SPAM frauds, fakes, and other MALWARE deliveries - archive

Social network SPAM growth...

FYI...

SPAM to avoid...
- http://sunbeltblog.blogspot.com/2011/06/some-spam-to-avoid.html
June 29, 2011 - "...
1) "Facebook Survey Gift Invite"...
2) Paypal phish...
3) World of Warcraft phish mails..."

Social network SPAM growth...
- http://www.symantec.com/connect/blogs/social-network-attacks-surge
June 29, 2011 - "... Spam attacks via social networks grew dramatically between April and June 2011. Over this period, we monitored and analyzed social network spam attacks that used three popular social networking sites — Facebook, Twitter, and YouTube... Most of the spam originates from botnets... Most of these IP addresses were blacklisted by reputation-based technology because of their spam involvement. Along with bot activity, some spam samples are seen to be sent through hijacked user accounts and fake social network accounts created by the spammers... Social network spam uses legitimate email notification templates from the social networking sites. The message alleges that the user has some unread messages or pending invites and a fake link is provided. The bogus link will direct users to a website that forces the download of malicious binaries, purports to be selling cheap enhancement drugs and replica products, pushes fake gambling casino sites, or advertises online adult dating sites, etc... The most common subject lines used in this case are as follows:
Subject: Hi, you have notifications pending
Subject: Oops.. You have notifications pending
Subject: Hi, You have 1 new direct message
Subject: You have 2 direct message on Twitter!
Subject: YouTube Administration sent you a message: Your video has been approved
Subject: YouTube Administration sent you a message: Your video on the TOP of YouTube
Subject: Direct message from [removed]
Subject: Warning: Your inbox is full, message not accepted
Subject: [removed] sent you a message on Facebook..."
(Screenshots available at the Symantec URL above.)
___

SPAM volume - charted July 2010 - June 2011
- http://krebsonsecurity.com/wp-content/uploads/2011/07/symspam11.jpg

:fear::mad:
 
Last edited:
Hiloti trojan downloader infection rates triple in UK

FYI...

Hiloti trojan downloader infection rates triple in UK
- http://www.trusteer.com/blog/hiloti-trojan-downloader-infection-rates-triple-uk
June 30, 2011 - "Hiloti generic downloader is a trojan first seen in December 2008 has shown a dramatic increase in infection rates of PCs during June 2011. Hiloti is a generic malware downloader, meaning it typically downloads other malware, e.g. Zeus and SpyEye. Hiloti creates a malicious DLL in the Windows directory, and hacks the Windows registry to maintain its presence on an infected machine across a normal boot cycle. We suspect that a Hiloti-infecting campaign - which is quite likely to be a drive-by download infection - is now taking place, having started on June 20th... the Hiloti malware is surging to two to three times it previously level of infections*... the infection does not appear to be affecting the US and other international territories, suggesting that it is a carefully targeted attack on one of more UK banking portals..."
* http://www.trusteer.com/sites/default/files/hiloti.jpg

:fear::mad:
 
Google+ SPAM campaign ...

FYI...

Google+ SPAM campaign...
- http://sunbeltblog.blogspot.com/2011/07/spammers-hone-in-on-google.html
July 02, 2011 - "... Sophos has found what we consider as, probably, the first crime ever targeting Google+: fake pharma spam... spammers didn't take long before they push a campaign to take advantage of Internet users badly wanting to be put in circles. It's the current "it" thing, after all. Not to mention the current perfect target of any threat attack, and spamming was the first..."
* http://nakedsecurity.sophos.com/2011/07/01/google-plus-spam/
"... clicking on the links will not take you to the new social network, but instead take you to a pharmacy website set up to sell the likes of Viagra, Cialis and Levitra to the unwary..."
(Screenshots available at the Sophos URL above.)
___

- https://plus.google.com/107117483540235115863/posts/PhJFJqLyRnm
Jun 29, 2011 - "We've shut down invite mechanism for the night. Insane demand... For any who wish to leave, please remember you can always exit and take your data with you by using Google Takeout. It's your data, your relationships, your identity."

Google Plus Fuss
- http://sunbeltblog.blogspot.com/2011/07/google-plus-fuss.html
July 05, 2011
___

- http://www.f-secure.com/weblog/archives/00002198.html
July 6, 2011 - "... Google will be deleting all private profiles after July 31*. This is related to Google+ migration..."
* http://www.google.com/support/profiles/bin/answer.py?hl=en&answer=1192471&p=public_profile

:mad:
 
Last edited:
Fake Google software emails

FYI...

Fake Google software emails
- http://msmvps.com/blogs/spywaresucks/archive/2011/07/02/1795605.aspx
Jul 2 2011 18:51 by sandi - Filed under: Malvertizing - "These almost fooled a family member. They’re fake. The spammers do the most basic of tracking – first by including remotely hosted pictures in the email, and by embedding the victim’s email address into URLs. If you click on the link, even if you are well aware it’s fake and don’t intend to buy anything and have your internet security set to super-ultra-paranoid, they’re still going to know who clicked on that link and you’ll get even more junk..."
(Screenshots available st the URL above.)

:fear::mad:
 
Resurrection of MS10-087/CVE-2010-3333 In-The-Wild

FYI...

Resurrection of MS10-087/CVE-2010-3333 In-The-Wild
- http://labs.m86security.com/2011/07/resurrection-of-cve-2010-3333-in-the-wild/
July 5, 2011 - "During the last few weeks we’ve seen massive use of the CVE-2010-3333 vulnerability for Microsoft Office. This eight months old vulnerability is used in popular documents such as a document that pretends to be “President Obama’s Speech”. Microsoft Office vulnerabilities have become very popular over the last few years and here are several samples that can be found In-The-Wild that use MS10-087 / CVE-2010-3333... The samples use different shellcodes, but as we can see, the exploit is In-The-Wild and is being used by malicious hackers..."

> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3333
Last revised: 12/21/2010
CVSS v2 Base Score: 9.3 (HIGH)
___

- http://www.symantec.com/business/security_response/vulnerability.jsp?bid=44652

- http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=880

:mad:
 
Last edited:
Google dumps 11+ million .co.cc sites from search results

FYI...

Google dumps 11+ million .co.cc sites from search results...
- http://www.theregister.co.uk/2011/07/06/google_cans_11m_dot_co_dot_cc_sites/
6 July 2011 - "Google has removed over 11 million .co.cc websites from its search engine results pages on the basis that most of them are far too "spammy"... Google classes the firm as a "freehost", and has exercised its right to block the whole domain "if we see a very large fraction of sites on a specific freehost are spammy or low-quality", according to Matt Cutts, head of Google's web spam team... According to a recent report from the Anti-Phishing Working Group, the .cc top-level domain hosted 4,963 phishing attacks in the second half of 2010, almost twice the number found under any other extension. That was due to a large number of attacks originating from .co.cc addresses, the APWG said..."

:fear:
 
Fake e-mails w/malware attachments...

FYI...

Virus Outbreak In Progress...
- http://www.ironport.com/toc/

- http://tools.cisco.com/security/cen...currentPage=1&sortOrder=d&pageNo=1&sortType=d

Fake Money Order Attachment - E-mail - Updated July 07, 2011
> http://tools.cisco.com/security/center/viewAlert.x?alertId=23578
Fake FedEx Package Delivery Failure - E-mail- Updated July 07, 2011
> http://tools.cisco.com/security/center/viewAlert.x?alertId=23577
Fake Legal Department Payment - E-mail - July 7, 2011
> http://tools.cisco.com/security/center/viewAlert.x?alertId=23590
Fake Credit Card Overdue - E-mail - July 07, 2011
> http://tools.cisco.com/security/center/viewAlert.x?alertId=23589
Fake USPS Package Delivery - E-mail - Updated July 07, 2011
> http://tools.cisco.com/security/center/viewAlert.x?alertId=23529
Fake UPS Package Delivery - E-mail - Updated July 07, 2011
> http://tools.cisco.com/security/center/viewAlert.x?alertId=23197

:fear::mad:
 
SBS hacked...

FYI...

SBS hacked...
- http://www.sbs.com.au/article/124519/SBS-website-statement-July-18-2011
July 18, 2011 - "Over the last 2 days, the SBS website has been the victim of a hacking attack... this source has been able to enter the site on this occasion and has inserted a link to a third party ‘malware site’. Users who may have inadvertently visited this third party malware site could then have had their machines infected with a virus depending on their security settings. SBS recommends that any site users who may be concerned about infection run a full security scan... Our digital team has been working throughout the weekend to rectify the problem and have now resolved the problem. Investigations are ongoing regarding how this issue occurred and what steps can be taken to ensure it does not happen again..."

:fear::mad::fear:
 
SPAM w/malware attachments...

FYI...

Virus Outbreak In Progress...
- http://www.ironport.com/toc/
July 19, 2011

- http://tools.cisco.com/security/cen...currentPage=1&sortOrder=d&pageNo=1&sortType=d

Fake Personal Loan Notification E-mail Messages...
- http://tools.cisco.com/security/center/viewAlert.x?alertId=23677
Fake Tax Backlog Notification E-mail Messages...
- http://tools.cisco.com/security/center/viewAlert.x?alertId=23679
Fake VISA Customer Services Notification E-mail Messages...
- http://tools.cisco.com/security/center/viewAlert.x?alertId=23678
Fake Purchase Notification E-mail Messages...
- http://tools.cisco.com/security/center/viewAlert.x?alertId=23662
Fake Notification E-mail Messages...
- http://tools.cisco.com/security/center/viewAlert.x?alertId=23660
Fake Profile Picture E-mail Messages...
- http://tools.cisco.com/security/center/viewAlert.x?alertId=23663
Fake Image Screen Shot E-mail Messages...
- http://tools.cisco.com/security/center/viewAlert.x?alertId=23656

:mad:
 
"No such file or directory" error...

FYI...

Python: No such file or directory – Your site is likely compromised
- http://blog.sucuri.net/2011/07/python-no-such-file-or-directory-your-site-is-likely-compromised.html
July 18, 2011 - "If you run a WordPress site and you are seeing the following error at the top of your pages:
sh: /usr/local/bin/python: No such file or directory
It means that it is likely compromised. How do we know that? We were tracking a large blackhat SEO spam campaign (targeting WordPress sites) and we noticed that for the last few days one of their link distrubution domains were broken and generating an error. So any hacked site would display that error instead of showing the spammy links... If you are unsure if your site is compromised, try doing a quick scan here:
http://sitecheck.sucuri.net ..."

:mad::fear:
 
Last edited:
m86 Security Report - 1H 2011

FYI...

m86 Security Report - 1H 2011
- http://www.m86security.com/documents/pdfs/security_labs/m86_security_labs_report_1h2011.pdf
July 20, 2011 - "... During this period, Web-based threats continued to grow more sophisticated. However, email threats such as spam decreased markedly following the takedown of major spam operations. Key Points:
• Many of the vulnerabilities targeted today are found in the Adobe and Java platforms. This highlights the fact that these applications often remain unpatched. Organizations and individuals should ensure that these software applications are patched promptly.
• Although spam volumes have declined since the closure of Spamit.com and takedown of the Rustock botnet, spam remains a problem for most organizations. The volume of malicious spam has returned to previous levels. Attackers continue to craft more legitimate looking messages in order to coax users into executing malicious files.
• Cybercriminals continue to experiment with combined attacks, evidenced by the recent spate of “spear-phishing” (target attacks that used Microsoft Office document files with embedded shockwave files that exploit vulnerabilities in Adobe Flash).
• There has been an increase in phishing attacks that include an HTML attachment, which is used to bypass anti-spam an anti-phishing filters in the browser.
Facebook scams surged in the first half of 2011, as cybercriminals experimented with different ways to dupe social networkers into helping them earn a profit. One scam led users to trojans and fake anti-virus software for the Mac..."
(More detail in the PDF at the URL above.)

:fear::fear:
 
Fake Java Update uses victim PC's in DDoS...

FYI...

Fake Java Update uses victim PC's in DDoS...
- http://www.malwarecity.com/blog/fake-java-update-uses-your-pc-in-ddos-offensive-1113.html
20 July 2011 - "Software patches, allegedly missing codecs and Flash Player or Java updates have been quite often used as baits in order to lure computer users into installing malware. We have recently come across this type of malware dissembling as a regular update to the Java platform. Closer investigation on the file revealed more than meets the eye: a carefully-crafted piece of malware that is extremely viral (i.e. spreads using an array of media) and can be used as a powerful tool to initiate distributed denial-of-service attacks. This e-threat seems to be in-sync with the canvas of on-line attacks we’ve been witnessing lately, especially those attributed to the independent hacktivist groups, such as Anonymous or their spin-off (and now defunct) organization called LulzSec. Both groups made a habit of targeting a wide range of institutions, including companies and government organizations not as much for money but as part of their “Antisec” credo. Backdoor.IRCBot.ADEQ is a Trojan disguised as a Java update. It is extremely “contagious”, as it can be downloaded from a multitude of locations, most of them being legit websites that have been infected by the tool... Backdoor.IRCBot.ADEQ uses private messages in order to communicate with its master, who sends the bot an assortment of commands, including the URL of a particular website the malware needs to flood... On top of that, the bot proceeds to uninstalling other bots such as Cerberus, Blackshades, CyberGate, or OrgeneraL DDoS Bot Cryptosuite if found injected into winlogon.exe, csrss.exe and services.exe. This is an essential step for the bot to ensure that the user doesn’t suspect any malicious activity on the computer, as well as to ensure that all the other pieces of malware racing for network bandwidth won’t get it. Plus, the bot also tries to prevent the user from noticing that the Trojan is constantly sending data to the Internet. It successfully adds itself to the list of authorized applications in the Windows Firewall, and tries to kill firewall alerts issued by antivirus solutions when they pop up. This makes Backdoor.IRCBot.ADEQ an efficient DDoS tool to be used by an attacker to take down sites or hinder the activity of a particular company...In the recent security landscape, Anmonymous and LulzSec have launched a couple of DDoS attacks against high-profile institutions. While the open-source Low-Orbit Ion Cannon tools have played a role in orchestrating the incident, most of the power was provided by botnets, as most permanent members of the organization “herd” botnets ranging between 5 and 30,000 infected machines. Botnets are universal tools of trade... A company might also get blackmailed and asked to pay a specific amount of money, or their servers will automatically be flooded with connection requests which it will be unable to answer, causing it to collapse. In the meanwhile, the company loses potential customers and, implicitly, money."

Hat-tip to cnm @ spywareinfoforum.com for the link...

:fear::mad:
 
Fake Flash updates...

FYI...

Fake Flash updates...
- http://sunbeltblog.blogspot.com/2011/07/correct-version-aversion.html
July 22, 2011 - "... they're hoping the victims they attract to a scam like this won't pay much attention to what they're clicking on, never mind confirm that the Flash numbering offered matches up with reality. We detect this as VirTool.Win32.Obfuscator.hg!b1 (v), another 2GCash clickfraud Trojan**, and the VirusTotal score is currently at 5/43*."
* http://www.virustotal.com/file-scan...3f93bf513688631102bab3b07287ccaa77-1311346336
File name: install.52078.exe
Submission date: 2011-07-22 14:52:16 (UTC)
Result: 5/43 (11.6%)

** http://sunbeltblog.blogspot.com/2011/07/update-center-targets-chrome-and.html

:mad:
 
Google AdWords phishing attack...

FYI...

Google AdWords phishing attack...
- http://nakedsecurity.sophos.com/2011/07/26/google-adwords-phishing-attack-strikes-inboxes/
July 26, 2011 - "Have you received an email from Google saying that your Google AdWords campaign may have stopped running?... The messages have been spammed out across the internet, attempting to trick users into visiting a bogus website that pretends to be the Google AdWords login page... It's a realistic replica of the main Google AdWords page, created with some care in an attempt to phish your credentials off you. And don't forget, your same username and password will be not just used by Google AdWords, but also Gmail, Google Docs, Google+ and so forth... In short, your Google username and password are a very attractive commodity to phishers..." (from google-oa .net) That's certainly not Google, and the fact that the domain has only just been registered makes it even more suspicious..."

:fear::mad:
 
SpyEye's target list - US, UK, Canada, Germany, and Australia now on top

FYI...

SpyEye's target list - US, UK, Canada, Germany, and Australia now on top
- http://www.trusteer.com/blog/us-uk-canada-germany-and-australia-now-top-spyeyes-target-list
July 26, 2011 - "Research findings from the Trusteer Situation Room and our anomaly detection service Pinpoint indicate that the number of financial institutions targeted by the SpyEye Trojan is growing. In parallel with this, our risk analysis teams have also observed an increase in the number of countries where financial institutions are being targeted by fraudsters using SpyEye. Analyzing the SpyEye command and control centers that our risk analysis team reviews every month revealed that 60% of the SpyEye bots target financial institutions in the US. This is followed by the UK with 53%, Canada with 31%, Germany 29%, and Australia 20%... the percentage of SpyEye bots targeting Canadian banks has more than doubled from 14% in May to 31% in June... SpyEye continues to expand its “hit list”... SpyEye developers appear to have figured how these defenses operate and are now constantly trying to ensure their code activity flies under the radar of these detection systems. SpyEye seems to follow Agile software development practices, namely it is flexibly and simply coded, and new configurations are being rolled out as quickly as possible by its developers. At certain times, we have even seen two new versions of the malware released every week... A new version means that the program code itself has been modified, while a new variant is just new packing around the same code... early versions of the malware included a feature to remove Zeus from an infected host machine. This feature was, of course, in place to ensure that SpyEye is the only financial malware on the infected computer..."
___

SpyEye Tracker
- https://spyeyetracker.abuse.ch/
"... quick statistics about the SpyEye Trojan:
SpyEye C&C servers tracked: 381
SpyEye C&C servers online: 184
SpyEye C&C server with files online: 38
• Average SpyEye binary Antivirus detection: 26.14% ..."

ZeuS Tracker
- https://zeustracker.abuse.ch/
"... quick statistics about the ZeuS crimeware:
ZeuS C&C servers tracked: 659
ZeuS C&C servers online: 223
ZeuS C&C servers with files online: 53
ZeuS FakeURLs tracked: 19
ZeuS FakeURLs online: 6
• Average ZeuS binary Antivirus detection rate: 38.67% ..."

(... as of 2011.08.04)

:mad:
 
Last edited:
SPAM/fraud aimed at credit card users ...

FYI...

SPAM/fraud aimed at credit card users...
- http://community.websense.com/blogs...s-my-credit-card-really-been-compromised.aspx
28 Jul 2011 - "Websense... has been monitoring and tracking a recent wave of email attacks being spread and aimed at credit card users and holders. The attack comes in the form of a short email with fairly detailed text alerting the recipient that their credit card has been blocked, and that they should open the attached file to find out more. The format seems old, with the content and attached file properties being the distinctive factor. With the recent attacks and data breaches of organizations in the press, this seems to be worth the buzz as personal details and credit card details were part of the information leaked... There is less the wording within the message body and the header information with regards to sender address or connecting IP's which are listed in this blog post*... The file is also VM-Aware, as the resulting execution of a download for fake AV only works if host based analysis is used (as opposed to a guest virtual machine)..."
* http://garwarner.blogspot.com/2011/07/mastercard-spam-leads-to-fake-av.html

- http://labs.m86security.com/2011/07/malicious-hotel-transaction-spam/
July 29, 2011

>> http://tools.cisco.com/security/center/viewAlert.x?alertId=23741
July 29, 2011
___

Sophisticated injection abuses the Twitter trend service
- http://community.websense.com/blogs...ed-injection-abuse-twitter-trend-service.aspx
27 Jul 2011 - "... Websense... has detected a mass injection campaign that has infected more than 10,000 Web sites. What is surprising is the size of injected code; it’s very big – over 6,000 kbs. Surely such a large injection code can contain a lot of malicious content. The attacker used 5 layers of obfuscated methods to conceal the final redirect code. The redirect target is determined based on Twitter trend services... The redirect target is different every day, and even different at day and at night... The URL redirects customers to the Blackhole Exploit Kit where a rogue AV application will be installed. Below are IP addresses that host the Blackhole Exploit Kit.
46.165.192.232
46.20.119.80
66.135.59.143
216.155.147.12
64.150.187.129
200.35.147.150
108.59.2.202 ..."

:mad: :mad:
 
Last edited:
Zeus SPAM continues...

FYI...

Zeus SPAM continues...
- http://garwarner.blogspot.com/2011/07/government-related-zeus-spam-continues.html
Update: New Zeus distribution site, July 29th AM:
"We are receiving SPAM emails this morning from "nacha .org" From: addresses that direct us to this Zeus distribution site.
hxxp ://federalreserve-alert .com/transaction_report.pdf.exe
... VirusTotal report... (5 of 43) detections. Only 2 of those are calling this Zeus.
---
July 28, 2011 - "... new example of this capability in the form of the two most recent installments of a long-running "government-related" Zeus campaign.
One of the two spammed destinations is:
alert-irs .com /00000700973770US.exe MD5 = 0691a4856713edc97664e60db735747c
This malware is currently showing a (12 of 43) detection rate at VirusTotal...
The other spammed destination is:
fdic-updates .com .com /system_update_07_28.exe MD5 = 7a0303fdb809ac0c1a84123b106992c2
This malware is currently showing a (8 of 43) detection rate at VirusTotal...
Both files are 172,032 bytes in size, but currently the FDIC one is showing a dramatically wider distribution via email than the IRS one, which may be an indication of "targeting" by the latter.
The FDIC version has been seen almost 500 times, despite the fact that the campaign is less than 45 minutes old as of this writing..."
(Much more detail at the garwarner.blogspot URL above.)

> http://www.cis.uab.edu/forensics/

:fear::mad:
 
willysy .com Mass Injection... 3.8 million pages

FYI...

willysy .com mass injection... more than 3.8 million pages
- http://blog.armorize.com/2011/07/willysycom-mass-injection-has-hit-more.html
7.31.2011 - "... As of July 31th, Google shows more than 3,410,000 (willysy) + 386,000 (exero) = 3.8 million infected pages. Note this number is for individual infected pages, -not- sites or domains. And so we've largely updated and reformatted (so new info appears at the front) the initial report*, adding to it the infection number, source IP of attack, log entries, osCommerce vulnerabilities used, and more."
* http://blog.armorize.com/2011/07/willysycom-mass-injection-ongoing.html
"... 5. Browser exploits used:
CVE-2010-0840 - Java Trust
CVE-2010-0188 - PDF LibTiff
CVE-2010-0886 - Java SMB
CVE-2006-0003 - IE MDAC
CVE-2010-1885 - HCP
6. Exploit domain:
arhyv .ru, counv .ru ...
IP: 46.16.240.18 (AS51632 Ukrain - Inet Ltd)
Related domains: xlamv .ru, vntum .ru
7. Malware URL:
hxxp ://46.16.240.18 /9VBMa76FFnB4VAYu0X5j755pMiSyVrcV?s=mdacot ..."
___

- http://www.google.com/safebrowsing/diagnostic?site=AS:51632
"... last time suspicious content was found was on 2011-08-01..."

:mad:
 
Last edited:
Fake Flash for Mac ...

FYI...

Fake Flash for Mac ...
- http://www.f-secure.com/weblog/archives/00002206.html
August 1, 2011 - "We've come across a fake FlashPlayer.pkg installer for Mac... Once installed, the trojan adds entries to the hosts file to hijack users visiting various Google sites (e.g., Google.com.tw, Google.com.tl, et cetera) to the IP address 91.224.160.26, which is located in Netherlands. The server at the IP address displays a fake webpage designed to appear similar to the legitimate Google site... Even though the page looks fairly realistic, clicking on any of the links does not take the user to any other sites. Clicking on the links does however open new pop-up pages, which are all pulled from a separate remote server... At the time of writing, the pop-up pages aren't displaying anything, though we presume they are ads of some sort. It appears that the remote server serving the pop-up pages is down. The other remote server returning fake search requests appears to be still active. We detect this trojan as Trojan:BASH/QHost.WB."
(Screenshots available at the f-secure URL above.)

:mad:
 
You must log in or register to reply here.
Back
Top