
Thread: SPAM frauds, fakes, and other MALWARE deliveries - archive

  1. #11
    Adviser Team AplusWebMaster (Join Date: Oct 2005; Location: USA; Posts: 6,881)

    Bogus CNN custom alerts...

    FYI...

    Bogus CNN Custom Alerts
    - http://securitylabs.websense.com/con...erts/3154.aspx
    08.08.2008 - " Websense... has discovered replica CNN Custom Email Alerts being sent out via spam emails. These emails contain links to a legitimate news page, but have been designed to encourage users to download a malicious application posing as a video codec. Over the last few days, the ThreatSeeker Network has seen huge volumes of spam wrapped up in CNN-themed templates - most recently email alerts listing the Daily Top 10 Stories and Videos, which also encouraged users to download a video codec (again a malicious file)... The malicious payload is only accessed when the user clicks on the ‘FULL STORY’ link - the first link behind the story title leads to a legitimate news page hosted on CNN. The news story is a recent article centered around the Beijing Olympics. The ‘FULL STORY’ link takes users to a Web page by the name of cnn****.html. This issues a pop-up encouraging users to download a ‘missing’ video codec, a file called adobe_flash.exe... Our Security Labs have also seen evidence of this campaign and recent others being distributed via blog spam to further increase the chance of success..."

    (Screenshots available at the URL above.)

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #12
    AplusWebMaster

    Yahoo! Messenger fraud...

    FYI...

    IM: Instant Malware... Yahoo! Messenger fraud
    - http://blog.trendmicro.com/instant-malware/
    08.10.2008 - "Instant messaging (IM) applications are popular infection vectors — malware authors are known to use instant messaging platforms to spread malware by sending either malicious files or URLs. Trend Micro researchers have recently witnessed spammed email messages that use the popular IM application Yahoo! Messenger in propagating malware, but in a very different way than previously mentioned... Clicking the Download now link downloads the file msgr8.5us.exe into the affected system. When executed, it drops the following files:
    * mirc.ini - detected by Trend Micro as Mal_Zap
    * csrss.exe - detected by Trend Micro as BKDR_ZAPCHAST.AX
    * sup.exe - detected by Trend Micro as BKDR_MIRCHACK.CE
    For targeted victims which do, in fact, use Yahoo! Messenger, the promised update may prove hard to resist. The same email message even instructs users to pass the news to friends by sending them the source - not very friendly if the supposed update would lead one’s contacts to malware... Downloading from the software vendors themselves still is the safest way to go."

    (Screenshot available at the URL above.)


  3. #13
    AplusWebMaster

    Bogus CNN/MSNBC news...

    FYI...

    Bogus CNN/MSNBC news...
    - http://securitylabs.websense.com/con...erts/3159.aspx
    08.13.2008 - "Websense.... has discovered a new replica wave of 'msnbc.com - BREAKING NEWS' alerts that are being sent out via spam emails. Similar to previous attacks related to 'Bogus CNN Custom Alerts', these emails contain links to a legitimate news page, but are designed to encourage users to download a malicious application posing as a video codec... Over the last few days, the ThreatSeeker Network has seen huge volumes of spam wrapped up in CNN-themed templates - most recently email alerts listing the different popular events and news articles, which also encouraged users to download a video codec, which was actually a malicious file. (The malicious payload is only accessed when the user clicks on the ‘breakingnews.msnbc.com’ link, which takes users to a Web page named up.html. This page issues a pop-up encouraging users to download a ‘missing’ video codec, a file called adobe_flash.exe.)
    Here are a few examples of the varied subjects we have seen in this campaign:
    msnbc.com - BREAKING NEWS: Michael Phelps wins 10th career gold, making him the winningest Olympian in history
    msnbc.com - BREAKING NEWS: China beats out U.S. for gold in women's team gymnastics
    msnbc.com - BREAKING NEWS: Dark Knight establishes dominance with 400 million mark
    msnbc.com - BREAKING NEWS: How to save money on gas
    msnbc.com - BREAKING NEWS: Preliminary polls for the election
    msnbc.com - BREAKING NEWS: McDonald's found to breach FDA regulations, suspended from trading
    msnbc.com - BREAKING NEWS: Jury duties for you
    msnbc.com - BREAKING NEWS: Find out how to get top returns for your money at minimum risk
    msnbc.com - BREAKING NEWS: Abortion outlawed in California
    msnbc.com - BREAKING NEWS: Buy gold at lowest prices and make immediate profits
    msnbc.com - BREAKING NEWS: Anthrax case solved
    msnbc.com - BREAKING NEWS: Arsenal buys Ronaldo from Man Utd
    msnbc.com - BREAKING NEWS: Too much freedom will destroy America
    msnbc.com - BREAKING NEWS: Copycat murderer beheads woman on Greyhound bus
    msnbc.com - BREAKING NEWS: NASDAQ index gains 720 points overnight upon war announcement
    msnbc.com - BREAKING NEWS: Sony announces replacement to successful PSP gaming system
    msnbc.com - BREAKING NEWS: Americans loves to sue people
    msnbc.com - BREAKING NEWS: Please give your opinions for change
    msnbc.com - BREAKING NEWS: Sandwich recall amid Salmonella outbreak ..."
    (Screenshots available at the Websense URL above.)


    - http://www.f-secure.com/weblog/archives/00001485.html
    August 13, 2008 - "...Apparently people stopped clicking on -fake- CNN links as today the attackers switched the mails to look like they are now coming from MSNBC..."

    CNN and MSNBC Olympic spoof emails - 5 million spam messages per hour
    - http://securitylabs.websense.com/con...logs/3160.aspx
    08.14.2008

    Last edited by AplusWebMaster; 2008-08-15 at 12:07. Reason: Added F-secure and 2nd Websense link...

  4. #14
    AplusWebMaster

    Trojan CME-711 - new -drive-by- wave on the web...

    FYI...

    - http://preview.tinyurl.com/5wqxqt
    08-14-2008 (Symantec Security Response Blog) - "...With infections dating back to January 2007 and a P2P structure largely unchanged in about a year, Peacomm continues to evolve and infect new hosts. In early August our honeypots began capturing a new version of Peacomm. This iteration has been relatively low key as it propagates via users visiting infected Web sites, rather than by spam. Although Peacomm has been distributed via infected Web sites in the past, they were usually Web sites that were spammed to users as opposed to relying on drive-by downloading to gather its new recruits. The attack toolkit used to install Peacomm in these drive-by attacks has changed as well. The infection begins with a user visiting an infectious Web site, which silently -redirects- the user to hostile content on a set of registered domains via an IFRAME. At this point, Kallisto TDS will serve a set of exploits against the victim. These include Acrobat PDF CollectEmailInfo*, ANI Header Size**, and MDAC***..."

    * http://www.securityfocus.com/bid/27641/solution

    ** http://www.securityfocus.com/bid/23194/info - MS07-017

    *** http://www.securityfocus.com/bid/17462 - MS06-014

    > AKA CME-711 - http://cme.mitre.org/data/list.html#711


  5. #15
    AplusWebMaster

    More "Breaking News..." SPAM and MALWARE...

    FYI...

    - http://isc.sans.org/diary.html?storyid=4913
    Last Updated: 2008-08-17 21:43:58 UTC - "The spoofed CNN and MSNBC messages from last week have altered a bit, taking on a more generic approach. The subject of the message is still: BREAKING NEWS. Michael has been tracking these botnets for a while, his work is available here: http://www.vivtek.com/projects/despammed/stormspam.html .
    Like the others, this first stage is a downloader, still reaching out to 66.199.240.138* to get the rest of the goodies. Unlike the previous waves, the first executable is named install.exe instead of adobe_flash.exe..."

    * http://centralops.net/co/DomainDossier.aspx
    canonical name: 66-199-240-138.reverse.ezzi.net.
    Registrant: EZZI.net
    A Service of AccessIT
    75 Broad Street
    Suite 1902
    New York, NY 10004 US
    Domain Name: EZZI.NET


  6. #16
    AplusWebMaster

    Fake FedEx emails

    FYI...

    Fake FedEx emails
    - http://securitylabs.websense.com/con...erts/3161.aspx
    08.18.2008 - "...The notifications claim to be from FedEx and explain that a package sent by the recipient in the past month was not delivered. The message has an attachment claimed to be a copy of the invoice. The attachment is in a zip file but is actually a Trojan Downloader. This spam wave is a continuation of an ongoing theme used in recent months of using a parcel service invoice as the social engineering attack vector..."

    (Screenshot available at the URL above.)


  7. #17
    AplusWebMaster

    Facebook - Viral SPAM...

    FYI...

    Facebook - Viral SPAM
    - http://securitylabs.websense.com/con...logs/3162.aspx
    08.18.2008 - "... We've had to create numerous tools and methods to detect these types of attacks because most Web 2.0 social networking sites are difficult to track due to limited public access to most accounts. Most social networking accounts can only be viewed if the account holder explicitly accepts or requests another account to be added as a "friend". A generic Web crawler and even a search engine Web crawler would not be able to mine the pages on a social networking site due to lack of permission... attacks on Facebook and MySpace are nothing new. There have been continual, targeted Facebook attacks for some time now... A very enticing email was sent to one of our test accounts, letting us know that something had been written about us, and that we'd probably want to read more about it. An average user would probably want to know what was written about them, especially because it's on a public blog such as blogspot. Most users have an enormous amount of trust in their fellow Facebook friends. So, the chances of a user clicking on one of these emails is tremendously high. The attackers in this case were able to legitimately have Facebook send a spam email by compromising an account that the test user was "friends" with, and writing a comment on the test user's wall. Writing on the wall triggered an automatic email to the test user's email account with the message that was written on the wall. So, in this case Facebook wall writing is being used as a mechanism to send spam... this particular attack has been going on for over six months. The phishing URL... was registered in July 2008, but several domains have been used in this ongoing attack. Its nameserver is responsible for a load of other phishing domains, including numerous MySpace phishing pages. Users are clicking on these links manually, either when they receive them in email or read them on their walls. They click on the link, get redirected to a phishing page, and manually input their credentials.
    Attackers are then using their credentials to post manually and perhaps automatically to their wall, as well as their friends' walls, allowing them to spread within the walls of the social networking world. As social networking sites become the place where the majority of Web users are spending the majority of their Internet time, we're going to see more and more MySpace, Facebook, and other social networking attacks. Web 2.0 Web sites open up a huge attack vector to exploit transitive trust. Attackers know it, and are actively taking advantage of it.
    References:
    http://pi3141.wordpress.com/2008/08/...shing-warning/
    http://www.matthewbigelow.com/2008/0...ebook-forgery/
    http://thenextweb.org/2008/08/10/fac...ck-from-china/ "

    (Screenshots available at the Websense URL above.)


  8. #18
    AplusWebMaster

    Photobucket phish...

    FYI... (Screenshot available at the URL below.)

    - http://blog.trendmicro.com/photobucket-gets-phished/
    August 19, 2008 - "Photobucket is, by far, one of the largest photo-sharing sites in the world. It is generally used for personal photographic albums, remote storage of avatars displayed on Internet forums, and storage of videos. Lots of people may like to keep their albums private, allowing password-protected guest access, or open them up to the public. And now this photo-sharing site is being attacked by phishers... The login page above looks exactly like the original site that lures the users to enter their user name and password. Once victims enter their credentials, phishers can use them to obtain full access to their Photobucket account, and may use their albums to insert malicious code... popular image hosting sites have become the targets of several different attacks:

    Turkish Hackers Relive Memories in Photobucket
    - http://blog.trendmicro.com/turkish-h...in-photobucket
    06.25.2008

    Two New Yahoo Phish Sites
    - http://blog.trendmicro.com/two-new-yahoo-phish-sites ..."
    07.31.2008


  9. #19
    AplusWebMaster

    Malware SPAM - Russia-Georgia conflict...

    FYI...

    Russia-Georgia conflict - malware SPAM
    - http://www.us-cert.gov/current/#malw...russia_georgia
    August 21, 2008 - " US-CERT is aware of public reports* of malware circulating via spam email messages related to the Russia/Georgia conflict. These messages contain factual information about the conflict. The messages also contain download instructions for the user to watch a video that is attached to the message. If a user opens the attachment, malware may be downloaded and installed onto their system..."

    * http://preview.tinyurl.com/58u83x
    08-21-2008 (Symantec Security Response Blog)
    Russia/Georgia Conflict News Used to Hide Malicious Code in Spam
    "...The messages themselves contain an attachment, along with instructions and passwords for the download of the attachment... One subject line that has been seen reads:
    “Subject: Journalists Shot in Georgia”... The attachment contains no videos; rather, the attachment redirects to a link that delivers a payload identified as Trojan.Popwin... We have observed several -million- instances of this particular spam attack delivering malicious code..."


  10. #20
    AplusWebMaster

    Angelina Jolie... again.

    FYI...

    - http://sunbeltblog.blogspot.com/2008...in-trojan.html
    August 21, 2008 - "We’ve seen the same trojan being sent to inboxes in all kinds of ways — and seemingly obsessively on the subject of Angelina Jolie. Minor shift, now they’re putting the fake codec window right in the spam. Pushes video.avi.exe, a fake alert trojan which invariably installs Antivirus XP 2008 or some such rogue security program."

    (Screenshot available at the URL above.)


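An added defender-side example, not from this thread or any of the quoted vendor posts: Python mail-triage rules that flag the lure pattern described in posts #11 through #15 and #20 (news-themed "BREAKING NEWS" subject, a story link that leaves the news domain, the fake-codec executables, the 66.199.240.138 downloader host, double-extension attachments), run over one constructed sample message. The sample message and the host 198.51.100.7 are constructed; the indicator values are the ones quoted in the posts.

```python
# Added example (not from the thread or the quoted vendor posts): mail-triage
# rules for the lures described in this thread, run over a constructed sample.
# Indicator values (the BREAKING NEWS subject, adobe_flash.exe, install.exe,
# msgr8.5us.exe, video.avi.exe, 66.199.240.138) are quoted in the posts.
import re
from email import message_from_string

SUBJECT_LURES = ("msnbc.com - BREAKING NEWS", "BREAKING NEWS")
NEWS_HOSTS = ("cnn.com", "msnbc.com")   # where a genuine story link points
CODEC_NAMES = {"adobe_flash.exe", "install.exe", "msgr8.5us.exe"}
DOWNLOADER_IP = "66.199.240.138"        # first-stage host named in the ISC diary
EXEC_EXT = re.compile(r"\.(exe|scr|pif|com|bat)$", re.I)
URL_RE = re.compile(r"https?://([^/\s\"'>]+)(/[^\s\"'>]*)?", re.I)

def triage(raw: str) -> list:
    # Return the sorted set of campaign indicators found in one raw message.
    msg = message_from_string(raw)
    text = "\n".join(p.get_payload(decode=True).decode("utf-8", "replace")
                     for p in msg.walk()
                     if p.get_content_type() in ("text/plain", "text/html"))
    hits = set()
    if any(msg.get("Subject", "").startswith(s) for s in SUBJECT_LURES):
        hits.add("lure-subject")
    for host, path in URL_RE.findall(text):
        host, path = host.lower().split(":")[0], path.lower()
        if host == DOWNLOADER_IP:
            hits.add("downloader-ip")
        elif path.endswith(".html") and not any(
                host == h or host.endswith("." + h) for h in NEWS_HOSTS):
            hits.add("offsite-story-link")   # 'FULL STORY' link leaves the news domain
        if EXEC_EXT.search(path):
            hits.add("exe-link")             # e.g. the fake codec download
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name in CODEC_NAMES or EXEC_EXT.search(name):
            hits.add("exe-attachment")
            if name.count(".") >= 2:
                hits.add("double-extension")  # e.g. video.avi.exe
    return sorted(hits)

# Constructed sample; 198.51.100.7 is a documentation-range placeholder host.
SAMPLE = """Subject: msnbc.com - BREAKING NEWS: Jury duties for you
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Full story: http://198.51.100.7/up.html
Missing codec? http://66.199.240.138/install.exe
--b1
Content-Disposition: attachment; filename="video.avi.exe"

MZ...
--b1--
"""
```

`triage(SAMPLE)` returns every indicator class at once; a real mail filter would weight them, since a single hit such as a .html link is common in legitimate newsletters.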
