmemail.php?e=[redacted]
    You may be asked to enter this confirmation code: [redacted]
    The Facebook Team
    Didn't sign up for Facebook? Please let us know.


    46.249.58.211 (Serverius Holding, Netherlands)...
    84.200.77.218 (Misterhost, Germany)...
    GFI has some more details on this one here*."
    * http://gfisoftware.tumblr.com/post/3...-spam-activity
    Your Facebook Account is Blocked due to Spam Activity
    Dec 19, 2012
    ___

    Fake ‘Change Facebook Color Theme’ events lead to rogue Chrome extensions
    - http://blog.webroot.com/2012/12/19/f...me-extensions/
    Dec 19, 2012 - "Cybercriminals have recently launched a privacy-violating campaign spreading across Facebook in an attempt to trick Facebook’s users into installing a rogue Chrome extension. Once installed, it will have access to all the data on all web sites, as well as access to your tabs and browsing history...
    Sample screenshot of one of the few currently active Facebook Events promoting the rogue Chrome extension:
    > https://webrootblog.files.wordpress....sion.png?w=702
    The campaign is relying on automatically registered Tumblr accounts, where the actual redirection takes place. Users are exposed to the following page, enticing them into changing their Facebook color theme:
    > https://webrootblog.files.wordpress....ng?w=477&h=289
    Once users accept the EULA and Privacy Policy, they will become victims of the privacy-violating Chrome extension:
    > https://webrootblog.files.wordpress....ng?w=555&h=355
    ... the cybercriminals behind the campaign not only hosted it on Amazon’s cloud, they also featured it in Chrome’s Web Store:
    > https://webrootblog.files.wordpress....ng?w=614&h=324
    In case users choose -not- to accept the EULA and the Privacy Policy, the cybercriminals behind the campaign will once again attempt to monetize the hijacked Facebook traffic by asking them to participate in surveys, part of CPA (Cost-Per-Action) affiliate network, earning -them- money:
    > https://webrootblog.files.wordpress....ng?w=554&h=310
    ... Users are advised to be extra cautious when accepting EULAs and Privacy Policies, in particular when installing browser extensions that have the capacity to access sensitive and personally identifiable data on their PCs..."
    ___

    Google Docs SPAM/PHISH...
    - https://isc.sans.edu/diary.html?storyid=14731
    Last Updated: 2012-12-19 - "... Scams where the attacker's data-collection form resides at a Google Docs (now Google Drive) are especially difficult to warn users about. After all, the malicious webpage resides at the -trusted- google .com domain. The effect is especially severe for organizations using Google Apps as a collaboration platform... such scams aren't going away any time soon..."
    > F-secure: http://www.f-secure.com/weblog/archives/00002168.html
    > GFI: http://www.gfi.com/blog/google-docs-phishing/
    > Sophos: http://nakedsecurity.sophos.com/2012...m-google-docs/
    ... Recipients who clicked the "CLICK HERE" link were directed to the following "IT HELPDESK SERVICE" page, which prompted for logon credentials that the attacker wanted to capture...
    > https://isc.sans.edu/diaryimages/ima...-service-3.png
    ... The attacker was likely using a -compromised- Google Apps account of another organization to create a Google Docs spreadsheet and expose its data entry form... Avoid clicking on email links when you need to take important actions that require logging in. Relying on a previously-saved bookmark is safer..."
    ___

    LinkedIn Spam: The Repeat
    - http://www.gfi.com/blog/linkedin-spam-the-repeat/
    Dec 19, 2012 - "Another slew of spam claiming to originate from LinkedIn has hit the wild Internet in less than 24 hours, according* to the real time recording and tracking of email threats by our researchers in the AV Labs.
    * http://gfisoftware.tumblr.com/post/3...n-spam-returns
    ... Here’s what the email looks like:
    > http://www.gfi.com/blog/wp-content/u...In_1218-wm.png
    From: {bogus email address}
    To: {random}
    Subject: Join my network on LinkedIn
    Message body:
    {redacted} has indicated you are a Friend
    I’d like to add you to my professional network on LinkedIn.
    [Allow button] View invitation from {redacted}
    WHY MIGHT CONNECTING WITH {redacted} BE A GOOD IDEA?
    {redacted} connections could be useful to you
    After accepting {redacted} invitation, check {redacted} connections to see who else you may know and who you might want an introduction to. Building these connections can create opportunities in the future.

    Clicking the Allow button or the link on the message body directs users to several Web pages of compromised sites, which all look like this:
    > http://www.gfi.com/blog/wp-content/u...wm-300x105.png
    This page laced with the Blackhole Exploit Kit code then auto-redirects users to a Russian website where the Cridex info-stealer payload can be downloaded.
    > http://www.gfi.com/blog/wp-content/u...wm-300x131.png
    when in doubt, users should simply visit their LinkedIn pages and check their profile mailbox for invites..."
    ___

    Wire Transfer SPAM / angelaonfl .ru
    - http://blog.dynamoo.com/2012/12/wire...elaonflru.html
    19 Dec 2012 - "This fake Wire Transfer spam leads to malware on angelaonfl .ru:
    Date: Wed, 19 Dec 2012 11:26:24 -0500
    From: "Myspace" [noreply @message .myspace .com]
    Subject: Wire Transfer (3014YZ20)
    Welcome,
    Your Wire Transfer Amount: USD 45,429.29
    Transfer Report: View
    EULALIA Henry,
    The Federal Reserve Wire Network


    The malicious payload is at [donotclick]angelaonfl .ru:8080/forum/links/column.php hosted on the following IPs:
    91.224.135.20 (Proservis UAB, Lithuania)
    210.71.250.131 (Chunghwa Telecom, Taiwan)
    217.112.40.69 (Utransit, UK)
    The following domains and IPs are all related and should be blocked if you can:
    91.224.135.20
    210.71.250.131
    217.112.40.69
    ..."
    (More detail at the dynamoo URL above.)
    ___

    Threat Outbreak Alerts
    - http://tools.cisco.com/security/cent...utbreak.x?i=77
    Home > Security Intelligence Operations > Latest Threat Information > Threat Outbreak Alerts
    Fake Order Request E-mail Messages - December 19, 2012
    Fake Party Invitation E-mail Messages - December 19, 2012
    Fake Sample Product Quote E-mail Messages - December 19, 2012
    Fake Scanned Image E-mail Messages - December 19, 2012
    Fake Unspecified E-mail Messages - December 18, 2012
    Fake Payment Invoice E-mail Messages - December 18, 2012
    Fake Funds Transfer Notification E-mail Message - December 18, 2012
    Fake Airline Ticket Order Notification E-mail Messages - December 18, 2012
    Fake Product Order Quotation Attachment E-mail Message - December 18, 2012
    Fake Tax Invoice E-mail Messages - December 18, 2012
    Fake Order Invoice Notification E-mail Messages - December 18, 2012
    Fake Sales Request E-mail Messages - December 18, 2012 ...

    Last edited by AplusWebMaster; 2012-12-20 at 05:27.
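    An added example (not from the dynamoo post or this thread) of putting the recommended blocklist above to work: a short Python script that reads the mixed IP/CIDR/domain list exactly as published, normalises the 79.133.196.97/27 entry to its network address 79.133.196.96/27 (a /27 cannot start at .97), and checks the destination host of each proxy-log line against it, treating subdomains of mooo .com, ez .lv and zyns .com as hits while leaving look-alikes such as zyns.com.example.net alone. The log lines are constructed for this example; the Squid-style field layout and the client addresses are assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# The blocklist exactly as published in the post above (dynamoo, 19 Dec 2012).
# Note the third entry: 79.133.196.97/27 is a host address, not a network
# address; parse_blocklist() normalises it to 79.133.196.96/27.
BLOCKLIST_TEXT = """
46.105.131.120/29
82.103.140.100
79.133.196.97/27
mooo .com
ez .lv
zyns .com
"""


def parse_blocklist(text):
    """Split a mixed IP / CIDR / domain list into (networks, domain_suffixes).

    Domains are written defanged ("mooo .com"); the space is removed. A bare
    IP becomes a /32 network. A domain entry covers the apex and every subdomain.
    """
    networks, suffixes = [], set()
    for raw in text.splitlines():
        entry = raw.strip().replace(" ", "")
        if not entry:
            continue
        try:
            # strict=False accepts a host address with a prefix length and
            # returns the enclosing network instead of raising ValueError.
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            suffixes.add(entry.lower().rstrip("."))
    return networks, suffixes


def host_is_blocked(host, networks, suffixes):
    """True if host is a listed IP, inside a listed CIDR, or a listed domain/subdomain."""
    host = host.lower().rstrip(".")
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        labels = host.split(".")
        # Walk up the name: a.b.mooo.com -> b.mooo.com -> mooo.com -> com.
        # Matching whole labels avoids a false hit on e.g. notmooo.com.
        return any(".".join(labels[i:]) in suffixes for i in range(len(labels)))
    return any(addr in net for net in networks)


# Constructed Squid-style proxy log (timestamp, client, status, bytes, method, URL).
# Only the hostnames and addresses come from the post; everything else is made up.
SAMPLE_LOG = """
1355900000.123 10.0.0.7 TCP_MISS/200 1240 GET http://update.fakeav.mooo.com/scandsk.exe
1355900001.456 10.0.0.7 TCP_MISS/200 8802 GET http://82.103.140.100/install/
1355900002.789 10.0.0.9 TCP_MISS/200 5120 GET http://79.133.196.105/setup.php
1355900003.012 10.0.0.9 TCP_MISS/200 3301 GET http://46.105.131.123/find
1355900004.345 10.0.0.11 TCP_MISS/200 2210 GET http://example.org/index.html
1355900005.678 10.0.0.11 TCP_MISS/200 9991 GET http://zyns.com.example.net/
"""


def blocked_requests(log_text, blocklist_text=BLOCKLIST_TEXT):
    """Return (client, url) for every log line whose destination host is on the blocklist."""
    networks, suffixes = parse_blocklist(blocklist_text)
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue
        client, url = fields[1], fields[5]
        host = urlsplit(url).hostname or ""
        if host_is_blocked(host, networks, suffixes):
            hits.append((client, url))
    return hits


if __name__ == "__main__":
    for client, url in blocked_requests(SAMPLE_LOG):
        print(f"{client} -> {url}")
```

    The same parse_blocklist() output can be fed to a firewall or DNS RPZ generator; the point of the suffix walk is that blocking "mooo .com" as the post recommends means blocking every host under it, which a plain string-equality match would miss.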

  8. #88 AplusWebMaster (Adviser Team)

    Fake Citi/Sendspace emails ...

    FYI...

    Fake ‘Citi Account Alert’ emails lead to BlackHole Exploit Kit
    - http://blog.webroot.com/2012/12/20/f...e-exploit-kit/
    Dec 20, 2012 - "Cybercriminals are currently mass mailing hundreds of thousands of emails impersonating Citi, using -two- different professionally looking email templates. Upon clicking on any of the links found in the malicious emails, users are exposed to the client-side exploits served by the latest version of the BlackHole Exploit Kit...
    Sample screenshot of the first spamvertised template:
    > https://webrootblog.files.wordpress....xploit_kit.png
    Sample screenshot of the second spamvertised template:
    > https://webrootblog.files.wordpress....oit_kit_01.png
    Sample client-side exploits serving URLs:
    hxxp ://eaglepointecondo .biz/detects/operation_alert_login.php – 59.57.247.185
    Name Server: NS1.AMISHSHOPPE.NET – 209.140.18.37 – Email: solaradvent @yahoo .com
    Name Server: NS2.AMISHSHOPPE.NET – 211.27.42.138 – Email: solaradvent @yahoo .com
    hxxp ://platinumbristol .net/detects/alert-service.php – 59.57.247.185
    Name Server: NS1.AMISHSHOPPE.NET – 209.140.18.37 – Email: solaradvent @yahoo .com
    Name Server: NS2.AMISHSHOPPE.NET – 211.27.42.138 – Email: solaradvent @yahoo .com
    Upon successful client-side exploitation, the campaign drops MD5: b360fec7652688dc9215fd366530d40c * ... Worm:Win32/Cridex.E.
    Once executed, the sample performs the following activities:
    Accesses Firefox’s Password Manager local database
    Creates a thread in a remote process
    Installs a program to run automatically at logon
    It creates the following Registry Keys:
    HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CFBDC89D4
    HKEY_CURRENT_USER\Software\Microsoft\Windows NT\S25BC2D7B
    With the following value:
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    KB00121600.exe = "%AppData%\KB00121600.exe"
    It then creates the following Mutexes:
    Local\XMM000003F8
    Local\XMI000003F8
    Local\XMRFB119394
    Local\XMM000005E4
    Local\XMI000005E4
    Local\XMM0000009C
    Local\XMI0000009C
    Local\XMM000000C8
    Local\XMI000000C8
    It also drops the following MD5s:
    MD5: 9e7577dc5d0d95e2511f65734249eba9
    MD5: 61bb88526ff6275f1c820aac4cd0dbe9
    MD5: b360fec7652688dc9215fd366530d40c
    MD5: f6ee1fcaf7b87d23f09748cbcf5b3af5
    MD5: d7a950fefd60dbaa01df2d85fefb3862
    MD5: ed662e73f697c92cd99b3431d5d72091
    It then phones back to 209.51.221.247/AJtw/UCyqrDAA/Ud+asDAA. We’ve already seen the same command and control server used in the following previously profiled malicious campaigns..."
    * https://www.virustotal.com/file/2226...fc10/analysis/
    File name: readme.exe
    Detection ratio: 32/45
    Analysis date: 2012-12-20
    ___

    Sendspace "You have been sent a file" SPAM / apendiksator .ru
    - http://blog.dynamoo.com/2012/12/send...file-spam.html
    20 Dec 2012 - "This fake Sendspace spam leads to malware on apendiksator .ru:
    Date: Thu, 20 Dec 2012 09:25:36 -0300
    From: "SHIZUKO Ho"
    Subject: You have been sent a file (Filename: [redacted]-28.pdf)
    Sendspace File Delivery Notification:
    You've got a file called [redacted]-6110219.pdf, (286.58 KB) waiting to be downloaded at sendspace.(It was sent by SHIZUKO Ho).
    You can use the following link to retrieve your file:
    Download Link
    The file may be available for a limited time only.
    Thank you,
    sendspace - The best free file sharing service.
    Please do not reply to this email. This auto-mailbox is not monitored and you will not receive a response.
    ===
    Date: Thu, 20 Dec 2012 05:05:02 +0100
    From: "GENNIE Hensley"
    Subject: You have been sent a file (Filename: [redacted]-7123391.pdf)
    Sendspace File Delivery Notification:
    You've got a file called [redacted]-38335.pdf, (282.44 KB) waiting to be downloaded at sendspace.(It was sent by GENNIE Hensley).
    You can use the following link to retrieve your file:
    Download Link
    The file may be available for a limited time only.
    Thank you,
    sendspace - The best free file sharing service.
    Please do not reply to this email. This auto-mailbox is not monitored and you will not receive a response.


    The malicious payload is at [donotclick]apendiksator .ru:8080/forum/links/column.php hosted on:
    91.224.135.20 (Proservis UAB, Lithuania)
    187.85.160.106 (Ksys Soluções Web, Brazil)
    210.71.250.131 (Chunghwa Telecom, Taiwan)
    These IPs and domains are all related and should be blocked:
    91.224.135.20
    187.85.160.106
    210.71.250.131
    afjdoospf .ru
    angelaonfl .ru
    akionokao .ru
    apendiksator .ru
    ..."
    ___

    "New message" SPAM, fake dating sites and libertymonings .info
    - http://blog.dynamoo.com/2012/12/new-...sites-and.html
    20 Dec 2012 - "This "New message" themed spam leads to both a fake anti-virus page and a Java exploit on the domains site-dating2012 .asia and libertymonings .info. There's some cunning trickery going on here too. First of all, let's start with some spam examples:
    Date: Thu, 20 Dec 2012 20:50:17 -0200
    From: "SecureMessage System" [2F5DEE622 @hungter .com]
    Subject: New message
    Click here to view the online version.
    New private message from Terra Fisher received.
    Total unread messages: 5
    [ Read now ]
    Copyright 2012 SecureMessage System. All rights reserved.
    If you would like to update your profile or unsubscribe, please click here.
    PLEASE DO NOT REPLY TO THIS MESSAGE.
    If you require Technical Support, please check Support Center for information.
    -------------------------
    Date: Thu, 20 Dec 2012 20:36:14 -0200
    From: "Secure Message" [82E8ACBD @lipidpanel .com]
    Subject: New message
    Click here to view the online version.
    New private message from Josefina Albert received.
    Total unread messages: 3
    [ Read now ]
    Copyright 2012 SecureMessage System. All rights reserved.
    If you would like to update your profile or unsubscribe, please click here.
    PLEASE DO NOT REPLY TO THIS MESSAGE.
    If you require Technical Support, please check Support Center for information.


    In these cases, the target URLs are [donotclick]site-dating2012c .asia/link.php and [donotclick]site-dating2012 .asia/link.php both hosted on 46.249.42.161 (Serverius Holding, Netherlands) and pretty much the same as the ones found a couple of days ago hiding out on 46.249.58.211 (also at Serverius Holding). These look like dating URLs, so you might assume that they are either a) a legitimate dating site or b) just some dating spam rather than malware. In any case, appearances are deceptive and it leads to a fake AV site that seems to be very similar to this one. The deception goes a little deeper, because the link.php pages even forward through a fake affiliate-style link such as [donotclick]best-dating2010 .info/?affid=00110&promo_type=5&promo_opt=1 before they get to the fake anti-virus page. The site also contains an apparent Java exploit that loads in from libertymonings .info on 84.200.77.218 (Misterhost, Germany) which was also used in this attack. The malicious code is found at the page [donotclick]libertymonings .info/index/zzz/?a=YWZmaWQ9MDAxMTA= which attempts to download a Java exploit from [donotclick]libertymonings .info/analizator_data/ztsvgnvlmhe-a.qsypes.jar which is pretty thinly detected according to VirusTotal*.
    The following IPs and domains are all related and should be blocked if you can:
    46.249.42.161
    46.249.58.211
    84.200.77.218
    ..."
    * https://www.virustotal.com/file/7785...is/1356045558/
    File name: ztsvgnvlmhe-a.qsypes.jar
    Detection ratio: 6/45
    Analysis date: 2012-12-20

    Last edited by AplusWebMaster; 2012-12-21 at 03:59.
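    An added example (not from the Webroot write-up or this thread) showing how to check a registry export for the Cridex persistence artifacts listed above: it parses a .reg file and flags Run values that launch an executable sitting directly in %AppData% (the Roaming root, no vendor folder) with the KB<8 digits>.exe name, plus subkeys directly under HKCU\Software\Microsoft\Windows NT whose names follow the one-letter-plus-eight-hex-digits shape of CFBDC89D4 and S25BC2D7B. The .reg text is constructed for this example, and the letter-plus-hex pattern is a heuristic derived from the two key names in the post, not a documented Cridex signature.

```python
import re

# Constructed .reg export mirroring the artifacts listed above. Real exports
# (reg export ...) are UTF-16 with a BOM; open them with encoding="utf-16".
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"KB00121600.exe"="\"C:\\Users\\victim\\AppData\\Roaming\\KB00121600.exe\""
"OneDrive"="\"C:\\Users\\victim\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion]
"Hidden"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CFBDC89D4]
"0"=hex:01,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\S25BC2D7B]
'''

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
WINNT_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT"

# Heuristic derived from the two key names in the post (CFBDC89D4, S25BC2D7B):
# one upper-case letter followed by eight hex digits. Not a documented signature.
RANDOM_SUBKEY = re.compile(r"^[A-Z][0-9A-F]{8}$")

# An executable dropped straight into %AppData% (Roaming root, no vendor
# folder) with the KB<8 digits>.exe name the sample used.
APPDATA_ROOT_EXE = re.compile(r"\\AppData\\Roaming\\KB\d{8}\.exe$", re.IGNORECASE)

# "name"=<data>; the name may contain \" and \\ escapes.
_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def parse_reg(text):
    r"""Parse a .reg export into {key_path: {value_name: data}}.

    String data ("...") has its \\ and \" escapes removed; dword:/hex: data is kept raw.
    """
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            m = _VALUE_LINE.match(line)
            if not m:
                continue
            name, data = m.group(1), m.group(2)
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                data = re.sub(r"\\(.)", r"\1", data[1:-1])
            keys[current][name] = data
    return keys


def exe_path(command):
    """Return the executable path from a Run value, quoted or not, dropping any arguments."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def find_cridex_artifacts(reg_text):
    """Return (kind, name, location) for each Run value or Windows NT subkey matching the IOCs above."""
    keys = parse_reg(reg_text)
    findings = []
    for name, data in keys.get(RUN_KEY, {}).items():
        path = exe_path(data)
        if APPDATA_ROOT_EXE.search(path):
            findings.append(("run-value", name, path))
    prefix = WINNT_KEY + "\\"
    for key in keys:
        if key.startswith(prefix):
            sub = key[len(prefix):]
            # Only direct children of Windows NT; legitimate ones are names like CurrentVersion.
            if "\\" not in sub and RANDOM_SUBKEY.match(sub):
                findings.append(("random-subkey", sub, key))
    return findings


if __name__ == "__main__":
    for kind, name, where in find_cridex_artifacts(SAMPLE_REG):
        print(f"{kind:14} {name:16} {where}")
```

    Because the dropper name and the two key names are per-sample, the useful part of the check is the shape (an executable launched straight out of the %AppData% root, and eight-hex-digit subkeys where Windows only puts readable names), not the literal strings; the MD5s in the post are only good for this one sample.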

  9. #89 AplusWebMaster (Adviser Team)

    ProfileSpy / Fake Citi emails...

    FYI...

    Malware sites to block 21/12/12
    - http://blog.dynamoo.com/2012/12/malw...ck-211212.html
    21 Dec 2012 - "There are a series of malware domains on 91.201.215.173 apparently using a Java and PDF exploit to infect visitors. The infection mechanism appears to be coming from an unidentified ad running on the centerblog .net blogging system (I think specifically [donotclick]zezete2.centerblog .net/i-247-136-1356095651.html).
    The malware URLs are quite lengthy and appear to be resistant to analysis, in the attack I have seen the following URLs were in use (don't visit these sites, obviously)
    [donotclick]svwlekwtaign.avigorstats .pro/nfzU990ANRE02JVS0Qk7s0jYN40nDNx0dbn217t
    [break]Yy0jp8q0NKcl0kgxI0L8Gt15rue0vRer0M2Lr0fIED/
    [donotclick]mcruxdufxwnp.avigorstats .pro/nfzU990ANRE02JVS0Qk7s0jYN40nDNx0dbn217t
    [break]Yy0jp8q0NKcl0kgxI0L8Gt15rue0vRer0M2Lr0fIED/
    [break]indicated where I've added a linebreak to get it to fit on the page, remove that and the linebreak for a valid URL.
    avigorstats .pro and its subdomains are hosted on 91.201.215.173 (PS Internet Company Ltd, Kazakhstan), but this is just the tip of a -huge- iceberg of malicious IPs and domains that are all interconnected.
    Let's start with my personal recommended blocklist. If you are in Russia or Ukraine then you might want to be a bit more conservative with the Russian netblocks and refer to the raw IP list below (there's one list with ISPs listed, one plain one for copy and pasting)..
    Recommended blocklist (annotated)...
    Recommended blocklist (Plain list)..."
    (Too long to post here - see the dynamoo URL above - great list to use!)
    ___

    Profile Spy...
    - http://www.gfi.com/blog/profile-spy-...an-apocalypse/
    Dec 21, 2012 - "... Profile Spy, a once viral scam on Facebook and Twitter that entices users to check out who has been viewing their profiles. Today, on the eve of the rumored 'EoW', it has decided to rear its ugly head once more... the criminals behind it have used a number of tactics to make users hand over their credentials or give them money — like asking users to “Like” their page, answer surveys and copy and paste a code into the address bar. This time, the scammers have used a lot of elements in this effort. One is Facebook, the other two are Tumblr and the Google Chrome Web Store. This scam starts off as a Facebook event invitation spammed to random users who are part of the mark’s network, a social engineering tactic already done in the past. Since the “event” is public, anyone can visit the page if the URL is shared... Visiting any of the links on the comment posted on the page leads users to a Tumblr profile. Clicking “Get it here” then leads users to a similar looking page, which is using Amazon‘s web service, where they can download the Facebook Profile Spy v2.0 for the Google Chrome Internet browser... This rogue extension, once installed, is capable of doing three things: firstly, it updates the mark’s Facebook status by sharing an image and commenting on it — secondly, the extension displays a fake “security CAPTCHA check” pop-up window where the mark can fill in names of persons in his/her network. This then results in the creation of the Profile Spy “event” invitation... [UPDATE: Google has now taken down the Profile Spy page on the Chrome Web Store.] Watch that mouse pointer... careful where you direct and click it."
    (Screenshots and more info available at the gfi URL above.)
    ___

    Fake ‘Citi Account Alert’ emails lead to BlackHole Exploit Kit
    - http://blog.webroot.com/2012/12/21/f...e-exploit-kit/
    Dec 21, 2012 - "Cybercriminals are currently mass mailing hundreds of thousands of emails impersonating Citi, using -two- different professionally looking email templates. Upon clicking on any of the links found in the malicious emails, users are exposed to the client-side exploits served by the latest version of the Black Hole Exploit Kit...
    Sample screenshot of the first spamvertised template:
    > https://webrootblog.files.wordpress....xploit_kit.png
    Sample screenshot of the second spamvertised template:
    > https://webrootblog.files.wordpress....oit_kit_01.png
    ... Sample client-side exploits serving URLs:
    hxxp ://eaglepointecondo .biz/detects/operation_alert_login.php – 59.57.247.185
    Name Server: NS1.AMISHSHOPPE .NET – 209.140.18.37 – Email: solaradvent @yahoo .com
    Name Server: NS2.AMISHSHOPPE .NET – 211.27.42.138 – Email: solaradvent @yahoo .com
    hxxp ://platinumbristol .net/detects/alert-service.php – 59.57.247.185
    Name Server: NS1.AMISHSHOPPE .NET – 209.140.18.37 – Email: solaradvent @yahoo .com
    Name Server: NS2.AMISHSHOPPE .NET – 211.27.42.138 – Email: solaradvent @yahoo .com
    Upon successful client-side exploitation, the campaign drops MD5: b360fec7652688dc9215fd366530d40c * ... Worm:Win32/Cridex.E.
    Once executed, the sample performs the following activities:
    Accesses Firefox’s Password Manager local database
    Creates a thread in a remote process
    Installs a program to run automatically at logon ...
    Responding to 59.57.247.185 are also the following malicious domains..."
    (More detail at the webroot URL above.)
    * https://www.virustotal.com/file/2226...fc10/analysis/
    File name: readme.exe
    Detection ratio: 32/45
    Analysis date: 2012-12-20
    ___

    ‘Work at Home’ scams impersonating CNBC spotted in the wild
    - http://blog.webroot.com/2012/12/21/s...d-in-the-wild/
    Dec 21, 2012 - "... a currently circulating “Work At Home” scam that’s successfully and professionally impersonating CNBC in an attempt to add more legitimacy to its market proposition – the Home Business System...
    Sample screenshot of the spamvertised email impersonating CNBC:
    > https://webrootblog.files.wordpress....me_scam_01.png
    Sample screenshot of the fake CNBC news article detailing the success of the Home Business System:
    > https://webrootblog.files.wordpress...._home_scam.png
    No matter where you click, you’ll always be redirected to the Home Business System.
    Sample bogus statistics sent by customers of the system:
    > https://webrootblog.files.wordpress....me_scam_02.png
    What’s particularly interesting about this campaign is the way the scammers process credit card details. They do it internally, not through a payment processing intermediary, using basic SSL encryption, featuring fake “Site Secured” logos, including one that’s mimicking the “VeriSign Secured” service. Although the SSL certificate is valid, the fact that they even require your CVV/CVV2 code, without providing adequate information on how they store and actually process the credit card numbers in their possession, is enough to make you extremely suspicious.
    Sample spamvertised URLs:
    hxxp ://5186d4d1.livefreetimenews .com/
    hxxp ://5f4a8abae0.get-more-news .com/
    Domains participating in the campaign:
    worldnewsyesterday .com – Email: johnjbrannigan @teleworm .us
    worldnewsimportant .com – Email: johnjbrannigan @teleworm .us
    hbs-system .com – Email: cinthiaheimbignerupbg @hotmail .com
    Historically, the following domains were also used in a similar fashion:
    homeworkhere .com – Email: zoilaprni4d @yahoo .com
    lastnewsworld .com – Email: shirleysmith57 @yahoo .com
    homecompanysystem .com – Email: deloristrevertonef53 @yahoo .com
    > https://webrootblog.files.wordpress....me_scam_04.png
    Users are advised -not- to click on links found in spam emails, and to never entrust their credit card details to someone who’s spamvertising you using the services of some of the most prolific botnets currently online."

    Last edited by AplusWebMaster; 2012-12-22 at 04:04.

  10. #90 AplusWebMaster (Adviser Team)

    "New msg rc'vd" SPAM - 22 Dec 2012

    FYI...

    "New message received" SPAM / siteswillsrockf .com and undering .asia
    - http://blog.dynamoo.com/2012/12/new-...ived-spam.html
    22 Dec 2012 - "This malicious spam run is part of this large cluster of malicious sites that I wrote about yesterday ( http://blog.dynamoo.com/2012/12/malw...ck-211212.html ).
    Date: Sat, 22 Dec 2012 16:55:38 +0300
    From: "Secure.Message" [FAA55EEEE @valencianadeparketts .es]
    Subject: New message received
    Click here to view the online version.
    Hello [redacted],
    You have 5 new messages.
    Read now
    Copyright 2012 SecurePrivateMessage. All rights reserved.
    If you would like to update your profile or unsubscribe, please click here.
    PLEASE DO NOT REPLY TO THIS MESSAGE.
    If you require Technical Support, please check Support Center for information.


    Unlike most recent campaigns where the first link in the email is a legitimate but hacked site, this one links directly to a malware server at [donotclick]undering .asia/link.php?login.aspx=[emailaddress]&id=[redacted] with a link that features the email address as part of the URL (presumably to confirm that the address is live). The next step is a redirector link at [donotclick]undering .asia/?affid=00110&promo_type=5&promo_opt=1 which loads a fake anti-virus page, and then it attempts to download a Java exploit from [donotclick]siteswillsrockf .com/?a=YWZmaWQ9MDAxMTA=
    undering .asia is hosted on 46.249.42.161, and siteswillsrockf .com on 46.249.42.168. Seeing two malicious sites so closely together indicates that there is a problem with the netblock, so having a closer look at those IPs shows:
    inetnum: 46.249.42.0 - 46.249.42.255 ...
    The block 46.249.42.0/24 seems to have been suballocated to an unidentified customer of Serverius* who have a long history of badness in their IP ranges. Based on this, I would suggest that you add the 46.249.42.0/24 range to your blocklist to prevent other unidentified malicious servers in this block from being a problem.
    There are lots of other suspect domains on these two IPs as well:
    46.249.42.161 ...
    46.249.42.168 ..."
    (Too many to post here - see the dynamoo URL above for more detail.)
    * https://www.google.com/safebrowsing/...?site=AS:50673

    Last edited by AplusWebMaster; 2012-12-23 at 00:02.
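    An added example (not from dynamoo, Webroot or this thread) of detecting the two URL shapes that recur across the posts above instead of chasing the daily-rotating domains: the BlackHole landing path on port 8080 (apensiona .ru, angelaonfl .ru, apendiksator .ru and amnaosogo .ru all serve :8080/forum/links/column.php) and the fake-AV chain link.php (carrying the recipient's address) -> ?affid=...&promo_type=... -> ?a=<base64>, where the value YWZmaWQ9MDAxMTA= seen on both libertymonings .info and siteswillsrockf .com decodes to affid=00110, the same affiliate id the clear-text redirector carries. The proxy-log lines are constructed for this example; the field layout, the client addresses and the id=123 value are assumptions.

```python
import base64
import binascii
from urllib.parse import parse_qs, urlsplit


def decode_affid_param(value):
    """Decode the ?a=<base64> parameter and return its text, or None if it is not clean base64/ASCII.

    The post's own value, YWZmaWQ9MDAxMTA=, decodes to "affid=00110".
    """
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def classify_url(url):
    """Tag a URL by the infrastructure-level signatures from the posts above.

    Returns (tag, detail) or None:
      blackhole-landing : port 8080 + /forum/links/column.php, whatever the domain
      fakeav-entry      : link.php whose query carries the recipient's e-mail address
      fakeav-redirector : the affid=...&promo_type=... affiliate hop
      fakeav-exploit    : ?a=<base64> decoding to an affid=... string
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    try:
        port = parts.port
    except ValueError:  # malformed port in the log line
        port = None
    query = parse_qs(parts.query)

    if port == 8080 and parts.path == "/forum/links/column.php":
        return ("blackhole-landing", host)

    if parts.path.endswith("/link.php"):
        for values in query.values():
            for v in values:
                if "@" in v:
                    return ("fakeav-entry", v)

    if "affid" in query and "promo_type" in query:
        return ("fakeav-redirector", "affid=" + query["affid"][0])

    for v in query.get("a", []):
        decoded = decode_affid_param(v)
        if decoded and decoded.startswith("affid="):
            return ("fakeav-exploit", decoded)
    return None


# Constructed proxy log (timestamp, client, method, URL). Hostnames and paths
# are the ones from the posts; clients, timestamps and id=123 are made up.
SAMPLE_LOG = """\
1356000000.001 10.0.0.5 GET http://apensiona.ru:8080/forum/links/column.php
1356000001.002 10.0.0.5 GET http://www.linkedin.com/
1356000002.003 10.0.0.8 GET http://undering.asia/link.php?login.aspx=bob%40example.org&id=123
1356000003.004 10.0.0.8 GET http://undering.asia/?affid=00110&promo_type=5&promo_opt=1
1356000004.005 10.0.0.8 GET http://siteswillsrockf.com/?a=YWZmaWQ9MDAxMTA=
1356000005.006 10.0.0.8 GET http://libertymonings.info/analizator_data/ztsvgnvlmhe-a.qsypes.jar
1356000006.007 10.0.0.12 GET http://example.com/forum/links/column.php
"""


def scan_log(text):
    """Return (client, tag, detail) for every log line that matches one of the signatures."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        client, url = fields[1], fields[3]
        tag = classify_url(url)
        if tag:
            hits.append((client,) + tag)
    return hits


if __name__ == "__main__":
    for client, tag, detail in scan_log(SAMPLE_LOG):
        print(f"{client:10} {tag:18} {detail}")
```

    The column.php rule deliberately keys on port and path only, so a new .ru domain tomorrow still trips it; the last sample line (same path on port 80) is left alone to keep the rule from firing on ordinary forum software. The base64 decode is validated before use, since any site may have a query parameter named a.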
