SPAM frauds, fakes, and other MALWARE deliveries - archive

Virus outbreak in Progress - 2011.11.16

FYI...

Virus outbreak in Progress
- http://www.ironport.com/toc/
November 16, 2011

... times are GMT and in 24 hour format
Troj/Agent-UBA 11/15/2011 15:25
Troj/DwnLdr-JME 11/15/2011 13:59
Mal/EncPk-ABA 11/15/2011 10:52 - http://www.threatexpert.com/reports.aspx?page=2&find=zbot *
Troj/FakeAV-ETK 11/15/2011 10:15
W32/Gamarue-C 11/15/2011 06:52
W32/Gamarue-D 11/15/2011 01:09

* http://www.threatexpert.com/reports.aspx?find=zbot&tf=2
11/16/2011 Results 1 - 20 of 38
___

- http://techblog.avira.com/risk-level/en/
2011.11.16 - Malware risk - HIGH

Atlas - summary reports (Past 24 hours)
- http://atlas.arbor.net/summary/attacks
... Sources
- http://atlas.arbor.net/summary/attacks#sources

- http://atlas.arbor.net/summary/botnets
...C&C Servers
- http://atlas.arbor.net/summary/botnets#servers

- http://atlas.arbor.net/summary/fastflux
...Servers
- http://atlas.arbor.net/summary/fastflux#servers
___

- http://tools.cisco.com/security/center/threatOutbreak.x?i=77

Fake Electronic Payment Cancellation E-mail Messages...
- http://tools.cisco.com/security/center/viewThreatOutbreakAlert.x?alertId=23517
Fake Order Document E-mail Messages...
- http://tools.cisco.com/security/center/viewThreatOutbreakAlert.x?alertId=23854
Fake UPS Shipment Error E-mail Messages...
- http://tools.cisco.com/security/center/viewThreatOutbreakAlert.x?alertId=19743
Fake USPS Package Delivery Notification E-mail Messages...
- http://tools.cisco.com/security/center/viewThreatOutbreakAlert.x?alertId=24212
Fake Missing Tax Document Notification E-mail Messages...
- http://tools.cisco.com/security/center/viewThreatOutbreakAlert.x?alertId=24064
Fake Royal Mail Service Delivery Failure E-mail Messages...
- http://tools.cisco.com/security/center/viewThreatOutbreakAlert.x?alertId=24264
Fake DHL Shipment E-mail Messages...
- http://tools.cisco.com/security/center/viewThreatOutbreakAlert.x?alertId=19661
Malicious UPS Delivery Notification E-mail Messages...
- http://tools.cisco.com/security/center/viewThreatOutbreakAlert.x?alertId=24586
Fake Facebook Profile Image E-mail Messages...
- http://tools.cisco.com/security/center/viewThreatOutbreakAlert.x?alertId=24574

:mad::fear:
 
Virus Outbreak In Progress - 2011.11.21

FYI...

(Yet another) Virus Outbreak In Progress
- http://www.ironport.com/toc/
November 21, 2011

- http://tools.cisco.com/security/center/threatOutbreak.x?i=77

Fake USPS Package Delivery Notification E-mail Messages...
- http://tools.cisco.com/security/center/viewThreatOutbreakAlert.x?alertId=24212
"... sample of the e-mail message that is associated with this threat outbreak:
Subject: USPS service. Get your parcel ID92082..."
___

5 Top malicious spam subjects
- http://community.websense.com/blogs...7/Ultimate-5-TOP-Malicious-Spam-subjects.aspx
17 Nov 2011 - "... campaigns are sent in a short period of time, and then disappear for a while. Usually, campaigns will last for about one hour or less, therefore some companies might struggle with blocking these emails. Below are the top 5 campaigns that we've seen over the last several days.
1. ORDERS:
Order N21560 (numbers vary)...
2. TICKETS:
FW: Re: UNIFORM TRAFFIC TICKET (ID: 239127922) (numbers vary and subject might appear without FW: or RE: )
Fwd: Your Flight Order N125-9487755 (numbers vary)...
3. DELIVERY COMPANIES:
USPS Invoice copy ID46298 (numbers vary)
FedEx: New Agent File Form, trackid: 1V6ZFZ7FEOHUQ (numbers vary)
DHL Express Notification for shipment 90176712199 (numbers vary)...
4. Test
... Emails with "test" in the Subject line are commonly used by criminals to spread their malicious software. Users are used to seeing legitimate emails with "test" in the Subject line when an email system is being checked, and also spammers use such techniques to validate an email address.
5. Payment/TAX systems:
FRAUD ALERT for ACH, Your Wire Transfer, Wire transfer rejected, IRS requires new EIN, IRS Tax report..."
(Screenshots and more detail available at the websense URL above.)

:mad:
 
Fake FBI email threatens recipients with jail

FYI...

Fake FBI email threatens recipients with jail
- https://www.net-security.org/secworld.php?id=11995
23 November 2011 - "An e-mail purportedly coming from the FBI Anti-Terrorist and Monetary Crimes Division has been hitting inboxes and threatening recipients with jail time if they don't respond, reports Cyberwarzone*.
"We have warned you so many times and you have decided to ignore our e-mails or because you believe we have not been instructed to get you arrested and today if you fail to respond back to us with the payment then we would first send a letter to the mayor of the city where you reside and direct them to close your bank account until you have been jailed and all your properties will be confiscated by the fbi," says in the email. "We would also send a letter to the company/agency that you are working for so that they could get you fired until we are through with our investigations because a suspect is not suppose to be working for the government or any private organization."
The crooks continue with the threats, accusing the recipient of being an "internet fraudster"... there is no way that the email is legitimate..."
* http://www.cyberwarzone.com/cyberwarfare/fbi-scam-email-lose-fbi-official-notice

:spider: :blink:
 
Java attack rolled into Exploit Kits

FYI...

Java attack rolled into Exploit Kits
- https://krebsonsecurity.com/2011/11/new-java-attack-rolled-into-exploit-kits/
November 28, 2011 - "A new exploit that takes advantage of a recently-patched critical security flaw in Java is making the rounds in the criminal underground. The exploit, which appears to work against all but the latest versions of Java, is being slowly folded into automated attack tools. The exploit attacks a vulnerability* that exists in Oracle Java SE JDK and JRE 7 and 6 Update 27 and earlier. If you are using Java 6 Update 29, or Java 7 Update 1, then you have the latest version that is patched against this and 19 other security threats. If you are using a vulnerable version of Java, it’s time to update... a discussion in an exclusive cybercrime forum about an exploit that appears to have been weaponized... the hacker principally responsible for maintaining and selling BlackHole said the new Java exploit was being rolled out for free to existing "license" holders..."
* http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3544
CVSS v2 Base Score: 10.0 (HIGH)
"... Java SE JDK and JRE 7 and 6 Update 27 and earlier..."

Check your version here: https://www.java.com/en/download/installed.jsp

- https://blogs.technet.com/themes/bl...of-keeping-all-software-up-to-date&GroupKeys=
28 Nov 2011 - "... the most commonly observed type of exploits in the first half of 2011 were those targeting vulnerabilities in the Oracle (formerly Sun Microsystems) Java Runtime Environment (JRE), Java Virtual Machine (JVM), and Java SE in the Java Development Kit (JDK). During the one year period starting in the third quarter of 2010 (3Q10) and ending in the second quarter of 2011 (2Q11), between one-third and one-half of all exploits observed in each quarter were Java exploits..."
Charted: * https://blogs.technet.com/cfs-files...api/3252.clip_5F00_image004_5F00_5E607283.png

- http://www.darkreading.com/taxonomy/index/printarticle/id/232200604
Dec 01, 2011 - "... Metasploit... added a new module for the latest Java attack that abuses a recently patched vulnerability... then was quickly "productized" into a crimeware kit in the underground... the attack also was getting rolled into the BlackHole crimeware kit..."

:mad::fear:
 
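The Krebs post above gives the patched levels for CVE-2011-3544 as Java 6 Update 29 and Java 7 Update 1. The following shell helper, added here and not part of any quoted article, parses the `1.x.y_u` string that `java -version` prints and reports whether an installation is at or beyond those levels; the function names are hypothetical.

```shell
#!/bin/sh
# java_patched_for_cve_2011_3544 VERSION
# VERSION is the string java -version prints, e.g. 1.6.0_27 or 1.7.0_01.
# Exit 0 when the release is at or beyond the fixed levels quoted above
# (6 Update 29 / 7 Update 1), 1 when it is still vulnerable, 2 when the
# string is not a 1.x.y[_u] version (e.g. a post-2011 "9.0.1" style string).
java_patched_for_cve_2011_3544() {
    printf '%s\n' "$1" | awk -F'[._]' '
        NF < 3 || $1 != 1 { exit 2 }                     # not 1.major.minor[_update]
        { major = $2 + 0; upd = (NF >= 4) ? $4 + 0 : 0 } # "1.7.0" alone is 7u0
        major == 6 && upd >= 29 { exit 0 }
        major == 7 && upd >= 1  { exit 0 }
        major >  7              { exit 0 }
        { exit 1 }'
}

# java_status VERSION: print patched / vulnerable / unknown (safe under set -e).
java_status() {
    java_patched_for_cve_2011_3544 "$1" && _rc=0 || _rc=$?
    case "$_rc" in
        0) echo patched ;;
        1) echo vulnerable ;;
        *) echo unknown ;;
    esac
}

# java_installed_status: check the Java found on PATH; "unknown" when none.
# java -version writes to stderr, so it is merged into the pipe.
java_installed_status() {
    _v=$(java -version 2>&1 | sed -n 's/.*version "\([^"]*\)".*/\1/p' | head -n 1)
    java_status "${_v:-none}"
}
```

Run `java_installed_status` on a host to get the verdict; the page's own check-your-version link remains the authoritative source for what Oracle currently ships.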
It's 'Black Monday' ...

... and of course, we have the obligatory Monday:

Virus Outbreak In Progress
- http://www.ironport.com/toc/
Nov. 28, 2011

- http://tools.cisco.com/security/center/threatOutbreak.x?i=77

Fake Invoice Document E-mail Msgs... updated November 23, 2011
- http://tools.cisco.com/security/center/viewThreatOutbreakAlert.x?alertId=24591
Fake United Parcel Service Invoice Notification E-mail Msgs... updated November 23
- http://tools.cisco.com/security/center/viewThreatOutbreakAlert.x?alertId=24615
Fake Electronic Payment Cancellation E-mail Msgs... updated November 23
- http://tools.cisco.com/security/center/viewThreatOutbreakAlert.x?alertId=23517
Fake iTunes Gift Certificate E-mail Msgs... updated November 23, 2011
- http://tools.cisco.com/security/center/viewThreatOutbreakAlert.x?alertId=24604
___

- http://nakedsecurity.sophos.com/2011/11/28/cyber-monday-spam-hits-email-inboxes/
November 28, 2011

- https://www.examiner.com/homeland-s...-monday-a-little-common-sense-goes-a-long-way
November 27, 2011

:mad: :fear:
 
Fake -Intuit- online payroll E-mail...

FYI...

Fake -Intuit- online payroll E-mail...
- http://security.intuit.com/alert.php?a=31
Last updated 11/28/2011 - "Customers have reported receiving a fake Intuit Online Payroll Free Trial email... copy of the fake email:
"Dear,
Thank you for choosing the Intuit Online Payroll Free Trial.
Please refer to attached file for detailed information.
During your free trial, you'll discover just how quick and easy it is to run payroll online:
Easy to set up and use
Run payroll anywhere, anytime - 24 hours a day, 7 days a week.
Includes everything from instant paycheck calculations and free direct deposit to electronic tax filing and payments and W-2 forms
Free support by phone or online
Let's set up your account.
Setting up your Intuit Online Payroll account is easy. All you need is your User ID and password to sign in and get started. To make signing in easier in the future, be sure to bookmark this page.
If you have your current payroll information handy, you can even run your payroll today. We're here to help...":

HELP steal your "User ID and password", that is.

:fear::mad:
 
Facebook worm in the Wild...

FYI...

Facebook worm in the Wild...
- http://sunbeltblog.blogspot.com/2011/11/new-facebook-worm-in-wild.html
November 29, 2011 - "... the worm is said to be "a classic" one in terms of how it infects Internet users: uses stolen credentials to log in to Facebook accounts and then spam contacts. The message is said to contain a link to a file purporting to be an image—Screenshot* of the file shows it has a .JPG extension—but it's actually a malicious screensaver. Once run, it drops a cocktail of malicious files onto the system, including ZeuS, a popular Trojan spyware capable of stealing user information from infected systems. The worm is also found to have anti-VM capabilities, making it useless to execute and test in a virtual environment, such as Oracle VM VirtualBox and VMWare. Please keep in mind that securing your information, including your social network credentials, is a must..."
* https://www.csis.dk/images/sn-worm.png

:mad:
 
Cybercrime svcs ramp up - demand from fraudsters ...

FYI...

Cybercrime svcs ramp up - demand from fraudsters ...
- https://www.trusteer.com/blog/cybercrime-services-ramp-provide-one-stop-shop-meet-demand-fraudsters
November 30, 2011 - "... recent Trusteer Research has indicated changes in service scope and price due to service convergence and demanding buyers... One-stop-shop - Trusteer Research came across a new group that besides offering infection services (for prices between 0.5 and 4.5 cents for each upload, depending on geography) also provides polymorphic encryption and AV checkers... For Polymorphic encryption of malware instances they charge from $25 to $50 and for prevention of malware detection by anti-virus systems (AV checking) they charge $20 for one week and $100 for one month of service... final paid price depends on percentage of infections... Some malware services like AV checking and Encryption are becoming a commodity, driving cybercriminals to consolidate services to stay competitive and introduce new offerings like the Phone Service... advise banks and their online banking users to maintain constant vigilance, apply software updates, maintain an awareness of new threats... complement desktop hygiene solutions like Anti Virus with security controls specifically designed to protect against Financial Malware... Some fraudster groups specialize in infecting hosts with malware, either by creating a botnet of hosts that could be infected at will, or by inserting exploit code to sites and routing victims to these sites to infect them using drive-by-downloads."

- http://krebsonsecurity.com/2011/11/ddos-attacks-spell-gameover-for-banks-victims-in-cyber-heists/
November 30, 2011 - "The FBI* is warning that computer crooks have begun launching debilitating cyber attacks against banks and their customers as part of a smoke screen to detract attention away from simultaneous high-dollar cyber heists. The bureau says the attacks coincide with corporate account takeovers perpetrated by thieves..."
* http://www.fbi.gov/denver/press-rel...tizens-to-be-aware-of-a-new-phishing-campaign

:fear: :mad: :mad:
 
Cutwail SPAM campaigns lure users to Blackhole Exploit Kit

FYI...

Cutwail SPAM campaigns lure users to Blackhole Exploit Kit
- http://labs.m86security.com/2011/12/cutwail-spam-campaigns-lure-users-to-blackhole-exploit-kit/
December 1st, 2011 - "Over the past few days the Cutwail botnet has been sending out malicious spam campaigns with a variety of themes such as airline ticket orders, Automated Clearing House (ACH), Facebook notification, and scanned document. These campaigns do -not- have malware attachments, instead the payload is delivered via links to malicious code hosted on the web... The message body may look like a legitimate Facebook notification*. However, further inspection reveals the underlying link redirecting to a malicious webpage...
* http://labs.m86security.com/wp-content/uploads/2011/11/CutwailSpam.png
Another campaign spammed out by Cutwail claims to be a flight ticket order. The spam can be easily spotted by its subject lines. It looks seemingly like a “forwarded” or “reply” email and uses the subject format shown in the image**...
** http://labs.m86security.com/wp-content/uploads/2011/11/flightOrder-copy.png
... example of the message***
*** http://labs.m86security.com/wp-content/uploads/2011/11/FlightOrderScreensho.png
... There are two things you should notice about this particular spam campaign. Firstly, the visible URL shown does not conform to the URI naming scheme of not having a top level domain, a clumsy mistake from the spammers. Other similar messages use “www.airlines.com” which is a parked domain. Secondly, “Airlines America” in the signature block is not a real airline company unless the spammers meant to imply American Airlines.
> Two other spam campaigns resurfaced this week, namely the “Automated Clearing House (ACH)” and the “scanned document”[1]...
[1] http://labs.m86security.com/wp-content/uploads/2011/11/ACH_HP.gif
... The URL link in these campaigns points to a compromised web server that serves a small HTML file. The HTML file then contains a malicious iframe that opens up a Blackhole exploit kit landing page. This is the same exploit kit used in previous spam campaigns such as the Steve Jobs is Alive and fake LinkedIn notifications... If you are a system administrator, you may want to block the following exploit kit landing pages.
crredret[dot]ru/main.php
www[dot]btredret[dot]ru/main.php
bqredret[dot]ru/main.php
At the time of analysis, loading the exploit kit webpage downloaded SpyEye and the Bobax spambot on to our vulnerable hosts."

:mad::fear::mad:
 
SSH password brute forcing... on the rise

FYI...

SSH password brute forcing... on the rise
- https://isc.sans.edu/diary.html?storyid=12133
Last Updated: 2011-12-04 23:26:51 UTC
"... received a report of ongoing SSH account brute forcing against root. This activity has been ongoing for about a week now from various IPs... A review of the DShield data*, shows a spike can easily be observed starting 15 Nov and has been up/down ever since...
* https://isc.sans.edu/diaryimages/SSH_4Dec2011.png
Some Defensive Tips...
- Never allow root to log in, no matter what: always log in as a regular user and then use su/sudo as needed.
- Change port number: why go stand in the line of fire ?
- Disallow password authentication (use keys)
In addition to the above, you should also consider using TCP Wrappers with the SSH service to limit access to only those addresses that need access..."
(More at the first isc URL above.)

Atlas:
- http://atlas.arbor.net/service/tcp/22#attacks

- http://atlas.arbor.net/service/tcp/22#sources

:fear::fear::spider:
 
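The three ISC tips above are all sshd_config settings. This shell audit script, added here and not ISC's or OpenSSH's code, reads a config file the way sshd does (first non-comment occurrence of a keyword wins, keywords are case-insensitive, defaults apply when a keyword is absent) and prints one finding per setting that contradicts the tips; the function names are hypothetical and the config shown in the demo is constructed.

```shell
#!/bin/sh
# sshd_effective FILE KEYWORD
# Print the value sshd would use for KEYWORD: first non-comment occurrence
# wins, otherwise OpenSSH's default. Parsing stops at the first "Match"
# block because everything below it applies only conditionally.
sshd_effective() {
    _k=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    _val=$(awk -v k="$_k" '
        $1 ~ /^#/ || NF == 0   { next }           # skip comments and blank lines
        tolower($1) == "match" { exit }           # conditional section: stop
        tolower($1) == k       { print $2; exit } # first occurrence wins
    ' "$1")
    if [ -z "$_val" ]; then
        case "$_k" in
            permitrootlogin)        _val="prohibit-password" ;; # OpenSSH 7.0+ default; older releases default to yes
            passwordauthentication) _val="yes" ;;
            port)                   _val="22" ;;
        esac
    fi
    printf '%s\n' "$_val"
}

# sshd_audit FILE
# Print a "WEAK:" line for each tip the file violates; nothing for a hardened
# file. Always exits 0 so it can sit in a pipeline under set -e.
sshd_audit() {
    _root=$(sshd_effective "$1" PermitRootLogin)
    _pw=$(sshd_effective "$1" PasswordAuthentication)
    _port=$(sshd_effective "$1" Port)

    # Tip 1: root must not log in at all, so anything but "no" is flagged,
    # including prohibit-password (root key logins would still be accepted).
    [ "$_root" = "no" ] ||
        echo "WEAK: PermitRootLogin $_root -> set 'PermitRootLogin no'; log in as a user, then su/sudo"

    # Tip 3: password guessing is what the brute forcers are doing; keys only.
    [ "$_pw" = "no" ] ||
        echo "WEAK: PasswordAuthentication $_pw -> set 'PasswordAuthentication no' and use keys"

    # Tip 2: port 22 is what the automated scanners in the DShield data hit.
    [ "$_port" != "22" ] ||
        echo "WEAK: Port 22 -> consider a non-default port (less noise, not a substitute for the above)"
    return 0
}

# Demo on a constructed config (not a real host's file): a commented-out
# "PermitRootLogin no" must not count, and keyword case must not matter.
demo=$(mktemp)
printf 'Port 22\n#PermitRootLogin no\npermitrootlogin yes\nPasswordAuthentication yes\n' > "$demo"
sshd_audit "$demo"
rm -f "$demo"
```

The TCP Wrappers advice in the same diary is outside what a config-file audit can see; check /etc/hosts.allow and /etc/hosts.deny separately.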
C|Net malware ...

FYI...

C|Net Download.Com is now bundling Nmap with malware...
- http://seclists.org/nmap-hackers/2011/5
5 Dec 2011 - "... C|Net's Download.Com site has started wrapping their Nmap downloads (as well as other free software like VLC) in a trojan installer which does things like installing a sketchy "StartNow" toolbar, changing the user's default search engine to Microsoft Bing, and changing their home page to Microsoft's MSN. The way it works is that C|Net's download page (screenshot attached) offers what they claim to be Nmap's Windows installer. They even provide the correct file size for our official installer. But users actually get a Cnet-created trojan installer. That program does the dirty work before downloading and executing Nmap's real installer. Of course the problem is that users often just click through installer screens, trusting that download.com gave them the real installer and knowing that the Nmap project wouldn't put malicious code in our installer. Then the next time the user opens their browser, they find that their computer is hosed with crappy toolbars, Bing searches, Microsoft as their home page, and whatever other shenanigans the software performs..."

- https://www.virustotal.com/file-sca...d504705c00526ded2fd5edebdcc32d48f6-1323239699
File name: 29d0ca5df3dd63a69630a1bbdbfbcfdad6271702
Submission date: 2011-12-07 06:34:59 (UTC)
Result: 7/43 (16.3%)

- https://isc.sans.edu/diary.html?storyid=12148
Last Updated: 2011-12-06 06:40:53 UTC

Caution: downloads can be hazardous to your PC's health...
- http://h-online.com/-1392501
8 December 2011 - "... much of the proprietary freeware and trial software on Download .com will retain its Download .com Installer packaging. Initial reactions on the net also noted that a number of popular open source programs still had an installer wrapping them and there appears to have been no apology for specifically bundling GPL, or enhanced GPL in the case of Nmap, software with closed source installers."

- http://insecure.org/news/download-com-fiasco.html#updates
Dec 9...
___

- http://www.extremetech.com/computin...downloads-in-bloatware-lies-about-motivations
August 22, 2011

:mad::fear::mad:
 
Urgent Block: BlackHole Exploit Kit...

FYI...

Urgent Block: BlackHole Exploit Kit redret Spam Domains
- http://www.malwaredomains.com/wordpress/?p=2220
December 6th, 2011 - "From the Internet Storm Center*... IP addresses to block are also in the article*. Also see this article**. Will be added here but you shouldn’t wait."

* https://isc.sans.edu/diary.html?storyid=12145
Last Updated: 2011-12-06 03:04:51 UTC - "... all domains still active/resolving that host BlackHole exploit kit, the actual one and not the links on the spams...
czredret .ru, curedret .ru, ctredret .ru, crredret .ru, bzredret .ru, byredret .ru, bxredret .ru, bwredret .ru, bvredret .ru, bsredret .ru, bpredret .ru, boredret .ru, blredret .ru, bkredret .ru, biredret .ru, bhredret .ru, bgredret .ru, bfredret .ru, beredret .ru, bdredret .ru, bcredret .ru, bbredret .ru, aredret .ru, apredret .ru, amredret .ru, alredret .ru, akredret .ru, ajredret .ru, airedret .ru, ahredret .ru, agredret .ru, afredret .ru, aeredret .ru, adredret .ru, acredret .ru, abredret .ru, aaredret .ru
... they are resolving to:
95.163.89.193, 89.208.34.116, 94.199.51.108, 91.220.35.38, 77.79.7.136, 95.163.89.200, 91.228.133.120
In recent past, the following IPs were also observed hosting them:
188.190.99.26, 87.120.41.191, 94.199.53.14, 89.208.34.116...
Comments (12.06.2011, 19:21 UTC): 79.137.237.63 is hosting these domains crredret .ru, ctredret .ru, curedret .ru, czredret .ru"

- https://blogs.msdn.com/themes/blogs...ocking-malware-domains-in-isa-2006&GroupKeys=
"... malware that connects using an IP address instead of a domain name will -not- be blocked when you use just domain name lists..."

** http://blog.dynamoo.com/2011/11/bredretru-domains-to-block.html
23 November 2011

:mad:
 
Affected and abused domains ...

FYI...

Affected and abused domains ...
- https://isc.sans.edu/diary.html?storyid=12178
Last Updated: 2011-12-10 17:42:46 UTC - "... covered the emergence of hacked DNS zones ("What's In A Name") a couple weeks ago*... domains affected have been abused for the past several days to push copies of the BlackHole Exploit Kit. The IP range used changes about every three, four days:
188.247.135.37 in use until Dec 2, AS34714, Opticnet, Romania
146.185.245.72 in use until Dec 5, AS43215, Monyson Group, Russia
... exploit code politely checks which version of Java is present, and only launches the exploit on Java installations that are not running the very latest update. Unfortunately, this seems to be the case for the majority of Java deployments out there. Today, almost two weeks after this latest wave of exploits started, the exploit code for CVE-2011-3544 is still only detected by roughly half the anti-virus companies on VirusTotal**... by far the most successful for the bad guys at the moment..."
* http://isc.sans.edu/diary.html?storyid=11770

** https://www.virustotal.com/file-sca...01556e8afa3c5dd57a09c3429e7db60bb4-1323534647
File name: v1.class
Submission date: 2011-12-10 16:30:47 (UTC)
Result: 19/43 (44.2%)

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3544
Last revised: 11/24/2011
CVSS v2 Base Score: 10.0 (HIGH)

:fear::mad:
 
100$ or a free iPad! - scam

FYI...

100$ or a free iPad! - scam
- https://isc.sans.edu/diary.html?storyid=12184
Last Updated: 2011-12-12 23:21:39 UTC ...Version: -3- "... several misspellings of wikipedia are used in this scam, in addition to many other domains. wikipeida-org, wikepedia-org, wictionary-org, wikpedia-com, wikispaces-cm are all domains with a typo that redirect visitors to a "you won a prize" page... to claim the prize lots of personal information must be entered...
Update: Other prominent typo domains affected include youtrube-com, youotube-com, youzube-com..."
> https://isc.sans.edu/diaryimages/you-won.jpg

:mad:
 
CA incident report...

FYI...

CA incident report...
- https://isc.sans.edu/diary.html?storyid=12205
Last Updated: 2011-12-14 17:39:34 UTC - "GlobalSign released a press release today to address concerns that they may have had a compromise of their CA infrastructure.
http://www.globalsign.co.uk/company/press/121411-security-incident-report.html
They did a good job of stating what they did find and what they didn’t. They also address new measures put in place to improve their overall security posture.
“We didn't find any evidence of
* Rogue Certificates issued.
* Customer data exposed.
* Compromised GlobalSign Root Certificate keys and associated Hardware Security Modules (HSM).
* Compromised GlobalSign Certificate Authority (CA) infrastructure.
* Compromised GlobalSign Issuing Authorities and associated HSMs.
* Compromised GlobalSign Registration Authority (RA) services.
What did happen
* Peripheral web server, not part of the Certificate issuance infrastructure, hosting a public facing web property was breached.
* What could have been exposed? Publicly available HTML pages, publicly available PDFs, the SSL Certificate and key issued to www .globalsign .com.
* SSL Certificate and key for www .globalsign .com were deemed compromised and revoked. “

:fear::fear:
 
Phish campaign targets users - timed with breach ...

FYI...

Phish campaign targets users - timed with breach...
- http://nakedsecurity.sophos.com/201...rgeted-in-post-data-breach-phishing-campaign/
December 14, 2011 - "A phishing campaign targeting customers of Telstra Bigpond, Australia's largest ISP, is urging users to confirm their billing information or risk the suspension of their account... All pretty run-of-the-mill - an access your account now by clicking on a link in this email or else spam - but neatly timed given that Telstra suffered a data breach last Friday. Personal information... was downloaded from an insecure Telstra customer portal last Friday (I have read numbers from 60,000 to 70,000), forcing Telstra to take down some of its services, including webmail, over the weekend. Ironically, the forced outage also prevented access to the Bigpond account management pages, making it hard for concerned users to change their passwords as a precaution against abuse, or, indeed, to check their account and billing information... an unpatched version of WordPress allowed the phishers to "borrow" services from an Aussie blogger... this email was obviously a phish:
- Bigpond doesn't send out access your account now by clicking on a link emails.
- The email contains numerous errors of orthography, spelling and grammar. Official Bigpond emails are professionally written.
- The link you are asked to click on has no obvious connection with Telstra or Bigpond.
- Official Bigpond emails to you aren't addressed to someone called "Duchess" with a competitor's webmail account (unless your name is Duchess, of course).
... if you run a WordPress blog, make sure you've applied the latest patches. Vulnerable blog sites can be a gold mine for cybercrooks."

:fear::fear:
 
Ransomware impersonates the police

FYI...

Ransomware impersonates the police
- https://blogs.technet.com/b/mmpc/ar...-impersonates-the-police.aspx?Redirected=true
19 Dec 2011 - "... several samples of a ransomware family localized into different languages... We've so far seen variants localized into four languages: English, Spanish, German, and Dutch... Upon execution, the ransomware locks the computer, displays the localized screen.. and demands the payment of a "fine" for the supposed possession of illicit material. In order to make the computer functional again, the user is asked to transfer money via a legitimate online payment service, such as Paysafecard or Ukash, to the supposed authorities. These services are -not- involved in any way with the scammers' scheme; instead, they are being used for malicious purposes... In the case of Trojan:Win32/Ransom.DU... that impersonates the German Federal Police, 91.59% of the samples we received from July to November this year were found in Germany... this localized ransomware family can be distributed through drive-by downloads and that the Blackhole Exploit Kit is involved... nowadays Blackhole distributes many widespread malware families... PS: Just today we encountered a sample targeting residents of France..."
___

- http://blog.eset.com/2011/12/04/carberp-blackhole-growing-fraud-incidents
Dec. 4, 2011 - "... Based on the statistics obtained from one of the nodes hosting an active Black Hole exploit pack, the most frequently exploited vulnerabilities leading to system infection with malware are found in Java software... The exploited vulnerabilities aren’t really new: some of them are more than a year old... To prevent antivirus software detecting the dropper the Black Hole exploit kit includes functionality for measuring dropper detections by the most widely used antivirus software. When the number of detections reaches a defined value the dropper is repacked by the service responsible for it..."

:mad::fear:
 
Email Bank Deposit Scam

FYI...

Email Bank Deposit Scam
- https://www.usaa.com/inet/pages/2011_19_12_deposit_phish_scam
12/19/2011 - "USAA's Enterprise Security Group has found an aggressive email phishing scam directed at USAA Members. The email has a subject line "Deposit Posted." What makes this particular phishing email different is there is a randomly generated four-digit number placed in the USAA Security Zone section... While this email* does not ask the recipient to click on a link, it does ask the member to open an attached file. When this file is opened it launches a malicious banking virus that if successfully launched could provide access to your personal information and may require a complete reinstall of your computer's operating system.
What Members Should Do:
USAA Members are encouraged to take the following action if they receive this email:
Make certain the four digits in the Security Zone section match the last four digits of your USAA member number.
If the numbers do not match your member information you can delete it..."
* https://content.usaa.com/mcontent/static_assets/Media/121911_phishing_scam.gif?cacheid=3947825466
___

- https://www.us-cert.gov/current/#usaa_phishing_scam_and_malware
December 20, 2011

:fear::fear::mad:
 
Fake browser addons spread SCAMS

FYI...

Fake browser addons spread SCAMS
- http://www.theregister.co.uk/2011/12/22/browser_plug_in_facebook_scam/
22 December 2011 - "... spreading scams on Facebook. Instead of using status updates as a lure, the latest generation of Facebook scams attempt to trick marks into installing malicious browser extensions. The plug-ins are supposedly needed to view non-existent video clips supposedly posted by an earlier victim. Once installed, these malign browser add-ons spread the scam from one user's profile to another... The bogus extensions come as add-ons for both Firefox and Chrome. More details of the scam, including screenshots, can be found in a blog post by Websense*..."
* http://community.websense.com/blogs...t-up-a-notch-with-firefox-chrome-plugins.aspx
"... The code checks which browser is installed and serves the compatible malicious plugin..."

:fear::mad:
 