SPAM frauds, fakes, and other MALWARE deliveries - archive

Blended attacks in Q2 2012 ...

FYI...

Blended attacks in Q2 2012
- http://www.commtouch.com/threat-report-july-2012/
July 12, 2012 - "Commtouch’s quarterly Internet Threats Trend Report covers Web threats, phishing, malware, and spam. The July 2012 report describes how distributors of malware, spam and phishing attacks are relying more and more on compromised websites. This tactic is designed to outwit email security and Web security systems that consider a site’s reputation before blocking it. Legitimate websites with positive online reputations but with deficient plugins and known vulnerabilities were harvested en masse in the second quarter of 2012 to host redirects, malware, pharmacy sites and phony login pages. The hacked websites were combined with effective social engineering that exploited multiple well-known brands to draw in victims. Similar branding tricks were used to distribute malware via email attachments. The popular file synchronization and sharing site Dropbox was also used as a malware distribution point in an attack promising free movie tickets..."
(More detail in slideshow at the URL above.)

> http://images.slidesharecdn.com/com...port-120712083747-phpapp01/95/slide-5-728.jpg

> http://images.slidesharecdn.com/com...port-120712083747-phpapp01/95/slide-7-728.jpg

> http://images.slidesharecdn.com/com...port-120712083747-phpapp01/95/slide-8-728.jpg

> http://images.slidesharecdn.com/com...ort-120712083747-phpapp01/95/slide-27-728.jpg

> http://images.slidesharecdn.com/com...ort-120712083747-phpapp01/95/slide-28-728.jpg

- http://www.commtouch.com/download/2336
PDF

- http://blog.commtouch.com/cafe/data-and-research/infographic-blended-attacks-in-q2-2012/
July 12, 2012 - Infographic
___

2012 June Symantec Intelligence Report - slideshow:
- http://www.slideshare.net/symantec/2012-june-symantec-intelligence-report
Jul 06, 2012

:fear: :mad:
 
Fake UPS emails - client-side exploits and malware

FYI...

Fake UPS emails - client-side exploits and malware ...
- http://blog.webroot.com/2012/07/18/...e-exploits-and-malware-serving-spam-campaign/
July 18, 2012 - "... cybercriminals systematically abuse popular brands and online services. Next to periodically rotating the brands, they also produce professional looking email templates, in an attempt to successfully brand-jack these companies, and trick their customers into interacting with the malicious emails... currently spamvertised client-side exploits and malware serving campaign impersonating UPS (United Parcel Service). Once users click on the links found in the malicious email, they’re automatically redirected to a Black Hole exploit kit landing page serving client-side exploits, and ultimately dropping malware on the exploited hosts... Upon successful client-side exploitation, the campaign drops MD5: 4462c5b3556c5cab5d90955b3faa19a8 on the exploited hosts. Detection rate: the sample is detected by 29 out of 41 antivirus scanners** as Trojan.Injector.AFR; Worm.Win32.Cridex.fb... This is the -third- UPS-themed malware serving campaign that we’ve intercepted over the past two months. Next to the malware serving campaigns impersonating DHL, we expect that we’re going to see more malicious activity abusing these highly popular courier service brands. UPS has acknowledged this threat and offered its perspective here*..."
* http://www.ups.com/content/us/en/re...ails+Fraudulently+Using+the+UPS+Name+or+Brand

** https://www.virustotal.com/file/dd5...a7ac9d672782d93c6a82400aa3845cfb6b5/analysis/
File name: 20120710_221334_4462C5B3556C5CAB5D90955B3FAA19A8_CAE93.VIR
Detection ratio: 29/41
Analysis date: 2012-07-14
___

- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Fake SpamCop E-mail Account Alert Notification E-mail Messages - New July 19, 2012
Fake FedEx Shipment Notification E-mail Messages- Updated July 19, 2012
Fake Hotel Reservation Confirmation Details E-mail Messages- Updated July 19, 2012
Fake Product Order Notification E-mail Messages - New July 19, 2012
Fake Contract Notification E-mail Messages - Updated July 19, 2012
Fake DHL Express Tracking Notification E-mail Messages - Updated July 19, 2012
Fake USPS Package Delivery Notification E-mail Messages- Updated July 19, 2012
Fake Airline Ticket Confirmation Attachment E-mail Messages - Updated July 19, 2012 ...

:sad::fear::mad:
 
Fake Facebook email leads to malware

FYI...

Fake Facebook email leads to malware ...
- http://nakedsecurity.sophos.com/2012/07/17/malware-facebook-photo-tag-notification/
July 17, 2012 - "Be wary of emails claiming to be from Facebook, and saying that you have been tagged in a photograph. Because it might be that you're the next potential victim of a malware attack. SophosLabs has intercepted a spammed-out email campaign, designed to infect recipients' computers with malware...
> https://sophosnews.files.wordpress.com/2012/07/facebook-malware-email.jpg
... (Did you notice what was odd about the email? The 'from' address misspells Facebook as "Faceboook" with three "o"s) If you click on the link in the email, you are -not- taken immediately to the real Facebook website. Instead, your browser is taken to a website hosting some malicious iFrame script (which takes advantage of the Blackhole exploit kit)..."
___

The Rise of the “Blackhole” Exploit Kit:
The Importance of Keeping All Software Up To Date
- https://blogs.technet.com/b/securit...-all-software-up-to-date.aspx?Redirected=true
19 Jul 2012

Top 10 locations with the most detections of Blacole - second half 2011 (2H11)
> https://blogs.technet.com/cfs-files...ponents-weblogfiles/00-00-00-50-43/5127.5.jpg

:mad:
 
Olympic malware on the Web ...

FYI...

Olympic malware on the Web ...
- http://community.websense.com/blogs...y-social-and-ready-for-the-olympic-games.aspx
20 Jul 2012 - "... Websense... researchers are already seeing data-stealing malware that aims to capitalize on the Games. Malware piggybacks on the buzz surrounding current, high profile events like the Olympics in order to steal personal data. Olympics-themed content armed with malware is introduced mainly through social engineering-based attacks. The cyber criminals behind the themed attacks know that they have a better chance of enticing potential victims by appearing current and relevant to a hot topic. That gets clicks, and the chance to spread their data-stealing creations... the Polish Computing Emerging Response Team (CERT)... analyzed an interesting sample of data-stealing malware*. This malware, once executed, has the ability to interact with social channels like Facebook, Skype, and Microsoft Live Messenger. This particular variant spreads malicious URLs through those channels and the victim's contact list... it employs a socially engineered attack accompanied by a malicious URL that ultimately leads to a malware file that is part of a bot network... analysis is based on a sample (MD5: 3E50B76C0066C314D224F4FD4CBF14D5 ) of the same malware family reported by the CERT.PL advisory. It is also detected as Pushbot, which is known to be a data-stealing malware variant... the malware looks in memory for these processes: opera.exe, firefox.exe, iexplore.exe, skype.exe, and msnmsgr.exe. When it uses a web browser, the malware changes the starting page to redirect user HTTP sessions to malicious websites. In the case of Skype or Microsoft Live Messenger, the malicious process is able to forge HTTP requests with malicious payloads to users in the victim's contacts list. We have also detected a Facebook URL forger used to build proper HTTP requests and send them to the Facebook server. In this way, if there is an active Facebook session, the malware can send malicious messages to the victim's Facebook friends list... 
The IP addresses so far are: 46.220.203.212, 89.63.178.149, and 39.54.215.205... The URL hxxp ://lokralbumsgens. com/pictures.php?pic=google is still active, and the domain was registered 20 days ago..."
* http://www.cert.pl/news/5587/langswitch_lang/en

:fear: :mad:
 
Fake Intuit emails lead to BlackHole exploit kit

FYI...

Fake Intuit emails lead to BlackHole exploit kit
- http://blog.webroot.com/2012/07/20/spamvertised-intuit-themed-emails-lead-to-black-hole-exploit-kit/
July 20, 2012 - "Cybercriminals are currently spamvertising millions of emails impersonating Intuit, in an attempt to trick end and corporate users into clicking on the malicious links found in the emails. The emails pretend to be coming from Intuit’s PaymentNetwork and acknowledge the arrival of an incoming payment. In reality though, they -redirect- users to Black Hole exploit kit landing URLs where client-side exploits are served, and ultimately malware is dropped on the infected hosts.
Screenshot of the spamvertised Intuit themed malicious email:
> https://webrootblog.files.wordpress.com/2012/07/intuit_spam_email_exploits_malware.png?w=592&h=175
... Upon clicking on the links found in the email, users are exposed to the following -bogus- “Page loading…” page:
> https://webrootblog.files.wordpress.com/2012/07/intuit_spam_email_exploits_malware_01.png
- Spamvertised URLs: hxxp ://sklep.kosmetyki-nel .pl/intpmt.html; hxxp ://kuzeybebe .com/o3whbp0G/index.html; hxxp ://senzor .rs/prolintu.html
- Client-side exploits serving URLs: hxxp ://69.194.194.238/view.php?s=2acc7093df3a2945;
hxxp ://proamd-inc .com/main.php?page=8cb1f95c85bce71b;
hxxp ://thaidescribed .com/main.php?page=8cb1f95c85bce71b
- Client-side exploits served:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1885 - 9.3 (HIGH)
... Upon successful client-side exploitation, the campaign drops MD5: 4462c5b3556c5cab5d90955b3faa19a8* on the exploited hosts.
* https://www.virustotal.com/file/dd5...a7ac9d672782d93c6a82400aa3845cfb6b5/analysis/
SHA256: dd529f7529692c2ebfe9da9eb7a83a7ac9d672782d93c6a82400aa3845cfb6b5
File name: file
Detection ratio: 33/42
Analysis date: 2012-07-20 10:47:57 UTC
... Worm.Win32.Cridex.fb; Worm:Win32/Cridex.B. Upon execution, the sample phones back to renderingoptimization .info – 87.255.51.229, Email: pauletta_carbonneau2120 @quiklinks .com on port 443. Here is information on Intuit’s Online Security Center about this threat:
> http://security.intuit.com/alert.php?a=49 ..."
___

The Rise of the “Blackhole” Exploit Kit:
... The Importance of Keeping All Software Up To Date
- https://blogs.technet.com/b/securit...-all-software-up-to-date.aspx?Redirected=true
19 Jul 2012

:mad: :fear:
 
Malware targets Facebook users with Children’s Charity SCAM

FYI...

Malware targets Facebook users with Children’s Charity SCAM
- https://www.trusteer.com/blog/malware-targets-facebook-users-children’s-charity-scam
July 24, 2012 - "We recently discovered a configuration of the Citadel malware that targets Facebook users with a fake request for donations to children’s charities in order to steal credit card data. After users have logged into their Facebook account, the Citadel injection mechanism displays a pop up that encourages the victim to donate $1 to children who “desperately” need humanitarian aid. Then, it asks users to fill in their credit card details. The malware is configured to deliver the attack based on the user's country/language settings, with web-injection pages in five different languages: English, Italian, Spanish, German and Dutch. In an interesting twist, the criminals do not reuse the same text for every language. Instead, they have customized each attack based on the victim’s country and/or region... This attack illustrates the continuing customization of financial malware and harvesting of credit card data from the global base of Facebook users. Using children’s charities as a scam makes this attack believable and effective. Meanwhile, the one dollar donation amount is low enough that virtually anyone can contribute if they choose. This is a well-designed method for stealing credit and debit card data on a massive scale."
(More detail at the URL above.)

:mad:
 
Malware served using bogus ‘Hotel Reservation Confirmation’ emails

FYI...

Malware served using bogus ‘Hotel Reservation Confirmation’ emails...
- http://blog.webroot.com/2012/07/23/...hotel-reservation-confirmation-themed-emails/
July 23, 2012 - "... Cybercriminals are currently spamvertising millions of emails impersonating Booking.com, in an attempt to trick end and corporate users into downloading and executing the malicious archive attached to the emails...
Screenshot of a sample spamvertised email:
> https://webrootblog.files.wordpress.com/2012/07/hotel_reservation_spam_malware.png
... The malicious Hotel-Reservation-Confirmation_from_Booking.exe (MD5: 7b60d5b4af4b1612cd2be56cfc4c1b92 ) executable is detected... as Backdoor.Win32.Androm.cp; Mal/Katusha-F ..."
* https://www.virustotal.com/file/c57...3d3f28f73c48d621fe5136d4bb9f249be80/analysis/
SHA256: c57f3f74ccc38913e094480aa09593d3f28f73c48d621fe5136d4bb9f249be80
File name: file
Detection ratio: 34/41
Analysis date: 2012-07-24
___

Threat Outbreak Alerts
- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Fake Airline Ticket Confirmation Attachment E-mail Message - Updated July 24, 2012
Fake FedEx Shipment Notification E-mail Messages - Updated July 24, 2012
Fake Product Details Attachment E-mail Messages - New July 24, 2012 ...

:mad:
 
Malware-laced traffic ticket SPAM coming to an Inbox near you...

FYI...

Malware-laced traffic ticket SPAM coming to an Inbox near you
- http://blog.webroot.com/2012/07/25/...alware-serving-speeding-ticket-themed-emails/
July 25, 2012 - "Not fearing prosecution, cybercriminals regularly impersonate law enforcement online in an attempt to socially engineer end users and corporate users into interacting with their malicious campaigns. From 419 scams, police ransomware, to law enforcement themed malware-serving email campaigns, cybercriminals continue abusing the international branches of various law enforcement agencies... a currently spamvertised malware-serving campaign, indicating that the user has “violated red light traffic signal” and that he should download the -fake- camera recording of his vehicle attached to the email...
Screenshot of the spamvertised email:
> https://webrootblog.files.wordpress.com/2012/07/traffic_police_violation_spam_malware.png
... The attached malware*... is detected... as Trojan:W32/Agent.DTYU; Backdoor.Win32.Androm.dc..."
* https://www.virustotal.com/file/bca...3d6885e9f487587e95ee8d69169cb65f549/analysis/
File name: file
Detection ratio: 34/41
Analysis date: 2012-07-25

- http://www.hyphenet.com/blog/2012/0...icket-spam-coming-to-an-email-inbox-near-you/
25 July 2012
___

‘Download your USPS Label’ emails serve malware
- http://blog.webroot.com/2012/07/26/...-your-usps-label-themed-emails-serve-malware/
July 26, 2012

:mad:
 
Twitter targeted to spread exploits/malware serving tweets

FYI...

Twitter targeted to spread exploits/malware serving tweets
- http://blog.webroot.com/2012/07/27/...sands-of-exploits-and-malware-serving-tweets/
July 27, 2012 - "Over the past several days, cybercriminals have been persistently spamvertising thousands of exploits and malware serving links across the most popular micro blogging service. Upon clicking on the [links], users are exposed to the exploits served by the Black Hole web malware exploitation kit...
Screenshot of a sample automatically registered account spamvertising malicious links to thousands of Twitter users:
> https://webrootblog.files.wordpress.com/2012/07/twitter_exploits_malware_blackhole_exploit_kit.png
... an automatically generated subdomain is spamvertised with an .html link consisting of the name of the prospective victim. The cybercriminals behind the campaign are harvesting Twitter user names, then automatically generating the username.html files. For the time being, they’re only relying on two static propagation messages, namely, “It’s about уou?” and “It’s уou оn photo?“... the redirection also takes place through the following domains
hxxp ://traffichouse .ru/?2 – 176.57.209.69
hxxp ://traffichouse .ru/?5 – 176.57.209.69
Responding to the same 176.57.209.69 IP are also the following domains:
forex-shop .com
abolyn.twmail .info
pclive .ru
ecoinstrument .ru
Client-side exploits serving domain: hxxp ://oomatsu.veta .su/main.php?page=afaf1d234c788e63
Upon successful client-side exploitation, the campaign drops MD5: 5d1e7ea86bee432ec1e5b3ad9ac43cfa* on the affected hosts. Upon execution, the sample phones back to the following URLs, where it downloads additional malware on the affected hosts:
hxxp ://112.121.178.189 /api/urls/?ts=1f737428&affid=35000
hxxp ://thanosactpetitioned .cu.cc/f/notepad.exe?ts=1f737428&affid=35000 ..."
* https://www.virustotal.com/file/139...9482fcb07ea0168eac532a83103a62485b5/analysis/
File name: 5d1e7ea86bee432ec1e5b3ad9ac43cfa.exe
Detection ratio: 16/41
Analysis date: 2012-07-27 19:21:48 UTC

- http://nakedsecurity.sophos.com/201...g-on-twitter-using-its-you-on-photo-disguise/
July 27, 2012
Sample-look-alikes...
> https://sophosnews.files.wordpress.com/2012/07/malware-tweets.jpg?w=640
> https://sophosnews.files.wordpress.com/2012/07/its-about-you1.jpg?w=640

Blackhole malware attack spreading on Twitter ...
- http://atlas.arbor.net/briefs/
Severity: Elevated Severity
July 27, 2012
Another attack by the BlackHole exploit kit reminds us that patching is most important.
Analysis: If a user clicks on these links posted to various twitter feeds, they will be redirected to a Black Hole exploit kit website that will attempt to exploit vulnerabilities on their system that can be reached through the web browser. Unpatched Java is one of the most popular attack methods these days, however a batch of other issues in technologies such as Adobe Reader, Flash and various browsers are also part of the attack strategy. Robust patching for home and enterprise users will greatly reduce the pain of such exploit kits that are based on "drive-by" exploits. The enticement tactic is always going to change, but the intent is the same - to trick the user into clicking on something and getting infected.
Source: Outbreak: http://nakedsecurity.sophos.com/201...g-on-twitter-using-its-you-on-photo-disguise/
___

> http://status.twitter.com/

> http://blog.twitter.com/

:fear: :mad:
 
More Olympic malware...

FYI...

More Olympic malware ...

Relay Race To Ruin: Cybercrime in the Olympics
- http://blog.trendmicro.com/relay-race-to-ruin-cybercrime-in-the-olympics/
Illegal TV Cards Allowing Free Olympic Viewing Sold Online
- http://blog.trendmicro.com/illegal-tv-cards-allowing-free-olympic-viewing-sold-online/
Bogus London Olympics 2012 Ticket Site Spotted
- http://blog.trendmicro.com/bogus-london-olympics-2012-ticket-site-spotted/
Countdown to the Olympics: Are You Safe?
- http://blog.trendmicro.com/countdown-to-the-olympics-are-you-safe/
Spammed Messages* Attempt to Cash In on London 2012 Olympics
- http://blog.trendmicro.com/spammed-messages-cash-in-on-london-2012-olympics/

* http://blog.trendmicro.com/wp-content/uploads/2012/06/londonolympics_2012_1.jpg

* http://blog.trendmicro.com/wp-content/uploads/2012/06/Londonolympics_2012_2.jpg

* http://blog.trendmicro.com/wp-content/uploads/2012/06/londonolympics_2012_3.jpg

More Olympics-related threats - Blackhat Search Engine Optimization (BHSEO)
> http://blog.trendmicro.com/more-london-olympics-related-threats/
July 29, 2012

- http://research.zscaler.com/2012/07/london-olympics-stay-away-from-scams.html
July 28, 2012
___

> http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Fake Roxy Palace Casino Promotional Code Notification E-mail Messages - Updated July 30, 2012
Fake UPS Payment Document Attachment E-mail Messages - Updated July 30, 2012
Fake Financial Transaction Scanned Document - New July 30, 2012
Fake Bank Transfer Receipt E-mail Messages - New July 30, 2012
Fake Picture Link E-mail Messages - Updated July 30, 2012
Fake Coupon Offer E-mail Messages - Updated July 30, 2012
Fake German E-mail Billing Requests - New July 30, 2012
Fake Blocked Credit Card Notification E-mail Messages - Updated July 30, 2012
Malicious Personal Pictures Attachment E-mail Messages - Updated July 30, 2012 ...

:mad: :mad:
 
Fake CPA/AICPA emails lead to BlackHole exploit kit

FYI...

Fake CPA/AICPA emails lead to BlackHole exploit kit
- http://blog.webroot.com/2012/08/01/spamvertised-aicpa-themed-emails-lead-to-black-hole-exploit-kit/
August 1, 2012 - "Certified public accountants, beware... Cybercriminals are currently spamvertising millions of emails impersonating AICPA (American Institute of Certified Public Accountants) in an attempt to trick users into clicking on the client-side exploits and malware serving links found in the emails...
Screenshot of the spamvertised email:
> https://webrootblog.files.wordpress.com/2012/07/aicpa_spam_exploits_black_hole_exploit_kit.png
... Spamvertised URL: hxxp://thewebloan .com/wp-includes/notice.html
Client-side exploits serving URLs parked on the same IP (221.131.129.200) - hxxp ://jeffknitwear .org/main.php?page=8614d3f3a69b5162;
hxxp ://lefttorightproductservice .org/main.php?page=4bf5d331b53d6f15
Client-side exploits serving domains responding to the same IP:
toeplunge .org; teloexpressions .org; historyalmostany .org
Client-side exploits served:
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1885 9.3 (HIGH)
Detection rate for a sample redirection script with MD5: fa9daec70af9ae2f23403e3d2adb1484 *
... Trojan.Script!IK; JS/Iframe.W!tr
Upon successful client-side exploitation, the campaign drops
MD5: b00af54e5907d57c913c7b3d166e6a5a ** on the affected hosts...
Trojan.PWS.YWO; Trojan-Dropper.Win32.Dapato.bmtv ..."
* https://www.virustotal.com/file/21a...e6021c302b30671937d6fcde/analysis/1342738075/
File name: AICPA.html
Detection ratio: 4/42
Analysis date: 2012-07-19
** https://www.virustotal.com/file/6db...6e09b2f975a20abe09a92a035ead7328a20/analysis/
File name: b00af54e5907d57c913c7b3d166e6a5a.exe
Detection ratio: 30/39
Analysis date: 2012-07-27

:mad:
 
Tech Support Phone Scams surge

FYI...

Tech Support Phone Scams surge
- https://krebsonsecurity.com/2012/08/tech-support-phone-scams-surge/
August 2nd, 2012 - "... horror stories from readers who reported being harassed by unsolicited phone calls from people with Indian accents posing as Microsoft employees and pushing dodgy PC security services. These telemarketing scams are nothing new, of course, but they seem to come and go in waves, and right now it’s definitely high tide..."
(More detail at the URL above.)

- http://www.microsoft.com/security/online-privacy/avoid-phone-scams.aspx

:mad:
 
Fake AT&T/Paypal emails lead to BlackHole exploit kit

FYI...

Fake AT&T email installs malware
- http://community.websense.com/blogs...12/08/02/fake-att-email-installs-malware.aspx
2 Aug 2012 - "Websense... detected a massive phishing campaign targeting AT&T customers... fake emails are masquerading as billing information... Each message claims that there is a bill of a few hundred US dollars. In itself, the amount of money could be big enough to raise suspicion in most of us. Also, it is easy to see when the mouse cursor hovers over the link that the target Web address is different from the one displayed in the text of the message...
(Screenshot of phish/fake email):
> http://community.websense.com/cfs-f...s/5126.AT_2600_T_5F00_email_5F00_campaign.png
... the link in the bogus message sends the user to a compromised Web server that redirects the browser to a Blackhole exploit kit. As a result, malware is downloaded onto the computer that is currently not detected by most antivirus products, according to VirusTotal*..."
* https://www.virustotal.com/file/a7e...db58b5d110887e001ab632d7f40159dfa13/analysis/
File name: readme.exe
Detection ratio: 10/39
Analysis date: 2012-08-03 06:21:20 UTC
___

Fake PayPal emails lead to BlackHole exploit kit
- http://blog.webroot.com/2012/08/02/...themed-emails-lead-to-black-hole-exploit-kit/
August 2, 2012 - "... cybercriminals are currently spamvertising millions of emails impersonating PayPal, in an attempt to trick end and corporate users into interacting with the malicious campaign. Once the interaction takes place, users are exposed to the client-side exploits served by the Black Hole exploit kit, currently the market share leader within the cybercrime ecosystem...
Screenshot of the spamvertised email:
> https://webrootblog.files.wordpress...er_exploits_malware_blackhole_exploit_kit.png
... Upon clicking on the link, users are exposed to a bogus “Page loading…” page:
> https://webrootblog.files.wordpress...exploits_malware_blackhole_exploit_kit_01.png
... Client-side exploits served: CVE-2010-0188; CVE-2010-1885
Detection rate for a sample redirection script: MD5: 2276947d2f3a7abc88e89089e65dce23*
Upon successful client-side exploitation, the campaign drops MD5: 05e0958ef184a27377044655d7b23cb0** on the affected hosts... cybercriminals behind these persistent and massive spam campaigns will simply continue rotating the impersonated brands in an attempt to target millions of users across multiple Web properties. PayPal has information (1) on their website to help users identify legitimate emails..."
* https://www.virustotal.com/file/8f5...266c2f2f6d63f3af4f71f6c5/analysis/1343139059/
File name: PayPal.html
Detection ratio: 3/40
Analysis date: 2012-07-24 14:10:59 UTC
** https://www.virustotal.com/file/132...d620169c80177f6e739f606ca9c799d84be/analysis/
File name: file
Detection ratio: 32/41
Analysis date: 2012-08-03 10:30:40 UTC

1- https://www.paypal.com/us/webapps/mpp/security/suspicious-activity

:mad:
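The two tells the Websense and Sophos write-ups above rely on (hovering shows a target address different from the one displayed in the link text, and a From: line whose display name claims a brand its address domain does not belong to) can be checked mechanically before a user ever hovers. The following is an added example written for this archive, not code from Websense, Webroot or any of the vendors quoted; the sample message, the sender domain and the BRAND_DOMAINS allow-list are constructed for the example and would be maintained from your own mail logs in practice.

```python
"""Added example: flag brand-jacked mail by sender domain and by link text/href mismatch."""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the billing-themed campaigns above; the sender
# domain, amount and URLs are made up for this example.
SAMPLE_EMAIL = """From: AT&T Billing <billing@att-online-bill.example>
To: victim@example.org
Subject: Your AT&T wireless bill is ready
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your bill of $412.87 is now available.</p>
<p><a href="http://compromised-site.example/att/bill.html">https://www.att.com/billing</a></p>
<p><a href="https://www.att.com/privacy">Privacy policy</a></p>
</body></html>
"""

# Assumed allow-list: brand keyword in the display name -> domains it really mails from.
BRAND_DOMAINS = {
    "at&t": {"att.com", "e.att-mail.com"},
    "paypal": {"paypal.com"},
}

# Anchor text that itself looks like a URL or bare hostname.
URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude 'last two labels' comparison; enough for the tells shown here."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def mismatched_links(html):
    """Links whose visible text is a URL/host on a different site than the href."""
    p = LinkCollector()
    p.feed(html)
    bad = []
    for href, text in p.links:
        if not URL_LIKE.match(text):
            continue  # plain-word anchor text, nothing to compare against
        shown = text if "://" in text else "http://" + text
        if registrable(urlparse(href).hostname or "") != registrable(urlparse(shown).hostname or ""):
            bad.append((href, text))
    return bad


def brand_sender_mismatch(from_header):
    """(brand, domain) when the display name claims a brand the address domain is not allowed for."""
    name, addr = parseaddr(str(from_header))
    domain = addr.rpartition("@")[2].lower()
    for brand, allowed in BRAND_DOMAINS.items():
        if brand in name.lower() and domain not in allowed:
            return brand, domain
    return None


def triage(raw):
    """Run both checks over one raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body else ""
    return {"sender": brand_sender_mismatch(msg["From"]), "links": mismatched_links(html)}


if __name__ == "__main__":
    print(triage(SAMPLE_EMAIL))
```

Both checks are deliberately narrow: a "Click here" anchor pointing at a compromised site is not caught by the link test, and a spoofed envelope that really does come from the brand's domain needs SPF/DKIM results rather than a display-name compare. They catch exactly the sloppy templates the posts above describe, which is where the volume is.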
 
Phishing for Payroll with unpatched Java...

FYI...

Phishing for Payroll with unpatched Java
- https://isc.sans.edu/diary.html?storyid=13840
Last Updated: 2012-08-05 - "... companies that offer outsourced payroll management services have seen their name being abused for phishing scams. One prominent example is ADP, whose website [1] currently alerts their customers to four different samples of phishing emails that make the rounds and claim to be from ADP. The average recipient of such a phish would have no idea who or what ADP is, and would be highly unlikely to "click". But a HR/Payroll employee of a company that actually uses ADP services would certainly be alarmed to read, for example, that his/her access to ADP is about to be cut off:
> https://isc.sans.edu/diaryimages/sd1.JPG
... the odds are pretty high that someone who clicks on the link in the email is actually a HR/Payroll person. Combine the link with a nice fresh set of exploits that have near-zero detection in anti-virus, and you have a Get-Rich-Quick scheme for the crooks that's hard to beat...
>> https://isc.sans.edu/diaryimages/sd2.jpg
... Those who clicked nonetheless have likely been "had", though. The shown marottamare link redirected via three other web sites, and then ended up on 50.116.36.175, a very temporary home on what looks like a rented Linux VServer. From there, the exploits were delivered, and at least one of them, Java CVE-2012-1723, is currently netting the bad guys a lot of illicit system access. Antivirus detection rate is and stays low; three days later, it is still only at -8/41- on Virustotal*. The main reason for this seems to be that the exploit packs are encoded... which means that the original attack code and payload are split up into five byte blocks, and each of these individual five bytes is encoded by XOR with a different static value... Some of the AV tools are getting better at providing generic detection for encoded CVE-2012-1723, but don't hold your breath... As for defenses:
1. PATCH your Java JRE. CVE-2012-1723** is deadly, and is widely being exploited in the wild at the moment. Even better, uninstall Java JRE completely from your computers if you can get away with it.
2. Make sure your HR and Payroll folks are treated to another round of "DONT CLICK ON THIS LINK" training. They are your first line of defense, and - given Antivirus' ineffectiveness - usually even your ONLY line of defense.
3. If you have an outsourced payroll provider, acquaint yourself with the email logs, so that you know what REAL email coming from this provider looks like. This knowledge is priceless during an incident, and might even help you to automatically -block- some of the more egregious phishes..."
* https://www.virustotal.com/file/342...9bd1319ca5258d0d0c84803c/analysis/1344175361/
File name: Rooh.jar
Detection ratio: 8/41
Analysis date: 2012-08-05

[1] http://www.adp.com/about-us/trust-center/security-alerts.aspx

** http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1723 - 10.0 (HIGH)
6/16/2012

:mad:
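The encoding the ISC diary describes (payload cut into five-byte blocks, each byte position XORed with its own static value) is a repeating-key XOR with a five-byte key, and a defender holding a captured blob can strip it without the landing page's decoder. The block below is an added example for this archive, not code from ISC or from the exploit pack; the key and the fake MZ payload are constructed, and the statistical recovery assumes the plaintext is dominated by a filler byte (0x00 in real executables and archives), which is why it works on binaries and would not on compressed data.

```python
"""Added example: five-byte rotating XOR as used by the encoded exploit packs, plus key recovery."""
from collections import Counter


def xor_block(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR: byte i is XORed with key[i % len(key)].
    Five-byte blocks with a static value per position is exactly this with a
    five-byte key. XOR is its own inverse, so this both encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key_known_plaintext(blob: bytes, known: bytes, keylen: int = 5, offset: int = 0) -> bytes:
    """With >= keylen consecutive known plaintext bytes at `offset` (a file
    magic and the bytes after it), the key falls out directly:
    key[pos % keylen] = blob[pos] ^ plain[pos]."""
    if len(known) < keylen:
        raise ValueError("need at least keylen known plaintext bytes")
    key = bytearray(keylen)
    for i in range(keylen):
        pos = offset + i
        key[pos % keylen] = blob[pos] ^ known[i]
    return bytes(key)


def recover_key_statistical(blob: bytes, keylen: int = 5, filler: int = 0x00) -> bytes:
    """Without known plaintext: for each key position, the most frequent
    ciphertext byte in that column is almost certainly filler ^ key[j],
    because PE/JAR payloads are full of the filler byte."""
    key = bytearray(keylen)
    for j in range(keylen):
        column = blob[j::keylen]
        most_common = Counter(column).most_common(1)[0][0]
        key[j] = most_common ^ filler
    return bytes(key)


# Constructed sample: an arbitrary key and a fake MZ-headed payload padded with
# zeros the way a real dropper's headers and sections are. Not from the campaign.
KEY = bytes([0x5A, 0x13, 0xC7, 0x08, 0x91])
PAYLOAD = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    + b"\x00" * 112
    + b"This program cannot be run in DOS mode.\r\n"
    + b"\x00" * 64
)
ENCODED = xor_block(PAYLOAD, KEY)


def demo():
    """Recover the key both ways from ENCODED alone and confirm the decode round-trips."""
    k_known = recover_key_known_plaintext(ENCODED, b"MZ\x90\x00\x03")
    k_stat = recover_key_statistical(ENCODED)
    return k_known, k_stat, xor_block(ENCODED, k_stat) == PAYLOAD


if __name__ == "__main__":
    print(demo())
```

The point for detection is the one the diary makes: signatures written against the decoded exploit never see it on the wire, so a sandbox or proxy hook has to either run the landing page's JavaScript decoder or apply a generic XOR-key recovery like the statistical one here before scanning. Kits rotate the key per visit, so the key itself is not a usable indicator; the decoded payload's hash is.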
 
Fake LinkedIn emails serve exploits and malware

FYI...

Fake LinkedIn emails serve exploits and malware
- http://blog.webroot.com/2012/08/08/...sonates-linkedin-serves-exploits-and-malware/
August 8, 2012 - "... cybercriminals launched the most recent spam campaign impersonating LinkedIn, in an attempt to trick LinkedIn’s users into clicking on the client-side exploits and malware serving links found in the emails...
Screenshot of the spamvertised email:
> https://webrootblog.files.wordpress...am_exploits_malware_blackhole_exploit_kit.png
... Spamvertised URL: hxxp ://glqzc .com/linkzane.html
Client-side exploits serving URL: hxxp ://headtoheadblaster .org/main.php?page=f6857febef53e332
Client-side exploits served: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1885 - 9.3 (HIGH)
Upon successful client-side exploitation, the campaign drops MD5: 6c59e90d9c3931c900cfd2672f64aec3 *
... PWS-Zbot.gen.ajm; W32/Kryptik.BRK..."
* https://www.virustotal.com/file/278...0f5d8a4f5ad57b8c57178fb2928c65bc800/analysis/
File name: 6c59e90d9c3931c900cfd2672f64aec3
Detection ratio: 24/42
Analysis date: 2012-08-09 02:17:01 UTC

:fear: :mad:
 
2x IPs to block - Zeus/Citadel variant causing issues ...

FYI...

- https://isc.sans.edu/diary.html?storyid=13861
Last Updated: 2012-08-09 10:20:41 UTC
... Ref (1): http://blog.fox-it.com/2012/08/09/xdoccryptdorifel-document-encrypting-and-network-spreading-virus/
XDocCrypt/Dorifel – Document encrypting and network spreading virus
August 9, 2012 - "... apparently none of your IT security defenses has removed it, has blocked it and neither has signaled you that there was something wrong on that system. If you were hit, you will likely start asking yourself some questions now… A properly configured IDS would have picked up the attack earlier and you would have been notified of the event. Communication to the following IP addresses might indicate malicious behavior on your system:
184.82.162.163
184.22.103.202

... Ref (2): http://www.damnthoseproblems.com/?p=599&lang=en
Latest reference 09-08-2012 Update 18:05...
... 2x IPs to block: 184.82.162.163... 184.22.103.202

:fear: :mad:
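The Fox-IT post above says an IDS watching for the two Dorifel addresses would have caught the infection early, and several other posts in this thread publish the command-and-control hosts their samples phoned home to. The following is an added example for this archive, not code from Fox-IT, ISC or the other sources: it re-fangs those indicators (the posts write them as "hxxp ://renderingoptimization .info") into a blocklist and runs a constructed proxy log against it, matching exact destination IPs and domain indicators including their subdomains. The log lines, the internal 10.x source hosts and the "cdn." subdomain are made up for the example.

```python
"""Added example: match outbound proxy traffic against the C2 indicators published in this thread."""
import ipaddress
from collections import namedtuple

# Indicators from the posts in this thread, re-fanged; campaign labels are the thread's own attributions.
IOC_IPS = {
    "184.82.162.163": "XDocCrypt/Dorifel",
    "184.22.103.202": "XDocCrypt/Dorifel",
    "87.255.51.229": "Cridex (Intuit-themed spam)",
    "87.204.199.100": "Cridex (AT&T-themed spam)",
    "176.57.209.69": "Twitter Blackhole redirector",
    "112.121.178.189": "Twitter Blackhole payload",
}
IOC_DOMAINS = {
    "renderingoptimization.info": "Cridex (Intuit-themed spam)",
    "traffichouse.ru": "Twitter Blackhole redirector",
    "thanosactpetitioned.cu.cc": "Twitter Blackhole payload",
}

Hit = namedtuple("Hit", "line_no src indicators")

# Constructed proxy log (not real traffic). Fields: ts src dst_ip dst_port host method path
SAMPLE_LOG = """\
2012-08-09T10:20:41Z 10.1.4.22 184.82.162.163 80 184.82.162.163 GET /
2012-08-09T10:20:42Z 10.1.4.22 93.184.216.34 443 www.example.com GET /
2012-08-09T10:21:05Z 10.1.7.9 87.255.51.229 443 renderingoptimization.info POST /
2012-08-09T10:21:30Z 10.1.7.9 198.51.100.7 80 cdn.thanosactpetitioned.cu.cc GET /f/notepad.exe
2012-08-09T10:22:00Z 10.1.4.22 87.204.199.100 8080 87.204.199.100 POST /mx5/B/in/
"""


def is_ip(text: str) -> bool:
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def host_matches(host: str, ioc_domain: str) -> bool:
    """Exact match or any subdomain of the indicator (label-aligned, so 'evil-cu.cc' does not match 'cu.cc')."""
    host = host.lower().rstrip(".")
    return host == ioc_domain or host.endswith("." + ioc_domain)


def indicators_for(dst_ip: str, host: str) -> tuple:
    """All indicators a single request touches: IP first, then domain indicators.
    The host field is skipped when it is an IP literal (direct-to-IP C2 like the Cridex /mx5/ check-in)."""
    found = []
    if dst_ip in IOC_IPS:
        found.append(dst_ip)
    if not is_ip(host):
        found.extend(d for d in IOC_DOMAINS if host_matches(host, d))
    return tuple(found)


def scan(log_text: str) -> list:
    """One Hit per log line that touches any indicator."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        fields = line.split()
        if len(fields) < 7:
            continue  # truncated line; in production count these rather than silently dropping them
        _ts, src, dst_ip, _port, host = fields[:5]
        found = indicators_for(dst_ip, host)
        if found:
            hits.append(Hit(n, src, found))
    return hits


def sources_to_isolate(hits: list) -> dict:
    """Internal source -> set of campaigns it talked to; this is the list that goes to the desk that pulls cables."""
    out = {}
    for h in hits:
        out.setdefault(h.src, set()).update(IOC_IPS.get(i) or IOC_DOMAINS.get(i) for i in h.indicators)
    return out


if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(h)
    print(sources_to_isolate(scan(SAMPLE_LOG)))
```

Two caveats a practitioner would add: the ISC diary above notes these hosts live on rented servers that move within days, so every indicator needs a first-seen/expiry date and the list must be refreshed rather than grown forever; and a hit on a redirector IP (176.57.209.69) means a user clicked, not that exploitation succeeded, so it should trigger a look at what the same source fetched in the following minute rather than an automatic reimage.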
 
Fake Groupon email malware coupon

FYI...

Fake Groupon email malware coupon
- http://blog.commtouch.com/cafe/emai...has-shared-a-groupon-malware-coupon-with-you/
Aug 9, 2012 - "A recent collection of malware emails borrows heavily from authentic mailings sent out by Groupon and LinkedIn. The outbreak is different from the blended attacks that have featured regularly in the last few months since it relies on attached malware as opposed to a link to drive-by malware. Using email templates modeled on Groupon and LinkedIn increases the chances that recipients will consider the attachment genuine and worth opening. The example below shows a Groupon “deal” found by a friend. Recipients are invited to open the attachment to view the gift details and also to forward it on to friends. All the links within the “offer” point to genuine Groupon sites.
> http://blog.commtouch.com/cafe/wp-content/uploads/Groupon-newsletter-with-malware.jpg
The attached zip file unpacks to a file named “Coupon gift.exe”. Commtouch’s Antivirus identifies the malware as W32/Trojan3.DWY. The malware attempts to download and install files from several remote servers. Only 30% of the 41 engines on VirusTotal detected the malware within a few hours of the attack...
Email text:
Hi there!
You’re going to love it
We are glad to inform you that one of your friends has found a great deal on Groupon.com!
And even shared it with you!
Yeah! Now Groupon.com gives an opportunity to share a discount gift with a friend!
Enjoy your discount gift in the attachement and share it with one of your friend as well.
All the details in the file attached. be in a hurry this weekend special is due in 2 days!
"

:mad:
 
Fake AT&T email billing - serves exploits and malware

FYI...

Fake AT&T email billing - serves exploits and malware
- http://blog.webroot.com/2012/08/10/...s-billing-service-serve-exploits-and-malware/
August 10, 2012 - "... yet another massive spam campaign, this time impersonating AT&T’s Billing Center, in an attempt to trick end and corporate users into downloading a bogus Online Bill. Once gullible and socially engineered users click on any of the links found in the malicious emails, they’re automatically redirected to a Black Hole exploit kit landing URL, where they’re exposed to client-side exploits, which ultimately drop a piece of malicious software on the affected hosts...
Screenshot of the spamvertised email:
> https://webrootblog.files.wordpress...m_black_hole_exploit_kit_exploits_malware.png
... Client-side exploits serving URL:
hxxp ://advancementwowcom .org/main.php?page=19152be46559e39d
Client-side exploits served: CVE-2010-1885
Upon successful client-side exploitation, the campaign drops MD5: c497b4d6dfadd4609918282cf91c6f4e* on the infected hosts... as Trojan.Generic.KD.687203; W32/Cridex-Q. Once executed, the sample phones back to hxxp :// 87.204.199.100 :8080 /mx5/B/in/. We’ve already seen the same command and control server used in several malware-serving campaigns, namely, the Craigslist spam campaign, the PayPal spam campaign, the eBay spam campaign, and the American Airlines themed spam campaign... cybercriminals will continue rotating popular brands, introduce new email templates, and newly undetected pieces of malware..."
* https://www.virustotal.com/file/a7e...db58b5d110887e001ab632d7f40159dfa13/analysis/
File name: C497B4D6DFADD4609918282CF91C6F4E_100-about.exe
Detection ratio: 19/41
Analysis date: 2012-08-05

:mad:
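The Dorifel post above says a properly configured IDS would have flagged traffic to the two listed IPs, and the Webroot post gives the Cridex phone-home URL in defanged form. As an added example (not from either post or vendor), this Python snippet refangs that URL, builds an indicator set from the values quoted on this page, and flags matching destinations in constructed proxy log lines; the log format and sample lines are assumptions.

```python
import re
from typing import Dict, List

# Indicators quoted in the two posts above: the Fox-IT Dorifel IPs and the
# Webroot Cridex command-and-control URL (copied defanged, as the post prints it).
DORIFEL_IPS = {"184.82.162.163", "184.22.103.202"}
CRIDEX_C2 = "hxxp :// 87.204.199.100 :8080 /mx5/B/in/"

def refang(url: str) -> str:
    """Undo the 'hxxp ://' defanging so the indicator can be parsed as a URL."""
    url = re.sub(r"\s+", "", url)  # drop the spaces inserted around '://' and the port
    return re.sub(r"^hxxp", "http", url)

def url_indicator(url: str) -> Dict[str, str]:
    """Split a (possibly defanged) URL indicator into host, port and path."""
    m = re.match(r"^https?://([^/:]+)(?::(\d+))?(/.*)?$", refang(url))
    if not m:
        raise ValueError("unparseable indicator: " + url)
    host, port, path = m.groups()
    return {"host": host, "port": port or "80", "path": path or "/"}

# Constructed proxy log lines for the demo (assumed format:
# "<epoch> <client> <dst_host> <dst_port> <method> <path>"); not real traffic.
SAMPLE_LOG = """\
1344520001 10.0.0.5 www.example.com 443 CONNECT /
1344520002 10.0.0.7 184.82.162.163 80 GET /index.php
1344520003 10.0.0.9 87.204.199.100 8080 POST /mx5/B/in/
1344520004 10.0.0.9 87.204.199.100 80 GET /
1344520005 10.0.0.5 184.22.103.202 80 GET /x
"""

def scan_log(log_text: str) -> List[Dict[str, object]]:
    """Return one hit per log line whose destination is a listed indicator.

    Any connection to the C2 host is flagged; 'exact' records whether the port
    and path also match the quoted phone-home URL.
    """
    c2 = url_indicator(CRIDEX_C2)
    hits: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        ts, client, host, port, _method, path = line.split()
        if host in DORIFEL_IPS:
            hits.append({"ts": ts, "client": client, "dst": host, "ioc": "Dorifel IP", "exact": True})
        elif host == c2["host"]:
            exact = port == c2["port"] and path.startswith(c2["path"])
            hits.append({"ts": ts, "client": client, "dst": f"{host}:{port}{path}",
                         "ioc": "Cridex C2", "exact": exact})
    return hits
```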
 
Olympic malware spread continues...

FYI...

Olympic malware spread continues ...
- http://community.websense.com/blogs...earches-Resulting-In-Objectionable-Sites.aspx
10 Aug 2012 - "... Websense... analyzed Twitter traffic based on popular Olympics-related terms, events, and athletes starting two days before the Opening Ceremony through August 8th... Looking more closely at the data, we found that a handful of Twitter feeds from certain athletes and teams were posting shortened URLs which redirected to Objectionable or Security categories, including Malicious Web Sites and Malicious Embedded Links:
> http://community.websense.com/cfs-f...ritylabs/0310.olympicsblog.jpg_2D00_550x0.jpg
... We took a sample set of 3600 of these, unshortened them, and analyzed the category breakdown:
> http://community.websense.com/cfs-f...nents.WeblogFiles/securitylabs/1057.chart.jpg
..."

:mad:
 
Fake Intuit emails ...

FYI...

Fake Intuit emails ...
- http://security.intuit.com/alert.php?a=52
8/10/2012 - "People are receiving emails purportedly from Classmates.com with the title "Download your Intuit.com invoice." There is an attachment to the email. Below is the text of the email people are receiving, including the errors in the email:

"Dear Customer: Thank you for ordering from Intuit Market. We are processing and will message you when your order ships. If you ordered multiple items, we may sned them in more than one delivery (at no extra cost to you) to ensure quicker delivery. If you have questions about your order please call 1-900-040-6988 ($3.19/min).
ORDER INFORMATION
Please download your complete order id#6269722 from the attachment.(Open with Internet Explorer)"


This is the end of the fake email... Steps to Take Now:
- Do not click on the link in the email...
- Spoofed email address. Don't reply to unsolicited email and don't open email attachments...
- Fake link. When in doubt, never click on a link in an unsolicited or suspicious email..."

:mad:
 