SPAM frauds, fakes, and other MALWARE deliveries...

Fake Facebook pwd reset, Royal Baby SPAM

FYI...

Fake Facebook pwd reset SPAM / nphscards .com
- http://blog.dynamoo.com/2013/07/you-requested-new-facebook-password.html
- "This fake Facebook spam leads to malware on nphscards .com:
Date: Wed, 24 Jul 2013 11:22:46 -0300 [10:22:46 EDT]
From: Facebook [update+hiehdzge @facebookmail .com]
Subject: You requested a new Facebook password
facebook
Hello,
You recently asked to reset your Facebook password.
Click here to change your password.
Didn't request this change?
If you didn't request a new password, let us know immediately.
Change Password
This message was sent to [redacted] at your request.
Facebook, Inc., Attention: Department 415, PO Box 10005, Palo Alto, CA 94303


The link in the email goes through a legitimate -hacked- site and then through one or both of these following scripts:
[donotclick]ftp.thermovite .de/kurile/teeniest.js
[donotclick]traditionlagoonresort .com/prodded/televised.js
The victim is then directed to [donotclick]nphscards .com/topic/accidentally-results-stay.php (report here*) which appears to be 403ing, but this may just be trickery. The site is hosted on 162.216.18.169 (Linode, US) and the domain nphscards .com itself appears to have been hijacked from GoDaddy. The domain nphssoccercards .com is also on the same server and is probably hijacked."
* http://urlquery.net/report.php?id=3976081

- https://www.virustotal.com/en/ip-address/162.216.18.169/information/
___

Royal Baby News Spam
- http://threattrack.tumblr.com/post/56335087514/cnn-royal-baby-breaking-news-spam
July 24, 2013 - "Subjects Seen:
"Perfect gift for royal baby … a tree?" - BreakingNews CNN
Typical e-mail details:
Washington (CNN)— What will the Obamas get the royal wee one? Sources say it’s a topic under discussion in the White House and at the State Department.
No baby buggy will do. The president and first lady must find a special gift to honor the special relationship between the United States and the United Kingdom.
Kate and William bring home royal baby boy


Malicious URLs
wurster .ws/rump/index.html
assuredpropertycare .net/intersperse/index.html
tennisclub-iburg .de/hepper/index.html
nphscards .com /topic/accidentally-results-stay.php?Ff=5656562e2i&Ce=2d2i562g552g2f572i54&P=2d&Ek=j&PD=j
nphscards .com /topic/accidentally-results-stay.php?TbcoUkQBgX=hGSiu&qhiHoQj=JBEYjg
nphssoccercards .com/adobe/update_flash_player.exe


Screenshot: https://gs1.wac.edgecastcdn.net/801...5c204d2a4/tumblr_inline_mqg3qltKRB1qz4rgp.png

- http://blog.dynamoo.com/2013/07/cnn-perfect-gift-for-royal-baby-tree.html
24 July 2013 - "This fake CNN spam leads to malware on nphscards .com:
Date: Wed, 24 Jul 2013 19:54:18 +0400 [11:54:18 EDT]
From: "Perfect gift for royal baby ... a tree?" [BreakingNews @mail.cnn .com]
Subject: "Perfect gift for royal baby ... a tree?" - BreakingNews CNN
CNN
U.S. presidents have spotty record on gifts for royal births ..."


Screenshot: https://lh3.ggpht.com/-q2zR6Kvn-ng/UfBShXGCb-I/AAAAAAAABmQ/4Vbk1T74toY/s400/cnn-baby.png

The payload works in exactly the same way as this fake Facebook spam* earlier today and consists of a hacked GoDaddy domain (nphscards .com) hosted on 162.216.18.169 by Linode."
* http://blog.dynamoo.com/2013/07/you-requested-new-facebook-password.html

- https://www.virustotal.com/en/ip-address/162.216.18.169/information/

- http://www.threattracksecurity.com/it-blog/royal-baby-spam-leads-to-blackhole-zbot-malware/
July 24, 2013 - "... “Royal Baby” Malware to start making the rounds... The Malware in question involves... Blackhole Exploit Kit, which leads end-users to Zbot (the Zeus Infostealer) / Medfos ( which typically displays adverts, connects to numerous IP addresses and can also download additional files )..."
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/07/royalbabymalwarespam.jpg
___

eBay iPhone Order Spam
- http://threattrack.tumblr.com/post/56341055129/ebay-iphone-order-spam
July 24, 2013 - "Subjects Seen:
Payment Received - eBay item #[removed] NEW WHITE-CA Acoustic Guitar+GIGBAG+STRAP+TUNER+LESSON
Typical e-mail details:
Hello Dear Customer,
Your payment has been received for the following item. If extra shipping
charges is required per our ad and not received (for all military addresses/AK/PR/PO
Box and other U.S.territories outside of the 48 states), we may contact you
shortly. Be sure your Ebay registered address and contact phone number
is accurate as the order will be processed as such.


Malicious URLs
compare-treadmills .co .uk/fosters/index.html
bernderl .de/fife/index.html
tennisclub-iburg .de/hepper/index.html
nphscards .com/topic/accidentally-results-stay.php?ceJfcWErQTbG=kCwAByXBRdETOJ&tsDWPg=RpZTfjhgRFCk
nphscards .com/topic/accidentally-results-stay.php?ff=2g3131542j&ke=302g572f5352572i572f&D=2d&pb=U&sR=I
nphscards .com/adobe/update_flash_player.exe


Screenshot: https://gs1.wac.edgecastcdn.net/801...42c9ddd94/tumblr_inline_mqg89rlx4R1qz4rgp.png
___

Fake inTuit emails - "Your payments are being processed for deposit"
- http://security.intuit.com/alert.php?a=84
7/23/13 - "People are receiving -fake- emails with the title "Your payments are being processed for deposit". Below is a copy of the email people are receiving.
> http://security.intuit.com/images/phish84.jpg
This is the end of the -fake- email.
- Steps to Take Now
Do not open the attachment in the email...
Delete the email..."

Fake CNN SPAM, Malicious Facebook E-Mail ...

FYI...

Fake CNN SPAM / evocarr .net
- http://blog.dynamoo.com/2013/07/cnn-77-dead-after-train-derails-spam.html
25 July 2013 - "This spam mismatches two topics, a train crash in Spain and the birth of a royal baby in the UK, but it leads to malware on evocarr .net:
Date: Thu, 25 Jul 2013 20:19:44 +0800 [08:19:44 EDT]
From: 77 dead after train derails [BreakingNews @mail.cnn .com]
Subject: "Perfect gift for royal baby ... a tree?" - BreakingNews CNN
77 dead after train derails, splits apart in Spain
By Al Goodman, Elwyn Lopez, Catherine E. Shoichet, CNN July 25, 2013 -- Updated 0939 GMT (1739 HKT)
iReporter: 'It was a horrific scene'
STORY HIGHLIGHTS
NEW: Train driver told police he entered the bend too fast, public broadcaster reports
NEW: Regional governor declares 7 days of mourning for the victims, broadcaster says
Witness: "The train was broken in half. ... It was quite shocking"
77 people are dead, more bodies may be found, regional judicial official says
Madrid (CNN) -- An express train derailed as it hurtled around a curve in northwestern Spain on Wednesday, killing at least 77 people and injuring more than 100, officials said. Full Story ...


Screenshot: https://lh3.ggpht.com/-DV8NS7UNyVg/UfEkgvPaxkI/AAAAAAAABmk/2NCENHV902w/s400/cnn-train.png

The link in the email goes to a legitimate -hacked- site which tries to load one or more of the following scripts:
[donotclick]church.main .jp/psychosomatics/rayon.js
[donotclick]video.whatsonstage .com/overstocking/ownership.js
[donotclick]www.fewo-am-speckbusch .de/referees/metacarpals.js
From there the victim is sent to a landing page at [donotclick]evocarr .net/topic/accidentally-results-stay.php hosted on 69.163.34.49 (Directspace LLC, US). The following -hijacked- GoDaddy domains are on the same IP and can be considered suspect:
evocarr .net
serapius .com
leacomunica .net
mindordny .org
rdinteractiva .com
yanosetratasolodeti .org "
___

CNN Spanish Train Derailment Spam
- http://threattrack.tumblr.com/post/56423696906/cnn-spanish-train-derailment-spam
July 25, 2013 - "Subjects Seen:
"Perfect gift for royal baby … a tree?" - BreakingNews CNN
Typical e-mail details:
77 dead after train derails, splits apart in Spain
iReporter: ‘It was a horrific scene’
STORY HIGHLIGHTS
NEW: Train driver told police he entered the bend too fast, public broadcaster reports
NEW: Regional governor declares 7 days of mourning for the victims, broadcaster says
Witness: “The train was broken in half. … It was quite shocking"
77 people are dead, more bodies may be found, regional judicial official says
Madrid (CNN) — An express train derailed as it hurtled around a curve in northwestern Spain on Wednesday, killing at least 77 people and injuring more than 100, officials said. Full Story ...


Malicious URLs
caribbeancinemas .net/cheerfullest/index.html
sroehl .de/inpatient/index.html
evocarr .net/topic/accidentally-results-stay.php?wf=57552j302f&qe=302g572f5352572i572f&T=2d&XD=A&Zn=r
evocarr .net/topic/accidentally-results-stay.php?KVVWmNcvwPD=WJOsotrS&BTvKFG=felbOVVkanHPuB
evocarr .net/adobe/update_flash_player.exe


Screenshot: https://gs1.wac.edgecastcdn.net/801...e9f46f9a4/tumblr_inline_mqhv187d9o1qz4rgp.png
___

Malicious Facebook E-Mail Spam Campaigns
- http://threattrack.tumblr.com/post/56424852456/malicious-facebook-e-mail-spam-campaigns
July 25, 2013
"New Password Request:
> https://gs1.wac.edgecastcdn.net/801...362834db2/tumblr_inline_mqhvuapVxT1qz4rgp.png
Friend Request:
> https://gs1.wac.edgecastcdn.net/801...ed8746bc3/tumblr_inline_mqhw93PsWI1qz4rgp.png
Tagged Photos Notification:
> https://gs1.wac.edgecastcdn.net/801...05fdd9e5f/tumblr_inline_mqhvvvTHbs1qz4rgp.png
Subjects Seen:
You requested a new Facebook password
<Name> wants to be friends with you on Facebook.
<Name> tagged 2 photos of you on Facebook

Typical e-mail details:
New Password Request:
Hello,
You recently asked to reset your Facebook password.
Click here to change your password.
Friend Request:
<Name> wants to be friends with you on Facebook.
Tagged Photos Notification:
<Name> added 5 photos of you.


Malicious URLs
(Long list of URLs at the threattrack URL above.)

___

Incoming Fax Report Spam
- http://threattrack.tumblr.com/post/56436571606/incoming-fax-report-spam
July 25, 2013 - "Subjects Seen:
INCOMING FAX REPORT : Remote ID: <random>
Typical e-mail details:
*********************************************************
INCOMING FAX REPORT
*********************************************************
Date/Time: 07/25/2013 04:42:54 CST
Speed: 26606 bps
Connection time: 05:09
Pages: 6
Resolution: Normal
Remote ID:
Line number: 1
DTMF/DID:
Description: June Payroll
Click here to view the file online ...


Malicious URLs
funeralsintexas .com/someplace/index.html
keralahouseboatstourpackages .com/mansion/index.html
christinegreenmd .com/inductees/index.html
ente-gmbh .de/bragg/index.html
impresiona2 .net/topic/regard_alternate_sheet.php?uf=2i2h2f5653&Je=302g572f5352572i572f&Y=2d&kc=i&bN=Q
impresiona2 .net/topic/regard_alternate_sheet.php?Ef=2i2h2f5653&Le=56302d2f2h53562j2j55&a=2d&dV=l&JB=a
impresiona2 .net/adobe/update_flash_player.exe


Screenshot: https://gs1.wac.edgecastcdn.net/801...97200b195/tumblr_inline_mqi537QlWe1qz4rgp.png

Fake FAX SPAM - 2013vistakonpresidentsclub .com
- http://blog.dynamoo.com/2013/07/incoming-fax-report-spam.html
25 July 2013 - "This fake fax report spam (apparently from the Administrator at the Victim's domain) leads to malware on 2013vistakonpresidentsclub .com:
Date: Thu, 25 Jul 2013 10:32:10 -0600 [12:32:10 EDT]
From: Administrator [administrator @victimdomain]
Subject: INCOMING FAX REPORT : Remote ID: 1150758119
*********************************************************
INCOMING FAX REPORT
*********************************************************
Date/Time: 07/25/2013 02:15:22 CST
Speed: 23434 bps
Connection time: 09:04
Pages: 8
Resolution: Normal
Remote ID: 1150758119
Line number: 2
DTMF/DID:
Description: June Payroll
Click here to view the file online ...


The link in the spam leads to a legitimate -hacked- site and then on to one or more of these three intermediary scripts:
[donotclick]1954f7e942e67bc1.lolipop .jp/denominators/serra.js
[donotclick]internationales-netzwerk-portfolio .de/djakarta/opel .js
[donotclick]www.pep7 .at/hampton/riposts.js
From there, the victim is sent to a malware landing page at [donotclick]2013vistakonpresidentsclub .com/topic/regard_alternate_sheet.php which was hosted on 162.216.18.169 earlier today (like this spam*) and was presumably a hijacked GoDaddy domain. I can't tell for certain if this site is clean now or not, but it seems to be on 184.95.37.110 which is a Jolly Works Hosting IP, which has been implicated in malware before. I would personally block 184.95.37.96/28 to be on the safe side."
* http://blog.dynamoo.com/2013/07/cnn-perfect-gift-for-royal-baby-tree.html

** http://blog.dynamoo.com/search?q=jolly+works+hosting

Fake eBay, weather SPAM...

FYI...

Fake eBay SPAM / artimagefrance .com
- http://blog.dynamoo.com/2013/07/welcome-to-ebay-community-spam.html
26 July 2013 - "This fake eBay email leads to malware on artimagefrance .com:
Date: Fri, 26 Jul 2013 21:40:48 +0900 [08:40:48 EDT]
From: eBay [eBay@ reply1.ebay .com]
Subject: [redacted] welcome to the eBay community! ...


Screenshot: https://lh3.ggpht.com/-A3yIPZIZmr0/UfJ29Ko7f1I/AAAAAAAABnY/oICYwUwvGPU/s640/fake-ebay.png

The link in the email goes to a legitimate -hacked- site and then runs one or more scripts from the following list of three:
[donotclick]75.126.43.229 /deputy/clodhoppers.js
[donotclick]andywinnie .com/guessable/meteor.js
[donotclick]hansesquash .de/wimples/dunning.js
The victim is then sent to a malware landing page at [donotclick]artimagefrance .com/topic/accidentally-results-stay.php hosted on 184.95.37.110 (Secured Servers LLC, US / Jolly Works Hosting, Philippines). I would recommend blocking 184.95.37.96/28 in this case..."

... eBay Spam
- http://threattrack.tumblr.com/post/56515852365/welcome-to-ebay-spam
July 26, 2013 - "Subjects Seen:
<Name> welcome to the eBay community!
Typical e-mail details:
Welcome to eBay
The simpler way to save and shop
Start shopping ...


Malicious URLs
gwiz .de/balloonists/index.html
dialogueseriesonline .com/snag/index.html
dbrsnet .info/restore/index.html
b-able .gr/overshot/index.html
artimagefrance .com/adobe/update_flash_player.exe
artimagefrance .com/topic/accidentally-results-stay.php


Screenshot: https://gs1.wac.edgecastcdn.net/801...0ce8ba421/tumblr_inline_mqjq2fl7mw1qz4rgp.png
___

Fake Intellicast weather SPAM / artimagefrance .com
- http://blog.dynamoo.com/2013/07/intellicastcom-spam-artimagefrancecom.html
26 July 2013 - "This fake weather spam leads to malware on artimagefrance .com:
Date: Fri, 26 Jul 2013 02:46:26 -0800 [06:46:26 EDT]
From: "Intellicast.com" [weather @intellicast .com]
Subject: Intellicast.com [weather @intellicast .com]
Intellicast.com Weather E-mail - Thursday, Jul 25, 2013 3:38 AM
For the complete 10-Day forecast and current conditions, visit ...


The payload and infection technique is exactly the same as the one used here*."
* http://blog.dynamoo.com/2013/07/welcome-to-ebay-community-spam.html

Intellicast Weather Report Spam
- http://threattrack.tumblr.com/post/56517479825/intellicast-com-weather-report-spam
July 26, 2013 - "Subjects Seen:
Intellicast .com <weather@intellicast .com>
Typical e-mail details:
Intellicast .com Weather E-mail - Thursday, Jul 25, 2013 3:38 AM
For the complete 10-Day forecast and current conditions, visit Intellicast .com:
intellicast .com/Local/Weather.aspx?location=USNH0164


Malicious URLs
tohoradio .dx .am/depression/index.html
tohoradio .dx .am/packers/index.html
artimagefrance .com/adobe/update_flash_player.exe
artimagefrance .com/topic/accidentally-results-stay.php


Screenshot: https://gs1.wac.edgecastcdn.net/801...18f031633/tumblr_inline_mqjrk1Oilk1qz4rgp.png
___

Fake BoA transaction SPAM / payment receipt 26-07-2013 .zip
- http://blog.dynamoo.com/2013/07/bank-of-america-your-transaction-is.html
26 July 2013 - "This fake Bank of America spam has a malicious attachment:
Date: Fri, 26 Jul 2013 15:50:32 +0200 [09:50:32 EDT]
From: impairyd04 @gmail .com
Subject: Your transaction is completed
Transaction is completed. $09681416 has been successfully transferred.
If the transaction was made by mistake please contact our customer service.
Payment receipt is attached...


There is an attachment payment receipt 26-07-2013.zip which in turn contains the executable file payment receipt 26-07-2013.exe. This appears to be a Zbot variant with a pretty low detection rate of 9/46 at VirusTotal*. The Malwr report** is the most detailed for this sample, and Anubis also has some useful information. Of note is that there is network traffic to the following IPs that seem to be pretty common for this Zbot / Zeus variant..."
(Long list of URLs at the dynamoo URL above.)
* https://www.virustotal.com/en-gb/fi...2d4e3348640cb179d20d5802/analysis/1374847946/

** https://malwr.com/analysis/YmQwZGUwYTVjMDczNDVjNTlkOThkY2E0MDYyYjJkNmQ/
___

CNN Walking Dead News Alert Spam
- http://threattrack.tumblr.com/post/56519745779/cnn-walking-dead-news-alert-spam
July 26, 2013 - "Subjects Seen:
BreakingNews CNN: New season new ‘Walking Dead’
Typical e-mail details:
What you’ll see on the new ‘Walking Dead’
Before heading to Comic-Con in San Diego last weekend, the cast members of “The Walking Dead" were each given a folder with talking points about the upcoming fourth season.
The folders contained information on what the actors could and couldn’t say about the new episodes, which premieres October 13 on AMC. Although none of the actors could reveal the contents of the folders, it was clear that there are lots of secrets to be kept about where “The Walking Dead" will be headed when it returns.
Full Story »»


Malicious URLs
grupocelebrate .com .br/lozenge/index.html
stem.harrisonschools .org/optimization/index.html
grupocelebrate .com .br/saintlier/index.html
artimagefrance .com/adobe/update_flash_player.exe
artimagefrance .com/topic/accidentally-results-stay.php


Screenshot: https://gs1.wac.edgecastcdn.net/801...a9d1f4ea1/tumblr_inline_mqjthnGGfk1qz4rgp.png

Fake Facebook, Secured Message, HSBC E-Advice SPAM

FYI...

Fake Facebook SPAM - happykido .com
- http://blog.dynamoo.com/2013/07/facebook-spam-happykidocom.html
29 July 2013 - "This fake Facebook spam leads to malware on happykido .com:
Date: Mon, 29 Jul 2013 09:33:38 -0600 [11:33:38 EDT]
From: Facebook [update+zj4o40c2_aay @facebookmail .com]
Subject: Betsy Wells wants to be friends with you on Facebook.
Interesting Pages on Facebook
Mark as favorite web pages that interest you to receive their updates in your News Feed.
Betsy Wells
Baldric Aguino
Astrid Aggas
Deloris Bransfield
Perdita Brantz
Danelle Erstad
Daphne Escamilla
Giovanna Hadesty
Georgeann Habel
Hugh Campisi
Jake Callas ...


Apparently all these people look alike:
- https://lh3.ggpht.com/-CkL-FcPTPRE/UfaM-AwUVCI/AAAAAAAABoY/erhuMZqK_wg/s400/fake-facebook.png
This is a "ThreeScripts" attack, clicking the link goes to a legitimate hacked site which then tries to run one of the following:
[donotclick]system-hostings .info/aphrodisiac/nought.js
[donotclick]gc.sceonline .org/worsens/patronizingly.js
[donotclick]www.kgsindia .org/retell/manson.js
from there, the victim is sent to a malware landing page on a -hijacked- GoDaddy domain at [donotclick]happykido .com/topic/able_disturb_planning.php hosted on 50.2.138.161 (ServerHub Phoenix, US). There are several other hacked GoDaddy domains on the same server, all of which should be considered to be malicious.
Recommended blocklist:
50.2.138.161 ..."

- https://www.virustotal.com/en-gb/ip-address/50.2.138.161/information/
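Detection logic for the chain the quoted dynamoo posts describe (hacked site, intermediary .js, /topic/ landing page, /adobe/update_flash_player.exe payload, plus the /ponyb/gate.php check-in from the Key Secured Message post), as an added example that is not code from dynamoo, ThreatTrack or this thread. The proxy log format, client addresses and sample lines are constructed; the blocklisted IPs, the /28 and the URL shapes are taken from the posts above.

```python
"""Scan proxy logs for the infection chain described in the posts above:
hacked site -> intermediary .js -> /topic/<three_words>.php landing page
-> /adobe/update_flash_player.exe payload (and the Pony /ponyb/gate.php
check-in seen in the Key Secured Message post)."""
import ipaddress
import re
from datetime import datetime
from urllib.parse import urlsplit

# IPs and the /28 the quoted dynamoo posts recommend blocking.
BLOCKLIST = [ipaddress.ip_network(n) for n in (
    "162.216.18.169/32",  # nphscards .com landing host (Linode)
    "184.95.37.96/28",    # Jolly Works Hosting range (artimagefrance .com)
    "50.2.138.161/32",    # happykido .com landing host (ServerHub)
    "66.175.217.235/32",  # deltamarineinspections .net landing host (Linode)
    "198.57.130.34/32",   # Pony gate host (webmail.alsultantravel .com)
)]

# URL shapes that recur across the campaigns quoted above.
LANDING_RE = re.compile(r"^/topic/[a-z]+[-_][a-z]+[-_][a-z]+\.php$")
PAYLOAD_RE = re.compile(r"^/adobe/update_flash_player\.exe$")
PONY_RE = re.compile(r"^/ponyb/gate\.php$")

# Hypothetical (constructed) log format: "<iso-timestamp> <client> <dst_ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")

# Constructed sample lines; the malicious hostnames are the defanged ones from the posts, re-joined.
SAMPLE_LOG = """\
2013-07-26T08:41:02 10.0.0.17 203.0.113.5 GET http://hacked-site.example/wimples/dunning.js 200
2013-07-26T08:41:03 10.0.0.17 184.95.37.110 GET http://artimagefrance.com/topic/accidentally-results-stay.php 200
2013-07-26T08:41:09 10.0.0.17 184.95.37.110 GET http://artimagefrance.com/adobe/update_flash_player.exe 200
2013-07-26T08:45:00 10.0.0.23 198.51.100.9 GET http://news.example/topic/index.php 200
2013-07-29T10:12:40 10.0.0.31 198.57.130.34 POST http://webmail.alsultantravel.com/ponyb/gate.php 200
""".splitlines()


def classify(url, dst_ip):
    """Return the set of chain stages a single request matches (empty if none)."""
    tags = set()
    path = urlsplit(url).path  # query strings like ?wf=57552j... are ignored on purpose
    if LANDING_RE.match(path):
        tags.add("landing")
    if PAYLOAD_RE.match(path):
        tags.add("payload")
    if PONY_RE.match(path):
        tags.add("pony-gate")
    try:
        if any(ipaddress.ip_address(dst_ip) in net for net in BLOCKLIST):
            tags.add("blocklisted-ip")
    except ValueError:  # dst field was not an address (e.g. "-" on a DNS failure)
        pass
    return tags


def scan(lines):
    """Parse log lines and keep only those matching a stage: (ts, client, host, tags)."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; a real deployment would count these
        ts, client, dst_ip, _method, url, _status = m.groups()
        tags = classify(url, dst_ip)
        if tags:
            hits.append((datetime.fromisoformat(ts), client, urlsplit(url).hostname, tags))
    return hits


def correlate(hits, window=300):
    """High-confidence verdicts: a client that fetched a landing page and then the
    fake Flash payload from the same host within `window` seconds. A lone landing
    hit may be a 403 or a sandbox probe; the follow-on .exe is the stronger signal."""
    last_landing = {}
    verdicts = []
    for ts, client, host, tags in sorted(hits, key=lambda h: h[0]):
        key = (client, host)
        if "landing" in tags:
            last_landing[key] = ts
        if "payload" in tags and key in last_landing:
            if 0 <= (ts - last_landing[key]).total_seconds() <= window:
                verdicts.append(key)
    return verdicts


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for ts, client, host, tags in found:
        print(ts.isoformat(), client, host, ",".join(sorted(tags)))
    for client, host in correlate(found):
        print(f"ALERT {client} fetched landing page and payload from {host}")
```

The blocklist check only fires on a literal destination address in the log, so a proxy that logs the resolved server IP gives the most value; the path patterns work either way.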
___

Fake "Key Secured Message" SPAM / SecureMessage .zip
- http://blog.dynamoo.com/2013/07/key-secured-message-spam.html
29 July 2013 - "This spam has a malicious attachment:
Date: Mon, 29 Jul 2013 06:08:44 -0800 [10:08:44 EDT]
From: "Marcia_Manning @key .com" [Marcia_Manning @key .com]
Subject: Key Secured Message
You have received a Secured Message from:
Marcia_Manning @key .com
The attached file contains the encrypted message that you have received. To decrypt the
message use the following password - nC4WR706
To read the encrypted message, complete the following steps:
- Double-click the encrypted message file attachment to download the file to your
computer.
- Select whether to open the file or save it to your hard drive. Opening the file
displays the attachment in a new browser window.
- The message is password-protected, enter your password to open it. This e-mail and any
attachments are confidential and intended solely for the addressee and may also be
privileged or exempt from
disclosure under applicable law. If you are not the addressee, or have received this
e-mail in error, please notify the sender
immediately, delete it from your system and do not copy, disclose or otherwise act upon
any part of this e-mail or its attachments...


The attachment SecureMessage.zip contains an executable SecureMessage.exe which has to be unencrypted with the password supplied in the email ( which is kind of stupid for a supposedly secure mail), and this has a VirusTotal detection rate of just 6/46*. The Malwr analysis** shows that this is a pony/gate downloader, first downloading from [donotclick]webmail.alsultantravel .com/ponyb/gate.php on 198.57.130.34 (Unified Layer / Bluehost, US) and then downloading one of the following:
[donotclick]a1bridaloutlet .co .uk/aiswY6.exe (5/45)
[donotclick]www.giftedintuitive .com/kQYjoPqY.exe (11/46)
[donotclick]198.61.134.93 /MM75.exe (5/45)
[donotclick]paulalfrey .com/guBwFA.exe (5/46)
Recommended blocklist:
198.57.130.34
198.61.134.93
..."
* https://www.virustotal.com/en-gb/fi...507d6fea2623163bab0e62c9/analysis/1375109054/

- https://www.virustotal.com/en-gb/ip-address/198.57.130.34/information/

- https://www.virustotal.com/en-gb/ip-address/198.61.134.93/information/

** https://malwr.com/analysis/YWJiMDkyNjdhY2Y3NGFkY2I3MmNlMjBlMjAxZWVhMmU/

Key.com Secured Message Spam
- http://threattrack.tumblr.com/post/56785961967/key-com-secured-message-spam
July 29, 2013 - "Subjects Seen:
Key Secured Message
Typical e-mail details:
You have received a Secured Message from:
<removed>@key .com
The attached file contains the encrypted message that you have received.
To decrypt the message use the following password - <removed>
To read the encrypted message, complete the following steps:
- Double-click the encrypted message file attachment to download the file to your computer.
- Select whether to open the file or save it to your hard drive. Opening the file displays the attachment in a new browser window.
- The message is password-protected, enter your password to open it.
This e-mail and any attachments are confidential and intended solely for the addressee and may also be privileged or exempt from disclosure under applicable law...


Malicious URLs
198.57.130.35 :8080/ponyb/gate.php
webmail.alsultantravel .info:8080/ponyb/gate.php
alsultantravel .com:8080/ponyb/gate.php
webmail.alsultantravel .com:8080/ponyb/gate.php
a1bridaloutlet .co.uk/aiswY6.exe
giftedintuitive .com/kQYjoPqY.exe
198.61.134.93 /MM75.exe
paulalfrey .com/guBwFA.exe

Malicious File Name
and MD5:
SecureMessage.zip (01CC5CE52FC839EBCE6497FB88B1781F)
SecureMessage.exe (81129764C62417D5B06C73E6FAD838A5)

Screenshot: https://gs1.wac.edgecastcdn.net/801...a953064e7/tumblr_inline_mqpdwp4v541qz4rgp.png
___

HSBC E-Advice Spam
- http://threattrack.tumblr.com/post/56785714666/hsbc-e-advice-spam
July 29, 2013 - "Subjects Seen:
HSBC E-Advice
Typical e-mail details:
Please find attached your Advice containing information on your transactions of last working day with the bank.
Please do not reply to this e-mail address. If you have any queries, please contact our Customer Services.
Yours faithfully
HSBC Bank


Malicious URLs
198.57.130.35 :8080/ponyb/gate.php
webmail.alsultantravel .info:8080/ponyb/gate.php
alsultantravel .com:8080/ponyb/gate.php
webmail.alsultantravel .com:8080/ponyb/gate.php
wx04.strato-wlh .de/EggT.exe
labycar .com/Zi6L.exe
208.112.50.5 /c38QVmd.exe
s148231503.onlinehome .us/y3R.exe

Malicious File Name
and MD5:
HSBC_advice.zip (6C5A65A05E72ADFC64318E7730199192)
HSBC_advice.exe (E1DBB4BE2A7AE2180100A02C5E3E2D95)

Screenshot: https://gs1.wac.edgecastcdn.net/801...f5b526fcc/tumblr_inline_mqpdol30Ux1qz4rgp.png
___

FedEx Shipment Notification Spam
- http://threattrack.tumblr.com/post/56791204438/fedex-shipment-notification-spam
July 29, 2013 - "Subjects Seen:
FedEx Shipment Notification
Typical e-mail details:
This tracking update has been requested and attached to this email
Reference information includes: Invoice number, Reference, Special handling/Services, Residential Delivery. Reference information is attached to this email.
Tracking number: <removed>
To track the latest status of your shipment, click on the tracking number above, or visit us at fedex .com...
This tracking update has been sent to you by FedEx on the behalf of the Requestor noted above. FedEx does not validate the authenticity of the requestor and does not validate, guarantee or warrant the authenticity of the request, the requestor’s message, or the accuracy of this tracking update...
Thank you for your business.


Malicious File Name and MD5:
FedEx Notification.zip (7CFE2BE8E249E9A05664CB2E4BABD6AC)
FedEx Notification_.PDF.exe (E4EC9F6232A272EA76B65F94A86FF184)
FedEx Reference information.zip (F28D58D5CA4910495DBB786E8AC0E5D3)
FedEx Reference information.pdf.exe (CE23868B4F645A39CBB6AE98796346CB)

Screenshot: https://gs1.wac.edgecastcdn.net/801...fc94a77d3/tumblr_inline_mqphqrDK0H1qz4rgp.png
___

DocuSign Confidential Company Agreement Spam
- http://threattrack.tumblr.com/post/56792357413/docusign-confidential-company-agreement-spam
July 29, 2013 - "Subjects Seen:
Completed: Please DocuSign this document : Confidential Company Agreement 2013..pdf
Typical e-mail details:
Your document has been completed
Sent on behalf of DocuSign Support.
All parties have completed the envelope ‘Please DocuSign this document: 2013 Company Contracts..pdf’.
To view, download or print the completed document click below.
View in DocuSign


Malicious URLs
thealphatechnologies .com/interlaces/index.html
digitalcaptive .net/chickpea/index.html
ftp(DOT)kirchdach .at/kimonos/index.html
webmail.alsultantravel .com:8080/ponyb/gate.php
happykiddoh .com/topic/able_disturb_planning.php
happykiddoh .com/adobe/update_flash_player.exe


Screenshot: https://gs1.wac.edgecastcdn.net/801...4c3dadf91/tumblr_inline_mqpiivHReI1qz4rgp.png

More here:
- https://www.virustotal.com/en-gb/ip-address/198.57.130.34/information/
"... domains resolved to the given IP address...
... Latest URLs hosted in this IP address detected by at least one URL scanner or malicious URL dataset..."
___

Visa Recent Transactions Report Spam
- http://threattrack.tumblr.com/post/56814041368/visa-recent-transactions-report-spam
July 29, 2013 - "Subjects Seen:
VISA - Recent Transactions Report
Typical e-mail details:
Dear Visa card holder,
A recent review of your transaction history determined that your card was used in possible fraudulent transactions. For security reasons the requested transactions were refused. Please carefully review electronic report for your VISA card.
For more details please see the attached transaction report.
Augustus_Molina
Data Protection Officer
VISA EUROPE LIMITED
1 Sheldon Square
London W2 6WH
United Kingdom


Malicious URLs
asam.atspace .eu/windsocks/index.html
deltaboatworks .net/adobe/update_flash_player.exe
deltaboatworks .net/topic/able_disturb_planning.php


Screenshot: https://gs1.wac.edgecastcdn.net/801...8c499bc02/tumblr_inline_mqpvicYWPV1qz4rgp.png

Fake CNN Angelina Jolie SPAM, Pharma - Malware sites to block

FYI...

Fake CNN Angelina Jolie SPAM / deltadazeresort .net
- http://blog.dynamoo.com/2013/07/cnn-angelina-jolie-tops-list-of-highest.html
30 July 2013 - "This fake CNN spam leads to malware on deltadazeresort .net:
Date: Tue, 30 Jul 2013 17:52:54 +0330 [10:22:54 EDT]
From: CNN [BreakingNews @mail .cnn .com]
Subject: CNN: Forbes: Angelina Jolie tops list of highest-paid actresses
Forbes: Angelina Jolie tops list of highest-paid actresses
By Sheridan Watson, EW.com
July 29, 2013 -- Updated 2014 GMT (0414 HKT)
Agelina Jolie attends a June 2013 premiere of Brad Pitt's movie, "World War Z" ...


Screenshot: https://lh3.ggpht.com/-PEc8KASFfZ4/UffZuOm5_fI/AAAAAAAABo8/ek411jNZMr0/s400/jolie.png

The link in the email goes to a legitimate -hacked- site and then to one or more of three scripts:
[donotclick]00002nd.rcomhost .com/immanent/surfeit.js
[donotclick]theplaidfox .com/bulbs/falcon.js
[donotclick]sandbox.infotraxdevdocs .com/afforestation/provosts.js
From there the victim is sent to a landing page at [donotclick]deltadazeresort .net/topic/able_disturb_planning.php. At the time of writing this hijacked GoDaddy domain does not resolve, but it was recently hosted on the following IPs alongside these other hacked GoDaddy domains:
66.175.217.235 (Linode, US)
173.246.104.136 (Gandi, US) ..."

CNN Angelina Jolie Spam
- http://threattrack.tumblr.com/post/56879888289/cnn-angelina-jolie-spam
July 30, 2013 - "Subjects Seen:
CNN: Forbes: Angelina Jolie tops list of highest-paid actresses
Typical e-mail details:
(EW.com) — She might not get paid as much as “Iron Man," but there’s no doubt that celestial beauty Angelina Jolie is smiling all the way to the bank.
This year, Jolie topped Forbes’ annual list of the highest-paid actresses in Hollywood with an incredibly robust $33 million.


Malicious URLs
gbheatings .com/thou/index.html
casa-dor .com/bookstore/index.html
deltadazeresort .net/topic/able_disturb_planning.php
deltadazeresort .net/adobe/update_flash_player.exe


Screenshot: https://gs1.wac.edgecastcdn.net/801...b487022a8/tumblr_inline_mqr8k5iSDk1qz4rgp.png
___

Pharma sites to block 30/7/13
- http://blog.dynamoo.com/2013/07/pharma-sites-to-block-30713.html
30 July 2013 - "These IPs host (fake) pharma sites which seem to be associated with this gang* and share some of their infrastructure. As far as I can tell, none of them host malware.. but the IPs involved could be repurposed as malware servers and blocking them might be prudent...
Recommended blocklist:
..."
(More listed at the dynamoo URL above.)
* http://blog.dynamoo.com/search/label/Amerika
___

Malware sites to block 30/7/13
- http://blog.dynamoo.com/2013/07/malware-sites-to-block-30713.html
30 July 2013 - "These sites and IPs are associated with this gang*, and are either currently in use or they have been in use recently. The list has individual IPs and web hosts first, followed by a plain list of recommended items to block..."
(Long list of IPs at the dynamoo URL above.)
* http://blog.dynamoo.com/search/label/Amerika
___

Fake Pinterest password SPAM / onsayoga .net
- http://blog.dynamoo.com/2013/07/your-password-on-pinterest-was.html
30 July 2013 - "This fake Pinterest spam leads to malware on onsayoga .net:
Date: Tue, 30 Jul 2013 11:17:28 -0500 [12:17:28 EDT]
From: Pinterest [caulksf8195 @customercare .pinterrest .net]
Subject: Your password on Pinterest was Successfully modified!
A Few Updates...
[redacted]
Changing your password is complete. Please use the link below within 24 hours. reset. Receive New Password to email.
Ask for a New Password
Pinterest is a tool for collecting and organizing things you love.
This email was sent to [redacted].


Screenshot: https://lh3.ggpht.com/-RA2Ds5rYUic/UfgEta3g9TI/AAAAAAAABpM/1ptRb_zTs_c/s400/pinterest.png

The link goes through a legitimate -hacked- site and then on to [donotclick]www .pinterest.com.onsayoga .net/news/pinterest-paswword-changes.php (report here*) which is hosted on the following IPs:
95.111.32.249 (Megalan EAD, Bulgaria)
122.128.109.46 (Ximbo / CPCnet, Hong Kong)
209.222.67.251 (Razor Inc, US)
These IPs are controlled by this gang** and form part of this large network*** of malicious IPs and domains. I recommend you use -that- list in conjunction with blocking onsayoga .net."
* http://urlquery.net/report.php?id=4226343

** http://blog.dynamoo.com/search/label/Amerika

*** http://blog.dynamoo.com/2013/07/malware-sites-to-block-30713.html
___

Fake eBay SPAM / deltamarineinspections .net
- http://blog.dynamoo.com/2013/07/ebay-ready-to-get-started-heres-how.html
30 July 2013 - "There is currently an eBay-themed "ready to get started? Here’s how" spam run active, effectively almost the same as this one*, except this time there is a new set of intermediate scripts and payload page. The three scripts** involved are:
[donotclick]03778d6.namesecurehost .com/meaningful/unsnapping.js
[donotclick]icontractor .org/followings/trolloped.js
[donotclick]tvassist .co .uk/plead/grueled.js
..leading to a payload page at [donotclick]deltamarineinspections .net/topic/able_disturb_planning.php on 66.175.217.235 (Linode, US). The domains in use are -hijacked- from a GoDaddy account and belong to the same poor sod that lost control of the ones here***.
Recommended blocklist:
66.175.217.235
deltaboatraces .net
deltaboatworks .net
deltadazeresort .net
deltamarineinspections .net
deltarentalcenter .net
deltariverhouse .net
deltayachtclub .net
..."
* http://blog.dynamoo.com/2013/07/welcome-to-ebay-community-spam.html

** http://blog.dynamoo.com/search/label/ThreeScripts

*** http://blog.dynamoo.com/2013/07/cnn-angelina-jolie-tops-list-of-highest.html
___

Fake Facebook SPAM again / deltaoutriggercafe .com
- http://blog.dynamoo.com/2013/07/facebook-spam-deltaoutriggercafecom.html
30 July 2013 - "These guys are busy. This fake Facebook spam leads to malware on deltaoutriggercafe .com:
Date: Tue, 30 Jul 2013 15:05:25 -0500 [16:05:25 EDT]
From: Facebook [no-reply @facebook .com]
Subject: Issac Dyer wants to be friends with you on Facebook.
facebook
Issac Dyer wants to be friends with you on Facebook.
University of Houston, Victoria
342 friends - 28 photos
Confirm Request
See All Requests
This message was sent to [redacted]...


I don't know about you, but I think Isaac looks a bit like a girl:
> https://lh3.ggpht.com/-pCmjcU0ocQs/Ufgp_qXf_XI/AAAAAAAABpc/L5SzS_CfCVA/s1600/facebook.png
Predictably, clicking on the link in the email leads to a legitimate hacked site and then the same redirector scripts found in this spam run*. However, in this case the target has now changed to [donotclick]deltaoutriggercafe .com/topic/able_disturb_planning.php which is hosted on 66.175.217.235 (Linode, US) along with a whole bunch of other similar domains that have been -hijacked- from GoDaddy.
Recommended blocklist:
66.175.217.235
deltaboatraces .net
deltaboatworks .net
deltadazeresort .net
deltamarineinspections .net
deltaoutriggercafe .com
deltarentalcenter .net
deltariverhouse .net
deltayachtclub .net
..."
* http://blog.dynamoo.com/2013/07/ebay-ready-to-get-started-heres-how.html

Fake IRS SPAM, Threat Outbreak Alerts ...

FYI...

Threat Outbreak Alerts
- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Fake Bank Deposit Notification Email Messages - 2013 Jul 31
Fake Online Banking Software Security Update Email Messages [Trusteer] - 2013 Jul 31
Fake Customer Complaint Attachment Email Messages - 2013 Jul 31
Fake Product Services Specification Request Email Messages - 2013 Jul 31
(More detail and links at the cisco URL above.)
___

IRS Tax Payment Rejected Spam
- http://threattrack.tumblr.com/post/56980373227/irs-tax-payment-rejected-spam
July 31, 2013 - "Subjects Seen:
Your FED TAX payment ( ID : <removed> ) was Rejected
Typical e-mail details:
... Your federal Tax payment (ID: <removed>), recently sent from your checking account was returned by the your financial institution.
For more information, please visit the following link -eftps.com/eftps/payments/history/detail/view?eft=
Transaction Number: <removed>
Payment Amount: $ 7882.00
Transaction status: Rejected
ACH Trace Number: <removed>
Transaction Type: ACH Debit Payment-DDA


Malicious URLs
diyhomeimprovementtips .com/clunkier/index.html
ossjobs .com/tangled/index.html
singular-cy .com/throughout/index.html
deltaoutriggercafe .com/adobe/update_flash_player.exe
deltaoutriggercafe .com/topic/regard_alternate_sheet.php


Screenshot: https://gs1.wac.edgecastcdn.net/801...bf176a4e5/tumblr_inline_mqt7s5cWsD1qz4rgp.png

Pump and dump SPAM, Blackhole status ...

FYI...

Pump and dump SPAM - Biostem ...
- http://blog.dynamoo.com/2013/08/pump-and-dump-spam-flogs-dead-horse.html
1 August 2013 - "About a month-and-a-half ago* I had a look at the pump-and-dump spam promoting Biostem U.S. Corporation (HAIR)** when it was trading at around $0.30. Surprisingly, the pump-and-dump spam is still ongoing which will make it nearly two months of spam on one single stock..
This Company Will Make an Impressive Recovery! It is the answer
to your portfolio troubles!
Date: August 1st
Long Term Target: .85
Per share price: .035
Ticker: HAI_R
Name: Biostem Corp.
You might want to sit down before reading this... Stocks To
Look At!

So, out of curiosity I schlepped across to look at their stock price and was slightly surprised to see that it has lost around 90% of its value since the spam run started. What happened? Well, on 19th July the stock price fell off a cliff when rather predictably Biostem announced that it was shutting up shop***, and looking at news reports there seems to be little chance of recovery.
Screenshot: https://lh3.ggpht.com/-itbe0rPDyM4/UfoPa4iKsjI/AAAAAAAABpw/CC1UsgfthSQ/s1600/biostem5.png
But now with shares bouncing along at around the 3 to 4 cents mark the pump-and-dump seems to be continuing, and since the collapse it appears that around 9.6 million shares have been traded, which is about 8.4% of the total equity. At today's prices those shares are worth about $336,000. A little over a year ago, on May 28th 2012, Biostem stock peaked at $439 per share, at close of business yesterday they were just 3.5 cents.. a 99.2% drop. Somebody has certainly taken a haircut on these stocks.. "
* http://blog.dynamoo.com/2013/06/hair-biostem-pump-and-dump-rakes-in.html

** http://www.nasdaq.com/symbol/hair

*** http://www.nasdaq.com/press-release/biostem-us-corporation-suspends-operations-20130717-01105
___

Current State of the Blackhole Exploit Kit
- http://blog.trendmicro.com/trendlab...e-current-state-of-the-blackhole-exploit-kit/
July 31, 2013 9:42 pm (UTC-7) - "The Blackhole Exploit Kit is one of the most notorious exploit kits currently in circulation among the cybercriminal underground today. Thus, we continuously monitor for incidents and attacks involving the exploit kit itself. Last week we reported about the spam campaign leveraging the birth of Prince William’s and Kate Middleton’s son. Our analysis of the campaign yielded its connection to other currently-ongoing campaigns that used other recent news events, such as the controversy surrounding the upcoming movie Ender’s Game. Some of the other connected campaigns also used Facebook and eBay as lures to get users to click malicious links.
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2013/07/bhekEbay1.jpg
The volume of spammed messages related to this spam run reached up to 0.8% of all spam messages collected during the time period — a relatively large percentage compared to other runs. We’ve also identified a list of countries that we detect where the bulk of the spam is coming from...
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2013/07/newbhektable2.png
... These recent developments regarding this particular exploit kit can certainly be disconcerting, but nothing particularly new in regards to BHEK being used in new, unpredictable ways. What we can glean from this, however, is that even such an old approach is still effective in getting victims, which means that more users need to be protected about this threat... Infection can be avoided by extra vigilance by users on not clicking on the links that present themselves through suspicious mails such as these. Other precautions include: always installing the latest Java security update... and using a web reputation security product..."
___

UPS Package Pickup Spam
- http://threattrack.tumblr.com/post/57066116667/ups-package-pickup-spam
Aug. 1, 2013 - "Subjects Seen:
UPS - Your package is available for pickup ( Parcel <removed> )
Typical e-mail details:
The courier company was not able to deliver your parcel by your address.
Cause: Error in shipping address.
You may pickup the parcel at our post office.
Please attention!
For mode details and shipping label please see the attached file.
Print this label to get this package at our post office.
Please do not reply to this e-mail, it is an unmonitored mailbox!
Thank you,
UPS Logistics Services.


Malicious URLs
bettersigns .net/ponyb/gate.php
50.57.185.72 :8080/ponyb/gate.php
arki .com :8080/ponyb/gate.php
web1w3.nfrance .com/bzfBGWP.exe
serw.myroitracking .com/kQYjoPqY.exe
442594-web1.youneedmedia .com/MM75.exe
ftp(DOT)jason-tooling .com/nhdx.exe

Malicious File Name and MD5:
UPS_Label_<date>.zip (199C2A4EED41CF642FBDDF60949A1DD3)
UPS-Label_<date>.exe (E1388381884E7434A0A559CAED63B677)

Screenshot: https://gs1.wac.edgecastcdn.net/801...1a4aa1a7d/tumblr_inline_mquwubWDl91qz4rgp.png

Fake AMEX, MoneyGram SPAM...

FYI...

Fake American Express Alerts
- https://isc.sans.edu/diary.html?storyid=16285
Last Updated: 2013-08-02 16:20:31 UTC - "Right now we are seeing -fake- American Express account alerts*. The alerts look very real, and will trick the user into clicking on a link that may lead to malware. As many of these attacks, the exact destination will heavily depend on the browser used. Antivirus does recognize the intermediate scripts as malicious and should warn the user if configured to inspect web content."
* https://isc.sans.edu/diaryimages/images/Screen Shot 2013-08-02 at 12_08_22 PM.png

American Express Spending Notification Spam
- http://threattrack.tumblr.com/post/57162394091/american-express-spending-notification-spam
Aug. 2, 2013 - "Subjects Seen:
Account Alert: Recent Charge Approved
Typical e-mail details:
Dear Customer,
Spend Activity since your last statement close date has reached the notification amount you set for your account.


Malicious URLs
blackamber .net/ulnq.html
medialifegroup .com/~medialifeyerel/xkaq.html
drstephenlwolman .com/topic/sessions-folk-binds.php
northernforestcanoetrail .com/adobe/update_flash_player.exe


Screenshot: https://gs1.wac.edgecastcdn.net/801...ce4217497/tumblr_inline_mqwugv1PGc1qz4rgp.png
___

MoneyGram Payment Notification Spam
- http://threattrack.tumblr.com/post/57160949542/moneygram-payment-notification-spam
Aug. 2, 2013 - "Subjects Seen:
Payment notification email
Typical e-mail details:
Dear client!
You are receiving this notification because of you have been received the payment.
It may take a few moment for this transaction to appear in the Recent Activity list on your account page.
Payment details
Transaction sum: 950 USD
Transaction date: 2013/08/02
View the details of this transaction online
Thank you for using MoneyGram services!


Malicious URLs
blackamber .net/ulnq.html
medialifegroup .com/~medialifeyerel/xkaq.html
drstephenlwolman .com/topic/sessions-folk-binds.php
northernforestcanoetrail .com/adobe/update_flash_player.exe


Screenshot: https://gs1.wac.edgecastcdn.net/801...2b56de84d/tumblr_inline_mqwtbf4BM61qz4rgp.png
___

NACHA Direct Deposit was Declined Spam
- http://threattrack.tumblr.com/post/57171844820/nacha-direct-deposit-was-declined-spam
2 August 2013 - "Subjects Seen:
Direct Deposit payment was declined
Typical e-mail details:
Attn: Chief Accountant
Please be informed, that your most recent Direct Deposit payment (<removed>) was cancelled,because your business software package was out of date. Please use the link below to enter the secure section of our web site and see the details::
Click here for more information
Please refer to your financial institution to obtain your updated version of the software needed.
Sincerely yours
ACH Network Rules Department


Malicious URLs
24-7datura .com/wp-sts.php?2HWU2JNHOTU80DVU
zippierearliest .in/closest/i9jfuhioejskveohnuojfir.php


Screenshot: https://gs1.wac.edgecastcdn.net/801...b351064e7/tumblr_inline_mqx0zsTrzI1qz4rgp.png
___

Fake Discover Card SPAM / capitalagreements .com
- http://blog.dynamoo.com/2013/08/your-most-recent-payment-has-been.html
2 August 2013 - "This fake Discover Card spam leads to malware on capitalagreements .com:
Date: Fri, 2 Aug 2013 20:41:09 +0200 [14:41:09 EDT]
From: Discover Card [dontrply .service.discovercard .com]
Reply-To: dontrply @service.discovercard .com
Discover
Access My Account
ACCOUNT CONFIRMATION Statements | Payments | Rewards
Your most recent payment has been processed.
Dear Customer,
This e-mail is to confirm that we have processed your most recent payment. Please remember to use your new information the next time you log in.
To view more details please click here.
Log In to review your account details or to make additional changes...


Screenshot: https://lh3.ggpht.com/-8026dlem4nw/UfwAlX00pnI/AAAAAAAABqk/FgzguSvT0yk/s1600/discover-card.png

The link in the email goes to a legitimate -hacked- site and then one to three scripts as follows:
[donotclick]ekaterini.mainsys .gr/overspreading/hermaphrodite.js
[donotclick]sisgroup .co .uk/despairs/marveled.js
[donotclick]psik.aplus .pl/christian/pickford.js
After that, the victim is directed to the malware landing page at [donotclick]capitalagreements .com/topic/regard_alternate_sheet.php which is a hijacked GoDaddy domain hosted on 66.228.60.243 (Linode, US), along with several other hijacked domains.
The attack is fundamentally the same as this American Express themed malspam run described here*.
Recommended blocklist:
66.228.60.243
northernforestcanoetrail .com
northforestcanoetrail .org
yourcaribbeanconnection .com
capitalagreements .com
buyfranklinrealty .com
franklinrealtyofcc .com
frccc. com
sellcitruscountyrealestate .com
"
* http://techhelplist.com/index.php/spam-list/293-account-alert-recent-charge-approved-malware

Fake Apple Store Gift Card SPAM

FYI...

Fake Apple Store Gift Card SPAM ...
- http://threattrack.tumblr.com/post/57701798476/apple-store-gift-card-spam
August 9, 2013 - "Subjects Seen:
Apple Store Gift Card
Typical e-mail details:
Apple Store Gift Card
Dear client! You got our $100 Apple Store Gift Card.
Apple Store Gift Cards can be applied to buy Apple hardware and accessories at any Apple Retail Store, the Apple Online Store,
or over the phone by calling 1-800-MY-APPLE.
Please follow the link or read the attachment to get the Apple Store Gift Card code.


Malicious URLs
kidscareinternationalschool .com/f2eyvyj.html
nsmontessoricenter .com/fz13t.html
stevecozz .com/topic/sessions-folk-binds.php

Malicious File Name and MD5:
GiftCard28493.zip (F4B3986EE1828BDCDD46EE412BE0BA61)
Apple gift card.exe (74CFF87704AEC030D7AD1171366AFF87)

Screenshot: https://gs1.wac.edgecastcdn.net/801...10a0a0525/tumblr_inline_mr7syuZiMr1qz4rgp.png

- http://blog.webroot.com/2013/08/09/...mails-serve-client-side-exploits-and-malware/
August 9, 2013 - "Apple Store users, beware! A currently ongoing malicious spam campaign is attempting to trick users into thinking that they’ve successfully received a legitimate ‘Gift Card’ worth $200. What’s particularly interesting about this campaign is that the cybercriminal(s) behind it are mixing the infection vectors by relying on both a malicious attachment and a link to the same malware found in the malicious emails. Users can become infected by either executing the attachment or by clicking on the client-side exploits serving link found in the emails...
Sample screenshot of the spamvertised email:
> http://webrootblog.files.wordpress....its_malicious_software_social_engineering.png
... MD5: 74cff87704aec030d7ad1171366aff87 * ... UDS:DangerousObject.Multi.Generic; PWSZbot-FBX!74CFF87704AE.
... sampled client-side exploit: MD5: 91cb051d427bd7b679e1abc99983338e ** ... Mal/ExpJava-F..."
(More detail at the webroot URL above.)
* https://www.virustotal.com/en/file/...836266674db1e502fd4ff9d7728ec52a794/analysis/
File name: Apple gift card.exe
Detection ratio: 24/44
Analysis date: 2013-08-09 14:03:28 UTC
** https://www.virustotal.com/en/file/...adfdd5dbb3683a87f2bd1cbc963b09a9a36/analysis/
File name: java-exploit-from-173.246.105.15.jar
Detection ratio: 4/45
Analysis date: 2013-08-11 05:11:11 UTC

- https://www.virustotal.com/en/ip-address/173.246.105.15/information/

Diagnostic page for AS29169 (GANDI-AS)
- http://google.com/safebrowsing/diagnostic?site=AS:29169
"... over the past 90 days, 204 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2013-08-12, and the last time suspicious content was found was on 2013-08-11... we found 12 site(s) on this network... that appeared to function as intermediaries for the infection of 71 other site(s)... this network has hosted sites that have distributed malicious software in the past 90 days. We found 91 site(s)... that infected 407 other site(s)..."

Hack threatens outdated Joomla sites

FYI...

Hack threatens outdated Joomla sites
- http://krebsonsecurity.com/2013/08/simple-hack-threatens-oudated-joomla-sites/
Aug. 12, 2013 - "If you run a site powered by the Joomla content management system and haven’t yet applied a critical update for this software released less than two weeks ago, please take a moment to do that: A trivial exploit could let users inject malicious content into your site, turning it into a phishing or malware trap for visitors. The patch* released on July 31, 2013 applies to Joomla 2.5.13 and earlier 2.5.x versions, as well as Joomla 3.1.4 and earlier 3.x versions... For sites powered by unsupported versions of Joomla (1.5.x, and a cursory Google search indicates that there are tens of thousands of these 1.5.x sites currently online), attackers do not even need to have an account on the Joomla server for this hack to work... Earlier this month, security firm Arbor Networks warned** that it was tracking a Web site botnet dubbed “Fort Disco” which was made up of hacked Joomla and WordPress sites. Earlier in the year, Web site security firm Incapsula*** said it had tracked more than 90,000 Web sites powered by WordPress that were backdoored with malicious code."
* http://developer.joomla.org/security/news/563-20130801-core-unauthorised-uploads

** http://www.arbornetworks.com/asert/2013/08/fort-disco-bruteforce-campaign/

*** http://krebsonsecurity.com/2013/04/brute-force-attacks-build-wordpress-botnet/

- https://net-security.org/secworld.php?id=15407
14 August 2013

- https://secunia.com/advisories/54326/
Release Date: 2013-08-02
Where: From remote
Impact: System access
Solution Status: Vendor Patch
Software: Joomla! 2.x, 3.x
... vulnerability is confirmed in version 3.1.4 and reported in versions prior to 2.5.14 and 3.1.5.
Solution: Update to version 2.5.14 or 3.1.5 *

- https://atlas.arbor.net/briefs/index#-740710151
High Severity
August 16, 2013 23:24
Joomla is a hot target for attackers of varying motives. This recent security patch should be installed in order to reduce attacks.
Analysis: Thousands of compromised Joomla sites are currently being used in botnets and vulnerabilities like this make the attackers' job even easier. The fact that this security hole was used to attack financial users in Europe, the Middle East and Asia and re-direct them to the popular Black Hole Exploit Kit is a testament to the criminal value of such security holes. Financial users mean money and bank accounts and other types of access so it is a smart attack on the part of the attackers but could be very damaging for any user that was out of date and subject to exploitation which could lead to installs of malware such as Zeus, P2P Zeus, Citadel or other banking malware.
Source: http://threatpost.com/joomla-patches-zero-day-targeting-emea-banks/101976
___

Virgin Media Bill Spam
- http://threattrack.tumblr.com/post/58065662184/virgin-media-bill-spam
Aug. 12, 2013 - "Subjects Seen:
Your Virgin Media bill is ready
Typical e-mail details:
Hello,
Your Virgin Media bill is ready and waiting for you.


Malicious File Name and MD5:
latest bill ref.<random>.pdf.zip (547845B4164A7029E19CB8D5FEC97234)
latest bill ref.<random>.pdf.exe (8D44660D20DF2A03DB9F1A981902A392)

Screenshot: https://gs1.wac.edgecastcdn.net/801...0fcda8876/tumblr_inline_mrfe9mPBWr1qz4rgp.png
___

Fake Facebook SPAM / guterhelmet .com
- http://blog.dynamoo.com/2013/08/facebook-spam-guterhelmetcom.html
12 August 2013 - "This fake Facebook spam leads to malware on guterhelmet .com:
Date: Mon, 12 Aug 2013 17:51:17 -0200 [15:51:17 EDT]
From: Facebook [update+zj433fgc2_aay @facebookmail .com]
Subject: Willie Powell wants to be friends with you on Facebook.
facebook
interesting pages on facebook
mark as favorite web pages that interest you to receive their updates in your news feed.
Willie Powell
Bao Aguliar
Bibi Akel
Eleanora Casella
Murray Carsten
Jordana Fiqueroa
Jona Fiorelli
Leisha Heape
Lacresha Hautala
Monnie Carrillo
Missy Carreiro
find more pages
go to facebook
the message was sent to {mailto_username} @ {mailto_domain}...


Is it me, or does everyone look the same?
> https://lh3.ggpht.com/-8Laq2BN98T8/Ugk_zRYHaqI/AAAAAAAABwY/b8u6XfspbSk/s1600/facebook3.png
... The link in the email goes through a legitimate -hacked- site and then on to one of three scripts:
[donotclick]golift .biz/lisps/seventeen.js
[donotclick]fh-efront .clickandlearn.at/parboiled/couplets.js
[donotclick]ftp.elotus .org/products/cleats.js
From there, the victim is -redirected- to a -hijacked- GoDaddy domain with a malicious payload at [donotclick]guterhelmet .com/topic/able_disturb_planning.php hosted on 192.81.135.132 (Linode, US) along with a number of other hijacked domains...
Recommended blocklist:
192.81.135.132
golift .biz
fh-efront.clickandlearn .at
ftp.elotus .org
guterglove .com
grandrapidsleaffilter .com
greenbayleaffilter .com
guterhelmet .com
guterprosva .com
"

- https://www.virustotal.com/en/ip-address/192.81.135.132/information/
___

Gap between Google Play and AV vendors on adware classification
- http://research.zscaler.com/2013/08/normal-0-false-false-false-en-us-x-none_8.html
August 8, 2013 - "Two critical items impacting mobile use are privacy and a positive user experience. The mobile app market is built on trust. Questionable mobile advertising practices, such as apps employing deceptive adware practices, negatively impact the end user’s perception of both privacy and the user experience. Doing things like capturing personal information such as email addresses, device IDs, IMEIs, etc. without properly notifying users and modifying phone settings and desktops without consent, is annoying and unacceptable for mobile users. While the majority of mobile ads are not malicious, they are undesirable for most. Zscaler regularly analyzes applications in the Google Play store to profile apps and identify those presenting security and privacy risks. By studying this data, we have come up with some interesting statistics concerning the prevalence of ‘adware’ in apps permitted into the Google Play store... Why are AV vendors flagging a huge number of applications as adware while Google is freely permitting them into the Google Play store? The excessive use of advertisements can negatively impact customer privacy and result in a -negative- user experience. On the other hand, advertisements are necessary for app developers looking to earn money when providing free apps. So where should the line be drawn? Google has clearly chosen to be very -lenient- with aggressive advertising practices, while Apple has taken the opposite approach, as they have shown that they’re willing to sacrifice advertising revenue to provide a positive user experience, even restricting the ability of advertisers to track device IDs and MAC addresses. How do we define adware? We feel that adware exhibits one or more of the following intrusive behaviors without requesting appropriate user consent (ref- Lookout Blog*)..."
(More detail and graphic charts at the zscaler URL above.)
* https://blog.lookout.com/blog/2013/06/26/lookout-flags-newly-classified-adware/
___

Central Tibetan admin website strategically compromised as part of Watering Hole Attack
- https://www.securelist.com/en/blog/...y_Compromised_as_Part_of_Watering_Hole_Attack
August 12, 2013 - "A snippet of code on the Central Tibetan Administration website redirects CN speaking visitors to a Java exploit that drops an APT-related backdoor. For some context, the site claims the administration itself as "...the Central Tibetan Administration (CTA) of His Holiness the Dalai Lama, this is the continuation of the government of independent Tibet." The selection of placement for the malicious code is fairly extraordinary... The attack itself is precisely targeted, as an appended, embedded iframe redirects "xizang-zhiye(dot)org" visitors (this is the CN-translated version of the site) to a java exploit that maintains a backdoor payload. The English and Tibetan versions of the website do not maintain this embedded iframe on the Chinese version (please do not visit at this time). At this point in time, it seems that the few systems attacked with this code are located in China and the US, although there could be more. The Java exploit being delivered is the 212kb "YPVo.jar" (edd8b301eeb083e9fdf0ae3a9bdb3cd6), which archives, drops and executes the backdoor as well. That file is a 397 kb win32 executable "aMCBlHPl.exe" (a6d7edc77e745a91b1fc6be985994c6a) detected as "Trojan.Win32.Swisyn.cyxf". Backdoors detected with the Swisyn verdict are frequently a part of APT related toolchains, and this one most certainly is... The Java exploit appears to attack the older CVE-2012-4681 vulnerability, which is a bit of a surprise, but it was used by the actor distributing the original CVE-2012-4681 0day Gondzz.class and Gondvv.class in August of last year... The Payload.main method contains some interesting but simple capabilities that enable an attacker to download the payload over https and AES decrypt it using Java's built-in AES crypto libraries, but the package is not configured to use that code in this case. Instead, a couple of lines in its configuration file direct the exploit to drop and execute the jar file's win32 exe resource.
The backdoor itself is detected by most of the AV crowd as variants of gaming password stealers, which is flatly incorrect. The related C2 is located at news.worldlinking .com (59.188.239.46)... This threat actor has been quietly operating these sorts of watering hole attacks for at least a couple of years and also the standard spearphishing campaigns against a variety of targets that include Tibetan groups. Our KSN community recorded related events going back to at least a busy late 2011 season. We also show Apple related Java exploits from this server targeting the more recent CVE-2013-2423..."

- https://www.virustotal.com/en/ip-address/59.188.239.46/information/

- http://google.com/safebrowsing/diagnostic?site=AS:17444

Malware sites to block 8.13.2013 ...

FYI...

Malware sites to block 13/8/13
- http://blog.dynamoo.com/2013/08/malware-sites-to-block-13813.html
13 August 2013 - "These IPs and domains belong to this gang* and this list follows on from the one I made last week**..."
(Long list of IPs at the dynamoo URL above.)
* http://blog.dynamoo.com/search/label/Amerika

** http://blog.dynamoo.com/2013/08/malware-sites-to-block-6813.html
___

Pharma sites to block
- http://blog.dynamoo.com/2013/08/pharma-sites-to-block.html
13 August 2013 - "These fake pharma sites and IPs seem related to these malware domains*, and follow on from this list last week**..."
(Long list at the dynamoo URL above.)
* http://blog.dynamoo.com/2013/08/malware-sites-to-block-13813.html

** http://blog.dynamoo.com/2013/08/pharma-sites-to-block-6813.html
___

Threat Outbreak Alerts
- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Fake Unpaid Debt Invoice Email Messages - 2013 Aug 13
Malicious Attachment Email Messages - 2013 Aug 12
Fake Money Transfer Notification Email Messages - 2013 Aug 12
Fake Account Payment Notification Email Messages - 2013 Aug 12
Fake Product Order Notification Email Messages - 2013 Aug 12
Fake Package Delivery Failure Notification Email Messages - 2013 Aug 12
Fake Payment Notification Email Messages - 2013 Aug 12
Fake Bank Details Reconfirmation Email Messages - 2013 Aug 12
Fake Documents Attachment Email Messages - 2013 Aug 12
Fake Portuguese Electrical Equipment Invoice Notification Email Messages - 2013 Aug 12
Fake Bank Payment Transfer Notification Email Messages - 2013 Aug 12
Fake Banking Account Information Email Messages - 2013 Aug 12
(More detail and links at the cisco URL above.)
___

LinkedIn Connection Spam
- http://threattrack.tumblr.com/post/58154197039/linkedin-connection-spam
Aug. 13, 2013 - "Subjects Seen:
Invitation to connect on LinkedIn
Typical e-mail details:
<removed> wants to connect with you on LinkedIn.

Malicious URLs
bobbiler.corewaysolution .com/images/wp-gdt.php?x95S4F4MY33PRBG0W
sharperspill .biz/closest/i9jfuhioejskveohnuojfir.php


Screenshot: https://gs1.wac.edgecastcdn.net/801...edb9ea921/tumblr_inline_mrh6bwqsx91qz4rgp.png
___

CNN Breaking News Rehtaeh Parsons Spam
- http://threattrack.tumblr.com/post/58154735687/cnn-breaking-news-rehtaeh-parsons-spam
Aug. 13, 2013 - "Subjects Seen:
CNN: "Canadian teenager Rehtaeh Parsons"
Typical e-mail details:
2 face charges in case of Canadian girl who hanged self after alleged rape
Canadian teenager Rehtaeh Parsons
Two 18-year-old men face child pornography charges in connection with the case of a 17-year-old girl who hanged herself after she was allegedly gang-raped and bullied online, Canadian authorities said Thursday evening. Full story »


Malicious URLs
retailers.truelinkswear .com/rundown/index.html
dp56148868.lolipop .jp/numeracy/index.html
ftp(DOT)equinejournal .com/apogee/index.html
ead-togo .com/croons/index.html
guterprotectionperfection .com/topic/able_disturb_planning.php


Screenshot: https://gs1.wac.edgecastcdn.net/801...a991cad41/tumblr_inline_mrh6o3wH431qz4rgp.png
___

Fake Bank of America SPAM / Instructions Secured E-mail.zip
- http://blog.dynamoo.com/2013/08/bank-of-american-spam-instructions.html
13 August 2013 - "This fake Bank of America spam has a malicious attachment:
Date: Tue, 13 Aug 2013 09:35:13 -0500 [10:35:13 EDT]
From: "Alphonso.Wilcox" [Alphonso.Wilcox @bankofamerica .com]
Subject: Instructions Secured E-mail.pdf
I will be forwarding the application through a secure e-mail. Attached are instructions for you to create a password to open the secure e-mails from us. Just a bit of security for when we transmit confidential information.
Thanks,
Amado.Underwood
Bank of America
Principal Business Relationship Manager...


Attached to the message is a file Instructions Secured E-mail.zip which contains an executable file Instructions Secured E-mail.exe with an icon to make it look like a PDF file.
The detection rate for this initial malware is just 9/45 at VirusTotal**.
This is a pony/gate downloader which attempts to download from [donotclick]guterprotectionperfection.com/ponyb/gate.php on 192.81.135.132 (Linode, US). This is the same IP as used in this attack*, and it also utilises a -hijacked- GoDaddy domain.
The download then attempts to download a second stage from the following locations (as well as installing all sorts of hooks into your system):
[donotclick]Missionsearchjobs .com/D5F7G.exe
[donotclick]betterbacksystems .com/kvq.exe
[donotclick]www.printdirectadvertising .com/vfMJH.exe
[donotclick]S381195155.onlinehome .us/vmkCQg8N.exe
The second stage has an even lower detection rate of just 3/45*** ...
Recommended blocklist:
192.81.135.132
guterprotectionperfection .com
Missionsearchjobs .com
betterbacksystems .com
www .printdirectadvertising .com
S381195155.onlinehome .us
"
* http://blog.dynamoo.com/2013/08/facebook-spam-guterhelmetcom.html

** https://www.virustotal.com/en-gb/fi...925f583812b2cee9dcd22177/analysis/1376406778/

*** https://www.virustotal.com/en-gb/fi...4e43d3396fe2b4c8f94fff81/analysis/1376407672/

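The blocklists quoted in the posts above are deliberately defanged (" .com" spacing, "(DOT)", "[donotclick]" prefixes) so that nobody follows them by accident; to use them defensively they first have to be normalized back into hostnames, IPs and CIDR ranges, and then matched against proxy or DNS logs so that subdomains of a listed domain and addresses inside a listed range are caught too. The Python below is an added example written for this thread, not code from dynamoo or ThreatTrack; its blocklist mixes the defanging styles seen above, and the proxy log lines in it are invented.

```python
"""Turn the defanged indicators quoted in this thread into a usable blocklist and
match proxy-log URLs against it (exact host, parent domain, single IP, CIDR)."""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample blocklist (added example, not the blog's own list), mixing the
# defanging styles seen in the quoted posts: " .com" spacing, "(DOT)", a
# "[donotclick]" URL, a bare IP and a CIDR range.
SAMPLE_BLOCKLIST = """
192.81.135.132
guterprotectionperfection .com
Missionsearchjobs .com
www .printdirectadvertising .com
[donotclick]S381195155.onlinehome .us/vmkCQg8N.exe
ftp(DOT)equinejournal .com/apogee/index.html
184.95.37.96/28
"""

# Constructed proxy log lines (invented for this example): client, method, URL.
SAMPLE_LOG = [
    "10.0.0.5 GET http://guterprotectionperfection.com/ponyb/gate.php",
    "10.0.0.7 GET http://www.example.org/index.html",
    "10.0.0.9 GET http://192.81.135.132/kvq.exe",
    "10.0.0.4 GET http://sub.missionsearchjobs.com/D5F7G.exe",
    "10.0.0.3 GET http://184.95.37.102/topic/able_disturb_planning.php",
    "10.0.0.2 GET http://ftp.equinejournal.com/apogee/index.html",
]


def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def refang(indicator):
    """Undo the defanging: drop a '[donotclick]' prefix, turn '(DOT)' and ' .'
    back into '.', strip any URL path, lowercase. A CIDR suffix is preserved."""
    s = indicator.strip()
    s = re.sub(r"^\[donotclick\]", "", s, flags=re.IGNORECASE)
    s = re.sub(r"\s*\(dot\)\s*", ".", s, flags=re.IGNORECASE)
    s = re.sub(r"\s*\.\s*", ".", s)
    host, _, rest = s.partition("/")
    if rest.isdigit() and _is_ip(host):
        return f"{host}/{rest}"          # "184.95.37.96/28" stays a network
    return host.lower()


class Blocklist:
    def __init__(self, raw_lines):
        self.domains = set()
        self.networks = []
        for line in raw_lines:
            if not line.strip():
                continue
            ioc = refang(line)
            if "/" in ioc or _is_ip(ioc):
                # Single IPs become /32 networks so one code path matches both.
                self.networks.append(ipaddress.ip_network(ioc, strict=False))
            else:
                self.domains.add(ioc)

    def match(self, url):
        """Return the blocklist entry a URL hits, or None."""
        host = (urlsplit(url).hostname or "").lower()
        if not host:
            return None
        if _is_ip(host):
            addr = ipaddress.ip_address(host)
            return next((str(n) for n in self.networks if addr in n), None)
        labels = host.split(".")
        # Walk up the label chain so sub.listed.com matches a listed "listed.com".
        for i in range(len(labels) - 1):
            candidate = ".".join(labels[i:])
            if candidate in self.domains:
                return candidate
        return None


def scan_log(lines, blocklist):
    """Return (client, url, matched_entry) for every log line that hits the list."""
    hits = []
    for line in lines:
        client, _method, url = line.split(maxsplit=2)
        entry = blocklist.match(url)
        if entry:
            hits.append((client, url, entry))
    return hits


if __name__ == "__main__":
    bl = Blocklist(SAMPLE_BLOCKLIST.splitlines())
    for client, url, entry in scan_log(SAMPLE_LOG, bl):
        print(f"{client} -> {url}  [blocked by {entry}]")
```

Matching on the parent-domain chain matters because the payload hosts in these campaigns are often a subdomain (ftp., www.) of a hijacked domain; matching on the network rather than the single address covers the case where a whole /28 of hijacked domains sits on one hosting block.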
Bogus Firefox, Twitter Spam ...

FYI...

Bogus Firefox updates
- https://net-security.org/malware_news.php?id=2559
Aug. 13, 2013 - "A series of Internet campaigns pushing bogus Firefox updates onto unwary users have been spotted by researchers, and among them is one that lures them in through “Green Card Lottery” ads... According to ThreatTrack's analysis*, the website is capable of detecting which browser the user uses and to recommend an update for it. Nevertheless, the offered "update" is always the same: Firefox v13 (long outdated - the current version is 23), with several "add-ons, adware, toolbars and other malicious and irritating accompaniments" also trying to get installed via the installation wizard:
> http://www.net-security.org/images/articles/tt-13082013.jpg
Among this tag-along software is the Delta Toolbar, Webcake (a browser add-on that, among other things, serves ads), Optimizer Pro (a questionable PC-tune-up program), QuickShare (a deceptive browser plugin that steals data and redirects to unwanted websites) and an ad for “unlimited cloud storage”. All this "crapware" is sure to bring grief to the victims. It will slow down their computer, for sure, but the biggest problem is that they will end up with an outdated browser that can be successfully targeted with drive-by-download schemes, more additional malware and they will likely become victims of identity theft in the long run..."
* http://www.threattracksecurity.com/it-blog/outdated-browser-detected-firefox-update/
___

Malicious Spam Targets Virgin Media Patrons, Consul General
- http://www.threattracksecurity.com/...-targets-virgin-media-patrons-consul-general/
Aug. 13, 2013 - "... a fresh campaign of malicious spam that purports to originate from various brands and names but delivers the same malicious attachment to recipients. As of this time of writing, the spam is disguised as a mail coming from Virgin Media* and a notification of an expiring car insurance addressed to the Consul General of Suriname**... detections we have for related malicious files from these spam, as of this writing:
- Both compressed files are detected as Trojan.Zip.Bredozp.b (v).
- The uncompressed .EXE files, which are essentially one and the same, are detected as Win32.Malware!Drop.
The file it downloads is malicious, and it changes at random..."
* http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/08/virgin-media-spam.png

** http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/08/car-insurance-spam.png
___

Threat Outbreak Alerts
- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Fake Scanned Document Attachment Email Messages - 2013 Aug 14
Fake MMS Notification Email Messages - 2013 Aug 14
Fake Package Delivery Failure Notification Email Messages - 2013 Aug 14
Fake Package Delivery Information Email Messages - 2013 Aug 14
Fake Payment Confirmation Notification Email Messages - 2013 Aug 13
Fake Secure Message Notification Email Messages - 2013 Aug 13
Fake Debt Collection Notice Email Messages - 2013 Aug 13
Malicious Attachment Email Messages - 2013 Aug 13
Fake Account Payment Notification Email Messages - 2013 Aug 13
Fake Product Purchase Order Email Messages - 2013 Aug 13
Fake Xerox Scan Attachment Email Messages - 2013 Aug 13
Fake UPS Parcel Notification Email Messages - 2013 Aug 13
Fake Bank Payment Transfer Notification Email Messages - 2013 Aug 13
Fake Product Services Specification Request Email Messages - 2013 Aug 13
Fake Unpaid Debt Invoice Email Messages - 2013 Aug 13
(More detail and links at the cisco URL above.)
___

Twitter Spam ...
- http://krebsonsecurity.com/2013/08/buying-battles-in-the-war-on-twitter-spam/
Aug 14, 2013 - "The success of social networking community Twitter has given rise to an entire shadow economy that peddles -dummy- Twitter accounts by the thousands, primarily to spammers, scammers and malware purveyors. But new research on identifying bogus accounts has helped Twitter to drastically deplete the stockpile of existing accounts for sale, and holds the promise of driving up costs for both vendors of these shady services and their customers. Twitter prohibits the sale and auto-creation of accounts, and the company routinely suspends accounts created in violation of that policy. But according to researchers from George Mason University and the University of California, Berkeley, Twitter traditionally has done so only -after- these fraudulent accounts have been used to spam and attack legitimate Twitter users..."
(More detail at the krebsonsecurity URL above.)
___

Wells Fargo Important Documents Spam
- http://threattrack.tumblr.com/post/58242338970/wells-fargo-important-documents-spam
Aug. 14, 2013 - "Subjects Seen:
IMPORTANT Documents - WellsFargo
Typical e-mail details:
Please review attached files.
Eleanor_Wyatt
Wells Fargo Advisors
817-246-9671 office


Malicious URLs
gutterprosmaryland .com/forum/viewtopic.php
gutterhelmetleafguardgutterprotection .com/forum/viewtopic.php
gutterguardbuyersguide .com/forum/viewtopic.php
gutterglovegutterprotection .com/forum/viewtopic.php
dp55197480.lolipop .jp/1ayPTHK.exe
roundaboutcellars .com/Utuw1.exe
bbsmfg .biz/VKPqrms.exe
caribbeancinemas .net/MLEYCY9.exe

- https://www.virustotal.com/en/ip-address/64.71.35.14/information/

Malicious File Name and MD5:
DOC_<e-mail>.zip (B1342413F0AEE3E6440453689D26803B)
DOC_{_MAILTO_USERNAME}.exe (ABAFB7DA0F23112064F6BC3A1F93DDF6)

Screenshot: https://gs1.wac.edgecastcdn.net/801...34ea3da0b/tumblr_inline_mriyb83O4Y1qz4rgp.png
___

Fake ADP SPAM / hubbywifeburgers .com
- http://blog.dynamoo.com/2013/08/adp-spam-hubbywifeburgerscom.html
14 Aug 2013 - "This fake ADP spam leads to malware on hubbywifeburgers .com:
Date: Wed, 14 Aug 2013 08:58:12 -0700 [11:58:12 EDT]
From: "ADPClientServices @adp .com" [service @citibank .com]
Subject: ADP Security Management Update
ADP Security Management Update
Reference ID: 39866
Dear ADP Client August 2013
This message is to inform you of the upcoming "Phase 2" enhancement to ADP Security Management (formally ADP Netsecure). This is where you manage your users' access to ADP's Internet services, and includes the self-service registration process.
Effective August 15th, ADP Security Management will reflect a new user interface. This will include tasks such as Account Maintenance, User Maintenance, and Company Maintenance within Security Management.
Please review the following information:
• Click here to view more details of the enhancements in Phase 2
• Complete the What's New in Security Management Service here (Expected to take about 15 minutes)... The information contained in this email is intended only for the individual(s) addressed in this message and may contain privileged and/or confidential information that is exempt from disclosure under applicable law.


Screenshot: https://lh3.ggpht.com/-33hn5xJdiRw/UgvV5vzDLkI/AAAAAAAABxM/-IcZiCFuBLo/s1600/adp-spam2.png

Yeah.. click the link. What could possibly go wrong? Well, first you go to a legitimate -hacked- site that tried to load one of the following three scripts:
[donotclick]e-equus.kei .pl/perusing/cassie.js
[donotclick]cncnc .biz/pothooks/addict.js
[donotclick]khalidkala .com/immigration/unkind.js
From there, the victim is sent to a malware site that uses a -hijacked- GoDaddy domain at [donotclick]hubbywifeburgers .com/topic/nearby-promptly.php hosted on 199.195.116.51 (A2 Hosting, US - report here*). This IP probably contains other hijacked domains from the same owner.
Recommended blocklist:
199.195.116.51
hubbywifeburgers .com
e-equus.kei .pl
cncnc .biz
khalidkala .com
"
* https://www.virustotal.com/en/ip-address/199.195.116.51/information/

Something evil on 162.211.231.16 ...

FYI...

Something evil on 162.211.231.16
- http://blog.dynamoo.com/2013/08/something-evil-on-16221123116.html
15 August 2013 - "The server at 162.211.231.16 (IT7 Networks, Canada) is currently being used in injection attacks (example*) which have been going on for some time [1] [2] and uses several domains... All the domains are very recently registered by GoDaddy. The WHOIS details for brigitteunderwear .com (also registered by GoDaddy in 2006) are consistent, but I've seen enough hijacked GoDaddy domains recently to be suspicious that there could be an element of identity theft here, and the named person may well have nothing to do with this attack. I haven't had time to poke around at the payload too much, but this could well be a good IP to block, or alternatively use the list of domains that I have identified below (it may not be comprehensive, though)
Recommended blocklist:
162.211.231.16 ..."
(Long list at the dynamoo URL above.)
* http://urlquery.net/report.php?id=4568967

[1] https://www.virustotal.com/en-gb/ip-address/162.211.231.16/information/

[2] http://urlquery.net/search.php?q=162.211.231.16&type=string&start=2013-07-31&end=2013-08-15&max=50
___

Fake "INCOMING FAX REPORT" SPAM / chellebelledesigns .com
- http://blog.dynamoo.com/2013/08/incoming-fax-report-spam.html
15 August 2013 - "A facsimile transmission. How quaint. Of course, it isn't.. the link in the spam goes to a malicious page on chellebelledesigns .com:
From: Administrator [administrator @victimdomain]
Date: 15 August 2013 16:08
Subject: INCOMING FAX REPORT : Remote ID: 1043524020
***********************INCOMINGFAXREPORT*****************
INCOMING FAX REPORT
*********************************************************
Date/Time: 07/25/2013 02:12:11 EST
Speed: 66387 bps
Connection time: 04:06
Pages: 0
Resolution: Normal
Remote ID: 1043524020
Line number: 7
DTMF/DID:
Description: June Payroll
Click here to view the file online
*********************************************************


Note that the spam appears to come "from" the "Administrator" in the victim's own domain. This email address is a forgery, so don't worry about it. If you are daft enough to click the link in the email you go to a legitimate -hacked- site and then on to one of three scripts:
[donotclick]millionaireheaven .com/mable/rework.js
[donotclick]pettigrew .us/airheads/testier.js
[donotclick]www .situ-ingenieurgeologie .de/tuesday/alleviation.js
From there on, the victim is forwarded to a malicious landing page at [donotclick]chellebelledesigns .com/topic/conclusion-western.php using a hacked GoDaddy domain on 173.246.104.55 (Gandi, US). There are other hijacked GoDaddy domains on the same server...
Recommended blocklist:
173.246.104.55 ..."
(More domains listed at the dynamoo URL above.)

- https://www.virustotal.com/en/ip-address/173.246.104.55/information/
___

UPS Quantum View Spam
- http://threattrack.tumblr.com/post/58338584106/ups-quantum-view-spam
Aug. 15, 2013 - "Subjects Seen:
UPS - Your package is available for pickup ( Parcel <random> )
Typical e-mail details:
You may pickup the parcel at our post office.
Please attention!
For mode details and shipping label please see the attached file.
Print this label to get this package at our post office.
Please do not reply to this e-mail, it is an unmonitored mailbox!
Thank you,
UPS Logistics Services.


Malicious URLs
chellebelledesigns .com/ponyb/gate.php
1800callabe .com/ponyb/gate.php
abemoussa .com/ponyb/gate.php
keralahouseboatstourpackages .com/FXx.exe

Malicious File Name and MD5:
UPS-Label_<random>.zip (607F7CBD6CEF3DDD5F5DB88612FC91B6)
UPS-Label_<date>.exe (782D6C5633D139704221E927782195E0)

Screenshot: https://gs1.wac.edgecastcdn.net/801...0fb72312e/tumblr_inline_mrkyb1P4hG1qz4rgp.png

Fake ADP, WellsFargo SPAM

FYI...

Fake ADP SPAM / ADP_week_invoice.zip|exe
- http://blog.dynamoo.com/2013/08/adp-spam-adpweekinvoicezipexe.html
16 August 2013 - "This fake ADP spam has a malicious attachment:
Date: Fri, 16 Aug 2013 09:57:59 -0500 [10:57:59 EDT]
From: "run.payroll.invoice @adp .com" [run.payroll.invoice @adp .com]
Subject: ADP Payroll INVOICE for week ending 08/16/2013
Your ADP Payroll invoice for last week is attached for your review. If you have any
questions regarding this invoice, please contact your ADP service team at the number
provided on the invoice for assistance.
Thank you for choosing ADP Payroll.
Important: Please do not respond to this message. It comes from an unattended mailbox.


There is an attachment ADP_week_invoice.zip which in turn contains a malicious executable file ADP_week_invoice.exe. The payload is exactly the same as this* other malicious spam run which is running in parallel."
* http://blog.dynamoo.com/2013/08/ceo-portal-statements-notices-event.html

ADP Payroll Invoice Spam
- http://threattrack.tumblr.com/post/58422233895/adp-payroll-invoice-spam
16 August 2013 - "Subjects Seen:
ADP Payroll INVOICE for week ending 08/16/2013
Typical e-mail details:
Your ADP Payroll invoice for last week is attached for your review. If you have any questions regarding this invoice, please contact your ADP service team at the number provided on the invoice for assistance.
Thank you for choosing ADP Payroll.


Malicious URLs
hubbywifeco .com/forum/viewtopic.php
hubbywifedesigns .com/forum/viewtopic.php
hubbywifedesserts .com/forum/viewtopic.php
hubbywifefoods .com/forum/viewtopic.php
208.106.130.52 /39UvZmv.exe
demoscreactivo .com/DKM9.exe
roundaboutcellars .com/Utuw1.exe
bbsmfg.biz/VKPqrms .exe
cccustomerctr .com/39UvZmv.exe

Malicious File Name and MD5:
ADP_week_invoice.zip (8C67BC641A95379867C4B9EBAE68446A)
ADP_week_invoice.exe (6EBF2EA3DB16B3E912068D0A9E33320E)

Screenshot: https://gs1.wac.edgecastcdn.net/801...43b3ae948/tumblr_inline_mrmold4lru1qz4rgp.png
___

Fake Wells Fargo SPAM "CEO Portal Statements & Notices Event" -report_{DIGIT[12]}.exe
- http://blog.dynamoo.com/2013/08/ceo-portal-statements-notices-event.html
16 August 2013 - "This fake Wells Fargo email has a malicious attachment:
Date: Fri, 16 Aug 2013 09:51:17 -0500 [10:51:17 EDT]
From: Wells Fargo Event Messaging Admin [ofsrep.ceosmuigw @wellsfargo .com]
Subject: CEO Portal Statements & Notices Event
Wells Fargo
Commercial Electronic Office (CEO) Portal Statements & Notices Event: Multiple Download Request Available
Your Deposit Adjustment Notices is now available. To access your information please download attached report and open Statements & Notices file.
Date/Time Stamp: Fri, 16 Aug 2013 09:51:17 -0500
Request Name: MM3P85NRLOXLOFJ
Event Message ID: S045-77988311
Please do not reply to this email.


The email has an attachment called report_625859705821.zip which in turn contains an executable report_{DIGIT[12]}.exe (which presumably is an error) which has a VirusTotal detection rate of 9/46*. The Malwr report shows that this malware does various things**, including an HTTP request to a hijacked GoDaddy domain at [donotclick]hubbywifeco .com/forum/viewtopic.php hosted on 66.151.138.80 (Nuclear Fallout Enterprises, US) which is shared with another -hijacked- domain, hubbywifecakes .com.
From there, another executable is downloaded from one of the following locations:
[donotclick]208.106.130.52 /39UvZmv.exe
[donotclick]demoscreactivo .com/DKM9.exe
[donotclick]roundaboutcellars .com/Utuw1.exe
[donotclick]bbsmfg .biz/VKPqrms.exe
This executable has an even lower detection rate of just 5/46***... Blocking EXE-in-ZIP files like this at your perimeter is an excellent idea if you can do it.
Recommended blocklist:
66.151.138.80
hubbywifeco .com
hubbywifecakes .com
208.106.130.52
demoscreactivo .com
roundaboutcellars .com
bbsmfg .biz
"
* https://www.virustotal.com/en-gb/fi...59d16a1a4bcd6d06ceacfbea/analysis/1376665654/

** https://malwr.com/analysis/NjAxNGMwYmRiMWNjNDIzMDhlMmIxMjgwYmJlMWY3YzU/

*** https://www.virustotal.com/en-gb/fi...b9bb57eb783964be5afb49c9/analysis/1376666041/

- https://www.virustotal.com/en-gb/ip-address/66.151.138.80/information/

- https://www.virustotal.com/en-gb/ip-address/208.106.130.52/information/

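The remark above about blocking EXE-in-ZIP at the perimeter is worth making concrete. The attachments described in these posts are executables under document-style names: a .zip whose only member is an .exe, or an .exe given a PDF icon, so a name check alone is not enough and the member's header bytes have to be looked at as well. The Python below is an added example, not code from any of the quoted blogs: it opens a ZIP in memory, reads only the first two bytes of each member, and flags DOS/PE headers ("MZ"), executable extensions, and document-then-executable double extensions. The archives it inspects are constructed here with a stub header standing in for a real executable; the member names are invented.

```python
"""First-pass inspection of ZIP attachments for the EXE-in-ZIP pattern described
above: an executable carrying a document-style name or a misleading extension."""
import io
import zipfile

EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf", ".txt", ".jpg"}


def _extensions(name):
    """All dotted suffixes of the base name, lowercased: 'a.pdf.exe' -> ['.pdf', '.exe']."""
    base = name.rsplit("/", 1)[-1].lower()
    return ["." + part for part in base.split(".")[1:]]


def inspect_member(name, head):
    """Findings for one archive member, given its name and its first bytes."""
    findings = []
    exts = _extensions(name)
    last = exts[-1] if exts else ""
    if head.startswith(b"MZ"):
        findings.append("pe-magic")  # DOS/PE header, whatever the name says
        if last not in EXECUTABLE_EXTENSIONS:
            findings.append("pe-with-misleading-extension")
    if last in EXECUTABLE_EXTENSIONS:
        findings.append("executable-extension")
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTENSIONS and last in EXECUTABLE_EXTENSIONS:
        findings.append("double-extension")  # e.g. something.pdf.exe
    return findings


def inspect_zip(data):
    """Map member name -> findings for every suspicious member of a ZIP held in memory."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(2)  # only the header bytes; nothing is executed
            findings = inspect_member(info.filename, head)
            if findings:
                results[info.filename] = findings
    return results


def should_quarantine(data):
    """Perimeter decision: hold the attachment if any member looks executable."""
    return bool(inspect_zip(data))


def build_sample_zip(members):
    """Build an in-memory ZIP from {name: bytes} (used only for the constructed samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples (not the real attachments): a stub DOS header stands in for a PE.
FAKE_PE = b"MZ" + b"\x00" * 62
SAMPLE_MALICIOUS = build_sample_zip({
    "invoice.pdf.exe": FAKE_PE,            # double extension
    "report_000000000000.exe": FAKE_PE,    # plain EXE-in-ZIP, invented name
    "readme.txt": b"see attached",
})
SAMPLE_RENAMED = build_sample_zip({"statement.pdf": FAKE_PE})  # PE hiding as a PDF
SAMPLE_BENIGN = build_sample_zip({"invoice.pdf": b"%PDF-1.4 constructed stub"})

if __name__ == "__main__":
    for label, blob in [("malicious", SAMPLE_MALICIOUS), ("renamed", SAMPLE_RENAMED), ("benign", SAMPLE_BENIGN)]:
        print(label, inspect_zip(blob), "quarantine" if should_quarantine(blob) else "pass")
```

The two-byte header check is a cheap triage step, not a PE parser: it catches the renamed-executable case that an extension filter misses, while the extension rules catch scripts and other file types that have no "MZ" header. A mail gateway would run this before any icon or filename is ever shown to the recipient.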
Malware sites to block 19/8/13, Fake Facebook SPAM...

FYI...

Malware sites to block 19/8/13
- http://blog.dynamoo.com/2013/08/malware-sites-to-block-19813.html
19 August 2013 - "These sites and IPs belong to this gang*, and this list follows on from this one**..."
(Long list of IPs at the dynamoo URL above.)
* http://blog.dynamoo.com/search/label/Amerika

** http://blog.dynamoo.com/2013/08/malware-sites-to-block-13813.html
___

Fake Facebook SPAM / hubbywifewines .com
- http://blog.dynamoo.com/2013/08/facebook-spam-hubbywifewinescom.html
19 August 2013 - "This fake Facebook spam leads to malware on hubbywifewines .com:
Date: Mon, 19 Aug 2013 16:20:06 +0200 [10:20:06 EDT]
From: Facebook [update+hiehdzge @facebookmail .com]
Subject: You requested a new Facebook password
facebook
Hello,
You recently asked to reset your Facebook password.
Click here to change your password.
Didn't request this change?
If you didn't request a new password, let us know immediately.
Change Password
This message was sent to [redacted].net at your request.
Facebook, Inc., Attention: Department 415, PO Box 10005, Palo Alto, CA 94303


The link in the email goes to a legitimate -hacked- site and then loads one or more of these three scripts:
[donotclick]ftp.hotwindsaunausa .com/clingy/concord.js
[donotclick]katchthedeal .sg/stilling/rifts.js
[donotclick]ftp.navaglia .it/gazebo/cowboys.js
The victim is then forwarded to a malware landing page using a hijacked GoDaddy domain at [donotclick]hubbywifewines .com/topic/able_disturb_planning.php hosted on 72.5.102.192* (Nuclear Fallout Enterprises, US) along with another hijacked domain of hubbywifefoods .com.
Recommended blocklist:
72.5.102.192
hubbywifewines .com
hubbywifefoods .com
ftp.hotwindsaunausa .com
katchthedeal .sg
ftp.navaglia .it
"
* https://www.virustotal.com/en/ip-address/72.5.102.192/information/
___

Booking.com Confirmation Spam
- http://threattrack.tumblr.com/post/58704894229/booking-com-confirmation-spam
Aug. 19, 2013 - "Subjects Seen:
Confirmation <random>
Typical e-mail details:
BOOKING CONFIRMATION
Issued: 08/18/2013
BEDDING AND INCLUSIONS SHOWN IN ATTACHED FILE
====================================
Confirmation number: <removed>
Booking source: booking.com
(please refer to this brand when
communicating with the guest)
BOOKING SUMMARY
Check in: 29-Aug-2013
Check out: 31-Aug-2013
Total number of rooms: 1 per night
Total number of room nights: 1 (1 room for 1 night each)
Total booking amount: $314.00
Room: 1 Night 1-2 people
Number of guests: Adults: 1 Children: 0
Bedding configuration: One or 2 People
=====Comments=====
Guest comments: non-smoking
Any comments from the guest are by request only and have not been guaranteed...
The guest is also aware that you may require them to provide a security deposit at
check-in to guarantee payment of any incidental charges.
The Team Booking.com


Malicious File Name and MD5:
BOOKING ISSUED 18.Aug.2013.zip (61EE0B0EE92F717D50F42EB0171BAD6E)
BOOKING ISSUED 18.Aug.2013.pdf.exe (948FD2EA728F38886DF824AA2BB7FD3A)

Screenshot: https://gs1.wac.edgecastcdn.net/801...037bd82ff/tumblr_inline_mrsd6ucgl61qz4rgp.png
___

Fake Facebook password SPAM / frankcremascocabinets .com
- http://blog.dynamoo.com/2013/08/you-requested-new-facebook-password.html
19 August 2013 - "This fake Facebook spam follows on from this one*, but has a different malicious landing page at frankcremascocabinets .com:
From: Facebook [update+hiehdzge @facebookmail .com]
Date: 19 August 2013 17:38
Subject: You requested a new Facebook password
facebook
Hello,
You recently asked to reset your Facebook password.
Click here to change your password.
Didn't request this change?
If you didn't request a new password, let us know immediately.
Change Password
This message was sent to [redacted] at your request.
Facebook, Inc., Attention: Department 415, PO Box 10005, Palo Alto, CA 94303


The link in the email goes to a legitimate -hacked- site which then tries to load one or more of the following three scripts:
[donotclick]ftp.hotwindsaunausa .com/clingy/concord.js
[donotclick]katchthedeal .sg/stilling/rifts.js
[donotclick]ftp.navaglia .it/gazebo/cowboys.js
The victim is then directed to a malware payload at [donotclick]frankcremascocabinets .com/topic/able_disturb_planning.php hosted on 184.95.37.102 (Secured Servers, US / Jolly Works Hosting, Philippines). This domain is a hijacked GoDaddy domain and there are several others on the same server...
Recommended blocklist:
184.95.37.96/28
ftp.hotwindsaunausa .com
katchthedeal .sg
ftp.navaglia .it
giuseppepiruzza .com
frankcremascocabinets .com
gordonpoint .biz
hitechcreature .com
frankcremasco .com
"
* http://blog.dynamoo.com/2013/08/facebook-spam-hubbywifewinescom.html

- https://www.virustotal.com/en/ip-address/184.95.37.102/information/
___

UK Tax-Themed Spam leads to ZeuS/ZBOT
- http://blog.trendmicro.com/trendlabs-security-intelligence/uk-tax-themed-spam-leads-to-zeuszbot/
Aug 19, 2013 - "Tax-themed spam, particularly in the United States, is already considered a staple in the threat landscape. However, a recent spam run targeting taxpayers in the United Kingdom shows that this threat is never exclusive to a region. Besides being timely, these messages contain TSPY_FAREIT, which downloads a ZeuS/ZBOT variant, notorious for stealing information related to online banking sites. We found a sample of an email message that appears to be from HM Revenue and Customs in the UK. It notifies users of their VAT return receipt, something that might appear timely to unsuspecting users since the deadline for VAT returns and payments was last August 7. To further convince users of its validity, the message states that the email was “scanned for viruses”. Sample spam with alleged VAT return “receipt”:
> https://blog.trendmicro.com/trendlabs-security-intelligence/files/2013/08/Tax-season-uk-spam.jpg
The message contains an attachment, which is supposed to be the receipt for the VAT return. But based on our findings, the attachment is (expectedly) a malware detected as TSPY_FAREIT.ADI. Once executed, the malware steals varied information from the system, such as those related to: FTP clients, file managers, and email... The data stealing does not stop there. TSPY_FAREIT.ADI downloads another malware, specifically TSPY_ZBOT.ADD. As expected of any ZeuS/ZBOT variant, the malware downloads configuration file(s) from randomly generated IP addresses. The said file also contains a list of targeted online banking and finance-related sites and the URLs where it sends the gathered information. The cybercriminals behind this threat are obviously taking advantage of the recent tax return deadline in the UK. But the real concern here is the severity of the information to be stolen. Aside from the email and FTP credentials, which are profitable in the underground market, the bad guys are also gunning for the victims’ online banking accounts. Once they get hold of users’ banking and financial credentials, they can either sell them on the digital underground or use these to initiate unauthorized money transfers leading to actual financial loss... we noted the increase of online banking malware in the past quarter and how the CARBERP’s “leaked” source code may lead to more variety for this threat. Thus, it is important for users to double-check the messages they receive and to be careful in opening any attachments from unverified sources. As an added precaution, always implement your systems with the latest security updates from vendors..."
___

Fake Citi SPAM / securedoc.zip
- http://blog.dynamoo.com/2013/08/you-have-received-secure-message-spam.html
19 August 2013 - "This fake Citi spam contains a malicious attachment:
Date: Mon, 19 Aug 2013 20:24:27 +0000 [16:24:27 EDT]
From: "secure.email @citi .com" [secure.email @citi .com]
Subject: You have received a secure message
Read your secure message by opening the attachment, securedoc. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it with Internet Explorer.
If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the Citi Secure Email Help Desk at (866) 535-2504.
First time users - will need to register after opening the attachment...


Attached is a file securedoc.zip which in turn contains a malicious executable securedoc.exe which has a very low detection rate at VirusTotal of just 2/46*. The Malwr analysis** (and also ThreatExpert***) shows that the file first connects to [donotclick]frankcremascocabinets .com/forum/viewtopic.php (a -hijacked- GoDaddy domain on 184.95.37.102 (Secured Servers, US / Jolly Works Hosting, Philippines) as seen before here, and it then tries to download additional components from:
[donotclick]lobbyarkansas .com/0d8H.exe
[donotclick]ftp.ixcenter .com/GMMo6.exe
[donotclick]faithful-ftp .com/kFbWXZX.exe
This second part has another very low VirusTotal detection rate of just 3/46****...
Recommended blocklist:
184.95.37.96/28
frankcremascocabinets .com
giuseppepiruzza .com
gordonpoint .biz
gordonpoint .info
hitechcreature .com
frankcremasco .com
lobbyarkansas .com
ftp.ixcenter .com
faithful-ftp .com
"
* https://www.virustotal.com/en/file/...169ee8ac6e07ff038125fe61/analysis/1376945701/

** https://malwr.com/analysis/NjcwNGFhOWNjY2Y3NGNhMDgwNDU3NjdhNjk5ZDA1MTI/

*** http://www.threatexpert.com/report.aspx?md5=007da88f903a5c2c4fbf106d28218cf9

**** https://www.virustotal.com/en/file/...75d9be16cd26c47ff813f8c7/analysis/1376946672/

Fake Browser Updates drop Shylock Malware...

FYI...

Fake Browser Updates drop Shylock Malware
- http://www.threattracksecurity.com/it-blog/fake-browser-updates-drop-shylock-malware/
August 19, 2013 - "We’re no stranger to fake and often malicious Internet browsers* that are served up on equally fake and malicious Web sites. These latest samples found by... our threat researchers in the AV Labs, are hosted on the domain, browseratrisk(dot)com. It is found that once users access pages on this malicious domain with either Internet Explorer (IE), Firefox or Chrome, it opens a fake “update” page for the said browsers and auto-downloads the fake files. Below are screenshots of these pages:
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/08/ff-shylock-wm.jpg
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/08/chrome-shylock-wm.jpg
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/08/ie-shylock-wm.jpg
... Users may find it difficult to close and navigate to other tabs after download, thanks to certain loop commands on the page’s code, which we’ve seen before**. If users choose to install the downloaded fake browser updates, it then drops a variant of either Sirefef or Shylock/Caphaw malware... Win32.Malware!Drop... Shylock had hit the news in January of this year as the banking Trojan capable of using Skype chat to spread. Note that the dropped file may change at roughly every three to four hours. The website server is also known to house Blackhole Exploit kits... If users access browseratrisk(dot)com via their mobile devices and on OSX, they are redirected to FriendFinder, a popular online dating service, via the mirror site, stealthtec(dot)net. When it comes to software updates, it pays to be wary of random sites claiming your current Internet browser needs to be updated. It is best to -ignore- these pages and go straight to official pages..."
* http://www.threattracksecurity.com/it-blog/?s=browser&x=12&y=21

** http://www.threattracksecurity.com/it-blog/fake-critical-browser-update-site-serves-malware/

Fake Facebook, Credit Card SPAM ...

FYI...

Fake Facebook SPAM / dennissellsgateway .com
- http://blog.dynamoo.com/2013/08/facebook-spam-dennissellsgatewaycom.html
21 August 2013 - "This fake Facebook spam leads to malware on dennissellsgateway .com:
Date: Tue, 20 Aug 2013 15:28:11 -0500 [16:28:11 EDT]
From: Facebook [no-reply @facebook .com]
Subject: Gene Maynard wants to be friends with you on Facebook.
facebook
Gene Maynard wants to be friends with you on Facebook.
University of Houston, Victoria
342 friends - 28 photos
Confirm Request
See All Requests
This message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future, please click: unsubscribe.
Facebook, Inc. Attention: Department 415 P.O Box 10005 Palo Alto CA 94303


This is a "ThreeScripts" attack, with the link first going to a legitimate -hacked- site and then through one of the following three scripts:
[donotclick]ftp.crimestoppersofpinellas .org/jonson/tried.js
[donotclick]italiangardensomaha .com/moocher/pawned.js
[donotclick]www.it-planet .gr/schlepped/suitor.js
From there, the victim ends up on a -hijacked- GoDaddy domain with a malicious payload at [donotclick]dennissellsgateway .com/topic/able_disturb_planning.php on 72.5.102.146 (Nuclear Fallout Enterprises, US) along with some other hijacked domains...
Recommended blocklist:
72.5.102.146
dennissellsgateway .com
justinreid .us
waterwayrealtyteam .us
www.it-planet .gr
italiangardensomaha .com
ftp.crimestoppersofpinellas .org
"

>> Update: Another spam is circulating with a different pitch, but the -same- malicious payload:
Dear Customer,
The following is your Credit Card settlement report for Monday, August 19, 2013.
Transaction Volume Statistics for Settlement Batch dated 19-Aug-2013
Batch ID: 108837538
Business Day: 19-Aug-2013
Net Batch Total: 3704.75 (USD)
Number of Charge Transactions: 1
Amount of Charge Transactions: 3704.75
Number of Refund Transactions: 5
Amount of Refund Transactions: 315.74
You can download your full report ...


- https://www.virustotal.com/en/ip-address/72.5.102.146/information/
___

Fake Malwarebytes scammer surveys ...
- http://blog.malwarebytes.org/news/2013/08/fake-malwarebytes-scammer-surveys-victims/
August 20, 2013 - "... a twitter account pretending to be speaking for Malwarebytes. The twitter account, @ malwarebytesx, has posted heavily over the last couple days about Malwarebytes Anti-Malware being available (both legitimately and a cracked version) at a posted link. They even created a variation of our logo and got 51 people to follow them! The link leads to a blogspot page titled “Malwarebytes Anti-Malware 1.75 Full + Serial” that is covered in our signage and provides a link to download “Malwarebytes Anti-Malware” with text and graphics directly from our own website.
> http://cdn.blog.malwarebytes.org/wp-content/uploads/2013/08/MalwareAMBlog-1024x810.png
After clicking on the “Download Now” button, you are presented with a download page requesting a small favor.
> http://cdn.blog.malwarebytes.org/wp-content/uploads/2013/08/MalwareAMOFfer.png
... Unfortunately for anyone who has fallen for this scam, this website does -not- belong to Malwarebytes nor is supported by one of our authorized distributors... Don’t become a victim and always download software from legitimate sites. Even if you just Google “Malware” or the phrase “Malware Removal,” legitimate sources to download our product are within the first few results. Tell your friends and if you encounter a survey site, maybe you should try finding your download somewhere else..."
___

Threat Outbreak Alerts
- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Malicious Attachment Email Messages - 2013 Aug 21
Fake Secure Message Notification Email Messages - 2013 Aug 21
Fake Confirmation of Payment Information Email Messages - 2013 Aug 21
Fake Money Transfer Notification Email Messages - 2013 Aug 21
Malicious Personal Pictures Attachment Email Messages - 2013 Aug 21
Fake UPS Parcel Notification Email Messages - 2013 Aug 21
Fake Product Solicitation Email Messages - 2013 Aug 21
Fake Product Purchase Request Email Messages - 2013 Aug 21
Fake Money Transfer Notification Email Messages - 2013 Aug 21
(More detail and links at the cisco URL above.)
___

Fake Facebook SPAM / thenatemiller.co
- http://blog.dynamoo.com/2013/08/facebook-spam-thenatemillerco.html
21 August 2013 - "This fake Facebook spam leads to malware on thenatemiller .co:
Date: Wed, 21 Aug 2013 22:05:38 +0530 [12:35:38 EDT]
From: Facebook [update+hiehdzge@ facebookmail .com]
Subject: You requested a new Facebook password
facebook
Hello,
You recently asked to reset your Facebook password.
Click here to change your password.
Didn't request this change?
If you didn't request a new password, let us know immediately.
Change Password
This message was sent to [redacted] at your request.
Facebook, Inc., Attention: Department 415, PO Box 10005, Palo Alto, CA 94303


Nothing good will come from clicking the link. First victims go to a legitimate but -hacked- site that attempts to load the following three scripts:
[donotclick]gemclinicstore .com/admitted/tintinnabulations.js
[donotclick]mathenyadvisorygroup .com/toffies/ceiling.js
[donotclick]www.it-planet .gr/schlepped/suitor.js
From there the victim is directed to a malware landing page at [donotclick]thenatemiller .co/topic/able_disturb_planning.php (.co, not .com) which is a hijacked GoDaddy domain hosted on 72.5.102.146 (Nuclear Fallout Enterprises, US) along with several other hijacked domains...
Recommended blocklist:
..."

- https://www.virustotal.com/en/ip-address/72.5.102.146/information/

Fake Red Sox, Chase Bank, Discover Card SPAM...

FYI...

Fake Red Sox Baseball SPAM / lindoliveryct .net
- http://blog.dynamoo.com/2013/08/red-sox-baseball-spam-lindoliveryctnet.html
22 Aug 2013 - "This fake Red Sox spam leads to malware on lindoliveryct .net:
Date: Thu, 22 Aug 2013 13:02:19 -0400 [13:02:19 EDT]
From: ticketoffice@ inbound.redsox .com
Subject: Thank You for your order. ( RSXV - 4735334 - 0959187 )
Thank you for your recent ticket purchase. We truly appreciate your support and commitment to Red Sox Baseball. If you have any questions regarding your purchase, please contact our Ticket Services department by calling (toll free) 877-REDSOX9.
Note that you will receive a separate email within the next two business days which will include the vouchers you will need for both parking at the Prudential Center and your Duck Boat ride to the ballpark, included in each End of Summer Family Pack purchase.
Please remember that all sales are final-there are no refunds or exchanges issued on any tickets. Also note that all game times are subject to change. Be sure to visit redsox.com for the latest Red Sox news and any game time updates.
Thanks again! We look forward to seeing you at the ballpark this season.
Boston Red Sox Ticketing Department...


Screenshot: https://1.bp.blogspot.com/-B_1VXJv600M/UhZUOCcg2NI/AAAAAAAABy0/pskZHcKamYw/s1600/redsox.png

The link goes through a legitimate -hacked- site (in this case using a WordPress flaw) and ends up on [donotclick]www.redsox .com.tickets-service.lindoliveryct.net/news/truck-black.php (report here*) which is actually the domain lindoliveryct .net rather than redsox .com... The WHOIS details for this domain are fake and indicate it is the work of the Amerika gang...
The malicious domain is multihomed on the following IPs which host several other malicious domains:
66.230.163.86 (Goykhman And Sons LLC, US)
86.183.191.35 (BT, UK)
188.134.26.172 (Perspectiva Ltd, Russia)
Recommended blocklist:
66.230.163.86
86.183.191.35
188.134.26.172
..."
* http://urlquery.net/report.php?id=4682777
___

Chase Bank Remittance Spam
- http://threattrack.tumblr.com/post/59019303653/chase-bank-remittance-spam
Aug 22, 2013 - "Subjects Seen:
Remittance Docs <random>
Typical e-mail details:
Please find attached the remittance If you are unable to open the attached file, please reply to this email with a contact telephone number.
The Finance Dept will be in touch in due course.
Vanessa_Rodriquez
Chase Private Banking


Malicious URLs

Malicious File Name and MD5:
Docs_<name>.zip (37A1C5AC9C0090A07F002B0A2ED57D3D)
Docs_<date>.exe (E9FBB397E66B295F5E43FE0AA3B545D7)

- Screenshot: https://gs1.wac.edgecastcdn.net/801...e12e67471/tumblr_inline_mrxy44WuCD1qz4rgp.png
___

Discover Card Account Information Update Spam
- http://threattrack.tumblr.com/post/59025861611/discover-card-account-information-update-spam
Aug 22, 2013 - "Subjects Seen:
Your account login information updated
Typical e-mail details:
Dear Customer,
This e-mail is to confirm that you have updated your log-in information for Discover.com. Please remember to use your new information the next time you log in.
Log In to review your account details or to make additional changes.


Malicious URLs


- Screenshot: https://gs1.wac.edgecastcdn.net/801...826e4f11b/tumblr_inline_mry2hgeDjI1qz4rgp.png

- http://blog.dynamoo.com/2013/08/discover-card-your-account-login.html
22 August 2013 - "This fake Discover card spam leads to malware on abemuggs .com:
Date: Thu, 22 Aug 2013 16:14:59 +0000 [12:14:59 EDT]
From: Discover Card [no-reply@ facebook .com]
Subject: Your account login information updated
Discover
Access My Account
ACCOUNT CONFIRMATION Statements | Payments | Rewards
Your account login information has been updated.
Dear Customer,
This e-mail is to confirm that you have updated your log-in information for Discover.com. Please remember to use your new information the next time you log in.
Log In to review your account details or to make additional changes...


Screenshot: https://3.bp.blogspot.com/-yFKra6yjZxQ/UhZqLgXefaI/AAAAAAAABzM/PbOV1lEPdbE/s1600/discover-card2.png

The link in the email uses the Twitter redirection service to go to [donotclick]t. co/9PsnfeL8hh then [donotclick]x .co/1neIk then [donotclick]activegranite.com/vocatives/index.html and finally to a set of three scripts as follows:
[donotclick]02aa198 .netsolhost .com/frostbite/hyde.js
[donotclick]96.9.28.44 /dacca/quintilian.js
[donotclick]cordcamera.dakisftp .com/toothsome/catch.js
From this point the victim ends up at the malicious payload at [donotclick]abemuggs .com/topic/able_disturb_planning.php which is a hijacked GoDaddy domain hosted on 74.207.253.139 (Linode, US).
At the moment, I can only see abemuggs .com active on 74.207.253.139, however other domains in the same GoDaddy account may be hijacked as well. If you see unexpected traffic going to the following domains then it may be malicious:
abemuggs .com
abesmugs .com
abemugs .com
andagency .com
mytotaltitle .com
I would strongly recommend the following blocklist:
74.207.253.139
96.9.28.44
abemuggs .com
02aa198.netsolhost .com
cordcamera.dakisftp .com
"

- https://www.virustotal.com/en/ip-address/74.207.253.139/information/

- https://www.virustotal.com/en/ip-address/96.9.28.44/information/
___

Fake Remittance Docs SPAM / Docs_08222013_218.exe
- http://blog.dynamoo.com/2013/08/remittance-docs-2982780-spam.html
22 August 2013 - "This fake Chase spam has a malicious attachment:
Date: Thu, 22 Aug 2013 10:00:33 -0600 [12:00:33 EDT]
From: Jed_Gregory [Jed_Gregory@ chase .com]
Subject: Remittance Docs 2982780
Please find attached the remittance 2982780.
If you are unable to open the attached file, please reply to this email with a contact telephone number. The Finance Dept will be in touch in due course.
Jed_Gregory
Chase Private Banking Level III Officer
3 Times Square
New York, NY 10036 ...


The attachment is in the format Docs_victimdomain .com.zip which contains an executable Docs_08222013_218.exe (note that the date is encoded into the file). The VirusTotal detection rate for this is a moderate 16/46*. The Malwr analysis** shows that this is a Pony/Gate downloader which attempts to connect to the following URLs:
[donotclick]watch-fp .ca/ponyb/gate.php
[donotclick]www.jatw.pacificsocial .com/VSMpZX.exe
[donotclick]richardsonlookoutcottages .nb .ca/Q5Vf.exe
[donotclick]idyno.com .au/kvdhx2.exe
The downloader then downloads a second part with a much lower detection rate of 6/46***. This appears to be a Zbot variant... The Pony/Gate component is hosted on 72.5.102.146 (Nuclear Fallout Enterprises, US) and is a hijacked GoDaddy domain, one of several on that server...
Recommended blocklist:
72.5.102.146 ..."
* https://www.virustotal.com/en/file/...2a7a97b3c32b25b0d49ab464/analysis/1377201922/

** https://malwr.com/analysis/YTNiNzMwZjUyZjMxNGE4ODhmNDJlZGFiYjY4YjU3ZmY/

*** https://www.virustotal.com/en/file/...019fedbf4261938b7e441d1d/analysis/1377202683/

- https://www.virustotal.com/en/ip-address/72.5.102.146/information/

Fake Wells Fargo SPAM, Orbit Downloader - DDoS

FYI...

Fake Wells Fargo SPAM / WellsFargo_08232013.exe
- http://blog.dynamoo.com/2013/08/wells-fargo-spam-wellsfargo08232013exe.html
23 August 2013 - "This fake Wells Fargo spam has a malicious attachment:
Date: Fri, 23 Aug 2013 09:43:44 -0500 [10:43:44 EDT]
From: Morris_Osborn@ wellsfargo .com
Please review attached documents.
Morris_Osborn
Wells Fargo Advisors
817-718-8096 office
817-610-5531 cell Morris_Osborn@ wellsfargo .com
Investments in securities and insurance products are:
NOT FDIC-INSURED/NO BANK-GUARANTEES/MAY LOSE VALUE
Wells Fargo Advisors, LLC is a nonbank affiliate of Wells Fargo & Company, Member
FINRA/SIPC. 1 North Jefferson, St. Louis, MO 63103...


In this case there is an attachment WellsFargo.victimname.zip which contains a malicious executable WellsFargo_08232013.exe (note the date is encoded into the filename). The VirusTotal detection rate is just 4/45*, but the file itself is unusually small (just 21Kb unzipped, 8Kb zipped) when I would normally expect to see the executable closer to 100Kb for this sort of malware. What does it do? Well, the automated reports show it rummaging through various browser and address book data, and the ThreatTrack report [pdf**] shows a DNS lookup of the domain huyontop.com plus what appears to be some peer-to-peer activity... The WHOIS details for the domain huyontop .com appear to be valid (I won't list them here, look them up if you want), however it was only registered a few days ago. I can't tell you exactly what it is doing, but I would treat huyontop .com as being potentially malicious and block it if you can."
* https://www.virustotal.com/en/file/...bc57b7cad5ecd091c6335759/analysis/1377272785/

** http://www.dynamoo.com/files/analysis_32325_00949d04acead6bc20e1bc1acd09feb3.pdf

- https://www.virustotal.com/en/ip-address/216.194.165.222/information/
___

Orbit Downloader - DDoS component found
- https://net-security.org/malware_news.php?id=2570
Aug 23, 2013 - "... The DDoS component has been discovered by ESET researchers* while doing a routine examination of the software, and subsequent analysis of previous versions has shown that it was added to orbitDM.exe sometime between the release of version 4.1.1.14 (December 25, 2012) and version 4.1.1.15 (January 10, 2013)... ESET has decided to make its AV software detect all versions of Orbit Downloader with DoS functionality. Trend Micro, Kaspersky Lab and Ikarus decided to follow suit, at least for the latest version of OD. Users are advised to deinstall the software and choose another one for their needs."

* http://www.welivesecurity.com/2013/...dark-side-of-a-popular-file-downloading-tool/
21 Aug 2013

** https://www.virustotal.com/en/file/...14fbd471f114420e5ba7735a7363cf23ec6/analysis/

Fake UPS, Paypal SPAM ...

FYI...

Fake UPS SPAM / UPS Invoice 74458652.zip
- http://blog.dynamoo.com/2013/08/ups-spam-ups-invoice-74458652zip.html
26 August 2013 - "This fake UPS invoice has a malicious attachment:
From: "UPSBillingCenter @ups .com" [UPSBillingCenter@ ups .com]
Subject: Your UPS Invoice is Ready
New invoice(s) are available for the consolidated payment plan(s) / account(s) enrolled in the UPS Billing Center. Download the attachment. Invoice will be automatically shown by double click.


Attached is a file UPS Invoice 74458652 which in turn contains a file called UPS Invoice {DIGIT[8]}.exe which presumably isn't meant to be named like that.
The VirusTotal detection rate is a so-so 18/46*. The Malwr analysis** is that this is a trojan downloader that attempts to download bad things from the following locations:
[donotclick]gordonpoint .org/forum/viewtopic.php
[donotclick]mierukaproject .jp/PjSE.exe
[donotclick]programcommunications .com/WZP3mMPV.exe
[donotclick]fclww .com/QdytJso0.exe
[donotclick]www .lajen .cz/tPT8oZTB.exe
The VirusTotal detection rate for the downloaded file is not great at just 9/46***.
The domain gordonpoint .org is a hijacked GoDaddy domain on 74.207.229.45 (Linode, US) along with several other -hijacked- domains...
Recommended blocklist:
"
* https://www.virustotal.com/en/file/...c16d01feb5964b21364c13ae/analysis/1377553766/

** https://malwr.com/analysis/NTE2MGRjODQzNTQzNGQ2NjliZDVhYjgxYzUzY2NlOTg/

*** https://www.virustotal.com/en/file/...3331fb71597bfbb98ee8d0c6/analysis/1377552510/

- https://www.virustotal.com/en/ip-address/74.207.229.45/information/
___

PayPal Protection Services Spam
- http://threattrack.tumblr.com/post/59424449055/paypal-protection-services-spam
Aug 26, 2013 - "Subjects Seen:
Resolution of case #<random>
Typical e-mail details:
Our records indicate that you never responded to requests for additional information about this claim. We hope you review the attached file and solve the situation amicably.
For more details please see on the page View all details
Sincerely,
Protection Services Department


Malicious URLs
8744f321834af6ba.lolipop .jp/monetary/index.html
scentsability .org/interlocks/index.html
batcoroadlinescorporation .com/misfire/index.html
gordonpoint .org/topic/able_disturb_planning.php


Screenshot: https://gs1.wac.edgecastcdn.net/801...70db2f066/tumblr_inline_ms5pg88gPk1qz4rgp.png

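The reports quoted in this thread keep describing the same tells: executables whose names carry the send date (Docs_08222013_218.exe, WellsFargo_08232013.exe), an archive named after the victim's own domain, a spam-kit placeholder that was never filled in ({DIGIT[8]}), and one landing path (/topic/able_disturb_planning.php, /ponyb/gate.php) reused across many hijacked domains. The following is an added example, not code from any of the quoted posts, that turns those tells into a small mail-gateway and proxy-log check; the sample names and URLs are constructed and the hostnames are placeholders.

```python
import re
from datetime import datetime
from urllib.parse import urlparse

# Added example, not code from the quoted reports. Flags attachment names and URLs
# that match the naming and landing-page patterns described in the thread.
# Sample inputs are constructed; hostnames are placeholders, not real indicators.

# "Docs_08222013_218.exe", "WellsFargo_08232013.exe": word, MMDDYYYY date, optional counter.
DATE_STEM = re.compile(r"^[A-Za-z]+_(\d{8})(?:_\d+)?\.exe$", re.IGNORECASE)
# "UPS Invoice {DIGIT[8]}.exe": a spam-kit placeholder that was never substituted.
TEMPLATE_TOKEN = re.compile(r"\{[A-Z]+\[\d+\]\}")
# Landing paths the reports saw reused across several hijacked domains.
LANDING_PATHS = ("/topic/able_disturb_planning.php", "/ponyb/gate.php")


def classify_attachment(name, recipient_domain=None):
    """Return a short reason if the attachment name matches a campaign pattern, else None."""
    m = DATE_STEM.match(name)
    if m:
        try:
            datetime.strptime(m.group(1), "%m%d%Y")  # only a real calendar date counts
            return "date-encoded executable"
        except ValueError:
            pass
    if TEMPLATE_TOKEN.search(name):
        return "unsubstituted template placeholder"
    if recipient_domain and name.lower().endswith(".zip") \
            and recipient_domain.lower() in name.lower():
        return "recipient domain embedded in archive name"
    return None


def classify_url(url):
    """Return a reason if the URL path is one of the reused landing paths, else None."""
    path = urlparse(url).path
    return "known landing path" if path in LANDING_PATHS else None


def scan(attachments, urls, recipient_domain=None):
    """Run both checks and return (item, reason) pairs for everything that matched."""
    hits = [(a, classify_attachment(a, recipient_domain)) for a in attachments]
    hits += [(u, classify_url(u)) for u in urls]
    return [(item, reason) for item, reason in hits if reason]


if __name__ == "__main__":
    # Constructed samples; hostnames are placeholders.
    atts = ["Docs_08222013_218.exe", "UPS Invoice {DIGIT[8]}.exe",
            "Docs_example.com.zip", "Q3_report.pdf", "Docs_13452013.exe"]
    urls = ["http://hijacked.example/topic/able_disturb_planning.php",
            "http://c2.example/ponyb/gate.php", "http://ok.example/topic/index.html"]
    for item, reason in scan(atts, urls, recipient_domain="example.com"):
        print(f"{reason:40s} {item}")
```

The date check rejects stems such as Docs_13452013.exe so that random eight-digit counters do not trigger the rule; pass the recipient's domain to catch the Docs_victimdomain.com.zip outer archive.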