Fake 'Scan', 'bank transactions' SPAM, SWIFT security, Dropbox hacked
FYI...
Fake 'Scan' SPAM - leads to Locky
- https://myonlinesecurity.co.uk/sent...-own-email-address-leads-to-locky-ransomware/
31 Aug 2016 - "... received a massive malspam run of an email with the subject of 'FW: [Scan] 2016-08-13 15:49:12' [random numbered] pretending to come from random senders at your own email domain or company with a zip attachment containing an encrypted HTA file... One of the emails looks like:
From: Bertha <Bertha34@ your own email domain>
Date: Wed 31/08/2016 06:14
Subject: FW: [Scan] 2016-08-13 15:49:12
Attachment: 2016-08-30 436 663 415.zip
From: “Bertha” <Bertha34@[REDACTED]>
Sent: 2016-08-13 15:49:12
To: [REDACTED]
Subject: [Scan] 2016-08-13 15:49:12
Sent with Genius Scan for iOS ...
31 August 2016: 2016-08-30 436 663 415.zip: Extracts to: Yd95ozed8.hta - Current Virus total detections 9/56*
.. Payload Security** shows a download of the usual Locky encrypted file from a list of embedded URLs in the decrypted HTA/JavaScript file which is converted to QXkcpj1.dll by the instructions inside the HTA/JavaScript (VirusTotal 19/56***)... This is another one of the files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...96d8f3248e8d5533732af3d7/analysis/1472620428/
** https://www.reverse.it/sample/15cf2...3e596d8f3248e8d5533732af3d7?environmentId=100
Contacted Hosts
*** https://www.virustotal.com/en/file/...239a318586a56e10b7a89571/analysis/1472623964/
___
Fake 'bank transactions' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/atta...any-during-last-month-malspam-delivers-locky/
31 Aug 2016 - "... Locky continues with an email with the subject of 'bank transactions' coming from random senders, companies and email addresses with a random named zip attachment containing a JS file... One of the emails looks like:
From: Marlene Carrillo <Carrillo.170@ veloxzone. com.br>
Date: Wed 31/08/2016 07:35
Subject: bank transactions
Attachment: b231f370cf0.zip
Good morning gold.
Attached is the bank transactions made from the company during last month.
Please file these transactions into financial record.
Yours truly,
Marlene Carrillo
31 August 2016: b231f370cf0.zip: Extracts to: CC1BB558_bank_transactions.js - Current Virus total detections 3/56*
.. MALWR** shows a download of an encrypted file from one of these locations:
http ://www.instalacionesjosearteaga .com/s7yy5 | http ://enigmes4saisons.perso. sfr .fr/dilveh
http ://mambarambaro .ws/1m202 | http ://www.meta. metro .ru/uumr65
which gets transformed into the Locky ransomware by the script KzgOzqkkKOZ.dll (VirusTotal 7/57***). Payload Security[4]... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...3bcd59c1ccc5cac41c2d3086/analysis/1472629007/
** https://malwr.com/analysis/ZDI1NjIzZDZjODUxNDRkY2E2ZDMwZjc4OGI3NTk5MzU/
Hosts
*** https://www.virustotal.com/en/file/...e0a60ed44c3fbc2d90287be9/analysis/1472629326/
4] https://www.hybrid-analysis.com/sam...ac03bcd59c1ccc5cac41c2d3086?environmentId=100
Contacted Hosts
- http://blog.dynamoo.com/2016/08/malware-spam-bank-transactions.html
31 Aug 2016 - "This -fake- financial spam comes with a malicious attachment:
From: Rueben Vazquez
Date: 31 August 2016 at 10:06
Subject: bank transactions
Good morning petrol.
Attached is the bank transactions made from the company during last month.
Please file these transactions into financial record.
Yours truly,
Rueben Vazquez
The name of the sender will vary. Attached is a randomly-named ZIP file containing a malicious .js script with a name consisting of a random hexadecimal number plus _bank_transactions.js ... According to the Malwr report of these three samples [1] [2] [3] the scripts download... Each one of those samples drops a -different- DLL... these phone home to:
95.85.19.195/data/info.php [hostname: vps-110831.freedomain .in .ua] (Digital Ocean, Netherlands)
138.201.191.196/data/info.php [hostname: u138985v67.ds-servers .com] (Hetzner, Germany)
188.127.249.203/data/info.php [hostname: it.ivanovoobl .ru] (SmartApe, Russia)
188.127.249.32/data/info.php (SmartApe, Russia)
cufrmjsomasgdciq .pw/data/info.php [91.223.180.66] (FOP Sedinkin Olexandr Valeriyovuch aka thehost.ua, Ukraine)
The payload is probably the Locky ransomware.
Recommended blocklist:
95.85.19.195
138.201.191.196
188.127.249.0/24
91.223.180.0/24 "
1] https://malwr.com/analysis/YzQyYzA2NDRlMTU4NDU0Mzg4ZTZkODk0ZmVmZjE5Mzg/
2] https://malwr.com/analysis/YTVhMjg2NGZhMGEyNDIzZDk0YTUyM2RmNWEwZDFjY2E/
3] https://malwr.com/analysis/ZjM5YTNhOTZmMGQ3NGViZTlkODdjMDViOWM4YTNmOTQ/
___
Fake 'flight tickets' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/i-am...nce-abroad-next-month-malspam-delivers-locky/
31 Aug 2016 - "This latest Locky ransomware malspam is a little bit more believable than some recent attempts and might actually fool a few recipients. An email with the subject of 'flight tickets' pretending to come from random companies, senders and email addresses with a random name zip attachment containing a JavaScript file... One of the emails looks like:
From: Wallace Hampton <Hampton.7365@writers-india.com>
Date: Wed 31/08/2016 18:37
Subject: flight tickets
Attachment: 4e0302044044.zip
Good evening admin.
I am sending you the flight tickets for your business conference abroad next month.
Please see the attached and note the date and time.
Respectfully,
Wallace Hampton
31 August 2016: 4e0302044044.zip: Extracts to: CE14A812_flight_tickets.js - Current Virus total detections 3/56*
.. MALWR** shows a download of an encrypted file from one of these locations:
http ://roger.pierrieau.perso. sfr .fr/68d8ti | http ://virmalw .name/31fwt4cs
http ://simo62.web. fc2 .com/yywcdpbu | http ://www.francogatta .it/npoa0lzw
which is converted to a working Locky ransomware file & autorun by the script 20mrgwO23alMfJvj.dll (VirusTotal 8/58***). Payload Security[4]...
This is another one of the files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...dddcfcc94ee6aa42c1c6ee77/analysis/1472665164/
** https://malwr.com/analysis/Y2U2MmYxOTY0ZWUxNGFjYmE4NWM3M2Q2OWU2N2VmOGQ/
Hosts
158.69.147.88
208.71.106.61
195.78.215.76
86.65.123.70
*** https://www.virustotal.com/en/file/...dd36d5e6e27dcfdfab049233/analysis/1472665518/
4] https://www.hybrid-analysis.com/sam...a6edddcfcc94ee6aa42c1c6ee77?environmentId=100
Contacted Hosts
___
SWIFT discloses more cyber thefts, pressures banks on security
- http://www.reuters.com/article/us-cyber-heist-swift-idUSKCN11600C
Aug 31, 2016 - "SWIFT, the global financial messaging system, on Tuesday disclosed new hacking attacks on its member banks as it pressured them to comply with security procedures instituted after February's high-profile $81 million heist at Bangladesh Bank. In a private letter to clients, SWIFT said that new cyber-theft attempts - some of them successful - have surfaced since June, when it last updated customers on a string of attacks discovered after the attack on the Bangladesh central bank... The disclosure suggests that cyber thieves may have ramped up their efforts following the Bangladesh Bank heist, and that they specifically targeted banks with lax security procedures for SWIFT-enabled transfers... A SWIFT spokeswoman declined to elaborate on the recently uncovered incidents or the security issues detailed in the letter, saying the firm does not discuss affairs of specific customers. All the victims shared one thing in common: Weaknesses in local security that attackers exploited to compromise local networks and send fraudulent messages requesting money transfers, according to the letter. Accounts of the attack on Bangladesh Bank suggest that weak security procedures there made it easier to hack into computers used to send SWIFT messages requesting large money transfers. The bank lacked a firewall and used second-hand, $10 electronic switches to network those computers, according to the Bangladesh police..."
___
Hacks steal account details for 60M Dropbox Users
- https://it.slashdot.org/story/16/08...unt-details-for-over-60-million-dropbox-users
Aug 31, 2016 - "Hackers have stolen over 60 million account details for online cloud storage platform Dropbox. Although the accounts were stolen during a previously disclosed breach, and Dropbox says it has already forced password resets, it was not known how many users had been affected, and only now is the true extent of the hack coming to light. Motherboard* obtained a selection of files containing email addresses and hashed passwords for the Dropbox users through sources in the database trading community. In all, the four files total in at around 5GB, and contain details on 68,680,741 accounts..."
* https://motherboard.vice.com/read/hackers-stole-over-60-million-dropbox-accounts
:fear::fear:
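A mail-gateway style check for the three Locky lures quoted above (random-named zip with a .js or .hta inside, a sender spoofing the recipient's own domain, and the fixed subjects 'FW: [Scan] ...', 'bank transactions', 'flight tickets'), added here as an example; it is not code from the original post or from the sites quoted. The zip built by `build_sample_zip` is constructed for the example and holds a harmless placeholder, and the `external` flag is an assumed input meaning the message arrived from outside the organisation.

```python
import io
import re
import zipfile

# Script types Windows runs on double-click (wscript/mshta); the campaigns
# above ship .js and .hta, the others are common siblings.
SCRIPT_EXTS = {".js", ".jse", ".hta", ".wsf", ".vbs", ".vbe"}

# Subjects seen in the three runs quoted above.
SUSPECT_SUBJECTS = [
    re.compile(r"^(FW: )?\[Scan\] \d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}$"),
    re.compile(r"^bank transactions$", re.IGNORECASE),
    re.compile(r"^flight tickets$", re.IGNORECASE),
]


def attachment_findings(zip_bytes):
    """Return the reasons a zip attachment looks like a script dropper."""
    reasons = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            base = name.rsplit("/", 1)[-1].lower()
            parts = base.rsplit(".", 2)
            ext = "." + parts[-1] if len(parts) > 1 else ""
            if ext in SCRIPT_EXTS:
                reasons.append(f"script file inside zip: {name}")
                # 'report.pdf.js' displays as 'report.pdf' when Explorer
                # hides known extensions, the masquerade the post warns about.
                if len(parts) == 3:
                    reasons.append(f"double extension masquerade: {name}")
    return reasons


def mail_findings(sender, recipient_domain, subject, external):
    """Header-level heuristics for the lures described in the post."""
    reasons = []
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    # The 'Scan' run forges a sender at the victim's own domain; only
    # meaningful when the message actually came from outside (assumed flag).
    if external and sender_domain == recipient_domain.lower():
        reasons.append("external mail with sender at our own domain")
    for pattern in SUSPECT_SUBJECTS:
        if pattern.match(subject):
            reasons.append(f"subject matches known lure: {subject!r}")
    return reasons


def build_sample_zip(member_name):
    """Constructed test attachment: one placeholder member, no real payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, "// constructed placeholder, not malware\n")
    return buf.getvalue()


if __name__ == "__main__":
    zipped = build_sample_zip("CC1BB558_bank_transactions.js")
    print(attachment_findings(zipped))
    print(mail_findings("Bertha34@example.com", "example.com",
                        "FW: [Scan] 2016-08-13 15:49:12", external=True))
```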