SPAM frauds, fakes, and other MALWARE deliveries - archive

Phishing emails from "Nationwide" in circulation

FYI...

Phishing emails from "Nationwide" in circulation
- http://www.gfi.com/blog/nationwide-phishing-mails-in-circulation/
August 13, 2012 - "There are some emails floating around right now claiming to be from Nationwide*. The first wants customers to “validate your internet banking profile”, with the aid of the following missive:
> http://www.gfi.com/blog/wp-content/uploads/2012/08/nationphish.jpg
The second tries a different approach, claiming that they have “identified an unusual conflict between the customer number and profile details associated with your account”.
> http://www.gfi.com/blog/wp-content/uploads/2012/08/nationphish2.jpg
The emails lead to various URLs which appear to have been compromised (including a Belarus human rights website and what appears to be an Indonesian news portal) playing host to pages asking for security information. Of the two, the human rights site appears to have been fixed but the dubious pages are still live on the Indonesian portal at time of writing.
http://www.gfi.com/blog/wp-content/uploads/2012/08/nationphish3.jpg
Customers of Nationwide should treat -any- Emails asking to validate and/or confirm security information with the utmost suspicion and make a safety deposit in their spam folder."
* https://en.wikipedia.org/wiki/Nationwide_Building_Society
"Nationwide Building Society is a British mutual financial institution..."

:mad:
 
WordPress blogs... host Blackhole malware

FYI...

Insecure WordPress blogs... host Blackhole malware attack
- http://nakedsecurity.sophos.com/2012/08/10/blackhole-malware-attack/
August 10, 2012 - "... a major malware campaign, spread via spam email and compromised self-hosted WordPress blogs, which attempts to infect computers using the notorious Blackhole exploit kit. Be on your guard if you have received an email entitled "Verify your order", as links contained within the email could take you to a poisoned webpage, designed to install malware onto your PC.
Here's what a typical email looks like:
> https://sophosnews.files.wordpress.com/2012/08/malware-verify-order-email1.jpg?w=640
Subject: Verify your order
Message body:
Dear [name],
please verify your order #[random number] at [LINK]
We hope to see you again soon!

The websites that are being linked to aren't ones that have been created by the malicious hackers. They are legitimate websites that are running a self-hosted installation of the popular WordPress blogging platform. (Note, this does not include the many millions of bloggers who use the WordPress.com service - the vulnerable sites are those where people have installed their own WordPress software). Unfortunately, some people haven't properly secured their sites - which has allowed malicious hackers to plant malicious code from the Blackhole exploit kit, and means that malware is now downloading onto innocent users' computers. Sophos products detect the malware as Troj/PDFEx-GD, Troj/SWFExp-AI, Mal/ExpJS-N and Troj/Agent-XDM. More and more of the attacks that we are intercepting involve the Blackhole exploit kit - recent examples include emails posing as traffic tickets from NYC, rejected wire transfer notifications and fake Facebook photo tag notifications. Remember to not just keep your anti-virus software up-to-date, but also to ensure that any software you run on your web server is also properly secured, and kept patched and current (that includes blogging software like WordPress and any plugins* that it might use)."

"WordPress Plugin" search results ...
* https://secunia.com/advisories/search/?search=WordPress+Plugin
Found: 407 Secunia Security Advisories ...
Aug 13, 2012

:mad:
 
IRS SPAM campaign leads to BlackHole exploit kit

FYI...

IRS SPAM campaign leads to BlackHole exploit kit
- http://blog.webroot.com/2012/08/13/irs-themed-spam-campaign-leads-to-black-hole-exploit-kit/
August 13, 2012 - "... cybercriminals launched yet another massive spam campaign, this time impersonating the Internal Revenue Service (IRS) in an attempt to trick taxpayers into clicking on a link pointing to a bogus Microsoft Word Document. Once the user clicks on it, they are redirected to a BlackHole exploit kit landing URL, where they’re exposed to the client-side exploits served by the kit...
Screenshot of the spamvertised IRS themed email:
> https://webrootblog.files.wordpress...ient_side_exploits_black_hole_exploit_kit.png
Once the user clicks on the link pointing to a Black Hole landing URL, he’s exposed to the following bogus “Page loading…” page:
> https://webrootblog.files.wordpress...t_side_exploits_black_hole_exploit_kit_01.png
Client-side exploits served: CVE-2010-0188; CVE-2010-1885
... as you can see in the first screenshot, the cybercriminals behind the campaign didn’t bother to use the services of a “cultural diversity on demand” underground market proposition offering the ability to localize a message or a web site to the native language of the prospective victim, hence they failed to properly formulate their sentence, thereby raising suspicion in the eyes of the prospective victim..."

- https://www.virustotal.com/file/83e...86e45315799fc059049f89f5/analysis/1343319131/
File name: IRS.html
Detection ratio: 2/41
Analysis date: 2012-07-26
- https://www.virustotal.com/file/af3...4b4b2439bd12bfcc1315040207d2ae44557/analysis/
File name: 6d7b7d2409626f2c8c166373e5ef76a5.exe
Detection ratio: 30/41
Analysis date: 2012-08-04

:mad:
 
FYI...

Another Fake Intuit email: "Your order was shipped today"
> http://security.intuit.com/alert.php?a=53
[Last updated 8/14/2012 - "Fake email: "Your order was shipped today"
People are receiving emails with the title "Your order was shipped today." There are numerous messages in the email, including an offer to talk to a QuickBooks expert, the request to add a fake Intuit email to the user's address book, and the possibility to win a $30,000 small business grant. DO NOT click on any of these links. Below is the text portion of the email people are receiving. We have not included the graphic portion of the email which includes the fake links.

Dear Customer,
Great News! Your order, SBL46150408, was shipped today (see details below) and will arrive shortly. We hope that you will find that it exceeds your expectations. If you ordered multiple products, we may ship them in separate boxes (at no extra cost to you) to ensure the fastest possible delivery. We will Also provide you with the ability to track your shipments via the directions below.
Thank you for your order and we look forward to serving you again in the near future.


This is the end of the fake email. We have not included the graphics with the fake links in the information above. Steps to Take Now: Do not click..."]
___

JUST DELETE THE EMAIL if you get one, or 2 or 3... The only reason the hacks keep doing this is:
It works.

:mad:
 
PDF reader exploits-in-the-wild ...

FYI...

PDF reader exploits-in-the-wild ...
- http://blog.fireeye.com/research/2012/08/email-malware-trojan-myagent.html
2012.08.15 - "At FireEye we have been tracking a particular piece of malware we call Trojan.MyAgent for some time now. The malware is currently using email as its primary vector of propagation... We have seen different versions of this malware arriving as an exe inside a zipped file or as a PDF attachment... we have seen the malware get delivered as different files via email. The PDF version of the dropper uses fairly well known exploits. The JavaScript inside of the PDF checks the Adobe Reader version and launches the appropriate exploits... We have also observed versions of this malware loading other DLLs responsible for communicating with the command and control server. Despite the decent detection of some samples of this malware, the constant changes it makes to its intermediary stages to install the actual payload, puts it into the category of advanced malware."

:mad:
 
Virus outbreak in progress...

FYI...

[image: IronPort Threat Operations Center threat level 3]

- http://www.ironport.com/toc/
August 21, 2012

- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Fake UPS Payment Document Attachment E-mail Messages - August 21, 2012
Fake Payment Notification E-mail Messages - August 21, 2012
Fake DHL Express Tracking Notification E-mail Messages - August 21, 2012
Fake Tax Refund Statement E-mail Messages - August 20, 2012
Malicious Personal Pictures Attachment E-mail Messages - August 20, 2012
Fake Criminal Complaint E-mail Messages - August 20, 2012
Fake Product Photo Attachment E-mail Message - August 20, 2012
Fake Money Transfer Notification E-mail Messages - August 20, 2012
Fake Private Photo Disclosure E-mail Messages - August 20, 2012 ...
Fake Microsoft Security Update E-mail Messages- August 17, 2012 ...

:mad:
 
F-secure Threat Report H1 2012

FYI...

F-secure Threat Report H1 2012
- https://www.f-secure.com/weblog/archives/00002411.html
August 21, 2012 - "... criminals were still as busy as ever. Our report includes the following case studies:
• ZeuS & Spyeye
• Flashback
• Blackhole
• Mobile Threats
• Ransomware
• Rogueware
You can download the report from:
- http://www.f-secure.com/static/doc/labs_global/Research/Threat_Report_H1_2012.pdf
"One of the most pervasive trends we saw in the computer threat landscape in the first half of 2012 was the expanding usage of vulnerability exploitation for malware distribution. This phenomenon is directly tied to the recent improvement in exploit kits - toolkits that allow malware operators to automatically create exploit code."

:sad: :mad:
 
Fake Flash Player App is an SMS Trojan...

FYI...

Fake Flash Player App is an SMS Trojan ...
- http://www.gfi.com/blog/fake-flash-player-app-is-an-sms-trojan-and-adware/
August 22, 2012 - "Adobe marked August 15, 2012—exactly a week ago—as the last day when users could download and install Flash Player on their Android devices if they didn’t have it yet. The company made this announcement so they can focus on Flash on the PC browser and mobile apps bundled with Adobe AIR. This change in focus also meant that Adobe will no longer develop and support Flash on mobile browsers. Of course, it’s possible that some Android users have missed that deadline, so they venture on to other parts of the Internet in search of alternative download sites. It’s no surprise to see that Russian scammers have, indeed, set up websites to lure users into downloading a fake Flash Player onto their Android devices... As of this writing, we’ve seen -eight- sites using Adobe’s logos and icons—all are linking to the same variant of OpFake Trojan disguised as the legit Flash Player for Android. All the Russian sites used different file names for their .APK files but they’re the same malicious variant... You may come across other websites claiming to host the latest version of Flash Player. In that case, better to steer clear from them and download only from Google Play*."
* https://play.google.com/store/apps/details?id=com.adobe.flashplayer&hl=en
___

- http://blog.webroot.com/2012/08/23/beware-of-fake-adobe-flash-apps/
August 23, 2012

:sad: :mad:
 
Fake BlackBerry ID emails ...

FYI...

Fake BlackBerry ID emails...
- http://community.websense.com/blogs...r-blackberry-id-in-this-attached-malware.aspx
22 Aug 2012 - "Websense... intercepted a malware campaign targeting Blackberry customers. These fake emails state that the recipient has successfully created a Blackberry ID. The messages then continue, "To enjoy the full benefits of your BlackBerry ID, please follow the instructions in the attached file." That, of course, is an attempt to lure victims into running the attached malware.
> http://community.websense.com/cfs-f...5F00_blackberry_5F00_email.PNG_2D00_550x0.png
... The malicious email itself is a copy and paste of a legitimate email from Blackberry. And though the attachment indeed raises suspicion, there's no malicious or compromised URL in it. 17/36 AV engines identify the malware in VirusTotal*..."
* https://www.virustotal.com/file/7f4...9da6fe4cc91f34425172e77fc8474b7b082/analysis/
File name: Hotel-Booking_Confirmation.exe
Detection ratio: 27/42
Analysis date: 2012-08-23 10:54:21 UTC
> http://community.websense.com/cfs-f...00_blackberry_5F00_email_5F00_threatscope.PNG
___

Bogus greeting cards serve exploits and malware
- http://blog.webroot.com/2012/08/21/...us-greeting-cards-serve-exploits-and-malware/
August 21, 2012 - "Think you’ve received an online greeting card from 123greetings.com? Think twice! Over the past couple of days, cybercriminals have spamvertised millions of emails impersonating the popular e-card service 123greetings.com in an attempt to trick end and corporate users into clicking on client-side exploits and malware serving links, courtesy of the Black Hole web malware exploitation kit...
Screenshot of the spamvertised email:
> https://webrootblog.files.wordpress...gs_exploits_malware_blackhole_exploit_kit.png
... Upon clicking on -any- of the links found in the malicious emails, users are exposed to the following bogus “Page loading…” page:
> https://webrootblog.files.wordpress...exploits_malware_blackhole_exploit_kit_01.png
... Client-side exploits served: CVE-2010-1885
Upon successful exploitation, the campaign drops MD5: 42307705ad637c615a6ed5fbf1e755d1 *...
Upon successful execution, the sample phones back to 87.120.41.155 :8080/mx5/B/in
More MD5s are known to have phoned back to the same command and control server... 87.120.41.155 is actually a name server offering DNS resolving services to related malicious and command and control servers... The second sample phones back to 87.204.199.100 :8080/mx5/B/in/ not surprisingly, we’ve already seen this command and control server used in numerous profiled campaigns..."
* https://www.virustotal.com/file/529...750f55be6e962da4caa6123eefbca10365f/analysis/
File name: 42307705ad637c615a6ed5fbf1e755d1
Detection ratio: 34/42
Analysis date: 2012-08-23 01:27:36 UTC

:mad: :mad:
 
Java 0-Day exploit-in-the-wild...

FYI...

Java 0-Day exploit-in-the-wild
- https://secunia.com/advisories/50133/
Last Update: 2012-08-28
Criticality level: Extremely critical
Impact: System access
Where: From remote ...
Solution Status: Unpatched
Software: Oracle Java JRE 1.7.x / 7.x
CVE Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4681 - 6.8
... vulnerability is confirmed in version 7 update 6 build 1.7.0_06-b24. Other versions may also be affected.
Solution: No official solution is currently available...
Reported as a 0-day.
Original Advisory:
http://blog.fireeye.com/research/2012/08/zero-day-season-is-not-over-yet.html

- https://isc.sans.edu/diary.html?storyid=13984
Last Updated: 2012-08-27 20:29:15 UTC - "... targets Java 1.7 update 6, there is currently no patch available, the exploit has been integrated into the metasploit framework..."
- https://krebsonsecurity.com/2012/08/attackers-pounce-on-zero-day-java-exploit/
August 27, 2012
- http://www.deependresearch.org/2012/08/java-7-0-day-vulnerability-information.html
August 27, 2012 - "... currently being used in targeted attacks..."

- http://labs.alienvault.com/labs/index.php/2012/new-java-0day-exploited-in-the-wild/
August 27, 2012 - "... On the analyzed sample the payload is downloaded from ok.aa24 .net/meeting /hi.exe... The payload drops C:\WINDOWS\system32\mspmsnsv.dll (replace the file if present) and starts the Portable Media Serial Number Service. The malware connects to hello.icon .pk port 80. It seems to be a Poison Ivy variant. hello.icon .pk resolves to:
223.25.233.244
223.25.233.0 – 223.25.233.255

8 to Infinity Pte Ltd ..."
> https://www.virustotal.com/file/09d...26a575840ad986b8f53553a4ea0a948200f/analysis/
File name: hi.exe
Detection ratio: 32/42
Analysis date: 2012-08-28 12:59:25 UTC

- https://www.virustotal.com/file/09d...26a575840ad986b8f53553a4ea0a948200f/analysis/
File name: hi.exe
Detection ratio: 36/42
Analysis date: 2012-08-29 10:55:45 UTC
___

- http://www.kb.cert.org/vuls/id/636312
Last revised: 28 Aug 2012 - "... Disabling the Java browser plugin may prevent a malicious webpage from exploiting this vulnerability..."

- http://www.symantec.com/connect/blogs/new-java-zero-day-vulnerability-cve-2012-4681
8.28.2012 - "... attackers have been using this zero-day vulnerability for at least five days, since August 22... we have confirmed that the zero-day vulnerability works on the latest version of Java (JRE 1.7), but it does -not- work on the older version JRE 1.6*..."

* http://forums.spybot.info/showpost.php?p=429708&postcount=5

:fear::fear:
 
Java 0-day added to Blackhole Exploit Kit

FYI...

Java 0-day added to Blackhole Exploit Kit
- http://community.websense.com/blogs...ava-0-day-added-to-blackhole-exploit-kit.aspx
28 Aug 2012 - "... exploit code for the Java vulnerability has been added to the most prevalent exploit kit out there: Blackhole... The Pre.jar file (VirusTotal link*) will use the new vulnerability to install the malware (VirusTotal link**) itself. In this particular attack it was a banking trojan as can be seen from our ThreatScope report(1)... A technical analysis of these two vulnerabilities is available at the blog Immunity Products in this post(2)."
* https://www.virustotal.com/file/65a...206c42866a8e73676f5b5dd6b235871f874/analysis/
File name: Pre.jar
Detection ratio: 17/42
Analysis date: 2012-08-29 10:43:59 UTC
** https://www.virustotal.com/file/eee...4acda2ff10c18df8e22850b881996338137/analysis/
File name: about.exe
Detection ratio: 18/42
Analysis date: 2012-08-29 04:32:07 UTC
1) http://community.websense.com/cfs-f...2012_2D00_4681_5F00_zeus_5F00_threatscope.png
2) http://immunityproducts.blogspot.com.ar/2012/08/java-0day-analysis-cve-2012-4681.html
___

- http://h-online.com/-1677789
29 August 2012 - "... Users who have a vulnerable version installed on their systems are advised to disable the browser plugin that provides Java support..."

- https://krebsonsecurity.com/2012/08/java-exploit-leveraged-two-flaws/
August 29, 2012 - "... If you want to test whether you’ve successfully disabled Java, check out Rapid7's page, http://www.isjavaexploitable.com/ ."

:mad::mad:
 
Fake QuickBooks update email ...

FYI...

Fake QuickBooks update email ...
- http://security.intuit.com/alert.php?a=54
8/28/2012 - "People are receiving emails with one of the following titles: "Important QuickBooks Update," "QuickBooks Security Update," "Urgent: QuickBooks Update," and "QuickBooks Update: Urgent." There is a link in the email. DO NOT click on the link.
Below is the text of the email people are receiving, including the errors in the email.

'You will not be able to access your Intuit QuickBooks without updated Intuit Security Tool (IST) after 31th of August, 2012.
You can update Intuit Security Tool here.
After a successful download please run the setup for an automatic installation, then login to Intuit Quickbooks online to check that it is working properly.'


This is the end of the -fake- email..."

- http://blog.webroot.com/2012/08/29/...lions-of-exploits-and-malware-serving-emails/
August 29, 2012 - "... millions of emails impersonating Intuit Market, in an attempt to trick end and corporate users into clicking on the malicious links found in the emails. Upon clicking on them, users are exposed to the client-side exploits served by the Black Hole web malware exploitation kit..."

:mad: :mad:
 
Java 0-day exploit on 100+ sites serving malware

FYI...

Java v7u7 / v6u35 released
- http://forums.spybot.info/showpost.php?p=430342&postcount=6
August 30, 2012
___

- http://www.symantec.com/connect/blogs/java-zero-day-used-targeted-attack-campaign
Update August 30, 2012 - "... using a Java zero-day, hosted as a .jar file on websites, to infect victims... attackers have been using this zero-day for several days since August 22... resolves to 223.25.233.244. That same IP was used by the Nitro attackers back in 2011..."

- http://blog.trendmicro.com/the-nitro-campaign-and-java-zero-day
Aug 30, 2012

- http://nakedsecurity.sophos.com/2012/08/30/zero-day-java-flaw-exploited-tax-email/
August 30, 2012
- http://nakedsecurity.sophos.com/2012/08/30/oracle-releases-out-of-cycle-fixes-for-java/
August 30, 2012
___

Java 0-day exploit on 100+ sites serving malware
- https://www.computerworld.com/s/art...ploit_goes_mainstream_100_sites_serve_malware
August 29, 2012 - "... Websense... had found more than 100 unique domains serving the Java exploit. "The number is definitely growing...and because Blackhole has an updatable framework and already has a foothold on thousands of sites, we anticipate that the number of sites compromised with this new zero-day will escalate rapidly in the coming days"... Yesterday, Michael Coates, Mozilla's director of security assurance, urged Firefox users to disable the browser's Java plug-in because Oracle has not issued fixes... Mozilla has the ability to add extensions or plug-ins to the Firefox add-on blocklist if they cause significant security or performance issues. Firefox automatically queries the blocklist and notifies users before disabling the targeted add-ons..."
___

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4681 - 10.0 (HIGH)
Last revised: 08/31/2012 - "... as exploited in the wild in August 2012..."

- http://www.darkreading.com/taxonomy/index/printarticle/id/240006469
Aug 29, 2012

:mad: :sad:
 
Fake UPS, Paypal SPAM links to malware ...

FYI...

Fake UPS SPAM links to malware
- http://blog.webroot.com/2012/08/31/cybercriminals-impersonate-ups-serve-malware/
August 31, 2012 - "Cybercriminals are currently mass mailing millions of emails impersonating the United Parcel Service (UPS) in an attempt to trick users into downloading and executing the malicious file hosted on a compromised web site...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress.com/2012/08/ups_print_shipping_label_spam_malware.png
... location of the malicious archive: buzzstar .co .uk/Label_Copy_UPS.zip
The malware has a MD5: b702590c01f76f02e2d8d98833d1c95f * ...
* https://www.virustotal.com/file/04d...a7082924dadba66b61f2c3fce44703eaefb/analysis/
File name: file-4438621_exe
Detection ratio: 20/25
Analysis date: 2012-08-31 02:25:37 UTC

Fake Paypal SPAM links to malware
- http://blog.webroot.com/2012/08/30/...ion-of-payment-received-emails-serve-malware/
August 30, 2012 - "Cybercriminals are currently spamvertising millions of emails impersonating PayPal, in an attempt to trick PayPal users into executing the malicious attachment found in the emails. Using ‘Notification of payment received‘ subjects, the campaign is relying on the end user’s gullibility in an attempt to infect them with malware. Once executed, it grants a malicious attacker complete control over the victim’s PC...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress.com/2012/08/paypal_spam_payment_notification_malware.png
... The malware has a MD5: 9c2f2cabf00bde87de47405b80ef83c1 * ...
* https://www.virustotal.com/file/1f5...087517a7a336523b44536c9b7385c07d67a/analysis/
File name: smona_1f5f4cb69a892d0bc2e8d6bf17de2087517a7a336523b44536c9b7385c07d67a.bin
Detection ratio: 37/42
Analysis date: 2012-08-29 08:33:11 UTC

:fear: :mad:
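The Webroot, AlienVault and Webroot UPS/PayPal write-ups quoted in this thread each list network and file indicators (C2 hosts, the /mx5/B/in check-in path, payload MD5s). The following is an added example, not code from this thread or from any of the quoted vendors, showing how a defender would turn those indicators into a simple log matcher. The indicators are the ones quoted in the thread (re-fanged: the thread writes them with spaces); the proxy/AV log lines and their format are constructed for this example, and the address 223.25.233.80 is a made-up host inside the quoted 223.25.233.0/24 range, used only to show CIDR matching.

```python
"""Match constructed log lines against the indicators quoted in this thread.

Indicators (IPs, domains, C2 path, MD5s) are taken from the Webroot and
AlienVault write-ups quoted above. Log lines and their format are constructed
for this example and are not from any real system.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators quoted in the thread, with the quoting source noted.
IOC_IPS = {
    "87.120.41.155": "Blackhole C2 / name server (Webroot, 123greetings campaign)",
    "87.204.199.100": "Blackhole C2 (Webroot, 123greetings campaign)",
    "223.25.233.244": "hello.icon.pk, Poison Ivy C2 (AlienVault, CVE-2012-4681 sample)",
}
IOC_NETS = [
    (ipaddress.ip_network("223.25.233.0/24"), "8 to Infinity Pte Ltd range (AlienVault)"),
]
IOC_DOMAINS = {
    "hello.icon.pk": "Poison Ivy C2 domain (AlienVault)",
    "ok.aa24.net": "payload host for hi.exe (AlienVault)",
}
IOC_PATHS = {
    "/mx5/B/in": "Blackhole check-in path, seen on port 8080 (Webroot)",
}
IOC_MD5S = {
    "42307705ad637c615a6ed5fbf1e755d1": "123greetings dropper (Webroot)",
    "b702590c01f76f02e2d8d98833d1c95f": "Label_Copy_UPS.zip payload (Webroot)",
    "9c2f2cabf00bde87de47405b80ef83c1": "PayPal 'payment received' attachment (Webroot)",
}

MD5_RE = re.compile(r"\b[0-9a-f]{32}\b", re.IGNORECASE)
URL_RE = re.compile(r"\bhttps?://\S+", re.IGNORECASE)


def host_hits(host):
    """Return indicator descriptions matching a hostname or IP literal."""
    hits = []
    if not host:
        return hits
    host = host.lower().rstrip(".")
    if host in IOC_DOMAINS:
        hits.append(f"domain {host}: {IOC_DOMAINS[host]}")
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return hits  # not an IP literal, domain check above is all we can do
    if host in IOC_IPS:
        hits.append(f"ip {host}: {IOC_IPS[host]}")
    for net, why in IOC_NETS:
        if addr in net:
            hits.append(f"ip {host} in {net}: {why}")
    return hits


def url_hits(url):
    """Check a URL's host and path; tolerates the trailing-slash variant of the C2 path."""
    parts = urlsplit(url)
    hits = host_hits(parts.hostname)
    path = parts.path.rstrip("/")
    for ioc_path, why in IOC_PATHS.items():
        base = ioc_path.rstrip("/")
        if path == base or path.startswith(base + "/"):
            hits.append(f"path {parts.path}: {why}")
    return hits


def check_line(line):
    """Return every indicator hit found in one log line (empty list if clean)."""
    hits = []
    for url in URL_RE.findall(line):
        hits.extend(url_hits(url))
    for md5 in MD5_RE.findall(line):
        md5 = md5.lower()
        if md5 in IOC_MD5S:
            hits.append(f"md5 {md5}: {IOC_MD5S[md5]}")
    return hits


def scan(lines):
    """Return {line_number: hits} for every line with at least one hit."""
    return {n: h for n, line in enumerate(lines, 1) if (h := check_line(line))}


# Constructed sample log (proxy and AV lines); the last line is benign.
SAMPLE_LOG = [
    "2012-08-23T01:30:02Z 10.0.0.15 GET http://87.120.41.155:8080/mx5/B/in 200",
    "2012-08-23T01:31:10Z 10.0.0.15 GET http://87.204.199.100:8080/mx5/B/in/ 200",
    "2012-08-28T12:59:25Z 10.0.0.22 GET http://ok.aa24.net/meeting/hi.exe 200",
    "2012-08-28T13:00:01Z 10.0.0.22 CONNECT http://hello.icon.pk:80/ 200",
    "2012-08-28T13:00:05Z 10.0.0.22 CONNECT http://223.25.233.80:80/ 200",
    "2012-08-31T02:25:37Z av-scan file=Label_Copy_UPS.exe md5=b702590c01f76f02e2d8d98833d1c95f",
    "2012-08-31T02:26:00Z 10.0.0.30 GET http://www.example.com/index.html 200",
]

if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LOG).items():
        print(f"line {n}:")
        for hit in hits:
            print(f"  {hit}")
```

The path check matters because the thread shows the same Blackhole check-in path on two different C2 addresses, so matching on the path catches a new host reusing the kit's layout before its IP is known; the CIDR entry covers the rest of the range the AlienVault note attributes to the same netblock.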
 