SPAM frauds, fakes, and other MALWARE deliveries - archive

64-bit banker rootkit ...

FYI...

64-bit banker rootkit spies on online customers
- http://www.h-online.com/security/ne...pies-on-online-banking-customers-1247881.html
23 May 2011 - "... Kaspersky has discovered* another rootkit with 64-bit Windows support: a variant of the Banker rootkit is targeting the access credentials of online banking customers in Brazil. The malware is injected into systems via a hole in an obsolete version of Java and first disables the Windows User Account Control (UAC) feature so that it can go about its business without being interrupted. It then installs bogus root certificates and modifies the HOSTS file in such a way that victims trying to access the banking web site are redirected to a phishing site operated by the criminals. The injected certificate prevents the browser from issuing an alert when establishing an encrypted connection to the phishing site, and the victim is left unaware. Kaspersky says that the malware also deletes a security plug-in used by various Brazilian banks. Unusually, the malware installs a custom system driver to uninstall the security plug-in and modify the HOSTS file. On 64-bit Windows systems, this requires some effort because Microsoft's Kernel Patch Protection (PatchGuard) prevents unsigned drivers from being installed. As 64-bit Windows installations still have a relatively small market share, rootkits with 64-bit support are currently still quite rare; a 64-bit version of the Alureon/TDL rootkit was discovered last November..."
* http://www.securelist.com/en/blog/11266/Rootkit_Banker_now_also_to_64_bit

:mad:
 
Pharmacy SPAM sucks ...

FYI...

Pharmacy SPAM sucks...
- http://www.theregister.co.uk/2011/05/23/spam_economics/
23 May 2011 - "Computer scientists are advocating the targeting of card-processing middlemen as a way of clamping down on spam... the vast majority (95 per cent) of the credit card payments to unlicensed pharmaceutical sites are handled by just three payment processing firms – based in Azerbaijan, Denmark and Nevis, in the West Indies, respectively. By putting the squeeze on these firms it might be possible to choke the flow of money to spammers, making spam less profitable and, hopefully, less prevalent.
Pharmacy spam levels fluctuate but the class of junk mail has long been the biggest single category of spam. The findings came after three months of analysing spam data, broad crawling of naming and hosting infrastructures, and over 100 purchases from spam-advertised sites. The study* discovered that payment-processing for replica and software products advertised through spam was also monetised using merchant services from just a handful of banks. Spam makes up 74.8 per cent of all email messages, compared to 90 per cent last year, according to the latest statistics from Symantec, published last week. The net security efforts credits botnet takedown efforts, most notably against the infamous Rustock botnet, for the decrease..."
* http://cseweb.ucsd.edu/~savage/papers/Oakland11.pdf
(16-page pdf/2.3MB)

:fear: :mad:
 
Web-based attacks use JavaScript tricks...

FYI...

Web-based attacks use JavaScript tricks...
- http://krebsonsecurity.com/2011/05/blocking-javascript-in-the-browser/
May 25, 2011 - "... Web-based attacks use JavaScript tricks to foist malicious software and exploits onto site visitors. To protect yourself, it is critically important to have an easy method of selecting which sites should be allowed to run JavaScript in the browser. It is true that selectively allowing JavaScript on known, “safe” sites won’t block all malicious scripting attacks: Even legitimate sites sometimes end up running malicious code when scammers figure out ways to sneak tainted, bogus ads into the major online ad networks. But disallowing JavaScript by default and selectively enabling it for specific sites remains a much safer option than letting all sites run JavaScript unrestricted all the time... Noscript*... lets the user decide which sites should be allowed to run JavaScript, including Flash Player content. Users can choose to allow specific exceptions either permanently or for a single browsing session... Firefox.. offers the most options for dealing with JavaScript. But, whichever browser you use, be aware that running JavaScript can be the point of entry for intrusive and infectious malware. Use caution before deciding to allow it on any site that you visit."
* https://addons.mozilla.org/en-US/firefox/addon/noscript/
Downloads: 85,892,086...

:fear: :spider:
 
Fake VirusTotal site serves malware

FYI...

Fake VirusTotal site serves malware
- http://www.net-security.org/malware_news.php?id=1730
24.05.2011 - "VirusTotal - the popular free file checking website - has been spoofed by malware peddlers, warns Kaspersky Lab*. A simple -visit- to the site triggers the download of a worm via a java applet embedded in the code... It's aim is to recruit the computer it infected into a botnet that would ultimately be used to perform DDoS attacks, and to communicate to the C&C information about the system (hostname, type and version of the OS, etc.)... malware peddlers have lately begun combining the use of malicious JavaScript code and social engineering techniques, since it allows them to infect computers regardless of the browser or operating system used."
* http://www.securelist.com/en/blog/208188086/Fake_virustotal_website_propagated_java_worm
"... the website looks the same way as the original**. However, hidden in the source the parameters needed to infect the system through a java applet through which discharge completely silent malware..."
** http://www.securelist.com/en/images/pictures/klblog/208188087.png
(Screenshot at the URL above.)

(Hat tip to cnm @ spywareinfoforum.com)

:fear: :mad: :mad:
 
Last edited:
Fake Epsilon phish - Breach Warning ...

FYI...

Fake Epsilon phish - Breach Warning...
- http://isc.sans.edu/diary.html?storyid=10930
Last Updated: 2011-05-26 14:53:19 UTC - "... website that attempts to scare people into purchasing a credit report. The website... reminds the visitor of the relatively recent Epsilon data breach. The goal is to persuade the person into proceeding to another site that is being promoted. This looks like a technique to make money through affiliate marketing..."
(Screenshot and more detail at the URL above.)

:fear: :mad:
 
SPAMbot stats for May 2011

FYI...

SPAMbot stats for May 2011
- http://www.m86security.com/labs/bot_statistics.asp
Week ending May 29, 2011

- http://labs.m86security.com/2011/05/donbots-money-maker-gambling-scheme/
May 26, 2011 - "... the Donbot botnet changed its spam campaign to one promoting online casinos. The barrage of of Fake AV we saw coming out of Donbot suddenly stopped and within 15 minutes we started receiving this new campaign... Upon downloading the Casino-Online.exe binary and scanning it through VirusTotal.com, 4 of 42 antivirus packages detected it, with the following results: “RealTimeGaming, CasOnline, Artemis!B7E6F50C181D, and W32/Malware.SWHU” ..."

- http://labs.m86security.com/2011/05/new-bots-old-bots-xarvester-returns/
May 24, 2011 - "... big rise in spam from two botnets well known to us from the past – Donbot and Xarvester. Six months ago, spam from these botnets hardly got our attention... someone has breathed new life into these spamming machines..."

:mad:
 
Money mule recruiters ...

FYI...

Money mule recruiters ...
- http://ddanchev.blogspot.com/2011/05/keeping-money-mule-recruiters-on-short_30.html
May 30, 2011 - "... currently active money mule recruitment web sites, actively recruiting money mules for the processing of fraudulently obtained funds... Currently active sites residing within AS42708, PORTLANE Network www .portlane .com; AS29713, INTERPLEXINC Interplex LLC; AS38913, Enter-Net-Team-AS; AS24940, HETZNER-AS Hetzner Online... Monitoring of money mule recruitment campaigns is ongoing."
(Screenshot and more detail available at the ddanchev URL above.)

- http://www.google.com/safebrowsing/diagnostic?site=AS:42708
- http://www.google.com/safebrowsing/diagnostic?site=AS:29713
- http://www.google.com/safebrowsing/diagnostic?site=AS:38913
- http://www.google.com/safebrowsing/diagnostic?site=AS:24940

:mad:
 
Bulk SPAM msgs... Bulker .biz

FYI...

Bulk SPAM msgs... Bulker .biz...
- http://blogs.technet.com/b/mmpc/archive/2011/06/01/fake-canadian-pharma-site-causing-headaches.aspx
1 Jun 2011 - "... Yahoo email account was hacked... his email account was used to send over 20 emails with links to domains like “Canadian Neighbor Pharmacy” to his contact lists at 2:59 AM in the morning, while he was asleep... spam messages sent in bulk by a spammer... the “Canadian Neighbor Pharmacy” site is part of a list of sites promoted by an underground organization called “Bulker .biz”. This organization encourages spammers and hackers to target email recipients from domains like Yahoo.com, Aol.com, Hotmail.com, etc. The site itself functions as a front for credit card fraud and identity theft by targeting unwitting users that register an account on the site and order promoted pharmaceuticals that may never arrive... Be alert to email messages with typos or bad form and a single hyperlink with little or no explanation about the link itself..."
(Screenshots and more detail at the technet URL above.)

:mad:
 
LinkedIn SPAM emails download malware

FYI...

LinkedIn SPAM emails download malware
- http://www.trusteer.com/blog/linkedin-spam-emails-download-malware
June 02, 2011 - "LinkedIn has more than 90 million members, many of which are business users... In the last couple of days, we've witnessed a malware campaign that targets LinkedIn users. It starts with a simple connect request sent to the victim's mailbox... If you click the "Confirm that you know" link on the genuine email, it takes you to LinkedIn's website. However if the same button is clicked on the fraudulent email, it takes you to a malicious website that downloads malware onto your computer. The fraudulent website is hxxp: //salesforceappi .com/ loginapi.php?tp=1da14085e243eaf9 ...The domain salesforceappi .com was registered two days ago and the IP address of the server is in Russia. The domain was designed to look like it's associated with Salesforce.com but in fact it has nothing to do with Salesforce .com. The malicious server uses the BlackHole exploit kit to download malware to the victim's computer... recently made available for free... It is based on PHP and has a MySQL database. Thousands of websites have been infected with BlackHole which is used to exploit vulnerabilities on visitors’ computers in order to place malware on them... drive by download... we've recently seen evidence of Zeus targeting enterprise networks in order to steal proprietary information and to gain unauthorized access to sensitive systems... Only two anti-malware solutions out of 42 detect this variant at the moment*..."
(Screenshots and more detail available at the trusteer URL above.)
* http://www.virustotal.com/file-scan...0b149ee250c58e3c21845f1ee2514c5d37-1306969338
File name: file-2324493_swat
Submission date: 2011-06-01 23:02:18 (UTC)
Result: 2/42 (4.8%)

- http://labs.m86security.com/2011/06/malicious-linkedin-campaign/
June 3, 2011 - "... The messages look realistic, but the giveaway is the bogus link exposed when you hover over the confirm button... Remember, just because it looks legit, doesn’t mean it is."

:fear::mad::fear:
 
Last edited:
Phoenix exploit kit updated...

FYI...

Phoenix exploit kit updated...
- http://labs.m86security.com/2011/06/phoenix-exploit-kit-2-7-continues-to-be-updated/
June 4th, 2011 - "... As expected, the author of the exploit kit released a new version of the tool, version 2.7... The new pack 2.7 contains the following updates:
• JAVA exploit added – Java for Business JRE Trusted Method Chaining Remote Code Execution Vulnerability – CVE-2010-0840
Old exploits were removed, the exploit kit currently contains the following exploits:
• Windows Help and Support Center Protocol Handler Vulnerability – CVE-2010-1885
• Integer overflow in the AVM2 abcFile parser in Adobe Flash Player – CVE-2009-1869,
• Integer overflow in Adobe Flash Player 9 – CVE-2007-0071
• IEPeers Remote Code Execution – CVE-2009-0806
• Internet Explorer Recursive CSS Import Vulnerability – CVE-2010-3971
• PDF Exploit – collab. collectEmailInfo – CVE-2007-5659
• PDF Exploit – util.printf – CVE-2008-2992
• PDF Exploit – collab.geticon – CVE-2009-0927
• PDF Exploit – doc.media.newPlayer – CVE-2009-4324
• PDF Exploit – LibTIFF Integer Overflow – CVE-2010-0188
... cybercriminals use JAVA and PDF exploits, as they have become the most efficient and reliable attack vector."

:mad:
 
Spam from Hotmail compromised accounts

FYI...

Spam from Hotmail compromised accounts
- http://isc.sans.org/diary.html?storyid=11026
Last Updated: 2011-06-08 13:47:30 UTC - "We keep getting ongoing reports from readers about SPAM being sent from legitimate Hotmail accounts. Like web mail systems in general, Hotmail accounts are targeted to be able to send spam from "trusted" sources. If an e-mail is received from a friend or relative, you are much more likely to open and read it. These accounts are compromised via many ways, most commonly these days via phishing. The question always is if it is actually a compromised account, or just someone spoofing the "From" address. Hotmail adds some characteristic headers that can be used to identify the source as hotmail. While they may be faked of course, they allow you to narrow down the chances of the account being compromised. You should see a "Received" header from a hotmail.com host, using Microsoft SMTSVC. If the e-mail was posted via the web interface, you should also see an "X-Oritinating-IP" header, with the IP address of the sender... Next question we get: What to do if you find out your friends hotmail account was compromised? If your friend is "lucky", all that happened was a phishing attack. Your friend only needs to change the password (and of course, -all- sites he uses the same password with). Worse case: Your friend is infected with malware that stole the password. Point the friend to some decent anti-malware detection, or if you are a real good friend, help with the cleanup."

Hotmail and Windows Live Hotmail
To see the full, unmangled headers in Hotmail: http://spamcop.net/fom-serve/cache/22.html

:fear:
 
PPI svcs - badness on the Web ...

FYI...

PPI svcs - badness on the Web ...
- https://krebsonsecurity.com/2011/06/pay-per-install-a-major-source-of-badness/
June 9, 2011 - "... Pay-per-install (PPI) services are advertised on shadowy underground Web forums. Clients submit their malware—a spambot, fake antivirus software, or password-stealing Trojan to the PPI service, which in turn charges rates from $7 to $180 per thousand successful installations, depending on the requested geographic location of the desired victims. The PPI services also attract entrepreneurial malware distributors, or “affiliates,” hackers who are tasked with figuring out how to install the malware on victims’ machines. Typical installation schemes involve uploading tainted programs to public file-sharing networks; hacking legitimate websites in order to automatically download the files onto visitors; and quietly running the programs on PCs they have already compromised. Affiliates are credited only for successful installations, via a unique and static affiliate code stitched into the installer programs and communicated back to the PPI service after each install..."
> Continued here: http://www.technologyreview.com/computing/37705/page1/

:mad::mad:
 
SPAM Fake UPS e-mails - spread fake anti-virus

FYI...

SPAM Fake UPS e-mails - spread fake anti-virus
- http://nakedsecurity.sophos.com/201...rvice-malware-attack-spreads-fake-anti-virus/
June 9, 2011 - "Email inboxes around the world are being spammed today with a malicious attack designed to infect Windows computers with a fake anti-virus attack. The emails claim to be notification from United Parcel Service (UPS) that a package is winging its way to your address. The cybercriminals behind the scheme hope that recipients will be intrigued enough to open the attached file, which can infect their computer with malware..."
(Screenshots available at the URL above.)

:mad:
 
SpyEye targets airline - Bank Debit Cards...

FYI...

SpyEye targets airline - Bank Debit Cards...
- http://www.trusteer.com/blog/spyeye-trojan-targets-airline-website-accepts-bank-debit-card-payments
June 16, 2011 - "... a SpyEye configuration that targets users of two leading European airline travel Web sites: Air Berlin, the second largest airline in Germany (after Lufthansa) and AirPlus, the global provider of business travel services for companies. SpyEye exploits the user’s machine, not the websites, to carry out this fraud. The attack subjects are far from randomly selected, but are, we believe, carefully chosen for their criminal revenue potential. One site accepts debit card payments, while the other caters to business users... criminals targeting an Air Berlin traveller from these countries stand a good chance of obtaining the personal details of the user - including their date of birth, which is mandatory on the airline's site – as well as their bank account details... SpyEye is attempting to harvest confidential user information including username and password, and other data that is entered in the targeted web page. Since Air Berlin accepts bank debit card payments, the fraud potential is even more elevated... SpyEye injects code into the users' Web browser that claims to be an anti-fraud enhancement... In reality, of course, this is a cleverly-disguised attempt to -phish- user credentials from the unsuspecting customer of the AirPlus Web portal... traditional antivirus security mechanisms are largely unable to protect corporate users from becoming infected with SpyEye as it uses targeted reconnaissance combined with signature detection evasion techniques to get a foothold inside computers..."
(More detail available at the trusteer URL above.)

:fear::mad::fear:
 
Exploit kit use on the rise ...

FYI...

Exploit kit use on the rise
- http://research.zscaler.com/2011/06/incognito-exploit-kit.html
June 14, 2011 - "Exploit kits are becoming an increasingly popular means of spreading attacks... usage of the Blackhole exploit kit... targets multiple known vulnerabilities present in a victim's browser, increasing the probability of a successful compromise. Various exploit kits differ in the way they are packaged, designed and implemented. The most distinguishing factor among different exploit kits is how exploits are obfuscated, in order to bypass various security controls... noticed a significant increase in the usage of the Incognito exploit kit. Similar to the Blackhole exploit kit, Incognito also targets vulnerabilities in Java and Adobe products. Another item that stands out to differentiate among these exploit kits is the URL patterns used. Most of the time, the URL pattern remains same within a given exploit kit. A quick look at malwaredomainlist shows the usage of common patterns used in URLs associated with Incognito*... multi-level attacks targeted by exploit kits are becoming a favored choice of attackers these days. More importantly, the creation of automated tools to deliver these exploits, provides attackers with the opportunity to launch campaigns on a frequent basis, with limited technical knowledge."
(More detail at the zscaler URL above.)

Incognito exploit kit
* http://www.malwaredomainlist.com/mdl.php?search=Incognito+exploit+kit&colsearch=All&quantity=50

Blackhole exploit kit
- http://www.malwaredomainlist.com/mdl.php?search=Blackhole+exploit+kit&colsearch=All&quantity=50

Phoenix exploit kit
- http://www.malwaredomainlist.com/mdl.php?search=Phoenix+exploit+kit&colsearch=All&quantity=50

:mad:
 
Last edited:
Fake job site SCAMS

FYI...

Fake job site SCAMS...
- http://blog.dynamoo.com/2011/06/fake-jobs-totaljob-eucom.html
17 June 2011 - "... fake job domain used for contacting potential money laundering mules, this time totaljob-eu .com which is a part of this long-running scam*..."
* http://blog.dynamoo.com/search/label/Lapatasker

- http://blog.dynamoo.com/2011/06/fake-jobs-cosulting-eucom-and-espana.html
17 June 2011 - "... more fake domains in the long-running "Lapatasker" series... The registration details have changed... but otherwise this is the same old attempt to recruit people for money laundering. Avoid..."

:mad:
 
Outlook phishing SPAM...

FYI...

Outlook phishing SPAM...
- http://nakedsecurity.sophos.com/2011/06/20/outlook-phishing-form-spam/
June 20, 2011 - "... Have you received a message telling you that your account needs to be reconfigured, and requesting that you enter your username and password?... If you do make the mistake of opening the attached file, you will be presented with a form which asks you for all the information a remote hacker would need to access your email account... Don't make it easy for the phishers, the spammers, the identity thieves and hackers to break into your online accounts..."

:fear::mad:
 
11 new exploit modules "for your pwning pleasure"

FYI...

11 new exploit modules "for your pwning pleasure"
- http://h-online.com/-1265361
22 June 2011 - "The Metasploit Project has released version 3.7.2 of its exploit framework. According to the developers, the latest release of the open source penetration testing tool includes "eleven new exploit modules and fifteen post modules for your pwning pleasure"... Metasploit's hashdump capabilities now allow users to easily steal password hashes... developers note that they should also be "considerably easier to crack". A new cachedump module that allows users to steal Windows cached password hashes has also been added. Other changes include remote registry commands for Meterpreter and updates to the egghunter payload to help it bypass data execution prevention (DEP)..."

... of course, the "whitehats" won't be the only ones using it.

:fear::fear:
 
Facebook likejacking SCAMS

FYI...

Facebook likejacking SCAMS
- http://techblog.avira.com/2011/06/27/facebook-likejacking-scams/en/
June 27, 2011 - "A new series of likejacking scam are making large waves on Facebook. “Dad walks on Daughter… Embarrassing” is being sent in large numbers on Facebook... As soon as you click on the link, you must “LIKE” it and then you are -redirected- to a page where you have to repeat the experience. As unbelievable as it seems, I have seen people clicking more than once on the Like button with the hope that they will get to see the video... Another scam being sent is about an Italian TV star who seems to have problems with her dress... So, you clicked, now how to get rid of this embarrassing episode? You have to remove from your Wall the post, by clicking on the top right corner... nothing is free in the Internet, even if it seems so. Please think twice before clicking on some “interesting” pictures or videos."

:sad: :fear:
 
XSS Attack on Sina MicroBlog

FYI...

XSS Attack on Sina MicroBlog
- http://community.websense.com/blogs.../2011/06/29/xss-attack-on-sina-microblog.aspx
29 Jun 2011 - "... Sina Weibo is the most popular microblog service in China, with more than 100 million registered customers. Just yesterday (28 June), Sina Weibo was attacked through an XSS exploit: more than 30,000 high profile customers were affected and sent out messages containing a malicious link... Followers who click the malicious link are redirected to a page hosted on "weibo .com/pub/star", which contains an XSS exploit to allow the execution of malicious JavaScript from www .2kt .cn... Although no malicious software was installed in this campaign, Websense reminds customers to do a simple check before you click on any suspicious URL, even it comes from your best friends."

- http://nakedsecurity.sophos.com/2011/06/30/weibo-chinas-twitter-like-service-hit-by-worm/
June 30, 2011

- https://www.computerworld.com/s/article/9218052/Worm_hits_popular_Chinese_Twitter_like_service
June 30, 2011 - "... Affected posts displayed a malicious link with enticing messages like "Move a woman's heart with 100 lines of poetry" or "Software to listen to other people's phones." When the link was clicked, the user's own account would re-post and send out private messages circulating the malicious link again..."

:sad::fear:
 
Last edited:
You must log in or register to reply here.
Back
Top