Thread: SPAM frauds, fakes, and other MALWARE deliveries...
  #34 AplusWebMaster (Adviser Team)
    Join Date: Oct 2005 | Location: USA | Posts: 6,881

    Pervasive malware activity - SPAM ...

    FYI...

    - https://www.net-security.org/malware_news.php?id=2455
    4.04.2013 - "Malware activity has become so pervasive that organizations experience a malicious email file attachment or Web link as well as malware communication that evades legacy defenses up to once every three minutes, according to FireEye* ..."
    * http://www.fireeye.com/blog/technica...at-report.html

    > https://www.net-security.org/images/...e-042013-1.jpg
    ___

    Fake "Bill Me Later" SPAM / PP_BillMeLater_Receipe04032013_4283422.zip
    - http://blog.dynamoo.com/2013/04/bill...erreceipe.html
    4 Apr 2013 - "This fake "Bill Me Later" spam comes with a malicious attachment:
    Date: Wed, 3 Apr 2013 21:42:52 +0600 [04/03/13 11:42:52 EDT]
    From: Bill Me Later [notification @billmelater .com]
    Subject: Thank you for scheduling a payment to Bill Me Later
    BillMeLater
    Log in here
    Your Bill Me Later® statement is now available!
    Dear Customer,
    Thank you for making a payment online! We've received your
    Bill Me Later® payment of $1644.03 and have applied it to your account.
    For more details please check attached file : PP_BillMeLater_Receipe04032013_4283422.zip
    Here are the details:
    Your Bill Me Later Account Number Ending in: 0014
    You Paid: $1644.03
    Your Payment Date*: 04/03/2013
    Your Payment Confirmation Number: 228646660603545001
    Don't forget, Bill Me Later is the perfect way to shop when you want more time to pay for the stuff you need. Plus, you can always find great deals and discounts at over 1000 stores. Watch this short, fun video to learn more.
    BillMeLater
    *NOTE: If your payment date is Saturday, or a holiday, it will take an additional day for the payment to appear on your account. However, you will be credited for the payment as of the payment date.
    Log in at PayPal.com to make a payment
    Questions:
    Do not reply to this email. Please send all messages through the email form on our website. We are unable to respond to account inquiries sent in reply to this email. Bill Me Later is located at 9690 Deereco Rd, Suite 110, Timonium, MD 21093 Copyright 2012 Bill Me Later Inc.
    Bill Me Later accounts are issued by WebBank, Salt Lake City Utah
    PP10NDPP1


    Screenshot: https://lh3.ggpht.com/-55gUxujP5q4/U...l-me-later.png

    There is an attachment called PP_BillMeLater_Receipe04032013_4283422.zip which contains an executable file PP_BillMeLater_Receipe_04032013.exe (note that the date is encoded into the filename) which currently has a VirusTotal detection rate of just 26/46*. The executable is resistant to automated analysis tools but has the following fingerprint:
    MD5: c93bd092c1e62e9401275289f25b4003
    SHA256: ae5af565c75b334535d7d7c1594846305550723c54bf2ae77290784301b2ac29
    Blocking EXE-in-ZIP files at your perimeter is an effective way of dealing with this threat, assuming you have the technology to do it."
    * https://www.virustotal.com/en/file/a...is/1365065866/
    File name: PP_BillMeLater_Receipe_04032013.exe
    Detection ratio: 26/46
    Analysis date: 2013-04-04
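    The perimeter rule dynamoo recommends above (block EXE-in-ZIP) is simple to implement on the mail gateway; the Python below is an added example, not code from the blog or this forum. It builds a constructed in-memory ZIP (no real sample), then checks each member by extension and by the 'MZ' PE header so that an executable renamed inside the archive is still caught, flags the date-stamped lure filename pattern the post points out, and treats encrypted or unparseable archives as blockable. The extension list, the filename regex, and the helper names are assumptions for this example.

```python
import io
import re
import zipfile

# Extensions Windows will execute directly; any ZIP member with one of these is
# blocked, which is the perimeter rule the post recommends. (Assumed list.)
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}

# The lure embeds the send date in the name (PP_BillMeLater_Receipe_04032013.exe),
# so a static filename blocklist would miss tomorrow's copy; match the shape instead.
DATED_LURE_NAME = re.compile(r"_(\d{8})\.(exe|zip)$", re.IGNORECASE)


def inspect_zip(data: bytes, max_members: int = 1000):
    """Return (blocked, reasons) for a ZIP attachment held in memory.

    The member's extension and its first bytes are both checked, so an EXE renamed
    to .pdf inside the archive still trips the rule.
    """
    reasons = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return True, ["attachment is not a valid ZIP archive"]
    with zf:
        for info in zf.infolist()[:max_members]:
            name = info.filename
            ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
            if ext in EXECUTABLE_EXTENSIONS:
                reasons.append(f"{name}: executable extension {ext}")
            try:
                with zf.open(info) as member:
                    head = member.read(2)
            except RuntimeError:  # password-protected member: cannot be scanned
                reasons.append(f"{name}: encrypted member, content not inspectable")
                continue
            # A PE file starts with the 'MZ' DOS header whatever it is called.
            if head == b"MZ" and ext not in EXECUTABLE_EXTENSIONS:
                reasons.append(f"{name}: PE header (MZ) under non-executable extension")
            m = DATED_LURE_NAME.search(name)
            if m:
                reasons.append(f"{name}: date-stamped lure filename ({m.group(1)})")
    return bool(reasons), reasons


def build_sample_zip(member_name: str, payload: bytes) -> bytes:
    """Constructed test archive: one member, written in memory (not a malware sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


# Constructed stand-in for a PE file: only the 'MZ' magic, nothing executable.
FAKE_PE = b"MZ" + b"\x00" * 62

if __name__ == "__main__":
    for name, payload in [("PP_BillMeLater_Receipe_04032013.exe", FAKE_PE),
                          ("receipt.pdf", FAKE_PE), ("notes.txt", b"plain text")]:
        blocked, reasons = inspect_zip(build_sample_zip(name, payload))
        print(name, "BLOCK" if blocked else "allow", reasons)
```

    Nested archives are not unpacked here; a gateway that allows ZIP-in-ZIP would need to recurse with the same check and the same member cap.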
    ___

    Fiserv Money Transfer Spam
    - http://threattrack.tumblr.com/post/4...-transfer-spam
    4 April 2013 - "Subjects seen:
    Outgoing Money Transfer
    Typical e-mail details:
    An outgoing money transfer request has been received by your financial institution. In order to complete the money transfer please print and sign the attached form.
    To avoid delays or additional fees please be sure Beneficiary Information including name, branch name, address, city, state, country, and RTN or SWIFT BIC Code is correct. For international Wires be sure you include the International Routing Code (IRC) and International Bank Account Number (IBAN) for countries that require it.
    Thank you,
    Joy_Farmer
    Senior Officer
    Cash Management Verification
    Phone : [removed]
    Email: [removed]


    Malicious URLs
    3ecompany .com:8080/ponyb/gate.php
    23.wellness-health2day .com/ponyb/gate.php
    23.ad-specialties .info/ponyb/gate.php
    23.advertisingspecialties .biz/ponyb/gate.php
    brightpacket .com/coS0GiKE .exe
    u16432594.onlinehome-server .com/d8dTEXk.exe
    thedryerventdude .com/2FKBSea .exe


    Screenshot: https://gs1.wac.edgecastcdn.net/8019...rN91qz4rgp.png
    ___

    Bank of America Trusteer Spam
    - http://threattrack.tumblr.com/post/4...-trusteer-spam
    4 April 2013 - "Subjects seen:
    New Critical Update
    Typical e-mail details:
    Valued Customer:
    As part of our continued effort to enhance online banking safety, Bank of America announced late last year that it has partnered with Trusteer Rapport to add an additional layer of security to our eBusiness platform and we recommend that all of our online banking customers install the software.


    Malicious URLs
    23.proautorepairdenver .com/forum/viewtopic.php
    23.onqdenver .net/forum/viewtopic.php
    23.onqdenver .com/forum/viewtopic.php
    3ecompany .com:8080/forum/viewtopic.php
    dev2.americanvisionwindows .com/rthsWe.exe
    adr2009 .it/R4eFC.exe
    easy .com.gr/2YcB2jL.exe
    konyapalyaco .net/F6pKX68j.exe
    homepage.osewald .de/ynWx1.exe


    Screenshot: https://gs1.wac.edgecastcdn.net/8019...Mm31qz4rgp.png
    ___

    Fake "British Airways" SPAM / igionkialo .ru
    - http://blog.dynamoo.com/2013/04/brit...onkialoru.html
    4 Apr 2013 - "This fake British Airways spam leads to malware on igionkialo .ru:
    Date: Thu, 4 Apr 2013 10:19:48 +0330
    From: Marleen Camacho via LinkedIn [member @linkedin .com]
    Subject: British Airways E-ticket receipts
    Attachments: E-Receipt.htm
    e-ticket receipt
    Booking reference: UMA7760047
    Dear,
    Thank you for booking with British Airways.
    Ticket Type: e-ticket
    This is your e-ticket receipt. Your ticket is held in our systems, you will not receive a paper ticket for your booking.
    Your itinerary is attached (Internet Exlplorer/Mozilla Firefox file)
    Yours sincerely,
    British Airways Customer Services
    British Airways may monitor email traffic data and also the content of emails, where permitted by law, for the purposes of security and staff training and in order to prevent or detect unauthorised use of the British Airways email system.
    British Airways Plc is a public limited company registered in England and Wales. Registered number: 69315274. Registered office: Waterside, PO Box 365, Harmondsworth, West Drayton, Middlesex, England, UB7 0GB.
    How to contact us
    Although we are unable to respond to individual replies to this email we have a comprehensive section that may help you if you have a question about your booking or travelling with British Airways.
    If you require further assistance you may contact us
    If you have received this email in error
    This is a confidential email intended only for the British Airways Customer appearing as the addressee. If you are not the intended recipient please delete this email and inform the snder as soon as possible. Please note that any copying, distribution or other action taken or omitted to be taken in reliance upon it is prohibited and may be unlawful.


    The attachment E-Receipt.htm leads to a malicious landing page at [donotclick]igionkialo .ru:8080/forum/links/column.php (report here*) hosted on:
    93.187.200.250 (Netdirekt, Turkey)
    94.103.45.34 (ANKARAHOSTING, Turkey)
    208.94.108.238 (Fibrenoire, Canada)
    Blocklist:
    93.187.200.250
    94.103.45.34
    208.94.108.238
    ..."
    * http://urlquery.net/report.php?id=1805773
    ... Detected suspicious URL pattern... Blackhole 2 Landing Page 94.103.45.34
    ___

    Madi/Mahdi/Flashback OS X connected malware spreading through Skype
    - http://blog.webroot.com/2013/04/04/m...through-skype/
    April 4, 2013 - "Over the past few days, we intercepted a malware campaign that spreads through Skype messages, exclusively coming from malware-infected friends or colleagues. Once users click on the shortened link, they’ll be exposed to a simple file download box, with the cybercriminals behind the campaign directly linking to the malicious executable...
    Sample screenshot of the campaign in action:
    > https://webrootblog.files.wordpress....ngineering.png
    Sample redirection chain: hxxp ://www.goo .gl/aMrTD?image=IMG0540250-JPG -> hxxp ://94.242.198.67/images.php -> MD5: f29b78be1cd29b55db94e286d48cddef * ... Gen:Variant.Symmi.17255.
    More malware is known to have been rotated on the same IP... Upon execution, MD5: d848763fc366f3ecb45146279b44f16a phones back to hxxp ://xlotxdxtorwfmvuzfuvtspel .com/RQQgW6RRMZKWdj0xLjImaWQ9MjQ3NzA0MzA5MiZhaWQ9MzAyODcmc2lkPTQmb3M9NS4xLTMyluYwGI8j – 50.62.12.103. What’s so special about this IP (50.62.12.103) anyway? It’s the fact that it’s known to have been used as a C&C for the Madi/Mahdi malware campaign, as well as a C&C for the Flashback MAC OS X malware, proving that someone’s definitely multi-tasking..."
    (More detail at the webroot URL above.)
    * https://www.virustotal.com/en/file/3...3b91/analysis/
    File name: reznechek.exe
    Detection ratio: 27/46
    Analysis date: 2013-04-03
    ___

    Legal Case Spam
    - http://threattrack.tumblr.com/post/4...egal-case-spam
    4 April 2013 - "Re: Our chances to win the case are better than ever.
    Typical e-mail details:
    We talked to the administration representatives, and if we acknowledge our minor defiance to improve their statistics, the major suit will be closed due to the lack of the government interest to the action. We have executed your explanatory text for the court. Please read it carefully and if anything in it seems unacceptable, let us know.
    Speech.doc 332kb
    With Best Wishes
    Erica Bermudez


    Malicious URLs
    3ecompany .com:8080/ponyb/gate.php
    lanos-info .ru/winadlor.htm


    Screenshot: https://gs1.wac.edgecastcdn.net/8019...XcK1qz4rgp.png
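    The Fiserv, Bank of America, British Airways, Skype and Legal Case items above all carry indicators in the post's defanged notation (a space before the TLD, "hxxp ://", "[donotclick]"), plus the IP blocklist. The Python below is an added example, not code from ThreatTrack, dynamoo, Webroot or this forum: it refangs those indicators, splits them into host, path and IP sets, and runs them over a constructed proxy log. It goes one step beyond a plain host match by alerting on the kit paths alone (/ponyb/gate.php, /forum/viewtopic.php, /forum/links/column.php), so a new domain reusing the same gate or landing path is still caught. The log format, client addresses and the unseen-host.test line are constructed for the demo.

```python
import re
from urllib.parse import urlsplit

# Indicators copied from the items above, still in the post's defanged notation;
# refang() restores them before parsing.
DEFANGED_URLS = [
    "3ecompany .com:8080/ponyb/gate.php",
    "23.wellness-health2day .com/ponyb/gate.php",
    "brightpacket .com/coS0GiKE .exe",
    "23.onqdenver .net/forum/viewtopic.php",
    "hxxp ://94.242.198.67/images.php",
    "[donotclick]igionkialo .ru:8080/forum/links/column.php",
    "lanos-info .ru/winadlor.htm",
]
# IPs from the British Airways blocklist plus the Skype item's C&C address.
BLOCKLIST_IPS = {"93.187.200.250", "94.103.45.34", "208.94.108.238", "50.62.12.103"}


def refang(ioc: str) -> str:
    """Turn the post's defanged notation back into a parseable URL."""
    s = ioc.replace("[donotclick]", "")
    s = re.sub(r"hxxp(s?)\s*://", r"http\1://", s)
    s = re.sub(r"\s+\.", ".", s)          # "example .com" -> "example.com"
    if "://" not in s:
        s = "http://" + s                 # bare host/path entries get a scheme
    return s


def build_indicators():
    """Split the refanged URLs into host and path sets; IPs stay as their own set."""
    hosts, paths = set(), set()
    for ioc in DEFANGED_URLS:
        u = urlsplit(refang(ioc))
        hosts.add(u.hostname)
        paths.add(u.path)
    return hosts, paths, set(BLOCKLIST_IPS)


# Constructed proxy log format: timestamp client method url status (not a real log).
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def match_line(line: str, hosts, paths, ips):
    """Return the list of indicator hits for one log line, or [] if it is clean."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return []
    u = urlsplit(m["url"])
    host = (u.hostname or "").lower()
    hits = []
    if host in hosts:
        hits.append(f"host {host}")
    if host in ips:
        hits.append(f"blocklisted ip {host}")
    # Path match fires even on an unseen host: the kits reuse the same gate/landing paths.
    if u.path in paths:
        hits.append(f"path {u.path}")
    return hits


def scan_log(text: str):
    """Return (client, url, hits) for every line that matches at least one indicator."""
    hosts, paths, ips = build_indicators()
    results = []
    for line in text.splitlines():
        hits = match_line(line, hosts, paths, ips)
        if hits:
            m = LOG_LINE.match(line.strip())
            results.append((m["client"], m["url"], hits))
    return results


# Constructed sample log (clients and the last host are invented for the demo).
SAMPLE_LOG = """\
2013-04-04T10:21:03Z 10.0.0.12 GET http://23.wellness-health2day.com/ponyb/gate.php 200
2013-04-04T10:22:17Z 10.0.0.12 GET http://example.org/index.html 200
2013-04-04T10:23:40Z 10.0.0.31 GET http://94.103.45.34:8080/forum/links/column.php 200
2013-04-04T10:24:02Z 10.0.0.44 GET http://unseen-host.test/ponyb/gate.php 404
"""

if __name__ == "__main__":
    for client, url, hits in scan_log(SAMPLE_LOG):
        print(f"{client} -> {url}: {', '.join(hits)}")
```

    A path-only hit is lower confidence than a host or IP hit and is best treated as a triage lead for the client in question rather than an automatic block.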
    ___

    Penny stock SPAM
    - https://isc.sans.edu/diary.html?storyid=15559
    Last Updated: 2013-04-05 00:25:54 UTC - "Most of you will remember the penny stock SPAM messages from a few years ago. The main aim of the game is to buy a bunch of penny stock and then do a SPAM campaign to drive buying interest, artificially inflating the price of the stock. They sell and make their money. It may be a few cents per share, but if you own enough of it, it can be quite profitable. Most SPAM filters are more than capable of identifying and dumping this kind of SPAM. It looks, however, like it is becoming popular again...
    News!!!
    Date: Thursday, Apr 4th, 2013
    Name: Pac West Equities, Inc.
    To buy: P_WEI
    Current price: $.19
    Long Term Target: $.55
    OTC News Subscriber Reminder!!! Releases Breaking News This
    Morning!


    What is old is new again..."

    Last edited by AplusWebMaster; 2013-04-05 at 04:47.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
