
Thread: SPAM frauds, fakes, and other MALWARE deliveries - archive

  1. #111
    Adviser Team AplusWebMaster
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    "Swine Flu" SPAM now at 4% of all SPAM

    FYI...

    - http://sunbeltblog.blogspot.com/2009...gines-and.html
    April 30, 2009 - "... Spammers saw this coming on Monday. Spam with headlines claiming that celebrities (Salma Hayek, Madonna) have caught the disease are peddling generic Tamiflu – or stealing the credit card numbers of those naïve enough to make a purchase from one of the nearly 300 newly-registered domains with a “Swine Flu” twist in their name. Cisco’s IronPort anti-spam service says Swine Flu spam is now four percent of global spam. Spam that preys on public fears generated by big news stories is now a genre... See Information week’s coverage here*."
    * http://www.informationweek.com/share...leID=217200528

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #112
    AplusWebMaster (Adviser Team)

    Swine-Mexican-H1N1 related domains / SPAM - Fed Reserve fake

    FYI...

    More Swine/Mexican/H1N1 related domains
    - http://isc.sans.org/diary.html?storyid=6325
    Last Updated: 2009-05-02 14:21:58 UTC - "... be ever vigilant in your browsing for Swine/Mexican/H1N1 flu information. We show over 1000 new domains containing those keywords registered in the last 24 hours."

    Fed Reserve Spam/Malware Attack is After Your Data
    - http://www.shadowserver.org/wiki/pmw...endar/20090429
    29 April 2009 - "... spam campaigns that are designed to appear as if they are coming from the Federal Reserve. These attacks are not attempting to phish you and trick you into giving them banking or other personal information... They are actually looking to install an info-stealing/banking trojan on your system via drive-by exploits... it is designed to look like a message coming from the Federal Reserve with a message designed to get you to click the link from the e-mail... The bad guys behind the Federal Reserve malware use the LuckySploit exploit pack. LuckySploit has a variety of exploits... Successful exploitation tends to drop a file named wQJs.exe onto the system in the user's Temp folder. It may also drop a file named svchost.exe (same name as a legitimate Windows file) onto the system as well. This "svchost.exe" and "wQJs.exe" are the same file. They both create shell32.dll and 123.info in the user's Temp directory as well. Note that 123.info is just a text file that contains the path to the malware.
    Malware Details:
    File Name: wJQs.exe | svchost.exe
    File Size: 9216 bytes
    MD5 hash: 175ef7faf41ecbe757bcd3021311f315
    File Name: shell32.dll
    File Size: 6144 bytes
    MD5 hash: 3182da0a9c6946e226ee6589447af170
    VirusTotal Results for these files can be viewed below:
    .exe: http://www.virustotal.com/analisis/a...d7f86ceb6181f1
    .dll: http://www.virustotal.com/analisis/d...6215bf41a64f7c ..."

    (Screenshot and more detail available at the Shadowserver URL above.)

    Last edited by AplusWebMaster; 2009-05-02 at 23:36.
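    The Shadowserver item quoted above gives enough detail (file names, sizes, MD5s, the 123.info marker) to check a machine's Temp folder for that campaign's artifacts. The script below is an added example written for this thread, not Shadowserver's tooling; the indicators are copied from the quoted post, and the sample directory it builds contains constructed placeholder files, not the real samples. Note the quoted write-up spells the dropper both "wQJs.exe" and "wJQs.exe", so the list keeps both spellings rather than guess which one is right.

```python
"""Check a Temp-style directory for the Federal Reserve spam campaign artifacts that the
Shadowserver write-up quoted above describes.  Added example for this thread, not
Shadowserver's tooling; names, sizes and MD5s come from the quoted post."""
import hashlib
import os
import tempfile

# Indicators as published in the quoted post.  The write-up spells the dropper both
# "wQJs.exe" and "wJQs.exe", so both spellings are kept.  svchost.exe and the .exe are
# stated to be the same file, hence the shared size and hash.
IOC_FILES = {
    "wqjs.exe":    (9216, "175ef7faf41ecbe757bcd3021311f315"),
    "wjqs.exe":    (9216, "175ef7faf41ecbe757bcd3021311f315"),
    "svchost.exe": (9216, "175ef7faf41ecbe757bcd3021311f315"),
    "shell32.dll": (6144, "3182da0a9c6946e226ee6589447af170"),
}
# 123.info is described as a plain text file holding the path to the malware; no hash given.
MARKER_FILE = "123.info"


def classify(name, size, md5):
    """Verdict for one file, or None if the name is not an indicator.

    'hash-match': size and MD5 equal the published values
    'name-only' : indicator name present but different content (a new variant, or, for
                  svchost.exe, a file that belongs in System32 and not in Temp at all)
    'marker'    : the 123.info text marker
    """
    key = name.lower()
    if key == MARKER_FILE:
        return "marker"
    if key not in IOC_FILES:
        return None
    want_size, want_md5 = IOC_FILES[key]
    return "hash-match" if (size, md5.lower()) == (want_size, want_md5) else "name-only"


def md5_of(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_directory(directory):
    """Return [(filename, verdict)] for every indicator found directly under directory.
    For the marker file the verdict carries the path it points at: 'marker:<path>'."""
    findings = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        verdict = classify(name, os.path.getsize(path), md5_of(path))
        if verdict == "marker":
            with open(path, "r", errors="replace") as f:
                verdict = "marker:" + f.read().strip()
        if verdict:
            findings.append((name, verdict))
    return findings


def build_constructed_sample():
    """Create a throwaway stand-in for %TEMP% holding CONSTRUCTED placeholder files (not
    the real samples) so the scanner can be exercised offline.  Returns the directory."""
    d = tempfile.mkdtemp(prefix="fedreserve_ioc_demo_")
    with open(os.path.join(d, "svchost.exe"), "wb") as f:
        f.write(b"constructed placeholder, not the real dropper")
    with open(os.path.join(d, "123.info"), "w") as f:
        f.write(r"C:\Users\victim\AppData\Local\Temp\svchost.exe")  # constructed path
    with open(os.path.join(d, "notes.txt"), "w") as f:
        f.write("benign file, must not be reported")
    return d


if __name__ == "__main__":
    for name, verdict in scan_directory(build_constructed_sample()):
        print(f"{name}: {verdict}")
```

    A "name-only" hit still deserves a look: a file called svchost.exe sitting in a user's Temp folder is wrong regardless of its hash, and the 123.info marker tells you where the dropper was written even if the binary itself has since changed.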

  3. #113
    AplusWebMaster (Adviser Team)

    IFrame redirects lead to MBR rootkit

    FYI...

    IFrame redirects lead to MBR rootkit
    - http://blog.trendmicro.com/porn-site...o-mbr-rootkit/
    May 3, 2009 - "Websites related to pornography that appear to be compromised were found by Trend Micro engineers loading malicious JavaScript which redirects users onto malicious domains that ultimately lead to the download of an MBR rootkit (TROJ_SNOWAL.A) onto the affected system... malicious scripts all follow a similar routine: upon execution, it checks for the date on the target system then generates a URL based on the date obtained. It then creates an IFrame, which would redirect the user to the generated URL. The URL then leads to the download of a malicious file, which in turn downloads an MBR rootkit..."

    (Screenshot and more detail available at the URL above.)


  4. #114
    AplusWebMaster (Adviser Team)

    Facebook phishing malware

    FYI...

    Facebook phishing malware
    - http://isc.sans.org/diary.html?storyid=6328
    Last Updated: 2009-05-04 14:47:00 UTC - "Looks like there may be a piece of malware out there that is sending out messages to folks on Facebook trying to trick them into visiting a facsimile "Facebook" login page to steal credentials. The phishing site is currently on "junglemix .in," so you may want to block that site. More details as we figure this thing out..."


  5. #115
    AplusWebMaster (Adviser Team)

    H1N1 Domain list - 1,344

    FYI...

    H1N1 Domains
    - http://www.f-secure.com/weblog/archives/00001674.html
    May 4, 2009 - "... here is a list of domains* registered over the weekend using the words swine flu. There are 1,344 on the list. Again, so far, none of the domains we've checked are hosting any malicious files. In fact, the only malicious file we've seen is something that Symantec posted** about last week. It's a PDF "Swine Flu FAQ" exploit which drops a password stealer and then opens a clean PDF file as a decoy. One interesting thing about the exploit that hasn't been mentioned yet is the file name, The Association of Tibetan journalists Press Release.pdf. Tibet themed exploits are very popular with targeted attacks***."
    * http://www.f-secure.com/weblog/archi...y_4th_2009.txt

    ** https://forums2.symantec.com/t5/blog...article-id/268

    *** http://www.f-secure.com/weblog/archives/00001672.html


  6. #116
    AplusWebMaster (Adviser Team)


    FYI...

    Waledac Turns to Cash and Vaccines w/SPAM
    - http://blog.trendmicro.com/waledac-t...-and-vaccines/
    May 5, 2009 - "Riding on the ongoing global economic recession, Waledac updates its SPAM messages with email subjects related to earning a fortune through Google cash. Other spam email subjects we’ve seen so far:
    * Be your own boss with Google
    * Earn cash using Google today
    * Google System that really works
    * Make a fortune online
    * Make thousands a month from home
    * Start your home business today
    * Use Google to earn extra cash

    As of this writing, the hyperlink found in the email body redirects to an advertising link which currently returns a redirect loop error in Firefox web browser. Another current event seen leveraged on by this wave of Waledac spam runs is the swine flu outbreak, as spammed messages bear subjects that seem related to a vaccine for swine flu. Other spam email subjects seen so far:
    * Anti-swine flu drugs are available here
    * Anti-viral treatment for swine flu
    * Are you worried about swine flu?
    * Are you worried about swine flu? buy medicine!
    * Be quick! anti-swine flu drugs are almost sold out
    * Buy medicine that prevent you from getting swine flu
    * Buy medicine to prevent swine flu
    * Buy new effective medicine against swine flu
    * Buy the most effective treatment for combating the new swine flu
    * Do you want to prevent yourself from swine flu?
    * Do you want to protect yorself against swine flu?
    * Dont stand in line for swine flu medicine
    * Get swine flu medicine here
    * Get the swine flu medicine right here
    * Hurry up! swine flu drugs are almost sold out
    * Keep your family from getting swine flu
    * New medicine to prevent swine flu
    * New vaccine helps to prevent swine flu
    * New vaccine to prevent swine flu
    * Order anti-swine flu medicine today
    * Order new medicine against swine flu
    * Order now vaccine against swine flu
    * Prevent infections with swine flu viruses
    * Prevent yourself from cathcing swine flu
    * Protect your family against swine flu!
    * Protect yourself from swine flu
    * Stop risk of being killed by swine flu!
    * The vaccine protecting against swine flu
    * You can buy swine flu drugs here
    * You can order anti-flu drugs treaing swine flu here
    * You can order anti-swine flu drugs on-line
    * You can protect yourself against swine flu!

    The given link however only leads to the all too familiar Canadian pharmacy site..."

    (Screenshots available at the TrendMicro URL above.)


  7. #117
    AplusWebMaster (Adviser Team)

    eBay phishing Scam...

    FYI...

    eBay phishing Scam...
    - http://www.sophos.com/blogs/sophoslabs/v/post/4452
    May 20, 2009 - "... eBay phishing scam came in the form of a seemingly innocent query about the sale of iPhones. The scam message is quite simple... At first sight, it appears to be a product spam campaign to promote the iPhone. However, when clicking the link that came with the attached email, a -fake- eBay page comes up. This email is actually a ruse designed to steal an eBay user’s information...
    SophosLabs analysts have encountered many instances of such misdirection of legitimate websites. They range from internet banking websites to online retail websites. As always, online users should take precautions and never attempt to follow an embedded weblink to an online store or a banking website from an email, even if by first appearances, it looks legitimate..."

    (Screenshots available at the URL above.)


  8. #118
    AplusWebMaster (Adviser Team)

    Malicious iFrame on Gadgetadvisor.com

    FYI...

    Malicious iFrame on Gadgetadvisor.com
    - http://www.f-secure.com/weblog/archives/00001687.html
    May 22, 2009 - "Are you a gadget geek? Do you often seek advice from Gadget Advisor before making a purchase? Our Web Security Analyst discovered a malicious IFrame on the popular tech website that redirects visitors to a malicious website... If the site detects a PDF browser plugin for Adobe Acrobat and Reader, it loads a specially-crafted malicious PDF file that exploits a stack-based buffer overflow vulnerability ( http://web.nvd.nist.gov/view/vuln/de...=CVE-2008-2992 ). The net effect of the attack is to plant a trojan, detected as Trojan-Downloader.Win32.Agent.brxr, on vulnerable systems by calling the util.printf JavaScript function, which connects back to the malicious website in order to download the trojan to the machine. A remote attacker can access the user's machine once it has been infected with the trojan... This attack is targeted against older, unpatched versions of Adobe programs, as the latest Adobe updates have already fixed this problem. More information and the updates can be found at Adobe at:
    http://www.adobe.com/support/securit...apsb08-19.html. Disabling the JavaScript function in Acrobat and Reader will also prevent the threat from proceeding."

    (Screenshot available at the F-secure URL above.)


  9. #119
    AplusWebMaster (Adviser Team)

    Facebook phishing/spam/"worm" ...

    FYI...

    Facebook phishing/spam/"worm" ...
    - http://isc.sans.org/diary.html?storyid=6451
    Last Updated: 2009-05-25 07:16:47 UTC ... (Version: 5) - "... new Facebook phishing/spam/"worm" campaign is doing the rounds. It uses Belgian domains (.be) to impersonate the Facebook login page and steal the user credentials.
    UPDATE 4: The malicious domains do not only impersonate Facebook but contain malicious "hidden" (1x1pixel) iframes, hosted on the same host, such as: "/tds/r.php?sid=2&pid=5511". Do not browse them...
    UPDATE 3: As expected, more domains are coming (and some of them are still active right now - May 25, 0:00am CET)...:
    • redfriend dot be, redbuddy dot be, picoband dot be, areps dot at, greenbuddy dot be
    • picoband dot be, vispace dot be, whiteflash dot be, bestspace dot be
    • There are other "more than suspicious" .be domains associated to the same IP address.
    The ones active do resolve to IP address 211.95.78.98. From APNIC...
    country: CN ..."

    - http://www.f-secure.com/weblog/archives/00001689.html
    May 25, 2009

    Last edited by AplusWebMaster; 2009-05-25 at 20:36. Reason: Added F-secure link...

  10. #120
    AplusWebMaster (Adviser Team)

    Facebook phish (cont'd)

    FYI...

    Facebook phishing using Belgian (.be) domains (cont'd)
    - http://isc.sans.org/diary.html?storyid=6451
    Last Updated: 2009-05-25 20:01:20 UTC ...(Version: 6)
    "UPDATE 5: (May 25, 22:00h CET) It seems there is a new variation moving around, using tinyurl links... For example, you get a Facebook message pointing to "tinyurl dot com /o5kblj/" that takes you to a link at "simplemart dot be".
    > Remember you can enable/disable the tinyurl preview feature through
    " http://tinyurl.com/preview.php ". You just need to enable cookies on your browser.
    Some of the malicious domains being used are redfriend dot be, redbuddy dot be, picoband dot be... (at this point, none of them can be resolved)..."

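    Several items on this page (#113 Trend Micro, #118 F-Secure, #119 and #120 ISC) share the same injection pattern: a hidden or tiny iframe dropped into an otherwise normal page, pointing at a redirector or an off-site host. The script below is an added example written for this thread, not code from any of those vendors or from the poster. It parses fetched HTML, flags iframes that are 1x1 or CSS-hidden, and matches iframe hosts against the .be/.at domains the ISC diary lists (refanged from the diary's "x dot be" notation). The sample page it scans is constructed for the demo; only the "/tds/r.php?sid=2&pid=5511" path and the domain names come from the quoted posts.

```python
"""Audit HTML for hidden or known-bad iframes, the injection pattern described in the
Trend Micro, F-Secure and ISC items quoted above.  Added example for this thread, not
vendor code.  Sample HTML below is constructed; the iframe path and domains are from the
quoted ISC diary."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains listed in the ISC diary for the .be Facebook phish, refanged from "x dot be".
KNOWN_BAD_HOSTS = {
    "redfriend.be", "redbuddy.be", "picoband.be", "areps.at", "greenbuddy.be",
    "vispace.be", "whiteflash.be", "bestspace.be", "simplemart.be",
}


def refang(text):
    """'redfriend dot be' -> 'redfriend.be' (the diary's defanging convention)."""
    return re.sub(r"\s+dot\s+", ".", text.strip().lower())


def _px(value):
    """Parse a width/height attribute such as '1', '1px' or '0%' to an int, else None."""
    if value is None:
        return None
    m = re.match(r"\s*(\d+)", value)
    return int(m.group(1)) if m else None


class IframeAuditor(HTMLParser):
    """Collects (src, reasons) for every iframe that is hidden or points at a known-bad host."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)                       # attribute names arrive lower-cased
        src = a.get("src") or ""
        reasons = []
        w, h = _px(a.get("width")), _px(a.get("height"))
        if (w is not None and w <= 1) or (h is not None and h <= 1):
            reasons.append("tiny")            # the 1x1 pixel trick from UPDATE 4
        style = (a.get("style") or "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("css-hidden")
        host = (urlparse(src).hostname or "").lower()   # "" for same-origin paths
        if host and host != self.page_host:
            reasons.append("offsite")
        if host in KNOWN_BAD_HOSTS:
            reasons.append("known-bad")
        # "offsite" alone is normal (ads, widgets); report only hidden or known-bad frames.
        if {"tiny", "css-hidden", "known-bad"} & set(reasons):
            self.findings.append((src, tuple(reasons)))


def audit_html(html, page_url):
    """Return [(iframe src, (reasons...))] for the suspicious iframes in html."""
    parser = IframeAuditor(urlparse(page_url).hostname or "")
    parser.feed(html)
    parser.close()
    return parser.findings


# CONSTRUCTED sample page: one ordinary widget frame, one same-origin 1x1 redirector
# using the path from the ISC diary, and one CSS-hidden frame to a listed domain.
SAMPLE_HTML = """<html><body>
<h1>Login</h1>
<iframe src="https://www.example.com/widget" width="300" height="200"></iframe>
<iframe src="/tds/r.php?sid=2&amp;pid=5511" width="1" height="1"></iframe>
<iframe src="http://redfriend.be/" style="display: none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src, reasons in audit_html(SAMPLE_HTML, "http://picoband.be/"):
        print(f"{src}: {', '.join(reasons)}")
```

    The same-origin 1x1 frame is caught purely by its size, which matters because the ISC diary notes the redirector was hosted on the same host as the phishing page, so a blocklist alone would miss it; the blocklist catches the second frame even though it carries no size attributes at all.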
