SPAM frauds, fakes, and other MALWARE deliveries...

Random subject SPAM

FYI...

Random subject SPAM - download .lnk files to malware
- https://myonlinesecurity.co.uk/vari...sing-powershell-to-download-various-malwares/
1 Feb 2017 - "... numerous versions of the emails, but they all basically function in the same way. The email has a link to a compromised site that pretends to be a doc, image or PDF file but in reality will download a .lnk file (windows shortcut file) - these run powershell & contact another site to actually download the malware. These link files have a base64 encoded section with the download link...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/02/item_shipped.png

... other emails read and look like:
1] https://myonlinesecurity.co.uk/wp-content/uploads/2017/02/booking-confirmation.png

2] https://myonlinesecurity.co.uk/wp-content/uploads/2017/02/your-order-confirmed.png

- https://www.virustotal.com/en/file/...5123bec63e1c8af8cd1ce35472f9a28d127/analysis/
File name: confirm-purchase-ordernum-3TX0S8458483-JY.pdf
Detection ratio: 3/54
Analysis date: 2017-02-01

- https://www.hybrid-analysis.com/sam...3e1c8af8cd1ce35472f9a28d127?environmentId=100
Contacted Hosts
5.152.199.228

... different download locations, sometimes delivering exactly same malware from all locations and sometimes slightly different malware versions from each one... All these malicious emails are either designed to steal your Passwords, Bank, PayPal or other financial details along with your email or FTP (web space) log in credentials. Or they are -Ransomware- versions that encrypt your files and demand large sums of money to recover the files..."

:fear::fear: :mad:
 
Fake 'eFax' SPAM, Identity fraud hits record high, Apple phish, Netgear updates

FYI...

Fake 'eFax' SPAM - delivers malware
- https://myonlinesecurity.co.uk/spoo...ax-from-516-6128936-delivers-unknown-malware/
2 Feb 2017 - "... an email with the subject of 'You received a new eFax from 516-6128936' (numbers are normally random) pretending to come from eFax <messaging@ efax .com> with a link-that-downloads a malicious word doc... Update: I am reliably informed* it downloads Hancitor & other associated malware...
* https://twitter.com/Techhelplistcom/status/827235660352323584

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/02/efax-from-5166128936.png

... The download link in the body of the email is:
http ://akatsuki-eng .co.jp/api/get.php?id=dmljdGltQGRvbWFpbi5jb20= where the base64 encoded section is the recipients email address...

2 February 2017: eFax_victim.doc - Current Virus total detections 3/54**. Payload Security***... DO NOT follow the advice they give to enable macros or enable editing to see the content..."
** https://www.virustotal.com/en/file/...91247d99dd771dd34f53ae4d/analysis/1486056401/

*** https://www.hybrid-analysis.com/sam...5ec91247d99dd771dd34f53ae4d?environmentId=100

akatsuki-eng .co.jp: 157.7.107.124: https://www.virustotal.com/en/ip-address/157.7.107.124/information/
> https://www.virustotal.com/en/url/a...f39aa81f58f4f118547dd664c3289e4e687/analysis/

... Update: 3 February 2017: Today’s version has a .lnk file inside-a-zip as an attachment
(VirusTotal 3/56[1]) connects to & downloads analytics.activeadvisory .com/007.bin
but only from a Canadian IP range. The rest of the world appears blocked. (VirusTotal 6/56[2])
(Payload Security[3]). This one is delivering Ursnif banking Trojan...
1] https://www.virustotal.com/en/file/...48541afc4e160dd0ff1f8c26f031f6474ac/analysis/

2] https://www.virustotal.com/en/file/...1543c17c8c2929a22519e248/analysis/1486120969/

3] https://www.hybrid-analysis.com/sam...ce41543c17c8c2929a22519e248?environmentId=100
Contacted Hosts
208.67.222.222
185.77.128.246
85.17.94.33
172.86.121.117


analytics.activeadvisory .com: 149.56.201.88: https://www.virustotal.com/en/ip-address/149.56.201.88/information/
> https://www.virustotal.com/en/url/1...7c21d88530e1f9ca4738574f0730dfa7736/analysis/
___

Identity fraud hits record high
- https://www.helpnetsecurity.com/2017/02/02/identity-fraud-hits-record-high/
Feb 2, 2017 - "The number of identity fraud victims increased by sixteen percent (rising to 15.4 million U.S. consumers) in the last year, according to Javelin Strategy & Research*. Their study found that despite the efforts of the industry, fraudsters successfully adapted to net two million more victims this year with the amount fraudsters took rising by nearly one-billion-dollars to $16 billion..."
> https://www.helpnetsecurity.com/images/posts/javelin-022017-1.jpg

* https://www.javelinstrategy.com/pre...lion-us-victims-2016-16-percent-according-new
Feb 1, 2017

- https://krebsonsecurity.com/2017/01/shopping-for-w2s-tax-data-on-the-dark-web/
Jan 31, 2017 - "... Tax refund fraud affects hundreds of thousands, if not millions, of U.S. citizens annually. Victims usually first learn of the crime after having their returns rejected because scammers beat them to it. Even those who are not required to file a return can be victims of refund fraud, as can those who are not actually due a refund from the IRS. Tax data can be -phished- directly from consumers via phony emails spoofing the IRS or employers. But more often, the information is stolen in bulk from employers. In a typical scenario, the thieves target people who work in HR and payroll departments at corporations, and spoof an email from a higher-up in the company asking for all employee W-2 data to be included in a single file and emailed immediately..."
___

Apple 'Security Measures' - phish
- https://myonlinesecurity.co.uk/apple-security-measures-phishing/
2 Feb 2017 - "... spam run apple phishing today. The bad spelling and grammar should be enough to warn anybody that it is a fake...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/02/Apple-Security-Measures.png

The link-in-the-email goes to:
http ://www .interwurlitzer .com/mc.html which redirects you to
http ://www .bdic .ca/mardei/Itunes/apple/ where you see the typical Apple phishing page."

interwurlitzer .com: 87.229.45.133: https://www.virustotal.com/en/ip-address/87.229.45.133/information/
> https://www.virustotal.com/en/url/b...bbd5313113a4908796f68a58a61051ac7f8/analysis/
bdic .ca: 67.212.91.221: https://www.virustotal.com/en/ip-address/67.212.91.221/information/
> https://www.virustotal.com/en/url/0...3dc12848e15caae36ac0ea093ef7b323e95/analysis/
___

Netgear addresses 'Password Bypass' vulns in 31 Router Models
- http://www.darkreading.com/vulnerab...pass-vulns-in-31-router-models/d/d-id/1328036
Feb 1, 2017
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5521
Last revised: 01/23/2017
CVSS v3 Base Score: 8.1 High

> http://kb.netgear.com/30632/Web-GUI-Password-Recovery-and-Exposure-Security-Vulnerability
"... Firmware fixes are currently available for the following affected devices. To download the firmware release that fixes the password recovery vulnerability, click the link for your model and visit the firmware release page for instructions.."
Last Updated: 01/27/2017

:fear::fear: :mad:
 
Fake 'notice to Appear' SPAM, Pastebin Malware

FYI...

Fake 'notice to Appear' SPAM - delivers Kovter/Locky
- https://myonlinesecurity.co.uk/spoofed-fake-new-notice-to-appear-in-court-delivers-locky-and-kovter/
5 Feb 2017 - "... start of a campaign using 'New notice to Appear in Court' as the email subject. The attachments are identical to the typical .JS, .WSF, .lnk file inside a double zip. All the sites seen so far today are the -same- sites used in the USPS, FedEx, UPS current campaigns*...
* https://myonlinesecurity.co.uk/spoofed-fedex-and-usps-kovter-and-locky-sites/
... The attachments all start with a zip named along the lines of Notice_00790613.zip which contain -another- zip Notice_00790613.doc.zip which in turn contains Notice_00790613.doc.js ... All of the sites are listed on THIS post**... All the sites contain the -same- Malware downloads of Kovter and Locky. They do get updated frequently during the day...
** https://myonlinesecurity.co.uk/spoofed-fedex-and-usps-kovter-and-locky-sites/
... The infection process is described very well by this Microsoft blog post***...
*** https://blogs.technet.microsoft.com...iles-now-deliver-kovter-in-addition-to-locky/

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/02/spoofed-New-notice-to-Appear-in-Court.png

5 February 2017: Notice_00790613.doc.js - Current Virus total detections 11/54[4].
Payload Security[5]. Today’s eventual downloads: Locky (VirusTotal 6/56[6]). Kovter (VirusTotal 9/57[7])... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
4] https://www.virustotal.com/en/file/...5418d7bf01d4e34d5e562df1/analysis/1486286066/

5] https://www.hybrid-analysis.com/sam...4ff5418d7bf01d4e34d5e562df1?environmentId=100
Contacted Hosts (176)
HTTP Traffic
97.74.144.118: https://www.virustotal.com/en/ip-address/97.74.144.118/information/

50.62.117.7: https://www.virustotal.com/en/ip-address/50.62.117.7/information/

107.181.187.77: https://www.virustotal.com/en/ip-address/107.181.187.77/information/

6] https://www.virustotal.com/en/file/...9697776000e3ca852e5d392e/analysis/1486287187/

7] https://www.virustotal.com/en/file/...23c545f29c9de0c863ba27d3/analysis/1486287513/
___

Many Malware Samples found on Pastebin
- https://isc.sans.edu/diary.html?storyid=22036
2017-02-05

:fear::fear: :mad:
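The 'notice to Appear' post above describes the attachment layout (a zip inside a zip, ending in a .doc.js file). The scanner below, an added example that is not code from the post or from myonlinesecurity.co.uk, walks such an archive in memory and flags members that would execute as a script or that wear a decoy double extension. The archive it scans is constructed here to mirror the names the post quotes; the extension watch-lists are this example's own assumptions.

```python
"""Walk a (nested) zip attachment and flag double-extension script files.

Added example for the 'New notice to Appear in Court' post; not code from the
post or from myonlinesecurity.co.uk. The archive it scans is constructed in
memory to mirror the layout the post describes:
Notice_00790613.zip -> Notice_00790613.doc.zip -> Notice_00790613.doc.js.
"""
import io
import zipfile

# Extensions Windows hands to the script host or shell (assumed watch-list).
SCRIPT_EXTENSIONS = {".js", ".jse", ".wsf", ".vbs", ".vbe", ".lnk", ".hta", ".exe", ".scr"}
# Extensions attackers put in front of the real one so the name reads as a document.
DECOY_EXTENSIONS = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".jpg", ".png", ".txt"}
MAX_DEPTH = 4  # refuse to descend forever into zip-in-zip chains


def build_sample_attachment() -> bytes:
    """Constructed double zip with the member names from the post (no real payload)."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("Notice_00790613.doc.js", "// placeholder, not the real downloader\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("Notice_00790613.doc.zip", inner.getvalue())
    return outer.getvalue()


def build_clean_attachment() -> bytes:
    """Constructed benign zip, used to show the scanner stays quiet on normal mail."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("invoice.pdf", "%PDF-1.4 placeholder\n")
    return buf.getvalue()


def extensions_of(member_name: str) -> list:
    """'Notice_00790613.doc.js' -> ['.doc', '.js'] (every extension, in order)."""
    base = member_name.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    return ["." + p for p in parts[1:]] if len(parts) > 1 else []


def scan_archive(data: bytes, path: str = "", depth: int = 0) -> list:
    """Return (member_path, reason) findings; nested zips are opened from memory."""
    findings = []
    if depth > MAX_DEPTH:
        return [(path, "nesting deeper than %d levels" % MAX_DEPTH)]
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a zip (or corrupt): nothing to walk
    with zf:
        for info in zf.infolist():
            member = f"{path}/{info.filename}" if path else info.filename
            exts = extensions_of(info.filename)
            final = exts[-1] if exts else ""
            if final == ".zip":
                findings.append((member, "nested archive"))
                findings.extend(scan_archive(zf.read(info), member, depth + 1))
            elif final in SCRIPT_EXTENSIONS:
                if any(e in DECOY_EXTENSIONS for e in exts[:-1]):
                    findings.append((member, "decoy double extension " + "".join(exts)))
                else:
                    findings.append((member, "executable script extension " + final))
    return findings


def is_suspicious(data: bytes) -> bool:
    """True when any member would run as a script or wears a decoy extension."""
    return any(reason.startswith(("decoy", "executable")) for _, reason in scan_archive(data))


if __name__ == "__main__":
    for name, blob in (("Notice_00790613.zip", build_sample_attachment()),
                       ("clean.zip", build_clean_attachment())):
        print(name, "SUSPICIOUS" if is_suspicious(blob) else "ok")
        for member, reason in scan_archive(blob):
            print("   ", member, "-", reason)
```

A mail gateway that runs this on every zip attachment catches the whole family (.js, .wsf, .lnk inside one or two zips) without needing a signature for each day's payload; the depth limit keeps a deliberately deep zip chain from tying up the scanner.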
 
Fake 'To all employee’s', 'Shipping info' SPAM

FYI...

Fake 'To all employee’s' SPAM - delivers malware
- https://myonlinesecurity.co.uk/fw-to-all-employees-malspam-delivers-dridex/
6 Feb 2017 - "... an email with the subject of 'FW: To all employee’s' pretending to come from Administrator <Administrator@ administrator .delivery> with a malicious word doc attachment... not 100% certain this is Dridex, Payload Security is unable to save to webservice on the Word Macro or the downloaded .exe file. The other samples doing that today are Dridex, so it looks like the Dridex gang have added some sort of anti-sandbox protection to itself...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/02/to-all-employees.png

6 February 2017: EmployeeConfidential.doc - Current Virus total detections 2/54*
Payload Security** was unable to 'save to webservice'. VirusTotal comments gave me the download location:
http ://fistnote .com/images/k6kkGcHpPi7m5iJprQPxPcoiVhmT7.exe (VirusTotal 11/55***). Payload Security again was unable to save to webservice Zip file attached... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...10cbccd7f035b407b662701e/analysis/1486399875/

** https://www.hybrid-analysis.com/sam...b5e10cbccd7f035b407b662701e?environmentId=100

*** https://www.virustotal.com/en/file/...8baf8452ac4068edfa1bd227/analysis/1486399137/

fistnote .com: 208.56.226.20: https://www.virustotal.com/en/ip-address/208.56.226.20/information/
> https://www.virustotal.com/en/url/1...92a587802cdad2e409cc003e25d9f9a957b/analysis/
___

Fake 'Shipping info' SPAM - delivers malware via macro word docs
- https://myonlinesecurity.co.uk/spoo...ncitor-and-other-malware-via-macro-word-docs/
6 Feb 2017 - "An email with the subject of 'Shipping information for parcel 3627458' pretending to come from USPS <shipping@ usps-service .com> with a malicious word doc attachment delivers hancitor which downloads Zloader and Pony which will download -more- malware... The email looks like:
From: USPS <shipping@ usps-service .com>
Date:
Subject: Shipping information for parcel 3627458
Attachment:
Our courrier was not able to deliver your parcel because nobody was present at your address.
Someone must always be present on the delivery day, to sign for receiving the parcel.
Shipping type: USPS Next Day Box size: Large Box ( 2-5kg ) Date : Feb 6th 2017
You can reschedule the delivery over the phone, but you will have to confirm the information on the delivery invoice.
Another delivery can be arranged, by calling the number on the delivery invoice we left at your address and confirming the shipping information, including the address and tracking number.
A scanned copy of the delivery invoice can also be downloaded by visiting the USPS website:
https ://tools.usps .com/web/pages/view.invoice?id=3627458&dest=submit@...
In the exceptional case that a new delivery is not rescheduled in 24 hours, the shipment will be cancelled and the package will be returned to the sender.
Thanks for shipping with USPS ...


6 February 2017: USPS_invoice_submit.doc - Current Virus total detections 4/54*
Payload Security**... The download link-in-the-body of the email is:
http ://fam-life .jp/api/get.php?id=c3VibWl0QHRoZXNweWtpbGxlci5jby51aw== where the base64 encoded section is the recipients email address. The downloaded word doc is created by adding the recipients name, or at least the bit before the @ in the email address... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...c73f91ea2ee57bdb2c06a49b/analysis/1486405685/

** https://www.hybrid-analysis.com/sam...c6ec73f91ea2ee57bdb2c06a49b?environmentId=100

fam-life .jp: 157.7.107.28: https://www.virustotal.com/en/ip-address/157.7.107.28/information/
> https://www.virustotal.com/en/url/8...804c2b6ccaec647d101a3461106805102da/analysis/

:fear::fear: :mad:
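Both the eFax post (get.php?id=dmljdGltQGRvbWFpbi5jb20=) and the 'Shipping info' post above (get.php?id=c3VibWl0QHRoZXNweWtpbGxlci5jby51aw==) note that the base64 section of the download link is the recipient's e-mail address. The helper below is an added example, not code from those posts or from myonlinesecurity.co.uk, that decodes the id= value of a link so an analyst can confirm a download link was personalised. The links are the defanged ones quoted in the posts; the refang convention and the e-mail heuristic are this example's assumptions.

```python
"""Decode the base64 'id=' value in a malspam download link to show who it was built for.

Added example covering the eFax and 'Shipping info' posts; not code from those
posts or from myonlinesecurity.co.uk. The refang helper and the e-mail regex
are assumptions of this example.
"""
import base64
import binascii
import re
from urllib.parse import unquote, urlsplit

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def refang(url: str) -> str:
    """Undo the 'http ://example .com' defanging used in the posts (assumed convention)."""
    return url.replace(" ://", "://").replace(" .", ".").replace("[.]", ".")


def query_params(url: str) -> dict:
    """Split the query string by hand: urllib's parse_qs would turn '+' (a valid
    base64 character) into a space and corrupt the value."""
    params = {}
    for pair in urlsplit(refang(url)).query.split("&"):
        if "=" in pair:
            key, value = pair.split("=", 1)
            params.setdefault(unquote(key), []).append(unquote(value))
    return params


def decode_b64_param(value: str):
    """Decode standard or URL-safe base64, adding any padding the sender stripped.
    Returns None when the value is not base64 or does not decode to UTF-8 text."""
    padded = value + "=" * (-len(value) % 4)
    for altchars in (None, b"-_"):
        try:
            return base64.b64decode(padded, altchars=altchars, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue
    return None


def recipient_from_url(url: str):
    """Return the e-mail address hidden in id=, or None if the link carries none."""
    for value in query_params(url).get("id", []):
        decoded = decode_b64_param(value)
        if decoded and EMAIL_RE.match(decoded):
            return decoded
    return None


# Links quoted in the posts, kept defanged exactly as written there, plus one
# constructed control link whose id is a plain number rather than an address.
SAMPLE_LINKS = [
    "http ://akatsuki-eng .co.jp/api/get.php?id=dmljdGltQGRvbWFpbi5jb20=",
    "http ://fam-life .jp/api/get.php?id=c3VibWl0QHRoZXNweWtpbGxlci5jby51aw==",
    "http ://example .com/get.php?id=12345",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(link, "->", recipient_from_url(link) or "no embedded address")
```

A link whose id= decodes to one of your own users' addresses is worth treating as targeted rather than random spam, and the decoded address tells you which mailbox received the lure even when the original message is no longer available.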
 
Fake sex lure, 'Your order Canceled' SPAM

FYI...

Fake sex lure SPAM - delivers ransomware
- https://myonlinesecurity.co.uk/get-laid-tonight-sex-lure-malspam-delivers-ransomware/
7 Feb 2017 - "The sex lures in an email always work. Curiosity is just too much for some recipients... an email with the subject of 'get laid tonight' pretending to come from Alice Olsen <Alice.Olsen@ mail .com> with a very enticingly named zip attachment 'ourSexPhoto.zip' containing an .exe file with a definite sexy or pornographic lure 'byAliceforyouOurSexPhotosiwantyou .exe'... One of the emails looks like:
From: Alice Olsen <Alice.Olsen@ mail .com>
Date: Mon 06/02/2017 22:42
Subject: get laid tonight
Attachment: ourSexPhoto.zip
Iam Thinking Of You ! My photos after our party


7 February 2017: ourSexPhoto.zip: Extracts to: byAliceforyouOurSexPhotosiwantyou.exe
Current Virus total detections 8/56*. Payload Security**... VT is differing between Sage ransomware and generic malware detections. Payload Security is inconclusive. Returns from Anti-Virus submissions vary between Generic Ransomware and Yakes Trojan... we can pretty much assume it is -ransomware- but there is some doubt which one... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...10ada1e38b83c8af5a09f0ca/analysis/1486431675/

** https://www.hybrid-analysis.com/sam...0a210ada1e38b83c8af5a09f0ca?environmentId=100
___

Fake 'Your order Canceled' SPAM - delivers sage ransomware
- https://myonlinesecurity.co.uk/your-order-canceled-fraud-malspam-delivers-sage-ransomware/
7 Feb 2017 - "... an email with the subject of 'Your order Canceled. fraud' pretending to come from Security Service <security-service@ mail .com> with a zip attachment containing an .exe file. The bad spelling should be enough to alert recipients... 'looks like a new version of Sage with updated decryption and what to do instructions... Drops a vbs file that gives -audio- alerts telling you that your files are encrypted:
“Attention! Attention! This is not a test!
All you documents, data bases and other important files were encrypted and Windows can not restore them without special software.User action is required as soon as possible to recover the file”

It also changes Bcdedit to prevent system recovery and of course deletes all shadow copies... One of the emails looks like:
From: Security Service <security-service@ mail .com>
Date: Tue 07/02/2017 18:19
Subject: Your order Canceled. fraud
Attachment:
Your order has been canceled.
Your credit card is invalid.
For an explanation of the reason you have 3 days.
By discharging is distributed 3 days, your card will be blocked.
All the details in the attached documents.


7 February 2017: Your.orderCanceled.fraud.zip Extracts to: Your.order10988322.Canceled. fraud.2017-01-15.exe
Current Virus total detections 9/57*. Payload Security**... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...565afde543a9524059b71d8d/analysis/1486490294/

** https://www.hybrid-analysis.com/sam...13d565afde543a9524059b71d8d?environmentId=100
Contacted Hosts
91.214.114.197

:fear::fear: :mad:
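The 'Your order Canceled' post above says the Sage sample changes Bcdedit to prevent system recovery, deletes all shadow copies and drops a .vbs that plays an audio alert. Those three behaviours are exactly what endpoint telemetry can catch before encryption finishes. The detector below is an added example, not code from the post or from myonlinesecurity.co.uk: it runs a small rule set over constructed process-creation events in a simplified Sysmon-like key=value form. The command lines it matches are the well-known ones from public detection rules, assumed as typical rather than taken from this sample.

```python
"""Flag process-creation events matching the recovery sabotage the Sage post describes.

Added example, not code from the post or from myonlinesecurity.co.uk. The post
names only the behaviours (Bcdedit change, shadow-copy deletion, .vbs alert);
the command lines below are the usual ones from public detection rules and are
an assumption of this example. The log lines are constructed.
"""
import re

# (rule name, image basename, regex over the command line): assumed watch-list.
RULES = [
    ("shadow copies deleted (vssadmin)", "vssadmin.exe",
     re.compile(r"\bdelete\s+shadows\b", re.I)),
    ("shadow copies deleted (wmic)", "wmic.exe",
     re.compile(r"\bshadowcopy\s+delete\b", re.I)),
    ("recovery disabled (bcdedit)", "bcdedit.exe",
     re.compile(r"\brecoveryenabled\s+no\b", re.I)),
    ("boot failure policy ignored (bcdedit)", "bcdedit.exe",
     re.compile(r"\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
    ("script host running .vbs from a user profile", "wscript.exe",
     re.compile(r"\\users\\[^\\]+\\.*\.vbs\b", re.I)),
]

LINE_RE = re.compile(r'^(?P<ts>\S+ \S+) Image=(?P<image>\S+) CommandLine="(?P<cmd>.*)"$')

# Constructed events: three sabotage commands, the alert script, two benign admin commands.
SAMPLE_EVENTS = [
    '2017-02-07 18:25:01 Image=C:\\Windows\\System32\\vssadmin.exe CommandLine="vssadmin delete shadows /all /quiet"',
    '2017-02-07 18:25:02 Image=C:\\Windows\\System32\\bcdedit.exe CommandLine="bcdedit /set {default} recoveryenabled no"',
    '2017-02-07 18:25:02 Image=C:\\Windows\\System32\\bcdedit.exe CommandLine="bcdedit /set {default} bootstatuspolicy ignoreallfailures"',
    '2017-02-07 18:25:05 Image=C:\\Windows\\System32\\wscript.exe CommandLine="wscript.exe C:\\Users\\alice\\AppData\\Local\\Temp\\warning.vbs"',
    '2017-02-07 09:00:00 Image=C:\\Windows\\System32\\vssadmin.exe CommandLine="vssadmin list shadows"',
    '2017-02-07 09:00:01 Image=C:\\Windows\\System32\\bcdedit.exe CommandLine="bcdedit /enum"',
]


def parse_event(line: str):
    """Turn one log line into {ts, image, cmd}; None if the line is not an event."""
    m = LINE_RE.match(line)
    if not m:
        return None
    image = m.group("image").rsplit("\\", 1)[-1].lower()
    return {"ts": m.group("ts"), "image": image, "cmd": m.group("cmd")}


def match_rules(event: dict) -> list:
    """Names of every rule whose image and command-line pattern both match."""
    return [name for name, image, pattern in RULES
            if event["image"] == image and pattern.search(event["cmd"])]


def detect(lines) -> list:
    """Return (timestamp, rule) hits. Two or more distinct sabotage rules from one
    host inside a minute is the pattern worth paging on; a lone 'vssadmin list'
    or 'bcdedit /enum' from an administrator stays silent."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        for name in match_rules(ev):
            hits.append((ev["ts"], name))
    return hits


if __name__ == "__main__":
    for ts, rule in detect(SAMPLE_EVENTS):
        print(ts, rule)
```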
 
Fake 'Confidential documents', 'Final payment' SPAM

FYI...

Fake 'Confidential documents' SPAM - delivers Trickbot
- https://myonlinesecurity.co.uk/conf...ed-anz-bank-delivers-trickbot-banking-trojan/
9 Feb 2017 - "... An email with the subject of 'Confidential documents' pretending to come from random names @ anz .com with a malicious word doc attachment delivers Trickbot banking Trojan... The email looks like:
From: Kathy.Hilton@ anz .com
Date: Thu 09/02/2017 01:45
Subject: Confidential documents
Attachment: ANZ_message00207.doc
Please review attached document.
Kathy.Hilton@ anz .com
Australia and New Zealand Bank
1800-575-892 office
1800-640-855 cell
Investments in securities and insurance products are:
NOT FDIC-INSURED/NO BANK-GUARANTEES/MAY LOSE VALUE
CONFIDENTIAL NOTICE ...


9 February 2017: ANZ_message00207.doc - Current Virus total detections 6/54*
Payload Security**. Neither show anything definite, but searching around gave me these links to VirusTotal reports from the same campaign:
> https://virustotal.com/en/file/03f7...649cec8959dd3bca87b2de80e036d054461/analysis/
Behavioural information > TCP connections
78.47.139.102: https://www.virustotal.com/en/ip-address/78.47.139.102/information/
47.18.17.114: https://www.virustotal.com/en/ip-address/47.18.17.114/information/
13.107.4.50: https://www.virustotal.com/en/ip-address/13.107.4.50/information/
213.25.134.75: https://www.virustotal.com/en/ip-address/213.25.134.75/information/
> https://virustotal.com/en/file/8b90...a70ae149b1c79c869c7bded2e3f569946a5/analysis/
> https://virustotal.com/en/file/0456...81015762721a950fd56bb84c8bdafaf49d0/analysis/
Download sites appear to be:
- andiamoluggage .com/skin/frontend/holloway.png
- andiamoluggage .com/skin/frontend/fortis/ahjakacbakawda.png
- andiamoluggage .com/skin/install/not16.png
All of which are NOT png (image files) but renamed .exe files... Thanks to @Techhelplist[1]...
1] https://twitter.com/Techhelplistcom/status/829468826676899840
... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...3f1c1ac1f855e556d96fee13/analysis/1486618849/

** https://www.hybrid-analysis.com/sam...1813f1c1ac1f855e556d96fee13?environmentId=100

andiamoluggage .com: 173.254.28.82: https://www.virustotal.com/en/ip-address/173.254.28.82/information/
> https://www.virustotal.com/en/url/e...684f35155bf283c860df04a76deb17b9bd0/analysis/
___

Fake 'Final payment' SPAM - delivers malware
- https://myonlinesecurity.co.uk/spoo...delivers-something-looking-like-zbot-malware/
9 Feb 2017 - "An email with the subject of 'Final payment request' pretending to come from MatthewPeters@ hmrc.gsi .gov.uk with a malicious word doc attachment delivers what looks like a Zbot variant... The email looks like:
From: MatthewPeters@hmrc.gsi.gov.uk” <info@ nestpensions63 .top>
Date: Thu, 9 Feb 2017 13:24:00 +0100
Subject: Final payment request
Attachment: debt_93498438747.doc
Date of issue 09 February 2017
Reference K2135700006
Don’t ignore this letter – you need to pay us now if you want to stop us taking enforcement action against you.
We contacted you previously asking you to pay the above amount but you still haven’t done so. The attached statement of liability gives a breakdown of what you owe.
As you’re in the very small minority of people who haven’t paid. We’re treating your case as a priority. If you don’t pay now, we’ll take action to make you pay. The law allows us to enforce debts by seizing your goods and selling them by public auction A regional sheriff officer acting on a summary warrant will do this for us. We can charge fees for this so if you don’t act now it could cost you more money.
For more information and how to pay us please see attached statement.
We’ll continue to add interest to the original debt until you pay in full.
Debt Management ...


9 February 2017: debt_93498438747.doc - Current Virus total detections 7/53*
Payload Security** shows a download from http ://jsmkitchensandbedrooms .co.uk/explo.exe
(VirusTotal 4/57***) - Payload Security[4]... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...185f2d652f0e041ce766ff4f/analysis/1486645244/

** https://www.hybrid-analysis.com/sam...427185f2d652f0e041ce766ff4f?environmentId=100
94.199.185.21
172.227.109.213
185.162.9.59


*** https://www.virustotal.com/en/file/...92f6a04e57e2d69d7e00c5ef/analysis/1486642865/

4] https://www.hybrid-analysis.com/sam...fe092f6a04e57e2d69d7e00c5ef?environmentId=100
Contacted Hosts
104.85.50.185
178.77.110.129
185.162.9.59


jsmkitchensandbedrooms .co.uk: 94.199.185.21: https://www.virustotal.com/en/ip-address/94.199.185.21/information/
> https://www.virustotal.com/en/url/f...88049454facb77b9ec2ef2cbf48f001cd55/analysis/

:fear::fear: :mad:
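The Trickbot post above points out that the three andiamoluggage .png downloads are not images but renamed .exe files, and the posts that follow report the same trick with other .png names. A proxy or sandbox can settle that question from the first bytes of the file without running anything. The checker below is an added example, not code from the post or from myonlinesecurity.co.uk: the file names are the ones quoted in the post, the byte contents are constructed stand-ins (a PE header stub and a real PNG signature), and the signature table is this example's own assumption.

```python
"""Check that a downloaded 'image' really is an image by sniffing its leading bytes.

Added example for the Trickbot post; not code from the post or from
myonlinesecurity.co.uk. File names are quoted from the post, contents are
constructed, and the signature table is an assumption of this example.
"""

# Leading-byte signatures. None of these prefixes overlap, so order is cosmetic.
SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),   # legacy .doc/.xls container
    (b"PK\x03\x04", "zip"),                        # also .docx, .jar, .apk
    (b"\xff\xd8\xff", "jpg"),
    (b"%PDF", "pdf"),
    (b"GIF8", "gif"),
    (b"MZ", "exe"),                                # DOS/PE executable, also .dll/.scr
]

# What each declared extension is allowed to contain.
ALLOWED = {
    "png": {"png"}, "jpg": {"jpg"}, "jpeg": {"jpg"}, "gif": {"gif"}, "pdf": {"pdf"},
    "doc": {"ole"}, "xls": {"ole"}, "docx": {"zip"}, "xlsx": {"zip"},
    "jar": {"zip"}, "zip": {"zip"}, "exe": {"exe"}, "dll": {"exe"}, "scr": {"exe"},
}


def sniff(data: bytes) -> str:
    """Return the content type implied by the leading bytes, or 'unknown'."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    return "unknown"


def check_download(name: str, data: bytes) -> dict:
    """Compare the declared extension with the sniffed content. An executable hiding
    under any other extension is rated high, because the macro renames and runs it
    regardless of what the server called it."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    kind = sniff(data)
    mismatch = ext in ALLOWED and kind not in ALLOWED[ext]
    if mismatch and kind == "exe":
        severity = "high"
    elif mismatch:
        severity = "medium"
    else:
        severity = "none"
    return {"name": name, "declared": ext, "actual": kind, "severity": severity}


# Constructed contents (not the real payloads): a PE stub and a valid PNG header.
PE_STUB = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff" + b"\x00" * 50
PNG_HEADER = b"\x89PNG\r\n\x1a\n\x00\x00\x00\x0dIHDR" + b"\x00" * 17

SAMPLES = [
    ("andiamoluggage .com/skin/frontend/holloway.png", PE_STUB),
    ("andiamoluggage .com/skin/frontend/fortis/ahjakacbakawda.png", PE_STUB),
    ("andiamoluggage .com/skin/install/not16.png", PE_STUB),
    ("example .com/images/logo.png", PNG_HEADER),  # constructed benign control
]


def triage(samples) -> list:
    """Run check_download over (url, bytes) pairs using the last path component as the name."""
    return [check_download(path.rsplit("/", 1)[-1], data) for path, data in samples]


if __name__ == "__main__":
    for result in triage(SAMPLES):
        print(result)
```

The same check applied at the web proxy (sniff the first 8 bytes of every response whose URL ends in an image extension) turns "it's a .png" from something an analyst has to notice into something the gateway rejects.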
 
Fake 'Xpress Money', 'Secure Message' SPAM, Safeguard Account Update – phish

FYI...

Fake 'Xpress Money' SPAM - delivers java adwind
- https://myonlinesecurity.co.uk/spoofed-xpress-money-compliant-report-malspam-delivers-java-adwind/
14 Feb 2017 - "... fake financial themed emails containing java adwind or Java Jacksbot attachments... previously mentioned many of these HERE[1]...
1] https://myonlinesecurity.co.uk/?s=java+adwind
... The email looks like:
From: elizabethst2.mel@ xpressmoney .com
Date: Mon 13/02/2017 23:45
Subject: Fwd: Reference: Xpress Money compliant report
Attachment: XPRESS MONEY UPTHRONI DATA.zip (contains 2 identical although differently named java.jar files)
Dear Agent,
The attached Compliant report was issued yesterday online by a customer about you. We will need your feedback as soon as possible before 24hours or your terminal will be blocked.
Regards
Nasir Usuman
Regional Compliance Manager Pakistan & Afghanistan
Global Compliance, Xpress Money ...


14 February 2017: XPRESS MONEY REFERENCES FOLLOW UP.jar.jar (287 kb) - Current Virus total detections 8/57*
Payload Security**... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...ffad3c67a91a639c100825af/analysis/1487047920/

** https://www.hybrid-analysis.com/sam...c62ffad3c67a91a639c100825af?environmentId=100
___

Fake 'Secure Message' SPAM - delivers malware
- https://myonlinesecurity.co.uk/rbc-royal-bank-secure-message-malspam-delivers-malware/
14 Feb 2017 - "An email with the subject of 'Secure Message' pretending to come from RBC Royal Bank but actually coming from a -fake- domain imitating the RBC <service@ rbcroyalbanksecuremessage .com> with a malicious word doc attachment delivers an unknown malware...
The domain in the email address rbcroyalbanksecuremessage .com was registered today by criminals using privacy protection by Godaddy and hosted on Rackspace...

rbcroyalbanksecuremessage .com: 104.130.159.40: https://www.virustotal.com/en/ip-address/104.130.159.40/information/
23.253.233.16: https://www.virustotal.com/en/ip-address/23.253.233.16/information/

The email looks like:
From: RBC Royal Bank <service@rbcroyalbanksecuremessage .com>
Date: Tue 14/02/2017 17:13
Subject: Secure Message
Attachment: SecureMessage.doc
Secure Message
This is an automated message send by Royal Bank Secure Messaging Server. To ensure both you and the RBC Royal Bank comply with current legislation, this message has been encrypted. Please check attached documents for more information. Note: You should not store confidential information unless it is encrypted.
CONFIDENTIALITY NOTICE:The contents of this email message and any attachments are intended solely for the addressee(s)and may contain confidential and/or privileged information and may be legally protected from disclosure...


14 February 2017: SecureMessage.doc - Current Virus total detections 4/55*
Payload Security**.. neither give any real indication what it downloads..
Update: Thanks to help from another researcher***.. It downloads
http ://sungkrorsang .com/jerohnimo.png which of course is -not- a png (image file) but a renamed .exe that the macro will rename & autorun. VirusTotal 10/59[4] | Payload Security[5]...
sungkrorsang .com: 61.19.252.134: https://www.virustotal.com/en/ip-address/61.19.252.134/information/
> https://www.virustotal.com/en/url/a...4bd9a0486ba2c1d36145c37d4c4ff101b8e/analysis/
... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...a04ed4aacd7e93fbe59fcfaa/analysis/1487094048/

** https://www.hybrid-analysis.com/sam...5b4a04ed4aacd7e93fbe59fcfaa?environmentId=100

*** https://twitter.com/GossiTheDog/status/831565160254996480

4] https://www.virustotal.com/en/file/...a0b3b45a7d76cf7d9a42e0e3/analysis/1487095755/

5] https://www.hybrid-analysis.com/sam...2b0a0b3b45a7d76cf7d9a42e0e3?environmentId=100
Contacted Hosts
78.47.139.102
47.18.17.114
213.25.134.75
219.93.24.2
192.189.25.143

___

Safeguard Account Update – phish
- https://myonlinesecurity.co.uk/hsbc-safeguard-account-update-phishing/
14 Feb 2017 - "Another Banking phish. This time HSBC. What makes this “slightly” more believable is the url the phishing email leads to http ://hsbc-verify .org.uk/ - which is a very plausible web address...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/02/hsbc-safeguard-phishing-email.png

The link goes to http ://hsbc-verify .org.uk/ where you see a webpage like this*, which leads to a typical set of phishing pages asking for all your bank, credit card and personal details, so they can empty your bank and credit card accounts and take over your identity completely:
* https://myonlinesecurity.co.uk/wp-content/uploads/2017/02/hsbc_verify.png
... registrars are not taking enough precautions and allowing dodgy domain names to be registered to non existent people..."

hsbc-verify .org.uk: 91.218.247.93: https://www.virustotal.com/en/ip-address/91.218.247.93/information/
> https://www.virustotal.com/en/url/7...058e88c3b61e507ea81d7842c425d7952f2/analysis/

:fear::fear: :mad:
 
Fake 'Secure Message' SPAM, Hijacked domains

FYI...

Fake 'Secure Message' SPAM - delivers Trickbot
- https://myonlinesecurity.co.uk/spoofed-hmrc-secure-message-malspam-delivers-trickbot/
15 Feb 2017 - "An email with the subject of 'Secure Message' pretending to come from HM Revenue & Customs with a malicious word doc attachment delivers Trickbot banking Trojan... The sending domain for these malspam emails was hmrcgovsec .co.uk which was registered -today- by criminals via Godaddy. Godaddy have jumped on this very quickly & suspended the domain within a few minutes of the first batch being sent...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/02/hmrc_secure_message_malspam-email.png

hmrcgovsec .co.uk: 172.99.114.9: https://www.virustotal.com/en/ip-address/172.99.114.9/information/

15 February 2017: SecureCommunication.doc - Current Virus total detections 4/55*
Payload Security**.. as usual nothing is showing the download location or what actual malware this is...
Update: I am reliably informed*** the download location is:
http ://fistnote .com/images/CV6amPf8jsgJeHVgLX.png which of course is renamed .exe and -not- an image file
(Payload Security[4]) (VirusTotal 9/56[5]) (VirusTotal 2/64[6])... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...a47ce5845b5ec3b338c0e190/analysis/1487167293/

** https://www.hybrid-analysis.com/sam...638a47ce5845b5ec3b338c0e190?environmentId=100

*** https://twitter.com/GossiTheDog/status/831871728112508928

4] https://www.hybrid-analysis.com/sam...9c664cca6a9db9f903f2dd3e3b3?environmentId=100
Contacted Hosts
78.47.139.102
47.18.17.114
213.25.134.75
219.93.24.2
192.189.25.143


5] https://www.virustotal.com/en/file/...64cca6a9db9f903f2dd3e3b3/analysis/1487168128/

6] https://www.virustotal.com/en/url/d...8e5dc9621fc19daecec8179e77882e692e5/analysis/

fistnote .com: 208.56.226.20: https://www.virustotal.com/en/ip-address/208.56.226.20/information/
> https://www.virustotal.com/en/url/d...8e5dc9621fc19daecec8179e77882e692e5/analysis/

- http://blog.dynamoo.com/2017/02/malware-spam-rbc-secure-message.html
15 Feb 2017 - "... Attached is a file RBCSecureMessage.doc which contains some sort of macro-based malware. It displays the following page to entice victims to disable their security settings:
> https://1.bp.blogspot.com/-FqntNZLf...sZWCSA3s74gAqQ1LG3sCOACLcB/s1600/fake-rbc.png
... The domain rbc-secure-message .com is -fake- and has been registered solely for this purpose of malware distribution. In all the samples I saw, the sending IP was 64.91.248.146 (Liquidweb, US) but it does look like all these IPs in the neighbourhood are involved in the same activity:
64.91.248.137
64.91.248.146
64.91.248.148
64.91.248.150
I recommend you block 64.91.248.128/27 at your email gateway to be sure."
___

Personalised SPAM - uses hijacked domains
- http://blog.dynamoo.com/2017/02/highly-personalised-malspam-making.html
15 Feb 2017 - "This spam email contained not only the intended victim's name, but also their home address and an apparently valid mobile telephone number:
Sent: 14 February 2017 13:52
To: [redacted]
From: <customer@ localpoolrepair .com>
Subject: Mr [Redacted] Your order G29804772-064 confirmation
Dear Mr [redacted],
Thank you for placing an order with us.
For your reference your order number is G29804772-064.
Please note this is an automated email. Please do not reply to this email.
Get your order G29804772-064 details
Your order has been placed and items in stock will be sent to the address shown below. Please check all the details of the order to ensure they are correct as we will be unable to make changes once the order has been processed. You will have been notified at the point of order if an item is out of stock already with expected delivery date.
Delivery Address [address redacted] [telephone number redacted]
Delivery Method: Standard Delivery
Your Order Information
Prices include VAT at 20%
Customer Service Feedback
We are always working to improve the products and service we provide to our customers - we do this through a continual review of the product range, and ongoing training of our Customer Service Team. We continually strive to improve our levels of service and we welcome feedback from our customers regarding your buying experience and the product you receive...


The data in the spam was identifiable as being a few -years- old. The intended victim does not appear on the haveibeenpwned.com database. My assumption is that this information has been harvested from an undisclosed data breach. I was not able to extract the final payload, however the infection path is as follows:
http ://bebracelet .com/customerarea/notification-processing-G29804772-064.doc
--> http ://customer.abudusolicitors .com/customerarea/notification-processing-G29804772-064.doc
--> https ://customer.affiliate-labs .net/customerarea/notification-processing-G29804772-064.zip
... So we have hijacked legitimate domains with presumably a neutral or good reputation, and we have valid SPF records. This means that the spam will have decent deliverability. And then the spam itself addresses the victim by name and has personal details presumably stolen in a data breach. Could you trust yourself not to click-the-link?
Recommended blocklist (email)
188.214.88.0/24
Recommended blocklist (web)
5.152.199.228: https://www.virustotal.com/en/ip-address/5.152.199.228/information/
185.130.207.37: https://www.virustotal.com/en/ip-address/185.130.207.37/information/ - Country code - ZZ
185.141.165.204: https://www.virustotal.com/en/ip-address/185.141.165.204/information/ - Country code - ZZ "

:fear::fear: :mad:
 
Fake 'Company Complaint' SPAM

FYI...

Fake 'Company Complaint' SPAM - delivers Trickbot
- https://myonlinesecurity.co.uk/spoo...-company-complaint-malspam-delivers-trickbot/
16 Feb 2017 - "An email with the subject of 'ID 8d6ba737-775e8bdc-f95f16f3-1b460259 – Company Complaint' pretending to come from Companies House <no-reply@ companieshousecomplaints .uk> with a malicious word doc attachment delivers Trickbot...

Screenshot: https://myonlinesecurity.co.uk/wp-c...e8bdc-f95f16f3-1b460259-Company-Complaint.png

If you open the word doc you see a screen looking like this*. DO NOT enable macros or content or enable editing, you -will- be infected:
* https://myonlinesecurity.co.uk/wp-c...companies-house-complaint-secure-document.png

16 February 2017: 8d6ba737-775e8bdc-f95f16f3-1b460259.doc - Current Virus total detections 4/55*
Payload Security**.. Neither shows the download but it looks like the download location for the trickbot payload is
http ://www.sungkrorsang .com/hustonweare.png which is -not- an image file but a renamed .exe (VirusTotal 12/57***) (Payload Security[4])... As usual the domain sending these was registered by criminals today 16 February 2017 using Godaddy, with what are certain to be -fake- details:
canonical name: companieshousecomplaints .uk
addresses: 104.130.246.14
23.253.233.18
104.130.246.9 ..
104.239.201.9

... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...1b491b06cb9513980c97ccc2/analysis/1487245555/

** https://www.hybrid-analysis.com/sam...63c1b491b06cb9513980c97ccc2?environmentId=100

*** https://www.virustotal.com/en/file/...8f424a317f87d03aa9b1f665/analysis/1487246635/

4] https://www.hybrid-analysis.com/sam...8808f424a317f87d03aa9b1f665?environmentId=100
Contacted Hosts
78.47.139.102
58.52.155.163
217.29.220.255
200.120.214.150
77.222.42.240


sungkrorsang .com: 61.19.252.134: https://www.virustotal.com/en/ip-address/61.19.252.134/information/
> https://www.virustotal.com/en/url/4...956cbd563ed86ba13c0ede6b3c956b0bb92/analysis/

:fear::fear: :mad:
 
Fake 'Urgent Compliance', 'Western Union', 'Secure Bank Documents' SPAM

FYI...

Fake 'Urgent Compliance' SPAM - delivers java adwind
- https://myonlinesecurity.co.uk/spoo...tus-of-transfer-malspam-delivers-java-adwind/
20 Feb 2017 - "... previously mentioned many of these HERE[1]... a slightly different subject and email content to previous ones. They can’t seem to decide if it should be Xpress money or Western Union, so they decided to have an email body with a Western Union Content but pretend to send from Xpress money. I am also getting some from Spoofed Western Union Addresses...
1] https://myonlinesecurity.co.uk/?s=java+adwind
... The email looks like:
From: elizabethst2 .mel@ xpressmoney .com
Date: Mon 20/02/2017 00:47
Subject: Urgent Compliance, Status of transfer
Attachment: Details.zip
Dear agent,
Please kindly check the status of this transaction. The remitter
demands for the payment record, because the beneficiary denied the
payment that He didn’t receive this money.
So Please kindly check this transaction if it was paid,please arrange us the
receipt of transaction
Regards,
Senzo Dlamini
Regional Ops Executive
WesternUnion International ...


20 February 2017: Urgent Compliance.jar - Current Virus total detections 6/58*
Payload Security**.. The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...4ba8ce18bc538dbc76a26f1b/analysis/1487576150/

** https://www.hybrid-analysis.com/sam...d444ba8ce18bc538dbc76a26f1b?environmentId=100
___

Fake 'Western Union' SPAM - delivers java adwind
- https://myonlinesecurity.co.uk/spoo...ept-wupos-agent-upgrade-delivers-java-adwind/
20 Feb 2017 - "... -fake- financial themed emails containing java adwind or Java Jacksbot attachments... previously mentioned many of these HERE[1]...
1] https://myonlinesecurity.co.uk/?s=java+adwind
... the email contains a genuine PDF file with an-embedded-link that downloads the java Adwind zip. The zip contains -2- different sized and named java files. The link in the pdf goes to:
http ://www.greavy .com/wp-includes/certificates/CERTIFICATE%20DETAILS%20AND%20WUPOS%20UPDATE%20MANUAL.zip
which extracts to -2- java.jar files hoping that if one fails the second will get you. Although both are detected as Java Adwind on Virus Total, the Payload Security reports do show different behaviour for each file...
New E-maual and updated payout procedures.jar (507kb) VirusTotal 6/58* | Payload Security**

WU certificate and agent updated branch details..jar (333kb) VirusTotal 8/57*** | Payload Security[4]

The email looks like:
From: Western Union IT Dept. <wu.it-dept@ outlook .com>
Date: Mon 20/02/2017 02:37
Subject: WUPOS Agent Upgrade For All Branches.
Attachment: Details.zip
Dear All,
Western Union ,IT Department data is posting upgrade for new version of WUPOS.Please download attachment by clicking the link.as seen below, run the file and go ahead of checking western union intermediate screen
Before doing that please read directives in attachments then map the Western Union user ID in the Symex application and proceed. Please let me know if you face any issue.
Thanks & Regards, IT Department Western Union...


The pdf looks like:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/02/wupos-update.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...faf1f77604f1a06996f678a2/analysis/1487577130/

** https://www.hybrid-analysis.com/sam...01efaf1f77604f1a06996f678a2?environmentId=100

*** https://www.virustotal.com/en/file/...1f140a120a0464beacdae303/analysis/1487577144/

4] https://www.hybrid-analysis.com/sam...9fc1f140a120a0464beacdae303?environmentId=100
Contacted Hosts
83.243.41.200

greavy .com: 180.240.134.105: https://www.virustotal.com/en/ip-address/180.240.134.105/information/
> https://www.virustotal.com/en/url/0...debe5e5c428f155f8c6bf9d69b3e3aa83b4/analysis/
___

Fake 'Secure Bank Documents' SPAM - delivers Trickbot
- https://myonlinesecurity.co.uk/spoo...nts-malspam-delivers-trickbot-banking-trojan/
20 Feb 2017 - "... an email with the subject of 'Important – Secure Bank Documents'... pretending to come from Lloyds Bank <no-reply@ lloydsbanksecuredocs .com> delivers Trickbot banking Trojan...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/02/lloyds-bank-secure-documents.png

20 February 2017: BACs.doc - Current Virus total detections 7/55*
I am informed about 2 known download locations for the Trickbot malware:
www .sungkrorsang .com/hostelfrost.png and wp .pilbauer .com/wp-content/uploads/lordsofsteel.png
There probably are many more. VirusTotal 11/57*... The sending email Address lloydsbanksecuredocs .com was registered by criminals -today- using Godaddy and Privacy protection. It is -not- a genuine Lloyds bank web site or web address.. DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...84918010719a3ee0f0334743/analysis/1487606754/

** https://www.virustotal.com/en/file/...1b00cb996ba688cc6695f683/analysis/1487607471/

lloydsbanksecuredocs .com: 45.55.36.38
159.203.126.233
159.203.117.63
159.203.115.143
159.203.170.214


sungkrorsang .com: 61.19.252.134: https://www.virustotal.com/en/ip-address/61.19.252.134/information/
> https://www.virustotal.com/en/url/2...fa5d9625fa9e2a73bcf2e89e9fe32184e02/analysis/

pilbauer .com: 178.217.244.53: https://www.virustotal.com/en/ip-address/178.217.244.53/information/

:fear::fear: :mad:
 
Rogue Chrome extension, Fake 'Western Union' SPAM, 'BoA', 'TurboTax' phish

FYI...

Rogue Chrome extension - tech support scam
- https://blog.malwarebytes.com/threa...ue-chrome-extension-pushes-tech-support-scam/
Feb 21, 2017 - "... Google Chrome... no surprise to see it being more and more targeted these days. In particular, less than reputable -ad- networks are contributing to the distribution of malicious Chrome extensions via very deceptive means... Google Chrome users are profiled based on the user-agent string they show whenever they visit a website. Rather than redirecting them to an exploit kit, they are often redirected to fake software updates, scams, or rogue browser extensions... Once installed, this extension ensures it stays in hiding by using a 1×1 pixel image as its logo... and by hooking chrome://extensions and chrome://settings such that any attempt to access those is automatically redirected to chrome://apps. That makes it much more difficult for the average user to see what extensions they have, let alone uninstalling one of them... 'wouldn’t be complete without a tech support scam which it seems one can’t avoid these days. If the user clicked on a new tab or typed a ‘forbidden’ keyword, the redirection chain would then deliver a -fake- Microsoft warning:
> https://blog.malwarebytes.com/wp-content/uploads/2017/02/TSS1.png
... We detect and remove this one as Rogue.ForcedExtension.
IOCs:
Fake extension: pakistance .club: 104.27.185.37: https://www.virustotal.com/en/ip-address/104.27.185.37/information/
104.27.184.37: https://www.virustotal.com/en/ip-address/104.27.184.37/information/
lfbmleejnobidmafhlihokngmlpbjfgo
Backend server (ad fraud/malvertising):
amserver .info: 104.31.70.128: https://www.virustotal.com/en/ip-address/104.31.70.128/information/
104.31.71.128: https://www.virustotal.com/en/ip-address/104.31.71.128/information/
qma0.2dn .xyz: 173.208.199.163: https://www.virustotal.com/en/ip-address/173.208.199.163/information/
Tech support scam:
microsoft-official-warning .info: 66.23.230.31: https://www.virustotal.com/en/ip-address/66.23.230.31/information/
___

Fake 'Western Union' SPAM - delivers java adwind
- https://myonlinesecurity.co.uk/more-spoofed-western-union-malspam-continues-to-deliver-java-adwind/
21 Feb 2017 - "... -fake- financial themed emails containing java adwind or Java Jacksbot attachments. I have previously mentioned many of these HERE[1]. We have been seeing these sort of emails almost every day...
1] https://myonlinesecurity.co.uk/?s=java+adwind
The java Adwind versions are exactly the same as Yesterday’s versions detailed HERE[2]. The zip once again contains -2- different sized and named java files, although named differently to yesterday’s versions, they are identical.
2] https://myonlinesecurity.co.uk/spoo...ept-wupos-agent-upgrade-delivers-java-adwind/

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/02/Western-Union-rtra-rules.png

DETAILS OF PROHIBITED INDIVIDUALS SCREENED FOR THIS TRANSACTION AND MTCN.jar (507kb) VirusTotal 8/58*
Payload Security**

WESTERN UNION RTRA RULES AND REFUND IN FULL..jar (333kb) VirusTotal 8/57*** | Payload Security[4]

... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...faf1f77604f1a06996f678a2/analysis/1487577130/

** https://www.hybrid-analysis.com/sam...01efaf1f77604f1a06996f678a2?environmentId=100

*** https://www.virustotal.com/en/file/...1f140a120a0464beacdae303/analysis/1487577144/

4] https://www.hybrid-analysis.com/sam...9fc1f140a120a0464beacdae303?environmentId=100
Contacted Hosts
83.243.41.200
___

BoA 'Access Locked' - phish
- https://myonlinesecurity.co.uk/bank-america-phishing-scam/
21 Feb 2017 - "A slightly different phishing scam for a change. The phishing site is a FTP site which is very unusual...

Screenshot: https://myonlinesecurity.co.uk/wp-c...-Your-Online-Access-is-Temporarily-Locked.png

The link-in-the-email goes to: ftp ://121.170.178.35 /License/logon.htm
where you see a site looking like:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/02/BofA_FTP_signon.png "

121.170.178.35: https://www.virustotal.com/en/ip-address/121.170.178.35/information/
> https://www.virustotal.com/en/url/3...f8fe2254e7ee51abb1779a2954dd63e2497/analysis/
___

'TurboTax' - phish
- https://myonlinesecurity.co.uk/turbotax-important-notice-request-for-account-update-phishing/
21 Feb 2017 - "Another phishing scam, this time TurboTax:

Screenshot: https://myonlinesecurity.co.uk/wp-c...portant-Notice-Request-for-Account-Update.png

The link goes to http ://whitesandscampground .com/images/www.turbotax.com/index.html where you see this page, asking for all the usual details to steal your identity as well as all your bank and credit card accounts and all your money:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/02/turbotax-phishing-page.png "

whitesandscampground .com: 205.204.89.214: https://www.virustotal.com/en/ip-address/205.204.89.214/information/
> https://www.virustotal.com/en/url/2...f5703a1646296e460b0ede687cdb8fd26d6/analysis/

:fear::fear: :mad:
 
Fake 'Secure Bank Comm' SPAM, Dropbox phish

FYI...

Fake 'Secure Bank Comm' SPAM - delivers Trickbot
- https://myonlinesecurity.co.uk/spoo...ion-malspam-delivers-trickbot-banking-trojan/
22 Feb 2017 - "An email with the subject of 'Important – Secure Bank Communication' coming from either Canada Revenue Agency <no-reply@ secure-gc .ca> or Canada Revenue Agency <no-reply@ securegcemail .ca> with a malicious word doc attachment delivers Trickbot banking Trojan...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/02/canada-revenue-agaency-secure-doc.png

22 February 2017: SecureDoc.doc - Current Virus total detections 2/55[1] 2/55[2]
Payload Security [1A] [2A] none of which are showing the download location of the actual Trickbot itself, although it is on Virus Total 20/58[3]. I am informed[4] the download location is
www .TPSCI .COM/pngg/granionulos.png -or- http ://www .sungkrorsang .com/fileFTP/granionulos.png
which of course is -not- an image file but a renamed .exe... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
1] https://www.virustotal.com/en/file/...f2944b2a225b36883c7a0b4a/analysis/1487783258/

2] https://www.virustotal.com/en/file/...a366ae9f4f45ea3a330beb39dbddecb072b/analysis/

1A] https://www.hybrid-analysis.com/sam...26ef2944b2a225b36883c7a0b4a?environmentId=100

2A] https://www.hybrid-analysis.com/sam...4f45ea3a330beb39dbddecb072b?environmentId=100

3] https://www.virustotal.com/en/file/...4e67dec8c864bc06a797183e9b898423427/analysis/

4] https://twitter.com/GossiTheDog/status/834453695299518464

TPSCI .COM: 203.121.180.74: https://www.virustotal.com/en/ip-address/203.121.180.74/information/
> https://www.virustotal.com/en/url/8...f2266da858215f65b960ff1e1960a1ce0cb/analysis/

sungkrorsang .com: 61.19.252.134: https://www.virustotal.com/en/ip-address/61.19.252.134/information/
> https://www.virustotal.com/en/url/7...2002f0de997b3d2975fb071e258e1fda633/analysis/
___

Dropbox phish
- https://myonlinesecurity.co.uk/you-have-2-new-documents-dropbox-phishing/
22 Feb 2017 - "Another phishing email, this time spoofing -Dropbox- where you land on a page with lots of different email providers and the evil scum doing these phishes will pop up the appropriate one for you to enter all your details, pretending that you can now sign into dropbox using your email address. After giving the details you get sent to the genuine DropBox site:

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/02/dropbox_phishing_email.png

The -link- goes to http ://www.pedraforte .net/js/index/klnkjfe/dropbox/dropbox/ (there might be other sites, there usually are with these scams) where you see a page looking like:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/02/dropbox_phishing.png
Select -any- of the links and you get:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/02/dropbox_phishing1.png "

pedraforte .net: 192.185.217.111: https://www.virustotal.com/en/ip-address/192.185.217.111/information/
> https://www.virustotal.com/en/url/8...b6f1ee415ab0ccafc0188e1d05ae6a5552e/analysis/

:fear::fear: :mad:
 
Fake 'XpressMoney' SPAM

FYI...

Fake 'XpressMoney' SPAM - delivers java adwind
- https://myonlinesecurity.co.uk/more-spoofed-xpressmoney-compliant-report-delivers-java-adwind/
27 Feb 2017 - "We continue to be plagued daily by fake financial themed emails containing java adwind or Java Jacksbot attachments. I have previously mentioned many of these HERE[1]...
1] https://myonlinesecurity.co.uk/?s=java+adwind
This appears to be a newish Java Adwind version in this email... The email looks like:
From: XM.accounts@ xpressmoney .com <aproc@ xpressmoney .com>
Date: Mon 27/02/2017 00:56
Subject: Fwd: Reference: Xpress Money compliant report
Attachment: Details.zip
Dear Agent,
The attached Compliant report was issued on Thursday online by a customer about you. We will need your feedback as soon as possible before 24hours or your terminal will be blocked.
Regards
Nasir Usuman
Regional Compliance Manager Pakistan & Afghanistan
Global Compliance, Xpress Money ...


Email Headers: I have received -a lot- of these early this morning in 2 waves. They are coming from 2 IP numbers/servers:
60.249.230.30: https://www.virustotal.com/en/ip-address/60.249.230.30/information/
Country: TW
83.243.41.200: https://www.virustotal.com/en/ip-address/83.243.41.200/information/
Country: DE
70.32.90.96: https://www.virustotal.com/en/ip-address/70.32.90.96/information/
Country: US
83.243.41.200: https://www.virustotal.com/en/ip-address/83.243.41.200/information/
Country: DE

hinet.net: Could not find an IP address for this domain name...

27 February 2017: REF.XPIN 742352XXXXXXXXX.jar (333kb) - Current Virus total detections 13/57*
Payload Security** ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...6a293dbd334614605b5377f4/analysis/1488178107/

** https://www.hybrid-analysis.com/sam...0216a293dbd334614605b5377f4?environmentId=100

:fear::fear: :mad:
 
Fake 'debit card' – Phish

FYI...

Fake 'debit card' – Phish
- https://myonlinesecurity.co.uk/disputed-debit-card-transactions-natwest-phishing/
2 Mar 2017 - "... many email clients, especially on a mobile phone or tablet, only show the NatWest and not the bit in <xxxx>. This one has a HTML page attachment, not even a link to the phishing site in the email body. The attachment has the -link- which goes to:
http ://www .immosouverain .be/css/supst.html which -redirects- you to the actual phishing site:
http ://planurday .in/css/WaL0eHW/4!@_1.php?s0=;87d929c328f8c62a231c1cc95057fb7087d929c328f8c62a231c1cc95057fb70

Screenshot: https://myonlinesecurity.co.uk/wp-c.../Disputed-debit-card-transactions-NatWest.png

All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email..."

immosouverain .be: 5.135.218.101: https://www.virustotal.com/en/ip-address/5.135.218.101/information/

planurday .in: 78.142.63.63: https://www.virustotal.com/en/ip-address/78.142.63.63/information/

:fear::fear: :mad:
 
'Free' AV coupon, Fake 'IRS Urgent' SPAM

FYI...

'Free' AV coupon leads to tech support scam
- https://blog.malwarebytes.com/threat-analysis/2017/03/free-antivirus-coupon-leads-tech-support-scam/
Mar 3, 2017 - "... This scheme is actually hosted on the same domain that was running the fake Windows support we described before and our assumption is that users are -redirected- to this coupon page via a similar malvertising campaign. It plays on special offers, discounts and time-limited deals to entice you to claim your product now, choosing between Norton or McAfee. After filling in your personal details (which are actually sent off to the crooks), a page simulates the offer being processed only to fail with an error message. Victims are misled into thinking that their offer was redeemed, but that they -must- perform a final call to get it completed... This is where the tech support scam comes in. Once you call that number, you are routed to an Indian boiler room where one of many agents will take remote control of your computer to figure out what went wrong. (Un)shockingly, the -bogus- technician will identify severe problems that need an immediate fix... Despite the scam being about Norton, the technician brushes it off as useless when it comes to the real deal: “Junk is a kind of virus which is the most harmful virus“. With his technical expertise, he proceeds to highly recommend the most expensive plan, for a lifetime low price of $400. Of course, there is nothing there, it’s a pure rip-off where once they have your money, they couldn’t care less about helping you out (for a problem you didn’t have in the first place anyway)... There are other scam domains also hosted on this IP (166.62.1.15)... Instantpccare .com is familiar and related to a previous investigation* where the owner of that tech support company incriminated himself by posting a comment on our blog which shared the same IP address as the remote technician who had just scammed us. As always, please stay vigilant online when you see 'free coupons' or other similar offers. They often are the gateway to a whole lot of trouble..."
* https://blog.malwarebytes.com/threat-analysis/criminals/2016/05/the-hunt-for-tech-support-scammers/

> https://blog.malwarebytes.com/tech-support-scams/

166.62.1.15: https://www.virustotal.com/en/ip-address/166.62.1.15/information/

Related:
166.62.1.1: https://www.virustotal.com/en/ip-address/166.62.1.1/information/
___

Fake 'IRS Urgent' SPAM - delivers ransomware
- https://myonlinesecurity.co.uk/spoofed-irs-urgent-notification-malspam-delivers-ransomware/
3 Mar 2017 - "... an email with the subject of 'IRS Urgent Notification' pretending to come from Dick Richardson who pretends to be an IRS Tax Officer. I have seen dozens of these and they all come from random email addresses. Dick Richardson changes his job in different emails. Sometimes he is a tax officer or a Tax Specialist or Tax department manager as well as an official representative...
Update: I am reliably informed[1] this is Shade/Troldesh ransomware...
1] https://id-ransomware.malwarehunter...case=2e0cd5425eae85fcdd94526e5ea894b2e24d5e47
Other subjects include:
Realty Tax Arrears – IRS
Please Note – IRS Urgent Message
IRS Urgent Message
Overdue on Realty Tax ...


One of the emails looks like:
From: Dick Richardson <electric@ oceanicresources .co.uk>
Date: Thu 01/09/2016 19:22
Subject: IRS Urgent Notification
Attachment: link-in-email
Dear Citizen,
My name is Dick Richardson, I am the official representative of the Internal Revenue Service, Realty Tax Department.
My office is responsible for notification of citizens, description of the tax system for them, supporting citizens on issues related to tax procedures, arrears, and payments, etc.
In the present case, I have to notify you that you have the considerable tax arrears pertaining to your property. More specifically, there is the tax debt for your realty – the realty tax. Generally, we make no actions in case of such delays for 4-6 months, but in your context, the overdue period comes to 7 months. Thereby, we must take relevant measures to remedy the situation.
Particularly for your convenience, our specialists have made the full and comprehensive report for you. It contains the full information regarding realty tax accrual, your debt (including the total amount), and the chart of overdue payments for each month of the arrears period.
Please download the report directly from the official server of the IRS, going to the link:
http ://radiotunes .co.uk/wp-content/plugins/simple-social-icons/index0.html
Please study the document at the earliest possible moment. Actually, after receiving this message, you have only 1 day to contact your taxmanager and provide them with the information you get in the report in order to resolve the problem. Differently, significant charges and fines may apply.
Best Regards,
Dick Richardson,
Realty Tax Division
Internal Revenue Service ...


Realty.tax.division.xls.zip: Extracts to: Realty.tax.division.xls.js - Current Virus total detections 5/56*
Payload Security** shows a download from
www .metropolisbangkok .com/assets/70958ae0/fonts/gcdf/templates/winscr.exe (VirusTotal 14/58***)...
There are loads of -other- sites in the body of alternative emails downloading the .js file...
The basic rule is NEVER open any attachment -or- link-in-an-email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...3cf5a4903d92b54928439ff7/analysis/1488549054/

** https://www.hybrid-analysis.com/sam...1703cf5a4903d92b54928439ff7?environmentId=100
Contacted Hosts (15)

*** https://www.virustotal.com/en/file/...c609bebf5d939593e1eed4e8f1652e4efab/analysis/

radiotunes .co.uk: 192.138.189.151: https://www.virustotal.com/en/ip-address/192.138.189.151/information/
> https://www.virustotal.com/en/url/b...7f9d0beff857dcecd6e2f0052063adcf70f/analysis/

metropolisbangkok .com: 27.254.96.21: https://www.virustotal.com/en/ip-address/27.254.96.21/information/
> https://www.virustotal.com/en/url/2...702b20e1060198b05c3d80977fe8d2833c2/analysis/

:fear::fear: :mad:
 
Fake UPS, USPS, FedEx SPAM

FYI...

Fake UPS, USPS, FedEx SPAM - deliver Cerber ransomware
- https://myonlinesecurity.co.uk/lock...a-spoofed-cannot-deliver-your-parcel-malspam/
4 Mar 2017 - "... we are noticing that the 2 different malspammed versions of spoofed/faked 'UPS, USPS, FedEx failed to deliver your parcel' malspam are now distributing Cerber ransomware instead of Locky or Sage 2 along with Kovter... I am continuing to document the 2 versions... changes and different sites used to distribute them: HERE[a] and HERE[b]...
a] https://myonlinesecurity.co.uk/spoofed-fedex-and-usps-kovter-and-locky-sites/

b] https://myonlinesecurity.co.uk/spoo...rcel-malspam-now-delivering-multiple-malware/

The subjects all mention something about 'failing to deliver parcels' and include:
Courier was not able to deliver your parcel (ID0000333437, FedEx)
Our UPS courier can not contact you (parcel #4633881)
USPS issue #06914074: unable to delivery parcel
Parcel #006514814 shipment problem, please review
USPS parcel #3150281 delivery problem
Courier was not able to deliver your parcel (ID006976677, USPS)
Parcel 05836911 delivery notification, USPS
New status of your UPS delivery (code: 6622630)
Please recheck your delivery address (UPS parcel 004360910)
Status of your USPS delivery ID: 158347377
FedEx Parcel: 1st Attempt Unsuccessful
Delivery Unsuccessful, Reason: No Answer
Express FedEx Parcel #614617064, Current Status: Delivery Failed

... basically identical in the body of the email (the delivery service changes and switches between FedEx, UPS, USPS) ... The attachment is a zip file with a second zip inside it that extracts to a .js file. These have names like UPS-Parcel-ID-4633881.zip that extracts to UPS-Parcel-ID-4633881.doc.zip that extracts to UPS-Parcel-ID-4633881.doc.js...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/03/usps_v1_cerber.png

... Examples of this version VirusTotal [1-4/56] [2-15/59] [3-7/59] Payload Security [4] [5] [6]...

Currently the format is < site from array.top >/counter/?< variable m> where m is a long set of random looking characters hard-coded in the js file, and the actual download comes from site name.top /counter/exe1.exe. Yesterday was Cerber. VirusTotal [7-3/55] [8-17/59]. Payload Security[9] and /counter/exe2.exe delivers Kovter (VirusTotal 10-10/59). Currently at the time of writing all the .top sites I have listed are down and not responding. As soon as the new set of emails arrive, I will post images of them with any changes."
1] https://www.virustotal.com/en/file/...2cda10985621c80df577b343/analysis/1488613659/
UPS-Parcel-ID-4633881.doc.js

2] https://www.virustotal.com/en/file/...fb0befeeb3b758cea23354b7/analysis/1488609050/
5d3fa709e29d.png

3] https://www.virustotal.com/en/file/...0917f501832d89aaa4804868/analysis/1488609063/
fe3be7902ac8.png

4] https://www.hybrid-analysis.com/sam...1422cda10985621c80df577b343?environmentId=100
UPS-Parcel-ID-4633881.doc.js
Contacted Hosts (1234)

5] https://www.hybrid-analysis.com/sam...2e60917f501832d89aaa4804868?environmentId=100
fe3be7902ac8.png
Contacted Hosts (1088)

6] https://www.hybrid-analysis.com/sam...317fb0befeeb3b758cea23354b7?environmentId=100
5d3fa709e29d.png
Contacted Hosts (382)

7] https://www.virustotal.com/en/file/...839edc702b775fee286cde4f/analysis/1488510919/
Delivery-Details.js

8] https://www.virustotal.com/en/file/...197b2a7c88858792cff3a8401aee308b651/analysis/
carved_1.exe

9] https://www.hybrid-analysis.com/sam...cd2839edc702b775fee286cde4f?environmentId=100
Contacted Hosts (1240)

10] https://www.virustotal.com/en/file/...46a910bdaa698e21c701a58f/analysis/1488526482/
exe2[1].exe

:fear::fear: :mad:
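As an added example (not from the post above or from myonlinesecurity.co.uk), a Python gateway-side check for the two shapes the post describes: the zip-inside-zip attachment that ends in a `.doc.js` script, and the `<site>.top/counter/?<m>` and `/counter/exe1.exe` URL format. The archive contents and the `.top` hostnames are constructed placeholders.

```python
"""Inspect parcel-malspam style attachments and URLs (added example, constructed samples)."""
import io
import re
import zipfile
from typing import Iterator, Optional, Tuple

# Innermost members with these extensions run as scripts when double-clicked on Windows.
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".wsf", ".hta")
# Document-looking extension immediately followed by a script extension, e.g. ".doc.js".
DOUBLE_EXT = re.compile(r"\.(doc|docx|pdf|xls|xlsx)\.(js|jse|vbs|wsf|hta)$", re.IGNORECASE)
ZIP_MAGIC = b"PK\x03\x04"

# Stage 1: "<site>.top/counter/?<m>", m being a long run of random-looking characters.
STAGE1_URL = re.compile(r"^https?://[^/]+\.top/counter/\?[A-Za-z0-9]{16,}$", re.IGNORECASE)
# Payload: "<site>.top/counter/exe1.exe" (Cerber) or "/counter/exe2.exe" (Kovter) per the post.
PAYLOAD_URL = re.compile(r"^https?://[^/]+\.top/counter/exe[12]\.exe$", re.IGNORECASE)


def walk_zip(data: bytes, depth: int = 0, max_depth: int = 3) -> Iterator[Tuple[int, str, bytes]]:
    """Yield (depth, member name, member bytes), recursing into nested zips up to max_depth."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            payload = zf.read(info)
            yield depth, info.filename, payload
            if depth < max_depth and payload.startswith(ZIP_MAGIC):
                yield from walk_zip(payload, depth + 1, max_depth)


def assess_attachment(name: str, data: bytes) -> dict:
    """Return a finding dict for one attachment; 'verdict' is clean, suspicious or quarantine."""
    findings = {"attachment": name, "max_depth": 0, "script_members": [],
                "double_ext": [], "verdict": "clean"}
    if not data.startswith(ZIP_MAGIC):
        return findings  # not a zip; nothing to unpack here
    for depth, member, _payload in walk_zip(data):
        findings["max_depth"] = max(findings["max_depth"], depth)
        if member.lower().endswith(SCRIPT_EXTS):
            findings["script_members"].append(member)
        if DOUBLE_EXT.search(member):
            findings["double_ext"].append(member)
    # A double extension, or a script hidden one archive deeper, is the pattern in the post.
    if findings["double_ext"] or (findings["max_depth"] >= 1 and findings["script_members"]):
        findings["verdict"] = "quarantine"
    elif findings["script_members"]:
        findings["verdict"] = "suspicious"
    return findings


def classify_url(url: str) -> Optional[str]:
    """Label a URL as 'stage1', 'payload' or None according to the format in the post."""
    if STAGE1_URL.match(url):
        return "stage1"
    if PAYLOAD_URL.match(url):
        return "payload"
    return None


def build_zip(members: dict) -> bytes:
    """Build an in-memory zip from {name: bytes}; used only to construct test samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member_name, content in members.items():
            zf.writestr(member_name, content)
    return buf.getvalue()


def build_sample() -> bytes:
    """Constructed sample mirroring the post: outer .zip -> inner .doc.zip -> .doc.js"""
    inner = build_zip({"UPS-Parcel-ID-4633881.doc.js": b"// constructed placeholder, not the real script\n"})
    return build_zip({"UPS-Parcel-ID-4633881.doc.zip": inner})


if __name__ == "__main__":
    print(assess_attachment("UPS-Parcel-ID-4633881.zip", build_sample()))
    for u in ("http://placeholder-site.top/counter/?k3jd9Q2mZp8Lw4Xc7Rt1",
              "http://placeholder-site.top/counter/exe2.exe",
              "https://www.example.com/index.html"):
        print(u, "->", classify_url(u))
```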
 
Fake 'DVLA' SPAM

FYI...

Fake 'DVLA' SPAM - delivers Trojan
- https://myonlinesecurity.co.uk/spoo...rning-malspam-delivers-ursnif-banking-trojan/
6 Mar 2017 - "Following on from recent parking, speeding and companies investigations malspam delivering ursnif banking Trojan, today's example spoofs the DVLA and pretends to be a warning that you will be fined if you don’t report the change of keeper. They use email addresses and subjects that will scare, persuade or entice a user to read the email and open the attachment -or- follow the links-in-the-email... Following the link-in-the-email you get sent via a passthrough/redirect site where you eventually land on the fake/spoofed DVLA site...

Screenshot: https://myonlinesecurity.co.uk/wp-c...-Of-Notify-Change-of-Keeper-Final-Warning.png

Case_10133-4.js - Current Virus total detections 5/56*. Payload Security** shows a download from
http ://djphanton .de/Tatjanapolinski/wp-admin/network/MEJMhJDp/cs.pdf which is -not- a pdf but a renamed .exe file (VirusTotal 36/58***)... The basic rule is NEVER open any attachment -or- click-on-a-link in an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...3cf5a4903d92b54928439ff7/analysis/1488549054/

** https://www.hybrid-analysis.com/sam...1703cf5a4903d92b54928439ff7?environmentId=100
Contacted Hosts


*** https://www.virustotal.com/en/file/...c609bebf5d939593e1eed4e8f1652e4efab/analysis/

djphanton .de: 85.214.35.155: https://www.virustotal.com/en/ip-address/85.214.35.155/information/
> https://www.virustotal.com/en/url/d...f8dbe0b2f4eae946ccfd91af5783a70bc39/analysis/

:fear::fear: :mad:
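Several posts above (the Trickbot downloads served as `.png`, and the DVLA download served as `cs.pdf`) note that the file is really a renamed .exe. As an added example (not from any of the quoted posts), a Python check that compares a download's claimed extension with its actual file signature; the sample bytes and the hostnames are constructed.

```python
"""Flag downloads whose file signature contradicts the extension in the URL (added example)."""
import struct
from typing import Optional

# Real file-format magic bytes -> type they identify.
SIGNATURES = {
    b"MZ": "exe",
    b"%PDF": "pdf",
    b"\x89PNG\r\n\x1a\n": "png",
    b"PK\x03\x04": "zip",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole",  # legacy .doc/.xls container
}
# Type an extension claims to be.
CLAIMED = {"exe": "exe", "pdf": "pdf", "png": "png", "zip": "zip", "jar": "zip",
           "doc": "ole", "xls": "ole"}


def sniff(data: bytes) -> Optional[str]:
    """Identify the content by its leading bytes, or None if no known signature matches."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return None


def is_pe(data: bytes) -> bool:
    """Confirm an MZ file is a PE: e_lfanew at offset 0x3c must point at 'PE\\0\\0'."""
    if len(data) < 0x40 or not data.startswith(b"MZ"):
        return False
    off = struct.unpack_from("<I", data, 0x3c)[0]
    return data[off:off + 4] == b"PE\x00\x00"


def check(url: str, data: bytes) -> dict:
    """Compare the extension in the URL with the sniffed content and return a verdict."""
    name = url.rsplit("/", 1)[-1]
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    claimed = CLAIMED.get(ext)
    actual = sniff(data)
    if actual == "exe" and not is_pe(data):
        actual = "mz-unknown"  # MZ header but no valid PE pointer
    if actual is None:
        verdict = "unknown"
    elif actual == "exe" and claimed != "exe":
        verdict = "disguised-executable"  # the .png / .pdf that is really an .exe
    elif claimed is None or claimed == actual:
        verdict = "ok"
    else:
        verdict = "mismatch"
    return {"url": url, "claimed": claimed, "actual": actual, "verdict": verdict}


def fake_pe() -> bytes:
    """Constructed minimal MZ/PE header stub for testing; not a runnable program."""
    hdr = bytearray(0x44)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3c, 0x40)  # e_lfanew -> offset 0x40
    hdr[0x40:0x44] = b"PE\x00\x00"
    return bytes(hdr)


if __name__ == "__main__":
    # Hostnames are placeholders; the filenames echo the posts above.
    print(check("http://placeholder.example/hustonweare.png", fake_pe()))
    print(check("http://placeholder.example/cs.pdf", fake_pe()))
    print(check("http://placeholder.example/logo.png", b"\x89PNG\r\n\x1a\n" + b"\0" * 16))
```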
 
Fake 'BENEFICIARY' SPAM

FYI...

Fake 'BENEFICIARY' SPAM - delivers java malware
- https://myonlinesecurity.co.uk/spoo...remittance-confirmation-delivers-java-adwind/
7 Mar 2017 - "... plagued daily by -fake- financial-themed emails containing Java Adwind or Java Jacksbot attachments... we are seeing 2 slightly different delivery methods today, both spoofing Orient Exchange Co. (L.L.C.)...
The 1st email looks like:
From: a.bouazza@ bkam .ma
Date: Tue 07/03/2017 09:34
Subject: BENEFICIARY REMITTANCE CONFIRMATION
Attachment: BENFICIARY REMITTANCE CONFIRMATION.zip
Body content:
Dear agent,
Please kindly Confirm the status of this transaction.
The remitter demands for the payment record, because the beneficiary has
filed a complaint against your remitting outlet.
So Please kindly check the attached complaint form and reference of
transaction if it was paid, Please report to us with receipt of
transaction to clear your name.
Thanking You,
Orient Exchange Co. (L.L.C.)...


Version 1 (the attached zip): BENFICIARY REMITTANCE CONFIRMATION.jar (274kb) is using a 1-week-old version of the Java Adwind Trojan. Current VirusTotal detections 14/57*: Payload Security** ...

The second version is slightly more devious and has a genuine PDF attachment that contains-a-link to Dropbox
( https ://www.dropbox .com/s/jws0fszxa48c3sx/COMPLAIN%20OF%20UNPAID%20REMITTANCE.zip?dl=0) to download the zip file that contains 2 different copies of the java jar files...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/03/orient-exchange-dropbox-pdf.png

Version 2 (the dropbox) contains 2 identical java.jar files
BENEFICIARY COMPLAINT FORM FILED AGAINST YOUR BRANCH.jar -and-
CONFIRMATION AND REFRENCE OF THIS TRANSACTION NEEDED.jar (323kb) VirusTotal 25/56*** | Payload Security[4]...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...17e3d0d5b272644ee42383b9/analysis/1488354204/

** https://www.hybrid-analysis.com/sam...a9b17e3d0d5b272644ee42383b9?environmentId=100

*** https://www.virustotal.com/en/file/...3ed4ce3461aaaa8bf2cbc803/analysis/1488888491/

4] https://www.hybrid-analysis.com/sam...4aa3ed4ce3461aaaa8bf2cbc803?environmentId=100
Contacted Hosts
83.243.41.200: https://www.virustotal.com/en/ip-address/83.243.41.200/information/
> https://www.virustotal.com/en/url/f...ae7d283c9e1961b2af64883e79a5a6dc1d0/analysis/

:fear::fear: :mad:
 
Fake 'invoice' SPAM

FYI...

Fake 'invoice' SPAM - delivers malware
- https://myonlinesecurity.co.uk/copy...franchise-com-delivers-dridex-banking-trojan/
8 Mar 2017 - "An email with the subject of 'copy invoice 581652' pretending to come from Wes gatewood <Wes@ onehotcookiefranchise .com> with a malicious word doc attachment delivers what looks like the Dridex banking Trojan... The email looks like:
From: Wes gatewood <Wes@ onehotcookiefranchise .com>
Date: Wed 08/03/2017 12:47
Subject: copy invoice 581652
Attachment: inv-0928(copy).doc
Hi,
Please see attached copy invoice 581652
Wes gatewood
Direct Tel: 01787 658153
Fax: 01787 658153 ...


inv-0928(copy).doc - Current VirusTotal detections 5/57*: Payload Security** shows a download from http ://birchwoodplaza .com/54gf3f (VirusTotal 9/59***) which I am guessing is Dridex... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...351b72ec72b5f231e5c648f6/analysis/1488977021/

** https://www.hybrid-analysis.com/sam...ae7351b72ec72b5f231e5c648f6?environmentId=100
Contacted Hosts
72.167.131.153
107.170.0.14
37.120.172.171
81.12.229.190


*** https://www.virustotal.com/en/file/...e8e396acf00555ac178c2306/analysis/1488970720/

birchwoodplaza .com: 72.167.131.153: https://www.virustotal.com/en/ip-address/72.167.131.153/information/
> https://www.virustotal.com/en/url/8...24463c96458a652e3c2bccb0fc4656b61cf/analysis/

:fear::fear: :mad:
 
Fake 'Receipt' SPAM

FYI...

Fake 'Receipt' SPAM - delivers Trojan
- https://myonlinesecurity.co.uk/receipt-of-approved-purchase/
13 Mar 2017 - "... a password-protected docx file as the malware attachment, spoofing https ://www.eway .com.au/, a well-known Australian credit card payment/processing service. Without entering the password you cannot see the content of the word doc and that will -allow- it past antivirus checks... an email with the subject of 'Receipt of APPROVED purchase' pretending to come from customer@ ewaystore .info with a malicious word doc or Excel XLS spreadsheet attachment delivers what looks like some sort of Zeus/Zbot/Panda banking Trojan... However ewaystore .info was registered on 12 March 2017 by criminals:
- https://whois.domaintools.com/ewaystore.info

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/03/eway-payment-spoofed-email.png

The word doc looks like:
- https://myonlinesecurity.co.uk/wp-content/uploads/2017/03/eway-malicious-word-doc.png

... Other subjects in this series seen so far include, some with and some without various numbers of exclamation marks:
Receipt of APPROVED payment!
Receipt of APPROVED purchase!
Receipt of APPROVED purchase
Receipt of APPROVED purchase at eWAY!!
Receipt of APPROVED purchase!! ...


Order_326794.docx ... Luckily the contact who sent me this did manage to find the download, which is
http ://earlychildhoodconsulting .com.au/flash.exe (VirusTotal 8/60*, Payload Security**), which in turn downloads groupcreatedt .at/pav/32.bin (VirusTotal 0/54***). That file is encrypted and will either be data or need to be decrypted by flash.exe or the original docx file... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://virustotal.com/en/file/e843...b25c07a2ffd8dd9beaa317f7487cb0e0420/analysis/

** https://www.hybrid-analysis.com/sam...ffd8dd9beaa317f7487cb0e0420?environmentId=100
Contacted Hosts
78.111.243.83
208.67.222.222


*** https://www.virustotal.com/en/file/...911c36e5dc8c5fb3e7921955/analysis/1481049239/

earlychildhoodconsulting .com.au: 192.185.163.104: https://www.virustotal.com/en/ip-address/192.185.163.104/information/
> https://www.virustotal.com/en/url/e...80da768be8b875646e86a7cdf4f55aaf87c/analysis/

groupcreatedt .at: 5.105.45.139
46.98.252.42
46.119.92.41
93.113.176.105
77.122.51.2
195.211.242.109
93.78.227.231
176.99.113.116
109.87.247.145
37.229.39.217


:fear::fear: :mad:
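The two tricks that recur in the posts above are a payload whose name lies about its contents (the DVLA .js fetches "cs.pdf", which is really a renamed .exe) and a password-protected .docx that antivirus cannot look inside (the eWAY "Receipt of APPROVED purchase" lure). Both are caught by comparing a file's leading bytes with what its extension promises. The script below is an added example, not code from these posts or from myonlinesecurity.co.uk; the sample bytes are constructed stubs carrying only the relevant magic (the filenames are the ones quoted above, the contents are not the real samples), and the "EncryptedPackage" test relies on the fact that Office stores a password-protected OOXML file as an OLE compound file whose directory names that stream in UTF-16LE.

```python
"""Magic-byte triage for mail attachments and the payloads they fetch.

Added example; not code from the forum posts or from myonlinesecurity.co.uk.
Flags (a) a renamed Windows executable such as the DVLA post's "cs.pdf",
(b) any extension/content mismatch, and (c) a .docx/.xlsx that is really an
OLE container holding an EncryptedPackage stream, i.e. password-protected.
"""
import os

# Leading bytes worth recognising in triage, longest first.
SIGNATURES = [
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),  # legacy .doc/.xls, and *encrypted* OOXML
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),                         # .zip, and .docx/.xlsx/.jar containers
    (b"MZ", "pe"),                                  # Windows executable / DLL
]

# Content each extension is expected to carry. .docx/.xlsx allow "ole" because
# Office writes a password-protected OOXML file as an OLE compound file.
EXPECTED = {
    ".exe": {"pe"}, ".dll": {"pe"}, ".scr": {"pe"},
    ".pdf": {"pdf"},
    ".zip": {"zip"}, ".jar": {"zip"},
    ".docx": {"zip", "ole"}, ".xlsx": {"zip", "ole"},
    ".doc": {"ole"}, ".xls": {"ole"},
}
OOXML_EXTS = {".docx", ".xlsx"}
# Stream name in the OLE directory of an encrypted OOXML file; CFB directory
# entry names are stored as UTF-16LE, so search for that encoding.
ENCRYPTED_PACKAGE = "EncryptedPackage".encode("utf-16-le")
OLE = SIGNATURES[0][0]


def detect_type(data):
    """Classify a file by its leading bytes; 'unknown' if nothing matches."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    return "unknown"


def triage(filename, data):
    """Return finding codes for one file; an empty list means nothing odd."""
    ext = os.path.splitext(filename)[1].lower()
    kind = detect_type(data)
    findings = []
    expected = EXPECTED.get(ext)
    if expected is not None and kind not in expected:
        findings.append("ext_mismatch")             # name and bytes disagree
    if kind == "pe" and ext not in (".exe", ".dll", ".scr"):
        findings.append("renamed_pe")               # e.g. "cs.pdf" in the DVLA post
    if kind == "ole" and ext in OOXML_EXTS:
        if ENCRYPTED_PACKAGE in data:
            findings.append("encrypted_ooxml")      # password-protected; AV cannot see inside
        else:
            findings.append("legacy_ole_as_ooxml")  # old binary .doc under a .docx name
    return findings


def scan(samples):
    """Triage a {filename: bytes} mapping, keeping only files with findings."""
    result = {}
    for name, data in samples.items():
        findings = triage(name, data)
        if findings:
            result[name] = findings
    return result


# Constructed stand-ins for the files named in the posts (not the real samples):
# only the magic bytes and, for the docx, the EncryptedPackage stream name.
SAMPLES = {
    "cs.pdf": b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56,
    "BENFICIARY REMITTANCE CONFIRMATION.jar": b"PK\x03\x04\x14\x00" + b"\x00" * 26,
    "Order_326794.docx": OLE + b"\x00" * 504 + ENCRYPTED_PACKAGE + b"\x00" * 32,
    "inv-0928(copy).doc": OLE + b"\x00" * 504,
    "receipt.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n",
}

if __name__ == "__main__":
    for name, findings in scan(SAMPLES).items():
        print(f"{name}: {', '.join(findings)}")
```

On the constructed samples only "cs.pdf" (ext_mismatch, renamed_pe) and "Order_326794.docx" (encrypted_ooxml) are reported; the .jar, the plain legacy .doc and the real PDF pass. The magic-byte comparison is exactly what a name-only check misses, and a mail gateway or sandbox that applies it catches the renamed .exe regardless of how few antivirus engines know the sample yet. The encrypted_ooxml finding cannot say what the hidden macro does, only that the document has been made opaque to scanning, which for an unsolicited "receipt" is reason enough to quarantine it.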
 