SPAM frauds, fakes, and other MALWARE deliveries - archive

GoDaddy Scam/Phish/Spam

FYI...

GoDaddy Scam/Phish/Spam
- http://isc.sans.edu/diary.html?storyid=9043
Last Updated: 2010-06-21 23:20:29 UTC - "A number of readers (and myself included) have received an email claiming to be from GoDaddy. The email is grammatically correct, and appears quite genuine. The subject is "GoDaddy.com Order Confirmation" and interestingly the images within the HTML are pulled from imagesak.godaddy.com, excepting one which came from "hxxp ://img.securepaynet.net/bbimage.aspx?pl=somecodeandmyemailaddress". The links in the emails I have seen point to "hxxp ://dextersss-com-ua.1gb.ua/zzx.htm" among others. The phishing site and IP address and domain registration are in the Ukraine."

:mad::fear:
 
Lenovo site - malicious IFrame-Trojan

FYI...

Lenovo Support website loads malicious IFrame, infects visitors with Trojan
- http://cyberinsecure.com/lenovo-support-website-loads-malicious-iframe-infects-visitors-with-trojan/
June 22, 2010 - "The support site of leading Chinese PC manufacturer Lenovo has been compromised by unknown attackers who injected a rogue IFrame into the pages over the weekend. Security researchers warn that unwary visitors looking for drivers are exposed to several exploits that install the Bredolab trojan onto their computers. According to a report from Vietnamese antivirus vendor Bkis, the pages have been infected since at least Sunday afternoon. However, some users have been reporting getting antivirus warnings when visiting Lenovo’s download website since Saturday. The IFrame points to an exploit kit hosted on a domain called volgo-marun .cn. After performing several checks to determine what vulnerable software they had installed on their computer, the visitors were served with exploits targeting older versions of Internet Explorer, Adobe Reader or Adobe Flash player... At the moment, the malicious executable is detected by only ten of the 41 antivirus products listed on VirusTotal. The entire download.lenovo .com subdomain has been blacklisted by Google’s Safe Browsing service. This means that Firefox or Chrome users should see malware warnings when opening resources hosted on it... Even though the malicious .cn domain appears to be dead at the moment, it could return back online at any time. Therefore, users are advised to stay clear of the Lenovo support website for a couple of days, until the manufacturer has a chance to clean it up and plug the hole that allowed the compromise in the first place."

:mad:
 
"Acct Verification" SPAM ...

FYI...

"Account Verification" - Malicious SPAM
- http://community.websense.com/blogs...icious-spam-campign-account-verification.aspx
22 Jun 2010 - "Websense... has detected a malicious spam outbreak with the Subject line "Account Verification". As of June 22, we have counted more than 100,000 of these messages. The attack message is disguised as coming from Digg.com. It asks the recipient to verify their Digg.com account. Clicking the "Password change" link in the email body redirects the user to malicious websites... There are two malicious links in the payload. The first link redirects the user to a site that prompts the user to download a Trojan file (29% detection)*. The second link (in an iframe) redirects the user to a site laden with exploits..."
* http://www.virustotal.com/analisis/...bb80bdff09d982ff936b5af79d55e0c061-1277203516
File D38C95FD009D21A46235010C3C9F0A00DCC1E9F6.exe received on 2010.06.22 10:45:16 (UTC)
Result: 12/41 (29.27%)

(Screenshot available at the Websense URL above.)

:mad::fear:
 
Targeted attacks - Excel files

FYI...

Targeted attacks with Excel files
- http://www.f-secure.com/weblog/archives/00001975.html
June 24, 2010 - "... fresh set of attacks done with XLS files... This is some sort of personnel list. Like the other examples here, it drops and runs a backdoor when viewed... An apparent agenda... a list of organizations... A budget file... FIFA World Cup 2010 match schedule... The exploit in these files targets Excel Pointer Offset Memory Corruption Vulnerability CVE-2009-3129*. As you can see, such attack files can look like perfectly normal and credible document files..."
* http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3129
CVSS v2 Base Score: 9.3 (HIGH)
MS09-067

(Screenshots available at the F-secure URL above.)

:mad::fear:
 
DEP & ASLR ignored...

FYI...

DEP & ASLR ignored...
- http://krebsonsecurity.com/2010/07/top-apps-largely-forgo-windows-security-protections/
July 1st, 2010 - "... Attackers usually craft software exploits so that they write data or programs to very specific, static sections in the operating system’s memory. To counter this, Microsoft introduced with Windows Vista (and Windows 7) a feature called address space layout randomization or ASLR, which constantly moves these memory points to different positions. Another defensive feature called data execution prevention (DEP) — first introduced with Windows XP SP2 back in 2004 — attempts to make it so that even if an attacker succeeds in guessing the location of the memory point they’re seeking, the code placed there will not execute or run... Secunia found that at least 50 percent of the applications examined — including Apple Quicktime, Foxit Reader, Google Picasa, Java, OpenOffice.org, RealPlayer, VideoLAN VLC Player, and AOL‘s Winamp — still do not invoke either DEP or ASLR. Secunia said DEP adoption has been slow and uneven between operating system versions, and that ASLR support is improperly implemented by nearly all vendors..."

- http://www.theregister.co.uk/2010/07/02/win_app_security_defences/
2 July 2010

- http://secunia.com/gfx/pdf/DEP_ASLR_2010_paper.pdf
June 29, 2010

:fear::fear::hair:
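The Secunia finding above comes down to two opt-in flags in each executable's PE header. As an added example (not code from the Krebs or Secunia write-ups), this script reads those flags so a defender can audit installed applications; the sample PE header it builds is constructed test data, not a real binary.

```python
"""Report whether a PE image opts in to ASLR and DEP (added example).

Not code from the Krebs or Secunia write-ups: it reads the flags Windows
consults in the PE optional header. DYNAMIC_BASE requests image-base
randomization (ASLR); NX_COMPAT marks the image DEP-compatible. A sample
header-only PE is constructed in memory so the check runs offline.
"""
import struct

DYNAMIC_BASE = 0x0040      # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
NX_COMPAT = 0x0100         # IMAGE_DLLCHARACTERISTICS_NX_COMPAT
RELOCS_STRIPPED = 0x0001   # IMAGE_FILE_RELOCS_STRIPPED (FileHeader.Characteristics)
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
FILE_HEADER_SIZE = 20
DLLCHARS_OFFSET = 0x46     # same offset in PE32 and PE32+ optional headers


def mitigation_status(data: bytes) -> dict:
    """Return {'aslr': bool, 'dep': bool} for the PE image bytes `data`."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    file_header = e_lfanew + 4
    characteristics = struct.unpack_from("<H", data, file_header + 18)[0]
    optional = file_header + FILE_HEADER_SIZE
    magic = struct.unpack_from("<H", data, optional)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dll_chars = struct.unpack_from("<H", data, optional + DLLCHARS_OFFSET)[0]
    # ASLR needs the opt-in flag *and* relocation data the loader can apply;
    # a DYNAMIC_BASE image whose relocations were stripped cannot be rebased.
    aslr = bool(dll_chars & DYNAMIC_BASE) and not (characteristics & RELOCS_STRIPPED)
    return {"aslr": aslr, "dep": bool(dll_chars & NX_COMPAT)}


def build_sample_pe(dll_chars: int, pe32plus: bool = False,
                    relocs_stripped: bool = False) -> bytes:
    """Construct a minimal header-only PE (test data, not a real binary)."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 240 if pe32plus else 224
    file_header = struct.pack(
        "<HHIIIHH",
        0x8664 if pe32plus else 0x14C,   # Machine
        0, 0, 0, 0,                      # sections, timestamp, symbol table, symbols
        opt_size,                        # SizeOfOptionalHeader
        0x0002 | (RELOCS_STRIPPED if relocs_stripped else 0),  # Characteristics
    )
    optional = bytearray(opt_size)
    struct.pack_into("<H", optional, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", optional, DLLCHARS_OFFSET, dll_chars)
    return bytes(dos) + b"PE\0\0" + file_header + bytes(optional)


def check_file(path: str) -> dict:
    """Convenience wrapper for an on-disk executable or DLL."""
    with open(path, "rb") as fh:
        return mitigation_status(fh.read())


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for p in sys.argv[1:]:
            print(p, check_file(p))
    else:
        print("sample opt-in :", mitigation_status(build_sample_pe(DYNAMIC_BASE | NX_COMPAT)))
        print("sample opt-out:", mitigation_status(build_sample_pe(0)))
```

Run it against a directory of installed binaries to reproduce the kind of survey Secunia describes; a `dep: False` result on a 2010-era player or reader is exactly the gap the article is about.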
 
Malware SPAM... Paypal fraud

FYI...

Malware SPAM... Paypal fraud
- http://techblog.avira.com/2010/07/03/malware-outbreak-paypal-security-warning/en/
July 3, 2010 - "There is a new wave of emails pretending to come from Paypal having a ZIP archive attached. The email claims that your Paypal account has been accessed by a third party and, in order to protect your account, the Paypal account has been locked. The user is invited to review the report attached to the email, a ZIP archive, containing a single executable file with a naming scheme like account-<number>-report.exe. There is no link inside the email, so everything is “easy to use”: the recipient of the mail needs just to extract the file and execute it... DON'T DO THAT as the ZIP archive contains a malware detected by all Avira products as dropper DR/Delphi.Gen."

- http://isc.sans.edu/diary.html?storyid=9118
Last Updated: 2010-07-03 22:35:44 UTC - "... 'Delivery Status Notification Failure'... Trojan.bredo... now using NDR and Failure reports to attempt to further their malicious activity."

:mad::fear:
 
SPAM with malware increases - botnet recruiting...

FYI...

SPAM with malware increases - botnet recruiting...
- http://www.informationweek.com/shared/printableArticle.jhtml?articleID=225702834
July 9, 2010 - "... According to Symantec*, spammers appear to be "trying to make up for the loss of several zombie networks, due to legal actions." In other words, they're pumping out spam with malware in an attempt to build their botnets back up to full strength, adding as many compromised - aka zombie - PCs as they can... attackers have also been creating more phishing websites that spoof Google's social networking site Orkut, especially in Brazilian Portuguese, since Orkut's biggest traction is in Brazil, said Symantec... This attention to detail may result from the need to trick the maximum number of people during the short window that a phishing site remains active - just 54 hours, according to Symantec - before it gets shut down."
* http://www.symantec.com/connect/blogs/spam-and-phishing-landscape-july-2010

:mad::fear:
 
DynDNS - malware sites

FYI...

DynDNS - malware sites
- http://sunbeltblog.blogspot.com/2010/07/dyndns-hosts-malware-sites.html
July 12, 2010 - "Over the past month or so we've seen quite a lot of malware coming from sub-domains of DynDNS .com, which is a dynamic DNS provider... The sub-domains are changing every (few) hours, though the folder and file name generally do not. The sub-domains, which appear to be semi-randomly named, usually resolve to this IP:
80.91.176.172
The files coming down are typically detected as Trojan.Win32.Alureon, Trojan-Downloader.Win32.FraudLoad, and Trojan.Win32.FakeAlert — although detection among major antivirus providers is spotty and varies wildly by file...
Bottom line: any company that makes available services allowing anonymous users to post or distribute content/files for free will become a preferred means for distributing malware. These services have a responsibility to police the use of their free services."

(More detail available at the Sunbelt URL above.)

:mad:
 
More malicious ZBot SPAM ...

FYI...

More malicious ZBot SPAM...
- http://www.sophos.com/blogs/gc/g/20...nt-request-from-email-attack-strikes-inboxes/
July 13, 2010 - "... Malicious hackers have spammed out the latest incarnation of a campaign designed to compromise your computer - this time disguising their emails as though they were payment requests from eBay. The emails have a blank message body, but have a file called form.html attached... Of course it's a sneaky piece of social engineering on the behalf of the hackers. Many people would be tempted to open the attachment to find out what on earth the email is about... And opening the attachment (which Sophos detects as Troj/JSRedir-BV) redirects your web browser to a recently compromised webpage on a legitimate site infected with Mal/Iframe-Q... Firstly, your browser is redirected to a spam-related website (for instance, a Canadian pharmacy store). This may make you believe that the attack is merely designed to advertise medications on behalf of the spammers... Furthermore, however, a malicious iFrame also downloads further malware from other third-party websites. This malware can obviously be changed at anytime, but we have seen versions of the ZBot family of malware be distributed in the attack... the emails don't have to pretend to be from eBay to be malicious. Recently we've seen other criminal email campaigns with dangerous html attachments involving Adult Friend Finder, romantic interest & Skype purchases, Facebook porn & Skype payment problems, and Facebook password resets amongst others."

:mad:
 
Cyber fraud and banks ...

FYI...

Cyber fraud and banks ...
- http://krebsonsecurity.com/2010/07/the-case-for-cybersecurity-insurance-part-ii/
July 14, 2010 - "... When consumers lose money due to cyber fraud, retail banks are required by law to refund the money — provided the victim doesn’t wait too long in reporting the unauthorized charges. Commercial banks, however, are under no such obligation, although they usually will work with the victim customer to try to reverse as many of the fraudulent transfers as possible... the attackers also evaded procedural security measures the company put in place to ensure that two employees signed off on every transaction..."

Further reading: The Case for Cybersecurity Insurance, Part I
- http://krebsonsecurity.com/2010/06/the-case-for-cybersecurity-insurance-part-i/

:fear::mad::fear:
 
SPAM via DHA on the increase...

FYI...

SPAM via DHA on the increase...
- http://www.symantec.com/connect/blogs/spammers-harvesting-high-gear
July 15, 2010 - "... observed a dramatic increase in the directory harvest attack (DHA*) method. There was a staggering 15 times increase in DHA attacks during the first week of July 2010 when compared to the same period in June 2010. The spike was observed in the second week of June and is still rife. *So what exactly is a directory harvest attack? It is one of the methods spammers use to gather valid email addresses. One of the ways to generate email addresses to carry out this attack is by creating all possible alphanumeric combinations that could be used for the username part of an email address (up to a maximum length) and appending it to a domain. Alternatively, the dictionary attack method is used to generate email addresses, which is the preferred tactic of spammers... The list of valid email addresses collected by this attack method potentially improves the spammers’ deliverability and conversion rate by targeting a set of only valid email addresses. In addition, these valid email addresses can also be sold as email lists in the underground economy..."

- http://isc.sans.edu/diary.html?storyid=9175
Last Updated: 2010-07-15 15:18:33 UTC

It -will- take some time for SPAM blockers and AV to catch up with this...

:fear::fear:
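On the receiving mail server the harvest described above is visible as one client hammering many recipients that do not exist. As an added example (not from the Symantec or SANS posts), this detector counts distinct "User unknown" rejections per client over constructed Postfix-style log lines and flags the harvester.

```python
"""Flag directory-harvest-attack (DHA) sources in mail-server logs.

Added example, not taken from the Symantec or SANS posts: on the receiving
MTA a DHA looks like one client probing many recipients that do not exist.
The log lines are constructed in Postfix smtpd style; the detector counts
distinct "User unknown" rejections per client IP and flags clients whose
probing exceeds a count threshold and a rejection-ratio threshold.
"""
import re
from collections import defaultdict

# Postfix "User unknown" rejection: capture the client IP and the probed recipient.
REJECT_RE = re.compile(
    r"NOQUEUE: reject: RCPT from \S+\[(?P<ip>[0-9.]+)\]: 550 [0-9.]+ "
    r"<(?P<rcpt>[^>]+)>: Recipient address rejected: User unknown"
)
# Postfix "client=" line, logged with a queue ID once a message is accepted for queuing.
ACCEPT_RE = re.compile(r"postfix/smtpd\[\d+\]: [0-9A-F]+: client=\S+\[(?P<ip>[0-9.]+)\]")

# Constructed sample: 192.0.2.10 walks a dictionary of first names; 198.51.100.7 is a
# normal sender that mistyped one address.
SAMPLE_LOG = """\
Jul  6 10:15:01 mx1 postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <aaron@example.com>: Recipient address rejected: User unknown in local recipient table; from=<news@example.net> to=<aaron@example.com> proto=ESMTP helo=<mail.example.net>
Jul  6 10:15:01 mx1 postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <abbey@example.com>: Recipient address rejected: User unknown in local recipient table; from=<news@example.net> to=<abbey@example.com> proto=ESMTP helo=<mail.example.net>
Jul  6 10:15:02 mx1 postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <abbot@example.com>: Recipient address rejected: User unknown in local recipient table; from=<news@example.net> to=<abbot@example.com> proto=ESMTP helo=<mail.example.net>
Jul  6 10:15:02 mx1 postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <abby@example.com>: Recipient address rejected: User unknown in local recipient table; from=<news@example.net> to=<abby@example.com> proto=ESMTP helo=<mail.example.net>
Jul  6 10:15:03 mx1 postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <abel@example.com>: Recipient address rejected: User unknown in local recipient table; from=<news@example.net> to=<abel@example.com> proto=ESMTP helo=<mail.example.net>
Jul  6 10:15:03 mx1 postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <abigail@example.com>: Recipient address rejected: User unknown in local recipient table; from=<news@example.net> to=<abigail@example.com> proto=ESMTP helo=<mail.example.net>
Jul  6 10:16:30 mx1 postfix/smtpd[2102]: 7F3A21C9D0: client=mail.example.org[198.51.100.7]
Jul  6 10:16:31 mx1 postfix/smtpd[2102]: NOQUEUE: reject: RCPT from mail.example.org[198.51.100.7]: 550 5.1.1 <j.smiht@example.com>: Recipient address rejected: User unknown in local recipient table; from=<pat@example.org> to=<j.smiht@example.com> proto=ESMTP helo=<mail.example.org>
Jul  6 10:16:32 mx1 postfix/smtpd[2102]: 7F3A21C9D1: client=mail.example.org[198.51.100.7]
"""


def harvest_sources(log_text: str, min_unknown: int = 5, min_ratio: float = 0.8) -> dict:
    """Return {client_ip: stats} for clients whose traffic looks like a DHA.

    A client is flagged when it probed at least `min_unknown` distinct
    non-existent recipients and those probes make up at least `min_ratio`
    of everything it attempted in the supplied log slice.
    """
    unknown = defaultdict(set)   # ip -> distinct recipients that do not exist
    accepted = defaultdict(int)  # ip -> messages accepted for delivery
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            unknown[m["ip"]].add(m["rcpt"].lower())
            continue
        m = ACCEPT_RE.search(line)
        if m:
            accepted[m["ip"]] += 1
    flagged = {}
    for ip in sorted(set(unknown) | set(accepted)):
        bad, good = len(unknown[ip]), accepted[ip]
        ratio = bad / (bad + good) if bad + good else 0.0
        if bad >= min_unknown and ratio >= min_ratio:
            flagged[ip] = {"unknown_recipients": bad, "accepted": good,
                           "reject_ratio": round(ratio, 2)}
    return flagged


if __name__ == "__main__":
    for ip, stats in harvest_sources(SAMPLE_LOG).items():
        print(f"possible DHA from {ip}: {stats}")
```

The thresholds are assumptions to tune per site; the output is what you would feed into a rate limit or temporary block for the offending client, which is cheaper than waiting for the resulting spam to arrive.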
 
Fake MS Advisory SPAM...

FYI...

Fake MS Advisory SPAM...
- http://blog.trendmicro.com/zeuszbot-and-sality-jump-on-the-lnk-exploit-bandwagon/
July 27, 2010 - "... exploits targeting the Windows shortcut zero-day vulnerability have risen in number. It is also now being used to spread ZBOT variants via malicious attachments to spammed messages... with the subject Microsoft Windows Security Advisory... the attached archive contains a malicious .LNK file that Trend Micro proactively detects as LNK_STUXNET.SM. Also included is a malicious .DLL file detected as TROJ_ZBOT.BXW. When the exploit code in the shortcut is triggered, it runs the malware component, which then downloads and executes the main malware, TROJ_ZBOT.BXW. TROJ_ZBOT.BXW is one of the ZBOT 2.0 variants that we spotted earlier this year, highlighting how widespread the vulnerability is now being exploited. SALITY file infectors are now using this vulnerability as well... malware using the LNK vulnerability can spread more easily than those that use the AUTORUN.INF file. Until a patch to resolve the vulnerability is released, even more malware families are likely to exploit it."

:mad::fear:
 
Fake jobs, fake checks...

FYI...

Fake jobs, fake checks...
- http://www.secureworks.com/research/threats/big-boss/
July 28, 2010 - "... In April 2010, during the course of an unrelated investigation, SecureWorks' Counter Threat Unit (CTU) discovered a unique variant of the well-known ZeuS trojan... Analysis of the sample revealed that in addition to the ordinary ZeuS functionality of stealing credentials, two new functions had been added:
1. The infected system listens on a random TCP port in order to serve as a SOCKS proxy
2. The infected system establishes a VPN (Virtual Private Network) connection to a remote server using the PPTP (Point-to-Point Tunneling Protocol) functionality built-in to Windows.
Although it is very common for trojans (especially ones designed to aid in financial fraud) to employ proxy server capability, this is the first time that the CTU has seen the use of VPN technology in such software... by employing the very simple VPN functionality built right in to Windows, the criminal bypasses the need to develop complex systems, and can simply route his/her malicious traffic over the VPN... some of the activity CTU observed traversing the proxy botnet at different times.
• Money mule job offer spam through multiple webmail services
• Scraping of job websites to obtain new email addresses to spam...
Essentially, the hackers are logging into online job sites and pulling email addresses of those looking for jobs... criminals have developed sophisticated malware that can intercept and alter transactions in progress, even when two-factor authentication is in play. Antivirus engines are unlikely to catch these malicious programs until it is too late... it would be extremely beneficial if those signing up for a job site are required to read and understand about the different kinds of fraudulent job offers they might receive, what kinds of red flags they might see in a fraudulent offer, along with guidelines for checking out a prospective hirer's legitimacy. If all of these parties were able to block these kinds of abuses, the criminals would find it much more difficult to carry out an operation of this scale."

(More detail and screenshots at the Secureworks URL above.)

- http://www.theregister.co.uk/2010/07/28/automated_check_counterfeiting/
28 July 2010

:mad::fear:
 
Malware movies...

FYI...

Malware movies...
- http://blog.trendmicro.com/quicktime-player-allows-movie-files-to-trigger-malware-download/
July 30, 2010 - "... encountered two .MOV files (001 Dvdrip Salt.mov and salt dvdrpi [btjunkie][xtrancex].mov) that both used the recent movie Salt, starring Angelina Jolie. It looks suspicious enough because of its relatively small size compared with regular movie files. When the movie files are loaded to QuickTime, it doesn’t show any live action scenes but leads users to download malware pretending to be either an update codec or another player installation... According to Apple, the two .MOV files do not make use of an exploit, instead “they rely on social engineering to trick the user into downloading the malware disguised as a movie codec. This is -not- related to the vulnerability reported by Secunia*..."
* http://secunia.com/advisories/40729
Release Date: 2010-07-26
Criticality level: Highly critical
Impact: System access
Where: From remote
Solution Status: Unpatched
... The vulnerability is confirmed in version 7.6.6 (1671) for Windows..."

More "Salt":
- http://sunbeltblog.blogspot.com/2010/08/not-enough-salt-in-your-clickpotato.html
August 02, 2010

:mad:
 
Web 2.0 undermines Enterprise Security...

FYI...

Web 2.0 undermines Enterprise Security...
- http://www.informationweek.com/shared/printableArticle.jhtml?articleID=226500076
Aug. 2, 2010 - "More than 80% of security administrators think that Web 2.0 applications - social networking tools, widgets, instant messaging programs, and their ilk - are undermining enterprise security. Furthermore, one in five think that employees rarely or never consider the consequences to corporate security of engaging in such activities as downloading applications from the Internet, streaming video, or using peer-to-peer file-sharing sites. Those results come from a new survey of more than 2,100 IT security administrators in the United States, United Kingdom, France, Japan, and Australia. The survey was conducted by the Ponemon Institute and sponsored by Check Point Software Technologies... The survey also found that nearly half of security managers think that minimizing Web 2.0 risks is an urgent priority. According to respondents, the top threats posed by Web 2.0 applications are, in order, poor workplace productivity, malware, data loss, and viruses..."

:fear::mad::fear:
 
2010 tax-themed malicious emails

FYI...

(More) tax-themed malicious emails
- http://community.websense.com/blogs...04/2010-Tax_2D00_Themed-Malicious-Emails.aspx
4 Aug 2010 - "Websense... has detected a wave of tax-themed malicious email. While the tax theme in spam email is common all year round, it is interesting to see the different strategies malicious authors use in their campaigns. We have seen reports last June about email with the subject "Notice of Underreported Income". Today, we have seen a couple of email having the same subject but with different attack strategies. The first sample below uses a malicious link just like those distributed earlier. Unlike earlier malicious email, which redirects to a fake IRS site that instructs the user to download a malicious file (tax-statement.exe), this link saves the victim a couple of clicks by prompting to download a file (adobe_flash_install.exe) immediately without going to a fake IRS site... The second sample below is more aggressive in that the malicious zip [MD5:dfbb95730b2377cccf8372107bdef503] is attached in the email. It is recognized by 1/42 AV engines via VirusTotal*... In addition to these, we are seeing malicious email with the subject “You are in a higher tax bracket”. It also has a malicious zip [MD5: 3b9c60c761734fcd4ac7a753c93ec5d1] attached to it and is recognized by 1/42 AV engines via VirusTotal*..."
* http://www.virustotal.com/analisis/...e4d362246950bf33861cf6a2d44a937d85-1280939399
File tax_statement.zip received on 2010.08.04 16:29:59 (UTC)
Result: 1/42 (2.38%)

:mad:
 
100+ sites compromised - Media Temple host svrs...

FYI...

100+ sites compromised - Media Temple host svrs...
- http://community.websense.com/blogs...e-injections-lead-to-Phoenix-Exploit-Kit.aspx
05 Aug 2010 - "Websense... has discovered that over 100 Web sites on the Media Temple Web host servers have been compromised, and will lead visitors to the Phoenix Exploit Kit. It's not the first time they have had a WordPress injection, but a quick investigation suggests that only 46% of these sites have WordPress installed, and Sucuri Scanner* reveals that they do have multiple vulnerabilities... According to the statement from Media Temple, neither Media Temple’s architecture nor the up-to-date versions of WordPress is the source of these compromises. Some insecure 3rd-party software applications installed on customer servers are the root cause, which has been verified by Sucuri... The Phoenix Exploit Kit** is a sophisticated hacker tool set that exploits several of the latest vulnerabilities on popular vectors to execute arbitrary code..."
* http://sucuri.net/?page=scan

** http://community.websense.com/resiz...nts.WeblogFiles/securitylabs/7367.Capture.PNG
___

- http://weblog.mediatemple.net/weblog/2010/08/06/security-facts/#more-2365
updated 8/6/10 5:10 pm - Recent Attacks...

- http://www.m86security.com/labs/i/Phoenix-Exploit-Kit-2-0,trace.1427~.asp
m86security (Last Reviewed: August 3, 2010)

:sad::mad::fear:
 
Rogue AV SPAM

FYI...

Rogue AV SPAM...
- http://community.websense.com/blogs/securitylabs/archive/2010/08/06/You-have-Rogue-Mail.aspx
06 Aug 2010 - "Websense... has detected thousands of malicious emails purporting to be from big-brand companies like Target, Macy’s, Best Buy, and Evite... All the malicious URLs associated in the emails above redirect to the same fake AV web site. Users are then prompted to run a malicious executable called "antivirus_24.exe" [MD5: 5be4b708a68687cb5490fe2caea49c82], currently detected by 11/42 AV engines*..."
* http://www.virustotal.com/analisis/...15a2ec2fe57559ddc9747aeceb19db98d6-1281107011
File antivirus_24.exe received on 2010.08.06 15:03:31 (UTC)
Result: 11/41 (26.83%)

- http://ddanchev.blogspot.com/2010/08/spamvertised-best-buy-macys-evite-and.html
August 09, 2010

:mad:
 
Red Cross site(s) hacked...

FYI...

Red Cross site(s) hacked...
- http://www.esecurityplanet.com/features/print.php/3898516
August 13, 2010 - "Zscaler this week uncovered a new malware scam targeting the Red Cross of Serbia, the second time in five months that hackers have zeroed in on one of the international humanitarian organization's public websites. Hackers managed to inject a malicious JavaScript file, "hxxp ://obsurewax.ru/Kbps .js" into several pages on the Red Cross of Serbia's homepage. Most antivirus software programs now prevent Internet users from accessing the site, but before being caught, the malware could have infected users' machines to capture personal information and spread even more malware and spam... Back in March, the American Red Cross East Shoreline Chapter's website* was hit by a malware campaign that used iframe injections to infect several pages with malicious code and links. Zscaler said it has already notified the Red Cross of Serbia of this latest cyber attack. The assault marks only the latest victory for cyber criminals as they launch ever more numerous efforts to penetrate users' systems and steal critical data..."
* http://research.zscaler.com/2010/03/redcross-site-hacked.html

:mad:
 
Obfuscated links in emails using JavaScript

FYI...

Obfuscated links in emails using JavaScript
- http://techblog.avira.com/2010/08/27/obfuscated-links-in-emails-using-javascript/en/
August 27, 2010 - "Our spam traps started to receive a bunch of Phishing emails... having no link inside. We know many tricks how to hide the URL (JavaScript, form, etc.) but this one was new: Pretending to be an invoice in HTML format, the attached HTML document displays the same content as in the mail body and immediately redirects to the fake website... The email looks quite usual for spam or Phishing on first sight, but the interesting part comes after analysing the attached HTML document. The document contains, inside the row of a table, a piece of obfuscated JavaScript code. In simple terms, the JavaScript code uses the property of each document called “location” to redirect the web browser to the fake website. The first idea coming to mind is that almost no modern email client executes JavaScript when rendering an HTML document. However, even if the email client (Outlook, Windows Mail, Thunderbird, etc.) doesn’t execute the script, the web browser does. As soon as the user opens the attachment with a double click, the web browser opens it and gets immediately redirected to the fake website. The website wasn’t available anymore when we started to analyze the emails."

(Screenshots available at the URL above.)

:fear::mad:
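The Avira post above and the Sophos form.html campaign earlier in this thread describe the same lure: an HTML attachment that redirects the browser through the document's `location` property once opened. As an added example (not code from either vendor), this mail-gateway style scanner pulls the script out of an attachment, undoes the cheap obfuscations the Avira post mentions, and reports the redirect; the sample attachments are constructed and phish.example is a placeholder host.

```python
"""Find JavaScript redirects hidden in HTML e-mail attachments (added example).

Not code from the Avira or Sophos posts. Both describe the same lure: an HTML
attachment styled as an invoice or payment form that, when opened in a
browser, sets the document's `location` to a fraud site. The scanner extracts
<script> bodies, undoes the cheap obfuscations (String.fromCharCode, %xx
escapes, "a"+"b" joins, obj["prop"]) and reports location-based redirects.
The attachments in SAMPLES are constructed; phish.example is a placeholder.
"""
import re
from html.parser import HTMLParser
from urllib.parse import unquote


class _ScriptCollector(HTMLParser):
    """Gather raw <script> bodies and any <meta http-equiv=refresh> targets."""
    def __init__(self):
        super().__init__()
        self.scripts, self.meta_refresh, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
        elif tag == "meta":
            a = dict(attrs)
            if (a.get("http-equiv") or "").lower() == "refresh":
                self.meta_refresh.append(a.get("content") or "")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)


def normalize_js(src: str) -> str:
    """Undo the simple obfuscations so the redirect reads as plain JavaScript."""
    def _chars(m):  # String.fromCharCode(108,111,...) -> "lo..."
        return '"' + "".join(chr(int(n)) for n in re.findall(r"\d+", m.group(1))) + '"'
    src = re.sub(r"String\.fromCharCode\(([\d,\s]+)\)", _chars, src)
    src = unquote(src)                                                   # %6c%6f -> lo
    src = re.sub(r"""(['"])\s*\+\s*\1""", "", src)                       # "h"+"ref" -> "href"
    src = re.sub(r"""\[\s*(['"])([A-Za-z_]\w*)\1\s*\]""", r".\2", src)  # d["location"] -> d.location
    return src


# Matches `location = x`, `location.href = x`, `location.replace(x)`, `location.assign(x)`;
# a comparison such as `location == x` is not a redirect and is skipped.
REDIRECT_RE = re.compile(r"\blocation\b\s*(?:\.\s*(?:href|replace|assign)\b)?\s*(?:=(?!=)|\()")


def find_redirects(html: str) -> list:
    """Return the redirect constructs found in one HTML attachment (empty if clean)."""
    p = _ScriptCollector()
    p.feed(html)
    hits = ["meta refresh: " + c for c in p.meta_refresh]
    for script in p.scripts:
        hits.extend(m.group(0).strip() for m in REDIRECT_RE.finditer(normalize_js(script)))
    return hits


SAMPLES = {  # constructed attachments; phish.example is a placeholder host
    "invoice_clean.html": "<html><body><table><tr><td>Invoice 1042: total 39.90</td></tr></table></body></html>",
    "invoice_redirect.html": '<html><body><p>Loading invoice...</p><script>document.location = "http://phish.example/inv";</script></body></html>',
    "form_obfuscated.html": (
        "<html><body><table><tr><td>Your payment request is attached.</td></tr><tr><td>"
        '<script>var d=document;d[String.fromCharCode(108,111,99,97,116,105,111,110)]'
        '["h"+"ref"]=unescape("%68%74%74%70%3a%2f%2fphish.example/x");</script>'
        "</td></tr></table></body></html>"
    ),
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name}: {find_redirects(body) or 'no redirect found'}")
```

A stricter policy for a gateway is to quarantine any HTML attachment containing a `<script>` element at all, since an invoice has no legitimate need for one; this scanner is for the case where that is not acceptable.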
 