FYI...
Fake "New fax" SPAM - using goo .gl shortening service
- http://blog.dynamoo.com/2014/07/new-...hortening.html
31 July 2014 - "Here are a couple of variations of a fax -spam- using the goo .gl shortening service:
From: Fax [fax@ victimdomain]
Date: 31 July 2014 11:23
Subject: You've received a new fax
New fax at SCAN5735232 from EPSON by https ://victimdomain
Scan date: Thu, 31 Jul 2014 19:23:11 +0900
Number of pages: 2
Resolution: 400x400 DPI
You can download your fax message at:
https ://goo.gl /1rBYjl
(Google Disk Drive is a file hosting service operated by Google, Inc.)
------------------------------
From: FAX [fax@ qcom .co.uk]
Reply-to: FAX [fax@ qcom .co.uk]
fax@ localhost
Date: 31 July 2014 10:53
Subject: You have received a new fax message
You have received fax from EPS76185555 at victimdomain
Scan date: Thu, 31 Jul 2014 16:53:10 +0700
Number of page(s): 2
Resolution: 400x400 DPI
Download file at google disk drive service - dropbox.
https ://goo .gl/t8jteI ...
There seems to be an uptick of goo.gl spam.. if you receive something like this you can report it to goo.gl/spam-report as malware... I've seen three different URLs... Obviously, this is a ZIP file. It contains a malicious executable Document-95722.scr which has a VirusTotal detection rate of just 1/54*. The CAMAS report** shows that the malware reaches out to the following locations to download further components:
andribus .com/images/images.rar
owenscrandall .com/images/images.rar
Incidentally, if you add a "+" to the end of the goo.gl URL you can see how many people have clicked through. For example:
> https://1.bp.blogspot.com/-XGnNezE_8...600/goo-gl.png
164 clicks isn't a lot, but there are multiple URLs in use.
Recommended blocklist:
andribus .com
owenscrandall .com
esys-comm .ro
autoescuelajoaquin .com
pinkfeatherproductions .com "
* https://www.virustotal.com/en-gb/fil...is/1406804074/
** http://camas.comodo.com/cgi-bin/subm...61c27883e995cc
___
Fake Evernote "File has been sent" SPAM
- http://blog.dynamoo.com/2014/07/ever...sent-spam.html
31 July 2014 - "I've never understood Evernote. Something to do with elephants I think. But this spam isn't from them anyway..
Date: Thu, 31 Jul 2014 12:26:53 +0200 [06:26:53 EDT]
From: EVERNOTE [lcresknpwz@ business .telecomitalia .it]
Subject: File has been sent [redacted]
DSC_9426679.jpg attached to the letter
Copyright 2014 Evernote Corporation. All rights reserved
The file attached is actually DSC_9426679.zip and not .jpg, containing a malicious executable DSC_8832966.exe with a VirusTotal detection rate of 7/53*. The CAMAS report** shows that the malware attempts to download an additional component... These download locations are the same as yesterday's Amazon spam run***. The downloaded file has a VT detection rate of 3/53****. The recommended blocklist is the same as yesterday."
* https://www.virustotal.com/en-gb/fil...is/1406813029/
** http://camas.comodo.com/cgi-bin/subm...fb5316d1a785dd
*** http://blog.dynamoo.com/2014/07/amaz...r-spam_30.html
**** https://www.virustotal.com/en-gb/fil...is/1406813571/
___
ADP Payroll Spam
- http://threattrack.tumblr.com/post/9...p-payroll-spam
July 31, 2014 - "Subjects Seen:
ACH Notification
Typical e-mail details:
Attached is a summary of Origination activity for 07/31/2014
Download it from Google Disk Drive Inc.:
goo .gl/mp4Vh3
If you need assistance please contact us via e-mail during regular business hours.
Thank you for your cooperation.
Malicious URLs:
espressomachinesinfo .com/wp-includes/images/Document-83265.zip
Malicious File Name and MD5:
Document-83265.scr (3603D5B08D83130414B264FAF3EE41E1)
Screenshot: https://gs1.wac.edgecastcdn.net/8019...PvX1r6pupn.png
Tagged: ADP, Upatre
72.29.66.41: https://www.virustotal.com/en-gb/ip-...1/information/
___
Fake Xerox WorkCentre SPAM
- http://blog.dynamoo.com/2014/07/scan...ntre-spam.html
31 July 2014 - "This is a thoroughly old school spam with a malicious attachment.
Date: Thu, 31 Jul 2014 18:16:08 +0000 [14:16:08 EDT]
From: Local Scan [scan.614@ victimdomain]
Subject: Scanned Image from a Xerox WorkCentre
You have a received a new image from Xerox WorkCentre.
Sent by: victimdomain
Number of Images: 5
Attachment File Type: ZIP [PDF]
WorkCentre Pro Location: Machine location not set
Device Name: victimdomain
Attached file is scanned image in PDF format...
Guess what.. it isn't an image at all, but a ZIP file with the unusual name of Image_[_var=partorderb].zip which contains a malicious executable Image_07312014.scr, scoring a measly 1/54* at VirusTotal. The Comodo CAMAS report** shows that the malware downloads components... There are some further clues in the VirusTotal comments* as to what the malware does. Sophos has also seen the 94.23.247.202 (OVH, France) IP before***.
Recommended blocklist:
94.23.247.202
globe-runners .com
lucantaru .it
mediamaster-2000 .de
ig-engenharia .com
upscalebeauty .com
lagrimas.tuars .com "
* https://www.virustotal.com/en-gb/fil...is/1406832159/
** http://camas.comodo.com/cgi-bin/subm...dc468affa02a7a
*** http://www.sophos.com/en-us/threat-c...-analysis.aspx
94.23.247.202: https://www.virustotal.com/en-gb/ip-...2/information/
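Added illustration, not code from any of the quoted posts: a mail-gateway style check for the traits the four runs above share (a sender forged at the recipient's own domain, fax/scanner/service lure wording, a URL-shortener link in the body, and an executable inside an archive the mail describes as an image or PDF). The sample messages, the shortener list and the executable-extension list are constructed assumptions.

```python
import io
import re
import zipfile
from email import message_from_string

# Constructed samples modelled on the lures quoted above; addresses, hosts and file names are placeholders.
FAX_SPAM = """From: Fax <fax@example.com>
To: user@example.com
Subject: You've received a new fax

New fax at SCAN5735232 from EPSON by https://example.com
You can download your fax message at:
https://goo.gl/EXAMPLE1
"""
LEGIT = """From: Alice <alice@partner.example>
To: user@example.com
Subject: Q3 invoice

Hi, the invoice is attached as agreed.
"""

SHORTENERS = {"goo.gl", "bit.ly", "t.co", "tinyurl.com"}   # assumed shortener list
EXEC_EXT = (".scr", ".exe", ".pif", ".com", ".cpl")         # assumed executable extensions
LURE = re.compile(r"\b(fax|scanned image|workcentre|evernote|payroll|ach notification)\b", re.I)
ADDR = re.compile(r"([\w.+-]+)@([\w.-]+)")

def score_message(raw: str) -> list:
    # Returns the reasons a message matches the pattern; an empty list means no match.
    msg = message_from_string(raw)
    body = msg.get_payload()
    sender, rcpt = ADDR.search(msg.get("From", "")), ADDR.search(msg.get("To", ""))
    reasons = []
    # The fax and Xerox runs forge a sender at the recipient's own domain.
    if sender and rcpt and sender.group(2).lower() == rcpt.group(2).lower():
        reasons.append("sender forged at recipient domain")
    if LURE.search(msg.get("Subject", "") + "\n" + body):
        reasons.append("device/service lure wording")
    # Every run hands the payload off through a URL shortener instead of a direct link.
    if any(f"://{s}/" in body.lower() for s in SHORTENERS):
        reasons.append("shortener link in body")
    return reasons

def risky_members(zip_bytes: bytes) -> list:
    # Members of a ZIP attachment that are executables, whatever the mail claimed the file was.
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if n.lower().endswith(EXEC_EXT)]

def fake_image_zip() -> bytes:
    # Constructed stand-in for an attachment named .jpg that is really a ZIP holding an .exe.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("DSC_0000000.exe", b"not a real program")
    return buf.getvalue()
```

On a real gateway the archive check would run on the decoded attachment bytes regardless of the declared extension, which is exactly the mismatch the Evernote and Xerox runs rely on.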