Fake Apple email Phish Scam-SPAM ...
FYI...
Fake Apple Account 'Update to New SSL Servers' Phishing Scam/SPAM
- http://www.hoax-slayer.com/apple-new-ssl-servers-phishing-scam.shtml
Jan 21, 2014 - "Email purporting to be from Apple claims that the user's online access has been blocked because customers are required to update their information in order to use new ssl servers... The email is not from Apple. It is a phishing scam designed to trick recipients into giving their Apple account details and other personal and financial information to Internet criminals.
> http://www.hoax-slayer.com/images/apple-ssl-servers-scam-1.jpg
... According to an email that -appears- to come from Apple, the recipient's Apple account has been blocked until account information is updated. The email claims that Apple is implementing new SSL servers to increase customer protection and therefore all customers need to update their details or risk suspension of their accounts. The email includes a link to the "account update process". However, the message is -not- from Apple and the claim that users must update their details is a lie. Instead, the email is a phishing scam designed to steal Apple ID's and a large amount of other personal and financial information. Those who fall for the trick and click the update link in the email will be taken to a fake Apple login page as shown in the following screenshot:
> http://www.hoax-slayer.com/images/apple-ssl-servers-scam-3.jpg
... be wary of any message purporting to be from Apple that claims there is an issue with your account that needs to be rectified or you are required to perform an account update..."
... as in: DELETE.
___
Data-stealing malware targets Mac users in "undelivered courier item" attack
- http://nakedsecurity.sophos.com/201...mac-users-in-undelivered-courier-item-attack/
Jan 21, 2014 - "... you receive an email that claims to be a courier company that is having trouble delivering your article. In the email is a link to, or an attachment containing, what purports to be a tracking note for the item. You are invited to review the relevant document and respond so that delivery can be completed. We've seen a wide variety of courier brands "borrowed" for this purpose, including DHL, the UK's Royal Mail and even, in one bewildering case, a made-up courier company called TNS24, with its very own website... Here's what the emails looked like in this attack, with some details changed or redacted for safety:
> http://sophosnews.files.wordpress.com/2014/01/osx-fed-email-500.png?w=500&h=446
If you are a native speaker of English, you will notice that the wording of the email is clumsy and unidiomatic, and if you were to receive a message like this you might well be suspicious on those grounds alone... The link, of course, doesn't really lead to fedex .com .ch, but instead takes you to a domain name that is controlled by the attackers... If you are using a desktop browser that isn't Safari, you receive a ZIP file containing a Windows program detected by Sophos Anti-Virus as Mal/VBCheMan-C, a vague relative of the Zbot or Zeus malware. But if you are using Safari, you receive Mac malware, delivered as an Application bundle packaged inside a ZIP file. By default, on OS X 10.9.1 (the latest update to Mavericks, Apple's most recent operating system version), Safari directly downloads the file, showing you an -empty- Safari window with the icon of the downloaded file in the Dock at the bottom of the screen:
> http://sophosnews.files.wordpress.com/2014/01/osx-fed-pdf-appears-500.png?w=500&h=376
Clicking on the download button shows you what -looks- like a PDF file... There is no PDF file, as a visit to the Terminal windows quickly reveals. Safari has automatically unzipped the download, producing an Application bundle (actually just a subdirectory tree with a special structure) that has deliberately been given a PDF icon... the temptation is to click on what looks like a PDF file to see what it contains. OS X does try to advise you that you aren't opening a document, although you can argue that the warning would be more compelling if it explicitly said that you were about to "run a software program", rather than merely to "open" the file... prevention is better than cure. And that "undelivered courier item" almost certainly doesn't exist."
___
Something evil on 5.254.96.240 and 185.5.55.75
- http://blog.dynamoo.com/2014/01/something-evil-on-525496240-and-18555575.html
21 Jan 2014 - "This malware attack appears to be aimed at German speakers, and is presumably spreading through spam although I don't have a sample of the email message. What I -do- have is a nasty EXE-in-ZIP payload that masquerades as a bill or other communication from Deutsche Telekom, Vodafone, Fiducia or Volksbank. URLquery shows one such download in this example*, the victim has been directed to [donotclick]gf-58 .ru/telekom_deutschland which in turn downloads a ZIP file Rechnungsruckstande_9698169830015295.zip which in turn contains a malicious executable Mitteilung, Rechnungsruckstande 9901169820005294 Telekom Deutschland GmbH vom Januar 2014.exe which has a VirusTotal detection rate of 7/48**.
> https://lh3.ggpht.com/-icNtor0_pdM/Ut6DaRXAgGI/AAAAAAAACb4/XqfuRAlLjFU/s1600/telekom.png
The malware is downloaded from a server at 5.254.96.240 (Voxility, Romania). Sample URLs on this server according to URLquery*** and VirusTotal****... The Anubis report and ThreatExpert report show that the malware calls home to dshfyyst .ru on 185.5.55.75 (UAB "Interneto vizija", Lithunia). There are some other suspect sites on the same server which may be worth blocking (see below). All these sites are .ru domains registered to the infamous "Private Person" so there are no clues as to their ownership.
Recommended blocklist:
5.254.96.240
gf-58 .ru
uiuim .ru
okkurp .ru
gdevseesti .ru
goodwebtut .ru
mnogovsegotut .ru
185.5.55.75
gossldirect .ru
dshfyyst .ru ..."
* http://urlquery.net/report.php?id=8907792
** https://www.virustotal.com/en-gb/fi...fe0e69364ce53e90dadbfabc/analysis/1390310958/
*** http://urlquery.net/search.php?q=5.254.96.240&type=string&start=2014-01-06&end=2014-01-21&max=50
**** https://www.virustotal.com/en-gb/ip-address/5.254.96.240/information/
Update: this appears to be Cridex aka Feodo: http://www.abuse.ch/?p=6713
:fear:
FYI...
Fake Apple Account 'Update to New SSL Servers' Phishing Scam/SPAM
- http://www.hoax-slayer.com/apple-new-ssl-servers-phishing-scam.shtml
Jan 21, 2014 - "Email purporting to be from Apple claims that the user's online access has been blocked because customers are required to update their information in order to use new ssl servers... The email is not from Apple. It is a phishing scam designed to trick recipients into giving their Apple account details and other personal and financial information to Internet criminals.
> http://www.hoax-slayer.com/images/apple-ssl-servers-scam-1.jpg
... According to an email that -appears- to come from Apple, the recipient's Apple account has been blocked until account information is updated. The email claims that Apple is implementing new SSL servers to increase customer protection and therefore all customers need to update their details or risk suspension of their accounts. The email includes a link to the "account update process". However, the message is -not- from Apple and the claim that users must update their details is a lie. Instead, the email is a phishing scam designed to steal Apple ID's and a large amount of other personal and financial information. Those who fall for the trick and click the update link in the email will be taken to a fake Apple login page as shown in the following screenshot:
> http://www.hoax-slayer.com/images/apple-ssl-servers-scam-3.jpg
... be wary of any message purporting to be from Apple that claims there is an issue with your account that needs to be rectified or you are required to perform an account update..."
... as in: DELETE.
___
Data-stealing malware targets Mac users in "undelivered courier item" attack
- http://nakedsecurity.sophos.com/201...mac-users-in-undelivered-courier-item-attack/
Jan 21, 2014 - "... you receive an email that claims to be a courier company that is having trouble delivering your article. In the email is a link to, or an attachment containing, what purports to be a tracking note for the item. You are invited to review the relevant document and respond so that delivery can be completed. We've seen a wide variety of courier brands "borrowed" for this purpose, including DHL, the UK's Royal Mail and even, in one bewildering case, a made-up courier company called TNS24, with its very own website... Here's what the emails looked like in this attack, with some details changed or redacted for safety:
> http://sophosnews.files.wordpress.com/2014/01/osx-fed-email-500.png?w=500&h=446
If you are a native speaker of English, you will notice that the wording of the email is clumsy and unidiomatic, and if you were to receive a message like this you might well be suspicious on those grounds alone... The link, of course, doesn't really lead to fedex .com .ch, but instead takes you to a domain name that is controlled by the attackers... If you are using a desktop browser that isn't Safari, you receive a ZIP file containing a Windows program detected by Sophos Anti-Virus as Mal/VBCheMan-C, a vague relative of the Zbot or Zeus malware. But if you are using Safari, you receive Mac malware, delivered as an Application bundle packaged inside a ZIP file. By default, on OS X 10.9.1 (the latest update to Mavericks, Apple's most recent operating system version), Safari directly downloads the file, showing you an -empty- Safari window with the icon of the downloaded file in the Dock at the bottom of the screen:
> http://sophosnews.files.wordpress.com/2014/01/osx-fed-pdf-appears-500.png?w=500&h=376
Clicking on the download button shows you what -looks- like a PDF file... There is no PDF file, as a visit to the Terminal windows quickly reveals. Safari has automatically unzipped the download, producing an Application bundle (actually just a subdirectory tree with a special structure) that has deliberately been given a PDF icon... the temptation is to click on what looks like a PDF file to see what it contains. OS X does try to advise you that you aren't opening a document, although you can argue that the warning would be more compelling if it explicitly said that you were about to "run a software program", rather than merely to "open" the file... prevention is better than cure. And that "undelivered courier item" almost certainly doesn't exist."
___
Something evil on 5.254.96.240 and 185.5.55.75
- http://blog.dynamoo.com/2014/01/something-evil-on-525496240-and-18555575.html
21 Jan 2014 - "This malware attack appears to be aimed at German speakers, and is presumably spreading through spam although I don't have a sample of the email message. What I -do- have is a nasty EXE-in-ZIP payload that masquerades as a bill or other communication from Deutsche Telekom, Vodafone, Fiducia or Volksbank. URLquery shows one such download in this example*, the victim has been directed to [donotclick]gf-58 .ru/telekom_deutschland which in turn downloads a ZIP file Rechnungsruckstande_9698169830015295.zip which in turn contains a malicious executable Mitteilung, Rechnungsruckstande 9901169820005294 Telekom Deutschland GmbH vom Januar 2014.exe which has a VirusTotal detection rate of 7/48**.
> https://lh3.ggpht.com/-icNtor0_pdM/Ut6DaRXAgGI/AAAAAAAACb4/XqfuRAlLjFU/s1600/telekom.png
The malware is downloaded from a server at 5.254.96.240 (Voxility, Romania). Sample URLs on this server according to URLquery*** and VirusTotal****... The Anubis report and ThreatExpert report show that the malware calls home to dshfyyst .ru on 185.5.55.75 (UAB "Interneto vizija", Lithunia). There are some other suspect sites on the same server which may be worth blocking (see below). All these sites are .ru domains registered to the infamous "Private Person" so there are no clues as to their ownership.
Recommended blocklist:
5.254.96.240
gf-58 .ru
uiuim .ru
okkurp .ru
gdevseesti .ru
goodwebtut .ru
mnogovsegotut .ru
185.5.55.75
gossldirect .ru
dshfyyst .ru ..."
* http://urlquery.net/report.php?id=8907792
** https://www.virustotal.com/en-gb/fi...fe0e69364ce53e90dadbfabc/analysis/1390310958/
*** http://urlquery.net/search.php?q=5.254.96.240&type=string&start=2014-01-06&end=2014-01-21&max=50
**** https://www.virustotal.com/en-gb/ip-address/5.254.96.240/information/
Update: this appears to be Cridex aka Feodo: http://www.abuse.ch/?p=6713
:fear:
Last edited: