Thread: SPAM frauds, fakes, and other MALWARE deliveries...

    Thumbs down Rogue Chrome extension, Fake 'Western Union' SPAM, 'BoA', 'TurboTax' phish

    FYI...

    Rogue Chrome extension - tech support scam
    - https://blog.malwarebytes.com/threat...-support-scam/
    Feb 21, 2017 - "... Google Chrome... no surprise to see it being more and more targeted these days. In particular, less than reputable -ad- networks are contributing to the distribution of malicious Chrome extensions via very deceptive means... Google Chrome users are profiled based on the user-agent string they show whenever they visit a website. Rather than redirecting them to an exploit kit, they are often redirected to fake software updates, scams, or rogue browser extensions... Once installed, this extension ensures it stays in hiding by using a 1×1 pixel image as its logo... and by hooking chrome://extensions and chrome://settings such that any attempt to access those is automatically redirected to chrome://apps. That makes it much more difficult for the average user to see what extensions they have, let alone uninstall one of them... wouldn’t be complete without a tech support scam, which it seems one can’t avoid these days. If the user clicked on a new tab or typed a ‘forbidden’ keyword, the redirection chain would then deliver a -fake- Microsoft warning:
    > https://blog.malwarebytes.com/wp-con...17/02/TSS1.png
    ... We detect and remove this one as Rogue.ForcedExtension.
    IOCs:
    Fake extension: pakistance .club: 104.27.185.37: https://www.virustotal.com/en/ip-add...7/information/
    104.27.184.37: https://www.virustotal.com/en/ip-add...7/information/
    lfbmleejnobidmafhlihokngmlpbjfgo
    Backend server (ad fraud/malvertising):
    amserver .info: 104.31.70.128: https://www.virustotal.com/en/ip-add...8/information/
    104.31.71.128: https://www.virustotal.com/en/ip-add...8/information/
    qma0.2dn .xyz: 173.208.199.163: https://www.virustotal.com/en/ip-add...3/information/
    Tech support scam:
    microsoft-official-warning .info: 66.23.230.31: https://www.virustotal.com/en/ip-add...1/information/
    ___

    Fake 'Western Union' SPAM - delivers java adwind
    - https://myonlinesecurity.co.uk/more-...r-java-adwind/
    21 Feb 2017 - "... -fake- financial themed emails containing java adwind or Java Jacksbot attachments. I have previously mentioned many of these HERE[1]. We have been seeing these sort of emails almost every day...
    1] https://myonlinesecurity.co.uk/?s=java+adwind
    The java Adwind versions are exactly the same as Yesterday’s versions detailed HERE[2]. The zip once again contains -2- differently sized and named java files; although they are named differently from yesterday’s versions, they are identical.
    2] https://myonlinesecurity.co.uk/spoof...s-java-adwind/

    Screenshot: https://myonlinesecurity.co.uk/wp-co...rtra-rules.png

    DETAILS OF PROHIBITED INDIVIDUALS SCREENED FOR THIS TRANSACTION AND MTCN.jar (507kb) VirusTotal 8/58*
    Payload Security**

    WESTERN UNION RTRA RULES AND REFUND IN FULL..jar (333kb) VirusTotal 8/57*** | Payload Security[4]

    ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/7...is/1487577130/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100

    *** https://www.virustotal.com/en/file/6...is/1487577144/

    4] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    83.243.41.200
    ___

    BoA 'Access Locked' - phish
    - https://myonlinesecurity.co.uk/bank-...phishing-scam/
    21 Feb 2017 - "A slightly different phishing scam for a change. The phishing site is an FTP site, which is very unusual...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...ily-Locked.png

    The link-in-the-email goes to: ftp ://121.170.178.35 /License/logon.htm
    where you see a site looking like:
    > https://myonlinesecurity.co.uk/wp-co...FTP_signon.png "

    121.170.178.35: https://www.virustotal.com/en/ip-add...5/information/
    > https://www.virustotal.com/en/url/31...2497/analysis/
    ___

    'TurboTax' - phish
    - https://myonlinesecurity.co.uk/turbo...date-phishing/
    21 Feb 2017 - "Another phishing scam, this time TurboTax:

    Screenshot: https://myonlinesecurity.co.uk/wp-co...unt-Update.png

    The link goes to http ://whitesandscampground .com/images/www.turbotax.com/index.html where you see this page, asking for all the usual details to steal your identity as well as all your bank and credit card accounts and all your money:
    > https://myonlinesecurity.co.uk/wp-co...shing-page.png "

    whitesandscampground .com: 205.204.89.214: https://www.virustotal.com/en/ip-add...4/information/
    > https://www.virustotal.com/en/url/29...26d6/analysis/

    Last edited by AplusWebMaster; 2017-02-21 at 22:56.
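Added example (not code from the post above or from the blogs it quotes): a small Python helper for turning indicator lists written in the defanged style used in this thread (a space inserted before the TLD, and before "://" and the path in URLs) back into usable blocklist entries. It pulls out URLs, domains, public IPv4 addresses and Chrome extension IDs (32 characters drawn from a-p), takes only the host from a URL so a lure path such as www.turbotax.com/index.html is not reported as a domain, and discards non-routable addresses. The sample input is constructed in that style from the indicators quoted above; the refang rules are an assumption about this author's convention, not a general-purpose defang parser.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample: indicator lines in the style of the post above
# (author's defanging convention: a space before the TLD, and a space
# before "://" and before the path in URLs). Not a verbatim copy.
SAMPLE_IOCS = """\
Fake extension: pakistance .club: 104.27.185.37
104.27.184.37
lfbmleejnobidmafhlihokngmlpbjfgo
Backend server (ad fraud/malvertising):
amserver .info: 104.31.70.128
qma0.2dn .xyz: 173.208.199.163
Tech support scam:
microsoft-official-warning .info: 66.23.230.31
ftp ://121.170.178.35 /License/logon.htm
http ://whitesandscampground .com/images/www.turbotax.com/index.html
"""

# Chrome extension IDs are 32 characters from a-p (each hex digit of the
# SHA-256 of the extension's public key is mapped to a letter a..p).
EXT_ID_RE = re.compile(r"(?<![a-z0-9])[a-p]{32}(?![a-z0-9])")
URL_RE = re.compile(r"\b(?:https?|ftp)://[^\s\"'<>]+", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


def refang(line: str) -> str:
    """Undo this thread's defanging (assumed convention):
    'x .tld' -> 'x.tld', 'ftp ://h /p' -> 'ftp://h/p'."""
    line = re.sub(r"\s+(?=://)", "", line)
    line = re.sub(r"\s+(?=\.[a-z]{2,}\b)", "", line, flags=re.I)
    line = re.sub(r"(?<=[a-z0-9])\s+(?=/)", "", line, flags=re.I)
    return line


def is_chrome_extension_id(s: str) -> bool:
    return len(s) == 32 and all("a" <= c <= "p" for c in s)


def _public_ipv4(s: str):
    """Return the address as a string if it is a routable IPv4, else None."""
    try:
        ip = ipaddress.IPv4Address(s)
    except ValueError:
        return None
    # RFC 1918, loopback, link-local etc. are useless as blocklist entries.
    return str(ip) if ip.is_global else None


def extract_iocs(text: str) -> dict:
    urls, hosts, domains, ips, ext_ids = set(), set(), set(), set(), set()
    for raw in text.splitlines():
        line = refang(raw)
        for url in URL_RE.findall(line):
            urls.add(url)
            host = urlsplit(url).hostname  # host only: the path may carry a lure name
            if host:
                hosts.add(host)
        # Blank out URLs before scanning the rest of the line, so path
        # components such as 'www.turbotax.com/index.html' are not reported
        # as domains of their own.
        rest = URL_RE.sub(" ", line)
        ext_ids.update(EXT_ID_RE.findall(rest))
        for cand in IPV4_RE.findall(rest):
            ip = _public_ipv4(cand)
            if ip:
                ips.add(ip)
        domains.update(d.lower() for d in DOMAIN_RE.findall(rest))
    for host in hosts:
        if _public_ipv4(host):
            ips.add(host)
        else:
            domains.add(host.lower())
    return {
        "urls": sorted(urls),
        "domains": sorted(domains),
        "ips": sorted(ips, key=ipaddress.IPv4Address),
        "extension_ids": sorted(ext_ids),
    }


if __name__ == "__main__":
    for kind, values in extract_iocs(SAMPLE_IOCS).items():
        print(kind)
        for v in values:
            print("  ", v)
```

Feed it a saved copy of a post like this one and diff the output against your blocklist; the extension ID list is the one to check against chrome://extensions (or, when that page is being hijacked as described above, against the per-profile Extensions directory on disk).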
