
Thread: SPAM frauds, fakes, and other MALWARE deliveries - archive

  1. #531
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    C|Net malware ...

    FYI...

    C|Net Download.Com is now bundling Nmap with malware...
    - http://seclists.org/nmap-hackers/2011/5
    5 Dec 2011 - "... C|Net's Download.Com site has started wrapping their Nmap downloads (as well as other free software like VLC) in a trojan installer which does things like installing a sketchy "StartNow" toolbar, changing the user's default search engine to Microsoft Bing, and changing their home page to Microsoft's MSN. The way it works is that C|Net's download page (screenshot attached) offers what they claim to be Nmap's Windows installer. They even provide the correct file size for our official installer. But users actually get a Cnet-created trojan installer. That program does the dirty work before downloading and executing Nmap's real installer. Of course the problem is that users often just click through installer screens, trusting that download.com gave them the real installer and knowing that the Nmap project wouldn't put malicious code in our installer. Then the next time the user opens their browser, they find that their computer is hosed with crappy toolbars, Bing searches, Microsoft as their home page, and whatever other shenanigans the software performs..."

    - https://www.virustotal.com/file-scan...8f6-1323239699
    File name: 29d0ca5df3dd63a69630a1bbdbfbcfdad6271702
    Submission date: 2011-12-07 06:34:59 (UTC)
    Result: 7/43 (16.3%)

    - https://isc.sans.edu/diary.html?storyid=12148
    Last Updated: 2011-12-06 06:40:53 UTC

    Caution: downloads can be hazardous to your PC's health...
    - http://h-online.com/-1392501
    8 December 2011 - "... much of the proprietary freeware and trial software on Download .com will retain its Download .com Installer packaging. Initial reactions on the net also noted that a number of popular open source programs still had an installer wrapping them and there appears to have been no apology for specifically bundling GPL, or enhanced GPL in the case of Nmap, software with closed source installers."

    - http://insecure.org/news/download-co...o.html#updates
    Dec 9...
    ___

    - http://www.extremetech.com/computing...ut-motivations
    August 22, 2011

    Last edited by AplusWebMaster; 2011-12-09 at 20:58.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .
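    An added example (not part of the post above, and not code from the Nmap project): the post makes the point that Download.com listed the correct file size for Nmap's installer while serving a different program. Size is not an integrity check; the published SHA-256 from the project's own site is. The script below parses a `sha256sum`-style digest list, hashes a downloaded file in chunks, and reports size and hash separately so the difference is visible. The installer bytes, the file name `nmap-setup.exe` and the digest list are constructed here for the demonstration and are not real artifacts.

```python
import hashlib
import os
import tempfile
from typing import Dict, Optional


def parse_sha256sums(text: str) -> Dict[str, str]:
    """Parse `sha256sum`-style lines ("<64 hex chars>  <filename>") into {filename: digest}."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, sep, name = line.partition("  ")
        name = name.lstrip("*")          # "*name" marks binary mode in some tools
        if not sep or len(digest) != 64 or not name:
            raise ValueError(f"malformed sums line: {line!r}")
        sums[name] = digest.lower()
    return sums


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large installers need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def verify_download(path: str, published_name: str, sums: Dict[str, str],
                    expected_size: Optional[int] = None) -> Dict[str, object]:
    """Compare a downloaded file against the vendor's published digest.

    size_ok is reported only to show that a size match proves nothing;
    hash_ok is the actual integrity decision.
    """
    actual_hash = sha256_file(path)
    expected_hash = sums.get(published_name)
    return {
        "size_ok": expected_size is None or os.path.getsize(path) == expected_size,
        "hash_ok": expected_hash is not None and actual_hash == expected_hash,
        "sha256": actual_hash,
    }


# Constructed sample bytes, not real installers. The "wrapped" blob has exactly
# the same length as the "official" one, mirroring the Download.com case where
# the listed file size was correct but the bytes were a different program.
OFFICIAL_INSTALLER = b"MZ" + b"\x00" * 30 + b"nmap setup, genuine payload".ljust(64, b".")
WRAPPED_INSTALLER = b"MZ" + b"\x00" * 30 + b"toolbar stub, fetches real one".ljust(64, b".")
assert len(OFFICIAL_INSTALLER) == len(WRAPPED_INSTALLER)

# The vendor's published sums file, constructed here from the official bytes;
# in practice it comes from the project's own site over HTTPS, not from the mirror.
PUBLISHED_SUMS = hashlib.sha256(OFFICIAL_INSTALLER).hexdigest() + "  nmap-setup.exe\n"


def demo() -> Dict[str, Dict[str, object]]:
    """Write both blobs to disk and verify each against the published digest."""
    sums = parse_sha256sums(PUBLISHED_SUMS)
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for label, blob in (("official", OFFICIAL_INSTALLER), ("wrapped", WRAPPED_INSTALLER)):
            path = os.path.join(tmp, label + ".exe")
            with open(path, "wb") as f:
                f.write(blob)
            results[label] = verify_download(path, "nmap-setup.exe", sums,
                                             expected_size=len(OFFICIAL_INSTALLER))
    return results


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(label, verdict)
```

    Both files pass the size check; only the genuine one passes the hash check. The digest list has to come from a channel the mirror does not control, otherwise a wrapper site can simply publish the digest of its own installer.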

  2. #532 (AplusWebMaster)

    Urgent Block: BlackHole Exploit Kit...

    FYI...

    Urgent Block: BlackHole Exploit Kit redret Spam Domains
    - http://www.malwaredomains.com/wordpress/?p=2220
    December 6th, 2011 - "From the Internet Storm Center*... IP addresses to block are also in the article*. Also see this article**. Will be added here but you shouldn’t wait."

    * https://isc.sans.edu/diary.html?storyid=12145
    Last Updated: 2011-12-06 03:04:51 UTC - "... all domains still active/resolving that host BlackHole exploit kit, the actual one and not the links on the spams...
    czredret .ru, curedret .ru, ctredret .ru, crredret .ru, bzredret .ru, byredret .ru, bxredret .ru, bwredret .ru, bvredret .ru, bsredret .ru, bpredret .ru, boredret .ru, blredret .ru, bkredret .ru, biredret .ru, bhredret .ru, bgredret .ru, bfredret .ru, beredret .ru, bdredret .ru, bcredret .ru, bbredret .ru, aredret .ru, apredret .ru, amredret .ru, alredret .ru, akredret .ru, ajredret .ru, airedret .ru, ahredret .ru, agredret .ru, afredret .ru, aeredret .ru, adredret .ru, acredret .ru, abredret .ru, aaredret .ru
    ... they are resolving to:
    95.163.89.193, 89.208.34.116, 94.199.51.108, 91.220.35.38, 77.79.7.136, 95.163.89.200, 91.228.133.120
    In recent past, the following IPs were also observed hosting them:
    188.190.99.26, 87.120.41.191, 94.199.53.14, 89.208.34.116...
    Comments (12.06.2011, 19:21 UTC): 79.137.237.63 is hosting these domains crredret .ru, ctredret .ru, curedret .ru, czredret .ru"

    - https://blogs.msdn.com/themes/blogs/...006&GroupKeys=
    "... malware that connects using an IP address instead of a domain name will -not- be blocked when you use just domain name lists..."

    ** http://blog.dynamoo.com/2011/11/bred...-to-block.html
    23 November 2011

    Last edited by AplusWebMaster; 2011-12-09 at 21:20.
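    An added example, not part of the post above or of the ISC diary: the MSDN quote makes the point that a domain-only blocklist misses malware that connects straight to an IP. The script below matches proxy-log URLs against both the domain list and the IP list from the diary (a subset of the domains is reproduced; the defanging spaces are removed), and matches parent domains so a subdomain of a listed domain is caught too. The proxy log lines are constructed for the demonstration and are not a real capture.

```python
import ipaddress
from typing import Dict, Set
from urllib.parse import urlsplit

# Indicators quoted in the ISC diary above, with the forum's defanging spaces
# removed. Only part of the domain list is reproduced here; feed the full list.
BLOCKED_DOMAINS: Set[str] = {
    "czredret.ru", "curedret.ru", "ctredret.ru", "crredret.ru", "bzredret.ru",
    "boredret.ru", "aaredret.ru",
}
BLOCKED_IPS: Set[str] = {
    "95.163.89.193", "89.208.34.116", "94.199.51.108", "91.220.35.38",
    "77.79.7.136", "95.163.89.200", "91.228.133.120", "79.137.237.63",
}


def domain_blocked(host: str, blocked: Set[str]) -> bool:
    """True if host or any parent domain is listed, so cdn.boredret.ru matches boredret.ru."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host.strip("[]"))   # IPv6 literals arrive bracketed
        return True
    except ValueError:
        return False


def classify_url(url: str, domains: Set[str], ips: Set[str]) -> str:
    """Return blocked-domain, blocked-ip, allowed or unknown for one URL."""
    host = urlsplit(url).hostname
    if not host:
        return "unknown"
    if is_ip_literal(host):
        # A direct-IP URL never touches the domain list; without an IP list it passes.
        return "blocked-ip" if host.strip("[]") in ips else "allowed"
    return "blocked-domain" if domain_blocked(host, domains) else "allowed"


# Constructed proxy log (squid-like fields: time client status method url), not a real capture.
SAMPLE_PROXY_LOG = """\
1323150000.123 10.0.0.7 TCP_MISS/200 GET http://czredret.ru/index.php
1323150001.456 10.0.0.8 TCP_MISS/200 GET http://www.example.com/index.html
1323150002.789 10.0.0.9 TCP_MISS/200 GET http://95.163.89.193/index.php
1323150003.000 10.0.0.7 TCP_MISS/200 GET http://cdn.boredret.ru/x.jar
"""


def triage(log_text: str, domains: Set[str] = BLOCKED_DOMAINS,
           ips: Set[str] = BLOCKED_IPS) -> Dict[str, str]:
    """Map every URL in the log to its verdict."""
    verdicts = {}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        url = fields[4]
        verdicts[url] = classify_url(url, domains, ips)
    return verdicts


if __name__ == "__main__":
    print("domains + IPs:", triage(SAMPLE_PROXY_LOG))
    print("domains only: ", triage(SAMPLE_PROXY_LOG, ips=set()))
```

    Running `triage` with an empty IP set lets the direct-IP request through, which is the gap the MSDN quote describes; the diary's note that the hosting IPs rotate every few days means the IP list needs refreshing at least as often as the domain list.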

  3. #533 (AplusWebMaster)

    Affected and abused domains ...

    FYI...

    Affected and abused domains ...
    - https://isc.sans.edu/diary.html?storyid=12178
    Last Updated: 2011-12-10 17:42:46 UTC - "... covered the emergence of hacked DNS zones ("What's In A Name") a couple weeks ago*... domains affected have been abused for the past several days to push copies of the BlackHole Exploit Kit. The IP range used changes about every three, four days:
    188.247.135.37 in use until Dec 2, AS34714, Opticnet, Romania
    146.185.245.72 in use until Dec 5, AS43215, Monyson Group, Russia
    ... exploit code politely checks which version of Java is present, and only launches the exploit on Java installations that are not running the very latest update. Unfortunately, this seems to be the case for the majority of Java deployments out there. Today, almost two weeks after this latest wave of exploits started, the exploit code for CVE-2011-3544 is still only detected by roughly half the anti-virus companies on VirusTotal**... by far the most successful for the bad guys at the moment..."
    * http://isc.sans.edu/diary.html?storyid=11770

    ** https://www.virustotal.com/file-scan...bb4-1323534647
    File name: v1.class
    Submission date: 2011-12-10 16:30:47 (UTC)
    Result: 19/43 (44.2%)

    - http://web.nvd.nist.gov/view/vuln/de...=CVE-2011-3544
    Last revised: 11/24/2011
    CVSS v2 Base Score: 10.0 (HIGH)


  4. #534 (AplusWebMaster)

    100$ or a free iPad! - scam

    FYI...

    100$ or a free iPad! - scam
    - https://isc.sans.edu/diary.html?storyid=12184
    Last Updated: 2011-12-12 23:21:39 UTC ...Version: -3- "... several misspellings of wikipedia are used in this scam, in addition to many other domains. wikipeida-org, wikepedia-org, wictionary-org, wikpedia-com, wikispaces-cm are all domains with a typo that redirect visitors to a "you won a prize" page... to claim the prize lots of personal information must be entered...
    Update: Other prominent typo domains affected include youtrube-com, youotube-com, youzube-com..."
    > https://isc.sans.edu/diaryimages/you-won.jpg

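    An added example, not part of the post above or of the ISC diary: every typo domain the diary lists (wikipeida, wikepedia, wikpedia, youtrube, youotube, youzube, and wikispaces under the wrong TLD) is one edit away from the brand it imitates. The script below computes the optimal string alignment distance (Levenshtein plus a single-edit adjacent transposition, which is what catches "wikipeida") and flags a candidate domain that is within one edit of a protected brand or that reuses the brand name under another TLD. The diary defangs its examples with "-" in place of "."; the inputs here use the dotted form. The brand list and allowlist are assumptions for the demonstration.

```python
from typing import List, Optional, Tuple

# Brands to protect; a real deployment would also list TLD variants the brand
# legitimately owns (wikipedia.de, youtube.co.uk, ...) in ALLOWED so they are not flagged.
PROTECTED: List[str] = ["wikipedia.org", "wiktionary.org", "wikispaces.com", "youtube.com"]
ALLOWED = set(PROTECTED)


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: Levenshtein plus adjacent transposition as one edit."""
    m, n = len(a), len(b)
    d = [[0] * (n + 1) for _ in range(m + 1)]
    for i in range(m + 1):
        d[i][0] = i
    for j in range(n + 1):
        d[0][j] = j
    for i in range(1, m + 1):
        for j in range(1, n + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion (wikpedia)
                          d[i][j - 1] + 1,          # insertion (youtrube)
                          d[i - 1][j - 1] + cost)   # substitution (youzube)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)   # transposition (wikipeida)
    return d[m][n]


def split_domain(domain: str) -> Tuple[str, str]:
    """Split "www.youtube.com" into ("youtube", "com"); single-label TLDs only."""
    domain = domain.lower().rstrip(".")
    if domain.startswith("www."):
        domain = domain[4:]
    label, _, tld = domain.rpartition(".")
    return label, tld


def check_typosquat(candidate: str, brands: List[str] = PROTECTED,
                    allowed=ALLOWED) -> Optional[Tuple[str, str]]:
    """Return (brand, reason) if candidate looks like a typo of a protected brand, else None.

    reason is "label" for a one-edit typo in the name part (wikipeida, youtrube)
    and "tld" for the exact name under a wrong TLD (wikispaces.cm).
    """
    label, tld = split_domain(candidate)
    if f"{label}.{tld}" in allowed:
        return None
    for brand in brands:
        blabel, btld = split_domain(brand)
        dist = osa_distance(label, blabel)
        if dist == 0 and tld != btld:
            return brand, "tld"
        if dist == 1:
            return brand, "label"
    return None


if __name__ == "__main__":
    for dom in ["wikipeida.org", "wikepedia.org", "wictionary.org", "wikpedia.com",
                "wikispaces.cm", "youtrube.com", "youotube.com", "youzube.com",
                "wikipedia.org", "example.com"]:
        print(dom, "->", check_typosquat(dom))
```

    Distance one covers the diary's examples; raising the threshold to two catches more squats but starts flagging unrelated short names, so a longer brand list with a per-brand threshold is the usual compromise. Multi-label public suffixes such as `.co.uk` need a public suffix list, which this example leaves out.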

  5. #535 (AplusWebMaster)

    CA incident report...

    FYI...

    CA incident report...
    - https://isc.sans.edu/diary.html?storyid=12205
    Last Updated: 2011-12-14 17:39:34 UTC - "GlobalSign released a press release today to address concerns that they may have had a compromise of their CA infrastructure.
    http://www.globalsign.co.uk/company/...nt-report.html
    They did a good job of stating what they did find and what they didn’t. They also address new measures put in place to improve their overall security posture.
    “We didn't find any evidence of
    * Rogue Certificates issued.
    * Customer data exposed.
    * Compromised GlobalSign Root Certificate keys and associated Hardware Security Modules (HSM).
    * Compromised GlobalSign Certificate Authority (CA) infrastructure.
    * Compromised GlobalSign Issuing Authorities and associated HSMs.
    * Compromised GlobalSign Registration Authority (RA) services.
    What did happen
    * Peripheral web server, not part of the Certificate issuance infrastructure, hosting a public facing web property was breached.
    * What could have been exposed? Publicly available HTML pages, publicly available PDFs, the SSL Certificate and key issued to www .globalsign .com.
    * SSL Certificate and key for www .globalsign .com were deemed compromised and revoked. “


  6. #536 (AplusWebMaster)

    Phish campaign targets users - timed with breach ...

    FYI...

    Phish campaign targets users - timed with breach...
    - http://nakedsecurity.sophos.com/2011...hing-campaign/
    December 14, 2011 - "A phishing campaign targeting customers of Telstra Bigpond, Australia's largest ISP, is urging users to confirm their billing information or risk the suspension of their account... All pretty run-of-the-mill - an access your account now by clicking on a link in this email or else spam - but neatly timed given that Telstra suffered a data breach last Friday. Personal information... was downloaded from an insecure Telstra customer portal last Friday (I have read numbers from 60,000 to 70,000), forcing Telstra to take down some of its services, including webmail, over the weekend. Ironically, the forced outage also prevented access to the Bigpond account management pages, making it hard for concerned users to change their passwords as a precaution against abuse, or, indeed, to check their account and billing information... an unpatched version of WordPress allowed the phishers to "borrow" services from an Aussie blogger... this email was obviously a phish:
    - Bigpond doesn't send out access your account now by clicking on a link emails.
    - The email contains numerous errors of orthography, spelling and grammar. Official Bigpond emails are professionally written.
    - The link you are asked to click on has no obvious connection with Telstra or Bigpond.
    - Official Bigpond emails to you aren't addressed to someone called "Duchess" with a competitor's webmail account (unless your name is Duchess, of course).
    ... if you run a WordPress blog, make sure you've applied the latest patches. Vulnerable blog sites can be a gold mine for cybercrooks."


  7. #537 (AplusWebMaster)

    Ransomware impersonates the police

    FYI...

    Ransomware impersonates the police
    - https://blogs.technet.com/b/mmpc/arc...edirected=true
    19 Dec 2011 - "... several samples of a ransomware family localized into different languages... We've so far seen variants localized into four languages: English, Spanish, German, and Dutch... Upon execution, the ransomware locks the computer, displays the localized screen.. and demands the payment of a "fine" for the supposed possession of illicit material. In order to make the computer functional again, the user is asked to transfer money via a legitimate online payment service, such as Paysafecard or Ukash, to the supposed authorities. These services are -not- involved in any way with the scammers' scheme; instead, they are being used for malicious purposes... In the case of Trojan:Win32/Ransom.DU... that impersonates the German Federal Police, 91.59% of the samples we received from July to November this year were found in Germany... this localized ransomware family can be distributed through drive-by downloads and that the Blackhole Exploit Kit is involved... nowadays Blackhole distributes many widespread malware families... PS: Just today we encountered a sample targeting residents of France..."
    ___

    - http://blog.eset.com/2011/12/04/carb...raud-incidents
    Dec. 4, 2011 - "... Based on the statistics obtained from one of the nodes hosting an active Black Hole exploit pack, the most frequently exploited vulnerabilities leading to system infection with malware are found in Java software... The exploited vulnerabilities aren’t really new: some of them are more than a year old... To prevent antivirus software detecting the dropper the Black Hole exploit kit includes functionality for measuring dropper detections by the most widely used antivirus software. When the number of detections reaches a defined value the dropper is repacked by the service responsible for it..."

    Last edited by AplusWebMaster; 2011-12-21 at 16:37.

  8. #538 (AplusWebMaster)

    Email Bank Deposit Scam

    FYI...

    Email Bank Deposit Scam
    - https://www.usaa.com/inet/pages/2011...sit_phish_scam
    12/19/2011 - "USAA's Enterprise Security Group has found an aggressive email phishing scam directed at USAA Members. The email has a subject line "Deposit Posted." What makes this particular phishing email different is there is a randomly generated four-digit number placed in the USAA Security Zone section... While this email* does not ask the recipient to click on a link, it does ask the member to open an attached file. When this file is opened it launches a malicious banking virus that if successfully launched could provide access to your personal information and may require a complete reinstall of your computer's operating system.
    What Members Should Do:
    USAA Members are encouraged to take the following action if they receive this email:
    Make certain the four digits in the Security Zone section match the last four digits of your USAA member number.
    If the numbers do not match your member information you can delete it..."
    * https://content.usaa.com/mcontent/st...eid=3947825466
    ___

    - https://www.us-cert.gov/current/#usa...am_and_malware
    December 20, 2011

    Last edited by AplusWebMaster; 2011-12-21 at 16:37.
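    An added example serving both the Bigpond post (#536) and the USAA post (#538); it is not part of either post or of the articles they quote. Three of the indicators above are mechanical enough to check in code: the link points at a host with no connection to the claimed sender (the Bigpond phish used a compromised WordPress blog), the message is addressed to someone other than the recipient ("Duchess"), and, in the USAA case, the lure is an executable attachment rather than a link. The spelling-and-grammar indicator is left out because it does not reduce to a reliable rule. The raw message, the recipient address, the sender domains and the attachment name are constructed for the demonstration; the From: header is attacker-controlled and is used only as the claim to test links against.

```python
import email
import re
from email import policy
from email.utils import getaddresses
from typing import Dict, Set
from urllib.parse import urlsplit

EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs", ".jar"}

# Constructed message combining the traits described above: a link on a host
# unrelated to the claimed sender, a To: address that is not the recipient's,
# and an executable attachment. Not a real sample; the base64 body is filler.
SAMPLE_MESSAGE = """\
From: "BigPond Billing" <billing@bigpond.com>
To: duchess@example.net
Subject: Confirm you're billing information
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<p>Dear Customer, you're account will be suspend.
<a href="http://blog.example.org/wp-content/bp/login.php">Access your account now</a></p>
--b1
Content-Type: application/octet-stream; name="Deposit_Posted.exe"
Content-Disposition: attachment; filename="Deposit_Posted.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAA=
--b1--
"""


def host_in_org(host: str, org_domains: Set[str]) -> bool:
    """True if host is one of the organisation's domains or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in org_domains)


def triage_email(raw: str, my_address: str, org_domains: Set[str]) -> Dict[str, object]:
    """Score one message on the three indicators; higher is more suspicious."""
    msg = email.message_from_string(raw, policy=policy.default)

    offbrand_links = []
    executables = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            for href in re.findall(r'href\s*=\s*["\']([^"\']+)', part.get_content(), flags=re.I):
                host = urlsplit(href).hostname
                if host and not host_in_org(host, org_domains):
                    offbrand_links.append(host)
        name = part.get_filename()
        if name and "." in name and ("." + name.rsplit(".", 1)[1].lower()) in EXECUTABLE_EXTENSIONS:
            executables.append(name)

    recipients = {addr.lower() for _, addr in getaddresses([str(msg["To"] or "")])}
    recipient_mismatch = my_address.lower() not in recipients

    findings = {
        "offbrand_links": offbrand_links,
        "recipient_mismatch": recipient_mismatch,
        "executable_attachments": executables,
    }
    findings["score"] = sum([bool(offbrand_links), recipient_mismatch, bool(executables)])
    return findings


if __name__ == "__main__":
    print(triage_email(SAMPLE_MESSAGE, "alice@example.net", {"bigpond.com", "telstra.com"}))
```

    The off-brand link check is the one that generalises: a bank's legitimate mail may still carry links to a tracking or CDN host, so the organisation's domain set has to be maintained rather than derived from the From: header, which the phisher sets to whatever brand is being impersonated.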

  9. #539 (AplusWebMaster)

    Holiday fakes ...

    FYI...

    Holiday fakes...
    ... They might take it, but they won't give it away...
    - http://techblog.avira.com/wp-content...osoft-head.png

    Ref: http://techblog.avira.com/2011/12/21...on-dollars/en/
    December 21, 2011 - "... No matter how realistic it seems..."


  10. #540 (AplusWebMaster)

    Fake browser addons spread SCAMS

    FYI...

    Fake browser addons spread SCAMS
    - http://www.theregister.co.uk/2011/12...facebook_scam/
    22 December 2011 - "... spreading scams on Facebook. Instead of using status updates as a lure, the latest generation of Facebook scams attempt to trick marks into installing malicious browser extensions. The plug-ins are supposedly needed to view non-existent video clips supposedly posted by an earlier victim. Once installed, these malign browser add-ons spread the scam from one user's profile to another... The bogus extensions come as add-ons for both Firefox and Chrome. More details of the scam, including screenshots, can be found in a blog post by Websense*..."
    * http://community.websense.com/blogs/...e-plugins.aspx
    "... The code checks which browser is installed and serves the compatible malicious plugin..."

