SPAM frauds, fakes, and other MALWARE deliveries...

Fake emails: Threat Outbreak Alerts, UPS scam...

FYI...

Fake email - Threat Outbreak Alerts
- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Fake FedEx Parcel Delivery Failure Notification Email Message - 2013 Aug 27
Fake Money Transfer Notification Email Messages - 2013 Aug 27
Fake Bank Payment Notice Email Messages - 2013 Aug 27
Fake Account Payment Notification Email Messages - 2013 Aug 27
Fake Bank Payment Transfer Notification Email Messages - 2013 Aug 27
Fake Package Shipping Notification Email Messages - 2013 Aug 27
Fake Business Complaint Notification Email Messages - 2013 Aug 27
Fake Tax Return Information Email Messages - 2013 Aug 27
Email Messages with Malicious Attachments - 2013 Aug 27
Fake Product Purchase Order Request Email Messages - 2013 Aug 27
Fake Tax Documentation Email Messages - 2013 Aug 27
Fake Product Services Specification Request Email Messages - 2013 Aug 27
(More detail and links at the cisco URL above.)
___

UPS Email scam delivers Backdoor
- http://blog.trendmicro.com/trendlab.../convincing-ups-email-scam-delivers-backdoor/
Aug 27, 2013 - "... most users can easily detect spammed messages, particularly those that attempt (and fail) at looking like legitimate email notifications... We recently found an email sample spoofing the popular mail courier service UPS. The email poses as a package delivery notification, containing links to the tracking site and .PDF copy of the shipping invoice. This is definitely not the first time we received such an email. However, what makes this spam stand out is the way it hides its true, malicious intent.
> https://blog.trendmicro.com/trendlabs-security-intelligence/files/2013/08/ups_spamrun_825.png
As seen in the email screenshot above, the malware-hosting site is hyperlinked to the legitimate UPS URL where the .PDF version of the shipping invoice can be downloaded. For users, this URL may seem safe; however, when they click the URL, it leads to the download of the malicious ZIP file. To further convince users of its legitimacy, the recipient’s email address was created to closely resemble the actual UPS email address. The ZIP file contains a malicious file which Trend Micro detects as BKDR_VAWTRAK.A. This backdoor steals stored information in several FTP clients or file manager software. In addition, BKDR_VAWTRAK.A also steals email credentials from Outlook, PocoMail, IncrediMail, Windows Live Mail, and The Bat! among others. In order to avoid detection on the system, this backdoor deletes certain registry keys related to Software Restriction Policies... this attack was moderate in number, constituting approximately 1 in every 300-400 thousand spam on the day of the outbreak based on the estimate. To give this a baseline of comparison, the recent Royal Baby spam outbreak consisted of 1 in every 200 spam on the days of that outbreak. This email campaign also appears to be targeting specific organizations, which stresses the importance of social engineering training and how to make it effective in a workplace setting. This includes training like “social” penetration training, which is basically having someone play an attacker and attempt to lure employees via social engineering..."

High Profile Domains under Siege

FYI...

High Profile Domains under Siege
- http://blog.opendns.com/2013/08/27/high-profile-domains-under-siege/
August 27, 2013 - "We are actively seeing several high profile domains being -hijacked- at the DNS level and are actively blocking all requests from the apparent attackers’ name servers. The attacker looks to have compromised domain name registrar MelbourneIT. Reported domains include Share This, Twitter, Huffington Post, and the New York Times. We’re not linking to those sites for obvious reasons. The IP addresses and domains that have been involved in -redirection- have been blocked by OpenDNS... We are now blocking all requests that are coming from the known bad name servers... screenshots show the bad name server, 141.105.64.37, which is currently hosting domains including malware and phishing along with the domains affected by today’s attack..."
(Screenshots at the opendns URL above.)

- https://www.virustotal.com/en/ip-address/141.105.64.37/information/

- https://isc.sans.edu/diary.html?storyid=16451
Last Updated: 2013-08-27 21:09:58 UTC

- http://www.theregister.co.uk/2013/08/27/twitter_ny_times_in_domain_hijack/
27 August 2013

- http://arstechnica.com/security/201...lash-with-hackers-for-control-of-their-sites/
Aug 27 2013, 10:10pm EST

Sendori software update - malware...

FYI...

Sendori software update - malware...
- https://isc.sans.edu/diary.html?storyid=16466
Last Updated: 2013-08-29 04:27:07 UTC - "Reader Kevin wrote in to alert us of an interesting discovery regarding Sendori. Kevin stated that two of his clients were treated to malware via the auto-update system for Sendori. In particular, they had grabbed Sendori-Client-Win32/2.0.15 from 54.230.5.180 which is truly an IP attributed to Sendori via lookup results. Sendori's reputation is already a bit sketchy; search results for Sendori give immediate pause but this download in particular goes beyond the pale. With claims that "As of October 2012, Sendori has over 1,000,000 active users" this download is alarming and indicates something else is likely afoot with Sendori's site and/or updater process. The URL path (to be considered hostile) is: hxxp ://upgrade.sendori .com/upgrade/2_0_16/sendori-win-upgrader.exe...
VirusTotal results currently nine malware hits (9/46*). Malwr results** are rather damning, and as Kevin stated, Zeus-like... Other filenames for this sample as seen in the wild:
sendori-win-upgrader.exe
SendoriSetup-2.0.15.exe
update_flash_player.exe
14542884
output.14542884.txt
Update_flash_player.exe ...
Sendori replied to Kevin's notification with; they are engaged and investigating:
'Hi Kevin, we have engaged our network and security team. They will analyze and take appropriate action to resolve this issue. They will contact if they need any additional information from you.
Thanks again for bringing this to our notice.
Thanks Sendori Support team' ...
Comment(1): I checked again this morning and the file sendori-win-upgrader.exe they are hosting has now changed to a smaller version with MD5 771f2382ce00d6f8378f56510fa0da43.
I was hoping that meant the Sendori folks cleaned things up but VirusTotal still throws 4 malware hits on the file, and a fresh Malwr analysis looks as evil as before. It looks like whoever is exploiting Sendori's auto-update system has just "freshened up" the file for better AV evasion. I updated my ticket with Sendori Support. My first sighting of this issue was on 2013-08-28 at 4:58pm EST when my first client was nailed with it.
Kevin Branch..."

... sendori .com/consumer_problem.html
"Sendori software works in tandem with web browsers to dramatically speed access to tens of thousands of the most popular websites..."

* https://www.virustotal.com/en/file/...a16eee991ec1b6c205bcb4cf768d70b441d/analysis/

** https://malwr.com/analysis/Y2E4ZDlkMzQ5MjkyNDdmYjhhNjhmZDVlMDcyMjk2NGU/
___

Threat Outbreak Alerts
- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Fake eFax Message Notification Email Messages - 2013 Aug 29
Fake Account Payment Notification Email Messages - 2013 Aug 29
Fake Purchase Order Request Email Messages - 2013 Aug 29
Fake Payment Notification Email Messages - 2013 Aug 29
Fake Payment Information Email Messages - 2013 Aug 29
Fake Shipping Information Email Messages - 2013 Aug 29
Fake Product Order Email Messages - 2013 Aug 29
Fake Account Information Request Email Messages - 2013 Aug 29
Fake Photo Sharing Email Messages - 2013 Aug 29
Fake Product Purchase Request Email Messages - 2013 Aug 29
Fake Invoice Notification Email Messages - 2013 Aug 29
Fake Payment Notification Email Messages - 2013 Aug 29
Email Messages with Malicious Attachments - 2013 Aug 29
Fake Account Deposit Notification Email Messages - 2013 Aug 29
Fake Package Delivery Failure Notification Email Messages - 2013 Aug 29
Fake Product Services Specification Request Email Messages - 2013 Aug 29
Fake Product Purchase Order Email Messages on August 28, 2013 - 2013 Aug 29
Malicious Personal Pictures Attachment Email Messages - 2013 Aug 29
Fake Scanned Document Attachment Email Messages - 2013 Aug 29
(More detail and links at the cisco URL above.)

Visa/PayPal, Paychex SPAM...

FYI...

Visa/PayPal Spam
- http://threattrack.tumblr.com/post/59770780239/visa-paypal-spam
Aug 30, 2013 - "Subjects Seen:
Resolution of case #PP<random>
Typical e-mail details:
Dear Visa card holder,
Our records indicate that you never responded to requests for additional information about this claim. We hope you review the attached file and solve the situation amicably.
For more details please see on the page View all details on the Usa.visa.com/personal/
Visa does not tolerate fraud or illegal activities. Your complaint has been noted in the record of the Visa card holder you reported. If we find this user has violated our policies, we will investigate and take appropriate action. If this occurs, you may be contacted in the future about the status of this complaint.
To make sure future transactions proceed smoothly, we suggest you visit the PayPal site and click the Security Center link located at the top of any page. There you will find tips on how to avoid fraudulent sellers in the “Fraud Prevention Tips for Buyers” section.


Malicious URLs
dp56148868.lolipop .jp/brassing/index.html
rossizertanna .it/occupancy/index.html
abesgrillnbar .com/topic/able_disturb_planning.php


Screenshot: https://gs1.wac.edgecastcdn.net/801...5adb41405/tumblr_inline_msci80fxum1qz4rgp.png
___

Paychex Insurance Spam
- http://threattrack.tumblr.com/post/59780780295/paychex-insurance-spam
Aug 30, 2013 - "Subjects Seen:
Paychex Insurance Agency
Typical e-mail details:
The security of your personal information is of the utmost importance to Paychex, so we have sent the attached as a secure electronic file.
For more details please see on the page. View all details »
Note: The attached file contains encrypted data. In order to view the file, you must have already installed the decryption software that was previously provided by Paychex.
If you have any question please call us at 800-472-0072, option 4. Representatives are available to assist you Monday through Thursday between 8:00 a.m. and 8:00 p.m. ET and Friday between 8:00 a.m. and 6:00 p.m. ET.
Paychex Insurance Agency


Malicious URLs
ftp(DOT)willetthofmann .com/logistically/index.html
ftp(DOT)willetthofmann .com/shadiest/index.html
abesonthego .com/topic/able_disturb_planning.php


Screenshot: https://gs1.wac.edgecastcdn.net/801...c0e2416dc/tumblr_inline_mscq91NzEx1qz4rgp.png
___

Federal Reserve Suspicious Activity Spam
- http://threattrack.tumblr.com/post/59791687246/federal-reserve-suspicious-activity-spam
Aug 30, 2013 - "Subjects Seen:
FW: IMPORTANT - Suspicious Activity <random>
Typical e-mail details:
Greetings, addressing you is Ariel Howe, Superior Accounting Officer at Federal Reserve. We have received an inquiry from your Financial Institution regarding an incoming money transfer from Harvey Norman Holdings Ltd. retail with concern on the company’s current activity which is valued as “High Risk Activity”. In order to release the funds to your account please complete the attached form “IIMT Form 401”.
Please note if no further action will be taken the funds will be remain locked in the Federal Reserve System or returned to the Money transfer initiator.
Ariel Howe
Superior Accounting Officer
Office of Inspector General
c/o Board of Governors of the Federal Reserve System


Malicious File Name and MD5:
Case_<random>.zip (35C95C02EB974CA2302D2BA3EB7E5322)
Case_<date>.exe (F9A37404F1150C48AEC238BAC44977FC)

Screenshot: https://gs1.wac.edgecastcdn.net/801...763f60ab2/tumblr_inline_mscxwbY9v51qz4rgp.png

Malware sites to block 2/9/13 ...

FYI...

Malware sites to block 2/9/13
- http://blog.dynamoo.com/2013/09/malware-sites-to-block-2913.html
2 Sep 2013 - "These IPs and domains are associated with this gang* and should all be considered as malicious. This list follows on from this earlier one**..."
(Long list of IPs at the dynamoo URL above.)
* http://blog.dynamoo.com/search/label/Amerika

** http://blog.dynamoo.com/2013/08/malware-sites-to-block-19813.html
___

Fake Facebook SPAM / london-leather .com
- http://blog.dynamoo.com/2013/09/facebook-spam-london-leathercom.html
2 Sep 2013 - "This fake Facebook spam leads to malware on london-leather .com:
Date: Mon, 2 Sep 2013 19:59:52 +0300 [12:59:52 EDT]
From: Facebook [update+hiehdzge @facebookmail .com]
Subject: Victoria Carpenter commented on your status...
Hello,
Victoria Carpenter commented on your status.
Victoria wrote: "so cute"
Go to comments
Reply to this email to comment on this status.
See Comment
This message was sent to [redacted]...


In this case the link in the spam appears to use some sort of URL shortening service, first going to [donotclick]jdem .cz/5xxb8 then [donotclick]93.93.189.108 /exhortation/index.html where it attempts to load one of the following three scripts:
[donotclick]codebluesecuritynj .com/mummifies/stabbed.js
[donotclick]mobileforprofit .net/affected/liberal.js
[donotclick]tuviking .com/trillionth/began.js
These scripts in turn direct the visitor to a malicious payload site at [donotclick]london-leather .com/topic/able_disturb_planning.php which is a hijacked GoDaddy domain hosted on 173.246.104.184 (Gandi, US) which hosts a number of malicious domains, also hijacked from GoDaddy...
Recommended blocklist:
173.246.104.184
london-leather .com
kitchenwalla .com
kidswalla .com
jerseyluggage .com
jerseycitybags .com
kiddypals .com
kennethcolenyoutlet .com
codebluesecuritynj .com
mobileforprofit .net
tuviking .com
"

- https://www.virustotal.com/en/ip-address/173.246.104.184/information/
___

MONK SPAM tries to profit from WAR threat
- http://blog.dynamoo.com/2013/09/monk-spam-tries-to-profit-from-war.html
2 Sep 2013 - "The MONK (Monarchy Resources Inc) pump-and-dump spam continues*. This time though, the spammers are trying to capitalise on the threat of war in the Middle East:
From: belova04@ jeel .com
Date: 2 September 2013 17:32
Subject: This Stock just released Big News!
Are you interested in enriching yourself by means of war? It`s the very
time to do it! As soon as the first bombs get to the earth in Syria,
stone oil prices will move up the same as MONARCHY RESOURCES INC
(M-ON_K) share price. Go make money on Mon, Sep 2, 2013, get M-ON_K
shares!!!...


As previously discussed*, the stock price for this company has tanked** and is unlikely to get any better. If you attempt to do some war profiteering on this stock then you will lose out, and frankly you won't get any sympathy from me. Here are some other variants of the same scummy email:

You can make money on war!!! It`s right time to make it. The
moment the first rockets descend to Syria, oil prices will
rise the same as MONARCHY RESOURCES INC. (M O N_K) bond
price!!! Begin earning profits on Monday, September 02, 2013,
grab M O N_K shares.
It`s your turn to make money on war! It`s the very time to make it.
As soon as the first bombs touch the ground in Syria, black gold
prices will skyrocket as well as MONARCHY RESOURCES, INC (M-O-N K)
bond price. Start making money on Mon, Sep 02, 2013, get M-O-N K
shares...


* http://blog.dynamoo.com/2013/08/monk-monarchy-resources-inc-pump-and.html

** http://www.nasdaq.com/symbol/monk/interactive-chart?timeframe=1y&charttype=line

Fake PayPal, Breaking Bad SPAM...

FYI...

Fake PayPal SPAM / londonleatheronline .com
- http://blog.dynamoo.com/2013/09/paypal-spam-londonleatheronlinecom.html
3 Sep 2013 - "This fake PayPal spam leads to malware on londonleatheronline .com:
Date: Tue, 3 Sep 2013 09:43:09 +0400 [01:43:09 EDT]
From: PayPal [service@ int .paypal .com]
Subject: Identity Issue #PP-716-472-864-836
We are writing you this email in regards to your PayPal account. In accordance with our "Terms and Conditions", article 3.2., we would like to kindly ask you to confirm your identity by completing the attached form.
Please print this form and fill in the requested information. Once you have filled out all the information on the form please send it to verification@ paypal .com along with a personal identification document (identity card, driving license or international passport) and a proof of address submitted with our system ( bank account statement or utility bill ).
For more details please see on the page View all details
Your case ID for this reason is PP-U3PR33YIL8AV
For your protection, we might limit your account access. We apologize for any inconvenience this may cause.
Thanks,
PayPal ...


The link in the email goes to a legitimate -hacked- site and then loads one of these three scripts:
[donotclick]ftp.casacalderoni .com/liquids/pythias.js
[donotclick]tuviking .com/trillionth/began.js
[donotclick]walegion.comcastbiz .net/wotan/reuses.js
These scripts then try to deliver the victim to a malicious payload at [donotclick]londonleatheronline .com/topic/able_disturb_planning.php which is a hijacked GoDaddy domain hosted on 173.246.104.184 (Gandi, US) which is the same server as used in this attack* ...
Recommended blocklist:
173.246.104.184
jerseycitybags .com
jerseyluggage .com
kennethcolenyoutlet .com
kiddypals .com
kidswalla .com
kitchenwalla .com
london-leather .com
londonleatheronline .com
ftp.casacalderoni .com
tuviking .com
walegion.comcastbiz .net
"
* http://blog.dynamoo.com/2013/09/facebook-spam-london-leathercom.html

- https://www.virustotal.com/en/ip-address/173.246.104.184/information/
___

Breaking Bad Spam lurks - note pasting site
- http://www.threattracksecurity.com/it-blog/breaking-bad-spam-lurks-on-note-pasting-site/
Sep 3, 2013 - "... fresh links being dumped across a site designed to let users paste notes and images then share with their friends, in a similar manner to Pastebin... frantic posting of links galore... The site itself has Bidvertiser ads placed above and below the “watch now” graphic, which may cause end-users to think they’re related to the image. Not so – clicking the “Download” button took us to an internet speed test. Clicking the Breaking Bad image took us to a second Tumblr which is so excited about offering up ads that it ends up sliding a scroll ad right behind the survey splash.
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/09/bbadpaste3.jpg
... They just can’t decide what they want you to click on first! Another link takes end-users to a video player install complete with various advertising related additions.
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/09/bbadpaste4.jpg
...
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/09/bbadpaste5.jpg
... As with all of these spam runs, you’re better off avoiding. At best, you’ll end up with some terrible grainy rip of a TV show on some free file host (after filling in a bunch of offers); at worst, you’ll end up with no TV show, unwanted installs and advert clickthroughs which lead to who-knows-where (after filling in a bunch of offers)."
___

Facebook News feed Suggestion Spam
- http://threattrack.tumblr.com/post/60178964754/facebook-news-feed-suggestion-spam
Sep 3, 2013 - "Subjects Seen:
Hi <name>, here are some Pages you may like
Typical e-mail details:
Like these Pages to get updates in your News Feed...

Malicious URLs
iecc .com .au/complying/index.html
pictondental .com .au/hilda/index.html
ladiscoteca .org/john/index.html
bonway-onza .com/thalami/index.html
watchfp .mobi/topic/able_disturb_planning.php
mvwebsites .com .au/bmSe4BN.exe
mystatesbororealestate .com/rhdkD6.exe
mit-stolz-vorbei-dollbergen .de/w8BDM.exe
petrasolutions .com/JpVsf.exe


Screenshot: https://gs1.wac.edgecastcdn.net/801...77f4f64a4/tumblr_inline_msk090lk5B1qz4rgp.png

Facebook SPAM, more...

FYI...

Facebook SPAM / watchfp .net
- http://blog.dynamoo.com/2013/09/facebook-spam-watchfpnet.html
4 Sep 2013 - "All this malware-laden Facebook spam is boring. Here's another one, leading to a malicious payload on watchfp .net:
Date: Tue, 3 Sep 2013 11:37:14 -0700 [14:37:14 EDT]
From: Facebook [notification+zrdohvri=vd1 @facebookmail .com]
Subject: Blake Miranda tagged 5 photos of you on Facebook
facebook
Blake Miranda added 5 photos of you.
See photos
Go to notifications
This message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future, please click: unsubscribe.
Facebook, Inc. Attention: Department 415 P.O Box 10005 Palo Alto CA 94303


Blake is pretty feminine looking for a bloke:
> https://lh3.ggpht.com/-qWsaS5oax8Y/UiZl5ycfTdI/AAAAAAAAB2M/YGE-dNgQjlo/s1600/facebook4.png
The photograph is stolen from the website of Ashot Gevorkyan [some pictures perhaps nsfw] who has quite a nice portfolio. Anyway.. the link in the email uses a shortening service:
[donotclick]u .to/r05nBA which goes to
[donotclick]www.rosenberger-kirwa .de/triassic/index.html which loads one of the following:
[donotclick]safbil .com/stashed/flout.js
[donotclick]ftp.spectrumnutrition .ca/sunscreens/copping.js
[donotclick]schornsteinfeger-helmste .de/covetously/turk.js
The final step is that the victim ends up on a malware landing page at [donotclick]watchfp .net/topic/able_disturb_planning.php which is a hijacked GoDaddy domain hosted on 192.81.134.241 (Linode, US) along with some other hijacked domains listed in italics below. The attack is characteristic of the ThreeScripts series of malicious spam emails.
Recommended blocklist:
192.81.134.241
watchfp .org
watchfp .mobi
watchfp .net
safbil .com
ftp.spectrumnutrition .ca
schornsteinfeger-helmste .de
"
___

Something evil on 174.140.168.239
- http://blog.dynamoo.com/2013/09/something-evil-on-174140168239.html
4 Sep 2013 - "The server at 174.140.168.239 (DirectSpace Networks LLC, US) is currently hosting a large number of hijacked GoDaddy domains and is being used to distribute malware [1] [2] [3].
It looks like this server has been active for a couple of months and has been used for a variety of evil purposes, I strongly recommend blocking the following:
174.140.168.239 ..."
(More listed at the dynamoo URL above.)

1) http://urlquery.net/search.php?q=174.140.168.239&type=string&start=2013-06-20&end=2013-09-04&max=400

2) https://www.virustotal.com/en-gb/ip-address/174.140.168.239/information/

3) http://blog.dynamoo.com/2013/06/hp-spam-hpscan06292013398zip-fail.html
___

Something very wrong with Gandi US (AS29169 / 173.246.96.0/20)
- http://blog.dynamoo.com/2013/09/something-is-very-wrong-with-gandi-us.html
4 Sep 2013 - "Recently I have been suggesting readers block quite a few individual IPs at Gandi in the US, but I hadn't noticed exactly how many IPs I had been suggesting until a couple of days ago. The problem seems to exist in the 173.246.96.0/20 block of AS29169 (173.246.96.0 - 173.246.111.255), a range of IP addresses that houses very many legitimate domains. Unfortunately, it also houses several malicious servers in the 173.246.102.0/24, 173.246.103.0/24 and 173.246.104.0/24 ranges, alongside legitimate sites... the warnings I have given about this IP range just in this blog alone* (ignoring all external sources)... Google prognosis**... there are a load of legitimate sites interspersed with the malware. Of course, you may want to block chunks of this IP range anyway and live with the collateral damage... if you are hosted in this range then I suggest it is time to look for a new host. Over the past 12 months there have been at least 25 malware servers in this block, with 173.246.102.0/24 hosting 5, 173.246.103.0/24 hosting 8 and 173.246.104.0/24 hosting 9. Something must be seriously wrong at Gandi to allow this to happen.
Recommended blocklist:
173.246.102.2
173.246.102.202
173.246.102.223
173.246.102.250
173.246.103.47
173.246.103.191
173.246.103.232
173.246.104.52
173.246.104.55
173.246.104.104
173.246.104.128
173.246.104.154
173.246.104.184
173.246.104.185
..."
(Long list of URLs at the dynamoo URL above.)
* http://blog.dynamoo.com/search/label/Gandi

** http://www.google.com/safebrowsing/diagnostic?site=AS:29169
___

Fake PayPal SPAM / dshapovalov .info
- http://blog.dynamoo.com/2013/09/paypal-spam-dshapovalovinfo.html
4 Sep 2013 - "This (badly formatted) fake PayPal spam email leads to malware on dshapovalov .info:
Date: Wed, 4 Sep 2013 08:33:25 -0500 [09:33:25 EDT]
From: PayPal [service@ int. paypal .com]
Subject: History of transactions #PP-011-538-446-067
ID
Transaction: { figure } {SYMBOL }
On your account malicious activity , for 1 hour was filmed around $ 100 , in small amounts In order to avoid blocking the account you need to go in. Authenticate Now
Sincerely, Services for protection
Department
PayPal does not tolerate fraud or illegal activities. Your complaint It was noted in the minutes of PayPal user you reported . If we find that This user has violated our policies , we will investigate and take appropriate action. In this case , you can contact in the future status this complaint.
To ensure that future transactions proceed smoothly, we suggest you visit PayPal site and click the Security Center link located at the top of any page. There you will find tips on how to avoid scammers " Fraud Prevention Tips for Buyers " section.
Please do not reply to this email. This mailbox is not monitored and you will not receive a response. For assistance , log in to your PayPal account and click the Help link in the upper right corner of any page PayPal.
Copyright © 1999-2013 PayPal. All rights reserved.
PPID PP {DIGIT } The history of monetary transactions


The link in the email goes through a URL shortening service at [donotclick]url7 .org/KRh - one annoying feature with this service is that you have to click through a form to get the link, so it isn't easy to see where you are going to land. In this case it is [donotclick]184.168.56.23 /observatories/index.html and then it runs one of the following three scripts:
[donotclick]81.143.33.169 /garrotting/rumples.js
[donotclick]northeastestateagency .co .uk/queues/relaxes.js
[donotclick]mineralmizer.webpublishpro .com/peps/dortmund.js
From there, the victim is sent to a hijacked GoDaddy domain at [donotclick]dshapovalov.info/topic/able_disturb_planning.php hosted on 192.81.134.241 (Linode, US) which is the same server used in this attack*. There are other hijacked GoDaddy domains on the same domain...
Recommended blocklist:
192.81.134.241
watchfp .org
watchfp .mobi
journeyacrossthesky .com
dshapovalov .info
watchfp .net
mineralmizer.webpublishpro .com
northeastestateagency .co .uk
81.143.33.169
"
* http://blog.dynamoo.com/2013/09/facebook-spam-watchfpnet.html

Current PayPal related Spam Ploys
- http://threattrack.tumblr.com/post/60269257866/current-paypal-related-spam-ploys
Sep 4, 2013 - "Subjects Seen:
Resolution of case #PP-<random>
With your balance was filmed - 500 $ -Resolution of case #PP-<random>
Identity Issue #PP-<random>
History of transactions #PP-<random>

Typical e-mail details:
Resolution of Case:
Our records indicate that you never responded to requests for additional information about this claim. We hope you review the attached file and solve the situation amicably. For more details please see on the page View all details
Sincerely,
Protection Services Department ..."


Malicious URLs
ervinscarpet .com/impartially/index.html
jp-intarsia .de/concurred/index.html
hadjis-law .com/creamy/index.html
taylorandgregory .co .uk/assent/index.html
shiing01.x-y .net/stopping/index.html
fonotape.com .ar/bosun/index.html
fonotape.com .ar/supplicate/index.html
dshapovalov .info/topic/able_disturb_planning.php
dshapovalov .info/forum/viewtopic.php
petrasolutions .com/JpVsf.exe
mystatesbororealestate .com/rhdkD6.exe
mvwebsites .com .au/bmSe4BN.exe


Screenshots: https://gs1.wac.edgecastcdn.net/801...d67e8035b/tumblr_inline_msltkrWOF91qz4rgp.png

- https://gs1.wac.edgecastcdn.net/801...91b58d388/tumblr_inline_mslu2htvkm1qz4rgp.png

- https://gs1.wac.edgecastcdn.net/801...cd666a70e/tumblr_inline_mslu3jsH031qz4rgp.png

- https://gs1.wac.edgecastcdn.net/801...c88d3077d/tumblr_inline_mslu4ypOP01qz4rgp.png
___

Fake HSBC SPAM / Original Copy (Edited).zip
- http://blog.dynamoo.com/2013/09/hsbc-spam-original-copy-editedzip.html
4 Sep 2013 - "This fake HSBC spam links to a malicious ZIP file:
Date: Wed, 4 Sep 2013 01:45:17 -0700 [04:45:17 EDT]
From: HSBC Wire Advising service [wireservice@ hsbc .com .hk]
Reply-To: hsbcadviceref@ mail .com
Subject: HSBC Payment Advice Ref: [H6789000] / ACH Credits / Customer Ref: [PO780090] (Edited)
Dear Sir/Madam,
The attached payment advice is issued at the request of our customer. The advice is for your reference only.
Kindly Accept Our apology On the copy we sent earlier.
1 attachments (total 586 KB)
View slide show (1)
Download all as zip
Yours faithfully,
Global Payments and Cash Management
HSBC ...


Screenshot: https://lh3.ggpht.com/-Oj2DePefzfQ/UidKx0UPuHI/AAAAAAAAB4A/kpV1gytxjg8/s1600/hsbc.png

The link in the email goes to a file sharing site at [donotclick]ge .tt/api/1/files/1AFpS3r/0/blob?download and then downloads a file Original Copy (Edited).zip which contains a malicious executable Original Copy (Edited).scr (actually a renamed .EXE file, not a screensaver). The VirusTotal detection rate is 14/16*. The malware uses various techniques to prevent being analysed in a sandbox, but the ThreatExpert report** shows some network activity including a suspect connection to ftp.advice .yzi .me (185.28.21.26, Hostinger International US) which might be worth blocking."
* https://www.virustotal.com/en-gb/fi...2956faa6e15d92afff36c09b/analysis/1378306613/

** http://www.threatexpert.com/report.aspx?md5=e7a3e70ca76f5445e898215a282488de

- https://www.virustotal.com/en/ip-address/185.28.21.26/information/
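
The redirect chain dynamoo describes in the Facebook and PayPal runs above (a shortener, then a hacked site's /<word>/index.html, then one of three /<word>/<word>.js scripts, then /topic/able_disturb_planning.php on a hijacked GoDaddy domain) and the Gandi US blocklist suggest one practical check: refang the posted indicators and run them, together with the chain's path shapes, over web-proxy logs. The script below is an added example written for this page, not code from dynamoo, ThreatTrack or the forum poster. The "epoch client url" log format, the 60-second correlation window, the sample traffic and the regex shapes for the redirector and script steps are my assumptions; only the landing-page path is specific enough to alert on by itself.

```python
"""Added example: refang the defanged indicators quoted above, then scan
proxy-log lines for the ThreeScripts chain and for the Gandi US ranges.
Not code from dynamoo, ThreatTrack or the forum; the log format is assumed."""
import ipaddress
import re
from urllib.parse import urlparse

# Indicators copied from the posts above in the defanged forms used there
# (" .com", "[donotclick]", "hxxp ://", "(DOT)", and the stray " ,com").
DEFANGED_IOCS = [
    "173.246.104.184",
    "192.81.134.241",
    "london-leather .com",
    "londonleatheronline .com",
    "watchfp .net",
    "tuviking .com",
    "ftp.casacalderoni .com",
    "[donotclick]mineralmizer.webpublishpro ,com/peps/dortmund.js",
    "hxxp ://upgrade.sendori .com/upgrade/2_0_16/sendori-win-upgrader.exe",
    "ftp(DOT)willetthofmann .com/logistically/index.html",
]

# The three /24s the Gandi post says hosted 5, 8 and 9 malware servers in a
# year.  Matching whole ranges accepts collateral hits on legitimate neighbours.
SUSPECT_RANGES = [ipaddress.ip_network(c) for c in
                  ("173.246.102.0/24", "173.246.103.0/24", "173.246.104.0/24")]

# Path shapes of the chain described in the posts.  Only the landing page
# path is specific; the other two are weak and only matter in sequence.
LANDING_RE = re.compile(r"/topic/able_disturb_planning\.php$")
REDIRECTOR_RE = re.compile(r"^/[a-z]+/index\.html$")   # hacked site, random word
SCRIPT_RE = re.compile(r"^/[a-z]+/[a-z]+\.js$")         # one of the three scripts


def refang(ioc):
    """Normalise one defanged indicator to a bare lower-case host name or IP."""
    s = ioc.strip()
    s = re.sub(r"^\[donotclick\]", "", s)
    s = re.sub(r"^h(?:xx|tt)ps?\s*://", "", s, flags=re.I)
    s = re.sub(r"\((?:dot)\)", ".", s, flags=re.I)
    s = re.sub(r"\s*[.,]\s*", ".", s)        # "sendori .com" / "pro ,com" -> ".com"
    return s.split("/", 1)[0].strip().lower()


def stage_of(url):
    """'landing', 'redirector' or 'script' if the path resembles that chain step, else None."""
    path = urlparse(url).path
    if LANDING_RE.search(path):
        return "landing"
    if REDIRECTOR_RE.match(path):
        return "redirector"
    if SCRIPT_RE.match(path):
        return "script"
    return None


def scan_log(log_text, iocs=DEFANGED_IOCS, ranges=SUSPECT_RANGES, window=60):
    """Scan 'epoch client_ip url' lines (an assumed format).  Returns a list of
    (client, url, severity, reasons).  IOC hits, landing-page hits and suspect
    ranges are 'high'; a redirector followed by a script from the same client
    within `window` seconds is only 'medium', since both shapes also occur in
    legitimate traffic."""
    bad_hosts = {refang(i) for i in iocs}
    history = {}                              # client -> [(ts, stage)]
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, url = line.split()
        ts = int(ts)
        host = (urlparse(url).hostname or "").lower()
        high, medium = [], []
        if host in bad_hosts:
            high.append("blocklisted host " + host)
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            ip = None
        if ip is not None:
            high.extend("in suspect range %s" % net for net in ranges if ip in net)
        stage = stage_of(url)
        hist = history.setdefault(client, [])
        if stage == "landing":
            high.append("ThreeScripts landing path")
        elif stage == "script" and any(s == "redirector" and ts - t <= window
                                       for t, s in hist):
            medium.append("redirector then script within %ds" % window)
        if stage:
            hist.append((ts, stage))
        if high or medium:
            alerts.append((client, url, "high" if high else "medium", high + medium))
    return alerts


# Constructed sample traffic reusing hosts from the posts; not real log data.
SAMPLE_LOG = """\
1378300000 10.0.0.5 http://jdem.cz/5xxb8
1378300002 10.0.0.5 http://93.93.189.108/exhortation/index.html
1378300003 10.0.0.5 http://tuviking.com/trillionth/began.js
1378300004 10.0.0.5 http://london-leather.com/topic/able_disturb_planning.php
1378300010 10.0.0.7 http://www.example.org/news/2013/index.html
1378300011 10.0.0.7 http://cdn.example.org/assets/app.min.js
1378300020 10.0.0.9 http://173.246.104.55/images/logo.png
"""

if __name__ == "__main__":
    for client, url, severity, reasons in scan_log(SAMPLE_LOG):
        print(client, severity, url, "; ".join(reasons))
```

Run as a script it prints three alerts for the sample: the tuviking .com script fetch (blocklisted host, plus a redirector-shaped page seen from the same client a second earlier), the london-leather .com landing page, and an image fetched from 173.246.104.55, which is on no list here but sits in the /24 the Gandi post flags. Swap SAMPLE_LOG for real proxy output and extend DEFANGED_IOCS from the other blocklists in this thread; the two weak shape rules stay "medium" so they do not page anyone on their own.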

More fake Facebook SPAM ...

FYI...

More Fake Facebook SPAM / kapcotool .com
- http://blog.dynamoo.com/2013/09/facebook-spam-kapcotoolcom.html
5 Sep 2013 - "This fake Facebook spam leads to malware on kapcotool.com:
From: Facebook [no-reply@ facebook .com]
Date: 5 September 2013 15:21
Subject: Michele Murdock wants to be friends with you on Facebook.
facebook
Michele Murdock wants to be friends with you on Facebook.
University of Houston, Victoria
342 friends - 28 photos
Confirm Request ...


The -link- in the email uses an obscure URL shortening service to go first to [donotclick]fenixa .com/97855 and then to [donotclick]magic-crystal .ch/normalized/index.html, and at this point it attempts to load the following three scripts:
[donotclick]00398d0.netsolhost .com/mcguire/forgiveness.js
[donotclick]202.212.131.8 /ruses/nonsmokers.js
[donotclick]japanesevehicles .us/vector/internees.js
The final step is a malware landing page at [donotclick]kapcotool .com/topic/able_disturb_planning.php which is a hijacked GoDaddy domain hosted on 74.207.227.154 (Linode, US) along with some other hijacked domains...
Recommended blocklist:
74.207.227.154
jgburgerlounge .ca
jngburgerjoint .ca
jngburgerjoint .com
johnmejalli .com
justcreature .com
justmonster .com
kalcodistributors .com
kapcotool .com
00398d0.netsolhost .com
japanesevehicles .us
202.212.131.8
"

- https://www.virustotal.com/en/ip-address/74.207.227.154/information/
___

NACHA SPAM / nacha-ach-processor .com
- http://blog.dynamoo.com/2013/09/nacha-spam-nacha-ach-processorcom.html
5 Sep 2013 - "This fake NACHA spam... leads to malware on nacha-ach-processor .com:
From: The Electronic Payments Association - NACHA [leansz35@ inbound .nacha .com]
Date: 5 September 2013 17:55
Subject: Rejected ACH transfer
The ACH transaction (ID: 985284643257), yesterday sent from your account (by one of your account members), was cancelled by the recipient's bank.
Cancelled transaction
ACH ID: 985284643257
Rejection Reason See additional info in the statement below
Transaction Detailed Report View Report 985284643257
About NACHA
NACHA occupies a unique role in the association world, serving as both an industry trade association and administrator of Automated Clearing House (ACH) Network. As the industry trade association that oversees the ACH Network, NACHA provides services in three key functional areas:
The NACHA Operating Rules provide the legal foundation for the exchange of ACH payments and ensure that the ACH Network remains efficient, reliable, and secure for the benefit of all participants. In its role as Network administrator, NACHA manages the rulemaking process and ensures that proposed ACH applications are consistent with the Guiding Principles of the ACH Network. The rulemaking process provides a disciplined, well-defined methodology to propose and develop and propose rules amendments to the NACHA voting membership, the decision makers for the NACHA Operating Rules.
NACHA develops and implements a comprehensive, end-to-end risk management framework that includes network entry requirements, ongoing requirements, enforcement, and ACH Operator tools and services. Collectively, the strategy addresses risk and quality in the ACH Network by minimizing unauthorized entries and customer services costs to all Network participants.
14560 Sunny Valley Drive, Suite 204
Herndon, VA 20171
© 2013 NACHA - The Electronic Payments Association


The link in the email goes through a legitimate -hacked- site and then attempts to direct visitors to [donotclick]www.nacha-ach-processor .com/news/ach-report.php (report here**) which is hosted on the following IPs:
66.230.163.86 (Goykhman And Sons LLC, US)
95.111.32.249 (Megalan / Sofia Mobiltel EAD, Bulgaria)
194.42.83.60 (Interoute Hosting, UK)
The IPs in use identify it as belonging to what I call the Amerika gang*. There are several other malicious domains on these same IPs, and they form part of this larger group of dangerous IPs and domains*.
Recommended blocklist:
66.230.163.86
95.111.32.249
194.42.83.60
..."
(More listed at the dynamoo URL above.)

* http://blog.dynamoo.com/search/label/Amerika

** http://urlquery.net/report.php?id=4976262
___

Citizens Bank Issue File Processed Spam
- http://threattrack.tumblr.com/post/60376948329/citizens-bank-issue-file-processed-spam
Sep 5, 2013 - "Subjects Seen:
Issue File <random> Processed
Typical e-mail details:
Regarding Issue File <random> -
Total Issue Items # 36 Total Issue Amount $38,043.98
This will confirm that your issue file has been processed. Please verify the information in attached report; if you find there are discrepancies in what you believe your totals should be and what we have reported, please contact the Reconciliation Department at 1-888-333-2909 Option # 3 between the hours of 8:00am and 4:00pm ET not later than 24 hours after you receive this notice.


Malicious File Name and MD5:
issue_report_<random>.zip (1189CEBD553088A94EC3BC2ECB89D34B)
issue_report_<date>.exe (6C66CAE230E0772B75A327AE925F648A)

Screenshot: https://gs1.wac.edgecastcdn.net/801...a290953d5/tumblr_inline_mso1f929LQ1qz4rgp.png
___

Websense - Java/Flash research - Dangerous Update Gap...
- http://community.websense.com/blogs...sh-research-shows-a-dangerous-update-gap.aspx
5 Sep 2013 - "... Nearly 50 percent of -enterprise- traffic used a Java version that was more than two years out of date... Nearly 40 percent of users are not running the most up-to-date versions of Flash... nearly 25 percent of Flash installations are more than six months old, close to 20 percent are outdated by a year and nearly 11 percent are two years old..."

Something evil on 37.59.164.209 (OVH)

FYI...

Something evil on 37.59.164.209 (OVH)
- http://blog.dynamoo.com/2013/09/something-evil-on-3759164209-ovh.html
6 Sep 2013 - "37.59.164.209 is a server operated by OVH in France. It has many malicious domains hosted on it, indeed almost everything on it is flagged by Google as being malicious (highlighted in the list below). Blocking access to that IP address is the simplest approach as the malicious sites do seem to be in some flux..."
(Long list of URLs at the dynamoo URL above.)

- https://www.virustotal.com/en/ip-address/37.59.164.209/information/
___

CNN Breaking News SPAM: “The United States began bombing!”
- http://threattrack.tumblr.com/post/60455017144/cnn-breaking-news-spam-the-united-states-began
Sep 6, 2013 - "Subjects Seen:
CNN: “The United States began bombing”
Typical e-mail details:
(CNN) — Pentagon officials said that the United States launched the first strikes against Syria. It was dropped about 15 bomn on stalitsu syria Damascus. Full story »
Rescuing Hannah Anderson
*Sushmita Banerjee was kidnapped and killed in Afghanistan, police say
*No one has claimed responsibility for her death, but police suspect militants
*Banerjee wrote “A Kabuliwala’s Bengali Wife” about her escape from the Taliban


Malicious URLs
nevisconservatories .co .uk/soupy/index.html
axsysfinancial .biz/mingle/index.html
holatorino .it/favor/index.html
luggagepoint .de/topic/able_disturb_planning.php


Screenshot: https://gs1.wac.edgecastcdn.net/801...02891c543/tumblr_inline_mspnesVMT61qz4rgp.png

- http://blog.dynamoo.com/2013/09/cnn-united-states-began-bombing-spam.html
6 Sep 2013 - "This fake CNN spam leads to malware on luggagepreview .com:
Date: Fri, 6 Sep 2013 11:30:57 -0600 [13:30:57 EDT]
From: CNN [BreakingNews@ mail .cnn .com]
Subject: CNN: "The United States began bombing"
The United States began bombing!
By Casey Wian, CNN
updated 9:01 AM EDT, Wed August 14, 2013 ...


Screenshot: https://lh3.ggpht.com/-BbuqrJRRbjc/UioW1yo_RwI/AAAAAAAAB50/04oyPrWRzGc/s1600/cnn-bombing.png

The link in the email is meant to go to [donotclick]senior-tek .com/tenth/index.html but the "Full story" link has a typo in it and goes to senior-tekcom/tenth/index.html (without the dot) instead, which obviously fails. This site then tries to load these three scripts:
[donotclick]crediamo .it/disburse/ringmaster.js
[donotclick]stages2saturn .com/scrub/reproof.js
[donotclick]www.rundherum .at/rabbiting/irritate.js
From there the visitor is sent to a malicious payload at [donotclick]luggagepreview .com/topic/able_disturb_planning.php which is a hacked GoDaddy domain hosted on 174.140.171.207 (DirectSpace LLC, US) along with several other hijacked domains...
Recommended blocklist:
174.140.171.207 ..."

- https://www.virustotal.com/en/ip-address/174.140.171.207/information/

- http://www.symantec.com/connect/fr/blogs/chemical-attack-syria-used-enticement-targeted-attack
6 Sept 2013
___

"Scanned Document Attached" SPAM / FSEMC.06092013.exe
- http://blog.dynamoo.com/2013/09/scanned-document-attached-spam.html
6 Sep 2013 - "This fake financial spam contains an encrypted attachment with a malicious file in it.
Date: Fri, 6 Sep 2013 15:19:37 +0000 [11:19:37 EDT]
From: Fiserv [Lawanda_Underwood@ fiserv .com]
Subject: FW: Scanned Document Attached
Dear Business Associate:
Protecting the privacy and security of client, company, and employee
information is one of our highest priorities. That is why Fiserv has
introduced the Fiserv Secure E-mail Message Center - a protected e-mail
environment designed to keep sensitive and confidential information
safe. In this new environment, Fiserv will be able to send e-mail
messages that you retrieve on a secured encrypted file.
You have an important message from Adam_Paul@ fiserv .com
To see your message, use the following password to decrypt attached file: JkSIbsJPPai
If this is your first time receiving a secure file from the
Fiserv Secure E-mail Message Center, you will be prompted to set up a
user name and password.
This message will be available until Saturday Sep 07, 2013 at 17:50:42
EDT4
If you have any questions, please contact your Fiserv representative...


Attached is an encrypted ZIP file which contains part of the victim's email address (or somebody else in the same domain) that has to be decrypted with the password JkSIbsJPPai. This in turn contains a malicious executable FSEMC.06092013.exe (note the date is encoded into the filename). The VirusTotal detection rate for this malware is only 6/47*. The malware then phones home to a site ce-cloud.com:443 hosted on 84.22.177.37 (ioMart, UK) and then uploads some data... What happens next is unclear, but you can guarantee that it is nothing good. Blocking access to ce-cloud .com or 84.22.177.37 may provide some protection. Blocking EXE-in-ZIP files is an even more effective approach if you can do it."
* https://www.virustotal.com/en/file/...0e476c8b2c4a79e5f228eb30/analysis/1378501983/
___

More new Facebook SPAM / www .facebook.com.achrezervations .com
- http://blog.dynamoo.com/2013/09/facebook-spam-wwwfacebookcomachrezervat.html
6 Sep 2013 - "This fake Facebook spam leads to malware on www .facebook.com.achrezervations .com:
Date: Fri, 6 Sep 2013 08:07:14 -0500 [09:07:14 EDT]
From: Facebook [notification+puppies9@ mail .facebookmail .net]
Reply-To: noreply [noreply@ postmaster .facebookmail .org]
Subject: Cole Butler confirmed your Facebook friend request
facebook
Cole Butler has confirmed that you're friends on Facebook.
You may know some of Cole's Friends
Daren Douglas
1 mutual friends
Add Friend
Gertrude Souza
14 mutual friends
Add Friend
Brice Kelly
3 mutual friends
Add Friend ...
This message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future, please unsubscribe...


Screenshot: https://lh3.ggpht.com/-vdq1WhJkOzY/Uinn23pxApI/AAAAAAAAB5k/mb7uFKXCU2I/s1600/facebook.png

The link in the email goes to a legitimate -hacked- site and then to an exploit kit on [donotclick]www.facebook.com.achrezervations .com/news/implement-circuit-false.php (report here*) hosted on the following servers:
66.230.163.86 (Goykhman And Sons LLC, US)
95.111.32.249 (Megalan / Sofia Mobiltel EAD, Bulgaria)
115.78.233.220 (Vietel Corporation, Vietnam)
194.42.83.60 (Interoute Hosting, UK)
The following IPs and domains are all malicious and belong to this gang**, I recommend you block them:
66.230.163.86
95.111.32.249
115.78.233.220
194.42.83.60
..."
(More URLs listed at the dynamoo URL above.)
* http://urlquery.net/report.php?id=4996887

** http://blog.dynamoo.com/search/label/Amerika
___

Threat Outbreak Alerts cover the latest data regarding malicious email-based and web-based threats, including spam, phishing, viruses, malware, and botnet activity.
- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Fake Account Payment Notification Email Messages - 2013 Sep 06
Fake Bank Payment Transfer Notification Email Messages - 2013 Sep 06
Fake Product Quote Email Messages - 2013 Sep 06
Fake Order Payment Confirmation Email Messages - 2013 Sep 05
Fake Airline Ticket Order Notification Email Messages - 2013 Sep 05
Email Messages with Malicious Link - 2013 Sep 05
Fake Photo Sharing Email Messages - 2013 Sep 05
Fake Money Transfer Notification Email Messages - 2013 Sep 05
Malicious Personal Pictures Attachment Email Messages - 2013 Sep 05
Fake Product Order Confirmation Email Messages - 2013 Sep 05
Fake Invoice Notification Email Messages - 2013 Sep 05
Fake Document Attachment Email Messages - 2013 Sep 05
Fake Shipping Notification Email Messages - 2013 Sep 05
Email Messages with Malicious Attachments - 2013 Sep 05
Fake Shipping Confirmation Email Messages - 2013 Sep 05
Fake Scanned Document Attachment Email Messages - 2013 Sep 05
Fake Product Purchase Request Email Messages - 2013 Sep 05
Fake Personal Picture Sharing Email Messages - 2013 Sep 05
Fake Product Order Email Messages - 2013 Sep 05
Fake Electronic Payment Cancellation Email Messages - 2013 Sep 05
(More detail and links available at the cisco URL above.)

Quotation.zip SPAM, Adware spread with Mevade variants ...

FYI...

Quotation.zip SPAM with malicious VBS script
- http://blog.dynamoo.com/2013/09/dealerbidcouk-quotationzip-spam-with.html
7 Sep 2013 - "The website dealerbid.co .uk has been compromised and their servers -hacked- in order to send spam to their customer list. Something similar has happened before a few months ago*. In this case the spam email was somewhat mangled, but I am assuming that the spammers know how to fix this. The spam email is as follows:
From: Christopher Rawson [christopher.r@ kema .com]
Date: 7 September 2013 14:04
Subject: Quotation
Hello,
We have prepared a quotation, please see attached
With Kind Regards,
Christopher Rawson,
DNV KEMA Energy & Sustainability ...


DNV KEMA is a real, legitimate company in the energy sector. But they did not send the spam; an examination of the headers shows that the sending IP is 213.171.204.75 which is the same IP as www .dealerbid .co .uk and mail.dealerbid .co .uk. The email is sent to an address ONLY used to register at dealerbid .co .uk. So, the upshot is that this domain is compromised and it is compromised right now. The email is meant to have an attachment called Quotation.zip but in my sample the email was mis-formatted and instead the Base 64 encoded ZIP file was in the main body text... Some copy-and-pasting and work with a Base 64 decoder ended up with a valid ZIP file, containing a somewhat obfuscated VBS script Quotation.vbs with a low VirusTotal detection rate of 4/46**... it attempts to download further components from klonkino.no-ip .org (port 1804) which is hosted on 146.185.24.207 (Hosting Services Inc, UK). I strongly recommend blocking no-ip .org domains in any case, but I certainly recommend the following blocklist:
klonkino.no-ip .org
146.185.24.207
... "

* http://blog.dynamoo.com/2013/03/dealerbidcouk-spam.html

** https://www.virustotal.com/en/file/...a9d8e83d63e2eb73d5230f02/analysis/1378571897/

- https://www.virustotal.com/en/ip-address/146.185.24.207/information/
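Added example (Python, written for this thread, not code from either Dynamoo post): a gateway-side check for the EXE-in-ZIP pattern that the Fiserv post suggests blocking, covering the two delivery tricks seen above: a password-protected ZIP attachment, whose member names remain readable without the password, and the mangled dealerbid.co.uk mail where the ZIP sat Base64-encoded in the body. The file names FSEMC.06092013.exe and Quotation.vbs come from the posts; the messages and archives themselves are constructed.

```python
"""Added example (not code from the Dynamoo posts): a gateway-side EXE-in-ZIP
check for mail, covering a password-protected ZIP attachment and a ZIP that was
Base64-encoded into the body. ZIP encryption hides member contents, not names.
Every message, file name and byte string below is constructed for the example."""
import base64, binascii, io, re, struct, zipfile
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default

# Member extensions treated as executable content (.exe droppers, .vbs scripts).
EXEC_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js")


def build_zip(member, content, encrypted=False):
    """Hand-build a minimal stored single-member ZIP (zipfile cannot write
    encrypted archives). encrypted=True sets flag bit 0 and prepends the 12-byte
    header a password-protected member carries; the member name stays in clear."""
    name, flags = member.encode(), (0x0001 if encrypted else 0)
    body = (b"\x00" * 12 + content) if encrypted else content
    crc, date = binascii.crc32(content), (1 << 5) | 1      # DOS date 1980-01-01
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, 0, date,
                        crc, len(body), len(content), len(name), 0) + name + body
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, 0, 0,
                          date, crc, len(body), len(content), len(name),
                          0, 0, 0, 0, 0, 0) + name
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central),
                       len(local), 0)
    return local + central + eocd


def zip_executables(data):
    """List executable members of a ZIP; reading the central directory needs
    no password. A damaged archive is reported rather than silently passed."""
    found = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.filename.lower().endswith(EXEC_EXTENSIONS):
                    found.append({"member": info.filename,
                                  "encrypted": bool(info.flag_bits & 0x1)})
    except zipfile.BadZipFile:
        found.append({"member": "<unreadable archive>", "encrypted": None})
    return found


def base64_zip_blobs(text):
    """Recover ZIPs Base64-encoded into a text body: the local header
    'PK\\x03\\x04' encodes to 'UEsDB', so look for Base64-only line runs."""
    blobs, current = [], []
    for line in text.splitlines():
        line = line.strip()
        is_b64 = re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", line) is not None
        if current and not is_b64:                 # blob ended on a text line
            blobs.append("".join(current))
            current = []
        if is_b64 and (current or line.startswith("UEsDB")):
            current.append(line)
            if line.endswith("="):                 # padding closes the blob
                blobs.append("".join(current))
                current = []
    if current:
        blobs.append("".join(current))
    decoded = []
    for blob in blobs:
        try:
            decoded.append(base64.b64decode(blob, validate=True))
        except ValueError:                         # binascii.Error is a ValueError
            pass
    return decoded


def scan_message(raw):
    """EXE-in-ZIP findings for an RFC 822 message: ZIP attachments plus
    Base64 ZIP blobs sitting in a text part."""
    findings = []
    for part in message_from_bytes(raw, policy=default).walk():
        if part.get_content_maintype() == "multipart":
            continue
        payload = part.get_payload(decode=True) or b""
        if payload.startswith(b"PK\x03\x04"):
            src = part.get_filename() or part.get_content_type()
            findings += [dict(source=src, **f) for f in zip_executables(payload)]
        elif part.get_content_maintype() == "text":
            for blob in base64_zip_blobs(part.get_content()):
                findings += [dict(source="body", **f) for f in zip_executables(blob)]
    return findings


def sample_encrypted_attachment():
    """Constructed message in the shape of the Fiserv sample."""
    msg = EmailMessage()
    msg["Subject"] = "FW: Scanned Document Attached"
    msg.set_content("Use the password in this message to decrypt the attached file.")
    msg.add_attachment(build_zip("FSEMC.06092013.exe", b"MZ fake", encrypted=True),
                       maintype="application", subtype="zip", filename="secure.zip")
    return msg.as_bytes()


def sample_base64_body():
    """Constructed message in the shape of the mangled dealerbid.co.uk sample."""
    blob = base64.encodebytes(build_zip("Quotation.vbs", b"WScript.Echo 1")).decode()
    msg = EmailMessage()
    msg["Subject"] = "Quotation"
    msg.set_content("Hello,\nWe have prepared a quotation, please see attached\n\n"
                    + blob + "\nWith Kind Regards")
    return msg.as_bytes()
```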
___

Adware spread with Mevade variants ...
- http://blog.trendmicro.com/trendlab...ce/us-taiwan-most-affected-by-mevade-malware/
Sep 6, 2013 - "... rise in the number of Tor users... directly attributed to the Mevade malware... The first batch of Mevade samples (detected as BKDR_MEVADE.A) we gathered was downloaded by a malicious file named FlashPlayerUpdateService.exe (detected as TROJ_DLOADE.FBV). (The legitimate Flash updater uses the same file name.) The two files can be differentiated by examining the file properties. The legitimate version is signed, while the malicious version is not. In addition, the version numbers are different... The backdoor communicates to its C&C server via HTTP to receive commands, which include updating a copy of itself and connecting to a specific location using SSH to secure its communication... The IP addresses that host these C&C servers are located in Russia. Looking into the feedback data provided by the Smart Protection Network, TROJ_DLOADE.FBV was found in multiple countries, with Japan and the United States being the most affected... In addition to the Mevade malware itself, we saw that ADW_BPROTECT had also been downloaded onto affected systems. This is expected for Mevade, as we noted earlier that it is linked to cybercriminals responsible for the distribution of adware. This downloading of adware is consistent with our findings that the Mevade botnet is possibly monetized via installing -adware- and -toolbars- ... Newer versions of Mevade (BKDR_MEVADE.B and BKDR_MEVADE.C) no longer use SSH; instead they use the Tor network to hide their network traffic. This can help cover their activity online, but otherwise the behavior and propagation is identical... How the malware arrives into the system, however, is still under investigation. We will update the blog should we find more information about the infection vector. Still, users must observe best computing practice and -avoid- visiting and downloading files from unverified websites or links from email, social media etc..."

Malware sites to block 9.9.13 ...

FYI...

Malware sites to block 9/9/13
- http://blog.dynamoo.com/2013/09/malware-sites-to-block-9913.html
9 Sep 2013 - "These domains and IPs are associated with this gang*, this list supersedes (or complements) the one I made last week**..."
(Long list at the dynamoo URL above.)
* http://blog.dynamoo.com/search/label/Amerika

** http://blog.dynamoo.com/2013/09/malware-sites-to-block-2913.html
___

Malware sites to block 9/9/13, part II
- http://blog.dynamoo.com/2013/09/malware-sites-to-block-9913-part-ii.html
9 Sep 2013 - "Another set of IPs and domains related to this attack* detailed by Sophos, and overlapping slightly with the malicious servers documented here**. I've just listed the main domains, but the attack itself uses thousands of subdomains (e.g. zwgaf72d4erv7g.www5.tohk5ja .cc) to do evil things.
46.20.36.9 (Syslayer.com, Germany)
74.63.229.252 (Limestone Networks / 123systems Solutions, US)
77.81.244.226 (Elvsoft SRL, Netherlands)
173.243.118.198 (Continuum Data Centers, US)
198.52.243.229 (Centarra Networks, US)
199.188.206.183 (Namecheap Inc, US)
206.72.192.31 (Interserver Inc, US)
213.156.91.110 (Ukrainian Special Systems Network, Ukraine)
Blocklist:
..."
(Long list at the dynamoo URL above.)
* https://secure2.sophos.com/en-us/th...pyware/Troj~Agent-ADKW/detailed-analysis.aspx

** http://blog.dynamoo.com/2013/09/malware-sites-to-block-9913.html
___

Threat Outbreak Alerts
- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Fake Shipping Notification Email Messages - 2013 Sep 09
Fake Processed Payment Notification Email Messages - 2013 Sep 09
Fake Account Payment Notification Email Messages - 2013 Sep 09
Fake Important Documents Notification Email Messages - 2013 Sep 09
Fake Anti-Phishing Email Messages - 2013 Sep 09
Fake Product Order Email Messages - 2013 Sep 09
Fake Real Estate Inquiry Email Messages - 2013 Sep 09
Fake Bank Payment Transfer Notification Email Messages - 2013 Sep 09
Fake Shipping Confirmation Email Messages - 2013 Sep 09
Fake Bank Transfer Notice Email Message - 2013 Sep 09
Fake Invoice Statement Attachment Email Messages - 2013 Sep 09
Fake Product Order Quotation Email Messages - 2013 Sep 09
Fake Business Complaint Notification Email Messages - 2013 Sep 09
Fake Product Purchase Order Email Messages - 2013 Sep 09
Fake Product Order Request Email Messages - 2013 Sep 09
Fake Letter of Intent Attachment Email Messages - 2013 Sep 09
Fake Product List Attachment Email Messages - 2013 Sep 09
Fake Account Deposit Notification Email Messages - 2013 Sep 09
Malicious Personal Pictures Attachment Email Messages - 2013 Sep 09
Fake Purchase Order Request Email Messages - 2013 Sep 09
(More detail and links at the cisco URL above.)

Fake FISC ACH, BBB SPAM...

FYI...

Fake FISC ACH SPAM / fiscdp.com.airfare-ticketscheap .com
- http://blog.dynamoo.com/2013/09/ach-file-id-999107-has-been-processed.html
10 Sep 2013 - "This fake FISC ACH spam leads to malware on www .fiscdp .com.airfare-ticketscheap .com:
Date: Tue, 10 Sep 2013 17:05:49 +0530 [07:35:49 EDT]
From: Financial Institution Service [improvehv89@ m.fiscdp .gov]
Subject: ACH file ID "999.107" has been processed successfully
Files FISC Processing Service
SUCCESS Notification
We have successfully handled ACH file 'ACH2013-09-09-62.txt' (id '999.107') submitted by user '[redacted]' on '2013-09-09 12:06:67.7'.
FILE SUMMARY:
Item count: 9
Total debits: $13,365.83
Total credits: $13,365.83 ...


Screenshot: https://lh3.ggpht.com/-Iz3whiN6ueg/Ui8p3ZBdj8I/AAAAAAAAB6U/vbU8dZM88fM/s400/fisc.png

The link in the email goes to a legitimate -hacked- site and then on to a malware landing page at [donotclick]www.fiscdp .com.airfare-ticketscheap .com/news/opens_heads_earlier.php (reports here* and here**) hosted on:
66.230.163.86 (Goykhman And Sons LLC, US)
95.87.1.19 (Trakia Kabel OOD, Bulgaria)
174.142.186.89 (iWeb Technologies)
The WHOIS details for airfare-ticketscheap .com are -fake- and the domain was registered just yesterday... The IPs in use indicate that this campaign forms part of the Amerika spam run. Several other malicious sites are on the same server, and I would recommend that you block the following in conjunction with this list:
66.230.163.86
95.87.1.19
174.142.186.89
..."
(More URLs listed at the dynamoo URL above.)
* http://urlquery.net/report.php?id=5071327

** http://wepawet.iseclab.org/view.php?hash=475d28a937b23a953b975e1f28ecf035&t=1378821965&type=js

- https://www.virustotal.com/en/ip-address/174.142.186.89/information/
___

Fake BBB SPAM / Case_0938818_2818.exe
- http://blog.dynamoo.com/2013/09/bbb-spam-case09388182818exe.html
10 Sep 2013 - "This fake BBB spam has a malicious attachment:
Date: Tue, 10 Sep 2013 15:07:14 +0100 [10:07:14 EDT]
From: Better Business Bureau [Aldo_Austin@ newyork .bbb .org]
Subject: FW: Case IN11A44X2WCP44M
The Better Business Bureau has received the above-referenced complaint from one of your
customers regarding their dealings with you. The details of the consumer's concern are
included on the reverse. Please review this matter and advise us of your position.
As a neutral third party, the Better Business Bureau can help to resolve the matter.
Often complaints are a result of misunderstandings a company wants to know about and
correct.
In the interest of time and good customer relations, please provide the BBB with written
verification of your position in this matter by September 13, 2013. Your prompt response
will allow BBB to be of service to you and your customer in reaching a mutually agreeable
resolution. Please inform us if you have contacted your customer directly and already
resolved this matter.
The Better Business Bureau develops and maintains Reliability Reports on companies across
the United States and Canada . This information is available to the public and is
frequently used by potential customers. Your cooperation in responding to this complaint
becomes a permanent part of your file with the Better Business Bureau. Failure to
promptly give attention to this matter may be reflected in the report we give to
consumers about your company.
We encourage you to print this complaint (attached file - Case_IN11A44X2WCP44M), answer
the questions and respond to us.
We look forward to your prompt attention to this matter.
Sincerely,
Aldo_Austin
Council of Better Business Bureaus
3033 Wilson Blvd, Suite 600
Arlington, VA 22201


Attached to the message is a ZIP file Case_IN11A44X2WCP44M.zip which in turn contains an executable Case_0938818_2818.exe which has a shockingly low detection rate of just 1/46* at VirusTotal. Automated analysis of the malware is inconclusive... but it does generate outbound traffic to kwaggle .com port 443 on 64.50.166.122 (Lunar Pages, US). The domain thisisyourwife .co .uk on the same server is also hosting malware, I would therefore be suspicious about some of the other sites on the same box.
Recommended blocklist:
64.50.166.122
kwaggle .com
thisisyourwife .co .uk
"
* https://www.virustotal.com/en-gb/fi...3b42bc12c9d2e9d4e5d1046c/analysis/1378823569/

- https://www.virustotal.com/en/ip-address/64.50.166.122/information/

Threats - Online Bullying ...

FYI...

Threats - Online Bullying ...
- http://www.threattracksecurity.com/it-blog/ask-fm-threats-go-beyond-online-bullying/
Sep 11, 2013 - "Three weeks ago... co-founders of social networking site Ask.fm, released a statement regarding some changes on the site’s safety policy in an effort to curb the dramatic increase of cyberbullying occurrences within its platform. Ask.fm boasts at least 57 million registered users, the majority of which are teens and tweens. The site’s anonymity feature has sadly become the means for some users to deliberately target and verbally assault others. The proposed changes are no quick fix, nor are they remedies to the deeper problems of what motivates one to bully someone online. However, I believe that it’s a good first step to achieve the objective. Giving users the option to opt out of accepting and entertaining anonymous questions and/or comments could be a big blow to trolls. Some victims of online bullying in Ask.fm have taken it upon themselves to resolve the matter of anonymity by attempting to unmask who these people are. How? They look for tools online... that will lead to trouble... We have come across a number of sites hosting files that -pretend- to unmask Ask.fm users. Upon closer inspection, however, they’re malicious in nature at worst. These files can range from simple malware droppers to Bitcoin miners to PUPs bearing a gamified marketing tactic or something more dubious.
> http://www.threattracksecurity.com/.../2013/08/06A8F73D66FA9256970848DFA6ABA7AD.jpg
Sadly, such files like the above are easy to find. Users who find themselves installing -any- of these files on their computer will discover that they got something more than what they bargained for..."
___

Fake USPS SPAM / Label_FOHWXR30ZZ0LNB1.zip
- http://blog.dynamoo.com/2013/09/usps-spam-labelfohwxr30zz0lnb1zip.html
11 Sep 2013 - "This fake USPS spam has a malicious attachment:
Date: Wed, 11 Sep 2013 11:19:05 -0500 [12:19:05 EDT]
From: USPS Express Services [service-notification @usps .com]
Subject: USPS - Missed package delivery
Priority: High Priority 1 (High)
Notification
Our company's courier couldn't make the delivery of package.
REASON: Postal code contains an error.
LOCATION OF YOUR PARCEL: New York
DELIVERY STATUS: Sort Order
SERVICE: One-day Shipping
NUMBER OF YOUR PARCEL: UGLFOHWXR30ZZ0LNB1
FEATURES: No
Label is enclosed to the letter.
Print a label and show it at your post office.
An additional information:
You can find the information about the procedure and conditions of parcels keeping in the nearest office.
Thank you for using our services.
USPS Global...


There is an attachment Label_FOHWXR30ZZ0LNB1.zip which in turn contains an executable Label_368_09112013_JDSL.exe which has a very low detection rate at VirusTotal of just 2/47*... attempted connection to a -hijacked- GoDaddy domain drippingstrawberry .com hosted on 64.50.166.122 (LunarPages, US) with quite a lot of other hijacked domains. Blocking or monitoring traffic to this IP could stop the infection, URLquery shows** some of the things going on with this server.
Recommended blocklist:
64.50.166.122 ..."
(More URLs listed at the dynamoo URL above.)
* https://www.virustotal.com/en/file/...0bead54086f47ce687a5e70a/analysis/1378926663/

** http://urlquery.net/search.php?q=64.50.166.122&type=string&start=2013-08-27&end=2013-09-11&max=50

- https://www.virustotal.com/en/ip-address/64.50.166.122/information/
___

Xerox WorkCentre Pro SPAM
- http://threattrack.tumblr.com/post/60947146663/xerox-workcentre-pro-spam
Sep 11, 2013 - "Subjects Seen:
Scanned Image from a Xerox WorkCentre
Typical e-mail details:
Please open the attached document. It was scanned and sent to you using a Xerox WorkCentre Pro.
Sent by: <e-mail domain>
Number of Images: 3
Attachment File Type: ZIP [PDF]
WorkCentre Pro Location: Machine location not set
Device Name:
Attached file is scanned image in PDF format.


Malicious File Name and MD5:
Scan_<random>.zip (1BE34606E5B1D54C5E394982A3DD8965)
scanned_doc_<date>.exe (2E318671CEC024166586943AD04520C1)

Screenshot: https://gs1.wac.edgecastcdn.net/801...dcb569734/tumblr_inline_msz3pw9f951qz4rgp.png
___

Fake AVG Android Apps ...
- http://blogs.avg.com/mobile-2/examples-fake-avg-android-apps/
Sep 9, 2013 - "Our mobile security research team has found at least 33 applications that contain aggressive advertising components in the official Google Play store. The developers of these applications choose to imitate well-known companies like Google, Microsoft, Twitter, AVG among others. Here’s an example of some applications found in Google Play:
> http://blogs.avg.com/wp-content/uploads/2013/09/Image-11.png
... Below you can see another example of a -fake- AVG anti-virus app that can be found in Google Play:
> http://blogs.avg.com/wp-content/uploads/2013/09/Image-6.png
Remember, if you want to pay for a PRO version of an app, you absolutely must make sure that it is the legitimate version of the app you’re looking for... When you install one of these fake applications, it requests the user to change configurations related to the search options:
> http://blogs.avg.com/wp-content/uploads/2013/09/Image-31.png
After the user accepts the conditions, commercials for adult services are shown:
> http://blogs.avg.com/wp-content/uploads/2013/09/Image-4.png
Later, the app itself offers none of the functionality advertised (such as antivirus protection). This is a new advertising vector that takes advantage of people who might not be familiar with official company accounts... when you look for AVG’s Android solutions on Google Play you might find apps that are -not- released by AVG (the official developer is AVG Mobile) but from opportunistic scammers..."

- http://www.fireeye.com/blog/technical/2013/09/android-malware.html
Sep 10, 2013 - "... Before the advent of advanced malware, we used to see a bunch of fake AV on the windows platform... the same thing will happen in the case of Android malware, where eventually we will start seeing more serious and advanced techniques being employed in mobility. To protect yourself from malicious Android applications, please follow these simple steps:
1. Disable the “Allow installation of apps from Unknown Sources” setting.
2. Always install apps from trusted app markets."

Fake QuickBooks, AV, inTuit SPAM emails...

FYI...

Fake QuickBooks SPAM / Invoice_20130912.zip
- http://blog.dynamoo.com/2013/09/quickbooks-spam-invoice20130912zip.html
12 Sep 2013 - "This fake QuickBooks spam has a malicious attachment:
Date: Thu, 12 Sep 2013 20:29:17 +0200 [14:29:17 EDT]
From: QuickBooks Invoice [auto-invoice@ quickbooks .com]
Subject: Important - Payment Overdue
Please find attached your invoices for the past months. Remit the payment by 09/16/2013 as outlines under our "Payment Terms" agreement.
Thank you for your business,
Sincerely,
Quentin Sprague ...


The attachment is Invoice_20130912.zip which in turn contains a malicious executable Invoice_20130912.exe (note the date is encoded into the filename). The detection rate at VirusTotal is just 3/46*... the file attempts to communicate with the domain leightongriffiths .com on an apparently compromised server at 64.50.166.122 which has been seen before. Given that there are now several domains serving malware on the same server**... it is probably safe to assume that all the domains on that server are malicious and should be blocked.
Recommended blocklist:
64.50.166.122 ..."
* https://www.virustotal.com/en/file/...12abc716ad52285e28f75234/analysis/1379012535/

** https://www.virustotal.com/en/ip-address/64.50.166.122/information/
___

Fake Online Message - Mint Internet Banking
- http://security.intuit.com/alert.php?a=86
9/12/13 - "People are receiving fake emails with the title 'Online Message from Mint Internet Banking' ...
> http://security.intuit.com/images/mint.jpg
... This is the end of the fake email.
Steps to Take Now
Do not open the attachment in the email...
Delete the email..."
___

Fake AV and PRISM warning on hijacked website
- http://research.zscaler.com/2013/09/fake-av-and-prism-warning-on-hijacked.html
Sep 9, 2013 - "While many individuals are concerned about privacy in light of PRISM, some malicious actors are using the program to scare naive users into installing ransomware. Since August 23rd, we have seen about 20 domains that carry FakeAV and Ransomware. These websites seem to have been hijacked. They are all hosting the malicious content over port 972 and use similar URL patterns. Here are a couple examples:
kringpad.websiteanddomainauctions .com:972/lesser-assess_away-van.txt?e=20
miesurheilijaaantidiabetic.conferencesiq .com:972/realism_relinquish-umbrella-gasp.txt?e=21
squamipi.worldcupbasketball .net:972/duty_therefore.txt?e=21
The malicious files seem to be changing. It started with the classic FakeAV, then switched to a fake PRISM warning. In both cases, the goal is to scare the target into paying the attacker to "fix" their computer... FakeAV remains a popular technique to lure targets into paying attackers...
- FakeAV scan of the computer
> https://lh3.ggpht.com/-XH8fcTYMAPQ/Uio9HCB6IfI/AAAAAAAAsyI/batvgm9HvrA/s1600/fakeav-2103-1.jpeg
- FakeAV claims to have found threats
> https://lh3.ggpht.com/-4jJX3X52nRw/Uio9QYzv6JI/AAAAAAAAsyQ/_7SEkFXS0gw/s1600/fakeav-2013-2.jpeg
The scan claims to have found 18 threats. Two have been cured, but the victim must -pay- to get the remaining 16 threats taken care of...
PRISM warning... The attacker uses the recent news about PRISM to claim that the victim's computer has been blocked because it accessed illegal pornographic content. The victim has to pay $300 through MoneyPak, a prepaid card service...
- No less than 5 federal agencies are "blocking" your computer!
> https://lh3.ggpht.com/-_QJ4pSmyYqw/UipBeh9bnLI/AAAAAAAAsyo/oiQcSHvEc3o/s320/prism-1.jpeg
- Victim needs to pay up $300 to get his computer back.
> https://lh3.ggpht.com/-C4h73XCNJLM/UipB1WzBmZI/AAAAAAAAsyw/ZnFGY7A9BUs/s1600/prism-2.jpeg
Both malware connect to the same couple of IP addresses over ports 80 and 443 that include:
37.139.53.199
64.120.167.162
64.191.122.10

I expect attackers to take advantages of the upcoming UK laws on accessing adult content online to send new types of fake warnings to UK victims."

:fear: :mad::mad:

Fake Walls Fargo, eFax SPAM...

FYI...

Fake Walls Fargo SPAM- / WellsFargo - Important Documents.zip
- http://blog.dynamoo.com/2013/09/walls-fargo-spam-wellsfargo-important.html
16 Sep 2013 - "This fake Wells Fargo spam has a malicious attachment:
Date: Mon, 16 Sep 2013 09:26:51 -0500 [10:26:51 EDT]
From: Harrison_Walsh @ wellsfargo .com
Subject: IMPORTANT Documents - WellsFargo
Please review attached documents.
Harrison_Walsh
Wells Fargo Advisors
817-674-9414 office
817-593-0721 cell Harrison_Walsh @wellsfargo .com
Investments in securities and insurance products are:
NOT FDIC-INSURED/NO BANK-GUARANTEES/MAY LOSE VALUE
Wells Fargo Advisors, LLC is a nonbank affiliate of Wells Fargo & Company, Member
FINRA/SIPC. 1 North Jefferson, St. Louis, MO 63103 ...


Attached is a ZIP file called WellsFargo - Important Documents.zip which in turn contains a malicious executable WellsFargo - Important Documents.exe which has a very low VirusTotal rate of 2/47*. Automated analysis tools... detect network traffic to [donotclick]www .c3dsolutions .com hosted on 173.229.1.89 (5Nines LLC, US). At present I do not have any evidence of further malware sites on that server."
* https://www.virustotal.com/en/file/...a585689618dde3f4c6fcb101/analysis/1379342203/
___

ZeuS/ZBOT: Most Distributed malware by Spam in August
- http://blog.trendmicro.com/trendlab...t-most-distributed-malware-by-spam-in-august/
Sep 16, 2013 - "... resurgence of online banking malware, in particular the increase of ZeuS/ZBOT variants during the quarter. While ZeuS/ZBOT has been around for some time, its prevalence shows that it is still a big threat to end users today. For the month of August, 23% of spam with malicious attachments were found carrying ZeuS/ZBOT variants, while 19% served FAREIT variants. ZeuS/ZBOT variants also had the distinction of being the most distributed malware by IPs related to spam botnets. It is also associated with various worm families that can spread itself or other malware families via email. A system infected with ZeuS/ZBOT may be infected with about five other worm variants like WORM_MYDOOM, WORM_VB, and WORM_BAGLE...
Malware families spread by spam
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2013/09/Zeus-spam-percentage.jpg
... the majority of spam carrying either ZeuS/ZBOT or FAREIT looked more like legitimate messages, and were likely to supposedly come from well-known brands or companies.
> http://blog.trendmicro.com/trendlab...iles/2013/09/Spoofed-email-fareit-254x300.jpg
Once installed, Zeus/ZBOT variants are known to monitor users’ browsing behavior pertaining to visits to specific online banking sites. If users visit these sites and try to log in using their credentials, the malware injects additional fields for users to fill out and then steals this information. Cybercriminals can then use this stolen data to either initiate unauthorized transactions or sell it in the underground market. FAREIT is another data-stealing malware that gathers email and FTP login credentials. This malware can also download other malware variants, including Zeus/ZBOT..."
___

Fake eFax SPAM / rockims .com
- http://blog.dynamoo.com/2013/09/efax-spam-rockimscom.html
16 Sep 2013 - "This fake eFax spam leads to malware on rockims .com:
Date: Mon, 16 Sep 2013 22:43:06 +0400 [14:43:06 EDT]
From: eFax Corporate [message@ inbound .efax .com]
Subject: Corporate eFax message - 1 pages
Warning: This message may not be from whom it claims to be. Beware of following any links in it or of providing the sender with any personal information.
Fax Message [Caller-ID: 854-349-9584]
You have received a 1 pages fax at 2013-16-09 01:11:11 CST.
* The reference number for this fax is latf1_did11-1237910785-2497583013-24.
View this fax using your PDF reader.
Click here to view this message ...
Thank you for using the eFax service! ...


Screenshot: https://lh3.ggpht.com/-g0-MrOF8Xvw/UjdWvoTurOI/AAAAAAAAB84/BQAkE0cb-dM/s1600/efax.png

The link in the email goes through a legitimate hacked site and then runs one of the following three scripts:
[donotclick]die-web-familie.homepage.t-online .de/quasar/monte.js
[donotclick]dim-kalogeras-ka-lar.schools .ac .cy/initials/casanovas.js
[donotclick]ade-data .com/exuded/midyear.js
These then lead to a malware payload at [donotclick]rockims .com/topic/seconds-exist-foot.php which is a -hijacked- GoDaddy domain hosted on 192.81.133.143 (Linode, US) along with quite a few other hijacked domains...
Recommended blocklist:
192.81.133.143 ..."
(More URLs listed at the dynamoo URL above.)

- https://www.virustotal.com/en/ip-address/192.81.133.143/information/

:mad::fear:

Amazon Gift Card phish, Fake ADP, FedEx, FDIC SPAM ...

FYI...

Amazon Gift Card -phish- ...
- http://www.threattracksecurity.com/...t-card-phish-makes-use-of-data-uri-technique/
Sep 17, 2013 - "Be wary of emails landing in mailboxes claiming to offer up “complimentary £50 gift cards” from Amazon. The mails, which claim to come from redeemATamazon(dot)co(dot)uk...
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/09/amazonfakemail1.jpg
The mails are nice and professional looking, and the only real giveaway is that hovering over the “Redeem gift card” button displays a Tinyurl link -instead- of the expected Amazon URL... Clicking the Tinyurl link takes end-users to a very nice looking set of pages designed to offer up the so-called gift card, then extract personal information including cc number and name / address / dob... Once end-users have selected their card design, they’re suddenly informed that “Our constant security review has shown us that your account has been inactive. Please confirm your updated card information below. Once your details have been confirmed with our system, we will then post your free gift card to you” …along with a message that their card has expired and a billing information update is required... The concept of using this in a phish attack has been around for a while, but it isn’t too often you come across them... Amazon themselves list a lot of scam types on their Security & Privacy page* so you may want to familiarise yourselves with those. As always, if it sounds too good to be true then it probably is..."
* http://www.amazon.co.uk/gp/help/cus...1?ie=UTF8&nodeId=492866&qid=1370954895&sr=1-1
___

Fake ADP SPAM / ADP_831290760091.zip
- http://blog.dynamoo.com/2013/09/adp-spam-adp831290760091zip.html
17 Sep 2013 - "This fake ADP spam has a malicious attachment:
Date: Tue, 17 Sep 2013 20:32:04 +0530 [11:02:04 EDT]
From: ADP ClientServices
Subject: ADP - Reference #831290760091
Priority: High Priority 1 (High)
We were unable to process your recent transaction. Please verify your details and try again.
If the problem persists, contact us to complete your order.
Transaction details are shown in the attached file.
Reference #831290760091
This e-mail has been sent from an automated system.
PLEASE DO NOT REPLY...


Attached to the email is a file called ADP_831290760091.zip which in turn contains ADP_Reference_09172013.exe which has a VirusTotal detection rate of 9/48*. Automated analysis [1] [2] [3] shows a connection attempt to awcoomer .com on 78.157.201.219 (UK Dedicated Servers Ltd, UK). I don't have any evidence of further infections on this server, it does host 30+ legitimate UK sites if that helps.."
* https://www.virustotal.com/en-gb/fi...647ccb72a022bd70bf2285ae/analysis/1379432239/

1) https://malwr.com/analysis/MDM2MmVmYThiMzAwNGE4OGIyOTlmZjEyODIzZjE5YTI/

2) http://camas.comodo.com/cgi-bin/sub...4f7da003a8c690550df12647ccb72a022bd70bf2285ae

3) http://anubis.iseclab.org/?action=result&task_id=118929c3bd33d5cf4558fb39a8199c677&format=html
___

FedEx spam FAIL
- http://blog.dynamoo.com/2013/09/fedex-spam-fail.html
17 Sep 2013 - "This fake FedEx spam is presumably -meant- to have a malicious payload:
Date: Tue, 17 Sep 2013 13:02:25 +0000 [09:02:25 EDT]
From: webteam@ virginmedia .com
Subject: Your Rewards Order Has Shipped
Headers: Show All Headers
This is to confirm that one or more items in your order has been shipped. Note that multiple items in an order may be shipped separately.
You can review complete details of your order on the Order History page
Thanks for choosing FedEx.
Order Confirmation Number: 0410493
Order Date: 09/15/2013
Redemption Item Quantity Tracking Number
Paper, Document 16 <
fedex.com Follow FedEx:
You may receive separate e-mails with tracking information for reward ordered...


Screenshot: https://lh3.ggpht.com/--53hJkHQbuU/Ujh2GyxXzbI/AAAAAAAAB9Q/8HFvlXVNoHM/s1600/fedex.png

Presumably there is meant to be a malicious link or attachment, but there isn't. However, the bad guys will probably use the same template again with a WORKING payload, so please take care."
___

FDIC Spam
- http://threattrack.tumblr.com/post/61500209698/fdic-spam
Sep 17, 2013 - "Subjects Seen:
FDIC: About your business account
FDIC: Your business account

Typical e-mail details:
Dear Business Customer,
We have important information about your bank.
Please View to view detailed information.
This includes information on the acquiring bank (if applicable), how your accounts and loans are affected, and how vendors can file claims against the receivership


Malicious URLs
data.texosn .ru/insurance.problem.html
no-mice .ru/insurance.problem.html
fdic.gov.horse-mails .net/news/fdic-insurance.php


Screenshot: https://gs1.wac.edgecastcdn.net/801...919e3a939/tumblr_inline_mt9y7xPKjB1r6pupn.png

- http://blog.dynamoo.com/2013/09/fdic-spam-horse-mailsnet.html
17 Sep 2013 - "This fake FDIC spam leads to malware on www .fdic.gov.horse-mails .net:
Date: Tue, 17 Sep 2013 15:28:52 +0330 [07:58:52 EDT]
From: insurance.coverage@ fdic .gov
Subject: FDIC: About your business account
Dear Business Customer,
We have important news regarding your financial institution.
Please View to see further details.
This includes information on the acquiring bank (if applicable), how your accounts and loans are affected, and how vendors can file claims against the receivership
FDÌC Questions for FDÌC?
Contact Us...
Federal Insurance Company · 3501 Fairfax Drive · Arlington VA 22225 ...


Screenshot: https://lh3.ggpht.com/-YGld7C9xZtw/Ujh69VMQLsI/AAAAAAAAB9g/15BqbI3D7QM/s1600/fdic.png

The link goes through a legitimate -hacked- site and onto a malware landing page at [donotclick]www.fdic.gov.horse-mails .net/news/fdic-insurance.php which belongs to the Amerika gang and is hosted on the following IPs...:
37.221.163.174 (Voxility S.R.L., Romania)
95.111.32.249 (Megalan / Mobiltel EAD, Bulgaria)
109.71.136.140 (OpWan SARL, France)
174.142.186.89 (iWeb Technologies, Canada)
216.218.208.55 (Hurricane Electric, US) ...
new feature (pictured below)
> https://lh3.ggpht.com/-IXC9yHDKq48/Ujh85gQNIRI/AAAAAAAAB9s/nryohN6ihzQ/s1600/os-detection.png
Recommended blocklist...:
37.221.163.174
95.111.32.249
109.71.136.140
174.142.186.89
216.218.208.55
..."

:fear: :mad:

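The dynamoo and Webroot write-ups quoted in this thread publish their indicators "defanged" (a space before the TLD as in "rockims .com", a "[donotclick]" prefix, "hxxp ://"), and the "Recommended blocklist" sections then have to be keyed into a firewall or proxy by hand. The script below is an added example, not code from dynamoo, ThreatTrack, Webroot or this forum: it re-fangs such text, pulls out the public IPv4 addresses and hostnames, emits a blocklist, and checks log lines against it. SAMPLE_REPORT is a constructed excerpt in that style, built only from hosts and addresses already listed above; the function names are the example's own.

```python
"""Turn the defanged indicators in a threat write-up into a usable blocklist.

Added example for this thread, not code from dynamoo, ThreatTrack or Webroot.
It undoes the three defanging styles the quoted posts use (a space before the
TLD as in "rockims .com", a "[donotclick]" prefix, and "hxxp ://") and then
pulls out public IPv4 addresses and hostnames.
"""
import ipaddress
import re

# Constructed excerpt in the style of the write-ups quoted above; the hosts and
# addresses are ones the thread already lists.
SAMPLE_REPORT = """\
The link goes through a legitimate hacked site and then runs one of:
[donotclick]die-web-familie.homepage.t-online .de/quasar/monte.js
[donotclick]ade-data .com/exuded/midyear.js
These lead to a payload at [donotclick]rockims .com/topic/seconds-exist-foot.php
which is hosted on 192.81.133.143 (Linode, US).
Sample redirection chain: hxxp ://stranniki-music .ru/insurance.problem.html (62.173.142.30)
-> hxxp ://www.fdic .gov.horse-mails .net/news/fdic-insurance.php (37.221.163.174; 95.111.32.249)
The attachment Invoice_20130912.zip calls home to leightongriffiths .com.
Recommended blocklist:
192.81.133.143
"""

_SPACED_TLD = re.compile(r"(?<=[A-Za-z0-9-])\s+\.(?=[A-Za-z]{2,})")
_HXXP = re.compile(r"\bhxxp(s?)\s*://", re.IGNORECASE)
_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_HOST = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}$")
# Final labels that are file extensions rather than TLDs in this kind of text.
_NOT_TLD = {"zip", "exe", "scr", "apk", "js", "php", "html", "htm", "txt",
            "pdf", "png", "jpg", "jpeg", "gif", "tif", "doc"}
_PUNCT = "()[]<>,;:'\"."


def refang(text):
    """Undo the cosmetic breaking so URLs and hosts tokenise normally."""
    text = text.replace("[donotclick]", "")
    text = _HXXP.sub(lambda m: "http" + m.group(1) + "://", text)
    return _SPACED_TLD.sub(".", text)


def _host_of(token):
    """Return the hostname inside a whitespace-delimited token, or None."""
    token = token.strip(_PUNCT)
    if "://" in token:
        token = token.split("://", 1)[1]
    host = token.split("/", 1)[0]
    if _HOST.match(host) and host.rsplit(".", 1)[1] not in _NOT_TLD:
        return host
    return None


def extract_indicators(text):
    """Return (ips, hosts) sets found in a refanged copy of the text."""
    clean = refang(text)
    ips = set()
    for candidate in _IPV4.findall(clean):
        try:
            addr = ipaddress.IPv4Address(candidate)
        except ValueError:       # e.g. an octet above 255
            continue
        if addr.is_global:       # drop RFC1918 and other non-routable noise
            ips.add(str(addr))
    hosts = {h for h in (_host_of(t) for t in clean.split()) if h}
    return ips, hosts


def to_blocklist(ips, hosts):
    """One indicator per line, addresses first in numeric order."""
    return sorted(ips, key=ipaddress.IPv4Address) + sorted(hosts)


def indicator_in_line(line, ips, hosts):
    """True if a (proxy/DNS) log line touches a blocked IP, host or subdomain."""
    if any(ip in ips for ip in _IPV4.findall(line)):
        return True
    for token in line.split():
        host = _host_of(token)
        if host and any(host == h or host.endswith("." + h) for h in hosts):
            return True
    return False


if __name__ == "__main__":
    ips, hosts = extract_indicators(SAMPLE_REPORT)
    print("\n".join(to_blocklist(ips, hosts)))
    # Constructed proxy log lines to check against the list.
    for line in ("GET http://www.rockims.com/topic/x.php 200",
                 "GET http://www.example.org/ 200"):
        print(indicator_in_line(line, ips, hosts), line)
```

Two design choices worth noting: only globally routable addresses are kept, so a stray "10.0.0.5" in the prose never lands in a firewall rule, and host matching treats subdomains of a listed domain as hits, which is what you want for the "www." and per-campaign subdomains these gangs rotate through. The extension set in _NOT_TLD is a heuristic for this kind of prose, not a TLD validator.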
Ajax Oracle Quotation Spam, 219.235.1.127, Beta Bot malware, Java 6 exploit ...

FYI...

Ajax Oracle Quotation Spam
- http://threattrack.tumblr.com/post/61803135323/ajax-oracle-quotation-spam
Sep 20, 2013 - "Subjects Seen:
my subject
Typical e-mail details:
Dear Sir/Madam
I am the Purchase Manager of AJAX ORACLE TRADING COMPANY LTD.We are a
major trading company located in Ontario Canada.
We are interested in purchasing your products as exactly shown in the DATA
SHEET as attached in this mail. Please check and get back to us as soon as
possible with your last price, payment terms and delivery time.
Your response will be highly appreciated.
Sincerely Yours.
Danny Davies
Sales Department
Ajax Oracle Trading Co.Ltd


Malicious File Name and MD5:
Quotation.zip (85E02878328919ABE4BB01FDEBD90E6)
Quotation.scr (3B56864260399FBB0259F817749E959C)

Screenshot: https://gs1.wac.edgecastcdn.net/801...b390fc6a2/tumblr_inline_mtg9dazzKD1r6pupn.png
___

WhatsApp "3 New Voicemail(s)" spam and 219.235.1.127
- http://blog.dynamoo.com/2013/09/whatsapp-3-new-voicemails-spam-and.html
20 September 2013 - "I am indebted to Gary Warner for his analysis* of this malware... This malware is particularly cunning...
> https://lh3.ggpht.com/-b6Aj4avuPQc/Ujy7tgfwSwI/AAAAAAAAB-Q/Q1ADawDWL6s/s1600/whatsapp.png
... it is possible that clicking the link installs the malware without asking on certain devices. The VirusTotal score for this .apk is a pretty healthy 21/48**, but who runs anti-virus software on their Android?... the application certainly seems to send traffic to 219.235.1.127 (Shanghai QianWan Network, China) which is probably a darned good candidate for blocking (if you can). This IP has been spotted with PC-based fake AV programs before... Although mobile malware is getting more common, this is the first time that I have seen an attack like this. All smartphone and tablet users need to be aware of the very real risks of malware on their devices and should take the appropriate steps to keep themselves safe."
(More detail at the dynamoo URL above.)
* http://garwarner.blogspot.com/2013/09/fake-av-malware-hits-android.html

** https://www.virustotal.com/en/file/...196e614ec9f72ba6bbb85535/analysis/1379711360/
___

Shylock Financial Malware Back and Targeting Two Dozen Major Banks
- https://atlas.arbor.net/briefs/index#-1822006250
Elevated Severity
September 20, 2013 21:24
The Shylock banking trojan malware, also known as Caphaw, is active and targeting at least twenty-four banking institutions.
Analysis: Shylock has "man in the browser" capabilities whereby it takes over the user's system during banking transactions to commit fraud. As the fraud comes from the authorized user from the authorized system, the deviceprint is no longer a useful indicator of malicious activity. Shylock is increasing in popularity and is now aimed at more targets. Previously, it had a smaller number of regional targets.
Source: http://threatpost.com/shylock-financial-malware-back-and-targeting-two-dozen-major-banks/102343
"... researchers provided the list of 24 banks being targeted..."
___

Beta Bot malware blocks users A/V ...
- http://www.ic3.gov/media/2013/130918.aspx
Sep 18, 2013 - "The FBI is aware of a new type of malware known as Beta Bot. Cyber criminals use Beta Bot to target financial institutions, e-commerce sites, online payment platforms, and social networking sites to steal sensitive data such as log-in credentials and financial information. Beta Bot blocks computer users’ access to security websites and disables anti-virus programs, leaving computers vulnerable to compromise. Beta Bot infection vectors include an illegitimate but official looking Microsoft Windows message box named “User Account Control” that requests a user’s permission to allow the “Windows Command Processor” to modify the user’s computer settings. If the user complies with the request, the hackers are able to exfiltrate data from the computer. Beta Bot is also spread via USB thumb drives or online via Skype, where it -redirects- the user to compromised websites...
> https://www.ic3.gov/images/130918.png
Although Beta Bot masquerades as the “User Account Control” message box, it is also able to perform modifications to a user’s computer. If the above pop-up message or a similar prompt appears on your computer and you did not request it or are not making modifications to your system’s configuration, do not authorize “Windows Command Processor” to make any changes.
Remediation strategies for Beta Bot infection include running a full system scan with up-to-date anti-virus software on the infected computer. If Beta Bot blocks access to security sites, download the latest anti-virus updates or a whole new anti-virus program onto an uninfected computer, save it to a USB drive and load and run it on the infected computer. It is advisable to subsequently re-format the USB drive to remove any traces of the malware."
- https://atlas.arbor.net/briefs/index#64584071
Title: FBI Warning Users About Beta Bot Malware
Published: Fri, 20 Sep 2013 21:24:05 +0000
The Beta Bot malware has caught the attention of the FBI, who have issued a warning bulletin.
___

Backdoor installed via Java 6 exploit...
- http://blog.trendmicro.com/trendlab...w-backdoor-family-installed-via-java-exploit/
Sep 20, 2013 - "... this backdoor is installed using Java exploits; either drive-by downloads or compromised web sites may be used to deliver these exploits to user systems. This affects unsupported Java 6 users, meaning they’re at -extreme- risk since no patch will be available. Our research shows that the servers behind these attacks are mainly centered in Romania and Turkey. Currently, this threat is primarily hitting users in the United States; however it seems that consumers (as opposed to businesses) are the most affected... we found a Java exploit that was used to spread this attack. This particular exploit, detected as JAVA_EXPLOYT.HI, can be used to run arbitrary code. It exploits a vulnerability, CVE-2013-1493*, that has been exploited since February 2013. It was patched in March... The installer attempts to connect to three servers every 3 seconds, until it successfully downloads the backdoor component. If it fails, it will retry up to 32 times before it gives up... it provides instant feedback on the status of the install by accessing a URL on the malicious server, which actually serves as a status report..."
* https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1493 - 10.0 (HIGH)
Last revised: 08/22/2013

:mad: :fear:

Fake FDIC emails, FBI ransomware ...

FYI...

Fake FDIC emails serve client-side exploits and malware ...
- http://www.webroot.com/blog/2013/09...d-emails-server-client-side-exploits-malware/
Sep 23rd, 2013 - "Cybercriminals are mass mailing tens of thousands of malicious Federal Deposit Insurance Corporation (FDIC) themed emails, in an attempt to trick users into clicking on the client-side exploits serving and malware dropping URLs found in the bogus emails...
Sample screenshot of the spamvertised email:
> https://www.webroot.com/blog/wp-con...ious_Software_Exploits_Social_Engineering.png
Sample redirection chain: hxxp ://stranniki-music .ru/insurance.problem.html (62.173.142.30) -> hxxp ://www.fdic .gov.horse-mails .net/news/fdic-insurance.php (174.142.186.89; 216.218.208.55; 109.71.136.140; 37.221.163.174; 95.111.32.249) Email: comicmotors@ writeme .com ... MD5 for a sample served client-side exploit: MD5: 92897ad0aff69dee36dc22140bf3d8a9*. Sample MD5 for the dropped malware: MD5: 7b6332de90e25a5b26f7c75910a22e0c**. Once executed, the sample phones back to... C&C servers..."
(More detail at the webroot URL above.)
* https://www.virustotal.com/en/file/...4d79d0b83e9cb3fac272e5f7ecaad90519a/analysis/
Detection ratio: 28/48
** https://www.virustotal.com/en/file/...553b92d3515c2a810c2299f394c39d5f652/analysis/
Detection ratio: 9/48
___

FBI Ransomware forcing child porn on infected computers
- http://www.webroot.com/blog/2013/09...omware-forcing-child-porn-infected-computers/
Sep 23, 2013 - "... new, very malicious form of FBI Ransomware that forces the users of infected machines to look at illegal imagery, taking the scare tactics to the next level..."
Video 2:27: https://www.youtube.com/embed/FAoRSLvtkA4
___

LinkedIn Invitation Spam
- http://threattrack.tumblr.com/post/62068030698/linkedin-invitation-spam
Sep 23, 2013 - "Subjects Seen:
Invitation to connect on LinkedIn
Typical e-mail details:
<removed> wants to connect with you on LinkedIn.

Malicious URLs
67.215.196.13 /images/wp-gdt.php?x1MVGHILHO0IT6347
exitdaymonthyear .biz/closest/i9jfuhioejskveohnuojfir.php


Screenshot: https://gs1.wac.edgecastcdn.net/801...3fd9d26ab/tumblr_inline_mtl6hnaHBA1r6pupn.png

- https://www.virustotal.com/en/ip-address/67.215.196.13/information/

Tagged: Blackhole, Sirefef, LinkedIn

:mad: :fear:

Fake DivX plug-in leads to Malware ...

FYI...

Fake DivX plug-in leads to Malware ...
- http://www.threattracksecurity.com/it-blog/fake-divx-plug-leads-picture-popping-malware/
Sep 23, 2013 - "Fans of semi-humorous Internet videos be warned: there’s a batch of files doing the rounds which pretend to be image files acting as DivX plug-ins... Sites pushing the files will claim you have the wrong type of DivX Plugin installed, with a new one being required to view the content. The first port of call (now replaced by a page-full of Javascript which we’re taking a look at) is / was located at sjsinternational(dot)com/shirleen
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/09/fbdivx1.jpg
“DivX plug-in required!
You don’t have the plugin required to view the video
Save the video and run it locally”

A rogue file – which appears to have been compiled in Russia – will be offered up to the end-user, typically offering up filenames that suggest photographs of a lewd and / or salacious nature. The files come from a .ua URL... one of the oldest tricks in the book is being used here – all the files claim to be gifs, jpegs and tif files, when they are (of course) anything but. Elsewhere on the same domain, we have a page which claims “You need to download and execute the Facebook app to see it! It’s amazing!” with yet another file being offered up. This page is still active, and located at sjsinternational(dot)com/marguerite.html
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/09/fbdivx2.jpg
... various URLs serving up the Malware have been very busy... More often than not, “Run this file to see a picture” results in no pictures and lots of files (bad ones, at that). This one is at least a little bit unusual if only because the end-user receives a (not very impressive) “reward” at the end of the hoop jumping. However, that reward comes loaded with Malware and should be avoided at all costs, whether posing as image files, Facebook apps or anything else you care to mention."
___

Fake Wire Transfer SPAM / INTL_Wire_Report-09242013.zip
- http://blog.dynamoo.com/2013/09/international-wire-transfer-spam.html
24 Sep 2013 - "This fake wire transfer spam has a malicious attachment:
Date: Tue, 24 Sep 2013 10:54:32 -0700 [13:54:32 EDT]
From: Wells Fargo Event Messaging Admin [ofsrep.ceoemigw@ wellsfargo .com]
Subject: International Wire Transfer File Not Processed
We are unable to process your International Wire Transfer request due to insufficient funds in the identified account.
Review the information below and contact your Relationship Manager if you have questions, or make immediate arrangements to fund the account. If funds are not received by 09/24/2013 03:00 pm PT, the file may not be processed.
Please view the attached file for more details on this transaction.
Any email address changes specific to the Wire Transfer Service should be directed to Treasury Management Client Services at 1-800-AT-WELLS (1-800-289-3557).
Event Message ID: S203-8767457
Date/Time Stamp: Tue, 24 Sep 2013 10:54:32 -0700 ...


Attached is a ZIP file called INTL_Wire_Report-09242013.zip which in turn contains a malicious executable INTL_Wire_Report-09242013.exe (note the date is encoded into the filename). The VirusTotal results show a so-so detection rate of 9/48*... network traffic to ta3online .org on 108.168.164.202 (Softlayer, US) which is some sort of compromised legitimate site. Blocking EXE-in-ZIP files at your network perimeter is absolutely the best way of avoiding malware attacks like this."
* https://www.virustotal.com/en/file/...c15f841e51d9369b85e285a1/analysis/1380058931/
___

Threat Outbreak Alerts
- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Fake Wire Transfer Failure Notification Email Messages - 2013 Sep 24
Fake Payment Information Email Messages - 2013 Sep 24
Fake Unpaid Debt Invoice Email Messages - 2013 Sep 24
Email Messages with Malicious Attachments - 2013 Sep 24
Email Messages with Malicious Attachments - 2013 Sep 24
Fake Shipping Order Information Email Messages - 2013 Sep 24
Fake Picture Delivery Email Messages - 2013 Sep 24
Fake Account Payment Notification Email Messages - 2013 Sep 24
Fake Fax Document Delivery Email Messages - 2013 Sep 24
Fake Media File Sharing Email Messages - 2013 Sep 24
Fake Bank Payment Information Email Messages - 2013 Sep 24
Fake Package Delivery Failure Notification Email Messages - 2013 Sep 24
Malicious Personal Pictures Attachment Email Messages - 2013 Sep 24
(More detail and links at the cisco URL above.)

:mad: :fear::fear:

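Several of the attachments in this thread (Invoice_20130912.zip, ADP_831290760091.zip, INTL_Wire_Report-09242013.zip, WellsFargo - Important Documents.zip) are the same trick: a ZIP wrapped around an .exe, which is why the dynamoo post above recommends blocking EXE-in-ZIP at the perimeter. The script below is an added example, not code from dynamoo or from this forum, of what that gateway check should look at: it opens a ZIP attachment and flags members by executable extension, by the "MZ" header of a Windows PE file (so a PE renamed to .pdf is still caught), by nested archives, and by encrypted members that cannot be inspected. The two archives are constructed in memory so the check runs offline; the member names and function names are the example's own.

```python
"""Screen ZIP attachments for executables, whatever the member is named.

Added example for the perimeter advice quoted above ("Blocking EXE-in-ZIP files
at your network perimeter"); not code from the dynamoo blog. A mail gateway
would feed it each ZIP attachment's bytes; here the archives are built in
memory so the check runs offline.
"""
import io
import zipfile

# Extensions Windows runs on double-click (a starting set, not a complete one).
EXEC_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs",
                   "vbe", "wsf", "hta", "jar", "msi", "cpl", "lnk"}
ARCHIVE_EXTENSIONS = {"zip", "rar", "7z", "cab", "arj"}
PE_MAGIC = b"MZ"  # DOS stub header every Windows PE file starts with


def classify_member(name, head, encrypted):
    """Reasons to distrust one archive member; an empty list means nothing found."""
    reasons = []
    ext = name.rsplit(".", 1)[1].lower() if "." in name else ""
    if ext in EXEC_EXTENSIONS:
        reasons.append("executable extension ." + ext)
    if head.startswith(PE_MAGIC):            # catches "invoice.pdf" that is really a PE
        reasons.append("PE (MZ) header")
    if ext in ARCHIVE_EXTENSIONS:            # nested archive: cannot be cleared here
        reasons.append("nested archive")
    if encrypted:                            # cannot be inspected at all
        reasons.append("encrypted member, content not inspectable")
    return reasons


def screen_zip(data):
    """Map member name -> reasons for every suspicious member of a ZIP blob."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            encrypted = bool(info.flag_bits & 0x1)   # general-purpose bit 0
            head = b""
            if not encrypted:
                with zf.open(info) as fh:     # read only the magic, never the whole file
                    head = fh.read(len(PE_MAGIC))
            reasons = classify_member(info.filename, head, encrypted)
            if reasons:
                findings[info.filename] = reasons
    return findings


def should_block(data):
    """Gateway decision: any finding at all means the attachment is held."""
    try:
        return bool(screen_zip(data))
    except zipfile.BadZipFile:
        return True                          # malformed archives are held too


def build_zip(members):
    """Constructed test archive from a {name: bytes} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: one shaped like the wire-transfer spam above (plus a PE
# hiding behind a .pdf name), one harmless.
SAMPLE_MALICIOUS = build_zip({
    "INTL_Wire_Report-09242013.exe": PE_MAGIC + b"\x90" * 64,
    "invoice.pdf": PE_MAGIC + b"\x00" * 64,
    "README.txt": b"Please see the attached report.\n",
})
SAMPLE_CLEAN = build_zip({
    "report.pdf": b"%PDF-1.4\n%constructed placeholder\n",
    "README.txt": b"Nothing to see here.\n",
})

if __name__ == "__main__":
    for label, blob in (("malicious", SAMPLE_MALICIOUS), ("clean", SAMPLE_CLEAN)):
        print(label, "-> block" if should_block(blob) else "-> allow", screen_zip(blob))
```

The extension list is deliberately a denylist of things Windows will run, not an allowlist of "safe" types, and the magic-byte check is what makes the rule hold up against the double-extension and renamed-binary variants; encrypted and nested archives are held because a gateway that cannot look inside cannot clear them.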
Fake Intuit, AICPA SPAM ...

FYI...

Fake Intuit SPAM / Invoice_3056472.zip
- http://blog.dynamoo.com/2013/09/intuit-spam-invoice3056472zip.html
25 Sep 2013 - "It's an email from a company I have no dealings with, with a ZIP file that contains an EXE file! What could possibly go wrong? Oh..
Date: Wed, 25 Sep 2013 09:37:48 -0600 [11:37:48 EDT]
From: Lewis Muller [Lewis.Muller @ intuit .com]
Subject: FW: Invoice 3056472
Your invoice is attached.
Sincerely,
Lewis Muller
This e-mail has been sent from an automated system. PLEASE DO NOT REPLY...


The attachment is Invoice_3056472.zip which in turn contains a malicious file Invoice_092513.exe which has a pretty low VirusTotal detection rate of just 4/48*... the usual sort of badness, including a call home to gidleybuilders .com on 78.157.201.219 (UK Dedicated Servers Ltd, UK) which we also saw being used in an attack last week**. Two compromised domains in a week seems a bit more than a coincidence... legitimate domains are also on that same server..."
* https://www.virustotal.com/en/file/...134c18dff3b6f487eef88607/analysis/1380130529/

** http://blog.dynamoo.com/2013/09/adp-spam-adp831290760091zip.html
___

Fake Phish - FW: Invoice 8428502
- http://security.intuit.com/alert.php?a=87
9/25/2013 - "Here is a copy of the phishing email people are receiving. Be sure -not- to click any links in the email.

Please be advised that that the attachment (Invoice_092513.exe) received with this email was removed in accordance with the Assante Virus policy. If you are aware of the contents of this attachment and you require it for business reasons please contact the IT Helpdesk (its@assante.com OR 888 955 8886). Please contact the sender if you are unsure of the contents or purpose for the attachment.
Your invoice is attached.
Sincerely,
Cliff Jeffers


This is the end of the -fake- email..."
___

Fake AICPA SPAM / children-bicycle .net
- http://blog.dynamoo.com/2013/09/aicpa-spam-children-bicyclenet.html
25 Sep 2013 - "This fake AICPA spam leads to malware on the domain children-bicycle .net:
From: Reggie Wilkins [blockp12@ clients.aicpa .net]
Date: 25 September 2013 15:03
Subject: Your accountant license can be cancelled.
You're receiving this email as a Certified Public Accountant and a member of AICPA.
Having trouble reading this email? View it in your browser.
AICPA logo
Cancellation of Accountant status due to tax return fraud allegations
Valued accountant officer,
We have received a complaint about your recent participation in tax return infringement for one of your employers. According to AICPA Bylaw Subsection 730 your Certified Public Accountant license can be withdrawn in case of the occurrence of filing of a false or fraudulent tax return for your client or employer.
Please familiarize yourself with the notification below and provide your feedback to it within 14 days. The failure to do so within this term will result in cancellation of your CPA license.
Complaint.pdf
The American Institute of Certified Public Accountants...


Screenshot: https://lh3.ggpht.com/-bGGHCaxMLis/UkL6RAFRnFI/AAAAAAAAB_c/04BZbMByhJ8/s1600/aicpa.png

... The link in the email goes to a legitimate -hacked- site and then on to a malware payload at [donotclick]www.aicpa.org.children-bicycle .net/news/aicpa-all.php (report here*).. but only if the visitor is running Windows (more of which in a moment). The domain children-bicycle .net is registered with fake WHOIS details and the pattern of the domain marks it out as belonging to the Amerika gang... The payload is hosted on the following IP addresses (all also listed here**):
24.111.103.183 (Midcontinent Media, US)
109.71.136.140 (OpWan, France)
184.82.233.29 (Network Operations Center, US)
As I mentioned, the code detects the visitor's OS and only sends the victim to the exploit kit if they are running Windows, others end up at the genuine aicpa .org website:
> https://lh3.ggpht.com/-9WjcD-F-6Hk/UkL9_bvLrVI/AAAAAAAAB_o/5D0WOTEyMMU/s1600/aicpa-code.png
Recommended blocklist:
24.111.103.183
109.71.136.140
184.82.233.29
..."
* http://urlquery.net/report.php?id=5941489

** http://blog.dynamoo.com/2013/09/malware-sites-to-block-2492013.html
___

6rf .net and something evil on 198.50.225.121, 85.25.108.10 and 178.33.208.211
- http://blog.dynamoo.com/2013/09/6rfnet-and-something-evil-on.html
25 Sep 2013 - "Here are a couple of IPs serving exploit kits.. the case in question is a legitimate site that loads code from 6rf .net and this in turn loads an exploit kit from [donotclick]yandex.ru.sgtfnregsnet.ru and [donotclick]l451l.witnessvacant .biz. The .biz domain in this case is hosted on 198.50.225.121 (OVH, Canada) along with subdomains... That IP hosts various exploit kits* and is suballocated to a Russian customer... Those domains are also associated with some other OVH IPs of 178.33.208.211 and 46.105.166.99 (OVH, France). In both those cases, the OVH range is delegated to another Russian customer... But that's not the only infection that 6rf .net is punting, as there is another malicious domain of [donotclick]yandex .ru.sgtfnregsnet .ru in use (report here**) hosted on 85.25.108.10 (Intergenia AG, Germany). There appears to be at least one other malicious domain on the same server (googlebot .ru ***) which is also serving up an exploit kit... It looks like other malware sites have been hosted on that IP in the past, so I would recommend blocking that too, giving this recommended blocklist:
46.105.166.99
85.25.108.10
178.33.208.211
198.50.225.121
6rf .net
..."
(More listed at the dynamoo URL above.)
* http://urlquery.net/search.php?q=198.50.225.121&type=string&start=2013-09-10&end=2013-09-25&max=50

** http://urlquery.net/report.php?id=5939386

*** http://urlquery.net/report.php?id=5924098

:mad: :fear: