
Thread: SPAM frauds, fakes, and other MALWARE deliveries - archive

  1. #671
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Fake CPA/AICPA emails lead to BlackHole exploit kit

    FYI...

    Fake CPA/AICPA emails lead to BlackHole exploit kit
    - http://blog.webroot.com/2012/08/01/s...e-exploit-kit/
    August 1, 2012 - "Certified public accountants, beware... Cybercriminals are currently spamvertising millions of emails impersonating AICPA (American Institute of Certified Public Accountants) in an attempt to trick users into clicking on the client-side exploits and malware serving links found in the emails...
    Screenshot of the spamvertised email:
    > https://webrootblog.files.wordpress....xploit_kit.png
    ... Spamvertised URL: hxxp://thewebloan .com/wp-includes/notice.html
    Client-side exploits serving URLs parked on the same IP (221.131.129.200) - hxxp ://jeffknitwear .org/main.php?page=8614d3f3a69b5162;
    hxxp ://lefttorightproductservice .org/main.php?page=4bf5d331b53d6f15
    Client-side exploits serving domains responding to the same IP:
    toeplunge .org; teloexpressions .org; historyalmostany .org
    Client-side exploits served:
    - http://web.nvd.nist.gov/view/vuln/de...=CVE-2010-1885 9.3 (HIGH)
    Detection rate for a sample redirection script with MD5: fa9daec70af9ae2f23403e3d2adb1484 *
    ... Trojan.Script!IK; JS/Iframe.W!tr
    Upon successful client-side exploitation, the campaign drops
    MD5: b00af54e5907d57c913c7b3d166e6a5a ** on the affected hosts...
    Trojan.PWS.YWO; Trojan-Dropper.Win32.Dapato.bmtv ..."
    * https://www.virustotal.com/file/21ac...is/1342738075/
    File name: AICPA.html
    Detection ratio: 4/42
    Analysis date: 2012-07-19
    ** https://www.virustotal.com/file/6db6...8a20/analysis/
    File name: b00af54e5907d57c913c7b3d166e6a5a.exe
    Detection ratio: 30/39
    Analysis date: 2012-07-27

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #672
    AplusWebMaster (Adviser Team)

    Tech Support Phone Scams surge

    FYI...

    Tech Support Phone Scams surge
    - https://krebsonsecurity.com/2012/08/...e-scams-surge/
    August 2nd, 2012 - "... horror stories from readers who reported being harassed by unsolicited phone calls from people with Indian accents posing as Microsoft employees and pushing dodgy PC security services. These telemarketing scams are nothing new, of course, but they seem to come and go in waves, and right now it’s definitely high tide..."
    (More detail at the URL above.)

    - http://www.microsoft.com/security/on...one-scams.aspx


  3. #673
    AplusWebMaster (Adviser Team)

    Fake AT&T/Paypal emails lead to BlackHole exploit kit

    FYI...

    Fake AT&T email installs malware
    - http://community.websense.com/blogs/...s-malware.aspx
    2 Aug 2012 - "Websense... detected a massive phishing campaign targeting AT&T customers... fake emails are masquerading as billing information... Each message claims that there is a bill of a few hundred US dollars. In itself, the amount of money could be big enough to raise suspicion in most of us. Also, it is easy to see when the mouse cursor hovers over the link that the target Web address is different from the one displayed in the text of the message...
    (Screenshot of phish/fake email):
    > http://community.websense.com/cfs-fi...0_campaign.png
    ... the link in the bogus message sends the user to a compromised Web server that redirects the browser to a Blackhole exploit kit. As a result, malware is downloaded onto the computer that is currently not detected by most antivirus products, according to VirusTotal*..."
    * https://www.virustotal.com/file/a7e6...fa13/analysis/
    File name: readme.exe
    Detection ratio: 10/39
    Analysis date: 2012-08-03 06:21:20 UTC
    ___

    Fake PayPal emails lead to BlackHole exploit kit
    - http://blog.webroot.com/2012/08/02/s...e-exploit-kit/
    August 2, 2012 - "... cybercriminals are currently spamvertising millions of emails impersonating PayPal, in an attempt to trick end and corporate users into interacting with the malicious campaign. Once the interaction takes place, users are exposed to the client-side exploits served by the Black Hole exploit kit, currently the market share leader within the cybercrime ecosystem...
    Screenshot of the spamvertised email:
    > https://webrootblog.files.wordpress....xploit_kit.png
    ... Upon clicking on the link, users are exposed to a bogus “Page loading…” page:
    > https://webrootblog.files.wordpress....oit_kit_01.png
    ... Client-side exploits served: CVE-2010-0188; CVE-2010-1885
    Detection rate for a sample redirection script: MD5: 2276947d2f3a7abc88e89089e65dce23*
    Upon successful client-side exploitation, the campaign drops MD5: 05e0958ef184a27377044655d7b23cb0** on the affected hosts... cybercriminals behind these persistent and massive spam campaigns will simply continue rotating the impersonated brands in an attempt to target millions of users across multiple Web properties. PayPal has information (1) on their website to help users identify legitimate emails..."
    * https://www.virustotal.com/file/8f50...is/1343139059/
    File name: PayPal.html
    Detection ratio: 3/40
    Analysis date: 2012-07-24 14:10:59 UTC
    ** https://www.virustotal.com/file/132d...84be/analysis/
    File name: file
    Detection ratio: 32/41
    Analysis date: 2012-08-03 10:30:40 UTC

    1- https://www.paypal.com/us/webapps/mp...cious-activity

    Last edited by AplusWebMaster; 2012-08-03 at 16:35.

  4. #674
    AplusWebMaster (Adviser Team)

    Phishing for Payroll with unpatched Java...

    FYI...

    Phishing for Payroll with unpatched Java
    - https://isc.sans.edu/diary.html?storyid=13840
    Last Updated: 2012-08-05 - "... companies that offer outsourced payroll management services have seen their name being abused for phishing scams. One prominent example is ADP, whose website [1] currently alerts their customers to four different samples of phishing emails that make the rounds and claim to be from ADP. The average recipient of such a phish would have no idea who or what ADP is, and would be highly unlikely to "click". But a HR/Payroll employee of a company that actually uses ADP services would certainly be alarmed to read, for example, that his/her access to ADP is about to be cut off:
    > https://isc.sans.edu/diaryimages/sd1.JPG
    ... the odds are pretty high that someone who clicks on the link in the email is actually a HR/Payroll person. Combine the link with a nice fresh set of exploits that have near-zero detection in anti-virus, and you have a Get-Rich-Quick scheme for the crooks that's hard to beat...
    >> https://isc.sans.edu/diaryimages/sd2.jpg
    ... Those who clicked nonetheless have likely been "had", though. The shown marottamare link redirected via three other web sites, and then ended up on 50.116.36.175, a very temporary home on what looks like a rented Linux VServer. From there, the exploits were delivered, and at least one of them, Java CVE-2012-1723, is currently netting the bad guys a lot of illicit system access. Antivirus detection rate is and stays low; three days later, it is still only at -8/41- on Virustotal*. The main reason for this seems to be that the exploit packs are encoded... which means that the original attack code and payload are split up into five-byte blocks, and each of these individual five bytes is encoded by XOR with a different static value... Some of the AV tools are getting better at providing generic detection for encoded CVE-2012-1723, but don't hold your breath... As for defenses:
    1. PATCH your Java JRE. CVE-2012-1723** is deadly, and is widely being exploited in the wild at the moment. Even better, uninstall Java JRE completely from your computers if you can get away with it.
    2. Make sure your HR and Payroll folks are treated to another round of "DONT CLICK ON THIS LINK" training. They are your first line of defense, and - given Antivirus' ineffectiveness - usually even your ONLY line of defense.
    3. If you have an outsourced payroll provider, acquaint yourself with the email logs, so that you know what REAL email coming from this provider looks like. This knowledge is priceless during an incident, and might even help you to automatically -block- some of the more egregious phishes..."
    * https://www.virustotal.com/file/342c...is/1344175361/
    File name: Rooh.jar
    Detection ratio: 8/41
    Analysis date: 2012-08-05

    [1] http://www.adp.com/about-us/trust-ce...ty-alerts.aspx

    ** http://web.nvd.nist.gov/view/vuln/de...=CVE-2012-1723 - 10.0 (HIGH)
    6/16/2012


  5. #675
    AplusWebMaster (Adviser Team)

    Fake LinkedIn emails serve exploits and malware

    FYI...

    Fake LinkedIn emails serve exploits and malware
    - http://blog.webroot.com/2012/08/08/o...s-and-malware/
    August 8, 2012 - "... cybercriminals launched the most recent spam campaign impersonating LinkedIn, in an attempt to trick LinkedIn’s users into clicking on the client-side exploits and malware serving links found in the emails...
    Screenshot of the spamvertised email:
    > https://webrootblog.files.wordpress....xploit_kit.png
    ... Spamvertised URL: hxxp ://glqzc .com/linkzane.html
    Client-side exploits serving URL: hxxp ://headtoheadblaster .org/main.php?page=f6857febef53e332
    Client-side exploits served: http://web.nvd.nist.gov/view/vuln/de...=CVE-2010-1885 - 9.3 (HIGH)
    Upon successful client-side exploitation, the campaign drops MD5: 6c59e90d9c3931c900cfd2672f64aec3 *
    ... PWS-Zbot.gen.ajm; W32/Kryptik.BRK..."
    * https://www.virustotal.com/file/2780...c800/analysis/
    File name: 6c59e90d9c3931c900cfd2672f64aec3
    Detection ratio: 24/42
    Analysis date: 2012-08-09 02:17:01 UTC

    Last edited by AplusWebMaster; 2012-08-09 at 16:01.

  6. #676
    AplusWebMaster (Adviser Team)

    2x IPs to block - Zeus/Citadel variant causing issues ...

    FYI...

    - https://isc.sans.edu/diary.html?storyid=13861
    Last Updated: 2012-08-09 10:20:41 UTC
    ... Ref (1): http://blog.fox-it.com/2012/08/09/xd...reading-virus/
    XDocCrypt/Dorifel – Document encrypting and network spreading virus
    August 9, 2012 - "... apparently none of your IT security defenses has removed it, has blocked it and neither has signaled you that there was something wrong on that system. If you were hit, you will likely start asking yourself some questions now… A properly configured IDS would have picked up the attack earlier and you would have been notified of the event. Communication to the following IP addresses might indicate malicious behavior on your system:
    184.82.162.163
    184.22.103.202

    ... Ref (2): http://www.damnthoseproblems.com/?p=599&lang=en
    Latest reference 09-08-2012 Update 18:05...
    ... 2x IPs to block: 184.82.162.163... 184.22.103.202


  7. #677
    AplusWebMaster (Adviser Team)

    Fake Groupon email malware coupon

    FYI...

    Fake Groupon email malware coupon
    - http://blog.commtouch.com/cafe/email...upon-with-you/
    Aug 9, 2012 - "A recent collection of malware emails borrows heavily from authentic mailings sent out by Groupon and LinkedIn. The outbreak is different from the blended attacks that have featured regularly in the last few months since it relies on attached malware as opposed to a link to drive-by malware. Using email templates modeled on Groupon and LinkedIn increases the chances that recipients will consider the attachment genuine and worth opening. The example below shows a Groupon “deal” found by a friend. Recipients are invited to open the attachment to view the gift details and also to forward it on to friends. All the links within the “offer” point to genuine Groupon sites.
    > http://blog.commtouch.com/cafe/wp-co...th-malware.jpg
    The attached zip file unpacks to a file named “Coupon gift.exe”. Commtouch’s Antivirus identifies the malware as W32/Trojan3.DWY. The malware attempts to download and install files from several remote servers. Only 30% of the 41 engines on VirusTotal detected the malware within a few hours of the attack...
    Email text:
    Hi there!
    You’re going to love it
    We are glad to inform you that one of your friends has found a great deal on Groupon.com!
    And even shared it with you!
    Yeah! Now Groupon.com gives an opportunity to share a discount gift with a friend!
    Enjoy your discount gift in the attachement and share it with one of your friend as well.
    All the details in the file attached. be in a hurry this weekend special is due in 2 days!
    "


  8. #678
    AplusWebMaster (Adviser Team)

    Fake AT&T email billing - serves exploits and malware

    FYI...

    Fake AT&T email billing - serves exploits and malware
    - http://blog.webroot.com/2012/08/10/c...s-and-malware/
    August 10, 2012 - "... yet another massive spam campaign, this time impersonating AT&T’s Billing Center, in an attempt to trick end and corporate users into downloading a bogus Online Bill. Once gullible and socially engineered users click on any of the links found in the malicious emails, they’re automatically redirected to a Black Hole exploit kit landing URL, where they’re exposed to client-side exploits, which ultimately drop a piece of malicious software on the affected hosts...
    Screenshot of the spamvertised email:
    > https://webrootblog.files.wordpress....ts_malware.png
    ... Client-side exploits serving URL:
    hxxp ://advancementwowcom .org/main.php?page=19152be46559e39d
    Client-side exploits served: CVE-2010-1885
    Upon successful client-side exploitation, the campaign drops MD5: c497b4d6dfadd4609918282cf91c6f4e* on the infected hosts... as Trojan.Generic.KD.687203; W32/Cridex-Q. Once executed, the sample phones back to hxxp :// 87.204.199.100 :8080 /mx5/B/in/. We’ve already seen the same command and control server used in several malware-serving campaigns, namely, the Craigslist spam campaign, the PayPal spam campaign, the eBay spam campaign, and the American Airlines themed spam campaign... cybercriminals will continue rotating popular brands, introduce new email templates, and newly undetected pieces of malware..."
    * https://www.virustotal.com/file/a7e6...fa13/analysis/
    File name: C497B4D6DFADD4609918282CF91C6F4E_100-about.exe
    Detection ratio: 19/41
    Analysis date: 2012-08-05


  9. #679
    AplusWebMaster (Adviser Team)

    Olympic malware spread continues...

    FYI...

    Olympic malware spread continues ...
    - http://community.websense.com/blogs/...ble-Sites.aspx
    10 Aug 2012 - "... Websense... analyzed Twitter traffic based on popular Olympics-related terms, events, and athletes starting two days before the Opening Ceremony through August 8th... Looking more closely at the data, we found that a handful of Twitter feeds from certain athletes and teams were posting shortened URLs which redirected to Objectionable or Security categories, including Malicious Web Sites and Malicious Embedded Links:
    > http://community.websense.com/cfs-fi...2D00_550x0.jpg
    ... We took a sample set of 3600 of these, unshortened them, and analyzed the category breakdown:
    > http://community.websense.com/cfs-fi...1057.chart.jpg
    ..."


  10. #680
    AplusWebMaster (Adviser Team)

    Fake Intuit emails ...

    FYI...

    Fake Intuit emails ...
    - http://security.intuit.com/alert.php?a=52
    8/10/2012 - "People are receiving emails purportedly from Classmates.com with the title "Download your Intuit.com invoice." There is an attachment to the email. Below is the text of the email people are receiving, including the errors in the email:

    "Dear Customer: Thank you for ordering from Intuit Market. We are processing and will message you when your order ships. If you ordered multiple items, we may sned them in more than one delivery (at no extra cost to you) to ensure quicker delivery. If you have questions about your order please call 1-900-040-6988 ($3.19/min).
    ORDER INFORMATION
    Please download your complete order id#6269722 from the attachment.(Open with Internet Explorer)"


    This is the end of the fake email... Steps to Take Now:
    . Do not click on the link in the email...
    . Spoofed email address. Don't reply to unsolicited email and don't open email attachments...
    . Fake link. When in doubt, never click on a link in an unsolicited or suspicious email..."

