SPAM frauds, fakes, and other MALWARE deliveries...

Fake resume, Company Reports SPAM ...

FYI...

Fake resume SPAM / Resume_LinkedIn.exe
- http://blog.dynamoo.com/2013/10/my-resume-spam-resumelinkedinexe.html
24 Oct 2013 - "This rather terse spam email message has a malicious attachment:
Date: Thu, 24 Oct 2013 15:45:37 +0200 [09:45:37 EDT]
From: Elijah Parr [Elijah.Parr@ linkedin .com]
Subject: My resume
Attached is my resume, let me know if its ok.
Thanks,
Elijah Parr
------------------------
Date: Thu, 24 Oct 2013 19:14:37 +0530 [09:44:37 EDT]
From: Greg Barnes [Greg.Barnes@ linkedin .com]
Subject: My resume
Attached is my resume, let me know if its ok.
Thanks,
Greg Barnes


The attachment is Resume_LinkedIn.zip which in turn contains a malicious executable Resume_LinkedIn.exe with an icon to make it look like a Word Document rather than an executable. VirusTotal is timing out at the moment, but earlier only one AV engine detected it (Norman). Automated analysis tools... show an attempted connection to homevisitor .co .uk on 64.50.166.122 (Lunarpages, US). This server was distributing malware last month too, so we must assume that it is compromised. Blocking that IP address would probably be a good idea as there are several other compromised domains on that same server [1]* [2]**."
* https://www.virustotal.com/en-gb/ip-address/64.50.166.122/information/

** http://urlquery.net/search.php?q=64.50.166.122&type=string&start=2013-10-09&end=2013-10-24&max=50

- http://threattrack.tumblr.com/post/64955364250/linkedin-resume-spam
Oct 24, 2013 - "Subjects Seen:
My resume
Typical e-mail details:
Attached is my resume, let me know if its ok.
Thanks,
Mike Whalen


Malicious File Name and MD5:
Resume_LinkedIn.zip (AF04ED38D97867F8E773B6AFC14ED9F0)
Resume_LinkedIn.exe
(62F4A3DFE059E9030E2450D608C82899)


Screenshot: https://gs1.wac.edgecastcdn.net/801...c1e3e3347/tumblr_inline_mv6facqrta1r6pupn.png
___

Fake Company Reports emails lead to malware ...
- http://www.webroot.com/blog/2013/10/24/fake-important-company-reports-themed-emails-lead-malware/
Oct 24, 2013 - "A currently ongoing malicious spam campaign is attempting to trick users into thinking that they’ve received a legitimate Excel ‘Company Reports’ themed file. In reality though, once socially engineered users execute the malicious attachment on their PCs, it automatically opens a backdoor allowing the cybercriminals behind the campaign to gain complete access to their host, potentially abusing it in a variety of fraudulent ways.
Sample screenshots of the spamvertised email:
> https://www.webroot.com/blog/wp-con...Social_Engineering_Botnet_Company_Reports.png
Detection rate for the spamvertised attachment: MD5: 5138b3b410a1da4cbc3fcc2d9c223584 * ... Trojan.Win32.Agent.aclil; TSPY_ZBOT.EH ... The sample then phones back to det0nator.com – 38.102.226.14 on port 443, as well as to... C&C servers (-many- listed at the webroot URL above)... MD5s are known to have phoned back to the same IP (38.102.226.14)... MD5s known to have phoned back to the same C&C servers over the last couple of days..."
* https://www.virustotal.com/en/file/...2d42363bc7e945633cdc2be9d0cd169360f/analysis/
File name: Company_Report_10222013.exe
Detection ratio: 28/44

- https://www.virustotal.com/en/ip-address/38.102.226.14/information/
___

Threat Outbreak Alerts
- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Fake Faxed Document Delivery Email Messages - 2013 Oct 24
Fake Payroll Report Email Messages - 2013 Oct 24
Email Messages with Malicious Attachments - 2013 Oct 24
Fake UPS Payment Document Attachment Email Messages - 2013 Oct 24
Fake Financial Account Statement Email Messages - 2013 Oct 24
Email Messages with Malicious Attachments - 2013 Oct 24
Fake Bank Payment Transfer Notification Email Messages - 2013 Oct 24
Fake Invoice Statement Attachment Email Messages - 2013 Oct 24
Fake Payroll Invoice Notification Email Messages - 2013 Oct 24
Fake Product Purchase Order Email Messages - 2013 Oct 24
Fake Payment Confirmation Notification Email Messages - 2013 Oct 24
Malicious Personal Pictures Attachment Email Messages - 2013 Oct 24
Fake Resume Delivery Email Messages - 2013 Oct 24
Email Messages with Malicious Attachments - 2013 Oct 24
Fake Product Quote Request Email Messages - 2013 Oct 24
Email Messages with Malicious Attachments - 2013 Oct 24
Fake Money Transfer Notification Email Messages - 2013 Oct 23
Fake Xerox Scanned Attachment Email Messages - 2013 Oct 23
(More detail and links at the cisco URL above.)

:mad: :fear:
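The lures in this post all follow the same pattern: a ZIP attachment whose single member is a Windows executable wearing a Word or PDF icon (Resume_LinkedIn.exe here; later posts show names like <random #s>.pdf.exe). The following is an added example, not code from the original post or from the quoted blogs, that inspects a zipped attachment at the mail gateway and flags members by executable extension, by double extension, and by the PE "MZ" header in the content regardless of the name. The archive it scans is constructed inline and contains no real malware; the extension lists are assumptions, not anything the posts publish.

```python
# Added example (not from the original post or the quoted blogs): inspect a
# zipped e-mail attachment for Windows executables hiding behind document-like
# names or icons, as in the Resume_LinkedIn.zip / Resume_LinkedIn.exe lure above.
from __future__ import annotations

import io
import zipfile

# Extensions Windows executes directly on double-click (assumed list, not from the post).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Extensions a lure borrows to look harmless; used to spot "x.pdf.exe" style names.
DOCUMENT_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".txt", ".jpg"}


def classify_entry(name: str, head: bytes) -> list[str]:
    """Return the reasons an archive member looks dangerous (empty list = nothing found)."""
    reasons = []
    base = name.lower().rsplit("/", 1)[-1]
    exts = ["." + p for p in base.split(".")[1:]]
    if exts and exts[-1] in EXECUTABLE_EXTS:
        reasons.append("executable extension %s" % exts[-1])
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS and exts[-1] in EXECUTABLE_EXTS:
        reasons.append("double extension %s%s" % (exts[-2], exts[-1]))
    # A PE file starts with the DOS header magic 'MZ' whatever its name or icon says.
    if head[:2] == b"MZ":
        reasons.append("PE header (MZ) in content")
    return reasons


def scan_zip(data: bytes) -> dict[str, list[str]]:
    """Map each suspicious member name to its reasons; benign members are omitted."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(64)  # only the first bytes are needed for the magic check
            reasons = classify_entry(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip() -> bytes:
    """Constructed test archive mimicking the lures above (stub bytes, not real malware)."""
    buf = io.BytesIO()
    fake_pe = b"MZ" + b"\x00" * 62
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Resume_LinkedIn.exe", fake_pe)     # icon trick: name alone is enough
        zf.writestr("83741293.pdf.exe", fake_pe)        # double extension
        zf.writestr("payroll.doc", fake_pe)             # PE renamed to a document: content check
        zf.writestr("README.txt", b"just text")         # benign
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in sorted(scan_zip(build_sample_zip()).items()):
        print(member, "->", "; ".join(why))
```

The content check is the one that matters at a gateway: the extension rules catch the cheap lures, but a renamed PE ("payroll.doc") is only caught by the MZ header, and a real deployment would follow that with a full parser rather than a two-byte magic.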
 
Survey Scams - Halloween freebies ...

FYI...

Survey Scams - Halloween freebies ...
- http://blog.trendmicro.com/trendlab...loween-freebies-lead-to-ghastly-survey-scams/
Oct 24, 2013 - "... scams we saw used free Halloween products as bait. Searching for the phrase “Halloween GET FREE” leads to a suspicious YouTube video:
Suspicious YouTube video
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2013/10/halloween-youtube1.jpg
The URL advertised on the video’s page leads users to a scam site that asks for your personal information, including your email address.
Survey site
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2013/10/halloween-youtube2.jpg
Survey scam
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2013/10/halloween-youtube3.jpg
Using similar keywords on Twitter yielded two suspicious accounts. Each account had a Halloween-themed Twitter handle, perhaps to entice users into checking out the accounts.
Two suspicious Twitter accounts
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2013/10/halloween-twitter11.jpg
Each account advertises free Halloween candy with a corresponding URL to get the said candy. The advertised website leads users to survey scams, rather than candy. Facebook also became home to a Halloween-themed survey scam. We spotted a Facebook page that advertises free Halloween candy, like the scam on Twitter. To get the candy, users are supposed to click a link on the page.
Website advertising free candy
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2013/10/halloween-facebook1.jpg
But much like the other scams, this simply leads to a survey site. It’s interesting to note that users are directed to the page used in the YouTube scam mentioned earlier. To further entice users, the site promises Apple products in exchange for finishing the survey.
Apple products as “reward” for completed surveys
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2013/10/halloween-facebook3.jpg
It might be tempting to get free stuff online, but users should always be cautious when encountering these types of promos or deals. Cybercriminals are willing to promise anything and everything just to get what they want. When encountering deals that are too good to be true, users should err on the side of caution and assume that they are..."
* http://blog.trendmicro.com/trendlabs-security-intelligence/tricks-and-threats-infographic/
"... Oct 29, 2011... filed under Bad Sites"
___

Fake Lloyds SPAM - Lloyds TSB msg...
- http://blog.dynamoo.com/2013/10/you-have-received-new-debit-lloyds-tsb.html
25 Oct 2013 - "This fake Lloyds TSB message has a malicious attachment:
Date: Fri, 25 Oct 2013 13:55:41 +0200 [07:55:41 EDT]
From: LloydsTSB [noreply@ lloydstsb .co .uk]
Subject: You have received a new debit
Priority: High Priority 1 (High)
This is an automatically generated email by the Lloyds TSB PLC LloydsLink online payments Service.
The details of the payment are attached...


Attached is a zip file in the format Report_recipientname.zip which in turn contains a malicious executable Report_10252013.exe (note the date is encoded into the filename). The file has an icon to make it look like a PDF file, but it isn't. The VirusTotal detection rate is a so-so 13/47*. Automated analysis... shows an attempted connection to www .baufie .com on 173.203.199.241 (Rackspace, US). Often these callbacks indicate a completely compromised server, so it may be possible that there are other sites being abused on the same box."
* https://www.virustotal.com/en-gb/fi...9493437343e27255ccd95ad4/analysis/1382702941/

- https://www.virustotal.com/en/ip-address/173.203.199.241/information/

:mad: :fear::fear:
 
Fake Mercedes-Benz winner SPAM ...

FYI...

Fake "You're a Mercedes-Benz winner!" SPAM
- http://blog.dynamoo.com/2013/10/you-are-mercedes-benz-winner-spam.html
27 Oct 2013 - "This is a slightly novel twist on an advanced fee fraud scam:
From: Mercedes-Benz [desk_notification@ yahoo .com]
Reply-To: bmlot20137@ live .com
Date: 27 October 2013 13:44
Subject: You are a Mercedes-Benz winner !!!
Dear Recipient,
You have received a loyalty reward from Mercedes-Benz, Answer the Below question correctly and stand a chance of winning our Promotional Award Grand prize of $4,000,000USD and a Brand New 2013 Mercedes-Benz GLK350 4Matic SUV Car. If you have never had a Mercedes-Benz Product, this is your chance to benefit from our company while if you have any of our products this is your opportunity of enjoying some of our benefits apart from the comfortability and efficiency of our products. Just answer the questions asked below and you could be a winner...
Our aims to support the abilities of the neediest groups to fulfill human dignity and social justice in cooperation with development partners in the world.
Kind Regards,
Mrs.Katherine Dooley
Mercedes-Benz,Online coordinator


The email was sent to a spamtrap address from 41.138.182.219 which is in Lagos, Nigeria via a mail server in the US at 65.40.236.192 (Embarq). You might wonder what the scam is because it looks like a competition.. once you have answered the three trivially easy questions (we all know that Mercedes Benz was founded by Terry Benz in 1946 and is headquartered in the UK, after all) then you will find that you'll need to pay a stiff fee to get your prize.. which will never materialise."
Labels: 419, Advanced Fee Fraud, Scam, Spam

:fear: :mad:
 
Fake WhatsApp Voice msg. emails lead to malware

FYI...

Fake WhatsApp Voice msg. emails lead to malware
- http://www.webroot.com/blog/2013/10...1-new-voicemail-themed-emails-lead-malware-2/
Oct 28, 2013 - "... The cybercriminal(s) behind the most recently profiled campaigns impersonating T-Mobile, and Sky, have just launched yet another malicious spam campaign, this time targeting WhatsApp users with fake “Voice Message Notification/1 New Voicemail” themed emails. Once unsuspecting users execute the fake voice mail attachment, their PCs will attempt to drop additional malware on the hosts...
Sample screenshot of the spamvertised email:
> https://www.webroot.com/blog/wp-con...us_Software_Social_Engineering_Cybercrime.png
Detection rate for the malicious attachment: MD5: 0458a01e42544eacf00e6f2b39b788e0 * ... Trojan.Win32.Sharik.qhd
... attempts to download additional malware from the well known C&C server at networksecurityx.hopto .org ..."
* https://www.virustotal.com/en/file/...aa22607004b5c70ac5c8109ef314ad36964/analysis/
___

Fake AMEX "Fraud Alert" SPAM / steelhorsecomputers .net
- http://blog.dynamoo.com/2013/10/american-express-fraud-alert-spam.html
28 Oct 2013 - "This fake Amex spam leads to malware on steelhorsecomputers .net:
From: American Express [fraud@ aexp .com]
Date: 28 October 2013 14:14
Subject: Fraud Alert : Irregular Card Activity
Irregular Card Activity
Dear Customer,
We detected irregular card activity on your American Express
Check Card on 28th October, 2013.
As the Primary Contact, you must verify your account activity before you can
continue using your card, and upon verification, we will remove any restrictions
placed on your account.
To review your account as soon as possible please.
Please click on the link below to verify your information with us:
https ://www .americanexpress .com/
If you account information is not updated within 24 hours then your ability
to access your account will be restricted.
We appreciate your prompt attention to this important matter.
© 2013 American Express Company. All rights reserved.
AMEX Fraud Department


Screenshot: https://lh3.ggpht.com/-NyKdfJqQV8A/Um6McGvcPyI/AAAAAAAACLU/volqQqZZQw8/s1600/amex.png

The link in the email goes through a legitimate but -hacked- site and then runs one of the following three scripts:
[donotclick]kaindustries .comcastbiz .net/imaginable/emulsion.js
[donotclick]naturesfinest .eu/eroding/patricians.js
[donotclick]winklersmagicwarehouse .com/handmade/analects.js
From there, the victim is sent to a malware landing page at [donotclick]steelhorsecomputers .net/americanexpress/ which is a hijacked GoDaddy domain hosted on 96.126.102.8 (Linode, US). There are other hijacked GoDaddy domains too...
Recommended blocklist:
96.126.102.8
8353333 .com
..."

- https://www.virustotal.com/en/ip-address/96.126.102.8/information/
___

Past Due Invoice Spam
- http://threattrack.tumblr.com/post/65351182223/past-due-invoice-spam
Oct 28, 2013 - "Subjects Seen:
Past Due Invoice
Typical e-mail details:
Your invoice is attached. Please remit payment at your earliest convenience.

Malicious File Name and MD5:
invoice_95836_10282013.zip (7CDBF5827161838D7C5BD0E5B98E01C1)
invoice_95836_10282013.exe (C277EA5A86F25AC0B704CAF5832FC614)


Screenshot: https://gs1.wac.edgecastcdn.net/801...42dd14d83/tumblr_inline_mve559X8gD1r6pupn.png

:mad: :fear:
 
Fake Wells Fargo SPAM, 82.211.31.147, CookieBomb toolkit ...

FYI...

Fake Wells Fargo SPAM / Copy_10292013.zip
- http://blog.dynamoo.com/2013/10/wells-fargo-check-copy-spam.html
29 Oct 2013 - "These fake Wells Fargo spam messages have a malicious attachment:
Date: Tue, 29 Oct 2013 22:34:50 +0800 [10:34:50 EDT]
From: Wells Fargo [Emilio.Hendrix@ wellsfargo .com]
Subject: FW: Check copy
We had problems processing your latest check, attached is a image copy.
Emilio Hendrix
Wells Fargo Check Processing Services
817-576-4067 office
817-192-2390 cell Emilio.Hendrix@ wellsfargo .com
Wells Fargo Check Processing Services. 1 North Jefferson, St. Louis, MO 63103...
--------------------
Date: Tue, 29 Oct 2013 14:41:46 +0000 [10:41:46 EDT]
From: Wells Fargo [Leroy.Dale@ wellsfargo .com]
Subject: FW: Check copy
We had problems processing your latest check, attached is a image copy.
Leroy Dale
Wells Fargo Check Processing Services
817-480-3826 office
817-710-4624 cell Leroy.Dale@ wellsfargo .com
Wells Fargo Check Processing Services. 1 North Jefferson, St. Louis, MO 63103...


Attached is an executable file Copy_10292013.zip which contains an executable file Copy_10292013.exe which is (of course) malicious. Note that the date is encoded into the filenames, so future versions of this will vary. The VirusTotal detection rate is just 3/47*. Automated analysis... shows an attempted connection to allisontravels .com on 69.26.171.181 (Xeex Communications, US) which appears to be the only site currently on this server. I would recommend blocking one or both of these."
* https://www.virustotal.com/en-gb/fi...98bae2929149fa2aa3cbe8aa/analysis/1383058267/

- http://threattrack.tumblr.com/post/65435227304/wells-fargo-check-copy-spam
Oct 29, 2013 - "Subjects Seen:
FW: Check copy
Typical e-mail details:
We had problems processing your latest check, attached is a image copy...

Malicious File Name and MD5:
Copy_10292013.zip (E0D3B0A7BCCDD0AA79A1F81C79A83784)
Copy_10292013.exe (93CCC1B516EFC3365CECED8AE0B57EE2)


Screenshot: https://gs1.wac.edgecastcdn.net/801...9a170c768/tumblr_inline_mvfr56kFaj1r6pupn.png
___

Something evil on 82.211.31.147
- http://blog.dynamoo.com/2013/10/something-evil-on-8221131147.html
29 Oct 2013 - "Still investigating this one, but 82.211.31.147 (IP-Projects, Germany) appears to be a completely rogue server hosting exploit kits and malware [1] [2]... domains and subdomains are associated with this IP address. I recommend blocking them, or more easily the IP address itself."
(Long list at the dynamoo URL above.)
1) http://urlquery.net/search.php?q=82.211.31.147&type=string&start=2013-10-14&end=2013-10-29&max=50

2) https://www.virustotal.com/en-gb/ip-address/82.211.31.147/information/
___

CookieBomb toolkit ...
- http://community.websense.com/blogs...0/29/evolution-of-the-cookiebomb-toolkit.aspx
Oct 29, 2013 - "... source of this message is a spambot or script. When looked over with an experienced eye, it becomes apparent this email may just have come from the Kelihos botnet...
46.180.44.231
46.185.22.123
109.162.98.248

Malware evolution is not new: indeed, since the days of Dark Avenger’s polymorphic engine, the Mutation Engine (MtE), obfuscation and evasion have been commonplace within most, if not all malware families... in as little as 6 months, a simple tool for delivering Exploit Kits to end users has not only had its code radically altered, but has split into two distinct campaigns. One campaign is as mentioned above, infecting legitimate hosts via the exploitation of vulnerabilities; the other... piggybacking on the Kelihos Botnet, which is an incredibly sophisticated and effective spam platform, as a means of exposing end users to EKs via blatantly malicious domains. Whether this tool was exclusively rented by/to the BHEK team, or whether in fact it was coded by them, remains to be seen."
- https://www.virustotal.com/en/ip-address/46.180.44.231/information/

- https://www.virustotal.com/en/ip-address/109.162.98.248/information/
___

Suspect network: 69.26.171.176/28
- http://blog.dynamoo.com/2013/10/suspect-network-692617117628.html
29 Oct 2013 - "69.26.171.176/28 is a small network range suballocated from Xeex to the following person or company which appears to have been compromised.
%rwhois V-1.5:0000a0:00 rwhois.xeex .com (by Network Connection Canada. V-1.0)
network:auth-area:69.26.160.0/19
network:network-name:69.26.171.176
network:ip-network:69.26.171.176/28
network:org-name:MJB Capital, Inc.
network:street-address:8275 South Eastern Avenue
network:city:Las Vegas
network:state:NV
network:postal-code:89123
network:country-code:US
network:tech-contact:Mark Bunnell
network:updated:2013-05-30 10:01:58
network:updated-by:noc@ xeex .com
network:class-name:network


There are three very recent Malwr reports involving sites in this range:
69.26.171.179 - bookmarkingbeast .com
- https://malwr.com/analysis/MDMwMGY2ZWU0YTAxNGI3ZWI4NmNlNjAyYmFjMWRhMTU/
69.26.171.181 - allisontravels .com
- https://malwr.com/analysis/ZWE1NDQ0MTI3OTU2NDZjM2I1YWEyYWJhNDNlZjVjMzA/
69.26.171.182 - robotvacuumhut .com
- https://malwr.com/analysis/MDVlNjJkNDhjYzYyNDc0NDliZTZmNDY5ODRiNWVhM2I/
As a precaution, I would recommend temporarily blocking the whole range... other sites are also hosted in the same block, and if you are seeing unusual traffic going to them then I would suspect that it is a malware infection..."
(More domains listed at the dynamoo URL above.)

:mad: :fear::sad:
 
Fake eFax message SPAM, Something evil on 144.76.207.224/28 ...

FYI...

Fake eFax message SPAM / bulkbacklinks .com and Xeex .com
- http://blog.dynamoo.com/2013/10/corporate-efax-message-spam.html
30 Oct 2013 - "... do people really fall for this "Corporate eFax message" spam? Apparently people do because the spammers keep sending it out.
Date: Wed, 30 Oct 2013 23:33:23 +0900 [10:33:23 EDT]
From: eFax Corporate [message@ inbound . efax.com]
Subject: Corporate eFax message from "673-776-6455" - 2 pages
Fax Message [Caller-ID: 673-776-6455] You have received a 2 pages fax at 2013-30-10
02:22:22 CST.* The reference number for this fax is
latf1_did11-1995781774-8924188505-39.View this fax using your PDF reader.Please visit
www .eFax .com/en/efax/twa/page/help if you have any questions regarding this message or
your service.Thank you for using the eFax service..
-----------------------
Date: Wed, 30 Oct 2013 10:04:50 -0500 [11:04:50 EDT]
From: eFax Corporate [message@ inbound .efax.com]
Subject: Corporate eFax message from "877-579-4466" - 5 pages
Fax Message [Caller-ID: 877-579-4466] You have received a 5 pages fax at 2013-30-10
05:55:55 EST.* The reference number for this fax is
latf1_did11-1224528296-8910171724-72.View this fax using your PDF reader.Please visit
www .eFax .com/en/efax/twa/page/help if you have any questions regarding this message or
your service.Thank you for using the eFax service...


Attached to the message is a file FAX_10302013_1013.zip which in turn contains FAX_10302013_1013.exe (although the date is encoded into the filename so your version may be different) which has an icon that makes it look like a PDF file. This has a very low detection rate at VirusTotal of just 1/46*. Automated analysis tools... show an attempted connection to a domain bulkbacklinks .com on 69.26.171.187. This is part of the same compromised Xeex address range... Xeex have not responded to notifications of a problem (apart from an AutoNACK). I recommend that you treat the entire 69.26.171.176/28 range as being malicious and you should block according to this list**."
* https://www.virustotal.com/en-gb/fi...d6f7929567e5882f24a77df4/analysis/1383148137/

** http://blog.dynamoo.com/2013/10/suspect-network-692617117628.html
___

Something evil on 144.76.207.224/28
- http://blog.dynamoo.com/2013/10/something-evil-on-1447620722428.html
30 Oct 2013 - "The network block 144.76.207.224/28 is currently hosting the Magnitude exploit kit (example report*)... This is a Hetzner IP range... Domains hosted on this range include the following, ones in bold are flagged by Google as being malicious (Long list - see the dynamoo URL above)... I would recommend blocking all those domains plus the 144.76.207.224/28 range. Sphere Ltd seem to have some quite big operations in Russia. For information only, these are the other IP address ranges (Also listed at the dynamoo URL above)..."
* http://urlquery.net/report.php?id=7281185

:mad: :fear::fear:
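Both the "Suspect network: 69.26.171.176/28" post above and this eFax post end with the same operational advice: block the whole range (and the named callback domains) and treat any traffic to it as a likely infection. The following is an added example, not code from the original posts or from dynamoo, showing how to run that advice against outbound-proxy logs: it loads the published ranges and domains as indicators, parses constructed log lines in an assumed "timestamp client host dst_ip status" layout (no vendor's real format), and reports each line that touches an indicator, matching subdomains of a blocked domain and handling the CIDR boundary correctly (69.26.171.175 is outside the /28; .176 to .191 are inside).

```python
# Added example (not from the original posts or the dynamoo write-ups): match
# outbound-proxy log lines against the IPs, CIDR ranges and callback domains the
# posts above recommend blocking. Log format and lines are constructed here.
from __future__ import annotations

import ipaddress

# Indicators as published in the posts above; hosts not named there are not included.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "69.26.171.176/28",    # Xeex sub-allocation (allisontravels, bulkbacklinks, ...)
    "144.76.207.224/28",   # Hetzner range hosting the Magnitude exploit kit
    "82.211.31.147/32",    # rogue IP-Projects server
    "69.64.39.215/32",     # slowdating .ca callback from the ACH spam
)]
BLOCKED_DOMAINS = {"allisontravels.com", "bulkbacklinks.com", "baufie.com", "det0nator.com"}

# Constructed sample log (assumed layout: timestamp client host dst_ip status).
SAMPLE_LOG = """\
2013-10-30T14:33:12Z 10.1.2.15 bulkbacklinks.com 69.26.171.187 200
2013-10-30T14:33:40Z 10.1.2.15 www.example.org 93.184.216.34 200
2013-10-30T14:35:02Z 10.1.7.9 www.baufie.com 173.203.199.241 200
2013-10-30T14:36:55Z 10.1.2.15 cdn.example.net 69.26.171.175 304
2013-10-30T14:37:10Z 10.1.4.2 dl.somehost.ru 144.76.207.230 200
"""


def domain_blocked(host: str) -> bool:
    """True if host equals a blocked domain or is a subdomain of one (case-insensitive)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)


def ip_blocked(ip: str) -> bool:
    """True if ip falls inside any blocked network; unparsable strings never match."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in BLOCKED_NETWORKS)


def find_hits(log_text: str) -> list[tuple[str, str, str, str]]:
    """Return (timestamp, client, host, reason) for each line that touches an indicator."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # blank or malformed line
        ts, client, host, dst_ip = fields[:4]
        reasons = []
        if domain_blocked(host):
            reasons.append("domain")
        if ip_blocked(dst_ip):
            reasons.append("ip")
        if reasons:
            hits.append((ts, client, host, "+".join(reasons)))
    return hits


if __name__ == "__main__":
    for ts, client, host, why in find_hits(SAMPLE_LOG):
        print("%s %s -> %s [%s]" % (ts, client, host, why))
```

Matching on both the resolved IP and the requested host is deliberate: the callbacks in these posts go to a hostname, but the same box answers under other domains, so an IP hit with an unknown host is exactly the "unusual traffic going to them" the dynamoo post tells you to treat as an infection.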
 
Rogue Ads in Yahoo lead to Sirefef Infection

FYI...

Rogue Ads in Yahoo lead to Sirefef Infection
- http://www.threattracksecurity.com/it-blog/rogue-ads-yahoo-lead-sirefef-infection/
Oct 30, 2013 - "Our researchers in the AV Labs are continuing to see fake software being served on unfamiliar sponsored links or ads found in search results. Recently, we found an ad for a fake browser on Yahoo! after doing a search for “google chrome browser”.
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/10/yahoo-search-ad.png
Clicking the first ad we highlighted above leads users to the website, softpack(dot)info/chrome/:
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/10/fake-chrome-page.png
Below this page are texts that read as follows:
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/10/lower-section-wm.png
... In case you’re not familiar, rogue sites like this usually serve free-to-download software that are modified to install adware. In this case, Google_Chrome_30.0.1599.69.exe, the -fake- browser file, is wholly malicious and belongs to the Sirefef/ZeroAccess malware family. We were able to retrieve two variants of this file...
MD5 9111ebfbf015c3096f650060819f744b – detected as Trojan.Win32.Generic!SB.0 (15/47*)
MD5 60a0e64fec6b5e509b666902e72833ea – detected as Trojan.Win32.Generic.pak!cobra (7/47**)
... We fed the files into our sandbox and found that -both- variants -disable- Windows security features and prevent the OS from updating automatically. Infected systems, especially those that run outdated software and have no added security software in place, face the risk of further infection from other malware. Users are advised to be careful in clicking ads for free software. It is still safer for you... to visit -official- pages of the software you wish to download and install onto your system. You may also consider installing AdBlock Plus***, a software that can be installed in the browser to prevent ads from appearing on sites while you surf..."
* https://www.virustotal.com/en/file/...98bcc981c595958fa1755c02/analysis/1383072130/

** https://www.virustotal.com/en/file/...105138b8f47c9f7be4118476312c030ffbd/analysis/

*** https://addons.mozilla.org/en-US/firefox/addon/adblock-plus/

:mad: :fear::fear:
 
Fake Snapchat install leads to Adware

FYI...

Fake Snapchat install leads to Adware
- http://www.threattracksecurity.com/it-blog/fake-snapchat-install-leads-adware/
Nov 1, 2013 - "Our Labs recently identified numerous files claiming to be Snapchat.exe, which is a popular photo messaging application. These files were most assuredly not Snapchat, so we were curious to find out what was going on. As it turns out, a quick search in Bing brings forth answers:
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/11/snapchat-optimum-ad.png
The very first entry under the search is an ad, leading to videonechat(dot)com.
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/11/snapchatdorgem.jpg
The website simultaneously talks about installing Snapchat, while listing the program as “Dorgem” in small letters in the grey box on the top right hand side. At this point, you might want to take a wild guess as to whether you’re going to end up with Snapchat, a hugely popular and current application, or a now discontinued webcam capture program called -Dorgem- which has been bundled with programs you likely don’t need... The install offers up a number of ad serving programs, media players and additional software offered up with no relation to Snapchat whatsoever. During testing, we saw Realplayer, GreatArcadeHits, Optimizer Pro, Scorpion Saver and Word Overview...
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/11/adknowledge-snap-7.png
Legitimate programs being bundled with Adware is a common enough tactic, but this is an Optimum Installer bundle where a website serves as clickbait for a deliberately misrepresented app – you most definitely do not get what you’re promised in return for installing numerous pieces of ad-serving software. Don’t fall for this one. VirusTotal pegs this one at 6/47*..."
* https://www.virustotal.com/en/file/...de944ce42d84e0d30f51433a/analysis/1383232536/
___

Email Quota Limit Credentials Phish
- http://threattrack.tumblr.com/post/65699040166/email-quota-limit-credentials-phish
Nov 1, 2013 - "Subjects Seen:
Email Quota Limit
Typical e-mail details:
Your mailbox has exceeded the storage limit, you may not be able to send or receive new mail until you re-validate your mailbox mail with the link below.
System Administrator


Malicious URLs
suppereasy.jimdo .com


Screenshot: https://gs1.wac.edgecastcdn.net/801...cc215f8d4/tumblr_inline_mvldpyDIa01r6pupn.png

:mad: :fear:
 
Ads lead to SpyAlertApp PUA ...

FYI...

Ads lead to SpyAlertApp PUA ...
- http://www.webroot.com/blog/2013/11...lertapp-pua-potentially-unwanted-application/
Nov 1, 2013 - "... They promise users the moon, and only ask in return that users install a basic free application. Case in point, our sensors picked up yet another deceptive ad campaign that entices users into installing privacy violating applications, most commonly known as PUAs...
Sample screenshots of the landing page:
> https://www.webroot.com/blog/wp-con...Potentially_Unwanted_Application-896x1024.png
Landing URL: spyalertapp .com
Detection rate for the SpyAlertApp PUA: MD5: 183cf05e8846a18dab9850ce696c3bf3 * ... Win32/ExFriendAlert.B; SearchDonkey (fs)
Once executed, it phones back to 66.135.34.182 and 66.135.34.181 ... PUA MD5s are known to have phoned back to these IPs... Want to know who’s tracking your online activities? We advise you to give Mozilla’s Lightbeam**, a try."
* https://www.virustotal.com/en/file/...923eb08bb5a53befe44649ab/analysis/1382979505/

** http://www.mozilla.org/en-US/lightbeam/

- https://www.virustotal.com/en/ip-address/66.135.34.181/information/

- https://www.virustotal.com/en/ip-address/66.135.34.182/information/

:mad: :fear:
 
Fake SAGE, Fax SPAM ...

FYI...

Fake SAGE SPAM / Payroll_Report-PaymentOverdue.exe
- http://blog.dynamoo.com/2013/11/payment-overdue-please-respond-spam.html
4 Nov 2013 - "This -fake- SAGE spam has a malicious attachment:
Date: Mon, 4 Nov 2013 21:00:59 +0600 [10:00:59 EST]
From: Payroll Reports [payroll@sage .co .uk]
Please find attached payroll reports for the past months. Remit the new payment by 11/10/2013 as outlines under our payment agreement.
Sincerely,
Bernice Swanson
This e-mail has been sent from an automated system. PLEASE DO NOT REPLY...


Attached is a file PaymentOverdue.zip which in turn contains a malicious executable Payroll_Report-PaymentOverdue.exe with an icon that makes it look like an Excel spreadsheet. This malware has a VirusTotal detection rate of just 4/47*, and automated analysis tools... show an attempted connection to goyhenetche .com on 184.154.15.188 (Singlehop, US), a server that contains many legitimate domains but some more questionable ones** too."
* https://www.virustotal.com/en-gb/fi...67274688c315b0a64b97d815/analysis/1383579237/

** https://www.virustotal.com/en-gb/ip-address/184.154.15.188/information/

Diagnostic page for AS32475 (SINGLEHOP-INC)
- http://google.com/safebrowsing/diagnostic?site=AS:32475
"... over the past 90 days, 1069 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2013-11-04, and the last time suspicious content was found was on 2013-11-04... we found 73 site(s) on this network... that appeared to function as intermediaries for the infection of 371 other site(s)... We found 147 site(s)... that infected 543 other site(s)..."

- http://threattrack.tumblr.com/post/66000322286/sage-payroll-overdue-payment-spam
Nov 4, 2013 - "Subjects Seen:
Payment Overdue - Please respond
Typical e-mail details:
Please find attached payroll reports for the past months. Remit the new payment by 11/10/2013 as outlines under our payment agreement.
Sincerely,
Shelby Lloyd


Malicious File Name and MD5:
PaymentOverdue.zip (AF69AE41F500EBCE3A044A1FC8FF8701)
Payroll_Report-PaymentOverdue.exe (32B2481F9EF7F58D3EF3640ECFC64B19)


Screenshot: https://gs1.wac.edgecastcdn.net/801...8d702e85c/tumblr_inline_mvqx1rPlId1r6pupn.png
___

Ring Central Fax Spam
- http://threattrack.tumblr.com/post/66001198347/ring-central-fax-spam
Nov 4, 2013 - "Subjects Seen:
New Fax Message on 11/04/2013
Typical e-mail details:
To view this message, please open the attachment
Thank you for using RingCentral.


Malicious File Name and MD5:
<random #s>.pdf.exe (FE52EE7811D93A3E941C0A15126152AC)
<random #s>.zip (8728BBFD1ABAC087211D55BB53991017)


Screenshot: https://gs1.wac.edgecastcdn.net/801...96d1f19a0/tumblr_inline_mvqxpmLMDn1r6pupn.png

:fear::fear: :mad:
 
Fake ACH, USPS SPAM ...

FYI...

Fake ACH SPAM / ACAS1104201336289204PARA7747.zip
- http://blog.dynamoo.com/2013/11/ach-notification-ach-process-end-of-day.html
5 Nov 2013 - "This fake ACH (or is it Paychex?) email has a malicious attachment:
Date: Tue, 5 Nov 2013 08:28:30 -0500 [08:28:30 EST]
From: "Paychex, Inc" [paychexemail@ paychex .com]
Subject: ACH Notification : ACH Process End of Day Report
Attached is a summary of Origination activity for 11/04/2013 If you need assistance
please contact us via e-mail at paychexemail@ paychex .com during regular business hours.
Thank you for your cooperation.


Attached is a file ACAS1104201336289204PARA7747.zip which in turn contains an executable ACAS11042013.exe which has a VirusTotal detection rate of 7/46*. Automated analysis... shows an attempted connection to slowdating .ca on 69.64.39.215 (Hosting Solutions International, US). There are several legitimate sites on this server, however it is possible that the server itself is compromised. The malware drops several files..."
* https://www.virustotal.com/en-gb/fi...7ec5381ad87eb190e1cf22bd/analysis/1383665169/

- https://www.virustotal.com/en/ip-address/69.64.39.215/information/
___

Fake USPS SPAM / Label_442493822628.zip
- http://blog.dynamoo.com/2013/11/usps-spam-label442493822628zip.html
5 Nov 2013 - "This -fake- USPS spam has a malicious attachment:
Date: Tue, 5 Nov 2013 14:24:45 +0000 [09:24:45 EST]
From: USPS Express Services [service-notification@ usps .gov]
Subject: USPS - Missed package delivery
The courier company was not able to deliver your parcel by your address.
Cause: Error in shipping address.
Label: 442493822628
Print this label to get this package at our post office.
Please attention!
For mode details and shipping label please see the attached file.
Please do not reply to this e-mail, it is an unmonitored mailbox!
Thank you,
USPS Logistics Services...


The attachment is Label_442493822628.zip which in turn contains a malicious executable Label_11052013.exe which has a VirusTotal detection rate of 6/46*. Automated analysis... shows an attempted connection to sellmakers .com on 192.64.115.140 (Namecheap, US). Note that there may be legitimate sites on that IP address, however it is possible that the whole server has been compromised."
* https://www.virustotal.com/en-gb/fi...423dfa6bff94dd8c0348d5af/analysis/1383666106/

- https://www.virustotal.com/en-gb/ip-address/192.64.115.140/information/

:mad: :fear: :mad:
 
Last edited:
Fake invoice, Voicemail SPAM ...

FYI...

Fake invoice SPAM leads to DOC exploit
- http://blog.dynamoo.com/2013/11/invoice-17731-from-victoria-commercial.html
6 Nov 2013 - "This -fake- invoice email leads to a malicious Word document:
From: Dave Porter [mailto:dave.porter@blueyonder .co .uk]
Sent: 06 November 2013 12:06
To: [redacted]
Subject: Invoice 17731 from Victoria Commercial Ltd
Dear Customer :
Your invoice is attached to the link below:
[donotclick]http ://www.vantageone .co .uk/invoice17731.doc
Please remit payment at your earliest convenience.
Thank you for your business - we appreciate it very much.
Sincerely,
Victoria Commercial Ltd


The email originates from bosmailout13.eigbox .net 66.96.186.13 which belongs to the Endurance International Group in the US. The malicious .DOC file is hosted at [donotclick]www.vantageone .co .uk/invoice17731 .doc which appears to be a -hacked- legitimate web site.
Detection rates have continued to improve throughout the day and currently stand at 10/47*. The vulnerability in use is CVE-2012-0158 / MS12-027. If your Word installation is up-to-date and fully patched then it should block this attack.
A sandbox analysis confirms that it is malicious, in particular it connects to 158.255.2.60 (Mir Telematiki Ltd, Russia) and the following domains:
feed404.dnsquerys .com
feeds.nsupdatedns .com
It is the same attack as described by Blaze's Security Blog** and I would advise you to look at that posting for more details. In the meantime, here is a recommended blocklist:
118.67.250.91
158.255.2.60
..."
* https://www.virustotal.com/en-gb/fi...cd3d8559eac3488102f51d0a/analysis/1383746893/

** http://bartblaze.blogspot.co.uk/2013/11/latest-ups-spam-runs-include-exploits.html

- https://www.virustotal.com/en/ip-address/118.67.250.91/information/

- https://www.virustotal.com/en/ip-address/158.255.2.60/information/
___

Fake voice mail SPAM / VoiceMail.zip
- http://blog.dynamoo.com/2013/11/voice-message-from-unknown-spam.html
6 Nov 2013 - "This -fake- voice mail spam comes with a malicious attachment:
Date: Wed, 6 Nov 2013 22:22:28 +0800 [09:22:28 EST]
From: Administrator [voice9@ victimdomain]
Subject: Voice Message from Unknown (886-966-4698)
- - -Original Message- - -
From: 886-966-4698
Sent: Wed, 6 Nov 2013 22:22:28 +0800
To: recipients@ victimdomain
Subject: Private Message


The email appears to come from an email address on the victim's own domain and the body text contains a list of recipients within that same domain. Attached to the email is a file VoiceMail.zip which in turn contains a malicious executable VoiceMail.exe with an icon to make it look like an audio file. This malware file has a detection rate of 3/47* at VirusTotal. Automated analysis tools... show an attempted connection to twitterbacklinks .com on 216.151.138.243 (Xeex, US) which is a web host that has been seen before** in this type of attack. Xeex seems to divide up its network into /28 blocks, which would mean that the likely compromised block would be 216.151.138.240/28... domains are consistent with the ones compromised here*** and it is likely that they have all also been compromised."
Recommended blocklist:
69.26.171.176/28
216.151.138.240/28
..."
(More listed at the dynamoo URL above.)
* https://www.virustotal.com/en-gb/fi...f44d7f5fb0d4a7f35b1688f0/analysis/1383748084/

** http://blog.dynamoo.com/search/label/Xeex

*** http://blog.dynamoo.com/2013/10/suspect-network-692617117628.html

:mad::mad: :fear:
 
Last edited:
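The dynamoo posts above end with recommended blocklists (CIDR ranges plus the callback hostname) and reason from one bad IP to the /28 it sits in. The script below is an added example, not code from dynamoo or ThreatTrack: it loads the two /28 ranges and the hostname quoted in the voice mail post, computes the enclosing /28 for an IP the way the post does, and runs constructed proxy-style log lines (not real traffic; the format is assumed) against that blocklist.

```python
"""Match outbound-connection log lines against a CIDR + hostname blocklist.

Added example (not from the quoted blog posts). The CIDR ranges and the
hostname are the ones quoted in the voice mail post; the log line format
and the log lines themselves are constructed for the example.
"""
import ipaddress
import re

# Blocklist exactly as recommended in the quoted post.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in ("69.26.171.176/28", "216.151.138.240/28")]
BLOCKED_HOSTS = {"twitterbacklinks.com"}

# Assumed log format: "<timestamp> <src-ip> -> <dst-ip> <dst-hostname>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>[\d.]+) (?P<host>\S+)$")

# Constructed sample lines: one callback to the host in the post, one
# connection elsewhere in the other /28, one benign connection (TEST-NET).
SAMPLE_LOG = [
    "2013-11-06T14:22:28Z 10.0.0.15 -> 216.151.138.243 twitterbacklinks.com",
    "2013-11-06T14:23:01Z 10.0.0.22 -> 69.26.171.180 unknown",
    "2013-11-06T14:25:10Z 10.0.0.15 -> 192.0.2.10 example.invalid",
]


def enclosing_block(ip, prefix=28):
    """Return the /prefix network containing ip, i.e. the post's /28 reasoning."""
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def check_line(line):
    """Return a list of reasons a line matches the blocklist.

    None for lines that do not parse, [] for clean lines.
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    dst = ipaddress.ip_address(m["dst"])
    host = m["host"].lower().rstrip(".")
    reasons = []
    for net in BLOCKED_NETS:
        if dst in net:
            reasons.append(f"ip in {net}")
    # Match the host itself and any subdomain of it.
    if host in BLOCKED_HOSTS or any(host.endswith("." + h) for h in BLOCKED_HOSTS):
        reasons.append(f"host {host} blocklisted")
    return reasons


def scan(lines):
    """Return (line, reasons) for every line that hits the blocklist."""
    hits = []
    for line in lines:
        reasons = check_line(line)
        if reasons:
            hits.append((line, reasons))
    return hits


if __name__ == "__main__":
    print("216.151.138.243 lives in", enclosing_block("216.151.138.243"))
    for line, reasons in scan(SAMPLE_LOG):
        print(line, "=>", "; ".join(reasons))
```

Matching on both the destination IP and the hostname matters here: the posts note that these servers also host legitimate sites, so a hostname hit is a stronger signal than an IP hit alone, while the IP range catches callbacks to other compromised domains on the same block.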
Fake voicemail, Visa, DocuSign, FedEx SPAM ...

FYI...

Fake voicemail SPAM / Voice_Mail.exe
- http://blog.dynamoo.com/2013/11/you-received-voice-mail-spam.html
7 Nov 2013 - "This -fake- voice mail spam has a malicious attachment:
Date: Thu, 7 Nov 2013 15:58:15 +0100 [09:58:15 EST]
From: Microsoft Outlook [no-reply@ victimdomain .net]
Subject: You received a voice mail
You received a voice mail : N_58Q-ILM-94XZ.WAV (182 KB)
Caller-Id:
698-333-5643
Message-Id:
80956-84B-12XGU
Email-Id:
[redacted]
This e-mail contains a voice message.
Double click on the link to listen the message.
Sent by Microsoft Exchange Server


Screenshot: https://lh3.ggpht.com/-TcGTepv34NQ/Unu1BKezJaI/AAAAAAAACOs/NNjOsDO0uC0/s1600/voicemail.png

Attached is a zip file in the format Voice_Mail_recipientname.zip which in turn contains a malicious file Voice_Mail.exe which has an icon to make it look like an audio file. VirusTotal detection for that is 7/47* and automated analysis tools... show an attempted connection to amazingfloorrestoration .com on 202.150.215.66 (NewMedia Express, Singapore). Note that sometimes other sites on these servers have also been compromised, so if you see any odd traffic to this IP then it could well be malicious."
* https://www.virustotal.com/en-gb/fi...b081931af18b916c7adf14c4/analysis/1383838216/

- https://www.virustotal.com/en/ip-address/202.150.215.66/information/
___

Visa Recent Transactions Report Spam
- http://threattrack.tumblr.com/post/66285164149/visa-recent-transactions-report-spam
Nov 7, 2013 - "Subjects Seen:
VISA - Recent Transactions Report
Typical e-mail details:
Dear Visa card holder,
A recent review of your transaction history determined that your card was used in possible fraudulent transactions. For security reasons the requested transactions were refused. Please carefully review electronic report for your VISA card.
For more details please see the attached transaction report.
Dion_Andersen
Data Protection Officer
VISA EUROPE LIMITED
1 Sheldon Square
London W2 6WH
United Kingdom


Malicious File Name and MD5:
payment.exe (A4D868FB8A01CA999F08E5739A5E73DC)


Screenshot: https://gs1.wac.edgecastcdn.net/801...8f136cc96/tumblr_inline_mvwj2jIxPM1r6pupn.png
___

DocuSign - Internal Company Changes Spam
- http://threattrack.tumblr.com/post/66283048697/docusign-internal-company-changes-spam
Nov 7, 2013 - "Subjects Seen:
Please DocuSign this document : Company Changes - Internal Only
Typical e-mail details:
Sent on behalf of <email address>.
All parties have completed the envelope ‘Please DocuSign this document: Company Changes - Internal Only..pdf’.
To view or print the document download the attachment. (self-extracting archive, Adobe PDF)
This document contains information confidential and proprietary to <email domain>


Malicious File Name and MD5:
Company Changes - Internal Only.PDF.zip (1B853B2962BB6D5CAA7AB4A64B83EEFF)
Company Changes - Internal Only.PDF.exe (03C3407D732A94B05013BD2633A9E974)


Screenshot: https://gs1.wac.edgecastcdn.net/801...1dad6a4d7/tumblr_inline_mvwhhsr8NO1r6pupn.png
___

My FedEx Rewards Spam
- http://threattrack.tumblr.com/post/66278510467/my-fedex-rewards-spam
Nov 7, 2013 - "Subjects Seen:
Your Rewards Order Has Shipped
Typical e-mail details:
This is to confirm that one or more items in your order has been shipped. Note that multiple items in an order may be shipped separately.
You can review complete details of your order on the Order History page
Thanks for choosing FedEx.


Malicious File Name and MD5:
Order history page.zip (EE074EAACC3D444563239EF0C9F4CE0D)
Order history page.pdf.exe (DF86900EC566E13B2A8B7FD9CFAC5969)


Screenshot: https://gs1.wac.edgecastcdn.net/801...ef005039f/tumblr_inline_mvwdqhG7MY1r6pupn.png

:mad: :fear:
 
Last edited:
Malware sites to block, Voicemail SPAM, Styx and Nuclear ...

FYI...

Malware sites to block - (Nuclear EK)
- http://blog.dynamoo.com/2013/11/malware-sites-to-block-8112013-nuclear.html
8 Nov 2013 - "The IPs and domains listed below are currently in use to distribute the Nuclear exploit kit (example*). I strongly recommend blocking them or the 142.4.194.0/30 range in which these reside. Many (but not all) of them are already flagged as being malicious by SURBL and Google. The domains are being used with subdomains, so they don't resolve directly. I have identified -3768- domains in this OVH range... The subdomains can be found in this file [csv**] but as it is almost definitely incomplete it is simpler to use the blocklist below:
142.4.194.0/30 ..."
(More domains listed at the dynamoo URL above.)
* http://urlquery.net/report.php?id=7517029

** http://www.dynamoo.com/files/penziatki-private-customer.csv
___

Fake Voicemail SPAM / MSG00049.zip and MSG00090.exe
- http://blog.dynamoo.com/2013/11/voicemail-message-spam-msg00049zip-and.html
8 Nov 2013 - "Another day, yet another -fake- voicemail message spam with a malicious attachment:
Date: Fri, 8 Nov 2013 15:15:20 +0000 [10:15:20 EST]
From: Voicemail [user@ victimdomain .com]
Subject: Voicemail Message
IP Office Voicemail redirected message


Attached is a file MSG00049.zip which in turn contains a malicious executable MSG00090.exe. Virus detection on VirusTotal is a so-so 12/47*. Automated analysis... shows an attempted connection to seminyak-italian .com on 198.1.84.99 (Unified Layer / Websitewelcome, US). There are 7 or so legitimate sites on that server, I cannot vouch for them being safe or not".
* https://www.virustotal.com/en-gb/fi...81b4cd14cc8737494b977f1e/analysis/1383936341/

- https://www.virustotal.com/en/ip-address/198.1.84.99/information/
___

Shylock/Caphaw Drops Blackhole for Styx and Nuclear
- http://www.threattracksecurity.com/it-blog/shylock-caphaw-drops-blackhole-for-styx-and-nuclear/
Nov 8, 2013 - "In early October, news of the arrest of “Paunch” and his cohorts in Russia... Because of this, experts in the security industry had noticed the lack of new updates for the BHEK. Our experts in the Labs also concurred a possible dropping of threats involving the BHEK. With this in mind, it’s highly likely for online criminals to look for other alternatives...
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/11/directed-to-exploit.jpg
... Sutra TDS has been associated with a number of Web threats, such as exploits (BHEK), rogue AV and ransomware among others as part of their infection and/or propagation tactics for years. Even phishers have jumped on the bandwagon... steps you can take in protecting yourself against Styx-based threats:
• Make sure to update all your software in real-time. You might be better off using patch management software to assist with this. Such programs run in the background and prompt users whenever they detect new updates for software users have installed on systems.
• Keep your antivirus software also up-to-date.
• Block or filter off URLs with patterns that resemble Sutra TDS landing pages. Please ask assistance from someone if you need to."
___

Key Bank Secure Message Spam
- http://threattrack.tumblr.com/post/66377019759/key-bank-secure-message-spam
Nov 8, 2013 - "Subjects Seen:
You have received a secure message
Typical e-mail details:
Read your secure message by opening the attachment, Secure_Message.zip. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it in a Web browser. To access from a mobile device, forward this message to mobile @ res. cisco .com to receive a mobile login URL.
If you have concerns about the validity of this message, please contact the sender directly. For questions about Key’s e-mail encryption service, please contact technical support at 888.764.7941.
First time users - will need to register after opening the attachment.


Malicious File Name and MD5:
Secure_Message.zip (4301BE522A5254DBB5DBCF96023526B9)
Secure_Message.exe (8E0E9C0995B220FA8DFBC8BFFA54759F)


Screenshot: https://gs1.wac.edgecastcdn.net/801...ccfa4df41/tumblr_inline_mvyd7vEbVl1r6pupn.png

:mad: :fear::fear:
 
Last edited:
Typhoon Scams, Adware sites to block ...

FYI...

Typhoon Scams... Email, Telephone, Door to Door
- http://www.threattracksecurity.com/it-blog/typhoon-haiyan-scams-rounds-email-telephone-door-door/
Nov 11, 2013 - "In the wake of Typhoon Haiyan, both law enforcement and members of the public are coming forward to make timely reminders related to donation scams.
1) Police in Huntsville, Ontario have warned of individuals from unverified donation campaigns* going door to door.
Sudden arrivals on your doorstep asking for donations related to any form of disaster should always be viewed with suspicion, and keep in mind that any form of ID can be faked convincingly. If the person is particularly pushy about you handing over money in a short period of time, be extra suspicious...
2) Anxious friends and relatives of those who have gone missing are apparently posting up too much personal information on social networks in their quest to re-establish contact... Avoid posting personal details to sites such as Twitter and Facebook.
3) In the US, cold calling from individuals claiming to be from the Salvation Army asking for Typhoon relief donations has begun. I did a little digging on the phone number listed, and it appears on a Snopes page*** related to Hurricane Sandy FEMA cleanup crews... If you want to donate through Salvation Army, you should visit their donation page** and keep cold calls to your telephone line on the back burner.
4) Scam emails are already in circulation. Expect the majority of these to ride on the coat-tails of efforts by organisations such as The Red Cross. One particularly devious tactic to watch out for is scammers giving you a real, genuine domain as a reply email to send your bank details to but including a fake as a CC address..."
(More detail at the threattracksecurity URL above.)

* http://moosefm.com/cfbg/news/14095-police-warning-about-potential-typhoon-scam

** https://donate.salvationarmyusa.org/TyphoonHaiyan

*** http://www.snopes.com/fraud/employment/femasandy.asp
___

- https://www.us-cert.gov/ncas/curren...phoon-Disaster-Email-Scams-Fake-Antivirus-and
Nov 12, 2013
___

Adware sites to block / "Consumer Benefit Ltd" ...
- http://blog.dynamoo.com/2013/11/consumer-benefit-ltd-adware-sites-to.html
11 Nov 2013 - "A couple of network blocks came to my attention after investigating some adware ntlanmbn.exe (VirusTotal report*) and GFilterSvc.exe (report**) both in C:\WINDOWS\SYSTEM32. The blocks are 212.19.36.192/27 and 82.98.97.192/28 ... Many of the domains currently or recently hosted in these IP ranges are clearly deceptive in nature... the following domains and IPs are all part of these "Consumer Benefit Ltd" ranges and appear to be adware-related and have unclear ownership details. If you block adware sites on your network then I would recommend using the following blocklist:
212.19.36.192/27
82.98.97.192/28
..."
(More detail and URLs listed at the dynamoo URL above.)

* https://www.virustotal.com/en-gb/fi...aaf1e288245fc4f3f523b847/analysis/1384162704/

** https://www.virustotal.com/en-gb/fi...92254b210a153a25ce8d2ae7/analysis/1384162774/
___

Fake Confidential Message SPAM / To All Employees 2013.zip.exe
- http://blog.dynamoo.com/2013/11/to-all-employees-confidential-message.html
11 Nov 2013 - "This -fake- "all employees" email comes with a malicious attachment:
Date: Mon, 11 Nov 2013 11:28:29 +0000 [06:28:29 EST]
From: DocuSign Service [dse@ docusign .net]
Subject: To all Employees - Confidential Message
Your document has been completed
Sent on behalf of administrator@victimdomain.
All parties have completed the envelope 'Please DocuSign this document:
To All Employees 2013.doc'.
To view or print the document download the attachment .
(self-extracting archive, Adobe PDF) This document contains information confidential and proprietary to spamcop .net
DocuSign. The fastest way to get a signature. If you have questions regarding this notification or any enclosed documents requiring yoursignature, please contact the sender directly...


The attachment to the email is called To All Employees 2013.zip which contains To All Employees 2013.zip.exe which has an icon that makes it look like a PDF file. This malicious file has a VirusTotal detection rate of 7/47*. Automated analysis... shows a callback to trc-sd .com on 121.127.248.74 (Sun Network, Hong Kong). This IP address hosts several legitimate sites, so bear that in mind if you block the IP."
* https://www.virustotal.com/en-gb/fi...e937fe320222a7812c904d16/analysis/1384175853/

- https://www.virustotal.com/en-gb/ip-address/121.127.248.74/information/
___

Fake Paypal SPAM / Identity_Form_04182013.zip
- http://blog.dynamoo.com/2013/11/identity-issue-pp-716-097-521-587-spam.html
11 Nov 2013 - "For some reason EXE-in-ZIP attacks are all the rage at the moment, here is a -fake- spam pretending to be from PayPal with a malicious attachment:
Date: Mon, 11 Nov 2013 19:14:10 +0330 [10:44:10 EST]
From: Payroll Reports [payroll@ quickbooks .com]
Subject: Identity Issue #PP-716-097-521-587
We are writing you this email in regards to your PayPal account. In accordance with our
"Terms and Conditions", article 3.2., we would like to kindly ask you to confirm your
identity by completing the attached form. Please print this form and fill in the
requested information. Once you have filled out all the information on the form please
send it to verification@ paypal .com along with a personal identification document
(identity card, driving license or international passport) and a proof of address
submitted with our system ( bank account statement or utility bill )
Your case ID for this reason is PP-D503YC19DXP3
For your protection, we might limit your account access. We apologize for any
inconvenience this may cause.
Thanks, PayPal...


Attached is a file Identity_Form_04182013.zip which in turn contains Identity_Form_04182013.exe which as you might guess is malicious. VirusTotal detections are 16/47*, and automated analysis... shows an attempted connection to trc-sd .com which is the same domain seen in this attack**."
* https://www.virustotal.com/en-gb/fi...e937fe320222a7812c904d16/analysis/1384185446/

** http://blog.dynamoo.com/2013/11/to-all-employees-confidential-message.html
___

American Express Suspicious Activity Report Spam
- http://threattrack.tumblr.com/post/66684841364/american-express-suspicious-activity-report-spam
Nov 11, 2013 - "Subjects Seen:
Recent Activity Report - Incident #6U7X67B05H6NGET
Typical e-mail details:
As part of our security measures, we deliver appropriate monitoring of transactions and customers to identify potentially unusual or suspicious activity and transactions in the American Express online system.
Please review the “Suspicious Activity Report” document attached to this email.
Your Cardmember information is included in the upper-right corner of this document to help you recognize this as a customer service e-mail from American Express. To learn more about e-mail security or report a suspicious e-mail, please visit us at americanexpress .com/phishing
Thank you for your Cardmembership.
Sincerely,
Lindsey_Oneal
Tier III Support
American Express Account Security
Fraud Prevention and Detection Network


Malicious File Name and MD5:
Incident#<random>.zip (14F92A367A01C5AD8F0C4A7062000FE6)
Incident#.exe (77F23BC4F0ECB244FAA61163B07EAEC7)


Screenshot: https://gs1.wac.edgecastcdn.net/801...769f322e8/tumblr_inline_mw3y824fCm1r6pupn.png

Tagged:
American Express: http://threattrack.tumblr.com/tagged/American-Express
Upatre: http://threattrack.tumblr.com/tagged/Upatre

:mad: :fear:
 
Last edited:
Fake HMRC, Outlook SPAM, Dynamic DNS sites you might want to block ...

FYI...

Dynamic DNS sites you might want to block ...
- http://blog.dynamoo.com/2013/11/dynamic-dns-sites-you-might-want-to.html
12 Nov 2013 - "These domains are used for dynamic DNS and are operated by a company called Dyn who offer a legitimate service, but unfortunately it is -abused- by malware writers. If you are the sort of organisation that blocks dynamic DNS IPs then I recommend that you consider blocking the following... listed in yellow have been identified as having some malware by Google, ones listed in red are blocked by Google. Ones listed in italics are flagged as malicious by SURBL*. The links go to the Google diagnostic page."
(Long list at the dynamoo URL above.)
* http://www.surbl.org/lists
___

Fake HMRC SPAM - HMRC_Message.zip and qualitysolicitors .com
- http://blog.dynamoo.com/2013/11/you-have-received-new-messages-from.html
12 Nov 2013 - "This fake HMRC spam comes with a malicious attachment. Because the spammers have copied-and-pasted the footer from somewhere random it also effectively joe jobs an innocent site called qualitysolicitors .com:
Date: Tue, 12 Nov 2013 05:29:28 -0500 [05:29:28 EST]
From: "noreply@hmrc .gov .uk" [noreply@hmrc .gov .uk]
Subject: You have received new messages from HMRC
Please be advised that one or more Tax Notices (P6, P6B) have been issued.
For the latest information on your Tax Notices (P6, P6B) please open attached report.
Please do not reply to this e-mail.
1.This e-mail and any files or documents transmitted with it are confidential and
intended solely for the use of the intended recipient. Unauthorised use, disclosure or
copying is strictly prohibited and may be unlawful. If you have received this e-mail in
error, please notify the sender at the above address and then delete the e-mail from your
system.
2. If you suspect that this e-mail may have been intercepted or amended, please
notify the sender. 3. Any opinions expressed in this e-mail are those of the individual
sender and not necessarily those of QualitySolicitors Punch Robson. 4. Please note that
this e-mail and any attachments have been created in the knowledge that internet e-mail
is not a 100% secure communications medium. It is your responsibility to ensure that they
are actually virus free. No responsibility is accepted by QualitySolicitors Punch Robson
for any loss or damage arising from the receipt of this e-mail or its contents.
QualitySolicitors Punch Robson: Main office 35 Albert Road Middlesbrough TS1 1NU
Telephone 01642 230700. Offices also at 34 Myton Road, Ingleby Barwick, Stockton On Tees,
TS17 0WG Telephone 01642 754050 and Unit E, Parkway Centre, Coulby Newham, Middlesbrough
TS8 0TJ Telephone 01642 233980 VAT no. 499 1588 77. Authorised and regulated by the
Solicitors Regulation Authority (57864). A full list of Partners names is available from
any of our offices...


... there's a ZIP file called HMRC_Message.zip which in turn contains a malicious executable HMRC_Message.exe which has a VirusTotal detection rate of 12/47*. Automated analysis tools... show that it attempts to communicate with alibra .co .uk on 78.137.113.21 (UKfastnet Ltd, UK) and then it attempts to download additional components from:
[donotclick]synchawards .com/a1.exe
[donotclick]itcbadnera .org/images/dot.exe
a1.exe has a detection rate of 16/47**, and Malwr reports further HTTP connections to:
[donotclick]59.106.185.23 /forum/viewtopic.php
[donotclick]new.data.valinformatique .net/5GmVjT.exe
[donotclick]hargobindtravels .com/38emc.exe
[donotclick]bonway-onza .com/d9c9.exe
[donotclick]friseur-freisinger .at/t5krH.exe
dot.exe has a much lower detection rate of 6/47***... various types of activity including keylogging and credential harvesting. There are also many, many HTTP connections to various hosts, I suspect this is attempting to mask the actual C&C servers it is connecting to.
a1.exe downloads several more files, all of which appear to be the same. The VirusTotal detection rate for these is 5/47***, Malwr reports several attempted IP connections that look a bit like peer-to-peer Zeus."
Recommended blocklist:
59.106.185.23 ..."
(More URLS listed at the dynamoo URL above.)
* https://www.virustotal.com/en-gb/fi...a7833005c2a01b58881dbbf9/analysis/1384264864/

** https://www.virustotal.com/en-gb/fi...e78171459306681dd8b04a50/analysis/1384265605/

*** https://www.virustotal.com/en-gb/fi...6923bd6c49f23bb13c130a86/analysis/1384266070/
___

Fake "Outlook Settings" SPAM - Outlook.zip
- http://blog.dynamoo.com/2013/11/important-new-outlook-settings-spam.html
12 Nov 2013 - "This spam email has a malicious attachment:
Date: Tue, 12 Nov 2013 16:22:38 +0100 [10:22:38 EST]
From: Undisclosed Recipients
Subject: Important - New Outlook Settings
Please carefully read the attached instructions before updating settings.
This file either contains encrypted master password, used to encrypt other files. Key archival has been implemented, in order to decrypt the file please use the following password: PaSdIaoQ
This e-mail and / or any attachment(s) is intended solely for the above-mentioned recipient(s) and it may contain confidential or privileged information. If you have received it in error, please notify us immediately at helpdesk@victimdomain and delete the e-mail. You must not copy it, distribute it, disclose it or take any action in reliance on it.


The body text of the spam contains a faked email address made to look like helpdesk@ the victim's domain. Attached to the email is a password-protected ZIP file Outlook.zip that has to be decoded with the PaSdIaoQ key in the body text of the email (hopefully intelligent people will realise that you wouldn't send the password with the encrypted attachment.. you'd have to be really daft to do that). Unzipping the file gives a malicious executable Outlook.exe which has an icon designed to look like Microsoft Outlook.
Screenshot: https://lh3.ggpht.com/-uZyweXA5n_g/UoJOXnVIA-I/AAAAAAAACPY/tKqQ0Ksz0To/s1600/outlook-icon.png
The detection rate at VirusTotal is 5/45*. Automated analysis tools... show an attempted connection to dchamt .com on 216.157.85.173 (Peer 1 Dedicated Hosting, US). That IP address contains about 70 websites which may or may not be clean."
* https://www.virustotal.com/en-gb/fi...b1d8f42f4d1fb146a9132acf/analysis/1384270918/

- https://www.virustotal.com/en-gb/ip-address/216.157.85.173/information/

- http://threattrack.tumblr.com/post/66784403820/new-outlook-settings-spam
Nov 12, 2013 - "Subjects Seen:
Important - New Outlook Settings
Typical e-mail details:
Please carefully read the attached instructions before updating settings.
This file either contains encrypted master password, used to encrypt other files. Key archival has been implemented, in order to decrypt the file please use the following password: PaSdIaoQ
This e-mail and / or any attachment(s) is intended solely for the above-mentioned recipient(s) and it may contain confidential or privileged information. If you have received it in error, please notify us immediately at <sender e-mail address> and delete the e-mail. You must not copy it, distribute it, disclose it or take any action in reliance on it.


Malicious File Name and MD5:
Outlook.zip (4D0A70E1DD207785CB7067189D175679)
Outlook.exe (C8D22FA0EAA491235FA578857CE443DC)


Screenshot: https://gs1.wac.edgecastcdn.net/801...5cc9ad5a2/tumblr_inline_mw5rx8vTYV1r6pupn.png
___

Fake Tax/Accountant SPAM / tax 2012-2013.exe
- http://blog.dynamoo.com/2013/11/2012-and-2013-tax-documents-accountants.html
12 Nov 2013 - "This -fake- tax spam comes with a malicious attachment:
Date: Wed, 13 Nov 2013 00:44:46 +0800 [11:44:46 EST]
From: "support@ salesforce .com" [support@ salesforce .com]
Subject: FW: 2012 and 2013 Tax Documents; Accountant's Letter
I forward this file to you for review. Please open and view it.
Attached are Individual Income Tax Returns and W-2s for 2012 and 2013, plus an accountant's letter.
This email message may include single or multiple file attachments of varying types.
It has been MIME encoded for Internet e-mail transmission.


Attached to the file is a ZIP file called dlf2365.zip which contains a malicious executable file tax 2012-2013.exe which has an icon to make it look like a PDF file.
> https://lh3.ggpht.com/-4dRp1ML5c40/UoKNNvkL9pI/AAAAAAAACPo/3PTjlVby9Z8/s1600/tax-icon.png
VirusTotal detection rates are 17/47*. Automated analysis tools... show an attempted connection to nishantmultistate .com on 216.157.85.173 (Peer 1, US). This is the same server as used in this attack**, and you can safely assume that the whole server is compromised. Blocking this IP is probably a good idea."
* https://www.virustotal.com/en-gb/fi...3427519492be080b9be128e0/analysis/1384287261/

** http://blog.dynamoo.com/2013/11/important-new-outlook-settings-spam.html
___

Department of Treasury Outstanding Obligation Spam
- http://threattrack.tumblr.com/post/66792822412/department-of-treasury-outstanding-obligation-spam
Nov 12, 2013 - "Subjects Seen:
Department of Treasury Notice of Outstanding Obligation - Case <random>
Typical e-mail details:
We have received notification from the Department of the Treasury,
Financial Management Service (FMS) that you have an outstanding
obligation with the Federal Government that requires your immediate
attention.
In order to ensure this condition does not affect any planned
contract or grant activity, please review and sign the attached document and if
you are unable to understand the attached document please call FMS at 1-800-304-3107
to address this issue. Please make sure the person making the telephone call has the
Taxpayer Identification Number available AND has the authority/knowledge
to discuss the debt for the contractor/grantee.


Malicious File Name and MD5:
FMS-Case-<random>.zip (55D31D613A6A5A57C07D496976129068)
FMS-Case-{_Case_DIG}.zip.exe (B807F603C69AEA97E900E59EC99315B5)


Screenshot: https://gs1.wac.edgecastcdn.net/801...2f39e1f04/tumblr_inline_mw5xr3YMit1r6pupn.png

:mad: :fear::fear:
 
Last edited:
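Nearly every run quoted in this thread uses the same packaging: an EXE inside a ZIP, a double extension such as .pdf.exe or .zip.exe with a document icon, and in the "Outlook Settings" case a password-protected ZIP whose password is printed in the message body. The script below is an added example (not code from dynamoo, ThreatTrack or any mail product) showing how a mail gateway or triage script can flag those patterns. The attachment data and message body are constructed; the body reuses the password string quoted in the Outlook post.

```python
"""Flag e-mail attachments packaged the way the spam runs above are.

Added example, not code from the quoted blogs. Heuristics: an executable
inside a ZIP, a deceptive double extension (.pdf.exe, .zip.exe, ...), a
ZIP entry marked encrypted, and a ZIP attachment whose password appears
in the message body. All sample data below is constructed.
"""
import io
import re
import zipfile

EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DECOY_EXTS = {".pdf", ".doc", ".zip", ".wav", ".txt"}
# "password: PaSdIaoQ" / "password PaSdIaoQ" -> captures the token after it.
PASSWORD_RE = re.compile(r"\bpassword\s*:?\s*(\S+)", re.IGNORECASE)


def name_findings(name):
    """Findings based only on the filename (case-insensitive)."""
    pieces = name.lower().split(".")
    out = []
    if len(pieces) >= 2 and "." + pieces[-1] in EXEC_EXTS:
        out.append("executable")
        # e.g. "Order history page.pdf.exe" or "FMS-Case-{...}.zip.exe"
        if len(pieces) >= 3 and "." + pieces[-2] in DECOY_EXTS:
            out.append(f"double extension .{pieces[-2]}.{pieces[-1]}")
    return out


def zip_findings(data):
    """Findings for the entries of a ZIP held in memory."""
    out = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            # General-purpose bit 0 of the ZIP header marks an encrypted entry.
            if info.flag_bits & 0x1:
                out.append(f"encrypted entry {info.filename}")
            for f in name_findings(info.filename):
                out.append(f"{info.filename}: {f}")
    return out


def analyze(body, attachments):
    """attachments: dict of filename -> raw bytes. Returns a list of findings."""
    findings = []
    pw = PASSWORD_RE.search(body)
    for name, data in attachments.items():
        findings += [f"{name}: {f}" for f in name_findings(name)]
        if name.lower().endswith(".zip"):
            if pw:
                findings.append(f"{name}: password '{pw.group(1)}' supplied in body")
            try:
                findings += zip_findings(data)
            except zipfile.BadZipFile:
                findings.append(f"{name}: not a valid zip")
    return findings


def build_zip(entries):
    """Build an in-memory ZIP from {name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n, d in entries.items():
            zf.writestr(n, d)
    return buf.getvalue()


# Constructed sample: a ZIP carrying a double-extension "executable" stub,
# and a body that hands over the archive password as in the Outlook run.
SAMPLE_ZIP = build_zip({"Order history page.pdf.exe": b"MZ constructed stub, not a real binary"})
SAMPLE_BODY = ("Please carefully read the attached instructions before updating settings. "
               "In order to decrypt the file please use the following password: PaSdIaoQ")

if __name__ == "__main__":
    for f in analyze(SAMPLE_BODY, {"Outlook.zip": SAMPLE_ZIP}):
        print(f)
```

The password check is deliberately crude: the point the dynamoo post makes is that a legitimate sender never ships the password next to the encrypted archive, so the mere co-occurrence of a ZIP attachment and a "password:" token in the body is worth a quarantine on its own, before anyone tries to open the archive.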
Fake PayPal, CareerBuilder, Facebook SPAM ...

FYI...

Fake PayPal "Identity Issue" SPAM / Identity_Form_04182013.zip
- http://blog.dynamoo.com/2013/11/this-fake-paypal-or-is-it-quickbooks.html
13 Nov 2013 - "This -fake- PayPal (or is it Quickbooks?) spam has a malicious attachment:
Date: Wed, 13 Nov 2013 02:27:39 -0800 [05:27:39 EST]
From: Payroll Reports [payroll@ quickbooks .com]
Subject: Identity Issue #PP-679-223-724-838
We are writing you this email in regards to your PayPal account. In accordance with our
"Terms and Conditions", article 3.2., we would like to kindly ask you to confirm your
identity by completing the attached form. Please print this form and fill in the
requested information. Once you have filled out all the information on the form please
send it to verification@ paypal .com along with a personal identification document
(identity card, driving license or international passport) and a proof of address
submitted with our system ( bank account statement or utility bill )
Your case ID for this reason is PP-TEBY66KNZPMU
For your protection, we might limit your account access. We apologize for any
inconvenience this may cause.
Thanks,
PayPal ...


Attached is a file Identity_Form_04182013.zip which in turn contains Identity_Form_04182013.exe which has an icon to make it look like a PDF file.
> https://lh3.ggpht.com/-sx8_WjDsH10/UoNeT2WY8MI/AAAAAAAACP8/9ov_y4ZOpJI/s1600/identity-form.png
The detection rate for this at VirusTotal is 9/47*, automated analysis tools... show an attempted connection to signsaheadgalway .com on 78.137.113.21 (UKfastnet Ltd, UK) which is the same server used in this attack**, so you can safely assume that the whole server is compromised and I recommend that you block that particular IP.
* https://www.virustotal.com/en-gb/fi...6b3200abf7b51a0a55e31188/analysis/1384340556/

** http://blog.dynamoo.com/2013/11/you-have-received-new-messages-from.html
___

CareerBuilder Notification Spam
- http://threattrack.tumblr.com/post/66872856439/careerbuilder-notification-spam
Nov 13, 2013 - "Subjects Seen:
CareerBuilder Notification
Typical e-mail details:
Hello,
I am a customer service employee at CareerBuilder. I found a vacant position that you may be interested in based on information from your resume or a recent online submission you made on our site.
You can review the position on the CareerBuilder by downloading the attached PDF file.
Attached file is scanned in PDF format.
Adobe(R)Reader(R) can be downloaded from the following URL: adobe.com
Best wishes in your job search !
Savannah_Moyer
Careerbuilder Customer Service Team


Malicious File Name and MD5:
CB_Offer_<random>.zip (B61D44F18092458F7B545A16D2FF77D6)
CB_Offer_<random>.exe (40AB8B0050E496FB00F499212B600DDB)


Screenshot: https://gs1.wac.edgecastcdn.net/801...953c45753/tumblr_inline_mw7h9fdQrQ1r6pupn.png

Tagged:
CareerBuilder: http://threattrack.tumblr.com/tagged/CareerBuilder
Upatre: http://threattrack.tumblr.com/tagged/Upatre
___

Facebook Password Request Spam
- http://threattrack.tumblr.com/post/66873997398/facebook-password-request-spam
Nov 13, 2013 - "Subjects Seen:
You requested a new Facebook password!
Typical e-mail details:
Hello,
You have received a secure message. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.
Read your secure message by opening the attachment, Facebook-SecureMessage.zip.


Malicious File Name and MD5:
Facebook-SecureMessage.zip (FE3AB674A321959B3EA83CF54666A763)
Transaction_{_tracking}.exe (95191C75EF4A87CBFA46C0818009312E)


Screenshot: https://gs1.wac.edgecastcdn.net/801...ca90912df/tumblr_inline_mw7iewKvP31r6pupn.png

Tagged:
Facebook: http://threattrack.tumblr.com/tagged/Facebook
Upatre: http://threattrack.tumblr.com/tagged/Upatre
___

EXE-in-ZIP SPAM storm continues
- http://blog.dynamoo.com/2013/11/the-exe-in-zip-spam-storm-continues.html
13 Nov 2013 - "Two more EXE-in-ZIP spams.. the first is a terse one with a subject "Voice Message from Unknown Caller" or "Voicemail Message from unknown number" not much else with a malicious EXE-in-ZIP (VoiceMessage.zip) attachment with VirusTotal score of 7/46* which calls home... to amandas-designs .com on 80.179.141.8 (012 Smile Communications Ltd., Israel)

The second one is a -fake- Wells Fargo spam similar to this:
We have received this documents from your bank, please review attached documents.
Lela Orozco
Wells Fargo Advisors
817-232-5887 office
817-067-3871 cell Lela.Orozco@ wellsfargo .com
Investments in securities and insurance products are:
NOT FDIC-INSURED/NO BANK-GUARANTEES/MAY LOSE VALUE
Wells Fargo Advisors, LLC is a nonbank affiliate of Wells Fargo & Company, Member
FINRA/SIPC. 1 North Jefferson, St. Louis, MO 63103 ...


In this case the EXE-in-ZIP attachment (BankDocs.zip) has a VirusTotal detection rate of 14/47** and calls home... to kidgrandy .com on 184.154.15.190 (Singlehop, US). Given the massive onslaught of EXE-in-ZIP spam, I would strongly recommend blocking ZIP files with executables in them at the perimeter."
* https://www.virustotal.com/en-gb/fi...3d7d4334c439caf98f8c0979/analysis/1384377409/

** https://www.virustotal.com/en-gb/fi...b7c548056041f81660d0d667/analysis/1384377605/

- https://www.virustotal.com/en/ip-address/80.179.141.8/information/

- https://www.virustotal.com/en/ip-address/184.154.15.190/information/

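The perimeter rule recommended in the EXE-in-ZIP post above, as an added example that is not part of the Dynamoo post or the forum thread: a Python check that flags executables inside a ZIP attachment by extension (including double-extension names like FMS-Case-{_Case_DIG}.zip.exe) and by the PE "MZ" header, walking ZIP-inside-ZIP. The archive it builds for itself is constructed here and is not a real attachment; the extension set and size limits are assumptions.

```python
import io
import zipfile

# Extensions Windows runs on double-click; every lure above ships a .exe (assumed set).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
MAX_DEPTH = 3                        # unpack ZIP-inside-ZIP at most this deep
MAX_MEMBER_BYTES = 20 * 1024 * 1024  # refuse to inflate larger members (zip-bomb guard)

def classify_member(name, head):
    """Return why a member counts as executable, or None if it does not."""
    # Extension check catches the double-extension trick ('Case.zip.exe').
    if any(name.lower().endswith(ext) for ext in EXECUTABLE_EXTENSIONS):
        return "executable extension"
    # Every Windows PE starts with the DOS stub signature 'MZ', so a renamed
    # executable ('form.pdf' that is really an EXE) is caught as well.
    if head[:2] == b"MZ":
        return "PE header (MZ) despite non-executable name"
    return None

def find_executables(zip_bytes, depth=0):
    """List (member_path, reason) for every executable in a ZIP, nested ZIPs included."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.file_size > MAX_MEMBER_BYTES:
                findings.append((info.filename, "oversized member, not inflated"))
                continue
            data = zf.read(info)
            reason = classify_member(info.filename, data[:4])
            if reason:
                findings.append((info.filename, reason))
            elif data[:4] == b"PK\x03\x04" and depth < MAX_DEPTH:
                try:  # walk ZIP-in-ZIP so 'outer.zip/inner.zip/x.exe' is reported
                    inner = find_executables(data, depth + 1)
                except zipfile.BadZipFile:  # PK magic but not a real archive
                    inner = []
                findings.extend((info.filename + "/" + n, r) for n, r in inner)
    return findings  # empty list == archive passes the EXE-in-ZIP rule

def build_sample_zip():
    """Constructed archive mimicking the lures above; not a real malware sample."""
    fake_pe = b"MZ\x90\x00" + b"\x00" * 60  # minimal PE-looking stub, not a real binary
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("FMS-Case-001.zip.exe", fake_pe)  # double-extension trick
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("readme.txt", b"Attached is my resume.")
        z.writestr("Identity_Form.pdf", fake_pe)  # PE hiding behind a PDF name
        z.writestr("nested.zip", inner.getvalue())
    return outer.getvalue()
```

Running `find_executables(build_sample_zip())` reports both the renamed PE and the .exe inside the nested ZIP while letting readme.txt through, which is the decision a mail gateway would make before delivering the attachment.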
Google Drive phish, Caphaw malware attack...

FYI...

Google Drive phish...
- http://www.threattracksecurity.com/it-blog/google-drive-phish-deploys-data-uri-technique/
Nov 14, 2013 - "... interesting mail which arrived in my inbox earlier today. It came from a Gmail address tied to a Google+ account which appears to be Chinese in origin, and had me BCC’d in.
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/11/cheedrive1.jpg
The email is called “Document”... This might look convincing to the unwary, but a simple hover over the link reveals that this isn’t going to take you to Google Drive:
bashoomal(dot)com/redirect.html
The end-user will be presented with a -fake- Google Drive login page which asks them to fill in their email address / password.
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/11/cheedrive2.jpg
As you can see from the URL bar, this is another -phish- that tries to take advantage of the Data URI scheme... The Google account sending the mails appears to have been around since 2007, and also has a Youtube account – it seems likely that it has been compromised, and is being used to further the spread of malicious links..."

- https://isc.sans.edu/diary.html?storyid=17018
2013-11-13
___

Malware sites to block - (Caphaw)
- http://blog.dynamoo.com/2013/11/malware-sites-to-block-14112013-caphaw.html
14 Nov 2013 - "These domains and IPs appear to be involved in a Caphaw malware attack, such as this one*. All the IPs involved belong to Hetzner in Germany, and although some also host legitimate sites I would strongly recommend blocking them.
Recommended blocklist:
141.8.225.5
46.4.47.20
46.4.47.22
88.198.57.178
..."
(More listed at the dynamoo URL above.)
* http://urlquery.net/report.php?id=7696954

- http://www.virusradar.com/en/Win32_Caphaw.K/description

Fake BoA fax, Malware sites to block - (Caphaw)

FYI...

More Malware sites to block - (Caphaw)
- http://blog.dynamoo.com/2013/11/malware-sites-to-block-15112013-caphaw.html
15 Nov 2013 - "Thanks to a tip to investigate 199.68.199.178 I discovered that the Caphaw network I looked at yesterday* is much bigger than I thought. The following IPs and domains can all be regarded as malicious (.SU domains are normally a dead giveaway for evil activity). The recommended blocklist is at the end of the post (highlighted). These are the hosts involved either now or recently with hosting these Caphaw domains..."
(Long list at the dynamoo URL above.)
* http://blog.dynamoo.com/2013/11/malware-sites-to-block-14112013-caphaw.html

- https://www.virustotal.com/en/ip-address/199.68.199.178/information/

- http://www.virusradar.com/en/Win32_Caphaw/detail
___

Fake BoA fax message SPAM / 442074293440-1116-084755-242.zip
- http://blog.dynamoo.com/2013/11/ringcentral-bank-of-america-fax-message.html
15 Nov 2013 - "This -fake- fax message email has a malicious attachment:
Date: Fri, 15 Nov 2013 12:05:36 -0500 [12:05:36 EST]
From: RingCentral [notify-us@ ringcentral .com]
Subject: New Fax Message on 11/15/2013 at 09:51:51 CST
You Have a New Fax Message
From
Bank of America
Received: 11/15/2013 at 09:51:51 CST
Pages: 5
To view this message, please open the attachment.
Thank you for using Ring Central .


Screenshot: https://lh3.ggpht.com/-bw4CETLVd5I/UoZep7qACkI/AAAAAAAACQg/hq_7rR1l0nc/s1600/ringcentral.png

There is an attachment 442074293440-1116-084755-242.zip which unzips into a malicious executable 442074293440-1116-084755-242.exe which has a VirusTotal detection rate of 11/47*. Automated analysis tools... show an attempted connection to aspenhonda .com on 199.167.40.33 (FAM Info Systems / ServInt, US). The domain in question has been -hacked-, it is not possible to tell if the entire server is compromised but there are other legitimate sites on that box."
* https://www.virustotal.com/en-gb/fi...9084bc3a6fb1496b076c643d/analysis/1384537461/

- https://www.virustotal.com/en/ip-address/199.167.40.33/information/
___

Citigroup Secure Message Spam
- http://threattrack.tumblr.com/post/67060979477/citigroup-secure-message-spam
Nov 15, 2013 - "Subjects Seen:
You have a new encrypted message from Citigroup Inc.
Typical e-mail details:
You have received a secure e-mail message from Citigroup Inc..
We care about your privacy, Citigroup Inc. uses this secure way to exchange e-mails containing personal information.
Read your secure message by opening the attachment. You will be prompted to save (download) it to your computer.
If you have concerns about the validity of this message, please contact the sender directly.
First time users - will need to register after opening the attachment.


Malicious File Name and MD5:
SecureMessage.zip (969AEFFE28BC771C8453BF849450BC6A)
SecureMessage.exe (C2CD447FD9B19B7F062A5A8CF6299600)


Screenshot: https://gs1.wac.edgecastcdn.net/801...97db4a0e7/tumblr_inline_mwb9gyugMb1r6pupn.png

Tagged: CitiGroup, Upatre
___

Threat Outbreak Alerts
- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Fake Authorization Form Email Messages - 2013 Nov 15
Fake Product Purchase Order Email Messages - 2013 Nov 15
Fake Payment Receipt Email Messages - 2013 Nov 15
Malicious Personal Pictures Attachment Email Messages - 2013 Nov 15
Fake Bank Payment Notification Email Messages - 2013 Nov 15
Fake Product Order Email Messages - 2013 Nov 15
Fake Meeting Invitation Email Messages - 2013 Nov 15
Fake Payroll Invoice Notification Email Messages - 2013 Nov 15
Fake Product Quote Request Email Messages - 2013 Nov 15
Fake Shipping Order Information Email Messages - 2013 Nov 15
Fake Shipping Notification Email Messages - 2013 Nov 15
Fake Product Inquiry Email Messages - 2013 Nov 15
Fake Payment Receipt Email Messages - 2013 Nov 15
Fake Tax Document Email Messages - 2013 Nov 15
Fake Travel Information Email Messages - 2013 Nov 15
Email Messages with Malicious Attachments - 2013 Nov 15
(More detail and links at the cisco URL above.)

Phone SCAM, Freenters breach, Survey Scams, Silverlight exploit ...

FYI...

Phone SCAM - (08445715179)
- http://blog.dynamoo.com/2013/11/0844-number-scam-08445715179.html
18 Nov 2013 - "This is a particularly insidious scam that relies on mobile phone users in the UK not knowing that an 0844 number is much, much more expensive than a normal phone call. The scam SMS goes something like this:
ATTENTION! We have tried to contact you, It is important we speak to you today. Please call 08445715179 quoting your reference 121190. Thank You.

In this case the sender's number was +447453215347 (owned by Virgin Media Wholesale Ltd, but operated by a third party). The catch is that the calls to an 0844 number can cost up to 40p per minute (see more details here*), a large chunk of which goes into the operator's pockets. So what happens when you ring back? You get put on hold.. and left on hold until you have racked up a significant bill. Sadly, I don't know who is behind this scam, and in this case it was -illegally- sent to a TPS-registered number**. If you get one of these, you should forward the spam and the sender's number to your carrier. In the case of T-Mobile, O2 and Orange the number to report to is 7726 ("SPAM"). Vodafone customers should use 87726 ("VSPAM") and Three customers should use 37726 ("3SPAM"). Hopefully the carriers will act if there are enough complaints. You should also send a complaint to the ICO*** who may be able to take more serious action against these spammers."
* http://www.moneysavingexpert.com/ne...y-cost-dont-get-fleeced-by-premium-rate-calls

** http://www.tpsonline.org.uk/tps/number_type.html

*** http://www.ico.org.uk/complaints/marketing/2
___

Freenters Hit By Breach, Student Data Leaked
- http://www.threattracksecurity.com/it-blog/freenters-hit-breach-student-data/
Nov 18, 2013 - "If you’re a student who signed up to the Freenters free printing service, you may want to go and ensure your logins are safe and sound, as it appears they were compromised pretty badly.
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/11/printpwn11.jpg
... Affected students were sent two separate emails which added to the confusion, with one stating “Passwords were secure” with a follow up advising them “we highly recommend you change your password for other accounts”... This might be a perfect time to ensure you’re not sharing passwords across sites and services, and think about using a password manager..."
___

PlayStation 4 and Xbox One Survey Scams ...
- http://blog.trendmicro.com/trendlab...ystation-4-and-xbox-one-survey-scams-spotted/
Nov 18, 2013 - "... We found a Facebook page that advertised a PS4 raffle. Users were supposed to visit the advertised site, as seen below:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2013/11/ps4-1.jpg
The site urges users to “like” or “follow” the page, and then share it on social media sites. This could be a way for scammers to gain a wider audience or appear more reputable.
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2013/11/ps4-2.jpg
Afterwards, users are required to enter their name and email address. Instead of a raffle, they are led to a survey scam:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2013/11/ps4-3.jpg
... Scams are also using the Xbox One as bait. However, the site in this case is currently inaccessible. Since the Xbox One has yet to be released, scammers could be waiting for the official launch before making the site live.
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2013/11/xbox1.jpg
The scams were not limited to Facebook. We spotted a site that advertised an Xbox One giveaway. Like the PS4 scam, users are encouraged to promote the giveaway through social media. Once they click the “proceed” button, they are led to a site that contains a text file they need for the raffle. But like other scams, this simply leads to a survey site.
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2013/11/xbox2.jpg
... Product launches have become a tried-and-tested social engineering bait. Earlier in the year, we saw scams that used Google Glass as a way to trick users. Early last year, the launch of the iPad 3 became the subject of many scams and spam. Users should always be cautious when it comes to online raffles and giveaways, especially from unknown or unfamiliar websites. If the deal seems too good to be true, it probably is..."
___

Netflix on your PC - Beware of Silverlight exploit
- http://blog.malwarebytes.org/exploi...lix-on-your-pc-beware-of-silverlight-exploit/
Nov 15, 2013 - "A vulnerability affecting Microsoft Silverlight 5 is being used in the wild to infect PCs that visit compromised or malicious websites... The flaw, which exists in versions prior to 5.1.20125.0, allows attackers to execute arbitrary code on the affected systems without any user interaction. Microsoft patched the flaw (CVE-2013-0074*) on March 12, 2013. The Silverlight exploit was first spotted in the Angler exploit kit by @EKWatcher and later documented by Kafeine. The screenshot below summarizes the attack:
> http://cdn.blog.malwarebytes.org/wp-content/uploads/2013/11/screenshot_2013-11-13_016.png
... those that already have an older version of Silverlight can still watch Netflix and may not be aware that their computers are at risk. Please ensure that you are running the latest version available (5.1.20913.0) and that it is set to install updates automatically:
> http://cdn.blog.malwarebytes.org/wp-content/uploads/2013/11/silverlight.png "

* http://technet.microsoft.com/en-us/security/bulletin/ms13-022
___

IRS Tax Payment Rejection Spam
- http://threattrack.tumblr.com/post/67401200848/irs-tax-payment-rejection-spam
Nov 18, 2013 - "Subjects Seen:
Your FED TAX payment ( ID : 6LHIRS930292818 ) was Rejected
Typical e-mail details:
*** PLEASE DO NOT RESPOND TO THIS EMAIL ***
Your federal Tax payment (ID: 6LHIRS930292818), recently sent from your checking account was returned by the your financial institution.
For more information, please download notification, using your security PIN 55178.
Transaction Number: 6LHIRS930292818
Payment Amount: $ 2373.00
Transaction status: Rejected
ACH Trace Number: 268976180630733
Transaction Type: ACH Debit Payment-DDA


Malicious File Name and MD5:
FED TAX payment.zip (661649A0CA9F13B06056B53B9BC3CBA7)
FED TAX payment.exe (157BBC283245BBE5AB2947C446857FC9)


Screenshot: https://gs1.wac.edgecastcdn.net/801...4d85937b7/tumblr_inline_mwhbufHbhC1r6pupn.png

Tagged: IRS, Upatre
