SPAM frauds, fakes, and other MALWARE deliveries...

Something still evil on 66.96.223.192/27

FYI...

Something still evil on 66.96.223.192/27
- http://blog.dynamoo.com/2014/04/something-still-evil-on-669622319227.html
16 April 2014 - "Last week I wrote about a rogue netblock hosted by Network Operation Center* in the US. Well, it's still spreading malware but now there are -more- domains active on this range. A full list of the subdomains I can find is listed here [pastebin**]. I would recommend that you apply the following blocklist:
66.96.223.192/27
andracia .net
..."
(Long list at the dynamoo URL above.)
* http://blog.dynamoo.com/2014/04/something-evil-on-669622319227.html

** http://pastebin.com/RQfE69hn
___

Netflix-themed tech support SCAM ...
- http://blog.malwarebytes.org/fraud-...h-support-scam-comes-back-with-more-copycats/
April 16, 2014 - "A few weeks ago we blogged about this Netflix phishing scam -combined- with fake tech support that was extorting private information and money from people. The scam worked by asking unsuspecting users to log into their Netflix account and enter their username and password into a -fraudulent- website. After collecting the personal details, the perpetrators used a fake warning to state the particular account had been suspended. All this effort was really about leading potential victims into a trap, by making them call a 1-800 number operated by -fake- tech support agents ready to social engineer their mark and collect their credit card details. A slightly new variant is once again making the rounds with the same goal of funnelling traffic to -bogus- ‘customer support’ hotlines:
> http://cdn.blog.malwarebytes.org/wp-content/uploads/2014/04/blurred_netflix.png
... this time around the scammers behind it are expanding the phishing pages to other online services as well to target a wider audience. Crooks are buying online ads for each brand such as this one on Bing for “netflix tech support number”:
> http://cdn.blog.malwarebytes.org/wp-content/uploads/2014/04/bingad1.png
... The quality of leads you get from targeted advertising is much higher than that from random cold calls. If you can attract people already looking for help and offer them your service, chances are conversion rates will be higher..."

:fear: :mad:
 
Fake Facebook Chat Verification used for SPAM

FYI...

Fake Facebook Chat Verification used for SPAM
- http://blog.trendmicro.com/trendlab...ake-facebook-chat-verification-used-for-spam/
Apr 17, 2014 - "Facebook users are once again the target of a malicious scheme—this time in the form of a notification about “Facebook Chat”. The spammed notification pretends to come from the “official Facebook Chat Team.” A notification shows users of a tagged comment to a Facebook Note containing a fake announcement about a Facebook Chat verification requirement.
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/04/FB-chat-spam1.jpg
The spam tries to sound urgent to convince users to verify their accounts. To do so, they are first asked to go to a Pastebin URL and are instructed to copy a specific code. The set of instructions differ depending on what browser is being used (Google Chrome, Mozilla Firefox, or Internet Explorer). Users are then directed to a shortened link and are asked to press a particular function key (F12 for Google Chrome users, for example). After clicking on the console tab, users are supposed to paste the provided Javascript code into the address bar, then press Enter. This actually gives bad guys access to the user’s account, giving them the capability to auto-tag anyone in the users’ friends list and start the cycle of victimizing other account users... From the get-go, users should know that there is -no- product called “Facebook Chat,” let alone a team that sends out a supposed “advisory” to its users. The social media site’s official instant messaging feature is called Facebook Messenger, which is also the name of its stand-alone app. Earlier this month, Facebook announced* that Android and iOS users will be required to use this stand-alone app by eliminating the chat features of the traditional app versions of the site. Facebook has taken action against threats like this by releasing an official announcement. The official Facebook warning** notes, “This is a variant on the self-XSS attack. By pasting the code in the browser console, the user gives the code access to their account. The code usually posts the same scam on other people’s walls, and subscribes the user to pages controlled by the attacker – but it could do much worse things”..."
* http://mashable.com/2014/04/09/facebook-requiring-messenger/

** https://www.facebook.com/selfxss
___

Zeus with your coffee ...
- https://www.securelist.com/en/blog/8207/Would_you_like_some_Zeus_with_your_coffee
Apr 16, 2014 - "Cybercriminals often like to use a bogus letter to trick people into opening malicious attachments. There are two tricks that make this work: a message from a familiar name (a bank, social network, service provider or other organization that might interest the recipient) and an intriguing or alarming subject. An attack based on -fake- messages supposedly from coffee chain Starbucks combined the two.
> https://www.securelist.com/en/images/vlweblog/blog_vergelis_starbucks.jpg
The detected distribution claimed... a recipient's friend made an order for him to celebrate a special occasion in a Starbucks coffee shop. That mysterious friend wished to remain anonymous, enjoying the intrigue he was creating, but was sending out invitations with details of a special menu, which is available in the attachment. In the end they wished the recipient an awesome evening. All the messages were sent out with high importance. Besides, the addresses, created on the Gmail and Yahoo! free mail services, changed from letter to letter and seemed to be randomly generated combinations like incubationg46@, mendaciousker0@ and so on. The attachment was a .exe file and the cybercriminals made no effort to mask it with an archive or double filename extension. They seemed to be sure a happy recipient would open the attachment without any suspicion. Kaspersky Lab detects the attached file as Rootkit.Win32.Zbot.sapu - a modification of one of the most notorious spyware families, Zbot (ZeuS). These applications are used by cybercriminals to steal confidential information. This version of Zbot is able to install a rootkit Rootkit.Win32.Necurs or Rootkit.Win64.Necurs, which disrupts the functioning of antiviruses or other security solutions."
___

Google patches Android icon Hijacking vuln
- http://www.securityweek.com/google-patches-android-icon-hijacking-vulnerability
Apr 15, 2014 - "Researchers at FireEye have identified a vulnerability affecting Google Android that could be exploited to lead users to malicious sites. According to FireEye*, the issue allows a malicious app with 'normal' protection level permissions to target legitimate icons on the Android home screen and modify them to point to attack sites or the malicious app itself without notifying the user. The issue has been acknowledged by Google, which has released a patch to its OEM partners..."
* http://www.fireeye.com/blog/technical/2014/04/occupy_your_icons_silently_on_android.html
Apr 14, 2014

- https://atlas.arbor.net/briefs/index#-561580891
Elevated Severity
17 Apr 2014

:fear: :mad:
 
Fake Santander Bank SPAM – word doc malware

FYI...

Fake Santander Bank SPAM – word doc malware
- http://myonlinesecurity.co.uk/santander-bank-march-invoice-fake-word-doc-malware/
Apr 22, 2014 - "March Invoice pretending to be from Santander bank with a sender address of Sarah Gandolfo [sgand0395@ aol.com] is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email reads:
Please find attached your March invoice, we now have the facility to email invoices, but if you are not happy with this and would like a hard copy please let me know.
New bank details for BACS payments are Santander Bank Sort Code 271201 Account No 56024641.
Thanks very much
Sarah


22 April 2014: March invoice 5291.zip (10kb) Extracts to March invoice 8912.exe
Current Virus total detections: 1/51* . This March Invoice is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...685da9d942fdf9c1ff7ae4b88be17075fbe/analysis/
___

Visa Card phish ...
- http://www.hoax-slayer.com/visa-card-status-notification-phishing-scam.shtml
Apr 22, 2014 - "... email purporting to be from Visa claims that the recipient's card access has been limited because 'unusual activity' has been detected... The email is -not- from Visa. It is a -scam- designed to steal the recipient's credit card data. A link in the email opens a -fake- website that asks for the user's credit card number, and other information pertaining to the recipient's Visa account...
Example:
Subject: Access to your Visa card has been blocked
Visa Card Status Notification
We are contacting you to Inform you that our Visa Card security department identified some unusual activity in your card. In accordance with Visa Card User Agreement and to ensure that your Visa Card has not been accessed from fraudulent locations, access to your Visa Card has been limited. Your Visa Card access will remain limited until this issue has been resolved please Click My Visa Card Activity to continue.
My Visa Card Activity
We take your online safety seriously, which is why we use state of the art notification systems to identify unusual activity and a challenge process to validate your details.
Thanks for banking with Visa.
Customer Finance Department
© Visa & Co, 2014.


Screenshot: http://www.hoax-slayer.com/images/visa-card-status-notification-phishing-scam-1.jpg

The message invites users to -click- a link to resolve the issue and restore access... the message is -not- from Visa and the claim that the account has been limited is a lie... the email is a typical phishing scam designed to extract financial information from users. The email's links open a -bogus- website created to closely mirror the look and feel of a genuine Visa webpage. The fake page will include a 'verification form' that requests users to supply their credit card number and other account details. After supplying the requested information, users will be taken to a second fake page that informs them that the problem has been resolved and restrictions have been removed... of course, there was no problem with the card to begin with..."
___

Fake 'Paintball Booking' SPAM ...
- http://blog.mxlab.eu/2014/04/22/pai...-email-will-infect-your-computer-with-trojan/
Apr 22, 2014 - "... new trojan distribution campaign by email with the subject “Paintball Booking Confirmation”. This email is sent from the spoofed address “"ipguk52@ paintballbookingoffice .com" <ipguk@ paintballbookingoffice .com>” and has the following body:
Dear client,
Many thanks for your booking on Saturday 19/04/2014 at our Reading Paintball centre Mapledurham, Reading. Arrival time is 09:15AM prompt.
Please view the attached booking confirmation, map and important game day documents prior to attending.
Kind regards,
Leigh Anderson
Event Co-ordinator...


The attached ZIP file has the name Booking Confirmation 2826-66935.zip; once extracted, a folder Booking Confirmation 0414-28921 is created which contains the 14 kB file Booking Confirmation 0414-28921.exe. The trojan is known as Win32:Dropper-gen [Drp], W32/Trojan.ZLGD-2681, Trojan:W32/Zbot.BBLB or HEUR/Malware.QVM07.Gen. At the time of writing, 4/51 AV engines did detect the trojan at Virus Total. Use the Virus Total permalink* and Malwr permalink** for more detailed information.
SHA256: 4c69e3b6d2f7dbaf78eacfd60f2de685da9d942fdf9c1ff7ae4b88be17075fbe "
* https://www.virustotal.com/en/file/...685da9d942fdf9c1ff7ae4b88be17075fbe/analysis/

** https://malwr.com/analysis/YmI4MmFlNDQ4ZmYzNDczNzlmZjNiYWU1ODMyMmMyZGQ/

:mad: :fear:
 
Massive cyber wire fraud attacks on US Companies

FYI...

Massive cyber wire fraud attacks on US Companies
- https://www.trustedsec.com/april-2014/red-alert-massive-cyber-wire-fraud-attacks-us-companies/
April 25, 2014 - "... a number of US companies have been impacted, and unfortunately, a number of companies that are still unaware they were victim of this attack. A major offensive is currently happening on a number of United States based companies, mostly involving those that have international components. TrustedSec notified law enforcement that multiple companies are affected, and these attacks are aimed at extracting money from the companies. An ongoing and active case is in progress working with the companies affected and investigating the incidents... high success rate. They appear to have different escalation models and ways to force organizations to perform the transfer without triggering suspicion. They use a combination of social-engineering (both email and phone), compromising trusted partners/third parties, and spoofing email addresses in order to accomplish their goals...
What you can do:
1. Notify your financial and accounts payable departments of these attacks and the techniques.
2. Verify all transactions with your third party partners and vendors, especially when refunding money (phone calls directly to a known phone number).
3. Provide enhanced education and awareness of these types of attacks.
4. If you have fallen victim to this attack, notify your local FBI office immediately...
Measures should be taken right -now- in order to educate your finance and accounts payable departments, as well as an emphasis on the controls in place for your third party partners and vendors."
(More detail at the trustedsec URL above.)

:fear: :mad:
 
Something evil on 146.185.213.69 ...

FYI...

Something evil on 146.185.213.69 ...
- http://blog.dynamoo.com/2014/05/something-evil-on-14618521369-and.html
1 May 2014 - "146.185.213.69 caught my eye, hosting a number of "ads." subdomains, many of which are tagged by Google as being malicious... you can probably assume that all those domains are malicious (even without the ads. prefix)... The block is owned by RN Data SIA of Latvia and suballocated to somebody in St Petersburg by the name of Mikhail Evgenyevich Valyalov. RN Data are one of those hosts that have hosted malware in the past*, and I tend to lean towards blocking them... frankly this entire /24 looks like it is being used for evil purposes at the moment and I recommend that you block it..." [146.185.213.*]
* http://blog.dynamoo.com/2011/10/some-tdltdss-rootkit-sites-to-block.html
(More detail at the dynamoo URL above.)
___

Fake Malwarebytes 2.0 ...
- http://blog.malwarebytes.org/security-threat/2014/05/fake-malwarebytes-anti-malware-2-0-abound/
May 1, 2014 - "... we already started seeing fake executable files purporting to be free versions of our product being hosted on unfamiliar sites.
A small sample of rogue files we found in the wild:
> http://blog.malwarebytes.org/wp-content/uploads/2014/04/samples.png
One of the many sites that host MBAM PUPs:
> http://blog.malwarebytes.org/wp-content/uploads/2014/04/fake-site.png
... we found that these files have common behaviours: they all enable themselves to run whenever Windows is restarted or the system is turned on and they’re capable of accessing private information that browsers store whenever we go online, such as data pertaining to cookies, browsing history, and list of restricted sites... Several of these samples also create entries to IE’s restricted sites zone, consequently blocking users from accessing specific domains...
Sample of MBAM Installation GUI (taken from malwr.com):
> http://blog.malwarebytes.org/wp-content/uploads/2014/05/MWB-sample.png
For anyone interested in trying out MBAM 2.0, the wisest thing to do is still to go to our official download site*..."
* https://www.malwarebytes.org/downloads/

:mad: :fear:
 
Android Police-Locker ransomware, BoA SPAM ...

FYI...

Android "Police Locker" ransomware ...
- http://net-security.org/malware_news.php?id=2759
5.05.2014 - "Android users might soon become victims of "Police Locker" ransomware, if they haven't already, warns the researcher behind the Malware don't need Coffee blog*. "The 'Reveton team' has diversified its locking activity," he informs us. "The advert is old (2014-02-18) but i decided to write about it today as I found a Traffic Distribution System (TDS) using almost all features proposed by this affiliate including the Android locker." Other options for malware delivery include system lockers, fake AV, fake codecs, and Browlock ransomware. The researcher discovered a threat actor that uses a TDS that employs almost all features: if you land on a malicious site using Internet Explorer, a variant of the Winlock ransomware is served. If you land with another browser on Windows, Linux or Mac, you'll get Brownlock. Finally, if you land on it with Android, you will be redirected to a fake adult website that will automatically push the download of a malicious APK file masquerading as a video downloader app (and using the icon of the legitimate BaDoink Video Downloader). The good news is that the user must approve the installation... The 'fine' US users are asked to pay in order to get their phones unlocked is $300, payable via Money Pak... The malware is detected... as Trojan Koler**, and the researcher has already spotted another threat actor delivering it. In this case, the malicious APK masquerades as the popular BSPlayer video player for Android."
* http://malware.dontneedcoffee.com/2014/05/police-locker-available-for-your.html

** https://www.virustotal.com/en/file/...2a7aa7318cd5b1a160b8517d/analysis/1399286001/
Detection ratio: 4/52
___

Bank of America CashPro Spam
- http://threattrack.tumblr.com/post/84831159013/bank-of-america-cashpro-spam
May 5, 2014 - "Subjects Seen:
FW: Important account documents
Typical e-mail details:
Please scan attached document and fax it to +1 (888) 589-1001.
Please note that the Terms and Conditions available below are the Bank’s most recently issued versions. Please bear in mind that earlier versions of these Terms and Conditions may apply to your products, depending on when you signed up to the relevant product or when you were last advised of any changes to your Terms and Conditions. If you have any questions regarding which version of the Terms and Conditions apply to your products, please contact your Relationship Manager.
Yours faithfully
Vince Blue


Malicious File Name and MD5:
Account_Documents.zip (40E7BB684935A7B86E5D8E480974F691)
Account Documents.scr (6E40CD3BB6F1F531CDCE113A8C684B08)


Screenshot: https://gs1.wac.edgecastcdn.net/801...39178a449/tumblr_inline_n53y3hEgvd1r6pupn.png

Tagged: Bank of America, Upatre
___

Encrypting Ransomware ...
- http://www.webroot.com/blog/2014/05/05/evolution-encrypting-ransomware/
May 5, 2014 - "... big change in the encrypting ransomware family... For those that aren’t aware of what encrypting ransomware is, it's a cryptovirus that encrypts all your data from local hard drives, network shared drives, removable hard drives and USB. The encryption is done using an RSA-2048 asymmetric public key which makes decryption without the key impossible. Paying the ransom will net you the key which in turn leads to getting your data back.
Cryptolocker:
> https://www.webroot.com/blog/wp-content/uploads/2014/05/cryptolocker5.png
(Other samples at the first webroot URL above.)
In its first evolution of what we know as “Cryptolocker” the encryption key was actually stored on the computer and the victim, with enough effort, could retrieve said key. Then you could use tools submitted on forums to put in your key and decrypt all your data without paying the ransom. In future improvements malware authors made sure that the only place the key was stored was on a secure server so that you were forced to pay. However, more often than not the malicious dropper didn’t delete the VSS (Volume Shadow Service) and victims still had the option to manually restore files from a previous date using programs like Shadow Explorer (OS drive only). For those that don’t know what the VSS is, it’s a restorative feature that is included in XP SP2 and later versions of Windows. Essentially it is a technology that allows taking manual or automatic backup copies of data and is related to System Restore. In newer variants of Cryptolocker the VSS is almost always deleted at deployment. Malware authors also give the victim a special extended period of time to get their files if they waited past the deadline, but the price usually doubles or triples.
CryptoDefense:
> https://www.webroot.com/blog/wp-content/uploads/2014/05/cryptolocker7.png
(Other samples at the first webroot URL above.)
In one of the more recent variants of encryption ransomware dubbed “CryptoDefense” it no longer has a graphical user interface (GUI). Instead the malware will just open a webpage after encryption and leave a text file in every directory that was encrypted. The instructions to get the key to decrypt your files have you install the anonymous Tor or other layered encryption browsers so you can pay them directly and securely. This enables malware authors to circumvent a portion of the Zeus fraud, avoid the need for money mules (middlemen) and increase the percentage of profit.
DirCrypt:
> https://www.webroot.com/blog/wp-content/uploads/2014/05/dircrypt.png
In this most recent change in encrypting ransomware, instead of going after various file extensions, all files are encrypted into RTF documents with a *.enc.rtf extension. This one really blindsides the victim as you’ll get no pop up GUI or webpage once encryption completes; you have to open one of your documents to find that it was encrypted. All documents will have the same content similar to what is shown. One big improvement that is quite nasty for victims is that the encryption is no longer a static one-time deal. This variant will actively seek out and encrypt any new or modified files written to drives. We noticed while testing a collected sample that when we attempted to save screenshots, it immediately encrypted them. We expect future encrypting ransomware variants to include these tactics as the evolution continues..."

:mad::mad: :fear:
 
Hacked WordPress site, BT Digital File SPAM, Fake MMS message, Payment error SPAM

FYI...

Hacked WordPress site - ccccooa .org
- http://blog.dynamoo.com/2014/05/ccccooaorg-another-hacked-wordpress-site.html
6 May 2014 - "ccccooa .org ("Cumberland County Council on Older Adults") is another hacked WordPress site being used to serve pharma spam. I got -82- of these all at the same time..
From: Linkedln Email Confirmation [emailing@ compumundo .info]
Reply-To: emailing@ compumundo .info
To: topsailes@ gmail .com
Date: 6 May 2014 13:41
Subject: Please confirm your email address
Linkedln
Click here to confirm your email address.
You will be asked to log into your account to confirm this email address. Be sure to log in with your current primary email address.
We ask you to confirm your email address before sending invitations or requesting contacts at Linkedln. You can have several email addresses, but one will need to be confirmed at all times to use the system.
If you have more than one email address, you can choose one to be your primary email address. This is the address you will log in with, and the address to which we will deliver all email messages regarding invitations and requests, and other system mail.
Thank you for using Linkedln!
--The Linkedln Team
This email was intended for [redacted]. Learn why we included this...


One example landing URL is [donotclick]www.ccccooa .org/buyphentermine/ which leads to a sort of intermediary landing page..
> https://3.bp.blogspot.com/-yHYRE10WZKE/U2iyLsDXtXI/AAAAAAAAC9Q/sX68XuZLzYw/s1600/fake-rx-1.png
This in turn goes to a -redirect- at [donotclick]stylespanel .com/h/go/phentermine.php and then to [donotclick]www.hq-pharmacy-online .com/search.html?q=phentermine which is a -fake- pharmacy site hosted on 95.211.228.240 (LeaseWeb, Netherlands) which is registered to a probably fake address in Argentina. Avoid.. oh, and if you run a WordPress site please make sure the software is up-to-date."
___

BT Digital File - SPAM
- http://blog.dynamoo.com/2014/05/important-bt-digital-file-spam.html
6 May 2014 - "This -fake- BT spam comes with a malicious attachment:
Date: Tue, 6 May 2014 15:18:15 +0700 [04:18:15 EDT]
From: Santiago Biggs [Santiago.Biggs@ bt .com]
Subject: Important - BT Digital File
BT Digital Vault BT
Dear Customer,
This email contains your BT Digital File. Please scan attached file and reply to this email.
If you have any questions or forgotten your password, please visit the "Frequently Asked Questions" at www.bt .com/personal/digitalvault/help or call the helpdesk on 0870 240 1116* between 8am and midnight.
Thank you for choosing BT Digital Vault.
Kind regards,
BT Digital Vault Team ...
Please note that this is an automatically generated email for your information only. We are sorry, but we can not respond to a "Reply" to this address...


Screenshot: https://2.bp.blogspot.com/-3lQPEJML0rA/U2i3EZQnyXI/AAAAAAAAC9c/eTXtmThsu-Q/s1600/bt.png

Attached to the message is an archive file BT_Digital_Vault_File.zip which in turn contains a malicious executable BT_Digital_File.scr which has a VirusTotal detection rate of 11/52*. Automated analysis tools... show that this malware downloads additional components from the following locations:
[donotclick]realtech-international .com/css/0605UKdp.rar
[donotclick]biz-ventures .net/scripts/0605UKdp.rar
Blocking those URLs or monitoring for them may help to prevent further infection."
* https://www.virustotal.com/en/file/...d2b08e374b12da5149ba690f/analysis/1399371324/
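Added example (not code from any of the quoted blogs) showing how the blocklists recommended in the dynamoo posts above can be applied: the 66.96.223.192/27 and 146.185.213.0/24 netblocks, the fake pharmacy host 95.211.228.240 and the two BT Digital Vault download locations. The proxy log format and every log line below are constructed for the demonstration; the defanged domains from the posts are joined back together so they match URLs.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Netblocks and hosts the quoted dynamoo posts recommend blocking (values as given in the posts).
BLOCKED_NETWORKS = [
    ipaddress.ip_network("66.96.223.192/27"),   # Network Operation Center range
    ipaddress.ip_network("146.185.213.0/24"),   # RN Data SIA range hosting the "ads." subdomains
    ipaddress.ip_network("95.211.228.240/32"),  # host of the fake pharmacy site
]

# Second-stage download locations from the BT Digital Vault post (shown there with a
# space before the TLD as a defang; joined here so they can be matched against a log).
BLOCKED_DOWNLOADS = {
    ("realtech-international.com", "/css/0605UKdp.rar"),
    ("biz-ventures.net", "/scripts/0605UKdp.rar"),
}

# Constructed proxy log: "<timestamp> <client ip> <destination ip> <method> <url>".
SAMPLE_LOG = """\
2014-05-06T15:20:01Z 10.0.0.12 95.211.228.240 GET http://www.hq-pharmacy-online.com/search.html?q=phentermine
2014-05-06T15:20:05Z 10.0.0.12 203.0.113.5 GET http://www.example.com/index.html
2014-05-06T15:21:10Z 10.0.0.40 66.96.223.201 GET http://andracia.net/
2014-05-06T15:22:43Z 10.0.0.40 203.0.113.7 GET http://realtech-international.com/css/0605UKdp.rar
2014-05-06T15:23:00Z 10.0.0.9 146.185.213.69 GET http://ads.constructed-example.test/
this line is not in the expected format and is skipped
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<dst>\S+) (?P<method>\S+) (?P<url>\S+)$")


def classify(line):
    """Return the reason a log line hits the blocklist, or None if it is clean or unparseable."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    try:
        dst = ipaddress.ip_address(m["dst"])
    except ValueError:
        return None
    # A netblock match covers every host in the range, which is why the posts recommend
    # blocking the whole /27 and /24 rather than only the domains they could enumerate.
    for net in BLOCKED_NETWORKS:
        if dst in net:
            return f"destination {dst} is inside blocked netblock {net}"
    parsed = urlparse(m["url"])
    key = ((parsed.hostname or "").lower(), parsed.path)
    if key in BLOCKED_DOWNLOADS:
        return f"download of known second-stage component {key[0]}{key[1]}"
    return None


def scan_log(text):
    """Return (timestamp, client, reason) for every log line that hits the blocklist."""
    hits = []
    for line in text.splitlines():
        reason = classify(line)
        if reason:
            m = LOG_RE.match(line.strip())
            hits.append((m["ts"], m["client"], reason))
    return hits


def clients_to_triage(text):
    """Sorted list of internal clients that touched the blocked infrastructure."""
    return sorted({client for _, client, _ in scan_log(text)})


if __name__ == "__main__":
    for ts, client, reason in scan_log(SAMPLE_LOG):
        print(f"{ts} {client}: {reason}")
    print("clients to triage:", clients_to_triage(SAMPLE_LOG))
```

The netblock check is the part that matters operationally: a hit on any address inside 66.96.223.192/27, not only the listed domains, is worth a look at that client.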
___

Fake MMS message – jpg malware
- http://myonlinesecurity.co.uk/new-mms-message-fake-jpg-malware/
6 May 2014 - "... message pretending to come from 01552521415@ mmsreply.t-mobile .co .uk [NBdnO_0K0Cb8VYiYEpV8ozYauXw7swqpIiIs6nK3@ mmsreply.t-mobile .co .uk] is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...
Email reads:
our message:
Guess what I forgot *handoverface*, see attached pic
Sending a reply:
You can reply by email to this mobile number within the next 7 days.
The total message size should not exceed 300kb.
You can only reply once, and it must be within 7 days of receiving this message...


Today's Date: PIC000444182547.zip (53 kb) Extracts to PIC000983339211.jpeg.exe
Current Virus total detections: 6/52*
... another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper jpg file instead of the .exe file it really is... look carefully at the unzipped file. If it says .EXE then it is a problem and should not be run or opened."
* https://www.virustotal.com/en/file/...46967b63b25ce1d0987ebc1ee87e8bc47fd/analysis/
___

Fake Payment error SPAM – malware
- http://myonlinesecurity.co.uk/payment-error-25393592410-malware/
6 May 2014 - "Payment error #25393592410 pretending to come from Orville Creasy [payment@ rachelwarne .co .uk] is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers...
Email looks like :
This e-mail has been sent to you to inform you that we were unable to process your most recent payment #570475658997219860277606
Please check attached file for more detailed information on this transaction.
Pay To Account Number: 8843867223806343
Date: 2014-05-05 15:19:19 UTC.
Transaction ID: 25393592410
Amount Due: £ 1060.45
Orville Creasy,
+07957419543


The number on the email subject is different in every email as are the transaction numbers, the pay to account number, the amount due and alleged sender and his/her phone number. The email senders are all different and the only thing in common is that they all pretend to be sent from payment @ some random named but real company. The companies have not been hacked. They just use the name of a company from a long list... unless you have “show known file extensions enabled“, will look like a file with an icon of a £ sign pretending to be a specialised invoice instead of the .exe file it really is..."

:fear::fear: :mad::mad:
 
Fake invoice, Fake Lloyds Banking BACs SPAM, Google+ phish

FYI...

Fake invoice file attachment SPAM
- http://blog.dynamoo.com/2014/05/this-email-contains-invoice-file.html
7 May 2014 - "Another case of a very terse spam with a malicious email attachment:
Date: Wed, 7 May 2014 14:06:46 +0700 [03:06:46 EDT]
From: Accounts Dept [menopausaln54@ jaygee .co .uk]
Subject: Email invoice: 1888443
This email contains an invoice file attachment


... The attachment is emailinvoice.069911.zip which in turn contains a malicious executable emailinvoice.899191.exe which has a VirusTotal detection rate of 5/52*. Automated analysis tools of this binary... show that it downloads a further component... This "111.exe" binary has an even lower VirusTotal detection rate of 3/51**. Automated analysis of this... shows the malware installs itself deeply into the target system. There is a further download of a malicious binary from files.karamellasa .gr/tvcs_russia/2.exe which has a detection rate of 5/50*** and identifies as a variant of Zeus. This creates fake svchost.exe and csrss.exe executables on the target system..."
(More detail at the dynamoo URL above.)
* https://www.virustotal.com/en-gb/fi...60ee47d9b2ea1d5b2714fc90/analysis/1399448792/

** https://www.virustotal.com/en-gb/fi...f7fcf7837e3dba89fcd10384/analysis/1399450008/

*** https://www.virustotal.com/en-gb/fi...67a44760a4aabec03d499819/analysis/1399450683/
___

Fake Lloyds Banking BACs – fake PDF malware
- http://myonlinesecurity.co.uk/lloyds-commercial-banking-important-bacs-fake-pdf-malware/
7 May 2014 - "Lloyds Commercial Banking Important BACs pretending to be from Lloyds Commercial Banking [Ora.Hutchison@ lloydsbank .com] is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers... Email looks like:
Important account documents
Reference: C96 Case number: 0746481
Please review attached BACs documents and fax it to +44 (0) 845 600 9454.
Please note that the Terms and Conditions available below are the Bank’s most recently issued versions. Please bear in mind that earlier versions of these Terms and Conditions may apply to your products, depending on when you signed up to the relevant product or when you were last advised of any changes to your Terms and Conditions. If you have any questions regarding which version of the Terms and Conditions apply to your products, please contact your Relationship Manager.
Yours faithfully
Adrienne Mcdermott Senior Manager, Lloyds Commercial Banking ...


Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/05/lloyds-Important-BACs.png

7 May 2014 : LloydsCase-8948231.zip ( 11kb) Extracts to LloydsCase-07052014.scr
Current Virus total detections: 3/51*
... another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is... make sure you have “show known file extensions enabled”, and then look carefully at the unzipped file. If it says .EXE then it is a problem and should not be run or opened."
* https://www.virustotal.com/en/file/...3b52fd484509588b4bcc0d97f5f831156c3/analysis/
___

Fake "TNT UK Limited" SPAM
- http://blog.dynamoo.com/2014/05/tnt-uk-limited-spam.html
7 May 2014 - "This -fake- TNT spam has a malicious attachment:
Date: Wed, 7 May 2014 01:50:00 -0600 [03:50:00 EDT]
From: TNT COURIER SERVICE [tracking@tnt.co.uk]
Subject: TNT UK Limited - Package tracking 236406937389
TNT COURIER SERVICE (TCS)
Customer/Delivery Services Department
Central Pk Est/Mosley Rd, Trafford Park
Manchester, M17 1TT UK.
DETAILS OF PACKAGE
Reg order no: GB5766211
Your package have been picked up and is ready for dispatch. Please print attached form
and pick up at the nearest office.
Connote # : 236406937389
Service Type : Export Non Documents - Intl
Shipped on : 07 Apr 13 00:00
Order No : 5766211
Status : Driver's Return Description : Wrong Postcode ...


The attachment is GB5766211.zip which contains the malicious executable GB07052014.scr (note the date is encoded into the filename). This has a VirusTotal detection rate of 7/52*. Automated analysis tools... show a UDP connection to wavetmc .com and a further binary download from demo.providenthousing .com/wp-content/uploads/2014/05/b01.exe . This second executable has a VirusTotal detection rate of 20/51**. The Malwr report and Anubis report both show attempted connection to various mail servers (e.g. Gmail and Hotmail). Furthermore the Anubis report shows a data transfer to 83.172.8.59 (Tomsk Telecommunication Company, Russia).
Recommended blocklist:
83.172.8.59
wavetmc .com
demo.providenthousing .com
"
* https://www.virustotal.com/en-gb/fi...9588b4bcc0d97f5f831156c3/analysis/1399452001/

** https://www.virustotal.com/en-gb/fi...7f3f98ccf28b4293bf6196d1/analysis/1399452578/
___

More PUPs - using Instagram as Lure
- http://blog.malwarebytes.org/security-threat/2014/05/more-pups-sighted-using-instagram-as-lure/
May 7, 2014 - "... In the case of Instagram, what we’ve seen out there could pose greater risk than, say, your average phishing site. Doing a Google search surely yields sites where one can download several programs involving Instagram. Some of which can either be classed as “image viewers” or “image and video downloaders” publicly-accessible accounts. Most of the files I sampled below belong to the latter:
> http://blog.malwarebytes.org/wp-content/uploads/2014/05/instagram.png
Since Instagram can be visited via Web browsers, we can easily say that these downloads target any Windows computer user who just wants to keep copies of photos and videos that are likely not their own. We ran these potentially unwanted programs (PUPs) on VirusTotal and got the following...
1) https://www.virustotal.com/en/file/...1b21d857d0955378336d4c84/analysis/1398865443/
2) https://www.virustotal.com/en/file/...1b21d857d0955378336d4c84/analysis/1398865443/
3) https://www.virustotal.com/en/file/...5085d04137d07b4a794830ba/analysis/1398864970/
(More listed at the malwarebytes URL at the top.)
... Internet slowdown, unwanted redirection to sites and possible installation of other programs without the user’s consent are just some of the obvious signs users may experience once these programs are installed. Like what we always advise our blog readers, please avoid downloading such programs onto your system as doing so will increase its security risks..."
___

Fake Google+ Survey - Phish ...
- http://www.hoax-slayer.com/fraudulent-verification-survey-phishing-scam.shtml
May 7, 2014 - "Email purporting to be from the 'All Domain Mail Team' at Google+ asks recipients to participate in a 'spam and fraudulent verification survey'. The email is -not- from Google+ or anybody else at Google. It is a phishing scam designed to trick users into giving their Google account login details to criminals...

Screenshot: http://www.hoax-slayer.com/images/fraudulent-verification-survey-phishing-scam-1.jpg

... claims to be from the 'All Domain Mail Team' at Google's social network Google+. It claims that the team is running a 'spam and fraudulent verification survey' and asks users to click a link to participate. It warns that if the verification survey is 'not gotten' within 24 hours, the team will assume that the recipient is a 'fraulent user' and his or her email account will be shut down... These login details will be collected by criminals and used to hijack the Google accounts belonging to the victims. The one set of login credentials can be used to access many different Google services. Thus, the criminals may be able to steal private information stored in various Google applications as well as use Gmail and Google+ accounts to launch further spam and scam campaigns..."

Infected malformed PDF, Ransomware on Android ...

FYI...

Infected malformed PDF attachments to emails
- http://myonlinesecurity.co.uk/infected-malformed-pdf-attachments-emails/
8 May 2014 - "We are now seeing lots of infected -malformed- PDF attachments to emails. The bad guys are changing the method of malware delivery with these emails and attaching a genuine PDF file to the email instead of a zip. These PDFs are -malformed- and contain a script virus that will infect you if you open the PDF and very likely when you preview it in your browser. They are using several well known and hopefully fully fixed exploits in older versions of Adobe reader. They attach what appears to be a genuine PDF file, that is malformed and has a script virus embedded. It depends on which version of Adobe reader you use, but older ones are definitely vulnerable to this exploit... It is vital that you make sure Adobe PDF reader is updated to the latest version 11.0.6* and if you use any alternative PDF reader then make sure that is fully updated. The majority of PDF exploits will affect ALL PDF readers, not just Adobe... these malformed PDFs do -not- preview and appear as plain blank pages in Windows 7 and Windows 8. The other thing that will help to avoid being unwittingly infected by these is to Set Adobe reader or any other PDF reader to open PDFs in the program and NOT in your browser... it is much safer to view them in the application itself which should be sand-boxed to prevent exploits slipping out..."
* https://helpx.adobe.com/security/products/reader/apsb14-01.html
___

Koler Trojan or other ransomware on Android
- http://blog.malwarebytes.org/mobile...-koler-trojan-or-other-ransomware-on-android/
May 7, 2014 - "A new Android ransomware dubbed Koler has been spreading as a fake adult themed streaming service ‘BaDoink’ app. Uncovered by security researcher Kafeine*, Koler uses familiar “Police Locker” tactics to get victims to pay a ransom for unlocking their PC or device. Traced back to the team that brought us the Reveton ransomware, Koler uses FBI and other police agency symbols to look legitimate, as well as carefully crafted text.
> http://cdn.blog.malwarebytes.org/wp-content/uploads/2014/05/akoler04b.jpg
While your files and other data are not encrypted by Koler.a, the annoying browser page takes over as the active window. Koler is delivered with site redirection, once installed and running the device is taken over by the ransom browser page, pressing the Home button or attempting to dismiss the page works for a very short time. The page will reappear when you attempt to open another app or within a few seconds. This causes removal problems because you don’t have enough time to uninstall through normal methods. Removal: The good news is you don’t have to pay the ransom to remove. First off, Malwarebytes Anti-Malware Mobile** detects as Android/Trojan.Koler.a and will prevent and remove this Trojan on your Android device. However, at times there are race conditions where Koler’s page is up and has control of the screen or you might not have a security tool installed... Safe Mode: The quickest manual solution would be to use Android’s Safe Mode, similar to Windows, Safe Mode is a diagnostic environment where third-party apps won’t load and you can remove..."
(See the Complete procedure at the malwarebytes URL above.)
* http://malware.dontneedcoffee.com/2014/05/police-locker-available-for-your.html

** https://www.malwarebytes.org/mobile/

Related: http://www.webroot.com/blog/2014/05/07/android-koler-android-based-ransomware/
May 7, 2014
- http://blog.kaspersky.com/new-ransomware-for-android/
May 8, 2014

Fake HMRC, Fake Trusteer SPAM

FYI...

Fake HMRC SPAM / VAT0781569.zip
- http://blog.dynamoo.com/2014/05/hmrc-spam-vat0781569zip.html
9 May 2014 - "This -fake- HMRC spam comes with a malicious attachment:
Date: Fri, 9 May 2014 12:47:49 +0530 [03:17:49 EDT]
From: "noreply@ hmrc .gov .uk" [noreply@ hmrc .gov .uk]
Subject: Successful Receipt of Online Submission for Reference 0781569
Thank you for sending your VAT Return online. The submission for reference 0781569 was
successfully received on Fri, 9 May 2014 12:47:49 +0530 and is being processed. Make VAT
Returns is just one of the many online services we offer that can save you time and
paperwork.
For the latest information on your VAT Return please open attached report.
The original of this email was scanned for viruses by the Government Secure Intranet
virus scanning service supplied by Cable&Wireless Worldwide in partnership with
MessageLabs. (CCTM Certificate Number 2009/09/0052.) On leaving the GSi this email was
certified virus free.
Communications via the GSi may be automatically logged, monitored and/or recorded for
legal purposes.


It says "On leaving the GSi this email was certified virus free" which (as you might suspect) is utter bollocks, because it comes with a malicious payload. Attached to the message is an archive VAT0781569.zip which in turn contains two identical malicious executables AccountDocuments.scr and VAT090514.scr which have a VirusTotal detection rate of 15/52*. This is part one of the infection chain. Automated analysis... shows that components are then downloaded from the following locations:
[donotclick]bmclines .com/0905UKdp.rar
[donotclick]gamesofwar .net/img/icons/0905UKdp.rar
[donotclick]entslc .com/misc/farbtastic/heap170id3.exe
[donotclick]distrioficinas .com/css/b01.exe
The malicious binary heap170id3.exe has a VirusTotal detection rate of 9/52**. Automated analysis... shows that this makes a connection to a server at 94.23.32.170 (OVH, France). The other malicious binary, b01.exe had a VirusTotal detection rate of 11/52***. Analysis of this shows... that it attempts to connect to several different email services, presumably to send out spam."
* https://www.virustotal.com/en-gb/fi...f2aaac1a03e402f9a8404b6c/analysis/1399629443/

** https://www.virustotal.com/en-gb/fi...541eca81c60fe2b9798e0850/analysis/1399629644/

*** https://www.virustotal.com/en-gb/fi...6d6db48fd20fb17a34ebdc0c/analysis/1399629683/
___

Fake Trusteer Security Update – PDF malware
- http://myonlinesecurity.co.uk/trusteer-important-security-update-fake-pdf-malware/
9 May 2014 - "... pretending to be from Trusteer Support is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...
Email reads:
Customer Number: 4086477
Important Security Update
Online Banking Protection Software Update from Trusteer
— THIS IS AN AUTOMATED RESPONSE. NO REPLY IS NECESSARY —
Please be sure to restart your computer after installing the new update
Sincerely, Trusteer Technical Support
Your internet banking account is valuable to fraudsters. That’s why criminals are always looking for new ways to get your online banking details and penetrate your account. Anti-virus and firewalls can’t detect the latest attacks, leaving you vulnerable.
To protect you against online fraud, please take a moment to Update Rapport – dedicated online banking security software from the experts at Trusteer. It only takes a few minutes to download and install, and there’s no need to restart your computer...


Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/05/Trusteer_Important-Security-Update.png

9 May 2014: derek_RaportUpdate.zip (24 kb) Extracts to Trusteer Update Now.scr
Current Virus total detections: 8/52* ...
This Important Security Update is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...a3a96e6195bbc7a96a20ef954cf57632aff/analysis/

- http://threattrack.tumblr.com/post/85215426458/trusteer-spam
May 9, 2014
Tagged: Trusteer, Upatre

Fake PayPal, BBB SPAM ...

FYI...

Fake PayPal SPAM – PDF malware
- http://myonlinesecurity.co.uk/paypal-notification-payment-received-fake-pdf-malware/
12 May 2014 - "PayPal Notification of payment received is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. These emails are absolutely identical to the genuine emails that you receive from PayPal when someone sends you money, especially after selling something on eBay . The difference is the link to the transaction goes to a fake site that tries to download a malware file to your computer, that appears to be a PDF...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/05/paypal_new_funds.png

12 May 2014: PP_detalis_726716942049.pdf.exe ( 485 kb)
Current Virus total detections: 0/51*
This PayPal Notification of payment received is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...aace186e09a3dd80f865389d867c31e265f/analysis/
___

BBB SPAM - Washington Metro Area ...
- http://threattrack.tumblr.com/post/85542924523/better-business-bureau-of-washington-metro-area-spam
12 May 2014 - "Subjects Seen:
RE:Case #2475314
Typical e-mail details:
Owner/Manager
The Better Business Bureau has received the above-referenced complaint from one of your customers regarding their dealings with you. The details of the consumer’s concern are included on the reverse. Please review this matter and advise us of your position. FILE ATTACHED (Adobe Photoshop format)
As a neutral third party, the Better Business Bureau can help to resolve the matter. Often complaints are a result of misunderstandings a company wants to know about and correct...
We look forward to your prompt attention to this matter.
Sincerely, BBB of Metropolitan Washington DC and Eastern Pennsylvania


Malicious File Name and MD5:
Complaint.zip (F72C05A0A0C4C188B07ECE7806CC0F44)
ComplaintToManager.scr (F89D06A787094FE2DC1AF6B2C0914C17)


Screenshot: https://gs1.wac.edgecastcdn.net/801...521c93446/tumblr_inline_n5h4knHQFX1r6pupn.png

Tagged: bbb, Upatre

- http://myonlinesecurity.co.uk/better-business-bureau-complaint-fake-pdf-malware/
12 May 2014 - "Better Business Bureau Complaint with subject of RE:Case #8396880 pretending to come from Refugio Ratliff [Refugio_Ratliff@ bbb .org] is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers...
Email looks like:
May 12, 2014
Owner/Manager
The Better Business Bureau has received the above-referenced complaint from one of your customers regarding their dealings with you. The details of the consumer’s concern are included on the reverse. Please review this matter and advise us of your position. FILE ATTACHED (Adobe Photoshop format)
As a neutral third party, the Better Business Bureau can help to resolve the matter. Often complaints are a result of misunderstandings a company wants to know about and correct...
We look forward to your prompt attention to this matter.
Sincerely,
BBB of Metropolitan Washington DC and Eastern Pennsylvania


12 May 2014 : Complaint.zip ( 7kb) Extracts to ComplaintToManager.scr
Current Virus total detections: 2/52*
... another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...bbd35dd9ef8608874e94107564b12012998/analysis/
___

“Your Photos Are being Used” Phish
- http://blog.malwarebytes.org/fraud-scam/2014/05/your-photos-are-being-used-phishing-lure/
May 12, 2014 - "We’re seeing some reports that an old favourite of scammers everywhere is currently in circulation on social media sites such as Tumblr. If you receive a message from a friend which says:
OMG YOUR PHOTOS ARE BEING USED ON THIS SITE
then be very careful should you happen to click the link, because you may well be sent to a fake login page. In this case, the scammers use some Javascript to bounce the victim from a Tumblr spam blog to a fake Facebook login which they’ll need to use to see the supposed photos. Anybody filling in their details and hitting enter will of course have their username and password sent to the attacker.
> http://cdn.blog.malwarebytes.org/wp-content/uploads/2014/05/tumblr.png
...
> http://cdn.blog.malwarebytes.org/wp-content/uploads/2014/05/phish-fb.png
This sort of scam is often seen on Twitter, and regularly puts in a guest appearance or twelve on other sites. Any urgent-sounding messages sent your way which suggest imminent personal embarrassment of some description should be treated with healthy skepticism until you’ve confirmed that a) the message is genuine and b) it really was worth saving up for a one way ticket to the Sahara desert all those years ago. It’s very likely you’re going to be fine – however, you won’t be able to say the same for accounts being handed over to a scammer using a little shock and awe (but mostly shock) as a bait to spirit away some logins."
___

- http://blog.trendmicro.com/trendlab...ast-wider-net-now-asking-for-multiple-emails/
May 12, 2014 - "... Users should be wary of clicking shortened URLs, especially if they come from unverified sources. It’s recommended that they simply use bookmarks or type in the site’s URL directly into the address bar to avoid phishing pages. They should also double-check a site’s URL before they give out any user information; it has become all too easy for bad guys to create login pages that are near-identical to legitimate ones..."

Paypal Phish Flood, Fake invoice malware ...

FYI...

Paypal Phish Flood
- http://blog.malwarebytes.org/fraud-scam/2014/05/paypal-phishing-flood/
May 13, 2014 - "... noticed a trend in phishing scams over the last week, namely that a specific style of PayPal phish e-mail has been flooding potential victims. The text of the phishing e-mail includes:
Dear Member,
Recently, there's been activity in your PayPal account that seems unusual compared to your normal account activities. Pleaselog in to PayPal to confirm your identity and update your password and security questions.
To help protect your account, no one can send money or withdraw money. In addition, no one can close your account, send refunds,remove any bank accounts, or remove credit cards.
Click here to login <- Phishing Page
What's going on?
We're concerned that someone is using your PayPal account without your knowledge. Recent activity on your account seems tohave occurred from a suspicious location or under circumstances that may be different than usual.
What to do
Log in to your PayPal account as soon as possible. We may ask you to confirm information you provided when you created your account to make sure you're the account holder. We'll then ask you to change your password and security questions...


They then advise to wait until PayPal responds within 72 hours after all tasks are complete, however we know that by that time, any credit or accounts associated with your PayPal login are likely to be compromised. We have seen a massive amount of domains being employed to host the actual phishing page, which looks like this:
> http://cdn.blog.malwarebytes.org/wp-content/uploads/2014/05/imgmediatortimes.com_-_PayPal_Phish.png
In addition to the many locations this -scam- is being hosted, the amount of observed IP addresses sending the phishing attack is so far over 500. So keep an eye out for any such scam. In addition, there seems something oddly ‘phishy’ about the pattern of these attacks and as we uncover more we will update this post..."
___

Fake Computer Support Services invoice – PDF malware
- http://myonlinesecurity.co.uk/computer-support-services-fake-invoice-fake-pdf-malware/
13 May 2014 - "Computer Support Services fake invoice with subject of Computer Support Services JJBCL0104291 pretending to come from Computer Support Services [Bishop.j@ blackjj .co .uk] < random names @ blacjj .co .uk > is another one from the current bot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers... email looks like
Dear Carole We have created a new invoice for you. To view your statement including a pdf of this invoice please download the attachment.
Invoice Details
Invoice Number:
Description: 1/4/14 – 30/4/14
Amount: £67.80
Payment Details
Account Number: 01706454
Sort Code: 400822
Account Name: Computer Support Services
Kind Regards, Jennifer Eden Computer Support Services T: 0161 8505080 F: 0161 929 0049 W: www. blackjj .co .uk


13 May 2014 Report_ID30D74D9365D2AC998DC.zip (63 kb) : Extracts to invoice_65476859394857_pdf.exe
Current Virus total detections: 0/52*
This Computer Support Services fake invoice is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...a65931eab1ba70734ba1f06cb4056cb56e7/analysis/
___

Citibank Commercial Banking Form Spam
- http://threattrack.tumblr.com/post/85731142878/citibank-commercial-banking-form-spam
May 14, 2014 - "Subjects Seen:
Important - Commercial Form
Typical e-mail details:
Please scan attached document and fax it to +1 800-285-6016 .
All web filed documents (with the exception of downloaded accounts templates) are available to view / download for 10 days after their original submission. Once accepted, these changes will be displayed on the public record. Not yet filing your accounts online? See how easy it is… For enquiries, please telephone the Service Desk on +1 800-285-0106 or email enquiries@ citibank .com. This email was sent from a notification-only email address which cannot accept incoming mail. Please do not reply directly to this message. .
Yours faithfully
Lilly Mccann
Commercial Banking
Citibank N.A
Lilly.Mccann@ citibank .com


Malicious File Name and MD5:
CommercialForm.zip (5881899D33E80B0B33139BBDED43D9BB)
CommercialForm.scr (F7F5269B1031FF35B8F4DF1000CBCBBB)


Screenshot: https://gs1.wac.edgecastcdn.net/801...c63542d9f/tumblr_inline_n5koqnxVdL1r6pupn.png

Tagged: Citibank, Upatre
___

Microsoft Exchange Voice mail Spam
- http://threattrack.tumblr.com/post/85725818528/microsoft-exhange-voice-mail-spam
May 14, 2014 - "Subjects Seen:
You have received a voice mail
Typical e-mail details:
You received a voice mail : VOICE933-947-8474.wav (24 KB)
Caller-Id: 933-947-8474
Message-Id: XA6TL3
Email-Id: <email address>
This e-mail contains a voice message.
Download and extract the attachment to listen the message.
Sent by Microsoft Exchange Server


Malicious File Name and MD5:
VoiceMail.zip (B41AF487FC1D362DF736EAC5E14CF5FF)
VoiceMail.scr (DDBA4AD13DE7D5AE604729405C180D65)

Screenshot: https://gs1.wac.edgecastcdn.net/801...92a5e21d9/tumblr_inline_n5kl642QEg1r6pupn.png

Tagged: Voicemail, Upatre

Fake NatWest, 401K Fund SPAM ...

FYI...

Fake NatWest SPAM ...
- http://myonlinesecurity.co.uk/natwest-statement/
15 May 2014 - "NatWest Statement is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers... Email looks like:
View Your April 2014 Online Financial Activity Statement
Keep track of your account with your latest Online Financial Activity Statement from NatWest Bank. It’s available for you to view at this secure site. Just click to select how you would like to view your statement:
View/Download as a PDF
View all EStatements
So check out your statement right away, or at your earliest convenience...


Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/05/natwest-statement.png

15 May 2014 : Statement-pdf.zip (14 kb) : Extracts to Statement-pdf.scr
Current Virus total detections: 7/53*
This NatWest Statement is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...3c31c28ab60163ba91f63aede8aca271030/analysis/

- http://blog.dynamoo.com/2014/05/natwest-statement-spam-contains-bitly.html
15 May 2014 - "This -fake- NatWest spam sends victims to a malicious download via a bit.ly link... The link in the email goes to [donotclick]bit .ly/1jKW2GJ which then downloads a malicious file Statement-pdf.scr which has a VirusTotal detection rate of 8/53*...
* https://www.virustotal.com/en-gb/fi...163ba91f63aede8aca271030/analysis/1400164292/
___

Fake 401K Fund Spam
- http://threattrack.tumblr.com/post/85822053523/401k-fund-performance-spam
May 15, 2014 - "Subjects Seen:
401k April 2014 Fund Performance and Participant Communication
Typical e-mail details:
Co-op 401k Plan Participants
Attached you will find the April 2014 401k fund performance results as well as an informational piece regarding online calculators available on the website.
If you are a facility manager, please forward, print or post a copy of these pages on your bulletin board or in a conspicuous place where your employees can see them.
Please contact me if you have any questions.
Elsie Mosley
Employee Benefits/Plan Administrator...


Malicious File Name and MD5:
April-2014-401k-Fund.zip (B5B2231F7110B15F70DB7968134A5A98)
April-2014-401k-Fund.scr (81928270710BAD7443BDBCAA253E4094)


Screenshot: https://31.media.tumblr.com/eb6512d56ecfd85bd1d1f26c8cd7e181/tumblr_inline_n5mfb6Pc4p1r6pupn.png

Tagged: 401K, Upatre
___

Fake justice .co.uk - REMINDER NOTICE ...
- http://myonlinesecurity.co.uk/fake-justice-co-uk-reminder-notice-ignore/
15 May 2014 - "Fake justice .co.uk REMINDER NOTICE DO NOT IGNORE is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... a spurious parking ticket, hoping to extort a large sum of money from you...

UK central Police svc notice: http://www.actionfraud.police.uk/alert-beware-of-justice.gov.uk-scam-parking-fine-emails-mar14

Email looks like:
REMINDER NOTICE DO NOT IGNORE
To: submit@ thespykiller .co .uk Case: C5067787
Please print attached form and fax it to +44 020 4869 0219 Your vehicle was recorded parked on our Clients Private Property driveways on the 15.05.2014 and remained on site for 2 hour 28 min. A notice was sent to you on 10.04.2014 which gave 28 days to pay full PARKING CHARGE or challenge the issue. The amount of £78.00 is now due...


Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/05/REMINDER-NOTICE-DO-NOT-IGNORE.png

15 May 2014: Form-STD-Vehicle-150514.zip ( 11kb) Extracts to Form-STD-Vehicle-150514.scr
Current Virus total detections: 5/53*
... another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...df8dc96b5a8515f171f16154f21d5705ce4/analysis/

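A defender-side triage check for the zip attachments these posts keep describing (an added example, not code from any of the quoted blogs): it flags archive members with executable extensions, document-like double extensions such as Statement-pdf.scr or PP_detalis_726716942049.pdf.exe, and anything that starts with the PE magic "MZ" whatever its name says. The sample archive is constructed inline from file names in the posts above with dummy contents; nothing is fetched or executed.

```python
"""Triage a zip e-mail attachment for the "spoofed icon" tells discussed above.

Three checks, each independent of the others:
  * real extension is executable (.scr, .exe, .pif, ...), whatever the icon shows
  * a document hint sits right before the real extension ("x.pdf.exe", "Statement-pdf.scr")
  * the member starts with the PE magic "MZ" regardless of its name
"""
import io
import zipfile

EXEC_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}
DOCUMENT_HINTS = ("pdf", "doc", "xls", "jpg", "wav")


def analyse_member(name: str, head: bytes) -> list[str]:
    """Return the reasons a single archive member looks suspicious (empty if none)."""
    reasons = []
    lower = name.lower()
    ext = "." + lower.rsplit(".", 1)[-1] if "." in lower else ""
    if ext in EXEC_EXTS:
        reasons.append(f"executable extension {ext}")
    stem = lower[: -len(ext)] if ext else lower
    # "Statement-pdf.scr", "invoice_..._pdf.exe", "x.pdf.exe": document word masking the real extension
    for hint in DOCUMENT_HINTS:
        if stem.endswith(("." + hint, "-" + hint, "_" + hint)):
            reasons.append(f"document-like name '{hint}' masking {ext or 'no extension'}")
            break
    if head.startswith(b"MZ"):
        reasons.append("PE header (MZ) regardless of name")
    elif ext == ".pdf" and not head.startswith(b"%PDF"):
        reasons.append("claims .pdf but has no %PDF header")
    return reasons


def triage_zip(data: bytes) -> dict[str, list[str]]:
    """Map each suspicious member name to its reasons; clean members are omitted."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(4)  # only the magic bytes are needed, never the whole payload
            reasons = analyse_member(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample (names taken from the posts above, contents are dummy bytes)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Statement-pdf.scr", b"MZ" + b"\x00" * 62)
        zf.writestr("PP_detalis_726716942049.pdf.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("genuine.pdf", b"%PDF-1.4\n%%EOF\n")   # should pass all three checks
        zf.writestr("fake.pdf", b"MZ\x90\x00")                # PE payload hiding behind a .pdf name
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in triage_zip(build_sample_zip()).items():
        print(f"{member}: {'; '.join(reasons)}")
```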
Fake TT PAYMENT SPAM, High Fashion Scams ...

FYI...

Fake TT PAYMENT COPY - SPAM ...
- http://blog.dynamoo.com/2014/05/tt-payment-copy-spam.html
19 May 2014 - "This spam has a malicious attachment:
Date: Sun, 18 May 2014 20:54:20 -0700 [05/18/14 23:54:20 EDT]
Subject: Re TT PAYMENT COPY
please confirm the attachment payment Copy and get back to me?


Attached is an archive file TT PAYMENT COPY.zip which in turn contains another archive file TT PAYMENT COPY.rar (which relies on the victim having a program to uncompress the RAR file). Once that is done, a malicious executable PaySlip.exe is created. This file has a VirusTotal detection rate of 27/53*. Automated analysis tools... don't reveal what is happening, but you can guarantee it is nothing good."
* https://www.virustotal.com/en-gb/fi...00ac282b4050d96f1ecef463/analysis/1400507439/
___

High Fashion to High Risk ...
- http://blog.malwarebytes.org/fraud-scam/2014/05/from-high-fashion-to-high-risk/
May 19, 2014 - "... Suffice to say that several Fashion Weeks have come and gone since 2014 started... more runway events have been announced and are already scheduled to happen within the next two to three weeks... it’s highly likely that you may encounter the sites we’ve found these past few days. We have also noted that such sites have increased in number, with most of them carrying the brands Louis Vuitton, Chanel, Gucci, Hermes, and Oakley.
> http://cdn.blog.malwarebytes.org/wp-content/uploads/2014/05/fantasylouisvuitton.png
...
> http://cdn.blog.malwarebytes.org/wp-content/uploads/2014/05/guccioutlet.png
... What fantasylouisvuitton, guccioutlet, and fashionshop-usa have in common goes beyond not having an easy way for anyone to verify the products they say for authenticity. All these sites redirect to random JS (JavaScript) scripts hosted on js(dot)users(dot)51(dot)la, a site that has been associated with many -malicious- activities in the past*. Google Safe Browsing flags it as “suspicious”... Meanwhile, Tumblr users have been inundated with spam posts from users claiming to be students who have put up their own personal fashion site and wishing others to visit it. This is an old Tumblr scam designed to encourage the clicking of adverts, which is often against the Terms of Service (ToS) of many advertising networks and can be seen as a form of click fraud. In this case, scammers specifically looked for those interested in fashion... When it comes to dealing with scams and potentially risky websites, users are always at the losing end. Thus, avoiding such sites, in general, and sticking to visiting legitimate and/or official selling sites of popular brands are best practices to keep in mind."
* https://www.virustotal.com/en/domain/js.users.51.la/information/
___

Targeted Attack Trends - 2H 2013
- http://blog.trendmicro.com/trendlabs-security-intelligence/targeted-attack-trends-a-look-at-2h-2013/
May 19, 2014 - "Targeted attacks are known to use zero-day exploits. However, old vulnerabilities are still frequently exploited. In fact, based on cases analyzed in the second half of 2013, the most exploited vulnerability in this time frame was CVE-2012-0158, a Microsoft Office vulnerability that was patched in April 2012. This shows how important applying the latest patches and security updates are in mitigating the risks posed by these threats.
Most commonly exploited vulnerabilities related to targeted attacks
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/05/tareport2.jpg
... Spear phishing* is still the most seen entry point for targeted attacks. These email messages use relevant-sounding subjects that trick users into opening it and the file attachments therein that serve as malware carriers. In our 2014 prediction, we noted that mobile devices will also be leveraged by threat actors to gain entry to networks... Although targeted attacks are difficult to detect, this task can be made easier with solutions that use advanced threat detection technology that can detect, analyze, and respond to attacks that traditional antivirus signature-based solutions and blacklisting are not capable of. Targeted attacks often leave traces that can serve as indicators of compromise. As such, enterprises and large organizations are encouraged to build their own threat intelligence capability, which they can incorporate into their own existing security solutions..."
> http://about-threats.trendmicro.com...ds/report-threat-targets-diversify-in-2h-2013
... The latter half of 2013 also bore witness to a series of threat landscape updates that show the aggressive stance of present-day attackers... While bad actors prefer using tried-and-tested attack vectors, such as spear-phishing emails, vulnerabilities, and malware, research shows that they are on the move in terms of diversifying their victims all over the world..."
* http://searchsecurity.techtarget.com/definition/spear-phishing

- http://www.secureworks.com/resource...d-microsoft-word-vulnerability-cve-2014-1761/
May 16, 2014

- http://www.reuters.com/article/2014/05/19/us-cybercrime-usa-china-idUSBREA4I09420140519
May 19, 2014 - "The United States on Monday charged five Chinese military officers and accused them of hacking into American nuclear, metal and solar companies to steal trade secrets, ratcheting up tensions between the two world powers over cyber espionage. China immediately denied the charges, saying in a strongly worded Foreign Ministry statement the U.S. grand jury indictment was "made up" and would damage trust between the two nations... Federal prosecutors said the suspects targeted companies including Alcoa Inc, Allegheny Technologies Inc, United States Steel Corp, Toshiba Corp unit Westinghouse Electric Co, the U.S. subsidiaries of SolarWorld AG, and a steel workers' union. Officials declined to estimate the size of the losses to the companies, but said they were "significant." The victims had all filed unfair trade claims against their Chinese rivals, helping Washington draw a link between the alleged hacking activity and its impact on international business. According to the indictment, Chinese state-owned companies "hired" Unit 61398 of the People's Liberation Army "to provide information technology services" including assembling a database of corporate intelligence..."
___

E-On Energy Bill Spam
- http://threattrack.tumblr.com/post/86208169148/e-on-energy-bill-spam
May 19, 2014 - "Subjects Seen:
Unable to process your most recent bill payment
Typical e-mail details:
Dear customer,
This e-mail has been sent to you to inform you that we were unable to process your most recent payment of bill.
Please check attached file for more detailed information on this transaction.
IMPORTANT: The actual delivery date may vary from the Delivery By date estimate. Please make sure that there are sufficient available funds in your account to cover your payment beginning a few days before Delivery By date estimate and keep such funds available until the payment is deducted from your account.
If we fail to process a payment in accordance with your properly completed instructions, we will reimburse you any late-payment-related fees.
We apologize for any inconvenience this may cause.


Malicious File Name and MD5:
Eonenergy-Bill-29052014.zip (73C46BEB4997D121D88E4DA220EB8E75)
Eonenergy-Bill-29052014.scr (FE272CDACF8BB7C3A8B264BFDF3772FD)


Screenshot: https://gs1.wac.edgecastcdn.net/801...a1905cd2b/tumblr_inline_n5tos8wRJh1r6pupn.png

Tagged: eon, Upatre

- http://myonlinesecurity.co.uk/e-energy-unable-process-recent-bill-payment/
19 May 2014
> http://myonlinesecurity.co.uk/wp-co...-to-process-your-most-recent-bill-payment.png

* https://www.virustotal.com/en/file/...9d87b44c2138bee1d6c647272d8358c6675/analysis/

Fake Sage, LexisNexis Invoice SPAM ...

FYI...

Fake Sage Invoice SPAM leads to malware
- http://blog.dynamoo.com/2014/05/fake-sage-invoice-spam-leads-to-malware.html
20 May 2014 - "This -fake- Sage spam leads to malware:
Date: Tue, 20 May 2014 09:20:53 +0100 [04:20:53 EDT]
From: Sage [Wilbur.Contreras@ sage-mail .com]
Subject: FW: Invoice_6895366
Please see attached copy of the original invoice (Invoice_6895366).


Attached is an archive file Invoice6895366.zip which in turn contains a malicious executable Invoice200522014.scr which has a VirusTotal detection rate of 8/52*. The Malwr analysis** shows that it then goes on to download further components from [donotclick]protecca .com/fonts/2005UKdp.zip [108.163.165.122]..."
* https://www.virustotal.com/en-gb/fi...8181c8407700bac33a606c3c/analysis/1400575304/

** https://malwr.com/analysis/MWRiODI4NDBlYmFlNGNjOTgzNmYzMThjZDFlNzRkMDI/

- https://www.virustotal.com/en-gb/ip-address/108.163.165.122/information/

- http://myonlinesecurity.co.uk/fake-justice-co-uk-reminder-notice-ignore/
Updated 20 May 2014 - "... Another big run of these this morning. See the notice on Justice .co.uk* and Action Fraud** where they are asking you to report these to them..."
* https://www.justice.gov.uk/help/fraud

** http://www.actionfraud.police.uk/alert-beware-of-justice.gov.uk-scam-parking-fine-emails-mar14

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/05/REMINDER-NOTICE-DO-NOT-IGNORE.png

- http://threattrack.tumblr.com/post/86315391248/uk-ministry-of-justice-spam
May 20, 2014
Tagged: UK Ministry of Justice, Upatre
___

Fake LexisNexis Invoice – PDF malware
- http://myonlinesecurity.co.uk/lexisnexis-invoice-notification-may-2014-fake-pdf-malware/
20 May 2014 - "LexisNexis Invoice Notification for May 2014 pretending to come from LexisNexis [einvoice.notification@ lexisnexis .com] is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers...
Email looks like:
There was an invoice issued to your company: thespykiller .co.uk Please double click the PDF attachment to open or print your invoice.
To view full invoice details or for any Online Account Management options, download PDF attachment.
Account Number 278QCB
Invoice Number 195709944451
Invoice Date May 20, 2014
Invoice Amount $3.809.00
Account Balance $0.00
You can PAY YOUR BALANCE through the PowerInvoice please print the attached invoice and mail to the address indicated on the invoice statement...


Screenshot: http://myonlinesecurity.co.uk/wp-co...isNexis-Invoice-Notification-for-May-2014.png

20 May 2014 LexisNexis_Invoice_05202014.zip (12 KB) Extracts to
LexisNexis_Invoice_05202014.scr - Current Virus total detections: 0/52*
This LexisNexis Invoice Notification for May 2014 is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...5fff4cfa12d24dad854e6fe7/analysis/1400601699/
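A mail gateway or an analyst does not have to rely on the icon: the bytes inside the archive say what the file is. The following Python script is an added example (not code from myonlinesecurity.co.uk or from this thread) that opens a ZIP attachment and flags members whose extension is executable, whose name carries a decoy double extension, or whose content starts with the PE "MZ" header despite a document extension. The archive it scans is constructed in memory; the member name LexisNexis_Invoice_05202014.scr is taken from the post above, while the other names and all file contents are made up for the demonstration:

```python
from __future__ import annotations

import io
import zipfile
from pathlib import PurePosixPath

# Extensions Windows runs on double-click (not exhaustive).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".js", ".vbs", ".jar", ".cpl"}
# Extensions a user expects from a "document" attachment.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}


def classify_member(name: str, head: bytes) -> list[str]:
    """Return the reasons an archive member looks like a disguised executable."""
    reasons: list[str] = []
    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    ext = suffixes[-1] if suffixes else ""
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {ext}")
    if len(suffixes) >= 2 and suffixes[-2] in DOCUMENT_EXTS and ext in EXECUTABLE_EXTS:
        reasons.append("double extension (document name hiding an executable)")
    # A PE file starts with the 'MZ' DOS header. The icon the user sees is
    # stored inside that file, so the first bytes reveal what the icon hides.
    if head[:2] == b"MZ" and ext not in EXECUTABLE_EXTS:
        reasons.append("PE header (MZ) but non-executable extension")
    return reasons


def suspicious_members(zip_bytes: bytes) -> dict[str, list[str]]:
    """Scan every file in a ZIP (given as bytes) and map name -> reasons."""
    findings: dict[str, list[str]] = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(64)  # enough for the magic-number check
            reasons = classify_member(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive: a real-looking PDF, a .scr dropper, a
    decoy double extension, and a PE renamed to .pdf. Contents are fake."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_195709944451.pdf", b"%PDF-1.4\n%...\n")
        zf.writestr("LexisNexis_Invoice_05202014.scr", b"MZ" + b"\x90" * 62)
        zf.writestr("Statement.pdf.exe", b"MZ" + b"\x90" * 62)
        zf.writestr("Statement.pdf", b"MZ" + b"\x90" * 62)
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in suspicious_members(build_sample_zip()).items():
        print(f"{member}: {'; '.join(why)}")
```

The content check is the one that matters: with "hide extensions for known file types" left on, the .scr name never reaches the user's eyes, but the MZ header is still there for the gateway to see.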
___

SCAM: FIFA World Cup Tickets
- http://blog.trendmicro.com/trendlab...ing-scammed-with-2014-fifa-world-cup-tickets/
March 20, 2014 - "As the 2014 FIFA World Cup Brazil draws near, we are seeing more threats using the event as bait. We recently talked about cybercriminals in Brazil taking advantage of the event to spread malware, but we’ve found that the threats have gone beyond that: we’ve spotted -fake- FIFA websites selling game tickets... For the site meant for visitors from Brazil, would-be fans can buy a ticket for the final Game for 8,630.20 reais (or just under 3,900 US dollars). This price is almost 4000% higher than the official price on FIFA’s website. At a Brazilian complaints site, a user reported that he bought three tickets for the Portugal versus Germany match from this site, but hadn’t received any tickets yet. The victim also claims that this scam site left no phone number to be contacted. Another complaint on the same site says the only way for the scammers to be contacted is via chat or email... This scam is an example of how different legitimate services (hosting, domain registration, online payment system) can be used fraudulently to scam victims around the globe... remember that -only- FIFA is authorized to sell tickets for the World Cup games..."
___

iBanking: Exploiting the Full Potential of Android Malware
- http://www.symantec.com/connect/blogs/ibanking-exploiting-full-potential-android-malware
20 May 2014 - "Powerful Russian cybercrime gangs have begun to use premium Android malware to broaden their attacks on financial institutions. The tool, known as iBanking, is one of the most expensive pieces of malware Symantec has seen on the underground market and its creator has a polished, Software-as-a-Service business model... iBanking often masquerades as legitimate social networking, banking or security applications and is mainly being used to defeat out-of-band security measures employed by banks, intercepting one-time passwords sent through SMS. It can also be used to construct mobile -botnets- and conduct covert surveillance on victims. iBanking has a number of advanced features, such as allowing attackers to toggle between HTTP and SMS control, depending on the availability of an Internet connection... One of the most active iBanking users is the Neverquest* crew, a prolific cybercrime group that has infected thousands of victims with a customized version of Trojan.Snifula**. This financial Trojan can perform Man-in-the-Middle (MITM) attacks against a range of international banks. The Neverquest crew utilizes iBanking to augment its Snifula attacks, capturing one-time passwords sent to mobile devices for out-of-band authentication and transaction verification. Control numbers (the mobile numbers that the bots can receive instructions from) indicate that the Neverquest crew is likely operating out of Eastern Europe... Since iBanking victims are usually tricked into installing the app by a desktop financial Trojan, keeping your desktop antivirus software up to date will help avoid infection. You should be wary of any SMS messages which contain links to download APKs (Android application package files), especially from non-reputable sources. IT administrators should consider blocking all messages which contain a link to install an APK. 
Some iBanking APKs have been seeded onto trusted marketplaces and users should be aware of this as a potential avenue of infection. Users should be aware of sharing sensitive data through SMS, or at least be aware that malicious programs are sniffing this data..."

* http://malware.dontneedcoffee.com/2013/12/nitmo-no-just-ibanking-used-by-the.html

** http://www.symantec.com/security_response/writeup.jsp?docid=2013-112803-2524-99
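One way to implement the "block messages that contain a link to install an APK" advice at a mail or SMS gateway, as an added example that is not Symantec's code and not part of the post above: it extracts links from a message body and flags those whose path, or a query-string value, ends in .apk, so indirect download links are caught as well as direct ones. The sample messages and the example.invalid host are constructed for this demonstration:

```python
from __future__ import annotations

import re
from urllib.parse import parse_qsl, urlsplit

# Loose matcher for links in SMS/e-mail bodies (constructed for this example).
URL_RE = re.compile(r"""\b(?:https?://|www\.)[^\s<>"']+""", re.IGNORECASE)
TRAILING_PUNCT = ".,;:!?)"


def _ends_with_apk(value: str) -> bool:
    return value.lower().rstrip("/").endswith(".apk")


def apk_links(text: str) -> list[str]:
    """Return the links in `text` that point at an Android package."""
    hits: list[str] = []
    for raw in URL_RE.findall(text):
        cleaned = raw.rstrip(TRAILING_PUNCT)  # drop sentence punctuation
        url = cleaned
        if url.lower().startswith("www."):
            url = "http://" + url  # give urlsplit a scheme to work with
        parts = urlsplit(url)
        # Direct file link: .../app.apk
        if _ends_with_apk(parts.path):
            hits.append(cleaned)
            continue
        # Indirect download: .../dl?file=app.apk
        if any(_ends_with_apk(v) for _, v in parse_qsl(parts.query)):
            hits.append(cleaned)
    return hits


def should_block(text: str) -> bool:
    """Policy from the write-up: drop any message carrying an APK link."""
    return bool(apk_links(text))


# Constructed messages in the iBanking style; not real samples.
SAMPLE_MESSAGES = [
    "Install our new security app to keep your account safe: "
    "http://example.invalid/bank/secure.apk.",
    "Confirm your phone number here: https://example.invalid/dl?file=protect.apk&v=2",
    "Your statement is ready, log in at https://example.invalid/login",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print("BLOCK " if should_block(msg) else "allow ", msg)
```

A rule like this is cheap and catches the delivery step the post describes; it does not help once the user has side-loaded the package, which is why the advice about keeping the desktop clean comes first.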

Something evil on 93.171.173.173, FireEye confirms DOJ’s findings on APT ...

FYI...

Something evil on 93.171.173.173 ...
- http://blog.dynamoo.com/2014/05/something-evil-on-93171173173-sweet.html
21 May 2014 - "93.171.173.173 (Alfa Telecom, Russia) is currently distributing the Sweet Orange EK via a bunch of -hijacked- GoDaddy subdomains. The malware is being spread through code injected into legitimate but hacked websites. For example [donotclick]www.f1fanatic .co.uk is a compromised website that tries to redirect visitors to two different exploit kits:
[donotclick]adv.atlanticcity .house:13014/sysadmin/wap/fedora.php?database=3
[donotclick]fphgyw.myftp .biz/kfafyfztzhtwvjhpr37ffn9qi7w0ali5rhczqxcgif3d4
The second one is an attempt to load the Fiesta EK although the payload site is currently down. But the .house domain appears to be Sweet Orange (incidentally this is the first time that I've seen one of the new TLDs abused in this way)... The server on 93.171.173.173 hosts a number of subdomains that are hijacked from GoDaddy customers. I recommend that you block either the subdomain or domains themselves... The EK page itself has a VirusTotal detection rate of 0/53*, although hopefully some of the components it installs will trigger a warning."
(More detail at the dynamoo URL above.)
* https://www.virustotal.com/en-gb/fi...888687a2b073288ebae607ba/analysis/1400664015/

93.171.173.173: https://www.virustotal.com/en-gb/ip-address/93.171.173.173/information/

- http://centralops.net/co/DomainDossier.aspx
93.171.173.173
inetnum: 93.171.172.0 - 93.171.175.255
country: RU ...
origin: AS29182
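Turning the data above into something enforceable, as an added example (not code from dynamoo.com or centralops.net): the inetnum from the WHOIS output is converted to CIDR form for a firewall rule, and hostnames are matched label by label so that a listed domain catches its subdomains without the usual suffix bug (where blocking atlanticcity.house would also block notatlanticcity.house). The two hostnames come from the write-up above; the Blocklist class and helper names are this example's own:

```python
from __future__ import annotations

import ipaddress


def inetnum_to_cidrs(first: str, last: str) -> list[str]:
    """Turn a WHOIS inetnum range into the CIDR block(s) a firewall wants."""
    nets = ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)
    )
    return [str(n) for n in nets]


def normalize_host(host: str) -> str:
    """Lower-case, drop a trailing dot, and undo the "[donotclick]" and
    spaced-out-dot defanging used in write-ups like the one above."""
    host = host.replace("[donotclick]", "").replace(" .", ".").strip().lower()
    return host.rstrip(".")


class Blocklist:
    def __init__(self, domains: list[str], networks: list[str]) -> None:
        self.domains = {normalize_host(d) for d in domains}
        self.networks = [ipaddress.ip_network(n, strict=False) for n in networks]

    def host_blocked(self, host: str) -> bool:
        """True for an exact match or any subdomain of a listed domain.

        Walking the labels ("adv.atlanticcity.house" -> "atlanticcity.house"
        -> "house") avoids the suffix bug where a plain endswith() check on
        "atlanticcity.house" would also block "notatlanticcity.house".
        """
        labels = normalize_host(host).split(".")
        return any(".".join(labels[i:]) in self.domains for i in range(len(labels)))

    def ip_blocked(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.networks)


# Values taken from the write-up above; illustrative, not a complete list.
SWEET_ORANGE_HOSTS = ["atlanticcity.house", "fphgyw.myftp.biz"]
ALFA_TELECOM_RANGE = inetnum_to_cidrs("93.171.172.0", "93.171.175.255")
BLOCKLIST = Blocklist(SWEET_ORANGE_HOSTS, ALFA_TELECOM_RANGE)

if __name__ == "__main__":
    print("CIDR for the inetnum:", ALFA_TELECOM_RANGE)
    for h in ["adv.atlanticcity .house", "notatlanticcity.house", "other.myftp.biz"]:
        print(h, "->", "blocked" if BLOCKLIST.host_blocked(h) else "allowed")
```

Note the asymmetry in the sample list: atlanticcity.house is blocked as a whole domain, while only the single hijacked host fphgyw.myftp.biz is listed, since myftp.biz is a dynamic-DNS provider with many unrelated customers.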

Diagnostic page for AS29182 (ISPSYSTEM-AS)
- https://www.google.com/safebrowsing/diagnostic?site=AS:29182
"Of the 16625 site(s) we tested on this network over the past 90 days, 264 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2014-05-22, and the last time suspicious content was found was on 2014-05-22... Over the past 90 days, we found 87 site(s) on this network... appeared to function as intermediaries for the infection of 393 other site(s)... this network has hosted sites that have distributed malicious software in the past 90 days. We found 260 site(s)... that infected 3562 other site(s)..."
___

FireEye Confirms DOJ’s Findings on APT1 Intrusion Activity
- http://www.fireeye.com/blog/technic...dojs-findings-on-apt1-intrusion-activity.html
May 20, 2014 - "Yesterday, the U.S. Department of Justice (DOJ) announced the indictment of five members of the Second Bureau of the People’s Liberation Army (PLA) General Staff Department’s Third Department, also known as PLA Unit 61398. This is the -same- unit that Mandiant publicly unmasked last year in the APT1 report*. At the time it was originally released, China denounced the report, saying that it lacked sufficient evidence. Following the DOJ’s indictment, however, China’s usual response changed from “you lack sufficient evidence” to “you have fabricated the evidence”, calling on the U.S. to “correct the error immediately.” This is a significant evolution in China’s messaging; if the evidence is real, it overwhelmingly demonstrates China’s unilateral attempts to leapfrog years of industrial development — by using cyber intrusions to access and steal intellectual property... Although one could attempt to explain every piece of evidence away, at some point the evidence starts to become overwhelming when it is all pointing in one direction. Our timestamp data, derived from active RDP logins over a two year period, matches the DOJ’s timestamp data, derived from a different source — active Dynamic DNS re-pointing over a five year period. These data sets show that APT1 is either operating in China during normal Chinese business hours or that APT1 is intentionally going to painstaking lengths to look like they are... "
(More detail at the fireeye URL above.)
* http://intelreport.mandiant.com/
___

“Amazoon” Phishing
- http://blog.malwarebytes.org/fraud-scam/2014/05/watch-out-for-amazoon-phishing/
May 21, 2014 - "Be warned that there are some typo happy phishers looking out for login credentials... take a trip down the Amazoon:
> http://cdn.blog.malwarebytes.org/wp-content/uploads/2014/05/amazoon1.jpg
It reads:
Verify your Amazoon account
Dear Amazon user,
We need to confirm your account information,
you must confirm your amazon account before we close it.
Click the link below to confirm your account information using our secure server.


Clicking the “Manage” link will take victims to a page asking for username and password information:
> http://cdn.blog.malwarebytes.org/wp-content/uploads/2014/05/amazoon2.jpg
After this, they’re faced with a page asking for personal information (name, address, phone number and so on):
> http://cdn.blog.malwarebytes.org/wp-content/uploads/2014/05/amazoon3.jpg
The page after this one is broken – looks like the host has taken it down mid-blog so hopefully nobody else will be scammed by this one. Typically the pattern for this kind of thing would be login details, personal information then card data. While we can’t say for sure what lay in wait at step 3, we can say to be on your guard for any more emails from “Amazoon” and -never- hand over personal data such as card details in response to emails you’ve been sent."

>> http://www.dilbert.com/2014-05-19/
___

Fake Contrat Commercant SPAM – PDF malware
- http://myonlinesecurity.co.uk/contrat-commercant-n-9579514-fake-pdf-malware/
21 May 2014 - "Contrat Commercant N: 9579514 pretending to come from Rick Goddard [Rick.Goddard@ credit-agricole .fr] is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers. This is written entirely in French...
Email looks like :
Hello,
Pleased to have made your acquaintance. I confirm that I have received the documents..
Can you tell me whether you wish to keep merchant contract no. 9579514? Without any action on our part, it will be automatically terminated on 22 May 2014.
To avoid automatic termination, give the Credit Agricole service 2 minutes by filling in the attached form.
Rick Goddard ...


21 May 2014: Contrat_9579514.zip ( 8kb) Extracts to Contrat_210514.scr
Current Virus total detections: 0/52* ...
This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...5f064bca38460c9591f5585e24754a4bc09/analysis/
___

PrimeAspire (primeaspire .com) spam
- http://blog.dynamoo.com/2014/05/primeaspire-primeaspirecom-spam.html
21 May 2014 - "Startup or no startup, sending spam to a spamtrap is not a good way to drum up business..
From: Team@ primeaspire .com
To: donotemail@ wearespammers .com
Date: 20 May 2014 13:32
Subject: PrimeAspire - The Freelance Platform
Hello,
Following our recent launch we'd like to invite you to PrimeAspire where you can post any task and securely get skilled people to complete specific freelance tasks.
The platform is completely free and used by talented people looking for freelance projects.
Learn more
Thanks,
The PrimeAspire team ...


Screenshot: http://4.bp.blogspot.com/-a2q8a983zhc/U3vdzEHjMDI/AAAAAAAADB4/frl26R0YCVk/s1600/primeaspire.png

... CEO of PrimeAspire is one Chris Adiolé. PrimeAspire (strictly speaking it is Prime Aspire Ltd) is a real company (07850209 in the UK), and Mr Adiolé even has his name on the domain WHOIS details rather than hiding behind a proxy service... Originating IP is 79.170.44.6 which is Heart Internet in the UK. The primeaspire.com domain is hosted with the same firm on 79.170.40.239... promoting your startup through spam is always a very bad move..."

Browlock -redirects- via Google Image Search ...

FYI...

Browlock -redirects- via Google Image Search
- http://blog.malwarebytes.org/fraud-scam/2014/05/browlock-redirects-via-google-image-search/
May 22, 2014 - "We saw a website offering up a downloadable version of what they claim is Telltale’s Back to the Future game. The site had apparently been -hacked- allowing those who compromised it to add redirect code onto the website. As a side effect of this, clicking on their image via the initial returned results from a Google image search while using Chrome will mean your browser is redirected to a Browlock scam page, complete with dire warnings placed on top of the preview image which is now adrift in a sea of fakery:
> http://cdn.blog.malwarebytes.org/wp-content/uploads/2014/05/locksearch1.png
... we’re looking at a typical “Your PC has been encrypted, pay us money to return your files” message – the translation of which can be seen over on the F-Secure website* – and depending on your browser set up, you may have a few problems getting rid of the page. For example:
> http://cdn.blog.malwarebytes.org/wp-content/uploads/2014/05/locksearch2.jpg
Once the box is on the screen, there is no way to open another tab or indeed navigate to one that is already open. For similar reasons, you won’t be able to close the browser either. The browser is trapped in a loop of confirmation pop-up boxes and our old friend CTRL+ALT+DEL will be required to kill the browser in Task Manager. The end-user isn’t under too much risk here – the scam page is simply -pretending- that the PC has had all files encrypted, and wants them to pay up to get their hands back on valuable personal data. There have been instances in the past where Fake AV has taken advantage of image search and caused problems for Mac users, and here’s a Youtube video** of the Windows equivalent. In this case, if you’re ever able to get the popup out of the way AND close the image AND open up the vanilla website AND read the Russian text…you should close the browser via the wonder of Task Manager and go do something else anyway. Your data is safe, no need to hand over cash to scammers!"
* http://www.f-secure.com/weblog/archives/00002698.html

** http://www.youtube.com/watch?v=1oxAK4TP6Uk
___

Malvertising ads on popular site leads to Silverlight exploit, Zeus Trojan
- http://blog.malwarebytes.org/exploi...ite-leads-to-silverlight-exploit-zeus-trojan/
May 22, 2014 - "Malicious ads displayed on legitimate websites (malvertising) are something we see a lot of these days... third-party content is always a bit iffy because you just can’t control it. Case in point, a popular website recently suffered a malvertising attack. Our honeypots detected the malicious redirection from a compromised ad in the wee hours of last Friday morning. We contacted both the site owners and the advertising agency and the malicious traffic stopped shortly after. Over the course of the weekend and the beginning of the week, we exchanged some further emails to get a better understanding about the attack, which turned out to be an Ad server compromise... the advertising agency had suffered a server compromise themselves. I managed to talk to them and they were willing to share information about the attack that affected them and in turn their customers. After browsing their log files they noticed a peculiar IP address that had logged in through SSH and had connected to their email server. But interestingly the attacker waited patiently before doing anything nefarious. It appears the attacker was reading their emails and simply waiting for something valuable to come up. Finally, a new ad campaign with a high volume website was started and details were shared via email. Almost immediately after, the attacker redirected the tracking for the ad server to his own malicious site (rotator)... The goal of this malvertising attack is to -redirect- unsuspecting users to an exploit kit landing page in order to infect their computers... Drive-by download through Angler exploit kit: The exploit kit landing page is heavily obfuscated to make detection harder... Following successful exploitation of the machine, a payload is dropped. This one is none other than the infamous Zeus/Zbot banking Trojan... The best defence is a layered one and it starts with browser protection. 
To stop the Silverlight exploit you need to be running the latest version of the software*... also another notable external connection to an IP (37.57.26.167) based in the Ukraine... good Anti-Malware protection running in the background can also protect you against the threat, either by blocking the malicious site or the dropped payload... Thanks to the advertising agency for sharing some of the details on their compromise. Hopefully this will be helpful to other website owners."
(More detail at the malwarebytes URL above.)
* http://www.microsoft.com/getsilverlight/Get-Started/Install/Default.aspx

- http://atlas.arbor.net/briefs/
Elevated Severity
May 23, 2014
Microsoft Silverlight vulnerabilities were recently targeted in a malvertising campaign redirecting victims to exploit kits.
Analysis: Malicious ads in the AppNexus network redirected victims to malicious sites hosting the Angler Exploit Kit containing Silverlight exploits. Angler EK has shown a significant increase in attacks against Silverlight since late April... Like many other exploit kits, Angler EK makes use of disclosed, patched vulnerabilities rather than zero-days. The two Silverlight vulnerabilities exploited in this campaign, CVE-2013-0074 and CVE-2013-3896, both have available patches and published exploit code... Angler EK also contains exploits for other applications including Java and Flash, whose security issues are frequently discussed. Given the widespread and growing usage of Silverlight, including by popular video streaming site Netflix, it is likely that Silverlight will continue to be targeted. Users who have Silverlight installed should ensure that it is up-to-date.

Targeted attacks, Malware via Dropbox ...

FYI...

Targeted attacks against Taiwan gov't agencies
- http://blog.trendmicro.com/trendlab...acks-against-taiwanese-government-agencies-2/
May 23, 2014 - "... We are currently monitoring a campaign that specifically targets government and administrative agencies in Taiwan. We are naming this specific campaign PLEAD because of the letters of the backdoor commands issued by the related malware. The point of entry for this campaign is through email. In the PLEAD campaign, threat actors use the RTLO (right to left override) technique in order to fool the target recipient into thinking that the file extension of the unpacked file is not suspicious, i.e., not an executable. In some cases related to the PLEAD campaign, the RTLO technique was implemented correctly, as seen in a case targeting a particular ministry in Taiwan, purporting to be reference materials for a technical consultant conference... We also observed the use of an exploit using the CVE-2012-0158 vulnerability, which had long been patched by MS12-027 in 2012. The vulnerability exists in Windows common controls, could allow an attacker to execute malicious code, and is a common vulnerability found in targeted attacks... We are still conducting research about the related C&Cs and malware tools in the PLEAD campaign and will be providing technical details about the breadth of this campaign. It appears that the attacks related to this campaign have been around since 2012."
(More detail at the trendmicro URL above.)
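The RTLO trick described above, shown from the defender's side as an added example (not Trend Micro's code): a filename containing U+202E is rendered with everything after the override reversed, so a name that really ends in .exe can appear to end in .doc. The script lists the bidi control characters present, approximates what the user would see, and reports the real extension. The sample name conference_materials<RLO>cod.exe is constructed for this example, and displayed_name() is a simplification of the Unicode bidi algorithm, enough to show the disguise but not a full renderer:

```python
from __future__ import annotations

# Unicode bidi override/embedding/isolate controls that alter how text is drawn.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF",
    "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}
RLO, PDF = "\u202e", "\u202c"
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}


def displayed_name(name: str) -> str:
    """Approximate what a file manager renders for a name containing U+202E.

    Text after the override is drawn right-to-left (reversed here) until a
    Pop Directional Formatting (U+202C) or the end of the string. Real bidi
    handling of digits and punctuation is more involved; this is enough to
    show the trick.
    """
    out: list[str] = []
    i = 0
    while i < len(name):
        ch = name[i]
        if ch == RLO:
            end = name.find(PDF, i + 1)
            if end == -1:
                end = len(name)
            out.append(name[i + 1:end][::-1])
            i = end + 1  # skip the PDF terminator too
            continue
        if ch in BIDI_CONTROLS:
            i += 1  # other controls are invisible; ignore them
            continue
        out.append(ch)
        i += 1
    return "".join(out)


def strip_controls(name: str) -> str:
    return "".join(ch for ch in name if ch not in BIDI_CONTROLS)


def real_extension(name: str) -> str:
    """The extension the OS will act on, with all bidi controls removed."""
    clean = strip_controls(name)
    dot = clean.rfind(".")
    return clean[dot:].lower() if dot != -1 else ""


def check_filename(name: str) -> dict:
    """Report on a filename: what it is, what it looks like, and whether
    bidi controls are being used to disguise an executable."""
    controls = [f"U+{ord(c):04X} ({BIDI_CONTROLS[c]})" for c in name if c in BIDI_CONTROLS]
    ext = real_extension(name)
    return {
        "real_name": strip_controls(name),
        "displayed_as": displayed_name(name),
        "bidi_controls": controls,
        "real_extension": ext,
        "disguised_executable": bool(controls) and ext in EXECUTABLE_EXTS,
    }


# Constructed sample in the PLEAD style: the user sees "conference_materialsexe.doc".
SAMPLE = "conference_materials" + RLO + "cod.exe"

if __name__ == "__main__":
    for key, value in check_filename(SAMPLE).items():
        print(f"{key:>22}: {value}")
```

A practical gateway rule is simply "any bidi control character in an attachment name is suspicious": there is no legitimate reason for one to appear in a file name sent to a Windows user, so the detection does not depend on rendering the name correctly.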
___

Fake NatWest email downloads malware via Dropbox
- http://blog.dynamoo.com/2014/05/fake-natwest-email-downloads-malware.html
May 23, 2014 - "This fake NatWest email follows the same pattern as this one except that it is downloading malware via Dropbox rather than Bitly.
From: NatWest .co.uk [noreply@ natwest .co.uk]
Date: 23 May 2014 11:36
Subject: NatWest Statement
View Your May 2014 Online Financial Activity Statement
Keep track of your account with your latest Online Financial Activity Statement from NatWest Bank. It's available for you to view at this secure site. Just click to select how you would like to view your statement:
View/Download as a PDF
View all EStatements
So check out your statement right away, or at your earliest convenience.
Thank you for managing your account online.
Sincerely,
NatWest Bank ...


The link in the email goes to [donotclick]dl.dropboxusercontent .com/s/h8ee7pet8g3myfh/NatWest_Financial_Statement.zip?dl=1&token_hash=AAGNPq4-blG8MXToyYPu1l8lXEyrOQNz6EjK7rUBRaSHGg&expiry=1400838977 which downloads an archive file NatWest_Financial_Statement.zip which in turn contains the malicious executable NatWest_Financial_Statement.scr. This has a VirusTotal detection rate of just 3/52*. Automated analysis tools... show that it downloads a component from [donotclick]accessdi .com/wp-content/uploads/2014/04/2305UKmw.zip ... The Malwr analysis shows that it then downloads some additional EXE files:
ibep.exe (VT 2/52, Malwr report)
kuten.exe (VT 3/52, Malwr report)
sohal.exe (VT 2/52, Malwr report)
As is typical with the attack, the payload appears to be P2P/Gameover Zeus/Zbot."
(More detail and links at the dynamoo URL above.)
* https://www.virustotal.com/en-gb/fi...d6138da4bece9cdf89e8efeb/analysis/1400846756/
___

Fake eBay Customer List is Bitcoin Bait
- http://krebsonsecurity.com/2014/05/expert-fake-ebay-customer-list-is-bitcoin-bait/
May 22, 2014 - "... an advertisement that is offering to sell the full leaked user database for 1.4 bitcoins (roughly USD $772 at today’s exchange rates). The ad has even prompted some media outlets to pile on that the stolen eBay data is now for sale. But a cursory examination of the information suggests that it is almost certainly little more than a bid to separate the unwary from their funds... There is a surprisingly simple method for determining the validity of these types of offers. Most Web-based businesses allow one user or customer account per email address, and eBay is no exception here. I took a random sampling of five email addresses from the 12,663 users in that file, and tried registering new accounts with them. The outcome? Success on all five... the main target of these fake leak scammers are probably security companies eager enough to verify the data that they might just buy it to find out. Interestingly, I did have one security company approach me today about the feasibility of purchasing the data, although I managed to talk them out of it..."

Fake Voice Msg – PDF malware ...

FYI...

Fake Voice Msg – PDF malware
- http://myonlinesecurity.co.uk/voice-message-fake-pdf-malware/
26 May 2014 - "Voice Message from <random number> pretending to come from message@<random email address> is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers...
Today we are seeing a mass run of the common voice message malware theme. 2 different versions of these so far today. Loads of slightly different subjects:
Voice Message from +07720-160332
Voice message transmission report: 2014.05.26_4B10694078
Incoming voice message [2014_05_26_9E57221633]
Incoming Voice Message [+07457706455]
They all come via one of the bots and have an alleged sender of message@any name you can think of .com/co.uk/net etc. Emails look like:
You have a new Voice Message!
Sender: +07457706455
Date: 2014-05-24 13:19:26 UTC
ID: 2014-05-26_0D87942690


26 May 2014: voice_message_2014-05-26_75555857A9.zip Extracts to voice_message_2014-05-26_3C51847781.exe
Current Virus total detections: 2/53*. This Voice Message from is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...4c0435cbe66dbf20bcf62ef6/analysis/1401119086/

- https://www.virustotal.com/en/file/...e25870c639b5d0613c31c6fead72f0b1e96/analysis/

:fear: :mad:
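The post above describes a .zip attachment whose member is an .exe carrying a PDF icon, which Windows shows without its extension by default. The following is an added example (not code from the post or from myonlinesecurity.co.uk) of a mail-gateway style check that opens such an attachment in memory and flags members by extension, by PE header and by double extension. The member name voice_message_2014-05-26_3C51847781.exe is taken from the post; the other member names and all file contents are constructed for the sample.

```python
import io
import zipfile

# Extensions Windows runs as code on double-click. With the default
# "Hide extensions for known file types" setting, "voice_message.exe"
# displays as "voice_message" beside whatever icon the PE carries.
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "jar"}
# Document types whose icon a spoofed executable typically imitates.
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "wav", "mp3"}


def inspect_attachment(zip_bytes):
    """Return [(member_name, [reasons])] for every suspicious member of the archive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Split the base name on dots so double extensions are visible.
            parts = info.filename.lower().rsplit("/", 1)[-1].split(".")
            ext = parts[-1] if len(parts) > 1 else ""
            with zf.open(info) as member:
                head = member.read(4)
            reasons = []
            if ext in EXECUTABLE_EXTENSIONS:
                reasons.append("executable extension ." + ext)
            if head.startswith(b"MZ"):
                reasons.append("PE (MZ) header")
            if len(parts) > 2 and parts[-2] in DOCUMENT_EXTENSIONS:
                reasons.append("double extension ." + parts[-2] + "." + ext)
            if ext == "pdf" and not head.startswith(b"%PDF"):
                reasons.append(".pdf name without %PDF header")
            if reasons:
                findings.append((info.filename, reasons))
    return findings


def build_sample_zip():
    """Constructed sample archive: two PE stubs (one named as in the campaign,
    one with a double extension) and a benign PDF. Contents are fake."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("voice_message_2014-05-26_3C51847781.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("report.pdf.exe", b"MZ" + b"\x00" * 62)  # constructed name
        zf.writestr("genuine.pdf", b"%PDF-1.4\n% constructed body\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in inspect_attachment(build_sample_zip()):
        print(name, "->", "; ".join(reasons))
```

The magic-byte check matters more than the extension check: an attacker controls the name, but a PE that is going to execute has to start with MZ regardless of what it is called. Real gateways extend this with nested archives and password-protected zips, which this example does not handle.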
 
eBay phish, Mobile ransomware, iPhone hijacks? ...

FYI...

eBay phish ...
- http://myonlinesecurity.co.uk/ebay-phishing/
27 May 2014 - "... Today we started to receive eBay phishing emails that aren’t connected with the password reset that eBay are requesting all users to do, but a more typical -phish- with a message saying an eBay member has left you a message regarding item no #2389452906... always -ignore- the links in these emails and log in to your eBay account manually and check the My Messages link inside eBay. That is the -only- way to be guaranteed that it is the correct site. This one is quite well crafted and until you look very closely at the web address, you could quite easily believe that you are on the genuine eBay site.... Email looks like:
Question about Item #2389452906- Respond Now
eBay sent this message on behalf of an eBay member through My Messages.
Dear member,
eBay member timeautoparts has left you a message regarding item #2389452906
Click here to view the message
Regards,
eBay


Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/05/ebay-phish-email.png
If you follow the links in the email, you end up on a page looking like this:
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/05/ebay_phish_site.png
... after giving your details you are sent to a confirmation page that looks like this asking you to confirm your email address and email password. The phishers want 2 bites at the cherry and not only want your eBay account log in details but also your email account log in details so they can use that to spread their spam and malware:
> http://myonlinesecurity.co.uk/wp-content/uploads/2014/05/ebay_phish_confirm_email.png
... That then bounces you to the genuine eBay site where you don’t realise that you have given your details to a phishing site..."

- http://www.hoax-slayer.com/ebay-password-reset-notifications.shtml
May 27, 2014 - "... the genuine eBay notification does -not- ask you to click a link. Instead, it asks that you go to eBay in your usual way and login to change your password..."
___

Aussie Apple devices, including the iPhone, are being hijacked
- http://www.theage.com.au/digital-li...s-hijacked-held-to-ransom-20140527-zrpbj.html
May 27, 2014 - "Owners of Apple devices across Australia are having them digitally held for ransom by hackers demanding payment before they will relinquish control. iPad, iPhone and Mac owners in Queensland, NSW, Western Australia, South Australia and Victoria have reported having their devices held hostage. One iPhone user, a Fairfax Media employee in Sydney, said she was awoken at 4am on Tuesday to a loud "lost phone" message that said "Oleg Pliss" had hacked her phone. She was instructed to send $50 to a PayPal account to have it unlocked... It is likely hackers are using the unusual name as a front to get money from people. A real Oleg Pliss is a software engineer at tech company Oracle. A similar name is listed on LinkedIn as a banking professional in Ukraine, while there are others in Russia. Affected users in Australia have been discussing the issue on Twitter and Apple's own support forum*."
* https://discussions.apple.com/thread/6270410?start=0&tstart=0

How to defend against... iCloud attack
> http://blogs.computerworld.com/cybe...efend-against-apples-oleg-pliss-icloud-attack
May 27, 2014 - "... If you have a passcode for your device, then you don't have a problem -- just use the passcode to get into your device again, and change your iCloud password. Find My iPhone can only set its own code if you have not created your own passcode for the device... Some reports claim the following steps may help locked out users regain control of their device..."
(More detail at the computerworld URL above.)

- http://www.f-secure.com/weblog/archives/00002707.html
May 27, 2014

- http://www.databreaches.net/iphone-owners-hit-by-ransomware-hack-demanding-money-for-their-phones/
May 27, 2014
___

Ransomware Moves to Mobile
- http://blog.trendmicro.com/trendlabs-security-intelligence/ransomware-moves-to-mobile/
May 26, 2014 - "Ransomware continues to make waves... it is now targeting mobile devices... cybercrime groups have decided to include mobile users in their intended victims. Our earlier efforts resulted in some of those behind these attacks being arrested, but not all of these cybercriminals are now behind bars – and some have expanded their efforts into mobile malware. This is detected as ANDROIDOS_LOCKER.A ... The malware will monitor the screen activity when a device is active or running. Based on the analysis of its code, it tries to put its UI on top of the screen when the device is unlocked. People will not be able to uninstall the malicious app by traditional uninstall means as one would normally do because the system or even the AV UI is always “covered” by the malware’s UI. It also tries to connect to several URLs that are its command-and-control servers. These are currently inaccessible. However, one URL was found to display pornographic content. The ransomware appears to be capable of sending information to these C&C servers albeit a limited function because it only has few permissions... To -avoid- these threats, we strongly suggest that you -disable- your device’s ability to install apps from sources outside of Google Play and double check the developer of the app you want to download and be very meticulous of the app reviews to verify apps’ legitimacy. This setting can be found under Security in the system settings of Android devices..."

:mad: :fear:
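The eBay phish at the top of this post works because the "Click here to view the message" link looks right "until you look very closely at the web address", and the hoax-slayer note adds that the genuine notification asks you not to click a link at all. The following is an added example (not code from the post, from myonlinesecurity.co.uk or from eBay) of how a mail filter can make that close look automatically: it pulls every anchor out of an HTML message and checks whether the link host actually sits under the brand's domains, rather than merely containing the brand name. The list of eBay domains is an assumption for the example, and the sample message, including the lookalike host under the reserved example.net and the TEST-NET address 192.0.2.10, is constructed.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed set of domains the brand legitimately links to (example only).
EBAY_DOMAINS = ("ebay.com", "ebay.co.uk")

# Constructed sample message modelled on the post's "Question about Item" text.
SAMPLE_EMAIL = """
<p>eBay member timeautoparts has left you a message regarding item #2389452906</p>
<p><a href="http://signin.ebay.com.example.net/ws/signin">Click here to view the message</a></p>
<p><a href="http://192.0.2.10/ebay/">Respond Now</a></p>
<p>Regards,<br><a href="https://www.ebay.com/">eBay</a></p>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_belongs_to(host, domains):
    """True only if host equals a brand domain or is a subdomain of one.
    A plain substring test would accept ebay.com.example.net; this does not."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify_links(html, brand_domains=EBAY_DOMAINS):
    """Return [(href, text, [reasons])]; an empty reason list means the link passed."""
    parser = LinkExtractor()
    parser.feed(html)
    results = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        reasons = []
        if not host:
            reasons.append("no host in link")
        elif is_ip_literal(host):
            reasons.append("IP literal host")
        elif not host_belongs_to(host, brand_domains):
            reasons.append("host outside brand domains: " + host)
            # The brand name appearing in a foreign host is the classic decoy.
            if any(d.split(".")[0] in host for d in brand_domains):
                reasons.append("brand name used as decoy in host")
        results.append((href, text, reasons))
    return results


if __name__ == "__main__":
    for href, text, reasons in classify_links(SAMPLE_EMAIL):
        print(f"{text!r} -> {href}: {'; '.join(reasons) or 'ok'}")
```

The point of host_belongs_to is the suffix comparison: the registered domain is the rightmost labels, so anything the phisher puts to the left of it is irrelevant, and anything they put to the right of the brand name takes the user off-brand. For production use, the brand domain list would come from a maintained source and the filter would also resolve redirectors and shortened links before classifying.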
 