Thread: SPAM frauds, fakes, and other MALWARE deliveries - archive

  1. #681
    Adviser Team AplusWebMaster
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Phishing emails from "Nationwide" in circulation

    FYI...

    Phishing emails from "Nationwide" in circulation
    - http://www.gfi.com/blog/nationwide-p...n-circulation/
    August 13, 2012 - "There are some emails floating around right now claiming to be from Nationwide*. The first wants customers to “validate your internet banking profile”, with the aid of the following missive:
    > http://www.gfi.com/blog/wp-content/u...ationphish.jpg
    The second tries a different approach, claiming that they have “identified an unusual conflict between the customer number and profile details associated with your account”.
    > http://www.gfi.com/blog/wp-content/u...tionphish2.jpg
    The emails lead to various URLs which appear to have been compromised (including a Belarus human rights website and what appears to be an Indonesian news portal) playing host to pages asking for security information. Of the two, the human rights site appears to have been fixed but the dubious pages are still live on the Indonesian portal at time of writing.
    http://www.gfi.com/blog/wp-content/u...tionphish3.jpg
    Customers of Nationwide should treat -any- Emails asking to validate and/or confirm security information with the utmost suspicion and make a safety deposit in their spam folder."
    * https://en.wikipedia.org/wiki/Nation...ilding_Society
    "Nationwide Building Society is a British mutual financial institution..."

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #682
    Adviser Team AplusWebMaster

    WordPress blogs... host Blackhole malware

    FYI...

    Insecure WordPress blogs... host Blackhole malware attack
    - http://nakedsecurity.sophos.com/2012...alware-attack/
    August 10, 2012 - "... a major malware campaign, spread via spam email and compromised self-hosted WordPress blogs, which attempts to infect computers using the notorious Blackhole exploit kit. Be on your guard if you have received an email entitled "Verify your order", as links contained within the email could take you to a poisoned webpage, designed to install malware onto your PC.
    Here's what a typical email looks like:
    > https://sophosnews.files.wordpress.c...ail1.jpg?w=640
    Subject: Verify your order
    Message body:
    Dear [name],
    please verify your order #[random number] at [LINK]
    We hope to see you again soon!

    The websites that are being linked to aren't ones that have been created by the malicious hackers. They are legitimate websites that are running a self-hosted installation of the popular WordPress blogging platform. (Note, this does not include the many millions of bloggers who use the WordPress.com service - the vulnerable sites are those where people have installed their own WordPress software). Unfortunately, some people haven't properly secured their sites - which has allowed malicious hackers to plant malicious code from the Blackhole exploit kit, and means that malware is now downloading onto innocent users' computers. Sophos products detect the malware as Troj/PDFEx-GD, Troj/SWFExp-AI, Mal/ExpJS-N and Troj/Agent-XDM. More and more of the attacks that we are intercepting involve the Blackhole exploit kit - recent examples include emails posing as traffic tickets from NYC, rejected wire transfer notifications and fake Facebook photo tag notifications. Remember to not just keep your anti-virus software up-to-date, but also to ensure that any software you run on your web server is also properly secured, and kept patched and current (that includes blogging software like WordPress and any plugins* that it might use)."

    "WordPress Plugin" search results ...
    * https://secunia.com/advisories/searc...rdPress+Plugin
    Found: 407 Secunia Security Advisories ...
    Aug 13, 2012

    Last edited by AplusWebMaster; 2012-08-13 at 17:13.

  3. #683
    Adviser Team AplusWebMaster

    IRS SPAM campaign leads to BlackHole exploit kit

    FYI...

    IRS SPAM campaign leads to BlackHole exploit kit
    - http://blog.webroot.com/2012/08/13/i...e-exploit-kit/
    August 13, 2012 - "... cybercriminals launched yet another massive spam campaign, this time impersonating the Internal Revenue Service (IRS) in an attempt to trick taxpayers into clicking on a link pointing to a bogus Microsoft Word Document. Once the user clicks on it, they are redirected to a BlackHole exploit kit landing URL, where they’re exposed to the client-side exploits served by the kit...
    Screenshot of the spamvertised IRS themed email:
    > https://webrootblog.files.wordpress....xploit_kit.png
    Once the user clicks on the link pointing to a Black Hole landing URL, he’s exposed to the following bogus “Page loading…” page:
    > https://webrootblog.files.wordpress....oit_kit_01.png
    Client-side exploits served: CVE-2010-0188; CVE-2010-1885
    ... as you can see in the first screenshot, the cybercriminals behind the campaign didn’t bother to use the services of a “cultural diversity on demand” underground market proposition offering the ability to localize a message or a web site to the native language of the prospective victim, hence they failed to properly formulate their sentence, thereby raising suspicion in the eyes of the prospective victim..."

    - https://www.virustotal.com/file/83e2...is/1343319131/
    File name: IRS.html
    Detection ratio: 2/41
    Analysis date: 2012-07-26
    - https://www.virustotal.com/file/af31...4557/analysis/
    File name: 6d7b7d2409626f2c8c166373e5ef76a5.exe
    Detection ratio: 30/41
    Analysis date: 2012-08-04


  4. #684
    Adviser Team AplusWebMaster


    FYI...

    Another Fake Intuit email: "Your order was shipped today"
    > http://security.intuit.com/alert.php?a=53
    [Last updated 8/14/2012 - "Fake email: "Your order was shipped today"
    People are receiving emails with the title "Your order was shipped today." There are numerous messages in the email, including an offer to talk to a QuickBooks expert, the request to add a fake Intuit email to the user's address book, and the possibility to win a $30,000 small business grant. DO NOT click on any of these links. Below is the text portion of the email people are receiving. We have not included the graphic portion of the email which includes the fake links.

    Dear Customer,
    Great News! Your order, SBL46150408, was shipped today (see details below) and will arrive shortly. We hope that you will find that it exceeds your expectations. If you ordered multiple products, we may ship them in separate boxes (at no extra cost to you) to ensure the fastest possible delivery. We will Also provide you with the ability to track your shipments via the directions below.
    Thank you for your order and we look forward to serving you again in the near future.


    This is the end of the fake email. We have not included the graphics with the fake links in the information above. Steps to Take Now: Do not click..."]
    ___

    JUST DELETE THE EMAIL if you get one, or 2 or 3... The only reason the hacks keep doing this is:
    It works.


  5. #685
    Adviser Team AplusWebMaster

    PDF reader exploits-in-the-wild ...

    FYI...

    PDF reader exploits-in-the-wild ...
    - http://blog.fireeye.com/research/201...n-myagent.html
    2012.08.15 - "At FireEye we have been tracking a particular piece of malware we call Trojan.MyAgent for some time now. The malware is currently using email as its primary vector of propagation... We have seen different versions of this malware arriving as an exe inside a zipped file or as a PDF attachment... we have seen the malware get delivered as different files via email. The PDF version of the dropper uses fairly well known exploits. The JavaScript inside of the PDF checks the Adobe Reader version and launches the appropriate exploits... We have also observed versions of this malware loading other DLLs responsible for communicating with the command and control server. Despite the decent detection of some samples of this malware, the constant changes it makes to its intermediary stages to install the actual payload put it into the category of advanced malware."


  6. #686
    Adviser Team AplusWebMaster

    Virus outbreak in progress...

    FYI...


    - http://www.ironport.com/toc/
    August 21, 2012

    - http://tools.cisco.com/security/cent...utbreak.x?i=77
    Fake UPS Payment Document Attachment E-mail Messages - August 21, 2012
    Fake Payment Notification E-mail Messages - August 21, 2012
    Fake DHL Express Tracking Notification E-mail Messages - August 21, 2012
    Fake Tax Refund Statement E-mail Messages - August 20, 2012
    Malicious Personal Pictures Attachment E-mail Messages - August 20, 2012
    Fake Criminal Complaint E-mail Messages - August 20, 2012
    Fake Product Photo Attachment E-mail Message - August 20, 2012
    Fake Money Transfer Notification E-mail Messages - August 20, 2012
    Fake Private Photo Disclosure E-mail Messages - August 20, 2012 ...
    Fake Microsoft Security Update E-mail Messages - August 17, 2012 ...


  7. #687
    Adviser Team AplusWebMaster

    F-Secure Threat Report H1 2012

    FYI...

    F-Secure Threat Report H1 2012
    - https://www.f-secure.com/weblog/archives/00002411.html
    August 21, 2012 - "... criminals were still as busy as ever. Our report includes the following case studies:
    • ZeuS & Spyeye
    • Flashback
    • Blackhole
    • Mobile Threats
    • Ransomware
    • Rogueware
    You can download the report from:
    - http://www.f-secure.com/static/doc/l...rt_H1_2012.pdf
    "One of the most pervasive trends we saw in the computer threat landscape in the first half of 2012 was the expanding usage of vulnerability exploitation for malware distribution. This phenomenon is directly tied to the recent improvement in exploit kits - toolkits that allow malware operators to automatically create exploit code."


  8. #688
    Adviser Team AplusWebMaster

    Fake Flash Player App is an SMS Trojan...

    FYI...

    Fake Flash Player App is an SMS Trojan ...
    - http://www.gfi.com/blog/fake-flash-p...an-and-adware/
    August 22, 2012 - "Adobe marked August 15, 2012—exactly a week ago—as the last day when users could download and install Flash Player on their Android devices if they didn’t have it yet. The company made this announcement so they can focus on Flash on the PC browser and mobile apps bundled with Adobe AIR. This change in focus also meant that Adobe will no longer develop and support Flash on mobile browsers. Of course, it’s possible that some Android users have missed that deadline, so they venture on to other parts of the Internet in search of alternative download sites. It’s no surprise to see that Russian scammers have, indeed, set up websites to lure users into downloading a fake Flash Player onto their Android devices... As of this writing, we’ve seen -eight- sites using Adobe’s logos and icons—all are linking to the same variant of OpFake Trojan disguised as the legit Flash Player for Android. All the Russian sites used different file names for their .APK files but they’re the same malicious variant... You may come across other websites claiming to host the latest version of Flash Player. In that case, better to steer clear from them and download only from Google Play*."
    * https://play.google.com/store/apps/d...shplayer&hl=en
    ___

    - http://blog.webroot.com/2012/08/23/b...be-flash-apps/
    August 23, 2012

    Last edited by AplusWebMaster; 2012-08-24 at 05:01.

  9. #689
    Adviser Team AplusWebMaster

    Fake BlackBerry ID emails ...

    FYI...

    Fake BlackBerry ID emails...
    - http://community.websense.com/blogs/...d-malware.aspx
    22 Aug 2012 - "Websense... intercepted a malware campaign targeting Blackberry customers. These fake emails state that the recipient has successfully created a Blackberry ID. The messages then continue, "To enjoy the full benefits of your BlackBerry ID, please follow the instructions in the attached file." That, of course, is an attempt to lure victims into running the attached malware.
    > http://community.websense.com/cfs-fi...2D00_550x0.png
    ... The malicious email itself is a copy and paste of a legitimate email from Blackberry. And though the attachment indeed raises suspicion, there's no malicious or compromised URL in it. 17/36 AV engines identify the malware in VirusTotal*..."
    * https://www.virustotal.com/file/7f47...b082/analysis/
    File name: Hotel-Booking_Confirmation.exe
    Detection ratio: 27/42
    Analysis date: 2012-08-23 10:54:21 UTC
    > http://community.websense.com/cfs-fi...hreatscope.PNG
    ___

    Bogus greeting cards serve exploits and malware
    - http://blog.webroot.com/2012/08/21/c...s-and-malware/
    August 21, 2012 - "Think you’ve received an online greeting card from 123greetings.com? Think twice! Over the past couple of days, cybercriminals have spamvertised millions of emails impersonating the popular e-card service 123greetings.com in an attempt to trick end and corporate users into clicking on client-side exploits and malware serving links, courtesy of the Black Hole web malware exploitation kit...
    Screenshot of the spamvertised email:
    > https://webrootblog.files.wordpress....xploit_kit.png
    ... Upon clicking on -any- of the links found in the malicious emails, users are exposed to the following bogus “Page loading…” page:
    > https://webrootblog.files.wordpress....oit_kit_01.png
    ... Client-side exploits served: CVE-2010-1885
    Upon successful exploitation, the campaign drops MD5: 42307705ad637c615a6ed5fbf1e755d1 *...
    Upon successful execution, the sample phones back to 87.120.41.155 :8080/mx5/B/in
    More MD5s are known to have phoned back to the same command and control server... 87.120.41.155 is actually a name server offering DNS resolving services to related malicious and command and control servers... The second sample phones back to 87.204.199.100 :8080/mx5/B/in/ not surprisingly, we’ve already seen this command and control server used in numerous profiled campaigns..."
    * https://www.virustotal.com/file/5296...365f/analysis/
    File name: 42307705ad637c615a6ed5fbf1e755d1
    Detection ratio: 34/42
    Analysis date: 2012-08-23 01:27:36 UTC

    Last edited by AplusWebMaster; 2012-08-23 at 20:09.

  10. #690
    Adviser Team AplusWebMaster

    Java 0-Day exploit-in-the-wild...

    FYI...

    Java 0-Day exploit-in-the-wild
    - https://secunia.com/advisories/50133/
    Last Update: 2012-08-28
    Criticality level: Extremely critical
    Impact: System access
    Where: From remote ...
    Solution Status: Unpatched
    Software: Oracle Java JRE 1.7.x / 7.x
    CVE Reference: http://web.nvd.nist.gov/view/vuln/de...=CVE-2012-4681 - 6.8
    ... vulnerability is confirmed in version 7 update 6 build 1.7.0_06-b24. Other versions may also be affected.
    Solution: No official solution is currently available...
    Reported as a 0-day.
    Original Advisory:
    http://blog.fireeye.com/research/201...-over-yet.html

    - https://isc.sans.edu/diary.html?storyid=13984
    Last Updated: 2012-08-27 20:29:15 UTC - "... targets Java 1.7 update 6, there is currently no patch available, the exploit has been integrated into the metasploit framework..."
    - https://krebsonsecurity.com/2012/08/...-java-exploit/
    August 27, 2012
    - http://www.deependresearch.org/2012/...formation.html
    August 27, 2012 - "... currently being used in targeted attacks..."

    - http://labs.alienvault.com/labs/inde...d-in-the-wild/
    August 27, 2012 - "... On the analyzed sample the payload is downloaded from ok.aa24 .net/meeting /hi.exe... The payload drops C:\WINDOWS\system32\mspmsnsv.dll (replace the file if present) and starts the Portable Media Serial Number Service. The malware connects to hello.icon .pk port 80. It seems to be a Poison Ivy variant. hello.icon .pk resolves to:
    223.25.233.244
    223.25.233.0 – 223.25.233.255

    8 to Infinity Pte Ltd ..."
    > https://www.virustotal.com/file/09d1...200f/analysis/
    File name: hi.exe
    Detection ratio: 32/42
    Analysis date: 2012-08-28 12:59:25 UTC

    - https://www.virustotal.com/file/09d1...200f/analysis/
    File name: hi.exe
    Detection ratio: 36/42
    Analysis date: 2012-08-29 10:55:45 UTC
    ___

    - http://www.kb.cert.org/vuls/id/636312
    Last revised: 28 Aug 2012 - "... Disabling the Java browser plugin may prevent a malicious webpage from exploiting this vulnerability..."

    - http://www.symantec.com/connect/blog...-cve-2012-4681
    8.28.2012 - "... attackers have been using this zero-day vulnerability for at least five days, since August 22... we have confirmed that the zero-day vulnerability works on the latest version of Java (JRE 1.7), but it does -not- work on the older version JRE 1.6*..."

    * http://forums.spybot.info/showpost.p...08&postcount=5

    Last edited by AplusWebMaster; 2012-08-29 at 16:23.
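Posts #689 and #690 above quote the phone-back hosts and paths those two campaigns used. As an added example (not code from Webroot, AlienVault or this thread's poster), here is a Python matcher that runs those quoted indicators, with the posts' defanging spaces removed, over a few constructed squid-style proxy log lines; the log format and the internal client addresses are constructed for the example.

```python
import re
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

# Indicators as quoted in posts #689 (Webroot) and #690 (AlienVault) above.
# The posts defang them with a space before the port or TLD; those spaces are
# removed here so the values match what a proxy log would actually record.
C2_HOSTS = {"87.120.41.155", "87.204.199.100", "hello.icon.pk", "ok.aa24.net"}
C2_PATH_RE = re.compile(r"^/mx5/B/in/?$")      # Blackhole phone-back path from #689
C2_NETS = [ip_network("223.25.233.0/24")]       # block hello.icon.pk resolved into (#690)

# Constructed squid-style access log: timestamp client method url status
SAMPLE_LOG = """\
1345700000.123 10.0.0.5 GET http://example.com/index.html 200
1345700001.456 10.0.0.7 POST http://87.120.41.155:8080/mx5/B/in 200
1345700002.789 10.0.0.9 GET http://ok.aa24.net/meeting/hi.exe 200
1345700003.000 10.0.0.9 GET http://hello.icon.pk/ 200
1345700004.000 10.0.0.11 GET http://223.25.233.244/ 200
1345700005.000 10.0.0.12 GET http://87.204.199.100:8080/mx5/B/in/ 200
1345700006.000 10.0.0.13 GET http://87.204.199.100:8080/other 200
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<status>\d+)$")


def classify(url):
    """Return the reasons (possibly none) why a URL matches the quoted indicators."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    if host in C2_HOSTS:
        reasons.append("known C2 host " + host)
    try:
        addr = ip_address(host)
    except ValueError:
        addr = None                        # a hostname, not a literal address
    if addr is not None:
        for net in C2_NETS:
            if addr in net:
                reasons.append(f"{host} inside C2 netblock {net}")
    if C2_PATH_RE.match(parts.path):
        reasons.append("Blackhole phone-back path " + parts.path)
    return reasons


def scan_log(text):
    """Return a list of (client, url, reasons) for every log line that matches."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                       # skip malformed lines instead of crashing
        reasons = classify(m["url"])
        if reasons:
            hits.append((m["client"], m["url"], reasons))
    return hits


if __name__ == "__main__":
    for client, url, reasons in scan_log(SAMPLE_LOG):
        print(client, url, "; ".join(reasons))
```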
