SPAM frauds, fakes, and other MALWARE deliveries - archive

Twitter-Facebook Phishing...

FYI...

Twitter-Facebook Phishing...
- http://isc.sans.org/diary.html?storyid=5623
Last Updated: 2009-01-04 15:45:09 UTC - "Several readers have sent us information about a phishing attempt based on Twitter and possibly Facebook. It looks like the twitter folks have it well under control*, but as always with your Internet experience, vigilance and skepticism are your friends..."
* http://blog.twitter.com/2009/01/gone-phishing.html
January 03, 2009

- http://preview.tinyurl.com/73gm9n
01/05/2009 cgisecurity.net - "Days after a wave of phishing attacks fooled thousands of Twitter users, it appears that another security hole has been found by...someone... The Fox tweet was deleted an hour after it was posted, so the password may not have been changed... This can't be good for Twitter. It will be good for the people calling for more secure, standards based authentication on Twitter and elsewhere around the web."
- readwrite web
From Twitter's blog: http://blog.twitter.com/2009/01/monday-morning-madness.html
"...The issue with these 33 accounts is different from the Phishing scam aimed at Twitter users this weekend. These accounts were compromised by an individual who hacked into some of the tools our support team uses to help people do things like edit the email address associated with their Twitter account when they can't remember or get stuck. We considered this a very serious breach of security and immediately took the support tools offline. We'll put them back only when they're safe and secure"..."

- http://blog.trendmicro.com/so-is-it-twitter-or-facebook/
Jan. 5, 2009

:fear:
 
HMRC phishing email and website

FYI...

HMRC phishing email and website
- http://securitylabs.websense.com/content/Alerts/3276.aspx
01.06.2009 - "Websense... has discovered a phishing site emulating the Web site belonging to HM Revenue & Customs (HMRC), the UK government's taxation authority. The fake site is hosted in Denmark and uses the same stylesheet and graphics as the real HMRC Web site. Recipients first receive an email advising them that they are due a tax refund. This email contains a link to the phishing Web site. The phishing site aims to collect personal information such as name, address, and credit card information. Upon submitting the data, the user is redirected to the real HMRC site. The sending of the email is very timely with certain HMRC deadlines for online applications of tax returns imminent (31st January 2009). Websense has advised HMRC of this threat..."

(Screenshot of the phishing email available at the Websense URL above.)

:fear:
 
LinkedIn - bogus profiles lead to malware...

FYI...

- http://blog.trendmicro.com/bogus-linkedin-profiles-harbor-malicious-content/
Jan. 5, 2009 - "The LinkedIn professional networking site connects more than 30 million users from across many different industries. The advantages of maintaining a list of trusted business contacts for career planning purposes are not lost on LinkedIn’s users. The fostering of business relationships is further enhanced by features such as LinkedIn Answers and access from mobile devices... found some bogus LinkedIn profiles which contain links to malware, using the names and images of famous personalities such as:
* Beyoncé Knowles
* Victoria Beckham
* Christina Ricci
* Kirsten Dunst
* Salma Hayek
* Kate Hudson
... and several others. Malicious links contained in these bogus profiles lead browsers through a series of redirections, but ultimately to malware. Note that there are several routes this infection path may take..."

(Screenshot available at the URL above.)

:fear:
 
MLB.com pushing malware...

FYI...

MLB.com pushing malware
- http://sunbeltblog.blogspot.com/2009/01/mlbcom-pushing-malware.html
January 06, 2009 - "... stay away from this site until they get it cleaned up. We are seeing various mlb sites redirecting to fake antivirus scan. These are almost certainly being done by malicious flash advertisements. Not the first time* it’s happened (courtesy of Innovative Marketing**)."
(Screenshot available at the URL above.)

* http://www.security-forums.com/viewtopic.php?p=272589

** http://sunbeltblog.blogspot.com/2008/12/innovative-marketing-saga-continues.html

- http://www.theregister.co.uk/2009/01/08/major_league_baseball_threat/
8 January 2009 - "... Update: MLB spokesman Matthew Gould said the tainted ads were the result of an individual who claimed to sell ads through a company the website has done business with before. After the scam came to light, MLB officials discovered this individual had no affiliation with the company, which Gould declined to name because he says MLB is pursuing legal action. Gould said MLB officials believe the ads were taken down on Monday, less than 24 hours after going live. "As soon as we were made aware of the problem we removed the ad in all instances across our network," he said..." (Pop-up image for "Antivirus2009" shown at the URL above.)

:fear::fear::mad:
 
Waledac trojans - update...

FYI...

- http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20090109
9 January 2009 - "...we have a bunch of new and interesting information on the trojan, much of which has come from a number of security researchers out there. However, we are just going to touch on the last item and give you an updated list of domains associated with Waledac. You are bound to see all kinds of great research and interesting findings from others on this soon. In the meantime, please use this information to protect your networks and proactively (and retroactively) block these hosts. The following are a list of domains known to be associated with Waledac. Most of these domains have been seen in the wild and may be posted elsewhere. However, we want to provide our research that we have collected ourselves in a central spot for anyone to see and share.
Please DO NOT visit these domains as they are distributing malware both through the files they are peddling and via exploits.
Waledac Domain Listing (several new ones since our 12-31 post):

Related Exploit Domains (no new ones listed):
seocom .name
seocom .mobi
seofon .net
Please feel free to distribute the above list as you see fit..."

:fear::mad::fear:
 
Gaza conflict malicious SPAM e-mails...

FYI...

- http://www.us-cert.gov/current/#malware_circulating_via_email_messages
January 9, 2009 - "US-CERT is aware of public reports of malicious code circulating via spam email messages related to the Israel/Hamas conflict in Gaza. These messages may contain factual information about the conflict and appear to come from CNN. Additionally, the messages indicate that additional news coverage of the conflict can be viewed by following a link provided in the email body. If users click on this link, they are redirected to a bogus CNN website that appears to contain a video. Users who attempt to view this video will be prompted to update to a new version of Adobe Flash Player in order to view the video. This update is -not- a legitimate Adobe Flash Player update; it is malicious code. If users download this executable file, malicious code may be installed on their systems..."

- http://www.rsa.com/blog/blog_entry.aspx?id=1416
(Screenshot at the RSA URL above.)

:fear: :mad:
 
Yandex used in SPAM redirects

FYI...

Yandex used in SPAM redirects
- http://sunbeltblog.blogspot.com/2009/01/yandex-used-in-spam-redirects.html
January 11, 2009 - "We’re seeing a fair number of pages on Narod (a service that provides free web hosting, from Yandex, the Russian search engine). These are used for both redirects to malware, as well as redirects in spam... Administrators would be well advised to simply block any email or web traffic with narod .ru ."

:fear:
 
Malware directed at Classmates Online...

FYI...

Malware directed at Classmates Online...
- http://securitylabs.websense.com/content/Blogs/3279.aspx
01.14.2009 - "Websense... noticed that a campaign against Classmates Online, Inc had broken out. We observed that thousands of URLs were registered in one day to spread the worm. The newly-registered URLs were unusually long, had several subdomains, and always contained some specific words such as process, multipart and so on... The new campaign was spread by email. The malicious email contained a link to a video invitation to reunite high school classmates and celebrate Classmates Day 2009. When the email recipient viewed the invitation, they downloaded a worm named Adobe_Player10.exe. This could fool a user into thinking they needed the latest version of the Adobe Player, prompting them to run the executable... the main purpose of this worm was to steal user information and send it to a server located in the Ukraine. The address of the server was hardcoded in the worm. The worm did a lot of work, including dropping a driver file to hide itself, injecting itself into every process, downloads and so on. It collected several kinds of information, including details about POP3, IMAP, ICQ, FTP, and certification from the user's MY certificate store, which is used to store trusted sites and personal certificates... The worm injected itself in every process. The injected code would enum a module of the process, and then hook some APIs into the module..."

(Screenshots available at the Websense URL above.)

:fear::fear:
 
Presidential spam, phishing, and malware...

FYI...

Spam, Phishing, and Malware related to Presidential Inauguration
- http://www.us-cert.gov/current/#spam_phishing_and_malware_related
January 15, 2009 - "US-CERT has received reports of an increased number of phishing sites and spam related to the upcoming Presidential Inauguration. US-CERT reminds users that phishing and spamming campaigns often coincide with highly publicized events...
US-CERT encourages users and administrators to take the following preventative measures to help mitigate the security risks:
• Install antivirus software, and keep the virus signatures up to date.
• Do not follow unsolicited links and do not open unsolicited email messages.
• Use caution when visiting untrusted websites..."

- http://blog.trendmicro.com/fake-obama-news-sites-abound/
Jan 18, 2009

- http://www.f-secure.com/weblog/archives/00001585.html
January 17, 2009 - "...All the links point to a file called speech.exe, which is a Waledec malware variant..."

- http://blog.trendmicro.com/dont-be-fooled-by-obama-inauguration-scams/
January 16, 2009

:fear::mad:
 
More Prez SPAM...

FYI...

- http://www.theregister.co.uk/2009/01/19/obama_quitsmlaware_spam_scam/
19 January 2009

- http://preview.tinyurl.com/79ay3a
17 January 09 (PandaLabs blog) - "Today we discovered a botnet controlled, fast-flux operated malware campaign impersonating the United States President-elect Barack Obama’s website. The fake website looks just like the real thing and attempts to bait viewers into clicking a story entitled, “Barack Obama has refused to be a president”. When the user clicks on the link, the malware (W32\Iksmas.A.worm) begins to download all of the necessary files needed to host the fake site on the victims computer... The attack appears to have originated from China as the domains were purchased from a Chinese domain registrar called XINNET TECHNOLOGY CORPORATION. Xinnet has a history of abuse problems and we have contacted them to remove the domain names... The file names of the malware are:
• doc.exe , statement.exe , obamaspeech.exe , blog.exe , barack.exe , usa.exe , baracknews.exe , pdf.exe , news.exe , obamasblog.exe , barakblog.exe , statement.exe , president.exe , obamanews.exe ..."

:fear::spider::fear:
 
Waledac e-mails - new tactics & new domains...

FYI...

Inauguration Themed Waledac - New Tactics & New Domains
- http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20090119
January 19, 2009 - "...the Inauguration of Barack Obama and the Waledac trojan has been in full swing attempting to take advantage of the event. Since late last week the trojan has been blasting its way across the Internet with e-mails attempting to bring unwitting users to a page that looks a lot like the official Barack Obama website. The page is updated each day to appear to have a new blog entry... As always do NOT visit these domains as they are malicious and hosting exploit code... Click here* for a full listing of Waledac domains that we are aware of - this link will be updated as we get them. Your best bet is to block these domains or otherwise avoid them..."
* http://www.shadowserver.org/wiki/uploads/Calendar/waledac_domains.txt

:fear::spider::mad:
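Both Shadowserver posts above ask defenders to block the listed Waledac domains. The following added example (not Shadowserver's code, nor anything posted in this thread) turns a defanged listing in the "domain .com" style of the 9 January post into a blocklist, emits BIND response-policy-zone records for it, and checks DNS query-log lines for hits on listed domains and their subdomains. The listing entries and log lines in it are constructed placeholders, not the real Waledac domains.

```python
"""Defanged domain listing -> blocklist -> RPZ records and DNS log check.
Added example; the domains and log lines below are constructed samples."""
import re
from typing import Iterable

# Constructed listing in the defanged style of the Shadowserver post.
SAMPLE_LISTING = """
Waledac Domain Listing (constructed sample):
bestholidaycard-example .com
freecard-example .net
Related Exploit Domains:
exploit-example .name
Please feel free to distribute the above list as you see fit...
"""

# Constructed BIND-style query log lines (not real traffic).
SAMPLE_DNS_LOG = [
    "09-Jan-2009 10:01:02.123 client 10.0.0.5#53012: query: www.bestholidaycard-example.com IN A +",
    "09-Jan-2009 10:01:03.456 client 10.0.0.7#53013: query: mail.example.org IN MX +",
    "09-Jan-2009 10:01:04.789 client 10.0.0.9#53014: query: EXPLOIT-EXAMPLE.NAME. IN A +",
    "09-Jan-2009 10:01:05.000 client 10.0.0.9#53015: query: notexploit-example.name IN A +",
]

# Accept the common defanging styles: "bad .com", "bad[.]com", "bad(.)com".
DEFANG_RE = re.compile(r"\s*[\[\(]?\.[\]\)]?\s*")
LISTING_RE = re.compile(r"^[A-Za-z0-9-]+(?:\s*[\[\(]?\.[\]\)]?\s*[A-Za-z0-9-]+)+$")
QUERY_RE = re.compile(r"^(?P<ts>\S+ \S+) client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN")


def refang(entry: str) -> str:
    """Normalise one defanged entry to a plain lower-case domain."""
    return DEFANG_RE.sub(".", entry.strip().lower()).rstrip(".")


def load_blocklist(listing: str) -> set[str]:
    """Keep only lines that look like defanged domains; skip headings and prose."""
    return {refang(line) for line in listing.splitlines() if LISTING_RE.match(line.strip())}


def is_blocked(qname: str, blocklist: set[str]) -> bool:
    """True if qname is a listed domain or any subdomain of one.
    Walks up whole labels, so www.bad.com matches bad.com but notbad.com does not."""
    labels = qname.strip().lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def scan_dns_log(lines: Iterable[str], blocklist: set[str]) -> list[tuple[str, str, str]]:
    """Return (timestamp, client, qname) for every query that hits the blocklist."""
    hits = []
    for line in lines:
        m = QUERY_RE.match(line)
        if m and is_blocked(m["qname"], blocklist):
            hits.append((m["ts"], m["client"], m["qname"]))
    return hits


def to_rpz_records(blocklist: set[str]) -> list[str]:
    """BIND RPZ records that return NXDOMAIN for each domain and its subdomains."""
    records = []
    for domain in sorted(blocklist):
        records.append(f"{domain} CNAME .")
        records.append(f"*.{domain} CNAME .")
    return records


if __name__ == "__main__":
    bl = load_blocklist(SAMPLE_LISTING)
    print("\n".join(to_rpz_records(bl)))
    for ts, client, qname in scan_dns_log(SAMPLE_DNS_LOG, bl):
        print(f"HIT {ts} {client} -> {qname}")
```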
 
CRA phish...

FYI...

Phishing Alert - Canada Revenue Agency
- http://securitylabs.websense.com/content/Alerts/3282.aspx
01.20.2009 - "Websense... has discovered phishing sites spoofing the Web site belonging to Canada Revenue Agency (CRA), the Canadian government’s taxation authority. The fake site is hosted in Germany and uses the same stylesheet and graphics as the real CRA Web site. The phishing site aims to collect personal information such as the victim’s social insurance number, full name, address, date of birth, mother’s maiden name, and credit card information. Upon submitting the data, the user is redirected to the real CRA site. This campaign is timed to coincide with the upcoming CRA deadline for online tax return applications..."

:fear::mad:
 
United Airlines - e-mail scam malware attack...

FYI...

United Airlines - e-mail scam malware attack
- http://www.sophos.com/blogs/gc/g/2009/01/19/united-airlines-malware-attack/
January 19, 2009 - "Last week... spammers were sending out emails posing as messages from Northwest Airlines*. The attached file was not an electronic airline ticket of course, but a Trojan horse designed to infect your computer. As anticipated, the hackers have made a simple switch - changing the bait from a Northwest Airlines email to one claiming to come from United Airlines, and spoofing the email address tickets@united .com ... As before, opening the ZIP file is a very bad idea. Although it’s understandable that you might panic into thinking that your credit card has been debited without your permission, for a flight you don’t want or need, you should be cynical enough to smell this for what it is - a dirty rotten scam designed to infect your personal computer."
* http://www.sophos.com/blogs/gc/g/2009/01/14/northwest-airlines-malware-attack/

(Screenshots available at both URLs above.)

Video: http://www.sophos.com/blogs/gc/g/2008/08/01/video-the-e-ticket-email-malware-campaign

:fear: :mad:
 
Valentine SPAM already!...

FYI...

Valentine SPAM already!...
- http://blog.trendmicro.com/waledac-loves-to-spam-you/
Jan. 26, 2009 - "Holidays and popular annual events as a social engineering tool in spamming is a signature Storm technique. The following spammed email message should then cement WALEDAC’s association with the said bot giant...
Spammed Valentine’s greetings.
These messages flood inboxes weeks before Valentine’s day, also typical of previous Storm spam runs. Clicking on the link redirects a user to a site with heart images. When this page is clicked, the user is prompted to download a file, malicious of course, detected by Trend Micro as WORM_WALEDAC.AR... Beside the social engineering techniques used in email, following are the similar methods applied by this worm family:
• Fast-flux networks and several different name servers used per domain
• Files names ecard.exe and postcard.exe
• In some instances, the installation of rogue antispyware ..."

(Screenshots available at the URL above.)

:fear::mad:
 
IEC website compromised

FYI...

IEC website compromised
- http://securitylabs.websense.com/content/Alerts/3289.aspx
01.27.2009 - "Websense... has discovered that a subdomain of the International Electrotechnical Commission (IEC) Web site has been compromised. The IEC is an international standards organization that prepares and publishes International Standards for all electrical, electronic, and related technologies... The infected subdomain belongs to the TC26 group. Unprotected users would be subjected to execution of obfuscated Javascript that -redirects- to an exploit site, hosting exploits for Internet Explorer, QuickTime and AOL SuperBuddy. Successful execution of the exploit code incurs a drive-by download. This installs a backdoor on the compromised machine. Major antivirus vendors are -not- detecting this payload..."

(Screenshots available at the URL above.)

:fear::fear:
 
Fed Reserve Bank phish-about-phish...

FYI...

Fed Reserve Bank phish-about-phish
- http://www.hoax-slayer.com/federal-reserve-bank-scam-emails.shtml
28 January 2009 - "Email purporting to be from the Federal Reserve Bank claims that U.S. Treasury Department has imposed restrictions on federal wire transfers due to a widespread phishing attack... Email is -not- from the Reserve Bank - Links lead to bogus websites... The FDIC published an alert* about the scam..."
* http://www.fdic.gov/news/news/SpecialAlert/2009/sa09020.html
FDIC: SA-20-2009 January 15, 2009

:fear::mad:
 
Transient threats on the Web...

FYI...

- http://www.pcmag.com/article2/0,2817,2339712,00.asp
01.27.09 Larry Seltzer - "...AVG has released research that indicates the number and volatility of web sites serving malicious code is increasing dramatically... Almost 60% of these sites are up for less than one day. The goal of these techniques seems to be to defeat blacklist-based protections. AVG calls them transient threats. What are these web pages? Few are actually put up to serve malware. Some of them are blog comments, some are advertisements, many are legitimate web sites corrupted through HTML/script injection, and many have been corrupted through compromises of SQL servers through SQL injection. These compromised web sites are tricked into redirecting users to the few sites that directly serve the malware. The combination of the Apache web server and PHP scripting engine are a favorite target of attackers. There are large numbers of vulnerabilities for attackers to exploit and no automated patch system to make sure servers are protected... The actual malware being served varies from fake codecs, game password-stealing attacks to fake anti-spyware. The fake codec sites are the most volatile, with 62% active for less than a day. The fake anti-spyware sites are more stable, but 28% are active less than a day and the average is less than 2 weeks..."

:fear::mad:
 
Work-At-Home Scams...

FYI...

Work-At-Home Scams...
- http://www.ic3.gov/media/2009/090203.aspx
February 3, 2009 - "Consumers need to be vigilant when seeking employment on-line. The IC3 continues to receive numerous complaints from individuals who have fallen victim to work-at-home scams. Victims are often hired to "process payments", "transfer funds" or "reship products." These job scams involve the victims receiving and cashing fraudulent checks, transferring illegally obtained funds for the criminals, or receiving stolen merchandise and shipping it to the criminals. Other victims sign up to be a "mystery shopper", receiving fraudulent checks with instructions to cash the checks and wire the funds to "test" a company's services.

Victims are told they will be compensated with a portion of the merchandise or funds. Work-at-home schemes attract otherwise innocent individuals, causing them to become part of criminal schemes without realizing they are engaging in illegal behavior. Job scams often provide criminals the opportunity to commit identity theft when victims provide their personal information, sometimes even bank account information to their potential "employer." The criminal/employer can then use the victim's information to open credit cards, post on-line auctions, register Web sites, etc., in the victim's name to commit additional crimes..."

:fear::mad:
 
$9M Hacked at ATMs in 1 day...

FYI...

- http://blog.wired.com/27bstroke6/2009/02/atm.html
February 03, 2009 - "A carefully coordinated global ATM heist last November resulted in a one-day haul of $9 million in cash, after a hacker penetrated a server at payment processor RBS WorldPay... RBS WorldPay announced on December 23 that they'd been hacked, and personal information on approximately 1.5 million payroll-card and gift-card customers had been stolen. (Payroll cards are debit cards issued and recharged by employers as an alternative to paychecks and direct-deposit.) Now we know that account numbers and other mag-stripe data needed to clone the debit cards were also compromised in the breach. At the time, the company said it identified fraudulent activity on only 100 cards, making it sound like small beans. But it turns out the hacker managed to lift the withdrawal limits on those 100 cards, before dispatching a global army of cashers to drain them with repeated rapid-fire withdrawals. More than 130 ATMs in 49 cities from Moscow to Atlanta were hit simultaneously just after midnight Eastern Time on November 8. A class action lawsuit has been filed against RBS WorldPay on behalf of consumers..."
(Video available at the Wired URL above.)

- http://voices.washingtonpost.com/securityfix/2009/02/data_breach_led_to_multi-milli.html
February 5, 2009 - "...some $50 million was lost to ATM fraud in New York City alone over the course of one month last year..."

:mad::sick:
 