SPAM frauds, fakes, and other MALWARE deliveries - archive

iTunes store - SPAM campaign...

FYI...

iTunes store - SPAM campaign
- http://pandalabs.pandasecurity.com/itunes-store-spam-campaign/
10.01.10 - "Right after the LinkedIn Spam Campaign, we saw a brand new Spam Campaign impersonating the iTunes Store. The e-mail appears to arrive from, or on behalf of, the iTunes Store and is an exact copy of the official iTunes Store Receipt e-mail... The whole purpose of the email is not to show what you have purchased from the iTunes Store; it is to get you to click “Report a Problem” and lead you to a fake Adobe Flash installer... The exe file is actually connecting to some .ru web site to download some other files..."
(Screenshots available at the URL above.)

- http://www.esecurityplanet.com/feat...hishing-Campaign-Targets-iTunes-Customers.htm
October 5, 2010 - "... the new scam discovered this week starts with an unsolicited email with the subject, "Your receipt #" followed by a random number. The sender's address claims to be "iTunes Store" and spoofs the address donotreply@itunes[dot]com. Within the email is a bogus iTunes receipt complete with formatting and syntax that makes it pretty clear that it's not from Apple's popular online music store, including the alleged "unit price" and "order total." In the example provided on the AppRiver security blog*, the math didn't add up and the charges for the bogus purchases were several hundred dollars, a figure that would likely raise suspicion among even the most naïve Internet users. The problem, however, is that when users click on any of the links contained within the email, they're redirected to one of 100 or more domains ending in .info where the malicious Zeus Trojan malware is then installed on their PCs or mobile devices..."
* http://blogs.appriver.com/blog/appriver/0/0/no-thanks-for-your-purchase

:fear::mad:
 
Browser exploits delivered as HTML attachments

FYI...

Browser exploits delivered as HTML attachments
- http://blog.urlvoid.com/browsers-exploits-delivered-as-html-attachment/
October 6, 2010 - "We have logged more than 300 email messages with various attached HTML files containing obfuscated JavaScript code that is used to redirect users to download malicious executable files that install the ZBot banking trojan. We also noticed that some HTML files redirected us to external URLs containing web browser exploit kits intended to exploit a few IE, FF, PDF and Java vulnerabilities, in order to install (the) TDSS rootkit..."
(Screenshots and email/SPAM subjects at the URL above.)

:fear::mad:
 
3.5B malicious URLs... 1H-2010 Threat Report

FYI...

3.5B malicious URLs... 1H-2010 Threat Report
- http://blog.trendmicro.com/emea-spam-growth-apac-infections-in-global-1h-2010-threat-report/
Oct 6, 2010 - "... Threat Report for the first half of the year. The report focuses on the global trends in online threats that we have seen.
• Threat Trends: Europe became the largest source of spam globally in the first half of the year... Commercial, scam-based, and pharmaceutical/medical SPAM accounted for 65 percent of the total number of SPAM worldwide. HTML SPAM was the most common kind of SPAM.
• We saw significant growth in the number of malicious URLs, which increased from 1.5 billion at the start of the year to over 3.5 billion by June...
• Trojans accounted for about 60 percent of the new patterns... The majority of Trojans lead to data-stealing malware...
• India and Brazil were identified as the countries with the greatest number of computers that became part of botnets. These bots are used to distribute malware, to perpetrate criminal attacks, and to send out SPAM.
• The education sector was the most targeted industry... Nearly half of all malware infections occurred within schools and universities...
• The ZeuS and KOOBFACE malware families were among the most prolific... Hundreds of new ZeuS variants are seen... every day and this is not likely to change in the near future... the KOOBFACE botnet has become the largest social networking threat to date...
• In the first half of 2010, a total of 2,552 vulnerabilities were reported... These vulnerabilities facilitated “drive-by” threats wherein all that is necessary to become infected is to -visit- a compromised website..."

- http://blog.urlvoid.com/1000-hacked-websites-used-for-blackhat-seo/
July 15, 2010

:fear::mad:
 
DOWNAD/Conficker II ? ...

FYI...

DOWNAD/Conficker II ?...

- http://blog.trendmicro.com/file-infector-uses-domain-generation-technique-like-downadconficker/
Oct 7, 2010 - "... This threat, detected as PE_LICAT.A, uses a domain generation algorithm, a technique last seen in WORM_DOWNAD/Conficker variants. This technique allows the file infector to download and execute malicious files from various servers on the Internet. Like WORM_DOWNAD, PE_LICAT.A generates a list of domain names from which it downloads other malicious files. The domain name generation function is based on a randomizing function, which is computed from the current UTC system date and time. This particular randomizing function returns different results every minute... whenever a file infected by PE_LICAT.A is executed, the malware generates a pseudorandom domain name, with the exact value depending on the system’s time. It then tries to connect to the said domain name. If it is successful, it downloads and executes the file at that pseudorandom URL. If not, it tries up to 800 times, generating a “new” URL every time. This helps ensure that the malware will be able to keep itself updated and even if one or more domains are taken offline, others can take its place..."
- http://blog.trendmicro.com/links-between-pe_licat-and-zeus-confirmed/
Oct 8, 2010 - "... We have been able to isolate a copy of the main file infector, which we detect as PE_LICAT.A-O... It injects itself into the Explorer.exe process, which has two effects. First, it becomes memory resident. Secondly, any file executed afterwards becomes infected with malicious code and is detected as PE_LICAT.A. We have looked into the pseudorandom domains that LICAT uses to download files from. Every time PE_LICAT.A is executed it attempts to download files from these domains, trying to do so a maximum of 800 times... Our monitoring indicates that most of these domains have not been registered. A small number have been registered, and although some of the sites these actually lead to are currently inaccessible, some are still alive and active... These domains appear to link PE_LICAT and ZeuS. Several of the domains that PE_LICAT was scheduled to download files from in late September are confirmed to be known ZeuS domains in that period... Another domain was hosted on an ISP that has seen significant levels of ZeuS-related activity in the past, and is a known haven for cybercrime... The downloader file shows certain behavior often associated with ZeuS..."

- http://blog.trendmicro.com/zeuss-response-to-automated-analysis/
Updated... Oct. 14, 2010

:fear::mad::fear:
 
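As an added example (not code from the Trend Micro posts, and not PE_LICAT's real algorithm), here is a Python model of the minute-seeded, 800-attempt domain generation described above, used the way defenders use a reversed DGA: precomputing a time window's candidate domains and matching them against a DNS query log. The seed and hash scheme, the TLD list, the log format and the sample log are all constructed assumptions.

```python
"""
Model of a time-seeded domain generation algorithm (DGA) and its defensive use.

Once a family's seed function is reversed, the candidate domains for any
minute can be precomputed, matched against DNS logs, or pre-registered for
sinkholing. The hash/seed scheme below is a made-up stand-in, NOT PE_LICAT's.
"""
import hashlib
from datetime import datetime, timedelta, timezone

TLDS = ("com", "net", "biz", "info")   # constructed TLD list (assumption)
MAX_ATTEMPTS = 800                     # the article's figure: up to 800 tries per run


def parse_utc(iso: str) -> datetime:
    """Parse a constructed 'YYYY-MM-DDTHH:MM:SSZ' timestamp as aware UTC."""
    return datetime.strptime(iso, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def minute_seed(when: datetime) -> bytes:
    """Seed derived from UTC date and time, changing once per minute."""
    return when.astimezone(timezone.utc).strftime("%Y%m%d%H%M").encode()


def generate_domains(when: datetime, count: int = MAX_ATTEMPTS) -> list:
    """Derive `count` pseudorandom domains for the minute containing `when`.

    Hypothetical scheme: SHA-256 over (seed || attempt index); the first 12
    digest bytes become a lowercase label, the last byte selects the TLD.
    """
    seed = minute_seed(when)
    domains = []
    for i in range(count):
        digest = hashlib.sha256(seed + i.to_bytes(2, "big")).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:12])
        domains.append(f"{label}.{TLDS[digest[-1] % len(TLDS)]}")
    return domains


def precompute_blocklist(start: datetime, minutes: int) -> set:
    """Every candidate domain for a window of `minutes` beginning at `start`."""
    block = set()
    for m in range(minutes):
        block.update(generate_domains(start + timedelta(minutes=m)))
    return block


def match_dns_log(log_lines, blocklist) -> list:
    """Return (timestamp, client, qname) for queries that hit a DGA candidate.

    Constructed log format: '<ISO-8601 UTC time> <client-ip> <qname>'.
    """
    hits = []
    for line in log_lines:
        ts, client, qname = line.split()
        qname = qname.rstrip(".").lower()      # normalise trailing dot / case
        if qname in blocklist:
            hits.append((ts, client, qname))
    return hits


def build_sample_log(when: datetime) -> list:
    """Constructed DNS log: two benign queries and one DGA candidate of this minute."""
    candidate = generate_domains(when, 5)[3]
    ts = when.strftime("%Y-%m-%dT%H:%M:%SZ")
    return [
        f"{ts} 10.0.0.15 www.example.com.",
        f"{ts} 10.0.0.15 {candidate}.",
        f"{ts} 10.0.0.22 mail.example.org.",
    ]


if __name__ == "__main__":
    start = parse_utc("2010-09-28T12:00:00Z")      # constructed time
    blocklist = precompute_blocklist(start, minutes=60)
    for hit in match_dns_log(build_sample_log(start), blocklist):
        print("DGA candidate queried:", hit)
```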
LinkedIn attack also spread Bugat trojan...

FYI...

LinkedIn attack also spread Bugat trojan...
- http://www.darkreading.com/shared/printableArticle.jhtml?articleID=227701191
Oct. 12, 2010 - "... while Zeus, indeed, is the undisputed king of financial fraud malware today, a handful of other banking Trojans in the wings are slowly and quietly gaining ground. The Bugat Trojan is one such malware family that has been overshadowed by Zeus, and it turns out it was also distributed in the recent LinkedIn phishing attack - not just Zeus, as some experts had believed. Amit Klein, CTO at Trusteer, says his firm spotted Bugat spreading in the attacks. "There were a lot of malicious payloads being distributed, but the interesting one that we kept seeing was Bugat," Klein says. The LinkedIn phishing attack last month, which was considered the largest-ever such attack, sent LinkedIn members email messages reminding them of messages in their accounts, and included a malicious URL that directed them to a phony site that installed the Bugat executable, according to Trusteer researchers. Bugat was initially discovered in February by SecureWorks* and has some features similar to those found in banking Trojans Zeus and Clampi, but with a few twists. It uses an SSL-encrypted command-and-control (C&C) infrastructure using HTTP-S, and also steals FTP and POP credentials in those sessions. It was originally distributed via the Zbot botnet that spreads the pervasive Zeus. Then there's Carberp**, a banking Trojan that was first spotted spreading in May and now appears to be morphing into an even more sophisticated piece of malware, according to researchers at TrustDefender Labs. It disables other Trojans on the machine it infects and can run without administrative privileges. It also goes after Windows Vista and Windows 7, as well as XP..."
* http://www.secureworks.com/research...ing-ach-and-wire-payment-sites-is-discovered/

** http://www.trustdefender.com/blog/2010/10/06/carberp-–-a-new-trojan-in-the-making/
Oct. 6, 2010

- http://blog.trendmicro.com/carberp-trojan-steals-information/
Oct. 14, 2010

:fear::mad:
 
Hijacked MS network pushes Canadian pharmacy

FYI...

Hijacked MS network pushes Canadian pharmacy
- http://www.theregister.co.uk/2010/10/12/microsoft_ips_hijacked/
12 October 2010 - "For the past three weeks, internet addresses belonging to Microsoft have been used to route traffic to more than 1,000 fraudulent websites maintained by a notorious group of Russian criminals, publicly accessible internet data indicates. The 1,025 unique websites — which include seizemed .com, yourrulers .com, and crashcoursecomputing .com — push Viagra, Human Growth Hormone, and other pharmaceuticals through the Canadian Health&Care Mall. They use one of two IP addresses belonging to Microsoft to host their official domain name system servers, search results from Microsoft’s own servers show. The authoritative name servers have been hosted on the Microsoft addresses since at least September 22... The Register independently verified his findings with other security experts who specialize in DNS and the take-down of criminal websites and botnets. By examining results used with an internet lookup tool known as Dig, short for the Domain Information Groper, they were able to determine that 131.107.202.197 and 131.107.202.198 — which are both registered to Microsoft — are housing dozens of DNS servers that help convert the pharmacy domain names into the numerical IP addresses that host the sites. The most likely explanation, they say, is that a machine on Microsoft's campus has been programmed to do so, probably after it became infected with malware... A Microsoft spokeswoman said she was investigating the findings and expected to provide a statement once the investigation was completed..."

- http://krebsonsecurity.com/2010/10/pill-gang-used-microsofts-network-to-attack-krebsonsecurity-com/
October 13, 2010

:mad::fear:
 
MS network used by Pill gang in attack...

FYI...

MS network used by Pill gang in attack...
- http://krebsonsecurity.com/2010/10/pill-gang-used-microsofts-network-to-attack-krebsonsecurity-com/
October 13, 2010 / Update, 7:34 p.m. ET - "Christopher Budd, Microsoft’s response manager for trustworthy computing, sent this statement via email: “Microsoft became aware of reports on Tuesday, October 12, 2010, of a device on the Microsoft network that was possibly compromised and facilitating spam attacks. Upon hearing these reports, we immediately launched an investigation. We have completed our investigation and found that two misconfigured network hardware devices in a testing lab were compromised due to human error. Those devices have been removed and we can confirm that no customer data was compromised and no production systems were affected. We are taking steps to better ensure that testing lab hardware devices that are Internet accessible are configured with proper security controls.”
- http://www.theregister.co.uk/2010/10/14/microsoft_confirms_ip_hijack/
14 October 2010

:fear::fear:
 
More malicious SPAM emails...

FYI...

More malicious SPAM emails...

Fake UPS shipment error e-mail messages...
- http://tools.cisco.com/security/center/viewAlert.x?alertId=19743
Last Published: October 19, 2010... the attachment actually contains a malicious .exe file that, if executed, attempts to infect the user's system with malicious code...

Fake Photograph sharing e-mail messages...
- http://tools.cisco.com/security/center/viewAlert.x?alertId=21608
... significant activity on October 18, 2010... informs the recipient to follow URLs to view the photos. However, the URLs could redirect to a malicious .exe file that, upon execution, attempts to infect the recipient's system with malicious code...

Fake Chat invitation e-mail messages...
- http://tools.cisco.com/security/center/viewAlert.x?alertId=21588
Last Published: October 18, 2010... text in the e-mail message instructs the recipient to open the attachment to view the photograph. However, the attachment is a malicious .exe file...

Fake UPS ZIP Attachments Spreads Oficla Trojan
- http://blog.urlvoid.com/fake-ups-zip-attachments-spreads-oficla-trojan/
October 20, 2010

Fake Video Link E-Mail Messages...
- http://tools.cisco.com/security/center/viewAlert.x?alertId=21648
Last Published: October 27, 2010

:fear::mad:
 
Kaspersky site hit by hacks - again...

FYI...

Kaspersky site hit by hacks - again...
- http://news.techworld.com/security/3244883/kaspersky-website-hit-by-hackers/
20 October 10 - "Scammers who try to trick victims into downloading fake antivirus software can strike almost anywhere. On Sunday they hit the website of Kaspersky Lab, a well-known antivirus vendor. Someone took advantage of a bug in a Web program used by the Kasperskyusa.com website and reprogrammed it to try and trick visitors into downloading a fake product, Kaspersky confirmed Tuesday. Kaspersky didn't identify the flaw, but said it was in a "third-party application" used by the website. "As a result of the attack, users trying to download Kaspersky Lab's consumer products were redirected to a malicious website," the antivirus vendor said. The website caused a pop-up window to appear that simulated a virus scan of the user's PC, and offered to install an antivirus program that was in fact bogus... According to Kaspersky, its website was redirecting users to the rogue antivirus site for about three-and-a-half hours Sunday... This isn't the first time Kaspersky has had to audit its websites after an incident. In February 2009 a hacker was able to break into the company's US support site after discovering a Web programming flaw..."

:mad:
 
Employees circumvent security controls via Webmail, file sharing...

FYI...

Employees circumvent security controls via Webmail, file sharing...
- http://www.darkreading.com/shared/printableArticle.jhtml?articleID=227900492
Oct. 21, 2010 - "... According to Palo Alto Networks*, personal Webmail (such as Gmail, Hotmail, and Yahoo Mail), instant messaging, and peer-to-peer and browser-based file-sharing apps were used in 96 percent of the enterprises, and those apps made up nearly one-fourth of all bandwidth. The bad news is that most of these apps are unmonitored and not controlled by the enterprise, which leaves the organization open to attack or data leakage, the report says. Workers' Facebook activity is more voyeuristic, with 69 percent of Facebook traffic on these organizations being used for viewing Facebook pages, while Facebook apps make up about 4 percent of traffic and posts, only about 1 percent of traffic... There were 114,000 log instances of Conficker infections** among Palo Alto customers... Web- or browser-based file-sharing now constitutes 96 percent of file sharing, according to the data, with apps including Skydrive, USendIt, RapidShare, and DocsStock. BitTorrent remains the most popular peer-to-peer file-sharing program in use in companies..."
* http://www.paloaltonetworks.com/news/press_releases/2010-1021-aur-report.html

** http://www.confickerworkinggroup.org/infection_test/cfeyechart.html

:fear::fear:
 
SPAM still prolific ...

FYI...

SPAM still prolific ...

All Tricks & No Treat for Anti-Spam Engines
- http://community.websense.com/blogs...-amp-no-treat-for-anti_2D00_spam-engines.aspx
29 Oct 2010 - "... always be cautious in opening emails from unknown users."

“Pump & Dump” Spam turns to Indian Stocks
- http://www.symantec.com/connect/blogs/pump-dump-spam-turns-indian-stocks
Oct. 28, 2010

Dating and Malware Spam dominates the Top Spam Subject Lines
- http://www.symantec.com/connect/blogs/dating-and-malware-spam-dominates-top-spam-subject-lines
Oct. 28, 2010

... MORE examples of spam subject lines:
Subject: DIWALI OFFER FROM <removed> UK.
Subject: Celebrate this Diwali with <removed> T-Shirts - Redeem voucher included
Subject: <removed>: Diwali offer
- http://www.symantec.com/connect/blogs/don-t-let-spammers-darken-your-light-festival
Oct. 28, 2010

:mad:
 
Don’t click that “pic.exe” file ...

FYI...

Don’t click that “pic.exe” file
- http://labs.m86security.com/2010/11/hi-my-love-please-dont-click-that-pic-exe-file/
November 3, 2010 - "Nowadays, spammers usually craft elaborate and enticing scams to lure a lot of people into taking action. However, a spam campaign we observed recently is one of the cruder forms of social engineering. Attached to the spam message is simply an executable file named “pic.exe” that claims to be naked pictures. This spam has been circulating with the subject line, “hi my love“... spammers probably don’t care if a spam campaign is unsophisticated. They can send millions of messages, and a few people will inevitably get sucked in anyway. Secondly, these days getting infected usually means multiple pieces of malware doing different things on your computer. Some malware may be obvious like Fake AV, but most will be hidden."

:fear::mad:
 
More fake msg SPAM ...

FYI...

- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Threat Outbreak Alert: Fake Attached Resume E-mail Messages...
November 08, 2010
Threat Outbreak Alert: Fake Unicaja Bank Security Update E-mail Messages...
November 08, 2010
Threat Outbreak Alert: Fake Security Update For Microsoft Windows E-mail Messages...
November 08, 2010
Threat Outbreak Alert: Fake Self-View Video Link E-mail Messages...
November 08, 2010
Threat Outbreak Alert: Fake Scanned Document E-mail Messages...
November 08, 2010
Threat Outbreak Alert: Fake Chat Invitation E-mail Messages...
November 08, 2010

- http://blogs.cisco.com/security/out-of-control-user-frenetic-it/
November 8, 2010 - "When you access your email each day, do you do so at a distance of 15 paces because you’re just not sure what might jump out of that inbox? You can just about anticipate an email detailing how another user has caused a “blip” that will stretch your capabilities to protect both the user during their online engagements and the assets of the company..."

- http://www.ironport.com/toc/
Virus Outbreak In Progress - (Last Updated: November 10, 2010)
- http://tools.cisco.com/security/center/threatOutbreak.x?i=77

:fear::fear:
 
Facebook malicious Java applet...

FYI...

Facebook app links to malware...
- http://www.trustedsource.org/blog/512/Facebook-App-Links-to-Malware
November 11, 2010 - "... a malicious Java applet was being linked through a Facebook application. Users don’t have to install the Facebook app on their profiles to be exposed to this threat. On browsing to a specific Facebook application page displayed in an Eastern European language, the page connects to a malicious site that hosts a signed Java applet that claims to be “Sun_Microsystems_Java_Security_Update_6" and is published by “Sun Java MicroSystems”... The only indication of suspicious activity is the fact that the digital signature cannot be verified by a trusted source. The warning also requests permission from the user to run the applet... In this case, when the user clicks Run, the Java applet downloads an arbitrary executable from a URL passed as a parameter on the website... The downloaded trojan payload is a password stealer which searches for passwords stored on the user’s machine..."

> http://forums.spybot.info/showpost.php?p=388366&postcount=7

:fear::mad:
 
Worms in IM chats...

FYI...

Worms in IM chats...
- http://www.theinquirer.net/inquirer/news/1897876/microsoft-disables-live-messenger-links
Nov 15 2010 - "... Microsoft has shut down links to some websites in the 2009 builds of Windows Live Messenger. According to the Vole's blog*, disabling the feature was designed to prevent the spread of a malicious worm. The worm requires users to click a link within a message, upon which it will load a webpage that downloads the worm to your PC and then it sends the same message to people in your contact list. It only affected those who had not upgraded to the newest version of Messenger that uses Microsoft's Smartscreen, which shows up when you click on any link shared via Messenger. A spokesperson said that the malicious worm was trying to spread itself through many of the world's largest instant messaging and social networks, including Windows Live Messenger 2009. The worm spreads by inserting a link into an IM conversation with a person whose computer is already infected. Normally, when Messenger sees a web address in a conversation it is turned into a hyperlink which, when clicked, automatically opens in a web browser. This feature made it a doddle for the worm to be unknowingly installed on your computer by clicking on the link and being sent to a website containing the malicious software. Some customers might also see a notification in the main Messenger window warning them that some features might not be available, the spokesperson said."
* http://windowsteamblog.com/windows_...y-turned-off-to-prevent-a-malicious-worm.aspx

:fear::fear:
 
Asprox spams more Sasfis

FYI...

Asprox spamming more Sasfis
- http://labs.m86security.com/2010/11/asprox-spamming-more-sasfis/
November 17, 2010 - "Ever since the recent take down attempts of the Pushdo and Bredolab botnets, the volume of malicious spam has dropped substantially. But there is still one major player spamming out malicious executables, namely the Asprox spambot. Malicious spam campaigns purporting to be from DHL, Fedex, UPS or USPS have been spammed by the Asprox botnet ever since it was resurrected in mid-2010. These messages contain zip file attachments containing executable files which are almost exclusively the Trojan Sasfis, a downloader bot... The extracted Sasfis executable file usually has a Microsoft Excel icon. The payload varies depending on the task sent by the control server. Recently, we have seen it download Fake AV installers... Currently, the Sasfis trojan is requesting commands from the domain name showtimeru .ru... In our previous blogs* about Asprox, we highlighted three of the domains that the bot connects to. In the newer samples however, Asprox is connecting to the inglo-kotor .ru domain name. Interestingly, the previous and the newer domains point to the same server in Sweden**... In summary, it is the same old well-worn theme that Asprox has been using for six months. Don’t get too excited if you see this in your inbox, especially if you are an avid online buyer expecting a package."
* http://labs.m86security.com/2010/06/another-round-of-asprox-sql-injection-attacks/

(Screenshots available at both m86 URLs above.)

** http://labs.m86security.com/wp-content/uploads/2010/11/IP-sweden.png

:mad:
 
New Asprox Facebook SPAM campaign

FYI...

New Asprox Facebook SPAM campaign
- http://labs.m86security.com/2010/11/new-asprox-facebook-spam-campaign/
November 19, 2010 - "... new Asprox template purporting to be an email from Facebook support. This spam campaign claims the user’s Facebook password has been changed or access to their account has been blocked... As before, the attachment is the Sasfis trojan, the same breed of downloader Trojan we discussed yesterday. This sample however connects to a different domain; pupmypzed .ru... Just this week, there was outrage when many Facebook users, many of whom were female, found their accounts disabled following an automated Facebook system ‘cleanup’ of dubious accounts. Spammers may have taken advantage of this publicity..."
(Screenshots available at the m86 URL above.)

:fear::mad:
 
Facebook SCAMS multiply ...

FYI...

- http://labs.m86security.com/2010/12/mcafee-secure-short-url-service-or-is-it/
December 6, 2010 - "... Users should carefully check the links coming from emails, Facebook or any other social network, when the sender is unknown and the link is shortened, because there is no guarantee the URL is safe ..."

Facebook SCAMS multiply...
- http://nakedsecurity.sophos.com/2010/11/21/beware-the-justin-bieber-erection-facebook-scam/
November 21, 2010 - "... Surveys like this generate revenue for the scammers who are behind the application - they earn commission for every survey that is completed. In the background meanwhile, the rogue application has abused your social networking account spreading the spam virally via your wall to your Facebook friends and family... scams like this will continue for as long as users continue to fall for silly tricks like this, and the scammers continue to find it financially rewarding. If you've been hit by a scam like this, remove references to it from your newsfeed, and revoke the right of rogue applications to access your profile via Account/ Privacy Settings/ Applications and Websites. Don't forget - if you know young people who use Facebook, you should warn them about scams like this and teach them not to trust every link that is placed in front of them..."

- http://nakedsecurity.sophos.com/2010/11/03/justin-bieber-hit-girl-facebook-survey-scam/

- http://nakedsecurity.sophos.com/201...k-after-man-starts-headbutting-facebook-scam/

- http://nakedsecurity.sophos.com/2010/07/23/viewed-facebook-profile-care/

- http://nakedsecurity.sophos.com/201...ter-on-her-webcam-its-a-facebook-survey-scam/
___

20 percent of Facebook users exposed to malware
- http://news.cnet.com/8301-13577_3-20023626-36.html
November 22, 2010

Security apps for Facebook ...
- http://www.facebook.com/bitdefender.safego?v=info
BitDefender safego
- http://www.facebook.com/apps/application.php?id=177000755670
Defensio - Websense

- http://www.theregister.co.uk/2010/11/24/facebook_malware_survey/
24 November 2010 - "... one in five items on the news feeds of Facebook users lead to malicious content. More than three in five (60 per cent) of these attacks come from notifications generated by malicious third-party applications on Facebook's developer platform - BitDefender's stats come from users of safego... similar to figures from users of BitDefender's tool... Websense's Defensio tool... about 10 per cent are spam or malicious..."
___

Facebook accounts disabled
- http://sophosnews.files.wordpress.com/2010/11/facebook-trend.jpg?w=640

- http://nakedsecurity.sophos.com/2010/11/16/bug-causes-havoc-facebook-as-accounts-disabled/
November 16, 2010

:fear::mad:
 