SPAM frauds, fakes, and other MALWARE deliveries...

Fake Chrome updates / Changelog / inTuit SPAM...

FYI...

Fake Chrome updates return ...
- http://www.gfi.com/blog/fake-google-chrome-updates-return/
Jan 11, 2013 - "... fake Chrome update websites leading to Malware – has returned...
> http://www.gfi.com/blog/wp-content/uploads/2013/01/googchromefake1.jpg
The design of the website is identical to the initial rollout, urging the end-user to “Update Google Chrome: To make sure that you’re protected by the latest security updates”. If you attempt to download the file while using Chrome, the following prompt appears...
> http://www.gfi.com/blog/wp-content/uploads/2013/01/googchromefake2.jpg
The file itself has been around for a while, being seen on around 14 or so websites since around October and is listed at Malwr.com which mentions attempts to access Firefox’s Password Manager local database – meanwhile, it’s listed on the comments section of VirusTotal* as being capable of stealing banking credentials. You’ll notice they mention Zeus – indeed, one of the DNS requests made is to a site by the Malware is related to ZBot / Blackhole exploit kit attacks. In fact, it seems to want to swipe information of a very similar nature to a ZBot infection from August of 2012 detailed on the ShadowServer Blog** (scroll down to the “data it tries to collect and steal”)... users of Chrome curious about updates should simply read the information on the relevant Google Chrome support page***".
* https://www.virustotal.com/file/19d...e6ea6cdac2a55b4b14e9f28aec9c8902439/analysis/

** http://blog.shadowserver.org/2012/08/14/beware-the-trolls-secure-your-trackers/

*** https://support.google.com/chrome/bin/answer.py?hl=en&answer=95414
___

Fake Changelog SPAM / dimanakasono .ru
- http://blog.dynamoo.com/2013/01/changelog-spam-dimanakasonoru.html
11 Jan 2013 - "This fake "Changelog" spam leads to malware on dimanakasono .ru:
From: Ashley Madison [mailto:donotreply @ashleymadison .com]
Sent: 10 January 2013 08:25
Subject: Re: Fwd: Changelog as promised(updated)
Hi,
changelog update - View
L. Cook


The malicious payload is at [donotclick]dimanakasono .ru:8080/forum/links/column.php hosted on the following IPs:
91.224.135.20 (Proservis UAB, Lithuania)
187.85.160.106 (Ksys Soluções Web, Brazil)
212.112.207.15 (ip4 GmbH, Germany)
The following IPs and domains are related and should be blocked:
91.224.135.20
187.85.160.106
212.112.207.15
belnialamsik .ru
demoralization .ru
dimanakasono .ru
bananamamor .ru

___

Fake Intuit SPAM / dmeiweilik .ru
- http://blog.dynamoo.com/2013/01/payroll-account-holded-by-intuit-spam.html
11 Jan 2013 - "This fake Intuit (or LinkedIn?) spam leads to malware on dmeiweilik .ru:
Date: Fri, 11 Jan 2013 06:23:41 +0100
From: LinkedIn Password [password @linkedin .com]
Subject: Payroll Account Holded by Intuit
Direct Deposit Service Informer
Communicatory Only
We cancelled your payroll on Fri, 11 Jan 2013 06:23:41 +0100.
Finances would be gone away from below account# ending in 0198 on Fri, 11 Jan 2013 06:23:41+0100
amount to be seceded: 8057 USD
Paychecks would be procrastinated to your personnel accounts on: Fri, 11 Jan 2013 06:23:41 +0100
Log In to Review Operation
Funds are typically left before working banking hours so please make sure you have enough Finances accessible by 12 a.m. on the date Cash are to be seceded.
Intuit must reject your payroll by 4 p.m. Central time, two banking days before your paycheck date or your state would not be paid on time.
QuickBooks does not process payrolls on weekends or federal banking holidays. A list of federal banking holidays can be viewed at the Federal Reserve website.
Thank you for your business.
Regards,
Intuit Payroll Services
=====
From: messages-noreply @bounce .linkedin.com [mailto:messages-noreply @bounce .linkedin.com] On Behalf Of Lilianna Grimes via LinkedIn
Sent: 10 January 2013 21:04
Subject: Payroll Account Holded by Intuit
Direct Deposit Service Informer
Communicatory Only
We cancelled your payroll on Fri, 11 Jan 2013 02:03:33 +0500.
• Finances would be gone away from below account # ending in 8913 on Fri, 11 Jan 2013 02:03:33 +0500
• amount to be seceded: 9567 USD
• Paychecks would be procrastinated to your personnel accounts on: Fri, 11 Jan 2013 02:03:33 +0500
• Log In to Review Operation
Funds are typically left before working banking hours so please make sure you have enough Finances accessible by 12 a.m. on the date Cash are to be seceded.
Intuit must reject your payroll by 4 p.m. Central time, two banking days before your paycheck date or your state would not be paid on time.
QuickBooks does not process payrolls on weekends or federal banking holidays. A list of federal banking holidays can be viewed at the Federal Reserve website.
Thank you for your business.
Regards,
Intuit Payroll Services


The malicious payload is at [donotclick]dmeiweilik .ru:8080/forum/links/column.php hosted on the same IPs as in this attack*:
91.224.135.20 (Proservis UAB, Lithuania)
187.85.160.106 (Ksys Soluções Web, Brazil)
212.112.207.15 (ip4 GmbH, Germany)
The following IPs and domains are related and should be blocked:
91.224.135.20
187.85.160.106
212.112.207.15
belnialamsik .ru
demoralization .ru
dimanakasono .ru
bananamamor .ru
dmeiweilik .ru
..."
* http://blog.dynamoo.com/2013/01/changelog-spam-dimanakasonoru.html
___

Blackhole SPAM runs...
- http://blog.trendmicro.com/trendlab...lackhole-spam-runs-return-from-holiday-break/
Jan 11, 2013 - "... now that the holidays are over, cybercriminals behind BHEK campaigns are back again, this time spoofing companies like HP, Federal Reserve Bank*, and Better Business Bureau**. In particular, the Better Business Bureau BHEK spam** claims to be a complaint report and urges its recipients to click a link pointing to the said claim letter report. The links eventually lead to sites that host the Blackhole Exploit Kit... we are expecting that cybercriminals will prefer creating more toolkits rather than making new malware..."
* http://blog.trendmicro.com/trendlabs-security-intelligence/files/2013/01/ACH_bhekspam.jpg

** http://blog.trendmicro.com/trendlabs-security-intelligence/files/2013/01/BBB_BHEKspam.jpg

Fake ADP/BBB SPAM/Malware sites to block

FYI...

Malware sites to block 14/1/13
- http://blog.dynamoo.com/2013/01/malware-sites-to-block-14113.html
14 Jan 2013 - "A couple of interesting* posts** over at Malware Must Die!*
* http://malwaremustdie.blogspot.co.uk/2013/01/once-upon-time-with-cool-exploit-kit.html
** http://malwaremustdie.blogspot.co.uk/2013/01/decoding-guide-double-obfuscation.html
... showed some significant nastiness on a few IP ranges you might want to block. The IPs mentioned are:
1.243.115.140 (Aztek Ltd, Russia)
46.166.169.238 (Santrex, Netherlands)
62.76.184.93 (IT House / Clodo-Cloud, Russia)
I'll list the sites on these domains at the end of the post for readability. But in these cases, blocking just the single IPs is not enough as they reside in pretty evil netblocks which should be blocked altogether.
91.243.115.0/24 (Aztek Ltd) is part of this large collection of malware hosts. Perhaps not all sites in the network are malicious, but certainly a lot of them are. I would err on the side of caution and block access to all sites in this /24, legitimate or not.
46.166.169.0/24 (Santrex) is another horrible network. According to Google, out of 4604 tested sites in this block, at least 3201 (70%) are involved in malware distribution. There may be legitimate sites in this /24, but since customer service is allegedly atrocious then it's hard to see why they would stick around. Again, blocking this /24 is probably prudent.
62.76.184.0/21 (IT House / Clodo-Cloud) is quite a large range to block, but I have seen many malicious sites in this range, and like Aztek it is part of this large network of malware hosts and it has a poor reputation. This is only a part of this netblock, if you want to go further you could consider blocking 62.76.160.0/19.
These following domains are all connected to these two attacks..."
(Also a long list available at the dynamoo URL above.)
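The dynamoo posts quoted in this thread publish their indicators defanged ("dimanakasono .ru", "[donotclick]dfudont .ru:8080/forum/links/column.php") and, as in the post above, sometimes recommend blocking a whole /24 or /21 rather than single hosts. The script below is an added example, not dynamoo's or this thread's own code: it refangs that notation, collapses single IPs that already sit inside a listed netblock, answers "is this address covered?", and renders iptables and hosts-file lines. The sample lines are constructed in the same style; the rule formats are the only assumption about the reader's environment.

```python
import ipaddress
import re

# Constructed sample in the defanged style of the quoted dynamoo posts
# (space before each dot, "[donotclick]" prefix, a port/path on the payload URL).
SAMPLE_LINES = """
91.224.135.20 (Proservis UAB, Lithuania)
187.85.160.106 (Ksys Soluções Web, Brazil)
91.243.115.140 (Aztek Ltd, Russia)
91.243.115.0/24 (Aztek Ltd)
46.166.169.0/24 (Santrex)
62.76.184.0/21 (IT House / Clodo-Cloud)
belnialamsik .ru
dimanakasono .ru
[donotclick]dfudont .ru:8080/forum/links/column.php
[donotclick]terkamerenbos .net/detects/pull_instruction_assistant.php
""".strip().splitlines()

NET_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?)\b")
DOMAIN_RE = re.compile(r"^(?:\[donotclick\])?\s*([a-z0-9-]+(?:\s*\.\s*[a-z0-9-]+)+)", re.I)


def parse_indicator(line):
    """Return ('net', IPv4Network), ('domain', str) or None for one blocklist line."""
    line = line.strip()
    m = NET_RE.match(line)
    if m:
        # strict=False lets a host address written with a prefix parse too;
        # a bare address becomes a /32.
        return ("net", ipaddress.ip_network(m.group(1), strict=False))
    m = DOMAIN_RE.match(line)
    if m:
        # Refang: drop the whitespace inserted before each dot, then cut off
        # any port or path so only the host name remains.
        host = re.sub(r"\s*\.\s*", ".", m.group(1)).lower()
        return ("domain", host.split(":")[0].split("/")[0])
    return None


def build_blocklist(lines):
    """Parse every line and return (collapsed networks, sorted unique domains)."""
    nets, domains = [], set()
    for line in lines:
        parsed = parse_indicator(line)
        if parsed is None:
            continue
        kind, value = parsed
        if kind == "net":
            nets.append(value)
        else:
            domains.add(value)
    # collapse_addresses merges a /32 that already lies inside a listed /24,
    # so the netblock rule subsumes the single-IP rule.
    return list(ipaddress.collapse_addresses(nets)), sorted(domains)


def is_blocked(ip, nets):
    """True if the address falls inside any blocked network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def render_rules(nets, domains):
    """Emit iptables outbound rejects for networks and hosts-file sinkholes for domains."""
    rules = [f"iptables -A OUTPUT -d {net.with_prefixlen} -j REJECT" for net in nets]
    rules += [f"0.0.0.0 {d}" for d in domains]
    return rules


if __name__ == "__main__":
    nets, domains = build_blocklist(SAMPLE_LINES)
    print("\n".join(render_rules(nets, domains)))
```

Feed it the plain "list of IPs and domains" blocks from the posts (the parenthesised hoster names are ignored) and the /32 for a host inside an already-listed /24 disappears from the output, which keeps the rule set short when a post gives both the host and the netblock.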
___

Fake ADP emails lead to client-side exploits and malware
- http://blog.webroot.com/2013/01/14/...ons-lead-to-client-side-exploits-and-malware/
14 Jan 2013 - "... cybercriminals have resumed spamvertising fake “ADP Immediate Notifications” in an attempt to trick users into clicking on the malicious links found in the emails. The links point to the latest version of the Black Hole Exploit Kit, and consequently, exploit CVE-2013-0422...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress...e_malware_exploits_black_hole_exploit_kit.png
... Malicious domain name reconnaissance:
tetraboro .net – 222.238.109.66 – Email: bannerpick45 @yahoo .com
Name Server: NS1.HOSTCLAM .NET – 50.115.163.10
Name Server: NS2.HOSTCLAM .NET – 90.167.194.23
Responding to 222.238.109.66 are also the following malicious campaigns part of the campaign:
royalwinnipegballet .net
advertizing9 .com
eartworld .net
hotelrosaire .net

Upon successful client-side exploitation, the campaign drops MD5: 5a859e1eff1ee1576b61da658542380d * ... Worm:Win32/Cridex.E.
The sample drops the following MD5 on the affected hosts:
MD5: 472d6e748b9f5b02700c55cfa3f7be1f ** ...PWS:Win32/Fareit
Once executed, it also phones back to the following command and control servers:
173.201.177.77
132.248.49.112
95.142.167.193
81.93.250.157
..."
* https://www.virustotal.com/file/69d...1f34bcc6974f9946d569dfc8f761f883b3b/analysis/
File name: test29567554014546.bin
Detection ratio: 24/46
Analysis date: 2013-01-14
** https://www.virustotal.com/file/baa...7b948c3d742910217904e67cd71eb36e596/analysis/
File name: file-5000060_exe
Detection ratio: 15/46
Analysis date: 2013-01-11
___

Fake ADP SPAM / dekamerionka .ru
- http://blog.dynamoo.com/2013/01/adp-spam-dekamerionkaru.html
14 Jan 2013 - "This fake ADP spam leads to malware on dekamerionka .ru:
Date: Mon, 14 Jan 2013 10:49:06 +0300
From: Friendster Games [friendstergames @friendster .com]
Subject: ADP Immediate Notification
ADP Immediate Notification
Reference #: 540328394
Mon, 14 Jan 2013 10:49:06 +0300
Dear ADP Client
Your Transfer Record(s) have been created at the web site:
https ://www.flexdirect .adp.com/client/login.aspx
Please see the following notes:
Please note that your bank account will be debited within one banking business day for the amount(s) shown on the report(s).
Please do not respond or reply to this automated e-mail. If you have any questions or comments, please Contact your ADP Benefits Specialist.
This note was sent to acting users in your system that approach ADP Netsecure.
As usual, thank you for choosing ADP as your business affiliate!
Ref: 984259785
HR. Payroll. Benefits.
The ADP logo and ADP are registered trademarks of ADP, Inc.
In the business of your success is a service mark of ADP, Inc.
© 2013 ADP, Inc. All rights reserved.


The malicious payload is on [donotclick]dekamerionka.ru:8080/forum/links/column.php hosted on:
81.31.47.124 (Master Internet s.r.o / Petr Bydzovsky, Czech Republic)
91.224.135.20 (Proservis UAB, Lithuania)
212.112.207.15 (ip4 GmbH, Germany)
Plain list of IPs and domains involved:
81.31.47.124
91.224.135.20
212.112.207.15
dmeiweilik .ru
belnialamsik .ru
demoralization .ru
dumarianoko .ru
dimanakasono .ru
bananamamor .ru
dekamerionka .ru

___

Fake BBB SPAM / terkamerenbos .net
- http://blog.dynamoo.com/2013/01/bbb-spam-terkamerenbosnet.html
14 Jan 2013 - "This fake BBB spam leads to malware on terkamerenbos .net:
Date: Mon, 14 Jan 2013 07:53:04 -0800 [10:53:04 EST]
From: Better Business Bureau [notify @bbb .org]
Subject: BBB Pretense ID 68C474U93
Better Business Bureau ©
Start With Trust ©
Mon, 14 Jan 2013
RE: Issue # 68C474U93
[redacted]
The Better Business Bureau has been booked the above said claim from one of your customers with regard to their business relations with you. The detailed description of the consumer's uneasiness are available at the link below. Please give attention to this subject and notify us about your mind as soon as possible.
We amiably ask you to click and review the CLAIM REPORT to meet on this complaint.
We are looking forward to your prompt reaction.
Best regards
Alexis Nguyen
Dispute Councilor
Better Business Bureau
Better Business Bureau
3033 Wilson Blvd, Suite 600 Arlington, VA 22701
Phone: 1 (703) 276.0100 Fax: 1 (703) 525.8277
This note was delivered to [redacted]. Don't want to receive these emails anymore? You can unsubscribe


The malicious payload is at [donotclick]terkamerenbos .net/detects/pull_instruction_assistant.php hosted on 222.238.109.66 (Hanaro Telecom, Korea). The following malicious sites are on the same server:
advertizing9 .com
alphabeticalwin .com
splatwetts .com
bestwesttest .com
eartworld .net
foxpoolfrance .net
hotelrosaire .net
linuxreal .net
tetraboro .net
royalwinnipegballet .net


Fake SW Air / pharma SPAM

FYI...

Fake Southwest Airlines Giveaway...
- http://www.gfi.com/blog/fake-southwest-airlines-giveaway-flies-high-once-more/
Jan 15, 2013 - "A fresh campaign fake Southwest Airlines free ticket scam has made its way onto Facebook again, this time as an event invite spammed within the network.
Southwest Airlines is giving two tickets to any destination within the United States! To grab yours, just visit [URL here]
Based on the bit.ly data of the URL, it is highly likely that this scam has been going around since the 14th of this month. Once users click the shortened URL, they are redirected to a page where, purportedly, they can claim their free two tickets to the US. The page claims that the offer is only available for a certain period, suggesting that interested parties must act now or else miss this opportunity... Users are advised to ignore this Facebook event invite if you receive them and notify the creator of the invite that their post must be deleted."
(Screenshots available at the gfi URL above.)
___

xree .ru and the persistent pharma SPAM
- http://blog.dynamoo.com/2013/01/xreeru-and-persistent-pharma-spam.html
15 Jan 2013 - "No doubt sent out by the same crew who are pushing malware, this pharma spam seems to have hit new highs.
Date: Tue, 15 Jan 2013 05:35:04 -0500 (EST)
From: Account Mail Sender [invoice @erlas .hu]
Subject: Invoice confirmation
Hello. Thank you for your order.
We greatly appreciate your time and look forward to a mutually rewarding business relationship with our company well into the future.
At present, our records indicate that we have an order or several orders outstanding that we have not received confirmation from you. If you have any questions regarding your account, please contact us.
We will be happy to answer any questions that you may have.
Your Customer Login Page
Customer login: [redacted]
Thanking you in advance for your attention to this matter.
Sincerely, Justa Dayton


The link in the email goes through a legitimate hacked site to [donotclick]xree .ru/?contactus but then it redirects to a seemingly random fake pharma site. However, the redirect only works if you have the referrer set correctly.
The landing sites are on:
199.59.56.59 (Hostwinds, Australia)
209.236.67.220 (WestHost Inc, US)
I can't find any malware on these sites, but you may as well block them if you can as they seem to have a lot of domains on them..."
(Long list of domains available at the dynamoo URL above.)
___

Verizon Wireless SPAM / dmssmgf .ru
- http://blog.dynamoo.com/2013/01/verizon-wireless-spam-dmssmgfru.html
15 Jan - "This fake Verizon Wireless spam leads to malware on dmssmgf .ru:
From: Friendster Games [mailto:friendstergames @friendster .com]
Sent: 14 January 2013 21:47
Subject: Verizon Wireless
IMPORTANT ACCOUNT NOTE FROM VERIZON WIRELESS.
Your acknowledgment message is issued.
Your account No. ending in 2308
Dear Client
For your accommodation, your confirmation letter can be found in the Account Documentation desk of My Verizon.
Please browse your informational message for more details relating to your new transaction.
Open Information Message
In addition, in My Verizon you will find links to information about your device & services that may be helpfull if you looking for answers.
Thank you for joining us. My Verizon is laso works 24 hours 7 days a week to assist you with:
• Viewing your utilization
• Upgrade your tariff
• Manage Account Members
• Pay for your bill
• And much, much more...
2013 Verizon Wireless
Verizon Wireless | One Verizon Way Mail Code: 113WVC | Basking Ridge, MI 87325
We respect your privacy. Please browse our policy for more information


The malicious payload is on [donotclick]dmssmgf .ru:8080/forum/links/column.php (report here) hosted on:
81.31.47.124 (Master Internet s.r.o / Petr Bydzovsky, Czech Republic)
91.224.135.20 (Proservis UAB, Lithuania)
212.112.207.15 (ip4 GmbH, Germany)
The following IPs and domains are all connected:
81.31.47.124
91.224.135.20
212.112.207.15
dekamerionka .ru
dmssmgf .ru
dmpsonthh .ru
dmeiweilik .ru
belnialamsik .ru
demoralization .ru
dumarianoko .ru
dimanakasono .ru
bananamamor .ru
"

Fake EFTPS, BBB and Fed Reserve SPAM ... 2013.01.16

FYI...

Fake EFTPS, BBB and Fed Reserve SPAM
- http://www.gfi.com/blog/email-threats-highlights-eftps-bbb-and-federal-reserve-spam/
Jan 16, 2013 - "... the AV Labs have captured and recorded* a number of notable email threats last week — generally spam related to malware...
- Fake BBB Complaints Spam...
- Fake EFTPS Spam...
- FedMail ACH Spam... leads to Cridex
Users are advised to mark the above email threats as spam if they’re found in their inbox and then/or simply delete them."
(Screenshots available at the gfi URL above.)
* http://gfisoftware.tumblr.com/
___

Fake American Express SPAM / dozakialko .ru
- http://blog.dynamoo.com/2013/01/american-express-spam-dozakialkoru.html
16 Jan 2013 - "This fake AmEx spam leads to malware on dozakialko .ru:
Sent: 16 January 2013 02:22
Subject: American Express Alert: Your Transaction is Aborted
Your Wed, 16 Jan 2013 01:22:07 -0100 Incoming Transfer is Terminated
Valued, $5203
Your American Express Card account retired ZUE36213 with amount of 5070 USD.
Transaction Time:Wed, 16 Jan 2013 01:22:07 -0100
Payment Due Date:Wed, 16 Jan 2013 01:22:07 -0100
One small way to help the environment - get paperless statements
Review billing
statement
Issue a payment
Change notifications
options
You currently reading the LIMITED DATA version of the Statement-Ready Information.
Switch to the DETAILED DATA version.
Thank you for your Cardmembership.
Sincerely,
American Express Information center


The malicious payload is at [donotclick]dozakialko .ru:8080/forum/links/column.php (report here*) hosted on the following IPs:
89.111.176.125 (Garant-Park-Telecom, Russia)
91.224.135.20 (Proservis UAB, Lithuania)
212.112.207.15 (ip4 GmbH, Germany)
Plain list of IPs and related domains for copy-and-pasting:
89.111.176.125
91.224.135.20
212.112.207.15
dekamerionka .ru
dmssmgf .ru
dmpsonthh .ru
dmeiweilik .ru
belnialamsik .ru
demoralization .ru
dumarianoko .ru
dimanakasono .ru
bananamamor .ru
dozakialko .ru
..."
* http://wepawet.iseclab.org/view.php?hash=90855d4318147b4c3a78374383b0e147&type=js
___

Fake EFTPS emails lead to BlackHole Exploit Kit
- http://blog.webroot.com/2013/01/16/...themed-emails-lead-to-black-hole-exploit-kit/
Jan 16, 2013 - "Cybercriminals are currently mass mailing tens of thousands of emails, impersonating the EFTPS (Electronic Federal Tax Payment System), in an attempt to trick its users into clicking on exploits and malware serving malicious links found in the emails...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress..._exploit_kit_eftps_batch_payment_declined.png
... Upon successful client-side exploitation, the campaign drops MD5: d35a52d639468c2c4c857e6629b3f6f0 * ... Worm:Win32/Cridex.E.
Once executed, the sample phones back to the following command and control servers:
109.230.229.250:8080/DPNilBA/ue1elBAAAA/tlSHAAAAA
163.23.107.65:8080
174.142.68.239:8080
81.93.250.157:8080
180.235.150.72:8080
109.230.229.70:8080
95.142.167.193:8080
217.65.100.41:8080
188.120.226.30:8080
193.68.82.68:8080
203.217.147.52:8080
210.56.23.100:8080
221.143.48.6:8080
182.237.17.180:8080
59.90.221.6:8080
64.76.19.236:8080
69.64.89.82:8080
173.201.177.77:8080
78.28.120.32:8080
174.120.86.115:8080
74.207.237.170:8080
77.58.193.43:8080
94.20.30.91:8080
84.22.100.108:8080
87.229.26.138:8080
97.74.113.229:8080

We’ve already seen the same pseudo-random C&C characters used in... previously profiled malicious campaigns..."
(More detail at the webroot URL above.)
* https://www.virustotal.com/file/d9c...f088b5ebdca36457bf18347693ee0e71830/analysis/
File name: calc.exe
Detection ratio: 25/46
Analysis date: 2013-01-14
___

Fake ADP SPAM / teamrobotmusic .net
- http://blog.dynamoo.com/2013/01/adp-spam-teamrobotmusicnet.html
16 Jan 2013 - "This fake ADP spam leads to malware on teamrobotmusic .net:
Date: Wed, 16 Jan 2013 18:36:25 +0200 [11:36:25 EST]
From: "notify @adp .com" [notify @adp .com]
Subject: ADP Speedy Information
ADP Speedy Communication
[redacted]
Reference ID: 14580
Dear ADP Client January, 16 2012
Your Money Transfer Statement(s) have been uploaded to the web site:
https ://www.flexdirect .adp.com/client/login.aspx
Please see the following details:
• Please note that your bank account will be charged-off within 1 business day for the value(s) specified on the Record(s).
•Please don't reply to this message. auomatic informational system unable to accept incoming email. Please Contact your ADP Benefits Expert.
This email was sent to acting users in your company that access ADP Netsecure.
As usual, thank you for choosing ADP as your business affiliate!
Ref: 14580


The malicious payload is on [donotclick]teamrobotmusic .net/detects/bits_remember_confident.php hosted on 222.238.109.66 (Hanaro Telecom, Korea). This IP has been used in a few attacks recently and should be blocked if you can..."

Fake Vodafone/KeyBank emails serve malware

FYI...

Fake Vodafone emails serve malware
- http://blog.webroot.com/2013/01/17/...or-video-message-themed-emails-serve-malware/
Jan 17, 2013 - "Over the past 24 hours, cybercriminals resumed spamvertising fake Vodafone MMS themed emails, in an attempt to trick the company’s customers into executing the malicious attachment found in these emails...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress.com/2013/01/email_spam_vodafone_mms_malware.png
Detection rate for the malicious executable:
MD5: bafebf4cdf640520e6266eb05b55d7c5 * ... Trojan-Downloader.Win32.Andromeda.pfu.
Once executed, the sample creates the following Registry values:
\Software\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched -> “C:\Documents and Settings\All Users\svchost.exe“
It also copies itself to other locations, and injects code in other processes. We intercepted a similar campaign last year, indicating that, depending on the campaign in question, cybercriminals are not always interested in popping up on everyone’s radar with persistent and systematic spamvertising of campaigns using identical templates. Instead, some of their campaigns tend to have a rather short-lived life cycle. We believe this practice is entirely based on the click-through rates for malicious URLs and actual statistics on the number of people that executed the malicious samples..."
* https://www.virustotal.com/file/f88...c43a8f511dae0d590fa8185c/analysis/1358366804/
File name: MMS.jpg.exe
Detection ratio: 21/46
Analysis date: 2013-01-16
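The persistence detail in the Webroot write-up is a good one to turn into a host check: a Run value named after the Java updater that launches a file called svchost.exe from "All Users" rather than from System32. The script below is an added example, not Webroot's or this thread's code; it scores autorun entries on exactly those two signals plus a name/path sanity check. The entries in SAMPLE_RUN_VALUES are constructed (the first is modelled on the quoted value), and the directory and binary-name tables are assumptions a real deployment would extend.

```python
import ntpath
import re

# Directories where a genuine copy of a Windows system binary is expected to live.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows")
# System binary names that malware commonly borrows (assumed list, extend as needed).
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe",
                   "winlogon.exe", "services.exe"}
# Path fragments that mark user-writable locations an installer would not use for a service binary.
WRITABLE_HINTS = ("\\documents and settings\\all users\\", "\\appdata\\", "\\temp\\",
                  "\\programdata\\", "\\users\\public\\")

# Constructed sample of HKLM/HKCU ...\CurrentVersion\Run values (name -> command).
SAMPLE_RUN_VALUES = {
    "SunJavaUpdateSched": r'"C:\Documents and Settings\All Users\svchost.exe"',
    "SunJavaUpdateSched_legit": r'"C:\Program Files\Common Files\Java\Java Update\jusched.exe"',
    "SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe",
    "Updater": r'"C:\Users\alice\AppData\Roaming\updater.exe" /silent',
}


def extract_image_path(command):
    """Pull the executable path out of a Run command line (quoted or bare)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"^(.+?\.exe)\b", command, re.I)
    return m.group(1) if m else command.split(" ")[0]


def assess_run_value(name, command):
    """Return the list of reasons this autorun entry looks suspicious (empty = clean)."""
    folder, image = ntpath.split(extract_image_path(command))
    folder_l, image_l = folder.lower(), image.lower()
    reasons = []
    in_system_dir = any(folder_l == d or folder_l.startswith(d + "\\") for d in SYSTEM_DIRS)
    if image_l in SYSTEM_BINARIES and not in_system_dir:
        reasons.append(f"system binary name {image} outside the Windows directories")
    if any(hint in folder_l + "\\" for hint in WRITABLE_HINTS):
        reasons.append("image lives in a user-writable profile/temp location")
    if "java" in name.lower() and "java" not in folder_l:
        reasons.append("value name claims Java but the image is not under a Java path")
    return reasons


def scan_run_values(values):
    """Map each suspicious value name to its reasons; clean entries are omitted."""
    findings = {}
    for name, command in values.items():
        reasons = assess_run_value(name, command)
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in scan_run_values(SAMPLE_RUN_VALUES).items():
        print(name)
        for r in reasons:
            print("  -", r)
```

On a live host the same dictionary can be filled from `reg query` output or the winreg module; the point of the example is that the quoted value trips all three checks at once, while a genuine Java scheduler entry trips none.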
___

Fake KeyBank "secure message" virus
- http://blog.dynamoo.com/2013/01/keybankcom-you-have-received-secure.html
17 Jan 2013 - "This fake KeyBank spam has an attachment called securedoc.zip which contains a malicious executable file named securedoc.exe.
Date: Thu, 17 Jan 2013 11:16:54 -0500 [11:16:54 EST]
From: "Antoine_Pearce @KeyBank .com" [Antoine_Pearce @KeyBank .com]
Subject: You have received a secure message
You have received a secure message
Read your secure message by opening the attachment, SECUREDOC. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.
If you have concerns about the validity of this message, please contact the sender directly. For questions about Key's e-mail encryption service, please contact technical support at 888.764.7941.
First time users - will need to register after opening the attachment.
Help - https ://mailsafe.keybank .com/websafe/help?topic=RegEnvelope
About IronPort Encryption - https ://mailsafe.keybank .com/websafe/about


VirusTotal results are not good*. The ThreatExpert report for the malware can be found here**. The malware attempts to call home to:
173.230.139.4 (Linode, US)
192.155.83.208 (Linode, US)
..and download additional components from
[donotclick]ib-blaschke .de/4kzWUR.exe
[donotclick]chris-zukunftswege .de/DynThR8.exe
[donotclick]blueyellowbook .com/Cct1Kk58.exe ..."
* https://www.virustotal.com/file/ef5...9a85107883e5031105b4ed11/analysis/1358440323/
File name: securedoc.exe
Detection ratio: 5/46
Analysis date: 2013-01-17
** http://www.threatexpert.com/report.aspx?md5=315b81b62fb81baa990f1317f1b68610
___

Fake Wire Transfer SPAM / dfudont .ru
- http://blog.dynamoo.com/2013/01/wire-transfer-confirmation-spam.html
17 Jan 2013 - "This spam leads to malware on dfudont .ru:
Date: Fri, 18 Jan 2013 08:58:56 +0600 [21:58:56 EST]
From: SUMMERDnIKYkatTerry @aol .com
Subject: Fwd: Wire Transfer Confirmation (FED_59983S76643)
Dear Bank Account Operator,
WIRE TRANSFER: FED86180794682707910
CURRENT STATUS: PENDING
Please REVIEW YOUR TRANSACTION as soon as possible.


The malicious payload is at [donotclick]dfudont .ru:8080/forum/links/column.php hosted on:
89.111.176.125 (Garant-Park-Telecom, Russia)
91.224.135.20 (Proservis UAB, Lithuania)
212.112.207.15 (ip4 GmbH, Germany)
These IPs have been used in several malware attacks recently - blocking them is a good idea. The following malicious domains are also present on these servers:
dekamerionka .ru
dmssmgf .ru
dmpsonthh .ru
dmeiweilik .ru
belnialamsik .ru
demoralization .ru
damagalko .ru
dozakialko .ru
dumarianoko .ru
dimanakasono .ru
bananamamor .ru
dfudont .ru
Update: there is also a fake Sendspace spam sending visitors to the same payload...
Date: Thu, 17 Jan 2013 03:03:55 +0430
From: Badoo [noreply @badoo .com]
Subject: You have been sent a file (Filename: [redacted]_N584581.pdf)
Sendspace File Delivery Notification:
You've got a file called [redacted]_N390.pdf, (973.39 KB) waiting to be downloaded at sendspace.(It was sent by JOHNETTE ).
You can use the following link to retrieve your file:
Download
Thank you,
Sendspace, the best free file sharing service.


Fake Java update is malware

FYI...

Fake Java update is malware
- http://blog.trendmicro.com/trendlab...alware-poses-as-an-update-for-java-0-day-fix/
Jan 17, 2013 - "... We were alerted to reports of a malware that poses as Java Update 11 created by an unknown publisher. The said fake update in question is javaupdate11.jar (detected as JAVA_DLOADER.NTW), which contains javaupdate11.class that downloads and executes malicious files up1.exe and up2.exe (both detected as BKDR_ANDROM.NTW). Once executed, this backdoor connects to a remote server that enables a possible attacker to take control of the infected system. Users can get this fake update by visiting the malicious website, {BLOCKED}currencyreport .com/cybercrime-suspect-arrested/javaupdate11.jar.
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2013/01/fake_java_update_site.gif
Though the dropped malware does not exploit CVE-2012-3174 or any Java-related vulnerability, the bad guys behind this threat are clearly piggybacking on the Java zero-day incident and users’ fears. The use of fake software updates is an old social engineering tactic. This is not the first time that cybercriminals took advantage of software updates. Last year, we reported about a malware disguised as a Yahoo! Messenger, which we found in time for Yahoo!’s announcement of its update for Messenger..."

Fake Jobs / Bank trojan ...

FYI...

Fake "A.R.T. Logistics" job offer
- http://blog.dynamoo.com/2013/01/art-logistics-fake-job-offer.html
18 Jan 2013 - "There may be various genuine companies in the world with a name similar to "A.R.T. Logistics Industrial & Trading Ltd", but this job offer does not come from a genuine company. Instead it is trying to recruit people for money laundering ("money mule") jobs and parcel reshipping scams (a way of laundering stolen goods). Note that the scammers aren't even consistent in the way they name the company.
From: ART LOGISTICS INDUSTRIAL AND TRADING LTD [info@sender .org]
Reply-To: artlogisticsltd @yahoo .com.ph
Date: 18 January 2013 07:49
Subject: A.R.T. LOGISTICS INDUSTRIAL & TRADING LIMITED
A.R.T LOGISTIC INDUSTRIAL & TRADING LIMITED
Export & Import Agent‚ Service Company.
46/F Tower 1, Metroplaza 223 Hing Fong Road,
Kwai Chung New Territories, Hong Kong.
A.R.T. Logistics mainly provides services to customers in Russia, Kazakhstan and Hong Kong. We provide: - Air freight - Sea freight (FCL & LCL to EU, Russia, Kazakhstan & Central Asia) - Rail freight - Road Freight (FTL & LTL to any place in Russia, Kazakhstan and Central Asia) Our company has worked in Russia, Kazakhstan & Central Asia since 2005 and has wide experience of transport such as airfreight, container and rail.
We are presently shifting our base to North America and we have collective customers in the United State & Canada but We find it difficult establishing payments modalities with this customers and we don't intend loosing our customers. We are searching for a front line representative as intermediary by establishing a medium of getting payments from this customers in Canada & America by making payments through you to us. Do contact us for more information at this e-mail: (artlogis @e-mail .ua).
Subject to your satisfaction with the front line representative offer, you will be made our foreign payment receiving officer in your region and you will deduct 10% of every transactions made through you for your services as our Financial Representative.
Sincerely,
Yasar Feng Xu
A.R.T LOGISTIC INDUSTRIAL & TRADING LIMITED
N.B Reply to: artlogisticsltd @yahoo .com.ph


In this case, the spam originates from 31.186.186.2 [mail.zsmirotice .cz]. Avoid!"
___

Shylock banking trojan travels by Skype
- http://h-online.com/-1786928
18 Jan 2013 - "The banking trojan Shylock has found itself a new distribution channel – Skype. The security firm CSIS* recently discovered a Shylock module called "msg.gsm" trying to use the VoIP software to infect other computers. If successful, the malware then sets up a typical backdoor. The module tries to send Shylock as a file, bypassing warnings from the Skype software by confirming them itself and cleaning any generated messages from the Skype history. Once the trojan has been transferred it connects to a command and control server which can ask it to install a VNC server allowing remote control of the computer, get cookies, inject HTTP code into web sites being browsed, spread Shylock over removable drives, or upload files to a server. The epicenter of infections is, according to CSIS, the UK... At the time of writing, the most recent VirusTotal test** shows 15 of the engines now detecting it..."
* https://www.csis.dk/en/csis/blog/3811/

** https://www.virustotal.com/file/4bd...713a23fd0e4336eabb0bf47a44d700ec842/analysis/
File name: 8fbeb78b06985c3188562e2f1b82d57d
Detection ratio: 15/46
Analysis date: 2013-01-18
___

Fake LinkedIn SPAM / shininghill .net
- http://blog.dynamoo.com/2013/01/linkedin-spam-shininghillnet.html
18 Jan 2013 - "This fake LinkedIn spam leads to malware on shininghill .net:
Date: Fri, 18 Jan 2013 18:16:32 +0200
From: "LinkedIn" [announce@e .linkedin .com]
Subject: LinkedIn Information service message
LinkedIn
REMINDERS
Invite notifications:
? From MiaDiaz ( Your renter)
PENDING EVENTS
∙ There are a total of 2 messages awaiting your response. Enter your InBox right now.
Don't want to get email info letters? Change your message settings.
LinkedIn values your privacy. Not once has LinkedIn made your e-mail address available to any another LinkedIn member without your permission. © 2013, LinkedIn Corporation.


The malicious payload is at [donotclick]shininghill.net/detects/solved-surely-considerable.php hosted on 222.238.109.66 (Hanaro Telecom, Korea). This IP address has been used in several recent attacks and should be blocked if you can.
The following domains appear to be active on this IP address, all should be considered to be malicious..."
(More detail at the dynamoo URL above.)
___

Fake ADP SPAM / dopaminko .ru
- http://blog.dynamoo.com/2013/01/adp-spam-dopaminkoru.html
18 Jan 2013 - "This fake ADP spam leads to malware on dopaminko .ru:
Date: Fri, 18 Jan 2013 09:08:38 -0500
From: "service @paypal .com" [service @paypal .com]
Subject: ADP Immediate Notification
ADP Immediate Notification
Reference #: 544043911
Fri, 18 Jan 2013 09:08:38 -0500
Dear ADP Client
Your Transfer Record(s) have been created at the web site:
https ://www.lexdirect.adp .com/client/login.aspx
Please see the following notes:
Please note that your bank account will be debited within one banking business day for the amount(s) shown on the report(s).
Please do not respond or reply to this automated e-mail. If you have any questions or comments, please Contact your ADP Benefits Specialist.
This note was sent to acting users in your system that approach ADP Netsecure.
As usual, thank you for choosing ADP as your business affiliate!
Ref: 206179035
HR. Payroll. Benefits.
The ADP logo and ADP are registered trademarks of ADP, Inc.
In the business of your success is a service mark of ADP, Inc.
© 2013 ADP, Inc. All rights reserved.


The malicious payload is at [donotclick]dopaminko .ru:8080/forum/links/column.php hosted on the following familiar IP addresses:
89.111.176.125 (Garant-Park-Telecom, Russia)
91.224.135.20 (Proservis UAB, Lithuania)
212.112.207.15 (ip4 GmbH, Germany)
These following malicious domains appear to be active on these servers..."
(More detail at the dynamoo URL above.)

Phish, malware, and hacks - 2013.01.21 ...

FYI...

Phishers target UnionBank of the Philippines clients
- http://www.gfi.com/blog/phishers-target-unionbank-of-the-philippines-clients/
Jan 21, 2013 - "We have been alerted by an ongoing phishing campaign that targets clients and online banking users of the UnionBank of the Philippines. The phishing URL, which is being sent to users in the form of spam, is found hosted on a legitimate but compromised Russian domain. We have also found previous records of the said domain hosting a different phishing page a few days ago. The spam entices users to visit a certain URL to “reactivate” their account... This phishing page has closely mimicked the look or template of legitimate pages where users can enter their sensitive banking information... Once users have entered and submitted their information, a confirmation window pops up and then users are redirected to the legitimate UnionBank website... Most UnionBank users have their PayPal accounts tied to their banking accounts, so it is very important to steer clear of emails claiming to be from the bank that ask for banking details... better call them and inquire about the email you receive just to be sure. It also pays to consult this Anti-Fraud and Anti-Phishing Guidelines page* from UnionBank for guidance on how to identify phishing pages from the real ones."
* http://www.unionbankph.com/index.php?option=com_content&view=article&id=1083&Itemid=472
(Screenshots available at the gfi URL above.)
___

Malware Masks as Latest Java Update
- http://www.gfi.com/blog/malware-masks-as-latest-java-update/
Jan 21, 2013 - "... security experts have discovered a new zero-day, critical flaw in Java not so long ago and it is already integrated into popular exploit kits, such as Blackhole, Redkit, Cool and Nuclear Pack. The said flaw, once exploited, is said to allow remote code execution on a target system without authentication from the user. This, of course, gives malware files the upper hand if users visit sites/URLs where they are hosted. Immediately after the vulnerability was found, Oracle released its patch. Despite this speedy response from the company, many security experts had already begun advising users to just forget the patch and disable Java in their browsers. Perhaps some users have already made the move of disabling Java entirely, or perhaps some users have opted still to apply the patch. Whether you belong in the former group or the latter group, let this be our reminder to you: Please make sure that you’re downloading the patch straight from the Oracle website* and nowhere else because it’s highly likely that what you may be installing onto your system is malware**..."
* http://java.com/en/download/index.jsp

** http://blog.trendmicro.com/trendlab...alware-poses-as-an-update-for-java-0-day-fix/
___

Kenyan Judiciary (judiciary .go.ke) hacked to serve malware
- http://blog.dynamoo.com/2013/01/kenyan-judiciary-judiciarygoke-hacked.html
21 Jan 2013 - "The Judiciary of the Republic of Kenya has a mission to deliver justice fairly, impartially and expeditiously, promote equal access to justice, and advance local jurisprudence by upholding the rule of law. Unfortunately, it has also been hacked to serve up malware.
> https://lh3.ggpht.com/-DbemA5jmT9g/UP0RScKxfPI/AAAAAAAAA4g/XaSZN1V3jjM/s400/judiciary-go-ke.png
The site has been compromised to serve up an exploit kit being promoted by spam email. There's a redirector at [donotclick]www.judiciary .go.ke /wlc.htm attempting to redirect visitors to [donotclick]dfudont .ru:8080/forum/links/column.php where there's a nasty exploit kit.
> https://lh3.ggpht.com/-OhchceHjVws/UP0aGR02XlI/AAAAAAAAA40/q9qYel1t7lU/s400/judiciary-go-ke2.png
Of course, most visitors to the judiciary .go.ke site won't see that particular exploit. But if someone can create an arbitrary HTML page on that server, then they pretty much have the run of the whole thing and they can do what they like. So the question might be.. what else has been compromised? Hmm."
___

LinkedIn spam / prepadav .com
- http://blog.dynamoo.com/2013/01/linkedin-spam-prepadavcom.html
21 Jan 2013 - "This fake LinkedIn spam leads to malware on prepadav .com:
From: LinkedIn [mailto :news@ linkedin .com]
Sent: 21 January 2013 16:21
Subject: LinkedIn Reminder from your co-worker
LinkedIn
REMINDERS
Invitation reminders:
From CooperWright ( Your employer)
PENDING LETTERS
• There are a total of 2 messages awaiting your action. Acces to your InBox now.
Don't wish to receive email notifications? Adjust your letters settings.
LinkedIn respect your privacy. In no circumstances has LinkedIn made your e-mail acceptable to any other LinkedIn user without your allowance. © 2013, LinkedIn Corporation.


The malicious payload is at [donotclick]prepadav .com/detects/region_applied-depending.php hosted on 222.238.109.66 (Hanaro Telecom, Korea). This IP has been used in several malware attacks recently and it should be blocked if you can..."
___

Fake Intuit SPAM / danadala .ru
- http://blog.dynamoo.com/2013/01/intuit-spam-danadalaru.html
21 Jan 2013 - "This fake Intuit spam leads to malware on danadala .ru:
Date: Mon, 21 Jan 2013 04:45:31 -0300
From: RylieBouthillette @hotmail .com
Subject: Payroll Account Holded by Intuit
Direct Deposit Service Informer
Communicatory Only
We cancelled your payroll on Mon, 21 Jan 2013 04:45:31 -0300.
Finances would be gone away from below account # ending in 8134 on Mon, 21 Jan 2013 04:45:31 -0300
amount to be seceded: 5670 USD
Paychecks would be procrastinated to your personnel accounts on: Mon, 21 Jan 2013 04:45:31 -0300
Log In to Review Operation
Funds are typically left before working banking hours so please make sure you have enough Finances accessible by 12 a.m. on the date Cash are to be seceded.
Intuit must reject your payroll by 4 p.m. Central time, two banking days before your paycheck date or your state would not be paid on time.
QuickBooks does not process payrolls on weekends or federal banking holidays. A list of federal banking holidays can be viewed at the Federal Reserve website.
Thank you for your business.
Regards,
Intuit Payroll Services


The malicious payload is at [donotclick]danadala .ru:8080/forum/links/column.php hosted on a familiar bunch of IPs that have been used in several recent attacks:
89.111.176.125 (Garant-Park-Telecom, Russia)
91.224.135.20 (Proservis UAB, Lithuania)
212.112.207.15 (ip4 GmbH, Germany)..."

Exploit kit, 'Droid malware - 2013.01.22

FYI...

Blackhole exploit kit on avirasecureserver .com
- http://blog.dynamoo.com/2013/01/cheeky-exploit-kit-on.html
22 Jan 2013 - "What is avirasecureserver .com? Well, it's not Avira that's for sure.. it is in fact a server for the Blackhole Exploit Kit*. This site is hosted on 82.145.57.3, an Iomart / Rapidswitch IP... There's also no company in the UK called QHoster Ltd. In fact, if we check the QHoster.com domain we can see that it is a Bulgarian firm... QHoster has an IP block of 82.145.57.0/25 suballocated to it. A quick poke around indicates not much of value in this range, you may want to consider blocking the /25 as a precaution."
(More detail at the dynamoo URL above.)
* http://urlquery.net/report.php?id=788732

- https://www.google.com/safebrowsing/diagnostic?site=AS:20860
"Of the 18705 site(s) we tested on this network over the past 90 days, 1489 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2013-01-22, and the last time suspicious content was found was on 2013-01-21... Over the past 90 days, we found 14 site(s) on this network... that appeared to function as intermediaries for the infection of 670 other site(s)... this network has hosted sites that have distributed malicious software in the past 90 days. We found 22 site(s)... that infected 1080 other site(s)..."
___

'Droid malware spreads through compromised legitimate Web sites
- http://blog.webroot.com/2013/01/22/android-malware-spreads-through-compromised-legitimate-web-sites/
22 Jan 2013 - "... our sensor networks picked up an interesting website infection affecting a popular Bulgarian website for branded watches, which ultimately redirects and downloads premium rate SMS Android malware on the visiting user devices. The affected Bulgarian website is only the tip of the iceberg, based on the diversified portfolio of malicious domains known to have been launched by the same party that launched the original campaign...
Sample screenshot of the executed Android malware:
> https://webrootblog.files.wordpress...oid_browser_fake_google_play_applications.png
... Sample malicious URLs displayed to Android users:
hxxp ://adobeflashplayer-up .ru/?a=RANDOM_CHARACTERS – 93.170.107.184
hxxp ://googleplaynew .ru/?a=RANDOM_CHARACTERS – 93.170.107.184
hxxp ://browsernew-update .ru/?a=RANDOM_CHARACTERS – 93.170.107.184
... Detection rate for the malicious .apk files:
flash_player_installer.apk – MD5: 29e8db2c055574e26fd0b47859e78c0e * ... Android.SmsSend.212.origin.
Android_installer-1.apk – MD5: e6be5815a05c309a81236d82fec631c8 ** ... HEUR:Trojan-SMS.AndroidOS.Opfake.bo.
... Upon execution, the Android sample phones back to gaga01 .net/rq.php – 93.170.107.57 – Email: mypiupiu1 @gmail.com transmitting..."
(More detail at the webroot URL above.)
* https://www.virustotal.com/file/207...18836bcc24e8e8bd1172f892/analysis/1358799096/
File name: flash_player_installer.apk
Detection ratio: 5/46
Analysis date: 2013-01-21
** https://www.virustotal.com/file/689...3f0e08d358eb7276f28d4f7d/analysis/1358799258/
File name: Android_installer-1.apk
Detection ratio: 5/46
Analysis date: 2013-01-21

> https://www.google.com/safebrowsing/diagnostic?site=AS:57062
"Of the 2027 site(s) we tested on this network over the past 90 days, 23 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2013-01-22, and the last time suspicious content was found was on 2013-01-22... Over the past 90 days, we found 75 site(s) on this network... that appeared to function as intermediaries for the infection of 104 other site(s)... this network has hosted sites that have distributed malicious software in the past 90 days. We found 496 site(s)... that infected 1485 other site(s)..."
___

Something evil on 109.123.66.30
- http://blog.dynamoo.com/2013/01/something-evil-on-1091236630.html
22 January 2013 - "109.123.66.30 (UK2.NET, UK) hosts several domains containing the Blackhole Exploit Kit (example here*). The domains in use are (mostly) legitimate hacked domains, but there are a couple of odd things here. Most of the malicious domains have a format like this: 700ff4ad03c655cb11919113011611137102708d4fb6daf0e74bea4aa5e8f9f.darkhands .com - in this case darkhands .com is a legitimate domain registered to an individual in Australia, but it has been hacked to create a whole load of malicious subdomains, hosted on another server from www .darkhands .com. In fact, almost all the domains are registered to Australians, but the key thing is that in all of those cases the main domains are hosted by OrionVM in Australia, with the main domains hosted in the 49.156.18.0/24 block. So how can the main (legitimate) sites be hosted in 49.156.18.0/24, but the malicious subdomains be hosted on a completely different network in the UK? I suspect that there is a compromise of some sort at OrionVM which has allowed the DNS records to be changed (it should be noted that these domains used several different registrars). Another oddity is that these hijacked domains only go from A to I alphabetically, which indicates that there might be some other malicious servers in this same group... Also hosted on 109.123.66.30 are some malicious .in domains that were previously on 87.229.26.138 (see here**)... It looks like there are some legitimate sites on the same server, but blocking 109.123.66.30 is probably a good idea."
(Long list of domains at the dynamoo URL above.)
* http://urlquery.net/report.php?id=796905

** http://blog.dynamoo.com/2012/12/something-evil-on-8722926138.html
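The pattern dynamoo describes above (a legitimate domain whose apex and www names sit in one /24, with a long hex-label subdomain suddenly resolving to a server on a completely different network) can be hunted for in passive-DNS or resolver-log data. The script below is an added example written for this thread, not dynamoo's code. It takes (name, IP) records as input; the records here are constructed, the domain names are hypothetical, and only the two address ranges (49.156.18.0/24 at OrionVM, 109.123.66.30 at UK2.NET) come from the post. The "apex = last two labels" rule is a simplification; for .co.uk-style names use a public-suffix list.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

HEX_LABEL = re.compile(r"^[0-9a-f]{32,}$")   # the post's subdomains carry a 64-hex-char leftmost label

# Constructed passive-DNS style records (hypothetical domain names). The address ranges are the
# two the post names: 49.156.18.0/24 (OrionVM, Australia) and 109.123.66.30 (UK2.NET, UK).
RECORDS = [
    ("example-au.com", "49.156.18.10"),
    ("www.example-au.com", "49.156.18.10"),
    ("mail.example-au.com", "49.156.18.11"),
    ("700ff4ad03c655cb11919113011611137102708d4fb6daf0e74bea4aa5e8f9f.example-au.com", "109.123.66.30"),
    ("www.bikes-example.com", "49.156.18.20"),
    ("0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef.bikes-example.com", "109.123.66.30"),
    ("cdn.bikes-example.com", "203.0.113.5"),    # other network, but an ordinary label: not flagged
    ("www.legit-example.net", "198.51.100.7"),
    ("abcdef0123456789abcdef0123456789abcdef01.legit-example.net", "198.51.100.7"),  # hex label, same /24: not flagged
]

def apex(fqdn):
    """Naive registrable domain: the last two labels (fine for .com/.net; use a public-suffix list otherwise)."""
    return ".".join(fqdn.lower().rstrip(".").split(".")[-2:])

def baseline_networks(records):
    """/24s that each domain's apex and www names resolve to: its expected hosting footprint."""
    nets = defaultdict(set)
    for fqdn, ip in records:
        a = apex(fqdn)
        if fqdn.lower() in (a, "www." + a):
            nets[a].add(ip_network(ip + "/24", strict=False))
    return nets

def find_hijacked_subdomains(records):
    """Hex-label subdomains that resolve outside the /24s their parent domain lives in."""
    nets = baseline_networks(records)
    flagged = []
    for fqdn, ip in records:
        labels = fqdn.lower().split(".")
        if len(labels) < 3 or not HEX_LABEL.match(labels[0]):
            continue
        a = apex(fqdn)
        if nets.get(a) and not any(ip_address(ip) in n for n in nets[a]):
            flagged.append((fqdn, ip, a))
    return flagged

def rogue_servers(flagged):
    """Group flagged names by the server they point at: the 'other malicious servers' the post suspects."""
    by_ip = defaultdict(list)
    for _fqdn, ip, a in flagged:
        by_ip[ip].append(a)
    return {ip: sorted(set(apexes)) for ip, apexes in by_ip.items()}

def alphabet_slice(flagged):
    """First letters of the hijacked apex names; a contiguous run (the post saw A..I) hints at a sliced list."""
    return sorted({a[0] for _, _, a in flagged})

if __name__ == "__main__":
    hits = find_hijacked_subdomains(RECORDS)
    for fqdn, ip, a in hits:
        print(f"{a:20} hijacked subdomain -> {ip}  ({fqdn[:16]}...)")
    print("rogue servers:", rogue_servers(hits))
    print("letters covered:", alphabet_slice(hits))
```

Feed it a day's worth of resolver logs or a passive-DNS export and the rogue-server grouping gives you the IPs to block, while the letter coverage tells you whether you are looking at the whole hijacked set or only one slice of it.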
___

Fake Swiss tax SPAM / africanbeat .net
- http://blog.dynamoo.com/2013/01/dutch-language-swiss-tax-spam.html
22 Jan 2013 - "This Nederlands language spam appears to be from some Swiss tax authority, but in fact it leads to the Blackhole Exploit kit on africanbeat .net:
From: report@ ag .ch via bernina .co .il
Date: 22 January 2013 13:48
Subject: Re: je NAT3799 belastingformulier
Mailed-by: bernina .co .il
[redacted]
Wij willen brengen aan uw bericht dat je hebt fouten gemaakt bij het invullen van de meest recente belastingformulier NAT3799 (ID: 023520).
vindt u aanbevelingen en tips van onze fiscalisten HIER
( Wacht 2 minuten op het verslag te laden)
Wij verzoeken u om corrigeer de fouten en verzenden de gecorrigeerd aangifte aan uw belastingadviseur zo snel mogelijk.
Kanton Aargau
Sonja Urech
Sachbearbeiterin Wehrpflichtersatzverwaltung
Departement Gesundheit und Soziales
Abteilung Militär und Bevölkerungsschutz
Rohrerstrasse 7, Postfach, 6253 Aarau
Tel.: +41 (0)62 332 31 62
Fax: +41 (0)62 332 33 18

Translated as:
We want to bring to your notice that you have made mistakes when completing the most recent tax form NAT3799 (ID: 023520).
You can find recommendations and tips from our tax specialists HERE
(Wait 2 minutes for the report to load)
We ask you to correct the error and send the corrected report to your tax advisor as soon as possible.


The link leads to an exploit kit at [donotclick]africanbeat .net/detects/urgent.php (report here*) hosted on the familiar IP address of 222.238.109.66 (Hanaro Telecom, Korea)..."
(More at the dynamoo URL above.)
* http://urlquery.net/report.php?id=801678

Fake ADP, EFTPS, exploit kit, etc...

FYI...

Fake Intuit emails lead to Black Hole Exploit Kit
- http://blog.webroot.com/2013/01/23/...themed-emails-lead-to-black-hole-exploit-kit/
Jan 23, 2013 - "Cybercriminals are currently spamvertising tens of thousands of fake emails, impersonating Intuit, in an attempt to trick its customers and users into clicking on the malicious links found in the emails. Once users click on any of the links, they’re exposed to the client-side exploits served by the latest version of the Black Hole Exploit Kit, which ultimately drops malware on the affected hosts...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress...m_exploits_malware_black_hole_exploit_kit.png
... Malicious domain name reconnaissance:
dopaminko .ru – 212.112.207.15
Name server: ns1.dopaminko .ru – 62.76.185.169
Name server: ns2.dopaminko .ru – 41.168.5.140
Name server: ns3.dopaminko .ru – 42.121.116.38
Name server: ns4.dopaminko .ru – 110.164.58.250
Name server: ns5.dopaminko .ru – 210.71.250.131
More malicious domains are known to have responded to the same IP (212.112.207.15)...
Some of these domains also respond to the following IPs – 91.224.135.20; 46.175.224.21, with more malicious domains part of the campaign’s infrastructure..."
(More detail at the webroot URL above.)
___

Phishing Scam spreads via Facebook PM
- http://www.gfi.com/blog/phishing-scam-spreads-via-facebook-pm/
Jan 23, 2013 - "We’ve seen a number of cases wherein phishers have used compromised Twitter accounts to send direct messages (DMs) to their followers. We’re now beginning to see this same tactic used in Facebook in the form of private messages (PMs), and this isn’t just some spam mail in your inbox claiming you have received a “private message”... Recipients can act on this message in two ways: they can click the link to confirm their account, or simply ignore the message and delete it from their message inbox. Users who do the latter are guaranteed to be safe from this sort of scam. Users who do the former, however, are led to a single site where they can enter all personal information asked from them... Unsolicited messages from phishers landing on your private message inbox are no longer limited to Twitter. Despite this old method being used in a different platform, our advice on how to avoid falling for such scams remains the same: Always check the URL to be sure you’re not going to visit a link that is completely unrelated to Facebook—”Think before you click”, remember?; be skeptical about messages claiming to have come from Facebook; lastly, never share the URL with anyone on Facebook or on your other social sites as this only increases the possibility of someone clicking the link and getting phished themselves."
(Screenshots available at the gfi URL above.)
___

Fake NACHA SPAM / canonicalgrumbles .biz
- http://blog.dynamoo.com/2013/01/nacha-spam-canonicalgrumblesbiz.html
23 Jan 2013 - "... fake NACHA spam leads to malware on canonicalgrumbles .biz... The malicious payload is at [donotclick]canonicalgrumbles .biz/closest/984y3fh8u3hfu3jcihei.php (report here*) hosted on 93.190.46.138 (Ukranian Hosting / ukrainianhosting .com). I've seen other malware servers in 93.190.40.0/21 before, I would recommend blocking the whole lot."
(More detail at the dynamoo URL above.)
* http://urlquery.net/report.php?id=814512
___

Bogus Job SPAM ...
- http://blog.dynamoo.com/2013/01/h-seal-is-real-legitimate-firm.html
23 Jan 2013 - "H Seal is a real, legitimate firm. This email is -not- from H Seal, but a criminal organisation wanting to recruit people for money laundering and other unlawful activities. Originating IP is 199.254.123.20 ..."
(More detail at the dynamoo URL above.)
___

Fake Corporate eFax SPAM / 13.carnovirious .net
- http://blog.dynamoo.com/2013/01/corporate-efax-spam-13carnoviriousnet.html
23 Jan 2013 - "This spam is leading to malware on 13.carnovirious .net, a domain spotted earlier today.. but one that has switched server to 74.91.117.49 since then... The spam leads to an exploit kit on [donotclick]13.carnovirious .net/read/persons_jobs.php hosted on 74.91.117.49 by Nuclear Fallout Enterprises. You should probably block 74.91.117.50 as well..."
(More detail at the dynamoo URL above.)
___

Fake USPS SPAM / euronotedetector .net
- http://blog.dynamoo.com/2013/01/usps-spam-euronotedetectornet.html
23 Jan 2013 - "This fake USPS spam leads to malware on euronotedetector .net... The malicious payload is at [donotclick]euronotedetector .net/detects/updated_led-concerns.php hosted on the familiar IP address of 222.238.109.66 (Hanaro Telecom, Korea) which has been used in several recent attacks..."
(More detail at the dynamoo URL above.)
___

Fake BT Business SPAM / esenstialin .ru
- http://blog.dynamoo.com/2013/01/bt-business-spam-esenstialinru.html
23 Jan 2013 - "This fake BT Business spam leads to malware on esenstialin .ru... The malicious payload is on [donotclick]esenstialin .ru:8080/forum/links/column.php hosted on the following IPs:
50.31.1.104 (Steadfast Networks, US)
91.224.135.20 (Proservis UAB, Lithuania)..."
(More detail at the dynamoo URL above.)
___

Something evil on 74.91.117.50
- http://blog.dynamoo.com/2013/01/something-evil-on-749111750.html
23 Jan 2013 - "OK, I can see just two malicious domains on 74.91.117.50 but they are currently spreading an exploit kit through this spam run. The domain is allocated to Nuclear Fallout Enterprises who often seem to host malware sites like this, so there's a good chance that more evil will turn up on this IP.
These are the domains that I can see right now:
13.blumotorada .net
13.carnovirious .net
The domains are registered with these apparently fake details:
Glen Drobney office @glenarrinera .com
1118 hagler dr / neptune bch
FL 32266 US
Phone: +1.9044019773
Since there will almost definitely be more malicious domains coming up on this IP, it is well worth blocking."
___

Fake ADP SPAM / elemikn .ru
- http://blog.dynamoo.com/2013/01/adp-spam-elemiknru.html
22 Jan 2013 - "This fake ADP spam potentially leads to malware on elemikn .ru:
Date: Tue, 22 Jan 2013 12:25:06 +0100
From: LinkedIn [welcome @linkedin .com]
Subject: ADP Immediate Notification
ADP Immediate Notification
Reference #: 815979361
Tue, 22 Jan 2013 12:25:06 +0100
Dear ADP Client
Your Transfer Record(s) have been created at the web site:
https ://www .flexdirect .adp .com/client/login.aspx
Please see the following notes:
Please note that your bank account will be debited within one banking business day for the amount(s) shown on the report(s).
Please do not respond or reply to this automated e-mail. If you have any questions or comments, please Contact your ADP Benefits Specialist.
This note was sent to acting users in your system that approach ADP Netsecure.
As usual, thank you for choosing ADP as your business affiliate!
Ref: 286532564
HR. Payroll. Benefits.
The ADP logo and ADP are registered trademarks of ADP, Inc.
In the business of your success is a service mark of ADP, Inc.
© 2013 ADP, Inc. All rights reserved.


The malicious payload is at [donotclick]elemikn .ru:8080/forum/links/column.php but at the moment the domain does not seem to be resolving (which is a good thing!)
___

Fake "Batch Payment File Reversed" SPAM / kendallvile .com
- http://blog.dynamoo.com/2013/01/batch-payment-file-reversed-spam.html
22 Jan 2013 - "This spam leads to malware on kendallvile .com:
From: batchservice @eftps .net [batchservice @eftps .net]
Date: 22 January 2013 17:56
Subject: Batch Payment File Reversed
=== PLEASE NOT REPLY TO THIS MESSAGE===
[redacted]
This notification was mailed to inform you that your payment file has Reversed. 2013-01-21-9.56.22.496135
Detailed information is accessible by sign into the Batch Provider with this link.
--
With Best Regards,
EFTPS
Contact Us: EFTPS Batch Provider Customer Service


This leads to an exploit kit on [donotclick]kendallvile .com/detects/exceptions_authority_distance_disturbing.php (report here*) hosted on the very familiar IP address of 222.238.109.66 (Hanaro Telecom, Korea) which should be blocked if you can."
* http://www.urlquery.net/report.php?id=802578

Fake Flash, LinkedIn, pharma, efax ...

FYI...

Fake Flash Updates - via SPAM attachment...
- http://www.gfi.com/blog/fake-adobe-flash-updates-resurfaces-in-the-web/
Jan 24, 2013 - "Following the return of fake Google Chrome browser updates almost two weeks ago, online criminals are now banking on fake Adobe Flash Player updates to lure the unwary user into downloading malware onto their system... spam emails claiming to be from the Better Business Bureau (BBB) and eFax Corporate... The BBB email contains an attachment that is found to be a Pony downloader that, once opened, downloads a variant of the ZeuS banking Trojan onto the affected user’s system. The said downloader also steals various passwords related to FTP sites..."
(Screenshots available at the gfi URL above.)
___

Malicious BT SPAM
- http://www.gfi.com/blog/beware-malicious-bt-spam-landing-in-inboxes/
Jan 24, 2013 - "... if you’re a client of the BT (British Telecom) Group, be warned that there is a new spam campaign under the guise of a “Notice of Delivery” mail* pretending to originate from BT Business Direct... Once users download and open the attached HTM file, they are -redirected- to a Russian website the file calls back to. The website serves a Blackhole Exploit Kit, which then downloads Cridex once it finds a software vulnerability..."
* http://gfisoftware.tumblr.com/post/41277073286/british-telecom-order-notice-attachment-spam
___

Fake ADP SPAM / 14.sofacomplete .com
- http://blog.dynamoo.com/2013/01/adp-spam-14sofacompletecom.html
24 Jan 2013 - "This fake ADP spam leads to malware on 14.sofacomplete .com:
From: Erna_Thurman @ADP .com Date: 24 January 2013 17:48
Subject: ADP Generated Message: Final Notice - Digital Certificate Expiration
This e-mail has been sent from an automated system. PLEASE DO NOT REPLY. If you have any questions, please contact your administrator for assistance.
Digital Certificate About to Expire
The digital certificate you use to access ADP's Internet services is about to expire. If you do not renew your certificate by the expiration date below, you will not be able to access ADP's Internet services.
Days left before expiration: 1
Expiration date: Jan 25 23:59:59 GMT-03:59 2013
Renewing Your Digital Certificate
1. Go to this URL: https ://netsecure.adp .com/pages/cert/register2.jsp
2. Follow the instructions on the screen.
3. Also you can download new digital certificate at https ://netsecure.adp .com/pages/cert/pickUpCert.faces.
Deleting Your Old Digital Certificate
After you renew your digital certificate, be sure to delete the old certificate. Follow the instructions at the end of the renewal process.


The malicious payload is at [donotclick]14.sofacomplete .com/read/saint_hate-namely_fails.php hosted on 73.246.103.26 (Comcast, US). There will probably be other malicious domains on this same IP, so blocking it may be useful."
___

Fake LinkedIn emails lead to client-side exploits and malware
- http://blog.webroot.com/2013/01/24/...ils-lead-to-client-side-exploits-and-malware/
Jan 24, 2013 - "... Over the past 24 hours, cybercriminals have launched yet another massive spam campaign, impersonating LinkedIn, in an attempt to trick its users into clicking on the malicious links found in the bogus “Invitation Notification” themed emails. Once they click on the links, users are automatically exposed to the client-side exploits served by the Black Hole Exploit Kit...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress...m_malware_exploits_black_hole_exploit_kit.png
... Name servers used by these malicious domains:
Name server: ns1.http-page .net – 31.170.106.17 – Email: ezvalue @yahoo .com
Name server: ns2.http-page .net – 7.129.51.158 – Email: ezvalue @yahoo .com
Name Server: ns1.high-grades .com – 208.117.43.145
Name Server: ns2.high-grades .com – 92.121.9.25
Sample malicious payload dropping URL:
hxxp ://shininghill .net/detects/solved-surely-considerable.php?vf=1o:31:1h:1l:2w&fe=33:1o:1g:1l:1m:1k:2v:1l:1o:32&n=1f&dw=w&qs=p
Upon successful client-side exploitation, the campaign drops MD5: fdc05614f56aca9421271887c1937f51 * ...Trojan-Spy.Win32.Zbot.ihgm.
Upon execution, the same creates the following process on the affected hosts:
%AppData%\Bytaa\yjdoly.exe
The following registry keys:
HKEY_CURRENT_USER\Software\Microsoft\Rekime
... Once executed, the sample also attempts to establish multiple UDP connections with the following IPs:
177.1.100.2 :11709
190.33.36.175 :11404
213.109.254.122 :29436
41.69.182.117 :29817
64.219.114.114 :13503
161.184.174.65 :14545
93.177.174.72 :10119
69.132.202.147 :16149
..."
(More detail at the webroot URL above.)
* https://www.virustotal.com/file/224...5d63bbd7eaaafa147283aca261df445b58d/analysis/
File name: info.ex_
Detection ratio: 30/44
Analysis date: 2013-01-23
___

Fake pharma sites 24/1/13
- http://blog.dynamoo.com/2013/01/fake-pharma-sites-24113.html
24 Jan 2013 - "Here's an updated list of fake RX sites being promoted through vague spam like this:
Date: Thu, 24 Jan 2013 04:44:45 +0000 (GMT)
From: "Account Info Change" [noreply @etraxx .com]
Subject: Updated information
Attention please:
- Over 50 new positions added (view recently added products)
- Free positions included with all accounts (read more here)
- The hottest products awaiting you in the first weeks of the new year (read more here)
- We want you to feel as comfortable as possible while you're at our portal.
Click Here to Unsubscribe


As with a few days ago, these sites are hosted on:
199.59.56.59 (Hostwinds, Australia)
209.236.67.220 (WestHost Inc, US)
Currently active spamvertised sites are as follows:
(Long list available at the dynamoo URL above.)
___

Fake Efax Corporate SPAM / epimarkun .ru
- http://blog.dynamoo.com/2013/01/efax-corporate-spam-epimarkunru.html
24 Jan 2013 - "This fake eFax spam leads to malware on epimarkun .ru:
Date: Thu, 24 Jan 2013 04:04:42 +0600
From: Habbo Hotel [auto-contact @habbo .com]
Subject: Efax Corporate
Attachments: Efax_Corporate.htm
Fax Message [Caller-ID: 963153883]
You have received a 28 pages fax at Thu, 24 Jan 2013 04:04:42 +0600, (157)-194-4168.
* The reference number for this fax is [eFAX-009228416].
View attached fax using your Internet Browser.
© 2013 j2 Global Communications, Inc. All rights reserved.
eFax ® is a registered trademark of j2 Global Communications, Inc.
This account is subject to the terms listed in the eFax ® Customer Agreement.


There is an attachment called Efax_Corporate.htm leading to a malicious payload at [donotclick]epimarkun .ru:8080/forum/links/column.php which is hosted on the following IPs:
50.31.1.104 (Steadfast Networks, US)
94.23.3.196 (OVH, France)
202.72.245.146 (Mongolian Railway Commercial Center, Mongolia)
These IPs and domains are all malicious:
50.31.1.104
94.23.3.196
202.72.245.146
dmssmgf .ru
esekundi .ru
esenstialin .ru
disownon .ru
epimarkun .ru
damagalko .ru
dumarianoko .ru
epiratko .ru
dfudont .ru
..."
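Across the dynamoo posts in this thread the same two things keep recurring: a rotating set of .ru domains all serving `:8080/forum/links/column.php` (dopaminko, danadala, esenstialin, elemikn, epimarkun, dfudont, and now the list above), and a `/detects/*.php` family on 222.238.109.66 (shininghill, prepadav, africanbeat, euronotedetector, kendallvile) plus `/read/*.php` on the 74.91.117.x and 14.sofacomplete hosts. Blocking the named IPs is the advice given; the added example below (my own code, not dynamoo's) goes one step further: it refangs the IOCs straight out of post text in this format, then runs proxy-log lines against both the exact IOCs and the landing-page path patterns, so a not-yet-published domain on the same kit still gets flagged. The post excerpt is a constructed paraphrase carrying real IOCs from this thread; the log lines are constructed, and `unseen-domain.ru` and `newlure.net` are hypothetical names.

```python
import re
from ipaddress import ip_address, ip_network
from urllib.parse import urlparse

# Constructed excerpt in the style of the dynamoo posts above; the IOCs are the ones those
# posts name, the surrounding sentences are paraphrased.
POST_TEXT = """
The malicious payload is at [donotclick]dopaminko .ru:8080/forum/links/column.php hosted on
89.111.176.125 (Garant-Park-Telecom, Russia)
91.224.135.20 (Proservis UAB, Lithuania)
The malicious payload is at [donotclick]shininghill.net/detects/solved-surely-considerable.php
hosted on 222.238.109.66 (Hanaro Telecom, Korea).
Other malware servers were seen in 93.190.40.0/21 before, block the whole lot.
These IPs and domains are all malicious:
94.23.3.196
esenstialin .ru
epimarkun .ru
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})(/\d{1,2})?\b")
HOST = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})(?::\d+)?(?:/\S*)?", re.I)
TLDS = {"ru", "net", "com", "biz", "in", "cz", "ua"}   # TLDs of the domains named in this thread
# Landing-page families seen in this thread besides the *.ru:8080 Blackhole path:
# /detects/<words>.php on 222.238.109.66 and /read/<words>.php on 74.91.117.x / 14.sofacomplete
KIT_PATH = re.compile(r"^/(?:detects|read)/[a-z0-9_-]+\.php$")

def refang(text):
    """Undo the defanging the posts use: '[donotclick]', 'hxxp ://', 'example .ru'."""
    text = text.replace("[donotclick]", "")
    text = re.sub(r"\bhx+p(s?)\s*://", r"http\1://", text)
    return re.sub(r"\s+\.(?=[a-z0-9])", ".", text, flags=re.I)

def extract_iocs(text):
    """Hosts, single IPs and CIDR ranges mentioned in a post, as a dict of sets."""
    text = refang(text)
    iocs = {"hosts": set(), "ips": set(), "nets": set()}
    for ip, cidr in IPV4.findall(text):
        try:
            if cidr:
                iocs["nets"].add(ip_network(ip + cidr, strict=False))
            else:
                iocs["ips"].add(ip_address(ip))
        except ValueError:          # e.g. a version number that looks like an address
            pass
    for host in HOST.findall(text):
        if host.rsplit(".", 1)[-1].lower() in TLDS:
            iocs["hosts"].add(host.lower())
    return iocs

def classify(url, iocs):
    """Verdict for one requested URL: exact IOC hit, range hit, kit path pattern, or None."""
    u = urlparse(url)
    host = (u.hostname or "").lower()
    if host in iocs["hosts"]:
        return "ioc-host"
    try:
        dst = ip_address(host)
    except ValueError:
        dst = None
    if dst is not None:
        if dst in iocs["ips"]:
            return "ioc-ip"
        if any(dst in net for net in iocs["nets"]):
            return "ioc-net"
    port = u.port or (443 if u.scheme == "https" else 80)
    if port == 8080 and u.path == "/forum/links/column.php":
        return "kit-path"                   # the .ru Blackhole landing page, whatever the domain
    if KIT_PATH.match(u.path):
        return "kit-path"
    return None

# Constructed proxy log: "<time> <client> <method> <url> <status>"
LOG = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")
SAMPLE_LOG = """\
2013-01-24T04:10:01Z 10.0.0.15 GET http://dopaminko.ru:8080/forum/links/column.php 200
2013-01-24T04:10:02Z 10.0.0.15 GET http://unseen-domain.ru:8080/forum/links/column.php 200
2013-01-24T04:11:07Z 10.0.0.22 GET http://newlure.net/detects/urgent.php 200
2013-01-24T04:12:00Z 10.0.0.22 GET http://93.190.46.138/closest/984y3fh8u3hfu3jcihei.php 200
2013-01-24T04:13:30Z 10.0.0.31 GET http://www.google.com/ 200
"""

def scan(log_text, iocs):
    """(client, url, verdict) for every log line that hits an IOC or a kit path pattern."""
    hits = []
    for line in log_text.splitlines():
        m = LOG.match(line)
        if not m:
            continue
        verdict = classify(m["url"], iocs)
        if verdict:
            hits.append((m["client"], m["url"], verdict))
    return hits

if __name__ == "__main__":
    for client, url, verdict in scan(SAMPLE_LOG, extract_iocs(POST_TEXT)):
        print(f"{verdict:9} {client:10} {url}")
```

The path-pattern rule is the part worth keeping once the domain list is stale: on this page the .ru domains change every day but the `:8080/forum/links/column.php` landing page does not, and the second log line (a domain no post has named) is caught by it. Expect some false positives from the `/read/` and `/detects/` rules on a busy proxy, so treat a `kit-path` verdict as a lead, and an `ioc-*` verdict as a block.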

Fake UPS, FedEx SPAM ...

FYI...

Chase Phish, LinkedIn, American Express Open and Verizon Wireless Spam
- http://www.gfi.com/blog/email-threa...rican-express-open-and-verizon-wireless-spam/
Jan 25, 2013 - "In this week’s Email Threats roundup, we are highlighting spam and phishing campaigns that have made a comeback, such as LinkedIn and Chase spam, but took advantage of different social engineering lures this time around. You Know It’s Awkward When… you receive an email notification that claims to originate from LinkedIn, saying you have an event invitation from one of your employees; however, (1) you don’t own a company and (2) you don’t have people under you that you can call “employees.” Furthermore, isn’t LinkedIn Events the latest thing-of-the-past?... these don’t matter now. What does matter is that recipients should not click any of the malicious links in the message body as they lead to serious system infections..."
- http://gfisoftware.tumblr.com/post/40690037065/chase-online-credentials-phish
- http://gfisoftware.tumblr.com/post/40852233046/malicious-linkedin-spam
- http://gfisoftware.tumblr.com/post/40682042750/malicious-american-express-open-spam
- http://gfisoftware.tumblr.com/post/40603662118/malicious-verizon-wireless-spam
___

Fake Craigslist fax-to-email...
- http://techblog.avira.com/2013/01/2...ake-craigslist-fax-to-email-notifications/en/
Jan 25, 2013 - "If you receive such a message containing an HTML page attached, don’t open it. The email pretends to come from “craigslist – automated message, do not reply <robot @craigslist .org>” and has the subject ”Efax Corporate”...
> http://techblog.avira.com/wp-content/uploads/2013/01/craigslist-fax-malware.jpg
... contains a malicious java script code which would download malware on your computer.
> http://techblog.avira.com/wp-content/uploads/2013/01/craigslist-malware.jpg ..."
___

Fake UPS SPAM / eziponoma .ru
- http://blog.dynamoo.com/2013/01/ups-spam-eziponomaru.html
25 Jan 2013 - "This fake UPS spam leads to malware on eziponoma .ru:
From: messages-noreply @bounce .linkedin .com... On Behalf Of LinkedIn Password
Sent: 25 January 2013 04:12
Subject: UPS Tracking Number H0931698016
You can use UPS Services to:
Ship Online
Schedule a Pickup
Open a UPS Services Account
Welcome to UPS .com Customer Services
Hi, [redacted].
DEAR CLIENT , RECIPIENT'S ADDRESS IS WRONG
PLEASE PRINT OUT THE INVOICE COPY ATTACHED AND COLLECT THE PACKAGE AT OUR DEPARTMENT.
With Respect , Your UPS Customer Services...


The malicious payload is at [donotclick]eziponoma .ru:8080/forum/links/column.php which is hosted on:
94.23.3.196 (OVH, France)
195.210.47.208 (PS Internet Company, Kazakhstan)
202.72.245.146 (Railcom, Mongolia)"
___

Fake FedEx SPAM / vespaboise .net
- http://blog.dynamoo.com/2013/01/fedex-spam-vespaboisenet.html
25 Jan 2013 - "This fake FedEx spam leads to malware on vespaboise .net:
Date: Fri, 25 Jan 2013 15:39:33 +0200
From: services @fedex .com
Subject: FedEx Billing - Bill Prepared to be Paid
FedEx Billing - Bill Prepared to be Paid
fedex.com
[redacted]
You have a new invoice(s) from FedEx that is prepared for discharge.
The following invoice(s) are ready for your overview:
Invoice Number
Invoice Amount
2-649-22849
49.81
1-181-19580
257.40
To pay or overview these invoices, please log in to your FedEx Billing Online account proceeding this link: http ://www.fedex .com/us/account/fbo
Note: Please do not use this email to submit payment. This email may not be used as a remittance notice. To pay your invoices, please visit FedEx Billing Online, http ://www.fedex .com/us/account/fbo
Thank you,
Revenue Services
FedEx
Please Not try to reply to this message. auto informer system cannot accept incoming mail.
The content of this message is protected by copyright and trademark laws under U.S. and international law.
review our privacy policy . All rights reserved.


The malicious payload is at [donotclick]vespaboise .net/detects/invoice_overview.php which is on the very familiar IP address of 222.238.109.66 (Hanaro Telecom, Korea) which has been used in several recent attacks... blocking it would be prudent."
___

Blackhole exploit kit - distribution
- http://www.symantec.com/connect/blogs/trojanpandex-new-spam-affair
Jan 24, 2013 - "... -redirect- ... to the following malicious URL:
dfudont .ru :8080/[REMOVED]/column.php...
BlackHole v2 exploit kit, and our telemetry data indicates that we have detected the following signatures from the malicious URL:
Web Attack: Blackhole Exploit Kit Website 8
Web Attack: Blackhole Exploit Kit
Web Attack: Blackhole Functions
Web Attack: Blackhole Toolkit Website 20
Web Attack: Blackhole Toolkit Website 31...
Heatmap distribution for IPS detections associated with Blackhole exploit kit:
> https://www.symantec.com/connect/sites/default/files/images/image4_26.png
... If the Blackhole exploit is successful, W32.Cridex* is then downloaded onto the compromised computer... ensure operating systems and software are up to date and to avoid clicking on suspicious links while browsing the Internet or checking email."
* W32.Cridex: https://www.symantec.com/security_response/writeup.jsp?docid=2012-012103-0840-99
W32.Cridex!gen1: https://www.symantec.com/security_response/writeup.jsp?docid=2012-032300-4035-99

- http://centralops.net/co/DomainDossier.aspx - Jan 25, 2013
canonical name dfudont .ru
addresses: 94.23.3.196, 195.210.47.208, 202.72.245.146
domain: DFUDONT .RU
nserver: ns1.dfudont .ru. 62.76.185.169
nserver: ns2.dfudont .ru. 41.168.5.140
nserver: ns3.dfudont .ru. 42.121.116.38
nserver: ns4.dfudont .ru. 110.164.58.250
nserver: ns5.dfudont .ru. 210.71.250.131
state: REGISTERED, DELEGATED, UNVERIFIED
person: Private Person...
country: FR
origin: AS16276
- https://www.google.com/safebrowsing/diagnostic?site=AS:16276
"... over the past 90 days, 7886 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2013-01-25, and the last time suspicious content was found was on 2013-01-25... we found 458 site(s) on this network... that appeared to function as intermediaries for the infection of 3498 other site(s)... this network has hosted sites that have distributed malicious software in the past 90 days. We found 1447 site(s)... that infected 6601 other site(s)..."
- http://centralops.net/co/DomainDossier.aspx - Jan 27, 2013
canonical name dfudont .ru
addresses: 195.210.47.208, 202.72.245.146
domain: DFUDONT .RU
state: REGISTERED, DELEGATED, UNVERIFIED
person: Private Person...
country: KZ - Kazakhstan
origin: AS48716
- https://www.google.com/safebrowsing/diagnostic?site=AS:48716
"... over the past 90 days, 25 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2013-01-27, and the last time suspicious content was found was on 2013-01-27... we found 6 site(s) on this network... that appeared to function as intermediaries for the infection of 5 other site(s)... this network has hosted sites that have distributed malicious software in the past 90 days. We found 23 site(s)... that infected 965 other site(s)..."

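The posts above write their indicators in a deliberately defanged form ("epimarkun .ru", "[donotclick]", "hxxp:// IP :port") and repeatedly point at the same Blackhole landing paths (":8080/forum/links/column.php", "/detects/...php"). As an added example that is not code from dynamoo, Symantec, webroot or the forum poster, here is a small Python script that refangs that notation into a blocklist and checks proxy log lines against it; the sample indicators and log lines are constructed for illustration, and the landing-path regex is an assumption derived from the paths quoted in these posts.

```python
"""Refang defanged indicators into a blocklist and scan proxy logs (added example)."""
import re
from urllib.parse import urlsplit

# Constructed sample indicators, written in the defanging styles the quoted
# posts use: "[donotclick]host .ru:8080/path", "IP (Org, Country)",
# "hxxp:// IP :port..." and "host .ru :8080/[REMOVED]/file.php...".
SAMPLE_INDICATORS = [
    "[donotclick]epimarkun .ru:8080/forum/links/column.php",
    "94.23.3.196 (OVH, France)",
    "[donotclick]vespaboise .net/detects/invoice_overview.php",
    "222.238.109.66 (Hanaro Telecom, Korea)",
    "hxxp:// 66.232.145.174 :6667...",
    "dfudont .ru :8080/[REMOVED]/column.php...",
]

# Assumed heuristic: the Blackhole landing paths repeated throughout the posts.
LANDING_RE = re.compile(r"/(?:forum/links|detects)/\w+\.php$")


def refang(text):
    """Undo the posts' defanging and return (host, port, path)."""
    s = text.strip()
    s = re.sub(r"^\[donotclick\]", "", s)             # dynamoo prefix
    s = re.sub(r"^hxxps?://\s*", "", s, flags=re.I)   # webroot "hxxp:// "
    s = re.sub(r"^https?\s*:\s*//\s*", "", s, flags=re.I)  # "http ://"
    s = s.split(" (")[0]                              # drop "(Org, Country)"
    s = s.rstrip(".")                                 # trailing "..." ellipsis
    s = re.sub(r"\s+\.\s*", ".", s)                   # "host .ru" -> "host.ru"
    s = re.sub(r"\s*:\s*", ":", s)                    # "IP :port" -> "IP:port"
    parts = urlsplit("http://" + s)
    host = (parts.hostname or "").lower()
    return host, parts.port, parts.path.rstrip("/")


def build_blocklist(indicators):
    """Return (hosts, landings): hosts/IPs to block, and exact (host, path) pages."""
    hosts, landings = set(), set()
    for ind in indicators:
        host, _port, path = refang(ind)
        if not host:
            continue
        hosts.add(host)
        if path:
            landings.add((host, path))
    return hosts, landings


# Constructed proxy log lines (squid-like: client method url status).
SAMPLE_LOG = """\
10.0.0.12 GET http://www.example.com/index.html 200
10.0.0.17 GET http://epimarkun.ru:8080/forum/links/column.php 200
10.0.0.21 GET http://222.238.109.66/detects/invoice_overview.php 200
10.0.0.21 POST http://66.232.145.174:6667/ 200
10.0.0.30 GET http://cdn.example.org/lib.js 304
10.0.0.44 GET http://unknown-host.example/forum/links/column.php 200
"""


def scan_log(log_text, hosts, landings):
    """Return (client, reason, url) for each log line that hits the blocklist
    or merely looks like a Blackhole landing page on an unknown host."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        client, url = fields[0], fields[2]
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        path = parts.path.rstrip("/")
        if (host, path) in landings:
            hits.append((client, "known landing page", url))
        elif host in hosts:
            hits.append((client, "blocklisted host", url))
        elif LANDING_RE.search(path):
            hits.append((client, "blackhole-style landing path", url))
    return hits


if __name__ == "__main__":
    hosts, landings = build_blocklist(SAMPLE_INDICATORS)
    for client, reason, url in scan_log(SAMPLE_LOG, hosts, landings):
        print(f"{client}\t{reason}\t{url}")
```

The path-only match is a heuristic for triage, not proof of compromise; a hit on an unknown host is a prompt to look at the hosting IP and the referring site, as the posts do.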
Bogus BBB emails spread Zbot

FYI...

Bogus BBB emails spread Zbot...
- http://www.hotforsecurity.com/blog/new-wave-of-bbb-scam-spreads-downloader-of-zbot-5135.html
Jan 25, 2013 - "... Better Business Bureau spam campaign.... the e-mails infect people with a Trojan that steals sensitive information from recipients... the BBB attack consists of a message supposedly from the Better Business Bureau telling recipients that a business customer has filed a formal complaint against them. The bogus e-mail invites the recipient to reply and mend the situation, but not before they open the attached document that, depending on the campaign, hides a downloader, a password stealer, and a BlackHole component. The subject line of these messages generally read: “complaint report,” “complaint ID,” “case” and a set of random digits. The bogus e-mails used in the January campaign carry as an attachment a zip file named “case” and arbitrary signs that hide a password stealer and a downloader of ZBot – identified by Bitdefender as Trojan.Generic.KD.835502. To make it more believable, attackers deliver the exe file with the Adobe Reader icon, so if file extensions are hidden by the operating system, chances are you’ll mistake it for a PDF document...
> http://www.hotforsecurity.com/wp-co...ve-of-BBB-Scam-spreads-Downloader-of-ZBot.png
ZBot is a banker Trojan that steals e-banking information and logs keystrokes, but also has some limited backdoor and proxy features that allows its masters to take control of the machine. Crooks seem to find the BBB scam highly rewarding, as they refresh it several times a year since it was first spotted in 2010. It was November 2012 when Bitdefender anti-spam lab signaled another huge wave of BBB scam spreading Trojan.Generic.8271699, a downloader awfully similar to the infamous BlackHole exploit pack... Organizations such as the Better Business Bureau NEVER send complaints via e-mail with attachments and links, exactly to avoid frauds. EXE files are a big no-no in e-mail messages. In fact, they are so dangerous that no company will e-mail you this kind of attachment. If your e-mail messages carry an exe file, just get rid of it..."
___

Super Bowl Scams ...
- https://www.bbb.org/blog/2013/01/dont-fall-for-the-latest-super-bowl-scams/
Jan 22, 2013 - "... be on the alert for knock-off team jerseys, counterfeit memorabilia and phony game tickets... Tickets for the big game can be an even bigger rip-off. There are thousands of Super Bowl tickets currently listed on Craig’s List, but the site offers no guarantees of any kind and does not require identification of its listers. Buying in person isn’t always an improvement, as it’s gotten easier and easier for scammers to make fake tickets that look real... In general, avoid scams by being -skeptical- of:
• Offers that sound “too good to be true”
• Pushy sales tactics
• Poor quality of merchandise
• Offers that require wire transfer of funds ..."
More: https://www.bbb.org/blog/
___

Phishing Scams use Facebook Info for Personalized SPAM
- https://www.bbb.org/blog/2013/01/ne...ams-uses-facebook-info-for-personalized-spam/
Jan 25, 2013 - "... scammers are exploiting the fact that you’re more likely to click on a link if it was sent by a friend. Scammers find your information through Facebook or other social media accounts. Some set up fake accounts and send out friend requests. When you accept the request, they can view your friends and personal and contact information. Other scammers rely on social media users not locking down their privacy settings*, so basic information, such as your name, email address and friends’ names, is publicly available..."
* http://www.facebook.com/help/392235220834308/

Bogus Paypal emails lead to BlackHole Exploit Kit

FYI...

Bogus Paypal emails lead to BlackHole Exploit Kit
- http://blog.webroot.com/2013/01/28/...themed-emails-lead-to-black-hole-exploit-kit/
Jan 28, 2013 - "... Over the past 24 hours, cybercriminals have launched yet another spam campaign, impersonating PayPal, in an attempt to trick its users into thinking that they’ve received a “Transaction Confirmation“, which in reality they never really made. Once users click on -any- of the links found in the malicious emails, they’re exposed to the client-side exploits served by the Black Hole Exploit Kit...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress...m_exploits_malware_black_hole_exploit_kit.png
... Malicious domain name reconnaissance:
duriginal .net – 222.238.109.66 – Email: blackchromedesign2 @ymail .com
Name server: NS1.HTTP-PAGE .NET – 31.170.106.17 – Email: ezvalue @yahoo .com
Name server: NS2.HTTP-PAGE .NET – 7.129.51.158 – Email: ezvalue @yahoo .com
The campaign shares the same infrastructure... three of these campaigns have been launched by the same malicious party.
Upon successful client-side exploitation, the campaign drops MD5: 423daf9994d552ca43f8958634ede6ee * ...Trojan-Spy.Win32.Zbot.ilmw..."
(More detail at the webroot URL above.)
* https://www.virustotal.com/file/56a...608964010f9bdc27c8ba69fa5e8eeafe199/analysis/
File name: contacts.exe
Detection ratio: 25/46
Analysis date: 2013-01-28
___

Zbot sites to block - 28/1/13
- http://blog.dynamoo.com/2013/01/zbot-sites-to-block-28113.html
28 Jan 2013 - "These domains and IPs are currently acting as C&C and distribution servers for Zbot. I would advise blocking these IPs and domains if you can. There are three parts to the list: IPs with hosting company names, plain IPs for copy-and-pasting and domains identified on these servers..."
(Long list at the dynamoo URL above.)
___

Fake Facebook SPAM / gonita .net
- http://blog.dynamoo.com/2013/01/most-recent-events-on-facebook-spam.html
28 Jan 2013 - "This fake Facebook spam leads to malware on gonita .net:
Date: Mon, 28 Jan 2013 17:30:50 +0100
From: "Facebook" [addlingabn2 @bmatter .com]
Subject: Most recent events on Facebook
facebook
Hi [redacted],
You have disabled your Facebook account. You can reveal your account whenever you wish by logging into Facebook with your old login email address and password. After that you will be able to enjoy the site in the same way as before.
Kind regards,
The Facebook Team
Log in to Facebook and start connecting
Sign in
Please use the link below to resume your account :
http ://www.facebook .com/resume/
This message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future, please click: unsubscribe.
Facebook, Inc. Attention: Department 419 P.O Box 10007 Palo Alto CA 94301


The malicious payload is at [donotclick]gonita .net/detects/sign_on_to_resume.php (report here) hosted on the well-known IP of 222.238.109.66 (Hanaro Telecom, Korea)... malicious domains are active on the same IP..."

Fake FedEx, Intelius SPAM...

FYI...

Intelius SPAM (or is it a data breach?)
- http://blog.dynamoo.com/2013/01/intelius-spam-or-is-it-data-breach.html
30 Jan 2013 - "This spam was sent to an email address only used to register for intelius.com. Either there has been a data breach at Intelius, or they have decided to go into the gambling business.
From: Grand Palace Slots [no-reply @tsm -forum .net]
Date: 30 January 2013 10:39
Subject: Try to play slots - 10$ free
Mailed-By: tsm-forum .net
Feel the unique excitement of playing at the world's premiere games!
Grand Palace gives you welcome package for slots up to 8,000$! What a fantastic offer, straight from the heart of World's gaming leader!
This is a great offer, especially when you see what else Grand Palace has to offer:
- US players welcome
- more than 100 fun games, realistic graphics
- the most secure and up-to-date software
- professional support staff to help you with whatever you might need, any time of the day or night!
And in the end we want to give you 10$ absolutelly free! (Use code CASH10)
Hurry up! Your free Grand Palace cash is waiting! Play Today!
http ://www .igrandpalacegold .com
Click here to opt out of this email:
http ://unsubscribe .igrandpalacegold .com


The originating IP is 176.200.202.100 (Telecom Italia, Italy), spamvertised site is www .igrandpalacegold .com on 91.217.52.125 (Fajncom SRO, Czech Republic)... I'm assuming that Intelius doesn't want to promote what would be illegal gambling for US citizens, which really leads just one other option..."
___

Fake FedEx emails lead to BlackHole Exploit Kit
- http://blog.webroot.com/2013/01/29/...themed-emails-lead-to-black-hole-exploit-kit/
Jan 29, 2013 - "... Cybercriminals are currently mass mailing tens of thousands of emails impersonating the company, in an attempt to trick its customers into clicking on exploits and malware dropping links found in the legitimate-looking emails...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress...m_exploits_malware_black_hole_exploit_kit.png
... Malicious domain name reconnaissance:
vespaboise.net – 222.238.109.66 – Email: blackchromedesign2 @ymail .com
Name Server: NS1.HTTP-PAGE .NET
Name Server: NS2.HTTP-PAGE .NET
... Upon successful client-side exploitation, the FedEx themed campaign drops MD5: c2f72ff5b0cf4dec4ce33e4cc65796b1 * ...PWS:Win32/Zbot.gen!AM.
... It also attempts to connect to the following IPs:
..."
(More detail at the webroot URL above.)
* https://www.virustotal.com/file/1e8...6bc938a83785b81be71b9788efbcc3bd1df/analysis/
File name: calc.exe
Detection ratio: 24/46
Analysis date: 2013-01-30
___

Malicious Spam Emails Target Nightclub Disaster in Santa Maria
- http://www.symantec.com/connect/blogs/malicious-spam-emails-target-nightclub-disaster-santa-maria
Jan 30, 2013 - "... spammers are distributing malicious emails that attempt to lure users into viewing a video of the incident that killed 233 people recently in a horrific tragedy at a popular nightclub in Santa Maria, Brazil. The malicious email is in Portuguese and invites unsuspecting users to click on a link to watch a video of the tragedy. The link provided in the email downloads a zip file containing a malicious control panel file as well an executable file. Symantec detects this threat as Trojan Horse. Further analysis of the malicious file shows that the threat creates the following file:
%SystemDrive%\ProgramData\ift.txt
It also alters the registry entries for Internet Explorer. The threat then downloads an IE configuration file from a recently registered domain. Trojan Horse is usually a backdoor Trojan, downloader, or an infostealer. Samples of the spam emails are shown below (Figures 1 and 2). The email has the following characteristics:
Subject: Video mostra momento exato da tragedia em Santa Maria no Rio Grande Do Sul segunda-feira, 28 de janeiro de 2013
Subject: VIDEO DO ACIDENTE DA BOATE DE SANTA MARIA RS.
Translation: Video shows the beginning of the tragedy in Santa Maria, Rio Grande Do Sul Monday, January 28, 2013
Translation: Video of the Nightclub accident in Santa Maria RS
1) https://www.symantec.com/connect/sites/default/files/images/NightclubDisasterSpam1_0.png
2) https://www.symantec.com/connect/sites/default/files/images/NightclubDisasterSpam2_0.png
Users are advised to exercise caution when looking for videos, images, and news of recent popular events. Do not click on suspicious links or open attachments received in unsolicited emails. Keep your security software up-to-date in order to protect your information from online viruses and scams."
___

Fake FDIC SPAM / 1wstdfgh.organiccrap .com
- http://blog.dynamoo.com/2013/01/fdic-spam-1wstdfghorganiccrapcom.html
30 Jan 2013 - "Here's a slightly new spin on old spam, leading to malware on 1wstdfgh.organiccrap .com:
Date: Wed, 30 Jan 2013 16:16:32 +0200
From: "Тимур.Носков @fdic .gov" [midshipmanc631 @buprousa .com]
Subject: Important notice from FDIC
Attention!
Due to the adoption of a new security system, that is aimed at diminishing the number of cases of fraud and scams, all your ACH and WIRE transactions will be temporarily blocked until your security version meets the new requirements.. In order to restore your ability to make transactions, you are required to install a special security software. Please use the link below to download and install all the necessary files.
We apologize for causing you troubles by this measure.
If you need any assistance, please do not hesitate to contact us.
Sincerely yours,
Federal Deposit Insurance Corporation
Security Department


The link in the email goes through a legitimate hacked site (in this case [donotclick]www.edenespinosa .com/track .php?fdic) to the amusingly named [donotclick]1wstdfgh.organiccrap .com/closest/984y3fh8u3hfu3jcihei .php (report here*) hosted on 91.218.121.86 (CoolVDS / Kutcevol Maksum Mukolaevichm, US) which hosts the following suspect domains that you might want to block:
1wstdfgh.organiccrap .com
23v4tn6dgdr.organiccrap .com
v446numygjsrg.mymom .info
3vbtnyumv.ns02 .us
crvbhn7jbtd.mywww .biz "
* http://urlquery.net/report.php?id=891059

Fake Facebook, FDIC emails serve malware links...

FYI...

Fake FDIC SPAM / 123435jynfbdf.myWWW .biz
- http://blog.dynamoo.com/2013/01/fdic-spam-123435jynfbdfmywwwbiz.html
31 Jan 2013 - "More FDIC themed spam, leading to a malicious payload on the same IP as this one:
From: ".Афанасьев @fdic .gov" [mailto:dickysmv341 @homesextapes .com]
Sent: 30 January 2013 15:03
Subject: Changing security requirements
Importance: High
Dear Sirs,
In connection with the introduction of a new security system for the purpose of preventing new cases of wire fraud, all your account ACH and WIRE transactions will be temporarily blocked unless the special security requirements are met.. In order to fully re-establish your account, you are asked to install a special security software. Please open the link below to download and install the latest security version.
We apologize for the inconveniences caused to you by this measure.
Please do not hesitate to contact us if you have any questions.
Yours faithfully,
Federal Deposit Insurance Corporation
Security Department


In this case the malicious payload is at [donotclick]123435jynfbdf.myWWW .biz./closest/984y3fh8u3hfu3jcihei.php and is hosted on 91.218.121.86 (CoolVDS / Kutcevol Maksum Mukolaevichm, US). At the moment the following domains seem to be active:
___

Malicious ‘Facebook Account Cancellation Request’ themed emails serve client-side exploits and malware
- http://blog.webroot.com/2013/01/31/...mails-serve-client-side-exploits-and-malware/
Jan 31, 2013 - "In December, 2012, we intercepted a professional-looking email that was impersonating Facebook Inc. in an attempt to trick its users into thinking that they’ve received an “Account Cancellation Request“. In reality, once users clicked on the links, their hosts were automatically exploited through outdated and already patched client-side vulnerabilities, which dropped malware on the affected PCs. Over the past 24 hours, cybercriminals have resumed spamvertising tens of thousands of legitimate-looking Facebook themed emails, once again using the same social engineering theme...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress...ation_request_email_spam_exploits_malware.png
... Sample client-side exploits served: CVE-2010-0188; CVE-2011-3544; CVE-2010-0840
... Malicious domain name reconnaissance:
kidstoytowers .com – 62.75.181.220 – responding to the same IP is also the following domain – dailyfrontiernews .com
Upon successful client-side exploitation, the campaign drops MD5: 9356fcd388b4bae53cad7aea4127d966 * ...W32/Injector.YMS!tr..."
(More detail at the webroot URL above.)
* https://www.virustotal.com/file/d97...c5edf7054acff979f585a044478bc7c5cbd/analysis/
File name: test53356736863192.bin
Detection ratio: 3/46
Analysis date: 2013-01-28
___

Fake American Airlines email
- http://msmvps.com/blogs/spywaresucks/archive/2013/01/25/1823091.aspx
Jan 25 2013 - "This is -not- a real American Airlines / American Eagle email:
> http://msmvps.com/cfs-filesystemfil...ogapi/0523.image_5F00_thumb_5F00_380EFE9A.png
These types of spoof emails still work, fooling too many people. As always, if you hover your mouse cursor over the hyperlink it becomes easy to tell that the email is not legitimate.
> http://msmvps.com/cfs-filesystemfil...ogapi/5483.image_5F00_thumb_5F00_21200751.png
___

Dear Facebook, this change sucks
- http://msmvps.com/blogs/spywaresucks/archive/2013/01/03/1822008.aspx
Jan 3 2013 - "1. I don’t want to receive emails (aka most likely SPAM) from strangers.
> http://msmvps.com/cfs-filesystemfil...ogapi/0844.image_5F00_thumb_5F00_15139385.png
2. Your “control who can send you messages” link is broken.
> http://msmvps.com/cfs-filesystemfil...ogapi/3426.image_5F00_thumb_5F00_7E249C3B.png

> http://msmvps.com/cfs-filesystemfil...ogapi/5355.image_5F00_thumb_5F00_2B09D94A.png
Filed under: I ain't happy about this*...
* http://msmvps.com/blogs/spywaresuck...is_2E00__2E00__2E00__2E00__2E00_/default.aspx

Fake Photo, Booking SPAM ...

FYI...

Fake Booking .com ‘Credit Card was not Accepted’ emails lead to malware
- http://blog.webroot.com/2013/02/01/...s-not-accepted-themed-emails-lead-to-malware/
Feb 1, 2013 - "Cybercriminals are mass mailing tens of thousands of emails, impersonating Booking .com, in an attempt to trick its users into thinking that their credit card was not accepted. Users are then urged to click on a fake “Print Booking Details” link, which leads them to the malware used in the campaign...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress...pted_hotel_reservation_email_spam_malware.png
... Sample detection rate for the malicious executable: MD5: 75db84cfb0e1932282433cdb113fb689 * ... TrojanDownloader:Win32/Kuluoz.B...
Once executed, the sample phones back to the following command and control (C&C) servers:
...
More malware variants are known to have phoned back to the same IPs..."
(More detail at the webroot URL above.)
* https://www.virustotal.com/file/1fc...9d8a33285ca98d00632b50e6/analysis/1359641226/
File name: BookingInfo.exe
Detection ratio: 26/46
Analysis date: 2013-01-31
___

Fake Photo SPAM / eghirhiam .ru
- http://blog.dynamoo.com/2013/02/photos-spam-eghirhiamru.html
1 Feb 2013 - "Here's a tersely-worded Photos spam leading to malware on eghirhiam .ru:
Subject: Photos

Good day,
your photos here http: //www.jonko .com/photos.htm


As is usually the case, the malware -bounces- through a legitimate hacked site and in this case ends up at [donotclick]eghirhiam .ru:8080/forum/links/public_version.php (report here) hosted on:
82.148.98.36 (Qatar Telecom, Qatar)
195.210.47.208 (PS Internet Company Ltd, Kazakhstan)
202.72.245.146 (Railcom, Mongolia)
The following IPs and domains are all related and should be blocked:
..."
___

Something evil on 50.116.40.194
- http://blog.dynamoo.com/2013/02/something-evil-on-5011640194.html
1 Feb 2013 - "50.116.40.194 (Linode, US) is hosting the Blackhole Exploit Kit (e.g. [donotclick]14.goodstudentloans .org/read/walls_levels.php - report here*) and seems to have been active in the past 24 hours. I can see two domains at present, although there are probably many more ready to go:
14.goodstudentloans .org
14.mattresstoppersreviews .net"
* http://urlquery.net/report.php?id=903191

Fake pharma SPAM and more...

FYI...

Fake StumbleUpon SPAM / drugstorepillstablets .ru
- http://blog.dynamoo.com/2013/02/stumbleupon-spam-drugstorepillstabletsru.html
4 Feb 2013 - "This fake StumbleUpon spam is something new, it leads to a fake pharma site on drugstorepillstablets .ru:
Date: Mon, 4 Feb 2013 01:01:46 -0600 (CST)
From: StumbleUpon [no-reply @stumblemail .com]
Subject: Update: Changes to Your Email Settings
Hi [redacted],
This is a quick note to let you know about some changes we've made to the email settings in your StumbleUpon account. We've created a bunch of new notification options that allow you to have more control over what types of emails you'll receive from us. These new notification options are not compatible with the old settings, so your settings have been reset. We apologize for any inconvenience, and want to make sure we only send you the emails you want to receive.
Now what? Please click here to head over to your email settings and update your preferences, so we know exactly what emails you'd like to receive from StumbleUpon.
Want to receive all notifications about shares from friends, recommended Stumbles, and more? Great, you don't have to do anything at all!
Thanks for Stumbling,
The StumbleUpon Team
P.S. Haven't signed in for a while and can't remember your password? You can reset it here by entering the email address used in this email.
Please don't reply to this message - for all questions, check out our Help Center. To visit your email settings, please click here.
StumbleUpon | 301 Brannan Street, 6th Floor, San Francisco, CA 94107


There's no surprise to see that the IP address of the spamvertised site is 92.48.119.139 (Simply Transit, UK)..."
(More detail at the dynamoo URL above.)
___

Something evil on 108.61.12.43 and 212.7.192.100
- http://blog.dynamoo.com/2013/02/something-evil-on-108611243-and.html
4 Feb 2013 - "A few sites worth blocking on 108.61.12.43 (Constant Hosting, US) courtesy of Malware Must Die*:
helloherebro .com
painterinvoice .ru
painterinvoicet .ru
immediatelyinvoicew .ru
While you are at it, you might like to block 212.7.192.100** (Dediserv, Netherlands) as well."
* http://malwaremustdie.blogspot.co.uk/2013/02/the-infection-of-styx-exploit-kit.html

** http://malwaremustdie.blogspot.co.uk/2013/01/peeking-at-jdb-exploit-kit-infector.html
___

Phytiva / XCHC pump-and-dump SPAM
- http://blog.dynamoo.com/2013/02/phytiva-xchc-pump-and-dump.html
4 Feb 2013 - "This pump-and-dump spam (at least I assume that's what it is) caught my eye:
From: Hugh Crouch [tacticallyf44 @riceco .com]
Date: 4 February 2013 12:39
Subject: RE: Targeting the global Cosmoceutical market
US leading biotech company is please to introduce a newly launched brand - a hybrid of a proven, existing product line that has been well-managed and conservatively-run for over a decade with a hemp-based product line, utilizing the unique and potent benefits of the plants. Revolutionary formulations target not just the symptom, but also the cause. The plant is the ideal basis for healing solutions and has been utilized for centuries, as skin responds extremely well to its properties.
Its newest Plant based Product lines that have identified over a dozen ailments that we believe that the products will be the superior choice on the market. These ailments include cancer, arthritis, influenza, HIV/ AIDS, PTSD and many more.
We are looking for leading beauty and health care investors. If you are dedicated to making difference in people”s lives, we need your help now more than ever before toprovide excellent and efficient medical and health care for our future researches.
For more information, please visit
You can unsubscribe from all our future email communications at


The email originates from 31.25.91.159 in the Islamic Republic of Iran, spamvertising a site at www .xn--80aakfmpm2afbm .xn--p1ai (yes, that's a valid international domain name) hosted on 111.123.180.11 in China. In all likelihood, Phytiva and its parent company The X-Change Corporation (stock ticker XCHC) are almost definitely nothing to do with this rather odd spam. Avoid."
___

Fake FedEx emails lead to malware
- http://blog.webroot.com/2013/02/04/...racking-detail-themed-emails-lead-to-malware/
Feb 4, 2013 - "... the digital fingerprint of one of the most recently introduced malware variants used in the campaign corresponds to the digital fingerprint of a malware-serving campaign that we’ve already profiled, indicating that they’ve been launched by the same cybercriminal/gang of cybercriminals...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress...gnumber_trackingdetail_spam_email_malware.png
... Detection rate for the malware variants distributed over the past 24 hours:
MD5: bf061265407ea1f7c21fbf5f545c4c2b * ...PAK_Generic.001
The campaign is ongoing, so watch what you click on!..."
(More detail at the websense URL above.)
* https://www.virustotal.com/file/603...51e5b649fb1d8d57cda413c3c712749a2a2/analysis/
File name: ukjlbkma.exe
Detection ratio: 30/46
Analysis date: 2013-02-04
___

- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Fake Tax Documents Notification E-mail Messages - February 04, 2013
Fake Apple Coupon Offer E-mail Messages - February 04, 2013
Malicious Attachment E-mail Message - February 04, 2013
Fake Product Order Request E-mail Messages - February 04, 2013
Fake Portuguese Money Deposit E-mail Messages - February 04, 2013
Fake Purchase Order Notification E-mail Messages - February 04, 2013
Fake Product Order E-mail Message - February 04, 2013
Fake Telegraphic Transfer E-mail Messages - February 04, 2013
Fake Money Transfer Notification E-mail Messages - February 04, 2013
Malicious Personal Photograph Attachment E-mail Messages - February 04, 2013
Malicious Personal Pictures Attachment E-mail Messages - February 04, 2013
Fake Xerox Scan Attachment E-mail Messages - February 04, 2013
(More detail and links at the cisco URL above.)

:mad::fear:
Fake Amazon emails lead to BlackHole...

FYI...

Fake ‘Your Kindle e-book Amazon receipt’ emails lead to BlackHole Exploit Kit
- http://blog.webroot.com/2013/02/05/...themed-emails-lead-to-black-hole-exploit-kit/
5 Feb 2013 - "Kindle owners, watch what you click on! Cybercriminals are currently attempting to trick Kindle owners into thinking that they’ve received a receipt from an E-book purchase from Amazon .com. In reality, when users click on -any- of the links found in the malicious emails, they’re automatically exposed to the client-side exploits served by the Black Hole Exploit Kit...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress...ndle_ebook_receipt_black_hole_exploit_kit.png
... Malicious domain name reconnaissance:
starsoftgroup.net – 175.121.229.209; 198.144.191.50 – Email: wondermitch @hotmail .com
Name Server: NS1.HTTP-PAGE .NET
Name Server: NS2.HTTP-PAGE .NET
We’ve already seen the same name servers used in the following previously profiled campaigns, indicating that they’ve been launched by the same cybercriminals... Upon successful client-side exploitation, the campaign drops MD5: 13d23f4c1eb1d4d3841e2de50b1948cc * ... UDS:DangerousObject.Multi.Generic...
Upon execution, the sample also phones back to the following C&C servers:
hxxp :// 195.191.22.90 :8080/DPNilBA/ue1elBAAAA/tlSHAAAAA/
hxxp :// 37.122.209.102 :8080/DPNilBA/ue1elBAAAA/tlSHAAAAA/
hxxp :// 217.65.100.41 :8080/DPNilBA/ue1elBAAAA/tlSHAAAAA/
hxxp :// 173.201.177.77 /J9/vp//EGa+AAAAAA/2MB9vCAAAA/
hxxp :// 210.56.23.100 /J9/vp//EGa+AAAAAA/2MB9vCAAAA/
hxxp :// 213.214.74.5 /J9/vp//EGa+AAAAAA/2MB9vCAAAA/
hxxp :// 180.235.150.72 /J9/vp//EGa+AAAAAA/2MB9vCAAAA/
We’ve already seen the same pseudo-random C&C communication characters (DPNilBA) used... As well as the same C&C server IPs (173.201.177.77; 210.56.23.100; 180.235.150.72) ...
(More detail at the webroot URL above.)
* https://www.virustotal.com/file/74b...df398e6f91a92df6988b067c5e39af4e6a2/analysis/
File name: DWIntl20.Dll
Detection ratio: 7/46
Analysis date: 2013-02-04
___

Free Disneyland Tickets Survey SCAM
- http://www.hoax-slayer.com/disneyland-tickets-survey-scam.shtml
Feb 5, 2013
Outline: Various -Facebook- messages claim that users can receive free tickets to Disneyland by liking and sharing a picture and participating in online surveys.
Brief Analysis: The supposed giveaways are scams designed to trick people into spamming their friends and participating in -bogus- online surveys. No matter how many surveys they complete, participants will -never- receive the promised Disneyland tickets. These offers are not endorsed by and have no connection to Disney. If you receive one of these messages, do not click any links that it contains.
> http://www.hoax-slayer.com/images/disneyland-tickets-scam.jpg
___

Fake Amazon .com SPAM / salam-tv .com
- http://blog.dynamoo.com/2013/02/amazoncom-spam-salam-tvcom.html
5 Feb 2013 - "This fake Amazon email leads to malware on salam-tv .com:
Date: Tue, 5 Feb 2013 18:32:06 +0100
From: "Amazon.com Orders" [no-reply @amazon .com]
Subject: Your Amazon.com order receipt.
Click here if the e-mail below is not displayed correctly.
Follow us:
Your Amazoncom Today's Deals See All Departments
Dear Amazon.com Customer,
Thanks for your order, [redacted]!
Did you know you can view and edit your orders online, 24 hours a day? Visit Your Account.
Order Details:
E-mail Address: [redacted]
Billing Address:
1170 CROSSING CRK N Rd.
Fort Wayne OH 49476-1748
United States
Phone: 1- 749-787-0001
Order Grand Total: $ 91.99
Earn 3% rewards on your Amazon .com orders with the Amazon Visa Card. Learn More
Order Summary:
Details:
Order #: C59-2302433-5787713
Subtotal of items: $ 91.99
Total before tax: $ 91.99
Tax Collected: $0.00
Grand Total: $ 90.00
Gift Certificates: $ 1.99
Total for this Order: $ 91.99
Find Great Deals on Millions of Items Storewide
We hope you found this message to be useful. However, if you'd rather not receive future e-mails of this sort from Amazon.com, please opt-out here.
2012 Amazon.com, Inc. or its affiliates. All rights reserved. Amazon, Amazon .com, the Amazon .com logo and 1-Click are registered trademarks of Amazon .com, Inc. or its affiliates. Amazon .com, 466 Sally Ave. N., Seattle, MA 71168-8282. Reference: 25090571
Please note that this message was sent to the following e-mail address: [redacted]


The malicious payload should be at [donotclick]salam-tv .com/detects/visit_putts.php but at the moment this domain doesn't seem to be resolving properly. A bit of digging around shows that it may be hosted on 198.144.191.50 (Chicago VPS, US) and the following malicious domains can be traced to that IP address:
morepowetradersta .com
capeinn .net
starsoftgroup .net
salam-tv .com "
___

Malwarebytes uncovers digital certificate-spoofing Trojan
- http://blog.malwarebytes.org/intelligence/2013/02/digital-certificates-and-malware-a-dangerous-mix/
Update (Feb 4th, 3:44 PM): Egnyte has promptly taken down the illicit account following our call. However, the digital signature is still in use.
"... we just spotted a new malware sample (Brazilian banking/password stealer) which happens to be signed with a real and valid digital certificate issued by DigiCert:
> http://blog.malwarebytes.org/wp-content/uploads/2013/02/digi1.png
This certificate is issued to a company called “Buster Paper Comercial Ltda”, a Brazilian company that actually does -not- exist and was registered with bogus data... The file – disguised as a PDF document (an invoice) – actually opens up as such to really fool the victim:
> http://blog.malwarebytes.org/wp-content/uploads/2013/02/invoice.png
... the malware connects to: som.egnyte .com ... size matters as many antivirus scanners have trouble with detecting larger files. Digging a little deeper, this is not a new case at all. In fact, last November the same kind of digitally signed Trojan was also distributed (See this ThreatExpert report* for proof). Its certificate has, since then, been revoked... What we have here is a total abuse of hosting services, digital certificates and repeated offenses from the same people... Digital certificate theft can be used in targeted attacks as a spear phishing attack for example... An attacker can easily find out or guess what antivirus a company is running and craft a piece of malware that will not be detected by it. Because such attacks are very narrow, the sample will not be disseminated around the world, making its discovery less likely..."
* http://www.threatexpert.com/report.aspx?md5=cff3b8ec4c49051811213d3551eb3c28

:mad: :fear:
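Added example (my own, not code from Webroot or Dynamoo): the Kindle and Amazon write-ups above link campaigns by shared name servers (NS1/NS2.HTTP-PAGE .NET), shared C&C IPs, a recurring C&C path marker (DPNilBA) and a shared hosting IP (198.144.191.50). The Python below refangs indicators exactly as they are defanged in these posts and reports which campaigns overlap on which indicator. The campaign labels, the "earlier" campaign and the address 192.0.2.10 are constructed for the example; everything else is transcribed from the posts.

```python
import re
from urllib.parse import urlsplit


def refang(ioc: str) -> str:
    """Undo the defanging used in the write-ups above.

    'hxxp :// 1.2.3.4 :8080/x/' -> 'http://1.2.3.4:8080/x/', 'example .com' -> 'example.com',
    '[donotclick]example .com/a.php' -> 'example.com/a.php', 'a[.]b' -> 'a.b'.
    """
    s = ioc.strip()
    if s.lower().startswith("[donotclick]"):
        s = s[len("[donotclick]"):]
    s = re.sub(r"\s+", "", s)                      # defanging inserts spaces around '.', ':' and '//'
    s = s.replace("[.]", ".").replace("(.)", ".")
    if s.lower().startswith("hxxp"):
        s = "http" + s[4:]
    return s


def features(campaign: dict) -> set:
    """Pivotable indicators of one campaign: C&C IPs, C&C URL paths, name servers, hosting IPs/domains."""
    f = set()
    for url in campaign.get("c2_urls", []):
        parts = urlsplit(refang(url))
        f.add(("ip", parts.hostname))
        f.add(("c2path", parts.path))               # the 'DPNilBA' style marker lives in the path
    for ns in campaign.get("nameservers", []):
        f.add(("ns", refang(ns).lower()))
    for domain, ips in campaign.get("hosting", {}).items():
        f.add(("domain", refang(domain).lower()))
        for ip in ips:
            f.add(("ip", ip))
    return f


def link_campaigns(campaigns: dict) -> dict:
    """Return {(campaign_a, campaign_b): shared_indicators} for every pair that overlaps."""
    names = sorted(campaigns)
    feats = {n: features(campaigns[n]) for n in names}
    links = {}
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            shared = feats[a] & feats[b]
            if shared:
                links[(a, b)] = shared
    return links


# Indicators transcribed from the Webroot and Dynamoo posts above, plus one constructed
# "earlier" campaign standing in for the previously profiled ones (192.0.2.10 is a
# documentation address, not a real C&C).
CAMPAIGNS = {
    "kindle_receipt_2013_02_05": {
        "c2_urls": [
            "hxxp :// 195.191.22.90 :8080/DPNilBA/ue1elBAAAA/tlSHAAAAA/",
            "hxxp :// 37.122.209.102 :8080/DPNilBA/ue1elBAAAA/tlSHAAAAA/",
            "hxxp :// 217.65.100.41 :8080/DPNilBA/ue1elBAAAA/tlSHAAAAA/",
            "hxxp :// 173.201.177.77 /J9/vp//EGa+AAAAAA/2MB9vCAAAA/",
            "hxxp :// 210.56.23.100 /J9/vp//EGa+AAAAAA/2MB9vCAAAA/",
            "hxxp :// 213.214.74.5 /J9/vp//EGa+AAAAAA/2MB9vCAAAA/",
            "hxxp :// 180.235.150.72 /J9/vp//EGa+AAAAAA/2MB9vCAAAA/",
        ],
        "nameservers": ["NS1.HTTP-PAGE .NET", "NS2.HTTP-PAGE .NET"],
        "hosting": {"starsoftgroup .net": ["175.121.229.209", "198.144.191.50"]},
    },
    "amazon_receipt_salam_tv_2013_02_05": {
        "hosting": {
            "salam-tv .com": ["198.144.191.50"],
            "morepowetradersta .com": ["198.144.191.50"],
            "capeinn .net": ["198.144.191.50"],
            "starsoftgroup .net": ["198.144.191.50"],
        },
    },
    "earlier_campaign_constructed": {
        "c2_urls": [
            "hxxp :// 192.0.2.10 :8080/DPNilBA/ue1elBAAAA/tlSHAAAAA/",
            "hxxp :// 210.56.23.100 /J9/vp//EGa+AAAAAA/2MB9vCAAAA/",
        ],
    },
}

if __name__ == "__main__":
    for (a, b), shared in sorted(link_campaigns(CAMPAIGNS).items()):
        print(f"{a} <-> {b}")
        for kind, value in sorted(shared):
            print(f"    shared {kind}: {value}")
```

Run as-is it prints the two pairings the posts describe: Kindle and Amazon share 198.144.191.50 and starsoftgroup.net, and the Kindle drop shares both C&C paths and 210.56.23.100 with the constructed earlier campaign. Paths are compared whole rather than just the first segment so that the J9/vp style beacons cluster as well as the DPNilBA ones.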
Fake job offers / Google store - malicious apps ...

FYI...

Fake job offer inukjob .com, ineurojob .com and hollandsjob .com
- http://blog.dynamoo.com/2013/02/inukjobcom-fake-job-offer-also.html
6 Feb 2013 - "This fake job offer from inukjob .com involves illegal money laundering, and it also seems that the scammers want to use your identity for "correspondence" which normally means things like reshipping stolen goods and identity theft.
From: Victim
To: Victim
Date: 6 February 2013 09:16
Subject: Looking for remote assistants, paid $ 100 per hour helping other people
Good afternoon!
Is it possible for you to spare a few hours a week to the new occupation, which would increase your wages in 2-3 times, without investing a penny? While you are looking for the trick in this offer, hundreds of your compatriots have already been reaping the benefits of working with us.
This is not a financial pyramid or marketing of any kind. It's about doing simple assignments, not exceed the limits of morals or ethics.
Your gender, age, employment do not matter - the main factors are your diligence and conscientiousness.
Lots of our employees began with a part-time employment and combined with other jobs, but two weeks later,
most of them devoted themselves to our job.
We are in all respects ready to remove all your doubts and help you to understand all details.
Position is called the "Regional Manager".
Functional duties:
- to represent the interests of foreign companies in the region (For example: providing your address for correspondence.)
- to take control of transactions between the company and the client in your area.
For more information, please, email us attaching your CV, the country and city of residence.
It will considerably increase your chances for employment. Email: Kelsey @inukjob .com
Best Regards,
PR Manager


I've seen another variant with a reply address of Delores @inukjob .com. In all these cases, the email appears to come from the victim (here's why*). Let's dig a little deeper into the domain. It turns out that it is registered by scam-friendly Chinese registrar BIZCN .COM. The WHOIS details are fake:
Tara Zwilling info @inukjob .com
315-362-4562 fax: 315-362-4511
3201 Oak Street
Syracuse NY 13221
us
There is -no- number 3201 Oak Street in Syracuse, New York (see for yourself**) and the Zip code is incorrect, it should be 13203 and -not- 13221. There's -no- web site, mail is handled by a server at 31.214.169.94 (Exetel, Germany). The following mailservers can be found at that IP:
mx.ineurojob .com
mx.hollandsjob .com
mx.inukjob .com
You can assume that all these domains are fraudulent. If we dig a little deeper at the nameservers ns1.ariparts .net (also on 31.214.169.94) and ns2.ariparts .net (8.163.20.161, Level 3, US), then we can also find the following very dodgy domains:
hollandsjob .com
pracapolsk .com
ariparts .net
ineurojob .com
All these domains have fake or hidden registration details and can be assumed to be part of a scam. Avoid."
* http://blog.dynamoo.com/2011/09/why-am-i-sending-myself-spam.html

** http://goo.gl/maps/KimC4
___

Google store - malicious apps
- http://blog.webroot.com/2013/02/05/android-security-tips-and-windows-autorun-protection/
5 Feb 2013 - "Recently, two applications designed with malicious intent were discovered within the Google Play application store. The apps were built with a façade of being utility cleaners designed to help optimize Android-powered phones, but in reality, both apps had code built in designed to copy private files, including photos, and submit them to remote servers. The applications, named SuperClean and DroidClean, did not stop there. Researchers also found that the malware was able to AutoRun on Windows PC devices when the phones were paired, and infect the main computer. The malware was designed to record audio through the computer’s microphone. AutoRun has often been used as a method of infection, and Microsoft has since sent a security fix out to Windows XP/Vista/7 in order to disable the exploitable element. In some cases, however, the feature might have been re-enabled by the user for convenience or never changed through a backlog of updates. An application such as this has not been seen in the past, and is showing the creative methods through which malware coders are attempting to break through a computer’s security. With the Android device acting as a Trojan horse for the infection, malicious code has the potential of bypassing established security parameters that typically keep endpoint users safe within their network. While Webroot has classified the malicious apps, which have been removed from Google Play’s market, it goes to show that protective steps are necessary on all levels of devices to avoid an infection... For all users, we recommend ensuring that AutoRun is -disabled- on your computer. Even though Microsoft rolled out updates to disable it, it is possible it could be enabled. Finally, always ensure you scan USB and other connected devices for malware before storing data or using on other PCs."

:mad: :mad:
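Added example (my own, not Webroot's): the advice above is to make sure AutoRun is disabled, and the phone in this case is exposed to the PC as a removable drive. On Windows the setting behind that is the NoDriveTypeAutoRun policy value, a bitmask where each set bit disables AutoRun for one drive type; 0xFF disables all of them, while the 0x91 that Windows uses when no policy is set leaves removable, fixed, CD-ROM and RAM-disk drives enabled. The Python below decodes the mask, and when run on Windows reads it from the Explorer policy key. The bit names follow Microsoft's documented table; the registry path, the HKLM-before-HKCU order and the 0x91 fallback are stated as assumptions in the comments.

```python
import sys

# Bits of the NoDriveTypeAutoRun policy value (Microsoft's documented table):
# a set bit DISABLES AutoRun for that drive type.
DRIVE_TYPE_BITS = {
    0x01: "DRIVE_UNKNOWN",
    0x04: "DRIVE_REMOVABLE",      # USB sticks, and a phone exposing mass storage when paired
    0x08: "DRIVE_FIXED",
    0x10: "DRIVE_REMOTE",
    0x20: "DRIVE_CDROM",
    0x40: "DRIVE_RAMDISK",
    0x80: "DRIVE_UNKNOWN_TYPE",   # Microsoft lists both 0x01 and 0x80 as "unknown" drives
}
WINDOWS_DEFAULT_MASK = 0x91       # assumption: effective value when no policy is present
ALL_DISABLED_MASK = 0xFF          # the hardened value to pin via policy
POLICY_SUBKEY = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"  # assumed path


def autorun_allowed_types(mask: int) -> list:
    """Drive types on which AutoRun is still permitted by this mask (empty means fully disabled)."""
    return [name for bit, name in sorted(DRIVE_TYPE_BITS.items()) if not mask & bit]


def autorun_fully_disabled(mask: int) -> bool:
    return not autorun_allowed_types(mask)


def read_policy_mask():
    """Windows only: read the policy from HKLM, then HKCU (assumed precedence), else the default.
    Returns None on other platforms so the decoder can still be exercised there."""
    if sys.platform != "win32":
        return None
    import winreg
    for hive in (winreg.HKEY_LOCAL_MACHINE, winreg.HKEY_CURRENT_USER):
        try:
            with winreg.OpenKey(hive, POLICY_SUBKEY) as key:
                value, _ = winreg.QueryValueEx(key, "NoDriveTypeAutoRun")
                return int(value)
        except OSError:
            continue
    return WINDOWS_DEFAULT_MASK


def report(mask: int) -> str:
    allowed = autorun_allowed_types(mask)
    if not allowed:
        return f"NoDriveTypeAutoRun=0x{mask:02X}: AutoRun disabled for all drive types"
    return f"NoDriveTypeAutoRun=0x{mask:02X}: AutoRun still allowed on " + ", ".join(allowed)


if __name__ == "__main__":
    mask = read_policy_mask()
    if mask is None:
        print("Not on Windows; showing the default and the hardened value instead:")
        for m in (WINDOWS_DEFAULT_MASK, ALL_DISABLED_MASK):
            print(report(m))
    else:
        print(report(mask))
```

The Microsoft update the post refers to changes how autorun.inf is honoured and is separate from this value, so an audit should confirm both the patch level and that the policy reads 0xFF; a mask such as 0xFB looks almost fully locked down yet still leaves removable drives, the case that matters here, enabled.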