SPAM frauds, fakes, and other MALWARE deliveries...

Spear Phishing Emails increase 56% ...

FYI...

Spear Phishing Emails increase 56% ...
- http://blog.fireeye.com/research/2012/09/top-20-words-used-in-spear-phishing-emails.html
2012.09.25 - "Despite the many security defenses aimed at protecting email communications, email continues to be a critical vulnerability for enterprises. Between Q1 2012 and Q2 2012 alone, FireEye reported a 56% increase in the amount of malicious emails - and this wasn’t simply an increase in the total number of emails distributed; it was an increase in the number of emails that were able to -bypass- signature and reputation-based security defenses, like next-generation firewalls, intrusion prevention systems (IPS), anti-virus (AV), and secure gateways... In a new report from FireEye*, FireEye researchers analyze the nature of malicious files cybercriminals distribute in order to bypass traditional security defenses and identify several trends - including the most common words in file names and file extensions used in spear phishing attacks. Among these trends, in particular, FireEye researchers found:
• File names relating to shipping grew from 19.20% to 26.35%.
• Number of files referencing words associated with urgency grew from 1.72% to 10.68%.
• Shipping-related words topped the lists of most frequently appearing words in spear phishing emails for both 2H 2011 and 1H 2012.
In the security community, we’re more than familiar with the consequences stemming from these kinds of advanced cyber attacks - GhostNet, Night Dragon, Operation Aurora, and the RSA breach all originated, at least in part, via targeted spear phishing emails. These highly publicized incidents only further indicate what cybercriminals already well know and use to their advantage: email is a mode of attack that works..."

* http://www.fireeye.com/resources/pdfs/fireeye-top-spear-phishing-words.pdf

:mad:
 
IRS SPAM - 3 different versions ...

FYI...

IRS SPAM - 3 different versions ...
- http://blog.dynamoo.com/2012/09/irs-spam-1howtobecomeabostoniancom-and.html
26 Sep 2012 - "Three different versions of fake IRS spam today, two leading to malware on 1.howtobecomeabostonian .com and the other with a malicious payload on mortal-records .net.
Date: Wed, 26 Sep 2012 20:44:47 +0530
From: "Internal Revenue Service (IRS)" [58D1F47@guyzzer.com]
To: [redacted]
Subject: Internal Revenue Service: For the attention of enterpreneurs
Internal Revenue Service (IRS)
Hello,
Due to the system error the EIN of your company has been accidently erased from the online database, please validate your EIN to reaffirm your current status of taxpayer. Certain indulgences will be applied to the next audit report for your company. IRS is sorry to cause inconvenience.
For detail information, please refer to:
https ://www.irs .gov/Login.aspx?u=E8710D9E9
Email address: [redacted]
Sincerely yours,
Barry Griffin
IRS Customer Service representative
Update your subscriptions, modify your password or email address, or stop subscriptions at any time on your Subscriber Preferences Page.
You will need to use your email address to log in.
This service is provided to you at no charge by the Internal Revenue Service (IRS).
This email was sent to [redacted] by: Internal Revenue Service (IRS) · Internal Revenue Service · 1111 Constitution Ave. N.W. · Washington DC 20535
==========
Date: Wed, 26 Sep 2012 11:09:45 -0400
From: "Internal Revenue Service (IRS)" [90A75BC@etherplay.com]
To: [redacted]
Subject: Internal Revenue Service: For the attention of enterpreneurs
Internal Revenue Service (IRS)
Dear business owners,
Due to the corrections in the taxation policies that have been recently applied, IRS informs that LLC, C-Corporations and S-Corporations have to validate their EIN in order to reaffirm their actual status. You have 14-day period in order to examine all the changes and make necessary amendments. We are sorry for the inconvenience caused.
For the details please refer to:
https ://www.irs .gov/ClientArea.aspx?u=1CBD0FC829256C
Email address: [redacted]
Sincerely yours,
Damon Abbott
Internal Revenue Service Representative
Update your subscriptions, modify your password or email address, or stop subscriptions at any time on your Subscriber Preferences Page.
You will need to use your email address to log in.
This service is provided to you at no charge by the Internal Revenue Service (IRS).
This email was sent to [redacted] by: Internal Revenue Service (IRS) · Internal Revenue Service · 1111 Constitution Ave. N.W. · Washington DC 20535
==========
Date: Wed, 26 Sep 2012 19:53:28 +0400
From: Internal Revenue Service [weirdpr6@polysto.com]
To: [[redacted]]
Subject: IRS report of not approved tax bank transfer
Your Federal Tax pending transaction (ID: 52007291963155), recently ordered for processing from your checking account was rejected by your Bank.
Rejected Tax transaction
Tax Transaction ID: 52007291963155
Reason ID See details in the report below
State Tax Transaction Report tax_report_52007291963155.doc (Microsoft Word Document)
Internal Revenue Service 9611 Tellus. Av. Augusta 38209 MV


Payload one is at [donotclick]1.howtobecomeabostonian .com/links/marked-alter.php hosted on 74.207.232.13 (Linode, US) which looks like a -hacked- GoDaddy domain. Payload two is at [donotclick]mortal-records .net/detects/processing-successfully.php hosted on 203.91.113.6 (G-Mobile, Mongolia) which is an IP address that has been used a LOT for this type of attack. Blocking those IPs would be ideal..."

:mad:
 
Fake iPhone emails/sales sites ...

FYI...

Fake iPhone sales emails/sites ...
- http://blog.webroot.com/2012/09/27/from-russia-with-iphone-selling-affiliate-networks/
Sep 27, 2012 - "... cybercriminals continue introducing new services and goods with questionable quality and sometimes unknown origins on the market, with the idea to entice potential network participants into monetizing the traffic they can deliver through black hat SEO (Search Engine Optimization), malvertising, and spam campaigns... a recently launched affiliate network selling iPhones that primarily targets Russian-speaking customers, and emphasizes the traffic acquisition scheme used by one of the network’s participants... It all starts with a spam campaign offering brand new iPhones for a decent price in an attempt by one of the network participants to acquire traffic which will ultimately convert into sales.
Sample spamvertised email offering cheap and easy-to-obtain iPhones"
> https://webrootblog.files.wordpress.com/2012/09/spam_iphone_russian_affiliate_network.png
... an example of an affiliate network participant targeting English-speaking users, even though the actual web site is targeting Russian-speaking users...
Sample screenshot of the entry page for the iPhone selling affiliate network:
> https://webrootblog.files.wordpress.com/2012/09/iphone_sale_affiliate_network.png
(More samples available at the blog.webroot URL above)...
We advise bargain hunters to avoid clicking on links found in spam emails, avoid entering their credit card details on sites found in spam emails, and to avoid purchasing -any- kind of item promoted in these emails."

:mad:
 
SPAM leads to malware - 2012.10.01...

FYI... multiple entries:

Intuit SPAM - Shipment / art-london .net
- http://blog.dynamoo.com/2012/10/intuit-shipment-spam-art-londonnet.html
1 Oct 2012 - "This terminally confused Intuit / USPS / Amazon-style spam leads to malware...
Date: Mon, 1 Oct 2012 21:31:57 +0430
From: "Intuit Customer Service" [battingiy760@clickz.com]
To: [redacted]
Subject: Intuit Shipment Confirmation
Dear [redacted],
Great News! Your order, ID859560, was shipped today (see info below) and will complete shortly. We hope that you will find that it exceeds your expectations. If you ordered not one products, we may send them in separate boxes (at no additional cost to you) to ensure the fastest possible delivery. We will also provide you with the ability to track your shipments via the information below.
Thank you for your interest.
ORDER DETAILS
Order #: ID859560
Order Date: Sep 25, 2012
Item(s) In Your Order
Shipping Date: October, 1 2012
Shipping Method: USPS Express Mail
Estimated Delivery Date: October, 3 2012 - October 05, 2012
Tracking No.: 5182072894288348304217
Quantity Item
1 Intuit Card Reader Device - Gray
Please be informed that shipping status details may be not available yet online. Check the Website Status link above for details update.
Shipment Information:
We sent your item(s) to the next address:
065 S Paolo Ave, App. 5A
S Maria, FL
Email: [redacted]
Questions about your order? Please visit Customer Service.
Return Policy and Instructions
Privacy | Legal Disclaimer | Contact Us | About
You have received this business note as part of our efforts to fulfill your request and service your account. You may receive more email notifications from us even if you have previously selected out of marketing notifications...


The malicious payload is at [donotclick]art-london .net/detects/stones-instruction_think.php hosted on 195.198.124.60 (Skand Meteorologi och Miljoinstr AB, Sweden), a site which also hosts the presumably malicious domain indice-acores .net. Presumably this IP is a hacked server belonging to some legitimate Swedish organisation, but you should block it nonetheless."
___

Fake Intuit order confirmation
- http://security.intuit.com/alert.php?a=59
10/01/2012 - "... receiving emails with the title "Your Intuit Order Notification."
Below is a copy of the email people are receiving:
> http://security.intuit.com/images/yourintuitorder.jpg
... This is the end of the fake email. Steps to Take Now: Do not click on the link in the email... Delete the email..." etc...
___

Sendspace SPAM / onlinebayunator .ru
- http://blog.dynamoo.com/2012/10/sendspace-spam-onlinebayunatorru.html
1 Oct 2012 - "I haven't seen Sendspace spam before.. but here it is, leading to malware on onlinebayunator .ru:
Date: Mon, 1 Oct 2012 10:40:29 +0300
From: Twitter
To: [redacted]
Subject: You have been sent a file (Filename: [redacted]-9038870.pdf)
Sendspace File Delivery Notification:
You've got a file called [redacted]-56.pdf, (133.8 KB) waiting to be downloaded at sendspace.(It was sent by CHIQUITA Caldwell).
You can use the following link to retrieve your file:
Download Link
The file may be available for a limited time only.
Thank you,
sendspace - The best free file sharing service...


The malicious payload is at [donotclick]onlinebayunator .ru:8080/forum/links/column.php hosted on the same IP address ( 84.22.96.0/19 ) as this attack* earlier today.
* http://blog.dynamoo.com/2012/10/nacha-spam-onlinebayunatorru.html
___

Evolution1 SPAM / 69.194.194.221
- http://blog.dynamoo.com/2012/10/evolution1-spam-69194194221.html
1 Oct 2012 - "I haven't seen this spam before, it leads to malware on 69.194.194.221:
Date: Mon, 01 Oct 2012 15:44:59 +0200
From: "INTUIT" [D6531193@familyhealthplans.com]
Subject: Information regarding Employer Contribution
INTUIT
Attn: Account Holder
You can view the information about all Employer contributions that are due to be made on 2/1/2012 by visiting the following link:
http ://intuithealthemployer .lh1ondemand .com
Please let us know employment alterations on your enrollment spreadsheet within the period of two business days. The foregoing report shows the ACH amount we will withdraw from your bank account for the contributions on the first business day of the month. Please remember, if changes occur, this may affect the ACH amount.
Intuit Health Debit Card Powered by Evolution1 Employer Services..."


The malicious payload is on 69.194.194.221 (Solar VPS, US) ..."
___

NACHA SPAM / onlinebayunator .ru
- http://blog.dynamoo.com/2012/10/nacha-spam-onlinebayunatorru.html
1 Oct 2012 - "This fake NACHA spam leads to malware on onlinebayunator.ru:
Date: Mon, 1 Oct 2012 04:16:46 -0500
From: Bebo Service [service@noreply.bebo.com]
Subject: Fwd: ACH Transfer rejected
The ACH debit transfer, initiated from your bank account, was canceled.
Canceled transaction:
Transfer ID: FE-764029897226US
Transaction Report: View
Valentino Dickey
NACHA - The Electronic Payment Association
f0c34915-3e624bbb...


The malicious payload is at [donotclick]onlinebayunator .ru:8080/forum/links/column.php (probably a Blackhole 2 exploit kit) hosted on the following familiar IPs that should be blocked:
84.22.100.108 (Republic CyberBunker, Antarctica - Amsterdam more likely)
190.10.14.196 (RACSA, Costa Rica)
203.80.16.81 (Myren, Malaysia)
Of note, CyberBunker has a long history of spamming and tolerating criminals. Blocking the range 84.22.96.0/19 should afford your network some additional protection."

:mad: :mad: :mad:
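Added example (not code from FireEye, Dynamoo or this thread): a small Python triage script that applies the two observations above to a mail header set. It flags a brand named in the From display name, subject or body whose sending domain is not one that brand actually uses (IRS mail from guyzzer.com, Intuit from clickz.com, NACHA from bebo.com in the samples above), and it flags the shipping and urgency lure vocabulary FireEye reports as dominating spear-phishing subjects and file names. The sample messages are constructed from the spam quoted above, the word lists are illustrative rather than FireEye's published top-20 list, and the brand-to-domain map is an assumption that a deployment would replace with its own allow-list.

```python
import re
from email.utils import parseaddr

# Impersonated brands seen in the samples above. Each entry maps a canonical
# brand to the aliases that identify it in text and to the domains the real
# sender would use. The domain sets are an assumption for this example; a
# real deployment would maintain its own allow-list.
BRANDS = {
    "irs": (("irs", "internal revenue service"), {"irs.gov"}),
    "intuit": (("intuit", "quickbooks", "gopayment"), {"intuit.com"}),
    "ups": (("ups",), {"ups.com"}),
    "efax": (("efax",), {"efax.com"}),
    "verizon": (("verizon",), {"verizonwireless.com", "verizon.com"}),
    "nacha": (("nacha",), {"nacha.org"}),
    "sendspace": (("sendspace",), {"sendspace.com"}),
}

# Lure vocabulary, following FireEye's observation that shipping-related and
# urgency-related words dominate spear-phishing lures. Illustrative lists only.
SHIPPING_WORDS = ("shipment", "shipping", "shipped", "delivery", "tracking",
                  "invoice", "order", "usps", "ups", "fax", "parcel")
URGENCY_WORDS = ("rejected", "canceled", "cancelled", "urgent", "important",
                 "attention", "alert", "immediately", "validate", "verify",
                 "suspended", "not approved")


def _has_word(words, text):
    """True if any phrase in `words` occurs as a whole word in `text`."""
    return any(re.search(r"\b" + re.escape(w) + r"\b", text) for w in words)


def sender_domain(from_header):
    """Return (display name, domain) from a From: header; domain is '' if absent."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[1].lower() if "@" in addr else ""
    return name, domain


def triage(msg):
    """Return sorted findings for a message given as {'from','subject','body'}.

    Findings: 'brand-mismatch:<brand>@<sender domain>' for every brand the
    message claims that the sending domain does not belong to, plus
    'shipping-lure' / 'urgency-lure' when lure vocabulary is present.
    """
    name, domain = sender_domain(msg["from"])
    text = " ".join((name, msg["subject"], msg["body"])).lower()
    findings = []
    for brand, (aliases, allowed) in BRANDS.items():
        if not _has_word(aliases, text):
            continue
        legit = domain in allowed or any(domain.endswith("." + d) for d in allowed)
        if not legit:
            findings.append(f"brand-mismatch:{brand}@{domain or 'no-domain'}")
    if _has_word(SHIPPING_WORDS, text):
        findings.append("shipping-lure")
    if _has_word(URGENCY_WORDS, text):
        findings.append("urgency-lure")
    return sorted(findings)


# Constructed samples, condensed from the spam quoted in this thread, plus one
# benign control message.
SAMPLES = {
    "irs": {
        "from": '"Internal Revenue Service (IRS)" <58D1F47@guyzzer.com>',
        "subject": "Internal Revenue Service: For the attention of enterpreneurs",
        "body": ("Hello, Due to the system error the EIN of your company has been "
                 "accidently erased from the online database, please validate your "
                 "EIN to reaffirm your current status of taxpayer."),
    },
    "intuit": {
        "from": '"Intuit Customer Service" <battingiy760@clickz.com>',
        "subject": "Intuit Shipment Confirmation",
        "body": ("Great News! Your order, ID859560, was shipped today and will "
                 "complete shortly. Shipping Method: USPS Express Mail. "
                 "Tracking No.: 5182072894288348304217"),
    },
    "nacha": {
        "from": "Bebo Service <service@noreply.bebo.com>",
        "subject": "Fwd: ACH Transfer rejected",
        "body": ("The ACH debit transfer, initiated from your bank account, was "
                 "canceled. Transfer ID: FE-764029897226US. "
                 "NACHA - The Electronic Payment Association"),
    },
    "legit": {  # constructed control: brand and sending domain agree
        "from": "Intuit <no-reply@intuit.com>",
        "subject": "Your statement is available",
        "body": "Sign in to your Intuit account to view this month's statement.",
    },
}

if __name__ == "__main__":
    for label, sample in SAMPLES.items():
        print(f"{label:7s} {triage(sample) or 'no findings'}")
```

Both checks are cheap enough to run at the gateway on every message; the brand mismatch is the higher-confidence signal, and the lure words mainly raise the priority of messages that already tripped it.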
 
SPAM fakes 4 U ... 2012.10.02

FYI... multiple entries:

Fake ecard - unsolicited secret admirers via Email
- http://community.websense.com/blogs...02/unsolicited-secret-admirers-via-email.aspx
02 Oct 2012 - "... an unsolicited email campaign in which love-struck or curious recipients may have their appetites whetted by the thought of a secret admirer... The messages, sent from various Yahoo .com accounts, suggest that the sender has "to let you know how [they] feel" and provide an enticing Facebook link to "View Your Ecard":
> http://community.websense.com/cfs-f...ecuritylabs/7776.emailbody.png_2D00_550x0.png
... a valid short Facebook URL is used which, in this case, -redirects- ... a basic JavaScript is delivered... The victim's browser is then directed to a fake ecard site hxxp ://readyourecard .com/viewmessage/?a=vip36
> http://community.websense.com/cfs-f...es.securitylabs/6303.ecard.png_2D00_550x0.png
... At this point, the aim of the campaign becomes clear: Every link on the fake ecard page redirects to an affiliate landing page on the Adult Dating website AdultFriendFinder .com and, with affiliate earnings of up to $1 per unique visitor, you can easily see how such a campaign could become very lucrative... This campaign appears to be financially driven, but it is conceivable that the same techniques could be used to direct victims to malicious sites..."
___

Fake Fax Email notifications ...
- http://www.gfi.com/blog/beware-fake-fax-email-notifications-in-circulation/
Oct 2, 2012 - "In the last few days we’ve seen this fake fax email doing the rounds, offering up a “2013 recruitment plan”:
> http://www.gfi.com/blog/wp-content/uploads/2012/10/faxmalware1.jpg
... INCOMING FAX REPORT
*********************************************************
Date/Time: 09/28/2012 07:01:41 AM
Speed: 14400 bps
Connection time: 01:02
Pages: 2
Resolution: Normal
Remote ID: 0420950504
Line number: 2
DTMF/DID:
Description: 2013 Recruitment plan
Click here to view the file online ..."

... Clicking the link would take the user from a (dot)de domain to an IP associated with a Malware run currently taking place... currently leads to a "page not found":
> http://www.gfi.com/blog/wp-content/uploads/2012/10/faxnotfound.jpg
... varied subject lines in this particular spam campaign – everything from recruitment plans to employment contributions and transaction reports – indicate a definite lean towards business targets rather than home users. Of course, whether at home or in the workplace you’re still potentially at risk should you click any of the links going out in this spamrun..."

:mad:
 
SPAM leading to malware ...

FYI...

Fake Quickbooks emails lead to malware
- http://www.gfi.com/blog/fake-quickbooks-emails-lead-to-malware-shenanigans/?
Oct 3, 2012 - "We have some more rogue emails following the familiar pattern of the last few days – this time around, a fake Quickbooks themed email which promises “free shipping for Quickbooks customers”:
> http://www.gfi.com/blog/wp-content/uploads/2012/10/quickbooksspam.jpg
It points to a website that shows the end-user a “connecting to server” message, eventually redirecting to an IP address that has been / is still associated with Blackhole Exploit Kit and Java exploits.
> http://www.gfi.com/blog/wp-content/uploads/2012/10/quickbooksspam2.jpg
... it’s a bad time to be randomly opening dubious emails..."

Fake QB/IRS order forms emails
- http://security.intuit.com/alert.php?a=62
10/03/2012
> http://security.intuit.com/images/phish63.jpg
___

Something evil on 66.45.251.224/29 and 199.71.233.226
- http://blog.dynamoo.com/2012/10/something-evil-on-664525122429-and.html
3 Oct 2012 - "The IP address 199.71.233.226 (Netrouting, US) and the range 66.45.251.224/29 (Interserver, US) are currently being used to distribute malware through advertising. Of these the 66.45.251.224/29 has been suballocated to an anonymous person, which I didn't even know was permitted... The domains listed below are on those IP addresses, all appear to be distributing malware (see example*) and they seem to have fake or anonymous WHOIS details. Blocking traffic to 66.45.251.224/29 (66.45.251.224 - 66.45.251.231) and 199.71.233.226 should be effective in countering this threat..."
Update: 95.211.193.36 (Leaseweb, Netherlands) and 77.95.230.77 (Snel Internet Services, Netherlands) may also be distributing malware in connection with this (report here**).
(More info at the blog.dynamoo URL above.)

* http://www.google.com/safebrowsing/diagnostic?site=juniorppv.info
"Site is listed as suspicious... Malicious software includes 8 trojan(s)..."

** http://wepawet.iseclab.org/view.php?hash=d5821ee7ba6fd7c95f6bf07137aee3b9&t=1349259972&type=js
___

Friendster SPAM / sonatanamore .ru
- http://blog.dynamoo.com/2012/10/friendster-spam-sonatanamoreru.html
2 Oct 2012 - "Friendster.. remember that? Before Facebook.. before Myspace.. there was Friendster. This spam email is -not- from Friendster though and leads to malware on sonatanamore .ru:
Date: Tue, 2 Oct 2012 05:39:54 -0500
From: Friendster Games [friendstergames@friendster.com]
Thank you for joining Friendster! Your system generated password is 0JR8YXB1YR. You may change your password in your Account Settings Page.
Friendster is the social gaming destination of choice. Connect and play with your friends & share your progress with your network.
Copyright © 2002 - 2012 Friendster, Inc. All rights reserved. Visit our site. - Terms of Service
To manage your notification preferences, go here
To stop receiving emails from us, you can unsubscribe here


The malicious payload is at [donotclick]sonatanamore .ru:8080/forum/links/column.php hosted on:
70.38.31.71 (iWeb, Canada)
202.3.245.13 (MANA, Tahiti)
203.80.16.81 (Myren, Malaysia)
Plain list of IPs and domains on those IPs for copy-and-pasting.
70.38.31.71, 202.3.245.13, 203.80.16.81 ..."
(More listed at the blog.dynamoo URL above.)

:mad:
 
SPAM leads to malware - 'just keeps coming 2012.10.04

FYI...

Fake "Corporate eFax message" SPAM / 184.164.136.147
- http://blog.dynamoo.com/2012/10/corporate-efax-message-spam-184164136147.html
4 Oct 2012 - "These fake fax messages lead to malware on 184.164.136.147:
Date: Thu, 04 Oct 2012 19:00:16 +0200
From: "eFax.Alert" [E988D6C @vida .org.pt]
Subject: Corporate eFax message - 09 pages
Fax Message [Caller-ID: 341-498-5688]
You have received a 09 pages fax at Thu, 04 Oct 2012 19:00:16 +0200.
* The reference number for this fax is min1_20121004190016.8673161.
View this fax using your PDF reader.
Click here to view this message
Please visit www .eFax .com/en/efax/twa/page/help if you have any questions regarding this message or your service.
Thank you for using the eFax service!
Home | Contact | Login
© 2011 j2 Global Communications, Inc. All rights reserved.
eFax® is a registered trademark of j2 Global Communications, Inc.
This account is subject to the terms listed in the eFax® Customer Agreement.


... The malicious payload is at [donotclick]184.164.136.147/links/assure_numb_engineers.php which is an IP address belonging to Secured Servers LLC in the US and suballocated to:
autharea=184.164.128.0/19
xautharea=184.164.128.0/19
network:City:Manilla ...
It might be worth blocking 184.164.136.128/27 to be on the safe side."

- http://www.google.com/safebrowsing/diagnostic?site=AS:20454
"... over the past 90 days, 244 site(s)... served content that resulted in malicious software being downloaded and installed without user consent... the last time suspicious content was found was on 2012-10-04..."
- http://www.google.com/safebrowsing/diagnostic?site=AS:32164
"... the last time suspicious content was found was on 2012-10-03... we found 1 site(s) on this network... that appeared to function as intermediaries for the infection of 14 other site(s)..."
___

Verizon Wireless SPAM / strangernaturallanguage .net
- http://blog.dynamoo.com/2012/10/verizon-wireless-spam.html
4 Oct 2012 - "This fake Verizon wireless spam leads to malware on strangernaturallanguage .net:
From: AccountNotify whitheringj @spcollege .edu
Date: 4 October 2012 18:52
Subject: Recent Notification in My Verizon
SIGNIFICANT ACCOUNT NOTIFICATION FROM VERIZON WIRELESS.
Your informational letter is available.
Your account # ending: XXX8 XXXX4
Our Valued Client
For your accommodation, your confirmation message can be found in the Account Documentation desk of My Verizon.
Please check your acknowledgment letter for all the information relating to your new transaction.
View Approval Message
In addition, in My Verizon you will find links to info about your device & services that may be helpfull if you looking for answers.
Thank you for joining us .
My Verizon is also accessible 24 hours 7 days a week to assist you with:
Usage details
Updating your tariff
Add Account Users
Pay your invoice
And much, much more...
© 2012 Verizon Wireless
Verizon Wireless | One Verizon Way | Mail Code: 523WSE | Basking Ridge, MA 55584
We respect your privacy. Please review our privacy policy for more details


The malicious payload is at [donotclick]strangernaturallanguage .net/detects/notification-status_login.php hosted on 183.81.133.121 (Vodafone, Fiji)..."

:buried:
 
Fake inTuit / UPS SPAM leads to malware...

FYI...

Intuit "GoPayment" SPAM / simplerkwiks .net
- http://blog.dynamoo.com/2012/10/intuit-gopayment-spam-simplerkwiksnet.html
5 Oct 2012 - "This fake "Intuit GoPayment" spam leads to malware on simplerkwiks .net:
Date: Fri, 5 Oct 2012 15:54:26 +0100
From: "Intuit GoPayment" [abstractestknos65@pacunion.com]
Subject: Welcome - you're been granted access for Intuit GoPayment Merchant
Greetings & Congrats!
Your GoPayment? statement for WALLET , DEVELOPMENTS has been issued.
Intuit Payment
Account No.: XXXXXXXXXXXXXX16
Email Address: [redacted]
NOTE : Additional charges for this service may now apply.
Next step: Confirm your User ID
This is Very Important lets you:
Manage your payment service in the Merchant Center
Review charges
Log In to other Intuit products you may use, like TurboTax, Quicken, and Intuit Payroll
The good news is you have active an existing Intuit account for your email address, You can use this ID for your payment service also, or enter a new one.
Verify UserID
Get started:
Step 1: If you have not still, download the Intuit application.
Step 2: Run the GoPayment app and sign in with the UserID (your email address) and Password you setup.
Easy Manage Your GoPayment System
The Intuit GoPayment Merchant Service Center is the website where you can learn a lot about GoPayment features, customize your sales receipt and add GoPayment users. You can also manage transactions, deposits and fees. Visit link and signin with your GoPayment Access ID (your email address) and Password.
For more information on how to get started using Intuit Merchant, including tutorials, FAQs and other resources, visit the Service Center at web site.
Please do not reply to this message. automative notification system not configured to accept incoming email.
System Terms & Agreements © 2012 Intuit, Inc. All rights reserved.


The malicious payload is at [donotclick]simplerkwiks .net/detects/congrats_verify-access.php hosted on 183.81.133.121 (Vodafone, Fiji) along with these other suspect domains:
addsmozy .net
officerscouldexecute .org
simplerkwiks .net
strangernaturallanguage .net
buzziskin .net
art-london .net "
___

UPS SPAM / minus.preciseenginewarehouse .com
- http://blog.dynamoo.com/2012/10/ups-spam-minuspreciseenginewarehousecom.html
5 Oct 2012 - "This fake UPS spam leads to malware on minus.preciseenginewarehouse .com:
From: "UPSBillingCenter" [512A03797@songburi.com]
Subject: Your UPS Invoice is Ready
This is an automatically generated email. Please do not reply to this email address.
Dear UPS Customer,
New invoice(s) are available for the consolidated payment plan(s) / account(s) enrolled in the UPS Billing Center
Please visit the UPS Billing Center to view and pay your invoice.
Discover more about UPS:
Visit ups .com
Explore UPS Freight Services
Learn About UPS Companies
Sign Up For Additional Email From UPS
Read Compass Online
(c) 2012 United Parcel Service of America, Inc. UPS, the UPS brandmark, and the color brown are trademarks of United Parcel Service of America, Inc. All rights reserved.
For more information on UPS's privacy practices, refer to the UPS Privacy Policy.
Please do not reply directly to this e-mail. UPS will not receive any reply message.
For questions or comments, visit Contact UPS.
This communication contains proprietary information and may be confidential. If you are not the intended recipient, the reading, copying, disclosure or other use of the contents of this e-mail is strictly prohibited and you are instructed to please delete this e-mail immediately.
Privacy Policy
Contact UPS


The malicious payload is at [donotclick]minus.preciseenginewarehouse .com/links/assure_numb_engineers.php hosted on 174.140.165.112 ... To be precise, the subdomains seem malicious, the domains themselves appear to be legitimate ones where the domain account has been hacked. Blocking 174.140.165.112 would be prudent."

:mad: :mad:
 
Injection attacks from 5.9.188.54 ...

FYI...

Something evil on 5.9.188.54
- http://blog.dynamoo.com/2012/10/something-evil-on-5918854.html
7 Oct 2012 - "Here's a nasty bunch of sites being used in injection attacks, all hosted on 5.9.188.54:
nfexfkloawuqlaahsyqrxo.qlvyeviexqzrukyo.waw .pl
nqvzrpyoossmr.qlvyeviexqzrukyo.waw .pl
xfynhovgofzsqueuuprplvv.qlvyeviexqzrukyo.waw .pl
lgrfuqfwz.qlvyeviexqzrukyo.waw .pl
zlqfrypzqyubsedrzugeaf.urblvhnfxzrozzlz.waw .pl
qxggipnnfmnihkic .ru
mvuvchtcxxibeubd .ru
5.9.188.54 is a Hetzner IP address (no surprise there) suballocated to:
inetnum: 5.9.188.32 - 5.9.188.63
netname: LLC-CYBERTECH
descr: LLC "CyberTech"
country: DE ...
address: 125252 Moscow
address: RUSSIAN FEDERATION
... You might want to block the whole 5.9.188.32/27 range.. you should certainly block 5.9.188.54 if you can."

- http://centralops.net/co/DomainDossier.aspx
5.9.188.54
address: 125252 Moscow
address: RUSSIAN FEDERATION...
origin: AS24940

- http://google.com/safebrowsing/diagnostic?site=AS:24940
"... over the past 90 days, 5865 site(s)... served content that resulted in malicious software being downloaded and installed without user consent... last time suspicious content was found was on 2012-10-07... we found 998 site(s)... that appeared to function as intermediaries for the infection of 12809 other site(s)... this network has hosted sites that have distributed malicious software in the past 90 days. We found 1752 site(s)... that infected 18780 other site(s)."

:mad:
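Added example (not Dynamoo's code or anything from this thread): Python using the standard ipaddress module to turn the block recommendations in these posts (84.22.96.0/19 for CyberBunker, 66.45.251.224/29 plus 199.71.233.226, 184.164.136.128/27, 5.9.188.32/27 and the single hosts) into a checkable blocklist, expand a CIDR to its first and last address the way the 66.45.251.224/29 note does, run a set of connection records against it, and emit the matching iptables rules. The connection records are constructed for this example, and the rule syntax assumes a Linux host with iptables.

```python
import ipaddress

# Blocklist assembled from the Dynamoo posts above: single hosts and the
# ranges the posts recommend blocking.
BLOCKLIST = [
    "84.22.96.0/19",        # CyberBunker range (NACHA / Sendspace spam)
    "66.45.251.224/29",     # Interserver suballocation (malvertising)
    "199.71.233.226",       # Netrouting host used alongside it
    "184.164.136.128/27",   # Secured Servers LLC (fake eFax spam)
    "5.9.188.32/27",        # LLC CyberTech at Hetzner (injection attacks)
    "183.81.133.121",       # Vodafone Fiji host (Verizon / GoPayment spam)
    "174.140.165.112",      # UPS spam payload host
    "203.80.16.81",         # Myren host shared by NACHA / Friendster spam
]


def compile_blocklist(entries):
    """Parse entries into network objects; a bare address becomes a /32."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def matching_entry(addr, networks):
    """Return the first blocklist network containing addr, or None."""
    ip = ipaddress.ip_address(addr)
    for net in networks:
        if ip in net:
            return str(net)
    return None


def cidr_bounds(cidr):
    """First and last address of a CIDR, e.g. 66.45.251.224 - 66.45.251.231."""
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net.network_address), str(net.broadcast_address)


def check_hosts(addrs, entries=BLOCKLIST):
    """Map each address to the blocklist entry covering it (None if clean)."""
    nets = compile_blocklist(entries)
    return {a: matching_entry(a, nets) for a in addrs}


def flag_connections(lines, entries=BLOCKLIST):
    """Return (record, matched network) for records whose destination is listed.

    Record format is constructed for this example: '<ts> <src> -> <dst>:<port>'.
    """
    nets = compile_blocklist(entries)
    hits = []
    for line in lines:
        dst = line.split("->")[1].strip().rsplit(":", 1)[0]
        match = matching_entry(dst, nets)
        if match:
            hits.append((line, match))
    return hits


def iptables_rules(entries=BLOCKLIST):
    """Emit DROP rules for both directions; bare hosts come out as /32."""
    rules = []
    for net in compile_blocklist(entries):
        rules.append(f"iptables -A INPUT -s {net} -j DROP")
        rules.append(f"iptables -A OUTPUT -d {net} -j DROP")
    return rules


# Constructed outbound connection records; 198.51.100.7 is a documentation
# address standing in for a benign destination.
LOG = [
    "2012-10-04 19:05:11 10.1.2.3 -> 184.164.136.147:80",
    "2012-10-04 19:06:02 10.1.2.7 -> 203.80.16.81:8080",
    "2012-10-04 19:07:40 10.1.2.9 -> 198.51.100.7:443",
    "2012-10-07 08:00:00 10.1.2.3 -> 5.9.188.54:80",
]

if __name__ == "__main__":
    print(cidr_bounds("66.45.251.224/29"))
    for record, net in flag_connections(LOG):
        print(f"BLOCKED by {net}: {record}")
    print("\n".join(iptables_rules()))
```

Matching on the parsed network objects rather than string prefixes is what makes 84.22.100.108 fall inside 84.22.96.0/19 correctly; a naive "starts with 84.22.96" check would miss it.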
 
Skype users targeted with Ransomware and Click Fraud

FYI...

Skype users targeted with Ransomware and Click Fraud
- http://www.gfi.com/blog/skype-users-targeted-with-ransomware-and-click-fraud/
Oct 8, 2012 - "The infection* that’s still spreading across users of Skype has taken an interesting twist: ransomware and click fraud. Skype users tempted to follow the latest set of infection links will end up with a zipfile on their PC. Here’s an example of the rogue links still being pinged around:
> http://www.gfi.com/blog/wp-content/uploads/2012/10/skypevirus41.jpg
Clicking the link will download a zipfile, and running the executable inside will see the infected PC making waves with network traffic that wasn’t present when we tested the last executable...
> http://www.gfi.com/blog/wp-content/uploads/2012/10/RansomWare_EncryptionScare4-300x152.jpg
After a while, a Java exploit will call down some fire from the sky (in the form of BlackHole 2.0) and the end-user will be horrified to see this:
> http://www.gfi.com/blog/wp-content/uploads/2012/10/RansomWare_EncryptionScare1.jpg
... a typical Ransomware scare message that locks the user out of their data, encrypts the files and demands payment (via Moneypak) to the tune of $200. The IP address and geographical location is displayed in the bottom right hand corner, along with various threats related to the downloading of MP3s, illegal pornography, gambling and more besides. Ransomware is currently a big deal and not something an end-user really wants to have on their computer. Meanwhile, behind the scenes we have what looks like attempts at click fraud taking place behind the locked computer screen... in the space of 10 minutes, we recorded 2,259 transmissions(!)... to infect the computer, you’ll need to manually click the download link, open the zip and run the executable. On top of that, anybody trying to open the file who hasn’t switched off file security warnings will be told that “The publisher could not be verified, are you sure you want to run this software” so there’s plenty of chances to dodge this bullet..."
* http://www.gfi.com/blog/infection-spreads-profile-pic-messages-to-skype-users/

:mad:
 
Skype SPAM voicemail leads to Blackhole / Zeus attacks

FYI...

Skype SPAM voicemail leads to Blackhole / Zeus attacks
- http://www.gfi.com/blog/skype-voicemail-spam-leads-to-blackhole-zeus-attacks/
Oct 10, 2012 - "... spam mail... claims to be a Skype Voicemail notification, for example:
> http://www.gfi.com/blog/wp-content/uploads/2012/10/skypevoicemailscam.png
It reads as follows:
Hi there,
You have a new voicemail
Sign in to Skype to listen to the message.
If you no longer want to receive email alerts about new voicemails, unsubscribe now.
Talk soon,
The people at Skype


It looks pretty authentic, and will send curious clickers to URLs tied up in Blackhole / Zeus infections. On a related note, we’re also seeing Sprint Wireless and fake Facebook friend request spam doing much the same as the above so please be careful when wading through your inbox – there’s a fair amount of spam targeting users with exploits right now and it covers a wide range of subjects from payroll notifications and Craigslist adverts to UPS invoices and American Express payment receipts."

- http://pandalabs.pandasecurity.com/...a-worm-spreading-through-skype-and-messenger/
10/10/12
___

Skype Messages Spreading DORKBOT Variants
- http://blog.trendmicro.com/trendlab...ce/skype-messages-spreading-dorkbot-variants/
Oct 9, 2012

- http://blog.trendmicro.com/trendlabs-security-intelligence/the-dorkbot-rises/
Oct 16, 2012 - "... spreading via Skype spammed messages... now reached (more than) 17,500 reported infections globally... DORKBOT is not primarily meant to steal information, but still has the capability to steal login credentials. It does this by hooking several APIs in popular web browsers. Among the sites monitored are Twitter, Facebook, Bebo, Friendster, Paypal, Netflix, and Sendspace. DORKBOT also checks strings sent to monitored sites via HTTP POST, thus information in HTTP form files like passwords, usernames, and email addresses... DORKBOT downloads an updated copy of itself per day, which are typically undetected because they arrive with different packers. This is probably done to remain undetected on the infected system. With multiple dangerous routines and propagation methods well-fit into the common users’ typical online activities, DORKBOT is clearly a threat that users need to avoid and protect themselves from..."

- http://blog.spiderlabs.com/2012/10/worm-propagates-through-skype-messages.html
12 Oct 2012
___

Rampaging Squirrel + Boyband = Twitter SPAM
- http://www.gfi.com/blog/rampaging-squirrel-boyband-twitter-spam/
Oct 10, 2012 - "Yesterday I saw a news article that did a frankly amazing job of rendering the plight of a boyband member being attacked by a squirrel*, and mentioned it on Twitter. Within seconds, I was on the receiving end of some spam telling me I’d won a prize:
> http://www.gfi.com/blog/wp-content/uploads/2012/10/1dirspam.jpg
Twitter users were spammed in groups, with the above account holding off on providing a URL to click. Instead, curious Tweeters would choose to visit the above account then click the URL in the profile – onedgiveaway(dot)com.
> http://www.gfi.com/blog/wp-content/uploads/2012/10/2dirspam.jpg
“Congratulations 1D Fan! Please vote for your favourite 1D member below. To say thanks accept a free gift worth over $500
... I went for Liam Payne on the basis that he might be related to Max and ended up with the following survey page located at 1dviptickets(dot)com:
> http://www.gfi.com/blog/wp-content/uploads/2012/10/3dirspam.jpg
... I came away with no free gift but lots of surveys (and a whole bunch of “Are you sure you want to go” style pop-ups while trying to leave the page) – nobody has “won” anything, it’s just some random fire-and-forget spam. At time of writing, the spam account is still active and blindfiring more messages to random Twitter users..."
* http://www.wandsworthguardian.co.uk...iciously_attacked_by_Battersea_Park_squirrel/
___

Fake job offers - union-trans .com employment scam
- http://blog.dynamoo.com/2012/10/union-transcom-employment-scam.html
10 Oct 2012 - "This fake job offer is for a "forwarding agent"... basically it's a parcel reshipping scam where goods bought with stolen credit cards are sent to the "agent's" home address, and then the "agent" forwards the stolen goods on to Eastern Europe or China or whatever. Of course, when the police catch on it's the "agent" who is in deep, deep trouble... There appear to be several scam domains in this same email. union-trans .com is hosted on 180.178.32.238 (Simcentric, Hong Kong)... Originating IP is 183.134.113.165 (Zhejiang Telecom, Ningbo, China)... Generally speaking, unsolicited job offers from out-of-the-way places are bad news and should be avoided."

Sprint SPAM / 1.starkresidential .net
- http://blog.dynamoo.com/2012/10/sprint-spam-1starkresidentialnet.html
9 Oct 2012 - "This fake Sprint spam leads to malware on 1.starkresidential .net...
The malicious payload is at [donotclick]1.starkresidential .net/links/assure_numb_engineers.php hosted on 74.207.233.58 (Linode, US)... appear to be malicious subdomains of legitimate hacked domains. If you can, you should block traffic to 74.207.233.58 to stop other malicious sites on the same server from being a problem."

"Biweekly payroll" SPAM / editdvsyourself .net
- http://blog.dynamoo.com/2012/10/biweekly-payroll-spam-editdvsyourselfnet.html
9 Oct 2012 - "This fake payroll spam leads to malware on editdvsyourself .net...
The malicious payload is on [donotclick]editdvsyourself .net/detects/beeweek_status-check.php, hosted on the familiar IP address of 183.81.133.121 (Vodafone, Fiji)..."
___

Facebook Scam SPAM
- https://isc.sans.edu/diary.html?storyid=14281
Last Updated: 2012-10-10 14:32:26 UTC - "... reports of Facebook Scam Spam... TinyURL has since taken down the redirect and classified it as Spam. However, the image (and others like it) still propagate by FB users clicking on the link. This type of scam is used mostly -without- the permission of the vendor noted, in this case Costco*. The idea is to entice the user to click so they get -redirected- to a site where the business model depends on traffic volume...
> https://isc.sans.edu/diaryimages/Diary14281-Costco-Scam-Spam.png
If you are a Facebook user, then please be wary of any offers that entice you to "click" to receive. It's a really bad practice. The holiday shopping season is beginning and these vectors are going to be heavily used by the scammers in the coming months."

:fear: :fear: :mad:
 
Malicious Presidential SPAM campaign has started...

FYI...

Malicious Presidential SPAM campaign has started...
- http://community.websense.com/blogs...s-usa-presidential-spam-campaign-started.aspx
10 Oct 2012 - "... Websense... has detected a spam campaign that tries to exploit recipients' interest in the current presidential campaign in the US. Specifically, we have detected thousands of emails with this kind of content:
> http://community.websense.com/cfs-f...ecuritylabs/6371.ssshot001.png_2D00_550x0.png
... we are seeing an increasing number of spam campaigns with malicious links that lead to BlackHole exploit pages. This is also what happens with this campaign. If the recipient clicks on one of the links in the email, it starts a redirection flow which leads to URLs that host BlackHole exploit code. We simulated the recipient's experience with the support of the Fiddler tool, as shown below:
> http://community.websense.com/cfs-f...ts.WeblogFiles/securitylabs/4530.sshot002.png
The pattern used strongly resembles the pattern used in other malicious, BlackHole-based spam campaigns, so we decided to investigate using a little set of samples from this campaign. The samples were chosen based on thousands of emails.
> http://community.websense.com/cfs-f...ts.WeblogFiles/securitylabs/1106.sshot004.PNG
The links found in the spam emails usually have this kind of content:
> http://community.websense.com/cfs-f...ts.WeblogFiles/securitylabs/2438.sshot005.PNG
The purpose of this flow as usual is to install malicious files. In this malicious SPAM campaign, we noticed low detected PDF, JAR and EXE files (used to compromise the victim systems). During our simulated user experience we have found the following involved files:
PDF - MD5: 69e51d3794250e3f1478404a72c7a309
JAR file - MD5: 03373056bb050c65c41196d3f2d68077
about.exe - MD5: 9223b428b28c7b8033edbb588968eaea ...
Each URL... contains a redirection payload that leads the victim to a malicious website that hosts BlackHole exploit kit 2.0 obfuscated code..."

- http://blog.trendmicro.com/trendlabs-security-intelligence/obama-vs-romney-political-online-threats/
Update as of Oct 11, 2012 - "... email is supposedly from CNN and contains news stories about the election:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2012/10/cnn-spam.png
... instead of news articles, the links lead users to a variant of the ZeuS banking Trojan, delivered by the Blackhole exploit kit..."

- http://blog.trendmicro.com/trendlabs-security-intelligence/obama-vs-romney-political-online-threats/
Oct 10, 2012 - "... This reinforces the fact that the bad guys have all the bases covered when it comes to exploiting popular events. Whoever wins come November 6th, end users will end up losing in one way or another if they’re not careful. So keep yourself informed. Get your news only from trusted sources, and make sure to have an Internet security solution installed on your devices."

:mad:
 
LinkedIn SPAM and more SPAM...

FYI... Multiple entries:

LinkedIn SPAM / inklingads .biz
- http://blog.dynamoo.com/2012/10/linkedin-spam-inklingadsbiz.html
11 Oct 2012 - "The bad guys are very busy today with all sorts of spam campaigns, including lots of messages as below pointing to malware on
From: LinkedIn Notification [mailto:hewedngq6@omahahen.org]
Sent: 11 October 2012 15:59
Subject: LinkedIn Reminder
Importance: High
LinkedIn
REMINDERS
Invite events:
From Thaddeus Sosa ( Your servant)
PENDING EVENTS
There are a total of 3 messages awaiting your action. See your InBox immediately...


The malicious payload is on [donotclick]inklingads.biz/detects/invite-request_checking.php hosted on 183.81.133.121 (Vodafone, Fiji)"
___

ADP SPAM / 198.143.159.108
- http://blog.dynamoo.com/2012/10/adp-spam-198143159108.html
12 Oct 2012 - "Yet -more- fake ADP spam (there has been a lot over the past 24 hours) is being pushed out. This time there's a malicious payload at [donotclick]198.143.159.108 /links/rules_familiar-occurred.php (Singlehop, US).
Avoid."
___

ADP SPAM / 4.wapin .in and 173.224.209.165:
- http://blog.dynamoo.com/2012/10/adp-spam-4wapinin.html
11 Oct 2012 - "This fake ADP spam leads to malware on 4.wapin .in:
From: ADP.Security [mailto:5BC4F06B@act4kids.net]
Sent: 11 October 2012 14:22
Subject: ADP: Urgent Notification
This e-mail has been sent from an automated system. PLEASE DO NOT REPLY.
If you have any questions, please contact your administrator for assistance.
----
Digital Certificate About to Expire...


The malicious payload is on [donotclick]4.wapin .in/links/assure_numb_engineers.php hosted on 198.136.53.39 (Comforthost, US).
Another variant of this goes to [donotclick]173.224.209.165/links/assure_numb_engineers.php (Psychz Networks, US)"
___

ADP SPAM / 108.61.57.66
- http://blog.dynamoo.com/2012/10/adp-spam-108615766.html
11 Oct 2012 - "There's masses of ADP-themed spam today. Here is another one:
Date: Thu, 11 Oct 2012 14:53:17 -0200
From: "ADP.Message" [986E3877@dixys.com]
Subject: ADP Generated Message
This e-mail has been sent from an automated system. PLEASE DO NOT REPLY.
If you have any questions, please contact your administrator for assistance.
---------------------------------------------------------------------
Digital Certificate About to Expire
---------------------------------------------------------------------
The digital certificate you use to access ADP's Internet services is about to expire. If you do not renew your certificate by the expiration date below, you will not be able to access ADP's Internet services.
Days left before expiration: 3
Expiration date: Oct 14 23:59:59 GMT-03:59 2012
---------------------------------------------------------------------
Renewing Your Digital Certificate ...


In this case the malicious payload is at [donotclick]108.61.57.66 /links/assure_numb_ engineers .php hosted by Choopa LLC in the US. The IP is probably worth blocking to be on the safe side."
___

Blackhole sites to block ...
- http://blog.dynamoo.com/2012/10/blackhole-sites-to-block-111012.html
11 Oct 2012 - "A bunch of sites are active today with the Blackhole exploit kit.. here are the ones seen so far:
183.81.133.121
198.136.53.39
173.255.223.77
64.247.188.141
inklingads .biz

The delivery mechanisms are fake LinkedIn and eFax messages. Block those IPs if you can."
___

"Copies of Policies" SPAM / windowsmobilever .ru
- http://blog.dynamoo.com/2012/10/copies-of-policies-spam.html
11 Oct 2012 - "This slightly odd spam leads to malware on windowsmobilever .ru:
Date: Thu, 11 Oct 2012 10:55:37 -0500
From: "Amazon.com" [account-update@amazon.com]
Subject: RE: DONNIE - Copies of Policies.
Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.
Here is the Package and Umbrella,
and a copy of the most recent schedule.
DONNIE LOCKWOOD,
==========
Date: Thu, 11 Oct 2012 12:26:25 -0300
From: accounting@[redacted]
Subject: RE: MARGURITE - Copies of Policies.
Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.
Here is the Package and Umbrella,
and a copy of the most recent schedule.
MARGURITE Moss


Anyone who clicks on the link will end up on an exploit kit at [donotclick]windowsmobilever .ru:8080/forum/links/column.php - hosted on:
68.67.42.41 (Fibrenoire , Canada)
203.80.16.81 (MYREN, Malaysia)
These two IPs are currently involved in several malicious spam runs and should be blocked if you can."
___

eFax SPAM / 173.255.223.77 and chase .swf
- http://blog.dynamoo.com/2012/10/efax-spam-17325522377-and-chaseswf.html
11 Oct 2012 - "Two different eFax spam runs seem to be going on at the same time:
' From: eFax Corporate [mailto:05EBD8C@poshportraits.com]
Sent: 11 October 2012 12:58
Subject: eFax notification
You have received a 50 page(-s) fax...'

' From: eFax.Corporate [mailto:2C4C2348@aieservices.com.au]
Sent: 11 October 2012 12:51
Subject: eFax: You have received new fax
You have received a 34 page(-s) fax...'


One leads to a malicious landing page at [donotclick]173.255.223.77 /links/assure_numb_engineers.php hosted by Linode in the US.
The other one is a bit odder, referring to a file called chase.swf on a hacked site. VT analysis shows just 1/44* which is -not- good..."
* https://www.virustotal.com/file/5db...eacc2c49b8f666ac62ff338154402597784/analysis/
File name: chase.swf-QrUTmm
Detection ratio: 1/40
Analysis date: 2012-10-11 13:04:39 UTC...

:mad::mad:
 
Vodafone SPAM - emails serve malware

FYI...

Vodafone SPAM - emails serve malware
- http://blog.webroot.com/2012/10/15/vodafone-europe-your-account-balance-themed-emails-serve-malware/
Oct 15, 2012 - "Cybercriminals are currently spamvertising millions of emails, impersonating Vodafone Europe, in an attempt to trick their customers into executing the malicious file attachment found in the email...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress.com/2012/09/vodafone_europe_spam_email_malware.png
Detection rate: Vodafone_Account_Balance.pdf.exe – MD5: 8601ece8b0c79ec3d4396f07319bbff1 * ... Trojan-Ransom.Win32.PornoAsset.xen; Worm:Win32/Gamarue.F..."
* https://www.virustotal.com/file/2d6...17e977ed40bbfd333a9c470e/analysis/1349008562/
File name: Your_Friend_New_photos-updates.jpeg.exe
Detection ratio: 36/43
Analysis date: 2012-09-30 15:01:54 UTC
___

Fake UPS emails - client-side exploits and malware
- http://blog.webroot.com/2012/10/15/...e-ups-serve-client-side-exploits-and-malware/
Oct 15, 2012 - "... cybercriminals spamvertised millions of email addresses, impersonating UPS, in an attempt to trick end users into viewing the malicious .html attachment. Upon viewing, the file loads a tiny iFrame attempting to serve client-side exploit served by the latest version of the BlackHole Exploit kit, which ultimately drops malware on the affected host.
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress...l_exploits_malware_black_hole_exploit_kit.png
... Sample detection rate for a malicious .html file found in the spamvertised emails: UPS_N21489880.htm – MD5: 38a2a54d6e7391d7cd00b50ed76b9cfb * ... Trojan.Iframe.BCK; Trojan-Downloader.JS.Iframe.dbh
* https://www.virustotal.com/file/37d...34ffb63faf61052c0263b658ca227b9a453/analysis/
File name: java.jar
Detection ratio: 26/43
Analysis date: 2012-10-15
... currently responding to the following IPs – 84.22.100.108; 190.10.14.196; 203.80.16.81; 61.17.76.12; 213.135.42.98
... Related malicious domains part of the campaign’s infrastructure:
rumyniaonline .ru – 84.22.100.108
denegnashete .ru – 84.22.100.108
dimabilanch .ru – 84.22.100.108
ioponeslal .ru – 84.22.100.108
moskowpulkavo .ru – 84.22.100.108
omahabeachs .ru – 84.22.100.108
uzoshkins .ru – 84.22.100.108
sectantes-x .ru – 84.22.100.108
... Name servers part of the campaign’s infrastructure:
ns1.denegnashete .ru – 62.76.190.50
ns2.denegnashete .ru – 87.120.41.155
ns3.denegnashete .ru – 132.248.49.112
ns4.denegnashete .ru – 91.194.122.8
ns5.denegnashete .ru – 62.76.188.246
ns6.denegnashete .ru – 178.63.51.54 ..."
___

Rogue Bad Piggies ...
- http://blog.trendmicro.com/trendlab...velopers-released-rogue-bad-piggies-versions/
Oct 15, 2012 - "... Right after reports of malicious Bad Piggies on Google Chrome webstore circulated, we found that certain developers also released their own, albeit rogue versions of the said gaming app. On the heels of Bad Piggies‘ launch last month, we saw rogue versions of the game on specific web pages hosted on Russian domains. However, these versions are -not- affiliated at all with the game. Based on our analysis, these apps are verified as malicious, specifically premium service abusers, which send SMS messages without user consent and leave users with unnecessary charges... During our research, we used the keyword “Bad Piggies” and encountered 48 Russian domains. Among these sites is piggies-{BLOCKED}d .ru, which appears as an app download page.
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2012/10/roguebadpiggies_website.jpg
... site offers the said app on different platforms. Instead of the actual Bad Piggies app, users instead download a malicious .APK file detected as ANDROIDOS_FAKEINST.A. Once installed, it creates a shortcut on the device’s homepage and sends SMS messages to specific numbers. As mentioned, these messages are sent without user consent and may cause users to pay extra for something they didn’t authorize... ANDROIDOS_FAKEINST.A has the ability to obfuscate its codes via inserting junk codes and encrypting the strings and decrypting it upon execution. It also replaces all class/method/field name with meaningless strings thus making analysis difficult... Bad Piggies is a spinoff of the highly popular Angry Bird franchise and its release enjoyed good coverage from popular media. Such is also the case with the malicious Instagram and Angry Birds Space... To victimize as many users as possible, shady developers and certain crooks created rogue versions to take advantage of these apps’ popularity and their media exposure. Russian domains also appear to be the favorite among rogue apps developers. Beginning this year up to July, we already blocked more than 6,000 mobile app pages hosted on .RU domains... an increase compared to last year’s 2,946 blocked sites. To lead users to these sites, the people behind these apps spread the links via forum, blog posts or email. To prevent downloading a fake (or worse, a malware disguised as an app) users should stick to legitimate app stores like Google Play..."
___

eBay phishers update branding...
- http://www.gfi.com/blog/ebay-phishers-update-their-branding/
Oct 15, 2012 - "... be aware that not only have eBay updated their logo for the first time since 1995, some scammers have also been quick out of the blocks to rejig their phishing scams and paste in the new logo accordingly. Here’s a scammer who hasn’t quite grasped the concept of “You’re horribly outdated” yet:
> http://www.gfi.com/blog/wp-content/uploads/2012/10/fakebay_new2.jpg
... here’s a scammer who clearly keeps up with the news and probably owns a gold plated yacht and maybe a Unicorn as a result:
> http://www.gfi.com/blog/wp-content/uploads/2012/10/fakebay_new1.jpg
... It probably won’t be long before most (if not all) phishers start using the new logo, but for the time being at least some phish attempts will be a little easier to spot for the average end-user. Of course, avid eBay users can also visit their Security Center* and keep up to date with all the latest shenanigans."
* http://pages.ebay.com/securitycenter/index.html

:fear::fear: :mad:
 
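The block lists quoted in this thread (the "Blackhole sites to block" post and the UPS campaign infrastructure list above) are written in defanged form: a space before the TLD, "[donotclick]" prefixes, spaces inside paths, "hxxp ://" schemes and "(hoster, country)" annotations. Before any of that can go into a proxy block list or be matched against logs it has to be normalized. The following is an added example, not code from this thread or from any of the quoted blogs: it refangs indicator lines copied from the posts above, classifies each as IP, domain or URL, and checks them against Squid-native-format proxy log lines that are constructed for the example (the example.com entry, the "some-hacked-host" entry and all function names are constructed).

```python
"""Normalize defanged indicators from the thread and match them against
proxy log lines.  Added example; not code from any of the quoted blogs."""
import re
from ipaddress import ip_address
from urllib.parse import urlsplit

# Indicator lines in the forms used in the thread (copied from the posts
# above; the set itself is a constructed sample, not a complete list).
RAW_INDICATORS = """
183.81.133.121
198.136.53.39
68.67.42.41 (Fibrenoire , Canada)
inklingads .biz
[donotclick]108.61.57.66 /links/assure_numb_ engineers .php
[donotclick]windowsmobilever .ru:8080/forum/links/column.php
rumyniaonline .ru – 84.22.100.108
ns1.denegnashete .ru – 62.76.190.50
hxxp ://malorita-hotel .by/wp-config.htm
"""

# Constructed Squid native-format log lines (time elapsed client code/status
# bytes method URL ident peerstatus/peerhost type). Not real traffic.
LOG_LINES = [
    "1350000000.123 234 10.0.0.5 TCP_MISS/200 1234 GET http://inklingads.biz/detects/invite-request_checking.php - DIRECT/183.81.133.121 text/html",
    "1350000001.456 120 10.0.0.7 TCP_MISS/200 5120 GET http://www.example.com/index.html - DIRECT/93.184.216.34 text/html",
    "1350000002.789 310 10.0.0.9 TCP_MISS/200 777 GET http://windowsmobilever.ru:8080/forum/links/column.php - DIRECT/68.67.42.41 text/html",
    "1350000003.001 90 10.0.0.9 TCP_MISS/200 300 GET http://108.61.57.66/links/assure_numb_engineers.php - DIRECT/108.61.57.66 text/html",
    "1350000004.222 150 10.0.0.11 TCP_MISS/200 640 GET http://some-hacked-host.example.net/links/assure_numb_engineers.php - DIRECT/183.81.133.121 text/html",
]


def refang(token):
    """Undo the thread's defanging: drop '[donotclick]', close the gaps
    inserted before TLDs and inside paths, and restore the 'http' scheme."""
    t = token.replace("[donotclick]", "")
    t = re.sub(r"\s+", "", t)
    return re.sub(r"^hxxp", "http", t)


def classify_host(host):
    """'ip' if the host parses as an IP address, otherwise 'domain'."""
    try:
        ip_address(host)
        return "ip"
    except ValueError:
        return "domain"


def parse_indicator_line(line):
    """Return the set of (kind, value) indicators carried by one line."""
    found = set()
    line = re.sub(r"\([^)]*\)", "", line)        # drop "(hoster, country)" notes
    for part in re.split(r"\s[–-]\s", line):     # "domain .tld – 1.2.3.4" has two
        token = refang(part)
        if not token:
            continue
        if re.match(r"^https?://", token) or "/" in token or ":" in token:
            url = token if re.match(r"^https?://", token) else "http://" + token
            host = urlsplit(url).hostname
            found.add(("url", url))
            found.add((classify_host(host), host))   # host is an indicator on its own
        else:
            found.add((classify_host(token), token))
    return found


def load_indicators(text):
    indicators = set()
    for line in text.splitlines():
        if line.strip():
            indicators |= parse_indicator_line(line)
    return indicators


def match_log_line(line, indicators):
    """List which indicator kinds a log line hits: exact URL, requested
    host (domain or IP), and the server actually contacted ('peer')."""
    fields = line.split()
    url, peer = fields[6], fields[8]
    host = urlsplit(url).hostname
    peer_ip = peer.split("/", 1)[1]
    hits = []
    if ("url", url) in indicators:
        hits.append("url")
    kind = classify_host(host)
    if (kind, host) in indicators:
        hits.append(kind)
    if ("ip", peer_ip) in indicators:
        hits.append("peer")
    return hits


def scan_logs(lines, indicators):
    """Map each log line's timestamp to the indicator kinds it hit."""
    return {line.split()[0]: match_log_line(line, indicators) for line in lines}


if __name__ == "__main__":
    for ts, hits in scan_logs(LOG_LINES, load_indicators(RAW_INDICATORS)).items():
        print(ts, hits or "clean")
```

The "peer" check is the one that matters for the point several of the quoted posts make: the malicious hostnames rotate (and some are "malicious subdomains of legitimate hacked domains"), so a request to an unknown host still lights up when the server it resolved to is one of the listed IPs, as the last constructed log line shows.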
SPAM, SPAM, and more SPAM ...

FYI...

Wire Transfer SPAM / hotsecrete .net
- http://blog.dynamoo.com/2012/10/wire-transfer-spam-hotsecretenet.html
16 Oct 2012 - "This fake wire transfer spam leads to malware on hotsecrete .net:
From: Federal Information System [mailto:highjackingucaf10@atainvest.com]
Sent: 16 October 2012 15:59
Subject: Wire Transfer accepted
We have successfully done the following transfer:
________________________________________
Item #: 35043728
Amount: $16,861.99
To: Anthony Glover
Fee: 29.00
Send on Date: 10/16/2012
Service: Domestic Wire
________________________________________
If there is a problem with processing your request we would report to you both by email and on the Manage Accounts tab. You can always check your transfer status via this link Sincerely,
Federal Reserve Bank Automate Notify System
*********************************************
Email Preferences
This is a service warning from Federal Reserve Bank. Please note that you may receive notification note in accordance with your service agreements, whether or not you elect to receive promotional email.
=============================================
Federal Reserve Bank Email, 8th Floor, 170 Seashore Tryon, Ave., Charlotte, TX 89936-0001 Federal Reserve Bank.


The malicious payload is found at [donotclick]hotsecrete .net/detects/exclude-offices_details_warm.php hosted on 183.81.133.121 (Vodafone, Fiji) which is a well-known malicious IP address that you should block."
___

LinkedIn SPAM / 74.91.112.86
- http://blog.dynamoo.com/2012/10/linkedin-spam-749111286.html
16 Oct 2012 - "This fake LinkedIn spam leads to malware on 74.91.112.86:
From: LinkedIn.Invitations [mailto:1F31A2F6B@delraybeachhomesales.com]
Sent: 16 October 2012 13:50
To: [redacted]
Subject: New invitation is waiting for your response
Hi [redacted],
David sent you an invitation to connect 13 days ago. How would you like to respond?
Accept Ignore Privately
Hilton Suarez
Precision Castparts (Distributor Sales Manager EMEA)
You are receiving Invitation emails. Unsubscribe.
This email was intended for [redacted].
Learn why we included this.
2012, LinkedIn Corporation. 2029 Stierlin Ct. Mountain View, CA 94043, USA


The malicious payload is on [donotclick]74.91.112.86 /links/assure_numb_engineers.php hosted by Nuclearfallout Enterprises in the US (no surprises there)."
___

Facebook SPAM / o.anygutterkings .com
- http://blog.dynamoo.com/2012/10/facebook-spam-oanygutterkingscom.html
15 Oct 2012 - "This fake Facebook spam leads to malware on o.anygutterkings .com:
Date: Mon, 15 Oct 2012 20:02:21 +0200
From: "FB Account"
Subject: Facebook account
facebook
Hi [redacted],
You have blocked your Facebook account. You can reactivate your account whenever you wish by logging into Facebook with your former login email address and password. Subsequently you will be able to take advantage of the site as before
Kind regards,
The Facebook Team
Sign in to Facebook and start connecting ...
Please use the link below to resume your account ...
This message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future, please click: unsubscribe.
Facebook, Inc. Attention: Department 415 P.O Box 10005 Palo Alto CA 94303


Other subjects are: "Account blocked" and "Account activated"
The payload is at [donotclick]o.anygutterkings .com/links/assure_numb_engineers.php hosted on 198.136.53.38 (Comforthost, US)..."

- http://www.gfi.com/blog/this-spam-gives-recipients-a-second-chance/
Oct 16, 2012 - "... another Blackhole-Zeus-related threat... ignore and delete this Facebook spam..."
> http://www.gfi.com/blog/wp-content/uploads/2012/10/FB_1015.png
___

Intuit SPAM / navisiteseparation .net
- http://blog.dynamoo.com/2012/10/intuit-spam-navisiteseparationnet.html
15 Oct 2012 - "This fake Intuit spam leads to malware on navisiteseparation .net:
Date: Mon, 15 Oct 2012 15:20:13 -0300
From: "Intuit GoPayment" [crouppywo4@deltamar.net]
Subject: Welcome - you're accepted for Intuit GoPayment
Congratulations!
GoPayment Merchant by Intuit request for ONTIMEE ADMINISTRATION, Inc. has been ratified.
GoPayment
Account Number: XXXXXXXXXXXXXX55
Email Address: [redacted]
PLEASE NOTE : Associated charges for this service may be applied now.
Next step: View or confirm your Access ID
This is {LET:User ID lets you:
Review your payment service in the Merchant Center
Review charges
Log In to other Intuit products you may use, like TurboTax, Quicken, and Intuit Payroll
The good news is we found an existing Intuit account for your email address, You can use this ID for your payment service also, or enter a new one.
Verify Access ID
Get started:
Step 1: If you have not still, download the Intuit software.
Step 2: Launch the Intuit application and sign in with the Access ID (your email address) and Password you setup.
Easy Manage Your Intuit GoPayment Account
The GoPayment Merchant Service by Intuit Center is the web site where you can learn more about GoPayment features, customize your sales receipt and add GoPayment users. You can also view transactions, deposits and fees. Visit url and sign in with your GoPayment AccesID (your email address) and Password.
For more information on how to start using GoPayment Merchant by Intuit, including tutorials, FAQs and other resources, visit the Merchant Service Center at service link.
Please don't reply to this message. auto informer system unable to accept incoming messages.
System Terms & Agreements © 2008-2012 Intuit, INC. All rights reserved.


... Sample subjects:
Congrats - you're accepted for Intuit GoPayment Merchant
Congratulations - you're approved for Intuit Merchant
Congrats - you're approved for GoPayment Merchant
Welcome - you're accepted for Intuit GoPayment
The malicious payload is at [donotclick]navisiteseparation .net/detects/processing-details_requested.php hosted on 183.81.133.121 (Vodafone, Fiji). The good news is that the domain has been suspended by the registrar, but that IP address has been used many times recently and should be blocked if you can."
___

Copies of Policies SPAM / linkrdin .ru
- http://blog.dynamoo.com/2012/10/copies-of-policies-spam-linkrdinru.html
15 Oct 2012 - "Another "Copies of Policies" spam, this time leading to malware on linkrdin .ru:
From: [support@victimdomain.com]
Date: 15 October 2012 07:15
Subject: RE: SANTOS - Copies of Policies.
Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.
Here is the Package and Umbrella,
and a copy of the most recent schedule.


The malicious payload is on [donotclick]linkrdin .ru:8080/forum/links/column.php ... hosted on the same IPs as this spam:
68.67.42.41 (Fibrenoire, Canada)
79.98.27.9 (UAB Interneto Vizija, Lithuania)
203.80.16.81 (MYREN, Malaysia) ..."

:mad::mad: :fear:
 
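Nearly every sample in this post and the ones above shares one tell: a From header whose display name claims a brand (LinkedIn, ADP, Intuit, eFax, Facebook) while the actual address sits on an unrelated domain. That is cheap to check at the gateway. The following is an added example, not code from this thread or from any of the quoted blogs: it parses From lines copied from the posts above and flags brand/domain mismatches. The BRAND_DOMAINS table is a constructed stand-in for an organisation's own allow-list (it is not an authoritative list of those brands' sending domains), and the function names are constructed.

```python
"""Flag brand-impersonating From: headers.  Added example; the brand table
is a constructed stand-in, not an authoritative list."""
import re

# Constructed allow-list: brands the organisation expects mail from and the
# sender domains it will accept for them. Replace with your own data.
BRAND_DOMAINS = {
    "linkedin": {"linkedin.com"},
    "adp": {"adp.com"},
    "intuit": {"intuit.com"},
    "facebook": {"facebookmail.com", "facebook.com"},
    "amazon": {"amazon.com"},
    "efax": {"efax.com"},
    "paypal": {"paypal.com"},
}

# Matches the two header shapes quoted in the thread:
#   From: Name [mailto:addr]      and      From: "Name" [addr]
FROM_RE = re.compile(
    r'^From:\s*"?(?P<display>[^"\[<]*?)"?\s*[\[<](?:mailto:)?(?P<addr>[^\]>]+)[\]>]'
)


def parse_from(header):
    """Return (display name, address, sender domain) or None if no address."""
    m = FROM_RE.match(header)
    if not m:
        return None
    display = m.group("display").strip()
    addr = m.group("addr").strip().lower()
    return display, addr, addr.rsplit("@", 1)[-1]


def claimed_brands(display):
    """Brand names that appear as words in the display name."""
    words = re.findall(r"[a-z0-9]+", display.lower())
    return {w for w in words if w in BRAND_DOMAINS}


def domain_belongs_to(domain, brand):
    allowed = BRAND_DOMAINS[brand]
    return domain in allowed or any(domain.endswith("." + d) for d in allowed)


def check_from(header):
    """Verdict for one From: line."""
    parsed = parse_from(header)
    if parsed is None:
        return "unparsed"            # no address at all: treat as suspicious upstream
    display, addr, domain = parsed
    # A display name that is itself an address on another domain is a
    # classic trick; catch it before the brand check.
    if "@" in display and display.rsplit("@", 1)[-1].lower() != domain:
        return "display-address-mismatch"
    brands = claimed_brands(display)
    if not brands:
        return "no-brand"
    if any(domain_belongs_to(domain, b) for b in brands):
        # The domain is right, but only SPF/DKIM/DMARC can say the mail
        # really came from it; the Amazon sample below is spoofed.
        return "brand-domain-match"
    return "brand-mismatch"


def triage(headers):
    return {h: check_from(h) for h in headers}


# From lines copied from the posts above, plus one constructed line.
SAMPLES = [
    "From: LinkedIn Notification [mailto:hewedngq6@omahahen.org]",
    "From: ADP.Security [mailto:5BC4F06B@act4kids.net]",
    'From: "ADP.Message" [986E3877@dixys.com]',
    'From: "Amazon.com" [account-update@amazon.com]',
    "From: eFax Corporate [mailto:05EBD8C@poshportraits.com]",
    "From: Federal Information System [mailto:highjackingucaf10@atainvest.com]",
    'From: "Intuit GoPayment" [crouppywo4@deltamar.net]',
    'From: "FB Account"',
    'From: "alerts@adp.com" [mailto:x@dixys.com]',   # constructed
]

if __name__ == "__main__":
    for header, verdict in triage(SAMPLES).items():
        print(f"{verdict:26} {header}")
```

The "Amazon.com" sample is the caveat: the spammer simply used amazon.com as the envelope address, so a display-name heuristic passes it. That case is only caught by checking SPF, DKIM and DMARC results on the message, which is why the verdict is "brand-domain-match" rather than "clean".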
Fake AA, Amazon emails serve BlackHole Exploit kit

FYI...

Fake American Airlines emails serve BlackHole Exploit kit ...
- http://blog.webroot.com/2012/10/17/...ed-emails-lead-to-the-black-hole-exploit-kit/
Oct 17, 2012 - "... cybercriminals launched yet another massive spam campaign, this time impersonating American Airlines in an attempt to trick its customers into clicking on a malicious link found in the mail. Upon clicking on the link, users are exposed to the client-side exploits served by the BlackHole Exploit Kit v2.0...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress...l_exploits_malware_black_hole_exploit_kit.png
Spamvertised compromised URL: hxxp ://malorita-hotel .by/wp-config.htm
Detection rate for a sample Java script redirection: American_Airlines.html – MD5: 7b23a4c26b031bef76acff28163a39c5* ...JS/Exploit-Blacole.gc; JS:Blacole-CF [Expl]
Sample client-side exploits serving URL: hxxp ://omahabeachs .ru:8080/forum/links/column.php
We’ve already seen the same malicious email used in the previously profiled “Cybercriminals impersonate -UPS-, serve client-side exploits and malware” campaign, clearly indicating that these campaigns are launched by the same cybercriminal/gang of cybercriminals..."
* https://www.virustotal.com/file/68d...aa10354986c8fe45ca6bfb48/analysis/1349016199/
File name: American_Airlines.html
Detection ratio: 9/42
Analysis date: 2012-09-30
___

Fake Amazon emails serve BlackHole Exploit kit ...
- http://blog.webroot.com/2012/10/16/...mails-serve-client-side-exploits-and-malware/
Oct 16, 2012 - "... cybercriminals have been spamvertising millions of emails impersonating Amazon.com in an attempt to trick customers into thinking that they’ve received a Shipping Confirmation for a Vizio XVT3D04, HD 40-Inch 720p 100 Hz Cinema 3D LED-LCD HDTV FullHD and Four Pairs of 3D Glasses. Once users click on any of the links found in the malicious email, they’re automatically exposed to the client-side exploits served by the latest version of the Black Hole Exploit kit...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress...m_malware_exploits_black_hole_exploit_kit.png
... Second screenshot of the spamvertised email impersonating Amazon.com Inc:
> https://webrootblog.files.wordpress...alware_exploits_black_hole_exploit_kit_01.png
Once users click on the links found in the malicious email, they’re presented with the following bogus “Page loading…” page:
> https://webrootblog.files.wordpress...alware_exploits_black_hole_exploit_kit_02.png
Sample subjects used in the spamvertised emails:
Re: HD TV Waiting on delivery Few hours ago;
Your HDTV Delivered Now;
Re: HDTV Processed Yesterday;
Re: Order Processed Today;
Your Order Approved Few hours ago ...
Sample detection rate for the malicious Java script: – Amazon.html – MD5: a8af3b2fba56a23461f2cc97a7b97830* ... JS/Obfuscus.AACB!tr; Trojan-Downloader.JS.Expack.ael
Once a successful client-side exploitation takes place, the BlackHole Exploit kit drops a malicious PDF file with MD5: 9a22573eb991a3780791a2df9c55ddab* that’s exploiting the CVE-2010-0188 vulnerability."
* https://www.virustotal.com/file/474...30a65bc5d9e251bdf7c5c353/analysis/1349014600/
File name: Amazon.html
Detection ratio: 20/43
Analysis date: 2012-09-30
___

Spoofed WebEx, PayPal Emails lead to Rogue Flash Update
- http://blog.trendmicro.com/trendlab...bex-paypal-emails-lead-to-rogue-flash-update/
Oct 16, 2012 - "... Last week, we received two spoofed emails that redirect users to a fake Adobe Flash Player update. These messages use different approaches to lure users into downloading the malicious file update_flash_player.exe (detected as TSPY_FAREIT.SMC).
The first email is disguised as a WebEx email containing an HTM attachment. Once users execute this attachment, they are led to a malicious site hosting TSPY_FAREIT.SMC. Employees may be tricked into opening this as it appears to be an alert coming from a business tool they often use...
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2012/10/FakeWebex_email.jpg
The second sample, on the other hand, is a spoofed PayPal email that features transaction details.
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2012/10/PayPal_phishingemail.jpg
Curious users who click these details are then directed to the webpage hosting the rogue Flash update file... Once executed, TSPY_FAREIT.SMC drops a variant of the infamous banking malware ZeuS/ZBOT, specifically TSPY_ZBOT.AMM and TSPY_ZBOT.LAG. If you may recall, this malware family is known for its information theft routines. These variants are specifically crafted to steal online banking credentials such as usernames, passwords, and other important account details. This stolen information is then used to initiate transactions without users' knowledge or is peddled in the underground market for the right price... The use of WebEx in these spoofed emails is also fishy (phishy?). WebEx is a popular business conference/meeting technology in the corporate world... We believe that the perpetrators of this threat are likely targeting businesses and employees...
Update... We observed a blackhole exploit kit (BHEK) spam run mimicking Facebook notification that leads to the site hosting another rogue Flash Player update (detected as TSPY_FAREIT.AMM) that drops ZeuS/ZBOT variants... expect that such spam runs won’t be fading soon... these attacks are continuing at full speed... users are advised to be continuously extra careful with clicking links on email messages."

:mad::mad:
 
Fake Traffic Ticket SPAM - and more...

FYI...

NY Traffic Ticket SPAM / kennedyana .ru
- http://blog.dynamoo.com/2012/10/ny-traffic-ticket-spam-kennedyanaru.html
18 Oct 2012 - "This fake Traffic Ticket spam leads to malware on kennedyana .ru:
Date: Wed, 17 Oct 2012 03:59:44 +0600
From: sales1@[redacted]
To: [redacted]
Subject: Fwd: NY TRAFFIC TICKET
New-York Department of Motor Vehicles
TRAFFIC TICKET
NEW-YORK POLICE DEPARTMENT
THE PERSON CHARGED AS FOLLOWS
Time: 5:16 AM
Date of Offense: 21/01/2012
SPEED OVER 50 ZONE
TO PLEAD CLICK HERE AND FILL OUT THE FORM


The malicious payload is on [donotclick]kennedyana .ru:8080/forum/links/column.php hosted on the following IPs:
68.67.42.41 (Fibrenoire, Canada)
72.18.203.140 (Las Vegas NV Datacenter, US)
203.80.16.81 (MYREN, Malaysia) ..."
___

Fake Intuit 'Payroll Confirmation inquiry’ emails lead to the BlackHole exploit kit
- http://blog.webroot.com/2012/10/18/...ed-emails-lead-to-the-black-hole-exploit-kit/
Oct 18, 2012 - "...two consecutive massive email campaigns, impersonating Intuit Payroll’s Direct Deposit Service system, in an attempt to trick end and corporate users into clicking on the malicious links found in the mails. Upon clicking on -any- of links found in the emails, users are exposed to the client-side exploits served by the latest version of the BlackHole exploit kit...
Sample screenshot of the first spamvertised campaign:
> https://webrootblog.files.wordpress.com/2012/10/intuit_spam_exploits_black_hole_exploit_kit.png
Upon clicking on the links found in the malicious emails, users are exposed to the following bogus “Page loading…” screen:
> https://webrootblog.files.wordpress.com/2012/10/intuit_spam_exploits_black_hole_exploit_kit_01.png
Screenshots of the second spamvertised campaign:
> https://webrootblog.files.wordpress.com/2012/10/intuit_spam_exploits_black_hole_exploit_kit_02.png
... Both of these malicious domains used to respond to 183.81.133.121; 195.198.124.60; 203.91.113.6. More malicious domains that are part of the campaign's infrastructure are known to have responded to the same IPs... Detection rate, MD5: 5723f92abf257101be20100e5de1cf6f * ... Gen:Variant.Kazy.96378; Worm.Win32.Cridex.js, MD5: 06c6544f554ea892e86b6c2cb6a1700c ** ... Trojan.Win32.Buzus.mecu; Worm:Win32/Cridex.B..."
* https://www.virustotal.com/file/64e...c36d7cfea2f5bc46dcf56d03f280f024bb3/analysis/
File name: contacts.exe
Detection ratio: 17/43
Analysis date: 2012-09-29
** https://www.virustotal.com/file/ee3...9eec04532d3054e76102dd6750ef132d907/analysis/
File name: virussign.com_06c6544f554ea892e86b6c2cb6a1700c.exe
Detection ratio: 33/43
Analysis date: 2012-10-19
___

Adbobe CS4 SPAM / leprasmotra .ru
- http://blog.dynamoo.com/2012/10/adbobe-cs4-spam-leprasmotraru.html
18 Oct 2012 - "This fake Adobe spam leads to malware on leprasmotra.ru:
Date: Thu, 18 Oct 2012 10:00:26 -0300
From: "service@paypal.com" [service@paypal.com]
Subject: Order N04833
Good morning,
You can download your Adobe CS4 License here -
We encourage you to explore its new and enhanced capabilities with these helpful tips, tutorials, and eSeminars.
Thank you for buying Adobe InDesign CS4 software.
Adobe Systems Incorporated


The malicious payload is at [donotclick]leprasmotra .ru:8080/forum/links/column.php hosted on:
72.18.203.140 (Las Vegas NV Datacenter, US)
203.80.16.81 (MYREN, Malaysia)
209.51.221.247 (eNET, US)
Blocking access to those IPs is recommended."
___

LinkedIn SPAM / 64.111.24.162
- http://blog.dynamoo.com/2012/10/linkedin-spam-6411124162.html
17 Oct 2012 - "This fake LinkedIn spam leads to malware on 64.111.24.162:
From: LinkedIn.Invitations [mailto:8B44145D0@bhuna.net]
Sent: 17 October 2012 10:06
Subject: New invitation is waiting for your response
Hi [redacted],
User sent you an invitation to connect 6 days ago. How would you like to respond?
Accept Ignore Privately
Alexis Padilla
C.H. Robinson Worldwide (Sales Director)
You are receiving Invitation emails. Unsubscribe.
This email was intended for [redacted].
Learn why we included this.
2012, LinkedIn Corporation. 2029 Stierlin Ct. Mountain View, CA 94043, USA


The malicious payload is at [donotclick]64.111.24.162 /links/assure_numb_engineers.php allocated to Data 102 in the US and then suballocated to:
network:Network-Name:Buzy Bee Hosting /27
network:IP-Network:64.111.24.160/27
network:IP-Network-Block:64.111.24.160 - 64.111.24.191
network:Org-Name:Buzy Bee Hosting
network:Street-Address:1451 North Challenger Dr
network:City:Pueblo West
network:State:CO
network:Postal-Code:81007
network:Country-Code:US
... Blocking the IP (and possibly the /27 block) is probably wise.
___

Amazon.com SPAM / sdqhfckuri .ddns.info and ultjiyzqsh .ddns.info
- http://blog.dynamoo.com/2012/10/amazoncom-spam-sdqhfckuriddnsinfo.html
17 Oct 2012 - "This fake Amazon.com spam leads to malware on sdqhfckuri .ddns.info and ultjiyzqsh .ddns.info:
From: Amazon.Com [mailto:pothooknw@tcsn.net]
Sent: 17 October 2012 06:54
Subject: Your Amazon.com order of "Bulova Men's 94B316 Precisionist Claremont Brown Leather Watch" has shipped!
Importance: High
Gift Cards
| Your Orders
| Amazon.com
Shipping Confirmation
Order #272-3140048-4213404
Hello,
Thank you for shopping with us. We thought you'd like to know that we shipped your gift, and that this completes your order. Your order is on its way, and can no longer be changed. If you need to return an item from this shipment or manage other orders, please visit Your Orders on Amazon.com.
Your estimated delivery date is:
Tuesday, October 9, 2012
Your package is being shipped by UPS and the tracking number is 1ZX305712324670208. Depending on the ship speed you chose, it may take 24 hours for your tracking number to return any information.
Shipment Details
Bulova Men's 94B316 Precisionist Claremont Brown Leather Watch
Sold by Amazon.com LLC (Amazon.com) $109.95
Item Subtotal: $109.95
Shipping & Handling: $0.00
Total Before Tax: $109.95
Shipment Total: $109.95
Paid by Visa: $109.95
Returns are easy. Visit our Online Return Center.
If you need further assistance with your order, please visit Customer Service.
We hope to see you again soon!
Amazon.com
This email was sent from a notification-only address that cannot accept incoming email. Please do not reply to this message.


The malicious payload is at [donotclick]sdqhfckuri .ddns.info/links/calls_already_stopping.php or [donotclick]ultjiyzqsh .ddns.info/links/calls_already_stopping.php hosted on 37.230.117.4 (The First CJSC, Russia).
Added: snfgrhoykdcb.ddns.info and jdrxnlbyweco.ddns.info are also being used in this attack, although they do not resolve at present.
Blocking .ddns.info and .ddns.name domains will probably not spoil your day. Blocking the 37.230.116.0/23 range might not either..."
___

Take a critical look at DNS blocking...
- http://h-online.com/-1731993
18 Oct 2012

:mad::mad:
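Several of the spam runs quoted above share hosting (the same IPs turn up behind kennedyana .ru and leprasmotra .ru) and the same landing-page path shape (:8080/forum/links/column.php, or /links/<words>.php), which is what makes the dynamoo.com IP lists useful beyond any single campaign. The Python below is an added example, not code from the dynamoo.com posts or from the forum poster: it takes the IPs, domains, ranges and paths quoted above, reports which IPs host more than one run, and then runs that block logic over a few proxy-log lines. The log format and the sample lines are constructed for the example and are not real traffic.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Hosting IPs per spam run, as quoted in the dynamoo.com write-ups above.
CAMPAIGN_IPS = {
    "NY traffic ticket / kennedyana.ru": ["68.67.42.41", "72.18.203.140", "203.80.16.81"],
    "Adobe CS4 / leprasmotra.ru": ["72.18.203.140", "203.80.16.81", "209.51.221.247"],
    "LinkedIn / 64.111.24.162": ["64.111.24.162"],
    "Amazon.com / *.ddns.info": ["37.230.117.4"],
}
IOC_DOMAINS = {
    "kennedyana.ru", "leprasmotra.ru",
    "sdqhfckuri.ddns.info", "ultjiyzqsh.ddns.info",
    "snfgrhoykdcb.ddns.info", "jdrxnlbyweco.ddns.info",
}
# Wider blocks the posts suggest: the suballocated /27, the /23 around 37.230.117.4,
# and the dynamic-DNS zones used by the Amazon run.
BLOCKED_NETWORKS = [ipaddress.ip_network("64.111.24.160/27"),
                    ipaddress.ip_network("37.230.116.0/23")]
BLOCKED_DNS_SUFFIXES = (".ddns.info", ".ddns.name")

# Landing-page paths seen across the runs: /forum/links/column.php and /links/<words>.php
LANDING_PATH = re.compile(r"^(?:/forum/links/column\.php|/links/[a-z_\-]+\.php)$")


def shared_infrastructure(campaign_ips=CAMPAIGN_IPS):
    """IPs that host two or more distinct spam runs -> {ip: [campaign names]}."""
    hosts = defaultdict(set)
    for name, ips in campaign_ips.items():
        for ip in ips:
            hosts[ip].add(name)
    return {ip: sorted(names) for ip, names in hosts.items() if len(names) > 1}


def host_block_reason(host):
    """Why a URL host should be blocked, or None if it is on no list."""
    host = (host or "").lower().rstrip(".")
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:  # not an IP literal: check the domain lists
        if host in IOC_DOMAINS:
            return "ioc-domain"
        if host.endswith(BLOCKED_DNS_SUFFIXES):
            return "blocked-dns-suffix"
        return None
    if any(addr == ipaddress.ip_address(ip) for ips in CAMPAIGN_IPS.values() for ip in ips):
        return "ioc-ip"
    if any(addr in net for net in BLOCKED_NETWORKS):
        return "blocked-range"
    return None


# Constructed proxy-log format (an assumption for this example): "<ts> <client> <method> <url> <status>"
LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


def classify_request(url):
    """Reasons a request looks like one of these runs; empty list when clean."""
    parts = urlsplit(url)
    reasons = []
    why = host_block_reason(parts.hostname)
    if why:
        reasons.append(why)
    if LANDING_PATH.match(parts.path):
        reasons.append("bhek-landing-path")
    return reasons


def flag_proxy_log(text):
    """Parse log lines and return [(client, url, reasons)] for those that matched."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        reasons = classify_request(m["url"])
        if reasons:
            hits.append((m["client"], m["url"], reasons))
    return hits


# Constructed sample log, not real traffic; hosts and paths mirror the indicators above.
SAMPLE_LOG = """\
2012-10-18T09:12:03Z 10.1.2.3 GET http://kennedyana.ru:8080/forum/links/column.php 200
2012-10-17T06:55:10Z 10.1.2.7 GET http://64.111.24.170/links/assure_numb_engineers.php 200
2012-10-17T07:01:44Z 10.1.2.9 GET http://www.example.com/index.html 200
2012-10-17T07:02:15Z 10.1.2.9 GET http://ultjiyzqsh.ddns.info/links/calls_already_stopping.php 404
2012-10-17T07:03:00Z 10.1.2.9 GET http://203.80.16.81/ 200
"""

if __name__ == "__main__":
    for ip, runs in shared_infrastructure().items():
        print(f"{ip} hosts {len(runs)} runs: {', '.join(runs)}")
    for client, url, reasons in flag_proxy_log(SAMPLE_LOG):
        print(f"{client} -> {url}  [{', '.join(reasons)}]")
```

The second sample line is deliberately an IP inside the /27 that is not itself on the list, to show why dynamoo suggests blocking the whole suballocation; the 404 on the fourth line still counts, since a blocked-but-attempted request is the one you want to see in a hunt.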
 
Fake Facebook direct messages - malware campaign

FYI...

Fake Facebook direct messages - malware campaign ...
- http://blog.webroot.com/2012/10/19/...facebook-direct-messages-spotted-in-the-wild/
Oct 19, 2012 - "... one of my Facebook friends sent me a direct message indicating that his host has been compromised, and is currently being used to send links to a malicious .zip archive through direct messages to all of his Facebook friends...
Sample screenshot of the spamvertised direct download link:
> https://webrootblog.files.wordpress.com/2012/10/facebook_direct_message_malware_campaign.png
... All of these redirect to hxxp://74.208.231.61 :81/l.php – tomascloud .com – AS8560... user is exposed to a direct download link of Picture15 .JPG .zip.
Detection rate: MD5: dfe23ad3d50c1cf45ff222842c7551ae * ... Trojan.Win32.Bublik.iez; Worm:Win32/Slenfbot..."
* https://www.virustotal.com/file/a6a...b7e07393745af89bcc41dc59/analysis/1349355521/
File name: Picture15-JPG.scr
Detection ratio: 20/43
Analysis date: 2012-10-04 ..."
___

LinkedIn SPAM / cowonhorse .co
- http://blog.dynamoo.com/2012/10/linkedin-spam-cowonhorseco.html
19 Oct 2012 - "This fake LinkedIn spam leads to malware on cowonhorse .co:
From: LinkedIn.Invitations [mailto:4843D050@pes.sau48.org]
Sent: Fri 19/10/2012 10:29
Subject: Invitation
Hi [redacted],
User sent you an invitation to connect 6 days ago. How would you like to respond?
Accept Ignore Privately
Estelle Garrison
Interpublic Group (Executive Director Marketing PPS)
You are receiving Invitation emails. Unsubscribe.
This email was intended for [redacted].
Learn why we included this.
2012, LinkedIn Corporation. 2029 Stierlin Ct. Mountain View, CA 94043, USA
==========
From: LinkedIn.Invitations [mailto:43DD0F0@cankopy.com]
Sent: Fri 19/10/2012 11:39
Subject: New invitation
Hi [redacted],
User sent you an invitation to connect 14 days ago. How would you like to respond?
Accept Ignore Privately
Carol Parks
Automatic Data Processing (Divisional Finance Director)
You are receiving Invitation emails. Unsubscribe.
This email was intended for [redacted].
Learn why we included this.
2012, LinkedIn Corporation. 2029 Stierlin Ct. Mountain View, CA 94043, USA
==========
From: LinkedIn.Invitations [mailto:3A1665D92@leosanches.com]
Sent: Fri 19/10/2012 12:28
Subject: Invitation
Hi [redacted],
User sent you an invitation to connect 6 days ago. How would you like to respond?
Accept Ignore Privately
Rupert Nielsen
O'Reilly Automotive (Head of Non-Processing Infrastructure)
You are receiving Invitation emails. Unsubscribe.
This email was intended for [redacted].
Learn why we included this.
2012, LinkedIn Corporation. 2029 Stierlin Ct. Mountain View, CA 94043, USA


The malicious payload is on [donotclick]cowonhorse .co/links/observe_resources-film.php hosted on 74.91.118.239 (Nuclearfallout Enterprises, US). Nuclearfallout have hosted sites like this several times before..."
___

Fake Friendster emails lead to BlackHole exploit kit
- http://blog.webroot.com/2012/10/19/...themed-emails-lead-to-black-hole-exploit-kit/
19 Oct 2012 - "Cybercriminals are currently spamvertising millions of emails, impersonating Friendster, in an attempt to trick its current and prospective users into clicking on a malicious link found in the email. Upon clicking on the link, users are exposed to the client-side exploits served by the latest version of the BlackHole exploit kit...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress...g_malware_exploits_black_hole_exploit_kit.png
... sonatanamore .ru used to respond to the following IPs – 70.38.31.71; 202.3.245.13; 203.80.16.81; 213.251.162.65 ... Sample detection rate for the malicious iFrame loading script: friedster.html – MD5: c444036179aa371aebf9bae3e7cc5eef * ... Exploit.JS.Blacole; Trojan.JS.Iframe.acn
Upon successful client-side exploitation, the campaign drops MD5: 8fa93035ba01238dd7a55c378d1c2e40** on the affected host... Trojan-Ransom.Win32.PornoAsset.aeuz; Worm:Win32/Cridex.E
Upon execution, the sample phones back to 95.142.167.193 :8080/mx/5/A/in..."
* https://www.virustotal.com/file/2d9...0feac0655fa2ff27301c8be1/analysis/1349356588/
File name: Friendster.html
Detection ratio: 12/43
Analysis date: 2012-10-04
** https://www.virustotal.com/file/94f...63fedc372b0239f30ede9503b5df35a690d/analysis/
File name: 8fa93035ba01238dd7a55c378d1
Detection ratio: 27/43
Analysis date: 2012-10-05
___

Cisco - Threat Outbreak Alerts
- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Fake UPS Payment Document Attachment E-mail Messages - October 19, 2012
Fake Shipment Notification E-mail Messages - October 19, 2012
Fake Product Quote Request E-mail Messages - October 19, 2012
Fake Changelog E-mail Messages- October 19, 2012
Fake Xerox Scan Attachment E-mail Messages - October 19, 2012
Fake Bill Statement E-mail Messages - October 19, 2012
Fake Bank Transfer Receipt E-mail Messages - October 19, 2012
Fake Payment Slip E-mail Messages - October 19, 2012
Fake Money Transfer Receipt E-mail Messages - October 19, 2012
Fake Purchase Order Confirmation E-mail Messages - October 19, 2012
Fake FedEx Parcel Delivery Failure Notification E-mail Messages - October 19, 2012
Fake Portuguese Health Alert Notification E-mail Messages - October 19, 2012
Fake Payment Slip Confirmation E-mail Message - October 19, 2012 ...

:mad:
 
SCAM-SPAM-and PHISH ...

FYI... multiple entries - SCAM-SPAM-and PHISH:

SCAM - worthless domain names: tsnetint .com and tsnetint .org
- http://blog.dynamoo.com/2012/10/scam-tsnetintcom-and-tsnetintorg.html
22 Oct 2012 - "Another episode in a long-running domain scam, which attempts to get you to buy worthless domain names by scaremongering. In this case the fake company is called "Kenal investment Co. Ltd" (there are several legitimate firms with a similar name). If you get one of these, ignore it and don't give the scammers any money.
The domains quoted are tsnetint .com and tsnetint .org and the originating IP is 117.27.141.168, all hosted in deepest China.
From: bertram @tsnetint .com
Date: 22 October 2012 06:02
Subject: Confirmation of Registration
(Letter to the President or Brand Owner, thanks)
Dear President,
We are the department of Asian Domain Registration Service in China. Here I have something to confirm with you. We formally received an application on October 19, 2012 that a company claimed Kenal investment Co. Ltd were applying to register "dynamoo" as their Net Brand and some domain names through our firm.
Now we are handling this registration, and after our initial checking, we found the name were similar to your company's, so we need to check with you whether your company has authorized that company to register these names. If you authorized this, we would finish the registration at once. If you did not authorize, please let us know within 7 workdays, so that we could handle this issue better. After the deadline we will unconditionally finish the registration for Kenal investment Co. Ltd. Looking forward to your prompt reply.
Best Regards,
Bertram Hong
Registration Dept.
Office:Tel: 86 2885915586 || Fax: +86 2885912116
Address:9/F Libao building No,62 Kehua North Road,Wuhou District,Chengdu City,China
..."
___

SPAM with .gov URLs
- http://www.symantec.com/connect/blogs/spam-gov-urls
22 Oct 2012 Updated - "Symantec is observing an increase in spam messages containing .gov URLs. A screenshot of a sample message is below:
> https://www.symantec.com/connect/sites/default/files/images/govURL 1.png
Traditionally, .gov URLs have been restricted to government entities. This brings up the question of how spammers are using .gov URLs in spam messages.
The answer is on this webpage:
1.USA.gov is the result of a collaboration between USA.gov and bitly.com, the popular URL shortening service. Now, whenever anyone uses bitly to shorten a URL that ends in .gov or .mil, they will receive a short, trustworthy 1.usa.gov URL in return.
... While this feature has legitimate uses for government agencies and employees, it has also opened a door for spammers. By using an open-redirect vulnerability, spammers were able to set up a 1.usa.gov URL that leads to a spam website.
Using the above example:
[http ://]1.usa .gov/[REMOVED]/Rxpfn9
leads to
[http ://]labor.vermont .gov/LinkClick.aspx?link=http://workforprofit.net/[REMOVED]/?wwvxo
which leads to
[http ://]workforprofit .net/[REMOVED]/?wwvxo
The final spam page is a work-at-home scam website that has been designed to look like a financial news network website:
https://www.symantec.com/connect/sites/default/files/images/govURL 2.png
To add legitimacy to the website, spammers have designed it so that other links, such as the menu bar at the top and other news articles (not shown in the above picture), actually lead to the financial news website that it is spoofing. However, the links in the article all lead to a different website where the spammer tries to make the sale:
> https://www.symantec.com/connect/sites/default/files/images/govURL 3.article thumbnail.png
USA.gov provides data created any time anyone clicks on a 1.usa.gov URL (link available on this webpage). Analysis of data from the last seven days shows that this trend began on October 12. As of October 18, 43,049 clicks were made through 1.usa.gov shortened URLs to these spam domains:
consumeroption .net
consumerbiz .net
workforprofit .net
consumeroptions .net
consumerlifenet .net
consumerbailout .net
consumerlifetoday .net
consumerneeds .net
consumerstoday .net
consumerlivestoday .net
> https://www.symantec.com/connect/sites/default/files/images/govURL 4.png
... This chart shows the number of spam clicks made on a daily basis:
> https://www.symantec.com/connect/sites/default/files/images/govURL 5.png
While taking advantage of URL shorteners or an open-redirect vulnerability is not a new tactic, the fact that spammers can utilize a .gov service to make their own links is worrisome. Symantec encourages users to always follow best practices and exercise caution when opening links even if it is a .gov URL."
___

Phish for regular Webmail Accounts
- https://isc.sans.edu/diary.html?storyid=14356
Last Updated: 2012-10-22 - "I was looking through my spam folder today and saw an interesting phish. The phishing email is looking for email account information. Nothing new about that, except this one seemed to have a broad target range. Normally, these types of phishes are sent to .edu addresses not those outside of academia. From the email headers, this one was sent to the Handlers email which is a .org. A non-technical user, like many of my relatives, would probably respond to this. I could see this being successful against regular webmail users of Gmail, Hotmail, etc. especially if the verbiage was changed slightly. It could also be targeting those who may be enrolled in online universities... I have included the email below:

From: University Webmaster <university.m @usa .com>
Date: Fri, Oct 19, 2012 at 9:34 PM
Subject: Webmail Account Owner
To:
Dear Webmail Account Owner,
This message is from the University Webmail Messaging Center to all email account owners.
We are currently carrying out scheduled maintenance,upgrade of our web mail service and we are changing our mail host server,as a result your original password will be reset.
We are sorry for any inconvenience caused.
To complete your webmail email account upgrade, you must reply to this email immediately and provide the information requested below.
---
CONFIRM YOUR EMAIL IDENTITY NOW
E-mail Address:
User Name/ID:
Password:
Re-type Password:
---
Failure to do this will immediately render your email address deactivated from the University Webmail
..."
___

"Copies of Policies" SPAM / fidelocastroo .ru
- http://blog.dynamoo.com/2012/10/copies-of-policies-spam-fidelocastrooru.html
22 Oct 2012 - "This spam leads to malware on fidelocastroo .ru:
Date: Mon, 22 Oct 2012 08:05:10 -0500
From: Twitter [c-FG6SPPPCGK63=D8154Z4.8N4-6042f@postmaster.twitter.com]
Subject: RE: Charley - Copies of Policies.
Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.
Here is the Package and Umbrella,
and a copy of the most recent schedule.
Charley HEALY,


The malicious payload is on [donotclick]fidelocastroo .ru:8080/forum/links/column.php hosted on the following IPs:
68.67.42.41 (Fibrenoire, Canada)
79.98.27.9 (Interneto Vizija, Lithuania)
190.10.14.196 (RACSA, Costa Rica)
202.3.245.13 (MANA, French Polynesia)
203.80.16.81 (MYREN, Malaysia)
209.51.221.247 (eNET, US)
Plain list for copy and pasting:
68.67.42.41
79.98.27.9
190.10.14.196
202.3.245.13
203.80.16.81
209.51.221.247

Blocking these IPs should prevent any other attacks on the same server."

:mad:
 
Fake PayPal-NACHA-Intuit emails serve malware

FYI...

Fake PayPal emails serve malware
- http://blog.webroot.com/2012/10/23/...payment-received-themed-emails-serve-malware/
Oct 23, 2012 - "... cybercriminals are currently spamvertising millions of emails impersonating PayPal, in an attempt to trick its users into downloading and executing the malicious attachment found in the legitimate looking email...
Screenshot of the spamvertised email:
> https://webrootblog.files.wordpress.com/2012/10/paypal_spam_email_malware.png
Detection rate for the malicious archive: MD5: 9c2f2cabf00bde87de47405b80ef83c1 * ... Backdoor.Win32.Androm.fm. Once executed, the sample opens a backdoor on the infected host, allowing cybercriminals to gain complete control over the infected host..."
* https://www.virustotal.com/file/1f5...6523b44536c9b7385c07d67a/analysis/1350578639/
File name: Notification_payment_08_15_2012.exe
Detection ratio: 39/43
Analysis date: 2012-10-18
___

- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Fake PayPal Account Verification E-mail Messages - October 22, 2012
Fake Payment Confirmation E-mail Messages - October 22, 2012
Fake Picture Link E-mail Messages- October 22, 2012
Fake Portuguese Loan Approval E-mail Messages - October 22, 2012
Malicious Personal Photograph Attachment E-mail Messages - October 22, 2012
Fake UPS Payment Document Attachment E-mail Messages - October 22, 2012
Fake FedEx Parcel Delivery Failure Notification E-mail Messages - October 22, 2012
Fake Changelog E-mail Messages - Updated October 22, 2012
Fake Purchase Order Confirmation E-mail Messages - October 22, 2012...
___

NACHA SPAM / bwdlpjvehrka.ddns .info
- http://blog.dynamoo.com/2012/10/nacha-spam-bwdlpjvehrkaddnsinfo.html
23 Oct 2012 - "This fake NACHA spam leads to malware on bwdlpjvehrka.ddns .info:
Date: Tue, 23 Oct 2012 05:44:05 +0200
From: "noreply@direct.nacha.org"
Subject: Notification about the rejected Direct Deposit payment
Herewith we are informing you, that your most recent Direct Deposit via ACH transaction (#914555512836) was cancelled, due to your current Direct Deposit software being out of date. Please use the link below to enter the secure section of our web site and see the details::
Please contact your financial institution to acquire the new version of the software.
Sincerely yours
ACH Network Rules Department
NACHA | The Electronic Payments Association
13450 Sunrise Valley Drive, Suite 100
Herndon, VA 20171
Phone: 703-561-1100 Fax: 703-787-0996


The malicious payload is at [donotclick]bwdlpjvehrka.ddns .info/links/calls_already_stopping.php hosted on 78.24.222.16 (TheFirst-RU, Russia). Blocking this IP address would be a good move."
___

Intuit SPAM / montrealhotpropertyguide .com
- http://blog.dynamoo.com/2012/10/intuit-spam-montrealhotpropertyguidecom.html
23 Oct 2012 - "This fake Intuit spam leads to malware on montrealhotpropertyguide .com:
Date: Tue, 23 Oct 2012 14:45:14 +0200
From: "Intuit QuickBooks Customer Service" [35378B458 @aubergedesbichonnieres .com]
Subject: Intuit QuickBooks Order
Dear [redacted],
Thank you for placing an order with Intuit QuickBooks!
We have received your payment information and it is currently being processed.
ORDER INFORMATION
Order #: 366948851674
Order Date: Oct 22, 2012
[ View order ]
Qty Item Price
1 Intuit QuickBooks Pro Download 2 2012 $183.96***
Subtotal:
Sales Tax:
Total for this Order: $183.96 $0.00 $183.96
*Appropriate credit will be applied to your account.
Please Note: Sales tax calculations are estimated. The final sales tax calculation will comply with local regulations.
NEED HELP?
Questions about your order? Please visit Customer Service.
Join Us On Facebook
Close More Sales
Save Time
Privacy | Legal | Contact Us | About Intuit
You have received this business communication as part of our efforts to fulfill your request or service your account. You may receive this and other business communications from us even if you have opted out of marketing messages.
If you receive an email message that appears to come from Intuit but that you suspect is a phishing email, please forward it immediately to spoof @intuit .com. Please visit http ://security.intuit .com/ for additional security information.
Please note: This email was sent from an auto-notification system that cannot accept incoming email. Please do not reply to this message.
© 2012 Intuit Inc. or its affiliates. All rights reserved.


The malicious payload is on [donotclick]montrealhotpropertyguide .com/links/showed-clearest-about.php hosted on 64.111.26.15 (Data 102, US)."

:mad:
 