Something evil on 188.120.198.1 ...
FYI...
Something evil on 188.120.198.1 - (IP4ISP / LuckyNet, Czech Republic)
- http://blog.dynamoo.com/2014/07/something-evil-on-1881201981-ip4isp.html
21 July 2014 - "... Cushion Redirect sites closely related to this attack a few weeks ago* but this time hosted on 188.120.198.1 (IP4ISP / LuckyNet, Czech Republic). You can see the -redirect- in action in this URLquery report** and VirusTotal*** has a clear indication of badness on this IP. All the sites are -hijacked- subdomains of legitimate domains, a peculiar mix of pornography and Dora the Explorer... the most effective way of securing your network is to permablock 188.120.198.1.
Recommended blocklist:
188.120.198.1
e-meskiesprawy24 .com.pl
dora-explorer .co.uk
adultvideoz .net
alsancakescort .org
anadoluyakasiescort .asia"
* http://blog.dynamoo.com/2014/07/something-evil-on-3718714057-ovh-france.html
** http://urlquery.net/report.php?id=1405937345878
*** 188.120.198.1: https://www.virustotal.com/en-gb/ip-address/188.120.198.1/information/
___
Facebook video scam leaves unamusing Trojan
- http://net-security.org/malware_news.php?id=2814
21.07.2014 - "... video spreading on Facebook leaves a not-so-hilarious Trojan in its wake on users’ computers, according to research by Bitdefender. The malware, believed to originate from Albania, can access a large amount of data from the user’s internet browser. The scam begins with what appears to be a funny video of a Facebook friend. Once the video is clicked on, users are directed to a fake YouTube page, which then -redirects- them to a malicious Flash Player.exe for an Adobe update... Malware writers faked the number of views so the video seems to have been watched by over a million users... In an attempt to bypass security, the hackers got their hands on over 60 bit.ly API keys that helped them generate shortened URLs. The unique links are then spread on Facebook timelines. As API keys are randomly selected, blacklisting a couple does not stop the scam from spreading. Bitdefender has notified bit.ly of the issue. The malware writers used an add-on framework that allows their code to function on several browsers. With Google Chrome, the malicious YouTube video -redirects- users to a fake FlashPlayer install. The file, detected by Bitdefender as Trojan.Agent.BDYV, drops a password-protected archive on the computer and a .bat file, designed to run the executable in the archive after providing the password as a parameter. With Firefox, the page prompts for a malicious add-on install. On both browsers, the add-on tags 20 Facebook friends at a time and injects ad services into the page. The extension also fiddles with some of the social network’s functionalities so that users can't delete the malicious posts from their timeline and activity log..."
___
Bank of America - Activity Alert Spam
- http://threattrack.tumblr.com/post/92440887228/bank-of-america-activity-alert-spam
July 21, 2014 - "Subjects Seen:
Activity Alert: A Check Exceeded Your Requested Alert Limit
Typical e-mail details:
Activity Alert
A check exceeded your requested alert limit
We’re letting you know a check written from your account went over the limit you set for this alert.
For more details please check attached file
Malicious File Name and MD5:
report072114_349578904357.exe (23E32D6A9A881754F1260899CB07AC55)
report072114_349578904357.zip (4FE1365C55AA0C402384F068CDA7DF8E)
Screenshot: https://gs1.wac.edgecastcdn.net/801...7e6090d69/tumblr_inline_n92lonNlop1r6pupn.png
Tagged: Bank of America, Upatre
- http://myonlinesecurity.co.uk/activity-alert-check-exceeded-requested-alert-limit-fake-pdf-malware/
21 July 2014
> https://www.virustotal.com/en/file/...d1fb7e89e6edfe085f8a71f7/analysis/1405960609/
___
Bitly API key and MSNBC unvalidated redirects
- http://community.websense.com/blogs...-api-key-and-msnbc-unvalidated-redirects.aspx
21 Jul 2014 - "... observed a -spam/fraud- campaign whereby a user is -redirected- from a real news site to a -fake- news site. In this case the real site is msnbc.com, which belongs to the well-known cable and satellite channel MSNBC. We have discovered that cyber criminals appear to have gained access to the publicly available MSNBC Bitly API key. This is being abused to create custom URL shorteners. Websense Security Labs has been tracking fraudulent sites of this kind since 2012, but this was the first time that a redirection technique of this type was observed. Executive Summary: The various methods used by this group include:
- Use of publicly available Bitly API key for redirection
- Use of a famous news site to redirect to a fake news site
- Four redirection steps from real news site to fake news site
- Spreading the link through Google and Yahoo groups and spam mail
Here is the -fake- news site to which the user is directed, hosted on a legitimate-looking host of hxxp ://fcxnws .com/:
> http://community.websense.com/cfs-f...tylabs/4011.fake-news-site.jpg_2D00_550x0.jpg
So far, Websense Security Labs has identified that the spam is spread through Google and Yahoo groups, and email. Example post on Google groups:
> http://community.websense.com/cfs-f...itylabs/1263.google-groups.jpg_2D00_550x0.jpg
Example post on Yahoo groups:
> http://community.websense.com/cfs-f...ritylabs/2821.yahoo-groups.jpg_2D00_550x0.jpg
... Bitly is a service to shorten URLs into a more user-friendly format. Shortened URLs are very convenient as they are easier to exchange due to their length, and can improve the look of a message. Businesses can set up their own 'short domains' and change their DNS settings to Bitly's servers. Each Bitly customer has their own API key that they can use to generate short URLs from full URLs. If the API key relates to an account that has set up their own short domain, the custom short domain will be used when generating a short URL... Bitly are currently blocking the redirection page at the time of writing. Kudos to them.
>> http://community.websense.com/cfs-f...labs/7206.blocked-by-bitly.jpg_2D00_550x0.jpg
... Websense Security Labs identified other websites that keep their Bitly API key in public view. Exposing your Bitly API key is a risk if you have a short domain, as it allows anybody to generate short URLs on your short domain that redirect to anywhere of that person's choosing. This can make it appear as if your business is the one redirecting to malware/phishing/fraud etc. Fortunately, there's not much more that anybody can do with an API key as any account-related or link editing features can only be accessed after an OAuth login. All requests to the Bitly API should be done on the website's back end, on the server-side. This means that the API key will never be seen by public users on the front end and your API key remains safe. You can read about Bitly's API best practices here: http://dev.bitly.com/best_practices.html . URL shorteners are very useful, but come with their own security risks and should be used with caution from a developer and from a user point of view."
:fear:
FYI...
Something evil on 188.120.198.1 - (IP4ISP / LuckyNet, Czech Republic)
- http://blog.dynamoo.com/2014/07/something-evil-on-1881201981-ip4isp.html
21 July 2014 - "... Cushion Redirect sites closely related to this attack a few weeks ago* but this time hosted on 188.120.198.1 (IP4ISP / LuckyNet, Czech Republic). You can see the -redirect- in action in this URLquery report** and VirusTotal*** has a clear indication of badness on this IP. All the sites are -hijacked- subdomains of legitimate domains, a peculiar mix of pornography and Dora the Explorer... the most effective way of securing your network is to permablock 188.120.198.1.
Recommended blocklist:
188.120.198.1
e-meskiesprawy24 .com.pl
dora-explorer .co.uk
adultvideoz .net
alsancakescort .org
anadoluyakasiescort .asia"
* http://blog.dynamoo.com/2014/07/something-evil-on-3718714057-ovh-france.html
** http://urlquery.net/report.php?id=1405937345878
*** 188.120.198.1: https://www.virustotal.com/en-gb/ip-address/188.120.198.1/information/
___
Facebook video scam leaves unamusing Trojan
- http://net-security.org/malware_news.php?id=2814
21.07.2014 - "... video spreading on Facebook leaves a not-so-hilarious Trojan in its wake on users’ computers, according to research by Bitdefender. The malware, believed to originate from Albania, can access a large amount of data from the user’s internet browser. The scam begins with what appears to be a funny video of a Facebook friend. Once the video is clicked on, users are directed to a fake YouTube page, which then -redirects- them to a malicious Flash Player.exe for an Adobe update... Malware writers faked the number of views so the video seems to have been watched by over a million users... In an attempt to bypass security, the hackers got their hands on over 60 bit.ly API keys that helped them generate shortened URLs. The unique links are then spread on Facebook timelines. As API keys are randomly selected, blacklisting a couple does not stop the scam from spreading. Bitdefender has notified bit.ly of the issue. The malware writers used an add-on framework that allows their code to function on several browsers. With Google Chrome, the malicious YouTube video -redirects- users to a fake FlashPlayer install. The file, detected by Bitdefender as Trojan.Agent.BDYV, drops a password-protected archive on the computer and a .bat file, designed to run the executable in the archive after providing the password as a parameter. With Firefox, the page prompts for a malicious add-on install. On both browsers, the add-on tags 20 Facebook friends at a time and injects ad services into the page. The extension also fiddles with some of the social network’s functionalities so that users can't delete the malicious posts from their timeline and activity log..."
___
Bank of America - Activity Alert Spam
- http://threattrack.tumblr.com/post/92440887228/bank-of-america-activity-alert-spam
July 21, 2014 - "Subjects Seen:
Activity Alert: A Check Exceeded Your Requested Alert Limit
Typical e-mail details:
Activity Alert
A check exceeded your requested alert limit
We’re letting you know a check written from your account went over the limit you set for this alert.
For more details please check attached file
Malicious File Name and MD5:
report072114_349578904357.exe (23E32D6A9A881754F1260899CB07AC55)
report072114_349578904357.zip (4FE1365C55AA0C402384F068CDA7DF8E)
Screenshot: https://gs1.wac.edgecastcdn.net/801...7e6090d69/tumblr_inline_n92lonNlop1r6pupn.png
Tagged: Bank of America, Upatre
- http://myonlinesecurity.co.uk/activity-alert-check-exceeded-requested-alert-limit-fake-pdf-malware/
21 July 2014
> https://www.virustotal.com/en/file/...d1fb7e89e6edfe085f8a71f7/analysis/1405960609/
___
Bitly API key and MSNBC unvalidated redirects
- http://community.websense.com/blogs...-api-key-and-msnbc-unvalidated-redirects.aspx
21 Jul 2014 - "... observed a -spam/fraud- campaign whereby a user is -redirected- from a real news site to a -fake- news site. In this case the real site is msnbc.com, which belongs to the well-known cable and satellite channel MSNBC. We have discovered that cyber criminals appear to have gained access to the publicly available MSNBC Bitly API key. This is being abused to create custom URL shorteners. Websense Security Labs has been tracking fraudulent sites of this kind since 2012, but this was the first time that a redirection technique of this type was observed. Executive Summary: The various methods used by this group include:
- Use of publicly available Bitly API key for redirection
- Use of a famous news site to redirect to a fake news site
- Four redirection steps from real news site to fake news site
- Spreading the link through Google and Yahoo groups and spam mail
Here is the -fake- news site to which the user is directed, hosted on a legitimate-looking host of hxxp ://fcxnws .com/:
> http://community.websense.com/cfs-f...tylabs/4011.fake-news-site.jpg_2D00_550x0.jpg
So far, Websense Security Labs has identified that the spam is spread through Google and Yahoo groups, and email. Example post on Google groups:
> http://community.websense.com/cfs-f...itylabs/1263.google-groups.jpg_2D00_550x0.jpg
Example post on Yahoo groups:
> http://community.websense.com/cfs-f...ritylabs/2821.yahoo-groups.jpg_2D00_550x0.jpg
... Bitly is a service to shorten URLs into a more user-friendly format. Shortened URLs are very convenient as they are easier to exchange due to their length, and can improve the look of a message. Businesses can set up their own 'short domains' and change their DNS settings to Bitly's servers. Each Bitly customer has their own API key that they can use to generate short URLs from full URLs. If the API key relates to an account that has set up their own short domain, the custom short domain will be used when generating a short URL... Bitly are currently blocking the redirection page at the time of writing. Kudos to them.
>> http://community.websense.com/cfs-f...labs/7206.blocked-by-bitly.jpg_2D00_550x0.jpg
... Websense Security Labs identified other websites that keep their Bitly API key in public view. Exposing your Bitly API key is a risk if you have a short domain, as it allows anybody to generate short URLs on your short domain that redirect to anywhere of that person's choosing. This can make it appear as if your business is the one redirecting to malware/phishing/fraud etc. Fortunately, there's not much more that anybody can do with an API key as any account-related or link editing features can only be accessed after an OAuth login. All requests to the Bitly API should be done on the website's back end, on the server-side. This means that the API key will never be seen by public users on the front end and your API key remains safe. You can read about Bitly's API best practices here: http://dev.bitly.com/best_practices.html . URL shorteners are very useful, but come with their own security risks and should be used with caution from a developer and from a user point of view."
:fear:
Last edited: