FYI...
Fake Invoice SPAM - malicious attachment ...
- http://blog.dynamoo.com/2014/08/moru...ware-spam.html
27 Aug 2014 - "This -fake- invoice spam claims to be from a (real) coal mine in Botswana. But in fact the PDF file attached to the message is malicious.
From: Madikwe, Gladness [GMadikwe@mcm.co.uk]
Date: 27 August 2014 10:43
Subject: Tax Invoice for Delivery Note 11155 dated 22.08.14
Hello ,
Please find attached the invoice for delivery note 11155 which was created on the 22 . 08. 14 after a system error to process this tax invoice.
Thank you
Regards
Gladness B Madikwe
Sales & Marketing Clerk
Morupule Coal Mine ...
Screenshot: http://1.bp.blogspot.com/-1wXuSVrxkn...0/moropule.png
Neither the Morupule Coal Mine nor the Debswana Diamond Company mentioned in the disclaimer are anything to do with this spam email, in fact it originates from a -hacked- machine in India. The attachment has a VirusTotal detection rate of 5/54*. My PDF.. isn't good enough to tell you what this malware actually does, but you can definitely guarantee that it is malicious."
* https://www.virustotal.com/en-gb/fil...is/1409133512/
___
Malvertising: Not all Java from java .com is legit
- http://blog.fox-it.com/2014/08/27/ma...is-legitimate/
Aug 27, 2014 - "... getting a Java exploit via java .com, the primary source for one of the most common used browser plugins? Current malvertising campaigns are able to do this... real-time advertisement bidding platforms being infiltrated by cyber criminals spreading malware... Malvertising has changed over the years starting with exploitation of weak advertisement management panels... evolved into pretending to be a legit third party advertiser with social engineering. The current malvertising techniques are quite deceptive and most of the times only noticeable at the client side... It can be a malicious advertiser 3 layers down in the chain but it can also be on the 1st level... observed multiple high-profile websites -redirecting- their visitors to malware... These websites have not been compromised themselves, but are the victim of malvertising. This means an advertisement provider, providing its services to a small part of a website, serves malicious advertisement aimed at infecting visitors with malware. While monitoring network traffic to and from workstations we observed a higher than usual amount of infections. When investigating these incidents in depth we noticed that they were infected with advertisements served via high-profile websites... the following websites were observed redirecting and/or serving malicious advertisements to their visitors:
Java .com
Deviantart .com
TMZ .com
Photobucket .com
IBTimes .com
eBay .ie
Kapaza .be
TVgids .nl
The advertisement in this case included the Angler exploit kit. Upon landing on this exploit kit a few checks were done to confirm whether the user is running a vulnerable version of either Java, Flash or Silverlight. If the user was deemed vulnerable the exploit kit would embed an exploit initiating a download of a malicious payload; in this campaign it was the Asprox malware. This whole process of malvertising towards an exploit kit is also visualized in the image at the top of this post. Please note, a visitor does -not- need to -click- on the malicious advertisements in order to get infected. This all happens silently in the background as the ad is loaded by the user’s browser... 3 IPs have been associated with these domains:
198.27.88.157: https://www.virustotal.com/en/ip-add...7/information/
94.23.252.38: https://www.virustotal.com/en/ip-add...8/information/
178.32.21.248: https://www.virustotal.com/en/ip-add...8/information/
There is no silver bullet to protect yourself from malvertising. At a minimum:
- Enable click-to-play in your browser. This prevents 3rd party plugins from executing automatically.
- Keep all plugins running in the browser up-to-date using tools like Secunia PSI.
- Consider turning off unneeded plugins if you don’t use them. For example, Java can be installed without the web-plugin component lowering the risk of exploitation and infection..."
(More detail at the fox-it URL above.)
___
"Customer Statements" - malware SPAM
- http://blog.dynamoo.com/2014/08/cust...ware-spam.html
27 Aug 2014 - "This brief spam has a malicious PDF attachment:
From: Accounts [hiqfrancistown910@ gmail .com]
Date: 27 August 2014 09:51
Subject: Customer Statements
Good morning,attached is your statement.
My regards.
W ELIAS
Attached is a file Customer Statements.PDF which has a VirusTotal detection rate of 6/55*. Analysis is pending."
* https://www.virustotal.com/en-gb/fil...is/1409135030/
___
Royal Bank of Canada Payment Spam
- http://threattrack.tumblr.com/post/9...a-payment-spam
Aug 27, 2014 - "Subjects Seen:
The Bank INTERAC to Leo Dooley was accepted.
Typical e-mail details:
The INTERAC Bank payment $19063.01 (CAD) that you sent to Leo Dooley, was accepted.
The transfer is now complete.
Message recipient: The rating was not provided.
See details in the attached report.
Thank you for using the Service INTERAC Bank RBC Royal Bank.
Malicious File Name and MD5:
INTERAC_PAYMENT_08262014.exe (B064F8DA86DB1C091E623781AB464D8A)
INTERAC_PAYMENT_08262014.zip (71239A9D9D25105CEC3DF269F1FDCA2D)
Screenshot: https://gs1.wac.edgecastcdn.net/8019...Uqn1r6pupn.png
Tagged: RBC, Upatre"
___
AT&T DocuSign Spam
- http://threattrack.tumblr.com/post/9...-docusign-spam
Aug 27, 2014 - "Subjects Seen:
Please DocuSign this document: Contract_changes_08_27_2014 .pdf
Typical e-mail details:
Hello,
AT&T Contract Changes has sent you a new DocuSign document to view and sign. Please click on the ‘View Documents’ link below to begin signing.
Malicious URLs:
79.172.51.73/Docusign/wps/myportal/sitemap/Member/ATT/SignDocument/7c16d8c7-e5ad-4870-bb79-1c1e4c9b35d6&er=fb88d3b6-88f4-4903-ae77-41754063bd7c/Contract_changes_08_27_2014.zip
Malicious File Name and MD5:
Contract_changes_08_27_2014.zip (5ED69A412ADB215A1DABB44E88C8C24D)
Contract_changes_08_27_2014.exe (C65966CCA8183269FF1120B17401E693)
Screenshot: https://gs1.wac.edgecastcdn.net/8019...IWp1r6pupn.png
79.172.51.73: https://www.virustotal.com/en-gb/ip-...3/information/
Tagged: ATT, DocuSign, Upatre"
- http://myonlinesecurity.co.uk/please...e-pdf-malware/
27 Aug 2014
___
ADP Past Due Invoice Spam
- http://threattrack.tumblr.com/post/9...e-invoice-spam
Aug 27, 2014 - "Subjects Seen:
ADP Past Due Invoice
Typical e-mail details:
Your ADP past due invoice is ready for your review at ADP Online Invoice Management.
If you have any questions regarding this invoice, please contact your ADP service team at the number provided on the invoice for assistance.
Please note that your bank account will be debited within one banking business day for the amount(s) shown on the invoice.
Review your ADP past due invoice here...
Malicious URLs:
81.80.82.27/upload/portal.adp.com/wps/myportal/sitemap/PayTax/PayStatements/invoice_449017368.zip
Malicious File Name and MD5:
invoice_449017368.zip (CF55AD09F9552A80CD1534BD392B44D1)
invoice_449017368.exe (C65966CCA8183269FF1120B17401E693)
Screenshot: https://gs1.wac.edgecastcdn.net/8019...D3h1r6pupn.png
81.80.82.27: https://www.virustotal.com/en-gb/ip-...7/information/
Tagged: ADP, Upatre"
___
Fake Payment Advice SPAM - PDF malware
- http://myonlinesecurity.co.uk/paymen...e-pdf-malware/
27 Aug 2014 - "'Payment Advice Note from 27.08.2014' is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email reads:
Disclaimer:
This e-mail is intended solely for the use of the individual to whom it is addressed. Any views or opinions presented are solely those of the author and do not represent those of AL-KO KOBER Limited. It may also contain information, which may be privileged and confidential and subject to legal privilege. If you are not the intended recipient, you may not peruse, use, disseminate, distribute or copy this message. If you have received this message in error, please notify the sender immediately by email, facsimile or telephone and return or destroy the original message.
AL-KO KOBER Limited is Registered in England at Companies Registration Office Cardiff with Company number: 492005. AL-KO KOBER Limited, South Warwickshire Business Park, Kineton Road, Southam, Warwickshire, CV47 0AL.
Cell 270 547-9194
27 August 2014: Payment_Advice_Note_27.08.2014.PDF.zip (48 kb)
Extracts to Payment_Advice_Note_27.08.2014.PDF.scr
Current Virus total detections: 0/55*. This Payment Advice Note from 27.08.2014 is another one of the spoofed icon files that unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/2...is/1409154303/
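The double-extension trick above (a .PDF.scr that Explorer displays as .PDF when known extensions are hidden) is easy to catch at a mail gateway or in attachment triage. The following is an added example, not code from any of the quoted sources; the extension sets and the verdict labels are my own choices, and the sample names come from the alerts above plus one constructed benign name.

```python
import re

# Extensions an attachment uses to look like a harmless document.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "rtf", "txt"}
# Extensions Windows runs as a program on double-click (.scr is a screensaver).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}
# Wrappers used in these runs: a zip that "extracts to" an .scr or .exe.
ARCHIVE_EXTS = {"zip", "rar", "7z"}

def extension_chain(filename):
    """Trailing extension-like tokens of a filename, lowercased, left to right.
    Walks backwards and stops at the first token that is not a short
    alphanumeric word, so the dots inside a date such as 27.08.2014 are
    not mistaken for extensions."""
    parts = filename.lower().split(".")
    chain = []
    for part in reversed(parts[1:]):
        if part.isdigit() or not re.fullmatch(r"[a-z0-9]{1,5}", part):
            break
        chain.append(part)
    chain.reverse()
    return chain

def displayed_name(filename):
    """What Explorer shows when 'show known file extensions' is off:
    the final extension is hidden, so file.PDF.scr reads as file.PDF."""
    chain = extension_chain(filename)
    if not chain:
        return filename
    return filename[: -(len(chain[-1]) + 1)]

def classify_attachment(filename):
    """Coarse verdict for a mail-gateway or triage rule (labels are mine)."""
    chain = extension_chain(filename)
    if not chain:
        return "no-extension"
    final = chain[-1]
    looks_like_doc = len(chain) >= 2 and chain[-2] in DOCUMENT_EXTS
    if final in EXECUTABLE_EXTS:
        return "deceptive-double-extension" if looks_like_doc else "executable"
    if final in ARCHIVE_EXTS:
        return "document-named-archive" if looks_like_doc else "archive"
    if final in DOCUMENT_EXTS:
        return "document"
    return "other"

if __name__ == "__main__":
    # Names taken from the alerts above plus one constructed benign name.
    for name in ["Payment_Advice_Note_27.08.2014.PDF.scr",
                 "Payment_Advice_Note_27.08.2014.PDF.zip",
                 "INTERAC_PAYMENT_08262014.exe",
                 "Customer Statements.PDF",
                 "quarterly_report.docx"]:
        print(f"{name:42} shown as {displayed_name(name):38} -> {classify_attachment(name)}")
```

Flagging on the name alone is a cheap first filter; the archive case still needs the contents inspected, since the zip in this run is what carries the .scr.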